
Rubrik CDM User Guide

Version 7.0
755-0196-01 Rev A5

Rubrik Headquarters: Palo Alto, California 94304


1-844-4RUBRIK www.rubrik.com
Legal Notices

Copyright and trademarks


Copyright

Copyright © 2022 Rubrik Inc.


All rights reserved. This document may be used free of charge. Selling without prior written consent is
prohibited. Obtain permission before redistributing. In all cases, this copyright notice and disclaimer must
remain intact.
THE CONTENTS OF THIS DOCUMENT ARE PROVIDED "AS IS," AND COPYRIGHT HOLDERS MAKE NO
REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT,
OR TITLE; THAT THE CONTENTS OF THE DOCUMENT ARE SUITABLE FOR ANY PURPOSE; THAT THE
IMPLEMENTATION OF SUCH CONTENTS WILL NOT INFRINGE ANY THIRD PARTY PATENTS, COPYRIGHTS,
TRADEMARKS OR OTHER RIGHTS.
COPYRIGHT HOLDERS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL
DAMAGES ARISING OUT OF ANY USE OF THE DOCUMENT OR THE PERFORMANCE OR IMPLEMENTATION
OF THE CONTENTS THEREOF.

Trademarks

Registered in the U.S. Trademark Office


Rubrik, the Rubrik graphic, and Datos IO are registered trademarks of Rubrik, Inc. in the U.S. and other
countries. Additionally, Rubrik, Inc. holds common law trademark rights in Rubrik Polaris, Polaris GPS,
Polaris Radar, Polaris Sonar, Rubrik Envision, Rubrik Edge, and Mosaic in the U.S. and/or other countries.
All other trademarks are the property of their respective owners.

Legal Notices

Certain products and features, including Microsoft 365 Protection provided by Rubrik Polaris, are subject to
additional product-specific terms available at https://www.rubrik.com/en/legal.
By using the Rubrik Polaris Sonar application, you understand and acknowledge that Rubrik Polaris Sonar’s
pre-existing Policies and Analyzers contain general suggestions for data elements and formats based on
common data sets and formats. The suggested data elements and formats in Rubrik Polaris Sonar are not
intended to be a comprehensive or exhaustive list of data elements and formats regulated by the GDPR,
CCPA or any other applicable laws and regulations. We also do not guarantee that your Rubrik Polaris
Sonar search results will include every instance of each data element and format within your data set. We
strongly recommend that you consult legal counsel for specific advice regarding compliance with applicable
laws and regulations.
Rubrik Polaris Sonar is designed to assist customers with identifying certain data elements and formats and
should not be solely relied upon to identify all data elements and formats of a certain type for any purpose,
including legal or compliance.
Use of the Polaris Management Console software is subject to additional product-specific terms available at
https://www.rubrik.com/en/legal.

Copyright and trademarks 05/25/2022 | iii


Preface
Welcome to Rubrik. We appreciate your interest in our products.
Rubrik is continually working to improve its products and regularly releases revisions and new versions.
Some information provided by this guide may not apply to a particular revision or version of a product.
Review the release notes for the product to see the most up-to-date information about that product.

Revision history
The revision history for the Rubrik CDM User Guide.

Revision Date Description


Rev. A0 February 2022 General Availability release of Rubrik CDM version 7.0.
Rev. A1 February 2022 • Added a new section for Trusted SSL-TLS interception
• Added a new section for vCenter Server diagnostics
• Added a prerequisite for data recovery from a host fileset or share
fileset.

Rev. A2 March 2022 Limited release.


Rev. A3 April 2022 • Added documentation for an enhanced version of Rubrik Envoy for
Rubrik CDM version 7.0.1 and later.
• The vCenter Diagnostics tool introduced in Rubrik CDM 7.0 has been
deprecated in Rubrik CDM 7.0.1.
• Added documentation about the two-person rule for Rubrik CDM
versions 7.0.1 and later.
• Added CloudOn compute service requirements for AWS and Azure.
• Added documentation about storage-based quotas for tenant
organizations.
• Added information on automatic package upgrades for RBS for
supported host types.
• Added Azure permissions for archival.
• Added information on configuring a VLAN.
• Added documentation for an enhanced version of Rubrik Envoy for
Rubrik CDM version 7.0.1 and newer.

Rev. A4 May 2022 • Added information about downloading replicated snapshots.
• Fixed the inbound port number for communication between SAP HANA
host and Rubrik cluster from 9369 to 9639.
• Added Advanced settings topic in Archiving section.

Rev. A5 May 2022 • Updated information about preparing Azure storage for archiving.
• Fixed typos and made some wording changes in Appendix E for
shutdown and reboot.
• Updated the procedure for downloading RBS for SCVMM hosts.
• Updated port requirements for SAP HANA in the Ports appendix.
• Added a vSphere version restriction for deploying Rubrik Envoy for CDM
7.0.1 only.
• Removed AWS information incorrectly mapped into the Azure section.

Support
Use one of the following methods to contact Rubrik Support.

Web: Rubrik Support Portal
Phone: See Get In Touch for contact options.
Email: support@rubrik.com

Related documentation
Rubrik provides documentation that covers a broad range of related concepts, tasks, and reference
information.
• Rubrik Polaris User Guide
• Rubrik Polaris Radar Quick Start Guide
• Rubrik CDM Release Notes
• Rubrik CDM User Guide
• Rubrik CDM Install and Upgrade Guide
• Rubrik CDM Security Guide
• Rubrik CDM Cloud Cluster Setup Guide
• Rubrik CDM Hardware Guide
• Rubrik CDM CLI Guide
• Rubrik CDM Events Guide
• Rubrik Edge Install and Upgrade Guide
• Rubrik Virtual Cluster Install Guide
• Rubrik Compatibility Matrix

Comments and suggestions
We welcome your comments and suggestions about our products and our product documentation.

Products

To provide comments and suggestions about our products, contact Rubrik Support, as described in Support.

Product documentation

To provide comments and suggestions about the product documentation, please send your message by
email to: techpubs@rubrik.com.
Please include the following information about the product documentation to help us find the content
that is the subject of your comments:
• Full title
• Part number
• Revision
• Relevant pages

Rubrik Build
Rubrik hosts community-based tools through the Rubrik Build program and associated GitHub repositories
for community-supplied tools.
Rubrik Build is an open source program that provides access to a growing community of enthusiasts and
experts across a number of languages and tools. Rubrik Build is used to create and improve projects that
simplify monitoring, testing, development, and automated workflows for Rubrik product deployments.
Rubrik Build includes the following resources:
• Software Development Kits
• Tooling Integrations
• Use Cases
• Community Projects
• Rubrik REST API documentation

Important: USE AT YOUR OWN RISK. Rubrik does not officially support the community tools. Carefully
investigate a community tool before using it. Always test a community tool on non-production data before
using the tool with production data.
Contents

Configuration.................................................................................................................................. 29
Logging in to the Rubrik CDM web UI...................................................................................... 29
Logging in with a local account...................................................................................... 29
Logging in with an LDAP account................................................................................... 30
Logging in with Single Sign-on....................................................................................... 30
Logging in with Polaris...................................................................................................31
Federated Access with Polaris.........................................................................................31
Gear menu.............................................................................................................................. 31
Opening the gear menu................................................................................................. 32
Settings and tasks available through the gear menu........................................................ 32
Manage hosts.......................................................................................................................... 34
Adding a physical host................................................................................................... 34
Editing a physical host................................................................................................... 35
Removing a physical host...............................................................................................35
Guest OS settings.................................................................................................................... 36
Guest OS credentials......................................................................................................36
Providing credentials for a Windows guest OS................................................................. 37
Providing credentials for a Linux guest OS...................................................................... 37
Editing guest OS credentials...........................................................................................38
Deleting guest OS credentials.........................................................................................38
Rubrik Backup Service automatic deployment.................................................................. 38
Manage storage arrays.............................................................................................................39
Adding a storage array.................................................................................................. 39
Editing a storage array...................................................................................................40
Deleting a storage array.................................................................................................40
Adaptive Backup...................................................................................................................... 41
On-demand snapshots....................................................................................................41
Limit types.....................................................................................................................41
Enabling Adaptive Backup settings.................................................................................. 42
Pause and resume protection activity........................................................................................42
Impact of pausing protection activity.............................................................................. 43
Pausing protection activity.............................................................................................. 44
Resuming protection activity........................................................................................... 44
Data sources setting................................................................................................................ 45
Setting data sources...................................................................................................... 45
Configuring IPMI......................................................................................................................45
iSCSI configuration...................................................................................................................46
Configuring iSCSI........................................................................................................... 46
Time zone setting.................................................................................................................... 47
Setting the cluster time zone......................................................................................... 47
Default time zone.......................................................................................................... 48
Time zone setting changes.............................................................................................48
Security banner and classification settings.................................................................................48
Setting the login banner text..........................................................................................49
Setting the security classification color and text...............................................................49
Secure SMB............................................................................................................................. 49
Configuring SMB Security............................................................................................... 50
Deleting an Active Directory domain............................................................................... 51
SMB authentication when NTLM is disabled.....................................................................51
Proxy settings.......................................................................................................................... 53
Functions that use internet access..................................................................................53
Proxy implementations................................................................................................... 54
Configuring proxy server support.................................................................................... 54
Email notifications.................................................................................................................... 55
Required outgoing email settings.................................................................................... 55
Configuring outgoing email settings................................................................................ 55
Modifying the outgoing email settings............................................................................. 56
Deleting the outgoing email settings............................................................................... 56
Configuring event email settings..................................................................................... 57
SNMP integration..................................................................................................................... 58
Rubrik MIB file...............................................................................................................58
Downloading the Rubrik MIB file.................................................................................... 59
Syslog messages as SNMP objects..................................................................................60
SNMP polling................................................................................................................. 60
Configuring SNMPv2c support......................................................................................... 60
Configuring SNMPv3 support.......................................................................................... 60
Adding trap receivers..................................................................................................... 61
Network settings...................................................................................................................... 62
Configuring network settings.......................................................................................... 62
Editing network settings................................................................................................. 63
Add CORS support................................................................................................................... 64
Configuring CORS support.............................................................................................. 65
Network Throttling................................................................................................................... 67
Scheduling replication throttling overrides....................................................................... 67
Enabling and configuring replication throttling................................................................. 68
Scheduling archival throttling overrides........................................................................... 68
Enabling and configuring archival throttling..................................................................... 69
Replication throttling bypass.....................................................................................................69
API endpoints for replication throttling bypass.................................................................70
Retrieving replication throttling bypass status.................................................................. 71
Retrieving replication throttling bypass status for a target................................................ 72
Modifying replication throttling bypass status...................................................................73
HTTP response model for replication throttling bypass..................................................... 74
Syslog settings.........................................................................................................................74
Syslog export rule settings............................................................................................. 75
Adding a syslog export rule............................................................................................75
Remote syslog servers................................................................................................... 76
Supported facility and severity syslog levels.................................................................... 77
Support bundle........................................................................................................................ 78
Creating and downloading a support bundle....................................................................78
Secure access to the support tunnel.........................................................................................79
Opening the Support tunnel........................................................................................... 79
Editing the timeout window............................................................................................80
Closing the support tunnel............................................................................................. 80

VLAN tagging..................................................................................................................................81
Trunk port requirements...........................................................................................................81
Management Network and Data Network.................................................................................. 81
Adding special network VLANs after system setup........................................................... 82
Adding VLANs from the command line............................................................................ 83
Adding VLANs from the Rubrik CDM web UI................................................................... 84
Viewing VLANs from the Rubrik CLI................................................................................84
Viewing VLANs through the Rubrik CDM web UI..............................................................84
Removing a VLAN from the Rubrik CLI........................................................................... 85
Removing a VLAN from the Rubrik CDM web UI..............................................................85

User accounts................................................................................................................................. 87
TLS certificate management..................................................................................................... 87
Trusted SSL-TLS interception.......................................................................................... 87
Importing a TLS certificate............................................................................................. 87
Editing a TLS certificate................................................................................................. 88
Deleting a TLS certificate............................................................................................... 89
Using a different TLS certificate......................................................................................89
Generating a CSR.......................................................................................................... 90
Authentication..........................................................................................................................90
Roles....................................................................................................................................... 91
Inheritance of privileges................................................................................................. 92
Adding a custom role.....................................................................................................92
Adding an Infrastructure Admin role............................................................................... 95
Overwrite original during restore.................................................................................... 96
Assigning roles...............................................................................................................96
Global search...........................................................................................................................97
Viewing authentication and authorization information.................................................................98
Local authentication................................................................................................................. 98
Guidelines for choosing a strong password......................................................................98
Strong passwords...........................................................................................................98
Password requirements.................................................................................................. 99
Adding a local user account......................................................................................... 101
Editing local user account information........................................................................... 102
Revoking a role from a local user account.....................................................................102
Removing a local user account..................................................................................... 103
User account lockout....................................................................................................103
Unlocking a user account............................................................................................. 104
Rubrik Two-step Verification with TOTP................................................................................... 104
Enforcing Rubrik Two-step Verification for a local user....................................................104
Enforcing Rubrik Two-step Verification for an LDAP domain............................................ 105
Configuring Rubrik Two-step Verification as a user......................................................... 105
Changing the TOTP device........................................................................................... 106
Configuring Rubrik Two-step Verification........................................................................106
LDAP authentication............................................................................................................... 107
LDAP credentials.......................................................................................................... 108
LDAP servers............................................................................................................... 108
User and Group settings...............................................................................................109
Adding LDAP servers.................................................................................................... 110
Specifying credentials to communicate with an LDAP server........................................... 110
Specifying servers, user settings, and group settings......................................................110
Enabling multifactor authentication................................................................................111
Viewing LDAP server information.................................................................................. 111
Deleting an LDAP server...............................................................................................112
User account and group account authorization.............................................................. 112
Deactivating a user account or group account............................................................... 112
Single Sign-on........................................................................................................................113
Generic Single Sign-on workflow................................................................................... 113
Rubrik metadata file.....................................................................................................113
ADFS integration workflow......................................................................................................114
Downloading the ADFS metadata file............................................................................ 115
Service Provider host address....................................................................................... 115
Configuring single sign-on in Rubrik CDM...................................................................... 115
Adding Rubrik as a Relying Party Trust..........................................................................116
Adding a nameId claim rule......................................................................................... 117
Adding an email claim rule........................................................................................... 118
Group claim rules.........................................................................................................119
Verifying ADFS Service Provider settings........................................................................121
Testing the SSO connection.......................................................................................... 122
Assigning roles to SSO users........................................................................................ 122
Assigning roles to SSO groups...................................................................................... 123
Okta integration workflow.......................................................................................................123
Service Provider host address....................................................................................... 124
Downloading the Rubrik metadata file...........................................................................124
Preparing the encryption certificate for uploading to Okta.............................................. 125
Adding Rubrik as an application integration................................................................... 125
Downloading the Okta metadata file............................................................................. 127
Adding Okta as an identity provider.............................................................................. 127
Granting Okta users access to Rubrik CDM....................................................................128
Granting Okta groups access to Rubrik CDM..................................................................128
Testing the SSO connection.......................................................................................... 129
Assigning roles to SSO users........................................................................................ 129
Assigning roles to SSO groups...................................................................................... 130
Multifactor authentication....................................................................................................... 130
Multifactor authentication with RSA SecurID.................................................................. 131
Configuring an RSA Authentication Manager connection................................................. 131
Configuring an RSA Cloud Authentication Service connection.......................................... 132
CLI access and SSH password support....................................................................................132
Disabling SSH password authentication......................................................................... 133
Configuring authentication to the Rubrik CLI by SSH key pair......................................... 133
API tokens............................................................................................................................. 134
Generating an API token.............................................................................................. 134
Deleting an expired API token...................................................................................... 135
Restricted API operations....................................................................................................... 135
Managing API token whitelist........................................................................................136
Service accounts.................................................................................................................... 136
Adding a service account..............................................................................................137
Editing a service account..............................................................................................137
Deleting a service account............................................................................................137
Rotating the client secret............................................................................................. 138

Encryption..................................................................................................................................... 139
Data in flight encryption.........................................................................................................139
Data at rest encryption.......................................................................................................... 139
Password encryption.....................................................................................................140
Mixed mode clusters.................................................................................................... 140
Key management................................................................................................................... 141
Adding a KMIP server.................................................................................................. 141
Rotating encryption keys.............................................................................................. 142
Integrating with Vormetric Data Security Manager................................................................... 143
Configuring Vormetric DSM........................................................................................... 143
Obtaining a TLS Certificate for Vormetric DSM............................................................... 143
Adding a TLS Certificate to Vormetric DSM....................................................................144
Troubleshooting the Vormetric DSM installation..............................................................144
Verifying the encryption status............................................................................................... 145

Multitenant organizations............................................................................................................146
Tenant organizations.............................................................................................................. 146
Tenant organizations and reports............................................................................................ 147
Multitenancy and Rubrik Envoy............................................................................................... 147

Contents 05/25/2022 | x
Deploying Rubrik Envoy..........................................................................................................148
Supported Rubrik Envoy Network Assignments........................................................................ 149
Configuring Rubrik Envoy....................................................................................................... 149
Registering Rubrik Envoy with a Rubrik cluster........................................................................ 151
Comparing Rubrik Envoy web certificates...................................................................... 153
IP address changes in Rubrik Envoy....................................................................................... 153
Deregistering Rubrik Envoy from a Rubrik cluster.................................................................... 154
Create a new tenant organization........................................................................................... 155
Organization Administrator privileges.............................................................................155
Naming the organization and adding users or AD groups............................................... 156
Protecting objects in an organization.............................................................................157
Assigning protection resources to a tenant organization................................................. 157
Modifying an existing tenant organization................................................................................158
Deleting a tenant organization................................................................................................159
Impact of deleting a tenant..........................................................................................159
Tenant organization storage quota.......................................................................................... 159
Assigning tenant organization storage quota..................................................................160
Viewing the tenant organization storage quota.............................................................. 161
Editing the assigned tenant organization storage quota.................................................. 161

Protection policies........................................................................................................................162
Default SLA Domains..............................................................................................................162
Custom SLA Domains............................................................................................................. 163
Service Level Agreement.............................................................................................. 163
Base Frequency............................................................................................................164
Local retention period.................................................................................................. 165
SLA Domain name....................................................................................................... 165
SLA Domains with CDP enabled....................................................................................165
Creating a custom SLA Domain.....................................................................................165
Snapshot window................................................................................................................... 167
Configuring a snapshot window.................................................................................... 167
First full backup..................................................................................................................... 168
Configuring a first full backup window.......................................................................... 168
SLA Domain changes..............................................................................................................169
Editing an SLA Domain.................................................................................................169
Base Frequency changes.............................................................................................. 171
Retention changes........................................................................................................172
Replication target changes............................................................................................174
Impact of retention changes on archival policy and replication policy...............................174
Snapshot window changes............................................................................................175
Take first full backup changes...................................................................................... 175
Impact of SLA Domain changes on snapshots............................................................... 175
SLA update log backups......................................................................................................... 179
Delete an SLA Domain........................................................................................................... 179
Deleting an SLA Domain...............................................................................................180
Local SLA Domains.................................................................................................................180
Viewing all local SLA Domains...................................................................................... 180
Local SLA Domain properties page................................................................................181
Viewing information for a specific SLA Domain.............................................................. 182
Pause and resume protection................................................................................................. 183
Pausing protection........................................................................................................183
Resuming protection.....................................................................................................184
Retention Locked SLA Domains...............................................................................................184
How retention lock works............................................................................................. 185
Examples: Restrictions on modifying retention locked SLA Domains................................. 187
Creating a retention locked SLA Domain........................................................................187

Backup Verification...................................................................................................................... 189
Authorizing a Rubrik REST API session................................................................................... 190
Backup Verification API attributes........................................................................................... 190
Obtaining object ID from UI...................................................................................................191
Obtaining object ID using API................................................................................................ 191
Verifying backups using API................................................................................................... 192
Getting the status of a Backup Verification job........................................................................ 194
Backup Verification result....................................................................................................... 195
HTTP status codes................................................................................................................. 195

Replication.................................................................................................................................... 197
Replication policy workflow..................................................................................................... 197
Replication target setup..........................................................................................................198
Replication using a private network...............................................................................198
Replication using NAT...................................................................................................199
Removing a replication target....................................................................................... 201
Replication policy................................................................................................................... 202
Configuring replication policy for an SLA Domain..................................................................... 202
Replication policy changes............................................................................................ 203
Replication policy disabled............................................................................................ 204
Replication policy re-enabled.........................................................................................204
Replication retention period increased........................................................................... 204
Replication retention period decreased.......................................................................... 204
Replication start........................................................................................................... 205
Manage Replication page........................................................................................................205
Viewing the Manage Replication page........................................................................... 206
Global replication pause............................................................................................... 206
Pausing replication....................................................................................................... 207
Resuming replication after a pause............................................................................... 207
Replication pause per location...................................................................................... 208
Pausing replication per location.....................................................................................208
Resuming replication per location..................................................................................209
Replication monitoring and reporting.......................................................................................209
Remote SLA Domains............................................................................................................. 210
Viewing all remote SLA Domains...................................................................................210
Information on the Remote SLA Domains page..............................................................210
Searching for a remote SLA Domain............................................................................. 210
Viewing the page of a remote SLA Domain................................................................... 211
Information provided for a remote SLA Domain............................................................. 211
Remote data sources............................................................................................................. 212
Viewing a remote data source page..............................................................................212
Snapshots card or Recovery Points card........................................................................ 213
Working with a replica................................................................................................. 214
Expired snapshot recovery......................................................................................................214
Downloading a replicated snapshot............................................................................... 214

Archiving....................................................................................................................................... 216
Archival policy........................................................................................................................216
Changing archival policy............................................................................................... 216
Archival data security............................................................................................................. 221
Archival bucket exclusivity...................................................................................................... 221
Archival workflow................................................................................................................... 221
Upload of a full or incremental archival snapshot........................................................... 222
Archival Locations page.......................................................................................................... 223
Archival location configuration................................................................................................ 224
Archival location display name...................................................................................... 224

Amazon S3 archival locations........................................................................................225
Google Cloud Platform archival locations....................................................................... 230
Microsoft Azure............................................................................................................ 233
Object storage system..................................................................................................239
NFS share....................................................................................................................241
QStar tape archive....................................................................................................... 243
Archival Consolidation.............................................................................................................245
Archival Consolidation for Amazon S3 and Azure............................................................246
Archival Consolidation for NFS and S3 Compatible Object Stores..................................... 246
Managing consolidation for Amazon S3......................................................................... 247
Managing consolidation for Azure..................................................................................247
Managing consolidation for NFS.................................................................................... 248
Managing consolidation for S3 compatible object storage systems...................................248
Cascading Archival................................................................................................................. 249
Data retention settings................................................................................................. 249
Cascading Archival configuration considerations............................................................. 249
Using Cascading Archival.............................................................................................. 250
Archival location proxy........................................................................................................... 251
Configuring an S3 archival location proxy...................................................................... 251
Configuring an Azure archival location proxy..................................................................252
Disaster recovery using an archival location............................................................................ 253
Reader-writer archival model........................................................................................ 253
Source vCenters available for recovery.......................................................................... 257
Source vCenters unavailable for recovery...................................................................... 257
Connecting to an S3 archival location for disaster recovery.............................................258
Connecting to an Amazon S3 Glacier archival location for disaster recovery...................... 259
Connecting to a GCP archival location for disaster recovery............................................ 260
Connecting to an Azure archival location for disaster recovery........................................ 261
Connecting to an object storage system for disaster recovery......................................... 262
Connecting to an NFS archival location for disaster recovery...........................................263
Connecting to a tape archival location for disaster recovery............................................ 264
Testing disaster recovery using an archival location........................................................265
Advanced settings........................................................................................................ 266
Archival lifecycle best practices............................................................................................... 269
Archival location removal........................................................................................................ 270
Deleting an archival location.........................................................................................270

Rubrik Backup Service................................................................................................................. 271


Downloading the RBS software............................................................................................... 273
Obtaining the RBS software by URL........................................................................................274
RBS firewall rules...................................................................................................................275
RBS file locations................................................................................................................... 275
Installing RBS on Linux and Unix hosts................................................................................... 275
Rubrik Backup Service account on Windows............................................................................ 277
Installing RBS on Windows........................................................................................... 277
SQL Server roles and permissions for RBS.....................................................................279
Automatically deploying RBS......................................................................................... 280
Rubrik Backup Service status..................................................................................................282
Reinstallation of RBS on the host........................................................................................... 283
Reconnecting a host and retaining existing backups on reinstallation.........................................283
Connecting the Rubrik cluster to RBS on a cloned Linux or Unix host........................................ 284
Connecting the Rubrik cluster to RBS on a cloned Windows host.............................................. 285
Registering a guest OS install of RBS......................................................................................286
Changing the primary Rubrik cluster for RBS...........................................................................287
Downloading RBS for SCVMM hosts........................................................................................ 287
Installing RBS on an SCVMM host...........................................................................................288

Determine when RBS is running on a Windows system............................................................ 289
Determine when RBS is running on a non-Windows system..................................................... 289
Removing RBS from a Linux or Unix host................................................................................290
Removing RBS from a Solaris host..........................................................................................290
Removing RBS from a Windows host...................................................................................... 291
Removing RBS from SAP HANA.............................................................................................. 292
RBS management commands................................................................................................. 293
Enabling automatic package upgrade for RBS for AIX, Linux, and Solaris hosts.......................... 294

Hyper-V virtual machines............................................................................................................ 295


Virtual machine protection...................................................................................................... 295
Automatic protection.................................................................................................... 295
System Center Virtual Machine Manager........................................................................296
Hyper-V host configuration........................................................................................... 296
Hyper-V without SCVMM...............................................................................................296
Hyper-V host management........................................................................................... 297
Adding a Windows host................................................................................................297
SLA Domain assignment......................................................................................................... 298
Assigning an SLA Domain setting to a virtual machine................................................... 298
Assigning an SLA Domain setting to a Hyper-V cluster or server..................................... 299
Manage Protection options............................................................................................300
Removing an SLA Domain setting................................................................................. 301
Finding protection objects...................................................................................................... 302
Displaying all discovered virtual machines..................................................................... 302
Displaying unprotected virtual machines from the Dashboard..........................................302
Displaying unprotected virtual machines from the Hyper-V VMs page.............................. 303
Sorting virtual machines by using the SLA filter............................................................. 303
Finding virtual machines by using the Search field......................................................... 304
Finding entities by using the object tab........................................................................ 304
Selecting data sources..................................................................................................304
Protected warning........................................................................................................ 305
Protection consequences........................................................................................................ 305
Protecting a new virtual machine..................................................................................306
Changing the assigned SLA Domain.............................................................................. 306
Removing protection from a virtual machine..................................................................306
Reprotecting a virtual machine..................................................................................... 307
Local host page..................................................................................................................... 307
Viewing a local host page............................................................................................ 307
Action bar....................................................................................................................307
Overview card..............................................................................................................308
Snapshots card............................................................................................................ 308
Information available on the day view for a local virtual machine.................................... 309
Actions available on the day view for a local virtual machine.......................................... 310
Archival location actions............................................................................................... 311
Virtual machine snapshots...................................................................................................... 311
Performance and scalability.......................................................................................... 311
Backup processes.........................................................................................................312
Snapshot window......................................................................................................... 312
Protection exceptions....................................................................................................312
Backup consistency levels............................................................................................. 312
Application consistency................................................................................................. 313
Linux guest OS............................................................................................................ 313
On demand snapshots..................................................................................................313
Creating an on-demand snapshot of a Hyper-V virtual machine...................................... 313
Exclude VHD files...................................................................................................................314
Excluding VHD files of a virtual machine....................................................................... 314

Archival snapshots..................................................................................................................315
Archival location storage...............................................................................................315
Retention..................................................................................................................... 315
Unmanaged data....................................................................................................................315
Recover and restore virtual machine data............................................................................... 315
Recovery of virtual machines.................................................................................................. 316
Recovery actions by snapshot type............................................................................... 316
Selecting a snapshot or an archival snapshot.................................................................317
Selecting a replica........................................................................................................317
Virtual machine recovery.............................................................................................. 318
Performing an instant recovery..................................................................................... 318
Performing a Live Mount.............................................................................................. 319
Performing an Export................................................................................................... 319
Powering off after Instant Recovery or Live Mount.........................................................320
Unmounting after Instant Recovery or Live Mount......................................................... 321
Removing a virtual machine entry after live migration.................................................... 321
Live Migration.............................................................................................................. 322
Instant Recovery.......................................................................................................... 322
Recovery of folders and files.................................................................................................. 323
Searching for a file or folder........................................................................................ 323
Recovering a file or folder............................................................................................ 323
Restore files and folders directly to a guest file system.................................................. 324
Restoring to the source file system............................................................................... 324
Restore files and folders by download...........................................................................325
Restoring from notification link..................................................................................... 326
Restoring from Activity Detail........................................................................................326
Configuring Chrome to ask for download location.......................................................... 327

AHV virtual machines...................................................................................................................328


Nutanix cluster management.................................................................................................. 328
Nutanix prerequisites..............................................................................................................328
Nutanix limitations..................................................................................................................329
Configuring Nutanix support................................................................................................... 329
Rubrik Backup Service and Nutanix guests.............................................................................. 330
Virtual machine protection...................................................................................................... 330
Automatic protection.................................................................................................... 331
Automatic protection rules............................................................................................ 331
Unprotected virtual machines........................................................................................331
SLA Domain assignment......................................................................................................... 331
Assigning an SLA Domain setting to a virtual machine................................................... 332
Assigning an SLA Domain setting to a Nutanix cluster.................................................... 333
Manage Protection options............................................................................................334
Removing an SLA Domain setting................................................................................. 334
Virtual machine scripts........................................................................................................... 336
Enabling scripts............................................................................................................337
Exclude virtual machine disk files............................................................................................338
Excluding virtual machine disk files............................................................................... 338
Find protection objects........................................................................................................... 338
Displaying unprotected virtual machines from the Dashboard..........................................338
Displaying unprotected virtual machines from the AHV VMs page....................................339
Sorting virtual machines by using the SLA filter............................................................. 339
Finding virtual machines by using the Search field......................................................... 339
Finding entities by using the Object tab........................................................................ 340
Selecting data sources..................................................................................................340
Protected warning........................................................................................................ 341
Protection consequences........................................................................................................ 341

Contents 05/25/2022 | xv
Protecting a new virtual machine..................................................................................341
Changing protection consequences................................................................................342
Removing protection from a virtual machine..................................................................342
Reprotecting a virtual machine..................................................................................... 342
Local host page..................................................................................................................... 342
Viewing a local host page............................................................................................ 342
Action bar....................................................................................................................343
Overview card..............................................................................................................344
Snapshots card............................................................................................................ 344
Day view for a local virtual machine............................................................................. 345
Actions available on the Day view for a local virtual machine.......................................... 346
Virtual machine snapshots...................................................................................................... 347
AHV Performance and scalability................................................................................... 347
AHV backup processes................................................................................................. 348
Snapshot window......................................................................................................... 348
Backup consistency levels............................................................................................. 348
Application consistent snapshots on Linux..................................................................... 349
Setting snapshot consistency........................................................................................ 349
On-demand snapshots.................................................................................................. 350
Creating an on-demand snapshot of an AHV virtual machine.......................................... 350
Snapshot expiration......................................................................................................350
Archival snapshots..................................................................................................................351
Unmanaged data....................................................................................................................351
AHV Virtual machine recovery.................................................................................................352
Selecting a snapshot or archival snapshot..................................................................... 352
Selecting a replica........................................................................................................353
Virtual machine recovery using export...........................................................................353
Exporting a virtual machine snapshot............................................................................354
Virtual machine recovery using Live Mount....................................................................354
Virtual machine Live Mount operations.......................................................................... 355
Creating a Live Mount without migration....................................................................... 356
Creating a Live Mount with optional migration............................................................... 357
Live Mounts page for AHV virtual machines...................................................................358
Migrating a live mounted virtual machine...................................................................... 359
Unmounting a virtual machine...................................................................................... 359
Recovery of folders and files.................................................................................................. 360
Searching for a file, a folder, or a fileset....................................................................... 360
Recovering a file or folder............................................................................................ 361
Restoring to the source file system............................................................................... 361
Restore files and folders by download...........................................................................362
Restoring from notification link..................................................................................... 363
Restoring from Activity Detail........................................................................................363

vSphere virtual machines............................................................................................................ 365


Virtual machine protection...................................................................................................... 365
Automatic protection.................................................................................................... 365
Automatic protection rules............................................................................................ 366
Unprotected virtual machines........................................................................................367
Virtual machine linking................................................................................................. 367
Manage vCenters................................................................................................................... 368
vCenter Metro Storage Clusters.....................................................................................368
Minimum vCenter Server privileges............................................................................... 368
Adding vCenter Server connection information...............................................................369
Adding vCenter Metro Storage Cluster connection information.........................................370
Refreshing the metadata provided by a vCenter Server.................................................. 371
Editing vCenter Server connection information............................................................... 371



Enabling HotAdd transport for vCenter Servers.............................................................372
Deleting vCenter Server connection information............................................................. 372
Using vCenter Server diagnostics.................................................................................. 373
RBS on a Linux guest OS.......................................................................................................373
RBS on a Windows guest OS................................................................................................. 374
Windows access control list values................................................................................375
SLA Domain assignment......................................................................................................... 376
Assigning an SLA Domain setting to a virtual machine................................................... 377
Assigning an SLA Domain setting to a vCenter Server folder........................................... 378
Assigning an SLA Domain setting to a vCenter Server cluster or host...............................379
SLA Domain assignment by tag.................................................................................... 380
Manage Protection options............................................................................................381
Resolving SLA conflicts................................................................................................. 382
Removing an SLA Domain setting................................................................................. 383
Virtual machine scripts........................................................................................................... 384
Enabling scripts............................................................................................................385
Storage array integration........................................................................................................ 386
Datastore requirements for storage array integration......................................................386
Enabling storage array integration for a virtual machine................................................. 386
Exclude VMDK files................................................................................................................ 387
Excluding VMDK files of a virtual machine..................................................................... 387
Finding protection objects...................................................................................................... 388
Displaying all discovered virtual machines..................................................................... 388
Displaying unprotected virtual machines from the Dashboard..........................................388
Displaying unprotected virtual machines from the VM Protection page............................. 388
Sorting virtual machines by using the SLA filter............................................................. 389
Finding virtual machines by using the Search field......................................................... 389
Finding entities by using the object tab........................................................................ 390
Selecting data sources..................................................................................................390
Warning messages....................................................................................................... 391
Assignment Conflicts.................................................................................................... 391
Protected VMs warning.................................................................................................392
VMware tools warning.................................................................................................. 392
Protection consequences........................................................................................................ 392
Protect a new virtual machine...................................................................................... 393
Changing the assigned SLA Domain.............................................................................. 393
Remove protection from a virtual machine.................................................................... 393
Re-protect a virtual machine.........................................................................................394
Local host page..................................................................................................................... 394
Viewing a local host page............................................................................................ 394
Action bar....................................................................................................................395
Overview card..............................................................................................................396
Snapshots card............................................................................................................ 396
Day view for a local virtual machine............................................................................. 397
Actions available on the day view for a local virtual machine.......................................... 398
Snapshots.............................................................................................................................. 400
Backup processes.........................................................................................................400
Snapshot window......................................................................................................... 400
Protection exceptions....................................................................................................400
Backup consistency levels............................................................................................. 401
VMware Tools version...................................................................................................402
Application consistency................................................................................................. 402
Specifying crash consistent backups.............................................................................. 402
On-demand snapshots............................................................................................................403
Creating an on-demand snapshot of a vSphere virtual machine...................................... 403
Snapshot expiration......................................................................................................404



Unmanaged data....................................................................................................................404
Recovering and restoring virtual machine data........................................................................ 404
Recovery of virtual machines.................................................................................................. 405
Recovery actions by snapshot type............................................................................... 406
Selecting a snapshot or an archival snapshot.................................................................406
Selecting a replica........................................................................................................407
Virtual machine recovery.............................................................................................. 407
Live migration.............................................................................................................. 407
Virtual raw disk mappings............................................................................................ 408
esx_subnets and IP addresses...................................................................................... 408
Performing an Instant Recovery for a vSphere virtual machine........................................408
Creating a Live Mount of a vSphere virtual machine.......................................................410
Migrating a virtual machine to a vCenter Server datastore.............................................. 412
Verifying successful migration of a virtual machine.........................................................413
About batch Live Mounts..............................................................................................413
Creating a batch of vSphere virtual machines from snapshots.........................................414
Creating a Live Mount of a virtual disk snapshot............................................................415
IP address selection for Live Mounts............................................................................. 415
Exporting a vSphere virtual machine............................................................................. 417
Exporting a vSphere virtual machine with download.......................................................418
Exporting to a standalone host..................................................................................... 419
Powering off after Instant Recovery or Live Mount.........................................................420
Unmounting after Instant Recovery or Live Mount......................................................... 420
Removing a virtual machine entry after live migration.................................................... 421
In-Place Recovery of virtual machines........................................................................... 421
File and folder restore............................................................................................................423
Restore files and folders by download...........................................................................424
Searching for a file or folder........................................................................................ 424
Browsing for a file or folder......................................................................................... 425
Restore files and folders directly to a guest file system.................................................. 425
Restoring directly to a guest file system........................................................................426
Restoring files or folders by download from notification message.................................... 427
Restoring files or folders by download from Activity Detail.............................................. 428
Configuring Chrome to ask for download location.......................................................... 429
Continuous Data Protection.................................................................................................... 430
Installing the CDP Filter............................................................................................... 430
Uninstalling the CDP Filter............................................................................................ 431
Mounting a virtual machine from latest PIT on a Rubrik cluster.......................................431
Mounting a virtual machine from specific PIT on a Rubrik cluster.................................... 432

vCloud Director vApps................................................................................................................. 433


Protection and management features...................................................................................... 433
Metadata protection............................................................................................................... 435
Limitations............................................................................................................................. 435
Multitenancy and RBAC.......................................................................................................... 435
Protection hierarchy............................................................................................................... 436
Interaction with vSphere protection hierarchy................................................................ 437
Migration from virtual machine level protection..............................................................437
vCloud Director instances....................................................................................................... 437
Adding a vCloud Director instance................................................................................ 438
Refreshing vCloud Director instances.............................................................................438
Editing a vCloud Director instance................................................................................ 438
Deleting a vCloud Director instance.............................................................................. 439
vApp management................................................................................................................. 439
Finding a vApp through global search........................................................................... 440
Finding a vApp through vApp search............................................................................ 440

Finding a vApp through the vCD Organizations view...................................................... 441
Opening the local page for a vApp............................................................................... 441
Enabling synchronization...............................................................................................441
Excluding a virtual machine.......................................................................................... 442
Including an excluded virtual machine...........................................................................442
Performing tasks with a vApp virtual machine................................................................443
Protecting a vApp through the vCloud Director hierarchy................................................ 443
Protecting a vApp through the vApps tab...................................................................... 444
Protecting a vApp through the local page......................................................................444
Taking an on-demand snapshot of a vApp.....................................................................445
Protecting vApp templates...................................................................................................... 445
Recovery and restore of vApp data.........................................................................................447
Instant Recovery and Export network options................................................................447
Recovery workflow....................................................................................................... 448
Performing an Instant Recovery of a full vApp...............................................................449
Performing an Instant Recovery of a partial vApp.......................................................... 449
Exporting a full vApp................................................................................................... 450
Exporting a partial vApp...............................................................................................451
Recovering folders and files for download..................................................................... 452
Recovering folders and files to overwrite originals..........................................................453
Recovering folders and files to a new location............................................................... 453

VMware Cloud on AWS................................................................................................................ 455


Virtual machine HotAdd proxy requirements............................................................................ 455
Adding an SDDC.................................................................................................................... 456
Listing HotAdd proxy virtual machines.....................................................................................457
Editing the network configuration for proxy virtual machines.................................................... 457

Microsoft Azure VMware Solution...............................................................................................459


Requirements for Azure VMware Solution................................................................................ 459
Virtual machine HotAdd proxy requirements............................................................................ 460
Adding an SDDC.................................................................................................................... 461
Listing HotAdd proxy virtual machines.....................................................................................462
Editing the network configuration for proxy virtual machines.................................................... 462

Google Cloud VMware Engine..................................................................................................... 463


Requirements for Google Cloud VMware Engine.......................................................................463
Virtual machine HotAdd proxy requirements............................................................................ 464
Adding an SDDC.................................................................................................................... 465
Listing HotAdd proxy virtual machines.....................................................................................466
Editing the network configuration for proxy virtual machines.................................................... 466

CloudOn for AWS..........................................................................................................................467


CloudOn for AWS compute instances...................................................................................... 467
Prerequisites for CloudOn for AWS..........................................................................................468
Connectivity to AWS.....................................................................................................468
Security group............................................................................................................. 469
IAM roles.....................................................................................................................469
Pre-configurations for source virtual machines............................................................... 469
Boot loader partitioning configurations.......................................................................... 470
Virtual machine configurations...................................................................................... 470
AWS AMI tags............................................................................................................. 471
CloudOn CloudFormation template.......................................................................................... 472
Configuring AWS CloudOn using the CloudFormation template........................................ 472
CloudFormation template output................................................................................... 475
Workflow for manual configuration of AWS CloudOn................................................................ 475
Permissions............................................................................................................................ 476



Creating an Amazon S3 bucket..................................................................................... 476
AWS CloudOn security policy........................................................................................ 477
Creating a user account with access to the bucket.........................................................480
Creating a security policy for AWS CloudOn...................................................................480
VM Import service role...........................................................................................................481
Security group....................................................................................................................... 481
Security group requirements......................................................................................... 482
Creating a security group for AWS CloudOn.................................................................. 482
Configuring S3 Endpoints..............................................................................................483
Cloud conversion settings....................................................................................................... 483
Incremental snapshot conversion.................................................................................. 484
Configuring cloud conversion........................................................................................ 485
Cloud instance management...................................................................................................486
Instantiating a virtual machine on the cloud..................................................................487
Powering off a cloud instance.......................................................................................488
Removing entry............................................................................................................488
Launching AMIs........................................................................................................... 489
Removing cloud instances.............................................................................................489
Removing AMIs............................................................................................................ 489

CloudOn for Azure........................................................................................................................491


CloudOn for Azure compute instances.....................................................................................491
Prerequisites.......................................................................................................................... 492
Azure Virtual Network connection................................................................................. 492
Resource ID and subnet for VNet................................................................................. 493
Azure Active Directory application with contributor privileges.......................................... 493
Network security group................................................................................................ 493
Resource group............................................................................................................493
General purpose account storage.................................................................................. 493
Configurations on source virtual machine...................................................................... 494
Required settings......................................................................................................... 494
Azure CloudOn configuration and setup...................................................................................495
Downloading the Rubrik Cloud Compute for Azure zip file...............................................495
Setting up and configuring the PowerShell in Cloud Shell............................................... 495
Configuring Azure Objects............................................................................................ 496
Configuring the subnet................................................................................................. 497
Setting up permissions on Azure...................................................................................498
Azure CloudOn configuration...................................................................................................501
Editing a location to add Azure CloudOn................................................................................. 501
Cloud conversion settings....................................................................................................... 502
Linux incremental snapshot conversion..........................................................................503
Configuring cloud conversion........................................................................................ 504
Cloud instance management...................................................................................................505
Instantiating a virtual machine from a snapshot............................................................ 505
Instantiating a virtual machine on the cloud using VHDs................................................ 506
Powering off a cloud instance.......................................................................................507
Terminating cloud instances..........................................................................................507
Removing virtual machine entries................................................................................. 508
Launching virtual machines images............................................................................... 508
Removing virtual machine images................................................................................. 509
Resource groups.......................................................................................................... 509

Amazon EC2 instance backup..................................................................................................... 511


Amazon EC2 instance protection............................................................................................. 511
Automatic protection.................................................................................................... 511
Automatic protection rules............................................................................................ 512

Indexing when VPN is unavailable................................................................................ 512
AWS account and user........................................................................................................... 513
Configuring the AWS account security policy................................................................. 513
Configuring the Rubrik CDM user..................................................................................514
Adding an AWS account......................................................................................................... 515
Amazon EC2 Instances tab data................................................................................... 516
Managing an existing AWS account.........................................................................................516
Assigning an SLA to an Amazon EC2 instance......................................................................... 517
EBS volume exclusion.............................................................................................................518
Excluding EBS volumes from the protection assigned to an instance................................518
Taking an on-demand snapshot.............................................................................................. 518
Restoring Amazon EC2 instance snapshots.............................................................................. 519
Exporting Amazon EC2 instance snapshots.............................................................................. 519
Downloading files or folders from snapshots............................................................................520

File systems.................................................................................................................................. 521


Hosts and shares combined with filesets................................................................................. 522
Protection workflow for host filesets............................................................................. 522
Protection workflow for storage array filesets................................................................ 522
Protection workflow for share filesets............................................................................522
File system metadata................................................................................................... 523
Symbolic links and junctions......................................................................................... 523
Open files.................................................................................................................... 523
Modified files............................................................................................................... 523
Direct Archive.............................................................................................................. 524
Determining access for files exported to Linux.........................................................................524
Rubrik Backup Service............................................................................................................525
Host management..................................................................................................................525
Adding a host.............................................................................................................. 526
Editing the stored information for a host.......................................................................526
Removing a host..........................................................................................................527
NAS host management...........................................................................................................527
Required Isilon privileges..............................................................................................528
Adding an Isilon NAS host............................................................................................528
Minimum NetApp privilege requirements for NetApp API integration................................ 529
Adding a NetApp NAS host...........................................................................................531
Adding a Nutanix NAS host.......................................................................................... 532
NAS shares.................................................................................................................. 533
Edit the stored information for a NAS host.................................................................... 535
Removing a NAS host.................................................................................................. 535
SnapDiff usage.............................................................................................................536
NetApp SnapMirror....................................................................................................... 537
Filesets.................................................................................................................................. 539
Adaptive backup for fileset........................................................................................... 540
Fileset fields, rules, and value types..............................................................................540
Host-specific fields....................................................................................................... 541
Fileset description rules................................................................................................ 541
Host-specific fileset description rules............................................................................. 542
Accepted values for fileset descriptions......................................................................... 543
Regular expression handling......................................................................................... 543
Fileset regular expression conversions........................................................................... 544
Fileset error notifications.............................................................................................. 546
Creating a fileset..........................................................................................................546
Editing a fileset............................................................................................................547
Deleting a fileset from a host or share..........................................................................548
Deleting a fileset globally............................................................................................. 548

Host filesets and share filesets............................................................................................... 549
Protecting a host fileset or share fileset........................................................................ 549
Starting an on-demand backup of a host fileset or share fileset...................................... 551
Removing protection for a host fileset or share fileset.................................................... 552
Cluster-served fileset protection.............................................................................................. 553
Creating a Windows cluster.......................................................................................... 553
Protecting a Windows cluster-served fileset................................................................... 553
Creating a Linux or Unix cluster................................................................................... 554
Adding a fileset protection on Linux and Unix clusters....................................................555
Storage array integration........................................................................................................ 555
Adding an array-enabled fileset.....................................................................................556
Adding an array-enabled Array Volume Group................................................................556
Backup scripts for Linux, Unix, or Windows hosts.................................................................... 557
Configure backup script behavior.................................................................................. 557
Enabling host scripts.................................................................................................... 558
Local host pages and local share pages.................................................................................. 558
Viewing the local page................................................................................................. 559
Overview card in the local view.................................................................................... 559
Filesets card.................................................................................................................559
Snapshots card............................................................................................................ 560
Activities card.............................................................................................................. 561
Unmanaged data....................................................................................................................561
Data recovery from a host fileset or share fileset.................................................................... 562
Searching for a file, a folder, or a fileset....................................................................... 562
Recovering files, folders, or filesets............................................................................... 563
Restoring a file, a folder, or a fileset............................................................................. 563
Export path..................................................................................................................564
Showing hidden files on Windows hosts........................................................................ 565
Exporting a file, a folder, or a fileset.............................................................................565
Downloading files or a folder from a fileset snapshot..................................................... 566
Full Volume Protection for Windows........................................................................................ 566
Protecting Windows volumes........................................................................................ 567
Installing the Rubrik Volume Filter Driver on a Windows host......................................... 568
Taking an on-demand backup of a volume group...........................................................568
Restoring a Windows volume........................................................................................569
Downloading the Windows recovery tools......................................................................570
Restoring a volume group on a Windows host without RBS............................................ 570
Restoring a legacy snapshot of a basic boot volume group to a host without Windows...... 571
Restoring a basic boot volume group to a host without Windows.................................... 574
Restoring a volume group using Rubrik CDM v4.2 MBR dynamic volumes.........................575
Restoring a volume group without Windows using MBR dynamic volumes........................ 578
Restoring a volume group using GPT dynamic volumes.................................................. 580

Oracle databases.......................................................................................................................... 583


Oracle configuration............................................................................................................... 584
System requirements.................................................................................................... 584
Create an empty oratab file..........................................................................................586
Rubrik Backup Service.................................................................................................. 586
Role based access..................................................................................................................587
Create an Oracle query user account............................................................................ 588
Verifying the functionality of the Oracle query user account............................................591
Adding a query user to an existing host........................................................................591
Oracle database management.................................................................................................592
Automated Oracle Data Protection................................................................................ 593
OKV-managed TDE databases.......................................................................................594
Discovering Oracle databases........................................................................................595

Validating Oracle databases.......................................................................................... 596
Refreshing Oracle hosts................................................................................................597
Remove an Oracle RAC................................................................................................ 597
Assigning an SLA Domain to a host or database............................................................ 597
Oracle Data Guard on Rubrik clusters..................................................................................... 598
Oracle Data Guard group tablespace point-in-time recovery............................................ 598
Oracle Data Guard member node log deletion............................................................... 599
Reviewing Oracle Data Guard groups............................................................................ 599
Oracle Data Guard group validation.............................................................................. 600
Taking an on-demand snapshot of an Oracle Data Guard group...................................... 601
Backing up Oracle Data Guard logs...............................................................................601
Restoring an Oracle Data Guard group..........................................................................602
Instantly recovering Oracle Data Guard groups.............................................................. 603
Oracle Data Guard Live Mount......................................................................................604
Oracle Data Guard group backups................................................................................ 606
Placing Oracle Data Guard groups on legal hold............................................................ 608
Changing retention for an Oracle Data Guard group snapshot.........................................608
Backups and archived redo logs............................................................................................. 610
Backing up databases...................................................................................................611
Backing up logs........................................................................................................... 613
Policies for archived log deletion...................................................................................614
Archive log restore.................................................................................................................615
Mounting archived logs.................................................................................................615
Restoring the archived logs manually............................................................................ 616
Creating an on-demand snapshot........................................................................................... 616
Point-in-time recovery............................................................................................................ 617
Number of channels in recovery............................................................................................. 618
Live Mount for Oracle............................................................................................................ 618
Live Mount and snapshot chain consolidation................................................................ 619
Directories created before a recovery operation............................................................. 619
Live Mount prerequisites...............................................................................................620
Mounting a database backup using Live Mount..............................................................620
Recover databases after a file-only live mount...............................................................622
Instant Recovery for Oracle.................................................................................................... 627
Dropping a database.................................................................................................... 628
Performing an Instant Recovery.................................................................................... 629
Database clones for Oracle.....................................................................................................630
Database clone prerequisites........................................................................................ 631
SPFILE requirements.................................................................................................... 632
Custom PFILE recovery................................................................................................ 632
Clone using a different database name......................................................................... 633
Cloning databases........................................................................................................ 633
Managing failed clones................................................................................................. 635
Advanced Oracle database clone and mount parameters.......................................................... 635
Memory parameters..................................................................................................... 635
File location parameters............................................................................................... 636
Oracle database cloning and mounting parameters........................................................ 640
Same Host Recovery.............................................................................................................. 640
Prerequisites for Same Host recovery............................................................................ 641
Performing a Same Host recovery.................................................................................641
Performing a roll forward recovery................................................................................ 642
Tablespace recovery............................................................................................................... 642
Dropping a tablespace..................................................................................................643
Restoring tablespaces................................................................................................... 644

SQL Server databases.................................................................................................................. 646

Point-in-time recovery............................................................................................................ 647
Live Mount.............................................................................................................................648
SQL Server requirements........................................................................................................648
SQL Server permissions required for backups................................................................ 648
Rubrik Backup Service............................................................................................................649
Windows Server hosts............................................................................................................ 649
Adding a Windows Server host..................................................................................... 649
Removing a Windows Server host.................................................................................650
SQL Server per-host tuning.................................................................................................... 651
Per-host configurations................................................................................................. 651
Numerical limits for per-host configurations................................................................... 652
Creating a per-host configuration..................................................................................652
Updating a per-host configuration................................................................................. 652
Retrieving a per-host configuration............................................................................... 653
Listing per-host configurations for multiple hosts........................................................... 653
Deleting a per-host configuration.................................................................................. 654
SQL Server databases............................................................................................................ 655
Setting the default log backup frequency...................................................................... 655
Managing and protecting databases through a parent object.......................................... 656
Managing and protecting individual databases............................................................... 657
Removing an SLA Domain assignment...........................................................................658
Creating an on-demand snapshot................................................................................. 658
Creating a group on demand snapshot task.................................................................. 659
Creating a tail-log backup.............................................................................................660
Downloading snapshot and transaction logs...................................................................660
SQL Change Block Tracking.................................................................................................... 661
Configuring default CBT settings................................................................................... 661
Enabling or disabling CBT on a Windows host............................................................... 661
Change block tracking for SQL Server clusters............................................................... 662
Unmanaged data....................................................................................................................663
Recovery Points card page..................................................................................................... 663
Overview card..............................................................................................................663
Recovery Points card.................................................................................................... 664
Database recovery................................................................................................................. 664
Recovering a database................................................................................................. 664
Live mounting a SQL Server database...........................................................................665
Force Unmount............................................................................................................ 666
Unmounting a Live Mount database.............................................................................. 666
Exporting a database................................................................................................... 667
SQL Server log shipping......................................................................................................... 668
Setting up a log shipping target................................................................................... 668
Deleting the log shipping configuration......................................................................... 670
Windows Server Failover Clustering.........................................................................................670
Automatic detection and display................................................................................... 670
Failover events............................................................................................................. 671
Adding failover clusters................................................................................................ 671
Viewing failover clusters and databases.........................................................................672
Managing and protecting FCI databases through a parent object.................................... 672
Managing and protecting individual FCI databases......................................................... 673
Removing an SLA Domain assignment...........................................................................674
Creating an on-demand snapshot................................................................................. 675
Recover or export from FCI database recovery points.................................................... 675
Always On Availability Groups................................................................................................. 675
Exporting or restoring an availability database recovery point......................................... 676
Workflow to restore a database into an Always On Availability Group...............................677

SAP HANA databases................................................................................................................... 678
SAP HANA backup retention................................................................................................... 678
Rubrik Backup Service for SAP HANA...................................................................................... 679
Requirements for using sap_hana_bootstrap_main...................................................................679
Including a JSON file with the bootstrap script.............................................................. 680
Including user names and passwords at the command line.............................................681
Enabling SSL connections....................................................................................................... 681
Registering SAP HANA database............................................................................................. 682
Configuring Rubrik backup for SAP HANA databases................................................................ 683
Backing up an SAP HANA database........................................................................................ 684
Viewing the backup catalog.......................................................................................... 685
Restoring an SAP HANA database........................................................................................... 685
Bootstrap SAP HANA for high availability................................................................................. 686
Copying a database from an external host.............................................................................. 686
Restoring a database from a Managed Volume snapshot.......................................................... 688
Pausing Backint backups........................................................................................................ 690
Resuming Backint backups..................................................................................................... 691
SAP HANA best practices........................................................................................................692
Managed Volume SLA Domains..................................................................................... 692
SAP HANA log backup frequency.................................................................................. 693
Managed Volume Channels........................................................................................... 693
Backint streams........................................................................................................... 695
Floating IPs................................................................................................................. 695

Managed Volumes........................................................................................................................ 696


Configuration workflow........................................................................................................... 696
Floating IP addresses............................................................................................................. 697
Setting up floating IP addresses................................................................................... 697
Managed Volume settings.......................................................................................................698
Managed Volume application tags................................................................................. 699
Creating a Managed Volume................................................................................................... 700
Editing a Managed Volume..................................................................................................... 701
Resizing a Managed Volume................................................................................................... 702
Deleting a Managed Volume................................................................................................... 702
Managed Volume mounts....................................................................................................... 703
Linux baseline mount options....................................................................................... 703
AIX baseline mount options.......................................................................................... 704
Solaris baseline mount options..................................................................................... 705
Mounting the channels through fstab on Linux.............................................................. 705
Mounting the channels through fstab on AIX................................................................. 706
Mounting the channels through fstab on Solaris.............................................................706
Obtaining the exported channels...................................................................................707
Mounting the channels from the command line............................................................. 708
Managed Volumes with Oracle databases................................................................................ 708
Relationship between RMAN backups and SLA Domain snapshots....................................709
Direct NFS................................................................................................................... 710
Performance database parameters and mount options....................................................710
Block change tracking.................................................................................................. 713
RMAN merged incremental backups.............................................................................. 713
Managed Volumes end snapshot API failure............................................................................ 717
Managing protection with SLA Domains...................................................................................717
Relationship between scripted backups and SLA Domain snapshots................................. 718
Assigning an SLA Domain to Managed Volumes............................................................. 719
Snapshot-level protection........................................................................................................719
Specifying Managed Volume snapshot assignment..........................................................720

Creating a Live Mount from a Managed Volume snapshot............................................... 720
Deleting an unmanaged on-demand snapshot............................................................... 721
Viewing a Managed Volume local page................................................................................... 721
Action bar....................................................................................................................722
Overview card..............................................................................................................722
Snapshots card............................................................................................................ 722

SLA Managed Volumes.................................................................................................................723


SLA Managed Volume settings................................................................................................ 723
Prohibited mount points and script directories for SLA Managed Volumes.................................. 726
Creating NFS SLA Managed Volumes.......................................................................................727
Preparing Windows hosts for SLA Managed Volumes................................................................728
Creating SMB SLA Managed Volume........................................................................................729
Custom SLA Domains for SLA Managed Volumes..................................................................... 731
Recovering SLA Managed Volumes.......................................................................................... 732
SLA Managed Volumes backup failure..................................................................................... 732
Error handling in backup scripts....................................................................................733

Retention management............................................................................................................... 735


Snapshot Management page...................................................................................................736
Opening the Snapshot Management page..................................................................... 736
Types of snapshots...................................................................................................... 736
Unmanaged Snapshots data source fields......................................................................737
Filters available at the data source level........................................................................738
Reader location object refresh...................................................................................... 738
Viewing the object level of the Snapshot Management page...........................................739
Filters available at the object level................................................................................740
Relic data sources........................................................................................................ 740
Legal Hold page.....................................................................................................................742
Legal hold limitations................................................................................................... 742
Viewing legal hold summary information....................................................................... 743
Placing a legal hold on a snapshot............................................................................... 743
Downloading a snapshot on legal hold.......................................................................... 744
Removing a legal hold..................................................................................................744
Unprotecting a data source.................................................................................................... 746
Changing the retention policy for snapshots............................................................................ 746
Changing the retention policy for a protectable object............................................................. 747
Deleting snapshots for a data source...................................................................................... 748
Removing individual snapshots for a data source.....................................................................748
Removing snapshots retrieved from an archive........................................................................749

Reports.......................................................................................................................................... 750
Summary view....................................................................................................................... 750
Viewing report summary information.............................................................................750
Displaying a report.......................................................................................................751
Default reports.......................................................................................................................751
Custom reports...................................................................................................................... 752
Object logical size........................................................................................................ 752
Types of charts............................................................................................................ 753
Chart measures............................................................................................................753
Chart attributes............................................................................................................ 759
Table measures............................................................................................................ 761
Table attributes............................................................................................................ 766
Report filters................................................................................................................767
Creating a custom report..............................................................................................769
Modifying a custom report............................................................................................771
Transaction log metadata retention......................................................................................... 771

Changing transaction log metadata retention................................................................. 771
Exporting a report data table................................................................................................. 772
Report schedules....................................................................................................................772
Scheduling reports....................................................................................................... 772
Changing ownership of a scheduled report email subscription......................................... 773
Changing a report schedule.......................................................................................... 773
Removing report schedules...........................................................................................774

System and task information...................................................................................................... 775


Data measurements............................................................................................................... 775
Dashboards............................................................................................................................ 776
Viewing the Summary Dashboard................................................................................. 776
Viewing the Monitoring dashboard................................................................................ 778
Viewing the Compliance dashboard............................................................................... 782
Viewing the CDP Performance dashboard...................................................................... 783
Viewing the System Performance dashboard..................................................................784
Viewing log backup status from the Databases dashboard.............................................. 786
Activity Log............................................................................................................................787
Viewing Activity Log messages............................................................................................... 787
Viewing error chains.............................................................................................................. 788
Filtering messages..................................................................................................................788
Viewing activity details........................................................................................................... 789
Information provided by Activity Log messages....................................................................... 790
Activity Log filters.................................................................................................................. 790
Specifying a custom date range..............................................................................................791

The two-person rule.................................................................................................................... 793


Initial TPR configuration......................................................................................................... 793
Actions protected by TPR............................................................................................. 794
Enabling TPR............................................................................................................... 795
Adding TPR accounts................................................................................................... 796
TPR roles...............................................................................................................................797
Global administrator role details....................................................................................797
TPR Admin role details................................................................................................. 800
TPR Approver role details............................................................................................. 800
TPR requests......................................................................................................................... 801
TPR request details...................................................................................................... 801
Viewing TPR requests...................................................................................................802
Managing TPR requests................................................................................................ 803
Canceling TPR requests................................................................................................ 803
Updating the TPR options.............................................................................................804

Appendix A: Ports......................................................................................................................... 805


Additional network requirements.............................................................................................811
Uses for secure port 443 TCP.......................................................................................811
Rubrik cluster inbound ports.........................................................................................814
Rubrik cluster outbound ports.......................................................................................817
Ports used for communication between nodes in a cluster.............................................. 819
Archiving ports.......................................................................................................................820
Azure ports............................................................................................................................ 821
GCP ports.............................................................................................................................. 821
AWS ports............................................................................................................................. 822
HotAdd proxy port requirements................................................................................... 823
Replication port information....................................................................................................823

Appendix B: Minimum vCenter Server privileges....................................................................... 824
Minimum datastore privileges................................................................................................. 824
Minimum global privileges...................................................................................................... 825
Minimum host privileges......................................................................................................... 825
Minimum network privileges................................................................................................... 825
Minimum resource privileges...................................................................................................826
Minimum sessions privileges................................................................................................... 826
Minimum virtual machine privileges.........................................................................................826
Minimum profile-driven storage privileges................................................................................ 829
Minimum vSphere tagging privileges....................................................................................... 829

Appendix C: Active Directory account.........................................................................................830


Initialization account required permissions...............................................................................830
Delegating initialization account permissions............................................................................831
Confirming the delegation of permissions................................................................................ 832

Appendix D: Archive preparation................................................................................................ 833


Generating an RSA key.......................................................................................................... 833
Prepare to use Amazon S3 as an archival location................................................................... 833
Creating an Amazon S3 bucket..................................................................................... 834
AWS permissions for archiving...................................................................................... 834
Creating a security policy for the bucket....................................................................... 838
Creating a user account with access to the bucket.........................................................839
Preparing to use GCP as an archival location...........................................................................840
Azure permissions for archiving.............................................................................................. 841
Archive preparation in Azure...................................................................................................842
Azure storage account settings..................................................................................... 843
Azure storage account access keys............................................................................... 844
Preparing Scality as an archival location..................................................................................845
Preparing to use an NFS share as an archival location............................................................. 845
NFS Export settings......................................................................................................845
Preparing an Isilon NFS share as an archival location...............................................................846
Prepare a QStar Integral Volume as an archival location.......................................................... 846
QStar requirements...................................................................................................... 846
Setting up the QStar Integral Volume set...................................................................... 847

Appendix E: Node shutdown and reboot.................................................................................... 849


Determining the status of the node........................................................................................ 849
Shutting down the node.........................................................................................................850
Shutting down the cluster...................................................................................................... 850
Rebooting the cluster or node................................................................................................ 851

Appendix F: Changing the hostname of the node......................................................................852

Appendix G: Audit and change management of configuration parameters..............................853


Parameters to filter the list of configuration updates................................................................ 853
Viewing a list of configuration updates....................................................................................855
Parameters to filter configuration values by date..................................................................... 856
Viewing configuration values by date...................................................................................... 857
HTTP status codes................................................................................................................. 858
Chapter 1
Configuration

Configure a Rubrik cluster and perform other system tasks.


This chapter describes how to log in to the Rubrik CDM web UI and provides an overview of the tasks
available through the gear menu.

Logging in to the Rubrik CDM web UI


Steps to access the Rubrik CDM web UI for the first time.

Procedure
1. On a computer with network access to the Rubrik cluster, start a web browser.
2. In the address field, type the following URL: https://RubrikCluster
Where RubrikCluster is the resolvable hostname or IP address of the Rubrik cluster.
The Welcome screen appears.
3. In Username, type admin.
Use the admin account to log in to the Rubrik cluster for the first time.
4. In Password, type the password for the admin account.
Use the password for the admin account that was created during system setup.
5. Click Sign In.
At the first login, the End User License Agreement appears.
6. Click I Agree to continue.

Result
The Dashboard page for the Rubrik CDM web UI appears.

Note: When the Rubrik cluster has not been registered, a notification appears on each page of the Rubrik
CDM web UI. The Rubrik CDM Install and Upgrade Guide provides detailed information about how to
register the Rubrik cluster.

Logging in with a local account


Users who have an account in the local directory on the Rubrik cluster can log in with their local account
credentials. During the first login, the Domain field is left blank since local users are not logging in through
an LDAP domain.

Procedure
1. Open the Rubrik CDM web UI in a web browser.
The Welcome screen appears.
2. In Username, type the username assigned to the local account.
3. In Password, type the password for the account.

Configuration 05/25/2022 | 29
4. Click Sign In.

Result
The Dashboard page for the web UI appears.

Logging in with an LDAP account


Authentication through an LDAP domain requires a user name and password associated with that domain.
If a user is a member of multiple LDAP domains, the user should indicate which domain to use for
authentication.

Context
If no domain is specified during login, the Rubrik cluster searches all LDAP domains randomly until it finds
the first occurrence of the user name. The password entered by the user must match the password stored
in the LDAP directory that was found during the search, or login fails.

Procedure
1. Open the Rubrik CDM web UI in a web browser.
The Welcome screen appears.
2. In Username, type the username associated with the LDAP account.
3. In Password, type the password for the account.
4. In Domain or Domain Display Name, type the name of the LDAP domain that contains the login
credentials to be used for authentication.
5. Click Sign In.

Result
The Rubrik cluster authenticates the username through the specified LDAP domain, with one of the
following results:
• Authentication succeeds, and access is permitted. The Dashboard page for the web UI appears.
• Authentication succeeds, but access is denied because the user account has the No Access role
assigned.
• Authentication fails.
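
The domain search described in the Context above can be modeled to show why the same credentials may succeed or fail when no domain is given. This is an added example, not Rubrik code: the domain names, accounts, passwords, and the "Administrator" and "End User" role labels are constructed, and a password comparison stands in for a real LDAP bind.

```python
"""Model of the LDAP login search described in this section (illustrative only)."""
import hmac
import itertools
import random

# Constructed sample data: domain -> {username: (password, role)}.
# Everything here is invented for the example except the "No Access" role,
# which is the role named in the guide.
DOMAINS = {
    "corp.example": {
        "jsmith": ("corp-pass", "Administrator"),
        "alee": ("alee-pass", "No Access"),
    },
    "lab.example": {"jsmith": ("lab-pass", "End User")},
    "dmz.example": {"bkim": ("bkim-pass", "End User")},
}


def authenticate(username, password, search_order, domains=DOMAINS):
    """Walk the domains in search_order and stop at the first username match."""
    for domain in search_order:
        entry = domains.get(domain, {}).get(username)
        if entry is None:
            continue  # user not in this domain, keep searching
        stored_password, role = entry
        # First occurrence wins: a mismatch here fails the login and the
        # remaining domains are never consulted.
        if not hmac.compare_digest(password.encode(), stored_password.encode()):
            return "failed"
        return "denied-no-access" if role == "No Access" else "granted"
    return "failed"  # username not found in any searched domain


def login(username, password, domain=None, rng=None, domains=DOMAINS):
    """Log in with an explicit domain, or with a random search when it is omitted."""
    if domain is not None:
        return authenticate(username, password, [domain], domains)
    order = list(domains)
    (rng or random).shuffle(order)  # models "searches all LDAP domains randomly"
    return authenticate(username, password, order, domains)


def possible_outcomes(username, password, domains=DOMAINS):
    """Every result a domain-less login can produce, over all search orders."""
    return {
        authenticate(username, password, order, domains)
        for order in itertools.permutations(domains)
    }


def ambiguous_usernames(domains=DOMAINS):
    """Usernames that exist in more than one domain, with the domains holding them."""
    owners = {}
    for domain, users in domains.items():
        for user in users:
            owners.setdefault(user, []).append(domain)
    return {user: sorted(found) for user, found in owners.items() if len(found) > 1}


if __name__ == "__main__":
    # Same credentials, no domain given: the result depends on the search order.
    print("jsmith, no domain:", sorted(possible_outcomes("jsmith", "corp-pass")))
    # Naming the domain makes the result deterministic.
    print("jsmith @ corp.example:", login("jsmith", "corp-pass", "corp.example"))
    # Accounts an administrator should review or require a domain for.
    print("ambiguous usernames:", ambiguous_usernames())
```

Usernames reported by `ambiguous_usernames` are the ones for which omitting the domain produces intermittent login failures, which can look like password-guessing noise in authentication logs.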

Logging in with Single Sign-on


Use single sign-on to log in to Rubrik CDM through an identity provider.

Prerequisites
A user with global administrator privileges must first configure single sign-on in the Rubrik CDM web UI
and in the UI of the identity provider. Once configured, the Sign In with SSO button becomes available
on the Welcome screen.

Procedure
1. Open the Rubrik CDM web UI in a web browser.
The Welcome screen appears.
2. Click Sign In with SSO.
The Rubrik CDM web UI redirects to the login page for the Identity Provider.
3. Type the requested login credentials and click Sign In.

Result
The identity provider login page redirects to the Rubrik CDM web UI, and the Dashboard page appears.

Logging in with Polaris
A Polaris user can use their credentials to log in to a connected Rubrik cluster.

Context
Users with accounts on a Polaris instance can use their Polaris credentials to log in to Rubrik clusters
managed by that Polaris instance.

Procedure
1. Open the Rubrik CDM web UI in a web browser.
The Welcome screen appears.
2. Click Sign In with Polaris.
The Polaris login screen appears. Users who are already logged in to Polaris are redirected to the CDM
dashboard.

Result
The Dashboard page appears.

Federated Access with Polaris


Federated access enables Polaris user accounts to directly access the connected Rubrik clusters and the
inventory of protectable objects from the Polaris web UI.
Federated access allows Polaris users to seamlessly access the connected Rubrik clusters without providing
the login credentials. A Polaris user with the Administrator role can enable or disable the Federated Access
feature from the Polaris web UI.
For federated access to work, Polaris acts as the identity provider and uses the SAML protocol to pass the
identity and the permissions associated with the currently logged-in Polaris user account to the Rubrik
cluster. When federated access is enabled, the Polaris web UI provides an option to enable the display of
the inventory of protectable objects derived from the Rubrik clusters. Administrators can create roles with
privileges that apply to the protectable objects of the Rubrik clusters and assign the roles to user accounts
in the Polaris web UI. Rubrik clusters honor the role-based access control (RBAC) rules that are created
and assigned to the user accounts in Polaris. Additionally, Polaris users with the Administrator role retain
the administrative privileges in the Rubrik clusters.
The Activity Log in the Rubrik cluster displays a message that includes the username of the account that
was granted the federated access from Polaris using SAML SSO and the IP address of the Polaris instance.
Federated access from Polaris is available only for Rubrik clusters running Rubrik CDM version 5.3.2 and
later, and provides the following capabilities:
• Direct access to the summary dashboard of the Rubrik cluster that is selected on the Clusters page.
• Direct access to the management page of a protectable object on a Rubrik cluster from the Inventory
page.
• Ability to create and assign roles with privileges to manage the protectable objects of the connected
Rubrik clusters from the Polaris web UI.
• Availability of Polaris RBAC rules across the connected Rubrik clusters.

Gear menu
The Rubrik CDM web UI provides access to Rubrik cluster settings and tasks through the gear menu.
Use the gear menu to perform the following configurations in Rubrik CDM:
• Application Configuration
• System Configuration
• Network Configuration
• Access Management
• Support

Opening the gear menu


The gear menu provides access to Rubrik cluster settings and tasks.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.

Result
The gear menu appears.

Settings and tasks available through the gear menu


The gear menu provides access to the Rubrik cluster settings and tasks.

Menu item Description


Application Configuration
vCenter Servers Add, view, edit, and delete vCenter Servers.
See Virtual machine protection for more information.

vCD Instances Add, refresh, edit, and delete vCloud Director instances. See vCloud Director
instances for more information.
SCVMM servers Add, view, edit, and delete Microsoft System Center Virtual Machine Managers
(SCVMMs).
See Hyper-V virtual machines for more information.

Nutanix Clusters Add, view, edit, and delete Nutanix Clusters.
See Configuring Nutanix support for more information.

Hosts Add, view, edit, and delete physical Windows, Linux, and Unix hosts.
See Configuring SNMPv2c support for more information.

Cloud Sources Configure the cloud accounts and regions where instances need to be protected.
See Adding an AWS account for more information.

Guest OS Settings Provide credentials to access the guest operating systems. Also, control
deployment of the Rubrik Backup Service (RBS) to vSphere virtual machines that
have a Windows guest operating system.
See Guest OS settings for more information.

System Configuration
Replication Targets Add and remove a Rubrik cluster as a replication target and view information
about replication activity.

See Replication for more information.

Archival Locations Provide the connection settings for an archival location, view information about
archival activity, and initiate a recovery connection.
See Archiving for more information.

Storage Arrays Add, edit, and remove configuration information for storage arrays.
See Manage storage arrays for more information.

Adaptive Backup Configure the Rubrik cluster to pause backup of a virtual machine when resource
usage exceeds set values.
See Adaptive Backup for more information.

Pause Protection Manual pause and resume of all backup jobs and archival jobs.
See Network Throttling for more information.

IPMI Credentials Provide more security for the baseboard management controller on the Rubrik
nodes by setting an IPMI password.
See Configuring IPMI for more information.

iSCSI Sources Provide and view the connection settings for an iSCSI data connection.
See Configuring iSCSI for more information.

Certificate Management Install or delete signed Transport Layer Security (TLS) certificates, and generate
Certificate Signing Requests (CSRs).
For more information, refer to the Rubrik CDM Security Guide.

Cluster Settings Set Rubrik cluster name and time zone and set visibility settings for Data
Sources.
See Time zone setting and Data sources setting for more information.

SMB Security Configure SMB security to use secure SMB enforcement.


See Secure SMB for more information.

Manage Encryption Configure the Rubrik cluster for encryption.


See Encryption for more information.

Network Configuration
Proxy Settings Provide the Rubrik cluster with proxy configuration information for external
connections.
See Proxy settings for more information.

Network Settings Provide connection information for NTP servers, DNS servers, and search
domains. Also provides information on Interfaces.
See Network settings for more information.

Network Throttling Enable and configure replication throttling. Enable and configure archival
throttling.
See Network Throttling for more information.

Notification Settings Configure the SMTP server on the Rubrik cluster so it can send email. Configure
an SNMP server to be able to poll the Rubrik cluster for information. Configure
a list of email recipients, and decide whether log messages should be sent to
Syslog.
See Email notifications, SNMP integration, and Syslog settings for more
information.

Access Management
Users Manage local user accounts and manage authorization for authenticated users.
See User accounts for more information.

Organizations Manage local tenant organizations.


See Multitenant organizations for more information.

Support
Support Bundle Instruct the Rubrik cluster to provide a complete bundle of cluster and node logs
for local download.
See Creating and downloading a support bundle for more information.

Support Tunnel Enable and disable the tunnel used by Rubrik Support.
See Secure access to the support tunnel for more information.

About Rubrik Click to display the Rubrik software version.

Manage hosts
The Hosts page is a central location to manage physical hosts in the Rubrik cluster.
The Rubrik cluster supports Windows, Linux, and Unix hosts. The Hosts page provides a central location
to add the supported physical hosts to the Rubrik cluster. The Hosts page also provides the ability to edit
hosts and to remove hosts from the Rubrik cluster.

Adding a physical host


Add supported physical hosts to the Rubrik cluster.

Prerequisites
Install the Rubrik Backup Service (RBS) software on the hosts by completing the tasks described in:
• Downloading the RBS software or Obtaining the RBS software by URL
• Installing RBS on Linux and Unix hosts or Installing RBS on Windows

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Hosts.
The Hosts page appears.
4. Select one of the following host tabs.
• Windows Hosts
• Linux & Unix Hosts
5. Click the + icon.
The Add Hosts dialog box appears.
6. In IPs or Hostnames, type a comma-separated list of IPv4 addresses or resolvable hostnames of
physical hosts.
The list can contain a mix of IPv4 addresses and hostnames. The Rubrik cluster requires one IPv4
address or one hostname for each physical host being added.
7. Click Add.

Result
The Rubrik cluster checks connectivity with the specified physical hosts and adds the physical hosts.
Related Tasks
Adding a query user to an existing host
Update an existing Oracle host with information on the Oracle query user in order to use the Oracle query
user instead of the user with SYSDBA privileges.

Editing a physical host


Edit the IP address or hostname specified for a physical host.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Hosts.
The Hosts page appears.
4. Select the Windows Hosts tab or select the Linux & Unix Hosts tab.
5. Open the ellipsis menu next to a host entry and click Edit.
The Edit Host dialog box appears.
6. In IP or Hostname, type a replacement IPv4 address or resolvable hostname for the physical host.
7. Click Update.

Result
The Rubrik cluster checks connectivity using the specified value and stores the information for the host.
Related Tasks
Adding a query user to an existing host
Update an existing Oracle host with information on the Oracle query user in order to use the Oracle query
user instead of the user with SYSDBA privileges.

Removing a physical host


Remove a physical host from the Rubrik cluster when data management is no longer required.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Hosts.
The Hosts page appears.
4. Select the Windows Hosts tab or select the Linux & Unix Hosts tab.
5. Open the ellipsis menu next to a host entry and click Delete.
A confirmation message appears.
6. Click Delete.

Result
The Rubrik cluster removes the selected host.

Guest OS settings
Enable the administration of guest OS credentials for virtual machines and fileset hosts.
The Guest OS Settings page enables the administration of guest OS credentials for virtual machines and
fileset hosts. The page also provides a setting to enable and disable automatic deployment of the Rubrik
Backup Service to vSphere virtual machines.
The Rubrik cluster uses guest OS credentials to provide application consistent snapshots of vSphere virtual
machines that are running a Windows guest operating system. The Rubrik cluster also uses guest OS
credentials to enable direct restore of files and folders to guest operating systems that do not have the
Rubrik Backup Service installed. The guest OS credentials are added through the Restore File dialog box
during a direct restore.
Related Concepts
Backup consistency levels
By default, the Rubrik cluster provides the highest level of backup consistency that is available for a virtual
machine.
Related Tasks
Restoring directly to a guest file system
Restore a file or folder to the source file system of a supported Windows or Linux guest operating system.

Guest OS credentials
Guest OS credentials provide access to guest operating systems for vSphere virtual machines.
The Rubrik cluster requires an installed Rubrik Backup Service or guest OS credentials to start scripts on a
vSphere virtual machine.
• If the Rubrik Backup Service is installed and registered on the account, no additional permissions are
required. The Rubrik Backup Service will execute the script.
• If the Rubrik Backup Service is not installed, provide guest OS credentials with sufficient privileges.
To restore directly to a Linux guest, provide the credentials for an account that has Write permission for
the restore location.
To restore directly to a Windows guest or to create application-consistent snapshots from a Windows
guest, the Rubrik cluster requires the credentials of an account that has administrator access to the guest.
The account can be either a local administrator account or a domain administrator account.
• Using a local administrator account on the guest OS provides access. However, providing individual
guest OS credentials for each guest OS can be inconvenient.
• Using a domain administrator account on the guest OS provides access. However, using a domain
administrator account causes security concerns for network administrators.
Rubrik recommends providing the Rubrik cluster with a credential for a domain-level account that has
a small privilege set that includes administrator access to the relevant guests. Based on organizational
requirements, several credentials of this sort can be provided. The Rubrik cluster tries each provided guest
OS credential to gain access to a Guest OS.

Providing credentials for a Windows guest OS


Provide credentials with administrator privileges for a Windows guest OS to enable application consistent
snapshots and direct restores.

Prerequisites
Select or create a credential for an account that provides administrator access to the Windows guest OS.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Guest OS Settings.
The Guest OS Settings page appears.
4. Click the + icon.
The Add Guest OS Credentials dialog box appears.
5. In Domain, type the resolvable hostname or IP address of the authentication server for the
credential.
When the guest OS performs Workstation Authentication of credentials instead of Domain
Authentication, leave the Domain field empty.
With some ESXi hypervisors, the VMware API requires a single period character in the Domain field to
correctly pass the Workstation Authentication value to the Windows guest OS. When an empty Domain
field does not provide successful Workstation Authentication with the Windows guest OS, add a period
character in the Domain field.
6. In Username, type the username.
7. In Password, type the password.
8. Optional: Click the + icon on the Add Guest OS Credentials dialog box to add credentials for additional
virtual machines.
9. Click Add.

Result
The Rubrik cluster stores the credential.

Providing credentials for a Linux guest OS


Provide credentials with the necessary Write privileges for a Linux guest OS to enable direct restores.

Prerequisites
Select or create an account with the necessary Write access for the Linux guest OS.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Guest OS Settings.
The Guest OS Settings page appears.
4. Click the + icon.
The Add Guest OS Credentials dialog box appears.
5. Leave the Domain field empty.
6. In Username, type the username.
7. In Password, type the password.
8. Optional: Click the + icon on the Add Guest OS Credentials dialog box to add credentials for additional
virtual machines.
9. Click Add.

Result
The Rubrik cluster stores the credentials.

Editing guest OS credentials


Edit guest OS credentials to update the Rubrik cluster with changes to the authentication server,
username, or password.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Guest OS Settings.
The Guest OS Settings page appears.
4. Open the ellipsis menu next to a Guest OS credential entry, and click Edit.
The Edit Guest OS Credential dialog box appears.
5. Make edits to server, username, or password.
For a Linux credential, ensure that the Domain field is empty.
6. Click Update.

Result
The Rubrik cluster saves the new information.

Deleting guest OS credentials


Delete guest OS credentials to remove them from the list of credentials the Rubrik cluster uses to access
virtual machines.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Guest OS Settings.
The Guest OS Settings page appears.
4. Open the ellipsis menu next to a Guest OS credential entry, and click Delete.
A confirmation message appears.
5. Click Delete.

Result
The Rubrik cluster deletes the selected credential.

Rubrik Backup Service automatic deployment


Enable or disable automatic deployment of the Rubrik Backup Service from the Guest OS Settings page.
The Rubrik Backup Service Settings tab of the Guest OS Settings page provides options to enable and
disable automatic deployment of the Rubrik Backup Service. Automatic deployment of the Rubrik Backup
Service provides a method for automatically installing and registering the Rubrik Backup Service on
multiple vSphere virtual machines that are running a Windows guest OS.
Related Tasks
Automatically deploying RBS
A Rubrik cluster can install and register the Rubrik Backup Service on a supported Windows guest at the
next scheduled or on-demand backup of that Windows guest.

Manage storage arrays


Storage array level snapshots provide optimal ingest performance for data stored on storage arrays.
The following table lists the requirements for storage array integration.

Category Requirement
Storage array type Pure Storage FlashArray//m series
Storage array API Pure Storage REST API version 1.0 or newer
Storage array account Username and password for a storage array account with ‘storage admin’
privileges

Related Concepts
Storage array integration
A Rubrik cluster can integrate with a storage array to further reduce the time that a virtual machine is
quiescent during a snapshot operation. To qualify for storage array integration, all datastores assigned to
the virtual machine must reside on storage arrays.

Adding a storage array


Add a storage array to the CDM web UI to permit the Rubrik cluster to interact directly with the storage
array.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Storage Arrays.
The Storage Arrays page appears.
4. Click the + icon.
The Add Storage Array dialog box appears.
5. In Array Type, select the type of array.
Array Type Description
Pure Storage Adds Pure Storage array
Dell EMC PowerStore Adds Dell EMC PowerStore storage array
6. In Hostname, type the IPv4 address or resolvable hostname of the storage array.
7. In Username, type the user name for an account with storage admin privileges on the storage array.
8. In Password, type the password for the account.
9. Optional: To add a root certificate for the storage array type, select the TLS certificate from the
Signed TLS Certificate drop-down menu.
When the TLS certificate is missing from the drop-down menu, it can be added through the Certificate
Management page.
10. Click Add.

Result
The Rubrik cluster tests access to the storage array and saves the configuration information.

Editing a storage array


Edit the stored information for a storage array.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Storage Arrays.
The Storage Arrays page appears.
4. Open the ellipsis menu next to an array entry and click Edit.
5. Edit the fields.
6. Click Update.

Result
The Rubrik cluster tests access to the storage array using the new configuration information and saves the
configuration information.

Deleting a storage array


Delete the entry for a storage array to remove the configuration information that is stored by the Rubrik
cluster.

Context
Deleting a storage array removes storage array integration for all virtual machines that use the array as
a datastore. The Rubrik cluster switches the data ingestion path from the storage array to the vCenter
Server. This can potentially cause a performance impact for snapshots of those virtual machines.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Storage Arrays.
The Storage Arrays page appears.
4. Open the ellipsis menu next to an array entry and click Delete.
A warning appears.
5. Click Delete.

Result
The Rubrik cluster removes the configuration information for the selected storage array.

Adaptive Backup
Adaptive Backup settings instruct the Rubrik cluster to check the resource usage of a virtual machine
before starting a snapshot. When the resource usage is above configured limits, the Rubrik cluster
postpones the snapshot.
When Adaptive Backup settings are enabled, the Rubrik cluster checks the virtual machine I/O latency,
datastore I/O latency, and virtual machine CPU utilization before starting a snapshot. When a value
exceeds a configured limit, the Rubrik cluster reschedules the snapshot. The Rubrik cluster cancels the
backup jobs associated with a datastore when the free capacity of that datastore is lower than the value
defined in a threshold.
After approximately 15 minutes, the Rubrik cluster checks the values again. When the values are below the
limits, the Rubrik cluster initiates the snapshot. When the values are above the limits, the Rubrik cluster
reschedules the snapshot.
Each time an Adaptive Backup setting causes the rescheduling of a snapshot, the Rubrik cluster moves
the policy-based snapshot schedule for the virtual machine to accommodate the change. Consider the
following example.

Example: Rescheduling caused by Adaptive Backup settings

The Rubrik cluster has Adaptive Backup settings enabled. A virtual machine is protected by the Gold SLA
Domain of the Rubrik cluster. This SLA Domain requires hourly snapshots. The next two hourly snapshots
for this virtual machine are scheduled for 1:00 PM and 2:00 PM.
At 1:00 PM the Rubrik cluster finds that the CPU utilization of the virtual machine is above the configured
limit. The 1:00 PM snapshot is rescheduled for 1:15 PM.
At 1:15 PM the snapshot is successfully initiated, and the next hourly snapshot is scheduled for 2:15 PM.

On-demand snapshots
Adaptive Backup settings also apply to on-demand snapshots.
When the Adaptive Backup settings are enabled, the Rubrik cluster performs an Adaptive Backup settings
check before starting an on-demand snapshot. When a value exceeds a configured limit, the Rubrik cluster
reschedules the on-demand snapshot.
After approximately 15 minutes, the Rubrik cluster checks the values again. When the values are below the
limits, the Rubrik cluster initiates the on-demand snapshot.
The Rubrik cluster continues to reschedule the on-demand snapshot until the values for the virtual
machine are below the configured limits. When the values are below the limits, the Rubrik cluster
completes the on-demand snapshot.

Limit types
When applying Adaptive Backup settings, the Rubrik cluster considers the virtual machine I/O latency,
datastore I/O latency, and virtual machine CPU utilization before initiating a snapshot of that virtual
machine.
The Rubrik cluster postpones a snapshot when the actual value of a limit type exceeds the value that is
set for the limit. The following table describes how the Rubrik cluster applies the Adaptive Backup settings
based on the limit types.

Limit | Description
Maximum VM IO Latency | Sets the maximum time in milliseconds to process a command from the guest OS to the virtual machine. The actual value is determined from ‘vm.maxTotalLatency’.
Maximum Datastore IO Latency | Sets the highest latency for all datastores being used by a virtual machine, not including any excluded VMDKs. The actual value is determined by finding the highest value for ‘disk.TotalLatency’ for all of the datastores assigned to the virtual machine.
Maximum VM CPU Utilization | Sets the maximum percentage of the combined frequency of all processors assigned to the virtual machine. The actual value is computed by dividing the vm.overallCpuUsage by vm.maxCpuUsage.
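The limit check and the rescheduling behavior described in this section, as an added example rather than Rubrik code: it evaluates the three limit types against metric samples and replays the guide's 1:00 PM rescheduling example. The limit values, datastore names, and metric samples are constructed, and the recheck delay is fixed at the guide's "approximately 15 minutes".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# The guide says the recheck happens after "approximately 15 minutes";
# the exact value used here is an assumption.
RECHECK = timedelta(minutes=15)


@dataclass
class Limits:
    """The three values entered on the Adaptive Backup page."""
    max_vm_io_latency_ms: int
    max_datastore_io_latency_ms: int
    max_vm_cpu_pct: int


@dataclass
class Sample:
    """Metrics at one check (constructed data; fields mirror the counters the guide names)."""
    vm_max_total_latency_ms: float      # vm.maxTotalLatency
    datastore_total_latency_ms: dict    # disk.TotalLatency per datastore, excluded VMDKs left out
    overall_cpu_usage: float            # vm.overallCpuUsage
    max_cpu_usage: float                # vm.maxCpuUsage


def exceeded_limits(sample, limits):
    """Return the names of the limits the sample exceeds (empty list: the snapshot may start)."""
    if sample.max_cpu_usage <= 0:
        raise ValueError("vm.maxCpuUsage must be positive")
    exceeded = []
    if sample.vm_max_total_latency_ms > limits.max_vm_io_latency_ms:
        exceeded.append("Maximum VM IO Latency")
    # The datastore value is the worst latency across every datastore the VM uses.
    worst = max(sample.datastore_total_latency_ms.values(), default=0)
    if worst > limits.max_datastore_io_latency_ms:
        exceeded.append("Maximum Datastore IO Latency")
    cpu_pct = 100.0 * sample.overall_cpu_usage / sample.max_cpu_usage
    if cpu_pct > limits.max_vm_cpu_pct:
        exceeded.append("Maximum VM CPU Utilization")
    return exceeded


def simulate(first_due, interval, samples, limits):
    """Walk the schedule, consuming one sample per check.

    Returns (snapshot start times, [(postponed check time, exceeded limits), ...]).
    """
    due, taken, postponed = first_due, [], []
    for sample in samples:
        over = exceeded_limits(sample, limits)
        if over:
            postponed.append((due, over))
            due += RECHECK       # check the values again later
        else:
            taken.append(due)
            due += interval      # the schedule moves with the actual start time
    return taken, postponed


def guide_example():
    """The guide's example: hourly snapshots, CPU utilization too high at 1:00 PM."""
    limits = Limits(max_vm_io_latency_ms=20, max_datastore_io_latency_ms=30, max_vm_cpu_pct=80)
    busy = Sample(5, {"ds-a": 4, "ds-b": 9}, overall_cpu_usage=2700, max_cpu_usage=3000)  # 90 %
    calm = Sample(5, {"ds-a": 4, "ds-b": 9}, overall_cpu_usage=600, max_cpu_usage=3000)   # 20 %
    return simulate(datetime(2022, 5, 25, 13, 0), timedelta(hours=1), [busy, calm, calm], limits)


if __name__ == "__main__":
    taken, postponed = guide_example()
    for when, why in postponed:
        print(f"{when:%I:%M %p} postponed: {', '.join(why)}")
    for when in taken:
        print(f"{when:%I:%M %p} snapshot started")
```

A value equal to its limit does not postpone the snapshot, because the guide postpones only when the measured value is higher than the set value.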

Enabling Adaptive Backup settings


Configure Adaptive Backup settings to postpone snapshots when the resource usage of a protected virtual
machine is above configured limits.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Adaptive Backup.
The Adaptive Backup page appears.
4. Select Enable Adaptive Backup.
5. In Maximum VM IO Latency, type an integer value representing the highest virtual machine I/O
latency allowed, in milliseconds.
6. In Maximum Datastore IO Latency, type an integer value representing the highest datastore I/O
latency allowed, in milliseconds.
7. In Maximum VM CPU Utilization, type an integer value representing the greatest percentage of
virtual machine CPU utilization allowed.
8. Click Update.

Result
The Rubrik cluster saves the Adaptive Backup settings. The Rubrik cluster checks the measured values at
the time of every snapshot and postpones a snapshot when a measured value is higher than a set value.

Pause and resume protection activity


Pause backup jobs and archival data uploads.
The Pause Protection feature of the Rubrik cluster provides the ability to pause backup jobs and archival
data uploads. The feature prevents scheduled backup and archiving jobs from starting and requests the
cancellation of running backup and archiving jobs.
Use the pause feature to temporarily reduce the impact of Rubrik cluster activity on the associated
resources. Resume the protection activity when required.

Enabling the Two-Person Rule (TPR) for Pause Data Protection/ Backup requires approval from an account
with the TPR approver role.
Related Concepts
The two-person rule
The two-person rule provides additional data security on Rubrik CDM by ensuring that no individual user
can perform key operations on data without the approval of a secondary user.
Related Tasks
Pausing protection activity
Pause protection activity to temporarily reduce the impact of Rubrik cluster activity.
Resuming protection activity
Resume protection activity to remove the restrictions of the pause feature.
Related reference
Impact of pausing protection activity
Pausing protection impacts all the impending and ongoing protection activities on a Rubrik cluster.
TPR Approver role details
A user account with the TPR Approver role is responsible for approving or denying TPR requests.

Impact of pausing protection activity


Pausing protection impacts all the impending and ongoing protection activities on a Rubrik cluster.

Activity | Impact | Description
Pending policy driven snapshot | Canceled | The Rubrik cluster cancels all policy driven snapshots that are scheduled during the pause period. The missed snapshots are not rescheduled.
Pending archival snapshot | Canceled | The Rubrik cluster cancels all archival snapshots that are scheduled to occur during the pause period.
Running policy driven snapshot | Cancel requested | The Rubrik cluster requests the cancellation of all policy driven snapshots that are running. A snapshot is canceled when the state of the snapshot task permits cancellation. Otherwise, the snapshot completes.
Running archival snapshot | Cancel requested | The Rubrik cluster requests the cancellation of all archival snapshots that are running. An archival snapshot is canceled when the state of the archival snapshot task permits cancellation. Otherwise, the archival snapshot completes.
SQL Database log backups | No impact | The pause feature does not stop scheduled backups of database transaction logs.
Oracle Database log backups | Cancel requested | The Rubrik cluster requests the cancellation of all scheduled backups of database transaction logs.
Replication tasks | Cancel requested | The Rubrik cluster requests the cancellation of all replication tasks that are running. A replication task is canceled when the state of the replication task permits cancellation. Otherwise, the replication task completes.
Manual tasks | No impact | The pause feature does not affect manually initiated tasks.
Managed Volume backups | No impact for jobs in progress | The Rubrik cluster continues any Managed Volume backups in progress. No new Managed Volume backups can be started during a pause.
SLA Managed Volumes | Cancel requested | The Rubrik cluster requests the cancellation of all SLA Managed Volume backups that are in progress. A backup is canceled when the state of the backup task permits cancellation. Otherwise, the backup completes. No new SLA Managed Volume backups can be started during a pause.

Pausing protection activity


Pause protection activity to temporarily reduce the impact of Rubrik cluster activity.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Pause Protection.
A confirmation dialog box appears.
4. Click Continue Anyway.
5. On the Submit Two-Person Rule Request dialog box, click Submit.
The Submit Two-Person Rule Request dialog box appears only when Pause Data Protection/ Backup is
enabled on the Two-Person Rule Controlled Action page. Otherwise, you will not see this dialog box.
The Two-Person Rule generates a review request. When the request is approved, the Rubrik cluster
applies the requested actions. When the request is denied, the Rubrik cluster rejects the requested
actions.

Result
The Rubrik cluster pauses the protection activity.
Related Concepts
Pause and resume protection activity
Pause backup jobs and archival data uploads.
The two-person rule
The two-person rule provides additional data security on Rubrik CDM by ensuring that no individual user
can perform key operations on data without the approval of a secondary user.
Related reference
Impact of pausing protection activity
Pausing protection impacts all the impending and ongoing protection activities on a Rubrik cluster.
TPR Approver role details
A user account with the TPR Approver role is responsible for approving or denying TPR requests.

Resuming protection activity


Resume protection activity to remove the restrictions of the pause feature.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Resume Protection.
A confirmation dialog box appears.
4. Click Resume.

Result
The Rubrik cluster resumes all protection activity.

Data sources setting


The Rubrik CDM web UI provides the ability to configure visibility preferences for virtual machines, servers,
and applications. The ability to configure visibility preferences allows the customization of the data sources
that appear on the Rubrik CDM web UI.

Setting data sources


Configure the visibility preferences for data sources on the Rubrik CDM web UI.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Cluster Settings.
The Cluster Settings page appears.
4. Click the Data Sources tab and clear any data sources that are not applicable. Data sources in use
cannot be cleared.
5. Click Update.

Result
The Rubrik cluster saves the settings and displays only the selected data sources.

Configuring IPMI
The Rubrik node hardware includes a baseboard management controller (BMC) that can be used to
perform Intelligent Platform Management Interface (IPMI) tasks.

Context
Provide more security for the Rubrik nodes by requiring a secure strong password for access to the IPMI
interface.
Use the Rubrik CDM web UI to assign a strong password and to control access to the IPMI interface on all
nodes in the Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click IPMI Credentials.
The Configure IPMI page appears.
4. Select one of the following external services to access IPMI.
• HTTPS
• IKVM (Java for .Net)
5. Click Update.
6. Click IPMI Password.
The Update IPMI password page appears.
7. In Password, type a secure password.
The password can be from 5 to 16 extended ASCII printable characters. Secure the password in a safe
location.
8. In Re-Enter Password, type the password again.
9. Click Update.

Result
The Rubrik CDM web UI assigns a strong password and controls access to the IPMI interface on all nodes
in the Rubrik cluster.

iSCSI configuration
The Rubrik cluster supports the iSCSI protocol for direct data connection to a storage array that is
providing storage for virtual machines.
When iSCSI is enabled, the Rubrik cluster maintains a control channel with the hypervisor host and uses
the iSCSI protocol to establish a data channel with the storage array. This protocol replaces the NBD
transport protocol for transfers of data from the storage array.
The Rubrik cluster supports the following authentication modes:
• No authentication.
• Unidirectional CHAP – Using the Challenge-Handshake Authentication Protocol (CHAP), the Rubrik
cluster authenticates with the storage array.
• Bidirectional CHAP – Using CHAP, the Rubrik cluster authenticates with the storage array and the
storage array authenticates with the Rubrik cluster.
PPP Challenge Handshake Authentication Protocol (CHAP), RFC 1994 defines the username and
password requirements for unidirectional and bidirectional CHAP.

Configuring iSCSI
To enable iSCSI support, provide the Rubrik cluster with the iSCSI connection details.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click iSCSI Sources.
The iSCSI Sources page appears.
4. In Server Name, type the name of the iSCSI server.
5. In Port, type the connection port used by the iSCSI server for incoming iSCSI connections.
The default is port 3260.
6. In Target, type the IPv4 address of the iSCSI server.
Leave Target empty to instruct the Rubrik cluster to attempt to automatically discover the IP address
of the iSCSI server.
7. In Authentication Mode, select the authentication mode used by the iSCSI server.
Choose one of the following:
• No Authentication
• Unidirectional CHAP
• Bidirectional CHAP
8. When No Authentication is selected, click Update.
9. (Unidirectional CHAP and Bidirectional CHAP) In Outgoing Name, type a username that enables the
storage array to authenticate the Rubrik cluster.
The storage array must grant sufficient access rights to the account represented by the username to
allow the Rubrik cluster access to the stored data.
10. (Unidirectional CHAP and Bidirectional CHAP) In Outgoing Secret, type the associated password.
11. When Unidirectional CHAP is selected, click Update.
12. (Bidirectional CHAP) In Incoming Name, type a username that enables the Rubrik cluster to
authenticate the storage array.
13. (Bidirectional CHAP) In Incoming Secret, type the associated password.
14. Click Update.
A success message appears.
15. To add additional iSCSI connections, repeat this task for each connection.

Result
The Rubrik cluster enables the iSCSI connection and uses the iSCSI protocol to directly access data that is
stored on the storage array.
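The CHAP exchange behind the Outgoing and Incoming name and secret pairs entered in this procedure, as an added example that is not Rubrik code: it computes the RFC 1994 response for both directions of Bidirectional CHAP and reviews an entry for missing authentication, short secrets, and a secret reused in both directions. The account names, secrets, and dictionary layout are constructed for the example.

```python
import hashlib
import hmac
import secrets


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("the CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """The side that issues a challenge and checks the peer's response."""

    def __init__(self, accounts):
        self.accounts = accounts   # CHAP name -> shared secret (bytes)
        self._pending = None       # (identifier, challenge) still waiting for an answer

    def challenge(self):
        self._pending = (secrets.randbelow(256), secrets.token_bytes(16))
        return self._pending

    def verify(self, name, identifier, response):
        pending, self._pending = self._pending, None   # a challenge is good for one answer
        secret = self.accounts.get(name)
        if pending is None or pending[0] != identifier or secret is None:
            return False
        expected = chap_response(identifier, secret, pending[1])
        return hmac.compare_digest(expected, response)


def bidirectional_chap(cluster, array):
    """Run both directions; return (array_accepts_cluster, cluster_accepts_array)."""
    # Direction 1, used by Unidirectional and Bidirectional CHAP:
    # the storage array challenges, the cluster answers with its Outgoing Secret.
    array_side = ChapAuthenticator(array["initiators"])
    ident, chal = array_side.challenge()
    answer = chap_response(ident, cluster["outgoing_secret"], chal)
    if not array_side.verify(cluster["outgoing_name"], ident, answer):
        return False, False
    # Direction 2, Bidirectional CHAP only: the cluster challenges, the array
    # answers, and the cluster checks the answer against its Incoming Secret.
    cluster_side = ChapAuthenticator({cluster["incoming_name"]: cluster["incoming_secret"]})
    ident, chal = cluster_side.challenge()
    answer = chap_response(ident, array["secret"], chal)
    return True, cluster_side.verify(array["name"], ident, answer)


def review_iscsi_auth(mode, outgoing_secret=b"", incoming_secret=b""):
    """Return findings for one iSCSI source entry; an empty list means nothing to flag."""
    if mode == "No Authentication":
        return ["No Authentication: neither side proves its identity"]
    findings = []
    in_use = {"Outgoing Secret": outgoing_secret}
    if mode == "Bidirectional CHAP":
        in_use["Incoming Secret"] = incoming_secret
        if hmac.compare_digest(outgoing_secret, incoming_secret):
            findings.append("same secret in both directions: use two different secrets")
    for label, secret in in_use.items():
        # RFC 1994 prefers a secret at least as long as the hash output (16 octets for MD5).
        if len(secret) < 16:
            findings.append(f"{label} is shorter than 16 octets")
    return findings


# Constructed sample configuration; names and secrets are made up for this example.
CLUSTER = {
    "outgoing_name": "rubrik-cluster-01", "outgoing_secret": b"cluster-to-array-secret-01",
    "incoming_name": "array-01", "incoming_secret": b"array-to-cluster-secret-02",
}
ARRAY = {
    "initiators": {"rubrik-cluster-01": b"cluster-to-array-secret-01"},
    "name": "array-01", "secret": b"array-to-cluster-secret-02",
}

if __name__ == "__main__":
    print(bidirectional_chap(CLUSTER, ARRAY))
    print(review_iscsi_auth("Bidirectional CHAP",
                            CLUSTER["outgoing_secret"], CLUSTER["incoming_secret"]))
```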

Time zone setting


The Rubrik CDM web UI provides the ability to set the time zone that is used by the Rubrik cluster. The
Rubrik cluster uses the specified time zone for time values in the Rubrik CDM web UI, all reports, SLA
Domain settings, and all other time-related operations.
A Rubrik cluster can be configured to use the same time zone as its physical location, or any other time
zone. Once the time zone is set, the Rubrik cluster displays all time values using the configured time zone.
Time values in the Rubrik CDM web UI appear the same in all web browsers, even when viewed from web
browser hosts running in different time zones.
The Rubrik cluster automatically handles any changes between standard time and daylight savings time for
the selected time zone.

Setting the cluster time zone


Use the Rubrik CDM web UI to configure the time zone used by the Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Cluster Settings.
The Cluster Settings page appears.
4. In Cluster Time Zone, select a time zone for the Rubrik cluster.
5. Click Update.

Result
The Rubrik cluster changes the cluster time zone to the specified time zone and handles zone-specific
daylight savings time changes automatically.

Default time zone
The default time zone used by a Rubrik cluster is the Coordinated Universal Time (UTC) time zone.
Until a time zone is configured for a Rubrik cluster, the Rubrik cluster displays a banner message in the
Rubrik CDM web UI to alert the user that a cluster time zone is not set and that the Rubrik cluster is using
the UTC time zone.

Time zone setting changes


The time zone setting for a Rubrik cluster can be changed, either from the default UTC time zone to
another time zone, or between two configured time zone settings.
How a change impacts a displayed time value depends upon whether the time value is an event time
value or a report time value.
An event time value stays the same relative to the UTC time zone. The offset from UTC changes to match
the configured time zone.
A report time value keeps the set value. After the cluster time zone setting is changed, the displayed time
value stays the same.
The following table shows the impact of changing the time zone setting from PDT to EDT for an event and
for a report.

Original time zone | New time zone
Report at 1:00 PM (PDT) | Report at 1:00 PM (EDT)
Snapshot window 1-3 PM (PDT; UTC -7) | Snapshot window 4-6 PM (EDT; UTC -4)

The table shows:


• A report that was scheduled for 1:00 PM in the PDT time zone is scheduled for 1:00 PM in the EDT time
zone after the time zone setting is changed.
• A snapshot window of 1-3 PM in the PDT time zone keeps the same time relative to UTC (8-10 PM UTC)
by changing to 4-6 PM in the EDT time zone. To use the original snapshot window after the time zone
setting is changed, edit the SLA Domain rule to specify a snapshot window of 1:00 PM to 3:00 PM EDT.

Security banner and classification settings


Rubrik CDM allows configurable top and bottom banners for the Rubrik CDM web UI pages.
Rubrik CDM provides the ability to add a configurable message to the login page. For example, the
message might be the text of an authorized-use agreement that must be acknowledged for login to be
permitted. The message text can be formatted as plain text or can use standard HTML markup.
Rubrik CDM also provides the ability to add configurable top and bottom page banners in the Rubrik CDM
web UI. The banner text and the banner background color can be configured.
The Cluster Settings page provides access to the following settings:
• Login notice
• Top and bottom banner background color
• Top and bottom banner text

Setting the login banner text
Use the Rubrik CDM web UI to set the login banner text.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Cluster Settings.
The Cluster Settings page appears.
4. In Login Banner Text, enter the login notice text.

Result
The Rubrik cluster saves the content and adds it to the modal dialog box on the login screen for
subsequent logins.

Setting the security classification color and text


Use the Rubrik CDM web UI to set the security classification color and text.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Cluster Settings.
The Cluster Settings page appears.
4. In Security Classification Color, select the banner color.
The supported choices are yellow, orange, red, blue, green, and none.
5. In Security Classification Text, enter the classification text.
6. Click Update.

Result
The Rubrik cluster saves the content and adds it to the banners in subsequent sessions.

Secure SMB
When the Rubrik cluster enforces SMB security, SMB clients must authenticate through Active Directory
before gaining access to SMB shares.

Important:
Enforcing security for Server Message Block (SMB) shares can cause certain operations to fail if the
required Active Directory (AD) domain is not correctly configured. Examples of operations that depend
on correct AD domain configuration are Volume Group backups, Volume Group mounts, SQL Server Live
Mounts, and Managed Volume actions.

To secure the SMB protocol, the Rubrik cluster joins an AD domain as a user account.
Secure SMB is used by the SQL Live Mount, Hyper-V Live Mount, Managed Volumes using SMB, Volume
Group, and Bare Metal Recovery features. When SMB shares are secured, all the SMB clients are required
to authenticate to access the SMB share. Rubrik CDM uses SMB servers to support signed and encrypted
connections.

AD domains can exist in several valid states.

State | Description
Not configured | The initial state when the domain is discovered.
Configured | No action necessary - SMB security for this domain is configured.
Failed | Network connectivity has failed and the domain must be manually re-added.

Configuring SMB Security


Configure security for a Server Message Block share to enforce user authentication through Active
Directory.

Prerequisites
Verify access to the following information:
• Fully qualified domain name of the AD Server
• Username and password of a user with domain access privileges
• List of fully qualified hostnames of domain controllers
• AD service account name of the Rubrik cluster
• AD organization unit

Procedure
1. Log in to the Rubrik CDM web UI.
2. From the gear icon, navigate to System Configuration > SMB Security.
The SMB Security page appears.
3. Select a failed connection to reinstate or select the plus icon in the top right corner to configure a new
domain.
The Add SMB Domain dialog box appears.
4. Add the domain information and click Add to complete the configuration.
The Rubrik cluster only uses the Username and Password entries one time in order to join the AD
domain.
The Rubrik cluster saves the configuration information and returns to the SMB Security page.
5. Click SMB Security Configuration in the top right corner.
The Manage SMB Security Configuration dialog box appears.
6. Select Enforce SMB Security.
7. Click Update.

Result
The Rubrik cluster enforces secure access to Server Message Block (SMB) shares from the specified AD
domain.
Related reference
Secure SMB domain information

Enabling security for a Server Message Block share requires information about several fields in an Active
Directory domain.

Secure SMB domain information


Enabling security for a Server Message Block share requires information about several fields in an Active
Directory domain.

Field | Description
Domain (FQDN) | The fully-qualified domain name (FQDN) of the server for the Active Directory (AD) domain.
Username | The username of an account with access privileges for the specified AD domain.
Password | The password for the specified username.
Domain Controllers (Fully Qualified Hostnames) | The FQDNs of the domain controllers for the specified AD domain.
Computer Account Name | A unique computer account name the Rubrik cluster uses in the AD domain. This name must meet NETBIOS standards and be unique in the AD forest. Using an existing name overwrites the current entry.
Organization Unit | Optional. The name of the organization unit to which the computer account belongs.

Deleting an Active Directory domain


Removing a configured Active Directory domain removes the ability to perform secure Live Mounts of data
sources that depend on that domain.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Open the gear menu and click System Configuration > SMB Security.
The SMB Security page appears.
3. Click the ellipses next to the domain.
4. Click Delete.

Result
The Rubrik cluster removes the specified Active Directory domain from the list of available domains.

SMB authentication when NTLM is disabled


Use the Kerberos protocol for SMB authentication when the NTLM protocol is disabled.
Windows defaults to the NT LAN Manager (NTLM) authentication protocol for hosts that use IPv4
addresses instead of hostnames. Windows clients that have NTLM disabled must use the Kerberos protocol
to authenticate to SMB shares on a Rubrik cluster.
To enable Kerberos authentication, perform the following steps:
1. On the Windows domain controller, configure support for using IP addresses as hostnames in Service
Principal Names.

2. For each node in the Rubrik cluster, set the Service Principal Name using the IP address as the
hostname portion of the name.
For environments that do not provide NTLM authentication, Rubrik CDM only provides support for hosts
running Windows Server 2016 or newer. Additionally, those hosts must be configured to permit Kerberos
authentication using an IP address.
Related Tasks
Enabling Kerberos authentication for SMB shares
Configure Kerberos clients to support IPv4 and IPv6 hostnames in SPNs.

Enabling Kerberos authentication for SMB shares


Configure Kerberos clients to support IPv4 and IPv6 hostnames in SPNs.

Context
Clients that are part of an Active Directory domain can authenticate to SMB shares on a Rubrik cluster
using the Kerberos protocol instead of the default NT LAN Manager (NTLM) protocol. By default, Windows
does not use Kerberos authentication for hosts that use IPv4 addresses instead of hostnames.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Open the gear menu and click System Configuration > SMB Security.
The SMB Security page appears.
3. Note the Service Account Name for the SMB domain.
This name is a unique identifier for the Rubrik cluster in the AD forest.
Service Account Name for demo.com is CVM08CS0ffee61.
4. Log on to the controller for the Active Directory domain of the client.
Consult Microsoft Active Directory documentation for details on logging in to Active Directory domain
controllers.
The Active Directory controller prompt appears.
5. Configure support for using IP addresses as hostnames in Service Principal Names by adding the
TryIPSPN entry to the registry of the client host.

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" /v TryIPSPN /t REG_DWORD /d 1 /f

Set the TryIPSPN registry value on each client machine that needs to access Kerberos-protected
resources by IP address.
6. Restart the Rubrik Backup Service.
7. For each node in the Rubrik cluster, set the Service Principal Name using the IP address as the
hostname portion of the name.
Setting the Service Principal Name using the IP address is a requirement for SLA Managed Volume use
cases.

setspn -s $service/$IP_for_hostname $account

Where:
• $service is the name of the service.
• $IP_for_hostname is the IP address being used to replace the hostname.

• $account is the Service Account Name.

setspn -s host/nnn.nnn.nnn.nnn CVM08CS0ffee61

8. Optional: Set the Service Principal Name as hostname.
Setting the Service Principal Name using the hostname instead of an IP address may be required for
use cases other than SLA Managed Volumes.

setspn -s host/node-a.customer.com CVM08CS0ffee61

9. Optional: Verify that the Service Account Name lists the service principal names for all the nodes.

setspn -l $service_account_name

setspn -l CVM08CS0ffee61

Result
The Rubrik cluster enables Kerberos authentication for SMB shares.
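
The verification in step 9 can be done mechanically. The following added example (not part of the Rubrik guide) parses `setspn -l` output and reports node IP addresses that have no SPN registered for a given service. The sample output, the account's distinguished name and the 192.0.2.x node addresses are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of `setspn -l CVM08CS0ffee61` output. The OU and the
# 192.0.2.x addresses are placeholders, not values from the guide.
SAMPLE_OUTPUT = """\
Registered ServicePrincipalNames for CN=CVM08CS0ffee61,OU=Example,DC=demo,DC=com:
\thost/192.0.2.11
\thost/192.0.2.12
\thost/node-a.customer.com
"""


def parse_setspn_listing(text):
    """Return (account_dn, [spn, ...]) from `setspn -l` output."""
    account_dn, spns = None, []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.lower().startswith("registered serviceprincipalnames for"):
            account_dn = stripped.split(" for ", 1)[1].rstrip(":")
        elif line[:1] in (" ", "\t") and "/" in stripped:
            # SPN entries are the indented lines below the header.
            spns.append(stripped)
    return account_dn, spns


def spn_key(spn):
    """Normalise 'service/host[:port]' to (service, host) for comparison."""
    service, _, rest = spn.partition("/")
    host = rest.split("/", 1)[0]
    # Try the host as an IP literal, then with a trailing :port removed.
    for candidate in (host, host.rsplit(":", 1)[0]):
        try:
            return service.lower(), str(ipaddress.ip_address(candidate))
        except ValueError:
            continue
    if host.count(":") == 1:
        host = host.split(":", 1)[0]  # hostname:port
    return service.lower(), host.lower()


def missing_ip_spns(text, node_ips, service="host"):
    """List the node IPs that have no '<service>/<ip>' SPN on the account."""
    _, spns = parse_setspn_listing(text)
    registered = {spn_key(s) for s in spns}
    return [
        ip for ip in node_ips
        if (service.lower(), str(ipaddress.ip_address(ip))) not in registered
    ]


if __name__ == "__main__":
    nodes = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]  # constructed node IPs
    print("Nodes without an IP-based SPN:", missing_ip_spns(SAMPLE_OUTPUT, nodes))
```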

Proxy settings
Some Rubrik cluster functions rely on internet access. The Rubrik cluster can be configured to use a proxy
server when accessing the internet.
To manage network and security requirements, optionally configure the Rubrik cluster to use a proxy
server. The proxy server must be configured to permit the Rubrik cluster to meet the network requirements
listed in Ports.

Functions that use internet access


Some Rubrik cluster functions require access to the internet.

Function | Description
Archiving to public cloud | Communication between the Rubrik cluster and cloud-based archival locations.
Uploading log bundles | Upload of log bundles to Amazon S3. Rubrik Support can use the log bundles when diagnosing issues. Rubrik deployments upload support bundles to Amazon S3 every night. The support bundles are retained in Amazon S3 for 20 days before being archived to Glacier, the Amazon S3 archive location.
Uploading real-time logs | Real-time upload of error and failed job logs to an Amazon EC2 instance. The Rubrik Support alert system uses these logs to provide quick responses to issues.
Uploading statistics | Upload of Rubrik cluster statistics to provide Rubrik Support with a dashboard view of the health of a Rubrik cluster. The statistics are also integrated into the Rubrik Support alert system.
Support tunnel | Creates a tunnel from the Rubrik cluster to the Rubrik Support SSH server. The Rubrik Support SSH server runs on an Amazon EC2 instance. The tunnel can be opened to permit Rubrik Support to securely access the Rubrik cluster. When the tunnel is opened, Rubrik Support uses the tunnel to diagnose issues and perform maintenance operations. Enable and disable this tunnel from the Rubrik CDM web UI.

Proxy implementations
There are several options for proxy server implementations.
A Rubrik cluster supports the following proxy server implementations:
• HTTP
• HTTPS, using the HTTP CONNECT method and port 443
• SOCKS5

Configuring proxy server support


Configure a Rubrik cluster to route internet communication through a proxy server.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Proxy Settings.
The Proxy Settings page appears.
4. In Protocol, select an internet protocol that is supported by the proxy server.
Select one of the following protocols:
• HTTP
• HTTPS
• SOCKS5
5. In Proxy Server (IP or FQDN), type the IPv4 address or the FQDN of the proxy server.
6. In Port Number, type the port number the proxy server uses for requests from the Rubrik cluster.
The Rubrik CDM web UI automatically populates this field with the default port for the selected
protocol. When the proxy server uses a custom port, type that value instead.
7. Optional: In User Name, type the proxy server username assigned to the Rubrik cluster.
8. Optional: In Password, type the password associated with the assigned username.
9. Click Update.

Result
The Rubrik cluster stores the proxy settings and routes all subsequent internet traffic through the proxy
server.

Email notifications
Enable the Rubrik cluster to send email notifications.
To enable the Rubrik cluster to send email notifications, provide configuration information through the
Notifications page.
The Rubrik cluster transfers notification email messages to an SMTP server for delivery to the administrator
accounts.

Note: All email notifications generated by Rubrik contain the following origin identifier at the beginning of
the body of the message text: "This email notification is automatically generated by
Rubrik."

Notification messages are collected from the activity log and organized by event type. All messages
associated with one or more event types can be sent to a list of email recipients, as configured in the
Rubrik CDM web UI.
Related Tasks
Configuring outgoing email settings
To have a Rubrik cluster send email notifications, configure the outgoing email settings.
Configuring event email settings
Specify the types of events and the recipients for event notifications that are sent through email.

Required outgoing email settings


In order to use email notifications, there are required outgoing email settings.

Setting | Description
Host Name | Host Name of the SMTP server.
Port | Incoming port on the SMTP server. Normally port 25, port 465, or port 587, depending upon the type of encryption used.
From Email Address | The email address assigned to the account on the SMTP server.
Username | The username assigned to the account on the SMTP server.
Password | The password associated with the username.
Encryption | The encryption protocol that the SMTP server requires for incoming SMTP connections. The Rubrik cluster supports the following protocols:
• NONE
• SSL
• STARTTLS

Configuring outgoing email settings


To have a Rubrik cluster send email notifications, configure the outgoing email settings.

Prerequisites
Obtain the information described in Required outgoing email settings.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Notification Settings.
The Notification Settings page opens, and the Email Settings tab is selected by default.
4. In Host Name, type the IP address or the FQDN of the SMTP server.
5. In Port, enter the incoming connections port for the SMTP server.
6. In From Email Address, type the email address assigned to the account on the SMTP server.
7. In Username, type the username assigned to the account on the SMTP server.
8. In Password, type the password associated with the username.
9. In Encryption, select the encryption protocol required by the SMTP server.
10. Click Update.
The Rubrik cluster validates and stores the email settings.
11. Click Send Test Email.

Result
The Rubrik cluster obtains the email address of the current administrator user, and sends a test email to
that user account on the local Rubrik cluster.

Modifying the outgoing email settings


Use the Email Settings page to make changes to the outgoing email settings.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Notification Settings.
The Notification Settings page appears, with the Email Settings tab selected.
4. Make changes to the settings.
5. Click Update.
The Rubrik cluster validates and stores the email settings.
6. Click Send Test Email.

Result
The Rubrik cluster obtains the email address of the current administrator user, and uses the new settings
to send a test email to that user account on the local Rubrik cluster.

Deleting the outgoing email settings


Use the Email Settings page to remove the outgoing email settings.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Notification Settings.
The Notification Settings page appears.
4. Select the Email Settings tab.
5. Click Clear SMTP Settings.

Result
The Rubrik cluster removes the settings.

Configuring event email settings


Specify the types of events and the recipients for event notifications that are sent through email.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. In Network Configuration, click Notification Settings.
The Notification Settings page opens.
4. Click the Notifications tab.
5. Click the + icon.
The Add Notification Setting wizard appears, set to the Event Types step.
6. In Event Types, do one of the following to send notifications.
• Select a specific event type. For example, you can select Two Person Rule to send notifications
about events related to the two-person rule.
• Select the Event Types checkbox to send notifications for all event types.
7. Click Next.
The wizard advances to the Severity step.
8. In Severity, do one of the following to send notifications for events based on the event severity.
• Select a specific severity level. For example, you can select Informational severity level to send
notifications about events related to the two-person rule.
• Select the Severity checkbox to send notifications for all event types.
9. Click Next.
The wizard advances to the Object Types step.
10. In Object Types, do one of the following to send notifications for specific object types.
• Select a specific object type.
• Select the Object Types checkbox to send notifications for all object types.
11. Click Next.
The wizard advances to the Send To step.
12. In the Emails tab, perform the required action depending on the notification option.
Option | Required action
Emails | Specify a comma-separated list of recipient email addresses.
Send to all Administrators | Select this option to send notifications to all accounts that are part of the administrators group.
Send to all Two-Person Rule Users | Select this option to send notifications to all accounts that have a two-person rule role assigned.
Multiple options can be selected.
13. Optional: In the Syslog tab, click Send to syslog server.
14. Click Finish.

Result
The Rubrik cluster saves the event email settings.
Related Concepts
TPR roles
Enforcing the two-person rule on a Rubrik cluster requires assigning multiple roles that have specific
permissions.

SNMP integration
Rubrik CDM uses SNMP integration for central monitoring.
SNMP is used for network management and network monitoring. SNMP exposes management data
through a Management Information Base (MIB).
Rubrik SNMP integration supports SNMPv2c and SNMPv3.

Rubrik MIB file


The Rubrik MIB file defines what kinds of information can be obtained from the Rubrik cluster. The
information can be divided into two categories: parameters and traps.
An SNMP manager polls the Rubrik cluster for parameter information via the SNMP protocol. Examples of
parameters in the Rubrik MIB file include:
• Current storage available on the cluster
• Average physical ingest bandwidth for last hour
• Number of active nodes in the cluster
• Rubrik SLA Domain name
A trap is an alert message that is triggered by a predefined condition. The Rubrik cluster sends traps to
one or more trap receivers as soon as a trap condition occurs. The trap receiver decodes the traps based
on information found in the MIB file. The Rubrik MIB file specifies several categories of traps, as shown in
the following table.

Category | Traps

Network
• Network interface down on a port
• Network interface changed state to Recovered

Hardware
• Clock on machine is out of sync
• Replace chassis
• Errors with DIMM
• Errors with BIOS
• Node replacement required because of hardware issues
• Power supply recovered
• Check power supply
• Replace power supply
• Chassis recovered
• DIMM recovered
• BIOS recovered

Disk
• A disk is locked
• A disk on a node is unavailable
• A disk on a node was marked recovered
• A disk on a node could not be marked as removed
• A disk on a node was successfully marked as removed
• A disk on a node could not be set up
• A disk on a node was successfully set up
• An unformatted disk was found on a node
• A disk on a node failed health checks

Node
• Failed to add nodes
• Added nodes to cluster
• Automatically removed node
• Failed to automatically remove node
• Node detected as automatically removed
• Node decommission started
• Node decommission in progress
• Unable to complete node decommission
• Successfully completed node decommission
• Another node detected a node in an inconsistent state
• Another node detected a status of "OK" for this node
• Node has exited maintenance mode and is recommissioned to the cluster
• Node failed to exit maintenance mode
• Node removal succeeded
• Node removal failed
• The TPM on a node requires a firmware upgrade
• A periodic node task has failed
• Node failed NTP configuration checks

Downloading the Rubrik MIB file


To work with the SNMP feature, download the Rubrik MIB file.

Context
Download the MIB file from the Rubrik cluster to view measurements and notification messages (traps)
specified in the file.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Network Configuration > Notification Settings.
The Notification Settings page appears.
4. Select the SNMP tab.
5. Click either Configure SNMP or Edit SNMP.
6. At the top of the dialog box click Download MIB file.

Result
The SNMP MIB file is downloaded.

Syslog messages as SNMP objects
The Management Information Base module inside the Rubrik cluster represents syslog messages as SNMP
objects.
The Management Information Base (MIB) module conveys any syslog message using SNMP, allowing
Rubrik clusters using SNMP to send Rubrik CDM events and provide information for the network
management station (NMS) to detect alerts.
The syslog messages conform to the Internet Engineering Task Force (IETF) standards described in RFC
5425, "The Syslog Protocol", and RFC 5676, "The SYSLOG-MSG-MIB."

SNMP polling
SNMP managers can poll the SNMP agent on the Rubrik cluster and request information by using the
SNMPv2c or SNMPv3 protocol.
The SNMP agent on the Rubrik cluster collects information and compiles it into a Management Information
Base (MIB). The information collected corresponds to the Object Identifiers (OIDs) defined in RFC 1213
“MIB-II” and RFC 2790 “Host Resources” and in the Rubrik MIB file.
The Rubrik cluster opens incoming UDP port 161 for polling by SNMP managers. A request for information
must include the community string (similar to a password) for SNMPv2c or user credentials for SNMPv3
along with an SNMP GET-REQUEST in order for the Rubrik cluster to respond with the requested
information.

Configuring SNMPv2c support


Enable SNMPv2c on the Rubrik cluster to allow an SNMP manager to poll the Rubrik cluster and to receive
SNMPv2c traps.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Notification Settings.
The Notification Settings page appears.
4. Select the SNMP tab.
5. Click Configure SNMP or Edit SNMP.
The relevant dialog box appears.
6. Enable SNMP.
7. In Community String, enter the string to be used as a password when sending a request to the
SNMP agent.
8. Click Update.

Result
The Rubrik cluster is configured for SNMPv2c support.

Configuring SNMPv3 support


Configure SNMPv3 support on the Rubrik cluster to provide additional security.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.

3. Click Notification Settings.
The Notification Settings page appears.
4. Select the SNMP tab.
5. Click Configure SNMP or Edit SNMP.
The relevant dialog box appears.
6. Enable SNMP.
7. In SNMP v3 settings, click Search by Username or click +.
The Add SNMP User dialog box appears.
8. In Username, type the username for the SNMP user.
9. In Authentication Password, type the SHA password.
10. In Privacy Password, type the AES password.
11. Click Add.
12. Click Update.

Result
The Rubrik cluster is configured for SNMP v3 support.

Adding trap receivers


After SNMPv2c or SNMPv3 is configured, traps from the Rubrik MIB file can be sent to a trap receiver for
further processing. Configure one or more trap receivers by specifying the IP address or FQDN, along with
the receiver port.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Notification Settings.
The Notification Settings page appears.
4. Select the SNMP tab.
5. Enable SNMP.
6. Click Update.
7. Click Add Trap Receiver.
The Add Traps Receiver dialog box opens.
8. Select the version for the SNMP Trap Receiver, SNMP v2c or SNMP v3.
9. In Traps receiver information, enter the IP address or FQDN corresponding to the trap receiver
that collects the traps sent from the Rubrik cluster.
10. In UDP Port, enter the incoming connections port for the SNMP trap receiver.
11. Click Add.
12. Each trap receiver can use a different port and different IP address.
Repeat the previous steps to add additional trap receivers.

Result
The Rubrik cluster saves the SNMP trap receiver configuration.

Network settings
The Rubrik cluster uses network address information for specific types of network entities to perform
system tasks.

Network entity | Description
DNS Server | Comma-separated list of Domain Name System (DNS) server IP addresses.
Search domain | Comma-separated list of domain names. The Rubrik cluster will only request DNS records for the listed domains.
Floating IPs | Comma-separated list of IP addresses used to maintain NFS mounts if a Rubrik node fails. The floating IP addresses are distributed evenly across the nodes in a cluster. If the number of available nodes changes, floating IP addresses are rebalanced as necessary to maintain even distribution. Configure each floating IP address on one of the subnets assigned to the network interfaces of a Rubrik node.
VLAN settings | Add a VLAN to the Rubrik cluster by configuring the VLAN ID, VLAN Subnet Mask, and VLAN IP address.
NTP | Comma-separated list of IP addresses or resolvable hostnames of Network Time Protocol (NTP) servers.

Enabling the Two-Person Rule (TPR) for editing NTP requires approval from an account with the TPR
approver role.
To change the IP address of a Rubrik node, refer to the Rubrik CDM CLI Reference or contact Rubrik
Support.
Related Concepts
The two-person rule
The two-person rule provides additional data security on Rubrik CDM by ensuring that no individual user
can perform key operations on data without the approval of a secondary user.
Related Tasks
Configuring network settings
Configure the network settings of the Rubrik cluster to enable system tasks.
Editing network settings
Edit the network settings when network requirements change.
Related reference
TPR Approver role details
A user account with the TPR Approver role is responsible for approving or denying TPR requests.

Configuring network settings


Configure the network settings of the Rubrik cluster to enable system tasks.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Network Settings.

The Network Settings page appears.
4. Click the Network tab.
The Network settings dialog box appears.
5. In DNS Servers, type a comma-separated list of DNS Servers.
For each DNS Server, type the IPv4 address.
6. In Search Domains, type a comma-separated list of search domains.
For each search domain, type the FQDN.
7. Optional: In Floating IPs IPv4, type a comma-separated list of IPv4 addresses.
8. Optional: In Floating IPs IPv6, type a comma-separated list of IPv6 addresses.
9. Optional: Click the Interfaces tab.
The Interface settings appear.
10. Optional: Click Add VLAN.
The Add VLAN dialog box appears.
11. Optional: In VLAN ID, type the VLAN ID.
12. Optional: In VLAN Subnet Mask, type the VLAN Subnet Mask.
13. Optional: In VLAN IP Address, type a comma-separated list of IPv4 addresses.
14. Optional: Click Add.
15. Click Update.
16. Click the NTP Servers tab.
The NTP Servers dialog box appears.
17. In NTP Servers, type a comma-separated list of network time protocol servers.
For each server, type either the IPv4 address or the FQDN.

Result
The Rubrik cluster stores the information.

Editing network settings


Edit the network settings when network requirements change.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Network Settings.
The Network Settings page appears.
4. Change the network settings.
5. On the Submit Two-Person Rule Request dialog box, click Submit.
The Submit Two-Person Rule Request dialog box appears only when Changes to NTP Configuration is
enabled on the Two-Person Rule Controlled Action page. Otherwise, you will not see this dialog box.
6. Click Update.
The Two-Person Rule generates a review request. When the request is approved, the Rubrik cluster
applies the requested edits. When the request is denied, the Rubrik cluster rejects the requested edits.

Result
The Rubrik cluster stores the new information.
Related Concepts
Network settings

The Rubrik cluster uses network address information for specific types of network entities to perform
system tasks.
The two-person rule
The two-person rule provides additional data security on Rubrik CDM by ensuring that no individual user
can perform key operations on data without the approval of a secondary user.
Related Tasks
Configuring network settings
Configure the network settings of the Rubrik cluster to enable system tasks.
Related reference
TPR Approver role details
A user account with the TPR Approver role is responsible for approving or denying TPR requests.

Add CORS support


Cross-origin resource sharing (CORS) adds HTTP headers that enable a browser to grant permission to
a web application running at one location to have access to selected resources on a server running at a
different location.
A user account with administrator permissions can configure CORS support to integrate with Rubrik CDM.
For example, the CORS implementation allows the vCloud Director UI plugin to work with Rubrik CDM
without requiring a reverse proxy server.
The Rubrik REST API endpoints for CORS are:
• GET /v1/cluster/{id}/security/cors
• PATCH /v1/cluster/{id}/security/cors
Use the PATCH /v1/cluster/{id}/security/cors endpoint to configure Rubrik CDM for CORS.
When a web page makes a subsequent cross-origin XMLHttpRequest (XHR) call, the browser performs
preflight checks by making an OPTIONS call. If the request headers satisfy the CORS condition, the web
page can receive the response.
Once the external site that will access the cluster is configured to permit CORS, the browser checks
periodically and reloads the route if it has been updated.
The following table provides information about the CORS endpoint actions.

| Action | Description |
| --- | --- |
| Enable or disable the CORS configuration | Specify true or false. By default, CORS support is not enabled. |
| Create CORS rules on Rubrik CDM that authorize specified origin URLs to access API endpoints on CDM. | This can be a specific origin, or use the wildcard character (*) to allow any origin. |
| Specify the headers allowed | This can be a comma-separated list or a wildcard character (*). For example, the list can specify a list of these headers: Authorization, Origin, X-Requested-With, Content-Type, Accept, x-vcloud-authorization |

Example: Making a cross-origin GET call

Once CORS is enabled using the PATCH endpoint for the external site or server that accesses the cluster,
this HTML example script can be run from that external site or server. Any GET endpoint can be added
in the script. Because CORS is enabled for that external site, the script can access the cluster using the
browser.

<html>
  <head>
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.0/jquery.min.js"></script>
  </head>
  <body>
    <button id="test">Get Info</button>
    <p id="content"></p>

    <script>
      // Issue a cross-origin GET to the cluster when the button is clicked.
      $("#test").click(function() {
        var req = new XMLHttpRequest();
        req.open('GET', 'https://10.0.113.18/api/v1/cluster/me', true);
        req.onreadystatechange = function() {
          // readyState 4 means the request has completed.
          if (req.readyState === 4) {
            // Show the JSON body as text so it is never parsed as markup.
            $("#content").text(req.responseText);
          }
        };
        req.setRequestHeader('Accept', 'application/json');
        // Replace TOKEN with the API token value.
        req.setRequestHeader('Authorization', 'Bearer TOKEN');
        req.send();
      });
    </script>
  </body>
</html>

Configuring CORS support


Use the Rubrik REST APIs to enable a web browser to receive permission from a web server to request
cross-origin information from a Rubrik cluster.

Context
Users with global administrator permissions can use the GET and PATCH endpoints to configure Rubrik
CDM for CORS support, enabling them to integrate Rubrik CDM in other products. Make the API calls by
using the OpenAPI-based Rubrik playground, by issuing cURL commands from the command line of a
computer with access to the Rubrik cluster, or by using any RESTful API-compliant client software.
Access the Rubrik REST API playground through a Rubrik cluster at:
https://$cluster_address/docs/v1/playground/. The GET and PATCH endpoints are located under the
/cluster heading.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Open the account menu in the upper right corner and select API Token Manager.
3. On the API Token Manager page, click +.
4. Complete the Duration and tag fields and click Generate.
5. Click Copy.
6. Paste the token in a scratch file.

7. Use the token value to create an authenticated session with the Rubrik REST API server.
In the Rubrik REST API playground, click Authorize, paste the token in the value field, and click
Authorize again.
8. Expand the PATCH endpoint under the /cluster heading.
9. Type the payload for the PATCH endpoint to enable CORS on the external site.
Replace the ip_address with IP addresses of the server where the HTML script will run:

{
  "isEnabled": true,
  "allowedOrigins": "http://ip_address:8081, http://ip_address:8082",
  "allowedHeaders": "*"
}

The cURL command for this is:

curl -X PATCH --header 'Content-Type: application/json' \
  --header 'Accept: application/json' \
  --header 'Authorization: Basic YWRtaW46UnVicmlrQWRtaW5QYXNzd29yZA==' \
  -d '{
    "isEnabled": true,
    "allowedOrigins": "http://ip_address:8081, http://ip_address:8082",
    "allowedHeaders": "*"
  }' 'https://olive.rubrik-lab.com/api/v1/cluster/me/security/cors'

Note: To allow every origin, type "allowedOrigins": "*".


The port numbers in the sample code, 8081, 8082, are just examples. The port numbers are optional
in the PATCH payload. If they are included, specify the port numbers in the PATCH payload based on
where the service is running.

10. Get the current CORS support configuration for the web server with the GET endpoint.
This example retrieves the current CORS support configuration:

{
  "isEnabled": true,
  "allowedOrigins": "string",
  "allowedHeaders": "string"
}

The cURL command for this is:

curl -X GET --header 'Accept: application/json' \
  --header 'Authorization: Basic YWRtaW46UnVicmlrQWRtaW5QYXNzd29yZA==' \
  'https://olive.rubrik-lab.com/api/v1/cluster/me/security/cors'

The response body displays the IP addresses specified in the PATCH endpoint.

{
  "isEnabled": true,
  "allowedOrigins": "http://8.8.8.8:8081, http://9.9.9.9:8082",
  "allowedHeaders": "*"
}
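
The following audit of a CORS configuration is an added example, not code from Rubrik or from this guide. It reads the GET response body shown above, flags wildcard and cleartext-HTTP entries, and builds a PATCH body that names origins and headers explicitly; the severity labels, the exact-match origin rule and the host vcd.example.test are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Response body shown in the procedure above for the GET .../security/cors call.
PAGE_SAMPLE = json.loads("""
{
  "isEnabled": true,
  "allowedOrigins": "http://8.8.8.8:8081, http://9.9.9.9:8082",
  "allowedHeaders": "*"
}
""")


def split_list(value):
    """Split the comma-separated string format used by the CORS payload."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def normalize_origin(origin):
    """Return (scheme, host, port), or None when the value is not a bare origin."""
    try:
        parts = urlsplit(origin.strip())
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None                  # an origin has no path, query or fragment
    return (scheme, parts.hostname.lower(), port or DEFAULT_PORTS[scheme])


def audit_cors(config):
    """Return (severity, message) findings; the severity ranking is this example's own."""
    findings = []
    if not config.get("isEnabled", False):
        return findings              # CORS support is off, which is the default
    origins = split_list(config.get("allowedOrigins"))
    for origin in origins:
        normalized = normalize_origin(origin)
        if origin == "*":
            findings.append(("high", "allowedOrigins is '*': every web origin is authorized"))
        elif normalized is None:
            findings.append(("medium", f"{origin!r} is not a scheme://host[:port] origin"))
        elif normalized[0] == "http":
            findings.append(("medium", f"{origin} is served over cleartext HTTP"))
    if len(origins) != len({normalize_origin(o) or o for o in origins}):
        findings.append(("info", "allowedOrigins contains duplicate entries"))
    if "*" in split_list(config.get("allowedHeaders")):
        findings.append(("low", "allowedHeaders is '*': list the headers the client sends"))
    return findings


def origin_permitted(config, origin):
    """Assumed matching rule: wildcard, or exact scheme/host/port equality."""
    if not config.get("isEnabled", False):
        return False
    origins = split_list(config.get("allowedOrigins"))
    if "*" in origins:
        return True
    wanted = normalize_origin(origin)
    return wanted is not None and wanted in {normalize_origin(o) for o in origins}


def build_payload(origins, headers):
    """Build a PATCH body that names every origin and header explicitly."""
    if not origins or not headers or "*" in headers:
        raise ValueError("every origin and header must be named explicitly")
    if any(normalize_origin(o) is None for o in origins):
        raise ValueError("each origin must look like scheme://host[:port]")
    return {
        "isEnabled": True,
        "allowedOrigins": ", ".join(origins),
        "allowedHeaders": ", ".join(headers),
    }


if __name__ == "__main__":
    for severity, message in audit_cors(PAGE_SAMPLE):
        print(f"[{severity}] {message}")
    # Hypothetical plugin host; the header names come from the table earlier in this topic.
    body = build_payload(["https://vcd.example.test"],
                         ["Authorization", "Accept", "x-vcloud-authorization"])
    print(json.dumps(body, indent=2))
```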

Network Throttling
Rubrik CDM provides settings for replication and archiving that can be used to specify the maximum
bandwidth allowed for outbound traffic.
Use the Network throttling feature to set bandwidth limits for replication and archiving. The general
throttling settings can be modified by setting one or more scheduled overrides. The general settings can be
used alone or with scheduled throttle overrides.
The following rules specify how network throttling settings are applied:
• The general setting applies unless overridden by a scheduled override.
• Scheduled throttle overrides apply only for the specified time window.
• Scheduled overrides override the general throttle setting.
• Multiple schedules can be set.
• No two schedules can have a common time window.
• The scheduled overrides are enforced according to the cluster time zone.
The bandwidth limits for archiving and replication are configured separately and are independent of each
other. The bandwidth limits are configured at the Rubrik cluster level and available bandwidth is distributed
dynamically between the nodes based on the load. Consider the Rubrik cluster size when configuring
throttle limits, because the same throttle limit may not work well across different Rubrik cluster sizes.

Note: The bandwidth limit is enforced on each node by throttling traffic on port 443 for archiving and
port 7785 for replication. If an archival location proxy is enabled and uses a port other than 443, archival
throttling will not work. When determining whether to use archival throttling, take into consideration that
enabling it will slow all traffic through port 443, not just archiving and replication traffic.

Related Concepts
Ports
Rubrik CDM has specific port requirements.
Replication throttling bypass
The Rubrik REST API can be used to bypass the network throttle to provide more bandwidth for
replication.

Scheduling replication throttling overrides


Replication throttling overrides can be scheduled to specify how much bandwidth can be used for
replication during specified days and times.

Context
Multiple throttle schedules can be set. For example, bandwidth can be more limited during business hours
and increased during non-business hours.
Replication throttling must be enabled for the scheduled overrides to work. The scheduled limit overrides
the general limit if the schedule is active.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Network Throttling.
The Network Throttling page appears.
4. Click Schedule Override.
The Schedule Network Throttle Override page appears.

5. Select Replication.
6. Under Bandwidth Limit (Mbps), type an integer value representing the highest network usage
allowed, in Mbps.
7. Select specified Day(s) for the replication throttling policy.
8. Select specified times for the replication throttling policy.
9. Click Add.
After throttling is configured, click the ellipsis next to the scheduled override to edit or delete the
throttle policy. Configure additional replication throttling policies if needed.

Result
Replication throttling is overwritten.

Enabling and configuring replication throttling


Specify the maximum bandwidth for replication by configuring replication throttling. Replication throttling
can only be set by a global administrator.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Network Throttling.
The Network Throttling page appears.
4. Select Enable Replication Throttling.
5. In Replication Network Usage Threshold (Mbps), type an integer value representing the highest
network usage allowed, in Mbps.
6. In Select Network Interface, select a network interface.
7. Click Update.

Result
The Rubrik cluster overrides scheduled replication throttling. This setting can be used alone or with
scheduled replication throttling overrides.

Note: Network throttling is not supported for archiving to any location that does not use Port 443, such
as NFS targets and QStar tape.

Scheduling archival throttling overrides


Archival throttling overrides can be scheduled to specify how much bandwidth can be used for archiving
during specified days and times.

Context
Multiple throttle schedules can be set. For example, bandwidth can be more limited during business hours
and increased during non-business hours.
Archival throttling must be enabled for the scheduled overrides to work. The scheduled limit overrides the
general limit if the schedule is active.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.

3. Click Network Throttling.
The Network Throttling page appears.
4. Click Schedule Override.
The Schedule Network Throttle Override page appears.
5. Select Archival.
6. Under Bandwidth Limit (Mbps), type an integer value representing the highest network usage
allowed, in Mbps.
7. Select specified Day(s) for the archival throttling policy.
8. Select specified times for the archival throttling policy.
9. Click Add.

Result
Archival throttling overrides are configured. After throttling is configured, click the ellipsis next to the
scheduled override to edit or delete the throttle policy. Configure additional archival throttling policies if
needed.

Enabling and configuring archival throttling


Specify the maximum bandwidth for archiving by configuring archival throttling. Archival throttling can only
be set by a global administrator.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Network Throttling.
The Network Throttling page appears.
4. Select Enable Archival Throttling.
5. Under Archival Network Usage Threshold (Mbps), type an integer value representing the highest
network usage allowed, in Mbps.
6. In Select Network Interface, select a network interface.
7. Click Update.

Result
The Rubrik cluster overrides scheduled archival throttling. This setting can be used alone or with scheduled
archival throttling overrides.

Replication throttling bypass


The Rubrik REST API can be used to bypass the network throttle to provide more bandwidth for
replication.
Replication throttling bypass is a feature of Rubrik CDM that allows individual replication targets to bypass
the network throttle configuration of the source cluster. The Rubrik REST API provides an endpoint that
must be invoked from the source cluster to configure a property for a replication target cluster to bypass
replication throttling.
The name of the property is shouldBypassReplicationThrottle. When the property is set to true
for a replication target cluster, the cluster bypasses the bandwidth limit of the network throttle setting
configured on the source cluster. In other words, an active replication network throttle does not limit the
outgoing traffic from the source cluster to the replication target cluster that has the property set to true.

A replication target cluster that has the property set to false does not bypass the bandwidth limit of the
configured network throttle setting.
Bypassing replication throttling for a replication target cluster allows faster replication of snapshots on that
target cluster. The available bandwidth specified by the network throttle is shared by the target clusters
that are not configured to bypass the replication throttle limit.
Currently, Rubrik CDM supports replication throttling bypass only for replication clusters that are set up in
a private network where the source and target clusters are assigned static IP addresses and are directly
reachable from each other within the network. It is not supported for source and target clusters where
replication is set up using the Network Address Translation (NAT) network topology.

Example: Replication throttling bypass scenario

Consider a scenario where a replication source Rubrik cluster is associated with three replication target
clusters: Cluster A, Cluster B, and Cluster C. Replication throttling is enabled on the source cluster and
configured with a bandwidth of 200 Mbps.
If shouldBypassReplicationThrottle = true for Cluster A, Cluster A will bypass the network
throttle and network traffic to Cluster A will not be constrained.
The aggregate traffic to Cluster B and Cluster C will be limited to 200 Mbps.

Related Concepts
Network Throttling
Rubrik CDM provides settings for replication and archiving that can be used to specify the maximum
bandwidth allowed for outbound traffic.
Replication
The replication feature directs the Rubrik cluster to send replicas of source snapshots or backups to a
target Rubrik cluster and defines the maximum time to keep the replica on each cluster.
Replication using a private network
To perform replication, a source Rubrik cluster can optionally communicate with a target Rubrik cluster
through a private network.
Related Tasks
Enabling and configuring replication throttling
Specify the maximum bandwidth for replication by configuring replication throttling. Replication throttling
can only be set by a global administrator.
Retrieving replication throttling bypass status
Retrieve the replication throttling bypass status for all replication target clusters.
Modifying replication throttling bypass status
Modify the replication throttling bypass status for a specific target cluster.

API endpoints for replication throttling bypass


The Rubrik REST API provides endpoints for managing the network throttle bypass settings of replication
targets.

| Endpoint | Description |
| --- | --- |
| GET /network_throttle/replication/target | Retrieves the throttle bypass status for replication targets of the API session host cluster. A successful response contains the following information for the replication target: ID, name, and bypass status. |
| GET /network_throttle/replication/target/{id} | Retrieves the throttle bypass status for the replication targets identified by {id}, where {id} is the ID of the target cluster. The response of the GET /network_throttle/replication/target endpoint includes the IDs for the replication targets available to the session host. |
| PATCH /network_throttle/replication/target/{id} | Updates the throttle bypass status for the replication target identified by {id}, where {id} is the ID of the target cluster. The response of the GET /network_throttle/replication/target endpoint includes the IDs for the replication targets available to the session host. |

Related reference
HTTP response model for replication throttling bypass
Description of the elements contained in the responses from the replication throttling bypass endpoints.

Retrieving replication throttling bypass status


Retrieve the replication throttling bypass status for all replication target clusters.

Prerequisites
Create an authorized Rubrik REST API session. To use the Rubrik REST API playground for this task,
authorize the session on the "v1" API branch, as described in Authorizing a Rubrik REST API session.

Procedure
1. In a web browser with network access to the Rubrik cluster, open
https://RubrikCluster/docs/v1/playground/.
Where RubrikCluster is the resolvable hostname or IP address of the Rubrik cluster.
2. Click /network_throttle.
The listing expands to show all the operations for that endpoint.
3. Click GET /network_throttle/replication/target.
The endpoint listing displays a list of parameters, if any.
4. Click Try it out.
The Execute button appears.
5. Click Execute to send the request.
The response to a successful request is a set of JSON objects containing the replication throttling
bypass status for each target cluster.

{
  "hasMore": false,
  "data": [
    {
      "id": "$replication_target_cluster_1_id",
      "clusterName": "$replication_target_cluster_1_name",
      "shouldBypassReplicationThrottle": true
    },
    {
      "id": "$replication_target_cluster_2_id",
      "clusterName": "$replication_target_cluster_2_name",
      "shouldBypassReplicationThrottle": false
    }
  ],
  "total": 2
}

Result
The Rubrik REST API server responds with the summary of all the replication target clusters and specifies
whether the target clusters are bypassing the network throttle.
Related Tasks
Retrieving replication throttling bypass status for a target
Retrieve the replication throttling bypass status for a specified replication target cluster.
Related reference
HTTP response model for replication throttling bypass
Description of the elements contained in the responses from the replication throttling bypass endpoints.

Retrieving replication throttling bypass status for a target


Retrieve the replication throttling bypass status for a specified replication target cluster.

Prerequisites
Do the following:
• Open an authorized Rubrik REST API session. To use the Rubrik REST API playground for this task,
authorize the session on the "v1" API branch, as described in Authorizing a Rubrik REST API session.
• Have available the ID assigned to the replication target cluster to check whether the cluster is
configured to bypass replication throttling.

Procedure
1. In a web browser with network access to the Rubrik cluster, open
https://RubrikCluster/docs/v1/playground/.
Where RubrikCluster is the resolvable hostname or IP address of the Rubrik cluster.
2. Click /network_throttle.
The listing expands to show all the operations for that endpoint.
3. Click GET /network_throttle/replication/target/{id}.
The endpoint listing displays the parameters.
4. Click Try it out.
The parameters become editable and the Execute button appears.
5. In id, type the ID of the target replication cluster.
6. Click Execute to send the request.
The response to a successful request is a JSON object containing the replication throttling bypass
status for the specified target cluster.

{
  "id": "$replication_target_cluster_id",
  "clusterName": "$replication_target_cluster_name",
  "shouldBypassReplicationThrottle": true
}

Result
The Rubrik REST API server responds with a summary for the replication target cluster and specifies
whether the target cluster is bypassing the network throttle.
Related Tasks
Retrieving replication throttling bypass status
Retrieve the replication throttling bypass status for all replication target clusters.
Related reference
HTTP response model for replication throttling bypass
Description of the elements contained in the responses from the replication throttling bypass endpoints.

Modifying replication throttling bypass status


Modify the replication throttling bypass status for a specific target cluster.

Prerequisites
Do the following:
• Open an authorized Rubrik REST API session. To use the Rubrik REST API playground for this task,
authorize the session on the "v1" API branch, as described in Authorizing a Rubrik REST API session.
• Have available the ID assigned to the replication target cluster to update the replication throttling
bypass status for the cluster.

Procedure
1. In a web browser with network access to the Rubrik cluster, open
https://RubrikCluster/docs/v1/playground/.
Where RubrikCluster is the resolvable hostname or IP address of the Rubrik cluster.
2. Click /network_throttle.
The listing expands to show all the operations for that endpoint.
3. Click PATCH /network_throttle/replication/target/{id}.
The endpoint listing displays the parameters.
4. Click Try it out.
The parameters become editable and the Execute button appears.
5. In id, type the ID of the target replication cluster.
6. In config, type the JSON input representing the configuration property and the value to be set for the
property.
Sample JSON input to set the property to true:

{
  "shouldBypassReplicationThrottle": true
}

7. Click Execute to send the request.


The response to a successful request is a JSON object containing the updated replication throttling
bypass status for the specified target cluster.

{
  "id": "$replication_target_cluster_id",
  "clusterName": "$replication_target_cluster_name",
  "shouldBypassReplicationThrottle": true
}

Result
The Rubrik REST API server responds with the updated summary of the specified replication target cluster.

Related Tasks
Retrieving replication throttling bypass status for a target
Retrieve the replication throttling bypass status for a specified replication target cluster.
Related reference
HTTP response model for replication throttling bypass
Description of the elements contained in the responses from the replication throttling bypass endpoints.

HTTP response model for replication throttling bypass


Description of the elements contained in the responses from the replication throttling bypass endpoints.

| Element | Required/Optional | Type | Description |
| --- | --- | --- | --- |
| id | Required | String | UUID of the replication target cluster. |
| clusterName | Required | String | Name of the replication target cluster. |
| shouldBypassReplicationThrottle | Required | Boolean | Value that specifies whether the replication target cluster will bypass the network throttle configured on the replication source cluster. When true, the replication target will bypass the network throttle and the outgoing traffic from the source cluster to the replication target will not be constrained. When false, the network throttle will apply to the outgoing traffic from the replication source cluster to the replication target. |
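
The following check of the bypass listing against an approved baseline is an added example, not code from Rubrik or from this guide. It validates a GET /network_throttle/replication/target response against the response model above, reports which targets still share the throttle, and lists the PATCH requests that would restore the baseline; the cluster IDs and the drifted Cluster C are constructed to extend the three-cluster scenario described earlier, and the baseline set is an assumption of this example.

```python
import json

# Endpoint path as listed in the endpoint table above.
TARGET_PATH = "/network_throttle/replication/target/{id}"
REQUIRED = ("id", "clusterName", "shouldBypassReplicationThrottle")

# Constructed response: a source cluster with targets A, B and C.
# Only Cluster A is approved to bypass; Cluster C has drifted to true.
SAMPLE_RESPONSE = json.loads("""
{
  "hasMore": false,
  "data": [
    {"id": "00000000-0000-4000-8000-00000000000a", "clusterName": "Cluster A",
     "shouldBypassReplicationThrottle": true},
    {"id": "00000000-0000-4000-8000-00000000000b", "clusterName": "Cluster B",
     "shouldBypassReplicationThrottle": false},
    {"id": "00000000-0000-4000-8000-00000000000c", "clusterName": "Cluster C",
     "shouldBypassReplicationThrottle": true}
  ],
  "total": 3
}
""")


def validate_targets(response):
    """Return the target list after checking it against the response model."""
    if response.get("hasMore"):
        raise ValueError("hasMore is true: fetch the remaining targets before auditing")
    targets = response.get("data", [])
    for target in targets:
        missing = [key for key in REQUIRED if key not in target]
        if missing:
            raise ValueError(f"target is missing required elements: {missing}")
        if not isinstance(target["shouldBypassReplicationThrottle"], bool):
            raise ValueError(f"{target['clusterName']}: bypass flag is not a Boolean")
    return targets


def throttled_targets(response):
    """Names of the targets that share the source cluster's bandwidth limit."""
    return [t["clusterName"] for t in validate_targets(response)
            if not t["shouldBypassReplicationThrottle"]]


def bypass_drift(response, approved_bypass_ids):
    """List the PATCH requests that would restore the approved bypass baseline."""
    targets = validate_targets(response)
    unknown = sorted(set(approved_bypass_ids) - {t["id"] for t in targets})
    if unknown:
        raise ValueError(f"approved IDs not reported by the source cluster: {unknown}")
    requests = []
    for target in targets:
        expected = target["id"] in approved_bypass_ids
        if target["shouldBypassReplicationThrottle"] != expected:
            requests.append({
                "clusterName": target["clusterName"],
                "method": "PATCH",
                "path": TARGET_PATH.format(id=target["id"]),
                "body": {"shouldBypassReplicationThrottle": expected},
            })
    return requests


if __name__ == "__main__":
    approved = {"00000000-0000-4000-8000-00000000000a"}   # assumed baseline: Cluster A only
    print("Sharing the throttle:", throttled_targets(SAMPLE_RESPONSE))
    for request in bypass_drift(SAMPLE_RESPONSE, approved):
        print(request["method"], request["path"], json.dumps(request["body"]))
```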

Related reference
API endpoints for replication throttling bypass
The Rubrik REST API provides endpoints for managing the network throttle bypass settings of replication
targets.

Syslog settings
The Rubrik cluster supports transmission of system activities to an external syslog server.
The Rubrik cluster uses the standard syslog protocol for formatting and transmission of system
notifications. By default, at the transport layer the Rubrik cluster sets the syslog standard protocol and
port (UDP/514). The transport layer protocol and port can be disabled, or can be configured to use custom
settings.
At the application layer, the syslog transmissions use the HTTP protocol.
When syslog support is enabled, the Rubrik cluster sends server messages to an external syslog server
according to how the facility or severity levels are configured. The facility level represents the machine
process that created the syslog event. Facilities cover general system processes such as the kernel, a user,
and mail, and there are also facilities for Rubrik-specific logs. The severity level indicates how severe the
message is, for example critical, warning, or purely informational.
By default, Rubrik CDM sends all messages to the syslog. The Activity Log displays all the messages.

Note: The syslog message format conforms to RFC 5424.

Related Tasks
Viewing Activity Log messages
View recent messages of the Activity Log to see the 15 most recent activity messages.

Syslog export rule settings


Rubrik clusters support the creation of syslog export rules based on various settings.

| Setting | Description |
| --- | --- |
| IP or Hostname | IPv4 address or resolvable hostname of the syslog server host. |
| Protocol | Transport layer protocol to use for communication between a Rubrik cluster and the syslog server host. Either TCP or UDP is used. To use TLS encryption, TCP must be selected. |
| Port | Port number for contacting the syslog server host. The default syslog server port is 514. |
| Facility | The event reporting facility to send events from. Selecting All sends entries from all facilities. Selecting a specific facility sends entries only from the specified facility. |
| Severity | The event severity threshold to filter. Filters out all events that have a lower severity than the specified level. Selecting All sends all the entries from the selected facility without filtering based on severity. Selecting a specific severity sends entries only for the severity level that is specified or is greater than what is specified. |
| TLS | Enables TLS encryption of data transmitted from the Rubrik cluster to the syslog server host. TLS encryption is available only when TCP is selected as the transport layer protocol. |

Adding a syslog export rule


Add a syslog export rule to specify the details for sending syslog events to a remote syslog server.

Context
Rubrik clusters manage interactions with syslog servers through the settings provided by syslog export
rules.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Notification Settings.
The Notifications page appears.
4. Click the Syslog tab.
5. Click Add Syslog Export Rule.
The Add Syslog Export Rule dialog box appears.
6. In IP or Hostname, type the IPv4 address or resolvable hostname of the syslog server host.

7. In Protocol, choose a transmission layer protocol.
• TCP
• UDP
8. In Port, type the incoming port on the syslog server host to use.
9. In Facility, select an event reporting facility to monitor.
10. In Severity, select a severity level to monitor.
The Rubrik cluster will only send events at the specified severity level or greater.
11. (TLS only) Click Enable TLS.
12. (TLS only) In Signed TLS Certificate, select the certificate from a list or type a name for the TLS
certificate.
The specified name must be unique among all syslog export rules on the Rubrik cluster.
13. Click Add.

Result
The Rubrik cluster validates the connection information provided by the syslog export rule. If the
connection is not valid, the Rubrik cluster does not add the rule. If the connection is valid, the Rubrik
cluster saves the syslog export rule and begins transmitting syslog messages based on the rule.

Note: This check does not guarantee the connection is valid for UDP connections because UDP
connections do not require acknowledgements. To validate a UDP connection, look for the test message or
requested logs on the syslog server.

Related reference
Syslog export rule settings
Rubrik clusters support the creation of syslog export rules based on various settings.

Remote syslog servers


Rubrik clusters support multiple remote syslog servers and message filtering based on event reporting
facility and event severity.
Syslog export rules are used to monitor Rubrik cluster activity through a remote syslog server. Multiple
syslog export rules can be added to send distinct categories of syslog entries to different targets, on the
same syslog server and on multiple syslog servers. Syslog export rules can be set up with TLS to encrypt
in-flight data sent to a syslog server.
Rubrik clusters automatically validate syslog export rules when the rules are added or edited. When the
syslog export rule information does not enable a successful connection to the specified syslog server,
Rubrik clusters block further additions or modifications.
The Rubrik CDM web UI provides an option called Test Connection in the ellipsis menu for the syslog
export rules to determine if the rules are valid. Error messages for a test failure appear in the notifications
section. Rubrik clusters also allow editing the settings in an existing syslog export rule.
Related reference
Syslog export rule settings

Rubrik clusters support the creation of syslog export rules based on various settings.

Supported facility and severity syslog levels


Syslog messages are classified according to facility and severity levels.

Replicating version 5.0 and earlier facility and severity behavior

Use a facility level of RubrikEvent and a severity level of All to replicate the facility and severity
behavior from versions 5.0 and earlier. Upgraded versions of Rubrik CDM automatically use these values for
facility and severity levels for systems that had previously configured syslog.

Severity levels

| Numerical code | Severity level | Description |
| --- | --- | --- |
| 0 | Emergency | The system is unusable. |
| 1 | Alert | An action on the system is required immediately. |
| 2 | Critical | The system has critical conditions. |
| 3 | Error | The system has some error conditions. |
| 4 | Warning | The system has some warning conditions. |
| 5 | Notice | The system has some normal, but significant, condition. |
| 6 | Informational | Informational messages |
| 7 | Debug | Debug-level messages |

Facility levels

| Numerical code | Facility | Description |
| --- | --- | --- |
| 0 | Kernel | Kernel messages |
| 1 | User | User-level messages |
| 2 | Mail | Mail system |
| 3 | Daemon | System daemons |
| 4 | Auth | Security and authorization messages |
| 5 | syslog | Messages generated by syslogd |
| 6 | LPR | Line printer subsystem |
| 7 | News | Network news subsystem |
| 8 | UUCP | UUCP subsystem |
| 9 | Cron | Clock daemon |
| 10 | Security | Security and authorization messages |
| 11 | FTP | FTP daemon |
| 12 | NTP | NTP subsystem |
| 13 | LogAudit | Log audit |
| 14 | LogAlert | Log alerts |
| 15 | Clock | Clock daemon |
| 16 | RubrikEvent(local0) | Rubrik user audits (all defined user event audits) |
| 17 | RubrikCLI(local1) | rkcli logs (executed command and output logs) |
| 18 | RubrikSSH(local2) | ssh command logs (contains all interactively executed commands) |
| 19 | RubrikApp(local3) | Rubrik scala application logs (for example, spray, JFL, node monitor) |
| 20 | N/A (local4) | local use 4 (unused) |
| 21 | N/A (local5) | local use 5 (unused) |
| 22 | N/A (local6) | local use 6 (unused) |
| 23 | N/A (local7) | local use 7 (unused) |
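
The following decoder is an added example, not code from Rubrik or from this guide. It splits the RFC 5424 PRI value of a received message into the facility and severity codes from the two tables above and evaluates export rules with the threshold semantics described under Syslog export rule settings; the sample messages, server names and the dictionary form of a rule are constructed for this example.

```python
import re

# Index in each list is the numerical code from the tables above.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
FACILITIES = ["Kernel", "User", "Mail", "Daemon", "Auth", "syslog", "LPR", "News",
              "UUCP", "Cron", "Security", "FTP", "NTP", "LogAudit", "LogAlert", "Clock",
              "RubrikEvent", "RubrikCLI", "RubrikSSH", "RubrikApp",
              "local4", "local5", "local6", "local7"]

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then the rest.
HEADER = re.compile(r"^<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$", re.S)

# Constructed export rules (hypothetical servers), one dictionary per rule.
RULES = [
    {"server": "siem.example.test", "facility": "RubrikEvent", "severity": "All"},
    {"server": "soc.example.test", "facility": "All", "severity": "Error"},
    {"server": "audit.example.test", "facility": "RubrikSSH", "severity": "Notice"},
]

# Constructed sample messages; only the PRI values matter for routing.
SAMPLES = [
    "<134>1 2022-05-25T10:15:00Z node1.example.test sample - - - constructed event text",
    "<147>1 2022-05-25T10:16:00Z node1.example.test sample - - - constructed ssh error",
    "<150>1 2022-05-25T10:17:00Z node1.example.test sample - - - constructed ssh info",
]


def decode_pri(pri):
    """Split PRI into (facility code, severity code): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} is outside the range 0..191")
    return divmod(pri, 8)


def parse_message(line):
    """Parse the header fields needed to apply an export rule."""
    match = HEADER.match(line)
    if not match or match.group(2) != "1":
        raise ValueError("not an RFC 5424 version 1 message")
    facility, severity = decode_pri(int(match.group(1)))
    return {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "severity_code": severity,
        "timestamp": match.group(3),
        "hostname": match.group(4),
        "rest": match.group(8),      # structured data followed by the message text
    }


def rule_forwards(rule, message):
    """Facility must match (or be All) and severity must meet the threshold."""
    if rule["facility"] not in ("All", message["facility"]):
        return False
    if rule["severity"] == "All":
        return True
    # A greater severity has a lower numerical code (0 is Emergency).
    return message["severity_code"] <= SEVERITIES.index(rule["severity"])


def destinations(line, rules):
    """Servers that would receive this message under the given export rules."""
    message = parse_message(line)
    return [rule["server"] for rule in rules if rule_forwards(rule, message)]


if __name__ == "__main__":
    for sample in SAMPLES:
        parsed = parse_message(sample)
        print(parsed["facility"], parsed["severity"], "->", destinations(sample, RULES))
```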

Support bundle
When it is not feasible for Rubrik Support to use the Support Tunnel to troubleshoot an issue on a Rubrik
cluster, the Rubrik cluster can create a bundle of Rubrik cluster and Rubrik node logs for download and
transfer.
Once a support bundle is created, it can be downloaded from the Rubrik CDM web UI and transferred
to Rubrik Support. The support bundle provides an alternative method for providing Rubrik Support with
troubleshooting information that does not require a network connection between Rubrik Support and the
Rubrik cluster.
The Rubrik cluster organizes a support bundle into a single file using tar and compresses the tar file using
gzip. The size of a support bundle will vary significantly depending on many factors, such as:
• Number of Rubrik nodes
• Data protection activity
• Number of logged alerts, warnings, and notifications

Creating and downloading a support bundle


Initiate a task on the Rubrik cluster to create a support bundle file. Then download the support bundle file.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Support Bundle.
The Support Bundle dialog box appears.
4. Click Prepare.
The Rubrik cluster starts creating the support bundle and a message appears in the Notifications area.
When the support bundle is ready, the ‘Prepared logs’ message appears in the Rubrik CDM web UI
Notifications area.

5. Click Prepared logs.
The message can be clicked in the Notifications area or on the Notifications page.
The Save As dialog box appears in the web browser.
6. Select a download location for the file and click Save.
The web browser retrieves the file from the Rubrik cluster and saves it to the selected location.
7. Contact Rubrik Support to arrange the method to use when transferring the support bundle.

Result
The Rubrik cluster creates the support bundle and sends it to Rubrik Support.
Related Concepts
Support
Use one of the following methods to contact Rubrik Support.
Related Tasks
Configuring Chrome to ask for download location
Use the Google Chrome web browser to access the Rubrik CDM web UI and download recovered files and
folders. Change the default setting of the Chrome web browser to permit specifying the local download
location.

Secure access to the support tunnel


The Rubrik cluster provides a built-in tunnel utility to permit Rubrik Support to make a secure remote
connection to the Rubrik cluster.
Rubrik Support uses the support tunnel to examine the health of the Rubrik cluster, and to troubleshoot
and resolve issues.
The support tunnel utility initiates a connection with proxy.rubrik.com to create a tunnel using outbound
port 443 TCP. Once open, the tunnel remains open until either inactivity on the Rubrik Support side
triggers a configurable timeout value or the user manually closes the tunnel.
The Support Tunnel Page provides a table that includes:
• Nodes attached to the Rubrik cluster
• Tunnel Status of each node: Open or Closed
• Last Opened time for each node
• Timeout Window value configured for each node: the default is 96 hours
• Port number used by each node
If the support tunnel for a given node is closed, the Last Opened, Timeout Window, and Port columns are
empty.
Opening and closing the support tunnel, and editing the timeout window in the support tunnel, apply only
to the node marked as Current.

Opening the Support tunnel


To permit access by Rubrik Support, open the Support tunnel through the Rubrik CDM web UI.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Support Tunnel.
The Support Tunnel page appears.

4. Click Open Support Tunnel.
The Open Support Tunnel dialog box appears.
5. Enter a value, in hours, for the Timeout Window.
If no value is entered, the default value is 96 hours.
6. Click Open Tunnel.

Result
The Support Tunnel page reappears, showing all of the values for the current node.

Editing the timeout window


Edit the timeout window of the support tunnel.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Support Tunnel.
The Support Tunnel page appears.
4. Open the ellipsis menu next to the Port column and click Edit Timeout Window.
The Edit Timeout Window dialog box appears.
5. In Timeout Window, enter a new value, in hours.
6. Click Update.

Result
The Support Tunnel page reappears, showing the updated timeout value.

Closing the support tunnel


To disable Rubrik Support access to a Rubrik cluster, close the support tunnel.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Support Tunnel.
The Support Tunnel page appears.
4. Click Close Support Tunnel.
A confirmation message appears.
5. Click Close Tunnel.

Result
The Support Tunnel page reappears, showing no values for the current node except for Node and a Tunnel
Status of Closed.
An alternate method for closing the tunnel is simply to allow the Timeout Window value to expire.

Chapter 2
VLAN tagging

VLAN tagging

Virtual Local Area Network (VLAN) tagging is an optional feature that allows a Rubrik cluster to efficiently
switch network traffic using VLANs.
Each VLAN is partitioned and isolated at the data link layer. By applying VLAN tags to network packets the
network traffic of some applications on a physical network can be separated from the network traffic of
other applications on the same physical network.
In enterprise data centers, VLANs are typically used to segregate network traffic according to
organizational group, application type, or security policy. Segregating network traffic using VLANs can
optimize network throughput and promote data security.

Trunk port requirements


To support VLAN tagging, a network switch must be configured with a trunk port.
A trunk port allows packets to pass through without changing the VLAN tag. This process provides the
ability to use multiple VLAN tags on a single port.
Refer to your network switch documentation for information about implementing a trunk port, trunk link,
and VLAN tagging.

Management Network and Data Network


Rubrik recognizes two networks that require special handling when VLANs are used, the Management
Network and the Data Network.
The Management Network handles management communications that take the form of API calls made
from a web browser to the nodes of the Rubrik cluster and the responses to those calls. The Management
Network also handles API calls and responses in a Rubrik REST API session.
The Data Network handles data transfers between nodes of the Rubrik cluster.
The Management Network and the Data Network can share the same network, which can be tagged as
a VLAN. The Management Network settings define the configuration for this shared management/data
network VLAN.
Optionally, the Management Network and the Data Network can be separate networks. Each network
can optionally carry a VLAN. When using separate VLANs, the VLAN configuration for the Management
Network is defined by the Management Network settings and the VLAN configuration for the Data Network
is defined by the Data Network settings.
The Rubrik cluster uses the Management Network and the Data Network to carry data that is integral
to cluster operations and interactions. The importance of these networks imposes requirements on the
actions described in the following table.

Action Description
Configuration The Management Network and the Data Network VLAN configuration can only be
accomplished by using one of the following methods:
• Specify the VLAN settings during Rubrik cluster system setup using the Rubrik CLI.
• Use the CLI tool network re_ip to reconfigure the network settings for the
Rubrik cluster.

Bonding Interface bonding requirements:


• The Data Network must use bond0 to join the active/passive 10GbE interfaces.
• When the same network is used for both management and data, the bond0
interface must be used.
• When both bond0 and bond1 interfaces are used, the Data Network must use
bond0 and the Management Network must use bond1. If the bond interfaces are
connected to the same physical network, each bond must be on a separate VLAN.

Note: For equipment that has both 1GbE and 10GbE interfaces, use only the 10GbE interfaces for the
Data Network.

VLAN settings for the Management Network and the Data Network must be configured using the Rubrik
CLI. This can be done during system setup, as described in the Rubrik CDM Install and Upgrade Guide, or
by using the network re_ip tool after system setup, as described in Adding special network VLANs after
system setup.
When configuring VLAN settings for the Management Network and the Data Network after system setup,
take into consideration the following:
• All nodes must have an OK status.
• Changing an IP address, or multiple IP addresses, requires an automatic reboot of each affected node.
• Configuring the Management Network and the Data Network on two separate networks means that
network access must be available to both the 10GbE and the 1GbE interfaces.

Adding special network VLANs after system setup


Configure VLAN settings for the Management Network and the Data Network, after system setup, by using
the network re_ip command.

Context
Do not use the network vlan add command to configure VLAN settings for the Management Network
or the Data Network. The Rubrik CDM Install and Upgrade Guide describes how to use the Rubrik CLI to
configure VLAN settings for the Management Network and the Data Network.

Procedure
1. Log in to the Rubrik cluster and check that all nodes have an OK status.
If any node in the Rubrik cluster does not have an OK status, make any corrections that are required
to return all nodes to an OK status before continuing this task.
2. On any node in the Rubrik cluster, open an SSH session.

ssh admin@node_ip

Where node_ip is the IP address of a node.


3. At the password prompt, type the password for the admin account.
The Rubrik CLI prompt appears.

4. At the prompt, type network re_ip.
The network re_ip command starts.
5. At Management Gateway, type the IPv4 address of the network gateway for the Management
Network.
To use the existing gateway, press Enter.
6. At Management Subnet Mask, type the subnet mask for the Management Network.
To use the existing subnet mask, press Enter.
7. At Management VLAN, type a unique VLAN tag for the Management Network VLAN.
A valid VLAN tag is any integer from 2 to 4094. The tag must be unique within the network trunk.
Many switches reserve VLAN 1 for the default native VLAN. To avoid conflicts with this setting, select a
VLAN tag other than VLAN 1.
The Data Subnet Mask prompt appears.
8. At Data Subnet Mask, type the subnet mask for the Data Network.
When a subnet is not provided, the Proceed with Re IP, Yes/No prompt appears. When a
subnet is provided, the Data VLAN prompt appears.
9. At Data VLAN, type a unique VLAN tag for the Data Network VLAN.
10. At Proceed with Re IP, Yes/No, type Yes.

Result
The Rubrik cluster saves the new network configuration and reboots any nodes that have a changed IP
address.

Adding VLANs from the command line


The Rubrik CLI provides tools to manage the creation of new VLANs for the cluster. Do not use the tools in
this section to create the special Management and Data VLANs.

Procedure
1. On any node in the Rubrik cluster, open an SSH session:

ssh admin@node_ip

where node_ip is the IP address of a node.


2. At the password prompt, type the password for the admin account.
The Rubrik CLI prompt appears.
3. Type: network vlan add.
The network vlan add command starts.
4. At VLAN ID, type a unique VLAN tag.
A valid VLAN tag is any integer from 2 to 4094. The tag must be unique within the network trunk.
Many switches reserve VLAN 1 for the default native VLAN. To avoid conflicts with this setting, select a
VLAN tag other than VLAN 1.
5. At Netmask, type the subnet mask for the network identified by the VLAN tag.
6. At Starting IP address, type an IPv4 address.
This IP address becomes the first IP address in the range allowed by the subnet mask and identified
by the VLAN tag. IP addresses from the allowed range are assigned to the nodes sequentially starting
with this IP address.

Result
The Rubrik cluster saves the new network configuration. The Rubrik cluster routes all packets that are
tagged with the specified VLAN tag through the associated IP addresses.
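
The following added example (not Rubrik code) checks the three values entered at the network vlan add prompts before they are typed in: the VLAN tag range of 2 to 4094, uniqueness within the trunk, and whether sequential assignment from the starting IP address fits inside the subnet for every node. The function name, the node count parameter and the rule that the network and broadcast addresses are not assignable are assumptions of this example.

```python
import ipaddress


def plan_vlan(vlan_id, netmask, starting_ip, node_count, vlans_in_use=()):
    """Validate a VLAN plan and return the per-node IPv4 addresses.

    Models the behaviour described above: addresses are handed to the nodes
    sequentially, beginning with starting_ip. Raises ValueError when the
    plan cannot work.
    """
    # A valid tag is any integer from 2 to 4094 (VLAN 1 is avoided because
    # many switches reserve it for the default native VLAN).
    if not isinstance(vlan_id, int) or not 2 <= vlan_id <= 4094:
        raise ValueError(f"VLAN tag {vlan_id!r} is outside 2-4094")
    if vlan_id in vlans_in_use:
        raise ValueError(f"VLAN tag {vlan_id} is already used on this trunk")
    if node_count < 1:
        raise ValueError("node_count must be at least 1")

    # strict=False lets a host address plus mask describe its network.
    # A non-contiguous or malformed mask raises a ValueError subclass here.
    network = ipaddress.IPv4Network(f"{starting_ip}/{netmask}", strict=False)
    if network.prefixlen > 30:
        raise ValueError(f"{network} has no room for host addresses")

    start = int(ipaddress.IPv4Address(starting_ip))
    first_usable = int(network.network_address) + 1
    last_usable = int(network.broadcast_address) - 1  # assumption: not assignable
    last_needed = start + node_count - 1

    if start < first_usable:
        raise ValueError(f"{starting_ip} is the network address of {network}")
    if last_needed > last_usable:
        available = max(last_usable - start + 1, 0)
        raise ValueError(
            f"{node_count} nodes need addresses up to "
            f"{ipaddress.IPv4Address(last_needed)}, but only {available} "
            f"usable addresses remain in {network} from {starting_ip}"
        )
    return [str(ipaddress.IPv4Address(start + i)) for i in range(node_count)]


if __name__ == "__main__":
    # Constructed values for a four-node cluster.
    print(plan_vlan(120, "255.255.255.0", "10.20.30.11", 4, vlans_in_use=(100, 110)))
    try:
        plan_vlan(120, "255.255.255.0", "10.20.30.252", 4)
    except ValueError as exc:
        print("rejected:", exc)
```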

Adding VLANs from the Rubrik CDM web UI
The Rubrik CDM web UI provides tools to manage the creation of new VLANs for the Rubrik cluster. Do not
use the tools in this section to create the special Management and Data VLANs.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Select Network Settings.
The Network Settings tab appears.
4. Click Interfaces.
The Interfaces tab appears.
5. Click Add VLAN.
The Add VLAN dialog box appears.
6. Enter the required information in the fields:
• VLAN ID
• VLAN Subnet Mask
• IP address of each node in the cluster
7. Click Add VLAN.

Result
The Rubrik cluster saves the new network configuration. The Rubrik cluster routes all packets that are
tagged with the specified VLAN tag through the associated IP addresses.

Viewing VLANs from the Rubrik CLI


Use the Rubrik CLI vlan_list utility to view the VLANs that have been configured on a Rubrik cluster.

Procedure
1. On any node in the Rubrik cluster, open an SSH session:

ssh admin@node_ip

where node_ip is the IP address of a node.


2. At the password prompt, type the password for the admin account.
The Rubrik CLI prompt appears.
3. At the prompt, type:
network vlan list

Result
The Rubrik CLI lists the VLAN tags that have been configured for the Rubrik cluster.

Viewing VLANs through the Rubrik CDM web UI


Use the Rubrik CDM web UI to view the VLANs that have been configured on a Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Select Network Settings.

The Network Settings page appears.

Result
The lower pane of the Network Settings page lists the VLANs that have been configured on the Rubrik
cluster.

Removing a VLAN from the Rubrik CLI


Use the Rubrik CLI vlan_remove utility to remove a non-special VLAN that is no longer required.

Context
Do not use this method to remove the VLAN assigned to the Management Network or to the Data Network.
Use the network re_ip command to make those changes.
Before removing a VLAN, verify that the Rubrik cluster can be accessed on a network other than the one
being removed. Failure to ensure alternate connectivity can result in the Rubrik cluster losing network
access when the VLAN is removed.

Procedure
1. On any node in the Rubrik cluster, open an SSH session.

ssh admin@node_ip

where node_ip is the IP address of a node.


2. At the password prompt, type the password for the admin account.
The Rubrik CLI prompt appears.
3. At the prompt, type:
network vlan remove VLAN-ID
where VLAN-ID is the tag of the VLAN to remove.

Result
The Rubrik cluster removes the specified VLAN. Network traffic with the specified VLAN tag is routed
through the native VLAN, if available. Otherwise, the traffic is not routed.

Removing a VLAN from the Rubrik CDM web UI


Use the Rubrik CDM web UI to remove a non-special VLAN that is no longer required.

Context
Do not use this method to remove the VLAN assigned to the Management Network or to the Data Network.
Use the network re_ip utility to make those changes.
Before removing a VLAN, verify that the Rubrik cluster can be accessed on a network other than the one
being removed. Failure to ensure alternate connectivity can result in the Rubrik cluster losing network
access when the VLAN is removed.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Select Network Settings.
The Network Settings tab appears.
4. Click Interfaces.
The Interfaces tab appears.

5. Click Delete VLAN.
The Delete VLAN dialog box appears.
6. Select the VLAN to delete.
7. Click Delete VLAN.

Result
The Rubrik cluster removes the specified VLAN. Network traffic with the specified VLAN tag is routed
through the native VLAN, if available. Otherwise, the traffic is not routed.

Chapter 3
User accounts

User accounts

Rubrik CDM provides role-based access control and several methods for authenticating a user account.
When Rubrik CDM is installed, the 'admin' user is created by default and cannot be modified or deleted.
New local users can be created on a Rubrik cluster and are associated with a set of roles that define the
actions a user can perform on the cluster.
In addition to local accounts, Rubrik supports multiple authentication methods for user accounts, including
single sign-on, multifactor authentication, and API tokens for automated API calls.

TLS certificate management


Rubrik clusters provide a management workflow for TLS certificates as required by several different
authentication components.
When Rubrik CDM starts, it configures a default Rubrik self-signed certificate for web services traffic to
enable secure transport layer security (TLS) encrypted traffic over HTTPS (port 443). Rubrik clusters
support the import and export of TLS certificates signed by a Certificate Signing Request (CSR) or a key
phrase, as well as unsigned and wildcard certificates.
Imported TLS certificates can be in the Encrypted Private Key and Certificate (PKCS12) format or base64-
encoded in the PEM format. Once a TLS certificate is imported to the Rubrik cluster, authentication
workflows enable users to select a TLS certificate to use with the specific service.

Trusted SSL-TLS interception


Trusted SSL-TLS interception provides a trusted point of visibility and inspection into SSL-TLS encrypted
network traffic.
Trusted SSL-TLS interception uses proxy servers to allow secure or trusted inspection of encrypted network
traffic.
Trusted SSL-TLS interception is configured by:
• Installing a Trusted SSL-TLS interception proxy server
• Configuring the Trusted SSL-TLS interception proxy server certificate through the Rubrik CDM web UI
and adding this certificate to the Trust Store
• Validating successful communication from Rubrik cluster through the Trusted SSL-TLS interception
proxy server

Importing a TLS certificate


Import a TLS certificate to the Rubrik cluster to use the certificate with authentication workflows that
support TLS certificates.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.

2. Click the gear icon.
3. Click Certificate Management.
The Certificate Management page appears.
4. Click Add Certificate.
The Add Certificate dialog box appears.
5. In Display Name, type a name for the certificate.
6. Optional: In Description, type a description for the certificate.
7. In Certificate, paste the text of the TLS certificate.
8. Select a key type for the TLS certificate.
• Select CSR to complete an existing signing request.
• Select Key to import a certificate that was created outside the Rubrik cluster and includes a private
key.
• Select None to import a self-signed certificate created outside the Rubrik cluster.
9. Optional: To enable Trusted SSL-TLS interception, turn on the Add to trust store toggle.
If you turn on the Add to trust store toggle, the Trust Option dialog box appears.
10. Optional: In the Trust Option dialog box, click OK.
11. Click Add.
The Rubrik cluster imports the TLS certificate.

Result
The Rubrik cluster can now use the TLS certificate using the service configuration.
Related tasks
Generating a CSR
A CSR authenticates a TLS certificate.

Editing a TLS certificate


Edit a TLS certificate to change settings after initial TLS certificate configuration.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Certificate Management.
The Certificate Management page appears.
4. Click Edit from the ellipses menu next to the certificate you want to edit.
The Edit Certificate dialog box appears.
5. Optional: In Display Name, change the name for the certificate.
6. Optional: In Description, change the description for the certificate.
7. Optional: In Certificate, edit the TLS certificate.
8. Optional: To edit Trusted SSL-TLS interception, turn on the Add to trust store toggle.
If you turn on the Add to trust store toggle, the Trust Option dialog box appears.
9. Optional: In the Trust Option dialog box, click OK.
10. Click Save.
The Rubrik cluster saves the edits to the TLS certificate.

Result
The Rubrik cluster uses the edited TLS certificate.
Related concepts
TLS certificate management

Rubrik clusters provide a management workflow for TLS certificates as required by several different
authentication components.

Deleting a TLS certificate


Delete a TLS certificate if it is no longer needed.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Certificate Management.
The Certificate Management page appears.
4. Click Delete from the ellipses menu next to the certificate you want to delete.
The Delete Certificate dialog box appears.
5. Click Delete.

Result
The Rubrik cluster deletes the TLS certificate.
Related concepts
TLS certificate management
Rubrik clusters provide a management workflow for TLS certificates as required by several different
authentication components.

Using a different TLS certificate


The Rubrik cluster uses the current TLS certificate until the imported certificate is specified.

Prerequisites
Add certificates to the Rubrik cluster using the steps described in Importing a TLS certificate.

Procedure
1. Select Cluster Settings from the gear icon.
The Cluster page appears with the Cluster Settings tab selected.
2. Click the X next to the certificate name under the Web Server Certificate heading to remove the
current certificate.
3. Select the new certificate from the list.
4. Click Update.

Result
The Rubrik cluster uses the new TLS certificate.
Related concepts
TLS certificate management
Rubrik clusters provide a management workflow for TLS certificates as required by several different
authentication components.
Related tasks
Generating a CSR
A CSR authenticates a TLS certificate.
Configuring an RSA Authentication Manager connection

Set up an RSA Authentication Manager connection to provide an additional authentication requirement
when users log in to a Rubrik cluster.
Specifying credentials to communicate with an LDAP server
A Rubrik cluster requires the LDAP server name, bind-user credentials, and any required certificate
information in order to communicate with an LDAP server.

Generating a CSR
A CSR authenticates a TLS certificate.

Context
Generating a Certificate Signing Request (CSR) is the first step for importing a Transport Layer Security
(TLS) certificate with a private key that is managed by the Rubrik cluster. Once a CSR is generated, use
this CSR with the certificate authority (CA) to generate a TLS certificate. Specify the certificate type as CSR
to import this certificate into the Rubrik cluster.
After the CSR signing is complete, the signed certificate must be imported and configured.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Certificate Management.
The Certificate Management page appears with the Certificates tab selected.
4. Click the CSRs tab.
The Certificate Management page changes to the Certificate Signing Request tab.
5. In the top right, click Generate CSR.
The Generate Certificate Signing Request dialog box appears.
6. Fill out the fields and click Generate.
The CSR appears.
7. Click Download.
The web browser saves the CSR to local storage as a text file.

Result
The downloaded or copied CSR can now be signed by a CA. Once the CSR has been signed, it can be
imported for use in the Rubrik cluster.
Related tasks
Importing a TLS certificate
Import a TLS certificate to the Rubrik cluster to use the certificate with authentication workflows that
support TLS certificates.

Authentication
The Rubrik cluster authenticates all login attempts.
Rubrik cluster authentication verifies that the user account is known to the Rubrik cluster and that the
provided account name and password match an authorized account. After authentication, the Rubrik
cluster uses the privileges granted by the roles assigned to the account to authorize actions during the
session.
Several authentication mechanisms use Transport Layer Security (TLS) certificates to secure the user
session. Users can import TLS certificates to the Rubrik cluster for use by the authentication mechanisms
that support TLS certificate use.

Roles
Use roles to define privileges for user accounts on a Rubrik cluster.
A role is a collection of privileges. A role can be assigned to more than one user account and a user
account can be assigned more than one role.
The set of privileges are enabled for the duration of a session on the Rubrik cluster. The following table
describes the types of roles.

Role Description
Infrastructure Administrator Access to all Rubrik operations, except for backup and restore, on all
objects. Choose additional permissions to manage objects.
Infrastructure Administrators have view-only access to the tenant
organizations to which they have been granted access. Therefore,
Organization Administrators cannot create an Infrastructure
Administrator role.

Custom Choose the permissions and access to objects required for the
specific job function.
For example, create a view-only role with access to specific objects
and disable all privileges.

Administrator Access to all Rubrik operations on all objects.


The role is created by default.

ReadOnlyAdministrator Allows view only access to all objects on the cluster.


The role is created by default for a global organization.
Tenant organizations do not have a read-only administrator role.

Organization Administrator Choose the permissions required for the specific job function.
No Access User accounts that are not assigned any roles or user accounts that
are assigned roles which do not provide access to any resources
cannot log in to the Rubrik cluster. Assign roles that permit the user
account to access the Rubrik CDM web UI.

The resources in a Rubrik cluster can be partitioned into independently managed collections known as
Tenant Organizations. Users in tenant organizations have privilege levels that are managed by users with
the Organization admin role.
Related tasks
Adding a custom role
Create a custom role and add privileges to access resources and to perform administrative tasks.
Adding an Infrastructure Admin role
Create an Infrastructure Admin role and assign privileges to this role.
Modifying an existing tenant organization

Modify the properties of a tenant organization.

Inheritance of privileges
Privileges for an object can be inherited from the privilege assigned for a parent object. Privileges for an
object can also be inherited through membership in an LDAP group.
A privileged object can contain other objects. For example, a virtual environment cluster contains virtual
machines. Assigning the privilege for an object also assigns privileges for all objects contained within the
assigned object.
A user that is a member of an LDAP group adds the group’s privileges to the privileges held by the user
individually. A user that does not have a particular object specifically assigned to that user gains privileges
on that object if the user is a member of an LDAP group to which that object is assigned.
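
The following added example (not Rubrik code) models the two inheritance paths described above for an access review: privileges granted on a parent object flow to the objects it contains, and a user also holds the privileges of each LDAP group the user belongs to. The object names, user and group names, and the data layout are constructed for illustration; the privilege names are taken from the custom role privileges in this guide.

```python
# Constructed containment hierarchy: child object -> parent object.
PARENT = {
    "vm-app01": "cluster-prod",
    "vm-db01": "cluster-prod",
    "cluster-prod": "vcenter-1",
    "vcenter-1": None,
}

# Constructed LDAP group membership: user -> groups.
GROUPS = {"alice": ["backup-ops"], "bob": []}

# Constructed grants: (principal, object) -> privileges assigned there.
GRANTS = {
    ("alice", "vm-app01"): {"Download files"},
    ("backup-ops", "cluster-prod"): {"Export snapshots", "Live Mount snapshots"},
    ("bob", "vcenter-1"): {"Download files"},
}


def lineage(obj, parent):
    """Return obj followed by each containing object, nearest first."""
    chain, seen = [], set()
    while obj is not None:
        if obj in seen:
            raise ValueError(f"containment cycle at {obj}")
        seen.add(obj)
        chain.append(obj)
        obj = parent.get(obj)
    return chain


def effective_privileges(user, obj, parent=PARENT, groups=GROUPS, grants=GRANTS):
    """Map each privilege the user holds on obj to the grants that supply it.

    Each source is a (principal, granted_on) pair, so a reviewer can see
    whether access comes from the user or a group, and from the object
    itself or a parent.
    """
    principals = [user] + list(groups.get(user, []))
    result = {}
    for node in lineage(obj, parent):
        for principal in principals:
            for privilege in sorted(grants.get((principal, node), ())):
                result.setdefault(privilege, []).append((principal, node))
    return result


def indirect_only(user, obj, parent=PARENT, groups=GROUPS, grants=GRANTS):
    """Privileges on obj that the user holds only via a group or a parent."""
    effective = effective_privileges(user, obj, parent, groups, grants)
    return sorted(
        privilege for privilege, sources in effective.items()
        if (user, obj) not in sources
    )


if __name__ == "__main__":
    for who, what in [("alice", "vm-app01"), ("alice", "vm-db01"), ("bob", "vm-db01")]:
        print(who, what, effective_privileges(who, what))
    print("alice, inherited only:", indirect_only("alice", "vm-app01"))
```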

Adding a custom role


Create a custom role and add privileges to access resources and to perform administrative tasks.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Select the gear icon.
3. Select Users from the Access Management category.
The User Management page appears with the Users and Groups tab selected.
4. Click Roles.
5. Click Add Role.
6. Select Custom Role and click Next.
The Add Custom Role dialog box appears.
7. Provide a Role Name.
Optionally, in Description, provide a description to help identify this role.
8. Click Next.
The Protectable Objects screen appears.
9. Select the objects to protect.
Users with this role have backup and recovery access for each selected object. Selecting the required
Windows and Linux hosts provides access to the SLA Managed Volumes tab of the Rubrik CDM web
UI.
10. Click Next.
The Other Resources screen appears.
11. Choose SLA Domains and reports.
Users with this role can assign the chosen SLA Domain and view the selected reports. Users with this
role must have access to the selected SLA Domains.
12. Click Next.
The Privileges screen appears.
13. Select privileges.
Users with this role will have the selected privileges for all of the selected objects of this role. Users
with this role must have permission to perform the actions listed in the Protection column.
14. Click Next.
The Summary screen appears and provides parameters of the role.
15. Click Finish.

Result
The custom role is created and can be assigned to user accounts.
Related concepts
Privileges for custom roles
Assign privileges to custom roles.

Protectable Objects and Other Resources


When creating a custom role, access can be granted to protectable objects and replication targets.
Additionally, choices can be made for the SLA Domains that can be assigned to data sources and reports
that can be viewed.

Protectable object/Resource Setting
vSphere VMs • Select all current and future vSphere VMs
• VMs
• Folders
• Clusters/ Hosts
• Target Cluster/ Hosts

vCD vApps • Select all current and future vCD vApps


• vApps
• vCD Organizations
• Target vCD Organizations

Hyper-V VMs • Select all current and future Hyper-V VMs


• VMs
• Clusters/ Hosts
• Target Cluster/ Hosts

AHV VMs • Select all current and future AHV VMs


• VMs
• Clusters
• Target Cluster

Linux and Unix Hosts • Select all current and future Linux and Unix hosts
• Linux and Unix Hosts
• Target Linux and Unix Hosts

Windows Hosts • Select all current and future Windows hosts


• Windows Hosts
• Target Windows Hosts

NAS Shares • Select all current and future NAS Shares


• All NAS Shares
• NAS Hosts
• Target NAS Hosts

SQL Server DBs • Select all current and future SQL Server DBs
• DBs
• Failover Clusters

• Availability Groups
• Hosts/ Clusters
• Target Hosts

Oracle DBs • Select all current and future Oracle DBs


• DBs
• Hosts/ Clusters
• Target Hosts/ Clusters

Managed Volumes • Select all current and future Managed Volumes


• All Managed Volumes

EC2 Instances • Select all current and future EC2 Instances


• Instances
• Accounts
• Target Accounts

SLA Domains The SLA Domain that users with this role can assign to data sources.
Reports The reports that users with this role can view.

Privileges for custom roles


Assign privileges to custom roles.
The following table lists the privileges that can be assigned to a custom role. These privileges apply to
selected data sources, target destinations, SLA Domains, and Reports.

Privilege type: Description

Protection
Manage SLA Domain protection: Allows SLA Domains to be assigned to data sources. Removes explicit SLA assignment from the data source. In this case, the data source inherits protection from its parent object. This privilege is assigned by default to a custom role.
Set data sources to Do Not Protect: Halt future snapshots for a selected data source and assign a retention policy for existing snapshots. Snapshots inherit protection from the next higher object.
Set data sources to derive protection: Ability to assign objects and their contents to the SLA Domain of the next higher level object.
Allows the role to take on-demand snapshots: Take an on-demand snapshot for the selected data source.

Recovery
Download files: Data download only from assigned object types.
Export files: Write data from backups to the source location, overwriting existing data. This only applies to objects assigned to the role and only when the role has the ‘Restore files and snapshots over original’ privilege. This privilege is assigned by default to a custom role.
Restore files and snapshots over original: Ability to perform Instant Recovery. This privilege is assigned by default to a custom role. For vSphere and Hyper-V virtual machines, assign the 'Live Mount snapshots' privilege to the role. For SQL Server databases, assign the 'Export snapshots' privilege to the role. Assign the Export files and Restore files and snapshots over original privileges to enable the Overwrite original and Restore to separate folder options for file recovery.
Live Mount snapshots: Live Mount or Export a snapshot only from specified virtual machines and only to specified target locations. This privilege is assigned by default to a custom role.
Export snapshots: Export data only from specified source objects. This privilege is assigned by default to a custom role.

Data Source Management
Refresh data source metadata: Allows the custom role to initiate a metadata refresh of data sources including vCenter Servers and hosts. This privilege is assigned by default to a custom role.

Adding an Infrastructure Admin role


Create an Infrastructure Admin role and assign privileges to this role.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the gear icon and, in the Access Management section, select Users.
The User Management page appears with the Users and Groups tab selected.
3. Click Role.
The Roles page appears.
4. Click Add Role.
The Add Role screen appears.
5. Select Infrastructure Admin and click Next.
6. Type a Name.
Optionally, in Description, provide a description to help identify this role.
7. In Privileges, select privileges for the role.
Users assigned this role will have each of the selected privileges.
Multiple privileges can be selected.
8. Click Add.

Result
The role is created and can be assigned to user accounts.
Related reference
Infrastructure Admin Privileges
Privileges available for the Infrastructure Admin role.

Infrastructure Admin Privileges


Privileges available for the Infrastructure Admin role.

Privilege: Description

Data Source Management: Add, remove, and register data sources.
Enables managing data sources under the Application Configuration section of the gear menu.

System Configuration: Perform system setting operations from the gear menu.
Enables settings under the System Configuration section of the gear menu.

Network Configuration: Configure network and notification tasks from the gear menu.
Enables settings under the Network Settings section of the gear menu.

Access Management: Configure user and organization settings.
Does not include the permissions to create, edit, delete, assign, and revoke roles.

Support: Perform support-related operations.
Enables settings under the Support section of the gear menu.

Overwrite original during restore


To enable accounts with a custom role to restore data to the source location, assign the Restore files and
snapshots over original privilege for the user account or group account.
When assigned, the Restore files and snapshots over original option applies to all objects assigned to the
account.

Assigning roles
Assign roles to existing user accounts.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Users.
The Users page appears.
4. Select the Users and Groups tab.
5. Click Assign Roles.
The Assign Roles dialog box appears.
6. In Directory, choose a directory service type.
Option: Description
local or LDAP Directory:
a. Use Search by Name to search for user names.
b. Choose the user name from the list.
IDP Directory:
a. Select a principal type (User or Group) and enter the user name.
b. Choose the user name from the list.
If the user name is not found in the search, click Select User or Select Group based on the
principal type.
The current search type and username are added to the list.

Multiple users from different directories can be selected.
7. Click Next.
The Assign Roles screen appears with the list of previously created roles.
8. Choose the role to assign.
More than one role can be assigned.
9. Click Finish.

Result
The selected user account is assigned the chosen roles.

Global search
Users with the Administrator role can search across all objects, files, and folders that the Rubrik cluster has
indexed.
Search results are restricted based on the privileges associated with the role of the user. Users who log in
with the Administrator role can search across all objects, using the search bar at the top of the Rubrik CDM
web UI. Users who log in with another role can perform object-level searches, but the results are limited to
the objects for which they have viewing privileges.
Only the Administrator role has the necessary privileges to search for files or folders. When a user logs in
with the Administrator role, the left side of the global search bar appears and offers two search levels:
• Search by Object
• Search by File/Folder

Note: The left side of the global search bar does not appear for users who log in with any other role,
including an organization administrator role.

For a file-level or folder-level search, select Search by File/Folder. In the Search by Name or
Location field, enter the search term or pattern, including wildcards as necessary to expand the scope of
the search.
Each search can return up to 100 results at a time, although a typical search pattern produces fewer
results. If more than 100 results match the search criteria, the results are randomized each time the
search is performed.

Viewing authentication and authorization information
The Rubrik cluster provides authentication and authorization information for accounts on the Users and
Groups page.

Procedure
1. Log in to the Rubrik CDM web UI as an admin user or a user with the Administrator role.
2. Click the gear icon.
3. Click Users.

Result
The Users and Groups page appears where you can view the authentication and authorization information
for accounts.

Local authentication
Local authentication methods control access to local accounts on the Rubrik cluster.
For local authentication, the Rubrik cluster stores each local user’s username in a database. The Rubrik
cluster uses that information along with the user’s password to authenticate a login. By default, the Rubrik
cluster requires passwords to be at least eight characters long. Rubrik clusters do not support passwords
longer than 1000 characters.
For local user accounts, a more stringent password strength checker is available, which is based on the
zxcvbn algorithm.
Related concepts
Strong passwords
If a Rubrik cluster has the zxcvbn password strength checker enabled, passwords for local users will be
checked against the zxcvbn criteria for a strong password.

Guidelines for choosing a strong password


When choosing a password, the goal is to make it difficult to guess but easy to remember.
The following characteristics make a password difficult to guess, but easy to remember:
• Long strings of dictionary words that are not commonly combined in a sequence, such as
CorrectHorseBreadStaple. Rubrik clusters do not support passwords longer than 1000 characters.
• Unexpected caPitalizAtion.
• Numbers at the beginning or middle of the password, or distributed throughout the password.
• A series of short keyboard patterns with lots of turns.
A turn corresponds to a change of direction on the keyboard from one character to the next. A turn can
also refer to the “gap” between pattern segments in the password.

Strong passwords
If a Rubrik cluster has the zxcvbn password strength checker enabled, passwords for local users will be
checked against the zxcvbn criteria for a strong password.
The zxcvbn algorithm estimates the strength of a password by measuring its entropy. Entropy is a measure
of randomness and unpredictability that indicates how difficult it is to guess a particular password.
Recognizable character patterns have low entropy and require very little computing power to guess.
Character strings that can only be guessed by trying every possible character combination have high
entropy and take much longer to guess.
Examples of passwords and character patterns that are easy to guess include:
• Single words that can be found in a dictionary.
• Common passwords, such as passw0rd, letmein, or abc123.
• Repeated characters, such as aaaa or 2222.
• Character sequences, such as abcd or 1234.
• L33t speak, where numbers and symbols are used in place of letters; for example, 3 for e, @ for a, and
$ for s.
• Spatial patterns, which correspond to adjacent keys on a keyboard, such as qwerty or ujm.
The zxcvbn algorithm parses a password and identifies distinct pattern segments that can be guessed by
different password guessing methods. The algorithm then calculates the entropy for each segment, and
correlates that to the time it would take to guess the pattern.
The following table shows the pattern matching methods used by the zxcvbn algorithm and the resulting
entropy calculations for the password Rom#16:22GreetYou. Where the algorithm cannot find a pattern
match for a particular segment, the pattern is listed as None.

Password segment    Pattern       Entropy
Rom                 Dictionary    11.513
#                   None          5.044
16                  Regex         6.644
:                   None          5.044
22                  Repeat        4.322
Greet               Dictionary    13.337
You                 Dictionary    1

The entropy calculated for the entire password is the sum of the entropies for each segment plus the
configuration entropy. Configuration entropy refers to the additional entropy introduced by the number of
password segments and the way they are arranged.

Note: Passwords that would be considered strong by a traditional Lowercase Uppercase Digit Symbol
(LUDS) strength estimator might be rejected as too weak by zxcvbn.

Password requirements
Configure password requirements for local user accounts.
A Rubrik cluster administrator can set the requirements for all local user account passwords at the global
level. The password requirements apply to all local accounts, including organization level accounts. When
an administrator adds or edits a local user account, the password requirements are displayed next to the
Password field.
If a password does not meet the requirements, or is too easy to guess, a message appears that describes
any unmet requirements. The account cannot be created or edited until the password requirements are
met.
A password cannot have more than 1,000 characters. The following table describes the available
requirements for local user account passwords.

Requirement: Minimum characters
Default value: 8
Description: The lowest number of characters in a valid password.

Requirement: Minimum lower case characters
Default value: 0
Description: The lowest number of lowercase alphabetic characters in a valid password.

Requirement: Minimum upper case characters
Default value: 0
Description: The lowest number of uppercase alphabetic characters in a valid password.

Requirement: Minimum numeric characters
Default value: 0
Description: The lowest number of integers, 0-9, in a valid password.

Requirement: Minimum special characters
Default value: 0
Description: The lowest number of special characters in a valid password. Special characters that can be
used, within double quotes and starting with the space character:
" !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~"

Requirement: Use zxcvbn
Default value: Disabled for new installs. Retain existing setting for upgrades.
Description: Determines whether to use the zxcvbn password strength checker. When enabled, this setting
ignores all character requirement settings.

Requirement: Prevent password reuse
Default value: Disabled
Description: Determines whether to reject a previously used password. When enabled, a local user account
cannot use a password that was previously used for that account.
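
The requirement table above, expressed as a checker that returns the unmet requirements for a candidate password. This is an added example, not Rubrik code: the strength_check hook, the toy stand-in estimator (which is not zxcvbn), the "0 for o" substitution, and the salted-hash password history are assumptions of the example.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple

# Special characters exactly as listed in the table, starting with the space.
SPECIAL_CHARS = " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
MAX_LENGTH = 1000          # documented upper bound for any password
PBKDF2_ROUNDS = 100_000    # assumption: reuse history is kept as salted hashes
GUIDE_COMMON = ("passw0rd", "letmein", "abc123")  # weak examples quoted in the guide
UNLEET = str.maketrans("3@$0", "easo")            # "0 for o" is an assumption

HistoryEntry = Tuple[bytes, bytes]                # (salt, derived key)


@dataclass
class PasswordPolicy:
    """Defaults mirror the 'Default value' entries of the table."""
    min_chars: int = 8
    min_lower: int = 0
    min_upper: int = 0
    min_numeric: int = 0
    min_special: int = 0
    use_zxcvbn: bool = False
    prevent_reuse: bool = False
    # Hypothetical hook for a real estimator; returns True when it accepts.
    strength_check: Optional[Callable[[str], bool]] = None


def hash_for_history(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Derive the value stored in the reuse history instead of the password."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, key


def was_used_before(password: str, history: Sequence[HistoryEntry]) -> bool:
    return any(
        hmac.compare_digest(hash_for_history(password, salt)[1], key)
        for salt, key in history
    )


def stand_in_strength_check(password: str) -> bool:
    """Toy stand-in, NOT zxcvbn: undo l33t substitutions, drop trailing
    punctuation, and reject anything that lands on a quoted weak password."""
    weak = {word.translate(UNLEET) for word in GUIDE_COMMON}
    return password.lower().translate(UNLEET).rstrip("!?.") not in weak


def unmet_requirements(password: str, policy: PasswordPolicy,
                       history: Sequence[HistoryEntry] = ()) -> List[str]:
    """Return every unmet requirement; an empty list means accepted."""
    problems: List[str] = []
    if len(password) > MAX_LENGTH:
        problems.append(f"at most {MAX_LENGTH} characters")
    if policy.use_zxcvbn:
        # Enabled: the strength checker replaces all minimum-character rules.
        check = policy.strength_check or stand_in_strength_check
        if not check(password):
            problems.append("too easy to guess")
    else:
        counted = [
            ("characters", len(password), policy.min_chars),
            ("lower case characters",
             sum(c in string.ascii_lowercase for c in password), policy.min_lower),
            ("upper case characters",
             sum(c in string.ascii_uppercase for c in password), policy.min_upper),
            ("numeric characters",
             sum(c in string.digits for c in password), policy.min_numeric),
            ("special characters",
             sum(c in SPECIAL_CHARS for c in password), policy.min_special),
        ]
        for label, have, need in counted:
            if have < need:
                problems.append(f"at least {need} {label}")
    if policy.prevent_reuse and was_used_before(password, history):
        problems.append("not a previously used password")
    return problems
```

With one character of each class required, Passw0rd! passes the character rules, yet the stand-in estimator rejects it, which is the LUDS contrast the guide notes.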

Setting password requirements


Configure a Rubrik cluster with global password requirements for all local user accounts.

Context
Change the password requirements for all new and edited local user accounts.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the gear icon on the top bar of the web UI.
The gear menu appears.
3. Click Users.
The Users page appears with the Users and Groups tab selected.
4. Open the ellipsis menu in the upper-right of the page and select Password Requirements.
The Password Requirements dialog box appears.
5. (Optional) Change the minimum character requirements.
Password requirements describes the available minimum character requirements.
6. (Optional) Select ZXCVBN.
The zxcvbn password strength checker replaces the evaluation of minimum characters for the
determination of password validity.
7. (Optional) Select Prevent Password Reuse.
8. Click Update.

Result
The Rubrik cluster saves the new password requirements and enforces the requirements for all new and
edited local user accounts.

Adding a local user account


Create a new local user account on the Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Users.
The Users page appears with the Users and Groups tab selected.
4. Click Add Local User.
The Add Local User dialog box appears.
5. In Username, type a user name.
6. In Email Address, type a valid email address.
The Rubrik cluster uses the email address for notifications and alerts.
7. In Password, type a password for the new user account.
The password strength is checked by the current password strength checker.
8. In Re-enter Password, type the same password.
9. Optional: In Roles, assign roles to the user account.
10. Optional: Configure the RSA SecurID server.
11. (If using RSA SecurID) Click Enable RSA SecurID to enable multifactor authentication using an RSA
SecurID server.
12. (If using RSA SecurID) Select an RSA SecurID server from the menu.
13. Click Add.

Result
The Rubrik cluster adds the new local user account.

Next task
Assign roles to the user accounts. The role should grant at least one privilege to access the Rubrik CDM
web UI.
Related concepts
Strong passwords
If a Rubrik cluster has the zxcvbn password strength checker enabled, passwords for local users will be
checked against the zxcvbn criteria for a strong password.
Multifactor authentication with RSA SecurID
The Rubrik cluster can integrate with two types of RSA SecurID integration servers by using REST API
calls: RSA Authentication Manager (on-premises) and RSA Authentication Server (cloud).
Related tasks
Assigning roles
Assign roles to existing user accounts.

Editing local user account information


Update login credentials or email settings for local user accounts.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Users.
The Users page appears.
4. Select the Users and Groups tab.
5. Scroll the page or use the search field to locate a user account entry.
6. Open the ellipsis menu next to the user account entry and select Edit.
The Edit Local User dialog box appears.
7. Optional: In Email Address, change the email address.
8. Optional: In Update Password, type a new password.
9. (When password is changed) In Re-Enter Password, type the new password again.
10. Optional: In Roles, assign roles to the user account.
11. Optional: Change the setting for Enable RSA SecurID.
12. Click Update.

Result
The Rubrik cluster stores the updated information and applies any change to the authorization level of the
account.

Revoking a role from a local user account


Revoke roles assigned to a local user account.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Users.
The Users page appears.
4. Select the Users and Groups tab.
The list of user accounts appears.
5. For the user account, click the ellipsis and click Edit.
The Edit User dialog box appears.
6. Revoke a role by clicking the x next to the listed role.
More than one role can be revoked.
7. Click Update.

Result
The Rubrik cluster removes the selected roles from the specified user account.

Removing a local user account
Remove Rubrik cluster authorization for a local user account and delete the account from the Rubrik CDM
web UI.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Users.
The Users page appears.
4. Select the Users and Groups tab.
5. Scroll the page or use the search field to locate a local user.
6. Open the ellipsis menu next to the local user account entry.
7. Select Delete.
The Delete User confirmation appears.
8. Click Delete.

Result
The Rubrik cluster removes Rubrik cluster authorization for the selected user account and deletes the
account.

User account lockout


Prevent local user account logins after a set number of failed login attempts.
To enhance the security of a Rubrik cluster, the user account lockout feature can be enabled. When
enabled, the feature monitors each attempt to log in to the Rubrik cluster from a local user account. The
Rubrik cluster counts the number of failed logins for a user account since the last successful login for that
user account. When the number of failed attempts reaches a specified value, the Rubrik cluster blocks
logins for that user account.
A Rubrik cluster unlocks a locked-out user account after a specified wait period or after manual action by
an administrator. The wait period can also be disabled to require administrator action to unlock a
locked-out account.
For a Rubrik cluster with multitenancy, the administrators for an organization can unlock a locked-out user
account for their organization only. Global administrators can unlock any locked-out user account.
The user account lockout feature only applies to locally authenticated user accounts and does not apply to
LDAP authenticated user accounts.
To enable the user account lockout feature and set the wait period, contact Rubrik Support.

Important: While the user account lockout feature is a valuable tool to help prevent brute force account
intrusions, malicious persons can use it to lock an account and prevent a legitimate login by the user who
owns the account. Managing and monitoring IP address access to the Rubrik cluster can help mitigate this
issue.
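
The lockout behavior described above, modeled as a small state machine with a detection helper for the lockout-abuse case in the Important note. This is an added example, not Rubrik code: the threshold of 3, the 600-second wait, the reset of the counter when the wait period expires, and the log entries (documentation IP ranges) are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class LockoutPolicy:
    max_failures: int = 3                 # assumption: the guide names no value
    wait_seconds: Optional[float] = 600   # None = wait period disabled


@dataclass
class LocalAccount:
    username: str
    failed_logins: int = 0                # failures since last successful login
    locked_at: Optional[float] = None
    failure_sources: List[str] = field(default_factory=list)


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        # One entry per lockout: (username, source IPs of the counted failures).
        self.lockout_events: List[Tuple[str, Set[str]]] = []

    def reset(self, acct: LocalAccount) -> None:
        """Administrator unlock, successful login, or wait-period expiry."""
        acct.failed_logins = 0
        acct.locked_at = None
        acct.failure_sources.clear()

    def is_locked(self, acct: LocalAccount, now: float) -> bool:
        if acct.locked_at is None:
            return False
        wait = self.policy.wait_seconds
        if wait is not None and now - acct.locked_at >= wait:
            self.reset(acct)              # wait period elapsed
            return False
        return True                       # stays locked until an admin resets

    def attempt(self, acct: LocalAccount, password_ok: bool,
                source_ip: str, now: float) -> str:
        if self.is_locked(acct, now):
            return "rejected-locked"      # even the correct password is refused
        if password_ok:
            self.reset(acct)
            return "ok"
        acct.failed_logins += 1
        acct.failure_sources.append(source_ip)
        if acct.failed_logins >= self.policy.max_failures:
            acct.locked_at = now
            self.lockout_events.append((acct.username, set(acct.failure_sources)))
            return "locked"
        return "failed"


def sources_locking_many_accounts(events, min_accounts: int = 2) -> Dict[str, List[str]]:
    """Source IPs whose failures contributed to lockouts of several accounts."""
    hit = defaultdict(set)
    for username, sources in events:
        for ip in sources:
            hit[ip].add(username)
    return {ip: sorted(users) for ip, users in hit.items() if len(users) >= min_accounts}


# Constructed log: (time in seconds, username, source IP, password correct?)
CONSTRUCTED_LOG = [
    (0, "alice", "203.0.113.7", False), (1, "alice", "203.0.113.7", False),
    (2, "alice", "203.0.113.7", False), (3, "bob", "203.0.113.7", False),
    (4, "bob", "203.0.113.7", False), (5, "bob", "203.0.113.7", False),
    (6, "carol", "198.51.100.20", False), (7, "carol", "198.51.100.20", True),
    (30, "alice", "192.0.2.10", True),    # owner blocked while locked out
    (700, "alice", "192.0.2.10", True),   # after the 600-second wait period
]


def replay(log, policy: LockoutPolicy):
    tracker, accounts, outcomes = LockoutTracker(policy), {}, []
    for now, user, ip, ok in log:
        acct = accounts.setdefault(user, LocalAccount(user))
        outcomes.append(tracker.attempt(acct, ok, ip, now))
    return outcomes, tracker, accounts
```

Replaying the constructed log shows the account owner refused at t=30 despite a correct password, and sources_locking_many_accounts flags the one address behind both lockouts.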

Unlocking a user account
Unlock a locked user account.

Context
A global administrator, or an organization administrator for the organization of the account, can unlock a
locked local user account.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the gear icon on the top bar of the web UI.
The gear menu appears.
3. Click Users.
The Users page appears with the Users and Groups tab selected.
4. Find the locked local user account and open the ellipsis menu for that entry.
5. Click Unlock Account.

Result
The Rubrik cluster resets the count of failed logins to zero and unlocks the account.

Rubrik Two-step Verification with TOTP


Rubrik Two-step Verification for Rubrik clusters uses time-based one-time passwords to provide secure
authentication for users.
Rubrik Two-step Verification implements two-factor authentication (2FA) for Rubrik clusters. Users can
enable Rubrik Two-step Verification to use time-based one-time password (TOTP)-mediated 2FA, which
provides an additional layer of authentication security. In addition to the username and password, TOTP
uses an app to provide a single-use numeric code that serves as the second authentication factor.
Administrators can enforce Rubrik Two-step Verification for users. When enforced, each user must
configure Rubrik Two-step Verification on an individual basis. Rubrik Two-step Verification works with
any TOTP app that complies with RFC2638. Rubrik Two-step Verification does not support LDAP security
groups.
Rubrik Two-step Verification is enabled by default on Rubrik CDM version 5.3.3 and later. Users with
administrative privileges can skip 2FA configuration and disable global enforcement of Rubrik Two-
step Verification from the web UI. All other users must configure 2FA at their next login unless global
enforcement is disabled. Once a user with administrative privileges confirms global 2FA enforcement, all
users must configure 2FA in order to log in.

Enforcing Rubrik Two-step Verification for a local user


A user with the required privileges can enable or disable enforcement of Rubrik Two-step Verification for
local users.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Users.
The Users page appears.
4. Select the Users and Groups tab.
5. Scroll the page or use the search field to locate a user account entry.
6. Open the ellipsis menu next to the user account entry and select Edit.
The Edit Local User dialog appears.
7. Turn on the Enable MFA Addons toggle.
The multifactor authentication option drop-down menu appears.
8. From the Select Option drop-down menu, select Two-Step Verification.
9. Click Update.

Result
Subsequent logins to this account use Rubrik Two-step Verification after the user configures a source for
time-based one-time passwords.

Enforcing Rubrik Two-step Verification for an LDAP domain


A user with the required privileges can enable or disable enforcement of Rubrik Two-step Verification for
individual users on LDAP servers. Rubrik Two-step Verification does not support LDAP security groups.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Users.
The Users page appears.
4. Select the LDAP Servers tab.
5. Scroll the page or use the search field to locate an LDAP server entry.
6. Open the ellipsis menu next to the LDAP server entry and select Edit.
The Edit LDAP Server wizard appears.
7. Type the password for the domain name or username and click Next.
The wizard advances to the next step.
8. Click Next.
The wizard advances to the next step.
9. Turn on the Enable MFA Addons toggle.
The multifactor authentication option drop-down menu appears.
10. From the Select Option drop-down menu, select Two-Step Verification.
11. Click Update.

Result
Subsequent logins to a user account in this LDAP domain use Rubrik Two-step Verification after the user
configures a source for time-based one-time passwords.

Configuring Rubrik Two-step Verification as a user


Users can configure Rubrik Two-step Verification for their own accounts.

Prerequisites
Install an app that provides time-based one-time passwords (TOTP). Rubrik Two-step Verification supports
apps from Microsoft, Google, and Okta.

Procedure
1. Log in to the Rubrik CDM web UI.
2. From the silhouette drop-down, select Two-Step Verification Configuration.
The Two-Factor Authentication wizard appears.
3. Click Next.
The 2FA Quick Response (QR) code appears.
4. (When QR code scanning is unavailable) Click reveal link.
A text link for manual entry into the 2FA app appears.
5. Launch the 2FA app and set up a new authentication service.
The device launches the camera software.
6. Focus the device camera on the QR code.
The 2FA app displays a TOTP.
7. In One Time Password, type the TOTP.
8. Click Submit.

Result
Subsequent logins to this account require a valid TOTP.

Changing the TOTP device


Change the device used to generate time-based one-time passwords from the Rubrik web UI.

Prerequisites
Confirm that the account already has TOTP enabled.

Procedure
1. Log in to the Rubrik CDM web UI.
2. From the silhouette drop-down, select Two-Step Verification Configuration.
The Two-Factor Authentication dialog appears.
3. Click Change Device.
The Two-Factor Authentication wizard appears.
4. Click Next.
The 2FA Quick Response (QR) code appears.
5. Launch the 2FA app and set up a new authentication service.
The device launches the camera software.
6. Focus the device camera on the QR code.
The 2FA app displays a TOTP.
7. In One Time Password, type the TOTP.
8. Click Submit.

Result
The new device is now the TOTP source for the account.

Configuring Rubrik Two-step Verification


Rubrik cluster administrators can enforce Rubrik Two-step Verification use for all local and LDAP users on a
Rubrik cluster or set configuration reminders that display at login.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Users.
The Users page appears.
4. Select the Users and Groups tab.
5. From the ellipsis menu at the top of the list of users, select Two-Step Verification Options.
The Two-Step Verification Options dialog box appears.
6. Choose a verification option.
• Turn on the Global Enforcement toggle to require a time-based one-time password (TOTP) in
order to authenticate a user to the cluster for all local and LDAP login attempts.
• Turn on the Two-Step Reminders toggle to remind users to configure Rubrik Two-step
Verification for their accounts at login.
When global enforcement is active, reminders are not displayed even when the Two-Step Reminders
toggle is turned on.
7. In Remember Device (Days), type a number.
The number used must be an integer and specifies an interval in days. After a successful login, users
that check Remember this device at login are not asked to provide a valid TOTP for the specified
number of days. A value of zero requires a valid TOTP at every login.
8. Click OK.
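
How a time-based one-time password is computed and checked, together with the Remember Device (Days), Global Enforcement and Two-Step Reminders settings from the procedure above. This is an added example, not Rubrik code: the 30-second step, the one-step acceptance window, the replay check, the expiry exactly at N days, and the function names are assumptions. The key is the published test key from RFC 6238 Appendix B.

```python
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 30   # common authenticator-app time step (assumption)
DAY = 86400
RFC_TEST_SECRET = b"12345678901234567890"   # published RFC 6238 test key


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA-1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """Code for the time step that contains Unix time `at`."""
    return hotp(secret, int(at) // STEP_SECONDS, digits)


def verify_totp(secret: bytes, submitted: str, at: float,
                last_used_counter: Optional[int] = None,
                window: int = 1, digits: int = 6) -> Optional[int]:
    """Return the matching time counter, or None.

    `window` tolerates clock drift of that many steps either way.
    Counters at or below `last_used_counter` are skipped so that a code
    stays single-use; the caller stores the returned counter.
    """
    current = int(at) // STEP_SECONDS
    for counter in range(max(0, current - window), current + window + 1):
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        expected = hotp(secret, counter, digits)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return counter
    return None


def totp_required(remember_days: int, remembered_at: Optional[float],
                  now: float) -> bool:
    """Remember Device (Days): zero requires a valid TOTP at every login."""
    if remember_days == 0 or remembered_at is None:
        return True
    return now - remembered_at >= remember_days * DAY


def login_decision(password_ok: bool, configured: bool,
                   global_enforcement: bool, reminders: bool,
                   remember_days: int, remembered_at: Optional[float],
                   now: float) -> str:
    """What happens after the password check, per the settings above."""
    if not password_ok:
        return "deny"
    if configured:
        if totp_required(remember_days, remembered_at, now):
            return "ask-totp"
        return "allow"                    # remembered device, still in interval
    if global_enforcement:
        return "must-configure"           # no reminder shown under enforcement
    return "allow-with-reminder" if reminders else "allow"
```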

LDAP authentication
The Rubrik cluster uses LDAP to authenticate users who log in through the Rubrik CDM web UI welcome
screen.
The Rubrik cluster connects to one or more Lightweight Directory Access Protocol (LDAP) servers through
a service or bind account with read access. This account enables the Rubrik cluster to search information
about the user, such as email address and group membership. A base distinguished name (DN) will narrow
the search to a specific location within the LDAP directory tree. Search filters will identify specific groups or
users to further narrow the search.
The Rubrik CDM web UI requests LDAP server information in three stages:
• Credentials – Establishes the starting point of an LDAP directory search for a user who is trying to log in
to the Rubrik cluster.
• Servers, User and Group Settings – Servers require a list of one or more LDAP servers to search, and
user settings specify how Rubrik determines who is a user, and what attributes to use when mapping
users to the respective LDAP directory.
• Multifactor Authentication – Adds one or more factors to the basic authentication process, which
prevents unauthorized users from accessing the Rubrik cluster.
The Rubrik cluster uses the user management system to control authorization for authenticated users.
Related concepts
LDAP credentials
LDAP credentials establish the starting point of an LDAP directory search for a user who is trying to log in
to the Rubrik cluster.
LDAP servers
The Rubrik cluster requires a list of one or more LDAP servers for connection security.
Related tasks
Enabling multifactor authentication
Configure multifactor authentication requirements for LDAP users.

LDAP credentials
LDAP credentials establish the starting point of an LDAP directory search for a user who is trying to log in
to the Rubrik cluster.
The Rubrik cluster uses the parameters shown in the following table to search for information about
an authenticated user in the Lightweight Directory Access Protocol (LDAP) directory structure and to
authenticate a user. The LDAP or Active Directory administrator can suggest the actual values to use.

Parameter: Description

Domain or Domain Display Name: Name used by the Rubrik cluster when referring to this LDAP integration.
Users can enter this name for the Domain when logging in on the welcome screen. Domain Display Name can be
an alias for the domain that is easier to remember than the full domain name.
This information is not case sensitive.

Base DN: Indicates where to begin searching within the LDAP tree. If not specified, the Rubrik cluster will
begin searching at the root (defaultNamingContext).

Bind DN or Username: User with read privileges that can be used to search the LDAP directory to obtain
information such as group membership.

Password: Password for the account entered as the Bind DN or Username.

CA Certificates: A .PEM format X.509 certificate is used either to validate an explicitly chosen
TLS-capable LDAP server, or when the LDAP server offers support for StartTLS.

The Rubrik cluster supports multiple LDAP domains; however, when a user provides a Domain or Domain
Display Name in the login screen, only that domain is searched for the user’s credentials.
The Rubrik cluster uses the LDAP information for authentication on the local Rubrik cluster only. To enable
LDAP authentication on another Rubrik cluster, log in to that Rubrik cluster and provide the required
information.
When an LDAP server cannot be reached, the Rubrik cluster rejects logins that authenticate against that
server. Until an LDAP server becomes available, the Users and Groups page will not show authorization for
any LDAP users or groups associated with that server.

Note: Unlike the Rubrik web UI, the Rubrik REST API does not authenticate using the Domain Display
Name value. For LDAP authentication through the Rubrik REST API, the server searches through all LDAP
users in the Organization.

Requirements for BIND user credentials


Rubrik CDM has specific requirements for BIND credentials.
Rubrik CDM requires setting the BIND credentials for an account to never expire or lock out. This
requirement also applies to the Kerberos user credentials from integrations earlier than Rubrik version 4.2.
Provide a BIND user credential if the Kerberos user credentials become invalid.

LDAP servers
The Rubrik cluster requires a list of one or more LDAP servers for connection security.
Lightweight Directory Access Protocol (LDAP) servers can be specified in two ways:
• Dynamic DNS name
• IP or hostname along with the associated port for each LDAP server
The Rubrik cluster first tries to connect to an LDAP server. If LDAP servers are not specified, or if they
are not responsive, the Rubrik cluster next tries to discover Global Catalog servers that correspond to the
dynamic DNS name by resolving DNS SRV records for _gc._tcp.<dynamic DNS name>. If no Global
Catalog servers are found, the Rubrik cluster tries to resolve DNS SRV records for
_ldap._tcp.<dynamic DNS name>.
If the discovered servers are active on port 636 (for LDAP) or port 3269 (for Global Catalog), the Rubrik
cluster automatically chooses secure LDAP using Transport Layer Security (TLS). If the LDAP servers
support StartTLS, the Rubrik cluster automatically chooses StartTLS.

Note: If the field is empty, the Rubrik cluster is forced to connect using only the dynamic DNS name.
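
The server selection order described above, written out with the DNS lookup and port probes injected as functions so it runs offline. This is an added example, not Rubrik code: the function names, the simplified SRV ordering, the treatment of explicitly listed servers, the refusal to fall back to a cleartext connection, and the sample zone (ad.example.com) are assumptions.

```python
from typing import Callable, Dict, Iterable, List, NamedTuple, Optional, Tuple

LDAPS_PORT = 636      # secure LDAP, per the guide
GC_TLS_PORT = 3269    # secure Global Catalog, per the guide

SrvRecord = Tuple[int, int, int, str]   # (priority, weight, port, target)


class Endpoint(NamedTuple):
    host: str
    port: int
    transport: str    # "ldaps" or "starttls"
    origin: str       # "configured", "_gc._tcp" or "_ldap._tcp"


def discover(dynamic_dns_name: str,
             resolve_srv: Callable[[str], List[SrvRecord]]):
    """Global Catalog SRV records first; _ldap._tcp only if none are found."""
    for label in ("_gc._tcp", "_ldap._tcp"):
        records = sorted(resolve_srv(f"{label}.{dynamic_dns_name}"),
                         key=lambda r: (r[0], -r[1]))  # simplified SRV order
        if records:
            return [(target.rstrip("."), port, label)
                    for _, _, port, target in records]
    return []


def choose_endpoint(configured: Iterable[Tuple[str, int]],
                    dynamic_dns_name: str,
                    resolve_srv: Callable[[str], List[SrvRecord]],
                    port_open: Callable[[str, int], bool],
                    supports_starttls: Callable[[str, int], bool]) -> Optional[Endpoint]:
    # 1. Explicitly listed servers that respond are used first.
    candidates = [(h, p, "configured") for h, p in configured if port_open(h, p)]
    # 2. None listed or none responsive: DNS SRV discovery.
    if not candidates and dynamic_dns_name:
        candidates = discover(dynamic_dns_name, resolve_srv)
    for host, port, origin in candidates:
        if origin == "configured":
            if port in (LDAPS_PORT, GC_TLS_PORT):
                return Endpoint(host, port, "ldaps", origin)
        else:
            # Discovered servers: prefer the TLS port when it is active.
            tls_port = GC_TLS_PORT if origin == "_gc._tcp" else LDAPS_PORT
            if port_open(host, tls_port):
                return Endpoint(host, tls_port, "ldaps", origin)
        if supports_starttls(host, port):
            return Endpoint(host, port, "starttls", origin)
    # Assumption of this example: no secure transport means no connection.
    return None


# Constructed sample environment (not from the guide).
CONSTRUCTED_ZONE: Dict[str, List[SrvRecord]] = {
    "_gc._tcp.ad.example.com": [(0, 100, 3268, "gc1.ad.example.com.")],
    "_ldap._tcp.ad.example.com": [(10, 50, 389, "dc2.ad.example.com."),
                                  (0, 100, 389, "dc1.ad.example.com.")],
}
CONSTRUCTED_OPEN_PORTS = {("gc1.ad.example.com", 3269), ("dc1.ad.example.com", 389),
                          ("dc2.ad.example.com", 389), ("dc2.ad.example.com", 636)}
CONSTRUCTED_STARTTLS = {("dc1.ad.example.com", 389)}


def demo(configured, zone=CONSTRUCTED_ZONE) -> Optional[Endpoint]:
    """Run the selection against the constructed environment."""
    return choose_endpoint(
        configured, "ad.example.com",
        resolve_srv=lambda name: zone.get(name, []),
        port_open=lambda h, p: (h, p) in CONSTRUCTED_OPEN_PORTS,
        supports_starttls=lambda h, p: (h, p) in CONSTRUCTED_STARTTLS,
    )
```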

User and Group settings


User settings specify how Rubrik determines who is a user, and what attributes to use when mapping users
to the respective LDAP directory.

Field: Search Filter
Description: Query that specifies which users to retrieve from the LDAP directory.
Default: (&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))

Field: Username Attribute
Description: Attribute that identifies the user. This attribute is compared to the username entered in the
login screen. For example, in Active Directory the attribute is sAMAccountName. Specify hanr to enable
Microsoft’s Ambiguous Name Resolution.
Default: sAMAccountName

Field: Group Membership Attribute
Description: Indicates groups for which the user is a member.
Default: memberOf

Group settings for search


Use specific settings to focus the search on a group within a particular LDAP directory.

Field: Search Filter
Description: Query that specifies which groups to retrieve from the LDAP directory.
Default: (&(objectCategory=group))

Field: Group Member Attribute
Description: Determines which members belong to a given group. For example, in Active Directory, the
attribute is member.
Default: member

Adding LDAP servers
A Rubrik cluster requires information about LDAP directory servers in order to access the LDAP directories
to authenticate accounts.
Use the Rubrik web UI to provide LDAP server information in three stages:
• Credentials
• Servers, User and Group Settings
• Multifactor Authentication

Specifying credentials to communicate with an LDAP server


A Rubrik cluster requires the LDAP server name, bind-user credentials, and any required certificate
information in order to communicate with an LDAP server.

Prerequisites
For each LDAP server domain, obtain the domain name along with the user name and password of an
account with read privileges for that domain. If the LDAP server requires a Transport Layer Security (TLS)
certificate, import the TLS certificate using the procedure detailed in Importing a TLS certificate.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Users.
4. Select the LDAP Servers tab.
The LDAP server page appears.
5. Click Add LDAP Server.
The Add LDAP Server dialog box appears, with the Credentials step highlighted.
6. In Domain or Domain Display Name, type the domain name associated with the set of LDAP
users.
7. Optional: In Base DN, specify a DN where the Rubrik cluster should begin searching from within the
LDAP directory tree structure.
If this field is left blank, the Rubrik cluster begins searching at the root of the directory tree.
8. In Bind DN or Username, enter the credentials for a user with read privileges.
9. In Password, type the password for the account entered in the previous step.
10. (If the LDAP server requires a TLS certificate) Select a TLS certificate.
11. Click Next.

Result
The Servers, Users & Group Settings step is highlighted.

Specifying servers, user settings, and group settings


Once the Credentials page is filled in, specify one or more LDAP servers, and optionally, specify user and
group settings.

Procedure
1. Click the Servers tab.
The Servers dialog box opens.
2. (If using Dynamic DNS) In Dynamic DNS Name, enter the dynamic DNS name that publishes the
server.
3. Optional: Add servers by providing the IP address or hostname and the port number for each server.
4. Optional: Select Use SSL connection if secure LDAP is used.
5. Optional: Click the User Settings tab.
The User Settings dialog box appears.
6. In the Search Filter field, enter a query that specifies which users to retrieve from the LDAP
directory.
7. In the Username Attribute field, enter the attribute that will be used when comparing to the
username entered in the login screen.
8. In the Group Membership Attribute field, enter the attribute that determines which groups the
user belongs to.
9. Optional: Click the Group Settings tab.
10. In the Search Filter field, enter a query that specifies which groups to retrieve from the LDAP
directory.
11. In the Group Member Attribute field, enter the attribute used to determine which members belong
to a given group.
12. Click Next.

Result
The Multifactor Authentication step is highlighted.

Enabling multifactor authentication


Configure multifactor authentication requirements for LDAP users.

Context
Lightweight Directory Access Protocol (LDAP) is configured per directory as part of the LDAP directory
configuration. Enforce LDAP globally by enabling Time-based One-time Password (TOTP) globally, which
applies to all LDAP and local users.

Procedure
1. (If at least one RSA SecurID server has been configured) Select the RSA SecurID server to use for
multifactor authentication.
2. Click Add.

Result
The LDAP users are configured for multifactor authentication.

Viewing LDAP server information


Review the list of LDAP servers associated with a Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Users.
The Users and Groups page appears.
4. Select the LDAP Servers tab.

Result
The LDAP Servers page appears and lists the domain display name of each authentication domain and
whether multifactor authentication is enabled or disabled for that domain.

Deleting an LDAP server


Delete an LDAP server from the list of servers the Rubrik cluster can use to authenticate users. Once the
LDAP server is deleted, users authenticated from that server will not be able to log in.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Users.
The Users and Groups page appears.
4. Select the LDAP Servers tab.
5. Open the ellipsis menu for a listed LDAP display name.
6. Select Delete.
A warning dialog box appears.
7. Click Delete.

Result
The Rubrik cluster no longer uses the LDAP server to authenticate users. Users that authenticate from the
removed server are no longer able to log in.

User account and group account authorization


The Rubrik cluster uses LDAP server information to authenticate user account credentials at login.
After authentication, the Rubrik cluster uses the settings assigned to a user account or group account and
stored on the Rubrik cluster to determine which operations the user is authorized to perform.
Assign roles to the account to permit the account to access the Rubrik CDM web UI.

Deactivating a user account or group account


Remove Rubrik cluster authorization for a user account or group account.

Context
Removing a group account removes the group-level access of the users in the group but does not change
existing user account level access, if any.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Users.
The Users page appears.
4. Scroll the page or use the search field to locate a user account or group account.
5. Open the ellipsis menu next to the user account or group account entry and select Assign Roles.
The Assign Roles dialog box appears.
6. Clear all roles.
7. Click Finish.

Result
The Rubrik cluster removes Rubrik cluster authorization for the selected user account or group account and
hides the account.

Single Sign-on
Rubrik CDM supports single sign-on using the Security Assertion Markup Language 2.0 standard.
Single sign-on (SSO) allows users to log in to Rubrik CDM using credentials associated with an identity
provider (IdP). The Security Assertion Markup Language (SAML) 2.0 standard uses metadata files to
exchange information between an IdP and a Service Provider (SP), such as Rubrik CDM. The information
in these files establishes a trust relationship between the two entities. The files also specify where
authentication requests and responses should be sent, along with formatting details.
Rubrik CDM can be integrated with any SAML 2.0-enabled IdP that supports either SP-initiated SSO or
IdP-initiated SSO.

Generic Single Sign-on workflow


The generic workflow gives a high-level view of the tasks involved in configuring a Rubrik cluster to use
single sign-on with any identity provider.
To successfully configure single sign-on, several individual tasks must be completed. The following list
provides an overview of those tasks. Each task involves multiple steps, and all steps in a task must be
completed before moving to the next task.
Note that some tasks are performed in the UI of the identity provider (IdP), and some are performed in
the Rubrik CDM web UI.

Note: When performing these tasks, keep two tabs open: one for the Rubrik CDM web UI and one for the
IdP UI.

1. (Rubrik) Download the Rubrik metadata file.
2. (Text editor) If required by the identity provider, prepare the signing certificate and the encryption
certificate for uploading.
3. (IdP) Add the Rubrik application as the Service Provider.
4. (IdP) Download the IdP metadata file.
5. (IdP) Specify attributes for the claims that will be included in the SAML assertion responses.
6. (Rubrik) Upload the IdP metadata file.
7. (Rubrik) Test the connection.
8. (Rubrik) Grant authorization to SSO users and groups.

Rubrik metadata file


The Rubrik metadata file provides configuration and credential information to an identity provider as part
of enabling single sign-on.
The Rubrik metadata file is generated from the Rubrik UI. It provides information to the identity provider,
including a signing certificate and an encryption certificate that allows authentication information to be
sent securely to Rubrik. The metadata file follows standard SAML 2.0 metadata specification format.

| Field name | Description |
| --- | --- |
| EntityID (/EntityDescriptor/@entityID) | The relying party (Service Provider) identifier. Rubrik appends rubrik-sso-sp- to the cluster ID in order to create a unique identifier. |
| Encryption key (/EntityDescriptor/SPSSODescriptor/KeyDescriptor use=”encryption”/KeyInfo/X509Data/@X509Certificate) | A public key used to encrypt the data being transferred (such as user names, email addresses, and group names). |
| Signing key (/EntityDescriptor/SPSSODescriptor/KeyDescriptor use=”signing”/KeyInfo/X509Data/@X509Certificate) | The certificate used to generate the signature on a SAML request to the identity provider. Rubrik also requests that all SAML assertion responses be signed. |
| NameID (/EntityDescriptor/SPSSODescriptor/@NameIDFormat) | A name identifier format that is explicitly supported by Rubrik. SAML assertion responses must contain name identifiers in these formats in order for Rubrik to recognize them. Supported formats include: unspecified, emailAddress, WindowsDomainQualifiedName, kerberos. |
| Location (/EntityDescriptor/SPSSODescriptor/AssertionConsumerService/@Location) | The URL of the SAML Assertion Consumer Service endpoint, which specifies where to send the SAML assertion response from the Identity Provider. This corresponds to the Service Provider host address entered in the Configure Identity Provider Service section of the Add Identity Provider dialog box in the Rubrik UI. |
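
The following is an added example, not part of the Rubrik documentation: a Python check an administrator could run on a downloaded Service Provider metadata file before uploading it to the identity provider, reading the fields listed above from the standard SAML 2.0 metadata layout. The sample document, host name, ACS path, and certificate bytes are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder "certificates": arbitrary bytes, not real X.509 data.
SIGNING_DER = b"constructed signing certificate bytes"
ENCRYPTION_DER = b"constructed encryption certificate bytes"


def key_descriptor(use, der):
    """Build one KeyDescriptor element for the constructed sample."""
    b64 = base64.b64encode(der).decode()
    return ('<md:KeyDescriptor use="%s"><ds:KeyInfo><ds:X509Data>'
            '<ds:X509Certificate>%s</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>' % (use, b64))


def build_sample(acs_url, keys):
    """Constructed SP metadata in the standard SAML 2.0 layout (not a real cluster's file)."""
    return (
        '<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" '
        'entityID="rubrik-sso-sp-EXAMPLE-CLUSTER-ID">'
        '<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" '
        'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '%s'
        '<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>'
        '<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>'
        '<md:AssertionConsumerService index="0" '
        'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="%s"/>'
        '</md:SPSSODescriptor></md:EntityDescriptor>'
    ) % (NS["md"], NS["ds"], "".join(key_descriptor(u, d) for u, d in keys), acs_url)


def review_sp_metadata(xml_text):
    """Extract the fields an IdP administrator should confirm and list any problems."""
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("metadata must not contain a DOCTYPE declaration")
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or sp is None:
        raise ValueError("not SAML 2.0 service provider metadata")

    # SHA-256 fingerprint of each certificate, keyed by its declared use.
    certs = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is None or not node.text:
            continue
        der = base64.b64decode("".join(node.text.split()))
        # A KeyDescriptor without a "use" attribute serves both purposes.
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for use in uses:
            certs[use] = hashlib.sha256(der).hexdigest()

    acs = [e.get("Location") for e in sp.findall("md:AssertionConsumerService", NS)]
    formats = [e.text.strip().rsplit(":", 1)[-1]
               for e in sp.findall("md:NameIDFormat", NS) if e.text]

    findings = []
    entity_id = root.get("entityID", "")
    if not entity_id.startswith("rubrik-sso-sp-"):
        findings.append("entityID lacks the rubrik-sso-sp- prefix")
    for use in ("signing", "encryption"):
        if use not in certs:
            findings.append("no %s certificate" % use)
    if sp.get("WantAssertionsSigned") not in ("true", "1"):
        findings.append("metadata does not request signed assertions")
    if not acs:
        findings.append("no AssertionConsumerService endpoint")
    for url in acs:
        if urlparse(url or "").scheme != "https":
            findings.append("ACS endpoint is not HTTPS: %s" % url)

    return {"entity_id": entity_id, "acs": acs, "name_id_formats": formats,
            "cert_sha256": certs, "findings": findings}


if __name__ == "__main__":
    sample = build_sample("https://rubrik.example.com/placeholder-acs-path",
                          [("signing", SIGNING_DER), ("encryption", ENCRYPTION_DER)])
    for key, value in review_sp_metadata(sample).items():
        print(key, "=", value)
```

Comparing the reported fingerprints and ACS URL with what the identity provider shows after import confirms that the trust was built from the intended file.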

ADFS integration workflow


The workflow gives a high-level view of the tasks involved in configuring single sign-on with ADFS.
To successfully configure single sign-on with ADFS, several individual tasks must be completed. The
following list provides an overview of those tasks.
Complete the tasks in the order shown. Each task involves multiple steps, and all steps in a task must be
completed before moving to the next task.
Note that some tasks are performed in the ADFS management console, and some are performed in the
Rubrik CDM web UI.
1. (ADFS management console) Download the ADFS metadata file.
2. (Rubrik CDM web UI) Configure single sign-on in CDM by uploading the ADFS metadata file to CDM
and downloading the Rubrik metadata file.
3. (ADFS management console) Add Rubrik as a Relying Party Trust.
4. (ADFS management console) Configure NameId, Email, and Group claim rules.
5. (ADFS management console) Verify the ADFS Service Provider settings.
6. (Rubrik CDM web UI) Test the SSO connection.
7. (Rubrik CDM web UI) Grant authorization to SSO users.

Downloading the ADFS metadata file
Download the ADFS federation metadata file associated with the ADFS Server.

Context
The identity provider metadata file contains information that Rubrik CDM needs in order to send and
receive SAML assertions.

Procedure
1. In a web browser, type https://adfs_host/FederationMetadata/2007-06/FederationMetadata.xml,
where adfs_host is the DNS hostname or IP address for the ADFS Server.
2. Proceed to the ADFS Server address.

Result
The web browser downloads the FederationMetadata.xml file to the default download location.

Next task
Configure single sign-on in Rubrik CDM, as described in Configuring single sign-on in Rubrik CDM.

Service Provider host address


The Service Provider host address is the location where the identity provider sends SAML responses.
Rubrik CDM requires a host address when generating the Rubrik metadata file. The metadata file uses the
host address as the URL for the Assertion Consumer Service endpoint.
The choice of host address depends on whether floating IP addresses are configured. When floating
IP addresses are configured, Rubrik CDM chooses a default host address from the available floating IP
addresses. Alternatively, a specific floating IP address can be chosen from the list of configured floating IP
addresses.
If floating IP addresses are not configured, the only choice is to supply a static address: IPv4, IPv6, or
DNS.

Configuring single sign-on in Rubrik CDM


Upload the identity provider's metadata file to Rubrik CDM and download the Rubrik metadata file.

Procedure
1. Log in to the Rubrik CDM web UI as a user with the Administrator role, or any role that has permission
to view and manage security settings.
2. Click the gear icon and select Users.
The Users and Groups page appears.
3. Select the Identity Providers tab.
4. Click Add Identity Provider.
The Add identity provider dialog box appears.
5. In the Configure Single Sign-on section, in Identity Provider Name, type a name.
The identity provider name is the name that will appear in the Directory column of the Users and
Groups page.
6. Click the download icon to the right of the Identity Provider Metadata field.
7. Select the appropriate metadata file from the Downloads folder and click Open.
8. In Configure Identity Provider Service, enter the Service Provider host address.
The Service Provider host address can be a floating IP address or a static address, as explained in
Service Provider host address.
The Download Rubrik Metadata link becomes active.
9. Click Download Rubrik Metadata.
The Rubrik metadata file is generated and the web browser downloads it to the default download
location.
10. Click Add.
The identity providers tab displays the following information, which is extracted from the identity
provider's metadata file:
• Entity ID
• Sign in URL
• Expiration of the signing certificate

Result
The identity providers tab in Rubrik CDM web UI displays information from the uploaded ADFS metadata
file. The web browser downloads the Rubrik metadata file.

Next task
Upload the Rubrik metadata file to the ADFS management console and add Rubrik as a relying party trust,
as described in Adding Rubrik as a Relying Party Trust.

Adding Rubrik as a Relying Party Trust


To establish a trust relationship between Rubrik CDM and ADFS, add Rubrik as a Relying Party Trust in the
ADFS management console.

Context
The ADFS Add Relying Party Trust Wizard requires certain information in order to add Rubrik to its list of
Relying Party Trusts. Some information is provided through the Rubrik metadata file, and some information
is entered manually.

Procedure
1. On the Windows Server running ADFS, open the ADFS management console.
2. In the left pane, open the Trust Relationships folder and select Relying Party Trusts.
The center pane displays the following Relying Party Trust information for each configured Service
Provider:
• Display Name
• Enabled status (yes or no)
• Identifier (the Service Provider entity ID)
3. In the Actions window on the right, under Relying Party Trusts, select Add Relying Party
Trust....
The Welcome pane of the Add Relying Party Trust Wizard appears.
4. Click Start.
The Select Data Source pane appears.
5. Select Import data about the relying party from a file, then click Browse to find and select the
Rubrik_Metadata.xml file.
6. Click Next.
The Specify Display Name pane appears.
7. Type the display name and click Next.
The display name identifies the name of the relying party trust in the Relying Party Trusts display.
The Choose Issuance Authorization Rules pane appears.
8. Choose the option that corresponds to the required initial behavior of the issuance authorization rules
for this relying party trust. Follow company policy when choosing the option.
| Option | Effect |
| --- | --- |
| Permit all users to access this relying party | The issuance authorization rules allow all users to access Rubrik CDM initially. Rubrik CDM performs an additional check to determine whether a user should have access. |
| Deny all users access to this relying party | The issuance authorization rules deny all users access to Rubrik CDM initially. Add issuance authorization rules to enable users to access Rubrik CDM. |
9. Click Next.
The Ready to Add Trust pane appears.
10. Verify that the settings are correct and click Next.
The Finish pane appears.
11. Select Open the Edit Claim Rules dialog box for this relying party trust when the wizard
closes.
12. Click Close.
The Edit Claim Rules dialog box appears, with the Issuance Transform Rules tab selected.

Result
The ADFS management console lists Rubrik in the Relying Party Trusts display.

Next task
Add custom claim rules, beginning with the nameId rule, as described in Adding a nameId claim rule.

Adding a nameId claim rule


Add a claim rule to tell ADFS how to format the nameId claims sent to Rubrik CDM.

Prerequisites
Complete the steps in the Add Relying Party Trust Wizard, as described in Adding Rubrik as a Relying Party
Trust.

Context
ADFS offers a set of templates for configuring claims. Use the Send Claims Using a Custom Rule
template to set up a custom nameId rule.

Procedure
1. In the Edit Claim Rules dialog box, with the Issuance Transform Rules tab selected, click Add
Rule.
The Select Rule Template pane appears.
2. From the Claim rule template menu, click Send Claims Using a Custom Rule and click Next.
The Configure Rule pane appears.
3. In Claim rule name, type a name for the nameId claim rule.
For example, type nameId.
4. In Custom rule, type the custom rule for nameId.
The custom rule for nameId claims is:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);

5. Click Finish.
The Edit Claim Rules dialog box appears, with the Issuance Transform Rules tab selected.

Result
The nameId custom claim rule is configured.

Next task
Add an email custom claim rule, as described in Adding an email claim rule.

Adding an email claim rule


Add a claim rule to tell ADFS how to format the email claims sent to Rubrik CDM.

Prerequisites
Add a custom claim rule for the nameId attribute, as described in Adding a nameId claim rule.

Context
ADFS offers a set of templates for configuring claims. Use the Send Claims Using a Custom Rule
template to set up a custom email rule.

Procedure
1. In the Edit Claim Rules dialog box, with the Issuance Transform Rules tab selected, click Add
Rule.
The Select Rule Template pane appears.
2. From the Claim rule template menu, click Send Claims Using a Custom Rule and click Next.
The Configure Rule pane appears.
3. In Claim rule name, type a name for the email claim rule.
For example, type email.
4. In Custom rule, type the custom rule for email.
The custom rule for email claims is:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

5. Click Finish.
The Edit Claim Rules dialog box appears, with the Issuance Transform Rules tab selected.

Result
The email custom claim rule is configured.

Next task
Add a group custom claim rule.
• If groups cannot be filtered based on a naming convention, add a custom claim rule that sends all
group claims, as described in Adding a group claim rule for all groups.
• If groups follow a naming convention, add a custom claim rule that sends all group claims, followed by
a group filter claim rule, as described in Adding a group filter claim rule.

Group claim rules


Before writing custom group claim rules, review the example group claim rules in this topic. The example
group claim rules in this topic can be adapted to work with various group naming conventions.
Group claim rules determine which group claims should be included in the SAML assertion response sent to
Rubrik CDM. To understand how group claim rules work, consider the following scenarios:
• User group names do not follow a naming convention, so there is no way to apply a filter based on a
name pattern. As a result, all available group claims are sent to Polaris.
• User group names follow a naming convention that can be used as a filter in a group claim rule. As a
result, the outgoing token only contains group claims for groups with the matching name pattern.
The first scenario requires only one custom group claim rule, referred to as the "all-groups" rule:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

This claim rule transforms the incoming ADFS group claims into the format requested in the SAML request,
and issues the resulting group claims in the SAML response.
The second scenario requires two custom group claim rules:
• The first claim rule adds all group claims, but does not issue them in the outgoing token. Instead, the
output of this rule is a new incoming claim, which is used as an input for the second claim rule.
• The second claim rule applies a filter to the group claims in the incoming claim. The filter allows only
group claims that start with certain characters to be sent as outgoing claims.

Note: The claims rule engine processes each claim rule in the order listed in the Edit Claim Rules dialog
box. Since the second claim rule depends on the first, the claim rules must be listed in the correct order.

The following example shows the pair of claim rules to use for groups with names that start with "rubrik".
1. The "all-groups" rule, modified by replacing issue with add:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);
2. The "group-filter" rule, which uses "^rubrik" as the regular expression:

c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^rubrik"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = c.Value);

The regular expression can be adapted to any group naming convention. For example, if the names of all
user groups start with "prod", change the regular expression to "^prod".
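
The following is an added example, not part of the Rubrik or ADFS documentation: a small Python model of the two-rule pipeline described above, showing which group claims reach the outgoing token when the rules are correct, when the first rule keeps issue instead of add, when the order is reversed, and when the pattern loses its ^ anchor. The account, the group names, and the function names are constructed; Python's re module stands in for the claim rule engine's regular-expression match (treated here as case sensitive), and the Issuer condition is left out of the model.

```python
import re

WINDOWS_ACCOUNT = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
GROUP = "http://schemas.xmlsoap.org/claims/Group"

# Constructed attribute store: one account and the groups it belongs to.
DIRECTORY = {
    "CORP\\alice": ["rubrik-admins", "rubrik-readonly", "Domain Users",
                    "hr-payroll", "Rubrik-Legacy", "old-rubrik-ops"],
}


def all_groups(action):
    """Model of the "all-groups" rule. action is "issue" or "add"."""
    def rule(input_claims):
        return [(action, (GROUP, name))
                for ctype, value in input_claims if ctype == WINDOWS_ACCOUNT
                for name in DIRECTORY.get(value, [])]
    return rule


def group_filter(pattern):
    """Model of the "group-filter" rule: issue only Group claims matching pattern."""
    regex = re.compile(pattern)

    def rule(input_claims):
        return [("issue", (GROUP, value))
                for ctype, value in input_claims
                if ctype == GROUP and regex.search(value)]
    return rule


def issued_groups(rules, account="CORP\\alice"):
    """Run the rules in listed order and return the group names in the outgoing token.

    "add" places a claim in the input set only, so later rules can see it.
    "issue" places a claim in the input set and in the outgoing token.
    """
    input_set = [(WINDOWS_ACCOUNT, account)]
    output_set = []
    for rule in rules:
        for action, claim in rule(list(input_set)):
            if claim not in input_set:
                input_set.append(claim)
            if action == "issue" and claim not in output_set:
                output_set.append(claim)
    return [value for ctype, value in output_set if ctype == GROUP]


SCENARIOS = {
    "add, then filter (as documented)": [all_groups("add"), group_filter("^rubrik")],
    "issue, then filter (filter has no effect)": [all_groups("issue"), group_filter("^rubrik")],
    "filter listed before add (no groups sent)": [group_filter("^rubrik"), all_groups("add")],
    "unanchored pattern (extra group sent)": [all_groups("add"), group_filter("rubrik")],
}

if __name__ == "__main__":
    for label, rules in SCENARIOS.items():
        print("%-45s %s" % (label, issued_groups(rules)))
```

After changing the rules, compare the group claims in a test SAML response with the expected list; a token that carries every group usually means the first rule still uses issue.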

Adding a group claim rule for all groups


Add a custom group claim rule that includes all group claims in the SAML assertion response sent to Rubrik
CDM.

Prerequisites
Learn how to set up group claim rules for different scenarios by reading Group claim rules.

Context
The all-groups rule is used when group names do not follow a pattern. As a result, claim rules cannot
make use of a pattern-match filter before the group claims are sent to Rubrik CDM. If group names follow
a pattern, skip this task and follow the instructions in Adding a group filter claim rule instead.

Procedure
1. In the Edit Claim Rules dialog box, with the Issuance Transform Rules tab selected, click Add
Rule.
The Select Rule Template pane appears.
2. From the Claim rule template menu, click Send Claims Using a Custom Rule and click Next.
The Configure Rule pane appears.
3. In Claim rule name, type a name for the group claim rule.
For example, type all-groups.
4. In Custom rule, type the custom rule for all-groups.
The custom rule is:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

5. Click Finish.
The Edit Claim Rules dialog box appears, with the Issuance Transform Rules tab selected.
6. Click OK.
The Edit Claim Rules dialog box disappears.

Result
The custom claim rules are configured.

Next task
Verify that all ADFS Service Provider settings are correct, as described in Verifying ADFS Service Provider
settings.

Adding a group filter claim rule


Add claim rules that allow only group claims that start with certain characters to be sent to Rubrik CDM.

Prerequisites
Create a custom email claim rule, as described in Adding an email claim rule. Learn how to set up group
claim rules for different scenarios by reading Group claim rules.

Context
Use the Send Claims Using a Custom Rule template to add two custom rules. The output of the first
rule is a list of all group claims. The second rule filters the list of all group claims so that only groups with a
certain prefix are included in the SAML response.

Procedure
1. In the Edit Claim Rules dialog box, with the Issuance Transform Rules tab selected, click Add
Rule.
The Select Rule Template pane appears.
2. From the Claim rule template menu, click Send Claims Using a Custom Rule and click Next.
The Configure Rule pane appears.
3. In Claim rule name, type a name for the group claim rule that will include all group claims.
For example, type all-groups.
4. In Custom rule, type the custom rule for all-groups.
The custom rule is:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

5. Click Finish.
The Edit Claim Rules dialog box appears, with the Issuance Transform Rules tab selected.
6. Click Add Rule.
The Select Rule Template pane appears.
7. From the Claim rule template menu, click Send Claims Using a Custom Rule and click Next.
The Configure Rule pane appears.
8. In Claim rule name, type a name for the custom filter rule.
For example, type rubrik-groups for a rule that only sends group claims for groups that begin with
"rubrik".
9. In Custom rule, type the custom rule for rubrik-groups.
The custom rule for rubrik-groups is:

c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^rubrik"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = c.Value);

10. Click Finish.
The Edit Claim Rules dialog box appears, with the Issuance Transform Rules tab selected.
11. Click OK.

Result
The custom group filter claim rules are configured.

Next task
Verify that all ADFS Service Provider settings are correct, as described in Verifying ADFS Service Provider
settings.

Verifying ADFS Service Provider settings


After downloading the Rubrik metadata file and setting up custom claim rules, verify that all ADFS Service
Provider settings have the correct values.

Prerequisites
Add the appropriate group claim rules, as described in Adding a group claim rule for all groups and Adding
a group filter claim rule.

Procedure
1. In the Display Name column, right-click the relying party trust and select Properties.
The Properties page appears.
2. Select Advanced.
3. From the Secure hash algorithm menu, select SHA-256.
4. Select Signature.
5. Verify that the information is correct.
6. Select Encryption.
7. Verify that the information is correct.
8. Select Endpoints.
9. Verify that SAML Assertion Consumer Endpoints is set to the Rubrik cluster host address where
SAML assertion responses should be sent.
10. Click OK.

Result
ADFS has the correct Service Provider settings.

Next task
In the Rubrik CDM web UI, test the SSO connection, as described in Testing the SSO connection.

Testing the SSO connection


Test the connection to verify that users can access the Rubrik cluster using single sign-on.

Procedure
1. Log in to the Rubrik CDM web UI as a user with the Administrator role.
2. On the top bar of the Rubrik CDM web UI, click the gear icon and select Users.
The Users and Groups page appears.
3. Select Identity Providers.
The identity providers page appears.
4. Open the ellipsis menu for the newly added identity provider and select Test.
The Rubrik cluster redirects to the Sign-in screen for the Identity Provider.
5. Type the user name and password for the registered account on the identity provider's system and
click Sign In.
6. Proceed to the Rubrik cluster’s host address.
The Rubrik CDM web UI appears with a message that the SSO test was successful.

Result
The test establishes that users can sign in to the Rubrik cluster using single sign-on.

Next task
Authorize SSO users, as described in Assigning roles to SSO users. Authorize SSO groups, as described in
Assigning roles to SSO groups.

Assigning roles to SSO users


Assign a role to an SSO user account to specify the permissions for the account.

Procedure
1. Log in to the Rubrik CDM web UI as a user with the Administrator role.
2. Click the gear icon and select Users.
The user management page appears with the Users and Groups tab selected.
3. Click Assign Roles.
The Assign Roles wizard opens at the Select Users/Groups step.
4. From the Directory menu, choose the Identity Provider.
5. From the User/Group menu, select User.
6. In Username, type the username exactly as it appears in the identity provider's user list.
The username is case sensitive.
A link appears below the search field.
7. Click Select User.
The user name appears in the Selected column.
8. Optional: Repeat the two previous steps to add more users.
Only add users who should have the same roles.
9. Click Next.
The wizard advances to the Assign Roles step.
10. Select one or more roles to assign to the selected users and click Finish.

Result
The Rubrik cluster updates the Users and Groups tab with the user names and their role assignment.

Assigning roles to SSO groups


Add SSO groups and assign roles to those groups.

Context
This task assigns roles to SSO groups managed by an identity provider (IdP).

Procedure
1. Log in to the Rubrik CDM web UI as a user with the Administrator role.
2. From the gear settings menu, select Users.
The user management page appears with the Users and Groups tab selected.
3. Click Assign Roles.
4. Click the Directory menu and select the newly added identity provider name.
5. Click the User/Group menu and select Group.
6. In Groupname, type the group name and click Continue.
The Assign Roles dialog box appears.
7. Select a set of roles and click Finish.
A message confirms that authorization was updated for the selected group.

Result
The Rubrik cluster adds the new group and role to the Users and Groups tab.

Okta integration workflow


The Okta integration workflow gives a high-level view of the tasks involved in configuring single sign-on
with Okta.
To successfully configure single sign-on with Okta, complete the following tasks in the order shown. Each
task involves multiple steps, and all steps in a task must be completed before moving to the next task.
Note that some tasks are performed in the Okta UI, and some are performed in the Rubrik CDM web UI.
1. (Rubrik CDM web UI) Download the Rubrik metadata file.
2. (Text editor) Prepare the encryption certificate for uploading to Okta.
3. (Okta UI) Create a new application integration.
4. (Okta UI) Download the Okta metadata file.
5. (Rubrik CDM web UI) Upload the Okta metadata file.
6. (Okta UI) Grant Okta users and groups access to Rubrik CDM.
7. (Rubrik CDM web UI) Test the SSO connection.
8. (Rubrik CDM web UI) Grant authorization to SSO users and groups.

Service Provider host address


The Service Provider host address is the location where the identity provider sends SAML responses.
Rubrik CDM requires a host address when generating the Rubrik metadata file. The metadata file uses the
host address as the URL for the Assertion Consumer Service endpoint.
The choice of host address depends on whether floating IP addresses are configured. When floating
IP addresses are configured, Rubrik CDM chooses a default host address from the available floating IP
addresses. Alternatively, a specific floating IP address can be chosen from the list of configured floating IP
addresses.
If floating IP addresses are not configured, the only choice is to supply a static address: IPv4, IPv6, or
DNS.

Downloading the Rubrik metadata file


Download the Rubrik metadata file containing information that Okta requires to set up the SAML 2.0
connection.

Procedure
1. Log in to the Rubrik CDM web UI as a user with the Administrator role, or any role that has permission
to view and manage security settings.
2. Click the gear icon and select Users.
The Users and Groups page appears.
3. Select the Identity Providers tab.
4. Click Add Identity Provider.
The Add Identity Provider dialog box appears.
5. In the Configure Single Sign-on section, in Identity Provider Name, type a name.
The identity provider name is the name that will appear in the Directory column of the Users and
Groups page.
6. In Configure Identity Provider Service, enter the Service Provider host address.
The Service Provider host address can be a floating IP address or a static address, as explained in
Service Provider host address.
The Download Rubrik Metadata link becomes active.
7. Click Download Rubrik Metadata.

Result
The Rubrik cluster generates the metadata file and the web browser downloads it to the default download
location.

Next task
Prepare the encryption certificate for uploading to Okta, as described in Preparing the encryption certificate
for uploading to Okta.

Preparing the encryption certificate for uploading to Okta
Extract the X.509 certificate from the Rubrik metadata file and transfer it to Okta.

Context
Edit the certificate and store it in a file to prepare the encryption certificate for uploading to the identity
provider.

Procedure
1. From the Downloads folder, open the Rubrik-Metadata.xml file.
2. Find the X.509 certificate used for encryption.
The path is: /EntityDescriptor/SPSSODescriptor/KeyDescriptor use="encryption"/KeyInfo/X509Data/@X509Certificate
3. Copy the encryption certificate from the metadata file, without formatting, and paste it into a plain
text editor.
4. Add the statement -----BEGIN CERTIFICATE----- at the beginning of the file and the statement
-----END CERTIFICATE----- at the end of the file.
5. Save the file and assign a file name, such as enc_cert.pem.

Result
The encryption certificate is ready to upload to Okta.
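
The following Python script is an added example, not part of the Rubrik documentation. It performs steps 2 through 4 on a metadata file and also reads the entityID and Assertion Consumer Service Location that the Okta SAML settings ask for. It assumes the standard SAML 2.0 metadata namespaces; the sample metadata and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML Signature namespaces (assumed to be the
# ones used in Rubrik-Metadata.xml).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample input. The two "certificates" are placeholder bytes that
# only stand in for real base64-encoded X.509 data.
SIGN_B64 = base64.b64encode(b"constructed-signing-cert-" * 8).decode()
ENC_B64 = base64.b64encode(b"constructed-encryption-cert-" * 8).decode()
SAMPLE_METADATA = f"""\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="rubrik-sso-sp-1e97b00d-9ca5-4b27-b56a-db01a619a8b7">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SIGN_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {ENC_B64[:76]}
        {ENC_B64[76:]}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://10.0.132.173/api/v1/saml/assertion_consumer"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_sp_settings(metadata_xml):
    """Return the values the Okta SAML settings need, read from SP metadata."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor element")

    # Take only the certificate marked use="encryption"; the signing
    # certificate in the same file must not be uploaded in its place.
    certs = [
        kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        for kd in sp.findall("md:KeyDescriptor", NS)
        if kd.get("use") == "encryption"
    ]
    if len(certs) != 1 or not certs[0]:
        raise ValueError(f"expected one encryption certificate, found {len(certs)}")

    # "Without formatting": drop the line breaks and indentation that came
    # from the XML, then confirm that what is left is clean base64.
    b64 = "".join(certs[0].split())
    if not b64:
        raise ValueError("encryption certificate element is empty")
    der = base64.b64decode(b64, validate=True)  # raises ValueError on stray text

    # Conventional PEM layout: 64-character lines between the two statements.
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

    acs = sp.find("md:AssertionConsumerService", NS)
    if acs is None or not acs.get("Location"):
        raise ValueError("metadata has no AssertionConsumerService Location")

    return {
        "entity_id": root.get("entityID"),        # Audience URI (SP Entity ID)
        "acs_url": acs.get("Location"),           # Single sign on URL
        "encryption_cert_pem": pem,               # contents for enc_cert.pem
        "sha256": hashlib.sha256(der).hexdigest(),  # digest of the decoded bytes
    }


if __name__ == "__main__":
    settings = extract_sp_settings(SAMPLE_METADATA)
    print("Single sign on URL:", settings["acs_url"])
    print("Audience URI      :", settings["entity_id"])
    print("Certificate SHA-256:", settings["sha256"])
    print(settings["encryption_cert_pem"], end="")
```

To use it on a real file, pass the contents of Rubrik-Metadata.xml to extract_sp_settings and write the encryption_cert_pem value to enc_cert.pem.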

Next task
In the Okta Admin portal, add Rubrik as an application integration, as described in Adding Rubrik as an
application integration.

Adding Rubrik as an application integration


To establish a trust relationship between Rubrik and Okta, add Rubrik as an application integration in the
Okta Admin portal.

Prerequisites
Create a file for the encryption certificate, as described in Preparing the encryption certificate for uploading
to Okta.

Procedure
1. Log in to the Okta web UI as a user with Administrator privileges.
2. Click Admin to go to the administrator portal.
3. On the top menu, next to the gear icon, click Classic UI.
4. Click Applications and select Applications from the menu.
5. Click Add Application.
The Add Application menu appears.
6. Click Create New App.
The Create a New Application Integration page appears.
7. From the Platform menu, select Web.
8. From the Sign-on method menu, select SAML 2.0.
9. Click Create.
The Create SAML Integration page appears.
10. In the General Settings section, enter a name in App name.
11. Click Next.
The SAML Settings pane opens.
12. In Single sign on URL, type the value for Location from the Rubrik metadata file, as shown in
Rubrik metadata file.
Example for URLs: https://10.0.132.173/api/v1/saml/assertion_consumer
13. Select Use this for recipient URL and destination URL.
14. In the Audience URI (SP Entity ID) field, enter the entityID from the Rubrik metadata file, as
shown in Rubrik metadata file.
Example SP Entity ID: rubrik-sso-sp-1e97b00d-9ca5-4b27-b56a-db01a619a8b7
15. In Name ID format, select Unspecified.
16. In Application username, select Okta username.
17. Click Show Advanced Settings.
Additional settings appear.
18. In Response, select Signed.
19. In Assertion Encryption, select Encrypted.
Additional fields appear.
20. In Encryption Certificate, click Browse files... and select the encryption certificate file created
previously.
21. In Honor Force Authentication, select Yes.
22. Under ATTRIBUTE STATEMENTS (OPTIONAL), in Name, type the email address claim rule.
The email address claim rule is

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

23. In Value, select user.email.


24. Under GROUP ATTRIBUTE STATEMENTS (OPTIONAL), in Name, type the group claim rule.
The group claim rule is

http://schemas.xmlsoap.org/claims/Group

25. In Filter, select Matches regex and type a regular expression to use for the filter.
Regular expression   Description
.*                   This filter allows all groups to be included in the outgoing claims.
^rubrik              This filter only allows groups whose names start with rubrik to be
                     included in the outgoing claims. The regular expression can be changed
                     to fit other naming conventions.
26. Click Next.
The Feedback page appears.
27. Answer the question Are you a customer or a partner?
28. Click I'm an Okta customer adding an internal app.
29. Click Finish.

Result
Okta adds Rubrik as an application integration in the Okta Admin portal.

Next task
Download the Okta metadata file, as described in Downloading the Okta metadata file.

Downloading the Okta metadata file
Download the Okta identity provider metadata file, which provides Rubrik with the information necessary
for sending and receiving SAML assertions.

Procedure
1. Log in to the Okta web UI as a user with Administrator privileges.
2. Click Admin to go to the administrator portal.
3. On the top menu, next to the gear icon, click Classic UI.
4. Click Applications and select Applications from the menu.
5. Select the Rubrik CDM application.
The application page for the Rubrik CDM application appears.
6. Click the Sign On tab.
In the SAML 2.0 section of the Settings page, a message indicates that “Identity Provider metadata is
available if this application supports dynamic configuration.”
7. Click Identity Provider metadata to download the Okta metadata file.

Result
The browser downloads the metadata file to the default downloads location.

Next task
Upload the Okta metadata file to add Okta as an identity provider, as described in Adding Okta as an
identity provider.

Adding Okta as an identity provider


Upload the Okta metadata file so Rubrik CDM can add Okta as an identity provider.

Prerequisites
• Generate the Rubrik metadata file, as described in Downloading the Rubrik metadata file.
• In the Okta Admin portal, add Rubrik as a SAML 2.0 application integration, as described in Adding
Rubrik as an application integration.

Context
These steps are performed in the Rubrik CDM web UI after downloading the Rubrik metadata file. The
Rubrik CDM web UI tab should still be open, with the Add Identity Provider dialog box displayed.

Procedure
1. In the Add Identity Provider dialog box of the Rubrik CDM web UI, click the download icon to the
right of the Identity Provider Metadata field.
2. Select the Okta metadata file from the Downloads folder and click Open.
3. Click Add.

Result
The Identity Providers page displays the following information, extracted from the Okta metadata file:
• Entity ID
• Sign in URL
• Expiration of the signing certificate

Next task
Grant Okta users access to Rubrik CDM, as described in Granting Okta users access to Rubrik CDM.

Granting Okta users access to Rubrik CDM


From the Okta Admin portal, assign the users that can access the Rubrik CDM application.

Prerequisites
Create an application integration, as described in Adding Rubrik as an application integration.

Procedure
1. Log in to the Okta web UI as a user with Administrator privileges.
2. Click Admin to go to the administrator portal.
3. On the top menu, next to the gear icon, click Classic UI.
4. Click the Applications menu and select Applications.
5. Select the Rubrik CDM application.
The application page for the Rubrik CDM application appears.
6. Select the Assignments tab.
7. Open the Assign menu and select Assign to People.
The Assign application_name to People dialog box appears. The dialog box lists the names of
people who can be assigned to access the application.
8. Add a user by clicking Assign next to the name of the user.
A confirmation dialog box appears with the name of the user displayed.
9. Click Save and Go Back.
The Assigned status appears next to the name of the user.
10. Repeat steps 8 and 9 until all Rubrik CDM application users have been assigned, then click Done.

Result
The Assignments page confirms that the specified users have access to Rubrik CDM.

Next task
Grant Okta groups access to Rubrik CDM, as described in Granting Okta groups access to Rubrik CDM.

Granting Okta groups access to Rubrik CDM


From the Okta Admin Console, assign the groups that can access the Rubrik CDM application.

Prerequisites
Create an application integration, as described in Adding Rubrik as an application integration.

Procedure
1. Log in to the Okta web UI as a user with Administrator privileges.
2. Click Admin to go to the administrator portal.
3. On the top menu, next to the gear icon, click Classic UI.
4. Click the Applications menu and select Applications.
5. Select the Rubrik CDM application.
The application page for the Rubrik CDM application appears.
6. Select the Assignments tab.
7. Open the Assign menu and select Assign to Groups.
The Assign application_name to Groups dialog box appears. The dialog box displays the names of
groups that can be assigned access to the application.
8. Add a group by clicking Assign next to the group name.
The Assigned status appears next to the group name.
9. When all groups have been assigned, click Done.

Result
The Assignments page appears with the Group filter selected. The page displays all groups that have
access, along with an edit icon and a delete icon next to each group name.

Next task
Test the SSO connection, as described in Testing the SSO connection.

Testing the SSO connection


Test the connection to verify that users can access the Rubrik cluster using single sign-on.

Procedure
1. Log in to the Rubrik CDM web UI as a user with the Administrator role.
2. On the top bar of the Rubrik CDM web UI, click the gear icon and select Users.
The Users and Groups page appears.
3. Select Identity Providers.
The identity providers page appears.
4. Open the ellipsis menu for the newly added identity provider and select Test.
The Rubrik cluster redirects to the Sign-in screen for the Identity Provider.
5. Type the user name and password for the registered account on the identity provider's system and
click Sign In.
6. Proceed to the Rubrik cluster’s host address.
The Rubrik CDM web UI appears with a message that the SSO test was successful.

Result
The test establishes that users can sign in to the Rubrik cluster using single sign-on.

Next task
Authorize SSO users, as described in Assigning roles to SSO users. Authorize SSO groups, as described in
Assigning roles to SSO groups.

Assigning roles to SSO users


Assign a role to an SSO user account to specify the permissions for the account.

Procedure
1. Log in to the Rubrik CDM web UI as a user with the Administrator role.
2. Click the gear icon and select Users.
The user management page appears with the Users and Groups tab selected.
3. Click Assign Roles.
The Assign Roles wizard opens at the Select Users/Groups step.
4. From the Directory menu, choose the Identity Provider.
5. From the User/Group menu, select User.
6. In Username, type the username exactly as it appears in the identity provider's user list.
The username is case sensitive.
A link appears below the search field.
7. Click Select User.
The user name appears in the Selected column.
8. Optional: Repeat the two previous steps to add more users.
Only add users who should have the same roles.
9. Click Next.
The wizard advances to the Assign Roles step.
10. Select one or more roles to assign to the selected users and click Finish.

Result
The Rubrik cluster updates the Users and Groups tab with the user names and their role assignment.

Assigning roles to SSO groups


Add SSO groups and assign roles to those groups.

Context
This task assigns roles to SSO groups managed by an identity provider (IdP).

Procedure
1. Log in to the Rubrik CDM web UI as a user with the Administrator role.
2. From the gear settings menu, select Users.
The user management page appears with the Users and Groups tab selected.
3. Click Assign Roles.
4. Click the Directory menu and select the newly added identity provider name.
5. Click the User/Group menu and select Group.
6. In Groupname, type the group name and click Continue.
The Assign Roles dialog box appears.
7. Select a set of roles and click Finish.
A message confirms that authorization was updated for the selected group.

Result
The Rubrik cluster adds the new group and role to the Users and Groups tab.

Multifactor authentication
Multifactor authentication (MFA) adds one or more factors to the basic authentication process, which
prevents unauthorized users from accessing the Rubrik cluster.

Note: When multifactor authentication is required for a user, the Rubrik user’s username must match the
username stored in the MFA server.

If a user account is associated with an MFA server, that user will see an additional login screen after
signing in with username and password. Another authentication factor will be required, such as a
passcode, a PIN, or biometric data. The type of authentication factor, and the number of factors required
to authenticate to the Rubrik cluster, are determined by the configuration of the MFA server.

If a user is enabled for multifactor authentication, and that user accesses Rubrik REST APIs from a script,
an API token must be generated from the Rubrik CDM web UI and inserted in the script. See API tokens
for instructions.

Multifactor authentication with RSA SecurID


The Rubrik cluster can integrate with two types of RSA SecurID integration servers by using REST API
calls: RSA Authentication Manager (on-premises) and RSA Authentication Server (cloud).
When the RSA Authentication Manager is enabled, it generates an Access Key and an Access ID. The
Rubrik cluster acts as an Authentication Agent, and requires the Access Key in order to securely pass
authentication requests to and from the RSA Authentication Manager. If the Hash-based Message
Authentication Code (HMAC) mode is used, the Rubrik cluster also requires the Access ID.

Note: The Access Key is confidential. Copy this value to a secure location, and use it to configure the RSA
SecurID server from the Rubrik CDM web UI.

Configuring an RSA Authentication Manager connection


Set up an RSA Authentication Manager connection to provide an additional authentication requirement
when users log in to a Rubrik cluster.

Prerequisites
If the RSA SecurID server requires a Transport Layer Security (TLS) certificate, import the TLS certificate
using the procedure detailed in Importing a TLS certificate.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Users.
The Users and Groups page appears.
4. Click RSA SecurID.
The list of RSA SecurID servers appears.
5. Click Add RSA SecurID.
The Add RSA SecurID dialog box appears.
6. In Name, type a name to identify the RSA Authentication Manager.
7. In Base URL, type the RSA Authentication Manager server’s REST API base URL.
8. In RSA SecurID API Key, type the API Access Key that was generated when RSA SecurID was
enabled.
9. In Client ID, type the host name or IP address of the Rubrik cluster, which acts as the Authentication
Agent.
10. Optional: Type the name of the assurance policy in Assurance Policy Name.
11. (If using HMAC mode) In REST API Access ID, enter the RSA Authentication Manager server’s
access ID that was generated when RSA SecurID was enabled.
12. (If the RSA SecurID server requires a TLS certificate) Select a TLS certificate.
13. Click Add.

Result
After the RSA server is configured, add a test account to verify connectivity to the RSA server. Once
connectivity is verified, enable the RSA server for production users.

Configuring an RSA Cloud Authentication Service connection
Set up an RSA Cloud Authentication service connection to provide an additional authentication requirement
when users log in to a Rubrik cluster.

Prerequisites
If the RSA SecurID server requires a Transport Layer Security (TLS) certificate, import the TLS certificate
using the procedure detailed in Importing a TLS certificate.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Users.
The Users and Groups page appears.
4. Click RSA SecurID.
The list of RSA SecurID servers appears.
5. Click Add RSA SecurID.
The Add RSA SecurID dialog box appears.
6. In Name, enter a name to identify the RSA Cloud Authentication Service settings.
7. In Base URL, enter the RSA Cloud Authentication Service’s REST API base URL.
8. In RSA SecurID API Key, type the API Access Key that was generated when RSA SecurID was
enabled.
9. In Client ID, enter the host name or IP address of the Rubrik cluster, which acts as the
Authentication Agent.
10. In Assurance Policy Name, type the name of the assurance policy.
11. (If the RSA SecurID server requires a TLS certificate) Select a TLS certificate.
12. Click Add.

Result
After the RSA server is configured, add a test account to verify connectivity to the RSA server. Once
connectivity is verified, enable the RSA server for production users.

CLI access and SSH password support


Rubrik cluster users with administrator privileges gain access to the command-line interface by connecting
to a node using the Secure Shell protocol.
Users with the required privileges can connect to a node in the Rubrik cluster using the Secure Shell (SSH)
protocol with or without a password. Password authentication for SSH sessions is enabled by default. A
login that does not require a password uses a public/private key pair exchange between the system that
initiates the terminal session and the Rubrik cluster. Authentication that uses a public/private key pair can
require an optional passphrase that is set at the time the key pair is generated. The passphrase is distinct
from the account password.
The Rubrik cluster administrator can enable or disable password authentication for SSH sessions from the
Rubrik cluster web UI. The Rubrik cluster administrator can also establish and change the SSH key that the
Rubrik cluster uses to authenticate SSH login attempts that do not use passwords. Changes to the
authentication methods for the command-line interface (CLI) can take up to a minute to propagate to all
nodes in the Rubrik cluster.

When SSH logins without passwords are in use, an individual user generates public/private key pairs
specific to the user account. The key pair authenticates SSH connections to nodes in the Rubrik cluster.
The Rubrik cluster administrator uploads the public component of the key pair to the Rubrik cluster.
Related tasks
Disabling SSH password authentication
Disable password authentication for Secure Shell sessions in order to authenticate with public/private key
pairs.
Configuring authentication to the Rubrik CLI by SSH key pair
Assign a Secure Shell key to a user account to enable authentication without transmitting the account
password.

Disabling SSH password authentication


Disable password authentication for Secure Shell sessions in order to authenticate with public/private key
pairs.

Context
Password support for connecting to a Rubrik cluster node using the Secure Shell (SSH) protocol is enabled
by default.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Users.
The Users page appears.
4. Select the Users and Groups tab.
5. Click the ellipsis menu in the top bar and select SSH Authentication Options from the list.
By default, Secure Shell (SSH) password authentication is enabled.
The SSH Authentication Options dialog box appears.
6. Turn off the SSH Password Authentication toggle and click Save.

Result
SSH sessions to nodes in this Rubrik cluster can no longer authenticate using passwords.
Related tasks
Configuring authentication to the Rubrik CLI by SSH key pair
Assign a Secure Shell key to a user account to enable authentication without transmitting the account
password.

Configuring authentication to the Rubrik CLI by SSH key pair


Assign a Secure Shell key to a user account to enable authentication without transmitting the account
password.

Prerequisites
Obtain the public Secure Shell (SSH) protocol key for the user account. The key must be in the OpenSSH
format. Copy the SSH key to the clipboard.

Context
This task assigns an SSH key to a user account. Multiple methods and utilities exist for generating SSH
keys. Use any method that results in a valid SSH key that uses the OpenSSH format. Authenticating with
an SSH key pair does not require transmitting the password to the user account, but key pairs generated
with a passphrase still require the passphrase to authenticate a login attempt.

Procedure
1. Log in to the Rubrik CDM web UI as the Rubrik cluster administrator.
2. From the silhouette drop-down, select SSH Configuration.
The SSH configuration dialog box appears.
3. In the SSH keys field, paste the SSH key.
4. Click Update.

Result
The Rubrik cluster uses the SSH key to authenticate SSH connection attempts.
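
Before a key is pasted into the SSH keys field, its format can be checked offline. The following Python script is an added example, not Rubrik code: it confirms that a line is an OpenSSH-format public key (not a private key or a PEM block) and that the encoded blob matches the declared key type, then reports the key size and SHA256 fingerprint. The sample key is constructed from placeholder bytes.

```python
import base64
import hashlib
import struct


def ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def read_string(blob, offset):
    """Read one length-prefixed field and return (field, next_offset)."""
    end = offset + 4
    if end > len(blob):
        raise ValueError("key blob is truncated")
    (length,) = struct.unpack(">I", blob[offset:end])
    if end + length > len(blob):
        raise ValueError("key blob is truncated")
    return blob[end:end + length], end + length


# Constructed sample: an ssh-ed25519 line built from placeholder key bytes.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_PUBLIC_KEY = (
    "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
    + " backup-admin@constructed.example"
)

ECDSA_BITS = {"nistp256": 256, "nistp384": 384, "nistp521": 521}


def parse_openssh_public_key(line):
    """Validate one '<type> <base64-blob> [comment]' line and describe it."""
    text = line.strip()
    if "PRIVATE KEY" in text:
        raise ValueError("private key material; upload only the public key")
    if text.startswith("-"):
        raise ValueError("PEM or RFC 4716 block, not the OpenSSH one-line format")
    if "\n" in text:
        raise ValueError("expected a single key on a single line")
    parts = text.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)  # ValueError on bad base64

    # The blob repeats the key type; a mismatch means an edited or mangled line.
    embedded, offset = read_string(blob, 0)
    if embedded != key_type.encode():
        raise ValueError("declared key type does not match the encoded blob")

    if key_type == "ssh-ed25519":
        key, offset = read_string(blob, offset)
        if len(key) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        bits = 256
    elif key_type == "ssh-rsa":
        _exponent, offset = read_string(blob, offset)
        modulus, offset = read_string(blob, offset)
        bits = int.from_bytes(modulus, "big").bit_length()
    elif key_type.startswith("ecdsa-sha2-"):
        curve, offset = read_string(blob, offset)
        _point, offset = read_string(blob, offset)
        bits = ECDSA_BITS.get(curve.decode("ascii", "replace"))
    else:
        raise ValueError(f"unsupported key type {key_type!r}")
    if offset != len(blob):
        raise ValueError("unexpected trailing data in key blob")

    # Same form that OpenSSH prints: unpadded base64 of SHA-256 over the blob.
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "type": key_type,
        "bits": bits,
        "comment": parts[2] if len(parts) == 3 else "",
        "fingerprint": "SHA256:" + digest,
    }


if __name__ == "__main__":
    print(parse_openssh_public_key(SAMPLE_PUBLIC_KEY))
```

The fingerprint can be compared with the one the key owner reads from their own copy of the key, so the administrator knows the uploaded key is the intended one.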

API tokens
API tokens can be used in scripts to provide secure authentication, rather than hard-coding credentials
directly in the script and exposing them as clear text.
Tokens are generated directly from the Rubrik CDM web UI. When a token is generated, the user can
specify how long the token is valid, and supply a tag that can be used to identify its purpose. For example,
if a different token is generated for each script a user plans to run, the tag can indicate the name of the
script associated with that token.
If a token is accidentally exposed, the user who generated it can delete it from the Rubrik CDM web UI,
then generate a new token.

Note: Users cannot delete tokens generated by other users.

API tokens have the same privileges as the user who generates them. For example, if a user with the
Administrator role generates an API token, that token has Administrator privileges.
API tokens may not be used for the following purposes:
• Updating or deleting any MFA servers
• Creating new sessions or generating additional API tokens
• Creating new user accounts or updating user account information
• Updating user preferences
• Creating, updating, or deleting LDAP services

Generating an API token


Generate an API token for use in REST API scripts that run on the Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Open the User account menu and select API Token Manager.
The API Token Manager dialog box appears.
3. Click the plus icon at the top right of the dialog box.
The Generate API Token dialog box appears.
4. In Duration, type the number of days the token will be valid.
The default duration is 30 days.
5. In Tag, enter a name to distinguish this token from other tokens.
If no tag name is entered, the tag name will appear as API Token in the list of tokens.
6. Click Generate.
The Copy API Token dialog box appears.
7. Click Copy and store the API token for future use.

Result
The display shows a list of API token IDs along with the associated token tag names, expiration dates, and
last activity.

Deleting an expired API token


API tokens can be deleted when they expire and can be replaced with a new token.

Context
Delete an expired API token so that it cannot be used in REST API calls to the Rubrik cluster.

Note: Use caution when deleting an API token. Once the token is deleted, all REST API calls that use that
token will fail.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Open the account menu in the upper right corner and select API Token Manager.
The API Token Manager dialog box appears.
3. Open the ellipsis menu next to the API token to be deleted and select Delete.
The Delete API Token dialog box appears with a warning message about the consequences of deleting
the token.
4. Click Delete.

Result
The API token is removed from the list of API tokens.

Restricted API operations


By default, Rubrik CDM requires multi-factor authentication for certain API operations that can modify
cluster-wide configurations.
Rubrik REST API sessions can be authenticated by either Basic Authentication or Token Authentication. The
Basic Authentication method requires account credentials and can be used in a multi-factor authentication
(MFA) combination with a time-based one-time password (TOTP). Token Authentication requires a Rubrik
cluster-generated session token, also known as an API token, and cannot be used with TOTP.
API tokens have the same privileges as the user who generates them. For example, if a user with the
Administrator role generates an API token, that token has Administrator privileges. While the enforcement
of multi-factor authentication (MFA) adds an additional layer of security for user accounts, the use of MFA
is not practical for automated API-based interactions that rely on API token authentication.
By default, Rubrik CDM does not allow the following operations to run in a session that is authenticated by
a token:
• Managing NTP servers
• Managing SLA Domains

When the restricted API operations require automation, global administrator accounts can whitelist these
operations, which allows them to run in a session that is authenticated by an API token. However,
whitelisting these operations must be done with due consideration of the risk involved, because these API
operations affect cluster-wide configurations and can lead to data deletion and backup schedule modification.
Related concepts
API tokens
Multifactor authentication

Managing API token whitelist


Use the API token whitelist to enable or disable API token authentication for API operations.

Context

Note: An API operation on the whitelist can run in a session that is authenticated with only the
single authentication factor offered by an API session token. Consider the security risk involved before
whitelisting any API operation.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Open the account menu in the upper right corner and select API Token Manager.
The API Token Manager window opens.
3. Click Manage Token Whitelist.
The Manage API Token Whitelist dialog box opens.
4. Select the API operation to whitelist.
You can select multiple operations at once.
5. Click Submit.

Result
The Rubrik cluster permits the selected API operations to be called in a session authorized through an API
token.
Related concepts
Restricted API operations
By default, Rubrik CDM requires multi-factor authentication for certain API operations that can modify
cluster-wide configurations.

Service accounts
Service accounts allow users to access CDM APIs through scripts or other automation methods.
To access CDM APIs through scripts or other automation methods, a user can create a service account that
can be seen by all admins. When a user creates a service account, the ID and password for that account
are shown only once. To see them again, a user must rotate the password, which displays the credentials
once more (the same ID but a different password, because it was rotated). A service account can fetch an
API token through an API call, and the same automation script then uses that token.
A POST request to the /service_account/session endpoint generates an API token with a 24-hour
time to live (TTL). This token inherits the permissions of the service account that was used to create
the token. A service account can be assigned roles that specify a set of permissions of the API tokens
created by that service account. A tenant organization administrator can see all service accounts within the
organization and global administrators can see all service accounts on the Rubrik cluster.
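
A script can obtain and reuse the 24-hour token as shown here. This is an added Python example, not Rubrik code. The /api/v1 base path, the request fields serviceAccountId and secret, the token field in the reply, the Bearer header, and the RUBRIK_* environment variable names are assumptions that this guide does not state; check them against the Rubrik REST API documentation.

```python
import json
import os
import time
import urllib.request

TOKEN_TTL_SECONDS = 24 * 60 * 60  # TTL stated for /service_account/session
REFRESH_MARGIN_SECONDS = 300      # renew early so a long job does not expire mid-run


def http_post_json(url, body):
    """POST a JSON body and return the decoded JSON reply (TLS is verified)."""
    request = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(request, timeout=30) as reply:
        return json.load(reply)


class ServiceAccountSession:
    """Exchange a service account ID and secret for a short-lived API token."""

    def __init__(self, base_url, account_id, secret,
                 post=http_post_json, clock=time.time):
        if not account_id or not secret:
            raise ValueError("service account ID and secret are required")
        self._url = base_url.rstrip("/") + "/service_account/session"
        self._account_id = account_id
        self._secret = secret
        self._post = post
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    def __repr__(self):
        # Keep the secret and the token out of logs and tracebacks.
        return f"ServiceAccountSession(account_id={self._account_id!r})"

    def token(self):
        """Return the cached token, requesting a new one near the 24-hour TTL."""
        deadline = self._expires_at - REFRESH_MARGIN_SECONDS
        if self._token is None or self._clock() >= deadline:
            # Assumed request and reply field names (not stated in this guide).
            reply = self._post(
                self._url,
                {"serviceAccountId": self._account_id, "secret": self._secret},
            )
            self._token = reply["token"]
            self._expires_at = self._clock() + TOKEN_TTL_SECONDS
        return self._token

    def invalidate(self):
        """Drop the cached token, for example after a call is rejected because
        the secret was rotated with existing sessions expired."""
        self._token = None

    def auth_header(self):
        # Assumed header form for token authentication.
        return {"Authorization": "Bearer " + self.token()}


def session_from_environment(environ=os.environ, **kwargs):
    """Build a session from environment variables (hypothetical names) so the
    ID and secret are never hard-coded in the script."""
    return ServiceAccountSession(
        environ["RUBRIK_BASE_URL"],   # e.g. https://<cluster>/api/v1 (assumed path)
        environ["RUBRIK_SA_ID"],
        environ["RUBRIK_SA_SECRET"],
        **kwargs,
    )
```

After a secret rotation, update the stored secret and create a new session object; a token cached by the old object stops working when existing sessions are expired.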

Adding a service account
Add a service account to generate client credentials.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Users.
The Users page appears.
4. Click Service Accounts > Add Service Account.
The Add Service Account dialog box appears.
5. In Service Account Name, type the name of the service account.
6. In Roles, select either AdministratorRole or ReadOnlyAdminRole.
7. Click Add.
The Service Account ID and Secret dialog box appears.
8. Click Copy Secret.
Store the service account ID and secret in a secure location.
The secret is copied to clipboard.

Result
The Rubrik cluster adds a service account and generates credentials.

Editing a service account


Edit a service account to change the name of the service account and the user roles in that service
account.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Users.
The Users page appears.
4. Click Service Accounts.
The list of service accounts appears.
5. Open the ellipsis menu of the service account and click Edit.
The Edit Service Account dialog box appears.
6. Edit the name of the service account or roles.
7. Click Update.

Result
The Rubrik cluster updates the service account with the new information.

Deleting a service account


Delete a service account.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Users.
The Users page appears.
4. Click Service Accounts.
The list of service accounts appears.
5. Open the ellipsis menu of the service account and click Delete.
The Delete Service Account confirmation dialog box appears.
6. Click Delete.
A confirmation message appears to indicate the selected service account has been deleted.

Result
The Rubrik cluster deletes the selected service account.

Rotating the client secret


Generate a new client secret for a service account periodically for security purposes.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Users.
The Users page appears.
4. Click Service Accounts.
The list of service accounts appears.
5. From the ellipsis menu of a service account, click Rotate Secret.
The Rotate Secret dialog box appears.
6. Select Expire all existing sessions immediately to invalidate the existing secret.
7. Click Confirm.
The new client secret appears.
The Service Account ID and Secret dialog box appears.
8. Click Copy Secret.
Store the new secret in a secure location.
The secret is copied to clipboard.

Result
The Rubrik cluster generates a new secret for the service account.

Chapter 4
Encryption

Encryption

Encryption restricts the ability of unauthorized parties to read the encrypted data.
Encryption can be used to protect:
• Data at rest - Data that is stored in a persistent device such as a storage drive.
• Data in flight - Data that is being transmitted between devices.
In a secure Rubrik cluster, data that is transmitted between nodes of the cluster is encrypted using the
Transport Layer Security (TLS) protocol. TLS prevents unauthorized access of the transmitted data even if
the transmission is intercepted.
Secure Rubrik clusters encrypt data at rest using the Advanced Encryption Standard (AES) symmetric-key
algorithm with a 256-bit key length (AES-256).
Encryption keys can be managed internally using the Trusted Platform Module (TPM) and can be
archived as required by operational policy. Encryption keys can also be managed remotely using the Key
Management Interoperability Protocol (KMIP) and a KMIP-compliant key manager. With KMIP, archiving the
encryption keys becomes the responsibility of the KMIP key manager.

Data in flight encryption


Data transmission between nodes in a secure Rubrik cluster is encrypted using the Transport Layer
Security (TLS) 1.2 protocol. This restricts unauthorized parties from accessing the transmitted data.
To ensure secure data transmission to public or private cloud environments, a Rubrik cluster encrypts all
data before transmission. The Rubrik cluster uses client-side encryption libraries that are supported by the
public cloud providers and uses envelope encryption. Envelope encryption protects transmitted encryption
keys by encrypting them using another encryption key.

Data at rest encryption


Rubrik clusters secure data at rest with the Advanced Encryption Standard (AES) symmetric-key algorithm
using a 256-bit key length (AES-256). Data is encrypted before being written to disk and decrypted during
read operations.
Rubrik clusters encrypt data at rest using software encryption or hardware encryption, depending on the
specific model.
For software encryption, Rubrik secures data at rest using AES-256 encryption and supports data
tampering detection even when the system is powered off. When data at rest encryption is enabled,
both data and metadata are encrypted.
Rubrik clusters encrypt all file system data with a 256-bit Data Encryption Key (DEK), which is in turn
wrapped (encrypted) with a 256-bit Key Encryption Key (KEK). This permits secure deletion of the
encrypted data: erasing the KEK makes the data inaccessible.

Brik models in the r3xx and r6xxx series support data encryption at rest using the AES-256 encryption
algorithm implemented in software. This does not include the r528 and 6xxxF series appliances, which
are hardware encryption clusters with self-encrypting drives.
For hardware encryption, Rubrik offers an option for physical appliances with FIPS 140-2 Level 2 certified
hard disk and solid-state drives. The Rubrik r528 and 6xxxF series appliances use self-encrypting drives
(SEDs) where DEKs and their passwords are encrypted with a Key Encryption Key (KEK). Data encryption
at rest for these Briks is always enabled and uses the Advanced Encryption Standard (AES) symmetric-key
algorithm, using a 256-bit key length (AES-256) at the disk layer.
Rubrik recommends regular KEK rotation. Periodic key rotation can be accomplished using the Rubrik REST
API. This allows integration with external compliance and governance systems. Key rotation can also be
used to migrate keys from an internal key manager to an external key manager.
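
The DEK/KEK relationship and KEK rotation described above, as an added Python example that is not Rubrik code. It assumes the third-party `cryptography` package, uses RFC 3394 AES key wrap and AES-256-GCM as stand-ins for the unspecified wrapping and tamper-detection mechanisms, and all class and function names are hypothetical.

```python
"""Envelope encryption sketch: a DEK encrypts data, a KEK wraps the DEK.

Added illustration with hypothetical names; not Rubrik's implementation.
Requires the third-party `cryptography` package.
"""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.keywrap import (
    InvalidUnwrap,
    aes_key_unwrap,
    aes_key_wrap,
)

SAMPLE = b"constructed sample snapshot block"  # constructed test data


class EnvelopeStore:
    """Keeps ciphertext and the wrapped DEK; the plaintext DEK is never stored."""

    def __init__(self, kek: bytes) -> None:
        dek = AESGCM.generate_key(bit_length=256)   # 256-bit DEK
        self.wrapped_dek = aes_key_wrap(kek, dek)    # DEK wrapped under the KEK
        self.blocks = {}                             # block id -> (nonce, ciphertext)

    def _dek(self, kek: bytes) -> bytes:
        # Raises InvalidUnwrap when the supplied KEK is not the current one.
        return aes_key_unwrap(kek, self.wrapped_dek)

    def write(self, kek: bytes, block_id: str, plaintext: bytes) -> None:
        nonce = os.urandom(12)  # fresh nonce for every write
        # The block id is authenticated data, binding ciphertext to its slot.
        ct = AESGCM(self._dek(kek)).encrypt(nonce, plaintext, block_id.encode())
        self.blocks[block_id] = (nonce, ct)

    def read(self, kek: bytes, block_id: str) -> bytes:
        nonce, ct = self.blocks[block_id]
        return AESGCM(self._dek(kek)).decrypt(nonce, ct, block_id.encode())

    def rotate_kek(self, old_kek: bytes, new_kek: bytes) -> None:
        """Re-wrap the DEK under a new KEK; no data block is re-encrypted."""
        self.wrapped_dek = aes_key_wrap(new_kek, self._dek(old_kek))


def demo() -> dict:
    kek_v1, kek_v2 = os.urandom(32), os.urandom(32)  # 256-bit KEKs
    store = EnvelopeStore(kek_v1)
    store.write(kek_v1, "blk-0", SAMPLE)
    ciphertext_before = dict(store.blocks)

    store.rotate_kek(kek_v1, kek_v2)
    out = {
        "data_unchanged_by_rotation": store.blocks == ciphertext_before,
        "new_kek_reads": store.read(kek_v2, "blk-0") == SAMPLE,
    }

    # Without the current KEK the wrapped DEK cannot be recovered. This is
    # the property that makes erasing the KEK equivalent to erasing the data.
    try:
        store.read(kek_v1, "blk-0")
        out["unreadable_without_current_kek"] = False
    except InvalidUnwrap:
        out["unreadable_without_current_kek"] = True

    # Flip one ciphertext bit: authenticated decryption must refuse it.
    nonce, ct = store.blocks["blk-0"]
    store.blocks["blk-0"] = (nonce, ct[:-1] + bytes([ct[-1] ^ 0x01]))
    try:
        store.read(kek_v2, "blk-0")
        out["tamper_detected"] = False
    except InvalidTag:
        out["tamper_detected"] = True
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Rotation re-wraps only the DEK, so a retained copy of the old wrapped DEK together with the old KEK would still decrypt the data; destroy both when retiring a KEK.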
To enable effective key management, Rubrik offers the flexibility to manage the keys using an internal key
manager via the Trusted Platform Module (TPM) chip or an external key manager that is Key Management
Interoperability Protocol (KMIP) compliant.
All encrypted snapshot and backup data that is archived to the cloud includes a copy of the system
metadata. This metadata can be accessed by any Rubrik CDM instance that has the correct credentials and
encryption keys.
Enabling software data encryption at rest is performed during initial Rubrik cluster system setup or after
a Rubrik cluster reset. However, keep in mind that a Rubrik cluster reset will delete all data on the Rubrik
cluster.
The Rubrik CDM Install and Upgrade guide provides a complete description of system setup.
Related Concepts
Key management
The security of encrypted data on a Rubrik cluster depends on keeping the Data Encryption Keys (DEKs)
secure.
Related Tasks
Verifying the encryption status
Verify the encryption status of the Rubrik cluster.

Password encryption
Rubrik clusters do not store the passwords for local accounts in plain text.
The passwords for local user accounts on a Rubrik cluster are hashed with a salt using the SHA-512
algorithm. To authenticate a local login attempt, the Rubrik CDM cluster compares the resulting hash value
to the stored hash value.
The passwords for services external to the Rubrik cluster are encrypted using AES-256.

Mixed mode clusters


Mixed mode clusters are Rubrik clusters that have some nodes with hardware encryption and some nodes
without hardware encryption.
Rubrik clusters can support a mix of nodes that have hardware encryption with nodes that do not have
hardware encryption. This permits migrating data from one hardware platform to another.
However, Rubrik clusters that use software encryption to encrypt data at rest must enable encryption on all
nodes in the cluster.

Key management
The security of encrypted data on a Rubrik cluster depends on keeping the Data Encryption Keys (DEKs)
secure.
DEKs and the passwords to the self-encrypting drives (SED) on r5xx and r6xxxF series Briks are encrypted
using a Key Encryption Key (KEK).
As a best practice, regularly rotate the KEK. Rubrik supports two methods of securely storing and rotating
KEKs:
• Interacting with the TPM chip present in a Brik.
• Communicating with an external server running the Key Management Interoperability Protocol (KMIP).
Related Tasks
Rotating encryption keys
To provide enhanced encryption key security, rotate the KEK and SED passwords.

Adding a KMIP server


Before using a KMIP server to manage the KEK and SED passwords on a Rubrik CDM cluster, configure
Rubrik with the address and credentials of the KMIP server.

Prerequisites
To use a TLS certificate for client authentication, first import the certificate to the Rubrik cluster, as
described in Importing a TLS certificate.

Procedure
1. Log in to the Rubrik CDM web UI.
Use the admin account or an account with administrator privileges.
2. Click the gear icon on the top bar of the Rubrik CDM web UI.
The Settings menu appears.
3. Click Manage Encryption.
The Manage Encryption page appears with the Key Rotation Status tab selected.
4. Click the KMIP Settings tab.
A list of the KMIP servers available to the Rubrik cluster appears.
5. Click Configure Client Settings.
The Configure Client Settings dialog box appears.
6. In Client Authentication Mode, select an authentication method.
• Password Only
• Client Certificate Only
• Both
7. (Password Only or Both) In Username type a username and in Password type a password.
Type the username and password required by the key manager. If a username and password are not
required, leave these blank.
8. (Client Certificate Only or Both) In Select a TLS Certificate, select the TLS certificate or type the
name of the certificate.
The certificate must be imported to the Rubrik cluster before it can be selected, or added by typing
the name.
9. Click Update.
The Rubrik cluster stores the updated key manager information.
10. Click Add KMIP Server.
The Add KMIP Server dialog appears.
11. In Server Address type the IP address of the KMIP server.
12. In Port type the port number to use when contacting the KMIP server.
13. In Select a TLS Certificate, select the TLS certificate or type the name of the certificate.
The certificate must be imported to the Rubrik cluster before it can be selected, or added by typing
the name.
The selected certificate must include the chain of certificates up to the root CA.
14. Click Add.
The Rubrik cluster stores the updated KMIP server information.

Result
The Rubrik cluster is configured with the address and credentials of the KMIP server.

Rotating encryption keys


To provide enhanced encryption key security, rotate the KEK and SED passwords.

Prerequisites
To begin rotating keys by using an external KMIP server, first provide the Rubrik cluster with the KMIP
server information as described in Adding a KMIP server.

Context
Select a key manager for rotating the encryption keys, either the TPM chip or an external KMIP server, or
switch from one manager to the other.

Procedure
1. Log in to the Rubrik CDM web UI.
Use the admin account or an account with administrator privileges.
2. Click the gear icon on the top bar of the Rubrik CDM web UI.
The Settings menu appears.
3. Click Manage Encryption.
The Manage Encryption page appears with the Key Rotation Status tab selected.
4. Click Rotate Keys.
The One-Time Key Rotation dialog box appears.
5. Choose a key manager.

Important: Changing the key manager requires restarting all nodes in the cluster. Restarting the
nodes will stop any currently running jobs.

Option: External Key Manager (KMIP-compliant)
Description: Rotate the keys using an external KMIP server. Select this field when an external KMIP
server is being used to manage the keys. When the Rubrik cluster is using the on-board TPM chip for key
rotation, selecting this option will change the key manager to use an external KMIP server.

Option: Internal Key Manager (Rubrik TPM)
Description: Interact with the TPM chip to rotate the keys. Select this field when interacting with the
TPM chip is being used to manage the keys. When the Rubrik cluster is using an external KMIP server
for key management, selecting this option will change the key rotation manager to the TPM chip.
6. Optional: Select Allow Rubrik to decrypt the data in the event of a disaster recovery
scenario.
Selecting this option causes the Rubrik cluster to wrap the KEK with a Rubrik CDM public key. In case
of a key manager failure, Rubrik Support can then assist with recovery of the keys.
7. Click Continue.

Result
The Rubrik cluster rotates the KEKs and, where applicable, the SED passwords.

Integrating with Vormetric Data Security Manager


A Rubrik cluster can be integrated with a Vormetric Data Security Manager KMIP server.
Before you begin to integrate the Vormetric Data Security Manager (DSM) KMIP server, ensure that the
Rubrik cluster is comprised entirely of FIPS-compliant Briks or uses the "r"-series nodes with software
encryption enabled.
To check whether a Rubrik cluster has software encryption enabled, log in to the cluster, navigate to the
System page, and look for the lock icons on the disks on the System Summary page.
If KMIP is not already enabled on the Rubrik cluster, contact Rubrik Support.

Configuring Vormetric DSM


Configure the settings on the Vormetric DSM appliance.

Context
Follow the instructions in the Vormetric DSM Administration Guide. Generally, configuring the Vormetric
DSM for Rubrik CDM includes the following steps.

Procedure
1. Enable TLS 1.2 support.
2. Configure licenses on the DSM to enable KMIP.
3. Create a domain on the DSM with KMIP enabled.
4. Within the new domain, add a host for the Rubrik cluster using an FQDN with A or CNAME records
pointing to the Rubrik nodes. Make a note of the FQDN in a safe place.
5. For client certificate authentication, ensure that the Password attribute is Generate.
6. Retrieve the Server Certificate from the DSM using a web browser (Windows) or OpenSSL (Linux).

Obtaining a TLS Certificate for Vormetric DSM


Create a certificate signing request to obtain a TLS certificate to use with Vormetric DSM.

Procedure
1. Log in to the Rubrik CDM web UI.
Use the admin account or an account with administrator privileges.
2. Click the gear icon on the top bar of the Rubrik CDM web UI.
The Settings menu appears.
3. Click Certificate Management.
The Certificates page appears.
4. Click CSRs.
The CSRs tab appears.
5. Click Generate CSR.
The Generate Certificate Signing Request dialog box appears.
6. Complete the fields.
In Hostnames, enter the same case-sensitive FQDN entered in Configuring Vormetric DSM.
7. Click Generate.
8. Download the CSR.
9. Submit the CSR to an internal or public enterprise certificate authority (CA).
10. Retrieve the signed, 2048-bit or higher TLS certificate.

Next task
Add the TLS certificate to the Vormetric DSM server as described in Adding a TLS Certificate to Vormetric
DSM.

Adding a TLS Certificate to Vormetric DSM


Add to Vormetric DSM the signed TLS certificate that was created from a CSR generated on the Rubrik
cluster.

Procedure
1. In the Vormetric DSM UI, locate the Rubrik cluster host and click Import KMIP Key.
2. In Username, type the case-sensitive FQDN.
3. In Client Certificate, paste the signed TLS client certificate.
4. In Server, type the FQDN or IP address of the Vormetric DSM.
5. In Port, type 5696.
6. In Server Certificate, paste the Vormetric DSM server certificate.
7. Click Update.

Result
The Rubrik cluster adds the signed TLS certificate.
Related Tasks
Obtaining a TLS Certificate for Vormetric DSM
Create a certificate signing request to obtain a TLS certificate to use with Vormetric DSM.

Troubleshooting the Vormetric DSM installation


There are several troubleshooting steps that can be used when a Vormetric installation is not successful.
If the Vormetric installation does not complete successfully:
• Verify the network connectivity over TCP port 5696 between the DSM and the Rubrik cluster.
• Reboot the DSM.
• Ensure the fingerprint of the configured client certificate matches the one being configured on the
Rubrik cluster.

Verifying the encryption status
Verify the encryption status of the Rubrik cluster.

Procedure
1. Generate an API token.
Follow the directions in Generating an API token.
2. Retrieve the encryption status of the Rubrik cluster.
In a UNIX shell, use the following command.

curl -k -X GET --header "Authorization: Bearer api_token" \
    https://rubrik_host/api/v1/cluster/me/security/encryption

Where
• api_token is the token generated in step 1.
• rubrik_host is the IP address of the CDM cluster.

Result
On encrypted Rubrik clusters, the response of the API call is:

{"isEncrypted":true,"cipher":"AES","keyLength":256}

On unencrypted Rubrik clusters, the response of the API call is:

{"isEncrypted":false}
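
A scripted form of step 2 that keeps TLS certificate verification on (the curl command above passes -k, which skips it) and checks the response against the documented encrypted-cluster body. This is an added Python example, not part of the Rubrik guide; the function names, the ca_file parameter and the samples marked constructed are assumptions.

```python
"""Check a cluster's at-rest encryption status against the documented response.

Added illustration with hypothetical function names; not Rubrik tooling.
"""
import json
import ssl
import urllib.request

# The response the guide documents for an encrypted cluster.
EXPECTED = {"isEncrypted": True, "cipher": "AES", "keyLength": 256}


def fetch_status(host: str, token: str, ca_file: str) -> str:
    """GET the status over verified TLS.

    ca_file (assumption) is a PEM file holding the CA, or the cluster's own
    web certificate, that the client should trust. The certificate must be
    valid for the host name or IP address passed in `host`.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(
        f"https://{host}/api/v1/cluster/me/security/encryption",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8")


def assess(body: str) -> list:
    """Return findings; an empty list means the body matches EXPECTED."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return ["response is not valid JSON"]
    if not isinstance(doc, dict):
        return ["response is not a JSON object"]
    # `is not True` also rejects truthy non-booleans such as "true" or 1.
    if doc.get("isEncrypted") is not True:
        return [f"isEncrypted is {doc.get('isEncrypted')!r}, expected True"]
    findings = []
    for field in ("cipher", "keyLength"):
        want, got = EXPECTED[field], doc.get(field)
        if type(got) is not type(want) or got != want:
            findings.append(f"{field} is {got!r}, expected {want!r}")
    return findings


SAMPLES = {
    "documented, encrypted": '{"isEncrypted":true,"cipher":"AES","keyLength":256}',
    "documented, unencrypted": '{"isEncrypted":false}',
    "constructed, short key": '{"isEncrypted":true,"cipher":"AES","keyLength":128}',
    "constructed, string flag": '{"isEncrypted":"true"}',
    "constructed, not JSON": "<html>login</html>",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        findings = assess(body)
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```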

Chapter 5
Multitenant organizations

Multitenant organizations

The multitenancy extension of the Role Based Access Control (RBAC) scheme enables a central
organization to delegate administrative capabilities to multiple tenant organizations.
Each tenant organization in a multitenant RBAC cluster has a subset of administrative privileges defined by
the global organization. The subset of administrative privileges also specifies the cluster resources available
to the tenant organization. The administrators of the tenant organization can exercise these administrative
privileges independently of each other and of the cluster administrators.
Organizations can only be set up by users with the Rubrik Administrator role. However, no additional
external privileges, such as specific Active Directory or Windows Domain permissions, are required.
A Rubrik cluster can have one central organization and any number of tenant organizations. An
organization is a collection of the following elements:
• Protected objects
• Replication and archival targets
• SLA Domains
• Local users
• Active Directory users and groups
• Service credentials
• Reports
A central organization is administered by a user with the Administrator role. The Administrator role
has access to all cluster resources and grants privileges to other users, including tenant organization
administrators.
Related concepts
User accounts
Rubrik CDM provides role-based access control and several methods for authenticating a user account.

Tenant organizations
Tenant account permissions determine whether that account can add, modify, and delete SLA Domains.
Tenant organizations are managed through the following rules:
• SLA Domains created outside of a tenant organization and assigned to that organization cannot be
altered by the users or AD groups of the tenant organization.
• SLA Domains that are created by the users or AD groups in a tenant organization can be used outside
the tenant organization, but cannot be modified by users that are not members of the organization.
• An organization administrator can delete SLA Domains created by users or AD groups that belong to the
organization. An SLA Domain that is assigned to any object protected on the cluster cannot be deleted.
• A user with Administrator privileges over the Rubrik cluster can add users or AD groups to a tenant
organization.
• An organization administrator can view the list of AD domains of the users or groups in the tenant
organization and manage privileges for those users.
• An organization administrator can manage roles for existing cluster users that are assigned to the
organization by the cluster administrator, but cannot otherwise modify those users.
• A tenant administrator with the privileges to manage users can create new local users within the tenant
organization and manage them. Organization administrators can configure SAML authentication to their
organization but cannot add existing cluster users, AD users, or AD groups to tenant organizations.
• Users with the end user role in an organization receive notifications about system activity on objects
assigned to those users. Tenant administrators receive notifications about system activity that affects all
objects in the tenant organization.

Tenant organizations and reports


Tenant organizations have access to the default reports in the Rubrik CDM web UI. The report information
is restricted to the resources assigned to the tenant organization.
When the user of a tenant organization creates a new custom report, that custom report is only visible to
other users or Active Directory (AD) groups in the tenant organization.
Related concepts
Reports
The Rubrik CDM web UI provides a reports summary and a gallery of reports. The gallery includes default
reports and custom reports created from templates.

Multitenancy and Rubrik Envoy


Rubrik Envoy enables data movement between Rubrik clusters and a tenant network.
Rubrik Envoy is a data path proxy used with segmented and isolated networks. Rubrik Envoy is one or
more virtual appliances deployed into a tenant network. Rubrik Envoy provides secure connectivity and
simplified cluster access when using NAT or overlapping network addressing between the provider and
tenant networks.
Rubrik Envoy facilitates backup-as-a-service (BaaS) offerings in multitenant environments with segmented
or overlapping network topologies.
Rubrik Envoy provides data proxy support for tenant-hosted VMware vSphere, Windows, Linux and Unix
filesets, and Microsoft SQL Server workloads.
The following table describes the Rubrik Envoy features.

Feature: Proxy service
Description: Rubrik Envoy is a data-path proxy between the tenant network and the service provider
network. Using RBS, Rubrik Envoy supports VMware file recovery between the tenant network and the
managed service provider network. Rubrik Envoy supports filesets, Microsoft SQL Server, and VMware
image backups hosted in a tenant network.

Feature: Simple setup
Description: Rubrik Envoy requires no change to the firewall in most situations. Each virtual machine
requires only outbound network communication with the Rubrik cluster. Tenants can only see and access
objects that belong to their organization.

Feature: Scale out
Description: Multiple instances of Rubrik Envoy can work together to increase performance and provide
high availability.

Related concepts
Supported Rubrik Envoy Network Assignments
Rubrik Envoy supports both DHCP and static IP network assignments.
Create a new tenant organization
Create a new tenant organization by providing a name for the organization, adding users, and assigning
objects to be protected.
Related tasks
Deploying Rubrik Envoy
Deploy Rubrik Envoy on a vSphere virtual machine.
Configuring Rubrik Envoy
Configure the Rubrik Envoy virtual machine.
Registering Rubrik Envoy with a Rubrik cluster
Register the Rubrik Envoy virtual machine with the Rubrik cluster using the Rubrik CLI.
Comparing Rubrik Envoy web certificates
Check the validity of the certificate displayed by the Rubrik Envoy registration script.
Deregistering Rubrik Envoy from a Rubrik cluster
Remove the association between a Rubrik Envoy virtual machine and a Rubrik cluster.

Deploying Rubrik Envoy


Deploy Rubrik Envoy on a vSphere virtual machine.

Prerequisites
Rubrik Envoy requires a minimum of 2 vCPU, 2 GB of memory, and a 20 GB virtual disk. Deploying the
Rubrik Envoy NG OVA package for Rubrik CDM Version 7.0.1 requires vSphere 6.7 or later (with HTML5).

Procedure
1. Log in to the Rubrik Support Portal.
2. Under Docs and Downloads, click View Downloads.
The Documentation and Downloads page appears.
3. Select Rubrik CDM 7.0 (GA).
The Rubrik CDM 7.0 (GA) page appears.
4. On the software list, select 7.0.1-xxx (Envoy NG).
The EULA appears.
5. Accept the EULA.
6. Click OVA package for Rubrik Envoy.
The browser downloads the OVA package to the chosen location.
7. Log in to the vSphere Web Client of a vCenter Server.
Log in from the computer with the downloaded OVA package.
8. On the vSphere Web Client home page, click Hosts and Clusters.
The Data Center page appears.
9. Select the data center.
10. In the main area of the data center page, open the Actions menu and select Deploy OVF
Template.
The Deploy OVF Template wizard opens.
11. Follow the wizard instructions.
Be sure to deploy Rubrik Envoy on a network with access to the tenant hosts.
12. When the wizard completes, click Finish.
The new Rubrik Envoy virtual machine could take up to a few minutes to complete the deployment.
13. In the navigation pane, open the computer resource destination for the Rubrik Envoy virtual machine
and select the new Rubrik Envoy virtual machine.
The Rubrik Envoy virtual machine page opens.
14. Open the Actions menu and select Power on.
The vCenter Server powers on the Rubrik Envoy virtual machine.
15. Immediately below the virtual machine preview screen, click Launch Web Console.
The Launch Console dialog box appears.
16. Select Web Console and click OK.
The web console of the Rubrik Envoy virtual machine at the vSphere Web Client data center launches.

Result
The vCenter Server deploys a new Rubrik Envoy virtual machine.

Next task
Complete the steps in Configuring Rubrik Envoy to configure IP addresses.
Related concepts
Multitenancy and Rubrik Envoy
Rubrik Envoy enables data movement between Rubrik clusters and a tenant network.
Related tasks
Configuring Rubrik Envoy
Configure the Rubrik Envoy virtual machine.
Registering Rubrik Envoy with a Rubrik cluster
Register the Rubrik Envoy virtual machine with the Rubrik cluster using the Rubrik CLI.
Deregistering Rubrik Envoy from a Rubrik cluster
Remove the association between a Rubrik Envoy virtual machine and a Rubrik cluster.

Supported Rubrik Envoy Network Assignments


Rubrik Envoy supports both DHCP and static IP network assignments.
Rubrik Envoy supports both static IP network assignments and the default DHCP network assignment.
Note, however, that the DHCP IP address must be set using static IP mapping on the DHCP server.
The Rubrik Envoy virtual machine uses Netplan to manage static IP and name server configurations. The
default configuration is in /etc/netplan/00-installer-config.yaml.
Related tasks
Configuring Rubrik Envoy
Configure the Rubrik Envoy virtual machine.
Registering Rubrik Envoy with a Rubrik cluster
Register the Rubrik Envoy virtual machine with the Rubrik cluster using the Rubrik CLI.

Configuring Rubrik Envoy


Configure the Rubrik Envoy virtual machine.

Prerequisites
• Complete the procedures in Naming the organization and adding users or AD groups, Protecting objects
in an organization, Assigning protection resources to a tenant organization, and Deploying Rubrik
Envoy.
• Identify a DNS server that can resolve the names of the tenant network hosts.

Context
Complete this task when networking is not configured using VMware vSphere or vCloud Director
customization.
To configure, use the sample Netplan template shown.

Procedure
1. Open an SSH session to the Rubrik Envoy virtual machine.
2. Log in using the account name ubuntu and account password Envoy.
3. Change the default password using the passwd command.
4. Change the hostname of the Rubrik Envoy virtual machine.
The default hostname is "envoy-ng". Successfully registering Rubrik Envoy requires a hostname that is
unique among all Rubrik Envoy virtual machines in the multitenant organization. To change the name,
type:

sudo hostname unique_hostname

The hostname of the Rubrik Envoy virtual machine is unique.


5. Select the network assignment type.
Option: Default DHCP network assignment
Description: When using DHCP, ensure that the IP address used for Rubrik Envoy is set using static
mapping on the DHCP server.

Option: Static IP network assignment
Description: When configuring static IP, configure eth0 IP and DNS using a Netplan template.

Sample Netplan template for configuring static IP

network:
  ethernets:
    eth0:
      # Static address of the Rubrik Envoy virtual machine, in CIDR form
      addresses: [Envoy_VM_IP/Netmask_Length]
      gateway4: Gateway_IP
      dhcp4: false
      optional: true
      nameservers:
        search: [Search_domain_name]
        # DNS servers that can resolve the names of the tenant network hosts
        addresses: [DNS_IP1, DNS_IP2]
  version: 2

Additional sample templates are available at netplan.io.


Rubrik Envoy configures the IP addresses.
6. Apply the completed configuration using the sudo netplan apply command.

Result
You have configured the Rubrik Envoy virtual machine.

Next task
Registering Rubrik Envoy with a Rubrik cluster.
Related concepts
Multitenancy and Rubrik Envoy
Rubrik Envoy enables data movement between Rubrik clusters and a tenant network.
Supported Rubrik Envoy Network Assignments
Rubrik Envoy supports both DHCP and static IP network assignments.
Related tasks
Deploying Rubrik Envoy
Deploy Rubrik Envoy on a vSphere virtual machine.
Registering Rubrik Envoy with a Rubrik cluster
Register the Rubrik Envoy virtual machine with the Rubrik cluster using the Rubrik CLI.
Deregistering Rubrik Envoy from a Rubrik cluster
Remove the association between a Rubrik Envoy virtual machine and a Rubrik cluster.

Registering Rubrik Envoy with a Rubrik cluster


Register the Rubrik Envoy virtual machine with the Rubrik cluster using the Rubrik CLI.

Prerequisites
Complete the procedures in Naming the organization and adding users or AD groups, Protecting objects
in an organization, Assigning protection resources to a tenant organization, Deploying Rubrik Envoy, and
Configuring Rubrik Envoy.

Context
Setting NAT addresses to register Rubrik Envoy is necessary only if using the provider-side NAT.

Procedure
1. Open an SSH session on the Rubrik node.
2. Log in to the Rubrik CLI.
3. Choose whether to use the data IP addresses on bond0 or to set NAT addresses.
Option: Data IP addresses on bond0
Description: By default, Rubrik nodes talk to Rubrik Envoy virtual machines using the data IP addresses
on bond0.

Option: Provider-side NAT
Description: When using the provider-side NAT, set the external NAT target IP and port for Rubrik Envoy
to use to establish connections to Rubrik cluster nodes.
4. To set the external NAT target IP and port, run the following command.
Type

network cdm_nat_address set

Enter the sequence numbers of the Rubrik cluster nodes for which to set the NAT address. Enter 0
when done.
Enter the NAT IP address of the node.
Enter the NAT port of the node: 8011.
The command sets the external NAT target IP and port.
5. Open an SSH session on the Rubrik Envoy virtual machine.
6. Log in using the account name ubuntu and account password Envoy.
7. Before running the registration script, be sure to change the default hostname to a unique hostname,
using the sudo hostname <your_unique_hostname> command.
8. Run the registration script and provide the requested information.
Type

sudo /home/ubuntu/envoy_ng_startup.py

9. Enter the Rubrik CDM IP address.


10. Enter 443 as the default HTTP port number.
The script uses the provided IP address and HTTP port to obtain the required Rubrik cluster web
certificate and display it.
11. Confirm the validity of the web certificate.
Option: Yes
Description: Confirm that the displayed web certificate is valid.

Option: No
Description: Do not accept the displayed web certificate as valid. The script exits, returning a blank
prompt. The Rubrik Envoy virtual machine does not connect to the Rubrik cluster.

The script includes information about viewing the original web certificate for comparison in the
browser of the Rubrik CDM web UI of the Rubrik cluster node.
12. Choose whether to complete the user authentication using an API token or the tenant organization
admin account and password.
Option: Enter an API token
Description: Optionally obtain an API token from the Rubrik CDM web UI by clicking the user name in the
upper right of the screen and then selecting API Token Manager.

Option: Enter the tenant organization admin account name and password
Description: Type the tenant organization admin account name and password.
13. Enter the name of the tenant organization.
The registration script completes, displaying a comment that the SSF tunnels for all CDM nodes were set
up successfully.

Result
Rubrik Envoy connects to the Rubrik cluster for the specified organization.
Related concepts
Multitenancy and Rubrik Envoy
Rubrik Envoy enables data movement between Rubrik clusters and a tenant network.
Related tasks
Deploying Rubrik Envoy
Deploy Rubrik Envoy on a vSphere virtual machine.
Configuring Rubrik Envoy
Configure the Rubrik Envoy virtual machine.
Comparing Rubrik Envoy web certificates
Check the validity of the certificate displayed by the Rubrik Envoy registration script.

Comparing Rubrik Envoy web certificates


Check the validity of the certificate displayed by the Rubrik Envoy registration script.

Prerequisites
Creating and exporting a secure cluster web certificate requires an operating system and browser that
support that functionality. A combination of web browser and operating system that is known to work for
this task is Google Chrome running on either Windows or Linux.

Context
The Rubrik Envoy registration script obtains the web certificate of the Rubrik cluster, displays it in the shell
session, and prompts for confirmation that the certificate is valid. This task describes how to obtain the
certificate directly from the Rubrik cluster using a web browser and compare it to the one displayed in the
shell session. Doing this adds an additional layer of security.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the padlock icon on the browser address bar.
A menu appears. The menu includes a choice related to the certificate of the Rubrik cluster.
3. Navigate to the certificate export functionality and choose to export the certificate.
Select the Base-64 encoded X.509 (.CER) export file format.
4. Download the certificate to a local file.
5. Visually compare the contents of the file with the certificate displayed by the Rubrik Envoy registration
script.
The first few lines of the certificate displayed by the script appear on separate lines for readability, but
the contents should otherwise match the certificate obtained through the browser.

Result
You are able to confirm that the Rubrik cluster web certificate shown by the Rubrik Envoy registration
script is the same as the certificate provided to your web browser.
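
The visual comparison in step 5 can be done as a fingerprint comparison instead, which is also one way to run the client-certificate fingerprint check listed under Troubleshooting the Vormetric DSM installation. The Python below is an added example, not part of the Rubrik guide or the registration script; the function names are hypothetical and the sample bytes are constructed and are not a real certificate.

```python
"""Compare two PEM certificates by SHA-256 fingerprint, ignoring line layout.

Added illustration with hypothetical names; sample data is constructed.
"""
import base64
import binascii
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(text: str) -> bytes:
    """Extract the first PEM certificate from text and return its DER bytes."""
    match = PEM_RE.search(text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    # Line width, indentation and CR/LF differ between a browser export and
    # a terminal display, so drop all whitespace before decoding.
    b64 = re.sub(r"\s+", "", match.group(1))
    try:
        return base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid Base-64: {exc}") from exc


def fingerprint(text: str) -> str:
    """SHA-256 fingerprint of the certificate as colon-separated hex pairs."""
    digest = hashlib.sha256(pem_to_der(text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(exported: str, displayed: str) -> bool:
    """True only when both inputs encode byte-identical certificates."""
    return hmac.compare_digest(fingerprint(exported), fingerprint(displayed))


def _wrap_pem(der: bytes, width: int, eol: str) -> str:
    """Build PEM text with a chosen line width and line ending (sample data)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return eol.join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]
    ) + eol


# Constructed stand-in for certificate bytes; not a real X.509 certificate.
SAMPLE_DER = bytes(range(256)) * 3
# Same bytes laid out two ways: a CRLF browser export with 64-column lines,
# and an indented, narrower terminal display with surrounding text.
BROWSER_EXPORT = _wrap_pem(SAMPLE_DER, 64, "\r\n")
SCRIPT_DISPLAY = "Cluster web certificate:\n" + _wrap_pem(SAMPLE_DER, 40, "\n    ")
# One byte differs: the case a visual comparison is most likely to miss.
DIFFERENT_CERT = _wrap_pem(SAMPLE_DER[:-1] + b"\x00", 64, "\n")

if __name__ == "__main__":
    print("browser :", fingerprint(BROWSER_EXPORT))
    print("script  :", fingerprint(SCRIPT_DISPLAY))
    print("match   :", same_certificate(BROWSER_EXPORT, SCRIPT_DISPLAY))
    print("tampered:", same_certificate(BROWSER_EXPORT, DIFFERENT_CERT))
```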
Related tasks
Registering Rubrik Envoy with a Rubrik cluster
Register the Rubrik Envoy virtual machine with the Rubrik cluster using the Rubrik CLI.

IP address changes in Rubrik Envoy


The effects of changes to the IP address of a Rubrik Envoy virtual machine.
After a Rubrik Envoy virtual machine is registered with the Rubrik cluster, its IP address must remain the
same. If the IP address changes, Rubrik Envoy becomes undetectable by the Rubrik cluster. In that case,
the Rubrik CDM web UI and Rubrik CLI continue to show the IP address that was used to register Rubrik
Envoy with the Rubrik cluster.
While an unanticipated change to the IP address of a properly configured and registered Rubrik Envoy
virtual machine is not common, it can happen in situations such as the following:
• Someone with administrator privileges manually changes the Rubrik Envoy IP address by mistake.
• During reboot after a long shutdown, the Rubrik Envoy virtual machine receives a different IP address
from the DHCP server.
In the event of an IP address change, change it back to the original IP address. If changing the IP address
is not possible, then correct the situation by deregistering and then reregistering the Rubrik Envoy virtual
machine.
Related concepts
Multitenancy and Rubrik Envoy
Rubrik Envoy enables data movement between Rubrik clusters and a tenant network.
Related tasks
Configuring Rubrik Envoy
Configure the Rubrik Envoy virtual machine.
Registering Rubrik Envoy with a Rubrik cluster
Register the Rubrik Envoy virtual machine with the Rubrik cluster using the Rubrik CLI.
Deregistering Rubrik Envoy from a Rubrik cluster
Remove the association between a Rubrik Envoy virtual machine and a Rubrik cluster.

Deregistering Rubrik Envoy from a Rubrik cluster


Remove the association between a Rubrik Envoy virtual machine and a Rubrik cluster.

Context
Use the Rubrik CDM web UI to deregister a Rubrik Envoy virtual machine from the Rubrik cluster or to
move it from one cluster to another. A deregistered Rubrik Envoy virtual machine is not deleted; it exists in
an idle mode, not associated with any cluster.
Deregistering is also helpful if the IP address of the Rubrik Envoy virtual machine changes inadvertently.
Since that IP address is expected to remain the same, a changed address renders the Rubrik Envoy virtual
machine undetectable by the Rubrik CDM web UI and Rubrik CLI, which would continue to show the
original IP address. Correct that by deregistering and then reregistering the Rubrik Envoy virtual machine.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Organizations.
The Organizations page appears.
4. Open the ellipsis menu and select Manage Envoy.
The Manage Envoy page appears, showing a list of the deployed Rubrik Envoy virtual machines and
their connection status.
5. Select the Rubrik Envoy virtual machine and click Deregister.
More than one Rubrik Envoy virtual machine can be selected.

Result
The Rubrik cluster deregisters the selected Rubrik Envoy virtual machine.
Related concepts
Multitenancy and Rubrik Envoy
Rubrik Envoy enables data movement between Rubrik clusters and a tenant network.
IP address changes in Rubrik Envoy
The effects of changes to the IP address of a Rubrik Envoy virtual machine.
Related tasks
Deploying Rubrik Envoy
Deploy Rubrik Envoy on a vSphere virtual machine.
Configuring Rubrik Envoy
Configure the Rubrik Envoy virtual machine.
Registering Rubrik Envoy with a Rubrik cluster
Register the Rubrik Envoy virtual machine with the Rubrik cluster using the Rubrik CLI.

Create a new tenant organization


Create a new tenant organization by providing a name for the organization, adding users, and assigning
objects to be protected.
Users with the Administrator role can create tenant organizations. Users that are part of tenant
organizations can have different levels of cluster and organization privileges.
User accounts that are not assigned any roles or user accounts that are assigned roles which do not
provide access to any resources cannot log in to the Rubrik cluster. Assign roles that permit the user
account to access the Rubrik CDM web UI.
Related concepts
User accounts
Rubrik CDM provides role-based access control and several methods for authenticating a user account.
Roles
Use roles to define privileges for user accounts on a Rubrik cluster.

Organization Administrator privileges


When a global administrator creates an organization administrator role, certain privileges are enabled by
default.
Any of the privileges defined in the following table can be disabled to prevent an organization administrator
from performing the actions associated with that privilege.

| Privilege Name | Description |
|---|---|
| Create SLA | Create local or remote SLAs for the objects associated with the organization. |
| Manage Hosts | Add a physical host to the Rubrik cluster, edit the IP address or hostname, or delete a physical host from the Rubrik cluster. |
| Manage Users | Add local users, delete users or groups from users in the organization. Additionally, assign or remove roles from users in the organization. |
| Unrestricted Unprotection | Delete snapshots immediately when changing SLA assignment to Do Not Protect. |
| Unrestricted Snapshot Retention | Delete snapshots from the Snapshot Management page. |

Naming the organization and adding users or AD groups
The first steps in defining a tenant organization are assigning a name, creating administrator roles, and
adding users or AD groups.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Organizations.
The Organizations page appears.
4. Click Create Organization.
The Create Organization wizard appears.
5. In Organization Name, provide a name for the organization.
6. Click Next.
The Administrator Roles screen of the wizard appears.
7. Optional: Select the Enable per tenant access control toggle.
When this toggle is enabled, the organization administrator can add single sign-on domains to the
organization.
8. Add administrator roles to this organization.
The roles are assigned to users in the following screen of the wizard.
9. Optional: Click Add Role to create a new role.
Type a name for the role and assign the privileges to this role.
The following privileges are assigned by default:
• Create SLA
• Manage Hosts
• Unrestricted Unprotection
• Manage Users
• Unrestricted Snapshot Retention
10. Click Next.
The Users screen of the wizard appears.
11. Select a domain from the Directory drop-down menu.
Valid domains are ‘local’ for user accounts on the cluster, or any AD domains connected to the cluster.
An organization can contain users or AD groups from any number of separate domains.
12. Enter a search string in the Search by Name field to display a list of users and AD groups that match
the string.
13. Click Add for a user or AD group in the list to add that user or AD group to the organization.
14. Optional: Select a role for the user from the Administrator Roles drop-down list to make the user
an Organization Administrator.
In an organization, assign the Organization Administrator role to at least one user.
15. Click Next.
The Protectable Objects section of the wizard appears.

Next task
Use the procedure in Protecting objects in an organization to continue creating the organization.

Protecting objects in an organization
Specify the organization objects to protect.

Prerequisites
Complete the steps in Naming the organization and adding users or AD groups.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Organizations.
The Organizations page appears.
4. Click Create Organization.
The Create Organization wizard appears.
5. In the Protectable Objects section, select the appropriate tab to add an object to the tenant
organization.
6. Select the objects to include in the tenant organization from the list.
The number of selected objects next to the listed object type updates automatically.
7. Click Next.
The Other Resources section of the wizard displays.

Result
The specified objects are added to the organization.

Next task
Use the procedure in Assigning protection resources to a tenant organization to continue creating the
organization.

Assigning protection resources to a tenant organization


Finalize the creation of a tenant organization by assigning resources that can be used to permit data
management and protection.

Prerequisites
Complete the procedures in Naming the organization and adding users or AD groups and Protecting
objects in an organization.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Organizations.
The Organizations page appears.
4. Click Create Organization.
The Create Organization wizard appears.
5. Click Other Resources.
A list of optional resources appears.
6. Click SLA Domains and select the SLA Domains to assign to the tenant organization.
SLA Domains can optionally be assigned at this point and can be assigned or changed later by editing
the tenant organization.
7. Click Archival Locations and select the archival locations to assign to the tenant organization.
Archival locations can optionally be assigned at this point and can be assigned or changed later by
editing the tenant organization.
8. Click Replication Targets and select the replication targets to assign to the tenant organization.
Replication targets can optionally be assigned at this point and can be assigned or changed later by
editing the tenant organization.
9. Click Replication Sources and select the replication sources to assign to the tenant organization.
Replication sources can optionally be assigned at this point and can be assigned or changed later by
editing the tenant organization.
10. Click Next.

Result
The organization has new resource assignments.

Next task
Use the procedure in Deploying Rubrik Envoy to continue creating the organization.

Modifying an existing tenant organization


Modify the properties of a tenant organization.

Prerequisites
A user must have the global administrator role to edit tenant organization settings.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Organizations.
The Organizations page appears.
4. Open the ellipsis menu for the organization and click Edit.
The Edit Organization page appears with the Organization Name section selected.
5. Optional: Type a new name in the Organization Name field to change the organization name.
6. Optional: Click Administrator Roles at the top of the Edit Organization page to create roles.
7. Optional: Click Users at the top of the Edit Organization page to manage users or AD groups in the
organization.
8. Optional: Click Protectable Objects at the top of the Edit Organization page to manage the
protectable objects assigned to the tenant organization.
9. Optional: Edit the protectable objects that are assigned to a tenant organization.
10. Optional: Click Other Resources at the top of the Edit Organization page to manage SLA Domains,
archival locations, or replication targets assigned to the tenant organization.
Users with the Organization Admin role and the Create/Edit SLA permission can only modify SLA
Domains that are created within a tenant organization.
11. Optional: Edit the resources that are assigned to a tenant organization.
12. Click Finish.

Result
The Rubrik cluster modifies the tenant organization.
Related tasks
Naming the organization and adding users or AD groups
The first steps in defining a tenant organization are assigning a name, creating administrator roles, and
adding users or AD groups.
Protecting objects in an organization
Specify the organization objects to protect.
Assigning protection resources to a tenant organization
Finalize the creation of a tenant organization by assigning resources that can be used to permit data
management and protection.
Configuring Rubrik Envoy
Configure the Rubrik Envoy virtual machine.
Registering Rubrik Envoy with a Rubrik cluster
Register the Rubrik Envoy virtual machine with the Rubrik cluster using the Rubrik CLI.

Deleting a tenant organization


Remove a tenant organization from the Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Organizations.
The Organizations page appears.
4. Next to an organization entry, click the ellipsis and select Delete.
A confirmation dialog box appears.
5. Click Delete.

Result
The Rubrik cluster deletes the organization definition.

Impact of deleting a tenant


Deleting a tenant organization impacts the information that the Rubrik cluster stores for that organization.
Deleting a tenant organization from a Rubrik cluster has the following effects on the data objects that
comprise the organization:
• Users and AD groups in the organization have their privilege level set to “No Access”.
• SLA Domains created within the tenant organization persist.
• All other protected elements remain unmodified.
• When Rubrik Envoy is configured, the Envoy virtual machine persists and stores the metadata for the
deleted tenant organization.

Tenant organization storage quota


Storage-based quotas can be assigned to tenant organizations in multi-tenant environments to restrict
resource utilization and protect resource availability.
Assigning storage quotas to tenant organizations in multi-tenant environments provides a mechanism for
capacity planning and resource allocation. Administrators can assign storage quotas with both hard and
soft limits to tenant organizations. Only global admin users can assign, view, and edit organization storage
quotas.

When the used storage quota exceeds the assigned soft limit, the Activity Log displays this for the admin
and the organization and, optionally, the admin receives an email. When the used storage quota exceeds
the hard limit, further backups and storage operations are stopped. The Activity Log also displays this
for the admin and the organization and, optionally, the admin receives an email. Backups and storage
operations are resumed once the used storage is reduced or the assigned quota has been increased. Any
global administrator can increase or decrease the storage quota limit as required, and the Activity Log
displays these changes as well.
Related concepts
Data measurements
The Rubrik CDM web UI depicts data values using the decimal definition for the prefixes used with bits and
bytes.
Related tasks
Assigning tenant organization storage quota
Assign storage-based quota to a tenant organization to restrict resource utilization and protect resource
availability.
Viewing the tenant organization storage quota
View the assigned and used storage-based quota for a tenant organization.
Editing the assigned tenant organization storage quota
Edit the assigned tenant organization storage quota to increase or decrease the storage limits for an
organization.

Assigning tenant organization storage quota


Assign storage-based quota to a tenant organization to restrict resource utilization and protect resource
availability.

Prerequisites
Create the organization as described in Naming the organization and adding users or AD groups.

Procedure
1. Log in to the Rubrik CDM web UI as a global admin.
2. Click the gear icon.
3. Click Organizations.
The Organizations page appears.
4. In the ellipsis menu for the organization, click Manage Quota.
The Manage Quota dialog box appears.
5. Turn on the Storage Based Quota toggle.
6. In Metric to Quota on, select one of the following storage options:
• Local storage is the amount of Rubrik cluster storage currently in use.
• Local effective storage is a calculation of the equitable allocation of deduplicated data assigned
to individual snapshots. This enables a fair distribution between objects.
7. Provide values for the Soft Limit and, optionally, for the Hard Limit.
The Hard Limit value cannot be less than the Soft Limit value.
8. Click Save.
A message appears confirming that the organization quotas have been updated.

Result
Storage-based quota is assigned to an organization.

Viewing the tenant organization storage quota
View the assigned and used storage-based quota for a tenant organization.

Prerequisites
Assign storage-based quota to an organization as described in Assigning tenant organization storage
quota.

Procedure
1. Log in to the Rubrik CDM web UI as a global admin.
2. Click the gear icon.
3. Click Organizations.
The Organizations page appears. The used storage-based quotas and the soft and hard limits appear
in the Storage Quota Used column.

Note: If the storage used is less than 1 GB, this appears as 0 GB.

4. Optional: In the ellipsis menu for the organization, click Manage Quota.
The Manage Quota dialog box appears, displaying the type of Metric to Quota on selected.
Local storage is the amount of Rubrik cluster storage currently in use. Local effective storage is a
calculation of the equitable allocation of deduplicated data assigned to individual snapshots.

Result
The assigned storage quota appears in the Organizations page.

Editing the assigned tenant organization storage quota


Edit the assigned tenant organization storage quota to increase or decrease the storage limits for an
organization.

Procedure
1. Log in to the Rubrik CDM web UI as a global admin.
2. Click the gear icon.
3. Click Organizations.
The Organizations page appears. The storage-based quotas and the soft and hard limits appear in the
Storage Quota Used column.
4. In the ellipsis menu for the organization, click Manage Quota.
The Manage Quota dialog box appears.
5. Edit the Soft Limit and/or the Hard Limit, as required.
The limits cannot be set to a value less than the storage quota used.
6. Optional: In Metric to Quota on, select one of the following storage options:
• Local storage is the amount of Rubrik cluster storage currently in use.
• Local effective storage is a calculation of the equitable allocation of deduplicated data assigned
to individual snapshots. This enables a fair distribution between objects.
7. Click Save.
A UI message appears confirming that the organization quotas have been updated.

Result
The storage-based quota assigned to an organization is updated.

Chapter 6
Protection policies


The SLA Domain feature has default protection policies and user configured protection policies.
The Rubrik SLA Domain feature unifies Service Level Agreement (SLA) data protection policies
through a single policy engine. The SLA Domain feature provides a configurable set of policies that can be
applied to groups of virtual machines, applications, and hosts to achieve specific data protection objectives.
The following table defines the data protection policies available through the SLA Domain feature.

| Policy | Description |
|---|---|
| Snapshot and backup frequency and retention | Directs the Rubrik cluster when to create point-in-time snapshots or backups of data sources and how long to keep the data. |
| Replication | Directs the Rubrik cluster to send replicas of source snapshots or backups to a target Rubrik cluster and defines the maximum time to keep the replica on each cluster. |
| Archiving | Directs the Rubrik cluster to move snapshot or backup data to a separate data storage system for long-term retention. |

Default SLA Domains


Rubrik CDM has three default local SLA Domains: Gold, Silver, and Bronze.
These policies have the archival policy and the replication policy disabled, do not have a Snapshot Window,
and do not set a Take First Full Snapshot time.

| Name | Gold | Silver | Bronze |
|---|---|---|---|
| Hourly | Create snapshot every 4 hours. Retain for 3 days. | Create snapshot every 12 hours. Retain for 3 days. | None |
| Daily | Pick the last successful snapshot every day and retain it for 32 days | Pick the last successful snapshot every day and retain it for 32 days | Create snapshot every day and retain it for 32 days |
| Monthly | Pick last successful snapshot every month and retain it for 1 year | Pick last successful snapshot every month and retain it for 1 year | Pick last successful snapshot every month and retain it for 1 year |
| Yearly | Pick last successful snapshot every year and retain it for 2 years | Pick last successful snapshot every year and retain it for 2 years | Pick last successful snapshot every year and retain it for 2 years |

Custom SLA Domains
Custom SLA Domains provide the ability to create sets of data protection policies that meet the
requirements of various groups of data sources in an enterprise.

Service Level Agreement


The Service Level Agreement section defines snapshot frequency and retention.
The Rubrik cluster creates snapshots to satisfy the smallest frequency that is specified by the SLA rules of
the SLA Domain.
For example, when the Hourly rule specifies the smallest frequency, the Rubrik cluster creates snapshots
based on the settings of the Hourly rule. However, when the Daily rule specifies the smallest frequency, the
Rubrik cluster creates snapshots based on the settings of the Daily rule.
The Rubrik cluster uses each rule that specifies a frequency that is larger than the smallest to determine
snapshot expiration.
The maximum local retention period reflects the maximum retention period specified in the SLA rules.
The following table describes the frequency and retention values for each rule type.

| Rule type | Frequency | Retention |
|---|---|---|
| Hourly | Every n-hours hours | For n-days days |
| Daily | Every n-days days | For n-days days |
| Monthly | Every n-months months | For n-months months |
| Yearly | Every n-years years | For n-years years |

The following table describes the advanced options for frequency and retention values for each rule type.
To view the advanced options, enable Advanced Frequencies when creating or editing SLA Domains.
For the Minute Rule, the minimum allowed value for Take Snapshots and Keep Snapshots is 15
minutes.
SLA Domains with a backup frequency in minutes will apply only to Managed Volume objects.

| Rule type | Frequency | Retention |
|---|---|---|
| Minute | Every n-minutes minutes | For n-minutes minutes or n-hours hours |
| Hourly | Every n-hours hours | For n-hours hours, n-days days, or n-weeks weeks |
| Daily | Every n-days days | For n-days days or n-weeks weeks |
| Weekly | Every n-weeks weeks. On the specified day of the week. | For n-weeks weeks |
| Monthly | Every n-months months. On the first, 15th or last day of the month. | For n-months months, n-quarters quarters, or n-years years |
| Quarterly | Every n-quarters quarters. On the first or last day of the quarter. Begin Quarter in month. | For n-quarters quarters or n-years years |
| Yearly | Every n-years years. On the first or last day of the year. Begin Year in month. | For n-years years |

For each rule type, the rule that initiates the creation of the retained snapshot is the rule type that
specifies the smallest frequency, such as the hourly rule. This occurs when a snapshot that is initiated by
another rule is the last successful snapshot for the defined period.
Each of the rule types described is referred to as an SLA Rule. Any snapshot created based on an SLA Rule
is referred to as a policy driven snapshot.
In the following scenarios the latest snapshot is skipped by the Expiration Job:
• If a protected data source is protected by a valid SLA Domain it is skipped when deleting the latest
snapshot for the protected data source.
• If a protected data source is retained by a valid SLA Domain, it is skipped when expiring the latest
snapshots in all active retention locations. The latest snapshot is not skipped if it is the last snapshot at
the retention location.
• If a protected data source is unprotected, the latest snapshot at the current location is skipped only if it
is not the last snapshot at that location.
Related concepts
Retention management
Assign retention policies to existing scheduled snapshots, on-demand snapshots, and snapshots retrieved
from an archival location.
Related tasks
Creating a custom SLA Domain
Create a custom SLA Domain with policies that meet specific SLA requirements.

Base Frequency
The Base Frequency of an SLA Domain determines when snapshots are created to comply with all of the
rules specified for the SLA Domain.
Base Frequency is determined through the following SLA Domain settings:
• The Base Frequency corresponds to the shortest frequency specified in the SLA Domain configuration.
• When there is no Minute Rule, the Base Frequency corresponds to the frequency specified in the Hourly
Rule.
• When there is no Hourly Rule, the Base Frequency corresponds to the frequency specified in the Daily
Rule.
• When both the Hourly Rule and the Daily Rule are not defined, the Base Frequency corresponds to the
frequency specified in the Monthly Rule.
• When the Yearly Rule is the only rule defined, the base frequency corresponds to the frequency
specified in that rule.

Local retention period
The Rubrik cluster retains a snapshot or backup locally based on the local retention period specified by the
SLA Domain.
For an SLA Domain, the maximum local retention period is the longest period that is specified by any of
the retention rules. If Rubrik CDM has limited storage capacity, configuring the maximum retention period can
result in rapid usage of storage capacity.
After setting an archival policy, a replication policy, or both, the local retention period can be shortened
from the default maximum retention period. Shortening the local retention period reduces the storage
requirements for Rubrik CDM.
For example, on Rubrik Edge (which has limited capacity), snapshots and backups could be retained
for only a few days locally and retained for a much longer period on a physical Rubrik cluster that is
configured as the replication target.

SLA Domain name


SLA Domain names must be unique and follow character usage requirements.
An SLA Domain name must meet the following requirements:
• Is unique in the local Rubrik cluster namespace
• Consists of any combination of the following characters: alphanumeric, blank space, hyphen, and
underscore
• Contains at least one character

SLA Domains with CDP enabled


SLA Domains with Continuous Data Protection (CDP) enabled are used for near term recovery.
In order for CDP to be functional, a CDP Filter must be installed on an ESXi host (version 6.7 or newer).
SLA Domains with CDP enabled can be configured for between one and four hours through Keep Recovery
Points For (Hours). After the Keep Recovery Points For (Hours) value is configured, the Take Snapshots
Every (Hours) value must be configured to be equal to or less than the Keep Recovery Points For (Hours) value.
After CDP is configured for the SLA Domain, configure the rest of the SLA Domain settings.

Creating a custom SLA Domain


Create a custom SLA Domain with policies that meet specific SLA requirements.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select SLA Domains > Local Domains.
The Local SLA Domains page appears.
3. Click the + icon.
The first page of the Create SLA Domain wizard appears.
4. In SLA Domain Name, type a name for the new SLA Domain.
The name must comply with the requirements defined for SLA Domain names. To create a CDP SLA
(if CDP is enabled), enable the slider toggle for Continuous Data Protection. In Keep Recovery
Points for (Hours) specify the number of hours for the CDP log file. By default, CDP SLAs can only be
configured for four hours.
5. In Service Level Agreement, configure the snapshot frequency and a corresponding retention
period.
Each backup frequency category is optional but at least one category must have a value.
6. Optional: Create a snapshot window for the SLA Domain.
A snapshot window creates snapshots for the data sources protected by the SLA Domain.
7. Optional: Specify a first full snapshot and backup time for the SLA Domain.
8. Click Next.
9. Optional: Create an archival policy for the SLA Domain.
10. Optional: Create a Replication Retention policy for the SLA Domain.
11. Optional: In Retention On Brik, specify a local retention period for the SLA Domain.
Move the slider to set the local retention period for the SLA Domain. The setting can be from 0 days up
to the maximum local retention period defined in the SLA rules.
An archival policy, a replication policy, or both must be specified before the local retention period can
be adjusted.
12. Click Next.
The Summary page of the Create SLA Domain dialog box appears.
This page summarizes the frequency and retention defined for the new SLA Domain.
13. Review the summary information and click Create.

Result
The Rubrik cluster creates the new SLA Domain and adds it to the Local SLA Domains page.

Next task
Assign the SLA Domain to data sources.
Related concepts
SLA Domain name
SLA Domain names must be unique and follow character usage requirements.
Service Level Agreement
The Service Level Agreement section defines snapshot frequency and retention.
Archival policy
An archival policy defines how long to retain data within the local Rubrik cluster before moving the data to
an archival account for long term storage. Archival policy is optional for an SLA Domain.
Replication policy
Enable a replication policy for an SLA Domain to replicate the snapshot and backup data of the source
objects that are protected by the SLA Domain.
Local retention period
The Rubrik cluster retains a snapshot or backup locally based on the local retention period specified by the
SLA Domain.
Related tasks
Configuring a snapshot window
Configure a snapshot window for an SLA Domain when creating a custom SLA Domain or when editing an
SLA Domain.
Configuring a first full backup window
Configure a first full backup window for an SLA Domain when creating a custom SLA Domain or when
editing an SLA Domain.
Assigning an SLA Domain setting to a Hyper-V cluster or server
Specify an SLA Domain setting for Hyper-V host to have the setting applied to the objects and virtual
machines contained by the clusters and host.
Assigning an SLA Domain setting to a Nutanix cluster

Protection policies 05/25/2022 | 166


Specify an SLA Domain setting for Nutanix clusters to have the setting applied to the objects and virtual
machines contained by the clusters and server.
Assigning an SLA Domain setting to a virtual machine
Specify an SLA Domain for a virtual machine, set the virtual machine to inherit from a parent, or specify Do
Not Protect for the virtual machine.

Snapshot window
A custom SLA Domain can optionally provide a snapshot window. A snapshot window defines a period
during each day when the Rubrik cluster is permitted to create snapshots for the data sources that are
assigned to the SLA Domain.
When a backup is running and the current snapshot window closes, any currently running backup will be
allowed to complete, but no new backup job will be allowed to start.

Configuring a snapshot window


Configure a snapshot window for an SLA Domain when creating a custom SLA Domain or when editing an
SLA Domain.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select SLA Domains > Local Domains.
The Local SLA Domains page appears.
3. Complete one of the following to add or modify the snapshot window for an SLA Domain:
• For a new custom SLA Domain, click the + icon and configure the SLA rules.
• For an existing SLA Domain, on the Local SLA Domains page, select the SLA Domain. The
properties page for the selected SLA Domain appears. Open the ellipsis menu, and select Edit.
The Snapshot Window section appears near the bottom of the dialog box.
4. In Take Snapshots From, click the left box and select the beginning time for the snapshot window.
The Rubrik cluster waits until the specified time to initiate policy-based snapshots for this SLA Domain.
5. In Take Snapshots From, click the right box and select the ending time for the snapshot window.
The Rubrik cluster will not initiate policy-based snapshots for this SLA Domain after this time.
6. Complete any other changes and click Create (for a new SLA Domain) or Update (for an existing SLA
Domain).

Result
The Rubrik cluster adds the snapshot window to the SLA Domain. The Rubrik cluster creates snapshots for
the SLA Domain only during the specified period each day.
Related tasks
Creating a custom SLA Domain

Create a custom SLA Domain with policies that meet specific SLA requirements.

First full backup


A custom SLA Domain can specify a window for creating a first full snapshot or backup. The Rubrik cluster
waits until the first full window before initiating the first full snapshots or backups of data sources that are
assigned to the SLA Domain.
The default value for the first full backup is First Opportunity. When an SLA Domain is configured to take
the first full backup at the first opportunity, the Rubrik cluster initiates the first full backup when a data
source is added. For the First Opportunity setting only, if a snapshot window is specified, the Rubrik cluster
waits until the next available snapshot window.
For data sources that are added outside of the window that allows a first full backup, the Rubrik cluster
initiates the first full backup at the next occurrence of the first full window.
After a first full backup is created for a data source, subsequent snapshots or backups of that data source
are created based on the SLA Domain rules, including any snapshot window setting.

Configuring a first full backup window


Configure a first full backup window for an SLA Domain when creating a custom SLA Domain or when
editing an SLA Domain.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select SLA Domains > Local Domains.
The Local SLA Domains page appears.
3. Complete one of the following to add or modify the first full backup window for an SLA Domain:
• For a new custom SLA Domain, click the + icon and configure the SLA rules.
• For an existing SLA Domain, on the Local SLA Domains page, select the SLA Domain. The
properties page for the selected SLA Domain appears. Open the ellipsis menu, and select Edit.
The Snapshot Window section appears near the bottom of the dialog box. On the Take first full
between line, the default value First Opportunity appears in the left box.
4. On the Take first full between line, click the left box and select a day of the week.
The selection specifies the first day of each week when the Rubrik cluster can initiate first full
snapshots and backups.
After entering a value, fields for specifying the end of the time range appear.
5. On the Take first full between line, click the right box and select a time of the day.
The selection specifies the time of day when the Rubrik cluster can initiate first full snapshots and
backups.
6. On the second line, click the left box and select a day of the week.
The selection specifies the last day of each week when the Rubrik cluster can initiate first full
snapshots and backups.
7. On the second line, click the right box and select a time of the day.
The selection specifies the time of day when the Rubrik cluster stops initiating first full snapshots and
backups.
8. Complete any other changes and click Create (new SLA Domains) or Update (existing SLA Domains).


Result
The Rubrik cluster adds the first full backup window policy to the SLA Domain, and initiates first full
snapshots and backups, for data sources that are awaiting a first full, at the next occurrence of the
selected day and hour.
Related tasks
Creating a custom SLA Domain
Create a custom SLA Domain with policies that meet specific SLA requirements.

SLA Domain changes


Edit Local SLA Domain policies when changes are needed.
Remote SLA Domains provide information in a read-only format. To edit an SLA Domain that appears as a
remote SLA Domain, log in to the Rubrik cluster where the SLA Domain is local.
Changing the settings of an existing SLA Domain will cause changes to the data protection provided by the
SLA Domain.
When the Two-Person Rule (TPR) is enabled for SLA Domain changes, edits to an SLA Domain require approval
from an account with the TPR Approver role.
Related concepts
The two-person rule
The two-person rule provides additional data security on Rubrik CDM by ensuring that no individual user
can perform key operations on data without the approval of a secondary user.
Related tasks
Editing an SLA Domain
Edit an existing local SLA Domain to change the specified data protection.
Related reference
TPR Approver role details
A user account with the TPR Approver role is responsible for approving or denying TPR requests.

Editing an SLA Domain


Edit an existing local SLA Domain to change the specified data protection.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select SLA Domains > Local Domains.
The Local SLA Domains page appears.
3. On the Local SLA Domains page, select the SLA Domain.
The properties page for the selected SLA Domain appears.
4. Open the ellipsis menu, and select Edit.
The Edit SLA Domain wizard appears.
5. Make changes to the SLA rules.
6. Click Next.
The Set Archiving and Replication page of the Edit SLA Domain wizard appears.
7. Optional: Make changes to the archival policy, the replication policy, or both.
8. Optional: Use the slider for Retention On Brik to adjust the local retention period for the SLA
Domain.
An archival policy, a replication policy, or both must be specified before the local retention period can
be adjusted.
9. Click Next.
The Review Impact page appears.
10. Optional: Click Apply to existing snapshots.
The changes made to the SLA Domain are applied to the existing snapshots. The summary
information describes the impact of the changes on existing and new snapshots.
11. Optional: Select Include on-demand and downloaded snapshots.
The summary information describes the effect of the changes on existing, new, on-demand, and
downloaded snapshots.
12. Click Update.
13. On the Submit Two-Person Rule Request dialog box, click Submit.
The Submit Two-Person Rule Request dialog box appears only when Changes to SLA Domain is enabled
on the Two-Person Rule Controlled Action page. Otherwise, you will not see this dialog box.
The Two-Person Rule generates a review request. When the request is approved, the Rubrik cluster
applies the requested edits. When the request is denied, the Rubrik cluster rejects the requested edits.

Result
The Rubrik cluster stores the new policies and rules for the SLA Domain. The following sections
describe the potential consequences of various SLA Domain changes.
Related concepts
SLA Domain changes
Edit Local SLA Domain policies when changes are needed.
Base Frequency changes
Editing the SLA rules can change the frequency with which snapshots are created. When changes to the
frequency impact the Base Frequency of the SLA Domain, all future snapshots are created using the new
Base Frequency.
Retention changes
Editing the SLA rules can have an effect on existing snapshots and future snapshots of associated data
sources.
Replication target changes
Editing the replication targets in an SLA Domain does not impact existing snapshots.
Impact of retention changes on archival policy and replication policy
When the retention period associated with any SLA Rule is changed, it can potentially trigger an automatic
change of an SLA Domain’s existing Archival and Replication policies.
Snapshot window changes
Changing the snapshot window causes the Rubrik cluster to use the new snapshot window when creating
new snapshots.
Take first full backup changes
Changing the time specified by the Take first full field causes the Rubrik cluster to wait until the specified
time before creating the first full snapshot or backup of newly added data sources. When a snapshot
window is specified, the Rubrik cluster creates the first full during the next available snapshot window after
the specified Take first full time.
The two-person rule
The two-person rule provides additional data security on Rubrik CDM by ensuring that no individual user
can perform key operations on data without the approval of a secondary user.
Related reference
TPR Approver role details

A user account with the TPR Approver role is responsible for approving or denying TPR requests.

Base Frequency changes


Editing the SLA rules can change the frequency with which snapshots are created. When changes to the
frequency impact the Base Frequency of the SLA Domain, all future snapshots are created using the new
Base Frequency.

Base Frequency increased


Increasing the Base Frequency causes the SLA Domain to create new snapshots based on the higher
frequency. When the retention periods are unchanged, there are no changes to existing snapshots.
Since the system cannot increase the frequency with which snapshots were taken in the past, increasing
the snapshot creation frequency for an SLA Domain can cause all the virtual machines being protected by
the SLA Domain to be out of compliance. The frequency of the existing snapshots may not be sufficient to
meet the requirements of the new policy.

Example: Increasing Base Frequency

Edits are made to an SLA Domain to increase the Base Frequency by making the following SLA rules
changes:
• Old Hourly Rule – Create one snapshot every six hours and retain it for three days.
• New Hourly Rule – Create one snapshot every three hours and retain it for three days.
These edits result in the following impact to snapshots:
• Existing snapshots – No change.
• New snapshots – Snapshots are created based on the higher frequency specified in the new Hourly
Rule, once every three hours instead of every six hours.

Base Frequency decreased


Decreasing the snapshot creation frequency causes new policy driven snapshots associated with the SLA
Domain to be created based on the lower frequency.
The Rubrik cluster also applies a decreased Base Frequency to existing snapshots. Applying the decreased
Base Frequency causes some of the existing snapshots to expire automatically. Automatic expiration occurs
when an existing snapshot is not required for compliance with the new policy.
Automatic expiration applies to existing snapshots on the local Rubrik cluster, archival snapshots on the
archival location, and replicas on the target replication cluster.

Decreasing Base Frequency


Edits are made to an SLA Domain to decrease the Base Frequency by making the following SLA rules
changes:
• Old Hourly Rule – Create one snapshot every three hours and retain it for three days.
• New Hourly Rule – Create one snapshot every six hours and retain it for three days.
These edits result in the following impact to snapshots:
• Existing snapshots – Some existing snapshots expire automatically because retention of these
snapshots is not required for compliance with the new lower frequency.
• New snapshots – Snapshots are created based on the lower frequency specified in the new Hourly Rule,
once every 6 hours instead of every 3 hours.

Retention changes
Editing the SLA rules can have an effect on existing snapshots and future snapshots of associated data
sources.
The new retention period is applied to existing snapshots and to new snapshots. Edits can increase or
decrease the retention period. In both cases, existing snapshots are impacted by the edits.

Snapshot retention period increased


Increasing the retention period causes the Rubrik cluster to retain all new snapshots for the new longer
retention period.

Example: Increasing snapshot retention with changes not applied to existing snapshots

Edits are made to an SLA Domain to increase the snapshot retention period by making the following SLA
rules changes:
• Old Hourly Rule – Create one snapshot every four hours and retain it for three days.
• New Hourly Rule – Create one snapshot every four hours and retain it for five days.
These edits result in the following impact to snapshots:
• Existing Snapshots – Retained for three days.
• New Snapshots – Retained for five days.

Example: Increasing snapshot retention with changes applied to existing snapshots

Edits are made to an SLA Domain to increase the snapshot retention period by making the following SLA
rules changes:
• Old Hourly Rule – Create one snapshot every four hours and retain it for three days.
• New Hourly Rule – Create one snapshot every four hours and retain it for five days.
These edits result in the following impact to snapshots:
• Existing Snapshots – Retained for five days.
• New Snapshots – Retained for five days.

Snapshot retention decreased


Decreasing the retention period causes the Rubrik cluster to retain new snapshots for the shorter retention
period.
If changes are applied to existing snapshots, some snapshots may expire immediately as a result of the
decreased retention. If changes are not applied to existing snapshots, the retention of existing snapshots
remains unchanged.


Example: Decreasing snapshot retention with changes applied to existing snapshots

Edits are made to an SLA Domain to decrease the snapshot retention period by making the following SLA
rules changes:
• Old Hourly Rule – Create one snapshot every four hours and retain it for seven days.
• New Hourly Rule – Create one snapshot every four hours and retain it for four days.
These edits result in the following impact to snapshots:
• Existing snapshots – Some existing snapshots may expire automatically as they are not required for
compliance with the shorter retention period.
• New snapshots – Retained for four days.

Example: Decreasing snapshot retention with changes not applied to existing snapshots

Edits are made to an SLA Domain to decrease the snapshot retention period by making the following SLA
rules changes:
• Old Hourly Rule – Create one snapshot every four hours and retain it for seven days.
• New Hourly Rule – Create one snapshot every four hours and retain it for four days. Changes not applied to
existing snapshots.
These edits result in the following impact to snapshots:
• Existing snapshots – Retention unchanged for existing snapshots.
• New snapshots – Retained for four days.

Related reference
Impact of SLA Domain changes on snapshots
Examples showing the impact of changing the retention policy of the SLA Domain assigned to an object.
Examines the impact of retroactive and non-retroactive retention changes on local, archived, and replicated
snapshots.

Impact of SLA Domain changes to existing snapshots


The SLA Domain governs the retention, archiving, and replication for each snapshot.
By default, changes to the SLA Domain affect existing and scheduled snapshots. For example, when the
retention period is reduced:
• Existing snapshots that exceed the reduced retention period expire and are removed.
• Existing snapshots that do not exceed the reduced retention period are kept only for that period.
• Scheduled snapshots are kept for the reduced retention duration.
Existing snapshots can be excluded from any changes to the SLA Domain. In this case, existing snapshots
are not impacted and will be retained for the duration specified by the retention policy of the original SLA
Domain.
Similarly, when the retention policy is changed for any data source, the existing snapshots can be either
included or excluded from the impact of these changes.
Related concepts
Retention policy for existing snapshots

Choose the retention policy for existing snapshots after removing the SLA Domain setting.

Snapshot expiration
A Rubrik cluster always retains the latest snapshot of a protected object at locations specified in the SLA
Domain, even when the retention period for all snapshots has expired.
When the retention period for a snapshot ends, the cluster marks the snapshot as expired. Expired
snapshots are no longer listed as a Snapshot Management object in the Rubrik CDM user interface.
The Rubrik cluster periodically deletes expired snapshots, but retains expired snapshots that meet specific
criteria.

| SLA Domain type | Snapshot at a location specified in SLA Domain | Expired snapshot retained |
|---|---|---|
| Protection | Yes | Latest snapshot retained indefinitely. |
| Protection | No | Latest snapshot retained according to the settings of the SLA Domain. |
| Retention | Yes | Latest snapshot retained unless it is the last snapshot at the location. |
| Retention | No | Latest snapshot retained according to the settings of the SLA Domain. |
| None | n/a | Latest snapshot retained unless it is the last snapshot at the location. |
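
The following Python model is an added illustration, not Rubrik code and not a Rubrik API: it previews which existing snapshots would expire immediately when a retention period is edited, with and without Apply to existing snapshots, and always keeps the latest snapshot as described under Snapshot expiration. The Snapshot class, the function names, and the sample dates are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Snapshot:
    taken: datetime        # when the snapshot was created
    retention_days: int    # retention period it was created under (old SLA rule)


def _live(ordered, now, retention_for):
    """Snapshots still retained at `now`; the latest snapshot is always kept."""
    last = len(ordered) - 1
    return [
        s for i, s in enumerate(ordered)
        if i == last or now - s.taken <= timedelta(days=retention_for(s))
    ]


def preview_retention_change(snapshots, new_retention_days, apply_to_existing, now):
    """Model the effect of a retention edit on existing snapshots.

    Returns the snapshots that would expire immediately, the snapshots kept,
    and the oldest recovery point before and after the edit, so a reviewer
    can see how much recovery history the change removes.
    """
    ordered = sorted(snapshots, key=lambda s: s.taken)
    if not ordered:
        return {"expire_now": [], "kept": [],
                "oldest_before": None, "oldest_after": None}

    def old_rule(snap):
        return snap.retention_days

    def new_rule(snap):
        # Existing snapshots take the new retention only when the edit is
        # applied to existing snapshots; otherwise they keep the old one.
        return new_retention_days if apply_to_existing else snap.retention_days

    before = _live(ordered, now, old_rule)   # retained under the old rule
    after = _live(before, now, new_rule)     # still retained after the edit
    expire_now = [s for s in before if s not in after]
    return {
        "expire_now": expire_now,
        "kept": after,
        "oldest_before": before[0].taken,
        "oldest_after": after[0].taken,
    }


# Constructed sample: one snapshot per day for seven days, created under a
# seven-day retention rule, evaluated at noon on the day of the last snapshot.
NOW = datetime(2022, 5, 25, 12, 0)
SAMPLE_SNAPSHOTS = [
    Snapshot(datetime(2022, 5, 25) - timedelta(days=k), 7) for k in range(7)
]

if __name__ == "__main__":
    for applied in (True, False):
        result = preview_retention_change(SAMPLE_SNAPSHOTS, 5, applied, NOW)
        print(
            f"apply_to_existing={applied}: "
            f"{len(result['expire_now'])} expire now, "
            f"oldest recovery point {result['oldest_before']:%Y-%m-%d} -> "
            f"{result['oldest_after']:%Y-%m-%d}"
        )
```

A non-empty expire_now list marks the edit as one that removes recovery points as soon as it is applied, which is the information an approver of a Two-Person Rule request needs before approving.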

Replication target changes


Editing the replication targets in an SLA Domain does not impact existing snapshots.
When a new replication target is added to an SLA Domain, snapshots taken in the past 31 days will be
replicated to the new target for all data sources for the SLA Domain. Similarly, when a replication target is
changed, snapshots taken in the past 31 days will be replicated to the new target for all data sources for
the SLA Domain.
When a replication target is deleted, new snapshots are not replicated and the existing replicated
snapshots are not impacted.

Impact of retention changes on archival policy and replication policy


When the retention period associated with any SLA Rule is changed, it can potentially trigger an automatic
change of an SLA Domain’s existing Archival and Replication policies.
These changes are described in the following sections:
• Changing archival policy
• Retention changes
• Replication policy changes
Before changing the retention period of an SLA Rule, consider the automatic changes to archival policy and
replication policy that result from the change.


Snapshot window changes
Changing the snapshot window causes the Rubrik cluster to use the new snapshot window when creating
new snapshots.

Take first full backup changes


Changing the time specified by the Take first full field causes the Rubrik cluster to wait until the specified
time before creating the first full snapshot or backup of newly added data sources. When a snapshot
window is specified, the Rubrik cluster creates the first full during the next available snapshot window after
the specified Take first full time.

Impact of SLA Domain changes on snapshots


Examples showing the impact of changing the retention policy of the SLA Domain assigned to an object.
Examines the impact of retroactive and non-retroactive retention changes on local, archived, and replicated
snapshots.

| Original SLA Domain | Changed SLA Domain | Impact on snapshots |
|---|---|---|
| Frequency = 1 day; Retention = 7 days | Frequency = 1 day; Retention = 10 days; Changes not applied to existing snapshots. | Existing snapshots derive the retention policy of the original SLA Domain and do not change. New snapshots derive the retention policy of the modified SLA Domain. |
| Frequency = 1 day; Retention = 7 days | Frequency = 1 day; Retention = 10 days; Changes applied to existing snapshots. | Existing snapshots derive the retention policy of the modified SLA Domain and are retained for 10 days. New snapshots derive the retention policy from the modified SLA Domain. Older snapshots are retained for 10 days. |
| Frequency = 1 day; Retention = 7 days | Frequency = 1 day; Retention = 5 days; Changes not applied to existing snapshots. | Existing snapshots derive the retention policy from the original SLA Domain and do not change. New snapshots derive the retention policy from the modified SLA Domain. |
| Frequency = 1 day; Retention = 7 days | Frequency = 1 day; Retention = 5 days; Changes applied to existing snapshots. | Existing snapshots derive the retention policy from the modified SLA Domain and are retained for 5 days. Likely that some snapshots expire immediately. New snapshots derive the retention policy from the modified SLA Domain and are retained for a shorter duration. |
| Frequency = 1 day; Retention = 7 days | Frequency = 5 days; Retention = 7 days | Likely that some snapshots expire immediately. |
| SLA Domain SD1: Frequency = 2 months; Retention = 3 months | SLA Domain SD2: Frequency = 2 months; Retention = 3 months; Archival location = AL1; Archival threshold = 1 month; Changes applied to existing snapshots. | The local retention for new snapshots is decreased to 1 month. The local retention for existing snapshots is decreased to 1 month. As a result, existing snapshots older than 1 month will expire immediately and are deleted locally. All snapshots older than 1 month are archived to location AL1 and the archival retention is based on SD2. |
| SLA Domain SD1: Frequency = 2 months; Retention = 3 months; Archival location = AL1; Archival threshold = 1 month | SLA Domain SD2: Frequency = 2 months; Retention = 3 months; Archival location = AL2; Archival threshold = 15 days; Changes not applied to existing snapshots. | Archiving starts after 15 days. The local retention for new snapshots is decreased to 15 days. The local retention for existing snapshots does not change and is 1 month. All local snapshots older than 15 days are archived to location AL2. Snapshots already archived to location AL1 will not be archived again. The archival retention for the existing snapshots not archived is derived from SD1 and will decrease. |
| SLA Domain SD1: Frequency = 2 months; Retention = 3 months; Archival location = AL1; Archival threshold = 1 month | SLA Domain SD2: Frequency = 2 months; Retention = 3 months; Archival location = AL2; Archival threshold = 15 days; Changes applied to existing snapshots. | The local retention for new snapshots is decreased to 15 days. The local retention for existing snapshots is decreased to 15 days. As a result, some existing snapshots expire immediately and are deleted locally. All local snapshots older than 15 days are archived to location AL2. Snapshots already archived to location AL1 will not be archived again. |
| SLA Domain SD1: Frequency = 2 months; Retention = 3 months; Archival location = AL1; Archival threshold = 1 month | SLA Domain SD2: Frequency = 2 months; Retention = 3 months; Archival location = AL2; Archival threshold = 45 days; Changes applied to existing snapshots. | The local retention for new snapshots is 45 days. The local retention for existing snapshots is increased to 45 days. All local snapshots older than 45 days are archived to location AL2. Snapshots already archived to location AL1 will not be archived again. The total retention for all snapshots is derived from SD2. |
| SLA Domain SD1: Frequency = 2 months; Retention = 3 months; Archival location = AL1; Archival threshold = 1 month | SLA Domain SD2: No archival location; Changes not applied to existing snapshots. | Local retention of existing snapshots will remain as 1 month, as specified in SD1. Local retention for new snapshots is based on SD2. The existing snapshots that have been archived to AL1 are retained there for the archival retention policy specified by SD1. The existing snapshots that have not been archived will not be archived and are retained locally for the duration specified in SD1. |
| SLA Domain SD1: Frequency = 2 months; Retention = 3 months; Archival location = AL1; Archival threshold = 1 month | SLA Domain SD2: No archival location; Changes applied to existing snapshots. | Local retention policy for existing snapshots is specified in SD2. The snapshots that have been archived to AL1 are retained there for the retention policy specified by SD2. The existing snapshots that have not been archived will not be archived and their retention policy is derived from SD2. |
| SLA Domain SD1: Frequency = 1 month; Retention = 2 months; No replication. | SLA Domain SD2: Frequency = 1 month; Retention = 2 months; Replication target = RT1; Replication retention = 10 days; Changes not applied to existing snapshots. | All snapshots from the last 30 days, if available, are eligible for replication to the new target. Snapshots are retained on the replication target for 10 days. |
| SLA Domain SD1: Frequency = 1 month; Retention = 2 months; No replication. | SLA Domain SD2: Frequency = 1 month; Retention = 2 months; Replication target = RT1; Replication retention = 10 days; Changes not applied to existing snapshots. | All snapshots from the last 30 days, if available, are eligible for replication to the new target. Snapshots are retained on the replication target RT1 for 10 days. |
| SLA Domain SD1: Frequency = 1 month; Retention = 2 months | SLA Domain SD2: Frequency = 1 month; Retention = 2 months; Replication target = RT1; Replication retention = 10 days; Changes applied to existing snapshots. | Any snapshot from the last 30 days is eligible for replication to the new target location. Snapshots are retained on the replication target RT1 for 10 days. Note: The replication retention window starts from the time the snapshot is created. |
| SLA Domain SD1: Replication target = RT1; Replication retention = 10 days | SLA Domain SD2: Replication target = RT1; Replication retention = 20 days; Changes not applied to existing snapshots. | Snapshots already replicated are retained on replication target RT1 for 10 days. Snapshots not yet replicated are replicated to RT1 and are retained for 20 days. New snapshots will follow the retention policy specified by SD2. |
| SLA Domain SD1: Replication target = RT1; Replication retention = 10 days | SLA Domain SD2: Replication target = RT1; Replication retention = 20 days; Changes applied to existing snapshots. | Snapshots already replicated are retained on replication target RT1 for 10 days. Snapshots not yet replicated are replicated to RT1 and are retained for 20 days. New snapshots follow the retention policy specified by SD2. |
| SLA Domain SD1: Replication target = RT1; Replication retention = 10 days | SLA Domain SD2: Replication target = RT2; Replication retention = 20 days; Changes not applied to existing snapshots. | Snapshots already replicated are retained on replication target RT1 for 10 days. All snapshots are replicated to RT2 and retained for 20 days. |
| SLA Domain SD1: Replication target = RT1; Replication retention = 10 days | SLA Domain SD1: Replication target = RT2; Replication retention = 20 days; Changes applied to existing snapshots. | Snapshots already replicated are retained on replication target RT1 for 10 days. All snapshots are replicated to RT2 and retained for 20 days. |
| SLA Domain SD1: Replication target = RT1; Replication retention = 10 days | SLA Domain SD2: Replication target = RT1; Replication retention = 10 days; Replication target = RT2; Replication retention = 20 days; Changes not applied to existing snapshots. | Snapshots already replicated are retained on replication target RT1 for 10 days. All snapshots from the last 30 days are replicated to RT2 and are retained for 20 days. Snapshots not yet replicated are replicated to RT1 and are retained for 10 days. |
| SLA Domain SD1: Replication target = RT1; Replication retention = 10 days | SLA Domain SD2: Replication target = RT1; Replication retention = 10 days; Replication target = RT2; Replication retention = 20 days; Changes applied to existing snapshots. | Snapshots already replicated are retained on replication target RT1 for 10 days. Snapshots not replicated are replicated to RT1 and retained for 20 days. All snapshots from the last 30 days are replicated to RT2 and are retained for 20 days. Snapshots not yet replicated are replicated to RT1 and are retained for 10 days. |
| SLA Domain SD1: Replication target = RT1; Replication retention = 10 days | Object deleted. | Snapshots already replicated are retained on replication target RT1 for 10 days. Snapshots not replicated are replicated based on SD1. Existing snapshots are retained locally based on SD1. |

SLA update log backups


The Rubrik cluster allows administrators to configure log backups as part of an SLA Domain.
Backing up logs provides lower recovery point objectives (RPOs) and enables point-in-time recovery for
databases. Log backups provide the administrator the flexibility to delete logs from the host, if and when
they require. Administrators can trigger backups based on the number of log files created.
On Microsoft SQL Server systems, log backups can also trigger backups based on the log space usage on
the host. On Oracle systems, administrators can choose to delete logs either immediately after a successful
backup or after a few hours, or they can choose to retain logs forever.
Administrators can enable log backups for Microsoft SQL Server and Oracle hosts, RACs, or databases
when protecting a specific database in the Manage Protection dialog box. The database inherits the log
backup schedule from its parent SLA Domain, or the administrator can configure different log backup
schedules for the database. The log backup schedule is determined by its frequency, in minutes, and its
retention, in days. Logs can also be archived and replicated, and they follow the archival and replication
policies defined in the SLA Domain assigned to the respective object.
Objects newly created in Rubrik CDM version 7.0 and later can use the SLA Domain only for log backup
configuration.
For objects created in versions of Rubrik CDM earlier than version 7.0, the Rubrik cluster attempts to follow
the SLA Domain with the appropriate log parameters configured. However, some objects with object-
level configurations may still exist. Rubrik recommends moving these objects to use the appropriate log
parameters.

Delete an SLA Domain


Deleting an SLA Domain deletes the SLA rules, archival policy, and replication policy specified for the SLA
Domain and removes the SLA Domain from the list of local SLA Domains.
Rubrik CDM requires the removal of all assigned data sources from an SLA Domain before that SLA Domain
can be deleted.
Remote SLA Domains provide information in a read-only format. To delete an SLA Domain that appears
as a remote SLA Domain, log in to the Rubrik cluster where the SLA Domain is local. Information about a
remote SLA Domain is removed from the Rubrik CDM web UI of the target Rubrik cluster when either of
the following is true:
• The remote SLA Domain does not protect any virtual machines.
• The remote SLA Domain’s replication policy is disabled.


Deleting an SLA Domain
Delete an SLA Domain to remove its rules and policies.

Prerequisites
Remove all data sources that are assigned to the SLA Domain. An SLA Domain cannot be deleted when
data sources are assigned to it.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select SLA Domains > Local Domains.
The Local SLA Domains page appears.
3. On the Local SLA Domains page, select the SLA Domain.
The properties page for the selected SLA Domain appears.
4. Open the ellipsis menu, and select Delete.
The Delete SLA Domain confirmation message appears.

Note: When data sources are assigned to the SLA Domain, a warning message appears. Click OK to
acknowledge the message. To delete the SLA Domain, first remove the data sources that are assigned
to the SLA Domain.

5. Click Delete.

Result
The SLA Domain is deleted.

Local SLA Domains


The Local SLA Domains page provides general information about all of the SLA Domains that are local to a
Rubrik cluster.
A local SLA Domain is an SLA Domain that is created on the local Rubrik cluster. General information about
all the local SLA Domains is available on the Local SLA Domains page.

| Column heading | Description |
|---|---|
| Name | Name assigned to the local SLA Domain. |
| Base Frequency | The rate at which snapshots are created as a result of all the rules of the SLA Domain. |
| Object Count | Combined total number of source objects that are protected by the SLA Domain. |
| Archival Location | Name of the archival location that is assigned to the SLA Domain. |
| Replication Target | Name of the replication target that is assigned to the SLA Domain, or None. |

Viewing all local SLA Domains


Access the Local SLA Domains page to view general information about all local SLA Domains.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select SLA Domains > Local Domains.
3. Optional: In the Search by Name field of the Local SLA Domains page, type a text string.
The Rubrik cluster provides a list of the local SLA Domains that have a name that contains the search
string.

Result
The Local SLA Domains page appears.

Local SLA Domain properties page


Each local SLA Domain has a separate page with details summarized in information cards.

| Information card | Element or field | Description |
| --- | --- | --- |
| SLA Domain Policy | | Quick view of the SLA rules specified by the local SLA Domain. |
| | Take | Column listing of the Minute, Hourly, Daily, Monthly, and Yearly rules of snapshot frequency. |
| | Retain | Column listing of the Minute, Hourly, Daily, Monthly, and Yearly rules of snapshot retention. |
| | Snapshot Window | The Snapshot Window for the SLA Domain. |
| | Replication Retention Policy | Replication retention policy of the SLA Domain. |
| | Archival Policy | Archival policy of the SLA Domain. |
| Storage | Donut graph | Quick view of the occupied and free space on the local Rubrik cluster. Click legend entries to include or exclude them from the graphic. The graphic always starts at the top and runs clockwise with the segments displayed in order by size from largest to smallest. |
| | This domain | Color-highlighted graphical indication of the portion of the total storage space on the local Rubrik cluster that is occupied by data associated with the selected local SLA Domain. Hover over This domain to highlight that section in the graphic. |
| | Other domains | Color-highlighted graphical indication of the portion of the total storage space on the local Rubrik cluster that is occupied by data from other local SLA Domains. Hover over Other domains to highlight that section in the graphic. |
| | Unprotected | Color-highlighted graphical indication of the portion of the total storage space on the local Rubrik cluster that is occupied by data from unprotected virtual machines. Hover over Unprotected to highlight that section in the graphic. |
| | Available | Color-highlighted graphical indication of the portion of the total storage space on the local Rubrik cluster that is free. Hover over Available to highlight that section in the graphic. |
| | Line graph | Shows the storage ramp-up over time, from 30 days ago to the present. |
| Source list | Drop down list | Selection list to choose a type of data source. Open the list to select a data source type: vSphere VMs, vCD vApps, Hyper-V VMs, AHV VMs, Linux & Unix Hosts, Windows Hosts, NAS Shares, SQL Server DBs, Oracle DBs, Managed Volumes, EC2 Instances. |
| | Search field | Search field that permits a text string search of the names of all data sources that are protected by the selected local SLA Domain. Search is confined to the currently selected data source. |
| | Name | Name of a protected data source. |
| | Location | Location or host of the protected data source. |

Viewing information for a specific SLA Domain


Access an SLA Domain’s properties page to view details for the SLA Domain.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select SLA Domains > Local Domains.
The Local SLA Domains page appears.
3. Optional: In the Search by Name field of the Local SLA Domains page, type a text string.
The Rubrik cluster provides a list of the local SLA Domains that have a name that contains the search
string.
4. Click a local SLA Domain entry.

Result
The page of the selected local SLA Domain appears. The ellipsis menu provides choices to edit or delete
the local SLA Domain, as described in Editing an SLA Domain and Deleting an SLA Domain. The Pause
Protection button provides the option to pause protection tasks for all objects on the page, as described
in Pause and resume protection. If protection is currently paused, the Resume Protection button
appears on the page.

Pause and resume protection
Protection tasks for all objects assigned to an SLA Domain can be paused and then resumed from the
SLA Domain properties page. Pausing protection is useful when performing maintenance activities on
applications, for example, or when storage capacity is an issue.
When protection is paused, all in-progress backup and archival tasks are canceled and no scheduled tasks
are queued. On-demand snapshots can still be taken while protection is paused. If any replication tasks
are in progress at the time of the pause, they are allowed to finish before the pause takes effect. Once
resumed, protection tasks start again according to the schedule in the SLA Domain.
When an object is removed from an SLA Domain that is paused, and then reassigned to another SLA
Domain, the new SLA protection policy takes effect immediately. When an object is reassigned to a paused
SLA Domain, no scheduled protection tasks will be started until protection is resumed.
Pause Protection does not apply to Live Mounts and Managed Volumes. The following rules apply:
• Pause Protection does not keep a Live Mount from starting.
• A Live Mount in progress does not keep Pause Protection from starting.
• Managed Volumes can be locked and unlocked while protection is paused.

Note: SLA Domains with CDP enabled cannot be paused. Also, Pause Protection does not pause database
log backups.

Pausing protection
Pause protection tasks of all objects assigned to an SLA Domain, whether through direct assignment or
derived assignment.

Procedure
1. Log in to the Rubrik CDM web UI as a user with administrator privileges.
2. On the left-side menu, select SLA Domains > Local Domains.
The Local SLA Domains page appears.
3. Select a local SLA Domain entry.
4. Click Pause Protection.
A confirmation dialog box appears with the message “Pause Protection will cancel all scheduled
backup, archiving, and replication tasks for all data sources protected by this SLA Domain. In-progress
tasks will be canceled immediately except when data transfer has started. Are you sure you want to
Pause Protection?”
5. Click Continue Anyway.
A confirmation message appears briefly to indicate the selected SLA Domain is paused. After the
message disappears, the Resume Protection button appears on the properties page of the SLA
Domain. On the Local SLA Domains page, a pause icon appears next to the paused SLA Domain.

Result
When an SLA Domain is paused, a message with this format appears in the Activity Log: “Pausing
protection tasks for all objects in SLA Domain ‘name’.”
If an SLA Domain is paused while a backup is in progress, a message appears in the Activity Log to
indicate that: “Pause Protection on SLA Domain name has caused the scheduled backup of Object name to
be canceled. Resume Protection on SLA Domain to resume backups.”

Resuming protection
Resume protection tasks of all objects assigned to a paused SLA Domain.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select SLA Domains > Local Domains.
The Local SLA Domains page appears. A pause icon provides a visual indicator next to each paused
SLA Domain.
3. Select the paused SLA Domain that can be resumed.
The properties page of the selected SLA Domain appears.
4. Click Resume Protection.
A confirmation dialog box appears with the message “This will resume all protection activity. Are you
sure you want to proceed?”
5. Click Resume.
A confirmation message appears briefly to indicate the selected SLA Domain has been resumed. After
the message disappears, the Pause Protection button appears on the properties page of the SLA
Domain.

Result
When an SLA Domain is resumed, a message appears in the Activity Log to indicate that protection tasks
for all objects in that SLA Domain have been resumed.

Retention Locked SLA Domains


Retention locks on a Rubrik SLA Domain prevent premature deletion of snapshots.
Snapshots for an SLA Domain with retention lock enabled cannot be deleted during the specified retention
period.
Assign data sources to an SLA Domain that has retention lock enabled to do the following:
• Provide compliance with SEC Rule 17a-4, which specifies data retention requirements for financial
securities companies.
• Ensure preservation of the non-rewritable and non-erasable snapshots of a data source that is assigned
to a retention-locked SLA Domain.
Enabling the Two-Person Rule (TPR) for editing Manage Retention Lock requires approval from an account
with the TPR approver role.
Related concepts
How retention lock works
The SLA Domain retention lock feature must be enabled by Rubrik Support. After the feature is enabled, a
toggle to apply retention lock appears on the Create SLA Domain page.
The two-person rule
The two-person rule provides additional data security on Rubrik CDM by ensuring that no individual user
can perform key operations on data without the approval of a secondary user.
Related tasks
Creating a retention locked SLA Domain
A retention lock prevents the retention period assigned to an SLA Domain from being reduced.
Related reference
TPR Approver role details
A user account with the TPR Approver role is responsible for approving or denying TPR requests.

How retention lock works


The SLA Domain retention lock feature must be enabled by Rubrik Support. After the feature is enabled, a
toggle to apply retention lock appears on the Create SLA Domain page.
A retention lock prevents the retention period assigned to an SLA Domain from being reduced. Only use
this feature when the minimum retention period for the SLA Domain is certain.
Once enabled for a given SLA Domain, the retention lock cannot be removed from that SLA Domain. No
user can delete retention-locked snapshots from an object, or shorten how long the snapshots are kept.
The following table describes the attributes of retention locked SLA Domains:

Topic: Retention-lock removal
A retention-locked SLA Domain cannot have the retention lock disabled.

Topic: Limits on field modification
When editing a retention-locked SLA Domain:
• The retention-locked SLA Domain cannot be deleted.
• The local retention period can be increased, but not reduced.
• Once added, replication and archival locations cannot be deleted or modified.
  For archival locations, the retention is governed by the archival threshold and maximum retention. The retention period can be decreased by increasing the archival threshold.
• Replication retention can be modified only if the new retention period is longer than the previous period.
• Instant Archive can be enabled but, once set, cannot be disabled.
• The frequency and retention policies of any SLA Domain rule can be increased, but not decreased. Decreasing the frequency and retention of the SLA Domain could prevent future snapshots, thus violating the initial compliance requirement.

Topic: SLA Domain assignment
Once a retention lock is assigned to an object, the following SLA Domain operations are not allowed on that object:
• New SLA Domain assignments that are not retention-locked
• Clear SLA Domain assignments
• Assignments of "No SLA Domain" or "Do Not Protect"
The following assignment operation is allowed:
New retention-locked SLA Domain assignments that have longer retention periods, higher snapshot frequency, or both compared to that of the original retention-locked SLA Domain.
If an object becomes a relic:
• Retention-locked SLA Domains associated with that relic carry over into snapshot retention. The SLA Domains can be edited based on SLA Domain rules, or a new SLA Domain can be assigned based on frequency retention rules.
• A retention-locked snapshot can be assigned to another retention-locked SLA Domain that has a longer retention period.
  If the snapshot is archived, the new SLA Domain should be configured to use the same archival location.
• A retention-locked snapshot cannot be assigned a new SLA Domain that is not retention-locked. The snapshot can, however, be assigned a more constrained retention-locked SLA Domain.
When an SLA Domain is converted to a retention-locked SLA Domain:
• The retention lock can be retroactively applied to existing policy-based snapshots.
• The retention of any snapshots taken before the SLA Domain was retention-locked remains unchanged if the updates to the SLA Domain are not retroactively applied to existing policy-based snapshots.

Topic: Reports
In reports, users can easily sort for objects that have been assigned retention-locked SLA Domains, because the naming convention indicates whether an SLA Domain has a retention lock.

Topic: Miscellaneous
• Removing a VM from a Rubrik cluster and then adding the VM back does not cause any retention-locked SLA Domain to be removed from the VM, as long as the linking for the VM is enabled for the vCenter.
• An external NTP clock must be used when the retention lock feature is enabled. Using the local clock is not allowed.

Related concepts
Examples: Restrictions on modifying retention locked SLA Domains
There are restrictions on the modification of retention locked SLA Domains.

Examples: Restrictions on modifying retention locked SLA Domains


There are restrictions on the modification of retention locked SLA Domains.

| Original SLA Domain | Modification to the SLA Domain | Reason |
| --- | --- | --- |
| Frequency = 1 hour, retention period = 5 hours; Frequency = 1 day, retention period = 5 days | Frequency = 1 hour, retention period = 6 hours; Frequency = 1 day, retention period = 4 days | The retention period for any frequency type cannot be reduced. |
| Frequency = 2 hour, retention period = 5 hours; Frequency = 2 day, retention period = 5 days | Frequency = 2 hour, retention period = 5 hours; Frequency = 2 day, retention period = 6 days | The frequency cannot be reduced. |
| Frequency = 1 hour, retention period = 5 hours; Frequency = 1 day, retention period = 5 days; Local cluster retention = 5 days | Frequency = 1 hour, retention period = 6 hours; Frequency = 1 day, retention period = 6 days; Local cluster retention = 4 days | The retention period for any location cannot be reduced. |
| Frequency = 1 hour, retention period = 5 hours; Frequency = 1 day, retention period = 5 days; Local cluster retention period = 5 days; Replication cluster retention period = 5 days | Frequency = 1 hour, retention period = 6 hours; Frequency = 1 day, retention period = 6 days; Local cluster retention period = 6 days; Replication cluster retention period = 4 days | The retention period for any location cannot be reduced. |
| Frequency = 1 hour, retention period = 5 hours; Replication cluster retention period = 4 hours; Replication location = replicationLocation1; Archival location = archivalLocation2 | Frequency = 1 hour, retention period = 6 hours; Replication cluster retention period = 6 days; Replication location = replicationLocation2; Archival location = archivalLocation2 | The existing archival or replication location cannot be modified. |
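The restrictions above can be checked before an edit to a retention-locked SLA Domain is submitted for approval. The following is an added example, not Rubrik code: the `Rule` and `SlaDomain` classes, the field names, and the day-based location retention are assumptions made for illustration, and the archival threshold is not modelled.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass
class Rule:
    every: int   # one snapshot every `every` units (1 hour, 2 days, ...)
    retain: int  # kept for `retain` of the same units


@dataclass
class SlaDomain:  # hypothetical model of the fields the restrictions mention
    rules: Dict[str, Rule]  # keyed by unit: "hour", "day", ...
    local_retention_days: Optional[int] = None
    replication_retention_days: Optional[int] = None
    replication_location: Optional[str] = None
    archival_location: Optional[str] = None
    instant_archive: bool = False
    retention_locked: bool = True


def check_locked_edit(original: SlaDomain, proposed: SlaDomain) -> List[str]:
    """Return the documented restrictions that the proposed edit would break."""
    problems: List[str] = []
    if not original.retention_locked:
        return problems  # the restrictions only apply once the lock is set
    if not proposed.retention_locked:
        problems.append("retention lock cannot be disabled")

    for unit, old in original.rules.items():
        new = proposed.rules.get(unit)
        if new is None:
            # Assumption: dropping a rule counts as decreasing its frequency.
            problems.append(f"{unit} rule removed")
            continue
        if new.retain < old.retain:
            problems.append(f"{unit} retention reduced: {old.retain} -> {new.retain}")
        if new.every > old.every:  # a longer interval is a lower frequency
            problems.append(
                f"{unit} frequency reduced: every {old.every} -> every {new.every}")

    for label, old_days, new_days in (
        ("local", original.local_retention_days, proposed.local_retention_days),
        ("replication", original.replication_retention_days,
         proposed.replication_retention_days),
    ):
        if old_days is not None and (new_days is None or new_days < old_days):
            problems.append(f"{label} retention reduced: {old_days} -> {new_days} days")

    for label, old_loc, new_loc in (
        ("replication", original.replication_location, proposed.replication_location),
        ("archival", original.archival_location, proposed.archival_location),
    ):
        # Adding a location is allowed; changing or deleting an existing one is not.
        if old_loc is not None and new_loc != old_loc:
            problems.append(f"{label} location changed: {old_loc} -> {new_loc}")

    if original.instant_archive and not proposed.instant_archive:
        problems.append("Instant Archive cannot be disabled once set")
    return problems


# Constructed sample data modelled on the rows of the table above.
ORIGINAL = SlaDomain(
    rules={"hour": Rule(1, 5), "day": Rule(1, 5)},
    local_retention_days=5,
    replication_retention_days=5,
    replication_location="replicationLocation1",
    archival_location="archivalLocation2",
)
GROWN = {"hour": Rule(1, 6), "day": Rule(1, 6)}


def table_examples() -> Dict[str, List[str]]:
    """Run the check over edits shaped like the table rows, plus one allowed edit."""
    edits = {
        "retention_cut": replace(ORIGINAL, rules={"hour": Rule(1, 6), "day": Rule(1, 4)}),
        "less_frequent": replace(ORIGINAL, rules={"hour": Rule(2, 5), "day": Rule(1, 5)}),
        "replication_cut": replace(ORIGINAL, rules=GROWN, local_retention_days=6,
                                   replication_retention_days=4),
        "target_swapped": replace(ORIGINAL, rules=GROWN,
                                  replication_location="replicationLocation2"),
        "allowed": replace(ORIGINAL, rules=GROWN, local_retention_days=6),
    }
    return {name: check_locked_edit(ORIGINAL, edit) for name, edit in edits.items()}


if __name__ == "__main__":
    for name, problems in table_examples().items():
        print(name, "->", problems or "allowed")
```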

Creating a retention locked SLA Domain


A retention lock prevents the retention period assigned to an SLA Domain from being reduced.

Procedure
1. Request Rubrik Support to enable the retention lock feature.
2. Log in to the Rubrik CDM web UI.
3. On the left-side menu, select SLA Domains > Local Domains.
The Local SLA Domains page appears.
4. Click the + icon.
The first page of the Create SLA Domains page appears. After Rubrik Support has enabled the
retention lock feature, the Retention Lock switch is visible in the upper-right corner of the page.
Hover over the adjacent information icon for information about restrictions associated with a retention
lock.
5. Configure the policies of the SLA Domain.
Creating a custom SLA Domain describes how to do this.
6. Click Create.
A confirmation dialog box appears, warning that the retention lock feature significantly limits future
changes to the SLA Domain.
7. On the Submit Two-Person Rule Request dialog box, click Submit.
The Submit Two-Person Rule Request dialog box appears only when Manage Retention Lock is enabled
on the Two-Person Rule Controlled Action page. Otherwise, you will not see this dialog box.
The Two-Person Rule generates a review request. When the request is approved, the Rubrik cluster
applies the requested action. When the request is denied, the Rubrik cluster rejects the requested
action.

Result
After the Rubrik cluster enables a retention-locked SLA Domain, the Retention Lock switch for that SLA
Domain is no longer a switch, and the wording changes to Retention Locked SLA. Hover over the adjacent
information icon for additional information.
Related concepts
Retention Locked SLA Domains
Retention locks on a Rubrik SLA Domain prevent premature deletion of snapshots.
The two-person rule
The two-person rule provides additional data security on Rubrik CDM by ensuring that no individual user
can perform key operations on data without the approval of a secondary user.
Related reference
TPR Approver role details
A user account with the TPR Approver role is responsible for approving or denying TPR requests.

Chapter 7
Backup Verification

Backup Verification

Backup Verification enables administrators to verify local backups on a Rubrik cluster through the Rubrik
REST API.
Backup Verification validates that the data in the snapshot or backup matches the data on the protected
object. Additionally, the ability to verify backups facilitates compliance with data assurance requirements.
The Rubrik REST API provides an endpoint that can be used in customer-side scripts to automatically
initiate an individual or batch snapshot verification job. As the verification proceeds, the Rubrik cluster
displays the series of events for the verification process in the Activity Log. For those events the Rubrik
cluster uses the Event-Type label:

Diagnostic
Upon completion, the Backup Verification process generates a downloadable CSV file with the results.
The Backup Verification process verifies snapshots and backups that reside on the Rubrik cluster, and does
not verify snapshots and backups on a replication target or an archival location.
The Backup Verification process is asynchronous and does not impact other backup related jobs. The
Rubrik cluster supports only one Backup Verification job per node, at any given time. For the ability to run
more than one process at the same time, contact Rubrik Support.
A single Backup Verification job can verify up to five snapshots of a protectable object at a time. The
snapshots may be on-demand snapshots or policy-based snapshots. The snapshots have to belong to the
same protectable object. For example, the request payload of a Backup Verification API will take up to five
IDs for snapshots of a fileset object. The API will not accept a payload with three IDs for snapshots of a
fileset object and two IDs for snapshots of a Managed Volumes object.
The Backup Verification process can verify backups and snapshots for the following protected object types:
• vSphere virtual machines
• Filesets and volume groups
• Managed Volumes and SLA Managed Volumes
• SQL Server databases
• Oracle databases
• Hyper-V virtual machines
• AHV virtual machines

Authorizing a Rubrik REST API session
Obtain an authorization token and create an authorized session in the Rubrik REST API playground.

Context
This topic describes how to obtain an authorization token and enable an authorized session in the Rubrik
REST API playground. A similar process can be used to authenticate a Rubrik REST API session for any
REST API client software or requesting system.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the account name in the upper-right corner and select API Token Manager.
3. On the API Token Manager page, click +.
The Generate API Token window opens.
4. Enter the duration and tag requirements and click Generate.
The Copy API Token window opens.
5. Click Copy.
6. Paste the token in a scratch file.
7. In a web browser, open the Rubrik REST API playground page.
Open https://RubrikCluster/docs/branch/playground/.
Where:
• RubrikCluster is the IPv4 address or resolvable hostname of the Rubrik cluster.
• branch is the name of the branch that has the relevant API. For example: internal, v1, v2, or v3.
8. On the Rubrik REST API playground page, click Authorize.
The Available authorizations dialog box appears.
9. In Value in the Bearer (apiKey) section, type Bearer, a space, and paste the token.

Bearer
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI3NzdhNjMyYy1lOWU5LTQ2Nj
UtYTU1YS02Nm2MDcifQ.gBoPXfCzTB6WMtzRZUtIl-X-hVVtk0N_uizMFoQdfpA

10. Click Authorize.


11. Click Close.

Result
The Rubrik REST API server creates an authorized session. The web browser stores the session key and
automatically adds it to all requests sent during the session.

Backup Verification API attributes


The required and optional attributes for a POST /backup/verify request.

| Attribute | Required | JSON type | Description |
| --- | --- | --- | --- |
| objectId | Required | String | ID of the protected object to verify. |
| snapshotIdsOpt | Optional | Array of strings | Comma-separated list of snapshot IDs that need verification. By default, the latest snapshot is verified. Provide up to five snapshot IDs at a time. |
| locationIdOpt | Optional | String | ID for the location where the snapshot data resides. Currently, must be the ID of the controlling Rubrik cluster, which is the default. |

Related Tasks
Verifying backups using API
Use the Rubrik REST API to verify the backup of a protected object.

Obtaining object ID from UI


Obtain the ID for a protectable object from the Rubrik CDM web UI.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Navigate the left-side menu and locate the menu item that identifies the type of the protectable
object.
For example, to obtain the ID for a vSphere virtual machine, click Virtual Machines > vSphere
VMs.
A page appears with a list of objects of the selected type. The page may have multiple tabs for each
sub-type of the protectable object type.
3. Select an object from the list.
Type a string into the search field to search for an object by name, or use the filters at the top of the
list.
The management page for the selected object appears.
4. In the URL of the management page, note the identifier that begins with the string
$object_type:::.
Where, $object_type is the type of the protectable object.
The identifier in the URL is the ID for the object.
For example, the ID for a vSphere virtual machine is of the form:

VirtualMachine:::868aa03d-4145-4cb1-808b-e10c4f7a3741-vm-128843

Result
The ID for a protectable object is available to use with Rubrik REST API endpoints.

Obtaining object ID using API


Use the Rubrik REST API to obtain the ID for a protectable object.

Prerequisites
Create an authorized Rubrik REST API session.

Context
This task describes how to get the ID for a protectable object from the Rubrik REST API playground.
Actions similar to those in this topic can be used to perform the same task from any REST API client
software or requesting system.

Procedure
1. Open https://$RubrikCluster/docs/$branch/playground/.
2. Click the endpoint that represents the protectable object.
For example, to obtain the ID for a fileset object, click /fileset.
The listing expands to show all operations for that endpoint.
3. Open the endpoint listing.
Click GET /$object_type.
Where, $object_type is the type of the protectable object.
The endpoint listing displays a list of parameters.
4. Click Try it out.
The parameters become editable.
5. Click Execute.
The REST API call returns a JSON representation of the protectable object. The data array in the
response body supplies the details for each object.
6. In the data array, use the name element to locate a specific object.
The corresponding id element has the ID for the object. The ID has the form
$object_type:::$uuid.
For example, the ID for a fileset is of the form:

Fileset:::5f928a2d-6e9e-424c-a0bd-ef7188d603e3

7. Optional: To obtain IDs for snapshots of the object, click GET /$object_type/{id}.
Use the object ID obtained in the previous step as the value for the {id} parameter and invoke the API.
The Rubrik REST API server responds with the details of the specified object. The snapshots array
in the response includes a list of snapshot objects. The value of the id element is the ID for the
snapshot.

Result
The ID for a protectable object is available to use with other Rubrik REST API endpoints.
Related Tasks
Authorizing a Rubrik REST API session
Obtain an authorization token and create an authorized session in the Rubrik REST API playground.

Verifying backups using API


Use the Rubrik REST API to verify the backup of a protected object.

Prerequisites
1. Create an authorized Rubrik REST API session. To use the Rubrik REST API playground for this task,
authorize the session on the "v1" API branch.
2. Obtain the ID for a protected object to verify backups.

Context
This task describes how to start a Backup Verification process from the Rubrik REST API playground.
Actions similar to those in this topic can be used to perform the same task from any REST API client
software or requesting system.

Procedure
1. Open https://$RubrikCluster/docs/v1/playground/.
2. Click /backup.
The listing expands to show all operations for that endpoint.
3. Click POST /backup/verify.
The endpoint listing displays a list of parameters.
4. Click Try it out.
The JSON object for verification_parameters becomes editable.
5. In verification_parameters, edit the JSON object to include the objectId that corresponds to the
ID of the protected object.
Remove optional attributes that do not apply to the current use case.
For example, the JSON object to verify the latest backup of a Fileset:

{
"objectId": "Fileset:::$fileset-uuid"
}

Include the optional attribute, snapshotIdsOpt, to verify up to five snapshots of the object
identified by the objectId attribute.
For example, the JSON object to verify the snapshots of a Fileset:

{
"objectId": "Fileset:::$fileset-uuid",
"snapshotIdsOpt": [
"$snapshot1_id",
"$snapshot2_id",
"$snapshot3_id",
"$snapshot4_id",
"$snapshot5_id"
]
}

6. Click Execute.
The Backup Verification job starts and the Rubrik REST API server responds
with the job details that include the job ID, status, progress, and the ID for the
node where the object belongs. The Backup Verification job ID has the form
BACKUP_INTEGRITY_VERIFICATION_$backup_verification_uuid. The response also
includes the IDs for all the event series that correspond to the snapshots being verified.
7. Optional: Use the GET /event_series/{id} endpoint to retrieve the details of each snapshot
verification job.
8. The Activity Log displays the status of the Backup Verification process.

Result
The Rubrik cluster generates a CSV file with the results of the Backup Verification process when the
process completes. The event series in the Activity Log includes an icon to download the CSV file.

Next task
Download the CSV file and view the results of the Backup Verification process.

Related Tasks
Authorizing a Rubrik REST API session
Obtain an authorization token and create an authorized session in the Rubrik REST API playground.
Obtaining object ID from UI
Obtain the ID for a protectable object from the Rubrik CDM web UI.
Obtaining object ID using API
Use the Rubrik REST API to obtain the ID for a protectable object.
Related reference
Backup Verification API attributes
The required and optional attributes for a POST /backup/verify request.
Backup Verification result
After a Backup Verification task the Rubrik cluster creates a CSV file containing fields with the results of the
task.

Getting the status of a Backup Verification job


Use the Rubrik REST API to get the status of a Backup Verification job.

Prerequisites
1. Create an authorized Rubrik REST API session. To use the Rubrik REST API playground for this task,
authorize the session on the "v1" API branch.
2. Start a Backup Verification process and obtain the Backup Verification job ID.

Context
This task describes how to get the status of a Backup Verification process from the Rubrik REST API
playground. Actions similar to those in this topic can be used to perform the same task from any REST API
client software or requesting system.

Procedure
1. Open https://$RubrikCluster/docs/v1/playground/.
2. Click /backup.
The listing expands to show all operations for that endpoint.
3. Click GET /backup/verify/{id}.
The endpoint listing displays a list of parameters.
4. Click Try it out.
The parameters become editable.
5. In id, type the {id} of the Backup Verification job.
Where {id} is the backup verification job ID.
The ID has the form:
BACKUP_INTEGRITY_VERIFICATION_$backup_verification_uuid
Where the portion $backup_verification_uuid is the backup verification job ID.
6. Click Execute to send the request.

Result
The Rubrik REST API server responds with the status of the Backup Verification job, including ID, status,
start time, node ID, and a link to the request. The response also includes the end time and a link to the
CSV file with results, when the job is done.

Related Tasks
Authorizing a Rubrik REST API session
Obtain an authorization token and create an authorized session in the Rubrik REST API playground.
Verifying backups using API
Use the Rubrik REST API to verify the backup of a protected object.
Related reference
Backup Verification result
After a Backup Verification task the Rubrik cluster creates a CSV file containing fields with the results of the
task.

Backup Verification result


After a Backup Verification task the Rubrik cluster creates a CSV file containing fields with the results of the
task.

| Column name | Description |
| --- | --- |
| Snapshot ID | ID of the verified snapshot |
| Object Type | Type of protected object. For example, Fileset. |
| Object Name | Name of the protected object |
| SLA Domain | Name of the SLA Domain that protects the object |
| Start Time | Time when the Backup Verification job starts |
| End Time | Time when the Backup Verification job completes |
| Status | PASSED or FAILED |
| Failure Reason | Provides the reason in case of failures. The value is "Not Applicable" in case of successful completion. |
| Content Identifier | Hash value of the content IDs used for Backup Verification |
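A script that consumes the results file should reconcile it against the snapshot IDs it asked to verify and treat anything other than PASSED as a failure. The following is an added example, not Rubrik code: it assumes the CSV header row uses the column names from the table above, and the sample rows, times, and hash placeholders are constructed.

```python
import csv
import io
from typing import Dict, Iterable, List

# Column names taken from the result table; assumed to match the CSV header row.
EXPECTED_COLUMNS = [
    "Snapshot ID", "Object Type", "Object Name", "SLA Domain", "Start Time",
    "End Time", "Status", "Failure Reason", "Content Identifier",
]


def review_results(csv_text: str, requested_snapshot_ids: Iterable[str]) -> Dict[str, List]:
    """Compare a Backup Verification result CSV with the snapshots that were requested."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in EXPECTED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"result file is missing columns: {missing}")

    requested = list(requested_snapshot_ids)
    report: Dict[str, List] = {"passed": [], "failed": [], "not_reported": [], "unrequested": []}
    seen = set()
    for row in reader:
        snapshot_id = row["Snapshot ID"].strip()
        status = row["Status"].strip()
        seen.add(snapshot_id)
        if snapshot_id not in requested:
            report["unrequested"].append(snapshot_id)
        if status == "PASSED":
            report["passed"].append(snapshot_id)
        else:
            # Fail closed: FAILED and any unexpected status both count as failures.
            reason = row["Failure Reason"].strip()
            if status != "FAILED":
                reason = f"unexpected status {status!r}"
            report["failed"].append((snapshot_id, reason or "no reason given"))
    # A snapshot that was requested but never appears must not be counted as verified.
    report["not_reported"] = [s for s in requested if s not in seen]
    return report


def all_verified(report: Dict[str, List]) -> bool:
    """True only when every requested snapshot passed and nothing unexpected appeared."""
    return not (report["failed"] or report["not_reported"] or report["unrequested"])


# Constructed sample file; IDs, times, and hash placeholders are not real values.
SAMPLE_CSV = """\
Snapshot ID,Object Type,Object Name,SLA Domain,Start Time,End Time,Status,Failure Reason,Content Identifier
snap-0001,Fileset,etc-configs,Gold,2022-05-25T01:00:00Z,2022-05-25T01:04:10Z,PASSED,Not Applicable,constructed-hash-1
snap-0002,Fileset,etc-configs,Gold,2022-05-25T01:04:11Z,2022-05-25T01:09:30Z,FAILED,Constructed failure reason,constructed-hash-2
"""

if __name__ == "__main__":
    result = review_results(SAMPLE_CSV, ["snap-0001", "snap-0002", "snap-0003"])
    print(result)
    print("all verified:", all_verified(result))
```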

HTTP status codes


HTTP status codes in the Backup Verification API response.

| Status Code | Description |
| --- | --- |
| 200 OK | The request is successful and the Rubrik REST API server returns the response. |
| 401 Unauthorized | The request fails due to the failure of user authentication. |
| 403 Forbidden | The request fails because the requestor has insufficient authorization to perform the requested action. |
| 422 Unprocessable Entity | The request fails due to one of the following errors: the request includes an invalid object ID or snapshot ID; the request includes more than five snapshot IDs; the request includes an ID for an object that does not have any snapshots; the request includes a value for the location ID that is not the ID of the controlling Rubrik cluster. |
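A customer-side script can enforce the documented request constraints before calling POST /backup/verify, so that malformed requests never reach the cluster. The following is an added example, not Rubrik code: the `/api/v1` base path, the environment variable names, and the ID shape checks are assumptions, and no response field names are assumed.

```python
import json
import os
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict, List, Optional

MAX_SNAPSHOT_IDS = 5                                  # documented per-request limit
OBJECT_ID = re.compile(r"^[A-Za-z]+:::[\w-]+$")       # shape check: $object_type:::$id
JOB_ID = re.compile(r"^BACKUP_INTEGRITY_VERIFICATION_\S+$")
HOST = re.compile(r"^[A-Za-z0-9.-]+$")                # bare IPv4 address or hostname

# Meanings taken from the status code table above.
STATUS_MEANING = {
    401: "user authentication failed",
    403: "insufficient authorization for the requested action",
    422: "invalid object or snapshot ID, more than five snapshot IDs, object "
         "without snapshots, or a location ID other than the controlling cluster",
}


def build_verify_payload(object_id: str, snapshot_ids: Optional[List[str]] = None,
                         location_id: Optional[str] = None) -> Dict:
    """Build the verification_parameters object, rejecting inputs that would earn a 422."""
    if not OBJECT_ID.match(object_id):
        raise ValueError(f"object ID is not of the form $object_type:::$id: {object_id!r}")
    payload: Dict = {"objectId": object_id}
    if snapshot_ids:
        if len(snapshot_ids) > MAX_SNAPSHOT_IDS:
            raise ValueError(f"at most {MAX_SNAPSHOT_IDS} snapshot IDs per request")
        if len(set(snapshot_ids)) != len(snapshot_ids):
            raise ValueError("duplicate snapshot IDs")
        if any(not s or not s.strip() for s in snapshot_ids):
            raise ValueError("empty snapshot ID")
        payload["snapshotIdsOpt"] = list(snapshot_ids)
    if location_id is not None:
        payload["locationIdOpt"] = location_id  # must be the controlling cluster's ID
    return payload


def batch_payloads(object_id: str, snapshot_ids: List[str]) -> List[Dict]:
    """Split a longer snapshot list for one object into requests of at most five IDs.

    Send the batches one after another: the cluster runs one job per node at a time.
    """
    if len(set(snapshot_ids)) != len(snapshot_ids):
        raise ValueError("duplicate snapshot IDs")
    return [build_verify_payload(object_id, snapshot_ids[i:i + MAX_SNAPSHOT_IDS])
            for i in range(0, len(snapshot_ids), MAX_SNAPSHOT_IDS)]


def _base(cluster: str) -> str:
    if not HOST.match(cluster):
        raise ValueError("cluster must be a bare IPv4 address or hostname")
    return f"https://{cluster}/api/v1"  # assumption: REST base path for the v1 branch


def verify_request(cluster: str, token: str, payload: Dict) -> urllib.request.Request:
    """POST /backup/verify with the API token sent as a Bearer credential."""
    return urllib.request.Request(
        _base(cluster) + "/backup/verify", data=json.dumps(payload).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})


def status_request(cluster: str, token: str, job_id: str) -> urllib.request.Request:
    """GET /backup/verify/{id} for a job ID of the documented form."""
    if not JOB_ID.match(job_id):
        raise ValueError("job ID must start with BACKUP_INTEGRITY_VERIFICATION_")
    return urllib.request.Request(
        _base(cluster) + "/backup/verify/" + urllib.parse.quote(job_id, safe=""),
        method="GET", headers={"Authorization": f"Bearer {token}"})


def send(request: urllib.request.Request) -> Dict:
    """Send a request (certificate verification stays on) and explain documented errors."""
    try:
        with urllib.request.urlopen(request, timeout=30) as response:
            return json.loads(response.read().decode())
    except urllib.error.HTTPError as err:
        meaning = STATUS_MEANING.get(err.code, err.reason)
        raise RuntimeError(f"HTTP {err.code}: {meaning}") from err


if __name__ == "__main__":
    payload = build_verify_payload("Fileset:::5f928a2d-6e9e-424c-a0bd-ef7188d603e3")
    # Hypothetical variable names; keeps the token out of the script and shell history.
    cluster, token = os.environ.get("RUBRIK_CLUSTER"), os.environ.get("RUBRIK_API_TOKEN")
    if cluster and token:
        print(send(verify_request(cluster, token, payload)))
    else:
        print("dry run:", json.dumps(payload))
```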

Chapter 8
Replication

Replication

The replication feature directs the Rubrik cluster to send replicas of source snapshots or backups to a
target Rubrik cluster and defines the maximum time to keep the replica on each cluster.
When a replication policy is enabled for a local SLA Domain, the remote Rubrik cluster (target Rubrik
cluster) rapidly copies the snapshot and backup data for that SLA Domain from the local Rubrik cluster
(source Rubrik cluster).
A source Rubrik cluster and a target Rubrik cluster use the Transport Layer Security (TLS) protocol to
encrypt all replication data in-flight.
A Rubrik cluster can have multiple target Rubrik clusters. Each SLA Domain on the source can direct
replication to the target that best accomplishes business goals.
A Rubrik cluster can be the target for many source Rubrik clusters.
When issues interfere with the network connection between the source Rubrik cluster and a target Rubrik
cluster, the replication task is retried. The Rubrik cluster retries the task every 30 seconds, with up to 20
retries. This provides the ability to handle up to 10 minutes of network downtime before the task fails.

Important: When constraints, such as limited bandwidth, interfere with the completion of all of the
replication tasks that are specified for an SLA Domain, the Rubrik cluster may skip replication of older
snapshots and backups to ensure that the newest data is successfully replicated. In this scenario the SLA
does not govern the retention policy. Older snapshots that are outside of the local retention policy are
deleted.

Related concepts
Network Throttling
Rubrik CDM provides settings for replication and archiving that can be used to specify the maximum
bandwidth allowed for outbound traffic.
Replication throttling bypass
The Rubrik REST API can be used to bypass the network throttle to provide more bandwidth for
replication.

Replication policy workflow


Adding a replication policy to an SLA Domain follows a set workflow.
The replication workflow is:
1. Set up a target Rubrik cluster.
2. Enable replication for the SLA Domain.
3. Select a target Rubrik cluster.
4. Select the retention period for the data on the target.
5. Modify the retention period for the data that is retained locally on the source Rubrik cluster.

Replication target setup
A Rubrik cluster can replicate data to other Rubrik clusters. To use a Rubrik cluster as a replication target,
the source Rubrik cluster must be provided with information about the target.
A Rubrik cluster can have multiple target Rubrik clusters. After at least one target Rubrik cluster is
successfully set up, the source Rubrik cluster makes replication policy settings available for local SLA
Domains. An SLA Domain on the Rubrik cluster can be configured to use any of the available targets.
Communication between the source Rubrik cluster and the target Rubrik cluster can use either of the
following addressing methods:
• Private network
• Network address translation (NAT)
For private network addressing, the source and target cluster IP addresses must be static. For NAT, the
source and target clusters can use floating IP addresses.

Replication using a private network


To perform replication, a source Rubrik cluster can optionally communicate with a target Rubrik cluster
through a private network.
To replicate to a target Rubrik cluster through a private network, the source Rubrik cluster sends data
packets to the static IPv4 address of the target Rubrik cluster, and the target Rubrik cluster sends data
packets to the static IPv4 address of the source Rubrik cluster.

Note: When private IPv4 addressing is used, this method carries the potential for IP address conflicts
between the source Rubrik cluster and the target Rubrik cluster. To avoid this problem, be sure each
cluster uses different static IPv4 addresses.

Setting up replication using a private network


Provide the source Rubrik cluster with the required information about the target Rubrik cluster to enable
replication over a private network.

Prerequisites
For the source and the target, ensure that the network meets the port requirements described in Ports.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Replication Targets.
The Manage Replication page appears.
4. Click the + icon.
The static address view of the Add Remote Cluster dialog box appears.
5. In Target Cluster IP, type one of the IPv4 addresses of the target Rubrik cluster.
Do not use a floating IP address for the target Rubrik cluster IP.
6. In Target Cluster Username, type the username for an account on the target Rubrik cluster that
has the Admin role.
For Active Directory domain users, the format is domain name followed by username, separated by a
space.
7. In Target Cluster Password, type the password for the account.
8. Click Add.
The source Rubrik cluster tests the replication information.
9. Leave the Advanced Setting field empty.
The Advanced Setting field is available for administrators in case a successful configuration requires
the target replication Rubrik cluster certificate path.
If an administrator must enter the target replication Rubrik cluster certificate path, then replication
setup completes successfully, using the target replication Rubrik cluster certificate path.

Result
After a successful test, the source Rubrik cluster adds the replication relationship to the Replication
Clusters section of the Manage Replication page. The target Rubrik cluster also adds the replication
relationship to its Manage Replication page.

Replication using NAT


To perform replication, a source Rubrik cluster can communicate with a target Rubrik cluster by using NAT.
For replication with NAT to work properly, all devices in the network configuration must comply with
Network Address Port Translation (NAPT) as defined in RFC 2663. NAPT is a subset of NAT that permits
multiple private addresses and ports to be mapped to a single public address.
During replication, the source Rubrik cluster and the target Rubrik cluster communicate with each other
using one-to-multiple NAPT. This means that the Rubrik cluster utilizes a single public address and one or
more ports that are mapped to one or more private addresses.
When replication is performed over NAT, the source Rubrik cluster sends data packets destined for the
target Rubrik cluster using the following process.
1. The source Rubrik cluster sends the data packet to a specified port on the gateway for the target
Rubrik cluster.
The specified port is reserved for routing replication requests and acknowledgments.
2. The gateway device forwards the data packet to one of the private IP addresses that is assigned to a
node on the target Rubrik cluster.
3. The target Rubrik cluster provides the data packet to the appropriate service and node on the target
Rubrik cluster.
The process is reversed for data packets sent from the target Rubrik cluster to the source Rubrik cluster.
1. The target Rubrik cluster sends the data packet to a specified port on the gateway for the source
Rubrik cluster.
2. The gateway device forwards the data packet to one of the private IP addresses that is assigned to a
node on the source Rubrik cluster.
3. The source Rubrik cluster provides the data packet to the appropriate service and node on the source
Rubrik cluster.

NAT replication requirements
Replication with NAT requires dedicated replication ports and port forwarding rules.

Requirement               Description

Assign ports on the       Assign incoming ports on the target gateway specifically for the replication
target gateway            processes. Each dedicated “replication” port on the target gateway receives
                          data packets from the source Rubrik cluster.
                          A minimum of one “replication” port on the target gateway is required, up to a
                          maximum of the number of Rubrik nodes on the target Rubrik cluster.
                          To provide redundancy, Rubrik recommends at least two “replication” ports on
                          the target gateway.

Port forwarding rules on  The target gateway uses port forwarding rules to forward the data packets
the target gateway        received on a target gateway “replication” port.
                          The target gateway forwards the data packets to port 7785 of the associated
                          private IP address that is assigned to a Rubrik node on the target Rubrik
                          cluster.

Assign ports on the       Assign incoming ports on the source gateway specifically for the replication
source gateway            processes. Each dedicated “replication” port on the source gateway receives
                          data packets from the target Rubrik cluster.
                          A minimum of one “replication” port on the source gateway is required, up to a
                          maximum of the number of Rubrik nodes on the source Rubrik cluster.
                          To provide redundancy, Rubrik recommends at least two “replication” ports on
                          the source gateway.

Port forwarding rules on  The source gateway uses port forwarding rules to forward the data packets
the source gateway        received on a source gateway “replication” port.
                          The source gateway forwards the data packets to port 7785 of the associated
                          private IP address that is assigned to a Rubrik node on the source Rubrik
                          cluster.
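
The following is an added example, not Rubrik code, that checks a planned gateway configuration against the NAT replication requirements above before the values are entered in the web UI. The data model (a dictionary of forwarding rules per gateway), the function names, and all sample addresses and gateway ports are assumptions made for the illustration.

```python
from ipaddress import ip_address

NODE_REPLICATION_PORT = 7785  # node-side port named in the requirements above


def parse_port_list(text):
    """Parse a comma-separated port list as typed into a Gateway Ports field."""
    if not text.strip():
        return []
    ports = []
    for item in text.split(","):
        item = item.strip()
        if not (item.isascii() and item.isdigit()) or not 1 <= int(item) <= 65535:
            raise ValueError(f"not a valid port: {item!r}")
        ports.append(int(item))
    return ports


def check_gateway(side, ports, forwarding_rules, node_ips):
    """Check one gateway against the requirements table.

    ports:            replication ports assigned on this gateway
    forwarding_rules: {gateway_port: (destination_ip, destination_port)}
    node_ips:         private IPs of the Rubrik nodes behind this gateway
    Returns (errors, warnings) as two lists of strings.
    """
    errors, warnings = [], []
    nodes = {ip_address(ip) for ip in node_ips}

    if not ports:
        errors.append(f"{side}: at least one replication port is required")
    elif len(ports) == 1:
        warnings.append(f"{side}: only one replication port; two or more give redundancy")
    if len(ports) > len(nodes):
        errors.append(f"{side}: {len(ports)} replication ports exceed {len(nodes)} cluster nodes")
    if len(set(ports)) != len(ports):
        errors.append(f"{side}: duplicate replication port in list")

    for port in sorted(set(ports)):
        rule = forwarding_rules.get(port)
        if rule is None:
            errors.append(f"{side}: port {port} has no forwarding rule")
            continue
        dest_ip, dest_port = rule
        if ip_address(dest_ip) not in nodes:
            errors.append(f"{side}: port {port} forwards to {dest_ip}, not a cluster node")
        if dest_port != NODE_REPLICATION_PORT:
            errors.append(
                f"{side}: port {port} forwards to node port {dest_port}, "
                f"expected {NODE_REPLICATION_PORT}"
            )
    return errors, warnings


# Constructed sample plan: every address and gateway port below is made up.
TARGET = {
    "ports": "8001, 8002",
    "rules": {8001: ("10.20.0.11", 7785), 8002: ("10.20.0.12", 7785)},
    "nodes": ["10.20.0.11", "10.20.0.12", "10.20.0.13", "10.20.0.14"],
}
SOURCE = {  # deliberately wrong: single port, wrong destination host and port
    "ports": "9001",
    "rules": {9001: ("10.10.0.50", 443)},
    "nodes": ["10.10.0.21", "10.10.0.22", "10.10.0.23"],
}


def check_plan(source, target):
    """Run the checks for both gateways and return {side: (errors, warnings)}."""
    report = {}
    for side, gw in (("source", source), ("target", target)):
        ports = parse_port_list(gw["ports"])
        report[side] = check_gateway(side, ports, gw["rules"], gw["nodes"])
    return report


if __name__ == "__main__":
    for side, (errors, warnings) in check_plan(SOURCE, TARGET).items():
        for message in errors:
            print("ERROR  ", message)
        for message in warnings:
            print("WARNING", message)
        if not errors and not warnings:
            print("OK     ", side)
```

A forwarding rule that points a replication port at a host outside the cluster or at a port other than 7785 is reported as an error, because it would expose or misroute a gateway port that is meant to carry replication traffic only.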

Setting up replication using NAT


Provide the source Rubrik cluster with the required information to enable replication using NAT.

Prerequisites
For source and target Rubrik clusters, make the gateway ports and port forwarding rules described in NAT
replication requirements available.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Replication Targets.
4. Click the + icon.
The Add Remote Cluster dialog box appears.
5. Select NAT.
The NAT view of the Add Remote Cluster dialog box appears.
6. In Source Gateway IP, type the local IPv4 address of the source gateway device.
Use the public IPv4 address of the source gateway device that sends replicated data to the target
gateway device.
7. In Target Gateway IP, type the local IPv4 address of the target gateway device.
Use the public IPv4 address of the target gateway device that receives replicated data from the source
gateway device.
8. In Source Gateway Ports, type a comma-separated list of the ports on the source gateway that are
specified for Rubrik cluster replication.
There must be at least one port, and the number of ports should not exceed the number of Rubrik
nodes on the target Rubrik cluster. For each port, the gateway must have a port forwarding rule that
directs packets to the IP address of a Rubrik node on the source Rubrik cluster.
9. In Target Gateway Ports, type a comma-separated list of the ports on the target gateway that are
specified for Rubrik cluster replication.
There must be at least one port, and the number of ports should not exceed the number of Rubrik
nodes on the target Rubrik cluster. For each port, the gateway must have a port forwarding rule that
directs packets to the IP address of a Rubrik node on the target Rubrik cluster.
10. In Target Cluster Username, type the username for an account on the target Rubrik cluster that
has the Admin role.
11. In Target Cluster Password, type the password for the account.
The source Rubrik cluster tests the replication information.
12. Leave the Advanced Setting field empty.
The Advanced Setting field is available for administrators in case a successful configuration requires
the target replication Rubrik cluster certificate path.
If an administrator must enter the target replication Rubrik cluster certificate path, then replication
setup completes successfully, using the target replication Rubrik cluster certificate path.

Result
After a successful test, the source Rubrik cluster adds the replication relationship to the Replication
Clusters section of the Manage Replication page. The target Rubrik cluster also adds the replication
relationship to its Manage Replication page.

Removing a replication target


Remove a replication target to prevent replication to that target.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Replication Targets.
The Manage Replication page appears.
4. In the Replication Clusters section, open the ellipsis menu next to the name of the target Rubrik
cluster.
5. Click Delete.
A confirmation message appears.
6. Click OK.
The local Rubrik cluster removes the replication target.

Result
After removing a target, the replicas on that target become unmanaged objects. The replicas must be
manually managed through the Snapshot Management page of the target Rubrik cluster.

Replication policy
Enable a replication policy for an SLA Domain to replicate the snapshot and backup data of the source
objects that are protected by the SLA Domain.
A replication policy specifies a replication target and determines how long replicas are kept on the target.
Replication policy is optional for an SLA Domain.
After enabling a replication policy, a slider provides two alternative settings that determine how long
replicas are kept. The first alternative specifies that only the most recent replica is kept. The second
alternative specifies that replicas are kept for the retention period that is specified by the slider’s position,
up to the Maximum Retention Period of the SLA Domain.

Note: The replication policies of SLA Domains assigned to data sources that use Direct Archive do not
apply to snapshots of those data sources. Replication for snapshots that use Direct Archive is not available
because the Rubrik cluster does not store such snapshots in cluster storage.

Slider setting                    Replica retention

Far left, null position           Retained until another replica is created.
Any position except the far left  The period defined by the position of the slider, up to the Maximum
                                  Retention Period of the SLA Domain

Locally stored snapshots expire according to the Retention on Brik setting, even when the snapshot was
not successfully replicated.
Related tasks
Configuring replication policy for an SLA Domain
Configure the replication policy for an SLA Domain when creating a custom SLA Domain or when editing
any SLA Domain.

Configuring replication policy for an SLA Domain


Configure the replication policy for an SLA Domain when creating a custom SLA Domain or when editing
any SLA Domain.

Prerequisites
Configure at least one replication target for the Rubrik cluster. Replication target setup describes how to
create a replication target.

Context
These changes determine how long the Rubrik cluster retains replication snapshots or backups on a target
cluster and which replication snapshots or backups are automatically expired by the Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select SLA Domains > Local Domains.
The Local SLA Domains page appears.
3. Complete one of the following to add or modify a replication policy for an SLA Domain:
• For a new custom SLA Domain, click the + icon and configure the other fields on the Create New
SLA Domain dialog box.
• For an existing SLA Domain, on the Local SLA Domains page, select the SLA Domain. The
properties page for the selected SLA Domain appears. Open the ellipsis menu, and select Edit.
4. Complete the Service Level Agreement for the SLA Domain.
5. Click Next.
The Set Archiving and Replication page of the Create SLA Domain wizard appears.
6. In Replication, click the toggle.
The replication slider becomes available.
7. Select a replication target.
8. Move the position of the replication slider.
• Leave the slider in the leftmost position.
This position specifies that only the most recent replica is kept on the target Rubrik cluster.
• Move the slider to the right to define a replication retention period.
9. Optional: Click the + icon to configure a second replication target.
SLA Domains support up to two replication targets.
10. (When configuring a second replication target) Repeat Step 7 and Step 8.
11. Complete any other changes.
12. Click Next.
The Review Impact page appears.
13. (Edit SLA Domain only) In Apply changes to existing snapshots, choose a setting.
• Accept the default setting to apply changes to the existing snapshots.
• Clear the setting to leave the retention policy of existing snapshots unchanged.
14. Click Create or Edit.

Result
The Rubrik cluster adds the replication policy to the SLA Domain and applies it to subsequent snapshots for
protected objects assigned to the SLA Domain.
When Apply to existing snapshots is selected, the Rubrik cluster also applies the archival policy to
existing snapshots of the protected objects.
Related concepts
Custom SLA Domains

Replication policy changes


Editing an SLA Domain results in a variety of changes that impact the replication policy.
These changes determine how long the Rubrik cluster retains replication snapshots or backups on a target
cluster and which replication snapshots or backups are automatically expired by the Rubrik cluster.
Possible changes that impact a replication policy include:
• Replication policy disabled
• Replication policy re-enabled
• Replication retention period increased
• Replication retention period decreased

Replication policy disabled
When the replication policy is disabled, the Rubrik cluster does not create additional replicas on the target
Rubrik cluster.
Replicas on the target Rubrik cluster that existed before the replication policy was disabled remain on the
target. Manage these replicas through the Snapshot Management page of the target Rubrik cluster.
Related concepts
Retention management
Assign retention policies to existing scheduled snapshots, on-demand snapshots, and snapshots retrieved
from an archival location.

Replication policy re-enabled


When a replication policy is disabled and then re-enabled, the Rubrik cluster does not create replicas for
existing snapshots and backups.
When the replication policy for an SLA Domain is re-enabled, the Rubrik cluster immediately initiates
replication tasks to push replicas for the newest snapshots and backups to the target Rubrik cluster.
Replicas that exist from before the replication policy was disabled are managed again when the policy
is re-enabled. The Rubrik cluster manages these existing replicas based on the current SLA rules and
replication retention period.

Replication retention period increased


Changes to the SLA rules cause an automatic increase in the replication retention period.
When the replication retention period is increased, the retention of snapshots that have been replicated
remains unchanged. New snapshots are retained for the increased retention period and the Rubrik cluster
continues to manage the replicas based on the SLA rules.
Related reference
Impact of SLA Domain changes on snapshots
Examples showing the impact of changing the retention policy of the SLA Domain assigned to an object.
Examines the impact of retroactive and non-retroactive retention changes on local, archived, and replicated
snapshots.

Replication retention period decreased


Changes to the SLA rules cause an automatic decrease in the replication retention period.
When the replication retention period is decreased, the retention of snapshots that have been replicated
remains unchanged. New snapshots are retained for the decreased retention period and the Rubrik cluster
continues to manage the replicas based on the SLA rules.
Related reference
Impact of SLA Domain changes on snapshots
Examples showing the impact of changing the retention policy of the SLA Domain assigned to an object.
Examines the impact of retroactive and non-retroactive retention changes on local, archived, and replicated
snapshots.

Replication start
For any data source, the start of replication depends on adding the replication target to the Rubrik cluster
and adding the replication policy to the associated SLA Domain.

Event                     Description

Replication target added  Snapshots that were created before the replication target was added to the
to the Rubrik cluster     Rubrik cluster are not replicated.
                          Unexpired snapshots created after the replication target is added are
                          replicated when the replication policy is added to the associated SLA Domain.

Replication policy added  Unexpired snapshots for a data source are replicated when a replication policy
to the SLA Domain         is added to the associated SLA Domain.
                          The Rubrik cluster starts by replicating the most recent snapshot from a data
                          source and works backward in time, replicating the unexpired snapshots of
                          that data source.

Manage Replication page


The Manage Replication page provides summary information about the replication associations of the local
Rubrik cluster.
The Manage Replication page provides information on replication in several panes.
The Network Utilization for Replication pane provides historical information about network bandwidth
consumption due to replication activities.
Two line charts display the network bandwidth consumption, for the previous 24 hours, in a multiple of bits
per second.
The Incoming chart displays the incoming network bandwidth used for replication to the local Rubrik
cluster from all source Rubrik clusters.
The Outgoing chart displays the outgoing network bandwidth consumption caused by replication activity
from the local Rubrik cluster to all target Rubrik clusters.
The Replication Clusters pane provides information cards for each of the replication associations of the
local Rubrik cluster.
Each card displays the local Rubrik cluster on the left and a remote Rubrik cluster on the right. The card
provides information about the replication association between the two Rubrik clusters.
The information cards in the Replication Clusters section use symbols to indicate the replication
configuration between the two Rubrik clusters, either unidirectional or bidirectional.
In addition to the replication configuration symbol, the information card provides the information described
in the following table.
The information on the card is presented from the perspective of the local Rubrik cluster. The card
does not provide all replication information for the remote Rubrik cluster, only the information from the
association between the two clusters.

Field        Local section                                Remote section

Data         Total amount of data replicated by the       Total amount of data replicated by the
             remote Rubrik cluster to the local Rubrik    local Rubrik cluster to the remote Rubrik
             cluster.                                     cluster.
             When the remote Rubrik cluster is the        When the local Rubrik cluster is the
             target of a unidirectional replication       target of a unidirectional replication
             association this section is empty.           association this section is empty.

SLA Domains  The number of remote SLA Domains that        The number of local SLA Domains that
             replicate data to the local Rubrik cluster.  replicate data to the remote Rubrik cluster.

Objects      The number of remote objects that are        The number of local objects that are
             replicated to the local Rubrik cluster.      replicated to the remote Rubrik cluster.

Viewing the Manage Replication page


Use the Manage Replication page to view summary information about the replication associations of the
local Rubrik cluster.

Prerequisites
Configure a replication target Rubrik cluster, as described in Replication target setup.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the top action bar, click the gear icon.
3. Click Replication Targets.

Result
The Manage Replication page appears.

Global replication pause


Global replication pause pauses inbound replication to a Rubrik cluster and reduces the load on system
resources.
When a Rubrik cluster pauses replication, all incoming replication jobs from other Rubrik clusters that use
the pausing Rubrik cluster as a replication target are canceled. Outgoing replication from a Rubrik cluster
to a replication target is unaffected. The replication pause affects snapshots, logs, and Continuous Data
Protection (CDP).
When a Rubrik cluster resumes replication after a pause, the user resuming replication can choose whether
snapshots taken during the pause are replicated to the target or are not replicated.
The impact of Global Replication Pause for CDP is as follows:
• CDP Replication status will be healthy ("Healthy" or "Initializing" state), if Global Replication Pause is
enabled and the pause status is synchronized to the source replication cluster from target replication
cluster.
• CDP Replication status will be unhealthy ("Failed" state), if Global Replication Pause is enabled and the
pause status is not synchronized to the source replication cluster from target replication cluster.
• CDP Replication will be automatically recovered (back to "Healthy" or "Initializing" state) if Global
Replication Pause is disabled.

Pausing replication
A Rubrik cluster can temporarily pause all incoming replication tasks.

Context
When a Rubrik cluster is a replication target, pausing replication across the cluster can reduce demand on
network bandwidth for the duration of the pause.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the top action bar, click the gear icon.
3. Select Replication Targets.
The Manage Replication page appears.
4. Click the ellipsis on the Incoming pane of the Network Utilization for Replication section.
5. Click Pause all replication.
A confirmation dialog box appears.
6. Click Pause all replication.

Result
The cluster cancels all replication jobs that use this cluster as a replication target. The message 'All
replication is paused' appears at the top of the Incoming pane. Other clusters that use this cluster as a
replication source continue to use network bandwidth for those replication jobs.

Resuming replication after a pause


Resume replication after a global replication pause from the Rubrik web UI.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the top action bar, click the gear icon.
3. Select Replication Targets.
The Manage Replication page appears. The message 'All replication is paused' is visible at the top of
the Incoming pane of the Network Utilization for Replication section.
4. Click the ellipsis in the Incoming pane of the Network Utilization for Replication section.
5. Click Resume all replication.
A confirmation dialog box appears.
6. Choose whether to replicate missed snapshots.
Choice                                            Effect

Resume replicating all new snapshots and missed   Replication resumes for all snapshots, including
snapshots                                         snapshots that missed replication during the
                                                  pause. For lengthy pauses, replicating missed
                                                  snapshots can require substantial time and
                                                  network bandwidth.

Resume replicating all new snapshots              Replication resumes for new snapshots only.
                                                  Replication does not include snapshots that
                                                  missed replication during the pause or snapshots
                                                  taken before the pause.
7. Click Resume all replication.

Result
The Rubrik cluster launches replication jobs for the chosen option.

Replication pause per location


Use Replication Pause per location to reduce the system resource load of a Rubrik cluster by pausing all
incoming replication tasks from a source replication cluster to a target replication cluster.
Reduce the system resource load of a Rubrik cluster by enabling Replication Pause for specified source
replication clusters. When incoming replication traffic to a target cluster is paused, the target cluster no
longer replicates snapshots from the specified source cluster.
The Manage Replication Pause page provides two tabs. The Active tab lists all source replication clusters
replicating to the target replication cluster. The Pause tab lists source clusters with replication paused.
When replication is resumed, snapshots taken before and during the pause can be replicated or the
snapshots can be ignored.

Pausing replication per location


A Rubrik cluster can temporarily pause all incoming replication tasks from a source replication cluster to a
target replication cluster.

Context
When a Rubrik cluster is a replication target, pausing replication per location can reduce demand on
network bandwidth for the duration of the pause.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the top action bar, click the gear icon.
3. Select Replication Targets.
The Manage Replication page appears.
4. Click Manage Pause.
Source clusters that do not have replication paused appear on the Active tab. Source clusters with
replication paused appear on the Pause tab.
5. Click Active.
The active replication source clusters appear.
6. Select a replication source.
More than one replication source can be selected.
7. Click Pause.
The Manage Replication Pause dialog box appears.
8. Choose whether to replicate missed snapshots.
Choice                                            Effect

Cancel in-progress replication tasks immediately  The replication target immediately cancels
                                                  in-progress replication tasks and pauses incoming
                                                  replication tasks from the specified source
                                                  replication clusters.

Allow in-progress tasks to complete               The replication target completes any in-progress
                                                  replication jobs then pauses incoming replication
                                                  tasks from the specified source replication
                                                  clusters.
9. Click Pause Replication.

Result
The specified replication source clusters appear on the Pause tab of the Replication Targets page.

Resuming replication per location


Resume all incoming replication tasks from source replication clusters after a pause and specify how to
handle snapshots that occurred before and during the pause.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the top action bar, click the gear icon.
3. Select Replication Targets.
The Manage Replication page appears.
4. Click Manage Pause.
The Manage Replication Pause page appears.
5. Click Pause.
A list of the paused source replication clusters appears.
6. Select a source replication cluster.
More than one source replication cluster can be selected.
7. Click Resume.
The Manage Replication Pause dialog box appears.
8. Choose whether to replicate missed snapshots.
Choice                                            Effect

Resume replicating all new snapshots and missed   Replication resumes for all snapshots, including
snapshots                                         snapshots that missed replication during and
                                                  before the pause. For lengthy pauses, replicating
                                                  missed snapshots can require substantial time
                                                  and network bandwidth.

Resume replicating all new snapshots              Replication resumes for new snapshots only.
                                                  Replication does not include snapshots that
                                                  missed replication during the pause and
                                                  snapshots taken before the pause.
9. Click Resume Replication.

Result
The target Rubrik cluster resumes replication tasks for the specified source Rubrik clusters.

Replication monitoring and reporting


The target Rubrik cluster provides real-time monitoring and reporting of replication activity.
After it generates a snapshot for a virtual machine, the source Rubrik cluster begins replicating that
snapshot to the target Rubrik cluster. The Activity Log on the target Rubrik cluster lists an entry for the
replication task.
You can view replication tasks in the Activity Log by setting Replication in the Type filter.
A virtual machine-oriented view of the success and failure of completed replication tasks is available in the
Protection Tasks Summary. In the Protection Tasks Summary report, in Filter Type, choose Replication to
see all replication task results for the selected time period.

Related concepts
Activity Log
The Activity Log contains log messages about standard tasks and notifications that are considered time
sensitive.
Related reference
Default reports
The Gallery view includes eight default reports. Each report consists of two charts and a table of
information. The information in the reports is refreshed every hour.

Remote SLA Domains


A remote SLA Domain is an SLA Domain that was created on a Rubrik cluster other than the local Rubrik
cluster. Remote SLA Domains appear on a local Rubrik cluster when the local Rubrik cluster is a replication
target.

Viewing all remote SLA Domains


Access the Remote SLA Domains page to view general information about all remote SLA Domains that use
the current Rubrik cluster as a replication target.

Procedure
1. Log in to the Rubrik CDM web UI of a selected Rubrik cluster.
2. On the left-side menu, select SLA Domains > Remote Domains.

Result
The Remote SLA Domains page appears.

Information on the Remote SLA Domains page


The Remote SLA Domains page provides read-only information that is described in the following table. Sort
the information in ascending or descending order by clicking one of the column headings.
The following information is available on the Remote SLA Domains page:

| Column heading | Description |
| --- | --- |
| Name | Name of the remote SLA Domain. |
| Remote Cluster | Name of the remote Rubrik cluster. |
| Base Frequency | The rate at which snapshots and backups are created as a result of all of the SLA rules of the remote SLA Domain. |
| Object Count | Total number of objects that are protected through the remote SLA Domain. |
| Replication Retention | Replication retention period specified by the remote SLA Domain. |

Searching for a remote SLA Domain


Use the search field on the Remote SLA Domains page to find a specific remote SLA Domain or a group of
remote SLA Domains.

Procedure
1. Log in to the Rubrik CDM web UI of a selected Rubrik cluster.

A local Rubrik cluster session starts on the selected Rubrik cluster.
2. On the left-side menu, select SLA Domains > Remote Domains.
The Remote SLA Domains page appears.
3. In the search box at the top of the Remote SLA Domains page, type a text string.

Result
The Rubrik cluster provides a list of every remote SLA Domain name that contains the search string.

Viewing the page of a remote SLA Domain


Use the SLA Domains menu option to view summary information about remote SLA Domains.

Procedure
1. Log in to the Rubrik CDM web UI of a selected Rubrik cluster.
2. On the left-side menu, select SLA Domains > Remote Domains.
The Remote SLA Domains page appears.
3. On the Remote SLA Domains page, click a remote SLA Domain entry.

Result
The page of the selected remote SLA Domain appears.

Information provided for a remote SLA Domain


The following table describes the information that the Rubrik cluster provides through the cards on the
page for a remote SLA Domain.

| Information card | Field | Description |
| --- | --- | --- |
| SLA Domain Policy | | Quick view of the SLA rules specified by the remote SLA Domain. |
| | Take | Column listing of the Minute, Hourly, Daily, Monthly, and Yearly rules of snapshot frequency. |
| | Keep | Column listing of the Minute, Hourly, Daily, Monthly, and Yearly rules of snapshot retention. |
| | Backup Window | (Optional) Displays the Snapshot Window setting, when the remote SLA Domain has a Snapshot Window. |
| Storage | Donut graph | Quick view of the occupied and free space on the local Rubrik cluster that is occupied by data associated with the selected remote SLA Domain. Click legend entries to include or exclude them from the graphic. The graphic always starts at the top and runs clockwise with the segments displayed in order by size from largest to smallest. Hover over the entry to highlight that section in the graph. |
| | This domain | Color-highlighted graphical indication of the portion of the total storage space on the local Rubrik cluster that is occupied by data associated with the selected remote SLA Domain. |
| | Other domains | Color-highlighted graphical indication of the portion of the total storage space on the local Rubrik cluster that is occupied by data from other SLA Domains. |
| | Unprotected | Color-highlighted graphical indication of the portion of the total storage space on the local Rubrik cluster that is occupied by data from unprotected virtual machines. |
| | Available | Color-highlighted graphical indication of the portion of the total storage space on the local Rubrik cluster that is free. |
| | Line graph | Shows the storage ramp up over time for data associated with the selected remote SLA Domain, from 30 days to the present. |
| | Data source selection | Selection list to choose a type of data source. Open the list to select a data source type: vSphere VMs, Hyper-V VMs, AHV VMs, Linux & Unix Hosts, Windows Hosts, NAS Shares, SQL Server DBs, Managed Volumes. |
| | Search field | Search field that permits a text string search of the names of the selected type of data source objects that are protected by the remote SLA Domain. |
| | Name | Names of the data source objects of the selected type. |
| | Location | Location information for the selected type of data source objects. |

Remote data sources


Remote data sources are the virtual machines, databases, hosts, and NAS shares that provide the data
that is replicated to a local Rubrik cluster.
A target Rubrik cluster provides access to the replicas of remote data sources through Rubrik CDM web UI
pages that are similar to the pages provided for local data sources. The difference is that the pages for
remote data sources are read-only. Use these pages to find and work with the replicas of the remote data
sources.

Viewing a remote data source page


Access the page for a remote data source to view and work with the replicas from the remote data source.

Context
To go directly to the page for a remote data source, type the name of the data source in the search box on
the top bar of the Rubrik CDM web UI and select the remote data source from the results list.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select SLA Domains > Remote Domains.
The Remote SLA Domains page appears.
3. In the Name column, select the name of a remote SLA Domain.

The page for the selected remote SLA Domain appears.
4. On the data source card, select a data source type.
5. On the data source card, in the Name column, click the name of a data source.
6. (File system data sources only) On the Filesets card, in the Name column, select the name of a fileset.
For a virtual machine or a database, the remote data source page appears.
For a file system based data source, the Filesets card appears.

Result
The remote data source page appears.

Snapshots card or Recovery Points card


For a selected remote data source, the Snapshots card or Recovery Points card provides the ability to
browse and work with the replicas that reside on the local Rubrik cluster.
The card provides information through a series of calendar views. Each view uses color spots to indicate
the presence of replicas on a date. The color indicates one of the following:
• Status of compliance with the replication policy of the remote SLA Domain for the selected remote
virtual machine on the selected date.
• Consistency state of the snapshot.
• Indexing status.
Snapshots in the calendar view are color coded by status.

| Color | Status |
| --- | --- |
| Green | All replicas required by SLA Domain policy were successfully created. |
| Orange | All replicas required by SLA Domain policy were successfully created but at least one replica caused a warning. |
| Red | At least one replica required by SLA Domain replication policy was not successfully created. |

Snapshots card calendar view


The calendar view displays information at different levels of granularity.

| View | Description |
| --- | --- |
| Year | The Year view displays replica creation information for an entire year. A color spot indicator on a specific date indicates replication activity, and displays the compliance status for the replication policy for that day. |
| Month | The Month view displays replica creation information for an entire month. A color spot indicator on a specific date indicates replication activity, and displays the compliance status for the replication policy for that day. |
| Day | On a Snapshot card, the Day view displays the individual replicas that were created on the selected day. On a Recovery Points card, the Day view provides access to the replicas of the available snapshots and log backups for the database. |

Working with a replica
Access a replica and perform one of the actions available for the data source type.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select SLA Domains > Remote Domains.
The Remote SLA Domains page appears.
3. In the Name column, select the name of a remote SLA Domain.
The page for the selected remote SLA Domain appears.
4. On the data source card, select a data source type.
5. On the data source card, in the Name column, click the name of a data source.
For a file system based data source, the Filesets card appears.
For a virtual machine or a database, the remote data source page appears.
6. (File system data sources only) On the Filesets card, in the Name column, select the name of a fileset.
The remote data source page appears.
7. Select a date.
The Day view appears.
8. Based on the type of data source, perform an available action.

Result
The Rubrik cluster provides access to the replicas of the remote data source.

Expired snapshot recovery


The Rubrik CDM web UI provides an option to download a copy of the replicated snapshot to the source
Rubrik cluster for the snapshot recovery.
When a snapshot expires on the source Rubrik cluster and a replicated copy of the snapshot is available on
the target Rubrik cluster, you can download the replicated snapshot on the source Rubrik cluster.
The downloaded copy of the snapshot is the incremental difference between the closest snapshot and
the replicated snapshot. The closest snapshot is decided in terms of date. For example, if the replicated
snapshot was taken on March 10, the snapshot taken on March 11 available on the source Rubrik cluster
will be considered the closest snapshot.
The option to download a replicated snapshot is not available for SQL Server, Oracle, and SAP HANA
databases. The supported protectable objects are Nutanix, VMware, Managed Volumes, VMware vCloud
Director (vCD), Hyper-V, Volume Groups, and Fileset.

Downloading a replicated snapshot


Download a copy of the replicated snapshot to the source Rubrik cluster for the snapshot recovery.

Prerequisites
To enable downloading replicated snapshots, contact Rubrik Support.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, locate the menu item that identifies the type of the protectable object.

For example, to download the replicated snapshot for a vSphere virtual machine, click Virtual
Machines > vSphere VMs.
A page appears with a list of objects for the selected type.
3. Click the name of a protectable object.
The local host page for the selected object appears.
4. Click a date with a snapshot from the calendar.
Dates with snapshots are marked with a dot.
The Snapshots card displays the list of snapshots for the selected date.
An exclamation mark appears on the snapshot icon when the snapshot on the source Rubrik cluster
expires and its replicated copy is available on the target Rubrik cluster.
5. Click the ellipsis menu for the replicated snapshot and then click Download.
The Download Snapshot dialog box appears, displaying the replication and archival locations where
the snapshot is stored.
6. Select the replication location and then click Download.
The Manage Protection for Downloaded Snapshot wizard appears.
7. Choose a protection option.
| Option | Description |
| --- | --- |
| SLA Domain | The SLA Domain is assigned to the downloaded copy of the snapshot. |
| Retain Forever | The downloaded copy of the snapshot is retained until it is manually deleted. |

The Max Retention and Time Left columns appear for each SLA Domain. The maximum retention
period is counted from the time when the snapshot was taken, and the time left is the time until which
the Rubrik cluster will retain the copy of the snapshot.
8. Click Next.
The wizard advances to the Review Impact step.
9. Review the information and click Next.
The download job begins.
Any scheduled backup job for the protectable object is paused when the download job is in progress.
If a backup job is in progress, the download job is queued until the backup job completes.

Result
The replicated snapshot is downloaded to the source Rubrik cluster and the exclamation mark on the
snapshot icon disappears.

Chapter 9
Archiving


An SLA Domain can include an archival policy that instructs the Rubrik cluster to copy protected data to
an archival location. The archival policy specifies the archival location to use, how soon after a backup the
data is copied, and how long the data is retained.
The Rubrik cluster supports the following archival location types:
• Amazon S3
• Google Cloud Platform
• Azure
• Object Store
• NFS
• Tape
Cloud-based archival locations use the following terms to identify a logical unit of storage:
• bucket – Amazon S3 and Google Cloud Platform
• container – Microsoft Azure
A specific bucket can only be used by one Rubrik cluster. When a bucket is assigned to a Rubrik cluster, the
Rubrik cluster places restrictive permissions on the bucket that prevent other Rubrik clusters from using
the bucket. This action protects the data that is written to the bucket.
Multiple archival locations and types can be added to a Rubrik cluster. The archival policy of an SLA Domain
can only specify one archival location but each SLA Domain can specify a different archival location.

Archival policy
An archival policy defines how long to retain data within the local Rubrik cluster before moving the data to
an archival account for long term storage. Archival policy is optional for an SLA Domain.
When available, the Rubrik cluster uses an encrypted connection to transfer data to an archival location.
The Rubrik cluster deduplicates, compresses, and, when supported by the archival location, encrypts all
data that is stored at the archival location.
Related tasks
Changing archival policy
Configure the archival policy for an SLA Domain when creating a custom SLA Domain or when editing an
SLA Domain, and enable Instant Archive.

Changing archival policy


Configure the archival policy for an SLA Domain when creating a custom SLA Domain or when editing an
SLA Domain, and enable Instant Archive.

Prerequisites
Configure an archival location for the local Rubrik cluster, as described in Archival location configuration.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select SLA Domains > Local Domains.
The Local SLA Domains page appears.
3. Create a new SLA Domain or edit an existing SLA Domain.
4. Complete the Service Level Agreement for the SLA Domain.
5. Click Next.
6. In Archiving, turn on the Archiving toggle.
7. Optional: In the archival policy section, select Enable Instant Archive.
With the Instant Archive feature enabled, the Rubrik cluster creates a snapshot and immediately
queues a task to transfer the associated archival snapshot to the archival location.
8. In Archival Location, select one of the configured archival locations.
9. Complete any other changes.
10. Click Next.
The Review Impact page appears.
11. (Edit SLA Domain only) In Apply to existing snapshots, choose a setting.
• Accept the default setting to apply changes to the existing snapshots.
• Clear the setting to leave the retention policy of existing snapshots unchanged.
12. Click Update or Create.

Result
The Rubrik cluster adds the archival policy to the SLA Domain and applies it to subsequent snapshots for
protected objects assigned to the SLA Domain.
When Apply to existing snapshots is selected, the Rubrik cluster also applies the archival policy to
existing snapshots of the protected objects.
Related tasks
Editing an SLA Domain
Edit an existing local SLA Domain to change the specified data protection.
Creating a custom SLA Domain
Create a custom SLA Domain with policies that meet specific SLA requirements.

Instant Archive
The Instant Archive feature can be enabled to instruct the Rubrik cluster to immediately queue a task to
copy a new snapshot to a specified archival location.
When an SLA Domain has the Instant Archive feature enabled, the Rubrik cluster queues a task to copy a
snapshot to the associated archival location as soon as the snapshot is processed.
Instant Archive does not change the amount of time that a snapshot is retained locally on the Rubrik
cluster. The most recent snapshot is always preserved locally for protected data sources. The Retention On
Brik setting determines how long a snapshot is kept on the Rubrik cluster. However, if the local copy is the
most recent snapshot it is retained (at minimum) until a new subsequent snapshot is taken. This retention
policy takes precedence over the brik retention setting.
Reserve enough space on the Rubrik cluster to retain at least one full snapshot for each protected
object, to store any additional incremental snapshots based on the assigned SLA Domains, and to run
consolidation and reverse operation tasks.
Instant Archive is not supported for tape archival locations.

Example: Archival policy without Instant Archive

Assume the following rules are specified for an SLA Domain:


• Hourly Rule – Take one snapshot every 12 hours and retain the snapshot for five days.
• Daily Rule – Retain the most recent daily snapshot for 32 days.
• Monthly Rule – Retain the most recent monthly snapshot for one year.
• Annual Rule – None specified.
• Archival policy – Retention on Brik is set to 60 days. Instant Archive is not enabled.
The Rubrik cluster transfers snapshots that are 61 days old (or older) to the archive location and retains
the archival snapshots at that location for one year from the date of the snapshot. The one year value is
the Maximum Retention Period which, in this example, is specified by the Monthly Rule.
The local Rubrik cluster stores all relevant snapshots, as determined by the Hourly Rule and the Daily
Rule, for 60 days. After 60 days, the Rubrik cluster creates archival snapshots, stores them in the archival
account, and expires the source snapshots on the local Rubrik cluster. The Rubrik cluster expires the
archival snapshots based on the retention settings of the Daily Rule and the Monthly Rule for the SLA
Domain.

Example: Archival policy with Instant Archive

Assume the following rules are specified for an SLA Domain:


• Hourly Rule – Take one snapshot every 12 hours and retain the snapshot for five days.
• Daily Rule – Retain the most recent daily snapshot for 32 days.
• Monthly Rule – Retain the most recent monthly snapshot for one year.
• Annual Rule – None specified.
• Archival policy – Retention on Brik is set to 60 days. Instant Archive is enabled.
When snapshots are created, the Rubrik cluster immediately queues tasks to transfer the associated
archival snapshots to the archive location and retains the archival snapshots at that location for one year.
The one year value is the Maximum Retention Period which, in this example, is specified by the Monthly
Rule.
The local Rubrik cluster stores all relevant snapshots, as determined by the Hourly Rule, the Daily Rule,
and the Monthly Rule (day 33 through day 60), for 60 days. After 60 days, the Rubrik cluster expires the
source snapshots on the local Rubrik cluster. The Daily Rule and Monthly Rule govern the expiration of the
archival snapshots.

Instant Tiering
The Instant Tiering feature can be enabled to instruct the Rubrik cluster to immediately send snapshots to
cold storage.
Instant Tiering is a two-step process. First, snapshots are uploaded to the default tier. Then the snapshots
are moved to less-expensive cold storage for Azure or AWS.
Instant Tiering is enabled for new snapshots by selecting the following options:
• Archive Access Tier Only as the tiering option for Azure.
• Glacier Storage Class Only or Glacier Deep Archive Storage Class Only as the tiering option for AWS.

Note: The AWS SDK has a known limitation. Files larger than 5 GB cannot be tiered to Glacier Storage
Class or Glacier Deep Archive Storage Class.

Optionally, Instant Tiering can be applied to existing snapshots through the Tier existing snapshots
selection. The existing snapshots group includes on-demand, custom retention, and policy-based
snapshots.

Archival policy disabled


After the archival policy is disabled, the Rubrik cluster does not create new archival snapshots at the
archival location. Existing archival snapshots remain at the archival location and the Rubrik cluster
continues to manage the archival snapshots based on the SLA Domain rules.
After the archival policy is disabled, the Rubrik cluster maintains the Retention on Brik setting, when one is
enabled. Otherwise, the Rubrik cluster sets the Local Cluster Retention Period to the Maximum Retention
Period.
If changes are applied to existing snapshots, they remain on the local Rubrik cluster until they expire
based on the Maximum Retention Period. The Maximum Retention Period is applied to new and unarchived
snapshots.
If changes are not applied to existing snapshots, the retention period for snapshots on the local Rubrik
cluster and unarchived snapshots remains unchanged. The Maximum Retention Period is applied to new
snapshots.
Disabling archival policy for an extended period, then re-enabling archival policy, can result in a backlog
that will temporarily delay the expiration of snapshots.

Archival policy re-enabled


When an archival policy is disabled and then re-enabled, all policy driven snapshots on the local Rubrik
cluster that are older than the Local Cluster Retention Period are automatically moved into the archival
account. The Rubrik cluster manages existing archival snapshots at the archival location based on the SLA
Domain rules.

Retention on Brik period increased


When the Retention on Brik period is increased, the Rubrik cluster continues to manage existing archival
snapshots at the archival location based on the SLA Domain rules. Existing archival snapshots are not
moved back to the local Rubrik cluster.
When a policy driven snapshot on the local Rubrik cluster is older than the Retention on Brik period, the
Rubrik cluster moves it to the archival location. The Rubrik cluster keeps new policy driven snapshots on
the local Rubrik cluster for the time set by the new Retention on Brik period.
An increase in the Retention on Brik period increases the archival threshold. The local retention period
increases for new snapshots.
When changes are applied to existing snapshots, the increased Retention on Brik period is applied to
existing snapshots on the Rubrik cluster and to existing unarchived snapshots. Older snapshots will be
retained longer. The decreased SLA Domain retention policy is applied to new and existing archived
snapshots. This change will immediately delete existing archived snapshots that are older than the SLA
Domain retention policy.
When changes are not applied to existing snapshots, the retention period and the archival threshold
remain unchanged for existing snapshots. The increased archival threshold is applied only to new
snapshots. The decreased SLA Domain retention policy is applied only to new archived snapshots. There is
no change to the SLA Domain retention policy for existing archived snapshots.

Related reference
Impact of SLA Domain changes on snapshots
Examples showing the impact of changing the retention policy of the SLA Domain assigned to an object.
Examines the impact of retroactive and non-retroactive retention changes on local, archived, and replicated
snapshots.

Retention on Brik period decreased


When the Retention on Brik period is decreased, the Rubrik cluster moves existing local snapshots that are
older than the new Retention on Brik period to the archival location. The Rubrik cluster also applies the
decreased Retention on Brik period to all new policy driven snapshots.
Archived snapshots remain at the archival location and the Rubrik cluster manages those archival
snapshots based on the SLA Domain rules.
A decrease in the Retention on Brik period decreases the archival threshold. The local retention period
decreases for new snapshots.
When changes are applied to existing snapshots, the decreased Retention on Brik period is applied
to snapshots on the Rubrik cluster and any archival locations. As a result of the decreased retention,
existing snapshots may expire immediately and may be deleted from the local Rubrik cluster and from the
associated archival locations.
When changes are not applied to existing snapshots, the decreased retention period and the archival
threshold remain unchanged for existing snapshots. There is no change to the SLA Domain retention
policy for existing archived snapshots.
Related reference
Impact of SLA Domain changes on snapshots
Examples showing the impact of changing the retention policy of the SLA Domain assigned to an object.
Examines the impact of retroactive and non-retroactive retention changes on local, archived, and replicated
snapshots.

Maximum Retention Period increased


Changes to the retention policy of the SLA Domain can cause an automatic increase in the Maximum
Retention Period.
When changes are applied to existing snapshots, the Rubrik cluster applies the new higher Maximum
Retention Period to all archived snapshots at the archival location. The Rubrik cluster continues to manage
the archived snapshots based on the SLA Domain rules.
When changes are not applied to existing snapshots, the Rubrik cluster applies the new higher Maximum
Retention Period to new archived snapshots. There is no change to the retention policy for snapshots that
have already been archived.

Maximum Retention Period decreased


Changes to the retention policy of the SLA Domain can cause an automatic decrease in the Maximum
Retention Period.
When changes are applied to existing snapshots, the Rubrik cluster applies the new lower Maximum
Retention Period to all existing snapshots and snapshots on any archival location. The Rubrik cluster
automatically expires snapshots from the local Rubrik cluster, replicas at the target Rubrik cluster, and
archival snapshots at the archival location as needed to comply with the new Maximum Retention Period.
When changes are not applied to existing snapshots, the Rubrik cluster applies the new lower Maximum
Retention Period to new snapshots and snapshots on any archival location. The retention period for local,
archived, and replicated snapshots remains unchanged.

Archival data security
The Rubrik cluster encrypts archival data before transmitting the data to any of the supported archival
location types.
To prepare a file for archiving, a Rubrik cluster uses an encrypted multi-part upload to create AES-256
encrypted chunks of data. The Rubrik cluster then encrypts (wraps) the random AES-256 key using a
2048-bit RSA key, a KMS master key ID, or an encryption password, depending on the archival location
type.
During archival setup, the Rubrik cluster encrypts the keys that are provided and stores the keys in a
distributed database that is part of each Rubrik cluster. The database for a Rubrik cluster can only be
accessed by using the RSA private key of that Rubrik cluster.
When the archival policy goes into effect, the Rubrik cluster transfers the data to the archival location by
uploading the chunks of data in parallel. This process is known as a multipart upload. The Rubrik cluster
stores the wrapped AES-256 key at the archival location with the associated encrypted data chunks.
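
The envelope scheme described above (random AES-256 data key, encrypted chunks, data key wrapped with a 2048-bit RSA key and stored with the chunks), as an added Go example that is not Rubrik's code and covers only the RSA wrapping case. The guide does not name the cipher mode, RSA padding, chunk size or storage layout: AES-GCM, RSA-OAEP with SHA-256, the 1024-byte chunk size and the names `Archive`, `Seal`, `Open` and `NewClusterKey` are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const chunkSize = 1024 // constructed value; the guide gives no chunk size

// Archive models what lands at the archival location: wrapped key plus chunks.
type Archive struct {
	WrappedKey []byte   // AES-256 data key, RSA-OAEP encrypted (assumed padding)
	Chunks     [][]byte // each chunk is AES-GCM ciphertext || tag (assumed mode)
}

func NewClusterKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// chunkNonce derives the GCM nonce from the chunk index; safe only with a fresh key per archive.
func chunkNonce(i int) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], uint64(i))
	return n
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts data chunk by chunk under a random AES-256 key and wraps the key.
func Seal(pub *rsa.PublicKey, data []byte) (*Archive, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	a := &Archive{WrappedKey: wrapped}
	total := (len(data) + chunkSize - 1) / chunkSize
	aad := []byte(fmt.Sprint(total)) // chunk count as AAD: a dropped tail fails to open
	for i := 0; i < total; i++ {
		end := (i + 1) * chunkSize
		if end > len(data) {
			end = len(data)
		}
		a.Chunks = append(a.Chunks, gcm.Seal(nil, chunkNonce(i), data[i*chunkSize:end], aad))
	}
	return a, nil
}

// Open unwraps the data key with the RSA private key and decrypts each chunk.
func Open(priv *rsa.PrivateKey, a *Archive) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, a.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	aad := []byte(fmt.Sprint(len(a.Chunks)))
	var plain bytes.Buffer
	for i, c := range a.Chunks {
		pt, err := gcm.Open(nil, chunkNonce(i), c, aad)
		if err != nil {
			return nil, fmt.Errorf("chunk %d failed authentication: %w", i, err)
		}
		plain.Write(pt)
	}
	return plain.Bytes(), nil
}

func main() {
	priv, err := NewClusterKey()
	if err != nil {
		panic(err)
	}
	a, err := Seal(&priv.PublicKey, bytes.Repeat([]byte("constructed data "), 150))
	if err != nil {
		panic(err)
	}
	got, err := Open(priv, a)
	fmt.Println(len(a.Chunks), len(a.WrappedKey), len(got), err)
}
```

Because only the wrapped key travels with the chunks, a reader of the archival location without the RSA private key cannot recover the data key, and a modified, reordered or truncated chunk set fails to open.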
The Rubrik cluster uses the following protocols to transfer data between the Rubrik cluster and an archival
location.

| Archival storage type | Protocol |
| --- | --- |
| Cloud-based archival location | HTTPS |
| Object storage system | HTTPS or HTTP, depending on the capabilities and configuration of the system. |
| NFS shares | UDP or TCP, depending on the configuration of the NFS host. |
| QStar Archive Manager tape archive | SMB |

Archival bucket exclusivity


An archival bucket can only be used by one Rubrik cluster.
Cloud-based archival locations use the following terms to identify a logical unit of storage:
• ‘bucket’ – Amazon S3 and Google Cloud Platform
• ‘container’ – Microsoft Azure
When a bucket is assigned to a Rubrik cluster, the Rubrik cluster places restrictive permissions on the
bucket that prevent other Rubrik clusters from using the bucket. This action protects the data that is
written to the bucket.

Archival workflow
Archiving data to an archival location follows a standard workflow. As one of the steps in that workflow,
the Rubrik cluster determines whether to upload an incremental or full copy of the archival snapshot.
The following steps describe the typical sequence of tasks that a Rubrik cluster performs to satisfy the
archival policy of an SLA Domain.
1. Based on the archival policy, initiate an archival task.
2. Determine the most recent existing archival snapshot from the data source.

3. Use the factors described in Upload of a full or incremental archival snapshot to determine if an
incremental or full upload of the snapshot is processed.
4. Check that the required space is available.
5. Prepare the metadata for the new archival snapshot.
6. Create a local copy of the archival snapshot data.
7. Upload archival snapshot data to the archival location.
8. Verify the integrity of the uploaded data.
9. When the local copy of the index file for the snapshot is ready, upload a copy of the index file to the
archival location.
10. Upload the metadata for the new archival snapshot to the archival location.

Upload of a full or incremental archival snapshot


The Rubrik cluster uses several factors to determine if a snapshot is uploaded as a full or incremental
snapshot.
Rubrik clusters use incremental snapshots whenever a full snapshot is not required.

Common characteristics for archival snapshots

Archival snapshots have several common characteristics.


• The first upload of a snapshot to an archival location is always a full upload.
• If the SLA Domain is changed to use another archival location, the first snapshot on the new archival
location is a full upload.
• Rubrik CDM maintains separate chains for on-demand and SLA Domain-based snapshots. The first
snapshot is a full upload.
• Rubrik CDM always uses full uploads for tape snapshots.
• Rubrik CDM can be configured to force a full upload for all snapshots or for specific snapshots.
• Rubrik CDM maintains fingerprint files corresponding to the last uploaded snapshot on the Rubrik
cluster to compute the delta changes for the next incremental upload. If the fingerprint file does not
exist, the Rubrik cluster will initiate a full upload.

Archival snapshots with Azure Instant Tiering enabled

When Azure Instant Tiering is enabled, archival snapshots have specific characteristics.
• A snapshot can consist of a chain of no more than 40 incremental snapshots. When the chain of
incremental snapshots reaches 40, the Rubrik cluster initiates a full upload of the protected object and
reduces the incremental snapshot chain.
• The Rubrik cluster performs a full snapshot of a protected object when the last archived snapshot was
in Azure Archive Tier and Instant Tiering is not enabled.

Archival snapshots with AWS Tiering enabled

When AWS Tiering is enabled, archival snapshots have specific characteristics.


• A snapshot can consist of a chain of no more than 40 incremental snapshots. When the chain of
incremental snapshots reaches 40, the Rubrik cluster initiates a full upload of the protected object and
reduces the incremental snapshot chain.
• The Rubrik cluster performs a full snapshot of a protected object when the last archived snapshot was
in either the AWS Glacier Storage class or the Glacier Deep Archive Storage Class and Tiering is not
enabled.

Archival Consolidation is enabled

The Archival Consolidation feature is available for NFS, Amazon S3 compatible, AWS S3, and Azure archival
locations. If archival consolidation is enabled, the following logic determines when a snapshot uses a full
upload.
• The minimum duration between two full uploads is 14 days.
• If the current snapshot chain length of unexpired snapshots exceeds the default length of 60, a full
upload is used.

Archival Consolidation is disabled

The Archival Consolidation feature is available for NFS, Amazon S3 compatible, AWS S3, and Azure archival
locations. If archival consolidation is disabled, the following logic determines when a snapshot uses a full
upload.
• The minimum duration between two full uploads is 14 days.
• If the current snapshot chain length of expired or unexpired snapshots exceeds the default length of
60, a full upload is used.

Absolute chain limit

Snapshot chains cannot exceed an absolute limit of 120. Rubrik uploads a full backup when the chain
length exceeds this limit.

Note: Rubrik Support can change the chain limits from these defaults.

Archival Locations page


The Archival Locations page provides summary information about the archival locations configured on the
local Rubrik cluster.
Archival locations can be added, edited, disconnected, and deleted on the Archival Locations page. At the
top of the Archival Locations page, two line charts display the network bandwidth consumption over the
previous 24 hours, in a multiple of bits per second. One chart is for incoming archival activity, and the
other chart is for outgoing archival activity. Each chart displays the combined bandwidth consumption for
all active archival locations.
The Archival Locations section of the Archival Locations page provides information cards for each archival
location configured for the local Rubrik cluster. The following table describes the information fields.

| Field | Description |
|---|---|
| Name | Reference name for the archival location, which appears at the top of the archival location card. The Rubrik cluster uses a default generated name unless a custom name is configured. |
| Location type:identifier | The type of archival location, followed by an identifier. The identifier value matches the location parameter that was set when the archival location was created. The format for each location type is shown below: • S3:S3_bucket_name • Azure:Azure_container_name • GCP:GCP_bucket_name • NFS:host_name • QStar:host_name • S3Compatible:bucket_prefix |
| Status | Current status of the archival location. The status is one of the following: • Read/Write – Available for archival read and write operations. • Read Only – Available for read operations only. • Paused – New archive operations cannot be performed until the archival location is set to resume operations. • Disabled – New archive operations, as well as any background operations that change data, cannot be performed until the archival location is enabled. |
| Additional information | • Disconnected – The Rubrik cluster does not recognize the archival location, probably because of a network connectivity issue or invalid credentials. • Last Refreshed – (Applies to Read Only archival locations only) The time the archival location was last refreshed. |
| Available Space | (Applies to NFS archival locations only) Total amount of space available in the NFS directory. |
| Data Archived | Total amount of data currently archived on the archival location. This amount changes as new snapshots are archived and old snapshots are deleted. |
| Data Downloaded | Running total of data downloaded from the archival location over the last 30 days. |

Archival location configuration


Configure the Rubrik cluster to support a specific archival location by providing the requested archive-
specific information.
The following topics explain how to set up specific types of archives:
• Amazon S3 archival locations
• Google Cloud Platform archival locations
• Microsoft Azure
• Object storage system
• NFS share
• QStar tape archive

Archival location display name


An archival location display name is a short, human-readable string that identifies a specific archival
location.
When creating or editing an archival location, assign a display name or allow the Rubrik cluster to generate
a name. The archival location display name appears when adding or editing an SLA Domain and on the
Archival Locations page.
After a bucket or container name is added to an archival location, the Rubrik cluster automatically
generates a display name for the archival location. The generated name combines the short form for the
archive type and the bucket or container name. For example, for an Amazon S3 archive with a bucket
named ‘region-6’ the Rubrik cluster generates the display name ‘S3:region-6’ and adds that name to the
Archival Location Name field.
The generated display name can be accepted or a new display name can be typed into the Archival
Location Name field. The value in this field appears when adding or editing an SLA Domain and in the
heading portion of the card for the archival location on the Archival Locations page. The generated name
always appears on the second line of the card for the archival location.

Amazon S3 archival locations


Rubrik CDM supports Amazon S3 as an archival location and provides data encryption by using an RSA key.
Archival locations that use Amazon S3 cloud storage can use regular storage or immutable storage
depending on the use case.

Amazon S3 archival locations with immutable storage


Immutable storage enables the unalterable preservation of archived objects.
Immutable bucket storage for archival locations on the Amazon S3 cloud service can only be enabled
during location creation. Archival locations with immutable storage use a time-based immutability lock.
Snapshots that a Rubrik cluster writes to an immutable container cannot and will not be expired for the
entire immutability lock period, which is greater than the SLA duration.
Archival locations with immutable storage do not support archival consolidation, Glacier storage class only
or Glacier deep archive storage class only (which are supported by regular S3 locations), smart tiering
(which is not supported by Amazon S3 by default), or early snapshot expiration. The immutability lock
period cannot be shortened.
The immutability lock period of a snapshot at an immutable archival location must be based on the
retention period of the SLA Domain that it is assigned to. The immutability lock period is the period for
which all files written to the target are locked. All files, including snapshot data and metadata files in the
location, are governed by this period. Due to the immutable nature of the storage, storage usage and
related charges can increase beyond the expectations set by mutable storage usage patterns.
Archival locations with immutable storage only support an SLA Domain where only one frequency type
will send data to the archival target. The SLA itself can have multiple frequency types, such as hourly,
daily, or weekly, but the archival threshold must be set to allow only the max frequency type to archive.
For example, an SLA Domain has hourly snapshots for 24 hours, daily snapshots for 14 days, and weekly
snapshots for 52 weeks. If we set the archival threshold to 30 days, this would be acceptable since only
the weekly snapshots would be unexpired at the end of 30 days and eligible for archival.

Mutable storage versus immutable storage usage


Mutable storage and immutable storage differ from each other, and which one to use depends on the
specific use case.
A protectable object is assigned an SLA Domain that takes monthly snapshots with a two-year retention,
is kept in mutable storage, and has a snapshot chain limit of 60 snapshots. The snapshot chain limit is the
number of incremental snapshots that build on a given full backup snapshot. The Rubrik cluster takes a
new full backup snapshot after reaching the snapshot chain limit.
Monthly snapshots and the snapshot chain limit of 60 result in a snapshot chain that spans five years of
activity. Expired snapshots remain available and are not subject to deletion, garbage collection, or space
reclamation until all of the snapshots in the chain expire. As a result, a two-year retention period and a
five-year snapshot chain length means that the oldest snapshot in the chain is seven years old when the
entire chain expires. This is mutable storage.
With immutable storage and a snapshot chain limit of 60 snapshots, the immutability lock period must be
seven years to preserve the earliest snapshot for the entire period. The immutability lock on the Amazon
S3 container preserves the last snapshot in the chain, which is taken at the end of the fifth year, for the
length of the immutability lock period, which is seven years. This results in an unalterable 12-year period
of data retention and associated charges.
Setting a shorter immutability lock period lowers the chain limits, which results in more frequent full
uploads. Reducing the SLA Domain retention to two years results in a snapshot chain limit of 12 snapshots
and an immutability lock period of three years for monthly snapshot chains.

Amazon S3 immutability lock periods


Immutability lock periods are limited by the retention period of the associated SLA Domain.
For a protectable object whose snapshots are stored at the archival location, the immutability lock period
for an immutable archival location must be longer than the retention period of the assigned SLA Domain.
Shorter immutability lock periods result in more frequent full backup snapshots.

| SLA Domain frequency | Lock period must exceed SLA Domain retention by at least | Lock period cannot exceed SLA Domain retention by more than |
|---|---|---|
| Hourly | 15 days minus the archival threshold | 30 days minus the archival threshold |
| Daily | 60 days minus the archival threshold | 90 days minus the archival threshold |
| Weekly | 365 days minus the archival threshold | 420 days minus the archival threshold |
| Monthly | 365 days minus the archival threshold | 730 days minus the archival threshold |
| Quarterly | 365 days minus the archival threshold | 1095 days minus the archival threshold |
| Yearly | 365 days minus the archival threshold | 1095 days minus the archival threshold |

Example: Determining immutability lock period durations

This example assumes that a protectable object is assigned an SLA Domain that retains 30 daily snapshots
and 12 monthly snapshots, with an archival threshold of 31 days and a retention period of 100 days.
Snapshots are sent to the immutable archival location after 31 days on the Rubrik cluster storage and
expire at the archival location after 69 days, for a total retention of 100 days. The immutable archival
location stores the monthly snapshots.
The retention lock period must exceed the SLA Domain retention by the difference between the retention
(100 days) and the archival threshold (31 days), which is 69 days. The possible immutability lock periods
range from 434 days (365 days plus 69) to 799 days (730 days plus 69).

Storage class
The storage class can be edited after the archival location is added. The Rubrik cluster applies the new
storage class to data that is archived after a change.
An Amazon S3 archival location can be configured to use one of the following storage classes:
• Standard
• Standard-Infrequent Access
• One Zone-Infrequent Access
Refer to Amazon S3 documentation for more information about storage classes and the Amazon pricing
structure.

Multipart uploads
Incomplete partial uploads to Amazon S3 count towards the total storage used by an account.
Amazon S3 does not automatically expire multipart uploads when a failure occurs. Amazon S3 abandons
failed multipart uploads in an incomplete state. Abandoned uploads can consume more storage than
expected.
To avoid unnecessary storage costs, institute an Amazon S3 bucket life cycle policy that removes
incomplete multipart uploads 30 days after the failed upload. Follow the instructions in AWS documentation
for incomplete multipart uploads and configure a bucket life cycle policy on the Amazon S3 bucket that is
used for Rubrik CDM archival data.
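
One way to check that a bucket carries the cleanup rule described above, as an added example that is not part of the Rubrik guide. It inspects a dictionary in the shape returned by the S3 GetBucketLifecycleConfiguration API; the function names, rule IDs and sample configurations are constructed for illustration.

```python
"""Audit an S3 lifecycle configuration for cleanup of incomplete multipart uploads."""

MAX_DAYS = 30  # the guide's recommendation: remove incomplete uploads after 30 days


def recommended_rule(days=MAX_DAYS):
    """Bucket-wide lifecycle rule that aborts incomplete multipart uploads."""
    return {
        "ID": "abort-incomplete-multipart-uploads",  # constructed rule name
        "Status": "Enabled",
        "Filter": {"Prefix": ""},  # empty prefix: the rule covers the whole bucket
        # S3 counts these days from the initiation of the multipart upload.
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": days},
    }


def _is_bucket_wide(rule):
    """True when the rule has no prefix, tag or size restriction."""
    if rule.get("Prefix"):  # legacy top-level prefix field
        return False
    flt = rule.get("Filter") or {}
    # Only an empty filter or an empty prefix leaves the whole bucket in scope.
    return all(key == "Prefix" and not value for key, value in flt.items())


def audit_multipart_cleanup(lifecycle, max_days=MAX_DAYS):
    """Return (ok, findings) for a lifecycle configuration dictionary.

    ok is True when at least one enabled, bucket-wide rule aborts incomplete
    multipart uploads within max_days. findings explains every rule that
    tries to do so but falls short.
    """
    ok = False
    findings = []
    for rule in (lifecycle or {}).get("Rules", []):
        abort = rule.get("AbortIncompleteMultipartUpload")
        if not abort:
            continue  # rule does something else; not relevant to this check
        rule_id = rule.get("ID", "<no id>")
        days = abort.get("DaysAfterInitiation")
        if rule.get("Status") != "Enabled":
            findings.append(f"{rule_id}: rule is disabled")
        elif not _is_bucket_wide(rule):
            findings.append(f"{rule_id}: only covers part of the bucket")
        elif not isinstance(days, int) or not 1 <= days <= max_days:
            findings.append(f"{rule_id}: DaysAfterInitiation={days!r} is outside 1..{max_days}")
        else:
            ok = True
    if not ok and not findings:
        findings.append("no rule aborts incomplete multipart uploads")
    return ok, findings


# Constructed sample configurations (not taken from any real bucket).
SAMPLE_GOOD = {"Rules": [recommended_rule()]}
SAMPLE_WEAK = {
    "Rules": [
        {"ID": "abort-disabled", "Status": "Disabled", "Filter": {},
         "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7}},
        {"ID": "abort-logs-only", "Status": "Enabled", "Filter": {"Prefix": "logs/"},
         "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7}},
        {"ID": "abort-late", "Status": "Enabled", "Filter": {"Prefix": ""},
         "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 90}},
    ]
}

if __name__ == "__main__":
    for name, config in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK), ("empty", {})):
        ok, findings = audit_multipart_cleanup(config)
        print(name, "PASS" if ok else "FAIL", findings)
```
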

Adding an Amazon S3 archival location


Configure a Rubrik cluster to use an Amazon S3 archival location.

Prerequisites
Complete the tasks described in Generating an RSA key and Prepare to use Amazon S3 as an archival
location. Save the following information, which is available from the AWS management console:
• Access key ID
• Secret key
• Bucket name
• KMS master key
• VPC ID
• Subnet ID
• Security Group ID

Context
Provide the Rubrik cluster with Amazon S3 keys and connection information, including the VPC ID, the
subnet ID, and the Security Group ID.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Select Archival Locations.
The Archival Locations page appears.
4. Click +.
The Add Archival Location dialog box appears.
5. In Archive Type, select Amazon S3.
The Amazon S3 archival location fields appear.
6. In Region, select an Amazon S3 region for the bucket.
7. Select a storage class.
• One Zone - Infrequent Access
• Standard
• Standard - Infrequent Access
8. In AWS Access Key, paste an access key ID.
9. In AWS Secret Key, paste the associated secret key.
10. In AWS Bucket Name, type the name for the Amazon S3 bucket to use.
The bucket name must comply with the guidelines provided by Amazon for DNS-compliant
bucket names. For information, refer to:
http://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html.
11. In Archival Location Name, type a display name for the archival location.
Alternatively, accept the generated name that is displayed in the field.
12. In Retrieval Tier, select the Amazon retrieval tier.
• Standard
• Expedited
• Bulk
13. In Encryption Type, select an encryption key type.
• KMS Master Key ID
• RSA Key
• Encryption Password
14. (For KMS Master Key ID) In KMS Master Key ID, paste the KMS master key.
Disaster recovery cannot be performed without this key.
15. (For RSA Key) In RSA Key, paste the RSA key for encrypting data for the selected region.
Disaster recovery cannot be performed without this key.
16. (For Encryption Password) In Encryption Password and Re-Enter Encryption Password, type a
complex password.
Password encryption is available only for Immutable AWS locations. Selecting any other encryption
type for Immutable Archive Settings will fail.
17. Optional: Click Advanced Settings.
The advanced settings allow you to configure consolidation, proxy, and immutability settings.
18. Click Save.

Result
The Rubrik cluster tests the keys and connection information. After a successful test, the Rubrik cluster
stores the configuration.
Related tasks
Managing consolidation for Amazon S3
Enable or disable snapshot consolidation for an Amazon S3 archival location.

Rotating keys for an Amazon S3 archival location


Provide more security for the archived data by regularly changing the Amazon S3 access key ID and secret
key.

Prerequisites
Log in to the AWS management console and change the access key ID and secret key assigned to
the Rubrik cluster. Download the .csv file that contains the new access key ID and secret key, so the
information will be available to copy into the Rubrik CDM web UI.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. On the Archival Locations page, on the archival location card, open the ellipsis menu and click Edit.
The Edit Archival Location dialog box appears.
5. In AWS Access Key, paste the new access key.
6. In AWS Secret Key, paste the new secret key.
7. Click Save.

Result
The Rubrik cluster stores the updated key information.

AWS archive tiering


Rubrik CDM uses archive tiering with AWS to tier data to the Glacier Storage Class or Glacier Deep Archive
Storage Class based on an SLA policy. Glacier Storage Class and Glacier Deep Archive Storage Class are
only supported through Instant Tiering.
An SLA Domain with an archival policy using an AWS archival location can be configured to use one of the
archival tiering options described in the following table.

| Tier options | Description |
|---|---|
| Default Storage Class Only | The Default Storage Class Only option specifies snapshots are archived to the storage class configured with the AWS archival location. If this option is selected, no archive tiering is available. |
| Glacier Storage Class Only | The Glacier Storage Class Only option specifies snapshots are first uploaded to the default storage class and then immediately tiered to the Glacier storage class. If this option is selected, metadata files are stored in the default storage class. The Glacier Storage Class Only option does not apply to existing snapshots. |
| Glacier Deep Archive Storage Class Only | The Glacier Deep Archive Storage Class Only option specifies snapshots are first uploaded to the default storage class and then immediately tiered to the Glacier Deep Archive storage class. If this option is selected, metadata files are stored in the default storage class. The Glacier Deep Archive Storage Class Only option does not apply to existing snapshots. |

Note: The Glacier Storage Class Only and Glacier Deep Archive Storage Class Only options do not support
Direct Archive workloads.

Configuring AWS tiering


Configure the archival policy for an SLA Domain when creating a custom SLA Domain or when editing an
SLA Domain to enable AWS tiering.

Prerequisites
Configure an archival location for the local Rubrik cluster, as described in Archival location configuration.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select SLA Domains > Local Domains.
The Local SLA Domains page appears.
3. Create a new SLA Domain or edit an existing SLA Domain.
4. Complete the Service Level Agreement for the SLA Domain.
5. Click Next.
The second page of the Create SLA Domain dialog box appears.
6. In Archiving, enable the archiving toggle.
7. In Archival Location, select a configured AWS archival location.
8. Optional: Select Enable Instant Archive to instruct the Rubrik cluster to immediately queue a task
to copy a new snapshot to the archival location.
9. In AWS Tiering, select an option.
• Default Storage Class Only (default selection)
• Glacier Storage Class Only (enables Instant Tiering)
• Glacier Deep Archive Storage Class Only (enables Instant Tiering)
10. Optional: Select Tier existing snapshots to instantly tier existing snapshots for protected objects.
11. Complete any other changes.
12. Click Create or Edit.
The Rubrik cluster adds the archival policy to the SLA Domain and applies it to the existing snapshots
and the new snapshots for data sources assigned to the SLA Domain.

Result
The SLA Domain uses AWS tiering.
Related tasks
Editing an SLA Domain
Edit an existing local SLA Domain to change the specified data protection.
Creating a custom SLA Domain
Create a custom SLA Domain with policies that meet specific SLA requirements.

Google Cloud Platform archival locations


Rubrik CDM supports Google Cloud Platform as an archival location.
Google Cloud Storage is a unified object storage solution offering four storage classes. Each storage class
fits a particular use case with different price points and SLA. The four storage classes are:
• Standard storage
• Nearline storage
• Coldline storage
• Archive storage
Rubrik CDM supports all Google Cloud Platform Regional and Multi-Regional locations. A regional location is
a specific geographic place somewhere in the world.
Rubrik CDM does not support immutable object storage for Google Cloud Platform.

Google Cloud Platform as an Archival Target


Adding a Google Cloud Platform archival location is similar to adding other types of archival locations.

Note: Rubrik CDM does not support immutable object storage. Rubrik recommends against using
versioning because it can significantly increase storage usage and costs.

| Field | Description | Additional Information |
|---|---|---|
| Region | Region for Google Cloud Platform bucket. | This field cannot be edited after initial configuration. |
| Storage Class | The storage class specified for the Google Cloud Platform. The options include: • Standard • Durable Reduced Availability • Nearline • Coldline | The Durable Reduced Availability storage class is deprecated. Instead, the Standard storage class should be used for new archival locations. |
| Bucket | Bucket created for use as Rubrik archival target. | The bucket name must meet Google naming conventions. See the GCP documentation for bucket name requirements. The bucket name cannot be edited after initial configuration. If the specified bucket name already exists, the existing bucket is used. If the bucket name does not exist, a new bucket is created. Because the lifecycle rule controls the movement of data to Coldline storage, no additional SLA-based configuration is required to ensure the Rubrik cluster data moves to Coldline storage. |
| Encryption Password and Re-Enter Encryption Password | Password to use for encrypting data before sending to Google Cloud Platform. Disaster recovery cannot be performed without this password. | This field cannot be edited after initial configuration. The Encryption Password cannot be recovered from the Rubrik cluster after configuring the archival locations. It is the responsibility of the user to keep this password safe for future reference. |
| Archival Location Name | Descriptive name for the archival location. By default this is configured as "GCP:BucketName". This field can be edited to any name. | This field can be edited after initial configuration. |
| Service Account JSON Key | Private JSON key for the service account. | Copy and paste the contents of this file. This information is required for the Rubrik archival configuration. |


Google Cloud Platform archive tiering
Rubrik CDM supports tiering to the Google Cloud Platform Archive storage class using lifecycle
management policy.
The Rubrik cluster does not allow specifying the Archive storage class when configuring a Google Cloud
Platform (GCP) archival location. However, the Rubrik cluster allows configuring lifecycle rules from the
GCP console to tier older data to the Archive storage class. The rules specify which data will be tiered and
when. This data tiering occurs outside of the Rubrik cluster area of influence, so the Rubrik cluster is not
aware which data has moved to Archive storage.
The Archive storage class has minimum retention requirements. These requirements can cause early
deletion charges if any data is deleted before the minimum duration. Any data access from the Archive
storage class also incurs data retrieval costs. The GCP documentation includes information about data
retrieval charges.
When configuring GCP archive tiering, Rubrik recommends selecting the tiering options listed in this table.

| Tier options | Description |
|---|---|
| Default Storage Class | The storage class determines costs for storage, data retrieval, and operations. Rubrik recommends that you use the Standard storage class when configuring archive tiering. |
| Lifecycle rules | Lifecycle rules apply actions to archive tiering objects when certain conditions are met. Rubrik recommends setting these lifecycle rules: • Storage class – A Set storage class to archive setting is optimal. • Age – A length of time of 60 to 90 days is optimal for objects to remain in the default storage class before moving to the Archive storage class. |

Adding Google Cloud Platform as an archival location


Configure a Rubrik cluster to use Google Cloud Platform as the archival location.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. Click +.
The Add Archival Location dialog box appears.
5. In Archive Type, select Google Cloud Platform.
The Add Archival Location dialog box changes to show the Google Cloud Platform fields.
6. In Region, select a region type for the archived data.
| Location | Description |
|---|---|
| Regional locations | Data is stored in one bucket in a single geographic location within the specified region. |
| Multi-regional locations | Data is geo-redundant and data is stored in multiple geographic locations. |
The Rubrik cluster creates a bucket with the appropriate Storage Class. Standard uses Regional or
Multi-regional storage class based on the region selection. Durable Reduced Availability is a legacy
Storage class that is superseded by Regional class.
7. In Storage Class, choose the class for determining costs for storage, data retrieval, and operations.
Generally, the Standard storage class is appropriate for the Rubrik cluster.
8. In Bucket, type the bucket name.
The bucket name must be unique across Google Cloud Platform. Rubrik CDM can generate a
bucket name, or the name of an existing bucket can be used.
9. In Encryption Password, type the encryption password to recover the Google Cloud Platform
archive.
10. In Re-Enter Encryption Password, type the encryption password to recover the Google Cloud
Platform archive.
Disaster recovery cannot be performed without this password.
11. In Archival Location Name, accept the default archival location name or specify a custom name.
12. In Service Account JSON Key, paste the contents of the JSON file obtained from Google Cloud
Platform.
13. Optional: Click Advanced Settings.
The advanced settings allow you to configure archival proxy settings.
The Advanced Settings dialog box appears.
14. Click Save.
15. Click Add.

Result
The archival location can now be assigned to SLA Domains.
Related reference
Google Cloud Platform as an Archival Target
Adding a Google Cloud Platform archival location is similar to adding other types of archival locations.
Advanced settings
Information on advanced settings for Amazon S3, Google Cloud Platform, and Azure archival locations.

Microsoft Azure
Rubrik CDM supports Microsoft Azure as an archival location.
Archival locations that use Microsoft Azure cloud storage can use standard storage or immutable storage
depending on the use case.
Related concepts
Microsoft Azure archival locations with immutable storage
Immutable blob storage enables the unalterable preservation of protected data objects.

Microsoft Azure archival locations with immutable storage


Immutable blob storage enables the unalterable preservation of protected data objects.
Immutable blob storage for archival locations on the Microsoft Azure cloud service can only be enabled
during location creation. Archival locations with immutable storage use a time-based immutability lock.
Snapshots of a protectable object that a Rubrik cluster writes to an immutable container cannot be deleted
for the retention duration specified in the SLA Domain assigned to that protectable object.
Archival locations with immutable storage do not support archival consolidation, smart tiering, or early
snapshot expiration. The immutability lock period cannot be shortened.
The immutability lock period of a snapshot at an immutable archival location is based on the retention
period of the SLA Domain assigned to that snapshot, and increases when the Rubrik cluster writes a new
snapshot to the archival location. This increase of retention period ensures the continuity of the snapshot
chain. Due to the immutable nature of the storage, storage usage and related charges can increase beyond
the expectations set by mutable storage usage patterns.
Archival locations with immutable storage only support snapshots protected by an SLA Domain that takes
snapshots at a single frequency with an archival policy enabled.

Example: Mutable and immutable storage usage differences

A protectable object is assigned an SLA Domain that takes monthly snapshots with a two-year retention,
kept in mutable storage and with a snapshot chain limit of 60 snapshots. The snapshot chain limit is the
number of incremental snapshots that build on a given full backup snapshot. The Rubrik cluster takes a
new full backup snapshot after reaching the snapshot chain limit.
Monthly snapshots and the snapshot chain limit of 60 result in a snapshot chain that spans five years of
activity. Expired snapshots remain available and are not subject to deletion, garbage collection, or space
reclamation until all of the snapshots in the chain expire. As a result, a retention time of two years and a
five-year snapshot chain length means that the oldest snapshot in the chain is seven years old when the
entire chain expires.
With immutable storage and a snapshot chain limit of 60, the immutability lock period must be seven
years to preserve the earliest snapshot for the entire period. The immutability lock on the Azure
container preserves the last snapshot in the chain, taken at the end of the fifth year, for the length of
the immutability lock period, which is seven years. This results in an unalterable 12-year period of data
retention and associated charges.
Setting a shorter immutability lock period lowers the chain limits, which results in more frequent full
uploads. Reducing the SLA Domain retention to two years results in a snapshot chain limit of 12 and an
immutability lock period of three years for monthly snapshot chains.

Related concepts
Archival Consolidation
Archival Consolidation frees archival storage by deleting expired snapshots.

Azure immutability lock periods


Immutability lock periods are limited by the retention period of the associated SLA Domain.
The immutability lock period for an immutable Azure archival location must be longer than the retention
period of the SLA Domain assigned to the protectable object whose snapshots are being stored at the
archival location. Shorter immutability lock periods result in more frequent full backup snapshots.

| SLA Domain frequency | Lock period must exceed SLA Domain retention by at least | Lock period cannot exceed SLA Domain retention by more than |
|---|---|---|
| Hourly | 15 days minus the archival threshold | 30 days minus the archival threshold |
| Daily | 60 days minus the archival threshold | 90 days minus the archival threshold |
| Weekly | 365 days minus the archival threshold | 420 days minus the archival threshold |
| Monthly | 365 days minus the archival threshold | 730 days minus the archival threshold |
| Quarterly | 365 days minus the archival threshold | 1095 days minus the archival threshold |
| Yearly | 365 days minus the archival threshold | 1095 days minus the archival threshold |


Example: Determining immutability lock period durations

This example assumes that a protectable object is assigned an SLA Domain that retains 30 daily snapshots
and 12 monthly snapshots, with an archival threshold of 31 days and a retention period of 100 days.
Snapshots are sent to the immutable archival location after 31 days on the Rubrik cluster storage and
expire at the archival location after 69 days, for a total retention of 100 days. The immutable archival
location stores the monthly snapshots.
The retention lock period must exceed the SLA Domain retention by the difference between the retention
(100 days) and the archival threshold (31 days), which is 69 days. The possible immutability lock periods
range from 434 days (365 days plus 69) to 799 days (730 days plus 69).
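
The lock period arithmetic from the Amazon S3 and Azure immutability sections, as an added Python example that is not part of the Rubrik guide or of Rubrik CDM itself. It reproduces the lock period table and both worked examples; the function names are hypothetical, and rejecting an archival threshold that is not shorter than the retention is an assumption.

```python
"""Immutability lock period planning, following the guide's table and examples."""

# (minimum, maximum) days by which the lock period exceeds SLA Domain retention,
# before the archival threshold is subtracted. Values copied from the table.
LOCK_MARGIN_DAYS = {
    "hourly": (15, 30),
    "daily": (60, 90),
    "weekly": (365, 420),
    "monthly": (365, 730),
    "quarterly": (365, 1095),
    "yearly": (365, 1095),
}


def lock_period_bounds(frequency, retention_days, archival_threshold_days):
    """Return (shortest, longest) permitted immutability lock period in days."""
    try:
        low, high = LOCK_MARGIN_DAYS[frequency.lower()]
    except KeyError:
        raise ValueError(f"unknown SLA Domain frequency: {frequency!r}") from None
    if retention_days <= 0 or archival_threshold_days < 0:
        raise ValueError("retention must be positive and threshold non-negative")
    # Assumption: a snapshot that expires before the archival threshold is
    # reached never gets to the archival location, so there is nothing to lock.
    if archival_threshold_days >= retention_days:
        raise ValueError("archival threshold must be shorter than the retention")
    # Time a snapshot spends at the archival location (69 days in the example).
    at_archive = retention_days - archival_threshold_days
    return low + at_archive, high + at_archive


def check_lock_period(frequency, retention_days, archival_threshold_days, lock_days):
    """Return (ok, message) for a proposed immutability lock period in days."""
    shortest, longest = lock_period_bounds(
        frequency, retention_days, archival_threshold_days
    )
    if lock_days < shortest:
        return False, f"{lock_days} days is below the minimum of {shortest}"
    if lock_days > longest:
        return False, f"{lock_days} days is above the maximum of {longest}"
    return True, f"{lock_days} days is within {shortest}..{longest}"


def chain_retention_horizon(chain_limit, interval_months, retention_months):
    """Model the mutable-versus-immutable example, with all values in months.

    Returns (chain_span, lock_period, locked_horizon):
      chain_span      time covered by one full backup plus its incrementals
      lock_period     age of the oldest snapshot when the whole chain expires,
                      which is the lock period needed to preserve it
      locked_horizon  time from the first snapshot until the last snapshot in
                      the chain leaves its lock
    """
    if chain_limit <= 0 or interval_months <= 0 or retention_months <= 0:
        raise ValueError("all inputs must be positive")
    chain_span = chain_limit * interval_months
    lock_period = chain_span + retention_months
    locked_horizon = chain_span + lock_period
    return chain_span, lock_period, locked_horizon


if __name__ == "__main__":
    # Worked example: monthly snapshots, 100-day retention, 31-day threshold.
    print(lock_period_bounds("Monthly", 100, 31))
    print(check_lock_period("Monthly", 100, 31, 400))
    # Monthly snapshots, chain limit 60, two-year retention: 5, 7 and 12 years.
    print([months // 12 for months in chain_retention_horizon(60, 1, 24)])
    # Chain limit 12 with the same retention: the lock period drops to 3 years.
    print(chain_retention_horizon(12, 1, 24))
```
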

Adding Microsoft Azure as an archival location


Configure a Rubrik cluster to use Microsoft Azure as the archival location.

Prerequisites
• Plan archival usage to meet the data storage requirements for any single container and storage
account, as defined in Azure subscription and service limits, quotas, and constraints.
• Refer to the Archive preparation in Azure topic to set up an Azure storage account to begin archiving
data from the Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. Click +.
The Add Archival Location dialog box appears.
5. In Archive Type, select Azure.
The Add Archival Location dialog box changes to show the Azure fields.
6. In Storage Account Name, type the name of a Microsoft Azure account.
7. In Access Key, type the access key for the Microsoft Azure account.
8. In Container, type the name to be assigned to the container.
Container names must meet the following requirements:
• Three to 63 characters in length.
• Can only contain lowercase letters, numbers, and hyphens.
• Hyphens must be preceded and followed by a non-hyphen character.
9. In Archival Location Name, type a display name for the archival location.
Alternatively, accept the generated name that is displayed in the field.
10. In Instance Type, choose the Cloud Platform type of this archival location.
Instance Type | Description
Azure Default | All regions except: China, India, and Azure Government.
Azure Government | US Gov Iowa and US Gov Virginia.
Azure China | China North and China East.
Azure Germany | Germany.
11. In RSA Key, paste the RSA key.
The Rubrik cluster uses the RSA key to encrypt the archived data. Disaster recovery cannot be
performed without this key.
12. Optional: Click Advanced Settings.
The advanced settings allow you to configure consolidation, proxy, and immutability settings.
The Advanced Settings dialog box appears.
13. Click Save.

Result
The Rubrik cluster stores the information.

Next task
Configure additional Microsoft Azure settings through the Azure portal.
Related concepts
Microsoft Azure archival locations with immutable storage
Immutable blob storage enables the unalterable preservation of protected data objects.
Related tasks
Managing consolidation for Azure
Enable or disable snapshot consolidation for an Azure archival location.
Related reference
Advanced settings
Information on advanced settings for Amazon S3, Google Cloud Platform, and Azure archival locations.
Related information
Azure subscription and service limits, quotas, and constraints

Editing the Microsoft Azure account name and account key


Provide more security for the archived data by regularly changing the account key for the Microsoft Azure
account. Also, when necessary, edit the account name or display name.

Prerequisites
Change the account key assigned to the Microsoft Azure account being used by the Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. On the Archival Locations page, on the archival location card, open the ellipsis menu and click Edit.
The Edit Archival Location dialog box appears.
5. Optional: In Storage Account Name, type a new account name.
6. In Access Key, type the new access key.
7. In Archival Location Name, type a new display name for the archival location.
8. Optional: Click Advanced Settings.
The advanced settings allow you to configure consolidation or proxy settings.
The Advanced Settings dialog box appears.

9. Click Update.

Result
The Rubrik cluster tests the updated information and, after a successful test, stores the updated
information.
To configure additional Microsoft Azure settings, use the Azure portal.
Related reference
Advanced settings
Information on advanced settings for Amazon S3, Google Cloud Platform, and Azure archival locations.

Azure tiering
Rubrik CDM supports Microsoft Azure tiering options.
Microsoft Azure implements storage tiers based on varying storage cost, access, and retention
requirements. The storage tiers are Hot, Cool, and Archive.

Note: Refer to the Microsoft Azure documentation for detailed information on tiering options and pricing.

Azure Archive tiering options


Rubrik CDM uses archive tiering with Azure to tier older data to the Archive tier based on an SLA policy.
An SLA Domain with an archival policy using a Microsoft Azure archival location can be configured to use
one of the archival tiering options described in the following table:

Tier options | Description
Default Access Tier Only | The Default Access Tier Only option specifies snapshots are archived to the default access tier configured by the administrator on the Azure storage account. The possible access tier values are hot or cool tier. This option does not use the archive access tier.
Archive Access Tier Only | The Archive Access Tier Only option specifies snapshots are first uploaded to the default access tier and then immediately tiered to the archive access tier. If this option is selected, metadata files are stored in the default access tier. The Archive Access Tier Only option does not apply to existing snapshots.
Smart Tiering | The Smart Tiering option specifies data is first archived to the default access tier, and then moved to the archive access tier at a later date based on the SLA parameters. Smart Tiering requires a General Purpose v2 account. If this option is selected, metadata files are stored in the default access tier.

Rubrik CDM manages smart tiering using the following rules:


• Administrators specify the minimum time that data remains available in the default access tier. The
snapshot becomes eligible to move to the archive access tier when the snapshot exceeds the minimum
time.
• Rubrik CDM evaluates the age of snapshots every six hours and compares that age to the minimum time
in the tier required by the SLA Domain.
• Smart Tiering avoids early deletion costs by ignoring a snapshot that fits either of the following criteria:
• Archived for less than 30 days
• In the tier for less than the minimum required time

• Rubrik CDM moves older snapshots to the archive access tier when recent snapshots do not depend on
the older snapshot to complete a snapshot chain. A transient compute instance is run on-demand in the
Azure Cloud to perform dependency reversal of snapshots. This allows the older snapshots to be tiered
to the archive access tier.

Note: The Archive Access Tier Only option does not support Direct Archive workloads. Smart tiering
should be used instead to send Direct Archive workloads to the archive access tier.

Configuring Azure tiering


Configure the archival policy for an SLA Domain when creating a custom SLA Domain or when editing an
SLA Domain to enable Azure smart tiering.

Prerequisites
Configure an archival location for the local Rubrik cluster, as described in Archival location configuration,
and configure the Cloud Compute Setting for Azure CloudOn, as described in Azure CloudOn configuration
and setup.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select SLA Domains > Local Domains.
The Local SLA Domains page appears.
3. Complete one of the following to add or modify an archival policy for an SLA Domain:
• For a new custom SLA Domain, click the + icon and configure the other fields on the Create New
SLA Domain dialog box.
• For an existing SLA Domain, on the Local SLA Domains page, select the SLA Domain. The
properties page for the selected SLA Domain appears. Open the ellipsis menu and click Edit.
4. Complete the Service Level Agreement for the SLA Domain.
5. Click Next.
The second page of the Create SLA Domain dialog box appears.
6. In Archiving, enable the archiving toggle.
7. In the archival location field, select a configured Azure archival location.
8. Optional: Select Enable Instant Archive to instruct the Rubrik cluster to immediately queue a task
to copy a new snapshot to the archival location.
9. In Azure Tiering, select an option.
• Default Access Tier Only (default selection)
• Archive Access Tier Only (enables Instant Tiering)
• Smart Tiering (if selected, specify duration in days)
10. Optional: Select Tier existing snapshots to instantly tier existing snapshots for protected objects.
11. Complete any other changes.
12. Click Create or Edit.
The Rubrik cluster adds the archival policy to the SLA Domain and applies it to the existing snapshots
and the new snapshots for data sources assigned to the SLA Domain.

Result
The SLA Domain uses Azure tiering.
Related tasks
Creating a custom SLA Domain
Create a custom SLA Domain with policies that meet specific SLA requirements.

Object storage system


The Rubrik cluster supports using an object storage system as an archival location.

Object Store Vendor | Description
Amazon S3 API Compatible | Object storage systems that are compatible with the Amazon S3 API.
Scality | Scality object storage system. Scality limitations on file listing capabilities prevent full Amazon S3 API compatibility.

Note: The Rubrik CDM Compatibility Matrix contains the most up-to-date list of supported object storage
system vendor choices.

Host Name value


The Rubrik cluster contacts the object storage system by using the information provided in the Host Name
field.
The value provided in the Host Name field of the Add Archival Location dialog box must be a URL that
includes:
• Protocol, either HTTPS or HTTP
• Resolvable hostname or IPv4 address
Optionally, the URL can include a port designation to indicate the port that the object storage system
listens on.

Adding an object storage system as an archival location


Configure a Rubrik cluster to use an object storage system as the archival location.

Prerequisites
• For Scality object storage, complete the tasks described in Preparing Scality as an archival location.
• For all object storage systems, generate an RSA key for the Rubrik cluster to use when encrypting the
archival data, as described in Generating an RSA key.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. Click +.
The Add Archival Location dialog box appears.
5. In Archive Type, select Object Store.
The Add Archival Location dialog box shows the object storage system fields.
6. Choose an object store vendor.
• S3 Compatible (StorageGRID, Cloudian, IBM COS, or other compatible object storage)
• Scality

7. In Access Key, type the access key for the object storage system account.
8. In Secret Key, type the secret key for the object storage system account.
9. In Host Name, type the URL of the object store endpoint.
The URL must include a protocol, either HTTP or HTTPS, and optionally can include a port designation:
• http://hostname:port
• https://hostname:port
where:
• hostname is the resolvable hostname of the object storage system or IPv4 address.
• port is the incoming port that the object storage system listens on to receive an archival
connection.
10. In Bucket Prefix, type a prefix to use for naming the buckets.
The Bucket Prefix value cannot contain uppercase letters.
The Rubrik cluster uses the Bucket Prefix value as the common first part of the names for the buckets
assigned to the Rubrik cluster.
For example, when the Bucket Prefix is datacenter-1 and the Number of Buckets is 3, the Rubrik
cluster creates the following buckets at the archival location:
• datacenter-1-rubrik-0
• datacenter-1-rubrik-1
• datacenter-1-rubrik-2

Note: When the provided credentials do not have bucket creation permissions, use the object storage
system management console to manually create the required buckets before completing this task.

11. In Number of Buckets, type the number of buckets assigned to the Rubrik cluster.
Type an integer value that is greater than or equal to one.
12. In Archival Location Name, type a display name for the archival location.
Alternatively, accept the generated name that is displayed in the field.
13. In RSA Key, paste the RSA key.
The Rubrik cluster uses the RSA key to encrypt the archived data. Disaster recovery cannot be
performed without the RSA key.
14. Optional: Select Enable Archive Consolidation.
15. Optional: Select Use System Proxy.
If the archival location does not need to be accessed via a system-configured proxy server, leave the
box unchecked. This allows the network traffic to flow directly to the archival location, whether a
system proxy is configured or not.
16. Click Add.

Result
The Rubrik cluster tests the keys and connection information and, after a successful test, stores the keys
and connection information.
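
The field rules stated in the procedures above (the Azure Container name, and the object store Host Name, Bucket Prefix, and Number of Buckets values) can be checked before the dialog box is filled in, and the bucket list can be handed to whoever pre-creates buckets when the credentials cannot. This Python code is an added example, not Rubrik code: the function names are hypothetical, hostname resolution is not tested, and the warning for plain HTTP is an added check rather than a rule from this guide.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
HOST_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def check_container_name(name):
    """Return the Azure Container naming rules from the guide that `name` breaks."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("must be three to 63 characters long")
    if re.search(r"[^a-z0-9-]", name):
        problems.append("only lowercase letters, numbers, and hyphens are allowed")
    if name.startswith("-") or name.endswith("-") or "--" in name:
        problems.append("each hyphen needs a non-hyphen character on both sides")
    return problems


def check_host_name(value):
    """Check an object store Host Name value. Returns (problems, warnings)."""
    problems, warnings = [], []
    try:
        parts = urlsplit(value)
        _ = parts.port  # raises ValueError when the port is not a number in 0-65535
    except ValueError as exc:
        return [f"not a usable URL: {exc}"], warnings
    if parts.scheme not in ("http", "https"):
        problems.append("must start with http:// or https://")
    host = parts.hostname or ""
    if not host:
        problems.append("hostname or IPv4 address is missing")
    elif ":" in host:
        problems.append("IPv6 literal; the guide lists a hostname or IPv4 address")
    elif re.fullmatch(r"[0-9.]+", host):
        # Digits and dots only: it has to be a complete, in-range IPv4 address.
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            problems.append(f"{host} is not a valid IPv4 address")
    elif len(host) > 253 or not all(
        HOST_LABEL.fullmatch(label) for label in host.split(".")
    ):
        problems.append(f"{host} is not a well-formed hostname")
    # Added check (assumption, not a rule from the guide): plain HTTP has no TLS.
    if parts.scheme == "http":
        warnings.append("connection to the object store is not protected by TLS")
    return problems, warnings


def expected_buckets(prefix, count):
    """List the bucket names the cluster creates for a Bucket Prefix."""
    if prefix != prefix.lower():
        raise ValueError("Bucket Prefix cannot contain uppercase letters")
    if not isinstance(count, int) or count < 1:
        raise ValueError("Number of Buckets must be an integer of one or more")
    return [f"{prefix}-rubrik-{index}" for index in range(count)]


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    print(check_container_name("rubrik-archive-01"))
    print(check_host_name("http://10.0.0.5:9000"))
    print(expected_buckets("datacenter-1", 3))
```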

Editing the object storage system access key and secret key
Provide more security for the archived data by regularly changing the access key and secret key for the
object storage system. Also, when necessary, edit the display name.

Prerequisites
On the object storage system, change the access key and secret key assigned to the Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. On the Archival Locations page, on the archival location card, open the ellipsis menu and click Edit.
The Edit Archival Location dialog box appears.
5. Optional: In Access Key, type the new access key.
6. Optional: In Secret Key, type the new secret key.
7. Optional: In Archival Location Name, type a new display name.
8. Optional: Click Advanced Settings.
The advanced settings allow you to configure consolidation and proxy settings.
The Advanced Settings dialog box appears.
9. Click Update.

Result
The Rubrik cluster tests the updated information and, after a successful test, stores the updated
information.

NFS share
The Rubrik cluster supports using an NFS share, or an EMC Isilon NFS share, as an archival location.

Adding an NFS archival location


Configure a Rubrik cluster to use an NFS share as the archival location.

Prerequisites
Complete the following preparation tasks:
• For an NFS share other than an EMC Isilon NFS share, complete the tasks described in Preparing to use
an NFS share as an archival location.
• For an NFS share from an EMC Isilon, complete the tasks described in Preparing an Isilon NFS share as
an archival location.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. Click +.
The Add Archival Location dialog box appears.
5. In Archive Type, select NFS.
The Add Archival Location dialog box changes to show the NFS fields.
6. In Host Name, type the resolvable hostname or IP address of the NFS share host.
7. In Export Directory, type the absolute path of the export directory configured in /etc/exports on
the NFS share host, or in the Isilon OneFS UI.
/export/RubrikArchive
The folder specified in the next step must be empty, or only contain files that were written by the
Rubrik cluster. Any other data in the folder will be overwritten by archival data.

8. In Destination Folder Name, type the name of the target folder beneath the NFS mount point.
Use the folder name, not the full path.
When the full path is /export/RubrikArchive/Cluster1, type Cluster1.
9. In Archival Location Name, type a display name for the archival location.
Alternatively, accept the generated name that is displayed in the field.
10. Optional: Clear Enable Encryption Password to disable encryption.
Encryption can only be configured when creating the archival location. If encryption is disabled, data
archived to the NFS location will not be encrypted by Rubrik.
11. In Encryption Password, type a complex password.
Encrypted archival data cannot be recovered without the encryption password. The Rubrik CDM web
UI rejects a password that is too easy to guess. The Rubrik cluster uses the password to encrypt the
archival data.
12. In Re-Enter Encryption Password, type the same password.
13. In File Lock Period in Days, type a positive integer, or 0.
This value sets the Write Once Read Many (WORM) lock on every file that the Rubrik cluster writes to
the archival location. The default value is 0, which specifies no WORM lock.
14. Optional: Click Enable Archive Consolidation.
15. Click Add.

Result
The Rubrik cluster tests the connection information and, after a successful test, stores the connection
information.
Related concepts
Archival data security
The Rubrik cluster encrypts archival data before transmitting the data to any of the supported archival
location types.

Editing an NFS archival location


When changes to the NFS archival location occur, edit the configuration information to update the settings.

Context
Use the edit task to modify the settings of an existing NFS archival location. Do not use the task to add a
new NFS share as an archival location.
To add a new NFS share as an archival location, complete the tasks described in Adding an NFS archival
location. Adding a new archival location causes the Rubrik cluster to move the existing archival location to
READ-ONLY status and retain read access to the data.
Do not edit the connection information for an NFS archival location to point to a new export. This will
cause data corruption and data unavailability.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. On the Archival Locations page, on the archival location card, open the ellipsis menu and click Edit.
The Edit Archival Location dialog box appears.
5. Optional: In Host Name, type the new resolvable hostname or IP address of the NFS share host.

The hostname or IP address must point to the existing NFS share. Only modify this when the
hostname or IP address of the existing NFS share is changed.
6. Optional: In Export Directory, type the new absolute path of the export directory configured in
/etc/exports, or in the Isilon OneFS UI.
The new absolute path must point to the original destination folder. Only modify this when the path to
the destination folder is changed.
7. Optional: In Archival Location Name, type a new display name for the archival location.
8. Optional: Choose an authentication type.
• None
• Kerberos
9. Optional: In File Lock Period in Days, type a positive integer, or 0.
A change to the WORM lock setting only applies to data written after the change is made.
10. Optional: Click Enable Archive Consolidation.
11. Click Update.

Result
The Rubrik cluster tests the updated information and, after a successful test, stores the updated
information.

QStar tape archive


The Rubrik cluster supports archiving to tape using the QStar Archive Manager software running on a
Windows server.
The QStar Archive Manager manages the tape library connected to the Windows server and is responsible
for writing data to and reading data from tape media. QStar abstracts the requirements specific to tape
media and exports them as an Integral Volume Set (referred to here as an Integral Volume). An Integral
Volume is an exported file system to which a Rubrik cluster can mount, using the SMB protocol, for
performing standard file system operations.
An Integral Volume has the following characteristics:
• Tape Drive and Tape Media - One or more tapes assigned as storage media. When performing any read
or write operation on a tape, an Integral Volume selects a tape drive from the tape library. Each tape is
uniquely identified by its barcode. The same tape cannot be shared with other Integral Volumes.
• Cache - Data written to a QStar Integral Volume first lands in the cache that is configured on the QStar
server. The cache is scratch storage that holds data between the Rubrik cluster and the tape media.
This provides higher performance than writing directly to tape.
• Archiving Policy - The QStar server manages archiving to tape from the cache based on the archiving
policy configured. The archiving policy configures thresholds or schedules for sending cache to tape.
If necessary, you can also manually trigger archiving to tape from the QStar UI. Note that the Rubrik
cluster does not control when data is archived to tape from cache.
Once cache data is copied to tape, the cache copy is maintained for easy access but can be purged to free
cache space for new incoming data.
An archival location on a Rubrik cluster is mapped to a folder (a directory) under an Integral Volume. This
folder represents an archival target from a Rubrik cluster and is explicitly owned and locked by that cluster.

Note: More than one archival location can map to the same Integral Volume using different folders. These
archival locations share the same cache and the same underlying storage media. Mapping multiple archival
locations to the same Integral Volume can affect data isolation, performance, and maintenance.

A QStar server may host up to four Integral Volumes to provide data isolation and better concurrency in
archiving and restore operations with multiple archival locations. The tape library and the server must
follow the configuration recommendations in this section and the recommendations for a QStar Integral
Volume.
Due to the serial access nature of tape media, archives are stored only as full snapshots. Archiving
incremental snapshots with tape archival locations is not supported. As a best practice, schedule tape
archiving operations at least monthly.
Tape data archives support individual file search but not individual file restore. Restore operations from
tape restore the entire requested snapshot from the tape archive to the Rubrik cluster.

Note: The QStar tape archive option does not support direct archive workloads.

Related concepts
Prepare a QStar Integral Volume as an archival location
Prepare a QStar Integral Volume set to use as a tape archival location.

Adding a QStar tape archive as an archival location


Configure a Rubrik cluster to use a QStar tape archive as the archival location.

Prerequisites
Complete the tasks described in Prepare a QStar Integral Volume as an archival location.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. Click +.
The Add Archival Location dialog box appears.
5. In Archive Type, select Tape.
The Add Archival Location dialog box changes to show the tape fields.
6. In QStar Host Name, type the hostname of the host of the QStar Archive Manager instance.
The value can optionally include a port designation:
hostname:port
• hostname is the resolvable hostname or IPv4 address of the host.
• port is the incoming port that the QStar Archive Manager instance listens on.
7. In QStar Integral Volume Name, type the name of the Integral Volume set.
8. In Destination Folder Name, type a name for the folder to use for the archival location.
The combination of the three fields: QStar Host Name, QStar Integral Volume Name, and Destination
Folder Name must be unique. After clicking Add, the Rubrik cluster checks the location to ensure that
it is not in use as an archival location.
If the location is in use, the add archival location task fails and a message appears in the Activity Log.
9. In Archival Location Name, type a display name for the archival location.
Alternatively, accept the generated name that is displayed in the field.
10. In QStar User Name, type the name for a user account.
The specified user account must have permission to mount an Integral Volume set from an external
system and to perform read and write operations on the mounted Integral Volume set.
11. In QStar Password, type the password for the user account.
12. In Encryption Password, type a complex password.

The Rubrik CDM web UI rejects a password that is too easy to guess.

Important: Disaster recovery cannot be performed without this password.

The Rubrik cluster uses the password to encrypt the archival data.
13. In Re-Enter Encryption Password, type the same password.
14. Click Add.

Result
The Rubrik cluster attempts to mount the Integral Volume set and examines the path specified by the
Destination Folder Name.
If the mount fails or the path is unavailable, the job to add the archival location fails and the Rubrik
cluster adds a message to the Activity Log. If both tasks are successful, the Rubrik cluster stores the
information and makes the archival location available for use.

Editing the tape archival location


Modify the connection information for the tape archival location. Also, when necessary, edit the display
name.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. On the Archival Locations page, on the archival location card, open the ellipsis menu and click Edit.
The Edit Archival Location dialog box appears.
5. Optional: In QStar Host Name, type the new hostname value of the QStar Archive Manager
instance.
6. Optional: In Archival Location Name, type a new display name for the archival location.
7. Optional: In QStar User Name, type the name for a new user account.
8. Required when the password changes: In QStar Password, type the new password.
9. Click Update.

Result
The Rubrik cluster tests the updated information and, after a successful test, stores the updated
information.

Archival Consolidation
Archival Consolidation frees archival storage by deleting expired snapshots.
Enable Archival Consolidation in Rubrik CDM to merge the expired set of snapshots with the next live
snapshot. Archival Consolidation reduces storage requirements and reduces the snapshot chain length.
With reduced snapshot chain length, only the first snapshot requires a full snapshot and the subsequent
snapshots use incremental-forever snapshots.
Archival Consolidation has the following characteristics:
• NFS, Amazon S3, S3 Compatible Object Stores, and Azure archives support Archival Consolidation.

• Upgrading Rubrik CDM to a release version that supports Archival Consolidation will not automatically
enable Archival Consolidation for existing archival locations. Enable Archival Consolidation for an
existing archival location to merge the expired snapshots of the archive with the next live snapshot.
Archival Consolidation does not convert the previously uploaded full snapshots to incremental
snapshots.
• Only owner cluster archival locations support Archival Consolidation. Reader archival locations do not
support Archival Consolidation.
• The Rubrik cluster disables Archival Consolidation for paused archival locations.
Archival Consolidation is a best practice used with Direct Archive, which enables large-scale storage outside
of the Rubrik cluster. The replication policies of SLA Domains assigned to data sources that use Direct
Archive do not apply to snapshots of those data sources. Replication for snapshots that use Direct Archive
is not available because the Rubrik cluster does not store these snapshots in local storage.
Related concepts
Direct Archive
The Direct Archive feature permits direct transfer of snapshots to archival storage, rather than first storing
the snapshots on the drives of the Rubrik cluster.

Archival Consolidation for Amazon S3 and Azure


The Rubrik cluster launches a temporary Rubrik instance and initiates archival consolidation jobs on
the temporary Rubrik instance when the storage consumed by expired snapshots exceeds a specified
threshold.
The temporary Rubrik instance reads archived data from Amazon S3 and Azure. Then, the temporary
Rubrik instance identifies the expired snapshots and performs Archival Consolidation. Once Archival
Consolidation is complete, the temporary Rubrik instance uploads the consolidated archival data back to
the cloud storage. The Rubrik cluster then shuts down and terminates the temporary Rubrik instance in
order to avoid running costs.
Archival Consolidation is triggered on Amazon S3 and Azure if either of the following conditions exists:
• There are at least five expired snapshots in the chain and the sum of their physical sizes is at least 15%
of the logical size of the chain.
• There are at least 40 expired snapshots in the chain.
In addition to the above conditions, Amazon S3 and Azure trigger Archival Consolidation if either of the
following conditions exists:
• The cost of storage saved (after consolidation has run) is at least 1.5 times greater than the cost of
consolidating the storage.
• It has been at least 30 days since the last Archival Consolidation.

Archival Consolidation for NFS and S3 Compatible Object Stores


The Rubrik cluster performs Archival Consolidation for NFS and S3 Compatible Object Store archival
locations by reading the contents of the affected snapshots to the cluster, generating new consolidated
content, and then uploading it back to the archival location.
Archival Consolidation increases the bandwidth consumption between the Rubrik cluster and the archival
location.
Archival Consolidation is triggered on NFS and S3 compatible storage if either of the following conditions
exists:
• There are at least five expired snapshots in the chain and the sum of their physical sizes is at least 15%
of the logical size of the chain.
• There are at least 40 expired snapshots in the chain.
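
Because consolidation for these location types reads snapshot data back to the cluster, it helps to estimate when the two trigger conditions above will first be met for a chain. This Python code is an added example, not Rubrik code: the names are hypothetical, the sample chain is constructed, and it assumes the logical size of the chain stays constant and no new snapshots join the chain during the period examined.

```python
from dataclasses import dataclass
from datetime import date, timedelta

GIB = 1024 ** 3


@dataclass(frozen=True)
class Snapshot:
    name: str
    physical_bytes: int
    expires_on: date


def trigger_reason(expired, logical_bytes):
    """Return which documented condition the expired snapshots meet, or None."""
    count = len(expired)
    expired_bytes = sum(snap.physical_bytes for snap in expired)
    if count >= 40:
        return "at least 40 expired snapshots in the chain"
    # Integer arithmetic keeps the 15% comparison exact at the boundary.
    if count >= 5 and expired_bytes * 100 >= 15 * logical_bytes:
        return "at least five expired snapshots holding 15% of the logical size"
    return None


def first_trigger_date(chain, logical_bytes):
    """Walk the expiry dates in order and return (date, reason) for the first
    day on which the rule is met, or None when it is never met."""
    for day in sorted({snap.expires_on for snap in chain}):
        expired = [snap for snap in chain if snap.expires_on <= day]
        reason = trigger_reason(expired, logical_bytes)
        if reason:
            return day, reason
    return None


# Constructed sample: ten snapshots of 20 GiB each, one expiring per day,
# in a chain with a logical size of 1000 GiB.
SAMPLE_CHAIN = [
    Snapshot(f"snap-{i:02d}", 20 * GIB, date(2022, 6, 1) + timedelta(days=i))
    for i in range(10)
]

if __name__ == "__main__":
    print(first_trigger_date(SAMPLE_CHAIN, 1000 * GIB))
```

With the sample chain, five expired snapshots hold only 10% of the logical size, so the rule is first met when the eighth snapshot expires.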

Managing consolidation for Amazon S3
Enable or disable snapshot consolidation for an Amazon S3 archival location.

Context
When consolidation for Amazon S3 is enabled, the snapshot consolidation runs in the AWS cloud using the
cloud compute resources.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
4. On the card for an existing Amazon S3 archival location, open the ellipsis menu and click Edit.
The Edit Archival Location dialog box appears.
5. Click Advanced Settings.
6. Select Enable Archive Consolidation.
7. Click Save.
8. Click Update in the Edit Archival Location window.

Result
The Rubrik cluster modifies the configuration of an Amazon S3 archival location to enable or disable
snapshot consolidation.
Related concepts
Prepare to use Amazon S3 as an archival location
Prepare to use Amazon S3 object storage as an archival location.
Related tasks
Configuring AWS CloudOn using the CloudFormation template
Use the CloudOn CloudFormation template to configure CloudOn for AWS.
Related reference
Advanced settings
Information on advanced settings for Amazon S3, Google Cloud Platform, and Azure archival locations.

Managing consolidation for Azure


Enable or disable snapshot consolidation for an Azure archival location.

Context
When consolidation for Azure is enabled, the snapshot consolidation runs in the Azure cloud using the
cloud compute resources.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. On the card for an existing Azure archival location, open the ellipsis menu and click Edit.
The Edit Archival Location dialog box appears.
5. Click Advanced Settings.
6. Select Enable Archive Consolidation.

7. Click Save.
8. In the Edit Archival Location window, click Update.

Result
The Rubrik cluster modifies the configuration of an Azure location to enable or disable snapshot
consolidation.
Related tasks
Adding Microsoft Azure as an archival location
Configure a Rubrik cluster to use Microsoft Azure as the archival location.
Related reference
Advanced settings
Information on advanced settings for Amazon S3, Google Cloud Platform, and Azure archival locations.

Managing consolidation for NFS


Enable or disable snapshot consolidation for an NFS archival location.

Context
When consolidation for an NFS archival location is enabled, the snapshot consolidation runs on the Rubrik
cluster.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. On the card for an existing NFS archival location, open the ellipsis menu and click Edit.
The Edit Archival Location dialog box appears.
5. Select Enable Archive Consolidation.
6. Click Update.

Result
The Rubrik cluster modifies the configuration of the NFS archival location to enable or disable snapshot
consolidation.

Managing consolidation for S3 compatible object storage systems


Enable or disable snapshot consolidation for an S3 compatible object storage system.

Context
When consolidation for object storage is enabled, the snapshot consolidation runs on the Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. On the card for an existing object storage archival location, open the ellipsis menu and click Edit.
The Edit Archival Location dialog box appears.
5. Select Enable Archive Consolidation.
Clear this setting to disable consolidation.
6. Click Update.

Result
The Rubrik cluster modifies the configuration of an object storage archival location to enable or disable
snapshot consolidation.

Cascading Archival
Cascading Archival replicates data from a source Rubrik cluster to a target Rubrik cluster and then archives
the data from the target Rubrik cluster.
Cascading Archival combines the ability to replicate data from a remote site to a central site and then move
the replicated data to an archival location.

Data retention settings


Several settings impact the retention of data for the Cascading Archival feature.
Replication retention for the source cluster SLA Domain is an upper boundary on how long replicated data
is kept on the target Rubrik cluster or in the Cascading Archival location.
The following table describes data retention settings.

Setting | Setting location | Description
Source Rubrik cluster | On the source Rubrik cluster: SLA Domain > Archiving and Replication > Retention on Brik | Specifies how long data is kept locally on the source Rubrik cluster.
Target Rubrik cluster | On the source Rubrik cluster: SLA Domain > Archiving and Replication > Replication | Specifies how long data is kept locally on the target cluster or in the Cascading Archival location.
Archival location | On the target Rubrik cluster: SLA Domain > Archiving and Replication > Archival | Specifies how long data is kept at the Cascading Archival location.

The maximum retention setting on the source Rubrik cluster also determines the maximum retention
of replicated data on the target Rubrik cluster and in the Cascading Archival location. Shortening the
maximum retention of the source SLA Domain will expire data sooner on the source Rubrik cluster, the
target Rubrik cluster, and in the archival location. For an extreme example, setting the maximum retention
on the source Rubrik cluster to 0 will expire the data immediately on the source Rubrik cluster, the target
Rubrik cluster, and the archival location.

Cascading Archival configuration considerations


Cascading Archival must be properly configured to prevent data from being prematurely expired from the
archival location.
Improperly configured Cascading Archival can cause data to prematurely expire from the archival location.
The following is an example of an SLA Domain that is configured properly for Cascading Archival.

Example: Cascading Archival with early expiration of data

The initial configuration in this example shows an acceptable configuration for Cascading Archival.
SLA on source Rubrik cluster:
• Take snapshots every 1 day for 100 days
• Local retention (on Retention on Brik setting) for 48 days
• Replication retention for 100 days
SLA on target (after enabling cascaded archival):
• Archive to cloud location after 48 days
The data would be stored as follows:
• 0 to 48 days – old data resides on source Rubrik cluster
• 0 to 48 days – old data resides on target Rubrik cluster
• 48 days to 100 days – data resides on the archival location
Changes to the configuration on the source Rubrik cluster, as shown in the following example, could lead
to data being expired on the target Rubrik cluster and on the archival location.
The SLA is modified on the original Rubrik cluster:
• On the source Rubrik cluster, a user modifies the retention setting on the target Rubrik cluster for
the assigned SLA Domain to reduce it to 48 days.
The new settings become:
• Take snapshots every 1 day and retain for 100 days
• Local retention (on Retention on Brik setting) for 48 days
However, on the target Rubrik cluster the settings remain the same:
• Local retention for 48 days
• Archive to cloud location after 48 days
When the change is propagated to the target Rubrik cluster, archival to the cloud is disabled.
Importantly, all the data on the archival location that is older than 48 days is immediately expired and
deleted.
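
The early-expiration scenario above, modeled as an added Python example (not Rubrik code and not part of the original guide). The class and function names, whole-day snapshot ages, and half-open day windows are assumptions; the script compares a current and a proposed SLA configuration and reports which snapshots would lose their archived copy before the change is saved.

```python
"""Model of the Cascading Archival retention windows described above.

Assumptions (not from the Rubrik documentation): all names in this file,
whole-day snapshot ages, and half-open windows, so "0 to 48 days" is read as
0 <= age < 48 and "48 days to 100 days" as 48 <= age < 100.
"""
from dataclasses import dataclass, replace
from typing import Iterable, Optional

SOURCE = "source cluster"
TARGET = "target cluster"
ARCHIVE = "archival location"


@dataclass(frozen=True)
class CascadingSla:
    max_retention_days: int            # source SLA Domain: how long snapshots are retained
    local_retention_days: int          # source SLA Domain: Retention on Brik
    replication_retention_days: int    # source SLA Domain: Replication
    archive_after_days: Optional[int]  # target cluster: archival policy threshold

    def replication_limit(self) -> int:
        # The source maximum retention also caps replicated and archived data.
        return min(self.replication_retention_days, self.max_retention_days)

    def archival_active(self) -> bool:
        # Archival only has a window to work in when replicated data is
        # allowed to outlive the archival threshold.
        return (self.archive_after_days is not None
                and self.archive_after_days < self.replication_limit())


def placement(sla: CascadingSla, age_days: int) -> frozenset:
    """Return the locations that still hold a snapshot of the given age."""
    where = set()
    if age_days < min(sla.local_retention_days, sla.max_retention_days):
        where.add(SOURCE)
    limit = sla.replication_limit()
    target_until = limit
    if sla.archive_after_days is not None:
        target_until = min(limit, sla.archive_after_days)
    if age_days < target_until:
        where.add(TARGET)
    if sla.archival_active() and sla.archive_after_days <= age_days < limit:
        where.add(ARCHIVE)
    return frozenset(where)


def review_change(current: CascadingSla, proposed: CascadingSla,
                  snapshot_ages: Iterable[int]) -> dict:
    """Compare two configurations over the ages of the existing snapshots."""
    ages = sorted(snapshot_ages)
    return {
        "archival_disabled":
            current.archival_active() and not proposed.archival_active(),
        "expired_from_archive": [
            a for a in ages
            if ARCHIVE in placement(current, a)
            and ARCHIVE not in placement(proposed, a)
        ],
        "expired_everywhere": [
            a for a in ages
            if placement(current, a) and not placement(proposed, a)
        ],
    }


# The configuration from the example: daily snapshots kept 100 days, 48 days
# on the source, replication retention 100 days, archive after 48 days.
INITIAL = CascadingSla(max_retention_days=100, local_retention_days=48,
                       replication_retention_days=100, archive_after_days=48)
# The change from the example: replication retention reduced to 48 days.
REDUCED = replace(INITIAL, replication_retention_days=48)
# Constructed sample input: one snapshot per day, aged 0 to 99 days.
DAILY_AGES = range(100)

if __name__ == "__main__":
    report = review_change(INITIAL, REDUCED, DAILY_AGES)
    print("archival disabled by change:", report["archival_disabled"])
    lost = report["expired_from_archive"]
    print(f"{len(lost)} snapshots lose their archived copy "
          f"(ages {lost[0]} to {lost[-1]} days)")
    print("of those, with no copy left anywhere:",
          len(report["expired_everywhere"]))
```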

Using Cascading Archival


Use the Rubrik CDM web UI to configure Cascading Archival.

Procedure
From the source Rubrik cluster, complete the following steps.
1. From the Rubrik CDM web UI, select SLA Domains > Local Domains.
2. Click the + icon.
The Create SLA Domain dialog box appears.
3. Specify the SLA Domain Name.
4. Specify the SLA settings for the Rubrik cluster.
5. Click Next.
6. Enable the Replication toggle.
7. Specify the target Rubrik cluster from the drop-down list.
8. Use the slider bar to specify how long data is kept locally on the target Rubrik cluster.
9. Click Next.
The Summary page of the SLA Domain wizard appears.
10. Click Create.
It can take several minutes for the replication changes to propagate to other clusters.
From the target Rubrik cluster, complete the following steps:
11. From the Rubrik CDM web UI, select SLA Domains > Remote Domains.
The Remote SLA Domains screen appears.
12. Select the source Rubrik cluster SLA Domain.
13. Click Edit Archival Policy.
The Edit Archival Policy dialog appears.
14. Configure the archival policy for the target Rubrik cluster.
15. Click Next.
16. Optional: Click Apply to existing snapshots.
The changes made to the remote SLA Domain are applied to the existing snapshots.
The Review Impact page describes the impact of the changes on existing snapshots and for new
snapshots.
17. Click Update.

Result
The archival policy is configured.

Archival location proxy


By default, the archival locations use the global proxy settings. The archival location proxy settings override
the global proxy settings.

Note: Archival location proxies must be forward proxies. Rubrik CDM does not support reverse proxies for
archival locations.

Each archival location supports the following proxy types:


• The Archival proxy is used to route traffic for archival requests.
• The Compute proxy is used for API calls that instantiate virtual machines.

Configuring an S3 archival location proxy


S3 archival location proxy is enabled through the Rubrik CDM web UI.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. On the card for the S3 archival location, open the ellipsis menu and click Edit.
The Edit Archival Location dialog box appears.
5. Click Advanced Settings.
6. From Archival Proxy Settings, configure:
• Protocol
• Proxy Server (IP or FQDN)
• Port Number
• Username
• Password
7. Click Save.
8. From Compute Proxy Settings, configure:
• Protocol
• Proxy Server (IP or FQDN)
• Port Number
• Username
• Password
9. Click Save.

Result
The Rubrik cluster saves the archive location proxy settings.
Related reference
Advanced settings
Information on advanced settings for Amazon S3, Google Cloud Platform, and Azure archival locations.

Configuring an Azure archival location proxy


Azure archival location proxy is enabled through the Rubrik CDM web UI.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. On the card for the Azure archival location, open the ellipsis menu and click Edit.
The Edit Archival Location dialog box appears.
5. Click Advanced Settings.
6. From Archival Proxy Settings, configure:
• Protocol
• Proxy Server (IP or FQDN)
• Port Number
• Username
• Password
7. Click Save.
8. From Compute Proxy Settings, configure:
• Protocol
• Proxy Server (IP or FQDN)
• Port Number
• Username
• Password
9. Click Save.

Result
The archive location proxy settings are saved.
Related reference
Advanced settings
Information on advanced settings for Amazon S3, Google Cloud Platform, and Azure archival locations.

Disaster recovery using an archival location


A Rubrik cluster establishes a connection with an archival location by using unique credentials. In the event
the owner Rubrik cluster becomes unavailable, use the same credentials with another Rubrik cluster to
recover the archived data.
The recovery cluster only obtains exclusive write access when the cluster is promoted. Promotion requires
using the credentials of the owner Rubrik cluster to authenticate with the archival location. After promotion,
the recovery Rubrik cluster obtains Read and Write access to the archived data.
The recovery cluster can still connect as a reader while the owner cluster is still active, as long as the user
does not promote the reader cluster.
Only replace the owner cluster of an archival target with a new cluster when the owner cluster is no longer
available or access to the archival target from that cluster is no longer needed.
Disaster recovery from an archival location is available for any of the following archive types:
• Amazon S3
• Amazon Glacier
• Google Cloud Platform
• Microsoft Azure
• Object storage system
• NFS share
• QStar tape archive
Related concepts
Reader-writer archival model
This model allows for one owner cluster, multiple reader clusters, and simplifies disaster recovery.

Reader-writer archival model


This model allows for one owner cluster, multiple reader clusters, and simplifies disaster recovery.
A pair of clusters can be set up as reader and writer for archival or for replication. These configurations are
exclusive. A given pair of clusters cannot be configured for both reader-writer archival and for replication.

Archival location states | Description
Owner | The archival location is owned by the cluster and is active for archiving. The owner cluster has full read-write access to the archival location. There can be only one owner for each archival target at an archival location.
Paused | An archival location on the owner cluster which is currently paused for archiving.
Reader | The archival location created on a cluster for read-only purposes. The reader cluster can recover snapshots from the archival target but cannot archive new snapshots or expire any existing snapshots. There can be more than one reader cluster to the same archival target concurrently. The owner cluster has no knowledge of any reader cluster accessing the archival target.
Deleted | Once an archival location is no longer needed, it can be deleted from a cluster. Deleting an archival location from a reader cluster has no effect on the archival target or the owner cluster.

Archival states | Upload | Download | Expire and delete | SLA mapping
Owner | Yes | Yes | Yes | Yes
Paused | No | Yes | Yes | Yes
Reader | No | Yes | No | No
Deleted | No | No | No | No

Reader archival location connections


Connecting the Rubrik cluster to the archival target allows you to recover snapshot data from an archival
location.
A Rubrik cluster retrieves metadata from the archival target when the Rubrik cluster is connected to the
reader archival location. The cluster identifies all the protected objects and snapshots associated with
those objects. You can access or download any of the recovered snapshots as long as the snapshot has
not expired or been deleted by the owner cluster.
The time required to complete metadata recovery depends on how many objects and snapshots are in the
target archival location and whether you are retrieving metadata for objects only or for both objects and
snapshots.
Connecting to a reader archival location is quicker when retrieving only object metadata. However, you
must also refresh reader location objects to retrieve metadata for any new snapshots that are on the
archival location.
Related concepts
Reader location object refresh
Refreshing reader location objects synchronizes the recovery view of the reader cluster with the actual
contents of the archival location.
Related tasks
Refreshing reader location objects
Use the Rubrik CDM web UI to update a reader cluster with the latest snapshot metadata.

Connecting to a reader archival location


Use the Rubrik CDM web UI to connect to a reader archival location and perform metadata recovery from
the archival target.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. Open the ellipsis menu on the page bar and click Connect as Reader.
The Connect as Reader dialog box appears.
5. In Archive Type, select an archive type.
Each archive type has unique parameters.
6. Fill in the parameters.
If you retrieve only object metadata, you must also refresh reader location objects to see the available
points in time on each object for which to retrieve metadata.
7. Optional: Click Advanced Settings.
The advanced settings allow you to configure consolidation and proxy settings.
The Advanced Settings dialog box appears.
8. Click Connect.
Setting up archival consolidation is not required when connecting as a reader. To access the archival
target, specify the Archival Proxy and Compute Proxy settings.

Result
The Rubrik cluster connects to the reader archival location. The connection time depends on how many
objects and snapshots are present at the target archival location, as specified in Retrieval Method.
A gray border on the dialog box indicates the cluster is in read-only mode. A rolling bar indicates the
cluster is recovering metadata from the archival location.
Related tasks
Refreshing reader location objects
Use the Rubrik CDM web UI to update a reader cluster with the latest snapshot metadata.
Related reference
Advanced settings
Information on advanced settings for Amazon S3, Google Cloud Platform, and Azure archival locations.

Refreshing a reader archival location


Use the Rubrik CDM web UI to refresh a reader archival location.

Context
Since the contents of the archival target can be changed by the owner cluster, the recovery view of the
reader cluster can be inconsistent with the actual contents of the archival location. The refresh operation
takes a current view of the contents of the archival target and populates the reader cluster with that
information. Use this operation to synchronize the reader cluster with the latest content.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. Select a reader archival location.
5. Open the ellipsis menu on the page bar and click Refresh.

Result
The Rubrik cluster starts the refresh process.

Promoting to owner cluster for an archive


Promote a reader Rubrik cluster to the owner Rubrik cluster for an archival location.

Prerequisites
Verify that the current owner cluster does not have access to the archival location.

Important: Promoting a reader cluster to owner while another cluster is actively accessing the archival
location as the owner can result in inconsistent data and potential data integrity issues.

Context
An owner cluster initiates expiration based on the retention policy assigned when the snapshot was
created. Reader clusters do not initiate expiration of archived snapshots, even when the owner cluster
becomes unavailable. When a reader cluster is promoted to owner, the new owner cluster applies any
pending expirations to existing archived snapshots based on the retention period assigned to each
snapshot when it was created. Changes to SLA Domain retention policy that are made after a snapshot
was created do not change the retention period of existing archived snapshots.
Be aware of the possibility of snapshots becoming marked as expired and deleted by the Rubrik cluster
immediately upon promoting a reader archival location.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. Select a reader archival location to promote.
5. Open the ellipsis menu on the page bar and click Promote to Owner.
The Promote to Owner dialog box appears.
6. In The owner cluster has not modified the archival location since the last refresh, select an
action based on the state of changes to the archival location.
Action | Description
Select | Select the field when the owner cluster has not made changes to the archival location since the last refresh. This skips synchronization between the current owner cluster and the archival location before the promotion.
Clear | Clear the field when the owner cluster has made changes to the archival location since the last refresh. This forces synchronization between the current owner cluster and the archival location before the promotion.
7. Click Promote.

Result
The reader cluster assumes the owner role.

Pausing archival activity


Pause archival activity on an archival location from the Rubrik CDM web UI of the owner cluster.

Context
Pausing suspends archival activity but does not change the status of the owner cluster. For a paused
archival location, some background jobs that may change the contents of the archival location, and
expiration of snapshots, will continue to be scheduled.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. On the Archival Locations page, on the archival location card, open the ellipsis menu and click Pause
Archival.
The Pause Archiving dialog box appears.
5. Click Pause.

Result
Jobs in progress are canceled, if possible. Jobs that cannot be canceled are allowed to complete before the
pause takes effect. When the archival location is paused, the information card moves to the bottom of the
display.

Resuming archival activity


Use the Rubrik CDM web UI to resume a paused archival location.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. On the Archival Locations page, on the archival location card, open the ellipsis menu and click
Resume Archival.
The Resume Archiving dialog box appears.
5. Click Resume.

Result
The Rubrik cluster resumes archival activity for the archival location.

Source vCenters available for recovery


When the source vCenter Servers of the source Rubrik cluster are added to the recovery Rubrik cluster
before the recovery, the recovery Rubrik cluster resumes management of the protection objects on the
source vCenter Servers.
The recovery Rubrik cluster manages the protection objects based on the SLA Domain assignments and
rules from the source Rubrik cluster.
After recovery, the SLA Domains of the source Rubrik cluster appear in the Rubrik CDM web UI of the
recovery Rubrik cluster. The recovery Rubrik cluster uses the SLA Domain rules from the source Rubrik
cluster to manage the protection objects on those vCenter Servers.
To re-enable the existing archival policies of the original SLA Domains, add the archival location to the
recovery Rubrik cluster.
Related concepts
Archival location configuration
Configure the Rubrik cluster to support a specific archival location by providing the requested archive-
specific information.

Source vCenters unavailable for recovery


When the source vCenters cannot be added to the recovery Rubrik cluster before the recovery, the original
source virtual machines are unavailable to the recovery Rubrik cluster.
The recovery Rubrik cluster provides management access to this recovered archival data through the
Snapshot Management page.
If the vCenter Server is unavailable during snapshot removal, related snapshots can become orphaned.
Orphaned snapshots can be deleted from the vCenter Server directly.
Related concepts
Retention management
Assign retention policies to existing scheduled snapshots, on-demand snapshots, and snapshots retrieved
from an archival location.

Connecting to an S3 archival location for disaster recovery


To connect another Rubrik cluster to an S3 archival location for disaster recovery, provide the recovery
Rubrik cluster with the connection details that were used by the owner Rubrik cluster.

Prerequisites
• Choose a Rubrik cluster to use as the recovery cluster.
• Obtain the access key ID and the secret key used by the owner Rubrik cluster for the S3 archival
location.
• Obtain the KMS master key ID or the RSA key used by the owner Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. Open the ellipsis menu on the page bar and click Connect as Reader.
The Connect as Reader dialog box appears.
5. In Archive Type, select Amazon S3.
6. In Region, select an Amazon S3 region for the bucket.
7. In Storage Class, select the Amazon S3 Storage Class.
8. In AWS Access Key, paste the access key ID.
9. In AWS Secret Key, paste the associated secret key.
10. In AWS Bucket Name, type the name of the Amazon S3 bucket of the owner Rubrik cluster.
11. In Archival Location Name, select the Amazon S3 location name.
12. In Retrieval Tier, select the Amazon retrieval tier.
• Standard
• Expedited
• Bulk
13. Select an encryption type.
• KMS Master Key ID
• RSA Key
14. (KMS master key only) In KMS Master Key ID, paste the KMS master key ID that was used to
encrypt the archival data on the owner Rubrik cluster.
15. (RSA key only) In RSA Key, paste the RSA key that was used to encrypt the archival data on the
owner Rubrik cluster.
16. Choose the retrieval method.
• Object List Only (Faster)
Retrieves a list of protected objects.
• Object List and Snapshot Details
Retrieves a list of protected objects and the associated snapshot details. This action takes longer to
complete.
17. Optional: Click Advanced Settings.
The advanced settings allow you to configure consolidation, proxy, and immutability settings.
The Advanced Settings dialog box appears.
18. Click Connect.

Result
The selected Rubrik cluster connects to the archival location for read-only access and provides access to
disaster recovery.
The recovery Rubrik cluster tests the keys and connection information and, after a successful test, stores
the keys and connection information. A gray border on the dialog box indicates the cluster is in read-only
mode. A rolling bar indicates the cluster is recovering metadata from the archival location.
Related tasks
Refreshing reader location objects
Use the Rubrik CDM web UI to update a reader cluster with the latest snapshot metadata.
Related reference
Advanced settings
Information on advanced settings for Amazon S3, Google Cloud Platform, and Azure archival locations.

Connecting to an Amazon S3 Glacier archival location for disaster recovery


To connect another Rubrik cluster to an Amazon S3 Glacier archival location for disaster recovery, provide
the recovery Rubrik cluster with the connection details that were used by the owner Rubrik cluster.

Prerequisites
• Choose a Rubrik cluster to use as the recovery cluster.
• Obtain the access key ID and the secret key used by the owner Rubrik cluster for the Glacier archival
location.
• Obtain the encryption password used by the owner Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. Open the ellipsis menu on the page bar and click Connect as Reader.
The Connect as Reader dialog box appears.
5. In Archive Type, select Glacier.
6. In Region, select an Amazon Glacier region for the archive.
7. In Access Key, type the access key for the Amazon Glacier account.
8. In Secret Key, type the secret key for the Amazon Glacier account.
9. In Glacier Vault Name, type the name of the Glacier Vault to use for the archive. If the vault does
not exist, it will be created.
10. In Archival Location Name, accept the default name or type a new name for the archival location.
11. In Encryption Password, type the encryption password to recover the Glacier archive. This
password must match the encryption password from the owner cluster.
12. In Retrieval Tier, select the Amazon Glacier retrieval tier.
You can select from:
• Standard
• Expedited
• Bulk
13. Choose the retrieval method.
• Object List Only (Faster)
Retrieves a list of protected objects.
• Object List and Snapshot Details
Retrieves a list of protected objects and the associated snapshot details. This action takes longer to
complete.
14. Click Connect.

Result
The selected Rubrik cluster connects to the archival location for read-only access and provides access to
disaster recovery.
The recovery Rubrik cluster tests the keys and connection information and, after a successful test, stores
the keys and connection information. A gray border on the dialog box indicates the cluster is in read-only
mode. A rolling bar indicates the cluster is recovering metadata from the archival location.
Related tasks
Refreshing reader location objects
Use the Rubrik CDM web UI to update a reader cluster with the latest snapshot metadata.

Connecting to a GCP archival location for disaster recovery


To connect another Rubrik cluster to a Google Cloud Platform archival location for disaster recovery,
provide the recovery Rubrik cluster with the connection details that were used by the owner Rubrik cluster.

Prerequisites
• Choose a Rubrik cluster to use as the recovery cluster.
• Obtain the access key ID and the secret key used by the owner Rubrik cluster for the Google Cloud
Platform archival location.
• Obtain the encryption password used by the owner Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. Open the ellipsis menu on the page bar and click Connect as Reader.
The Connect as Reader dialog box appears.
5. In Archive Type, select Google Cloud Platform.
6. In Region, select the Regional or Multi-regional location to host the archival data.
7. In Storage Class, select the specified storage class.
8. In Bucket, enter the bucket name.
9. In Encryption Password, type the encryption password to recover the Google Cloud Platform
archive. This password must match the encryption password from the owner cluster.
10. In Re-Enter Encryption Password, type the encryption password to recover the Google Cloud
Platform archive.
11. In Archival Location Name, accept the default archival location name or specify a custom name.
12. In Service Account JSON Key, paste the contents of the JSON file obtained from Google Cloud
Platform.
13. Choose the retrieval method.
• Object List Only (Faster)
Retrieves a list of protected objects.
• Object List and Snapshot Details
Retrieves a list of protected objects and the associated snapshot details. This action takes longer to
complete.
14. Optional: Click Advanced Settings.
The advanced settings allow you to configure proxy settings.
The Advanced Settings dialog box appears.
15. Click Connect.

Result
The selected Rubrik cluster connects to the archival location for read-only access and provides access to
disaster recovery.
The recovery Rubrik cluster tests the keys and connection information and, after a successful test, stores
the keys and connection information. A gray border on the dialog box indicates the cluster is in read-only
mode. A rolling bar indicates the cluster is recovering metadata from the archival location.
Related tasks
Refreshing reader location objects
Use the Rubrik CDM web UI to update a reader cluster with the latest snapshot metadata.
Related reference
Advanced settings
Information on advanced settings for Amazon S3, Google Cloud Platform, and Azure archival locations.

Connecting to an Azure archival location for disaster recovery


To connect another Rubrik cluster to a Microsoft Azure archival location for disaster recovery, provide the
recovery Rubrik cluster with the connection details that were used by the owner Rubrik cluster.

Prerequisites
• Choose a Rubrik cluster to use as the recovery cluster.
• Obtain the account name and the account key used by the owner Rubrik cluster for the Azure archival
location.
• Obtain the container name used by the owner Rubrik cluster.
• Obtain the RSA key used by the owner Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. Open the ellipsis menu on the page bar and click Connect as Reader.
The Connect as Reader dialog box appears.
5. In Archive Type, select Azure.
6. In Storage Account Name, type the name of the Microsoft Azure account.
7. In Access Key, type the access key for the Microsoft Azure account.
8. In Container, type the name of the container.
9. In Archival Location Name, type the archival location name.
10. In Instance Type, select an instance type.
11. In RSA Key, paste the RSA key that was used to encrypt the archival data on the owner Rubrik
cluster.
12. Choose the retrieval method.
• Object List Only (Faster)
Retrieves a list of protected objects.
• Object List and Snapshot Details
Retrieves a list of protected objects and the associated snapshot details. This action takes longer to
complete.
13. Optional: Click Advanced Settings.
The advanced settings allow you to configure consolidation, proxy, and immutability settings.
The Advanced Settings dialog box appears.
14. Click Connect.

Result
The selected Rubrik cluster connects to the archival location for read-only access and provides access to
disaster recovery.
The recovery Rubrik cluster tests the keys and connection information and, after a successful test, stores
the keys and connection information. A gray border on the dialog box indicates the cluster is in read-only
mode. A rolling bar indicates the cluster is recovering metadata from the archival location.
Related tasks
Refreshing reader location objects
Use the Rubrik CDM web UI to update a reader cluster with the latest snapshot metadata.
Related reference
Advanced settings
Information on advanced settings for Amazon S3, Google Cloud Platform, and Azure archival locations.

Connecting to an object storage system for disaster recovery


To connect another Rubrik cluster to an object storage system archival location for disaster recovery,
provide the recovery Rubrik cluster with the connection details that were used by the owner Rubrik cluster.

Prerequisites
• Choose a Rubrik cluster to use as the recovery cluster.
• Determine the type of object storage system used by the owner Rubrik cluster.
• Obtain the access key and the secret key used by the owner Rubrik cluster for the object storage.
• Obtain the hostname or IP address of the object storage system endpoint.
• Obtain the bucket prefix used by the owner Rubrik cluster.
• Obtain the RSA key that was used to encrypt the archival data on the owner Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. Open the ellipsis menu on the page bar and click Connect as Reader.
The Connect as Reader dialog box appears.
5. In Archive Type, select Object Store.
6. In Object Store Vendor, select the object store vendor.
7. In Access Key, type the access key for the object store account.
8. In Secret Key, type the secret key for the object store account.
9. In Host Name, type the resolvable hostname or IP address of the object storage endpoint.
10. In Bucket Prefix, type the prefix that was used for naming the buckets.
11. In Archival Location Name, type the name of the object storage system.
12. In RSA Key, paste the RSA key that was used to encrypt the archival data on the owner Rubrik
cluster. This password must match the encryption password from the owner cluster.
13. Choose the retrieval method.
• Object List Only (Faster)
Retrieves a list of protected objects.
• Object List and Snapshot Details
Retrieves a list of protected objects and the associated snapshot details. This action takes longer to
complete.
14. Click Connect.

Result
The selected Rubrik cluster connects to the object storage system for read-only access and provides access
to disaster recovery.
The recovery Rubrik cluster tests the keys and connection information and, after a successful test, stores
the keys and connection information. A gray border on the dialog box indicates the cluster is in read-only
mode. A rolling bar indicates the cluster is recovering metadata from the object storage system.
Related tasks
Refreshing reader location objects
Use the Rubrik CDM web UI to update a reader cluster with the latest snapshot metadata.

Connecting to an NFS archival location for disaster recovery


To connect another Rubrik cluster to an NFS archival location for disaster recovery, provide the recovery
Rubrik cluster with the connection details that were used by the owner Rubrik cluster.

Prerequisites
• Choose a Rubrik cluster to use as the recovery cluster.
• Obtain the hostname of the NFS share host.
• Obtain the export directory configured in /etc/exports on the NFS share host, or in the Isilon OneFS
UI.
• Obtain the name of the target folder beneath the NFS mount point.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. Open the ellipsis menu on the page bar and click Connect as Reader.
The Connect as Reader dialog box appears.

5. In Archive Type, select NFS.
6. In Host Name, type the resolvable hostname or IP address of the NFS share host.
7. In Export Directory, type the absolute path of the export directory configured in /etc/exports on
the NFS share host, or in the Isilon OneFS UI.
8. In Destination Folder Name, type the name of the target folder beneath the NFS mount point.
Use the folder name, not the full path.
9. In Archival Location Name, type the archival location name.
10. In Encryption Password, type the encryption password. This password must match the encryption
password from the owner cluster.
11. Optional: In File Lock Period in Days, type a positive integer, or 0.
This value sets the Write Once Read Many (WORM) lock on every file that the Rubrik cluster writes to
the archival location. The default value is 0, which specifies no WORM lock.
12. Choose the retrieval method.
• Object List Only (Faster)
Retrieves a list of protected objects.
• Object List and Snapshot Details
Retrieves a list of protected objects and the associated snapshot details. This action takes longer to
complete.
13. Click Connect.

Result
The selected Rubrik cluster connects to the archival location for read-only access and provides access to
disaster recovery.
The recovery Rubrik cluster tests the keys and connection information and, after a successful test, stores
the keys and connection information. A gray border on the dialog box indicates the cluster is in read-only
mode. A rolling bar indicates the cluster is recovering metadata from the archival location.
Related tasks
Refreshing reader location objects
Use the Rubrik CDM web UI to update a reader cluster with the latest snapshot metadata.

Connecting to a tape archival location for disaster recovery


To connect another Rubrik cluster to a QStar tape archival location for disaster recovery, provide the
recovery Rubrik cluster with the connection details that were used by the owner Rubrik cluster.

Prerequisites
• Choose a Rubrik cluster to use as the recovery cluster.
• Obtain the values used on the owner Rubrik cluster for QStar Host Name, QStar Integral Volume Name,
Destination Folder Name, and Encryption Password.
• Obtain the username and password for an account that has permission to mount the specified Integral
Volume set from an external system and to perform read and write operations on the mounted Integral
Volume set.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the gear icon.
The Settings menu appears.
3. Click Archival Locations.
The Archival Locations page appears.

4. Open the ellipsis menu on the page bar and click Connect as Reader.
The Connect as Reader dialog box appears.
5. In Archive Type, select Tape.
6. In QStar Host Name, type the value that was provided on the owner Rubrik cluster.
7. In QStar Host Port, type the port number.
8. In QStar Integral Volume Name, type the name of the Integral Volume set that was provided on
the owner Rubrik cluster.
9. In Destination Folder Name, type a name for the folder that was provided on the owner Rubrik
cluster.
10. In Archival Location Name, type a name for the archival location.
11. In QStar User Name, type the name for the user account that was provided on the owner Rubrik
cluster.
12. In QStar Password, type the password for the user account.
13. In Encryption Password, type the password that was provided on the owner Rubrik cluster.
This password must match the encryption password from the owner cluster.
14. Choose the retrieval method.
• Object List Only (Faster)
Retrieves a list of protected objects.
• Object List and Snapshot Details
Retrieves a list of protected objects and the associated snapshot details. This action takes longer to
complete.
15. Click Connect.

Result
The selected Rubrik cluster connects to the archival location for read-only access and provides access to
disaster recovery.
The recovery Rubrik cluster tests the keys and connection information and, after a successful test, stores
the keys and connection information. A gray border on the dialog box indicates the cluster is in read-only
mode. A rolling bar indicates the cluster is recovering metadata from the archival location.
Related tasks
Refreshing reader location objects
Use the Rubrik CDM web UI to update a reader cluster with the latest snapshot metadata.

Testing disaster recovery using an archival location


Perform tests for disaster recovery from an archival location without affecting the production environment.

Procedure
1. Connect another Rubrik cluster as a reader cluster of the archival location.
2. Recover the archived metadata from the archive target to the reader cluster.
3. Once the metadata recovery is complete, use the reader cluster to download snapshots from the
archival target.

Important: Do not promote the reader cluster.

4. After the initial metadata recovery by the reader cluster, use the owner cluster to upload new
snapshots.
The reader cluster will not display the new snapshots until a metadata refresh occurs.

5. Perform a metadata refresh from the reader cluster to get the most recent view of the location’s
archived metadata.
The refresh captures any snapshots that were created while the metadata was originally synchronized.

Note: The refresh operation can take a long time because the entire archival location must be
scanned for metadata files.

Result
The selected reader cluster displays the new snapshots, confirming the test for disaster recovery.

Advanced settings
Information on advanced settings for Amazon S3, Google Cloud Platform, and Azure archival locations.

Amazon S3

| Setting | Field | Description |
|---|---|---|
| Cloud Compute Settings. When Cloud Compute Settings is configured, the Rubrik cluster launches a Rubrik compute instance in the cloud for CloudOn and archival consolidation features. | Virtual Network ID | Amazon S3 VPC ID |
| | Subnet ID | The IP address of your VPC |
| | Protocol | Displays the supported protocols like HTTP, HTTPS, SOCKS5 |
| | Enable Archive Consolidation | Consolidates the snapshot chain in the archival location |
| Archival Proxy Settings. When Archival Proxy Settings is configured, the Rubrik cluster uses the archival proxy to transfer all data and metadata pertaining to an archival location. | Protocol | Displays the supported protocols like HTTP, HTTPS, SOCKS5. |
| | Proxy Server (IP or FQDN) | IP address of the proxy server |
| | Port Number | Port number associated with the selected protocol appears |
| | Username | Compute proxy server username |
| | Password | Compute proxy server password |
| Compute Proxy Settings. When Compute Proxy Settings is configured, all API calls for instantiating a virtual machine on the archival location are routed over the compute proxy. | Protocol | Displays the supported protocols like HTTP, HTTPS, SOCKS5. |
| | Proxy Server (IP or FQDN) | IP address of the proxy server |
| | Port Number | Port number associated with the selected protocol appears |
| | Username | Compute proxy server username |
| | Password | Compute proxy server password |
| Immutable Archive Settings. When Immutable Archive Settings is configured, an Immutable Archive is created. | Enable Immutable Archive | The Immutability Lock Period field becomes active. This option is only available when creating a new archive. Once enabled, it cannot be disabled. An immutable archival location cannot be reverted to a standard archival location. |
| | Immutability Lock Period (Days) | Period in days to provide immutability for snapshots in the archive. Once this value is set, it can be increased but cannot be decreased. |

Google Cloud Platform

| Setting | Field | Description |
|---|---|---|
| Archival Proxy Settings. When Archival Proxy Settings is configured, the Rubrik cluster uses the archival proxy to transfer all data and metadata pertaining to an archival location. | Protocol | Displays the supported protocols like HTTP, HTTPS, SOCKS5 |
| | Proxy Server (IP or FQDN) | IP address of the proxy server |
| | Port Number | Port number associated with the selected protocol appears |
| | Username | Compute proxy server username |
| | Password | Compute proxy server password |


Azure

| Setting | Field | Description |
|---|---|---|
| Cloud Compute Settings. When Cloud Compute Settings is configured, the Rubrik cluster launches a Rubrik compute instance in the cloud for CloudOn and archival consolidation features. | Import JSON | A JSON text. When the user runs the rkazurecli_cloud_compute.ps1 script, the script generates a JSON output file with the App Id, App Secret Key, Tenant Id, Subscription, Region, General Purpose Storage name, General Purpose Storage Container Name, Resource Group name, Virtual Network ID, Subnet ID, and Security Group name, as described in Configuring Azure Objects. The script is available at the Rubrik Support Portal. The Rubrik cluster imports values from the JSON output file and auto-fills these values on the Rubrik CDM web UI page. |
| | App ID | A unique application ID |
| | App Secret Key | Azure application secret key |
| | Tenant ID | Azure Tenant ID |
| | Subscription | Azure subscription |
| | Region | Region of the cloud compute settings |
| | General Purpose Storage | Azure storage account |
| | General Purpose Storage Container Name | Name of the Azure container that will store the VHDs. The Azure container names must meet the following format: 3-64 characters; lowercase; alphanumeric characters and the dash symbol. |
| | Resource Group | Azure resource group |
| | Virtual Network ID | Virtual Network ID |
| | Subnet ID | IP address of your VPC |
| | Security Group ID | The ID of the VPC for the security group |
| | Enable Archive Consolidation | Consolidates the snapshot chain in the archival location |
| Archival Proxy Settings. When Archival Proxy Settings is configured, the Rubrik cluster uses the archival proxy to transfer all data and metadata pertaining to an archival location. | Protocol | Displays the supported protocols like HTTP, HTTPS, SOCKS5 |
| | Proxy Server (IP or FQDN) | IP address of the proxy server |
| | Port Number | Port number associated with the selected protocol appears |
| | Username | Compute proxy server username |
| | Password | Compute proxy server password |
| Compute Proxy Settings. When Compute Proxy Settings is configured, all API calls for instantiating a virtual machine on the archival location are routed over the compute proxy. | Protocol | Displays the supported protocols like HTTP, HTTPS, SOCKS5. |
| | Proxy Server (IP or FQDN) | IP address of the proxy server |
| | Port Number | Port number associated with the selected protocol appears |
| | Username | Compute proxy server username |
| | Password | Compute proxy server password |
| Immutable Archive Settings. The Cloud Compute Settings for this archival location must be configured before the Immutable Archive can be enabled. | Enable Immutable Archive | The Immutability Lock Period field becomes active. This option is only available when creating a new archive. Once enabled, it cannot be disabled. |
| | Immutability Lock Period (Days) | Period in days to provide immutability for snapshots in the archive. Once this value is set, it can be increased but cannot be decreased. |

Archival lifecycle best practices


This section lists the best practices for archival lifecycle management. Configure these best practices
through the archival platforms.

| Vendor | Notes |
|---|---|
| Amazon Web Services | In the AWS Console, move older objects in the S3-Standard Storage Class to S3-Infrequent Access Storage Class. |
| | Rubrik cluster does not support Lifecycle management to Glacier. |
| | When a snapshot is transitioned from S3-Standard Storage Class to S3-Infrequent Access Storage Class, keep the snapshot in the S3-Infrequent Access Storage Class for a minimum of 30 days to avoid early deletion charges as defined in your SLA Domain retention policy. |
| Microsoft Azure Blob Storage | Through Azure, move older objects from the Hot storage tier to the Cool storage tier. |
| | Rubrik cluster does not support Lifecycle management to the Archival storage tier. |
| | When a snapshot is transitioned from Hot storage tier to Cool storage tier, keep the snapshot in the Cool storage tier for a minimum of 30 days to avoid early deletion charges as defined in your SLA Domain retention policy. |
| Google Cloud Storage | Through GCP, move older objects to Nearline or Coldline storage. |
| | When a snapshot is transitioned to Nearline or Coldline storage, keep the snapshot in the Nearline storage for a minimum of 30 days or Coldline storage for a minimum of 90 days to avoid early deletion charges as defined in your SLA Domain retention policy. |
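
The Amazon Web Services notes above can be checked mechanically before a lifecycle policy is applied to an archival bucket. The following Python sketch is an added example, not code from Rubrik or from this guide: it audits a lifecycle configuration in the shape returned by the S3 GetBucketLifecycleConfiguration API. The rule IDs, the sample configuration, and the retention_days parameter (the archival retention of the SLA Domain, in days) are constructed assumptions, and "Glacier" is read as covering the whole S3 Glacier family.

```python
"""Audit an S3 lifecycle configuration against the AWS archival notes above."""

# Assumption: the guide's "Glacier" is read as all S3 Glacier storage classes.
GLACIER_CLASSES = {"GLACIER", "GLACIER_IR", "DEEP_ARCHIVE"}
SUPPORTED_TARGET = "STANDARD_IA"  # the only transition target the guide describes
MIN_DAYS_IN_IA = 30               # minimum stay in Infrequent Access per the guide

# Constructed sample, shaped like a GetBucketLifecycleConfiguration response.
SAMPLE_CONFIG = {
    "Rules": [
        {"ID": "ia-after-30", "Status": "Enabled", "Filter": {"Prefix": ""},
         "Transitions": [{"Days": 30, "StorageClass": "STANDARD_IA"}]},
        {"ID": "ia-after-75", "Status": "Enabled", "Filter": {"Prefix": ""},
         "Transitions": [{"Days": 75, "StorageClass": "STANDARD_IA"}]},
        {"ID": "to-glacier", "Status": "Enabled", "Filter": {"Prefix": ""},
         "Transitions": [{"Days": 60, "StorageClass": "GLACIER"}]},
        {"ID": "disabled-deep", "Status": "Disabled", "Filter": {"Prefix": ""},
         "Transitions": [{"Days": 10, "StorageClass": "DEEP_ARCHIVE"}]},
    ]
}


def iter_transitions(rule):
    """Yield (days_or_None, storage_class) for current and noncurrent versions."""
    for transition in rule.get("Transitions", []):
        yield transition.get("Days"), transition["StorageClass"]
    for transition in rule.get("NoncurrentVersionTransitions", []):
        yield transition.get("NoncurrentDays"), transition["StorageClass"]


def audit_lifecycle(config, retention_days):
    """Return a list of (rule_id, finding, detail) tuples for enabled rules.

    Assumption: an object's age approximates the age of the archived snapshot,
    so an object moved to Infrequent Access on day N stays there for
    retention_days - N days before the cluster expires it.
    """
    findings = []
    for rule in config.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue  # disabled rules never move objects
        rule_id = rule.get("ID", "<no-id>")
        for days, storage_class in iter_transitions(rule):
            if storage_class in GLACIER_CLASSES:
                # The guide states lifecycle management to Glacier is unsupported.
                findings.append((rule_id, "glacier-transition", storage_class))
            elif storage_class != SUPPORTED_TARGET:
                # The guide only describes Standard to Infrequent Access.
                findings.append((rule_id, "target-not-in-guide", storage_class))
            elif days is None:
                # Date-based transition: the stay in IA cannot be computed here.
                findings.append((rule_id, "date-based-transition", storage_class))
            elif retention_days - days < MIN_DAYS_IN_IA:
                # Objects would be expired before 30 days in IA have passed.
                findings.append((rule_id, "short-ia-stay", retention_days - days))
    return findings


if __name__ == "__main__":
    for finding in audit_lifecycle(SAMPLE_CONFIG, retention_days=90):
        print(finding)
```
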

Archival location removal


Archival locations store data to meet the policies specified by the SLA Domains of the Rubrik cluster.
The tasks for retiring an archival location are:
• Pause the archival location to prevent further uploads of data to the archival location.
• Wait until the archival retention period of every snapshot and backup is exceeded, then delete the
archival location.
When retention of the archival data is not required, the waiting period can be skipped and the archival
location deleted immediately after pausing.

Deleting an archival location


Delete a paused archival location to remove it from the Rubrik cluster. Deleting an archival location
immediately expires all unexpired data that is stored through that paused archival location.

Context
Expired data stored at a deleted archival location cannot be retrieved by the Rubrik cluster. To meet SLA
Domain requirements, wait until the retention periods have expired for any data that is stored in a paused
archival location.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Locations.
The Archival Locations page appears.
4. On the Archival Locations page, on the archival location card of a paused archival location, open the
ellipsis menu.
For paused archival locations, the web UI displays ‘Paused’ in the status section of the archival location
card.
5. Select Delete.
A warning appears.
6. Click Delete.

Result
The Rubrik cluster expires all associated data at the archival location and removes the archival location
from the Rubrik CDM web UI.

Chapter 10
Rubrik Backup Service

Rubrik Backup Service

The Rubrik Backup Service provides enhanced integration with protected resources and host systems.
The Rubrik Backup Service (RBS) software can be downloaded directly from the Rubrik cluster each time
the software is needed or the software can be downloaded once and pushed to hosts as needed. Providing
software directly from the Rubrik cluster enables the Rubrik cluster and a hosted deployment of the Rubrik
Backup Service to reliably authenticate to each other.
Rubrik provides automatic upgrade of the RBS software as part of a general upgrade of the Rubrik CDM
version. After upgrading the Rubrik CDM version, the Rubrik cluster automatically upgrades the RBS
software at the next backup of a protected resource. After a Rubrik cluster is upgraded to Rubrik CDM
version 7.0.1 or newer, it automatically updates the Rubrik Backup Service (RBS) package on up to 50
Linux, Solaris, or AIX hosts that it protects. The update includes the entire RBS package of binaries,
configuration files, and scripts. The maximum number of supported hosts that will receive automatic
package upgrades for RBS is 50 for each supported host type. When a Rubrik cluster protects more than
50 Linux, Solaris, or AIX hosts, complete the task described in Enabling automatic package upgrade for
RBS for AIX, Linux, and Solaris hosts to increase the number of supported hosts that can be automatically
updated.

RBS registration to multiple Rubrik clusters

RBS software provided by a Rubrik cluster running Rubrik CDM version 5.3.1 or newer can register the host
with multiple Rubrik clusters, with one primary Rubrik cluster. Upgrading a Rubrik cluster to run Rubrik
CDM version 5.3.1 or newer does not enable hosts running versions of RBS installed from Rubrik clusters
running older versions of Rubrik CDM to register with multiple Rubrik clusters. Enabling such hosts to
register with multiple Rubrik clusters requires the installation of a version of the RBS software provided by
a Rubrik cluster running Rubrik CDM version 5.3.1 or newer.
The Rubrik cluster that provides the download for the RBS software package installed to the host is the
initial primary Rubrik cluster for that host. Primary Rubrik clusters provide the following functionality that is
not available for secondary Rubrik clusters:
• Communication and backup activity is restricted to the primary Rubrik cluster.
• Secondary Rubrik clusters do not receive updates on host information or status.
Only Rubrik clusters that replicate to or from the primary Rubrik cluster can register as secondary Rubrik
clusters. RBS instances that connect through Envoy virtual machines or that are running on SCVMM cannot
register with multiple Rubrik clusters. Multi-cluster RBS is not supported for replicated Rubrik clusters
configured as Archival Readers.

RBS for Hyper-V without SCVMM

For Hyper-V without SCVMM, the Rubrik cluster uses the same Rubrik Backup Service software that is used
for Windows file system protection.
For failover Rubrik clusters, the connector should be installed on all hosts and each host should be added
to Rubrik individually.

Rubrik Backup Service 05/25/2022 | 271


RBS for Hyper-V with SCVMM

Downloading and installing RBS for Hyper-V hosts with SCVMM requires separate tasks. For SCVMM, use the
tasks described in:
• Downloading RBS for SCVMM hosts
• Installing RBS on an SCVMM host
• Removing RBS from a Windows host
Related Concepts
Rubrik Backup Service account on Windows
The Rubrik Backup Service must run as an account that has local Administrators group privileges on the
Windows Server host.
SQL Server roles and permissions for RBS
To provide SQL Server protection, assign specific roles and permissions to the account used for Rubrik
Backup Service. For some use cases, assign the SQL Server sysadmin role to the account used for Rubrik
Backup Service.
Related Tasks
Downloading the RBS software
Obtain the Rubrik Backup Service software from the web UI of a Rubrik cluster.
Obtaining the RBS software by URL
Obtain the Rubrik Backup Service software directly by URL instead of through the web UI.
Installing RBS on Linux and Unix hosts
Install the Rubrik Backup Service software on Linux and Unix hosts.
Installing RBS on Windows
Install the Rubrik Backup Service software on a computer or virtual machine that is running the Windows
Server operating system.
Automatically deploying RBS
A Rubrik cluster can install and register the Rubrik Backup Service on a supported Windows guest at the
next scheduled or on-demand backup of that Windows guest.
Registering a guest OS install of RBS
After installing the Rubrik Backup Service software on a virtual machine guest OS, register the Rubrik
Backup Service with a Rubrik cluster.
Downloading RBS for SCVMM hosts
Obtain the Rubrik Backup Service software for System Center Virtual Machine Manager hosts from the web
UI of a Rubrik cluster.
Installing RBS on an SCVMM host
Install the Rubrik Backup Service software on an SCVMM host.
Removing RBS from a Linux or Unix host
The Rubrik Backup Service can be removed by using standard package manager commands.
Removing RBS from a Solaris host
Remove the Rubrik Backup Service from a Solaris host.
Removing RBS from a Windows host
Remove the Rubrik Backup Service from a Windows host.
Removing RBS from SAP HANA
Remove the Rubrik Backup Service from a SAP HANA database.

Downloading the RBS software


Obtain the Rubrik Backup Service software from the web UI of a Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Select a host operating system from Servers & Apps.
• Linux & Unix Hosts
• Windows Hosts
The server page for the selected operating system opens. The page includes a button for adding
hosts: Add Windows Hosts for Windows servers or Add Hosts for all other servers.
3. Click the button.
The Add Hosts dialog box appears.
4. Make a choice based on the host operating system.
| Option | Description |
|---|---|
| rpm | Supported Linux distributions that use the RPM package manager. |
| deb | Supported Linux distributions that use the Debian package manager. |
| AIX | AIX 6.1, 7.1, 7.2 |
| Solaris | SPARC 10u11+, SPARC 11.1 SRU 14.5+ or I386: 10, 11.1, 11.2, 11.3 |
| Rubrik Backup Service | Supported Windows distributions. |
A browser-specific dialog box appears to enable saving the package file.
5. Save the file to a temporary location.

Result
The Rubrik CDM web UI downloads the Rubrik Backup Service software.

Next task
Install the Rubrik Backup Service software on the hosts.
Related Concepts
Rubrik Backup Service
The Rubrik Backup Service provides enhanced integration with protected resources and host systems.
Rubrik Backup Service account on Windows
The Rubrik Backup Service must run as an account that has local Administrators group privileges on the
Windows Server host.
Related Tasks
Obtaining the RBS software by URL
Obtain the Rubrik Backup Service software directly by URL instead of through the web UI.
Installing RBS on Linux and Unix hosts
Install the Rubrik Backup Service software on Linux and Unix hosts.
Installing RBS on Windows
Install the Rubrik Backup Service software on a computer or virtual machine that is running the Windows
Server operating system.

Obtaining the RBS software by URL


Obtain the Rubrik Backup Service software directly by URL instead of through the web UI.

Context
The Rubrik Backup Service software can be used only with the Rubrik cluster from which it is obtained.

Procedure
1. Open a web browser.
2. Enter the download URL.
Use the URL that is appropriate for the host operating system:
• https://RubrikCluster/connector/rubrik-agent.x86_64.rpm
• https://RubrikCluster/connector/rubrik-agent.x86_64.deb
• https://RubrikCluster/connector/rubrik-agent-aix6.1.pcc.rpm
• https://RubrikCluster/connector/rubrik-agent-solaris.sparc.tar.gz
• https://RubrikCluster/connector/rubrik-agent-solaris.i386.tar.gz
• https://RubrikCluster/connector/RubrikBackupService.zip
where RubrikCluster is the resolvable hostname or IP address of the Rubrik cluster.
A browser-specific dialog box appears to enable saving the package file.
3. Save the file to a temporary location.

Result
The Rubrik Backup Service software is downloaded.

Next task
Install the Rubrik Backup Service software.
Related Concepts
Rubrik Backup Service
The Rubrik Backup Service provides enhanced integration with protected resources and host systems.
Rubrik Backup Service account on Windows
The Rubrik Backup Service must run as an account that has local Administrators group privileges on the
Windows Server host.
Related Tasks
Downloading the RBS software
Obtain the Rubrik Backup Service software from the web UI of a Rubrik cluster.
Installing RBS on Linux and Unix hosts
Install the Rubrik Backup Service software on Linux and Unix hosts.
Installing RBS on Windows
Install the Rubrik Backup Service software on a computer or virtual machine that is running the Windows
Server operating system.

RBS firewall rules


The firewall on the host must allow communication with the ports used by the Rubrik Backup Service.
The firewall rules on the host must allow traffic through the ports 12800 and 12801 to allow the host to
communicate with the RBS. Registration of the host with the Rubrik cluster will fail if the ports are not
open.

Example: Commands to modify firewall rules on Linux operating systems

sudo firewall-cmd --zone=public --add-port=12800/tcp --permanent
sudo firewall-cmd --zone=public --add-port=12801/tcp --permanent
sudo firewall-cmd --reload
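
Because registration fails when ports 12800 and 12801 are not open, it helps to confirm that the rules exist both in the running firewalld configuration and in the permanent one before registering the host. The following Python sketch is an added example, not part of the guide or of Rubrik software: it parses the output of firewall-cmd --zone=public --list-ports and firewall-cmd --zone=public --permanent --list-ports and reports the state of each RBS port. The sample outputs are constructed, and the check covers explicit port entries only, not ports opened through firewalld services or rich rules.

```python
"""Check firewalld port listings for the RBS ports named in the guide."""
import re

RBS_PORTS = (12800, 12801)  # ports the guide requires the host firewall to allow

# One --list-ports entry: "12800/tcp" or a range such as "12000-13000/tcp".
ENTRY = re.compile(r"(\d+)(?:-(\d+))?/([a-z]+)")

# Constructed sample outputs: the permanent rule for 12801 was added,
# but `firewall-cmd --reload` has not been run yet.
SAMPLE_RUNTIME = "22/tcp 12800/tcp"
SAMPLE_PERMANENT = "22/tcp 12800-12801/tcp"


def parse_ports(output):
    """Turn `firewall-cmd --list-ports` output into (low, high, proto) tuples."""
    entries = []
    for token in output.split():
        match = ENTRY.fullmatch(token.lower())
        if match is None:
            raise ValueError(f"unrecognised port entry: {token!r}")
        low = int(match.group(1))
        high = int(match.group(2) or low)  # single port: range of one
        entries.append((low, high, match.group(3)))
    return entries


def is_open(entries, port, proto="tcp"):
    """True when some entry of the given protocol covers the port."""
    return any(low <= port <= high and p == proto for low, high, p in entries)


def rbs_port_status(runtime_output, permanent_output):
    """Map each RBS port to open, needs-reload, not-persistent, or closed."""
    runtime = parse_ports(runtime_output)
    permanent = parse_ports(permanent_output)
    status = {}
    for port in RBS_PORTS:
        in_runtime = is_open(runtime, port)
        in_permanent = is_open(permanent, port)
        if in_runtime and in_permanent:
            status[port] = "open"
        elif in_permanent:
            status[port] = "needs-reload"    # rule saved but not yet active
        elif in_runtime:
            status[port] = "not-persistent"  # active now, lost on reload or reboot
        else:
            status[port] = "closed"
    return status


if __name__ == "__main__":
    for port, state in rbs_port_status(SAMPLE_RUNTIME, SAMPLE_PERMANENT).items():
        print(port, state)
```
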

Related Tasks
Registering a guest OS install of RBS
After installing the Rubrik Backup Service software on a virtual machine guest OS, register the Rubrik
Backup Service with a Rubrik cluster.

RBS file locations


Rubrik Backup Service logs are useful for determining the root cause of issues. The location of files used
by the Rubrik Backup Service varies by operating system.

| Operating system | File type | File location |
|---|---|---|
| Linux/Unix | Rubrik Backup Agent logs | /var/log/rubrik/agent.log |
| Linux/Unix | Rubrik Backup Service logs | /var/log/rubrik/bootstrap.log |
| Linux/Unix | TLS certificate and key | /etc/rubrik/keys |
| Windows | Rubrik Backup Service logs | C:\ProgramData\Rubrik\Rubrik Backup Service\logs |
| Windows | TLS certificate and key | C:\ProgramData\Rubrik\Rubrik Backup Service |
| Windows | Rubrik Backup Service executable | C:\Program Files\Rubrik\Rubrik Backup Service |

Installing RBS on Linux and Unix hosts


Install the Rubrik Backup Service software on Linux and Unix hosts.

Prerequisites

Copy the most up-to-date Linux version of the Rubrik Backup Service (RBS) software to a temporary
location that is available to the Linux operating system.

Context
This task describes how to install RBS from the command line. RBS can also be push installed on multiple
hosts using automation software such as Puppet or Chef.

Procedure
1. Open a terminal session on the host.
2. Change the working directory to the location of the RBS software package.
3. Use sudo to run the package manager command that is appropriate for the Linux distribution.
If sudo access is unavailable, log in as root to run the package manager command.
• sudo rpm -i rubrik-agent.x86_64.rpm
• sudo dpkg -i rubrik-agent.x86_64.deb
• sudo rpm -ivh rubrik-agent-aix6.1.pcc.rpm
• tar -xvf rubrik-agent-solaris.sparc.tar
cd rubrik-agent-version-sparc/
./install-rubrik

Result
The package manager installs RBS on the Linux host.
An Agent UUID is created for the Rubrik Backup Service during installation. The Agent UUID uniquely
identifies the host as the owner of backups and links it to a snapshot chain once backups are initiated.

Next task
Add the hosts that are running RBS to the Rubrik cluster.
Related Concepts
Rubrik Backup Service
The Rubrik Backup Service provides enhanced integration with protected resources and host systems.
Related Tasks
Downloading the RBS software
Obtain the Rubrik Backup Service software from the web UI of a Rubrik cluster.
Obtaining the RBS software by URL
Obtain the Rubrik Backup Service software directly by URL instead of through the web UI.
Removing RBS from a Linux or Unix host
The Rubrik Backup Service can be removed by using standard package manager commands.
Removing RBS from a Solaris host
Remove the Rubrik Backup Service from a Solaris host.
Related reference
RBS management commands
List of commands to manage RBS on different operating systems.

Rubrik Backup Service account on Windows


The Rubrik Backup Service must run as an account that has local Administrators group privileges on the
Windows Server host.
When first installed, the Rubrik Backup Service runs as a LocalSystem account. A LocalSystem account
includes the privileges that are provided by the local Administrators group.
Instead of running the Rubrik Backup Service as a LocalSystem account, the Rubrik Backup Service can be
configured to run as another account that has local Administrators group privileges on the Windows Server
host. The account can be a local Administrators group account or a domain account with these privileges.
Related Concepts
Rubrik Backup Service
The Rubrik Backup Service provides enhanced integration with protected resources and host systems.
SQL Server roles and permissions for RBS
To provide SQL Server protection, assign specific roles and permissions to the account used for Rubrik
Backup Service. For some use cases, assign the SQL Server sysadmin role to the account used for Rubrik
Backup Service.
Related Tasks
Downloading the RBS software
Obtain the Rubrik Backup Service software from the web UI of a Rubrik cluster.
Obtaining the RBS software by URL
Obtain the Rubrik Backup Service software directly by URL instead of through the web UI.
Installing RBS on Windows
Install the Rubrik Backup Service software on a computer or virtual machine that is running the Windows
Server operating system.
Automatically deploying RBS
A Rubrik cluster can install and register the Rubrik Backup Service on a supported Windows guest at the
next scheduled or on-demand backup of that Windows guest.
Registering a guest OS install of RBS
After installing the Rubrik Backup Service software on a virtual machine guest OS, register the Rubrik
Backup Service with a Rubrik cluster.
Downloading RBS for SCVMM hosts
Obtain the Rubrik Backup Service software for System Center Virtual Machine Manager hosts from the web
UI of a Rubrik cluster.
Installing RBS on an SCVMM host
Install the Rubrik Backup Service software on an SCVMM host.
Removing RBS from a Windows host
Remove the Rubrik Backup Service from a Windows host.
Removing RBS from SAP HANA
Remove the Rubrik Backup Service from a SAP HANA database.

Installing RBS on Windows


Install the Rubrik Backup Service software on a computer or virtual machine that is running the Windows
Server operating system.

Prerequisites

Copy the zip file containing the most up-to-date version of the Rubrik Backup Service (RBS) software to a
temporary location that the Windows Server operating system can access.

Context
This task describes how to manually install RBS on Windows. For a virtual machine running Windows, RBS
can alternatively be automatically installed, as described in Automatically deploying RBS.

Procedure
1. Log in to the Windows operating system.
Use an account that has local Administrators group privileges.
2. Extract the contents of the ZIP file containing the RBS software to a temporary location.
The ZIP file contains the Windows installer package (RubrikBackupService.msi) and the security
certificate that is used for authentication and encryption of all communication with the Rubrik cluster
(backup-agent.crt).
The Windows installer package and the security certificate must be in the same folder on the Windows
Server host during installation of the software.
3. Double-click RubrikBackupService.msi and follow the on-screen instructions.

Result
The Windows installer package installs the RBS software.
An Agent UUID is created for the Rubrik Backup Service during installation. The Agent UUID uniquely
identifies the host as the owner of backups and links it to a snapshot chain once backups are initiated.

Next task
Add computers that have RBS to the Rubrik cluster.
Related Concepts
Rubrik Backup Service
The Rubrik Backup Service provides enhanced integration with protected resources and host systems.
Rubrik Backup Service account on Windows
The Rubrik Backup Service must run as an account that has local Administrators group privileges on the
Windows Server host.
SQL Server roles and permissions for RBS
To provide SQL Server protection, assign specific roles and permissions to the account used for Rubrik
Backup Service. For some use cases, assign the SQL Server sysadmin role to the account used for Rubrik
Backup Service.
Related Tasks
Downloading the RBS software
Obtain the Rubrik Backup Service software from the web UI of a Rubrik cluster.
Obtaining the RBS software by URL
Obtain the Rubrik Backup Service software directly by URL instead of through the web UI.
Automatically deploying RBS
A Rubrik cluster can install and register the Rubrik Backup Service on a supported Windows guest at the
next scheduled or on-demand backup of that Windows guest.
Registering a guest OS install of RBS
After installing the Rubrik Backup Service software on a virtual machine guest OS, register the Rubrik
Backup Service with a Rubrik cluster.
Downloading RBS for SCVMM hosts
Obtain the Rubrik Backup Service software for System Center Virtual Machine Manager hosts from the web
UI of a Rubrik cluster.
Installing RBS on an SCVMM host
Install the Rubrik Backup Service software on an SCVMM host.
Removing RBS from a Windows host
Remove the Rubrik Backup Service from a Windows host.
Removing RBS from SAP HANA
Remove the Rubrik Backup Service from a SAP HANA database.

SQL Server roles and permissions for RBS


To provide SQL Server protection, assign specific roles and permissions to the account used for Rubrik
Backup Service. For some use cases, assign the SQL Server sysadmin role to the account used for Rubrik
Backup Service.
For general protection of SQL Server databases, assign specific server-level and database-level roles and
permissions to the account that runs Rubrik Backup Service (RBS). The following table describes these
specific role and permission requirements.

Level           Roles and permissions     Required?  Purpose
Server-level    • dbcreator               Yes        Restore databases.
                • ALTER ANY DATABASE
Server-level    • VIEW SERVER STATE       Yes        Collect metadata.
                • VIEW ANY DEFINITION
Database-level  db_backupoperator         Yes        Backup databases.
Database-level  db_denydatareader         No         Prevent reading data within tables.

To prevent RBS from reading data within database tables, assign the role db_denydatareader.

Important: Do not assign db_denydatareader to RBS for the master database or the msdb database.

Assign the sysadmin role to RBS to allow automatic discovery and protection of new databases without
database administrator interaction. Assign the sysadmin role to RBS to enable protection when using the
Virtual Device Interface (VDI) API.
The following examples show the assignment of some of the required roles and permissions in Microsoft
SQL Server Management Studio. Also shown is the assignment of the ‘VIEW SERVER STATE’ and ‘ALTER
ANY DATABASE’ permissions, which are required for the account used by the Rubrik Backup Service.

Example: Assigning server-level roles and database-level roles

Example: Assigning additional permissions
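
The same assignments expressed in T-SQL, as an added example that is not part of the Rubrik guide: it grants only the roles and permissions in the table above, skips db_denydatareader for master and msdb, and then reports whether the login holds sysadmin. Assumptions: EXAMPLE\svc-rbs is a placeholder for the account that runs RBS, the instance is SQL Server 2012 or later, and applying the database-level roles to every online, writable database except tempdb is a choice made for this example.

```sql
-- Added example, not from the Rubrik guide.
-- EXAMPLE\svc-rbs is a placeholder for the Windows account that runs RBS.
-- Assumes SQL Server 2012 or later (ALTER SERVER ROLE / ALTER ROLE ... ADD MEMBER).
USE master;  -- server-level permissions can only be granted from master

DECLARE @login      sysname       = N'EXAMPLE\svc-rbs';
DECLARE @deny_reads bit           = 1;  -- optional db_denydatareader row of the table
DECLARE @q          nvarchar(258) = QUOTENAME(@login);
DECLARE @sql        nvarchar(max);
DECLARE @db         sysname;

-- Create the login only if it does not exist yet.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @login)
BEGIN
    SET @sql = N'CREATE LOGIN ' + @q + N' FROM WINDOWS;';
    EXEC sys.sp_executesql @sql;
END;

-- Server-level rows: restore databases and collect metadata.
SET @sql = N'ALTER SERVER ROLE dbcreator ADD MEMBER ' + @q + N';'
         + N' GRANT ALTER ANY DATABASE TO '  + @q + N';'
         + N' GRANT VIEW SERVER STATE TO '   + @q + N';'
         + N' GRANT VIEW ANY DEFINITION TO ' + @q + N';';
EXEC sys.sp_executesql @sql;

-- Database-level rows, applied per database.
-- Assumption: every online, writable database except tempdb is in scope.
DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE state_desc = N'ONLINE'
      AND is_read_only = 0
      AND name <> N'tempdb';

OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@db) + N';'
             + N' IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @name)'
             + N' CREATE USER ' + @q + N' FOR LOGIN ' + @q + N';'
             + N' ALTER ROLE db_backupoperator ADD MEMBER ' + @q + N';';

    -- The guide warns against db_denydatareader on master and msdb.
    IF @deny_reads = 1 AND @db NOT IN (N'master', N'msdb')
        SET @sql += N' ALTER ROLE db_denydatareader ADD MEMBER ' + @q + N';';

    EXEC sys.sp_executesql @sql, N'@name sysname', @name = @login;
    FETCH NEXT FROM db_cur INTO @db;
END;
CLOSE db_cur;
DEALLOCATE db_cur;

-- Review: a value of 1 here means the login also holds sysadmin, which
-- overrides the narrower grants made above.
SELECT IS_SRVROLEMEMBER(N'sysadmin', @login) AS holds_sysadmin;

-- Review: explicit server-level permissions held by the login.
SELECT pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = @login;
```

Databases created after the script runs are not covered until it is run again; the guide's sysadmin option exists for automatic discovery and protection of new databases.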

Automatically deploying RBS


A Rubrik cluster can install and register the Rubrik Backup Service on a supported Windows guest at the
next scheduled or on-demand backup of that Windows guest.

Context
After successfully installing the Rubrik Backup Service (RBS) on the Windows guest, all subsequent
snapshots of the Windows guest use RBS to enable the Rubrik cluster to use the Windows Volume Shadow
Copy Service (VSS).

Procedure
1. Disable the Windows ‘Admin Approval Mode’ setting on each Windows guest.
Refer to Microsoft documentation for information on how to disable the Admin Approval Mode setting.
2. Log in to the Rubrik CDM web UI using the admin account.
3. Click the gear icon.
4. Click Guest OS Settings.
The Guest OS Settings page opens, with the Guest OS Credentials tab selected.
5. Click the + icon.
The Add Guest OS Credentials dialog box appears.
6. Add a credential.
The credential must provide local Administrators group privileges on each Windows guest. These
privileges can be provided by one credential or by several separate credentials.
Multiple credentials can be added by clicking + on the dialog box. The Rubrik cluster tries each
credential to gain access.
7. Click Add.
8. Select Connector Settings.
The Connector Settings tab opens.
9. In Rubrik Connector Deployment, select Automatic.
10. Click Update.

Result
The Rubrik cluster stores the credential information. For each qualifying Windows guest, the Rubrik cluster
installs and registers RBS on the Windows guest the next time a policy-based or on-demand snapshot is
initiated.
Related Concepts
Rubrik Backup Service
The Rubrik Backup Service provides enhanced integration with protected resources and host systems.
Rubrik Backup Service account on Windows
The Rubrik Backup Service must run as an account that has local Administrators group privileges on the
Windows Server host.
Related Tasks
Downloading the RBS software
Obtain the Rubrik Backup Service software from the web UI of a Rubrik cluster.
Obtaining the RBS software by URL
Obtain the Rubrik Backup Service software directly by URL instead of through the web UI.
Installing RBS on Windows
Install the Rubrik Backup Service software on a computer or virtual machine that is running the Windows
Server operating system.
Automatically deploying RBS
A Rubrik cluster can install and register the Rubrik Backup Service on a supported Windows guest at the
next scheduled or on-demand backup of that Windows guest.
Registering a guest OS install of RBS
After installing the Rubrik Backup Service software on a virtual machine guest OS, register the Rubrik
Backup Service with a Rubrik cluster.
Downloading RBS for SCVMM hosts
Obtain the Rubrik Backup Service software for System Center Virtual Machine Manager hosts from the web
UI of a Rubrik cluster.
Installing RBS on an SCVMM host
Install the Rubrik Backup Service software on an SCVMM host.
Removing RBS from a Windows host
Remove the Rubrik Backup Service from a Windows host.
Removing RBS from SAP HANA
Remove the Rubrik Backup Service from a SAP HANA database.

Rubrik Backup Service status


The RBS Status column provides information about the status of the Rubrik Backup Service.
The steps to navigate to the page with the RBS Status column depend on the type of object.

Option                           Description
vSphere and AHV VMs              1. Click Virtual Machines.
                                 2. Click AHV VMs or vSphere VMs.
Hyper-V                          1. Click Virtual Machines.
                                 2. Click Hyper-V VMs.
                                 3. Click Hosts and Cluster.
Oracle DB and SQL Server DBs     1. Click Servers & Apps.
                                 2. Click Oracle DB or SQL Server DBs.
                                 3. Click Hosts/Clusters.
Linux, UNIX, and Windows Hosts   1. Click Servers & Apps.
                                 2. Click Linux & Unix Hosts or Windows Hosts.

View the agent status in the RBS Status column. The following table provides information about RBS
status.

Protected Object                 Status reported
vSphere and AHV                  • Connected – A connection is established between the Rubrik cluster and RBS.
                                 • Disconnected – A connection is broken between the Rubrik cluster and RBS.
                                 • Unregistered – A connection has never been attempted between the Rubrik
                                   cluster and RBS.
Hyper-V (Hosts and Clusters)     • Connected – A connection is established between the Rubrik cluster and RBS.
                                 • Disconnected – A connection is broken between the Rubrik cluster and RBS.
                                 • Partially Connected – Not all hosts or VMs of the cluster are connected
                                   with the Rubrik cluster.
Oracle DB, and SQL Server        • Connected – A connection is established between the Rubrik cluster and RBS.
                                 • Disconnected – A connection is broken between the Rubrik cluster and RBS.
Linux, UNIX, and Windows Hosts   • Connected – Agent is connected to the virtual machine.
                                 • Disconnected – Agent is disconnected from the virtual machine.

Select an option from the Filter RBS Status drop-down menu to view the agents with that status. The
statuses for the protected objects are:
• vSphere and AHV – Connected, Disconnected, and Unregistered
• Hyper-V – Connected, Disconnected, and Partially Connected
• Oracle DB, and SQL Server – Connected and Disconnected
• Linux, UNIX, and Windows Hosts – Connected and Disconnected
Related Tasks
Registering a guest OS install of RBS
After installing the Rubrik Backup Service software on a virtual machine guest OS, register the Rubrik
Backup Service with a Rubrik cluster.
Installing RBS on Linux and Unix hosts
Install the Rubrik Backup Service software on Linux and Unix hosts.
Installing RBS on Windows
Install the Rubrik Backup Service software on a computer or virtual machine that is running the Windows
Server operating system.
Installing RBS on an SCVMM host
Install the Rubrik Backup Service software on an SCVMM host.

Reinstallation of RBS on the host


When RBS is reinstalled on the host, this could generate a new host certificate and agent UUID, and as a
result, the Rubrik cluster will not identify the host.
During the Rubrik Backup Service (RBS) installation, a host certificate and agent universally unique
identifier (UUID) are created for RBS. The agent UUID uniquely identifies the host as the owner of backups
and links it to a snapshot chain once backups are initiated.
When RBS is reinstalled on the host, this could generate a new host certificate and agent UUID. A new
host certificate will fail the verification that is done before connecting to the host for features such as
backups, and a new agent UUID will not reflect the fact that the host had snapshots prior to reinstalling
the Rubrik Backup Service.
When a new host certificate and agent UUID are generated, the Rubrik cluster will not identify the host.
The host will appear to be disconnected in the web UI and backups will fail with the following error
message: Failed to verify host ${hostName}because the host certificate changed. The IP
address-to-agent-UUID pairing must be restored by updating the host in the Rubrik web UI.

Note: Removing the original host from the Rubrik web UI will cause all existing backups to become relics.
This will not void restore options but may not be optimal.

Related Tasks
Reconnecting a host and retaining existing backups on reinstallation
Reconnect a Windows or Linux host after reinstallation, update the certificate, and link existing backups to
the host.

Reconnecting a host and retaining existing backups on reinstallation


Reconnect a Windows or Linux host after reinstallation, update the certificate, and link existing backups to
the host.

Context
When a new host certificate and agent UUID are generated on RBS reinstallation, the Rubrik cluster will
not identify the host. Hence, the host will appear to be disconnected in the web UI and backups will fail
with an error message. To address this, the IP address-to-agent-UUID pairing will need to be restored by
updating the host in the Rubrik web UI.

Note: Do not remove the original host from the Rubrik web UI. This will cause all existing backups to
become relics. This will not void restore options but may not be optimal.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Select a host operating system from Servers & Apps.
• Linux & Unix Hosts
• Windows Hosts
The server page for the selected operating system opens, displaying a button for adding hosts: Add
Windows Hosts for Windows servers or Add Hosts for all other servers.
3. Click the button.
The Add Hosts dialog box appears.
4. Enter the hostname/IP address and click Add.
The status changes to Connected.
5. If the connection displays a Disconnected status at this point, complete the next steps to provide an
updated host certificate.
6. Navigate to the server page for the selected operating system and select the host.
7. Click on the ellipsis menu on the top right and click Edit.
The Edit Host window opens.
8. Turn on the Update Certificate toggle.
9. Click Update.

Result
The status changes to Connected.
Related Concepts
Reinstallation of RBS on the host
When RBS is reinstalled on the host, this could generate a new host certificate and agent UUID, and as a
result, the Rubrik cluster will not identify the host.

Connecting the Rubrik cluster to RBS on a cloned Linux or Unix host


Connect the Rubrik cluster to RBS on a cloned Linux or Unix host with RBS installed.

Context
When a duplicate host is created, it will have RBS installed with the same agent identity (UUID). Adding
the new host to the same Rubrik cluster as the parent host will fail, displaying an error message about
conflicting identities.

Procedure
1. Open a terminal session on the host.
2. Use the following command to stop RBS on the host:
sudo service rubrikagents stop
3. Use this command to move the file that stores the agent ID to a temporary folder:
sudo mv /etc/rubrik/conf/uuid /tmp/uuid
4. Use this command to start the agent:
sudo service rubrikagents start
This should generate a new agent UUID.
5. Log in to the Rubrik CDM web UI.
6. From Servers & Apps, select Linux & Unix Hosts.
The server page for the selected operating system opens, displaying a button for adding hosts.
7. Click Add Hosts.
The Add Hosts dialog box appears.
8. Enter the hostname/IP address and click Add.
The RBS status shows as Connected.
9. Use the following command to delete the file that stores the agent ID:
sudo rm /tmp/uuid

Result
The Rubrik cluster is now connected to RBS on a cloned Linux or Unix host.

Connecting the Rubrik cluster to RBS on a cloned Windows host


Connect the Rubrik cluster to RBS on a cloned Windows host with RBS installed.

Context
When a duplicate host is created, it will have RBS installed with the same agent identity. Adding the new
host to the same Rubrik cluster as the parent host will fail, displaying an error message about conflicting
identities.

Procedure
1. Log in to the Windows operating system.
Use an account that has local Administrators group privileges.
2. Stop the Rubrik Backup Service. The agent can be stopped from the Windows Services list.
3. Move the agent ID from the following location to a temporary location:
HKEY_LOCAL_MACHINE\SOFTWARE\Rubrik Inc.\Backup Service
The agent ID is enclosed in a set of braces and is stored under the name Backup Agent ID. For
example: {c0c3d441-f3de-4b50-a703-b614b8eb1e6f}.
4. Start the Rubrik Backup Agent Service.
The agent can be started from the Windows Services list.
This should generate a new agent UUID.
5. Log in to the Rubrik CDM web UI.
6. From Servers & Apps, select Windows Hosts.
The server page for the selected operating system opens, displaying a button for adding hosts.
7. Click Add Hosts.
The Add Hosts dialog box appears.
8. Enter the hostname/IP address and click Add.
The RBS status shows as Connected.
9. Remove the agent ID from the temporary location where it had been stored.

Result
The RBS status should display as Connected.

Registering a guest OS install of RBS
After installing the Rubrik Backup Service software on a virtual machine guest OS, register the Rubrik
Backup Service with a Rubrik cluster.

Prerequisites
1. Install the RBS software on the guest OS.
2. Modify firewall rules on the guest host to open ports 12800 and 12801 for communication with RBS.

Context
Registering RBS on the guest allows a Rubrik cluster to manage data on the guest.

Procedure
1. In the Rubrik CDM web UI, on the left-side menu, click Virtual Machines and then click the label for
the type of hypervisor that supports the virtual machine.
• vSphere VMs
• AHV VMs
• Hyper-V VMs
2. Click the name of a virtual machine.
The local host page for the selected virtual machine appears.
3. Open the ellipsis menu, and select Register Rubrik Backup Service.
The Register Rubrik Backup Service modal appears.
4. Click Register.

Result
The Rubrik cluster establishes an authenticated and secure connection with RBS on the specified virtual
machine.
Related Concepts
Rubrik Backup Service
The Rubrik Backup Service provides enhanced integration with protected resources and host systems.
Rubrik Backup Service account on Windows
The Rubrik Backup Service must run as an account that has local Administrators group privileges on the
Windows Server host.
RBS firewall rules
The firewall on the host must allow communication with the ports used by the Rubrik Backup Service.
Related Tasks
Downloading the RBS software
Obtain the Rubrik Backup Service software from the web UI of a Rubrik cluster.
Obtaining the RBS software by URL
Obtain the Rubrik Backup Service software directly by URL instead of through the web UI.
Installing RBS on Linux and Unix hosts
Install the Rubrik Backup Service software on Linux and Unix hosts.
Installing RBS on Windows
Install the Rubrik Backup Service software on a computer or virtual machine that is running the Windows
Server operating system.
Automatically deploying RBS
A Rubrik cluster can install and register the Rubrik Backup Service on a supported Windows guest at the
next scheduled or on-demand backup of that Windows guest.
Removing RBS from a Linux or Unix host
The Rubrik Backup Service can be removed by using standard package manager commands.
Removing RBS from a Windows host
Remove the Rubrik Backup Service from a Windows host.

Changing the primary Rubrik cluster for RBS


When the Rubrik Backup Service installed on a host is registered with multiple Rubrik clusters, use the web
UI to promote a secondary Rubrik cluster to primary.

Procedure
1. Log in to the Rubrik CDM web UI for a Rubrik cluster registered as a secondary cluster for a host.
2. Choose a host type.
• vSphere virtual machines
• Linux or UNIX hosts
• Windows hosts
The main page for the selected host type appears, listing the hosts of that type that are registered
with the Rubrik cluster.
3. Select a host with the Rubrik Backup Service (RBS) status Connected as Secondary.
Enter a string in the Search by name field to filter by the string. Filters for fileset name, SLA Domain,
and RBS status are at the top right of the list.
4. From the ellipsis menu, select Make Primary.

Result
The Rubrik cluster becomes the primary RBS cluster for the selected host.

Downloading RBS for SCVMM hosts


Obtain the Rubrik Backup Service software for System Center Virtual Machine Manager hosts from the web
UI of a Rubrik cluster.

Context
When SCVMM servers are already available, this task is not needed.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click SCVMM Servers.
4. Click Add SCVMM Servers.
The Add SCVMM Server dialog box appears.
5. Click the Rubrik Backup Service link in the first sentence.
The RubrikBackupServiceForScvmm.zip file downloads.

Result
The Rubrik CDM web UI downloads the Rubrik Backup Service software for SCVMM hosts.

Next task
Install the RBS software on SCVMM hosts.
Related Concepts
Rubrik Backup Service
The Rubrik Backup Service provides enhanced integration with protected resources and host systems.
Related Tasks
Installing RBS on an SCVMM host
Install the Rubrik Backup Service software on an SCVMM host.
Removing RBS from a Windows host
Remove the Rubrik Backup Service from a Windows host.

Installing RBS on an SCVMM host


Install the Rubrik Backup Service software on an SCVMM host.

Prerequisites
Download the RubrikBackupServiceForScvmm.zip file as described in Downloading RBS for SCVMM
hosts.

Procedure
1. Copy RubrikBackupServiceForScvmm.zip to a temporary directory on the Windows host.
2. Extract the files from the ZIP file.
The ZIP file contains four files:
• RubrikBackupService.msi, a Windows Installer Package.
• backup-agent.crt, a security certificate for the Rubrik Backup Service.
• scvmm_deploy_agent.crt, the Rubrik service that installs the Rubrik backup software agent on
hosts associated with SCVMM.
• ScvmmReadMe.txt, a readme file for installation of the Rubrik backup software agent on the
SCVMM host.
When installing the Rubrik Backup Service software, the security certificate file must be in the same
folder as the Windows Installer Package.
3. Log in with a user account that has local Administrators group privileges.
4. Run the Windows Installer Package, RubrikBackupService.msi.
The Windows Installer Package installs the Rubrik Backup Service software and incorporates the
security certificate into the installation.
5. Create a folder named RubrikBackupService.cr on a host that can access the virtual machine
manager console.
6. Copy the .msi, .crt, and .cmd files to the RubrikBackup.cr folder.
7. Open the SCVMM console.
8. Navigate to Library > Library Servers > MSSCVMMLibrary > ApplicationFrameworks.
9. Right-click on ApplicationFrameworks and select Explore.
10. Copy the RubrikBackupService.msi folder and paste it into ApplicationFrameworks.
11. Right-click on ApplicationFrameworks and select Refresh.
12. Confirm RubrikBackupService.msi is listed as a custom resource.

Result
The Rubrik Backup Service software is installed on the SCVMM host.
Related Concepts
Rubrik Backup Service
The Rubrik Backup Service provides enhanced integration with protected resources and host systems.
Related Tasks
Downloading RBS for SCVMM hosts
Obtain the Rubrik Backup Service software for System Center Virtual Machine Manager hosts from the web
UI of a Rubrik cluster.
Removing RBS from a Windows host
Remove the Rubrik Backup Service from a Windows host.

Determine when RBS is running on a Windows system


View the status of RBS on a Windows system.

Procedure
1. Open the Service pane.
2. Scroll to the Rubrik listing.
3. View the status of Rubrik RBS in the Status column.
RBS should have a status of Running. Any other status indicates that RBS is not functioning as
required on that Windows system.

Result
The Windows system displays the Rubrik Backup Service status.

Determine when RBS is running on a non-Windows system


View the status of RBS on a non-Windows system. The method depends on which platform is running.
Open a shell session on the RBS host computer and run the appropriate command.

Platform       Command                                  Output if RBS is running
Ubuntu 16      service --status-all | grep rubrik       Ubuntu displays a [+] sign for running services, and a [-] sign
                                                        for stopped services.
CentOS         service --status-all | grep rubrik       CentOS shows a status of UP for backup_agent_main and
                                                        bootstrap_agent_main.
RHEL           service --status-all | grep rubrik       RHEL shows a status of UP for backup_agent_main and
                                                        bootstrap_agent_main.
SUSE           service --status-all | grep rubrik       SUSE displays a message from the LSB indicating the Rubrik
                                                        bootstrap and backup agents are started.
Oracle Linux   service --status-all | grep rubrik       Oracle Linux shows a status of UP for backup_agent_main and
                                                        bootstrap_agent_main.
AIX            ps -ef | grep rubrik | grep agent_main   AIX shows the backup_agent_main and bootstrap_agent_main agents
                                                        running, along with information about their ports and private
                                                        key encryption.
Solaris        svcs -p rubrik_backup                    Solaris shows the rubrik_backup and rubrik_bootstrap agents have
                                                        a state of online.

Removing RBS from a Linux or Unix host


The Rubrik Backup Service can be removed by using standard package manager commands.

Procedure
1. Open a terminal session on the host.
2. Use sudo to run the package manager command that is appropriate for the Linux or AIX distribution
and downloaded package type.
If sudo access is unavailable, log in as root to run the package manager command.
• sudo rpm -e rubrik-agent
• sudo dpkg -P rubrik-agent

Result
The package manager removes RBS. Removing RBS from a host also removes the connection between the
host and the Rubrik cluster. The Rubrik cluster designates any retained backups or snapshots as relics.

Next task
Use the Snapshot Management page to manually manage these relics, as described in Retention
management.
Related Concepts
Rubrik Backup Service
The Rubrik Backup Service provides enhanced integration with protected resources and host systems.
Related Tasks
Downloading the RBS software
Obtain the Rubrik Backup Service software from the web UI of a Rubrik cluster.
Obtaining the RBS software by URL
Obtain the Rubrik Backup Service software directly by URL instead of through the web UI.
Installing RBS on Linux and Unix hosts
Install the Rubrik Backup Service software on Linux and Unix hosts.

Removing RBS from a Solaris host


Remove the Rubrik Backup Service from a Solaris host.

Procedure
1. Log in to the Solaris host.
2. Using sudo, run the package remove command.
If sudo access is unavailable, log in as root to run the package remove command.

sudo pkgrm RBKagnt

Type y at each pkgrm question during the removal process.


The pkgrm command performs the following tasks:
• Stops the bootstrap and backup agent services.
• Removes the bootstrap and backup services subsystem definition from the subsystem object class.
• Removes the cron tab entries from the system.
The pkgrm command does not delete generated files.
3. Optional: Remove files generated by RBS.
Remove all files, except /etc/rubrik/conf/uuid, from the following folders and subfolders:
• /usr/bin/rubrik
• /etc/rubrik
Leave /etc/rubrik/conf/uuid so that RBS will run with the same UUID if it is reinstalled.

Result
The pkgrm command removes RBS from the Solaris host. Removing RBS from a host also removes the
connection between the host and the Rubrik cluster. The Rubrik cluster designates any retained backups or
snapshots as relics.

Next task
Use the Snapshot Management page to manually manage the relics, as described in Retention
management.
Related Concepts
Rubrik Backup Service
The Rubrik Backup Service provides enhanced integration with protected resources and host systems.
Related Tasks
Downloading the RBS software
Obtain the Rubrik Backup Service software from the web UI of a Rubrik cluster.
Obtaining the RBS software by URL
Obtain the Rubrik Backup Service software directly by URL instead of through the web UI.
Installing RBS on Linux and Unix hosts
Install the Rubrik Backup Service software on Linux and Unix hosts.

Removing RBS from a Windows host


Remove the Rubrik Backup Service from a Windows host.

Procedure
1. Log in to the Windows host using an account with local administrator privileges.
2. Right-click the Windows logo key and select Run.
The Run dialog box appears.
3. Type appwiz.cpl, and click OK.
The Windows Uninstall dialog box appears.
4. Right-click Rubrik Backup Service.
5. Click Uninstall/Change.
6. Follow the prompts.

Result
RBS is removed from the Windows host. Removing RBS from a Windows host also removes the connection
between the Windows host and the Rubrik cluster. The Rubrik cluster designates any retained backups or
snapshots as relics.

Next task
Use the Snapshot Management page to manually manage the relics, as described in Retention
management.
Related Concepts
Rubrik Backup Service
The Rubrik Backup Service provides enhanced integration with protected resources and host systems.
Rubrik Backup Service account on Windows
The Rubrik Backup Service must run as an account that has local Administrators group privileges on the
Windows Server host.
Related Tasks
Downloading the RBS software
Obtain the Rubrik Backup Service software from the web UI of a Rubrik cluster.
Obtaining the RBS software by URL
Obtain the Rubrik Backup Service software directly by URL instead of through the web UI.
Installing RBS on Windows
Install the Rubrik Backup Service software on a computer or virtual machine that is running the Windows
Server operating system.

Removing RBS from SAP HANA


Remove the Rubrik Backup Service from a SAP HANA database.

Procedure
1. Run sap_hana_bootstrap_main from the /usr/bin/rubrik/sap_hana directory.
2. Type the password for the System DB user and press Enter.
3. The Port number of System database (for example, 30113) prompt appears.
4. Type the port for the System database and press Enter.
5. The Enter HANA SID prompt appears.
6. Type the HANA SID, a three character ID, and press Enter.
The Enter Rubrik prefix prompt appears.
7. Type the Rubrik prefix and press Enter.
Use the same Rubrik prefix that was specified when running sap_hana_bootstrap_main. The
Rubrik prefix, or SAP HANA SID, is an ID that is unique for all SAP HANA instances on a Rubrik cluster.
This value is used to distinguish Managed Volumes on a Rubrik cluster when there are multiple SAP
HANA instances with the same SID and which contain databases with the same names.
A series of prompts appears.
8. At the prompt, press 3 to select Uninstall Rubrik (Press 3).

Result
The package manager removes the Rubrik Backup Service software from the SAP HANA database.

Next task
After removing the Rubrik Backup Service Software, SAP HANA backups are still present on the Rubrik
cluster and SAP HANA instances can be recovered from these backups. To remove the previous backups,
remove the corresponding managed volumes.
Related Concepts
Rubrik Backup Service
The Rubrik Backup Service provides enhanced integration with protected resources and host systems.
Rubrik Backup Service for SAP HANA
Install and configure the Rubrik Backup Service on a SAP HANA host to allow backup and restore of SAP
HANA databases.
Related Tasks
Downloading the RBS software
Obtain the Rubrik Backup Service software from the web UI of a Rubrik cluster.
Obtaining the RBS software by URL
Obtain the Rubrik Backup Service software directly by URL instead of through the web UI.
Installing RBS on Linux and Unix hosts
Install the Rubrik Backup Service software on Linux and Unix hosts.

RBS management commands


List of commands to manage RBS on different operating systems.

Operating system type   Management commands
Linux                   • service rubrikagents start
                        • service rubrikagents stop
                        • service rubrikagents restart
                        • service rubrikagents status
AIX                     • startsrc -s rubrik_backup -e 'LDR_CNTRL=MAXDATA=0X60000000'
                        • stopsrc -s rubrik_backup
                        • refresh -s rubrik_backup
                        • lssrc -s rubrik_backup
Solaris                 • svcadm enable rubrik_backup
                        • svcadm disable rubrik_backup
                        • svcadm restart rubrik_backup
                        • svcs -p rubrik_backup

Enabling automatic package upgrade for RBS for AIX, Linux, and Solaris hosts
Enable automatic package upgrades for Rubrik Backup Service on all AIX, Linux, and Solaris hosts
protected by a Rubrik cluster.

Context
After a Rubrik cluster is upgraded to Rubrik CDM version 7.0.1 or newer, it automatically updates the
Rubrik Backup Service (RBS) package on up to 50 Linux, Solaris, or AIX hosts that it protects. The update
includes the entire RBS package of binaries, configuration files, and scripts. The maximum number of
supported hosts that will receive automatic package upgrades for RBS is 50 for each supported host type.
When a Rubrik cluster protects more than 50 Linux, Solaris, or AIX hosts, complete this task to increase
the number of hosts that can be automatically updated.

Procedure
1. As admin, open an SSH session on the Rubrik cluster.
2. Run a Rubrik tool configuration update command.
At the prompt, type:

cluster rubrik_tool update_config infinity BackupAgentPkgUpgradeMaxHostLimit 2147483647

The integer value 2147483647 is the maximum number of supported host types that can be
automatically updated.
3. Optional: To confirm the change, run the following Rubrik tool command.
At the prompt, type:

cluster rubrik_tool get_config infinity BackupAgentPkgUpgradeMaxHostLimitnumber

The tool displays the current value for the maximum number of supported hosts that will receive
automatic RBS updates.

Result
All supported hosts protected by the Rubrik cluster will now receive automatic RBS updates when the
cluster is upgraded.



Chapter 11
Hyper-V virtual machines


A Rubrik cluster provides data management and protection for virtual machines that are deployed in
a Microsoft Hyper-V environment. The Rubrik cluster can manage and protect virtual machines in an
environment with multiple Hyper-V servers and virtual machines.
Rubrik invokes the Windows Management Instrumentation (WMI) APIs to communicate with the hypervisor
directly for a first full and forever incremental set of backups via Resilient Change Tracking (RCT). Data is
ingested over the SMB protocol to the Rubrik cluster in a secure manner. There is no requirement to have
SCVMM installed in your environment.
SLA policies can be applied anywhere in the hierarchy stack: the SCVMM host, the cluster, host, or virtual
machine levels. The Rubrik cluster provides a variety of methods to recover virtual machines and to restore
protected data. Recover virtual machines and restore data by using local snapshots, replicas, and archived
snapshots.
Rubrik supports any Hyper-V based Windows or Linux virtual machines using the Rubrik Backup Service.
The Rubrik Backup Service is a connector that self manages after initial deployment.
Hyper-V host refers to a Windows Server with the Hyper-V role installed.

Virtual machine protection


Rubrik clusters can protect virtual machines based on a direct assignment to an SLA Domain or based on
inheritance.
A Rubrik cluster provides protection for virtual machines through either individual assignment of the virtual
machine to an SLA Domain or through automatic protection. Automatic protection occurs when the virtual
machine derives the SLA Domain assignment of a containing folder, cluster, or host.
The Rubrik cluster provides flexibility in the protection assignments made for virtual machines. Virtual
machines that are protected by individual assignment can be set to Do Not Protect or can be set to inherit
a protection setting.
An individual virtual machine that is part of a group of virtual machines being automatically protected can
be set to Do Not Protect without moving the virtual machine out of the group.

Automatic protection
A Rubrik cluster provides automatic protection of virtual machines through inheritance of the SLA Domain
assigned to a parent object.
Rubrik clusters support three Hyper-V hierarchies for protection:
• Hyper-V SCVMM > Hyper-V Cluster > Hyper-V Clustered Hosts > Hyper-V virtual machines on Clustered
Hosts
• Hyper-V Cluster > Hyper-V Clustered Hosts > Hyper-V virtual machines on Clustered Hosts
• Hyper-V Standalone Host > Hyper-V virtual machines on standalone host
The Rubrik cluster uses a specific set of automatic protection rules in the application of automatic
protection.



During SLA Domain assignment, the Rubrik cluster displays the objects that have individual assignments
which conflict with the new assignment. For each conflicting object, the Rubrik cluster permits an
administrator to choose to retain the individual setting or apply the new setting.

System Center Virtual Machine Manager


Microsoft provides System Center Virtual Machine Manager to manage virtual machines across multiple
hosts. The Rubrik Backup Service should be installed on all hosts running SCVMM.
The following prerequisites are required for SCVMM hosts supported by Rubrik:
• Hyper-V Server 2016 or newer
• Hyper-V host and Rubrik cluster must be part of the same Active Directory domain
• "Run As" account that is a member of the local Administrators group or a member of the Domain
Admins group on the Hyper-V Server being managed
• For versions of Hyper-V that are older than Hyper-V 2016, use volume snapshots, or install the Rubrik
Backup Service on each virtual machine
Rubrik CDM does not support SCVMM deployed in a high availability configuration.
Related concepts
Rubrik Backup Service
The Rubrik Backup Service provides enhanced integration with protected resources and host systems.
Related tasks
Downloading RBS for SCVMM hosts
Obtain the Rubrik Backup Service software for System Center Virtual Machine Manager hosts from the web
UI of a Rubrik cluster.
Installing RBS on an SCVMM host
Install the Rubrik Backup Service software on an SCVMM host.

Hyper-V host configuration


To protect Hyper-V with a Rubrik cluster, the Failover Clustering feature must be enabled on the Hyper-V
host even if the Hyper-V host is not part of a Failover cluster.
To enable Failover Clustering, use the Windows Server Manager, then select the Add Roles and Features
Wizard to add the Failover Clustering feature.
The Failover Clustering Tools include the Failover Cluster Manager snap-in, the Failover Clustering Windows
PowerShell cmdlets, the Cluster-Aware Updating (CAU) user interface and Windows PowerShell cmdlets,
and related tools.

Note: Hyper-V supports RCT only if Failover Clustering is enabled.

Hyper-V without SCVMM


For Hyper-V without SCVMM, the Rubrik cluster uses the same Rubrik Backup Service software that is used
for Windows file system protection.
For Failover Clusters, RBS should be installed on all hosts and each host should be added to Rubrik
individually.
The following prerequisites are required for Hyper-V hosts supported by Rubrik:
• Rubrik version 4.0 or later
• Hyper-V Server 2016 or later



• Hyper-V host must be joined to one of the Active Directory domains that the Rubrik cluster is a member
of
• Create a Run As Account that is a member of the Domain Admins group or a member of the local
Administrators group
• Virtual machines must be Configuration 8 or later
For versions of Hyper-V that are older than Hyper-V 2016, use volume snapshots, or install the Rubrik
Backup Service on each virtual machine.
Related concepts
Rubrik Backup Service
The Rubrik Backup Service provides enhanced integration with protected resources and host systems.
Rubrik Backup Service account on Windows
The Rubrik Backup Service must run as an account that has local Administrators group privileges on the
Windows Server host.
Related tasks
Downloading the RBS software
Obtain the Rubrik Backup Service software from the web UI of a Rubrik cluster.
Obtaining the RBS software by URL
Obtain the Rubrik Backup Service software directly by URL instead of through the web UI.
Installing RBS on Windows
Install the Rubrik Backup Service software on a computer or virtual machine that is running the Windows
Server operating system.

Hyper-V host management


After installing the Rubrik Backup Service software on a Hyper-V host, add the host to the Rubrik cluster.
Adding a host to the Rubrik cluster establishes a secure connection between the Rubrik cluster and the
Rubrik Backup Service that is running on the host. After the host is added, an entry for the host appears in
the Rubrik CDM web UI.
The Rubrik cluster identifies the host by an IPv4 address or a resolvable hostname. When the value that is
used to identify a host changes, edit the host information on the Rubrik cluster to reflect the new value.
To stop managing the data on a host, delete the host from the Rubrik cluster. Deleting a host removes that
host from the Windows Hosts tab. A removed host cannot be paired with a fileset and cannot be a target
of an export. The Rubrik cluster moves the existing host filesets of the removed host and all associated
backups to the Retention Management page.

Adding a Windows host


To begin managing a Hyper-V host, add the host to the Rubrik cluster.

Prerequisites
Obtain and install the Rubrik Backup Service software on each host being added.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Virtual Machines > Hyper-V VMs.
The VMs tab of the Hyper-V VMs page appears.
3. Click Add Windows Hosts.
The Add Windows Hosts dialog box appears.



4. In IPs or Hostnames, type a comma-separated list of IPv4 addresses or resolvable hostnames for
the hosts being added.
The list can contain a mix of IPv4 addresses and hostnames. The Rubrik cluster requires one IPv4
address or one hostname for each host being added.
5. Click Add.

Result
The Rubrik cluster checks connectivity with the specified hosts and adds the hosts.

SLA Domain assignment


Provide protection for a virtual machine through an SLA Domain.
A virtual machine can be protected by assigning an SLA Domain setting individually to the virtual machine.
A virtual machine can also be protected by deriving an SLA Domain setting through automatic protection.
Automatic protection occurs in one of the following ways:
• An administrator assigns an object that contains the virtual machine to an SLA Domain.
• An administrator moves the virtual machine into the hierarchy of an object that is assigned to an SLA
Domain.
Automatic protection uses the automatic protection rules to determine whether a setting applies to an
object. System Center Virtual Machine Manager describes these rules.

Assigning an SLA Domain setting to a virtual machine


Specify an SLA Domain for a virtual machine, set the virtual machine to inherit from a parent, or specify Do
Not Protect for the virtual machine.

Context
Protect a set of virtual machines by assigning the selected set to an SLA Domain. Assigning virtual
machines to an SLA Domain protects the virtual machines by applying the data protection policies of the
SLA Domain.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Virtual Machines > Hyper-V VMs.
The Hyper-V VMs page appears, with the VMs tab selected.

Note: To go directly to the page for a single virtual machine, type the name of the virtual machine
in the search box on the top bar of the Rubrik CDM web UI and select the virtual machine from the
results list.

3. Select a virtual machine.
Select multiple virtual machines to assign the same setting to all of the selected virtual machines. To
help find virtual machines, use the filters, sort the entries by column heading, or use the search field.
4. Click Manage Protection.
A dialog box with one or more warnings may appear.
The Manage Protection dialog box appears.
5. Select an SLA Domain.
6. Click Next.
The Review Impact of the Manage Protection dialog box displays.



7. Optional: Click Apply to existing snapshots.
The changes made to the SLA Domain are applied to the existing snapshots. The summary
information describes the impact of the changes on existing and new snapshots.
8. Optional: Select Include on-demand and downloaded snapshots.
The changes made to the SLA Domain also apply to on-demand snapshots. The summary information
describes the effect of the changes on existing, new, on-demand, and downloaded snapshots.
9. Click Submit.

Result
The Rubrik cluster assigns the selection group to the SLA Domain.
Related concepts
Finding protection objects
The Rubrik CDM web UI provides several tools for finding protection objects.
Related reference
Manage Protection options
Select virtualization hierarchy entities and click Manage Protection to view the Manage Protection dialog
box for the selected entities. The Manage Protection dialog box provides several options for the selected
entities.

Assigning an SLA Domain setting to a Hyper-V cluster or server


Specify an SLA Domain setting for a Hyper-V host or cluster to have the setting applied to the objects and
virtual machines contained by the cluster or host.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Virtual Machines > Hyper-V VMs.
The Hyper-V VMs page appears, with the VMs tab selected.
3. Select Hosts and Clusters.
The Hosts and Clusters tab appears.
4. Select a Hyper-V host or cluster.
Select multiple objects to apply the setting to more than one object in the hosts hierarchy.
5. Click Manage Protection.
The Manage Protection dialog box appears.
6. Select an SLA Domain.
7. Click Next.
The Review Impact of the Manage Protection dialog box appears.
8. Optional: Click Apply to existing snapshots.
The changes made to the SLA Domain are applied to the existing snapshots. The summary
information describes the impact of the changes on existing and new snapshots.
9. Optional: Select Include on-demand and downloaded snapshots.
The changes made to the SLA Domain also apply to on-demand snapshots. The summary information
describes the effect of the changes on existing, new, on-demand, and downloaded snapshots.
10. Click Submit.
The automatic protection rules determine the application of the selected setting to virtual machines
contained by the selected objects.

Result
The Rubrik cluster applies the selected setting to the selected objects and resolves conflicts as specified.



The automatic protection rules determine the application of the setting to the virtual machines that are
contained by the selected objects.
Related concepts
Automatic protection
A Rubrik cluster provides automatic protection of virtual machines through inheritance of the SLA Domain
assigned to a parent object.
Related reference
Manage Protection options
Select virtualization hierarchy entities and click Manage Protection to view the Manage Protection dialog
box for the selected entities. The Manage Protection dialog box provides several options for the selected
entities.

Manage Protection options


Select virtualization hierarchy entities and click Manage Protection to view the Manage Protection dialog
box for the selected entities. The Manage Protection dialog box provides several options for the selected
entities.

Field: Search
Action: Search SLA Domains
Description: Predictive search for SLA Domains by using the characters entered in the search field to match
the same sequence of characters anywhere in the SLA Domain name.

Field: The + icon
Action: Click to open the Create New SLA Domain dialog box
Description: Opens the Create New SLA Domain dialog box. Create a new SLA Domain and assign that SLA
Domain to the selected group of objects.

Field: SLA Domain list
Action: Select an SLA Domain
Description: Select an SLA Domain to assign to the selected group of objects. The Rubrik cluster assigns the
selected SLA Domain individually to each of the selected objects. The automatic protection rules determine
whether the Rubrik cluster assigns the selected SLA Domain to objects contained by a selected object.

Field: Clear Existing Assignment
Action: Select to clear the existing SLA Domain.
Description: The SLA Domain of the next higher level object is assigned.

Field: Do Not Protect
Action: Click to stop policy-based protection of the object and to assign a retention policy to existing
snapshots
Description: Individually assigns the Do Not Protect setting to each of the selected objects. The automatic
protection rules determine whether objects that are contained by a selected object inherit the Do Not
Protect setting.
The Rubrik cluster does not create policy driven snapshots for a virtual machine that is individually set to
Do Not Protect or that inherits the Do Not Protect setting.
Offers the following options for retaining existing snapshots.
• Preserve retention from previous SLA
• Keep forever
• Expire immediately



Removing an SLA Domain setting
Remove an individual SLA Domain setting from a virtual machine. After the task completes, the virtual
machine derives a setting based on the automatic protection rules.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Virtual Machines > Hyper-V VMs.
The Virtual Machines page appears, with the VMs tab selected.
3. Select a virtual machine.
Select multiple virtual machines to remove the individual setting of every virtual machine in the
selection group.
4. To help find virtual machines, use the filters, sort the entries by column heading, or use the search
field. Finding protection objects describes these tools.
5. Click Manage Protection.
A dialog box with one or more warnings may appear.
The Manage Protection dialog box appears.
6. Choose one of the following options.
Option: Inherit
Description: The SLA Domain is assigned based on inheritance rules.

Option: Do Not Protect
Description: The virtual machine is excluded from all further SLA Domain assignments.
Choose the retention policy for the existing snapshots:
• Preserve retention from previous SLA
• Keep forever. This is the default choice.
• Expire immediately

7. Optional: Click Apply to existing snapshots.
The changes made to the SLA Domain are applied to the existing snapshots. The summary
information describes the impact of the changes on existing and new snapshots.
8. Optional: Select Include on-demand and downloaded snapshots.
The changes made to the SLA Domain also apply to on-demand snapshots. The summary information
describes the effect of the changes on existing, new, on-demand, and downloaded snapshots.
9. Confirm the summary information and click Submit.
If the summary information appears incorrect, click Back to return to the previous screen or Cancel
to cancel the change.

Result
The Rubrik cluster removes the individual assignments for the selected group. Each virtual machine in the
selection group derives a protection setting based on the automatic protection rules.
Related concepts
Retention policy for existing snapshots



Choose the retention policy for existing snapshots after removing the SLA Domain setting.

Retention policy for existing snapshots


Choose the retention policy for existing snapshots after removing the SLA Domain setting.
When the Apply changes to the existing snapshots option is applied for the data sources that can inherit
the SLA Domain of the parent, the retention of existing snapshots changes to the retention policy of the
inherited SLA Domain. For snapshots that cannot inherit the SLA Domain of the parent, the snapshots are
retained forever.
When changes are not applied to existing snapshots, the retention for existing snapshots that can inherit
the SLA Domain of the parent does not change. For snapshots that cannot inherit the SLA Domain of the
parent, the snapshots are retained forever.

Finding protection objects


The Rubrik CDM web UI provides several tools for finding protection objects.
The Rubrik CDM web UI lists all of the virtual machines that have been discovered on the Hyper-V VMs
page. Access this page using one of several methods.
The following methods open the Hyper-V VMs page and display all discovered virtual machines:
• On the left-side menu, click Virtual Machines > Hyper-V VMs.
• On the Dashboard page, on the Hyper-V VMs card, click See All.

Displaying all discovered virtual machines


Use a filter to display all unprotected virtual machines.

Procedure
1. Log in to the Rubrik CDM web UI.
2. In the left-side menu, click Virtual Machines > Hyper-V VMs.
The Hyper-V VMs page appears, with the VMs tab selected, and displays all the virtual machines
present in the system.
3. Click the Filter SLA drop-down menu.
4. On the Filter SLA drop-down menu, select a filter.
• All Unprotected – Displays all unprotected virtual machines, both No SLA and Do Not Protect.
• No SLA – Displays virtual machines that have not inherited an SLA Domain setting.
• Do Not Protect – Displays virtual machines that have inherited the Do Not Protect setting, or
have Do Not Protect individually assigned.
• All Protected – Displays virtual machines that have been associated with defined SLAs.

Result
The Rubrik CDM web UI displays the virtual machines that belong to the selected protection state.

Displaying unprotected virtual machines from the Dashboard


From the Dashboard, display all unprotected virtual machines.

Procedure
1. Open the web UI to the main Dashboard.



2. On the Hyper-V VMs card, in the Unprotected field, click Protect Now.

Result
The Hyper-V VMs page opens, with the VMs tab selected, and filters the view to show All Unprotected
virtual machines.

Displaying unprotected virtual machines from the Hyper-V VMs page


Use a filter to display all unprotected virtual machines.

Procedure
1. Log in to the Rubrik CDM web UI.
2. In the left-side menu, click Virtual Machines > Hyper-V VMs.
The Hyper-V VMs page appears, with the VMs tab selected, and displays all the virtual machines
present in the system.
3. Click the Filter SLA drop-down menu.
4. On the Filter SLA drop-down menu, select one of the following filters:
• All Unprotected – Displays all unprotected virtual machines, both No SLA and Do Not Protect.
• No SLA – Displays virtual machines that have not inherited an SLA Domain setting.
• Do Not Protect – Displays virtual machines that have inherited the Do Not Protect setting, or
have Do Not Protect individually assigned.
• All Protected – Displays virtual machines that have been associated with defined SLAs.

Result
The Rubrik CDM web UI displays the virtual machines that belong to the selected protection state.
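
The inheritance described under Automatic protection and the Filter SLA states listed above can be modelled offline to audit protection coverage. The following Python model is an added example, not Rubrik code or a Rubrik API: the object names and the inventory are constructed, and it assumes that the nearest object with an individual assignment supplies the setting a virtual machine derives.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

DO_NOT_PROTECT = "Do Not Protect"  # explicit exclusion, distinct from "nothing assigned"


@dataclass
class Node:
    """One object in a Hyper-V hierarchy: scvmm, cluster, host, or vm."""
    name: str
    kind: str
    parent: Optional["Node"] = None
    assignment: Optional[str] = None  # SLA Domain name, DO_NOT_PROTECT, or None (inherit)


def chain(node: Optional[Node]) -> Iterator[Node]:
    """Yield the object itself, then each parent up to the top of the hierarchy."""
    while node is not None:
        yield node
        node = node.parent


def effective_setting(node: Node) -> Tuple[Optional[str], Optional[str]]:
    """Return (setting, name of the object that supplies it).

    Assumption: the nearest individual assignment wins, starting at the
    object itself and walking up through its parents.
    """
    for obj in chain(node):
        if obj.assignment is not None:
            return obj.assignment, obj.name
    return None, None  # nothing assigned anywhere in the chain


def protection_state(vm: Node) -> str:
    """Map the derived setting onto the Filter SLA states."""
    setting, _ = effective_setting(vm)
    if setting is None:
        return "No SLA"
    return setting if setting == DO_NOT_PROTECT else "All Protected"


def audit(nodes: Dict[str, Node]) -> Dict[str, List[str]]:
    """Bucket every VM by protection state, as the Filter SLA menu does."""
    report: Dict[str, List[str]] = {"All Protected": [], "No SLA": [], "Do Not Protect": []}
    for node in nodes.values():
        if node.kind == "vm":
            report[protection_state(node)].append(node.name)
    for names in report.values():
        names.sort()
    report["All Unprotected"] = sorted(report["No SLA"] + report["Do Not Protect"])
    return report


def conflicts(nodes: Dict[str, Node], target: str, new_setting: str) -> List[str]:
    """Objects below `target` whose individual assignment differs from the
    setting about to be assigned, i.e. the ones an administrator must decide on."""
    top = nodes[target]
    return sorted(
        n.name for n in nodes.values()
        if n.assignment not in (None, new_setting)
        and any(a is top for a in chain(n.parent))
    )


def build_sample_inventory() -> Dict[str, Node]:
    """Constructed inventory covering the three supported hierarchies."""
    nodes: Dict[str, Node] = {}

    def add(name, kind, parent=None, assignment=None):
        nodes[name] = Node(name, kind, nodes[parent] if parent else None, assignment)

    # SCVMM > cluster > clustered hosts > VMs
    add("scvmm01", "scvmm", assignment="Gold")
    add("clusterA", "cluster", "scvmm01")
    add("hostA1", "host", "clusterA")
    add("hostA2", "host", "clusterA", DO_NOT_PROTECT)
    add("vm-web", "vm", "hostA1")                   # inherits Gold
    add("vm-test", "vm", "hostA1", DO_NOT_PROTECT)  # excluded individually
    add("vm-scratch", "vm", "hostA2")               # inherits Do Not Protect
    add("vm-db", "vm", "hostA2", "Silver")          # individual assignment wins
    # Cluster > clustered hosts > VMs, nothing assigned at any level
    add("clusterB", "cluster")
    add("hostB1", "host", "clusterB")
    add("vm-legacy", "vm", "hostB1")
    # Standalone host > VMs
    add("hostS", "host", assignment="Bronze")
    add("vm-file", "vm", "hostS")
    return nodes


if __name__ == "__main__":
    inventory = build_sample_inventory()
    for state, names in audit(inventory).items():
        print(f"{state}: {', '.join(names)}")
    print("Conflicts if clusterA is set to Bronze:", conflicts(inventory, "clusterA", "Bronze"))
    # Clearing vm-db's individual assignment makes it derive hostA2's setting.
    inventory["vm-db"].assignment = None
    print("vm-db after clearing its assignment:", protection_state(inventory["vm-db"]))
```

In this model, clearing the individual Silver assignment on vm-db leaves it under the Do Not Protect setting of hostA2, so it moves from the protected set to the unprotected set without any Do Not Protect action being taken on the virtual machine itself.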

Sorting virtual machines by using the SLA filter


Use the SLA filter to find specific virtual machines.

Procedure
1. Log in to the Rubrik CDM web UI.
2. In the left-side menu, click Virtual Machines > Hyper-V VMs.
The Hyper-V VMs page appears, with the VMs tab selected, and displays all the virtual machines
present in the system.
3. Click the Filter SLA drop-down menu.
4. On the Filter SLA drop-down menu, select one of the named SLA Domains, or select a protection
state:
• No SLA
• Do Not Protect

Result
The web UI displays the virtual machines that belong to the selected SLA Domain or to the selected
protection state.



Finding virtual machines by using the Search field
Use the Search field to find a specific virtual machine.

Procedure
1. Log in to the Rubrik web UI.
2. In the Search field, at the top of all Rubrik CDM web UI pages, type the name of the virtual machine.
The search matches the characters entered in the search field with the same sequence of characters
anywhere in a name. Continue to type characters to narrow down the results until the virtual machine
appears.
The Rubrik cluster begins a predictive search and updates the results as letters are typed.
3. When the name of the virtual machine appears in the displayed list, select the name.

Result
The Rubrik CDM web UI displays the local host page for the virtual machine.

Finding entities by using the object tab


Use object tabs on the Virtual Machines page to define a hierarchical view to search and to browse. Then,
use the search field to find entities within the defined view, or browse to entities within the defined view.

Procedure
1. Log in to the Rubrik CDM web UI.
2. In the left-side menu, click Virtual Machines > Hyper-V VMs.
The Hyper-V VMs page appears, with the VMs tab selected, and displays all the virtual machines
present in the system.
3. Select a tab.
• VMs – Provides a virtual-machines-only view, with the hierarchical location of each virtual machine
displayed in the location column.
• Hosts and Clusters – Provides a list of Hyper-V hosts and Hyper-V clusters.
4. (Search Only) In the tab search field, begin typing an entity name.
The Rubrik cluster begins a predictive search and updates the results as letters are typed.
The search matches the characters entered in the search field with the same sequence of characters
anywhere in a name. Continue to type characters to narrow down the results until the entity appears
in the results.
5. (Search Only) Stop typing when the name of the entity appears on the page.
6. (Browse Only) Click the name of a top-level entity.
The Rubrik CDM web UI displays the entities within the selected entity.
7. (Browse Only) Continue clicking entity names to browse down the hierarchy to a specific entity.

Result
The search lists the specified entities.

Selecting data sources


Use the objects filter and tab search field to find and select data protection entities.

Procedure
1. Log in to the Rubrik CDM web UI.



2. In the left-side menu, select the protectable object type.
Option: Hyper-V VMs
Description: Click Virtual Machines > Hyper-V VMs.

Option: vSphere VMs
Description: Click Virtual Machines > vSphere VMs.

Option: AHV VMs
Description: Click Virtual Machines > AHV VMs.

The selected page appears, with the VMs tab selected, and displays all the virtual machines present in
the system.
3. Use one of the search or sort methods to display the entities to be selected.
4. Select the entities.
A check mark appears next to each selected entity.
5. Click Manage Protection.

Result
Rubrik CDM selects the data protection entities.
Related concepts
SLA Domain assignment
Provide protection for a virtual machine through an SLA Domain.

Protected warning
The Rubrik CDM web UI displays the protected warning when the Rubrik cluster detects that an SLA
Domain setting is already associated with a selected virtual machine.
The protected warning is “These VM(s) are already protected”.
When the protected warning appears, do one of the following:
• Continue the operation to assign the selected SLA Domain to the protected virtual machines.
• Cancel the operation and remove the virtual machines from the selection set.
Changing the SLA Domain of a virtual machine may result in immediate expiration of some snapshots.
Related concepts
Changing the assigned SLA Domain
A protected virtual machine may be assigned to another SLA Domain in order to satisfy specific business
requirements (for example, data governance policy changes or space management requirements).

Protection consequences
The SLA rules defined by an SLA Domain impact the protection of virtual machines in several ways. SLA
rules specify when snapshots are created, when snapshots expire, and where snapshot data is stored.
A policy driven snapshot is a snapshot that is created automatically based on the SLA rules of an SLA
Domain. In most cases, the SLA Domain that manages a policy driven snapshot is the same SLA Domain
that created the snapshot.
Sometimes, the source virtual machine for a snapshot is assigned to another SLA Domain after the
snapshot is created. When this occurs the new SLA Domain becomes the managing SLA Domain for the
policy driven snapshot.
A policy driven snapshot can require manual management when it loses an association with the SLA
Domain.



Protecting a new virtual machine
A new virtual machine is one for which no policy driven snapshots exist. After a new virtual machine is
assigned to an SLA Domain, all of its snapshots, replicas and archival snapshots are created and managed
based on the SLA rules of the SLA Domain.
The following table provides an overview of the impact of assigning a new virtual machine to an SLA
Domain.

SLA Domain property: SLA rules
Virtual machine snapshot impact: Determines when policy driven snapshots are created and when they are
automatically expired.

SLA Domain property: Local Cluster Retention Period
Virtual machine snapshot impact: Determines how long snapshots are retained on the local Rubrik cluster.
When an archival account exists for the SLA Domain, policy driven snapshots older than the Local Cluster
Retention Period are automatically copied to archival snapshots on an archival location.

SLA Domain property: Replication Retention Period
Virtual machine snapshot impact: Determines how long replicas are retained on a replication target cluster.

SLA Domain property: Maximum Retention Period
Virtual machine snapshot impact: Determines how long snapshots are retained by the system. The Rubrik
cluster automatically expires policy driven snapshots that are older than the Maximum Retention Period.

Changing the assigned SLA Domain


A protected virtual machine may be assigned to another SLA Domain in order to satisfy specific business
requirements (for example, data governance policy changes or space management requirements).

Example: Assigning a protected virtual machine to another SLA Domain

Assume that a virtual machine was assigned to the SLA Domain D1 and later was assigned to the SLA
Domain D2. At the time of the reassignment, the virtual machine had existing policy driven snapshots.
After the reassignment, those existing policy driven snapshots are managed based on the policies set in
SLA Domain D2.
If D1 has a higher base frequency of snapshots than D2 (e.g. D1 was Gold and D2 was Bronze), then
existing policy-driven snapshots that are not required by the policies of D2 are deleted from the system.
By doing this, the Rubrik cluster brings the snapshot history for the virtual machine into compliance with
the frequency and retention periods defined by D2.
Alternatively, if D2 specifies a higher base frequency of snapshots (e.g. D2 was Gold and D1 was Bronze),
then the virtual machine will initially appear in the SLA Compliance reports as out of compliance with D2’s
SLA because the existing snapshots are insufficient to meet the new SLA rules.

Removing protection from a virtual machine


When a virtual machine is removed from an SLA Domain, no further policy driven snapshots for the virtual
machine are created and no replication or archival activity occurs for the virtual machine.
All existing snapshots for the virtual machine must be managed manually.



Reprotecting a virtual machine
At times, a virtual machine that is protected by one SLA Domain may be temporarily set to Do Not Protect,
and then reassigned to another SLA Domain for protection.
When a reassignment occurs, the existing snapshots of the virtual machine are subject to the retention
policies of the currently assigned SLA Domain, including:
• Local cluster retention period
• Replication retention period
• Maximum retention period

Local host page


The local host page provides detailed information about the protection of a virtual machine, and tasks
related to the virtual machine.
The local host page provides the following sections:
• Action bar
• Overview card
• Snapshots card

Viewing a local host page


Access a local host page to view information about a local virtual machine.

Procedure
1. On the left-side menu, click Virtual Machines > Hyper-V VMs.
To go directly to the page for a single virtual machine, type the name of the virtual machine in the
search box on the top bar of the Rubrik CDM web UI and select the virtual machine from the results
list.
The Hyper-V VMs page appears, with the VMs tab selected, and displays all the virtual machines
present in the system.
2. In Name, click the name of a virtual machine.

Result
The local host page for the selected virtual machine appears.

Action bar
The action bar is used to take on demand snapshots or to manage protection.

Action: Take On Demand Snapshot
Description: Adds an on demand snapshot of the virtual machine to the task queue.
Backup Window settings defined for the SLA Domain of the virtual machine do not apply to on demand
snapshots. Only the maximum retention and remote configuration settings of the associated SLA Domain
apply to on demand snapshots.

Action: Manage Protection
Description: Opens the Manage Protection page where the virtual machine can be assigned to an SLA
Domain for protection.
When the virtual machine is already assigned to an SLA Domain, a warning appears.

Action: Ellipsis menu > Exclude VHDs
Description: Provides access to the Exclude VHD dialog box.

Action: Ellipsis menu > Register Rubrik Backup Service
Description: Establishes a connection between the Rubrik cluster and the Rubrik Backup Service (RBS)
software running on the guest OS of the virtual machine.

Overview card
The Overview card summarizes protection for Hyper-V hosts.

Field Description
SCVMM If SCVMM is part of the cluster, the IP address of the SCVMM Server.
Cluster If the Hyper-V Server is part of a cluster, the IP address of the Hyper-V Server that
manages the virtual machine.
Host IP address of the hypervisor that hosts the virtual machine.
SLA Domain Name of the SLA Domain that manages the protection of the selected virtual
machine.
Live Mounts Number of live mounts for snapshots associated with the selected virtual machine.
Oldest Snapshot Timestamp for the oldest snapshot associated with the selected virtual machine.
When the SLA Domain has an active archival policy, the oldest snapshot resides at
the archival location.

Latest Snapshot Timestamp for the most recent successful snapshot of the selected virtual machine.
Total Snapshots Total number of retained snapshots for the selected virtual machine, including both
the local Rubrik cluster and any archival location.
Missed Snapshots Number of policy-driven snapshots that did not complete successfully. A missed
snapshot is included in the count until the period since the SLA Domain policy
required the snapshot exceeds the retention period of the SLA Domain.

Snapshots card
For the selected local virtual machine, the Snapshots card provides the ability to browse the snapshots that
reside on the local Rubrik cluster and on the archival location.
The Snapshots card provides access to snapshot information through a series of calendar views. Each view
uses color spots to indicate the presence of snapshots on a date and to indicate the status of SLA Domain
compliance for the virtual machine on that date.
The Snapshots card also provides the ability to search for files across all of the snapshots of the virtual
machine.
The following table defines the status colors used on calendar views.

Color Status
Green All snapshots required by SLA Domain policy were successfully created.

Orange All snapshots required by SLA Domain policy were successfully created but at least one
snapshot caused a warning.
Red At least one snapshot required by SLA Domain policy was not successfully created.

Calendar view fields


The calendar view of the Snapshot card displays information based on the selected calendar period.

View Description
Year The Year view displays snapshot creation information for an entire year. A color spot
indicator on a specific date indicates snapshot activity, and displays the SLA Domain
compliance status for that day.
Month The Month view displays snapshot creation information for an entire month. A color spot
indicator on a specific date indicates snapshot activity, and displays the SLA Domain
compliance status for that day.
Day The Day view displays the individual snapshots that were created on the selected day. The
Day view also provides the additional information and actions described in the following
section.

Information available on the day view for a local virtual machine


The day view provides information about snapshots for a local virtual machine.

Category Description
Time Creation time of the snapshot.
Location For a snapshot that resides only on local storage the indicator field is empty.
The following icon indicates a snapshot that resides at an archival location.

The following icon indicates a snapshot that resides locally and at an archival location.

The following icon indicates a replica of the snapshot from the source Rubrik cluster.

Status The following icon indicates a warning for the snapshot entry. Hover over the icon to see
additional information.

The following icon indicates the policy driven snapshot represented by the entry was not
completed successfully.

Source The following icon indicates a policy driven snapshot.



The following icon indicates an on-demand snapshot.

Actions available on the day view for a local virtual machine


The day view provides the ability to initiate various actions with snapshots for a local virtual machine.
Access the actions by clicking the ellipsis menu.

Command Description
Search by File Name Use the predictive search field to find a file by typing the name.
Mount Use the snapshot to create and mount a new virtual machine on a hypervisor host.
The new virtual machine is uniquely named within the virtualization management system.
The name of the recovered virtual machine is constructed as follows: name of source
virtual machine + timestamp of snapshot + incremented integer.
The new virtual machine is powered on but is disconnected from the network.
The local Rubrik cluster is the datastore for the new virtual machine.

Instantly Recover Restore a virtual machine into the production environment by using the selected
snapshot.
The new virtual machine is given the same name as the source virtual machine and is
powered on and connected to the network. The source virtual machine is powered off and
renamed.
The local Rubrik cluster serves as the datastore for the new virtual machine.

Export Use the snapshot to create and mount, on a hypervisor host, a new virtual machine that
is a copy of the local virtual machine.
The new virtual machine is uniquely named within the virtualization management system.
The name of the recovered virtual machine is constructed as follows: name of source
virtual machine + timestamp of snapshot + incremented integer.
The new virtual machine is powered on but is disconnected from the network.
The hypervisor host is the datastore for the new virtual machine.

Browse Files Open a file browser view on the selected snapshot.


Use this view to find, select, and download a file or folder from the snapshot.

Delete Delete the selected snapshot.


This command only appears for snapshots that are not created based on an SLA Domain
policy, such as:
• On-demand snapshots
• Retrieved snapshots
• Snapshots for an unprotected virtual machine

Archival location actions


Snapshots stored at an archival location support the actions listed in the following table.

Command Description
Download Transfer a copy of the selected snapshot to the local Rubrik cluster so that it is
available for additional local actions. The local Rubrik cluster provides a notification
when the download is completed.
Browse Files Open a file browser view on the selected snapshot.
Use this view to find, select, and download a file or folder from the snapshot.

Virtual machine snapshots


The Rubrik cluster provides protection for virtual machines by combining native snapshot technology with
the fast and scalable cloud data management platform of the Rubrik cluster.

Performance and scalability


The Rubrik cluster provides a high-performance, highly scalable integration with the Hyper-V Windows
Management Instrumentation and Microsoft Volume Shadow Copy Service to back up virtual machines
hosted on Hyper-V hypervisors.
By efficient use of Microsoft Volume Shadow Copy Service (VSS) calls and by providing very fast data
ingestion, the Rubrik cluster minimizes the time that a virtual machine is quiescent during a backup. This
reduces and, in most cases, eliminates the application time-outs caused by many other backup products.
The time that a virtual machine is quiescent, sometimes referred to as virtual machine stun or application
stun, is the time between the following:
• The point where execution of the virtual machine is paused, at an instruction boundary, and all in-flight
disk input/output operations are completed.
• The point where execution resumes.

The period a virtual machine is quiescent is very brief, just long enough to create a snapshot. The virtual
machine does not remain quiescent during the processing and ingestion of the snapshot data.
For best performance, use a 10 Gigabit Ethernet connection between the Rubrik cluster and the Hyper-V
environment. Also, for replication, provide a 10 Gigabit Ethernet connection between the source Rubrik
cluster and the target Rubrik cluster.
The Rubrik cluster uses a distributed job scheduler. The distributed job scheduler permits the Rubrik cluster
to schedule jobs to run on any node and on multiple nodes, as needed.
Since the distributed job scheduler can seamlessly schedule jobs on all available nodes and across multiple
nodes, adding nodes to a Rubrik cluster further increases ingestion and processing efficiency.

Backup processes
A Rubrik cluster backs up a virtual machine by using VSS to create a snapshot of the virtual machine.
When a Rubrik cluster begins protecting a virtual machine, the Rubrik cluster starts by creating a first full
snapshot of the virtual machine. This first full snapshot is a complete backup of the virtual machine.
After the first full snapshot, the Rubrik cluster continues protection of the virtual machine by creating
incremental snapshots based on the change information provided by Resilient Change Tracking (RCT). The
Rubrik cluster creates each incremental snapshot very quickly because the snapshot only includes the data
blocks that have changed since the last snapshot.
The Hyper-V environment transmits the snapshot data to the Rubrik cluster using the SMB protocol.

Snapshot window
An SLA Domain can be configured to include a snapshot window. A snapshot window determines the
period in a day the Rubrik cluster can initiate policy-driven snapshots of the objects that the SLA Domain
protects.
When using the snapshot window policy, the specified window must be long enough to accommodate the
number of objects that are assigned to the SLA Domain. Monitor the snapshot activity of the SLA Domain
to ensure that all policy-driven snapshots are successfully completed. When necessary, lengthen the period
to permit all snapshots to be completed successfully.

Protection exceptions
The Rubrik cluster cannot protect data if protection exceptions exist.
The following list defines the protection exceptions:
• Failover clustering must be installed on the host, even if it is a standalone host. The snapshots will fail if
this feature is not enabled.
• Rubrik will discover Live Mount virtual machines, but they cannot be backed up.

Backup consistency levels


By default, the Rubrik cluster provides the highest level of backup consistency that is available for a virtual
machine.
The Rubrik cluster creates Application Consistent snapshots. If an Application Consistent snapshot cannot
be created, a Crash Consistent snapshot is used.

Application consistency
The Rubrik cluster supports application-consistent snapshots for a variety of guest OS types and
application types.
The Rubrik cluster supports application-consistent snapshots for applications such as:
• Microsoft Exchange Server
• Microsoft SQL Server
• Microsoft Active Directory
• Microsoft SharePoint
• Oracle Database (RDBMS) running through Managed Volume protection
The Rubrik cluster does not support restore of an application-consistent snapshot into an availability group.
Cluster consistency for the availability group cannot be ensured in this situation, and problems might occur.

Linux guest OS
A Rubrik cluster provides file system consistent snapshots on supported Linux guest OS types.

On demand snapshots
In addition to policy based snapshots, create virtual machine snapshots by using the on demand snapshot
process.
A Rubrik cluster creates policy-based snapshots of protected virtual machines automatically, according to
the SLA rules of the associated SLA Domain.
Additional snapshots of protected virtual machines, and snapshots of unprotected virtual machines can be
created by using the on demand snapshot process.

Creating an on-demand snapshot of a Hyper-V virtual machine


Access the host page for a Hyper-V virtual machine to create an on-demand snapshot.

Procedure
1. In the web UI, on the left-side menu, click Virtual Machines > Hyper-V VMs.
The Hyper-V VMs page appears, with the VMs tab selected, and displays all the Hyper-V virtual
machines present in the system.
2. Click the name of a virtual machine.
The local host page for the selected virtual machine appears.
3. On the local host page, click Take On Demand Snapshot.
The Take On Demand Snapshot dialog box appears.
4. Select an SLA Domain.
The Rubrik cluster bases the retention period of the on-demand snapshot on the retention period and
frequency of the assigned SLA Domain. The Rubrik cluster uses the remote configuration settings of
the associated SLA Domain to manage the on-demand snapshot. The selected SLA Domain can be
different from the SLA Domain that protects the virtual machine.
5. Click Take On Demand Snapshot.

Result
The Rubrik cluster adds the specified on-demand backup to the task queue. The Activity Log tracks the
status of the on-demand backup task.

Related concepts
Retention management
Assign retention policies to existing scheduled snapshots, on-demand snapshots, and snapshots retrieved
from an archival location.
Snapshot Management page
The Snapshot Management page provides access to snapshot and backup information for protected
objects and relic objects.

Exclude VHD files


Virtual machines can include some VHD files that do not need to be protected.
The Rubrik cluster can ignore some of the VHD files of a virtual machine while protecting other VHD files
on that virtual machine.

Excluding VHD files of a virtual machine


When backups are not required for some VHD files on a virtual machine, exclude these VHD files from
backups.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Virtual Machines > Hyper-V VMs.
The Hyper-V VMs page appears, with the VMs tab selected.
3. In the Name column, click the name of a virtual machine.
To help find virtual machines, use the filters, sort the entries by column heading, or use the search
field.
The local host page for the selected virtual machine appears.
4. Open the ellipsis menu on the top bar of the local host page and select Exclude VHDs.
The Exclude VHDs dialog box appears.
5. Select the VHD files to exclude.
6. Click Exclude.

Result
The Rubrik cluster excludes the selected VHD files from all future backups of the virtual machine.

Archival snapshots
Archival snapshots provide long term storage of snapshot data outside of the local Rubrik cluster.

Archival location storage


The Rubrik cluster deduplicates and compresses the data in archival snapshots. The Rubrik cluster uses
client-side encryption to encrypt the archival snapshot data stored on all archival locations except NFS
exports.

Retention
The retention period assigned to the archival snapshot by the associated SLA Domain determines the
expiration of an archival snapshot. After the expiration of the retention period, the Rubrik cluster marks the
archival snapshot as expired and moves the snapshot data to garbage collection.
To ensure existing snapshots are always fully functional, the Rubrik cluster combines any required data
from expired incremental snapshots into the chain of existing incremental snapshots. This permits each
retained archival snapshot to be mounted as a fully functional virtual machine.
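
The consolidation described above can be illustrated with a small model. The following Python is an added example, not Rubrik code: the SnapshotChain class, its block-map representation of a disk, and the sample data are assumptions made for illustration. It shows why blocks from an expired incremental must be folded into its successor, and what a retained snapshot looks like when that step is skipped.

```python
"""Toy model of an incremental snapshot chain with expiry (illustration only)."""
from typing import Dict, List

Blocks = Dict[int, bytes]  # block number -> block contents (constructed sample data)


class SnapshotChain:
    """One full snapshot followed by incrementals that store only changed blocks."""

    def __init__(self, full_image: Blocks) -> None:
        self._next_id = 0
        self.snapshots: List[dict] = []  # oldest first; entry 0 is always a full image
        self._append(full_image)

    def _append(self, blocks: Blocks) -> int:
        snap_id = self._next_id
        self._next_id += 1
        self.snapshots.append({"id": snap_id, "blocks": dict(blocks)})
        return snap_id

    def take_incremental(self, changed: Blocks) -> int:
        """Record only the blocks that changed since the previous snapshot."""
        return self._append(changed)

    def materialize(self, snap_id: int) -> Blocks:
        """Rebuild the complete disk image as of snap_id by replaying the chain."""
        image: Blocks = {}
        for snap in self.snapshots:
            image.update(snap["blocks"])  # newer blocks overwrite older ones
            if snap["id"] == snap_id:
                return image
        raise KeyError(f"snapshot {snap_id} is not retained")

    def expire(self, snap_id: int, merge: bool = True) -> None:
        """Drop a snapshot. With merge=True, fold its blocks into the successor
        first so that every later snapshot still rebuilds to the same image."""
        idx = next(
            (i for i, s in enumerate(self.snapshots) if s["id"] == snap_id), None
        )
        if idx is None:
            raise KeyError(f"snapshot {snap_id} is not retained")
        expired = self.snapshots[idx]
        if merge and idx + 1 < len(self.snapshots):
            successor = self.snapshots[idx + 1]
            merged = dict(expired["blocks"])
            merged.update(successor["blocks"])  # the successor's own changes win
            successor["blocks"] = merged
        del self.snapshots[idx]


def build_sample_chain() -> SnapshotChain:
    """Constructed sample: a 3-block disk with three incrementals (ids 1, 2, 3)."""
    chain = SnapshotChain({0: b"A0", 1: b"B0", 2: b"C0"})
    chain.take_incremental({1: b"B1"})
    chain.take_incremental({2: b"C2"})
    chain.take_incremental({1: b"B3"})
    return chain


def demo() -> dict:
    """Expire snapshots 1 and 0 with consolidation, and snapshot 1 without it."""
    good = build_sample_chain()
    expected = {i: good.materialize(i) for i in (2, 3)}  # images before any expiry
    good.expire(1)  # a middle incremental
    good.expire(0)  # the original full; snapshot 2 becomes the new base
    bad = build_sample_chain()
    bad.expire(1, merge=False)  # failure mode: block 1 of snapshot 2 is lost
    return {
        "expected": expected,
        "after_merge": {i: good.materialize(i) for i in (2, 3)},
        "after_naive": bad.materialize(2),
        "oldest_is_full": len(good.snapshots[0]["blocks"]) == 3,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```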

Unmanaged data
Manage file system and application data that is not subject to a retention policy through the Snapshot
Management page of the Rubrik CDM web UI.
The Rubrik cluster defines backups and snapshots that do not have a retention policy as unmanaged
snapshot objects. Unmanaged snapshot objects can be managed through the Snapshot Management page
of the Rubrik CDM web UI.
View the Snapshot Management page for information about tasks with unmanaged snapshot objects.
Related concepts
Retention management
Assign retention policies to existing scheduled snapshots, on-demand snapshots, and snapshots retrieved
from an archival location.

Recover and restore virtual machine data


The Rubrik cluster provides a variety of methods to recover virtual machines and to restore protected data.
Recover virtual machines and restore data by using snapshots, replicas, and archival snapshots.
When snapshot data exists in a local snapshot and in an archival snapshot, the Rubrik cluster always
uses the local snapshot to recover a virtual machine or to restore data. By using the local snapshot, the
Rubrik cluster reduces network impact and eliminates any archival data recovery charges associated with a
recovery operation or a restore operation.

Recovery of virtual machines
For a Rubrik cluster, recovery of a source virtual machine means to mount a point-in-time copy of the
source virtual machine.
A virtual machine can be recovered by using any of the Rubrik data protection objects: snapshots, replicas,
and archival snapshots. Recover a virtual machine by using one of the available recovery actions. The
Rubrik cluster provides the following recovery actions for virtual machines:
• Instant Recovery
• Live Mount
The following table describes the differences between recovery actions.

Instant Recovery
• Name of recovered virtual machine: Assigned the name of the source virtual machine
• Datastore: Local Rubrik cluster
• Power state: On
• Network: Connected (Optional)
• Source virtual machine: Powered off and renamed

Live Mount
• Name of recovered virtual machine: The name of the recovered virtual machine is constructed as follows:
name of source virtual machine + timestamp of snapshot + incremented integer.
• Datastore: Local Rubrik cluster
• Power state: On
• Network: Disconnected
• Source virtual machine: No impact

Export
• Name of recovered virtual machine: The name of the recovered virtual machine is constructed as follows:
name of source virtual machine + timestamp of snapshot + incremented integer.
• Datastore: Datastore of hypervisor
• Power state: On
• Network: Disconnected
• Source virtual machine: No impact

Recovery actions by snapshot type


The Rubrik cluster supports different recovery actions based on the type of snapshot.

Snapshot type Available recovery actions


Local Initiated from the local Rubrik cluster:
• Instant Recovery
• Live Mount
• Export

Replica Initiated from the target Rubrik cluster:


• Live Mount
• Export

Archival Initiated from the local Rubrik cluster, after the archival snapshot is downloaded to
the local Rubrik cluster:
• Instant Recovery
• Live Mount
• Export

Selecting a snapshot or an archival snapshot


Use the Rubrik CDM web UI to select a snapshot before applying a recovery action.

Context
Alternatively, use the search box on the top bar of the Rubrik CDM web UI to directly access the local host
page when the name of the source virtual machine is known.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Virtual Machines > Hyper-V VMs.
To work with data from an unmanaged virtual machine on the Snapshot Management page, click
Snapshot Management from the left pane. Then, continue with the following steps from the
Snapshot Management page instead of the Virtual Machines page.
The Hyper-V VMs page appears, with the VMs tab selected.
3. Use the Snapshots card to navigate to a snapshot or an archival snapshot.
4. (Recovering archival snapshot only) Open the ellipsis menu for the snapshot.
5. (Recovering archival snapshot only) On the ellipsis menu, click Download.
The Rubrik cluster does not apply a retention setting to a downloaded archival snapshot. Manually
delete a downloaded archival snapshot that is no longer required on local storage.
The Rubrik cluster retrieves the archival snapshot. Status of the retrieval process or activity appears
on the Activity Log.
6. Perform one of the available recovery actions on the selected snapshot or restore files and folders
from the selected snapshot.

Result
A snapshot is selected for a recovery operation.
Related concepts
Local host page
The local virtual machine page provides detailed information about the protection of a virtual machine, and
tasks related to the virtual machine.
Activity Log
The Activity Log contains log messages about standard tasks and notifications that are considered time
sensitive.

Selecting a replica
Use the Rubrik CDM web UI of the replication target Rubrik cluster to select a replica before applying a
recovery action.

Procedure
1. Log in to the Rubrik CDM web UI on the replication target Rubrik cluster.

2. On the left-side menu, click SLA Domains > Remote Domains.
The Remote SLA Domains page appears.
3. Select a remote SLA Domain.
The page for the selected SLA Domain appears.
4. In the Virtual Machines section of the remote SLA Domain page, click the name of a virtual machine.
Searching with the source virtual machine name using the search box on the top bar of the Rubrik
CDM web UI provides direct access to the Remote VM Details page.
The Remote VM Details page for the selected virtual machine appears.
5. Use the Snapshots card to navigate to a replica.
6. Perform one of the available recovery actions on the selected replica or restore files and folders from
the selected replica.

Result
A replication target Rubrik cluster is selected for a recovery action.

Virtual machine recovery


Recovery consists of selecting a data protection object (snapshot, replica, or archival snapshot) and
selecting an available recovery action (Instant Recovery, Live Mount, or Export). Recovery using a replica
cannot use the Instant Recovery action.
After performing a recovery action, the Rubrik cluster powers on the recovered virtual machine. The
recovered virtual machine can be powered off by using the Rubrik CDM web UI. The virtual machine can
be deleted through the Rubrik CDM web UI.

Performing an instant recovery


Use the Rubrik CDM web UI to perform an instant recovery.

Procedure
1. Select a snapshot or an archival snapshot.
2. Open the ellipsis menu for the snapshot.
3. Click Instantly Recover.
The Instantly Recover Snapshot dialog box appears.
4. Select a Hyper-V host for the virtual machine.
5. Click Instantly Recover.

Result
The Rubrik cluster powers down the source virtual machine and renames it. Then the Rubrik cluster
mounts the snapshot on the selected Hyper-V host with the name of the source virtual machine, connects the
recovered virtual machine to the network, and powers up the virtual machine.
Related tasks
Selecting a snapshot or an archival snapshot

Use the Rubrik CDM web UI to select a snapshot before applying a recovery action.

Performing a Live Mount


A Live Mount creates a new virtual machine from a point-in-time copy of the source virtual machine. The
recovered virtual machine uses the Rubrik cluster as its datastore.

Context
The Rubrik cluster assigns a new name to the recovered virtual machine and powers it up. The Rubrik
cluster does not connect the recovered virtual machine to a network. The Rubrik cluster sets the protection
state of the new virtual machine to Do Not Protect.

Procedure
1. Select a snapshot, an archival snapshot, or a replica.
2. Open the ellipsis menu for the snapshot or replica.
3. Click Mount.
The Mount Snapshot dialog box appears.
4. Select a Hyper-V host for the virtual machine.
5. Optional: Click Remove virtual network device.
Select this option when networking changes or issues prevent the virtual machine from starting.
6. Click Mount.

Result
The Rubrik cluster mounts the snapshot on the selected Hyper-V host with a new name and powers up
the virtual machine. During the process, messages about the status appear in the Activity Log. The Rubrik
cluster records the final result of the task in the Activity Log.

Note: The Rubrik cluster sets the protection state of the Live Mount recovered virtual machine to Do Not
Protect. To protect the new virtual machine, add it to an SLA Domain, or remove the individual assignment
of Do Not Protect to permit it to inherit protection.

Related tasks
Selecting a snapshot or an archival snapshot
Use the Rubrik CDM web UI to select a snapshot before applying a recovery action.
Selecting a replica
Use the Rubrik CDM web UI of the replication target Rubrik cluster to select a replica before applying a
recovery action.

Performing an Export
An Export creates a new virtual machine from a point-in-time copy of the source virtual machine. The
datastore of the selected Hyper-V host is the datastore for the recovered virtual machine. Rubrik can
export the resulting VMDK as either Thick Provisioned or Thin Provisioned.

Context
The Rubrik cluster assigns a new name to the recovered virtual machine and powers it up. The Rubrik
cluster does not connect the recovered virtual machine to a network. The Rubrik cluster sets the protection
state of the new virtual machine to Do Not Protect.

Procedure
1. Select a snapshot, an archival snapshot, or a replica.

2. Open the ellipsis menu for the snapshot or replica.
3. Click Export.
The Export Snapshot dialog box appears.
4. In Choose an Hyper-V Host, select a Hyper-V host for the virtual machine.
A list of the datastores that are associated with the selected Hyper-V host appears.
5. In Choose a Datastore, select a datastore.
6. Optional: Select Remove virtual network devices.
Select this option when networking changes or issues prevent the virtual machine from starting.
7. Click Export.

Result
The Rubrik cluster creates a new virtual machine from the snapshot on the selected Hyper-V host,
transfers the virtual machine files to the datastore, and powers up the recovered virtual machine. During
the process, messages about the status appear in the Activity Log. The Rubrik cluster also records the final
result of the task in the Activity Log.
The Rubrik cluster initially sets the protection state of the exported virtual machine to Do Not Protect. To
protect the new virtual machine, add it to an SLA Domain, or remove the individual assignment of Do Not
Protect to permit it to inherit protection.
Related tasks
Selecting a snapshot or an archival snapshot
Use the Rubrik CDM web UI to select a snapshot before applying a recovery action.
Selecting a replica
Use the Rubrik CDM web UI of the replication target Rubrik cluster to select a replica before applying a
recovery action.

Powering off after Instant Recovery or Live Mount


Power off a recovered virtual machine from the Live Mounts page of the Rubrik CDM web UI. The Live
Mounts page lists all recovered virtual machines that were recovered by using Instant Recovery or Live
Mount from the local Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI on the replication target Rubrik cluster.
2. On the left-side menu, click Live Mounts.
The Live Mounts page appears.
3. Select a recovered virtual machine with the Powered On status.
4. Open the ellipsis menu for the recovered virtual machine.
5. Click Power Off.
A confirmation message appears.
6. Click Power Off.
The Rubrik cluster gracefully powers down the selected virtual machine.

Result
The virtual machine is powered off.

Unmounting after Instant Recovery or Live Mount
Unmount a recovered virtual machine from the Live Mounts page of the Rubrik CDM web UI. The Live
Mounts page lists all recovered virtual machines that were recovered by using Instant Recovery or Live
Mount from the local Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI on the local Rubrik cluster.
2. On the left-side menu, click Live Mounts.
The Live Mounts page appears.
3. Select a recovered virtual machine.
4. Open the ellipsis menu for the recovered virtual machine.
5. Click Unmount.
The confirmation message includes the option Remove local entry even if Rubrik cannot
confirm Hyper-V configuration. Enable this option to remove a stale entry for a recovered virtual
machine that was live migrated.
A confirmation message appears.
6. Click Unmount.
The Rubrik cluster removes the selected virtual machine from the Hyper-V host (or cluster) and
deletes the recovered virtual machine files from the Rubrik cluster datastore. This action does not
remove data protection objects.
During the process, messages about the status appear in the Activity Log. The Rubrik cluster also
records the final result of the task in the Activity Log.
7. (After all live mounts are removed) Detach the Rubrik cluster datastore devices from the associated
Hyper-V host (or cluster).

Result
The Rubrik cluster names the datastore devices using the following format:

IP_NODE_sdmount

where IP_NODE is the IPv4 address of one of the nodes of the Rubrik cluster.
Related tasks
Removing a virtual machine entry after live migration
After live migration of a recovered virtual machine the Rubrik cluster maintains an entry for the recovered
and migrated virtual machine on the Live Mounts page. Perform this task to remove the entry from the
Live Mounts page.

Removing a virtual machine entry after live migration


After live migration of a recovered virtual machine the Rubrik cluster maintains an entry for the recovered
and migrated virtual machine on the Live Mounts page. Perform this task to remove the entry from the
Live Mounts page.

Procedure
1. Log in to the Rubrik CDM web UI on the local Rubrik cluster.
2. On the left-side menu, click Live Mounts.
The Live Mounts page appears.
3. Select a recovered virtual machine that was live migrated.
4. Open the ellipsis menu for the recovered virtual machine.

5. Click Unmount.
A confirmation message appears.
6. Select Remove local entry after Storage vMotion.
7. Click Unmount.

Result
The Rubrik cluster removes the metadata associated with the selected virtual machine and removes the
entry for the virtual machine from the Live Mounts page. This action does not remove data protection
objects and does not unmount the recovered and migrated virtual machine.
During the process, messages about the status appear in the Activity Log. The Rubrik cluster also records
the final result of the task in the Activity Log.

Live Migration
After a recovery, the recovered virtual machine can use Live Migration.
After live migration of a virtual machine recovered by the Instant Recovery or Live Mount actions, the
Rubrik cluster maintains metadata for the recovered virtual machine, which should be removed.
Delete the metadata for the recovered virtual machine through the Live Mounts page of the Rubrik CDM
web UI by using the Force Delete option.
Related tasks
Removing a virtual machine entry after live migration
After live migration of a recovered virtual machine the Rubrik cluster maintains an entry for the recovered
and migrated virtual machine on the Live Mounts page. Perform this task to remove the entry from the
Live Mounts page.

Instant Recovery
An Instant Recovery replaces the source virtual machine with a fully functional point-in-time copy.
The Rubrik cluster powers off and renames the source virtual machine and assigns the name of the source
virtual machine to the recovered virtual machine. The Rubrik cluster powers on the recovered virtual
machine and connects the recovered virtual machine to the source network. The Rubrik cluster is the
datastore for the recovered virtual machine.
During the process, messages about the status appear in the Activity Log. The Rubrik cluster also records
the final result of the task in the Activity Log. The Rubrik cluster lists the recovered virtual machine on the
Live Mounts page of the Rubrik CDM web UI.
Optionally, move the recovered virtual machine back to the cluster. Use Hyper-V Manager to move the
instantly recovered virtual machine to any host in the cluster except the host of the source virtual machine.
Once moved, re-add the virtual machine to the cluster, using the Failover Cluster Manager, which returns
the virtual machine to its original state. The instantly recovered virtual machine derives protection from
parent objects. When the recovered virtual machine does not obtain protection from any parent objects,
add it to an SLA Domain. To protect it using the same SLA rules and policies as the source virtual machine,
add the recovered virtual machine to the original SLA Domain. Alternatively, add the recovered virtual
machine to another SLA Domain. By default, Instant Recovery uses dynamic virtual disks, even if the original
disk was a fixed virtual disk. During storage migration, the disk can be reconfigured as a fixed virtual disk.

Hyper-V virtual machines 05/25/2022 | 322


Recovery of folders and files
The Rubrik cluster provides file level restore (FLR) of files and folders from any local snapshot, replica, or
archival snapshot that was successfully indexed.
To restore a file or folder, search for the file or folder by name across all local snapshots, or browse for the
file or folder on a selected snapshot.

Searching for a file or folder


Use the Rubrik CDM web UI to browse for a file or folder in a snapshot, replica, or archival snapshot.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Virtual Machines > Hyper-V VMs.
The Hyper-V VMs page appears with the VMs tab selected, and displays all the virtual machines in the
system.
3. Click the name of a virtual machine.
The local host page for the selected virtual machine appears.
4. On the Snapshots card, type the name of the file or folder in the search field.
As characters are typed, the Rubrik CDM web UI immediately begins to display matching file and
folder pathnames.
Matches are based on file or folder names that start with the characters typed. Continue to type
characters until the file or folder appears in the results.
5. Select the file or folder.
The Download File Version dialog box appears. A cloud icon appears next to files or folders that are on
archival snapshots.
6. Select a version of the file or folder.

Result
Rubrik CDM searches for the file or folder.
Related tasks
Viewing a local host page
Access a local host page to view information about a local virtual machine.

Recovering a file or folder


Use the Rubrik CDM web UI to recover a file or folder in a snapshot, replica, or archival snapshot data
protection object.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Virtual Machines, and then select a virtual machine type from the list.
The VMs page appears with the VMs tab selected and displays all the virtual machines of that type.
3. Click a virtual machine.
The local host page for the selected virtual machine appears.
4. Select a snapshot, archival snapshot, or replica.
5. Open the ellipsis menu for the snapshot or replica.
6. Click Recover Files.
The Recover Files dialog box appears.

7. Select a file or folder.
For supported Windows and Linux guest operating systems, the selection can be restored to the
original file system, or downloaded from a generated link. For other guest operating systems, the
selection can be downloaded from a generated link.

Result
The Rubrik CDM web UI recovers the file or folder for the data protection object.

Restore files and folders directly to a guest file system


For supported Windows and Linux guest operating systems, the Rubrik cluster can restore files and folders
directly to the source file system.
The Rubrik CDM Compatibility Matrix provides the most up-to-date information about the guest operating
systems supported by this feature.
When restoring from a snapshot of a supported guest operating system, the Rubrik CDM web UI provides
the option to restore a file or folder directly to the source file system. When this option is selected, the
Rubrik CDM web UI provides a choice to overwrite the source file or folder, or to restore the file or folder to
another location.
A restored file or folder inherits the ACL of the parent folder and the same owner as the parent folder. The
restored file or folder retains the modification time (mtime) of the source file or folder at the time of the
snapshot.
To restore directly to the source file system, the Rubrik cluster must be provided with the following
information:
• Resolvable hostname or IP address of the authentication server
• Username of an account with Administrator privileges for the target
• Password for the account
When the Rubrik cluster has previously accepted the service credentials of a guest operating system, the
restore job does not require additional credential information. This feature requires that the Rubrik cluster
has successfully used the service credentials for at least one backup prior to the restore task. Otherwise,
the credentials can be provided through the Restore File dialog box during the restore task.
Related concepts
Guest OS settings
Enable the administration of guest OS credentials for virtual machines and fileset hosts.

Restoring to the source file system


Search or browse for a file or folder and restore that file or folder to the source file system of a supported
Windows or Linux guest operating system.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Virtual Machines > AHV VMs.
The AHV VMs page appears with the VMs tab selected, and displays all the virtual machines in the
system.
3. Click the name of a virtual machine.
The local host page for the selected virtual machine appears.
4. Search or browse for a file or folder.
5. Select a file or folder.
6. Open the ellipsis menu for the file or folder.

7. Click Restore.
The Restore button only appears for supported hosts. When the Rubrik cluster has previously accepted
the service credentials of the host, the credential fields do not appear.
The Restore Files dialog box appears.
8. (Windows only) In Domain, type the resolvable hostname or IP address of the authentication server
for the credential.
When the Windows guest OS performs Workstation Authentication of credentials instead of Domain
Authentication, leave the Domain field empty. For a Linux guest, leave the Domain field empty.
9. (If available) In Username, type a guest OS username for an account with sufficient privileges on the
host.
For a Windows guest, the account must have administrator privileges on the guest. For a Linux guest,
the account must have Write permission for the restore location.
10. (If available) In Password, type the password for the account.
11. Select one of the restore methods.
• Select Overwrite original to restore the selected file or folder to the original path. This choice
overwrites the existing file or folder.
• Select Restore to separate folder to restore the file or folder to another location.
12. (Restore to separate folder only) In Folder Path, type the full path of the restore location.
Do not type the original path of the source file or folder. When Restore to separate folder is
selected, the object cannot be restored to a folder that contains an object of the same name.
Use the correct path delimiter for the guest operating system.
For Windows, use a backslash. For example:

C:\Users\jsmith\work

For Linux, use a forward slash. For example:

/home/jsmith/work

13. Optional: (If available) Select Store as service credential for all VMs.
Choose this setting to have the Rubrik cluster store the credential. The stored credential can be
managed through the Service Credentials page.
14. Click Restore.

Result
The Rubrik cluster restores the file or folder to the specified location.

Restore files and folders by download


The Rubrik cluster generates download links to use for file level restore of files and folders from any local
snapshot, replica, or archival snapshot that was successfully indexed.
Restore a file from a data protection object through the Rubrik CDM web UI. Browse the virtual machine
file system on the data protection object and select the file. The Rubrik cluster processes the request and
provides a link for download of the file.
Restore a folder from a data protection object through the Rubrik CDM web UI. Browse the virtual machine
file system on the data protection object and select the folder. The Rubrik cluster generates a zip file
containing the folder and all that the folder contains. The zip file retains the hierarchy of the selected
folder. The Rubrik cluster provides a link for download of the zip file.

Restoring from notification link
Search or browse for a file or folder and restore that file or folder by download from a link in the
notification message.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Virtual Machines > AHV VMs.
The AHV VMs page appears with the VMs tab selected, and displays all the virtual machines in the
system.
3. Click the name of a virtual machine.
The local host page for the selected virtual machine appears.
4. Search or browse for a file or folder.
5. Select the file or folder.
6. Open the ellipsis menu for the file or folder.
7. Click Download.
8. Click OK.
For a folder, the Rubrik cluster retrieves the folder and creates a zip file with the folder and all files and
folders within the selected folder. The zip file preserves the folder hierarchy. In the Rubrik CDM web UI
Activity Log, a ‘Downloaded’ message appears for the selected file or folder.
9. Click the message.
The Save As dialog box appears in the web browser.
10. Select a download location for the file, and click Save.
The web browser retrieves the file from the Rubrik cluster and saves it to the selected location.
11. (Folder only) Extract the folder using a zip utility.

Result
The Rubrik cluster restores the selected files or folders.

Restoring from Activity Detail


Search or browse for a file or folder and restore that file or folder by download from the Activity Detail
dialog box.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Virtual Machines > AHV VMs.
The AHV VMs page appears with the VMs tab selected, and displays all the virtual machines in the
system.
3. Click the name of a virtual machine.
The local host page for the selected virtual machine appears.
4. Search or browse for a file or folder.
5. Select the file or folder.
6. Open the ellipsis menu for the file or folder.
7. Click Download.
For a folder, the Rubrik cluster retrieves the folder and creates a ZIP file with the folder and all files
and folders within the selected folder. The ZIP file preserves the folder hierarchy.
8. Open the local host page for the virtual machine.
9. On the messages card, select the ‘Link ready for download’ message.

Use the Recovery filter type to filter for this type of message.
The Activity Detail dialog box appears.
10. Click the download icon.
The Save As dialog box appears in the web browser.
11. Select a download location for the file, and click Save.
The web browser retrieves the file from the Rubrik cluster and saves it to the selected location.
12. (Folder only) Extract the folder using a zip utility.

Result
The Rubrik cluster restores the selected files or folders.

Configuring Chrome to ask for download location


Use the Google Chrome web browser to access the Rubrik CDM web UI and download recovered files and
folders. Change the default setting of the Chrome web browser to permit specifying the local download
location.

Context
By default, Chrome saves downloaded files to the following locations:
• Windows: \Users\username\Downloads
• Mac: /Users/username/Downloads
• Linux: /home/username/Downloads
To download files and folders to a specified location, change the default Chrome Download setting.

Procedure
1. In Chrome, click the customize icon.
The Chrome menu appears.
2. On the menu, click Settings.
The Chrome Settings page appears.
3. Click Show Advanced Settings.
Additional settings appear on the Settings page.
4. In the Downloads section, enable Ask where to save each file before downloading.

Result
Chrome applies the new setting and opens a Save As dialog box for selecting a download location when a
file is downloaded.

Chapter 12
AHV virtual machines

A Rubrik cluster provides data management and protection for virtual machines deployed in a Nutanix
Acropolis (AHV) environment.
The Rubrik cluster can manage and protect virtual machines in an environment with multiple Nutanix
clusters and virtual machines. SLA Domain policies can be applied at both the cluster and virtual machine
levels of the AHV hierarchy.
Rubrik integrates with AHV features including Acropolis Block Services (ABS) and Challenge-Handshake
Authentication Protocol (CHAP) support for connecting to iSCSI targets for data ingest.
The REST API is utilized to interact with Nutanix Changed Region Tracking (CRT) to query the changed
metadata regions given any two snapshots of a virtual disk or virtual machine. CRT is used for incremental
and full backups. The API identifies regions that are zeroed, therefore saving on read operations. Rubrik
integration also leverages Nutanix VSS snapshots with Nutanix Guest Tools to quiesce virtual machines as a
part of the snapshot.

Nutanix cluster management


Adding a Nutanix Cluster to the Rubrik cluster establishes a secure connection between the Rubrik cluster
and the Rubrik Backup Service.
After the Nutanix Cluster is added, an entry for the Nutanix Cluster appears in the Rubrik CDM web UI.
The Rubrik cluster identifies the Nutanix Cluster by an IPv4 address or a resolvable hostname.
To stop managing the data on a Nutanix Cluster, delete the Nutanix Cluster from the Rubrik cluster.
Deleting a Nutanix Cluster removes the Nutanix Cluster from the Clusters tab. A removed Nutanix Cluster
cannot be a target of an export. The Rubrik cluster moves the existing virtual machines of the Nutanix
Cluster and all associated backups to the Snapshot Management page.

Nutanix prerequisites
Rubrik CDM support for Nutanix has specific prerequisites.
• AHV based environment listed in the Rubrik Compatibility Matrix
• Nutanix REST API version 3.0 or later
• IP configured for iSCSI Data Services. Rubrik CDM uses iSCSI with CHAP for data ingest and export
from Nutanix
• iSCSI ports 860, 3205, and 3260 are verified as open
• Permissions within Nutanix for the Rubrik cluster to create and delete volume groups, copy containers,
create virtual machines, and create and delete snapshots
• TLS/SSL public key certificate is generated for the Nutanix Cluster
• Highly available IP for Prism
• Obtain the Nutanix Cluster IP address or FQDN
• Obtain the Nutanix Cluster UUID

• Have a Nutanix Cluster account with administrative privileges with v3 API permissions:
  • The Nutanix Prism admin account
  • An Active Directory account with administrator access mapped to the Nutanix Cluster Admin role
• Have a Rubrik account with administrative privileges
• Have access to the public key certificate for the Nutanix Cluster
Use this command to determine the public key certificate:

openssl s_client -connect IP:port -tls1_2

Where IP is the IP address of the Nutanix cluster and port is the web port of the Nutanix cluster.
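
One way to capture the certificate chain with the command above and inspect it before it goes into the CA Certificate field, as an added example that is not part of the Rubrik documentation. The function names, the output file argument and the sample handshake text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Rubrik guide: save the certificates a TLS endpoint
# presents and print the details needed to check them before trusting them.

# Keep only the PEM certificate blocks from `openssl s_client` output on stdin.
extract_pem_certs() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { inside = 1 }
         inside                          { print }
         /^-----END CERTIFICATE-----$/   { inside = 0 }'
}

# Count the PEM certificate blocks on stdin (prints 0 when there are none).
count_pem_certs() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { n++ } END { print n + 0 }'
}

# fetch_chain HOST PORT OUTFILE: run the handshake and save the presented chain.
fetch_chain() {
    # </dev/null makes s_client exit after the handshake instead of waiting for input.
    openssl s_client -connect "$1:$2" -tls1_2 -showcerts </dev/null 2>/dev/null |
        extract_pem_certs > "$3"
    [ -s "$3" ]   # fail when no certificate was captured
}

# describe_cert FILE: subject, issuer, validity window and SHA-256 fingerprint
# of the first certificate in FILE.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# Constructed sample of s_client -showcerts output. The certificate bodies are
# placeholders, not real certificates; they only exercise the extraction logic.
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = nutanix.example.internal
   i:CN = Example Internal CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERLEAFNOTAREALCERTIFICATE
-----END CERTIFICATE-----
 1 s:CN = Example Internal CA
   i:CN = Example Internal CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERISSUERNOTAREALCERTIFICATE
-----END CERTIFICATE-----
---
Server certificate
subject=CN = nutanix.example.internal
EOF
}

if [ "$#" -eq 3 ]; then
    fetch_chain "$1" "$2" "$3" || { echo "no certificate received from $1:$2" >&2; exit 1; }
    echo "saved $(count_pem_certs < "$3") certificate(s) to $3"
    describe_cert "$3"
elif [ "$#" -ne 0 ]; then
    echo "usage: $0 IP PORT OUTFILE" >&2
fi
```

Compare the printed SHA-256 fingerprint with a value obtained out of band before using the saved file, because a certificate fetched over the network is only as trustworthy as the path it came over.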

Nutanix limitations
Nutanix has limitations that impact Rubrik backup and restore functionality. These limitations apply to
export operations; they do not apply to live mount operations.

Limitation: Exported virtual machine disks always have the SCSI bus type
Description: Even when you export a Nutanix virtual machine that has a disk bus type other than SCSI, the
exported virtual machine disk has the SCSI bus type. When you restore the export to a virtual machine
that does not support the SCSI bus type, the virtual machine might fail to boot after the restore
operation.

Limitation: Exported CD-ROM drives always have the IDE bus type
Description: Even when you export a Nutanix virtual machine that has a CD-ROM drive bus type other than
IDE, the exported CD-ROM drive has the IDE bus type. When you restore the export to a virtual machine
that does not support the IDE bus type for CD-ROM drives, the virtual machine might fail to boot after
the restore operation.

Related Concepts
AHV virtual machines
A Rubrik cluster provides data management and protection for virtual machines deployed in a Nutanix
Acropolis (AHV) environment.
Nutanix cluster management
Adding a Nutanix Cluster to the Rubrik cluster establishes a secure connection between the Rubrik cluster
and the Rubrik Backup Service.
Related reference
Nutanix prerequisites
Rubrik CDM support for Nutanix has specific prerequisites.

Configuring Nutanix support


To begin managing AHV, add the Nutanix Cluster to the Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.

3. Click Nutanix Clusters.
The Nutanix Clusters dialog box appears.
4. In the right-side menu, select +.
The Add Nutanix Cluster page appears.
5. In the Nutanix Cluster field, specify the Nutanix Cluster IP address or FQDN.
6. In the Cluster UUID field, specify the UUID assigned to the Nutanix Cluster.
7. In the Username field, specify a username that has administrative rights to the Nutanix Cluster.
8. In the Password field, specify the password for the username.
9. In the CA Certificate field, specify the CA certificate for the Nutanix Cluster.
10. Click Add.

Result
The Rubrik cluster checks connectivity with the specified Nutanix Cluster and adds the Nutanix Cluster.

Rubrik Backup Service and Nutanix guests


Installing Rubrik Backup Service provides support for VSS consistent backups. When VSS consistent
backups are not required, this service does not need to be installed.
To use Rubrik Backup Service (RBS) with AHV, install and register RBS on the Nutanix guest OS.
Related Concepts
Rubrik Backup Service
The Rubrik Backup Service provides enhanced integration with protected resources and host systems.
Related Tasks
Downloading the RBS software
Obtain the Rubrik Backup Service software from the web UI of a Rubrik cluster.
Obtaining the RBS software by URL
Obtain the Rubrik Backup Service software directly by URL instead of through the web UI.
Installing RBS on Linux and Unix hosts
Install the Rubrik Backup Service software on Linux and Unix hosts.
Registering a guest OS install of RBS
After installing the Rubrik Backup Service software on a virtual machine guest OS, register the Rubrik
Backup Service with a Rubrik cluster.

Virtual machine protection


A Rubrik cluster provides protection for virtual machines through either individual assignment of the virtual
machine to an SLA Domain or through automatic protection. Automatic protection occurs when the virtual
machine derives the SLA Domain assignment from a Nutanix cluster.
The Rubrik cluster provides flexibility in the protection assignments made for virtual machines. Virtual
machines that are protected by individual assignment can be set to Do Not Protect or can be set to inherit
a protection setting.
An individual virtual machine that is part of a group of automatically protected virtual machines can
be set to Do Not Protect without moving the virtual machine out of the group.

Automatic protection
A Rubrik cluster provides automatic protection of virtual machines through inheritance of the SLA Domain
assigned to a parent object.
The automatic protection mechanism simplifies assigning protection to large numbers of virtual machines
and provides an easy method to uniformly assign specific SLA Domains to groups of functionally similar
virtual machines.
The Rubrik cluster uses a specific set of automatic protection rules in the application of automatic
protection.
During SLA Domain assignment, the Rubrik cluster displays the objects that have individual assignments
which conflict with the new assignment. For each conflicting object, the Rubrik cluster permits an
administrator to choose to retain the individual setting or apply the new setting.

Automatic protection rules


To provide consistency when applying automatic protection the Rubrik cluster adheres to a specific set of
rules.
A Rubrik cluster applies protection to a virtual machine using the following rules:
• The setting individually assigned to an object takes precedence.
• An object that is not individually assigned a setting inherits the setting of the hierarchically closest
containing object that has a setting.

Unprotected virtual machines


The Rubrik CDM web UI identifies virtual machines that are not protected by an SLA Domain. Unprotected
virtual machines can then be assigned to an SLA Domain.

Label: No SLA
Inherited: Yes
Description: There are no SLA Domains assigned to any of the parent objects of the virtual machine, in the
cluster hierarchy. The virtual machine inherits the No SLA state. This can be changed by individually
assigning an SLA Domain to the virtual machine, by assigning an SLA Domain to a parent object, or by
moving the virtual machine beneath a protected parent object.

Label: Do Not Protect
Inherited: Yes
Description: The Do Not Protect setting is individually assigned to a parent object of the virtual machine.
Based on the automatic protection rules, the virtual machine inherits the setting from that parent object.

Label: Do Not Protect
Inherited: No
Description: The Do Not Protect setting is individually assigned to the virtual machine.
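
The two automatic protection rules and the three labels in the table above, applied to a small hierarchy, as an added example that is not Rubrik code. The pipe-separated input format, the object names and the SLA Domain names Gold and Silver are constructed assumptions; the walk up the parent chain also works for hierarchies deeper than cluster and virtual machine.

```shell
#!/bin/sh
# Added example, not Rubrik code: resolve the effective protection setting of each
# virtual machine from individually assigned settings and the containing objects.

# Constructed sample. Fields: type|name|parent|individually assigned setting
# An empty fourth field means no setting is individually assigned.
sample_hierarchy() {
    cat <<'EOF'
cluster|ntnx-a||Gold
vm|vm-1|ntnx-a|
vm|vm-2|ntnx-a|Do Not Protect
vm|vm-3|ntnx-a|Silver
cluster|ntnx-b||Do Not Protect
vm|vm-4|ntnx-b|
cluster|ntnx-c||
vm|vm-5|ntnx-c|
EOF
}

# Read a hierarchy on stdin and print name|effective setting|inherited for every VM.
resolve_protection() {
    awk -F'|' '
        { type[$2] = $1; parent[$2] = $3; own[$2] = $4; order[NR] = $2 }
        END {
            for (i = 1; i <= NR; i++) {
                obj = order[i]
                if (type[obj] != "vm") continue
                node = obj; hops = 0
                # Rule 1: an individually assigned setting takes precedence.
                # Rule 2: otherwise climb to the closest containing object with a setting.
                # The hop counter stops the walk if the input contains a parent loop.
                while (node != "" && own[node] == "" && hops++ < NR) node = parent[node]
                if (node == "" || own[node] == "") {
                    printf "%s|No SLA|Yes\n", obj
                } else {
                    inherited = (node == obj) ? "No" : "Yes"
                    printf "%s|%s|%s\n", obj, own[node], inherited
                }
            }
        }'
}

# Keep only the virtual machines that end up without SLA Domain protection.
unprotected_vms() {
    resolve_protection | awk -F'|' '$2 == "No SLA" || $2 == "Do Not Protect"'
}

# With a file argument, report on that file; otherwise report on the sample.
if [ "$#" -ge 1 ]; then
    unprotected_vms < "$1"
else
    sample_hierarchy | unprotected_vms
fi
```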

SLA Domain assignment


Provide protection for a virtual machine through an SLA Domain.
A virtual machine can be protected by assigning an SLA Domain setting individually to the virtual machine.
A virtual machine can also be protected by deriving an SLA Domain setting through automatic protection.
Automatic protection occurs in one of the following ways:
• An administrator assigns an object that contains the virtual machine to an SLA Domain.

• An administrator moves the virtual machine into the hierarchy of an object that is assigned to an SLA
Domain.
Automatic protection uses the automatic protection rules to determine whether a setting applies to an
object.
Related Concepts
Changing the assigned SLA Domain
A protected virtual machine may be assigned to another SLA Domain in order to satisfy specific business
requirements (for example, data governance policy changes or space management requirements).

Assigning an SLA Domain setting to a virtual machine


Specify an SLA Domain for a virtual machine, set the virtual machine to inherit from a parent, or specify Do
Not Protect for the virtual machine.

Context
Protect a set of virtual machines by assigning the selected set to an SLA Domain. Assigning virtual
machines to an SLA Domain protects the virtual machines by applying the data protection policies of the
SLA Domain.

Procedure
1. In the Rubrik CDM web UI, on the left-side menu, click Virtual Machines > AHV VMs.
The AHV VMs page appears, with the VMs tab selected.
2. Select a virtual machine.
Select multiple virtual machines to assign the same setting to all of the selected virtual machines.
To help find virtual machines, use the filters, sort the entries by column heading, or use the search
field. Finding protection objects describes these tools.
3. Click Manage Protection.
A dialog box with one or more warnings may appear.
The Manage Protection wizard appears.
4. Select an SLA Domain.
5. Click Next.
The Review Impact page of the Manage Protection dialog box appears.
6. Optional: Click Apply to existing snapshots.
The changes made to the SLA Domain are applied to the existing snapshots. The summary
information describes the impact of the changes on existing and new snapshots.
7. Optional: Select Include on-demand and downloaded snapshots.
The changes made to the SLA Domain also apply to on-demand snapshots. The summary information
describes the effect of the changes on existing, new, on-demand, and downloaded snapshots.
8. Click Submit.

Result
The Rubrik cluster assigns the selection group to the SLA Domain.
Related Concepts
Retention policy for existing snapshots
Choose the retention policy for existing snapshots after removing the SLA Domain setting.
Related reference
Manage Protection options

Select virtualization hierarchy entities and click Manage Protection to view the Manage Protection dialog
box for the selected entities. The Manage Protection dialog box provides several options for the selected
entities.

Assigning an SLA Domain setting to a Nutanix cluster


Specify an SLA Domain setting for Nutanix clusters to have the setting applied to the objects and virtual
machines contained by the clusters and server.

Procedure
1. In the Rubrik CDM web UI, on the left-side menu, click Virtual Machines > AHV VMs.
The AHV VMs page appears, with the VMs tab selected.
2. Select Clusters.
The Cluster tab appears.
3. Select a Nutanix cluster.
4. Click Manage Protection.
The Manage Protection dialog box appears.
5. Select an SLA Domain.
6. Click Next.
The Review Impact page of the Manage Protection dialog box appears.
7. Optional: Click Apply to existing snapshots.
The changes made to the SLA Domain are applied to the existing snapshots. The summary
information describes the impact of the changes on existing and new snapshots.
8. Optional: Select Include on-demand and downloaded snapshots.
The changes made to the SLA Domain also apply to on-demand snapshots. The summary information
describes the effect of the changes on existing, new, on-demand, and downloaded snapshots.
9. Confirm the summary information and click Submit.
If the summary information appears incorrect, click Back to return to the previous screen or Cancel
to cancel the change.
The automatic protection rules determine the application of the selected setting to virtual machines
contained by the selected objects.

Result
The Rubrik cluster applies the selected setting to the selected objects and resolves conflicts as specified.
The automatic protection rules determine the application of the setting to the virtual machines that are
contained by the selected objects.
Related Concepts
Automatic protection rules
To provide consistency when applying automatic protection the Rubrik cluster adheres to a specific set of
rules.
Related reference
Manage Protection options

Select virtualization hierarchy entities and click Manage Protection to view the Manage Protection dialog
box for the selected entities. The Manage Protection dialog box provides several options for the selected
entities.

Manage Protection options


Select virtualization hierarchy entities and click Manage Protection to view the Manage Protection dialog
box for the selected entities. The Manage Protection dialog box provides several options for the selected
entities.

Field: Search
Action: Search SLA Domains
Description: Predictive search for SLA Domains by using the characters entered in the search field to
match the same sequence of characters anywhere in the SLA Domain name.

Field: The + icon
Action: Click to open the Create New SLA Domain dialog box
Description: Opens the Create New SLA Domain dialog box. Create a new SLA Domain and assign that SLA
Domain to the selected group of objects.

Field: SLA Domain list
Action: Select an SLA Domain
Description: Select an SLA Domain to assign to the selected group of objects. The Rubrik cluster assigns
the selected SLA Domain individually to each of the selected objects. The automatic protection rules
determine whether the Rubrik cluster assigns the selected SLA Domain to objects contained by a
selected object.

Field: Clear Existing Assignment
Action: Select to clear the existing SLA Domain.
Description: The SLA Domain of the next higher level object is assigned.

Field: Do Not Protect
Action: Click to stop policy-based protection of the object and to assign a retention policy to existing
snapshots
Description: Individually assigns the Do Not Protect setting to each of the selected objects. The
automatic protection rules determine whether objects that are contained by a selected object inherit
the Do Not Protect setting.
The Rubrik cluster does not create policy driven snapshots for a virtual machine that is individually
set to Do Not Protect or that inherits the Do Not Protect setting.
Offers the following options for retaining existing snapshots.
• Preserve retention from previous SLA
• Keep forever
• Expire immediately

Removing an SLA Domain setting


Remove an individual SLA Domain setting from a virtual machine. After the task completes, the virtual
machine derives a setting based on the automatic protection rules.

Procedure
1. In the Rubrik CDM web UI, on the left-side menu, click Virtual Machines > AHV VMs.

To go directly to the page for a single virtual machine, type the name of the virtual machine in the
search box on the top bar of the Rubrik CDM web UI and select the virtual machine from the results
list.
The Virtual Machines page appears, with the VMs tab selected.
2. Select a virtual machine.
Select multiple virtual machines to remove the individual setting of every virtual machine in the
selection group.
To help find virtual machines, use the filters, sort the entries by column heading, or use the search
field.
3. Click Manage Protection.
A dialog box with one or more warnings may appear.
The Manage Protection dialog box appears.
4. Choose one of the following options.
Option: Inherit
Description: The SLA Domain is assigned based on inheritance rules.

Option: Do Not Protect
Description: The virtual machine is excluded from all further SLA Domain assignments.
Choose the retention policy for the existing snapshots:
• Preserve retention from previous SLA
• Keep forever
This is the default choice.
• Expire immediately
Skip step 5.

5. In Apply to existing snapshots, choose a setting.
• Accept the default setting to apply changes to the existing snapshots.
• Clear the setting to leave the retention policy of existing snapshots unchanged.
6. Confirm the summary information and click Submit.
If the summary information appears incorrect, click Back to return to the previous screen or Cancel
to cancel the change.

Result
The Rubrik cluster removes the individual assignments for the selected group. Each virtual machine in the
selection group derives a protection setting based on the automatic protection rules.
Related Concepts
Retention policy for existing snapshots
Choose the retention policy for existing snapshots after removing the SLA Domain setting.
Find protection objects
The Rubrik CDM web UI provides several tools for finding protection objects.

Retention policy for existing snapshots


Choose the retention policy for existing snapshots after removing the SLA Domain setting.
When the Apply changes to the existing snapshots option is applied for the data sources that can inherit
the SLA Domain of the parent, the retention of existing snapshots changes to the retention policy of the

inherited SLA Domain. For snapshots that cannot inherit the SLA Domain of the parent, the snapshots are
retained forever.
When changes are not applied to existing snapshots, the retention for existing snapshots that can inherit
the SLA Domain of the parent does not change. For snapshots that cannot inherit the SLA Domain of the
parent, the snapshots are retained forever.

Virtual machine scripts


The Rubrik cluster can be configured to run scripts on a guest OS before a snapshot, after the snapshot,
and after the Rubrik cluster completes the backup process.
The ability to have the Rubrik cluster initiate scripts on a host system allows you to:
• Put the guest OS in a specific state before a snapshot is created
• Change the guest OS state after the snapshot is completed on the host system
• Perform other actions after the Rubrik cluster processes a snapshot
Rubrik Backup Service (RBS) must be installed to enable the Rubrik cluster to run scripts.
To allow the Rubrik cluster to start scripts, provide Guest OS credentials with sufficient privileges. Without
adequate credentials, the Rubrik cluster cannot start the scripts.
For example, run a script to quiesce applications before a snapshot, another script to restore the
applications to their normal running status after the snapshot, and a final script to perform clean-up at the
end of the backup process.
The scripts can consist of any sequence of operations that can be run by the command line interpreter of
the guest OS.
The following table describes the virtual machine pre/post scripts.

Name Description

Pre-Backup Script
• Use a pre-backup script to prepare for a backup by quiescing the applications on the
virtual machine.
• The pre-backup script requires that a timeout value be specified.
• The Rubrik CDM web UI provides an option to cancel the backup task when the pre-backup
script does not complete successfully.

Post-Snap Script
Must be idempotent; the script may be invoked several times during a single backup task.
• Use a post-snap script to minimize stun time and resume all applications on the
virtual machine.
• Also, use a post-snap script to perform clean-up tasks if a backup task fails.
• The post-snap script requires that a timeout value be specified.
• The post-snap script runs immediately after the host snapshot task completes.

Post-Backup Script
Must be idempotent; the script may be invoked several times during a single backup task.
• Use a post-backup script to perform custom post-processing at the end of the
backup process.
• The post-backup script requires that a timeout value be specified.
• The post-backup script runs after the snapshot is copied to the Rubrik cluster and
released on the virtual machine host, and the Rubrik cluster completes all data and
metadata processing tasks.



Enabling scripts
Configure the Rubrik cluster to run scripts when a virtual machine is backed up.

Prerequisites
Rubrik Backup Service (RBS) must be installed to enable the Rubrik cluster to run scripts.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Virtual Machines > AHV VMs.
The AHV VMs page appears, with the VMs tab selected.
3. Select a virtual machine.
To help find virtual machines, use the filters, sort the entries by column heading, or use the search
field. Finding protection objects describes these tools.
4. In Name, click the name of a virtual machine.
The local host page for the selected virtual machine appears.
5. Open the ellipsis menu, and select Configure Pre/Post Scripts.
The Configure Pre/Post Scripts dialog box appears.
6. (Optional) In Pre-Backup Script Path, type the full path for the pre-backup script.
The full path is relative to the root of the guest OS file system.
7. (Optional) Select Cancel Backup if Pre-Backup Scripts Fails.
Any script exit status other than 0 is considered a script failure. When this box is selected, the Rubrik
CDM displays a notification of the script failure and the value of the exit status in the Activity Log.
8. (Required when available) In Timeout, type an integer value.
The value represents the number of seconds before the Rubrik cluster terminates the pre-backup
script because the script cannot be completed.
9. (Optional) In Post-Snap Script Path, type the full path for the post-snap script.
The full path is relative to the root of the guest OS file system.
10. (Required when available) In Timeout, type an integer value.
The value represents the number of seconds before the Rubrik cluster terminates the post-snap script
because the script cannot be completed.
11. (Optional) In Post-Backup Script Path, type the full path for the post-backup script.
The full path is relative to the root of the guest OS file system.
12. (Required when available) In Timeout, type an integer value.
The value represents the number of seconds before the Rubrik cluster terminates the post-backup
script because the script cannot be completed.
13. Click Apply.

Result
The Rubrik cluster stores the information and runs the specified scripts for all subsequent backups of the
selected virtual machine. The Rubrik cluster provides entries in the Activity Log for errors that occur when
running the scripts as specified.
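
The script requirements described in this section (exit status 0 on success, termination at the Timeout value, and a post-snap script that can be invoked several times), shown as an added example for a Linux guest; it is not Rubrik code. The file names, the state directory, and the app_quiesce and app_resume hooks are assumptions, and the write-permission check is an added hardening step, since the scripts run with the privileges of the Guest OS credentials.

```shell
#!/bin/sh
# Added example (not Rubrik code). Install this file under two names, for
# example pre-backup.sh and post-snap.sh (hypothetical names), and enter each
# full path in the matching field of the Configure Pre/Post Scripts dialog.

# Directory for the "quiesced" marker (assumption). Use a root-owned directory.
STATE_DIR="${STATE_DIR:-/var/run/backup-hooks}"

# Hypothetical application hooks: replace the bodies with the real quiesce and
# resume commands. Both must be safe to repeat. Here they only log the call.
app_quiesce() { echo quiesce >> "$STATE_DIR/calls.log"; }
app_resume()  { echo resume  >> "$STATE_DIR/calls.log"; }

# Succeeds only when the given path exists and is not writable by group or
# others, so an unprivileged guest user cannot change what the backup runs.
script_is_locked_down() {
    [ -e "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# Pre-backup: any exit status other than 0 is treated as a script failure.
pre_backup() {
    mkdir -p "$STATE_DIR" || return 1
    # Write the marker BEFORE quiescing. If the script is terminated at the
    # Timeout value halfway through, post-snap still knows it must resume.
    : > "$STATE_DIR/quiesced" || return 1
    if ! app_quiesce; then
        app_resume                      # undo a partial quiesce
        rm -f "$STATE_DIR/quiesced"
        return 1                        # non-zero: the backup can be cancelled
    fi
    return 0
}

# Post-snap: idempotent. The first call resumes the application, later calls
# find no marker and do nothing. A failed resume keeps the marker for a retry.
post_snap() {
    [ -e "$STATE_DIR/quiesced" ] || return 0
    app_resume || return 1
    rm -f "$STATE_DIR/quiesced"
}

# Dispatch on the installed file name. Under any other name (or when sourced)
# the file only defines the functions.
case "${0##*/}" in
    pre-backup.sh|post-snap.sh)
        script_is_locked_down "$0" || {
            echo "refusing to run: $0 is writable by group or others" >&2
            exit 3
        }
        ;;
esac
case "${0##*/}" in
    pre-backup.sh) pre_backup; exit $? ;;
    post-snap.sh)  post_snap;  exit $? ;;
esac
```

Set each Timeout value in the dialog longer than the worst-case run time of the corresponding hook, so that termination by the Rubrik cluster stays an exception.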



Exclude virtual machine disk files
Virtual machines can include some virtual machine disk (VMDK) files that do not need to be protected. The
Rubrik cluster can ignore some of the VMDK files of a virtual machine while protecting the other VMDK files
of that virtual machine.
When a virtual machine with excluded VMDKs runs applications that depend on the excluded VMDKs,
such as Exchange or SQL Server, specify crash consistent snapshots as discussed in Setting snapshot
consistency. If crash consistent snapshots are not specified, the application may fail because some disks
are not backed up.

Excluding virtual machine disk files


When backups are not required for some of the virtual machine disk (VMDK) files, exclude those VMDK
files from backups.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Virtual Machines > AHV VMs.
The AHV VMs page appears, with the VMs tab selected.
3. In the Name column, click the name of a virtual machine.
To help find virtual machines, use the filters, sort the entries by column heading, or use the search
field.
The local host page for the selected virtual machine appears.
4. Open the ellipsis menu on the top bar of the local host page and select Exclude Disks.
The Exclude Disks dialog box appears.
5. Select the disks to exclude.
6. Click Exclude.

Result
The Rubrik cluster excludes the selected virtual machine disk files from all future backups of the virtual
machine.

Find protection objects


The Rubrik CDM web UI provides several tools for finding protection objects.
The Rubrik CDM web UI lists all of the virtual machines that have been discovered on the AHV VMs page.
The following methods open the AHV VMs page and display all discovered virtual machines:
• On the left-side menu, click Virtual Machines > AHV VMs.
• On the Dashboard page, on the AHV VMs card, click See All.

Displaying unprotected virtual machines from the Dashboard


The Rubrik CDM web UI Dashboard displays all unprotected virtual machines.

Procedure
1. In the Rubrik CDM web UI, on the left-side menu, click Virtual Machines > AHV VMs.
The AHV VMs page appears, with the VMs tab selected.



2. Open the Rubrik CDM web UI to the main Dashboard.
3. On the AHV VMs card, in the Unprotected field, view the unprotected virtual machines.
The AHV VMs page opens, with the VMs tab selected, and filters the view to show All Unprotected
virtual machines.

Result
The Rubrik CDM web UI Dashboard displays all unprotected virtual machines.

Displaying unprotected virtual machines from the AHV VMs page


Use a filter to display all unprotected AHV virtual machines.

Procedure
1. In the Rubrik CDM web UI, on the left-side menu, click Virtual Machines > AHV VMs.
To go directly to the page for a single virtual machine, type the name of the virtual machine in the
search box on the top bar of the Rubrik CDM web UI and select the virtual machine from the results
list.
The Virtual Machines page appears, with the VMs tab selected.
2. Click the Filter SLA drop-down menu.
3. On the Filter SLA drop-down menu, select one of the following filters:
• All Unprotected – Displays all unprotected virtual machines, both No SLA and Do Not Protect.
• No SLA – Displays virtual machines that have not inherited an SLA Domain setting.
• Do Not Protect – Displays virtual machines that have inherited the Do Not Protect setting, or
have Do Not Protect individually assigned.

Result
The Rubrik CDM web UI displays the virtual machines that belong to the selected protection state.

Sorting virtual machines by using the SLA filter


Use the SLA filter to find specific virtual machines.

Procedure
1. In the Rubrik CDM web UI, on the left-side menu, click Virtual Machines > AHV VMs.
The Virtual Machines page appears, with the VMs tab selected.
2. Click the Filter SLA drop-down menu.
3. On the Filter SLA drop-down menu, select one of the named SLA Domains, or select a protection
state, either Inherited or Do Not Protect.

Result
The Rubrik CDM web UI displays the virtual machines that belong to the selected SLA Domain or to the
selected protection state.

Finding virtual machines by using the Search field


Use the Search field to find a specific virtual machine.

Procedure
1. In the Rubrik CDM web UI, in the Search field, type the name of the virtual machine. Continue to type
characters to narrow down the results until the virtual machine appears.



The Rubrik cluster begins a predictive search and updates the results as letters are typed. The search
matches the characters entered in the search field with the same sequence of characters anywhere in
a name.
2. When the name of the virtual machine appears in the displayed list, select the name.

Result
The Rubrik CDM web UI displays the local host page for the virtual machine.

Finding entities by using the Object tab


Use Object tabs on the Virtual Machines page to define a hierarchical view to search and to browse. Then
use the search field to find entities within the defined view, or to browse to entities within the defined
view.

Procedure
1. In the left-pane of the Rubrik CDM web UI, click Virtual Machines > AHV VMs.
The AHV VMs page appears, with the VMs tab selected, and displays all the virtual machines present
in the system.
2. In the tab bar, select one of the following tabs.
• VMs – Provides a virtual machines only view, with the hierarchical location of each virtual machine
displayed in the location column.
• Clusters – Provides the Nutanix clusters.
3. (Search Only) In the tab search field, begin typing an entity name.
The Rubrik cluster begins a predictive search and updates the results as letters are typed.
4. (Browse Only) Click the name of a top-level entity.
The Rubrik CDM web UI displays the entities within the selected entity.
5. (Browse Only) Continue clicking entity names to browse down the hierarchy to a specific entity.

Result
Rubrik CDM displays the search results.

Selecting data sources


Use the objects filter and tab search field to find and select data protection entities.

Procedure
1. Log in to the Rubrik CDM web UI.
2. In the left-side menu, select the protectable object type.
Option Description
Hyper-V VMs Click Virtual Machines > Hyper-V VMs.
vSphere VMs Click Virtual Machines > vSphere VMs.
AHV VMs Click Virtual Machines > AHV VMs.
The selected page appears, with the VMs tab selected, and displays all the virtual machines present in
the system.
3. Use one of the search or sort methods to display the entities to be selected.
4. Select the entities.
A check mark appears next to each selected entity.
5. Click Manage Protection.



Result
Rubrik CDM selects the data protection entities.
Related Concepts
SLA Domain assignment
Provide protection for a virtual machine through an SLA Domain.

Protected warning
The Rubrik CDM web UI displays the protected warning when the Rubrik cluster detects that an SLA
Domain setting is already associated with a selected virtual machine.
The protected warning is:
“These VM(s) are already protected”
When the protected warning appears, do one of the following:
• Continue the operation to assign the selected SLA Domain to the protected virtual machines.
• Cancel the operation and remove the virtual machines from the selection set.
Changing the SLA Domain of a virtual machine may result in immediate expiration of some snapshots.
Related Concepts
Changing the assigned SLA Domain
A protected virtual machine may be assigned to another SLA Domain in order to satisfy specific business
requirements (for example, data governance policy changes or space management requirements).

Protection consequences
The SLA rules defined by an SLA Domain impact the protection of virtual machines in several ways. SLA
rules specify when snapshots are created, when snapshots expire, and where snapshot data is stored.
A policy driven snapshot is a snapshot that is created automatically based on the SLA rules of an SLA
Domain. In most cases, the SLA Domain that manages a policy driven snapshot is the same SLA Domain
that created the snapshot.
Sometimes, the source virtual machine for a snapshot is assigned to another SLA Domain after the
snapshot is created. When this occurs the new SLA Domain becomes the managing SLA Domain for the
policy driven snapshot.
A policy driven snapshot can require manual management when it loses an association with the SLA
Domain.

Protecting a new virtual machine


A new virtual machine is one for which no policy driven snapshots exist. After a new virtual machine is
assigned to an SLA Domain, all of its snapshots, replicas and archival snapshots are created and managed
based on the SLA rules of the SLA Domain.
The following table provides an overview of the impact of assigning a new virtual machine to an SLA
Domain.

SLA Domain property Virtual machine snapshot impact

SLA rules
Determines when policy driven snapshots are created and when they are automatically expired.

Local Cluster Retention Period
Determines how long snapshots are retained on the local Rubrik cluster.
When an archival account exists for the SLA Domain, policy driven snapshots older than the
Local Cluster Retention Period are automatically copied to archival snapshots on an archival
location.

Replication Retention Period
Determines how long replicas are retained on a replication target cluster.

Maximum Retention Period
Determines how long snapshots are retained by the system. The Rubrik cluster automatically
expires policy driven snapshots that are older than the Maximum Retention Period.

Changing protection consequences


A protected virtual machine may be assigned to another SLA Domain in order to satisfy specific business
requirements (for example, data governance policy changes or space management requirements).

Removing protection from a virtual machine


When a virtual machine is removed from an SLA Domain, no further policy driven snapshots for the virtual
machine are created and no replication or archival activity occurs for the virtual machine.
All existing snapshots for the virtual machine must be managed manually.

Reprotecting a virtual machine


At times, a virtual machine that is protected by one SLA Domain may be temporarily set to Do Not Protect,
and then reassigned to another SLA Domain for protection.
When a reassignment occurs, the existing snapshots of the virtual machine are subject to the retention
policies of the currently assigned SLA Domain, including:
• Local cluster retention period
• Replication retention period
• Maximum retention period

Local host page


The local virtual machine page provides detailed information about the protection of a virtual machine, and
tasks related to the virtual machine.
The local virtual machine page provides the following sections:
• Action bar
• Overview card
• Snapshots card

Viewing a local host page


Access a local host page to view information about a local virtual machine.

Procedure
1. In the Rubrik CDM web UI, on the left-side menu, select Virtual Machines > AHV VMs.



To go directly to the page for a single virtual machine, type the name of the virtual machine in the
search box on the top bar of the Rubrik CDM web UI and select the virtual machine from the results
list.
The AHV VMs page appears with the VMs tab selected.
2. In Name, click the name of a virtual machine.
The local host page for the selected virtual machine appears.

Result
The local host page displays information about a local virtual machine.

Action bar
Choose actions for a selected virtual machine from the Action bar.

Action Description
Take On Demand Snapshot Adds an on-demand snapshot of the virtual
machine to the task queue.
Backup Window settings defined for the SLA
Domain of the virtual machine do not apply to on-
demand snapshots. Only the maximum retention
and remote configuration settings of the associated
SLA Domain apply to on-demand snapshots.

Manage Protection Opens the Manage Protection page where the
virtual machine can be assigned to an SLA Domain
for protection.
When the virtual machine is already assigned to an
SLA Domain, a warning appears. Click Continue to
open the Manage Protection page. Click Cancel to
return to the local host page.

Ellipsis menu > Delete All Snapshots Only appears for an unprotected virtual machine.
Deletes all snapshots for the virtual machine,
including local snapshots, archival snapshots, and
replicas.
Ellipsis menu > Configure Application Consistency Provides access to the Configure Application
Consistency dialog box.
Register Rubrik Backup Service Establishes a connection between the Rubrik cluster
and the Rubrik Backup Service (RBS) software
running on the guest OS of the virtual machine.

Related Tasks
Specifying crash consistent backups



By default, the Rubrik cluster initiates application consistent backups for a virtual machine when the
environment of the virtual machine meets the requirements of application consistent backups.

Overview card
The Overview card displays information about AHV SLA Domains and snapshots.

Field Description
Cluster The Nutanix cluster that manages the virtual
machines.
SLA Domain Name of the SLA Domain that manages the
protection of the selected virtual machine.
Oldest Snapshot Timestamp for the oldest snapshot associated with
the selected virtual machine.
When the SLA Domain has an active archival policy,
the oldest snapshot resides at the archival location.

Latest Snapshot Timestamp for the most recent successful snapshot
of the selected virtual machine.
Total Snapshots Total number of retained snapshots for the selected
virtual machine, including both the local Rubrik
cluster and any archival location.
Missed Snapshots Number of policy driven snapshots that did not
complete successfully. A missed snapshot is
included in the count until the period since the SLA
Domain policy required the snapshot exceeds the
retention period of the SLA Domain.

Snapshots card
For the selected local virtual machine, the Snapshots card provides the ability to browse the snapshots that
reside on the local Rubrik cluster and on the archival location.
The Snapshots card provides access to snapshot information through a series of calendar views. Each view
uses color spots to indicate the presence of snapshots on a date and to indicate the status of SLA Domain
compliance for the virtual machine on that date.
The Snapshots card also provides the ability to search for files across all of the snapshots of the virtual
machine.
Snapshots in the calendar view are color coded by status.

Color Status
Green All snapshots required by SLA Domain policy were successfully created.
Orange All snapshots required by SLA Domain policy were successfully created but at least one
snapshot caused a warning.
Red At least one snapshot required by SLA Domain policy was not successfully created.

The calendar view displays information at different levels of granularity.



View Description
Year The Year view displays snapshot creation information for an entire year. A color spot
indicator on a specific date indicates snapshot activity, and displays the SLA Domain
compliance status for that day.
Month The Month view displays snapshot creation information for an entire month. A color spot
indicator on a specific date indicates snapshot activity, and displays the SLA Domain
compliance status for that day.
Day The Day view displays the individual snapshots that were created on the selected day.
The Day view also provides the additional information and actions described in the
following section.

Day view for a local virtual machine


For a local virtual machine, the Day view provides information about snapshots. To view the details for
each snapshot, expand the entry in the day view.

Category Description
Created Time Creation time of the snapshot.
Location For a snapshot that resides only on local storage the indicator field is empty.
The following icon indicates a snapshot that resides at an archival location.

The following icon indicates a snapshot that resides locally and at an archival
location.

The following icon indicates a replica of the snapshot was sent to the target
Rubrik cluster.

Status The following icon indicates a warning for the snapshot entry. Hover over the
icon to see additional information.

The following icon indicates the policy driven snapshot represented by the
entry was not completed successfully.

Source action The following icon indicates a policy driven snapshot.

The following icon indicates an on-demand snapshot.

Local Expiration Date The date when this snapshot will expire.
Archive Location The archive location for the snapshot that was set in the SLA Domain.

Expiration Date The date when the archival snapshot will expire.
The word Computing in this field indicates that the expiration date is being
calculated.

Actions available on the Day view for a local virtual machine


The Day view enables various actions with snapshots of a local virtual machine. Access the actions by
clicking the ellipsis menu.

Command Description
Search by File Name Use the predictive search field to find a file by typing its name.
Export Use the snapshot to create a new virtual machine and to mount that virtual
machine on an AHV host.
The new virtual machine is uniquely named within the virtualization
management system. The name of the recovered virtual machine is
constructed as follows: name of source virtual machine + timestamp of
snapshot + incremented integer.
The new virtual machine is powered on but is disconnected from the network.
The AHV host is the datastore for the new virtual machine.

Recover Files Open a file browser view on the selected snapshot.
Use this view to find, select, and download a file or folder from the snapshot.

Delete Delete the selected snapshot.
This command only appears for snapshots that are not created based on an
SLA Domain policy, such as:
• On-demand snapshots
• Retrieved snapshots
• Snapshots for an unprotected virtual machine

Place on Legal Hold The snapshot is retained indefinitely.


Change Retention Assign a retention policy to existing snapshots.

Related Tasks
Restoring from notification link
Search or browse for a file or folder and restore that file or folder by download from a link in the
notification message.
Changing the retention policy for snapshots



Change the retention policy for specified snapshots of a protectable object on the Snapshot Management
page.

Actions available for snapshots on the local Rubrik cluster


The Day view enables various actions with snapshots of a local virtual machine that are stored directly on
the Rubrik cluster. Access the actions by clicking the ellipsis menu.

Command Description
Download Transfer a copy of the selected snapshot to the local Rubrik cluster so that
it is available for additional local actions. The local Rubrik cluster provides a
notification when the download is completed.
Recover Files Open a file browser view on the selected snapshot.
Use this view to find, select, and download a file or folder from the snapshot.

Launch On Cloud Use the snapshot to instantiate a virtual machine.


Place on Legal Hold The snapshot is retained indefinitely.
Change Retention Assign a retention policy to existing snapshots.

Related Tasks
Restoring from notification link
Search or browse for a file or folder and restore that file or folder by download from a link in the
notification message.
Changing the retention policy for snapshots
Change the retention policy for specified snapshots of a protectable object on the Snapshot Management
page.

Virtual machine snapshots


A Rubrik cluster provides protection for virtual machines through either individual assignment of the virtual
machine to an SLA Domain or through automatic protection.
Automatic protection occurs when the virtual machine derives the SLA Domain assignment of a containing
folder, cluster, or host.
The Rubrik cluster provides flexibility in the protection assignments made for virtual machines. Virtual
machines protected by individual assignment can be set to Do Not Protect or can be set to inherit a
protection setting.
An individual virtual machine that is part of a group of virtual machines being automatically protected can
be set to Do Not Protect without moving the virtual machine out of the group.

AHV Performance and scalability


The Rubrik cluster provides a high-performance and highly scalable integration with AHV.
The period of quiescence for a virtual machine is the time between pausing the execution of the virtual
machine, at an instruction boundary with all in-flight disk input/output operations completed, and resuming
the execution. This period of quiescence is sometimes referred to as a virtual machine stun or application
stun.
The period of quiescence for a virtual machine is just long enough to create a snapshot. The virtual
machine does not remain quiescent during the processing and ingestion of the snapshot data.



A 10 Gigabit Ethernet connection between the Rubrik cluster and the AHV environment ensures the best
performance. Also, a 10 Gigabit Ethernet connection between the source Rubrik cluster and the target
Rubrik cluster is required for replication.
The Rubrik cluster uses a distributed job scheduler that permits the Rubrik cluster to schedule jobs to run
on any available node and on multiple nodes, as needed.

AHV backup processes


A Rubrik cluster backs up an AHV virtual machine by creating a snapshot of the virtual machine.
When a Rubrik cluster begins protecting a virtual machine, the Rubrik cluster starts by creating a first full
snapshot of the virtual machine. This first full snapshot is a complete backup of the virtual machine.
After the first full snapshot, the Rubrik cluster continues protection of the virtual machine by creating
incremental snapshots based on the change information provided by Changed Block Tracking (CBT). The
Rubrik cluster creates each incremental snapshot very quickly because the snapshot only includes the data
blocks that have changed since the last snapshot.
The Nutanix environment transmits the snapshot data to the Rubrik cluster using iSCSI with CHAP for
authentication.

Snapshot window
An SLA Domain can be configured to include a snapshot window. A snapshot window determines the
period in a day the Rubrik cluster can initiate policy-driven snapshots of the objects that the SLA Domain
protects.
When using the snapshot window policy, the specified window must be long enough to accommodate the
number of objects that are assigned to the SLA Domain. Monitor the snapshot activity of the SLA Domain
to ensure that all policy-driven snapshots are successfully completed. When necessary, lengthen the period
to permit all snapshots to be completed successfully.

Backup consistency levels


By default, the Rubrik cluster provides the highest level of backup consistency that is available for a virtual
machine.

Consistency level Description Rubrik usage

Crash consistent
Description: A point-in-time snapshot but without quiescence.
• Timestamps are consistent
• Pending updates for open files are not saved
• In-flight I/O operations are not completed
The snapshot can be used to restore the virtual machine to the same state that a hard reset
would produce.
Rubrik usage: Provided when:
• Guest OS does not have Nutanix Guest Tools installed
• Guest OS has an out-of-date version of Nutanix Guest Tools

Application consistent
Description: A point-in-time snapshot with quiescence and application-awareness.
• Timestamps are consistent
• Pending updates for open files are saved
• In-flight I/O operations are completed
• Application-specific operations are completed
Rubrik usage: Provided when:
• Guest OS is Windows and RBS is not installed and registered
• The guest has an up-to-date version of Nutanix Guest Tools and application consistency is
supported for the guest OS

VSS consistent
Description: A point-in-time snapshot with quiescence and application-awareness.
• Timestamps are consistent
• Pending updates for open files are saved
• In-flight I/O operations are completed
• Application-specific operations are completed
• Supports Exchange log truncation
Rubrik usage: Provided when:
• Guest OS is Windows
• RBS is installed and registered on the Nutanix guest
• Snapshot consistency is set to Automatic in the Rubrik CDM web UI

Application consistent snapshots on Linux


With scripts running on the Linux guest, Rubrik CDM can provide application consistent snapshots of
Nutanix virtual machines running a Linux operating system.
Provide the following configuration to enable application consistent snapshots of Nutanix virtual machines
running a Linux operating system:
• Install Nutanix Guest Tools on the Linux virtual machine.
• Create and enable pre-freeze and post-thaw scripts on the Linux virtual machine.
• In the Rubrik CDM web UI, set snapshot consistency for the virtual machine to Automatic.

Setting snapshot consistency


Set the consistency level for Nutanix virtual machine snapshots.

Procedure
1. In the Rubrik CDM web UI, on the left-side menu, select Virtual Machines > AHV VMs.
The All VMs page appears with the VMs tab selected.
2. Click a virtual machine name.
The local host page for the selected virtual machine appears.
3. Open the ellipsis menu and select Configure Snapshot Consistency.
The Configure Snapshot Consistency dialog box appears.
4. Select a consistency level.
Option Description
Automatic Rubrik CDM uses the highest level of consistency
possible.
Crash Consistent Rubrik CDM captures snapshots that are crash
consistent.
5. Click Update.



Result
The Rubrik cluster applies the selected setting to subsequent snapshots of the virtual machine.

On-demand snapshots
In addition to policy-based snapshots, create virtual machine snapshots by using the on-demand snapshot
process.
A Rubrik cluster creates policy-based snapshots of protected virtual machines automatically, according to
the SLA rules of the associated SLA Domain.
Additional snapshots of protected virtual machines, and snapshots of unprotected virtual machines can be
created by using the on-demand snapshot process.

Creating an on-demand snapshot of an AHV virtual machine


Access the host page for an AHV virtual machine to create an on-demand snapshot.

Procedure
1. In the Rubrik CDM web UI, on the left-side menu, select Virtual Machines > AHV VMs.
The AHV VMs page appears with the VMs tab selected.
2. Click the name of a virtual machine.
The local host page for the selected virtual machine appears.
3. On the local host page, click Take On Demand Snapshot.
The Take On Demand Snapshot dialog box appears.
4. Select an SLA Domain.
The Rubrik cluster bases the retention period of the on-demand snapshot on the retention period and
frequency of the assigned SLA Domain. The Rubrik cluster uses the remote configuration settings of
the associated SLA Domain to manage the on-demand snapshot. The selected SLA Domain can be
different from the SLA Domain that protects the virtual machine.
5. Click Next.
6. Review the selected SLA Domain details.
7. Click Next to complete the task.

Result
The Rubrik cluster adds the specified on-demand backup to the task queue. The Activity Log tracks the
status of the on-demand backup task.
Related Concepts
Retention management
Assign retention policies to existing scheduled snapshots, on-demand snapshots, and snapshots retrieved
from an archival location.
Snapshot Management page
The Snapshot Management page provides access to snapshot and backup information for protected
objects and relic objects.

Snapshot expiration
A Rubrik cluster always retains the latest snapshot of a protected object at locations specified in the SLA
Domain, even when the retention period for all snapshots has expired.
When the retention period for a snapshot ends, the cluster marks the snapshot as expired. Expired
snapshots are no longer listed as a Snapshot Management object in the Rubrik CDM user interface.

The Rubrik cluster periodically deletes expired snapshots, but retains expired snapshots that meet specific
criteria.

SLA Domain type | Snapshot at a location specified in SLA Domain | Expired snapshot retained
Protection | Yes | Latest snapshot retained indefinitely.
Protection | No | Latest snapshot retained according to the settings of the SLA Domain.
Retention | Yes | Latest snapshot retained unless it is the last snapshot at the location.
Retention | No | Latest snapshot retained according to the settings of the SLA Domain.
None | n/a | Latest snapshot retained unless it is the last snapshot at the location.

Archival snapshots
Archival snapshots provide long term storage of snapshot data outside of the local Rubrik cluster.

Archival location storage

The Rubrik cluster deduplicates and compresses the data in archival snapshots. The Rubrik cluster uses
client-side encryption to encrypt the archival snapshot data stored on all archival locations except NFS
exports.

Retention

The retention period assigned to the archival snapshot by the associated SLA Domain determines the
expiration of an archival snapshot. After the expiration of the retention period, the Rubrik cluster marks
the archival snapshot as expired and moves the snapshot data to garbage collection. To ensure that
existing snapshots are always fully functional, the Rubrik cluster combines any required data from expired
incremental snapshots into the chain of existing incremental snapshots. This permits each retained archival
snapshot to be mounted as a fully functional virtual machine.
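
The consolidation described above can be checked with a small model. This is an added illustration, not Rubrik code: the Snapshot class, the block-map layout, and the sample chain are assumptions made for the example. It folds an expired snapshot's blocks into its successor, reports which blocks become eligible for garbage collection, and confirms that every retained snapshot still rebuilds to the same image.

```python
# Added illustration: a toy model of folding an expired snapshot into the
# retained chain. Not Rubrik code; names and data layout are assumptions.
from dataclasses import dataclass, field


@dataclass
class Snapshot:
    name: str
    # Blocks written since the previous snapshot (block number -> content).
    # For the first snapshot in the chain this is the full image.
    blocks: dict = field(default_factory=dict)


def materialize(chain, name):
    """Rebuild the full image for snapshot `name` by replaying the chain."""
    image = {}
    for snap in chain:
        image.update(snap.blocks)
        if snap.name == name:
            return image
    raise KeyError(name)


def expire(chain, name):
    """Expire one snapshot.

    Returns (new_chain, reclaimed): the chain without `name`, and the expired
    blocks that no retained snapshot needs, which can go to garbage collection.
    The input chain is left unmodified.
    """
    idx = next((i for i, s in enumerate(chain) if s.name == name), None)
    if idx is None:
        raise KeyError(name)
    if len(chain) == 1:
        raise ValueError("refusing to expire the only snapshot in the chain")
    new_chain = [Snapshot(s.name, dict(s.blocks)) for s in chain]
    expired = new_chain.pop(idx)
    if idx == len(new_chain):
        # Newest snapshot: no later snapshot depends on its blocks.
        return new_chain, dict(expired.blocks)
    successor = new_chain[idx]
    # Blocks the successor rewrote are no longer needed by any retained snapshot.
    reclaimed = {b: v for b, v in expired.blocks.items() if b in successor.blocks}
    # The successor's own writes are newer, so they win over the expired blocks.
    successor.blocks = {**expired.blocks, **successor.blocks}
    return new_chain, reclaimed


def check_expiry(chain, name):
    """Expire `name` and confirm every retained snapshot restores unchanged."""
    before = {s.name: materialize(chain, s.name) for s in chain if s.name != name}
    new_chain, reclaimed = expire(chain, name)
    intact = all(materialize(new_chain, n) == img for n, img in before.items())
    return new_chain, reclaimed, intact


# Constructed sample chain: one full snapshot followed by three incrementals.
CHAIN = [
    Snapshot("mon", {0: "boot-v1", 1: "data-v1", 2: "log-v1"}),
    Snapshot("tue", {1: "data-v2"}),
    Snapshot("wed", {2: "log-v2", 3: "new-v1"}),
    Snapshot("thu", {1: "data-v3"}),
]

if __name__ == "__main__":
    for victim in ("tue", "mon", "thu"):
        new_chain, reclaimed, intact = check_expiry(CHAIN, victim)
        print(victim, [s.name for s in new_chain], reclaimed, intact)
```

Expiring the first snapshot turns its successor into the new full image, which is why the retained snapshots stay mountable on their own.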

Unmanaged data
Manage file system and application data that is not subject to a retention policy through the Snapshot
Management page of the Rubrik CDM web UI.
The Rubrik cluster defines backups and snapshots that do not have a retention policy as unmanaged
snapshot objects. Unmanaged snapshot objects can be managed through the Snapshot Management page
of the Rubrik CDM web UI.
View the Snapshot Management page for information about tasks with unmanaged snapshot objects.
Related Concepts
Retention management
Assign retention policies to existing scheduled snapshots, on-demand snapshots, and snapshots retrieved
from an archival location.

AHV Virtual machine recovery


For a Rubrik cluster, a source virtual machine recovery means mounting a point-in-time copy of that source
virtual machine.
You can recover virtual machines and restore data by using any of the Rubrik data protection objects:
snapshots, replicas, and archival snapshots.
When snapshot data exists in a local snapshot and in an archival snapshot, the Rubrik cluster always
uses the local snapshot to recover a virtual machine or to restore data. By using the local snapshot, the
Rubrik cluster reduces network impact and eliminates any archival data recovery charges associated with a
recovery operation or a restore operation.
The Rubrik cluster provides several methods to recover virtual machines and to restore protected data.
Related Concepts
Virtual machine recovery using export
Recovery consists of selecting a data protection object (snapshot, replica, or archival snapshot) and
selecting Export.
Virtual machine recovery using Live Mount
Rubrik CDM supports the Live Mount operation for AHV virtual machine snapshots from Rubrik clusters
onto Nutanix clusters.

Selecting a snapshot or archival snapshot


Use the Rubrik CDM web UI to select a snapshot before applying a recovery action.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Virtual Machines > AHV VMs.
The AHV VMs page appears with the VMs tab selected and displays all the virtual machines in the
system.
3. To work with data from an unmanaged virtual machine, on the left-side menu, click Snapshot
Management.
The Snapshot Management page appears, with the Snapshot Retention tab displaying all the objects.
4. Click the name of a virtual machine.
Alternatively, use the search box on the top bar of the Rubrik CDM web UI to directly access the local
host page when you know the name of the source virtual machine.
The local host page for the selected virtual machine appears.
5. Use the Snapshots card to navigate to a snapshot or an archival snapshot.
6. (Archival snapshots only) Open the ellipsis menu for the snapshot.
7. (Archival snapshots only) On the ellipsis menu, click Download.
The Rubrik cluster does not apply a retention setting to a downloaded archival snapshot. You have to
manually delete a downloaded archival snapshot that is no longer required on local storage.
The Rubrik cluster retrieves the archival snapshot. Status of the retrieval appears on the Activity Log.
8. Perform one of the available recovery actions on the selected snapshot or restore files and folders
from the selected snapshot.

Result
A snapshot is selected for a recovery operation.
Related Tasks
Exporting a virtual machine snapshot
An Export creates a new virtual machine from a point-in-time copy of the source virtual machine. The
datastore of the selected AHV host is the datastore for the recovered virtual machine. Rubrik can export
the resulting VMDK as either Thick Provisioned or Thin Provisioned.
Creating a Live Mount without migration
Live Mount an AHV virtual machine on a Nutanix cluster from a snapshot on the Rubrik cluster without
migrating the data source to the Nutanix cluster.
Creating a Live Mount with optional migration
Creating a Live Mount of an AHV virtual machine with optional migration involves immediate or delayed
migration of the data source.

Selecting a replica
Use the Rubrik CDM web UI of the replication target Rubrik cluster to select a replica before applying a
recovery action.

Procedure
1. Log in to the Rubrik CDM web UI on the replication target Rubrik cluster.
2. On the left-side menu, click SLA Domains > Remote Domains.
The Remote SLA Domains page appears.
3. Select a remote SLA Domain.
The page for the selected SLA Domain appears.
4. In the Virtual Machines section of the remote SLA Domain page, click the name of a virtual machine.
Searching with the source virtual machine name using the search box on the top bar of the Rubrik
CDM web UI provides direct access to the Remote VM Details page.
The Remote VM Details page for the selected virtual machine appears.
5. Use the Snapshots card to navigate to a replica.
6. Perform one of the available recovery actions on the selected replica or restore files and folders from
the selected replica.

Result
A replication target Rubrik cluster is selected for a recovery action.

Virtual machine recovery using export


Recovery consists of selecting a data protection object (snapshot, replica, or archival snapshot) and
selecting Export.
After recovering a virtual machine by exporting a snapshot or replica, the Rubrik cluster powers on the
recovered virtual machine. The recovered virtual machine can be powered off by using the Rubrik CDM
web UI. It can also be deleted through the Rubrik CDM web UI.

Exporting a virtual machine snapshot
An Export creates a new virtual machine from a point-in-time copy of the source virtual machine. The
datastore of the selected AHV host is the datastore for the recovered virtual machine. Rubrik can export
the resulting VMDK as either Thick Provisioned or Thin Provisioned.

Context
The Rubrik cluster assigns a new name to the recovered virtual machine and powers it up. The Rubrik
cluster does not connect the recovered virtual machine to a network. The Rubrik cluster sets the protection
state of the new virtual machine to Do Not Protect.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Virtual Machines > AHV VMs.
The AHV VMs page appears with the VMs tab selected, and displays all the virtual machines in the
system.
3. Click the name of a virtual machine.
The local host page for the selected virtual machine appears.
4. Select a snapshot, an archival snapshot, or a replica.
5. Open the ellipsis menu for the snapshot or replica.
6. Click Export.
The Export Snapshot dialog box appears with a list of the containers that are associated with each
Nutanix Cluster.
7. Select a Nutanix cluster.
A list of the datastores of the selected Nutanix cluster appears.
8. In Choose a Datastore, select a datastore.
9. Click Export.

Result
The Rubrik cluster creates a new virtual machine from the snapshot on the selected Nutanix cluster,
transfers the virtual machine files to the datastore, and powers up the recovered virtual machine. During
the process, messages about the status appear in the Activity Log. The Rubrik cluster also records the final
result of the task in the Activity Log.
The Rubrik cluster initially sets the protection state of the exported virtual machine to Do Not Protect. To
protect the new virtual machine, add it to an SLA Domain, or remove the individual assignment of Do Not
Protect to permit it to inherit protection.

Virtual machine recovery using Live Mount


Rubrik CDM supports the Live Mount operation for AHV virtual machine snapshots from Rubrik clusters
onto Nutanix clusters.
A virtual machine recovery using the Live Mount operation involves using a snapshot to create and mount
a new virtual machine on a Nutanix cluster. Rubrik CDM supports the Live Mount operation on Nutanix
clusters running AOS version 6.0.2 and higher.
There are two data migration options that Rubrik CDM offers for the Live Mount recovery operation.
• Live Mount without migration does not allow data migration after the mounting is complete.
Consequently, specifying a storage container at the time of the mount operation is not required. The
local Rubrik cluster serves as the data store for the mounted virtual machine.
• Live Mount with optional migration provides a choice to migrate the data immediately after the
mounting is complete or at a later time. This option requires specification of a storage container at the
time of the mount operation. Successful migration unmounts the Live Mount.
After the successful mounting of virtual machines, the Live Mounts page for AHV VMs displays all the
mounted virtual machines.
With the option to migrate the data source immediately, the Rubrik cluster unmounts the recovered
virtual machine as soon as the migration is complete. If you do not choose to migrate the data source
immediately, you can initiate the migration manually from the Live Mounts page of the AHV virtual
machines after the mounting completes.
Related Tasks
Creating a Live Mount without migration
Live Mount an AHV virtual machine on a Nutanix cluster from a snapshot on the Rubrik cluster without
migrating the data source to the Nutanix cluster.
Creating a Live Mount with optional migration
Creating a Live Mount of an AHV virtual machine with optional migration involves immediate or delayed
migration of the data source.
Related reference
Virtual machine Live Mount operations
The operations available for a Live Mounted AHV virtual machine on the Live Mounts page vary depending
on the type of the Live Mount.
Live Mounts page for AHV virtual machines
The Live Mounts page for AHV virtual machines displays the details of the mounted virtual machines and
provides options to unmount, change the power status, and migrate the data source.

Virtual machine Live Mount operations


The operations available for a Live Mounted AHV virtual machine on the Live Mounts page vary depending
on the type of the Live Mount.

Operation | Live mount without migration | Live mount with immediate migration | Live mount with delayed migration
Data source migration | Not allowed | Occurs immediately after mounting completes | Initiated manually
Unmounting | Initiated manually | Occurs immediately after data source migration completes | Occurs immediately after data source migration completes
Changing power status | Allowed at the time of initiating the Live Mount and from the Live Mounts page, after the mounting is complete | Allowed only at the time of initiating the Live Mount | Allowed at the time of initiating the Live Mount and from the Live Mounts page until migration is initiated

Related Tasks
Creating a Live Mount without migration
Live Mount an AHV virtual machine on a Nutanix cluster from a snapshot on the Rubrik cluster without
migrating the data source to the Nutanix cluster.
Creating a Live Mount with optional migration
Creating a Live Mount of an AHV virtual machine with optional migration involves immediate or delayed
migration of the data source.
Migrating a live mounted virtual machine
Migrate the data source of a live mounted AHV virtual machine from the Rubrik cluster to a Nutanix
storage container.
Unmounting a virtual machine
Unmount the live mounted AHV virtual machine from the Rubrik cluster.
Related reference
Live Mounts page for AHV virtual machines
The Live Mounts page for AHV virtual machines displays the details of the mounted virtual machines and
provides options to unmount, change the power status, and migrate the data source.

Creating a Live Mount without migration


Live Mount an AHV virtual machine on a Nutanix cluster from a snapshot on the Rubrik cluster without
migrating the data source to the Nutanix cluster.

Prerequisites
Select a local, archived, or a replicated snapshot to Live Mount the virtual machine, as described in
Selecting a snapshot or archival snapshot and Selecting a replica.

Context
Creating a Live Mount without migration eliminates the ability to migrate the Live Mounted virtual machine
to a Nutanix AOS cluster after the recovery. The local Rubrik cluster serves as the data store for the live
mounted virtual machine, and the original virtual machine is not impacted.

Procedure
1. On the Snapshots card, from the ellipsis menu of the selected snapshot, click Mount Virtual
Machine.
The Select Cluster page of the Mount Virtual Machine wizard appears.
2. Select Live Mount without Migration.
3. Optional: In Mounted Virtual Machine Name, type a name for the live mounted virtual machine.
The Rubrik cluster will assign a name to the mounted virtual machine if this field is not configured.
4. In Choose a cluster, select a Nutanix cluster to Live Mount the virtual machine.
5. Configure the following settings.
Setting | Description
Power on mounted virtual machine | Use this setting to determine the power status of the mounted virtual machine.
Remove virtual network device | Use this setting when networking changes or issues prevent the virtual machine from starting.
6. Click Next.
A Confirmation screen appears with a summary of the Live Mount configuration.
7. Click Mount.

Result
The Rubrik cluster initiates a job to mount the AHV virtual machine without migrating the data source. The
Activity Log and the Activities card display the job status. An entry for the Live Mounted virtual machine
appears on the Live Mounts page.

Next task
Verify the Live Mount on the AHV Live Mounts page and perform the available operations.
Related Tasks
Unmounting a virtual machine
Unmount the live mounted AHV virtual machine from the Rubrik cluster.
Related reference
Virtual machine Live Mount operations
The operations available for a Live Mounted AHV virtual machine on the Live Mounts page vary depending
on the type of the Live Mount.
Live Mounts page for AHV virtual machines
The Live Mounts page for AHV virtual machines displays the details of the mounted virtual machines and
provides options to unmount, change the power status, and migrate the data source.

Creating a Live Mount with optional migration


Creating a Live Mount of an AHV virtual machine with optional migration involves immediate or delayed
migration of the data source.

Prerequisites
Select a local, archived, or a replicated snapshot to Live Mount the virtual machine, as described in
Selecting a snapshot or archival snapshot and Selecting a replica.

Context
The Live Mounted virtual machine uses the Rubrik cluster as its storage initially, but leverages the selected
Nutanix container for all subsequent writes.

Procedure
1. On the Snapshots card, from the ellipsis menu of the selected snapshot, click Mount Virtual
Machine.
The Select Cluster page of the Mount Virtual Machine wizard appears.
2. Select Live Mount with Optional Migration.
3. Optional: In Mounted Virtual Machine Name, type a name for the live mounted virtual machine.
The Rubrik cluster will assign a name to the mounted virtual machine if this field is not configured.
4. In Choose a cluster, select a Nutanix cluster to Live Mount the virtual machine.
5. Configure the following settings.
Setting | Description
Power on mounted virtual machine | Use this setting to determine the power status of the mounted virtual machine.
Remove virtual network device | Use this setting when networking changes or issues prevent the virtual machine from starting.
6. Click Next.
The Select Container screen of the Mount Virtual Machine wizard appears with a list of Nutanix storage
containers.
7. In Container Name, select a Nutanix storage container.
8. Optional: Select the Migrate Immediately checkbox to automatically initiate the data source
migration immediately after the mounting operation is complete.
You can clear the checkbox to manually initiate the migration of the data source at a later time from the
Live Mounts page.
9. Click Next.
A Confirmation screen appears with a summary of the Live Mount configuration.
10. Click Mount.

Result
The Rubrik cluster initiates a job to create a Live Mount of the AHV virtual machine. The Activity Log and
the Activities card display the status of all the jobs.
The AHV Live Mounts page displays an entry for the live mounted virtual machine until the data source
migration is done. The virtual machine entry disappears when migration and unmounting are complete.

Next task
Verify the Live Mount on the AHV Live Mounts page. Optionally, initiate the migration for the mounted
virtual machine if it was not migrated immediately, as described in Migrating a live mounted virtual
machine.
Related Tasks
Migrating a live mounted virtual machine
Migrate the data source of a live mounted AHV virtual machine from the Rubrik cluster to a Nutanix
storage container.
Related reference
Virtual machine Live Mount operations
The operations available for a Live Mounted AHV virtual machine on the Live Mounts page vary depending
on the type of the Live Mount.
Live Mounts page for AHV virtual machines
The Live Mounts page for AHV virtual machines displays the details of the mounted virtual machines and
provides options to unmount, change the power status, and migrate the data source.

Live Mounts page for AHV virtual machines


The Live Mounts page for AHV virtual machines displays the details of the mounted virtual machines and
provides options to unmount, change the power status, and migrate the data source.

Detail | Description
Name | Name assigned to the mounted virtual machine.
Status | Status of the mounted virtual machine: Powered On, Powered Off, or Migrating.
Snapshot Time | Time at which the snapshot that is selected to Live Mount the virtual machine was taken.
Mount Time | Time at which the Live Mount was initiated.
Source VM | The AHV virtual machine whose snapshot is selected to perform the Live Mount.
IP Address | The IP address assigned to the mounted virtual machine on the Nutanix cluster.
Cluster | The Nutanix cluster where the Live Mount is created.

Related Tasks
Migrating a live mounted virtual machine
Migrate the data source of a live mounted AHV virtual machine from the Rubrik cluster to a Nutanix
storage container.
Unmounting a virtual machine
Unmount the live mounted AHV virtual machine from the Rubrik cluster.
Related reference
Virtual machine Live Mount operations
The operations available for a Live Mounted AHV virtual machine on the Live Mounts page vary depending
on the type of the Live Mount.

Migrating a live mounted virtual machine


Migrate the data source of a live mounted AHV virtual machine from the Rubrik cluster to a Nutanix
storage container.

Context
The Nutanix storage container used for migration is selected at the time of initiating the Live Mount of the
virtual machine with optional migration. When the data source migration completes, the Rubrik cluster
automatically unmounts the mounted virtual machine.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Live Mounts > AHV VMs.
The AHV Live Mounts page appears with the details of existing Live mounted AHV virtual machines.
3. From the ellipsis menu for a virtual machine that was mounted with optional migration, select
Migrate Datasource.
The Storage migration dialog box appears with the migration details.
4. Click Migrate.

Result
The Rubrik cluster initiates a job to migrate the data source for the selected virtual machine. The Activity
Log displays the status of the migration job.
The virtual machine entry disappears from the Live Mounts page when migration and unmounting are
complete.
Related reference
Virtual machine Live Mount operations
The operations available for a Live Mounted AHV virtual machine on the Live Mounts page vary depending
on the type of the Live Mount.
Live Mounts page for AHV virtual machines
The Live Mounts page for AHV virtual machines displays the details of the mounted virtual machines and
provides options to unmount, change the power status, and migrate the data source.

Unmounting a virtual machine


Unmount the live mounted AHV virtual machine from the Rubrik cluster.

Context
The Rubrik cluster automatically unmounts the virtual machines whose data sources are migrated after the
Live Mount operation.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Live Mounts > AHV VMs.
The AHV Live Mounts page appears with the details of existing Live Mounted AHV virtual machines.
3. From the ellipsis menu for a mounted virtual machine, select Unmount.
The option to unmount is available only for those virtual machines whose data source has not been
migrated.
The Unmount dialog box appears.
4. Click Unmount.

Result
The Rubrik cluster initiates a job to unmount the selected virtual machine from the Rubrik cluster. The
Activity Log displays the status of the unmounting job.
The virtual machine entry disappears from the Live Mounts page when the virtual machine is unmounted.
Related reference
Virtual machine Live Mount operations
The operations available for a Live Mounted AHV virtual machine on the Live Mounts page vary depending
on the type of the Live Mount.
Live Mounts page for AHV virtual machines
The Live Mounts page for AHV virtual machines displays the details of the mounted virtual machines and
provides options to unmount, change the power status, and migrate the data source.

Recovery of folders and files


The Rubrik cluster provides file level restore (FLR) of files and folders from any local snapshot, replica, or
archival snapshot that was successfully indexed.
To restore a file or folder, search for the file or folder by name across all local snapshots, or browse for the
file or folder on a selected snapshot.

Searching for a file, a folder, or a fileset


Use search to find data to restore from a backup.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click a choice based on the host type:
Option | Description
Servers & Apps > Linux & Unix Hosts | The Linux & Unix Hosts tab of the Linux & Unix Hosts page appears.
Servers & Apps > Windows Hosts | The Windows Hosts tab of the Windows Hosts page appears.
Servers & Apps > NAS Shares | The Shares tab of the NAS Shares page appears.
3. Depending on the host type, do one of the following:
• For Linux, Unix, and Windows hosts, in the Name column, click a host name.
• For NAS hosts, in the Path column, click the path for a share.
The local page for the host appears.
4. Optional: To limit the search to a single host fileset, on the Filesets card, click the name of a fileset.
The fileset page appears and the search is confined to the selected fileset.
5. On the Snapshots card, type the name of the file or folder in the search field.
As characters are typed, the Rubrik CDM web UI immediately begins to display matching file and
folder pathnames.
Matches are based on file or folder names that start with the characters typed. Continue to type
characters until the file or folder appears in the results.
6. Select the file or folder.
The Choose Version dialog box appears.
7. Find a file or folder version to recover.

Result
Search finds the data to restore from a backup.

Recovering a file or folder


Use the Rubrik CDM web UI to recover a file or folder in a snapshot, replica, or archival snapshot data
protection object.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Virtual Machines, and then select a virtual machine type from the list.
The VMs page appears with the VMs tab selected and displays all the virtual machines of that type.
3. Click a virtual machine.
The local host page for the selected virtual machine appears.
4. Select a snapshot, archival snapshot, or replica.
5. Open the ellipsis menu for the snapshot or replica.
6. Click Recover Files.
The Recover Files dialog box appears.
7. Select a file or folder.
For supported Windows and Linux guest operating systems, the selection can be restored to the
original file system, or downloaded from a generated link. For other guest operating systems, the
selection can be downloaded from a generated link.

Result
The Rubrik CDM web UI recovers a file or folder for a data protection object.

Restoring to the source file system


Search or browse for a file or folder and restore that file or folder to the source file system of a supported
Windows or Linux guest operating system.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Virtual Machines > AHV VMs.
The AHV VMs page appears with the VMs tab selected, and displays all the virtual machines in the
system.
3. Click the name of a virtual machine.
The local host page for the selected virtual machine appears.
4. Search or browse for a file or folder.
5. Select a file or folder.
6. Open the ellipsis menu for the file or folder.
7. Click Restore.
The Restore button only appears for supported hosts. When the Rubrik cluster has previously accepted
the service credentials of the host, the credential fields do not appear.
The Restore Files dialog box appears.
8. (Windows only) In Domain, type the resolvable hostname or IP address of the authentication server
for the credential.
When the Windows guest OS performs Workstation Authentication of credentials instead of Domain
Authentication, leave the Domain field empty. For a Linux guest, leave the Domain field empty.
9. (If available) In Username, type a guest OS username for an account with sufficient privileges on the
host.
For a Windows guest, the account must have administrator privileges on the guest. For a Linux guest,
the account must have Write permission for the restore location.
10. (If available) In Password, type the password for the account.
11. Select one of the restore methods.
• Select Overwrite original to restore the selected file or folder to the original path. This choice
overwrites the existing file or folder.
• Select Restore to separate folder to restore the file or folder to another location.
12. (Restore to separate folder only) In Folder Path, type the full path of the restore location.
Do not type the original path of the source file or folder. When Restore to separate folder is
selected, the object cannot be restored to a folder that contains an object of the same name.
Use the correct path delimiter for the guest operating system.
For Windows, use a backslash. For example:

C:\Users\jsmith\work

For Linux, use a forward slash. For example:

/home/jsmith/work

13. Optional: (If available) Select Store as service credential for all VMs.
Choose this setting to have the Rubrik cluster store the credential. The stored credential can be
managed through the Service Credentials page.
14. Click Restore.

Result
The Rubrik cluster restores the file or folder to the specified location.

Restore files and folders by download


The Rubrik cluster generates download links to use for file level restore of files and folders from any local
snapshot, replica, or archival snapshot that was successfully indexed.
Restore a file from a data protection object through the Rubrik CDM web UI. Browse the virtual machine
file system on the data protection object and select the file. The Rubrik cluster processes the request and
provides a link for download of the file.
Restore a folder from a data protection object through the Rubrik CDM web UI. Browse the virtual machine
file system on the data protection object and select the folder. The Rubrik cluster generates a zip file
containing the folder and all that the folder contains. The zip file retains the hierarchy of the selected
folder. The Rubrik cluster provides a link for download of the zip file.

Restoring from notification link
Search or browse for a file or folder and restore that file or folder by download from a link in the
notification message.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Virtual Machines > AHV VMs.
The AHV VMs page appears with the VMs tab selected, and displays all the virtual machines in the
system.
3. Click the name of a virtual machine.
The local host page for the selected virtual machine appears.
4. Search or browse for a file or folder.
5. Select the file or folder.
6. Open the ellipsis menu for the file or folder.
7. Click Download.
8. Click OK.
For a folder, the Rubrik cluster retrieves the folder and creates a zip file with the folder and all files and
folders within the selected folder. The zip file preserves the folder hierarchy. In the Rubrik CDM web UI
Activity Log, a ‘Downloaded’ message appears for the selected file or folder.
9. Click the message.
The Save As dialog box appears in the web browser.
10. Select a download location for the file, and click Save.
The web browser retrieves the file from the Rubrik cluster and saves it to the selected location.
11. (Folder only) Extract the folder using a zip utility.

Result
The Rubrik cluster restores the selected files or folders.

Restoring from Activity Detail


Search or browse for a file or folder and restore that file or folder by download from the Activity Detail
dialog box.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Virtual Machines > AHV VMs.
The AHV VMs page appears with the VMs tab selected, and displays all the virtual machines in the
system.
3. Click the name of a virtual machine.
The local host page for the selected virtual machine appears.
4. Search or browse for a file or folder.
5. Select the file or folder.
6. Open the ellipsis menu for the file or folder.
7. Click Download.
For a folder, the Rubrik cluster retrieves the folder and creates a ZIP file with the folder and all files
and folders within the selected folder. The ZIP file preserves the folder hierarchy.
8. Open the local host page for the virtual machine.
9. On the messages card, select the ‘Link ready for download’ message.
Use the Recovery filter type to filter for this type of message.
The Activity Detail dialog box appears.
10. Click the download icon.
The Save As dialog box appears in the web browser.
11. Select a download location for the file, and click Save.
The web browser retrieves the file from the Rubrik cluster and saves it to the selected location.
12. (Folder only) Extract the folder using a zip utility.

Result
The Rubrik cluster restores the selected files or folders.

Chapter 13
vSphere virtual machines


A Rubrik cluster provides data management and protection for virtual machines that are deployed in
a VMware vSphere environment. The Rubrik cluster can manage and protect virtual machines in an
environment with multiple vCenter Servers and multiple ESXi hosts.
The Rubrik cluster provides a variety of methods to recover virtual machines and to restore protected data.
Recover virtual machines and restore data by using snapshots, replicas, and archival snapshots.

Virtual machine protection


A Rubrik cluster provides protection for virtual machines through either individual assignment of the virtual
machine to an SLA Domain or through automatic protection. Automatic protection occurs when the virtual
machine derives the SLA Domain assignment of a containing folder, cluster, or host.
The Rubrik cluster provides flexibility in the protection assignments made for virtual machines. Virtual
machines that are protected by individual assignment can be set to Do Not Protect or can be set to inherit
a protection setting.
An individual virtual machine that is part of a group of virtual machines being automatically protected can
be set to Do Not Protect without moving the virtual machine out of the group.
The Rubrik cluster also permits some of the VMDK files on a virtual machine to be protected while
designating other VMDK files on the virtual machine as unprotected.

Automatic protection
A Rubrik cluster provides automatic protection of virtual machines through inheritance of the SLA Domain
assigned to a parent object.
Objects from which a virtual machine can inherit are the following virtualization system entities:
• Folders
• Clusters
• Hosts
The automatic protection mechanism simplifies assigning protection to large numbers of virtual machines
and provides an easy method to uniformly assign specific SLA Domains to groups of functionally similar
virtual machines.
The Rubrik cluster uses a specific set of automatic protection rules in the application of automatic
protection.
During SLA Domain assignment, the Rubrik cluster displays the objects that have individual assignments
which conflict with the new assignment. For each conflicting object, the Rubrik cluster permits an
administrator to choose to retain the individual setting or apply the new setting.

vSphere virtual machines 05/25/2022 | 365


Automatic protection rules
To provide consistency when applying automatic protection, the Rubrik cluster adheres to a specific set of
rules.
A Rubrik cluster applies protection to a virtual machine using the following rules:

Rule name   Description
Rule One    The setting individually assigned to an object takes precedence.
Rule Two    An object that is not individually assigned a setting inherits the setting of the hierarchically closest containing object that has a setting.
Rule Three  The setting assigned to a containing folder takes precedence over the setting assigned to a containing cluster or host.

Example: Automatic protection rules applied

To show the impact of automatic protection on the protection settings of a virtual machine, consider the
following fictitious virtual machine environment:
• Virtual machine is newly discovered and no protection has been assigned.
• Virtual machine resides on vSphere cluster C, cluster C has not been assigned protection.
• Virtual machine is contained by folder F1, and F1 is contained by top-level folder F2. Neither folder has
been assigned protection.
Administrator assigns the SLA Domain named ClusterProtection to C:
The virtual machine inherits the ClusterProtection assignment (Rule Two).
Administrator assigns the SLA Domain named Folder2Protection to F2:
The virtual machine inherits the Folder2Protection assignment (Rule Three). The expiration settings of
Folder2Protection apply to the snapshots taken while under ClusterProtection. Some snapshots may be
immediately marked as expired.
Administrator assigns the SLA Domain named Folder1Protection to F1:
The virtual machine inherits the Folder1Protection assignment (Rule Two). The expiration settings
of Folder1Protection apply to snapshots taken while under ClusterProtection and while under
Folder2Protection. Some snapshots may be immediately marked as expired.
Administrator changes the SLA Domain setting of folder F1 to Do Not Protect:
The virtual machine inherits the Do Not Protect setting and is unprotected (Rule Two).
Administrator individually assigns the virtual machine to the Gold SLA Domain:
The virtual machine is protected by the Gold SLA Domain (Rule One).
Administrator changes the SLA Domain setting of folder F1 to the Silver SLA Domain:
A conflict occurs between the individually assigned setting for the virtual machine and the setting selected
for F1. The Rubrik cluster displays the conflict. The administrator chooses to remove the individually
assigned setting and have the virtual machine inherit the new SLA Domain setting of F1. The virtual
machine is protected by the Silver SLA Domain.
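
The three rules and the walkthrough above can be replayed in code. The following Python example is added here and is not Rubrik code; the names Node, VM, resolve and conflicts are hypothetical, and it assumes that a conflict means an individual assignment that differs from the newly assigned setting.

```python
from dataclasses import dataclass
from typing import List, Optional

NO_SLA = "No SLA"                  # label when nothing is assigned in either hierarchy
DO_NOT_PROTECT = "Do Not Protect"  # an explicit setting; it is inherited like an SLA Domain


@dataclass(eq=False)
class Node:
    """A folder, cluster or host. `setting` is its individual assignment, if any."""
    name: str
    parent: Optional["Node"] = None
    setting: Optional[str] = None


@dataclass(eq=False)
class VM:
    name: str
    folder: Optional[Node] = None    # closest containing folder
    compute: Optional[Node] = None   # containing host or cluster
    setting: Optional[str] = None    # individual assignment, if any


@dataclass(frozen=True)
class Effective:
    setting: str            # SLA Domain name, DO_NOT_PROTECT or NO_SLA
    inherited: bool         # False only when the VM carries the setting itself
    source: Optional[str]   # name of the object that supplied the setting


def _closest_with_setting(node: Optional[Node]) -> Optional[Node]:
    """Walk upward from `node` and return the first object that has a setting."""
    while node is not None:
        if node.setting is not None:
            return node
        node = node.parent
    return None


def resolve(vm: VM) -> Effective:
    """Return the setting that applies to `vm` under Rules One to Three."""
    # Rule One: an individual assignment on the VM itself takes precedence.
    if vm.setting is not None:
        return Effective(vm.setting, False, vm.name)
    # Rule Three: the folder hierarchy is consulted before the cluster/host one.
    # Rule Two: within a hierarchy, the closest container with a setting wins.
    for start in (vm.folder, vm.compute):
        hit = _closest_with_setting(start)
        if hit is not None:
            return Effective(hit.setting, True, hit.name)
    return Effective(NO_SLA, True, None)


def _is_under(vm: VM, container: Node) -> bool:
    """True when `container` appears in the folder or cluster/host chain of `vm`."""
    for node in (vm.folder, vm.compute):
        while node is not None:
            if node is container:
                return True
            node = node.parent
    return False


def conflicts(container: Node, new_setting: str, vms: List[VM]) -> List[str]:
    """VMs under `container` whose individual assignment differs from the new one
    (assumed meaning of 'conflict'; these are the objects an administrator must decide on)."""
    return [vm.name for vm in vms
            if _is_under(vm, container)
            and vm.setting is not None and vm.setting != new_setting]


def walk_page_example() -> List[str]:
    """Replay the walkthrough above; returns the VM's effective setting after each step."""
    c, f2 = Node("C"), Node("F2")
    f1 = Node("F1", parent=f2)
    vm = VM("vm", folder=f1, compute=c)
    seen = [resolve(vm).setting]            # newly discovered, nothing assigned
    c.setting = "ClusterProtection"
    seen.append(resolve(vm).setting)
    f2.setting = "Folder2Protection"        # folder beats cluster (Rule Three)
    seen.append(resolve(vm).setting)
    f1.setting = "Folder1Protection"        # closer folder beats F2 (Rule Two)
    seen.append(resolve(vm).setting)
    f1.setting = DO_NOT_PROTECT             # the VM silently becomes unprotected
    seen.append(resolve(vm).setting)
    vm.setting = "Gold"                     # individual assignment (Rule One)
    seen.append(resolve(vm).setting)
    # Assigning Silver to F1 conflicts with the individual Gold assignment.
    assert conflicts(f1, "Silver", [vm]) == ["vm"]
    f1.setting = "Silver"
    vm.setting = None                       # administrator drops the individual setting
    seen.append(resolve(vm).setting)
    return seen


if __name__ == "__main__":
    for step, setting in enumerate(walk_page_example()):
        print(step, setting)
```

The fifth step is the one to audit for: a Do Not Protect setting on a close folder overrides a protected cluster, so the virtual machine stops being backed up without any change to the virtual machine itself.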

Unprotected virtual machines
The Rubrik CDM web UI identifies virtual machines that are not protected by an SLA Domain. Unprotected
virtual machines can then be assigned to an SLA Domain.

Label           Inherited  Description
No SLA          Yes        There are no SLA Domains assigned to any of the parent objects of the virtual machine, in both the folder hierarchy and the cluster/host hierarchy. The virtual machine inherits the No SLA state. This can be changed by individually assigning an SLA Domain to the virtual machine, by assigning an SLA Domain to a parent object, or by moving the virtual machine beneath a protected parent object.
Do Not Protect  Yes        The Do Not Protect setting is individually assigned to a parent object of the virtual machine. Based on the automatic protection rules, the virtual machine inherits the setting from that parent object.
Do Not Protect  No         The Do Not Protect setting is individually assigned to the virtual machine.

Virtual machine linking


Use automatic linking to link and present duplicate virtual machines as a single instance.
When a Rubrik cluster protects virtual machines that are managed by vCenter Servers, certain conditions
can cause a previously protected virtual machine to show up as a new virtual machine with no snapshot
history. This can occur as the result of an instant recovery, migration of a virtual machine to another
vCenter Server, or unregistering a virtual machine from the current vCenter Server and then registering
it back to the same vCenter Server. In these situations, the previously protected virtual machine loses
its association with previous snapshots and SLA assignments. This results in a new full snapshot being
taken during the next backup window. It also compromises the ability to restore old data from the virtual
machine.
For that reason, any time a virtual machine is added to a Rubrik cluster, the Rubrik cluster runs a detection
algorithm designed to identify whether that virtual machine was previously known to the system.
If the optional automatic linking feature is turned on, the Rubrik cluster will link any duplicate virtual
machine occurrences it detects and present them as if they are the same virtual machine. These linked
virtual machines also retain an SLA Domain that is specifically assigned to the original virtual machine.
The automatic linking feature is either turned on or off for an entire vCenter Server. Automatic linking is
configured when the vCenter Server is added or by editing the vCenter Server connection properties.
The automatic linking feature does not perform any retroactive processing. For example, if the feature
is turned off, and a virtual machine is deleted and re-registered with the same vCenter Server, the re-
registered virtual machine is added as a new virtual machine. Even if automatic linking is turned on after
that occurs, the new virtual machine will not be linked to the previous virtual machine.

Note: When virtual machines are linked, the retention periods for snapshots in the Computing state are
evaluated based on the snapshots of the linked VM. These retention policies will be retained if virtual
machines are later unlinked, even though the original snapshots used to determine the retention period
are no longer linked to the virtual machine.

Manage vCenters
The Rubrik cluster accesses virtual machine data through a connection with the VMware vCenter Server
that manages the hypervisor that is running the virtual machine. To successfully connect with a vCenter
Server, the Rubrik cluster requires connection information for that vCenter Server.
The Rubrik cluster provides access to vCenter Server information on the vCenter Servers page. That page
provides the FQDN or IP address, and the connection status, for every vCenter Server that is added to the
Rubrik cluster.
After connection information for a vCenter Server is added to a Rubrik cluster, the Rubrik cluster requests
relevant metadata from the vCenter Server. The Rubrik cluster uses the metadata to display and work with
the virtual machines on the vCenter Server.
The Rubrik cluster automatically refreshes the metadata from a vCenter Server every 30 minutes. This is
referred to as a light refresh. Rubrik Edge and Rubrik Air perform a light refresh of a vCenter Server every
six hours.
The Rubrik cluster automatically refreshes the metadata and rescans the VMDK files of a vCenter Server
every two hours. This is referred to as a full refresh. The Rubrik Edge appliance performs a full refresh of a
vCenter Server every 24 hours.
A Rubrik cluster also uses the vCenter Intelligent Heartbeat feature to monitor the availability of assigned
vCenter Servers. This allows the Rubrik cluster to schedule jobs for a vCenter Server only when the
vCenter Server is available.
VMDK files are also automatically scanned as part of every create snapshot job.
A full refresh can be manually initiated at any time.

vCenter Metro Storage Clusters


A Metro Storage Cluster is a type of vCenter Server that is geographically distributed.
When virtual machines from a site that is part of a Metro Storage Cluster become unavailable, those virtual
machines restart on another site in the Metro Storage Cluster. When the Rubrik cluster is not aware that
these sites are part of a Metro Storage Cluster, those virtual machines register as new virtual machines.
The Rubrik cluster takes full backups of those virtual machines.
Unnecessary full backups and increased usage of network and storage resources can be avoided by
specifying that the vCenter Server is a Metro Storage Cluster when the vCenter Server is added to the
Rubrik cluster.

Minimum vCenter Server privileges

To provide data management and protection for virtual machines in a vSphere environment, the vCenter
Server role assigned to the Rubrik cluster requires a minimum set of privileges.
To access objects and perform operations on them, the Rubrik cluster account requires access permission
for the vCenter Server and its child objects. Propagating the permission to child objects ensures that operations succeed.
Rubrik CDM provides vCenter Server diagnostic information on the vCenter Server page. This information
can help to determine whether the assigned account has the required vCenter Server access permissions.
Related tasks
Using vCenter Server diagnostics
vCenter Server diagnostics are used to confirm the access permissions of the vCenter Server account
assigned to the Rubrik cluster and to troubleshoot vCenter Server access permission issues.
Adding a vCloud Director instance
To add a vCloud Director instance to a Rubrik cluster, provide account information for the vCloud Director
instance.
Related reference
Minimum virtual machine privileges
The vCenter Server role assigned to a Rubrik cluster must provide minimum virtual machine privileges on
the vCenter Server.

Adding vCenter Server connection information


Add vCenter Server connection information to a Rubrik cluster to protect the virtual machines running on
the vCenter Server.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click vCenter Servers.
The vCenter Servers page appears.
4. Click the + icon.
The Add vCenter dialog box appears.
5. In vCenter IP, type the resolvable hostname or IP address of the vCenter Server.
For an IPv6 address, enclose the address in square brackets.
[fd9d:22d3:cd28:7257::]
6. In vCenter Username and vCenter Password, type the user name and password assigned to the
Rubrik cluster.
7. Optional: To turn on the automatic linking feature, select Automatically link discovered virtual
machines.
8. Optional: To enable export of snapshots using HotAdd transport mode, select Enable HotAdd
transport mode for on-premise vCenter (Export only).
HotAdd transport mode bypasses the throughput bottleneck of the ESXi host by hot-adding one or
more virtual disks to a proxy virtual machine. This significantly reduces the latency that can occur
when exporting a large virtual machine.
An additional task to add the proxy network to enable HotAdd transport must be completed at the
conclusion of this task.
9. Optional: Enable Set Compute Resource Visibility and select a compute cluster in Compute
cluster.
When this toggle is enabled, you can specify which resources on the vCenter Server are visible to the
Rubrik cluster. Any resources not specified are hidden.
10. Click Advanced Setting to add a Certificate Authority (CA) certificate for TLS validation.
The dialog box expands to show the Trusted Root Certificate field.
11. Paste the text of the trusted CA root certificate for the vCenter Server into the Trusted Root Certificate
field.
When a trusted CA root certificate is not provided, the Rubrik cluster uses the trust on first use (TOFU)
standard to authenticate the vCenter Server.
12. Click Add.

Result
The Rubrik cluster tests the connection and adds the server information to the CDM web UI.

Next task
If you chose to enable export of snapshots using HotAdd transport mode, then complete the steps in
Enabling HotAdd transport for vCenters Servers.
Related tasks
Editing vCenter Server connection information
Edit the vCenter Server connection information after the vCenter server is added to a Rubrik cluster.
Enabling HotAdd transport for vCenters Servers
Update the proxy network settings on a Rubrik cluster to enable HotAdd transport mode for vSphere virtual
machines.

Adding vCenter Metro Storage Cluster connection information


Add connection information for a vCenter Metro Storage Cluster to a Rubrik cluster to permit the Rubrik
cluster to protect the virtual machines that are running on the hypervisors of the vCenter Metro Storage
Cluster.

Context
The Rubrik cluster attempts to initiate a connection with the vCenter Metro Storage Cluster using vCenter
Server 6.0 or newer protocols, which require a trusted root certificate.
When a trusted root certificate is not provided, the Rubrik cluster uses the trust on first use (TOFU)
standard to authenticate the vCenter Metro Storage Cluster. Depending on the network environment, this
might not ensure secure operation.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click vCenter Servers.
The vCenter Servers page appears.
4. Click +.
The Add vCenter dialog box appears.
5. In vCenter IP, type the resolvable hostname or IP address of the vCenter Metro Storage Cluster.
For an IPv6 address, enclose the address in square brackets. For example:

[fd9d:22d3:cd28:7257::1]

6. In vCenter Username, type the username assigned to the Rubrik cluster.
7. In vCenter Password, type the password assigned to the Rubrik cluster.
8. Optional: Select Automatically link discovered virtual machines.
The Rubrik cluster enables the automatic linking feature.
9. Optional: Enable Set Compute Resource Visibility.
When this toggle is enabled, users can specify which resources in the vCenter are visible to the Rubrik
cluster. Any resources not specified are hidden.
The Compute cluster and Host group drop-down selectors appear.
10. Select Is a VMware vSphere Metro Storage Cluster?.
11. In Host group, select the host groups that are part of the vCenter Metro Storage Cluster.
12. Click Advanced Settings.
The dialog box expands to show the Trusted Root Certificate field.
13. Paste the text of the trusted CA root certificate for the vCenter Server into the Trusted Root Certificate
field.
14. Click Add.

Result
The Rubrik cluster tests the connection and saves the information.

Refreshing the metadata provided by a vCenter Server


Manually refresh the metadata provided by a vCenter Server.

Prerequisites
Add information about the vCenter Server to the Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click vCenter Servers.
The vCenter Servers page appears.
4. Select a vCenter Server.
Select multiple vCenter Servers to refresh all of the selected entries.
5. Open the ellipsis menu at the top of the page.
6. Click Refresh vCenter.

Result
The Rubrik cluster starts a task to refresh the selected vCenters.

Editing vCenter Server connection information


Edit the vCenter Server connection information after the vCenter server is added to a Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click vCenter Servers.
The vCenter Servers page appears with the list of known vCenter Servers.
4. Open the ellipsis menu for a vCenter Server.
5. Click Edit.
The Edit dialog box appears.
6. Make changes to the information.
7. Optional: To turn on the automatic linking feature, select Automatically link discovered virtual
machines.
8. Optional: To enable export of snapshots using HotAdd transport mode, select Enable HotAdd
transport mode for on-premise vCenter (Export only).
HotAdd transport mode bypasses the throughput bottleneck of the ESXi host by hot-adding one or
more virtual disks to a proxy virtual machine. This significantly reduces the latency that can occur
when exporting a large virtual machine.
An additional task to add the proxy network to enable HotAdd transport must be completed at the
conclusion of this task.
9. Click Update.

Result
The Rubrik cluster tests the connection and saves the updated information to the CDM web UI.

Next task
If you chose to enable export of snapshots using HotAdd transport mode, then complete the steps in
Enabling HotAdd transport for vCenters Servers.
Related tasks
Enabling HotAdd transport for vCenters Servers
Update the proxy network settings on a Rubrik cluster to enable HotAdd transport mode for vSphere virtual
machines.

Enabling HotAdd transport for vCenters Servers


Update the proxy network settings on a Rubrik cluster to enable HotAdd transport mode for vSphere virtual
machines.

Prerequisites
Ensure that Enable HotAdd transport mode for on-premise vCenter (Export only) was selected
while adding or editing the vCenter Server connection information.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click vCenter Servers.
The vCenter Servers page appears, displaying the list of already added vCenter Servers.
4. Open the ellipsis menu for a vCenter Server, and click Edit Proxy VM Network.
The Edit Proxy VM Network dialog box appears.
5. Select a network segment for HotAdd proxy virtual machines.
6. Choose one of the following IP address assignment methods.
Assignment method  Description
DHCP               Automatically configures the network parameters.
Static IP          Requires manual configuration of the network parameters.
7. (Static IP only) Provide values for the IP connection parameters.
The following parameters must have values specified: IP address, subnet mask, gateway address, and
DNS server address.
8. Click Update.

Result
The Rubrik cluster tests the connection and enables HotAdd transport mode for the selected vCenter
Server.

Deleting vCenter Server connection information


Delete the vCenter Server connection information that is stored by a Rubrik cluster to remove protection of
the virtual machines of that vCenter Server.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click vCenter Servers.
The vCenter Servers page appears.
4. Open the ellipsis menu of a vCenter Server entry.
5. Click Delete.
A confirmation dialog box appears.
6. Click Delete.

Result
The Rubrik cluster deletes the information for the selected vCenter Server.
The Rubrik cluster provides management access to the data from the virtual machines of that vCenter
Server through the Snapshot Management page.

Using vCenter Server diagnostics


vCenter Server diagnostics are used to confirm the access permissions of the vCenter Server account
assigned to the Rubrik cluster and to troubleshoot vCenter Server access permission issues.

Prerequisites
Confirm the vCenter Server is correctly configured on the Rubrik cluster and in a connected state.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click vCenter Servers.
The vCenter Servers page appears.
4. Select a vCenter Server.
5. From the vCenter Server ellipsis menu, click Refresh vCenter.
6. From the vCenter Server ellipsis menu, click Diagnostics.
The Diagnostics for the vCenter Server page appears.
7. On the left side of the screen, select a vCenter Server resource to review.
8. Optional: Turn on the Show only errors toggle.
Use this option to focus on any access permission errors.

Result
The Rubrik cluster displays a list of the required Rubrik cluster access permissions and their status.

RBS on a Linux guest OS


A Rubrik cluster can use the Rubrik Backup Service to provide significantly faster file and folder level
restore from vSphere virtual machine snapshots with a Linux guest OS.
To provide performance improvements when restoring data to a Linux guest, install Rubrik Backup Service
(RBS) on the Linux guest OS.
While using RBS to facilitate restore provides performance improvements, using RBS for fileset backups
of the Linux guest is not recommended. The VADP snapshots of a Linux guest provide a more efficient
method for backing up the Linux guest than the file system scanning methods used for fileset backups.
VADP snapshots only need to ingest changed blocks from the Linux guest, but fileset backups require a full
scan of the file system.
When RBS is not installed, but VMware Tools is installed, a Rubrik cluster provides file system consistent
snapshots on supported Linux guest OS types. During snapshot creation, the Rubrik cluster uses VMware
Tools to make guest OS kernel level calls to quiesce (freeze) and to enable (thaw) the guest OS file
system.
Related concepts
Rubrik Backup Service
The Rubrik Backup Service provides enhanced integration with protected resources and host systems.
Related tasks
Downloading the RBS software
Obtain the Rubrik Backup Service software from the web UI of a Rubrik cluster.
Obtaining the RBS software by URL
Obtain the Rubrik Backup Service software directly by URL instead of through the web UI.
Installing RBS on Linux and Unix hosts
Install the Rubrik Backup Service software on Linux and Unix hosts.
Registering a guest OS install of RBS
After installing the Rubrik Backup Service software on a virtual machine guest OS, register the Rubrik
Backup Service with a Rubrik cluster.

RBS on a Windows guest OS


A Rubrik cluster can use the Rubrik Backup Service to provide significantly faster file and folder level
restore from vSphere virtual machine snapshots with a Windows guest operating system.
A Rubrik cluster uses Rubrik Backup Service (RBS) running on a Windows guest OS to provide application-
consistent snapshots for Windows applications. The Rubrik cluster uses RBS to enable access to the
Windows OS Volume Shadow Copy Service (VSS).
When RBS is not installed, but VMware Tools is installed, the Rubrik cluster attempts to quiesce the
Windows virtual machine using VMware Tools. Application consistency cannot be assured under these
circumstances but it will be attempted.
RBS can be installed manually or automatically. In order to automatically install RBS, the Rubrik cluster
must have valid guest OS credentials for the Windows guest and the Admin Approval Mode must be
disabled on the Windows guest.
For supported versions of Microsoft Exchange Server, RBS truncates the transaction log after a successful
snapshot. Log truncation can significantly reduce the virtual machine space required by the transaction log.
Related concepts
Rubrik Backup Service
The Rubrik Backup Service provides enhanced integration with protected resources and host systems.
Windows access control list values
A Rubrik cluster can use a PowerShell script to acquire access control list values from a Windows guest file
system. The Rubrik cluster only uses this method when the Rubrik Backup Service is not installed or when
the snapshot was created using an older version of Rubrik CDM.
Related tasks
Downloading the RBS software
Obtain the Rubrik Backup Service software from the web UI of a Rubrik cluster.
Obtaining the RBS software by URL
Obtain the Rubrik Backup Service software directly by URL instead of through the web UI.
Installing RBS on Windows
Install the Rubrik Backup Service software on a computer or virtual machine that is running the Windows
Server operating system.
Automatically deploying RBS
A Rubrik cluster can install and register the Rubrik Backup Service on a supported Windows guest at the
next scheduled or on-demand backup of that Windows guest.
Registering a guest OS install of RBS
After installing the Rubrik Backup Service software on a virtual machine guest OS, register the Rubrik
Backup Service with a Rubrik cluster.

Windows access control list values


A Rubrik cluster can use a PowerShell script to acquire access control list values from a Windows guest file
system. The Rubrik cluster only uses this method when the Rubrik Backup Service is not installed or when
the snapshot was created using an older version of Rubrik CDM.
When the access control list (ACL) values of an object are successfully acquired, the Rubrik cluster can set
the same ACL values on the object as part of a restore or an export.
The Rubrik cluster runs an ‘icacls’ command-line script in a hidden PowerShell session on the Windows
guest to acquire the ACL values for the objects in the Windows guest file system. PowerShell scripts are
needed only when restoring snapshots taken using Rubrik CDM version 3.1 or earlier, or when Rubrik
Backup Service (RBS) is not installed on a virtual machine. The recommended procedure for restores is to
use RBS on the virtual machine. If RBS is not installed, then the PowerShell script and VMware Tools can
be used to restore snapshots.
To run the PowerShell script successfully, meet the requirements specified in the following table.

Category                     Requirement
PowerShell                   Minimum required version is version 3, preferred is version 4 or newer.
                             To determine the current version, open a PowerShell window on the guest and type:
                             $PSVersionTable
PowerShell execution policy  Must be set to the ‘unrestricted’ PowerShell execution policy.
                             To determine the current setting, open a PowerShell window on the guest and type:
                             Get-ExecutionPolicy
                             To set the value to unrestricted, type:
                             Set-ExecutionPolicy unrestricted
.NET Framework               Version 4.5 or newer.
                             Microsoft provides instructions for determining the installed .NET Framework versions in
                             How to: Determine Which .NET Framework Versions Are Installed.

When the ‘icacls’ script cannot be run, and Rubrik RBS is not installed on the virtual machine, the Rubrik
cluster can still restore objects in the Windows guest file system, but the ACL values of the source objects
will not be preserved in the restored objects.
Related concepts
Rubrik Backup Service
The Rubrik Backup Service provides enhanced integration with protected resources and host systems.
Related tasks
Downloading the RBS software
Obtain the Rubrik Backup Service software from the web UI of a Rubrik cluster.
Obtaining the RBS software by URL
Obtain the Rubrik Backup Service software directly by URL instead of through the web UI.
Installing RBS on Windows
Install the Rubrik Backup Service software on a computer or virtual machine that is running the Windows
Server operating system.
Automatically deploying RBS
A Rubrik cluster can install and register the Rubrik Backup Service on a supported Windows guest at the
next scheduled or on-demand backup of that Windows guest.
Registering a guest OS install of RBS
After installing the Rubrik Backup Service software on a virtual machine guest OS, register the Rubrik
Backup Service with a Rubrik cluster.

SLA Domain assignment


Use SLA Domains to apply the data protection policies to an individual virtual machine or a selected set of
virtual machines.
Add Rubrik data protection with an SLA Domain assigned to an individual virtual machine or configure
flexible SLA Domain assignment to a set of instances based on:
• The vCenter Server folder
• The vCenter Server cluster or host
• vSphere tags
A virtual machine can also be protected by deriving an SLA Domain setting through automatic protection.
Automatic protection occurs in one of the following ways:
• An administrator assigns an object that contains the virtual machine to an SLA Domain.
• An administrator moves the virtual machine into the hierarchy of an object that is assigned to an SLA
Domain.
Automatic protection uses the automatic protection rules to determine whether a setting applies to an
object.
Related concepts
Automatic protection
A Rubrik cluster provides automatic protection of virtual machines through inheritance of the SLA Domain
assigned to a parent object.
Automatic protection rules
To provide consistency when applying automatic protection, the Rubrik cluster adheres to a specific set of
rules.

Assigning an SLA Domain setting to a virtual machine


Specify an SLA Domain for a virtual machine, set the virtual machine to inherit from a parent, or specify Do
Not Protect for the virtual machine.

Context
Protect a set of virtual machines by assigning the selected set to an SLA Domain. Assigning virtual
machines to an SLA Domain protects the virtual machines by applying the data protection policies of the
SLA Domain.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Virtual Machines > vSphere VMs.
The vSphere VMs page appears, with the VMs tab selected.
3. Select a virtual machine.
Select multiple virtual machines to assign the same setting to all of the selected virtual machines.
To help find virtual machines, use the filters, sort the entries by column heading, or use the search
field.
4. Click Manage Protection.
A dialog box with one or more warnings may appear.
The Manage Protection dialog box appears.
5. Select an SLA Domain.
6. Click Next.
The Review Impact of the Manage Protection dialog box appears.
7. Optional: Click Apply to existing snapshots.
The changes made to the SLA Domain are applied to the existing snapshots. The summary
information describes the impact of the changes on existing and new snapshots.
8. Optional: Select Include on-demand and downloaded snapshots.
The changes made to the SLA Domain also apply to on-demand snapshots. The summary information
describes the effect of the changes on existing, new, on-demand, and downloaded snapshots.
9. Confirm that the Frequency and Retention settings are correct and click Submit.
If the summary information appears incorrect, click Back to return to the previous screen or Cancel
to cancel the change.

Result
The Rubrik cluster assigns the selection group to the SLA Domain.
Related concepts
Finding protection objects
The Rubrik CDM web UI provides several tools for finding protection objects.
Warning messages
As part of the task of assigning SLA Domains, the Rubrik cluster may display warning messages.
Related reference
Manage Protection options

Select virtualization hierarchy entities and click Manage Protection to view the Manage Protection dialog
box for the selected entities. The Manage Protection dialog box provides several options for the selected
entities.

Assigning an SLA Domain setting to a vCenter Server folder


Specify an SLA Domain setting for a vCenter Server folder to have the setting applied to the objects and
virtual machines contained by the folder.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Virtual Machines > vSphere VMs.
The vSphere VMs page appears, with the VMs tab selected.
3. Select Folders.
The Folders tab appears.
4. Select an object within the vCenter Server folder hierarchy.
Click a value in the Name column to move down in the folder hierarchy.
5. Select multiple objects to apply the setting to more than one object in the folder hierarchy.
6. Click Manage Protection.
A dialog box with one or more warnings may appear.
7. Click Continue Anyway to proceed.
Click Cancel to return to the Folders tab.
The Manage Protection dialog box appears.
8. Select an SLA Domain.
9. Click Next.
The Review Impact of the Manage Protection dialog box appears.
10. Optional: Click Apply to existing snapshots.
The changes made to the SLA Domain are applied to the existing snapshots. The summary
information describes the impact of the changes on existing and new snapshots.
11. Optional: Select Include on-demand and downloaded snapshots.
The changes made to the SLA Domain also apply to on-demand snapshots. The summary information
describes the effect of the changes on existing, new, on-demand, and downloaded snapshots.
12. Confirm that the Frequency and Retention settings are correct and click Submit.
If the summary information appears incorrect, click Back to return to the previous screen or Cancel
to cancel the change.
When the SLA Domain selection will cause a change in the individual setting of an object that is
contained by one of the selected objects, the SLA Conflicts dialog box appears.
When there are no SLA conflicts, the Rubrik cluster applies the selected setting to the selected objects.
The automatic protection rules determine the application of the selected setting to virtual machines
contained by the selected objects.
13. (SLA conflicts only) After resolving all SLA conflicts, click Done.
The Rubrik cluster applies the selected setting to the selected objects and resolves conflicts as
specified.

Result
The automatic protection rules determine the application of the setting to the virtual machines that are
contained by the selected objects.
Related concepts
Warning messages

As part of the task of assigning SLA Domains, the Rubrik cluster may display warning messages.
Automatic protection rules
To provide consistency when applying automatic protection, the Rubrik cluster adheres to a specific set of
rules.
Related tasks
Resolving SLA conflicts
The Manage Protection setting of a selected object can conflict with the setting that is individually assigned
to an object contained by the selected object.
Related reference
Manage Protection options
Select virtualization hierarchy entities and click Manage Protection to view the Manage Protection dialog
box for the selected entities. The Manage Protection dialog box provides several options for the selected
entities.

Assigning an SLA Domain setting to a vCenter Server cluster or host


Specify an SLA Domain setting for vCenter Server clusters and hosts to have the setting applied to the
objects and virtual machines contained by the clusters and hosts.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Virtual Machines > vSphere VMs.
The vSphere VMs page appears, with the VMs tab selected.
3. Select Clusters/Hosts.
The Clusters/Hosts tab appears.
4. Select an object within the vCenter Server hosts hierarchy.
To browse down the hosts hierarchy, click a value in the Name column.
5. Select multiple objects to apply the setting to more than one object in the hosts hierarchy.
6. Click Manage Protection.
A dialog box with one or more warnings may appear.
7. Click Continue Anyway to proceed.
Click Cancel to return to the Folders tab.
The Manage Protection dialog box appears.
8. Select an SLA Domain.
9. Click Next.
The Review Impact of the Manage Protection dialog box appears.
10. Optional: Click Apply to existing snapshots.
The changes made to the SLA Domain are applied to the existing snapshots. The summary
information describes the impact of the changes on existing and new snapshots.
11. Optional: Select Include on-demand and downloaded snapshots.
The changes made to the SLA Domain also apply to on-demand snapshots. The summary information
describes the effect of the changes on existing, new, on-demand, and downloaded snapshots.
12. Click Submit.
If the summary information appears incorrect, click Back to return to the previous screen or Cancel
to cancel the change.
When the SLA Domain selection will cause a change in the individual setting of an object that is
contained by one of the selected objects, the SLA Conflicts dialog box appears.
When there are no SLA conflicts, the Rubrik cluster applies the selected setting to the selected objects.
The automatic protection rules determine the application of the selected setting to virtual machines
contained by the selected objects.

Result
The automatic protection rules determine the application of the setting to the virtual machines that are
contained by the selected objects.
Related concepts
Warning messages
As part of the task of assigning SLA Domains, the Rubrik cluster may display warning messages.
Automatic protection rules
To provide consistency when applying automatic protection, the Rubrik cluster adheres to a specific set of
rules.
Related tasks
Resolving SLA conflicts
The Manage Protection setting of a selected object can conflict with the setting that is individually assigned
to an object contained by the selected object.
Related reference
Manage Protection options
Select virtualization hierarchy entities and click Manage Protection to view the Manage Protection dialog
box for the selected entities. The Manage Protection dialog box provides several options for the selected
entities.

SLA Domain assignment by tag


SLA Domains can be assigned to virtual machines based on vSphere tags.
vSphere tags apply additional metadata to virtual machines for increased grouping and categorization.
Rubrik SLA Domains can be assigned based on the assigned tag.

Assigning SLA Domains to vSphere tags


Assign an SLA Domain based on vSphere tags.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Virtual Machines > vSphere VMs.
The vSphere VMs page appears, with the VMs tab selected.
3. Select Tags to filter by tag assignment.
4. Select one or more tags from the list.
5. Click Manage Protection.
A dialog box with one or more warnings may appear.
6. Click Continue Anyway to proceed.
Click Cancel to return to the Folders tab.
The Manage Protection dialog box appears.
7. Select an SLA Domain.
8. Click Next.
The Review Impact of the Manage Protection dialog box appears.
9. Optional: Click Apply to existing snapshots.
The changes made to the SLA Domain are applied to the existing snapshots. The summary
information describes the impact of the changes on existing and new snapshots.

10. Optional: Select Include on-demand and downloaded snapshots.
The changes made to the SLA Domain also apply to on-demand snapshots. The summary information
describes the effect of the changes on existing, new, on-demand, and downloaded snapshots.
11. Confirm the summary information and click Submit.
If the summary information appears incorrect, click Back to return to the previous screen or Cancel
to cancel the change.
When the selected SLA Domain may cause a change in the individual setting of objects assigned the
selected tag, the SLA Conflicts dialog box appears.

Result
The SLA Domain projection rules are applied to all virtual machines with the assigned tag.
Related concepts
Warning messages
As part of the task of assigning SLA Domains, the Rubrik cluster may display warning messages.
Related tasks
Resolving SLA conflicts
The Manage Protection setting of a selected object can conflict with the setting that is individually assigned
to an object contained by the selected object.
Related reference
Manage Protection options
Select virtualization hierarchy entities and click Manage Protection to view the Manage Protection dialog
box for the selected entities. The Manage Protection dialog box provides several options for the selected
entities.

Manage Protection options


Select virtualization hierarchy entities and click Manage Protection to view the Manage Protection dialog
box for the selected entities. The Manage Protection dialog box provides several options for the selected
entities.

Field: Search
Action: Search SLA Domains
Description: Predictive search for SLA Domains by using the characters entered in the search field to
match the same sequence of characters anywhere in the SLA Domain name.

Field: The + icon
Action: Click to open the Create New SLA Domain dialog box
Description: Opens the Create New SLA Domain dialog box. Create a new SLA Domain and assign that SLA
Domain to the selected group of objects.

Field: SLA Domain list
Action: Select an SLA Domain
Description: Select an SLA Domain to assign to the selected group of objects. The Rubrik cluster assigns
the selected SLA Domain individually to each of the selected objects. The automatic protection rules
determine whether the Rubrik cluster assigns the selected SLA Domain to objects contained by a
selected object.

Field: Clear Existing Assignment
Action: Select to clear the existing SLA Domain.
Description: The SLA Domain of the next higher level object is assigned.

Field: Do Not Protect
Action: Click to stop policy-based protection of the object and to assign a retention policy to existing
snapshots
Description: Individually assigns the Do Not Protect setting to each of the selected objects. The
automatic protection rules determine whether objects that are contained by a selected object inherit
the Do Not Protect setting.
The Rubrik cluster does not create policy driven snapshots for a virtual machine that is individually
set to Do Not Protect or that inherits the Do Not Protect setting.
Offers the following options for retaining existing snapshots.
• Preserve retention from previous SLA
• Keep forever
• Expire immediately

Resolving SLA conflicts


The Manage Protection setting of a selected object can conflict with the setting that is individually assigned
to an object contained by the selected object.

Context
When a conflict is detected, the Rubrik cluster opens the SLA Conflicts dialog box to permit the conflict to
be resolved.
When the SLA Conflicts dialog box appears, it lists each object that has an individual SLA setting that
conflicts with the setting being applied to a selected containing object. The SLA Conflicts dialog box initially
lists these objects in the Keep Current SLA column.

Procedure
1. Assign an SLA Domain setting to an object.
2. When the SLA Conflicts dialog box appears, choose an action for each listed object.
Option: Leave that object in the Keep Current SLA column
Description: Retains the individual setting of the listed object.
Option: Move the object to the Inherit column
Description: The individual setting of the listed object is removed, and the object inherits the setting
selected in the Manage Protection dialog box. The setting that the object inherits can be a specific
SLA Domain assignment, the Inherit SLA setting, or the Do Not Protect setting.

3. Click Done.

Result
The Rubrik cluster resolves the conflicts as specified.
Related concepts
Assignment Conflicts

The Rubrik CDM web UI displays the Assignment Conflicts warning when the Rubrik cluster detects a
conflict in the SLA Domain setting for a selected object.
Related tasks
Assigning an SLA Domain setting to a vCenter Server folder
Specify an SLA Domain setting for a vCenter Server folder to have the setting applied to the objects and
virtual machines contained by the folder.

Removing an SLA Domain setting


Remove an individual SLA Domain setting from a virtual machine. After the task completes, the virtual
machine derives a setting based on the automatic protection rules.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Virtual Machines > vSphere VMs.
The vSphere VMs page appears, with the VMs tab selected.
3. Select a virtual machine.
Select multiple virtual machines to remove the individual setting of every virtual machine in the
selection group.
To help find virtual machines, use the filters, sort the entries by column heading, or use the search
field.
4. Click Manage Protection.
A dialog box with one or more warnings may appear.
The Manage Protection dialog box appears.
5. Choose one of the following options.
Option: Inherit
Description: The SLA Domain is assigned based on inheritance rules.
Option: Do Not Protect
Description: The virtual machine is excluded from all further SLA Domain assignments.
Choose the retention policy for the existing snapshots:
• Preserve retention from previous SLA
• Keep forever (this is the default choice)
• Expire immediately

6. Optional: Click Apply to existing snapshots.
The changes made to the SLA Domain are applied to the existing snapshots. The summary
information describes the impact of the changes on existing and new snapshots.
7. Optional: Select Include on-demand and downloaded snapshots.
The changes made to the SLA Domain also apply to on-demand snapshots. The summary information
describes the effect of the changes on existing, new, on-demand, and downloaded snapshots.
8. Confirm the summary information and click Submit.
If the summary information appears incorrect, click Back to return to the previous screen or Cancel
to cancel the change.

Result
The Rubrik cluster removes the individual assignments for the selected group. Each virtual machine in the
selection group derives a protection setting based on the automatic protection rules.
Related concepts
Finding protection objects
The Rubrik CDM web UI provides several tools for finding protection objects.
Warning messages
As part of the task of assigning SLA Domains, the Rubrik cluster may display warning messages.
Retention policy for existing snapshots
Choose the retention policy for existing snapshots after removing the SLA Domain setting.

Retention policy for existing snapshots


Choose the retention policy for existing snapshots after removing the SLA Domain setting.
When the Apply changes to the existing snapshots option is applied for the data sources that can inherit
the SLA Domain of the parent, the retention of existing snapshots changes to the retention policy of the
inherited SLA Domain. For snapshots that cannot inherit the SLA Domain of the parent, the snapshots are
retained forever.
When changes are not applied to existing snapshots, the retention for existing snapshots that can inherit
the SLA Domain of the parent does not change. For snapshots that cannot inherit the SLA Domain of the
parent, the snapshots are retained forever.

Virtual machine scripts


The Rubrik cluster can be configured to run scripts on a guest OS before a snapshot, after the snapshot,
and after the Rubrik cluster completes the backup process.
Use this feature to put a guest OS in a specific state before a snapshot, change that state immediately
after the snapshot is completed on the host system, and perform other actions after the Rubrik cluster
completes the backup process.
To allow the Rubrik cluster to start scripts, provide Guest OS credentials with sufficient privileges. Without
adequate credentials, the Rubrik cluster cannot start the scripts.
For example, run a script to quiesce applications before a snapshot, another script to restore the
applications to their normal running status after the snapshot, and a final script to perform clean-up at the
end of the backup process.
The scripts can consist of any sequence of operations that can be run by the command line interpreter of
the guest OS.
The following table describes the virtual machine pre/post scripts.

Name: Pre-Backup Script
Description:
• Use Pre-Backup Script to prepare for a backup by quiescing the applications on the virtual machine.
• Requires that a timeout value be specified.
• The Rubrik CDM web UI provides an option to cancel the backup task when the Pre-Backup Script does
not complete successfully.

Name: Post-Snap Script
Description: Must be idempotent; the script may be invoked several times during a single backup task.
• Use Post-Snap Script to minimize stun time and resume all applications on the virtual machine.
• Also, use Post-Snap Script to perform clean-up tasks if a backup task fails.
• Requires that a timeout value be specified.
• Post-Snap Script runs immediately after the host snapshot task completes.

Name: Post-Backup Script
Description: Must be idempotent; the script may be invoked several times during a single backup task.
• Use Post-Backup Script to perform custom post-processing at the end of the backup process.
• Requires that a timeout value be specified.
• Post-Backup Script runs after: the snapshot is copied to the Rubrik cluster and released on the
virtual machine host, and the Rubrik cluster completes all data and metadata processing tasks.

Related concepts
Guest OS settings
Enable the administration of guest OS credentials for virtual machines and fileset hosts.

Enabling scripts
Configure the Rubrik cluster to run scripts when a virtual machine is backed up.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Virtual Machines > vSphere VMs.
The vSphere VMs page appears, with the VMs tab selected.
3. Select a virtual machine.
To help find virtual machines, use the filters, sort the entries by column heading, or use the search
field. Finding protection objects describes these tools.
4. In Name, click the name of a virtual machine.
The local host page for the selected virtual machine appears.
5. Open the ellipsis menu, and select Configure Pre/Post Scripts.
The Configure Pre/Post Scripts dialog box appears.
6. (Optional) In Pre-Backup Script Path, type the full path for the Pre-Backup Script.
The full path is relative to the root of the guest OS file system.
7. (Optional) Select Cancel Backup if Pre-Backup Scripts Fails.
Any script exit status other than 0 is considered a script failure. When this box is selected, the Rubrik
CDM displays a notification of the script failure and the value of the exit status in the Activity Log.
8. (Required when available) In Timeout, type an integer value.
The value represents the number of seconds before the Rubrik cluster terminates the Pre-Backup
Script because the script cannot be completed.
9. (Optional) In Post-Snap Script Path, type the full path for the Post-Snap Script.
The full path is relative to the root of the guest OS file system.
10. (Required when available) In Timeout, type an integer value.
The value represents the number of seconds before the Rubrik cluster terminates the Post-Snap Script
because the script cannot be completed.
11. (Optional) In Post-Backup Script Path, type the full path for the Post-Backup Script.
The full path is relative to the root of the guest OS file system.
12. (Required when available) In Timeout, type an integer value.

The value represents the number of seconds before the Rubrik cluster terminates the Post-Backup
Script because the script cannot be completed.
13. Click Apply.

Result
The Rubrik cluster stores the information and runs the specified scripts for all subsequent backups of the
selected virtual machine. The Rubrik cluster provides entries in the Activity Log for errors that occur when
running the scripts as specified.
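
The following hook script is an added example, not part of the Rubrik documentation or product. It shows one
way to meet the requirements described above: a non-zero exit status when quiescing fails, a retry budget kept
below the configured Timeout, and Post-Snap and Post-Backup scripts that are safe to invoke several times.
The file names, the state directory, and the app_quiesce and app_resume functions are assumptions.

```shell
#!/bin/sh
# Added example, not Rubrik code. Install this one file under three names
# (pre-backup.sh, post-snap.sh, post-backup.sh) and enter each full path in
# Configure Pre/Post Scripts. File names and paths are assumptions.

STATE_DIR="${HOOK_STATE_DIR:-/var/run/backup-hooks}"  # assumed state location
MARKER="$STATE_DIR/quiesced"    # exists from the quiesce attempt until resume
LOG="$STATE_DIR/hook.log"
QUIESCE_BUDGET="${QUIESCE_BUDGET:-20}"  # seconds; keep below the UI Timeout

# Hypothetical stand-ins for the real application commands. They only write
# files, so the example runs offline; replace the bodies for a real application.
app_quiesce() { [ ! -e "$STATE_DIR/fail-quiesce" ] && echo frozen > "$STATE_DIR/app-state"; }
app_resume()  { echo running > "$STATE_DIR/app-state" && echo resumed >> "$STATE_DIR/resume-count"; }

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"; }

# The hooks run with privileged guest OS credentials, so refuse to run from a
# file that group or other users could modify.
script_is_locked_down() {
    [ -f "$1" ] || return 1
    [ -z "$(find -L "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

pre_backup() {
    mkdir -p "$STATE_DIR" || return 2
    # A leftover marker means an earlier run never resumed: resume first.
    if [ -e "$MARKER" ]; then post_snap || return 3; fi
    : > "$MARKER" || return 2   # record intent before touching the application
    start=$(date +%s)
    until app_quiesce; do
        if [ $(( $(date +%s) - start )) -ge "$QUIESCE_BUDGET" ]; then
            log "pre-backup: quiesce failed within ${QUIESCE_BUDGET}s, resuming"
            app_resume && rm -f "$MARKER"
            return 1            # any non-zero exit status is a script failure
        fi
        sleep 1
    done
    log "pre-backup: application quiesced"
}

# Safe to call any number of times: it acts only while the marker exists.
post_snap() {
    mkdir -p "$STATE_DIR" || return 2
    [ -e "$MARKER" ] || return 0    # already resumed, or never quiesced
    app_resume || { log "post-snap: resume failed"; return 1; }
    rm -f "$MARKER"
    log "post-snap: application resumed"
}

# Also idempotent: repeats the resume check, then trims the hook log.
post_backup() {
    post_snap || return 1
    if [ -f "$LOG" ]; then
        tail -n 200 "$LOG" > "$LOG.tmp" && mv "$LOG.tmp" "$LOG"
    fi
}

run_hook() {  # $1 = name of the hook function to run
    script_is_locked_down "$0" || { echo "refusing: $0 is writable by group/other" >&2; exit 77; }
    "$1"
    exit $?
}

# Dispatch on the installed file name; under any other name only define functions.
case "$(basename -- "$0")" in
    pre-backup.sh)  run_hook pre_backup ;;
    post-snap.sh)   run_hook post_snap ;;
    post-backup.sh) run_hook post_backup ;;
esac
```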

Storage array integration


A Rubrik cluster can integrate with a storage array to further reduce the time that a virtual machine is
quiescent during a snapshot operation. To qualify for storage array integration, all datastores assigned to
the virtual machine must reside on storage arrays.
Normally, a Rubrik cluster ingests the VMDK files of a virtual machine as part of the snapshot process.
During this time, the virtual machine must be kept quiescent. A Rubrik cluster ingests the VMDK files very
quickly, resulting in extremely short periods of quiescence. However, for large VMDK files, the time that is
required for ingesting the VMDK files can impact the virtual machine.
With storage array integration, a Rubrik cluster can use the API of the storage array to move ingestion of
the VMDK files out of the vSphere environment and onto the storage array. Using storage array integration,
a Rubrik cluster can release a virtual machine for normal operation immediately after a hypervisor
snapshot. The Rubrik cluster takes storage array snapshots and uses those for ingestion of the VMDK files.
After releasing the virtual machine, the Rubrik cluster mounts the storage array level snapshots as
temporary datastores on the virtual machine host. The Rubrik cluster then attaches the VMDK files from
the temporary datastores to a proxy virtual machine. The Rubrik cluster completes the data ingestion
through the proxy virtual machine, and then removes the temporary datastore objects and the proxy
virtual machine.
Storage array integration can employ custom scripts running on the guest operating system to provide
application level quiescence or application consistency. A pre-backup script can prepare an application for
the brief quiescence and a post-snap script can resume the application immediately after the snapshot.
Related concepts
Virtual machine scripts
The Rubrik cluster can be configured to run scripts on a guest OS before a snapshot, after the snapshot,
and after the Rubrik cluster completes the backup process.

Datastore requirements for storage array integration


The datastores used by a virtual machine must reside on a single storage array or multiple arrays of the
same type in order to use storage array integration.

Enabling storage array integration for a virtual machine


Enable storage array integration for a virtual machine to allow the Rubrik cluster to ingest VMDK files
directly from datastores on storage arrays.

Prerequisites
• Ensure the datastores of the virtual machine reside on supported storage arrays.
• Add the storage arrays to the Rubrik cluster.

Context
Storage array integration can reduce the quiescence period for a virtual machine during snapshot
operations.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Virtual Machines > vSphere VMs.
The vSphere VMs page appears, with the VMs tab selected.
3. In the Name column, click the name of the virtual machine.
The local host page for the selected virtual machine appears.
4. Optional: Open the ellipsis menu on the top bar of the local host page and select
Configure Pre/Post Scripts.
The Configure Pre/Post Scripts dialog box appears.
5. Optional: Enable the pre-backup script and the post-snap script for the virtual machine.
6. Open the ellipsis menu on the top bar of the local host page and select Enable Array Integration.
The Enable Array Integration menu item is available when the virtual machine is eligible for storage
array integration. After adding a storage array, the Rubrik cluster scans all virtual machines to
determine eligibility for storage array integration. The menu item does not appear until the scanning
period completes.
The message “Enabled array integration” appears in the Activity Log.

Result
The Rubrik cluster stores the information and uses storage array integration for all subsequent backups of
the virtual machine.
Related tasks
Adding a storage array
Add a storage array to the CDM web UI to permit the Rubrik cluster to interact directly with the storage
array.
Enabling scripts
Configure the Rubrik cluster to run scripts when a virtual machine is backed up.

Exclude VMDK files


Virtual machines can include some VMDK files that do not need to be protected. The Rubrik cluster can
ignore some of the VMDK files of a virtual machine while protecting the other VMDK files of that virtual
machine.
When a virtual machine with excluded VMDKs runs applications that depend on the excluded VMDKs, such
as Exchange or SQL Server, specify crash consistent snapshots as discussed in Specifying crash consistent
backups.

Excluding VMDK files of a virtual machine


When backups are not required for some of the VMDK files of a virtual machine, exclude those VMDK files
from backups.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Virtual Machines > vSphere VMs.
The vSphere VMs page appears, with the VMs tab selected.

3. In the Name column, click the name of a virtual machine.
To help find virtual machines, use the filters, sort the entries by column heading, or use the search
field.
The local host page for the selected virtual machine appears.
4. Open the ellipsis menu on the top bar of the local host page and select Exclude VMDKs.
The Exclude VMDK dialog box appears.
5. Select the VMDK files to exclude.
6. Click Exclude.

Result
The Rubrik cluster excludes the selected VMDK files from all future backups of the virtual machine.
Related concepts
Finding protection objects
The Rubrik CDM web UI provides several tools for finding protection objects.
Local host page

Finding protection objects


The Rubrik CDM web UI provides several tools for finding protection objects.

Displaying all discovered virtual machines


The Rubrik CDM web UI lists all discovered virtual machines on the VM Protection page.
The following methods open the VM Protection page and display all discovered virtual machines:
• On the Dashboard page, on the Virtual Machines card, click See All
• On the left-side menu, select Virtual Machines > vSphere VMs

Displaying unprotected virtual machines from the Dashboard


From the Dashboard, display all unprotected virtual machines.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the Virtual Machines card, in the view Unprotected.

Result
The Virtual Machines page opens, with the VMs tab selected, and filters the view to show All Unprotected
virtual machines.

Displaying unprotected virtual machines from the VM Protection page


Use a filter to display all unprotected virtual machines.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Virtual Machines > vSphere VMs.
The vSphere VMs page appears, with the VMs tab selected.
3. Click Filter SLA.

4. Select a filter.
Filter: Unprotected
Effect: Displays all unprotected virtual machines, both No SLA and Do Not Protect.
Filter: No SLA
Effect: Displays virtual machines that have not inherited an SLA Domain setting.
Filter: Do Not Protect
Effect: Displays virtual machines that have inherited the Do Not Protect setting, or have Do Not Protect
individually assigned.

Result
The Rubrik CDM web UI displays the virtual machines that belong to the selected protection state.

Sorting virtual machines by using the SLA filter


Use the SLA filter to find specific virtual machines.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Virtual Machines > vSphere VMs.
The vSphere VMs page appears, with the VMs tab selected.
3. Click Filter SLA.
4. Select a filter.
• A named SLA Domain
• No SLA
• Do Not Protect

Result
The Rubrik CDM web UI displays the virtual machines that belong to the selected SLA Domain or to the
selected protection state.

Finding virtual machines by using the Search field


Use the Search field to find a specific virtual machine.

Procedure
1. Log in to the Rubrik CDM web UI.
2. In the Search field, at the top of all Rubrik CDM web UI pages, type the name of the virtual machine.
The search matches the characters entered in the search field with the same sequence of characters
anywhere in a name. Continue to type characters to narrow down the results until the virtual machine
appears.
The Rubrik cluster begins a predictive search and updates the results as letters are typed.
3. When the name of the virtual machine appears in the displayed list, select the name.

Result
The Rubrik CDM web UI displays the local host page for the virtual machine.

Finding entities by using the object tab
Use object tabs on the Virtual Machines page to define a hierarchical view to search and to browse. Then
use the search field to find entities within the defined view, or to browse entities within the defined view.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Virtual Machines > vSphere VMs.
The vSphere VMs page appears, with the VMs tab selected.
3. Choose a tab.
Option: VMs
Description: Provides a virtual machines only view, with the hierarchical location of each virtual
machine displayed in the location column.
Option: Folders
Description: Provides the vCenter Server folder hierarchy view, starting at the vCenter Server.
Option: Clusters/Hosts
Description: Provides the vCenter Server cluster and host hierarchy view, starting at the vCenter Server.
4. Choose to search or browse for an entity.
Method: Search
Next Step: 5
Method: Browse
Next Step: 7
5. Type characters in the tab search field.
The search matches the characters in the search field with entities that have that sequence of
characters anywhere in the entity name.
The Rubrik cluster begins a predictive search and updates the results as letters are typed.
6. Stop typing when the name of the entity appears on the page.
Go to step 9.
7. Click the name of a top-level entity.
The Rubrik CDM web UI displays the entities within the selected entity.
8. Continue clicking entity names to browse down the hierarchy to a specific entity.
9. Select the entity.

Result
Search results are displayed in the object tab.

Selecting data sources


Use the objects filter and tab search field to find and select data protection entities.

Procedure
1. Log in to the Rubrik CDM web UI.
2. In the left-side menu, select the protectable object type.
Option | Description
Hyper-V VMs | Click Virtual Machines > Hyper-V VMs.
vSphere VMs | Click Virtual Machines > vSphere VMs.
AHV VMs | Click Virtual Machines > AHV VMs.
The selected page appears, with the VMs tab selected, and displays all the virtual machines present in
the system.
3. Use one of the search or sort methods to display the entities to be selected.
4. Select the entities.
A check mark appears next to each selected entity.
5. Click Manage Protection.

Result
Rubrik CDM selects the data protection entities.
Related concepts
SLA Domain assignment
Provide protection for a virtual machine through an SLA Domain.

Warning messages
As part of the task of assigning SLA Domains, the Rubrik cluster may display warning messages.
For each type of warning, the Rubrik cluster offers the option to continue or to cancel the task.
The Rubrik cluster may display the following warning messages, individually or in combination:
• Assignment Conflicts
• These VM(s) are already protected
• VMware Tools not installed
Each warning can appear separately or together in a Multiple Warnings dialog box.

Assignment Conflicts
The Rubrik CDM web UI displays the Assignment Conflicts warning when the Rubrik cluster detects a
conflict in the SLA Domain setting for a selected object.
An Assignment Conflict appears when a virtual machine inherits SLA Domains from a vCenter Server
cluster or host as well as from a vCenter Server folder. When an Assignment Conflict occurs, the SLA
Domain inherited from the vCenter Server folder applies unless the virtual machine has an individually
assigned SLA Domain.
When the Assignment Conflicts warning appears, do one of the following:
• Retain the current SLA Domain assignment.
• Inherit the SLA Domain from a parent.
• Cancel the operation and remove the selected objects from the selection set.
Assigning an SLA Domain can have retroactive effects on existing snapshots depending on the source of
the assignment.

SLA Domain assignment | Changes applied retroactively | Changes not applied retroactively
Retain the current SLA Domain assignment | Retention for the existing snapshot changes to the retention policy of the new SLA Domain. | Retention for existing snapshots does not change.
Inherit the SLA Domain from a parent | Retention for the existing snapshot changes to the retention policy of the inherited SLA Domain. | Retention for existing snapshots does not change.

To prevent the Assignment Conflicts warning from appearing again, select Don’t show this again.

Protected VMs warning


The Rubrik CDM web UI displays the protected VMs warning when the Rubrik cluster detects that an SLA
Domain setting is already associated with a selected virtual machine.
The protected VMs warning is “These VM(s) are already protected”.
When the protected VMs warning appears, do one of the following:
• Continue the operation to assign the selected SLA Domain to the protected virtual machines.
• Cancel the operation and remove the virtual machines from the selection set.
Changing the SLA Domain of a virtual machine may result in immediate expiration of some snapshots, as
described in Changing the assigned SLA Domain.

VMware tools warning


The Rubrik cluster displays the VMware tools warning when it detects that the correct version of VMware
Tools is not installed on a selected virtual machine.
The VMware tools warning is “VMware Tools not installed”.
The Rubrik cluster requires the current version of VMware Tools to perform administrative operations and
to enable application consistent snapshots. The vSphere environment specifies the current version of
VMware Tools for every virtual machine in the environment.
When the VMware tools warning appears, do one of the following:
• Continue the operation to assign the selected SLA Domain to the protected virtual machines.
• Cancel the operation and upgrade VMware Tools on each of the virtual machines in the selection set.
VMware Tools version provides more information about the role of VMware Tools for application consistent
snapshots.
For information on installing VMware Tools on a guest OS, see the How to install VMware Tools knowledge
base article.

Protection consequences
The SLA rules defined by an SLA Domain affect the protection of virtual machines in several ways. SLA
rules specify when snapshots are created, when snapshots expire, and where snapshot data is stored.
A policy driven snapshot is a snapshot that is created automatically based on the SLA rules of an SLA
Domain. In most cases, the SLA Domain that manages a policy driven snapshot is the same SLA Domain
that created the snapshot.
When the source virtual machine for a snapshot is assigned to another SLA Domain after the snapshot is
created, the new SLA Domain becomes the managing SLA Domain for the policy driven snapshot.
A policy driven snapshot can require manual management when the snapshot loses an association with the
SLA Domain.



Protect a new virtual machine
A new virtual machine is one for which no policy driven snapshots exist.
After a new virtual machine is assigned to an SLA Domain, all of the snapshots, replicas, and archival
snapshots for that virtual machine are created and managed based on the SLA rules of the SLA Domain.
The following table describes the impact of SLA Domain properties on snapshots.

SLA Domain property | Virtual machine snapshot impact
SLA rules | Determines when policy driven snapshots are created and when they automatically expire.
Local Cluster Retention Period | Determines how long the local Rubrik cluster retains snapshots. When an archival account exists for the SLA Domain, policy driven snapshots older than the Local Cluster Retention Period are automatically copied to archival snapshots on an archival location.
Replication Retention Period | Determines how long a replication target cluster retains replicas.
Maximum Retention Period | Determines how long the system retains snapshots. The Rubrik cluster automatically expires policy driven snapshots that are older than the Maximum Retention Period.

Changing the assigned SLA Domain


The SLA Domain assigned to a virtual machine can change in order to satisfy changing business
requirements.

Example: Assigning a protected virtual machine to another SLA Domain

Assume that a virtual machine was assigned to the SLA Domain D1 and later was assigned to the SLA
Domain D2. At the time of the reassignment, the virtual machine had existing policy driven snapshots.
After the reassignment, those existing policy driven snapshots are managed based on the policies set in
SLA Domain D2.
When the base snapshot frequency for D1 is higher than the frequency for D2, then existing policy-driven
snapshots that are not required by the policies of D2 are deleted from the system.
By doing this, the Rubrik cluster brings the snapshot history for the virtual machine into compliance with
the frequency and retention periods defined by D2.
When D2 specifies a higher base frequency of snapshots, the virtual machine initially appears in the SLA
Compliance reports as out of compliance with the D2 SLA Domain because the existing snapshots were
insufficient to meet the new SLA Domain rules.

Remove protection from a virtual machine


For business reasons, a user might choose to remove protection from a virtual machine by removing it
from the assigned SLA Domain.
When a virtual machine is removed from an SLA Domain, no further policy driven snapshots for the virtual
machine are created and no replication or archival activity occurs for the virtual machine.
All existing snapshots for the virtual machine must be managed manually.



Re-protect a virtual machine
At times, a virtual machine that is protected by one SLA Domain may be temporarily set to Do Not Protect,
then reassigned to another SLA Domain for protection.
When a virtual machine is reassigned to an SLA Domain, the existing snapshots of the virtual machine are
subject to the retention policies of the currently assigned SLA Domain, including:
• Local cluster retention period
• Replication retention period
• Maximum retention period

Example: Re-protecting a virtual machine

Assume that a virtual machine is protected under SLA Domain D1, the virtual machine is removed from D1,
and then the virtual machine is protected again by assigning the virtual machine to SLA Domain D2.
In this example, when the virtual machine is removed from protection, all policy driven snapshots for that
virtual machine must be managed manually.
When the virtual machine is assigned to SLA Domain D2, the policy driven snapshots for the virtual
machine are managed based on the policies defined in D2.
All existing and future snapshots for the virtual machine are subject to the rules of the D2 SLA Domain
regarding local cluster retention period, replication retention period and maximum retention period.

Local host page


The local host page provides detailed information about the protection of a virtual machine and tasks
related to the virtual machine. The local host page provides the following sections:
• An administrator assigns an object that contains the virtual machine to an SLA Domain.
• An administrator moves the virtual machine into the hierarchy of an object that is assigned to an SLA
Domain.

Viewing a local host page


Access a local host page to view information about a local virtual machine.

Procedure
1. In the Rubrik CDM web UI, on the left-side menu, select Virtual Machines > vSphere VMs.
To go directly to the page for a single virtual machine, type the name of the virtual machine in the
search box on the top bar of the Rubrik CDM web UI and select the virtual machine from the results
list.
The vSphere VMs page appears with the VMs tab selected.
2. In Name, click the name of a virtual machine.

Result
The local host page for the selected virtual machine appears.



Action bar
The Action bar provides details for a selected virtual machine.

Action | Description
Take On Demand Snapshot | Adds an on-demand snapshot of the virtual machine to the task queue. Backup Window settings defined for the SLA Domain of the virtual machine do not apply to on-demand snapshots. Only the maximum retention and remote configuration settings of the associated SLA Domain apply to on-demand snapshots.
Manage Protection | Opens the Manage Protection page where the virtual machine can be assigned to an SLA Domain for protection. When the virtual machine is already assigned to an SLA Domain, a warning appears. Click Continue to open the Manage Protection page. Click Cancel to return to the local host page.
Ellipsis menu > Delete All Snapshots | Only appears for an unprotected virtual machine. Deletes all snapshots for the virtual machine, including local snapshots, archival snapshots, and replicas.
Ellipsis menu > Exclude VMDKs | Provides access to the Exclude VMDK dialog box.
Ellipsis menu > Configure Application Consistency | Provides access to the Configure Application Consistency dialog box.
Ellipsis menu > Configure Pre/Post Scripts | Provides access to the Configure Pre/Post Scripts dialog box.
Ellipsis menu > Enable Array Integration | Only appears when the virtual machine is eligible for storage array integration. Enables storage array integration for all subsequent backups of the virtual machine.
Register Rubrik Backup Service | Establishes a connection between the Rubrik cluster and the Rubrik Backup Service (RBS) software running on the guest OS of the virtual machine.

Related concepts
Snapshots
The Rubrik cluster provides protection for virtual machines by combining native snapshot technology with
the fast and scalable cloud data management platform of the Rubrik cluster.
Storage array integration
A Rubrik cluster can integrate with a storage array to further reduce the time that a virtual machine is
quiescent during a snapshot operation. To qualify for storage array integration, all datastores assigned to
the virtual machine must reside on storage arrays.
Related tasks
Excluding VMDK files of a virtual machine
When backups are not required for some of the VMDK files of a virtual machine, exclude those VMDK files
from backups.
Specifying crash consistent backups
By default, the Rubrik cluster initiates application consistent backups for a virtual machine when the
environment of the virtual machine meets the requirements of application consistent backups.

Overview card
Information available on the Overview card.

Field | Description
vCenter | IP address of the vCenter Server that manages the virtual machine.
Host or Cloud Conversion | Host: For virtual machines that are assigned to an SLA Domain without an Archival policy, shows the IP address of the hypervisor that hosts the virtual machine. Cloud Conversion: For virtual machines that are assigned to an SLA Domain with an Archival policy, shows the Configure button and either Disabled or the name of the archival location.
SLA Domain | Name of the SLA Domain that manages the protection of the selected virtual machine.
Live Mounts | Number of live mounts for snapshots associated with the selected virtual machine.
Oldest Snapshot | Timestamp for the oldest snapshot associated with the selected virtual machine. When the SLA Domain has an active archival policy, the oldest snapshot resides at the archival location.
Latest Snapshot | Timestamp for the most recent successful snapshot of the selected virtual machine.
Total Snapshots | Total number of retained snapshots for the selected virtual machine, including both the local Rubrik cluster and any archival location.
Missed Snapshots | Number of policy driven snapshots that did not complete successfully. A missed snapshot is included in the count until the period since the SLA Domain policy required the snapshot exceeds the retention period of the SLA Domain.

Snapshots card
For the selected local virtual machine, the Snapshots card provides the ability to browse the snapshots that
reside on the local Rubrik cluster and on the archival location.
The Snapshots card provides access to snapshot information through a series of calendar views. Each view
uses color spots to indicate the presence of snapshots on a date and to indicate the status of SLA Domain
compliance for the virtual machine on that date.
The Snapshots card also provides the ability to search for files across all of the snapshots of the virtual
machine.
Snapshots in the calendar view are color coded by status.



Color | Status
Green | All snapshots required by SLA Domain policy were successfully created.
Orange | All snapshots required by SLA Domain policy were successfully created but at least one snapshot caused a warning.
Red | At least one snapshot required by SLA Domain policy was not successfully created.

Snapshots card calendar view


The calendar view displays information at different levels of granularity based on the selected time period.

View | Description
Year | The Year view displays snapshot creation information for an entire year. A color spot indicator on a specific date indicates snapshot activity, and displays the SLA Domain compliance status for that day.
Month | The Month view displays snapshot creation information for an entire month. A color spot indicator on a specific date indicates snapshot activity, and displays the SLA Domain compliance status for that day.
Day | The Day view displays the individual snapshots that were created on the selected day. The Day view also provides the additional information and actions described in the following section.

Day view for a local virtual machine


For a local virtual machine, the day view provides information about snapshots. To view the details for
each snapshot, expand the entry in the day view.

Category | Description
Created Time | Creation time of the snapshot.
Location | For a snapshot that resides only on local storage the indicator field is empty. Separate icons indicate a snapshot that resides at an archival location, a snapshot that resides locally and at an archival location, and a replica of the snapshot that was sent to the target Rubrik cluster.
Status | One icon indicates a warning for the snapshot entry; hover over the icon to see additional information. Another icon indicates that the policy driven snapshot represented by the entry was not completed successfully.
Source action | One icon indicates a policy driven snapshot. Another icon indicates an on-demand snapshot.
Local Expiration Date | The date when this snapshot will expire.
Archive Location | The archive location for the snapshot that was set in the SLA Domain.
Expiration Date | The date when the archival snapshot will expire. The word Computing in this field indicates that the expiration date is being calculated.

Actions available on the day view for a local virtual machine


For a local virtual machine, the day view provides the ability to initiate various actions with snapshots.
Access the actions by clicking the ellipsis menu.

Command | Description
Search by File Name | Use the predictive search field to find a file by typing the name.
Mount Virtual Disk | Use the snapshot to create and mount a new virtual disk on a hypervisor host.
Mount Virtual Machine | Use the snapshot to create and mount a new virtual machine on a hypervisor host. The new virtual machine is uniquely named within the virtualization management system. The name of the recovered virtual machine is constructed as follows: name of source virtual machine + timestamp of snapshot + incremented integer. The new virtual machine is powered on but is disconnected from the network. The local Rubrik cluster is the datastore for the new virtual machine.
Instantly Recover | Restore a virtual machine into the production environment by using the selected snapshot. The new virtual machine is given the same name as the source virtual machine and is powered on and connected to the network. The source virtual machine is powered off and renamed. The local Rubrik cluster serves as the datastore for the new virtual machine.
Export | Use the snapshot to create and mount on a hypervisor host a new virtual machine that is a copy of the local virtual machine. The new virtual machine is uniquely named within the virtualization management system. The name of the recovered virtual machine is constructed as follows: name of source virtual machine + timestamp of snapshot + incremented integer. The new virtual machine is powered on but is disconnected from the network. The hypervisor host is the datastore for the new virtual machine.
Recover Files | Open a file browser view on the selected snapshot. Use this view to find, select, and download a file or folder from the snapshot. Restoring from notification link describes how to download a file or folder.
Delete | Delete the selected snapshot. This command only appears for snapshots that are not created based on an SLA Domain policy, such as on-demand snapshots, retrieved snapshots, and snapshots for an unprotected virtual machine.
Launch On Cloud | Use the snapshot to instantiate a virtual machine.
Place on legal hold | The snapshot is retained indefinitely.
Change Retention | For more information, see Changing the retention policy for snapshots.

Archival snapshot action | Description
Download | Transfer a copy of the selected snapshot to the local Rubrik cluster so that it is available for additional local actions. The local Rubrik cluster provides a notification when the download is completed.
Recover Files | Open a file browser view on the selected snapshot. Use this view to find, select, and download a file or folder from the snapshot. Restoring from notification link describes how to download a file or folder.
Launch On Cloud | Use the snapshot to instantiate a virtual machine.
Place on legal hold | The snapshot is retained indefinitely.
Change Retention | For more information, see Changing the retention policy for snapshots.



Snapshots
The Rubrik cluster provides protection for virtual machines by combining native snapshot technology with
the fast and scalable cloud data management platform of the Rubrik cluster.

Backup processes
A Rubrik cluster backs up a virtual machine by creating a snapshot of the virtual machine by using VMware
APIs for Data Protection. For Windows guests, the Rubrik cluster uses the Rubrik Backup Service software
to pass a request to the Volume Shadow Copy Service component of the Windows OS.
When a Rubrik cluster begins protecting a virtual machine, the Rubrik cluster starts by creating a first full
snapshot of the virtual machine. This first full snapshot is a complete backup of the virtual machine.
After the first full snapshot, the Rubrik cluster continues protection of the virtual machine by creating
incremental snapshots based on the change information provided by Changed Block Tracking (CBT). Each
incremental snapshot on the Rubrik cluster only includes the data blocks that have changed since the last
snapshot.
The vSphere environment transmits the snapshot data to the Rubrik cluster using the most efficient
available transport mode. Normally, the vSphere environment uses the Network Block Device protocol
with Secure Sockets Layer encryption (NBDSSL). The high efficiency of the Rubrik cluster eliminates data
bottlenecks, enabling data transmission rates that minimize the time that a virtual machine is quiescent.
For virtual machine disks (VMDKs) that are stored on a storage area network (SAN), the Rubrik cluster
can use the SAN transport mode. In this mode, the Rubrik cluster uses the Internet Small Computer Systems
Interface (iSCSI) protocol to obtain snapshot data over a direct connection to the storage array, resulting in
very fast data transmission.

Snapshot window
An SLA Domain can be configured to include a snapshot window. A snapshot window determines the
period in a day during which the Rubrik cluster can initiate policy-driven snapshots of the objects that the
SLA Domain protects.
When using the snapshot window policy, the specified window must be long enough to accommodate the
number of objects that are assigned to the SLA Domain. Monitor the snapshot activity of the SLA Domain
to ensure that all policy-driven snapshots are successfully completed. When necessary, lengthen the period
to permit all snapshots to be completed successfully.

Protection exceptions
The Rubrik cluster cannot protect data when protection exceptions exist.
Protection exceptions include:
• VMDKs that are set to Independent-Persistent mode or to Independent-Nonpersistent mode.
• Network drives that are mounted on the file system of a protected virtual machine.
• Any virtual machine for which the Rubrik cluster does not have snapshot creation permission because of
settings on the virtual machine or on a vSphere folder that contains the virtual machine.
• Any virtual machine data that resides on raw disk mappings (RDMs), where the RDMs are set to
Physical compatibility mode.



Backup consistency levels
The Rubrik cluster provides the highest possible level of backup consistency for a vSphere virtual machine.
The highest possible level is determined by several factors.
The Rubrik cluster provides the highest level of backup consistency when Rubrik Backup Service software
is installed, along with an up-to-date version of VMware Tools. The following table explains the different
backup consistency levels, and the situations where they apply.

Consistency level: Inconsistent
Description: The lowest level of backup consistency. Each file is copied to the backup target without quiescence. File operations are not stopped. The result is inconsistent timestamps across the backup and, potentially, corrupted files.
Rubrik usage: Not provided.

Consistency level: Crash consistent
Description: A point-in-time snapshot but without quiescence.
• Timestamps are consistent.
• Pending updates for open files are not saved.
• In-flight I/O operations are not completed.
The snapshot can be used to restore the virtual machine to the same state that a hard reset would produce.
Rubrik usage: Provided when:
• Guest OS does not have VMware Tools installed.
• Guest OS has an out-of-date version of VMware Tools.

Consistency level: File system consistent
Description: A point-in-time snapshot with quiescence.
• Timestamps are consistent.
• Pending updates for open files are saved.
• In-flight I/O operations are completed.
• Application-specific operations may not be completed.
Rubrik usage: Provided when the guest OS has an up-to-date version of VMware Tools and:
• Application consistency is not supported for the guest OS.
• Guest OS is Windows.

Consistency level: Application consistent
Description: A point-in-time snapshot with quiescence and application-awareness.
• Timestamps are consistent.
• Pending updates for open files are saved.
• In-flight I/O operations are completed.
• Application-specific operations are completed.
Rubrik usage: Provided when:
• Guest OS is Windows and RBS is installed and registered.
• Guest OS is not Windows, the guest has an up-to-date version of VMware Tools, and application consistency is supported for the guest OS.



VMware Tools version

The Rubrik cluster determines whether a guest OS is running the current version of VMware Tools.
The Rubrik cluster requests the status of VMware Tools on a virtual machine from the vSphere
environment. When the vSphere environment replies that a virtual machine is not running the current
version of VMware Tools, the Rubrik cluster displays a warning message. Warning messages provides
information about the warning message.
To ensure file system consistent snapshots or application consistent snapshots for a virtual machine,
always install the most up-to-date version of VMware Tools.
For information on installing VMware Tools on a guest OS, see How to install VMware Tools.

Application consistency
The Rubrik cluster supports application-consistent snapshots for many guest OS types and application
types.
The Rubrik cluster supports application-consistent snapshots for applications such as:
• Microsoft Exchange Server
• Microsoft SQL Server
• Microsoft Active Directory
• Microsoft SharePoint
• Oracle Database (RDBMS) running through Managed Volume protection
To enable application-consistent snapshots for the Microsoft applications, RBS must be installed on the
guest OS.
For Windows, if RBS is not installed, but VMware Tools is installed, the Rubrik cluster attempts to quiesce
the Windows virtual machine using VMware Tools. The cluster attempts application consistency, but cannot
guarantee this outcome.
The Rubrik cluster does not support restore of an application-consistent snapshot into an availability group.
Cluster consistency for the availability group cannot be ensured in this situation and problems may occur.
Related concepts
Rubrik Backup Service
The Rubrik Backup Service provides enhanced integration with protected resources and host systems.

Specifying crash consistent backups


By default, the Rubrik cluster initiates application consistent backups for a virtual machine when the
environment of the virtual machine meets the requirements of application consistent backups.

Context
Specify crash consistent backups to prevent application consistent backups and minimize the effects of
virtual machine stun.

Procedure
1. In the Rubrik CDM web UI, on the left-side menu, select Virtual Machines > vSphere VMs.
The vSphere VMs page appears with the VMs tab selected.
2. Click the name of a virtual machine.
The local host page for the selected virtual machine appears.
3. Open the ellipsis menu, and select Configure Application Consistency.
The Configure Application Consistency dialog box appears.

4. Select Crash Consistent.
5. Click Update.

Result
The Rubrik cluster applies the setting to all future backups of the virtual machine.
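
The decision logic of the Backup consistency levels table, combined with the Crash Consistent setting described above, written out as an added Python example for auditing an inventory (this is not Rubrik code and calls no Rubrik API). The VM fields, the constructed inventory, and the choice to read the "Windows and RBS is installed and registered" row literally, regardless of VMware Tools status, are assumptions of this example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Consistency levels from the table, ordered weakest to strongest."""
    CRASH = 1
    FILE_SYSTEM = 2
    APPLICATION = 3


TOOLS_STATES = ("current", "outdated", "missing")


@dataclass(frozen=True)
class VM:
    # Hypothetical record for this example; field names are not Rubrik's.
    name: str
    windows: bool                 # guest OS is Windows
    tools: str                    # VMware Tools: "current", "outdated" or "missing"
    rbs_registered: bool = False  # Rubrik Backup Service installed and registered
    app_supported: bool = False   # application consistency supported for the guest OS
    force_crash: bool = False     # Crash Consistent selected for this VM


def expected_level(vm):
    """Return (Level, reason) that the table predicts for one VM."""
    if vm.tools not in TOOLS_STATES:
        raise ValueError(f"{vm.name}: unknown VMware Tools state {vm.tools!r}")
    # The per-VM Crash Consistent setting prevents application consistent backups.
    if vm.force_crash:
        return Level.CRASH, "Crash Consistent is configured for this VM"
    # Assumption: this table row is read literally, without a VMware Tools check.
    if vm.windows and vm.rbs_registered:
        return Level.APPLICATION, "Windows guest with RBS installed and registered"
    # Without current VMware Tools there is no quiescence.
    if vm.tools != "current":
        return Level.CRASH, f"VMware Tools is {vm.tools}"
    if not vm.windows and vm.app_supported:
        return Level.APPLICATION, "current VMware Tools, application consistency supported"
    if vm.windows:
        # The cluster attempts application consistency through VMware Tools
        # but cannot guarantee it, so only the guaranteed level is reported.
        return Level.FILE_SYSTEM, "Windows guest without RBS; application consistency not guaranteed"
    return Level.FILE_SYSTEM, "application consistency not supported for this guest OS"


def audit(inventory, required):
    """Return (name, level name, reason) for every VM below the required level."""
    findings = []
    for vm in inventory:
        level, reason = expected_level(vm)
        if level < required:
            findings.append((vm.name, level.name, reason))
    return findings


# Constructed sample inventory, not taken from any real environment.
INVENTORY = [
    VM("sql-prod-01", windows=True, tools="current", rbs_registered=True),
    VM("exch-01", windows=True, tools="current"),
    VM("web-03", windows=False, tools="outdated", app_supported=True),
    VM("db-linux-02", windows=False, tools="current", app_supported=True),
    VM("build-07", windows=False, tools="current"),
    VM("sql-test-09", windows=True, tools="current", rbs_registered=True, force_crash=True),
    VM("legacy-04", windows=True, tools="missing"),
]

if __name__ == "__main__":
    for name, level, reason in audit(INVENTORY, Level.APPLICATION):
        print(f"{name}: expected {level} ({reason})")
```

Run against a real inventory export, the findings list shows which database or directory servers would be restored from a weaker snapshot than their recovery plan assumes.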

On-demand snapshots
In addition to policy-based snapshots, create virtual machine snapshots by using the on-demand snapshot
process.
A Rubrik cluster creates policy-based snapshots of protected virtual machines automatically, according to
the SLA rules of the associated SLA Domain.
Additional snapshots of protected virtual machines, and snapshots of unprotected virtual machines can be
created by using the on-demand snapshot process.

Creating an on-demand snapshot of a vSphere virtual machine


Select one or more vSphere virtual machines to take on-demand snapshots for those virtual machines.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Virtual Machines > vSphere VMs.
The vSphere VMs page appears, with the VMs tab selected.
3. Select one or more virtual machines from the list.
4. Open the ellipsis menu and click Take On Demand Snapshot.
When taking an on-demand snapshot for the number of virtual machines selected would result in a
cluster load that affects the compliance of existing SLA Domains, a warning appears. Click Continue
Anyway to dismiss the warning or Cancel to return to the virtual machines list and select fewer
virtual machines.
The Take On Demand Snapshot wizard appears, set to the Assign SLA step.
5. Select an SLA Domain and click Next.
The Rubrik cluster bases the retention period of the on-demand snapshot on the retention period and
frequency of the assigned SLA Domain. The Rubrik cluster uses the remote configuration settings of
the associated SLA Domain to manage the on-demand snapshot. The selected SLA Domain can be
different from the SLA Domain that protects the virtual machine.
The Take On Demand Snapshot wizard advances to the Review Impact step.
6. Review the retention settings of the selected SLA Domain and click Take On Demand Snapshot.

Result
The Rubrik cluster adds the specified on-demand snapshot tasks to the task queue. The Activity Log tracks
the status of the on-demand backup tasks.
Related concepts
Retention management
Assign retention policies to existing scheduled snapshots, on-demand snapshots, and snapshots retrieved
from an archival location.
Snapshot Management page
The Snapshot Management page provides access to snapshot and backup information for protected
objects and relic objects.

Snapshot expiration
A Rubrik cluster always retains the latest snapshot of a protected object at locations specified in the SLA
Domain, even when the retention period for all snapshots has expired.
When the retention period for a snapshot ends, the cluster marks the snapshot as expired. Expired
snapshots are no longer listed as a Snapshot Management object in the Rubrik CDM user interface.
The Rubrik cluster periodically deletes expired snapshots, but retains expired snapshots that meet specific
criteria.

SLA Domain type | Snapshot at a location specified in SLA Domain | Expired snapshot retained
Protection | Yes | Latest snapshot retained indefinitely.
Protection | No | Latest snapshot retained according to the settings of the SLA Domain.
Retention | Yes | Latest snapshot retained unless it is the last snapshot at the location.
Retention | No | Latest snapshot retained according to the settings of the SLA Domain.
None | n/a | Latest snapshot retained unless it is the last snapshot at the location.

Unmanaged data
Manage file system and application data that is not subject to a retention policy through the Snapshot
Management page of the Rubrik CDM web UI.
The Rubrik cluster defines backups and snapshots that do not have a retention policy as unmanaged
snapshot objects. Unmanaged snapshot objects can be managed through the Snapshot Management page
of the Rubrik CDM web UI.
View the Snapshot Management page for information about tasks with unmanaged snapshot objects.
Related concepts
Retention management
Assign retention policies to existing scheduled snapshots, on-demand snapshots, and snapshots retrieved
from an archival location.

Recovering and restoring virtual machine data


The Rubrik cluster provides a variety of methods to recover virtual machines and to restore protected data.
Recover virtual machines and restore data by using snapshots, replicas, and archival snapshots.
When snapshot data exists in a local snapshot and in an archival snapshot, the Rubrik cluster always
uses the local snapshot to recover a virtual machine or to restore data. By using the local snapshot, the
Rubrik cluster reduces network impact and eliminates any archival data recovery charges associated with a
recovery operation or a restore operation.

Recovery of virtual machines
For a Rubrik cluster, recovery of a source virtual machine means to mount a point-in-time copy of the
source virtual machine.
A Rubrik cluster provides the following recovery mechanisms to recover virtual machines from Rubrik data
protection objects like snapshots, replicas, and archival snapshots:
• Instant Recovery
• Live Mount
• Export
• In-Place Recovery
The following table compares the available recovery actions.

| Action | Name of recovered virtual machine | Datastore | Power state | Network | Source virtual machine |
|---|---|---|---|---|---|
| Instant Recovery | Same as the name of the source virtual machine | Local Rubrik cluster | On | Connected (Optional) | Powered off and renamed |
| Live Mount | Composite | Local Rubrik cluster | On | Disconnected | No impact |
| Export | Composite | Datastore of hypervisor | On | Disconnected | No impact |
| In-Place Recovery | Same as the name of the source virtual machine | Datastore of hypervisor | On | Same as the source virtual machine | In-Place Recovery overwrites the virtual disk files of the source virtual machine with the virtual disk data from the snapshot, without changing the properties of the virtual machine |

The name of the recovered virtual machine is constructed as follows: name of source virtual machine +
timestamp of snapshot + incremented integer. For example, the first mount of the snapshot of the virtual
machine “NitroN1” that was created at “08-04 06:48” is named “NitroN1 08-04 06:48 0”.
Related concepts
Minimum vCenter Server privileges

Recovery actions by snapshot type
The Rubrik cluster supports different recovery actions based on the snapshot type.

| Snapshot type | Initiated from | Available recovery actions |
|---|---|---|
| Local | The local Rubrik cluster | Instant Recovery, Live Mount, Export, In-Place Recovery |
| Replica | The target Rubrik cluster | Live Mount, Export |
| Archival | The local Rubrik cluster, after the archival snapshot is downloaded to the local Rubrik cluster | Instant Recovery, Live Mount, Export, In-Place Recovery |

Selecting a snapshot or an archival snapshot


Use the local Rubrik CDM web UI to select a snapshot before applying a recovery action.

Context
Use the search box on the top bar of the Rubrik CDM web UI to directly access the local host page when
the name of the source virtual machine is known.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Virtual Machines > vSphere VMs.
The vSphere VMs page appears, with the VMs tab selected.
3. (Unmanaged virtual machines only) Select Snapshot Management.
4. Click the name of a virtual machine.
The local host page for the selected virtual machine appears.
5. Use the Snapshots card to navigate to a snapshot or an archival snapshot.
6. (Recovering archival snapshot only) Open the ellipsis menu for the snapshot and click Download.
The Rubrik cluster retrieves the archival snapshot. Status of the retrieval appears in the Activity Log.
The Rubrik cluster does not apply a retention setting to a downloaded archival snapshot. Archival
snapshots downloaded to local storage must be manually deleted.

Result
Any of the available recovery actions can be performed on the selected snapshot.
Related concepts
Local host page
Activity Log
The Activity Log contains log messages about standard tasks and notifications that are considered time
sensitive.

Selecting a replica
Select a replica from the replication target Rubrik cluster to use for a recovery action.

Procedure
1. Log in to the Rubrik CDM web UI on the replication target Rubrik cluster.
Use the search box on the top bar of the Rubrik CDM web UI to directly access the Remote VM Details
page when the name of the source virtual machine is known.
2. On the left-side menu of the Rubrik CDM web UI, select SLA Domains > Remote Domains.
The Remote SLA Domains page appears.
3. Select a remote SLA Domain.
The page for the selected SLA Domain appears.
4. In the Virtual Machines section of the remote SLA Domain’s page, click the name of a virtual machine.
The Remote VM Details page for the selected virtual machine appears.
5. Use the Snapshots card to navigate to a replica.

Result
Any of the available recovery actions can be performed on the selected replica.

Virtual machine recovery


Virtual machine recovery involves selecting a data protection object and an available recovery action.
Rubrik CDM offers recovery options, such as Instant Recovery, Live Mount, Export, and In-Place Recovery
to recover virtual machines from data protection objects, such as local snapshots, replica snapshots, and
archival snapshots.
The Instant Recovery and In-Place Recovery mechanisms are not available for replica snapshots. The
Rubrik cluster turns on the recovered virtual machine after the recovery action is complete. The Rubrik
CDM web UI enables power management and deletion for the recovered virtual machine.

Live migration
A recovered virtual machine can be live migrated using a process such as vSphere Storage vMotion.
After live migration of a virtual machine that was recovered by the Instant Recovery or Live Mount actions,
metadata for the recovered virtual machine remains on the Rubrik cluster. Delete the metadata for the
recovered virtual machine through the Live Mounts page of the Rubrik CDM web UI by using the Force
Delete option.
Related concepts
Minimum vCenter Server privileges
Related tasks
Removing a virtual machine entry after live migration
After live migration of a recovered virtual machine the Rubrik cluster maintains an entry for the recovered
and migrated virtual machine on the Live Mounts page. Perform this task to remove the entry from the
Live Mounts page.

Virtual raw disk mappings


A data protection object from a virtual machine that has a virtual raw disk mapping (vRDM) can be
recovered.
When a virtual machine with vRDM mappings is recovered, the Rubrik cluster converts the vRDM mappings
to VMDKs.

esx_subnets and IP addresses


The esx_subnets setting filters ESXi host IP addresses differently for VMware export operations than for
Instant Recovery and Live Mount operations.
The esxSubnets setting limits the ESXi host IP addresses that can be used for Live Mount and Export
of vSphere snapshots. After esxSubnets is configured, only ESXi host IP addresses that are in a subnet
specified by esxSubnets can be used for Live Mount and Export. A Live Mount does not succeed if it specifies
an ESXi host that does not have an IP address within a subnet specified by esxSubnets.
When an ESXi host has multiple IP addresses, the esx_subnets filter them as follows:
• For VMware export operations, the configured esx_subnets filter the IP addresses of ESXi hosts. For
each IP address within the esx_subnets, an entry that maps the IP address to the ESXi host FQDN is
added to the /etc/hosts file. These hosts file entries take priority over DNS lookups and point VMware
exports to the specified IP address of an ESXi host.
• For VMware Live Mount or Instant Recovery operations, the esx_subnets filter the multiple ESXi host IP
addresses. The IP addresses within the esx_subnets are used for IP address matching or optimization
efforts that select the best local IP address and use it for datastore exports during mount operations.
Configure the esx_subnets by using the network esx_subnet CLI command.
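
To preview which ESXi host addresses survive a planned esx_subnets value before configuring it, the filtering described above can be modeled offline. This is an added example, not Rubrik code: the subnets, host names, addresses, and function names are all constructed, and treating an empty subnet list as "not configured, no restriction" for Live Mount is an assumption.

```python
import ipaddress

# Constructed sample data. The subnets stand in for values given to the
# esx_subnets setting; the hosts are fictitious multi-homed ESXi hosts.
ESX_SUBNETS = ["192.0.2.0/24", "198.51.100.0/25"]
ESXI_HOSTS = {
    "esx01.example.test": ["192.0.2.11", "10.20.0.11"],
    "esx02.example.test": ["10.20.0.12"],
    "esx03.example.test": ["198.51.100.200", "198.51.100.20", "192.0.2.13"],
}


def parse_subnets(subnets):
    """Parse CIDR strings; strict=True rejects entries that have host bits set."""
    return [ipaddress.ip_network(s.strip(), strict=True) for s in subnets]


def allowed_addresses(host_ips, networks):
    """Return the host addresses that fall inside any configured subnet."""
    addresses = [ipaddress.ip_address(ip) for ip in host_ips]
    return [a for a in addresses if any(a in n for n in networks)]


def live_mount_allowed(fqdn, hosts, networks):
    """A Live Mount target needs at least one address inside esx_subnets.

    Assumption: with no subnets configured, no restriction applies.
    """
    if not networks:
        return True
    return bool(allowed_addresses(hosts.get(fqdn, []), networks))


def export_hosts_entries(hosts, networks):
    """Build the IP-to-FQDN lines that pin exports to in-subnet addresses."""
    lines = []
    for fqdn in sorted(hosts):
        for addr in allowed_addresses(hosts[fqdn], networks):
            lines.append(f"{addr}\t{fqdn}")
    return lines


def audit(hosts, subnets):
    """Summarise, per host, which addresses are kept and which are dropped."""
    networks = parse_subnets(subnets)
    report = {}
    for fqdn, ips in hosts.items():
        kept = [str(a) for a in allowed_addresses(ips, networks)]
        report[fqdn] = {
            "kept": kept,
            "dropped": [ip for ip in ips if ip not in kept],
            "live_mount_allowed": live_mount_allowed(fqdn, hosts, networks),
        }
    return report


if __name__ == "__main__":
    nets = parse_subnets(ESX_SUBNETS)
    for line in export_hosts_entries(ESXI_HOSTS, nets):
        print(line)
    for name, row in audit(ESXI_HOSTS, ESX_SUBNETS).items():
        print(name, row)
```

A host such as esx02 in the sample, with no address inside any listed subnet, is the case that makes a Live Mount fail after the setting is applied.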

Performing an Instant Recovery for a vSphere virtual machine


Perform an Instant Recovery to replace the source virtual machine with a fully functional point-in-time
copy.

Context
During an Instant Recovery, the Rubrik cluster powers off and renames the source virtual machine, then
assigns the original name of the source virtual machine to the recovered virtual machine. The Rubrik
cluster powers on the recovered virtual machine and connects it to the source network.
The Rubrik cluster acts as the datastore for the recovered virtual machine. Migrate the recovered virtual
machine to another datastore managed by a vCenter Server to prevent data loss when the Rubrik cluster
unmounts the Live Mount.
Perform an instant recovery of a virtual machine to these resources:
• A cluster of ESXi hosts
• An individually managed vSphere or ESXi host
• A vSphere resource pool

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Virtual Machines > vSphere VMs.
To work with data from an unmanaged virtual machine on the Snapshot Management page, click
Snapshot Management from the left pane. Then, continue with the following steps from the
Snapshot Management page instead of the Virtual Machines page.
The vSphere VMs page appears with the VMs tab selected, and displays all the virtual machines in the
system.
3. Click the name of a virtual machine.
Search the list by entering a text string in the Search field.
The local host page for the selected virtual machine appears.
4. Use the Snapshots card to navigate to a snapshot or an archival snapshot.
5. (Recovering archival snapshot only) Open the ellipsis menu for the snapshot.
6. (Recovering archival snapshot only) On the ellipsis menu, click Download.
The Rubrik cluster does not apply a retention setting to a downloaded archival snapshot. Manually
delete a downloaded archival snapshot that is no longer required on local storage.
The Rubrik cluster retrieves the archival snapshot. Status of the retrieval appears on the Activity Log.
7. Perform one of the available recovery actions on the selected snapshot or restore files and folders
from the selected snapshot.
8. Open the ellipsis menu for the snapshot.
9. Click Instantly Recover.
The Instantly Recover Snapshot wizard appears with the Select Destination page, displaying a list of
compute clusters and standalone hosts.
10. In Select Destination, select the target resource to instantly recover the virtual machine snapshot.
| Option | Description |
|---|---|
| Compute cluster | Select a compute cluster. |
| vSphere resource pool | Select a resource pool, or click the name of a resource pool to choose from the children resource pools. |
| Host | Select a standalone host, or click the name of a compute cluster to select a vSphere host. |
To search the list of hosts or resource pools, type a search string in the search field.
11. Optional: In Advanced Settings, select Remove Tags to skip attempts to re-associate vSphere tags
with the virtual machine.
12. Click Next.
The Instantly Recover Snapshot wizard progresses to the Select Network page.
13. Optional: Switch on the Customize network selection toggle to connect the virtual network
adapter to a specific virtual network configured on the vCenter.
By default, the virtual network adapter connects to the virtual network matching with the name
recorded in the snapshot. The snapshot contains the details of the adapter on the virtual machine and
the corresponding virtual network.
14. (Customize network selection only) In Network, select a network from the list for every network
adapter.
15. Optional: In Advanced network options, select an option.
More than one option can be selected.
| Option | Description |
|---|---|
| Remove virtual network devices | Select this option when networking changes or issues prevent the virtual machine from starting. |
| Preserve MAC addresses | Select this option to use the MAC addresses from the snapshot instead of assigning new MAC addresses. When the snapshot contains manually assigned MAC addresses, those MAC addresses are used even when this option is not selected. |
16. Click Instantly Recover.
During the process, messages about the status appear in the Activity Log. The Rubrik cluster also
records the final result of the task in the Activity Log.
The Rubrik cluster lists the recovered virtual machine on the Live Mounts page of the Rubrik CDM web
UI.
17. Migrate the virtual machine to a datastore managed by a vCenter Server.
• Use the Migrate Datastore feature in the Rubrik CDM web UI.
• Use vSphere Storage vMotion in the vSphere UI.
18. (When using vSphere Storage vMotion) Power off and unmount the Live Mount after migration is
complete.
Unmounting removes the live mount entry from the CDM web UI. The recovered virtual machine
continues to run from the new datastore. Snapshots of the recovered virtual machine are available
through the Snapshot Management page.

Result
The Rubrik cluster instantly recovers the virtual machine with a fully functional point-in-time copy.
Related concepts
Local host page
Activity Log
The Activity Log contains log messages about standard tasks and notifications that are considered time
sensitive.
Related tasks
Selecting a snapshot or an archival snapshot
Use the Rubrik CDM web UI to select a snapshot before applying a recovery action.
Powering off after Instant Recovery or Live Mount
Power off a recovered virtual machine from the Live Mounts page of the Rubrik CDM web UI.
Unmounting after Instant Recovery or Live Mount
Unmount a recovered virtual machine from the Live Mounts page of the Rubrik CDM web UI. The Live
Mounts page lists all recovered virtual machines that were recovered by using Instant Recovery or Live
Mount from the local Rubrik cluster.

Creating a Live Mount of a vSphere virtual machine


A Live Mount creates a new virtual machine from a point-in-time copy of the source virtual machine. The
live mounted virtual machine uses the Rubrik cluster as its datastore.

Context
The Rubrik cluster Live Mounts a virtual machine from a snapshot. The Live Mounted virtual machine has a
new name and can be optionally:
• Connected to the network
• Limited to ESXi subnet IP addresses
• Powered on
The Live Mount can be mounted on any of the following:
• ESXi cluster
• Single ESXi host
• vSphere resource pool

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Virtual Machines > vSphere VMs.
To work with data from an unmanaged virtual machine on the Snapshot Management page, click
Snapshot Management from the left pane. Then, continue with the following steps from the
Snapshot Management page instead of the Virtual Machines page.
The vSphere VMs page appears with the VMs tab selected, and displays all the virtual machines in the
system.
3. Click the name of a virtual machine.
Search the list by entering a text string in the Search field.
The local host page for the selected virtual machine appears.
4. Use the Snapshots card to navigate to a snapshot or an archival snapshot.
5. Open the ellipsis menu for the snapshot or replica.
6. Click Mount Virtual Machine.
The Mount Virtual Machine wizard appears with the Select Destination page, displaying a list of
compute clusters and standalone hosts.
7. In Select Destination, select the target resource to mount the virtual machine snapshot.
| Option | Description |
|---|---|
| Mount on a compute cluster | Select a compute cluster. |
| Mount on a vSphere resource pool | Select a resource pool, or click the name of a resource pool to choose from the children resource pools. |
| Mount on a host | Select a standalone host, or click the name of a compute cluster to select a vSphere host. |
To search the list of hosts or resource pools, type a search string in the search field.
8. Optional: In Advanced Settings, type the name of the mounted virtual machine.
9. Optional: Select one or more of the following Advanced Settings.
| Option | Description |
|---|---|
| Power on mounted virtual machine | Select this option to start the virtual machine when the mount is completed. |
| Remove Tags | Select this option to skip attempts to re-associate vSphere tags with the virtual machine. |
10. Click Next.
The Mount Virtual Machine wizard progresses to the Select Network page.
11. Optional: Switch on the Customize network selection toggle to connect the virtual network
adapter to a specific virtual network configured on the vCenter.
By default, the virtual network adapter connects to the virtual network matching with the name
recorded in the snapshot. The snapshot contains the details of the adapter on the virtual machine and
the corresponding virtual network.
12. (Customize network selection only) In Network, select a network from the list for every network
adapter.
13. Optional: In Advanced network options, select an option.
More than one option can be selected.
| Option | Description |
|---|---|
| Remove virtual network devices | Select this option when networking changes or issues prevent the virtual machine from starting. |
| Preserve MAC addresses | Select this option to use the MAC addresses from the snapshot instead of assigning new MAC addresses. |
MAC address conflicts can result in VMware clearing the MAC address even when the Preserve MAC
addresses option is selected. Consult the VMware documentation for details.
14. Click Mount.

Result
The Rubrik cluster creates the Live Mount and makes it available through the specified management host.
The Rubrik cluster sets the protection state of the Live Mounted virtual machine to Do Not Protect.

Next task
When necessary, enable networking for the virtual machine and power it on. Protect the virtual machine
by assigning it to an SLA Domain, or by removing the Do Not Protect assignment that blocks derived
protection.
Related concepts
Local host page
Related tasks
Selecting a snapshot or an archival snapshot
Use the Rubrik CDM web UI to select a snapshot before applying a recovery action.
Selecting a replica
Use the Rubrik CDM web UI of the replication target Rubrik cluster to select a replica before applying a
recovery action.
Related information
https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.networking.doc/GUID-290AE852-1894-4FB4-A8CA-35E3F7D2ECDF.html

Migrating a virtual machine to a vCenter Server datastore


Migrate a virtual machine off the Rubrik datastore to return control of the virtual machine VMDKs to the
vCenter Server and to free up storage on the Rubrik cluster.

Context
A Live Mount mounts the VMDKs of a virtual machine on the Rubrik cluster. The Rubrik cluster acts as the
datastore for the virtual machine, and appears as a datastore in the vSphere web client.
During migration, the Rubrik cluster uses Storage vMotion to migrate the VMDKs to a non-Rubrik
datastore. The vCenter Server that controls the virtual machine directly manages the non-Rubrik datastore.
Rubrik can export a VMDK as Thick Provisioned or Thin Provisioned. When selecting the destination
storage for the virtual machine migration in the VMware environment, consider whether to keep the same
format as the source.

Note: Migrate Datastore migrates the data from all of the VMDKs to the selected target vSphere
datastore. If the virtual machine also has disks that are not on the Rubrik cluster, the data on those disks
migrates at the same time.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu of the Rubrik CDM web UI, select Live Mounts > vSphere VMs.
The vSphere VM Live Mounts page appears.
3. Open the ellipsis menu next to a vSphere VM Live Mount and select Migrate Datastore.
The Migrate Datastore dialog box appears.
4. Select the target datastore from the list and click Migrate.

Result
The Rubrik cluster completes the migration.

Verifying successful migration of a virtual machine


Verify the migration of a virtual machine to a vCenter Server datastore.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu of the Rubrik CDM web UI, select Virtual Machines > vSphere VMs.
The vSphere VMs page appears with the VMs tab selected.
3. Click the name of the migrated virtual machine.
The Local host page appears.
4. Review the Activities card for the virtual machine and check for a message that indicates the virtual
machine was migrated successfully.

Result
The Rubrik CDM web UI verifies the migration of a virtual machine to a vCenter Server datastore.

About batch Live Mounts


A batch Live Mount creates multiple virtual machines from point-in-time copies of the source virtual
machines.
Selected snapshots represent the version of the data that is closest in time to the selected time. The new
virtual machines use the Rubrik cluster as their datastore.
A batch Live Mount can use local snapshots, replicas, or archived snapshots. Download archived
snapshots to the local Rubrik cluster before performing a batch Live Mount. If the archived snapshot is not
downloaded, a message appears instructing the user to retrieve the snapshot from the archival location
and try again:
No valid location has been found to mount the data from snapshot
xxxx-xxxx-xxxx-xxxx-xxxxxx. Please download the snapshot before
attempting a mount.
The Rubrik cluster assigns new names to the live mounted virtual machines. The option to power on the
virtual machine is set by default. Deselect the option to prevent the new virtual machine from powering
on. The Rubrik cluster does not connect the new virtual machines to a network. The Rubrik cluster sets the
protection states of the new virtual machines to Do Not Protect.

Related concepts
Recovery of virtual machines
For a Rubrik cluster, recovery of a source virtual machine means to mount a point-in-time copy of the
source virtual machine.

Creating a batch of vSphere virtual machines from snapshots


Use the batch Live Mount feature to create multiple new virtual machines in a single action.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Virtual Machines > vSphere VMs.
The vSphere VMs page appears, with the VMs tab selected.
3. From the list, select virtual machines.
Select up to 10 virtual machines to include in the batch. After the first selection, an ellipsis menu
appears in the upper-right of the page.
4. Open the ellipsis menu and click Mount.
The Snapshot pane of the Mount Virtual Machines wizard appears.
5. Select a snapshot time frame:
• Latest snapshot - The batch uses the most recent snapshot of each selected virtual machine.
• Closest snapshot - Select either before or after and specify a time. From each selected virtual
machine, the batch uses the snapshot that meets this specification.
6. Click Next.
The Target pane of the wizard appears.
7. Select an ESXi host.
8. Optional: Select one or more of the following Advanced Settings.
| Option | Description |
|---|---|
| Remove virtual network devices | Select this option when networking changes or issues prevent the virtual machine from starting. |
| Preserve MAC addresses | Select this option to use the MAC addresses from the snapshot instead of assigning new MAC addresses. |
| Power on mounted virtual machines | Select this option to start the virtual machine when the mount is completed. |
| Remove Tags | Skip attempts to re-associate vSphere tags with the virtual machine. |
9. Click Finish.

Result
The virtual machines are created.

Creating a Live Mount of a virtual disk snapshot
A Live Mount creates a new virtual disk or disks from point-in-time copies of the disks on a source virtual
machine. The recovered virtual disks use the Rubrik cluster as the datastore.

Context
The Rubrik cluster mounts the virtual disk to an existing virtual machine. The Rubrik cluster sets the
protection state of the new virtual disk to Do Not Protect.

Procedure
1. Select a snapshot, an archival snapshot, or a replica.
For archival snapshots, complete the download steps.
2. Open the ellipsis menu for the snapshot or replica.
3. Click Mount.
The Mount Snapshot dialog box appears.
4. Select Virtual Disk.
A list of disks on the virtual machine appears.
5. Select a disk to mount from the list of disks.
To search the list of disks, enter a search string in the ‘Search by Name’ field.
6. Click Next.
The Mount Snapshot dialog box advances to the ‘Target’ state. A list of virtual machine hosts appears.
7. Select a restore target for the virtual disk from the list of hosts.
To search the list of hosts, enter a search string in the ‘Search by Name’ field.
8. Click Mount.

Result
The Rubrik cluster mounts virtual disks on the selected virtual machine. During the process, messages
about the status appear in the Activity Log. The Rubrik cluster also records the final result of the task in
the Activity Log.
The Rubrik cluster sets the protection state of the Live Mount recovered virtual disk to Do Not Protect. To
protect the new virtual disk, add the virtual disk to an SLA Domain or remove the individual Do Not Protect
assignment to enable the virtual disk to inherit protection settings.
Related tasks
Selecting a snapshot or an archival snapshot
Use the Rubrik CDM web UI to select a snapshot before applying a recovery action.
Selecting a replica
Use the Rubrik CDM web UI of the replication target Rubrik cluster to select a replica before applying a
recovery action.

IP address selection for Live Mounts


The Rubrik cluster provisions IP addresses to virtual machine live mounts based on the IP address of the
ESXi host and the routing configuration of the Rubrik cluster.
In the absence of other selection criteria, the Rubrik cluster provisions floating IP addresses preferentially
over static IP addresses.

Example: Creating a static route for a Live Mount

The Rubrik CLI provides several utilities to configure the routing for a Rubrik cluster. See the Rubrik CLI
Guide for a complete description of these commands and for instructions on connecting to the Rubrik
command-line interface.
To show the creation of a new static route, consider the following fictitious environment:
• A Rubrik cluster has a virtual interface defined as ‘bond0.1000’.
• The VLAN interface bond0.1000 has no static route currently configured.
The administrator logs in to a node in the cluster over SSH.
The administrator uses the network route command.
The command displays the kernel routing table.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.255      0.0.0.0         UG    0      0        0 bond0
1.2.0.0         0.0.0.0         255.255.0.0     U     0      0        0 bond0.1000
10.0.0.0        0.0.0.0         255.255.0.0     U     0      0        0 bond0
13.4.0.0        10.0.0.254      255.255.0.0     UG    0      0        0 bond0

The administrator uses the network static_route add command to add an entry to the kernel routing
table. At the prompts, the administrator enters 12.42.0.0 as the subnet, 255.255.255.0 as the netmask,
bond0.1000 as the interface, and 12.42.1.12 as the gateway.
The CLI command prompts for the entries.

===================
Adding static route
===================
Network: 12.42.0.0
Subnet Mask: 255.255.255.0
Device: bond0.1000
Gateway: 12.42.1.12

The administrator uses the network route command.
The command displays the new kernel routing table.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.255      0.0.0.0         UG    0      0        0 bond0
1.2.0.0         0.0.0.0         255.255.0.0     U     0      0        0 bond0.1000
10.0.0.0        0.0.0.0         255.255.0.0     U     0      0        0 bond0
13.4.0.0        10.0.0.254      255.255.0.0     UG    0      0        0 bond0
12.42.0.0       12.42.1.12      255.255.0.0     U     0      0        0 bond0.1000
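
Because Live Mount address selection depends on the cluster routing configuration, it helps to confirm offline which interface and next hop the table above selects for a given ESXi host address, and whether the installed entry matches what was typed at the prompts. This is an added example, not Rubrik code: it parses the table as printed on this page, resolves constructed host addresses by longest-prefix match, and on this table reports that the Genmask column (255.255.0.0) differs from the subnet mask entered (255.255.255.0). All function names are hypothetical, and the cluster's floating-versus-static address preference is not modeled.

```python
import ipaddress

# The routing table printed on this page after the static route is added,
# one route per line (values are the page's; the layout is constructed).
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.255      0.0.0.0         UG    0      0        0 bond0
1.2.0.0         0.0.0.0         255.255.0.0     U     0      0        0 bond0.1000
10.0.0.0        0.0.0.0         255.255.0.0     U     0      0        0 bond0
13.4.0.0        10.0.0.254      255.255.0.0     UG    0      0        0 bond0
12.42.0.0       12.42.1.12      255.255.0.0     U     0      0        0 bond0.1000
"""


def mask_to_prefix(mask):
    """Convert a dotted netmask to a prefix length; reject non-contiguous masks."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return prefix


def parse_routes(text):
    """Parse the eight-column routing table text into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue  # title line, header line, or blank line
        dest, gateway, mask, flags, metric, _ref, _use, iface = fields
        network = ipaddress.ip_network(f"{dest}/{mask_to_prefix(mask)}", strict=True)
        routes.append({"network": network, "gateway": gateway, "genmask": mask,
                       "flags": flags, "metric": int(metric), "iface": iface})
    return routes


def lookup(routes, address):
    """Longest-prefix match, lowest metric as tie-breaker; None if no match."""
    ip = ipaddress.ip_address(address)
    matches = [r for r in routes if ip in r["network"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def egress(routes, address):
    """Return (interface, next hop); the next hop is 'on-link' without a gateway."""
    route = lookup(routes, address)
    if route is None:
        return None
    hop = "on-link" if route["gateway"] == "0.0.0.0" else route["gateway"]
    return route["iface"], hop


def verify_static_route(routes, network, netmask, device, gateway):
    """Compare the installed entry with the values typed at the prompts.

    Returns a list of differences; an empty list means the entry matches.
    """
    for r in routes:
        if str(r["network"].network_address) == network and r["iface"] == device:
            diffs = []
            if r["genmask"] != netmask:
                diffs.append(f"netmask: requested {netmask}, installed {r['genmask']}")
            if r["gateway"] != gateway:
                diffs.append(f"gateway: requested {gateway}, installed {r['gateway']}")
            return diffs
    return [f"no route to {network} on {device}"]


if __name__ == "__main__":
    table = parse_routes(ROUTE_OUTPUT)
    # Constructed ESXi host addresses, one per route in the table.
    for host in ("12.42.7.9", "1.2.3.4", "13.4.9.9", "192.0.2.1"):
        print(host, egress(table, host))
    print(verify_static_route(table, "12.42.0.0", "255.255.255.0",
                              "bond0.1000", "12.42.1.12"))
```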

Exporting a vSphere virtual machine
Export vSphere virtual machine snapshots to create a new virtual machine from a point-in-time copy of the
source virtual machine. Rubrik exports the resulting VMDK as either Thick Provisioned or Thin Provisioned.

Context
This task does not support snapshot exports to Virtual Volume (vVol) datastores. For vVol datastores,
create a Live Mount of the snapshot and perform a live migration using vMotion storage.

Procedure
1. Open the ellipsis menu for the vSphere virtual machine snapshot or replica.
2. Click Export.
The Export Snapshot wizard appears.
3. Select a host.
4. Click Next.
The Select Storage page appears.
5. Select a datastore.
6. Optional: In Advanced Settings, type a name to assign to the exported virtual machine.
7. Optional: Select Remove Tags to skip attempts to re-associate vSphere tags with the virtual
machine.
8. Optional: Click Use HotAdd Transport Mode to use HotAdd transport mode for the snapshot.
HotAdd transport mode bypasses the ESXi host throughput bottleneck by hot-adding virtual disks to a
proxy virtual machine. This significantly reduces the latency of exporting a large virtual machine.
9. Click Next.
The Export Snapshot wizard progresses to the Select Network page.
10. Optional: Enable Customize network selection to connect the virtual network adapter to a virtual
network other than the original.
By default, the virtual network adapter connects to the virtual network matching with the name
recorded in the snapshot. The snapshot contains the details of the adapter on the virtual machine and
the corresponding virtual network.
11. Optional: Select advanced network options.
| Option | Description |
|---|---|
| Remove virtual network devices | Select this option when networking changes or issues might prevent the virtual machine from starting. |
| Preserve MAC addresses | Select this option to use the original MAC addresses instead of automatically assigning new MAC addresses. |
12. Click Export.

Result
The Rubrik cluster assigns a new name to the recovered virtual machine and powers it up. The Rubrik
cluster does not connect the recovered virtual machine to a network. The Rubrik cluster sets the protection
state of the new virtual machine to Do Not Protect.
Related concepts
Live Migration
After a recovery, the recovered virtual machine can use Live Migration.
Related tasks
Creating a Live Mount of a vSphere virtual machine
A Live Mount creates a new virtual machine from a point-in-time copy of the source virtual machine. The
live mounted virtual machine uses the Rubrik cluster as its datastore.
Selecting a snapshot or an archival snapshot
Use the Rubrik CDM web UI to select a snapshot before applying a recovery action.
Selecting a replica
Use the Rubrik CDM web UI of the replication target Rubrik cluster to select a replica before applying a
recovery action.

Exporting a vSphere virtual machine with download


Retrieve a virtual machine snapshot from archival storage and automatically deploy the virtual machine
using Export with Download.

Prerequisites
Select an archival snapshot.

Context
Snapshot exports to Virtual Volume (vVol) datastores are not supported. For vVol datastores, create a Live
Mount of the snapshot and perform a live migration using vMotion storage.

Procedure
1. Open the ellipsis menu for the archival snapshot.
2. Click Export with Download.
The Export Snapshot wizard appears.
3. Select a host or cluster from the list.
Type a string into the search field to search for a host or cluster by name, or click the + icon to add a
new ESXi host.
A list of the datastores that are associated with the selected resource appears. The Export Snapshot
wizard advances to the Storage step.
4. Select a datastore from the list.
Type a string into the search field to search for a datastore by name.
5. Optional: Select one or more of the following Advanced Settings.
| Option | Description |
|---|---|
| Remove virtual network devices | Select this option when networking changes or issues prevent the virtual machine from starting. |
| Preserve MAC addresses | Use the MAC addresses from the snapshot instead of assigning new MAC addresses. |
| Remove Tags | Skip attempts to re-associate vSphere tags with the virtual machine. |
6. Click Export.

Result
The Rubrik cluster downloads the selected snapshot from the archive location to the selected datastore.
The Rubrik cluster assigns a new name to the recovered virtual machine and powers on the virtual
machine. The Rubrik cluster does not connect the recovered virtual machine to a network. The Rubrik
cluster sets the protection state of the recovered virtual machine to Do Not Protect.
Related concepts
Live Migration

After a recovery, the recovered virtual machine uses Live Migration.
Related tasks
Creating a Live Mount of a vSphere virtual machine
A Live Mount creates a new virtual machine from a point-in-time copy of the source virtual machine. The
live mounted virtual machine uses the Rubrik cluster as its datastore.
Selecting a snapshot or an archival snapshot
Use the Rubrik CDM web UI to select a snapshot before applying a recovery action.
Selecting a replica
Use the Rubrik CDM web UI of the replication target Rubrik cluster to select a replica before applying a
recovery action.

Exporting to a standalone host


A snapshot can be exported to an ESXi host that is not managed by vCenter by temporarily adding a
standalone ESXi host that is not already in the list of ESXi hosts.

Context
Snapshots of an existing vCenter server can be recovered by temporarily using a standalone ESXi host
when the vCenter server is unavailable. The initial steps are the same as for exporting to a known ESXi
host.

Procedure
1. Select a snapshot, an archival snapshot, or a replica.
For archival snapshots, complete the download steps.
2. Open the ellipsis menu for the snapshot or replica.
3. Click Export.
The Export Snapshot dialog box appears.
4. In Choose an ESXi Host, click the plus sign near the upper right to add a standalone ESXi host for
the virtual machine.
The Add ESXi Host dialog box appears.
5. Enter the credentials for the new ESXi host:
• IP address or hostname
• Username
• Password
6. Click Submit to authenticate the new ESXi host.
The new host appears in the alphabetical list of ESXi hosts.
7. Select the ESXi host.
A list of the datastores associated with the new ESXi host appears.
8. In Choose a Datastore, select a datastore.
9. Optional: Select Remove virtual network devices.
Select this option when networking changes or issues prevent the virtual machine from starting.
10. Click Export.

Result
The Rubrik cluster creates a new virtual machine from the snapshot on the selected ESXi host, transfers
the virtual machine files to the datastore, and powers up the recovered virtual machine. During the
process, messages about the status appear in the Activity Log. The Rubrik cluster also records the result of
the task in the Activity Log.

After recovering a snapshot of a vCenter Server or Platform Services Controller, see the documentation for
VMware vCenter to restore an environment based on a vCenter Server image.
The Rubrik cluster initially sets the protection state of the exported virtual machine to Do Not Protect. To
protect the new virtual machine, add it to an SLA Domain, or remove the individual assignment of Do Not
Protect to permit it to inherit protection.
Related tasks
Selecting a snapshot or an archival snapshot
Use the Rubrik CDM web UI to select a snapshot before applying a recovery action.

Powering off after Instant Recovery or Live Mount


Power off a recovered virtual machine from the Live Mounts page of the Rubrik CDM web UI.

Context
The Live Mounts page lists all recovered virtual machines that were recovered by using Instant Recovery or
Live Mount from the local Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI on the replication target Rubrik cluster.
2. On the left-side menu of the Rubrik CDM web UI, select Live Mounts.
3. Select a recovered virtual machine with the Powered On status.
4. Open the ellipsis menu for the recovered virtual machine.
5. Click Power Off.
A confirmation message appears.
6. Click Power Off.

Result
The Rubrik cluster gracefully powers down the selected virtual machine.

Unmounting after Instant Recovery or Live Mount


Unmount a recovered virtual machine from the Live Mounts page of the Rubrik CDM web UI. The Live
Mounts page lists all recovered virtual machines that were recovered by using Instant Recovery or Live
Mount from the local Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu of the Rubrik CDM web UI, select Live Mounts.
The Live Mounts page appears.
3. Open the ellipsis menu for a recovered virtual machine.
4. Click Unmount.
The confirmation message includes the option Remove local entry after Storage vMotion. Enable
this option to remove a stale entry for a recovered virtual machine that was live migrated.
A confirmation message appears.
5. Click Unmount.
The Rubrik cluster removes the selected virtual machine from the ESXi host and deletes the recovered
virtual machine files from the Rubrik cluster datastore. This action does not remove data protection
objects.

During the process, messages about the status appear in the Activity Log. The Rubrik cluster also
records the final result of the task in the Activity Log.
6. (After all live mounts are removed) Detach the Rubrik cluster datastore devices from the associated
ESXi hosts.

Result
The Rubrik cluster names the datastore devices using the format IP_NODE_sdmount, where IP_NODE is
the IPv4 address of one of the nodes of the Rubrik cluster.
The VMware knowledge base article How to unmount a LUN or detach a datastore device from ESXi hosts
(2004605) describes how to detach a datastore device from an ESXi 5.0 or newer host.
Related tasks
Removing a virtual machine entry after live migration
The Live Mounts page of a Rubrik cluster retains entries for recovered and migrated virtual machines until
manually removed.

Removing a virtual machine entry after live migration


The Live Mounts page of a Rubrik cluster retains entries for recovered and migrated virtual machines until
manually removed.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu of the Rubrik CDM web UI, select Live Mounts.
The Live Mounts page appears.
3. Select a recovered virtual machine that was live migrated.
4. Open the ellipsis menu for the recovered virtual machine.
5. Click Unmount.
A confirmation message appears.
6. Select Remove local entry after Storage vMotion.
7. Click Unmount.

Result
The Rubrik cluster removes the metadata associated with the selected virtual machine and removes the
entry for the virtual machine from the Live Mounts page. This action does not remove data protection
objects and does not unmount the recovered and migrated virtual machine.
During the process, messages about the status appear in the Activity Log. The Rubrik cluster also records
the final result of the task in the Activity Log.

In-Place Recovery of virtual machines


VMware In-Place Recovery is a faster and more efficient alternative for virtual machine recovery, compared
with other VMware recovery options.
The In-Place Recovery mechanism significantly improves the performance of the virtual machine recovery
process by using Changed Block Tracking (CBT) to calculate the delta between the latest snapshot of the
virtual machine in vCenter Server and the snapshot that is selected for recovering the virtual machine
in the Rubrik cluster. In-Place Recovery restores the virtual disk files of the source virtual machine by
transferring only the changed blocks of the virtual disk data from the Rubrik cluster datastore directly to
the VMware datastore.

By transferring only the changed data blocks directly from the Rubrik cluster to the VMware datastore, the
In-Place Recovery process provides the following benefits over the other recovery mechanisms, such as Live
Mount, Instant Recovery, and Export:
• Significantly reduces the network bandwidth and the time required to recover large virtual machines
• Works for ESXi hosts that do not support mounting of external NFS datastores
• Eliminates the need to migrate the recovered virtual machines from the Rubrik cluster to the VMware
datastore using Storage vMotion
• Preserves the properties, such as name and location, of the source virtual machine
In-Place Recovery and the VMware snapshot jobs are mutually exclusive. In other words, if an In-Place
Recovery job is in progress, the Rubrik cluster will throttle or delay the start of a snapshot that is
scheduled to be taken during the same time.

In-Place Recovery pre-check and failure conditions


To avoid any potential loss of data and network misconfiguration, In-Place Recovery performs certain
checks before proceeding with the recovery.
When the In-Place Recovery mechanism is initiated, it turns off the source virtual machine and takes
a snapshot of the virtual machine in the vCenter Server. Subsequently, the In-Place Recovery process
overwrites the virtual disk files of the source virtual machine with the data blocks that have changed
between the latest snapshot taken in the vCenter Server and the snapshot chosen for the recovery in the
Rubrik cluster.
To avoid the loss of virtual machine data during the recovery process, In-Place Recovery checks whether the
following properties are the same for both the source virtual machine and the snapshot selected for
recovering the virtual machine:
• The number of virtual disks
• The virtual device key of the virtual disk
• The size of the virtual disk
After a successful recovery, the In-Place Recovery process turns on the virtual machine and deletes the
snapshot of the virtual machine from vCenter Server.
In the case of failure, the In-Place Recovery process restores the source virtual machine using the
snapshot in vCenter Server and deletes the snapshot from vCenter Server.
The Rubrik CDM REST API provides an option to save the snapshot in vCenter Server to perform any post-
recovery analysis of the virtual machine.
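The pre-check, changed-block overwrite, and rollback described in this section, modeled as an added Python example (not Rubrik code and not part of the original guide). The VM and Disk classes, the 4-byte block size, the "safety" snapshot key, the fail_after fault injection, and the sample data are assumptions made for illustration; direct block comparison stands in for a Changed Block Tracking query.

```python
"""Simplified model of the In-Place Recovery flow (illustration only)."""
import copy
from dataclasses import dataclass, field

BLOCK = 4  # bytes per block; tiny so the constructed sample stays readable


@dataclass
class Disk:
    device_key: int   # virtual device key of the virtual disk
    data: bytearray   # disk contents; len(data) is the size of the virtual disk


@dataclass
class VM:
    name: str
    disks: list
    powered_on: bool = True
    vcenter_snapshots: dict = field(default_factory=dict)


def precheck(vm, snapshot_disks):
    """Return a list of mismatches; an empty list means recovery may proceed."""
    if len(vm.disks) != len(snapshot_disks):
        return [f"disk count: vm={len(vm.disks)} snapshot={len(snapshot_disks)}"]
    problems = []
    pairs = zip(sorted(vm.disks, key=lambda d: d.device_key),
                sorted(snapshot_disks, key=lambda d: d.device_key))
    for cur, snap in pairs:
        if cur.device_key != snap.device_key:
            problems.append(f"device key: vm={cur.device_key} snapshot={snap.device_key}")
        elif len(cur.data) != len(snap.data):
            problems.append(f"size of disk {cur.device_key}: "
                            f"vm={len(cur.data)} snapshot={len(snap.data)}")
    return problems


def changed_blocks(current, target):
    """Byte offsets of the blocks that differ (stand-in for a CBT query)."""
    return [off for off in range(0, len(target), BLOCK)
            if current[off:off + BLOCK] != target[off:off + BLOCK]]


def in_place_recover(vm, snapshot_disks, keep_snapshot=False, fail_after=None):
    """Recover vm to snapshot_disks in place; return the number of blocks written.

    fail_after is hypothetical fault injection: abort after that many block writes.
    """
    problems = precheck(vm, snapshot_disks)
    if problems:
        # Nothing has been touched yet: the VM stays on and its disks are intact.
        raise ValueError("pre-check failed: " + "; ".join(problems))

    vm.powered_on = False
    vm.vcenter_snapshots["safety"] = copy.deepcopy(vm.disks)  # snapshot in vCenter
    by_key = {d.device_key: d for d in snapshot_disks}
    written = 0
    try:
        for disk in vm.disks:
            target = by_key[disk.device_key].data
            for off in changed_blocks(disk.data, target):
                if fail_after is not None and written >= fail_after:
                    raise IOError("simulated transfer failure")
                disk.data[off:off + BLOCK] = target[off:off + BLOCK]
                written += 1
    except IOError:
        # Failure path: restore from the vCenter snapshot, then delete it.
        # The guide does not state the power state here; the model leaves the VM off.
        vm.disks = copy.deepcopy(vm.vcenter_snapshots.pop("safety"))
        raise
    if not keep_snapshot:
        vm.vcenter_snapshots.pop("safety")
    vm.powered_on = True
    return written


def demo():
    """Constructed sample: two disks, two changed blocks on the first disk."""
    live = VM("app01", [Disk(2000, bytearray(b"AAAABBBBCCCCDDDD")),
                        Disk(2001, bytearray(b"1111222233334444"))])
    snap = [Disk(2000, bytearray(b"AAAAbbbbCCCCdddd")),
            Disk(2001, bytearray(b"1111222233334444"))]
    return live, snap


if __name__ == "__main__":
    live, snap = demo()
    print("pre-check problems:", precheck(live, snap))
    print("blocks written:", in_place_recover(live, snap))
```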

Performing an In-Place Recovery


Perform an In-Place Recovery of a vSphere virtual machine.

Context
Rubrik CDM allows In-Place Recovery with local and archived snapshots. In-Place Recovery does not work
with replicated snapshots because the original ESXi host and datastores may not exist on the replication
target cluster to write the data in-place to the original VMDK files in the original datastore.

Note: An In-Place Recovery job against a VMware vCenter virtual machine does not proceed, because the
vCenter shuts down before the snapshot can be taken.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Virtual Machines > vSphere VMs.

The vSphere VMs page appears with the VMs tab selected and displays all the virtual machines in the
system.
3. Optional: To work with data from an unmanaged virtual machine, on the left-side menu, click
Snapshot Management.
Continue with the following steps from the Snapshot Management page instead of the Virtual
Machines page.
4. Click the name of a virtual machine.
The management page for the selected virtual machine appears.
5. Click on a date on the Snapshots card to navigate to a snapshot or an archival snapshot.
A list of snapshots taken on the selected date appears.
6. Optional: To recover archival snapshots, from the ellipsis menu, click Download.
The Rubrik cluster does not apply a retention setting to a downloaded archival snapshot. The
downloaded archival snapshot that is no longer required on the local storage should be deleted
manually.
The Rubrik cluster retrieves the archival snapshot. Status of the retrieval appears in the Activity Log.
7. Open the ellipsis menu for the selected snapshot and click In-Place Recovery.
The In-Place Recovery window opens.
8. To keep the vSphere snapshots in vCenter Server instead of deleting them, select Keep vSphere snapshot
after in-place recovery.
After an in-place recovery process, the Rubrik cluster saves the vSphere snapshots on the vCenter
servers using the following naming format: RUBRIK-UUID-IPR_Preserved-UUID, where UUID is a
universally unique identifier for the snapshot.
9. Click Recover.
The Activity Log displays the audit events related to the in-place recovery process. The Dashboards
Summary page lists the in-place recovery job as an in-progress task.

Result
The Rubrik cluster initiates the In-Place Recovery of the virtual machine with the selected snapshot. The
recovery process does not change the name or location of the virtual machine.
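The guide names two artifacts that can remain in vSphere after recovery work: datastore devices named IP_NODE_sdmount (see Unmounting after Instant Recovery or Live Mount) and preserved snapshots named RUBRIK-UUID-IPR_Preserved-UUID (step 8 above). The following added Python example (not Rubrik code, not part of the original guide) finds both in an inventory listing. The inventory structure, the host and VM names, the canonical 8-4-4-4-12 UUID form, and all sample values are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: UUIDs appear in canonical hyphenated 8-4-4-4-12 form.
UUID_PATTERN = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
SDMOUNT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})_sdmount")
PRESERVED_RE = re.compile(
    "RUBRIK-(" + UUID_PATTERN + ")-IPR_Preserved-(" + UUID_PATTERN + ")")


def rubrik_datastore_node(name):
    """Return the node IPv4 address if name has the IP_NODE_sdmount format, else None."""
    m = SDMOUNT_RE.fullmatch(name)
    if m is None:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1)))  # rejects octets above 255
    except ipaddress.AddressValueError:
        return None


def preserved_snapshot_ids(name):
    """Return both UUIDs of a RUBRIK-UUID-IPR_Preserved-UUID name, else None."""
    m = PRESERVED_RE.fullmatch(name)
    return (m.group(1).lower(), m.group(2).lower()) if m else None


def audit(host_datastores, live_mounts, vm_snapshots):
    """Classify leftovers.

    host_datastores: {esxi_host: [datastore names]}
    live_mounts:     names of live mounts still listed on the Live Mounts page
    vm_snapshots:    {vm_name: [vSphere snapshot names]}
    """
    report = {"detach_candidates": [], "in_use": [], "preserved_snapshots": []}
    # The guide detaches the datastore devices only after all live mounts are removed.
    bucket = "in_use" if live_mounts else "detach_candidates"
    for host, names in sorted(host_datastores.items()):
        for name in names:
            node = rubrik_datastore_node(name)
            if node is not None:
                report[bucket].append((host, name, node))
    for vm, names in sorted(vm_snapshots.items()):
        for name in names:
            if preserved_snapshot_ids(name) is not None:
                report["preserved_snapshots"].append((vm, name))
    return report


# Constructed sample inventory (not real hosts, addresses, or snapshot IDs).
SAMPLE_DATASTORES = {
    "esxi-01.example.test": ["datastore1", "10.0.2.11_sdmount"],
    "esxi-02.example.test": ["10.0.2.12_sdmount", "999.0.2.12_sdmount", "nfs_sdmount"],
}
PRESERVED_NAME = ("RUBRIK-3f2b8c1e-5d4a-4e6f-9a7b-0c1d2e3f4a5b"
                  "-IPR_Preserved-7a6b5c4d-3e2f-4a1b-8c9d-0e1f2a3b4c5d")
SAMPLE_SNAPSHOTS = {
    "app01": ["pre-patch", PRESERVED_NAME],
    "db01": ["RUBRIK-not-a-uuid-IPR_Preserved-x"],
}

if __name__ == "__main__":
    for kind, rows in audit(SAMPLE_DATASTORES, [], SAMPLE_SNAPSHOTS).items():
        print(kind, rows)
```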

File and folder restore


The Rubrik cluster provides file level restore (FLR) of files and folders from any local snapshot, replica, or
archival snapshot that was successfully indexed.
To restore a file or folder, search for the file or folder by name across all local snapshots, or browse for
the file or folder on a selected snapshot.

Note: VMware snapshots do not support recovery of reparse point files. Use fileset snapshots to protect
reparse points.

The options used for file and folder recovery types are defined in the following table.

Recovery type | Description
Download | Creates a link to download the selected file or folder.
Overwrite original | Restore the selected file or folder to the original path. This choice overwrites the existing file or folder.
Restore to separate folder | Restore the file or folder to another location.
Export | Restore the file or folder to an alternate virtual machine.

Restore files and folders by download


The Rubrik cluster generates download links to use for file level restore of files and folders from any local
snapshot, replica, or archival snapshot that was successfully indexed.
The guest OS of the source virtual machine must have a current version of VMware Tools running to
enable successful indexing.
Restore a file from a data protection object through the Rubrik CDM web UI. Browse the virtual machine
file system on the data protection object and select the file. The Rubrik cluster processes the request and
provides a link for download of the file.
VMware snapshots do not support recovery of reparse point files. Use fileset snapshots to protect reparse
points.
Restore a folder from a data protection object through the Rubrik CDM web UI. Browse the virtual machine
file system on the data protection object and select the folder. The Rubrik cluster generates a ZIP file
containing the folder and all that the folder contains. The ZIP file retains the hierarchy of the selected
folder. The Rubrik cluster provides a link for download of the ZIP file.
File and folder download links appear in a message in the notification area of the Rubrik CDM web UI.
This message provides a link to the download. The Rubrik cluster also provides the download link on the
Activity Detail dialog box for the download task.

Searching for a file or folder


Use the Rubrik CDM web UI to browse for a file or folder in a snapshot, replica, or archival snapshot.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Virtual Machines > Hyper-V VMs.
The Hyper-V VMs page appears with the VMs tab selected, and displays all the virtual machines in the
system.
3. Click the name of a virtual machine.
The local host page for the selected virtual machine appears.
4. On the Snapshots card, type the name of the file or folder in the search field.
As characters are typed, the Rubrik CDM web UI immediately begins to display matching file and
folder pathnames.
Matches are based on file or folder names that start with the characters typed. Continue to type
characters until the file or folder appears in the results.
5. Select the file or folder.
The Download File Version dialog box appears. A cloud icon appears next to files or folders that are on
archival snapshots.
6. Select a version of the file or folder.

Result
Rubrik CDM searches for the file or folder.
Related tasks
Viewing a local host page

Access a local host page to view information about a local virtual machine.

Browsing for a file or folder


Use the Rubrik CDM web UI to browse for a file or folder in a data protection object (snapshot, replica, or
archival snapshot).

Context

Note: The Rubrik cluster must download an archival snapshot before it can be browsed. Searching
by name for a file or folder on an archival snapshot does not require that the archival snapshot be
downloaded first.

Procedure
1. Select a snapshot, an archival snapshot, or a replica.
Selecting a snapshot or an archival snapshot describes the selection task for snapshots and archival
snapshots. For archival snapshots, complete the download steps.
Selecting a replica describes the selection task for replicas.
2. Open the actions menu for the snapshot or replica by clicking the ellipsis icon.
3. Click Browse Files.
The browse dialog box appears.
4. Select a file or folder.

Result
For supported Windows and Linux guest operating systems, the selection can be restored to the original
file system, or downloaded from a generated link. For other guest operating systems, the selection can be
downloaded from a generated link.

Restore files and folders directly to a guest file system


For supported Windows and Unix/Linux guest operating systems, the Rubrik cluster can restore files and
folders directly to the source file system.
When restoring from a snapshot of a supported guest operating system, the Rubrik CDM web UI provides
the option to restore a file or folder directly to the source file system. When this option is selected, the
Rubrik CDM web UI provides a choice to overwrite the source file or folder, or to restore the file or folder to
another location. Refer to the Rubrik CDM Compatibility Matrix for the most up-to-date information about
supported guest operating systems.
While a restored file or folder inherits the ACL and owner of the parent folder, file restore using VMware
Tools requires the root/admin OS credentials to ensure the ACLs are restored. The restored file or folder
retains the modification time (mtime) of the source file or folder, based on the time of the snapshot.
Extended attributes are not restored in this scenario.
To successfully restore directly to the source file system the Rubrik cluster must be provided the following
information:
• Resolvable hostname or IP address of the authentication server
• Username of an account with Administrator privileges for the target
• Password for the account
When the Rubrik cluster has previously accepted the guest OS credentials of a guest operating system, the
restore job does not require additional credential information. This feature requires that the Rubrik cluster
has successfully used the guest OS credentials for at least one backup prior to the restore task. Otherwise,
the credentials can be provided through the Restore Files dialog box during the restore task.

Related concepts
Guest OS credentials
Guest OS credentials provide access to guest operating systems for vSphere virtual machines.

Restoring directly to a guest file system


Restore a file or folder to the source file system of a supported Windows or Linux guest operating system.

Prerequisites
This task requires source system root access credentials.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Virtual Machines > vSphere VMs.
The vSphere VMs page appears with the VMs tab selected, and displays all the virtual machines in the
system.
3. Click the name of a virtual machine.
The local host page for the selected virtual machine appears.
4. On the Snapshots card, type the name of the file or folder in the search field.
As characters are typed, the Rubrik CDM web UI immediately begins to display matching file and
folder pathnames.
Matches are based on file or folder names that start with the characters typed. Continue to type
characters until the file or folder appears in the results.
5. Select a file or folder.
6. Click Restore.
The Restore button only appears for supported hosts. When the Rubrik cluster has previously accepted
the guest host OS credentials, the credential fields do not appear.
The Restore Files dialog box appears.
7. (Windows only) In Domain, enter the resolvable hostname or IP address of the authentication server
for the credential.
Option | Description
Windows guest | Use the administrator credentials.
Unix/Linux guest | Use the root credentials.
When the Windows guest OS performs Workstation Authentication of credentials instead of Domain
Authentication, leave the Domain field empty.

Note: With some ESXi hypervisors, the VMware API requires a single period character in the Domain
field to correctly pass the Workstation Authentication value to the Windows guest. When an empty
Domain field does not provide successful Workstation Authentication with the Windows guest, add a
period character in the Domain field.

8. In Username, type a guest OS username for an account with sufficient privileges on the host.
9. In Password, type the password for the account.
10. Select one of the restore methods.

Option | Description
Download | Creates a link to download the selected file or folder.
Overwrite original | Restore the selected file or folder to the original path. This choice overwrites the existing file or folder.
Restore to separate folder | Restore the file or folder to another location.
Export | Restore the file or folder to an alternate virtual machine.
11. (Restore to separate folder only) In Folder Path, type the full path of the restore location.
Use the correct path delimiter for the guest operating system. For a Windows guest, use a backslash.
For a Unix/Linux guest, use a forward slash.
Do not type the original path of the source file or folder. When Restore to separate folder is
selected, the object cannot be restored to a folder that contains an object of the same name.
12. Optional: Select Store as service credential for all VMs.
The Rubrik cluster provides this setting only when the credential has not been previously stored. When
this setting is selected, the Rubrik cluster stores the provided credential. The stored credential can be
managed through the guest OS credentials page.
13. Click Restore.

Result
The file or folder is successfully restored to the specified location.
Related concepts
Restore files and folders directly to a guest file system
For supported Windows and Unix/Linux guest operating systems, the Rubrik cluster can restore files and
folders directly to the source file system.
Guest OS settings
Enable the administration of guest OS credentials for virtual machines and fileset hosts.
Related tasks
Searching for a file or folder
Use the Rubrik CDM web UI to browse for a file or folder in a snapshot, replica, or archival snapshot.

Restoring files or folders by download from notification message


Search or browse for a file or folder and restore that file or folder by download from the notification
message.

Context
Restore files and folders by download provides an overview of this feature.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Virtual Machines > vSphere VMs.
The vSphere VMs page appears with the VMs tab selected, and displays all the virtual machines in the
system.
3. Click the name of a virtual machine.
The local host page for the selected virtual machine appears.
4. On the Snapshots card, type the name of the file or folder in the search field.

As characters are typed, the Rubrik CDM web UI immediately begins to display matching file and
folder pathnames.
Matches are based on file or folder names that start with the characters typed. Continue to type
characters until the file or folder appears in the results.
5. Select the file or folder.
6. For a file, click Download. For a folder, click Download Folder.
7. Click OK.
For a folder, the Rubrik cluster retrieves the folder and creates a ZIP file with the folder and all files
and folders within the selected folder. The ZIP file preserves the folder hierarchy.
8. In the Rubrik CDM web UI Activity Log, a ‘Downloaded’ message appears for the selected file or folder.
9. Click the message.
The Save As dialog box appears in the web browser.
10. Select a download location for the file, and click Save.
The web browser retrieves the file from the Rubrik cluster and saves it to the selected location.
11. (Folder only) Extract the folder using a ZIP utility.

Result
The selected files or folders are restored.
Related tasks
Configuring Chrome to ask for download location
Use the Google Chrome web browser to access the Rubrik CDM web UI and download recovered files and
folders. Change the default setting of the Chrome web browser to permit specifying the local download
location.

Restoring files or folders by download from Activity Detail


Search or browse for a file or folder and restore that file or folder by download from the Activity Detail
dialog box.

Context
Restore files and folders by download provides an overview of this feature.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Virtual Machines > vSphere VMs.
The vSphere VMs page appears with the VMs tab selected, and displays all the virtual machines in the
system.
3. Click the name of a virtual machine.
The local host page for the selected virtual machine appears.
4. On the Snapshots card, type the name of the file or folder in the search field.
As characters are typed, the Rubrik CDM web UI immediately begins to display matching file and
folder pathnames.
Matches are based on file or folder names that start with the characters typed. Continue to type
characters until the file or folder appears in the results.
5. Select the file or folder.
6. Click Download.
For a folder, the Rubrik cluster retrieves the folder and creates a ZIP file with the folder and all files
and folders within the selected folder. The ZIP file preserves the folder hierarchy.
7. Open the local host page for the virtual machine.

8. On the messages card, select the ‘Link ready for download’ message.
Use the Recovery filter type to filter for this type of message.
The Activity Detail dialog box appears.
9. Click the download icon.
The Save As dialog box appears in the web browser.
10. Select a download location for the file, and click Save.
The web browser retrieves the file from the Rubrik cluster and saves it to the selected location.
11. (Folder only) Extract the folder using a ZIP utility.

Result
The selected files or folders are restored.
Related tasks
Viewing a local host page
Access a local host page to view information about a local virtual machine.
Configuring Chrome to ask for download location
Use the Google Chrome web browser to access the Rubrik CDM web UI and download recovered files and
folders. Change the default setting of the Chrome web browser to permit specifying the local download
location.

Configuring Chrome to ask for download location


Use the Google Chrome web browser to access the Rubrik CDM web UI and download recovered files and
folders. Change the default setting of the Chrome web browser to permit specifying the local download
location.

Context
By default, Chrome saves downloaded files to the following locations:
• Windows: \Users\username\Downloads
• Mac: /Users/username/Downloads
• Linux: /home/username/Downloads
To download files and folders to a specified location, change the default Chrome Download setting.

Procedure
1. In Chrome, click the customize icon.
The Chrome menu appears.
2. On the menu, click Settings.
The Chrome Settings page appears.
3. Click Show Advanced Settings.
Additional settings appear on the Settings page.
4. In the Downloads section, enable Ask where to save each file before downloading.

Result
Chrome applies the new setting and opens a Save As dialog box for selecting a download location when a
file is downloaded.

Continuous Data Protection
Continuous Data Protection (CDP) enables near-continuous data protection of VMware virtual machines
using the VAIO framework from VMware. CDP runs as a service and captures changes to data on a virtual
machine to a Rubrik cluster.
CDP uses a CDP Filter on an ESXi host (6.7 or newer version) to capture any changes made on a VMDK on
a VMware host. Changes are stored as metadata and log files (all of the delta changes since the previous
snapshot) on a Rubrik cluster and/or replicated Rubrik cluster.
CDP is intended as a near-term solution for data recovery. CDP can record data changes for four hours
using a log file.
The two use cases for CDP are:
• Recovery of a virtual machine from the most recent point-in-time
• Recovery of a virtual machine from a specific point-in-time
To use CDP, configure the following:
1. Install the CDP Filter.
2. Create an SLA Domain with CDP enabled and assign it to a virtual machine.
3. Mount a virtual machine from a point in time (PIT). The PIT can be from the last PIT stored on the
Rubrik cluster or any PIT specified within the SLA policy.
• Mount a virtual machine from latest PIT on a Rubrik cluster.
• Mount a virtual machine from a specific point in time on a Rubrik cluster.
Related concepts
SLA Domains with CDP enabled
SLA Domains with Continuous Data Protection (CDP) enabled are used for near-term recovery.
Minimum vCenter Server privileges
Related tasks
Installing the CDP Filter
Before CDP is enabled, install the CDP Filter on vCenter 6.7 (or newer version).
Mounting a virtual machine from latest PIT on a Rubrik cluster
A virtual machine can be mounted from the latest PIT on a local or replicated Rubrik cluster.
Mounting a virtual machine from specific PIT on a Rubrik cluster
A virtual machine can be mounted from a specific PIT on the local Rubrik cluster or a replication target
Rubrik cluster.

Installing the CDP Filter


Before CDP is enabled, install the CDP Filter on vCenter 6.7 (or newer version).

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click vCenter Servers.
The vCenter Servers page appears.
4. Select the vCenter > Datacenter > Cluster for the CDP Filter.
The CDP Filter Status will be listed as Not Installed.
5. Click the ellipsis to the right of the Rubrik cluster.
6. Click Install CDP Filter.

An ellipsis only appears next to entries for vCenter Servers running version 6.7 or newer.
An Installing status message is displayed. This can take 1-30 minutes.

Result
After the filter is installed, the CDP Filter Status is listed as Up to Date.

Uninstalling the CDP Filter


The CDP Filter can be uninstalled if it is no longer needed or if the vCenter is removed from the Rubrik
cluster.

Prerequisites
To uninstall a CDP Filter that is not part of a DRS cluster, confirm the following:
• The VMware compute cluster is configured in DRS mode or the virtual machine is powered off
• The virtual machine is not a part of an SLA Domain
To automate uninstalling the CDP Filter on a DRS cluster, confirm the following:
• DRS is configured to use Fully Automated Mode
• All associated virtual machines are using shared storage
• All hosts have the vMotion Traffic Tag enabled

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click vCenter Servers.
The vCenter Servers page appears.
4. From the vCenter Servers list, select a vCenter Server.
A list of datacenters on that vCenter Server appears.
5. Select a datacenter.
A list of clusters attached to that datacenter appears with the value of the CDP filter in the CDP Filter
Status column.
6. Click the ellipsis to the right of the cluster.
7. Click Uninstall CDP Filter.
A confirmation message appears.
8. Click Uninstall.
An Uninstalling status message appears. This can take a significant period of time on a very large
cluster.

Result
After the filter is uninstalled, the CDP Filter Status is listed as Not Installed.

Mounting a virtual machine from latest PIT on a Rubrik cluster


A virtual machine can be mounted from the latest PIT on a local or replicated Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI on the local or replicated Rubrik cluster.
2. On the left-side menu of the Rubrik CDM web UI, select vSphere VMs.
The vSphere VMs page appears, with the VM tab selected by default.
3. Click on the virtual machine to restore.

4. Click the Recover Latest button.
The Recover Latest Recovery Point dialog box appears.
5. Select Mount Virtual Machine.
6. Click Next.
The Mount Virtual Machine dialog box appears.
7. Choose an ESXi host.
8. Check any applicable options for the new virtual machine.
9. Click Mount.

Result
Use the vSphere Client to access the latest PIT virtual machine.

Mounting a virtual machine from specific PIT on a Rubrik cluster


A virtual machine can be mounted from a specific PIT on the local Rubrik cluster or a replication target
Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI on the local or replicated Rubrik cluster.
2. On the left-side menu of the Rubrik CDM web UI, select vSphere VMs.
The vSphere VMs page appears, with the VM tab selected by default.
3. Select the virtual machine to restore.
4. In the Recovery Points pane, select the current date.
5. Use the slider bar (within the blue range) to select the specific PIT for recovery.
6. Click the ellipsis.
The Recover Latest Recovery Point dialog box appears.
7. Select Mount Virtual Machine.
8. Click Next.
The Mount Virtual Machine dialog box appears.
9. Choose an ESXi host.
10. Check any applicable options for the new virtual machine.
11. Click Mount.

Result
Use the vSphere Client to access the latest PIT virtual machine.

Chapter 14
vCloud Director vApps


Rubrik CDM provides SLA Domain protection and data management for VMware vCloud Director vApps.
When a vCloud Director instance is added to a Rubrik cluster, the Rubrik cluster automatically discovers all
of the components of the vCloud Director deployment, including:
• Organizations
• Organization virtual datacenters
• vApps
• Virtual machines
The components appear in the Rubrik CDM web UI and provide the basis for assigning SLA Domain
protection to the vApps. Rubrik CDM manages and protects the data in vApps using the same SLA Domain
approach that it provides for vSphere virtual machines.
The SLA Domain assignment of a vApp can be derived from a higher level component or the assignment
can be directly specified. Assigning an SLA Domain at a higher level in the organizational hierarchy
automatically assigns the policies of that SLA Domain to all vApps and virtual machines that are beneath
that level. Assigning an SLA Domain at a lower level in the hierarchy overrides an assignment made at a
higher level.
The Rubrik cluster provides full protection of vApps, backing up not just virtual machine data but also vApp
data and metadata, including networks, boot order, and access lists.
Rubrik CDM offers the option to enable or disable synchronized snapshots for a vApp. When enabled, the
Rubrik cluster attempts synchronization across the vApp by initiating snapshots of all virtual machines in a
vApp at the same time.
Related concepts
Protection hierarchy
SLA Domain protection can be applied to virtual machines within vApps by assigning the SLA Domain at
several different levels in the vCloud Director hierarchy. Protection can also be applied by assigning an SLA
Domain to an individual virtual machine within a vApp.

Protection and management features


In addition to full SLA Domain based protection of vApps, other features available for vSphere virtual
machines are also provided for vApps.

Feature: Description
Automatic protection: vApps automatically derive the SLA Domain assignment made to vCloud Director objects that are higher in the vCloud Director hierarchy, such as organizations and organization virtual datacenters.
Synchronization: When the synchronization setting is enabled, the Rubrik cluster requests that the associated ESXi host initiate snapshots of the vApp virtual machines at the same time. Actual snapshot start time depends on the availability of ESXi host resources and the number of virtual machines in the vApp.
Instant Recovery - Full or partial: Using Instant Recovery, a protected vApp can be fully recovered from a snapshot or the vApp can be partially recovered. A partial recovery recovers one or more of the virtual machines in the protected vApp. In a full or partial Instant Recovery, the recovered virtual machines use the default storage profile of the organization virtual datacenter. Optionally, the network interface cards of the recovered virtual machines can be connected to any existing network.
Export - Full or partial: Using Export, a vApp snapshot can be used to fully export a vApp to another location, or to export one or more of the virtual machines from the vApp. The full export can include the network configuration of the source vApp:
• Isolated vApp network
• Direct vApp network
• NAT routed network
To establish a direct vApp network or a NAT routed network, the associated organization network must be available. After setting up the exported vApp network, Export connects the virtual machine network interface cards to the network.
Exclude virtual machines: Optionally, individual virtual machines within a vApp can be excluded from snapshots of the vApp.
Exclude VMDKs: Optionally, individual VMDKs within a vApp can be excluded from snapshots of the vApp.
Script support: Pre-snapshot and post-snapshot scripts can be set up individually on each virtual machine in a protected vApp.
File level download and restore: Browse or search for files within a vApp snapshot and restore to the original source location or download from the Rubrik cluster.
Custom reports: Custom object reports and task reports can be filtered for a specific vCloud Director organization.
On-demand snapshots: On-demand snapshots can be initiated for a vApp or for individual virtual machines within the vApp.
Migration: Virtual machines in a vApp that are protected individually can be migrated to protection through the vApp. Migrating to vApp protection does not require a new full snapshot of a virtual machine that was previously protected individually.
RBAC support: End-users can select only organization virtual datacenters that have been assigned to them.
Multitenancy support: Multitenancy rules only permit tenant organization administrators to work with assigned vCloud Director hierarchy components. For example, to assign an SLA Domain to a vApp or to use an organization virtual datacenter as a recovery target, those components must first be assigned to the tenant organization administrator.

Metadata protection
Rubrik CDM protection of vApps includes the metadata of the vApp.

Metadata: Description
Networks: Protects both isolated and routed networks. Can also reconnect restored virtual machines to the virtual datacenter network if the same network is available at restore time.
Boot order: Protects the order that the virtual machines in the vApp are configured to start and stop.
Access list: Protects the access list for the vApp.

Limitations
Rubrik CDM support for vApps works within specific limitations.

Limit type: Description
Virtual machines in a vApp: Maximum of 128 virtual machines in a vApp. To protect a vApp with more than 128 virtual machines, use the exclude function to reduce the number protected.
Mounts: The Rubrik cluster performs all mounts for vApps at the virtual machine level.
Backup exclusion: Protection of vApps does not include vCloud Director Object Metadata.
Autodiscovery: Rubrik CDM ignores the vCloud Director auto discovery feature.

Multitenancy and RBAC


Rubrik clusters support role-based access control and multitenancy deployments for vCloud Director
vApps.
User rights can be granted at the vApp level by using the privilege workflow.
vCloud Director organizations and vApps can be assigned to a specific tenant by using the create or modify
tenant organization workflow.
Related concepts
User accounts
Rubrik CDM provides role-based access control and several methods for authenticating a user account.
Multitenant organizations

The multitenancy extension of the Role Based Access Control (RBAC) scheme enables a central
organization to delegate administrative capabilities to multiple tenant organizations.

Protection hierarchy
SLA Domain protection can be applied to virtual machines within vApps by assigning the SLA Domain at
several different levels in the vCloud Director hierarchy. Protection can also be applied by assigning an SLA
Domain to an individual virtual machine within a vApp.
The protection hierarchy represents the hierarchical levels in a vCloud Director deployment at which SLA
Domain protection can be specified.

1. Protection at the vCloud Director instance level - The Rubrik cluster applies the policies of the specified
SLA Domain to all virtual machines within the organizations controlled by the vCloud Director instance.
2. Protection at the organization level - The Rubrik cluster applies the policies of the specified SLA
Domain to all virtual machines within the organization. Assigning an SLA Domain at this level overrides
an SLA Domain assignment at the vCloud Director instance level.
3. Protection at the organization virtual datacenter level - The Rubrik cluster applies the policies of the
specified SLA Domain to all virtual machines within the organization virtual datacenter. Assigning an
SLA Domain at this level overrides an SLA Domain assignment at the vCloud Director instance level
and the organization level.
4. Protection at the vApp level - The Rubrik cluster applies the policies of the specified SLA Domain to
all virtual machines within the vApp. Assigning an SLA Domain at this level overrides an SLA Domain
assignment at the vCloud Director instance level, the organization level, and the organization virtual
datacenter level.
5. Protection at the virtual machine level - The Rubrik cluster applies the policies of the derived or
individually assigned SLA Domain assignment to the specified virtual machine. Essentially, the Rubrik
cluster ignores that the virtual machine is part of a vApp. To do this, delete the vCloud Director
instance from the Rubrik cluster.

Interaction with vSphere protection hierarchy
An SLA Domain assignment made through the vCloud Director hierarchy prevents an SLA Domain
assignment through the vSphere hierarchy and overrides an existing assignment in the vSphere hierarchy.
After an SLA Domain has been assigned to a vApp, either directly or through the vCloud Director hierarchy,
an SLA Domain cannot be assigned to the virtual machines in that vApp through the vSphere hierarchy.
Also, the SLA Domain assignment to the vApp overrides any existing SLA Domain assignment made
through the vSphere hierarchy for the virtual machines in the vApp.

Migration from virtual machine level protection


Virtual machines that are protected through an individual SLA Domain assignment can be moved to
protection through a containing vApp.
A virtual machine that is part of a vApp and has been protected outside of the vApp through an SLA
Domain assignment (derived or individual) can be migrated to be protected by snapshots of the vApp. The
existing snapshots of the virtual machine remain available, subject to their assigned SLA Domain policies.
The Rubrik cluster does not require a new full snapshot of the virtual machine after migrating to vApp
protection of the virtual machine.

vCloud Director instances


A Rubrik cluster works with vApps through vCloud Director instances.
Start working with vApps by providing access to a vCloud Director instance. Multiple vCloud Director
instances can be added to a Rubrik cluster.
After access is provided, the Rubrik cluster queries the vCloud Director instance and populates the Rubrik
CDM web UI with the instance hierarchy, including all vApps. The Rubrik CDM web UI provides a view for
each of the following levels of the hierarchy:
• vCloud Director instance
• vCloud Director organization
• Organization virtual datacenter
• vApps
Instances of vCloud Director support the actions described in the following table.

Action: Description
Refresh: Use the refresh action to request that the Rubrik cluster query the vCloud Director instance for the most recent vApp information.
Edit: Use edit to make changes to the account information for the selected vCloud Director instance.
Delete: Use delete to remove a vCloud Director instance. The Rubrik cluster marks the vApps from that vCloud Director instance as relics. The Rubrik cluster no longer protects the vApps.

Adding a vCloud Director instance
To add a vCloud Director instance to a Rubrik cluster, provide account information for the vCloud Director
instance.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click vCD Instances.
The vCD Instances page appears.
4. Click the + icon.
The Add vCD Account dialog box appears.
5. In vCD Server Hostname, type the FQDN of the computer that hosts the vCloud Director instance.
Use the format: vcdhost.example.com
6. In Username, type the name of an administrator account on the vCloud Director instance.
7. In Password, type the account password.
8. Optional: Click Advanced Setting to add a certificate for TLS validation.
The dialog box expands to show the Trusted Root Certificate box.
9. In Trusted Root Certificate, paste the trusted root certificate of the vCloud Director instance.
10. Click Add.

Result
The Rubrik cluster adds the vCloud Director instance. After establishing a connection and successfully
completing authentication, the Rubrik cluster queries the vCloud Director instance for all vApp information.

Refreshing vCloud Director instances


Refresh one or more vCloud Director instances to obtain the most recent vApp information for those
instances.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click vCD Instances.
The vCD Instances page appears.
4. Select one or more vCloud Director instances.
5. Click the ellipsis on the title bar of the vCD Instance page.
6. Click Refresh vCD Instances.

Result
The Rubrik cluster queues a task to refresh each selected vCloud Director instance.

Editing a vCloud Director instance


Edit a vCloud Director instance to make changes to the account information provided for that vCloud
Director instance.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.

2. Click the gear icon.
3. Click vCD Instances.
The vCD Instances page appears.
4. Click the ellipsis next to a vCloud Director instance.
5. Click Edit.
The Edit vCD Account dialog box appears.
6. Make changes to the account information.
7. Click Update.

Result
The Rubrik cluster stores the new account information and queues a task to refresh the selected vCloud
Director instance.

Deleting a vCloud Director instance


Remove vApp protection by deleting a vCloud Director instance from the Rubrik cluster. The Rubrik cluster
marks the vApps from that vCloud Director instance as relics.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click vCD Instances.
The vCD Instances page appears.
4. Click the ellipsis next to a vCloud Director instance.
5. Click Delete.
A confirmation dialog box appears.
6. Click Delete.

Result
The Rubrik cluster deletes the account information for the vCloud Director instance and marks all vApps
from that instance as relics.

vApp management
After a vCloud Director instance is added, the Rubrik cluster provides methods for finding, viewing, and
protecting the vApps.
When the Rubrik cluster finishes querying the vCloud Director instance, the vApps and hierarchical
information appear on the vCD vApps page. From the vCD vApps page, or the local page for a vApp, the
Rubrik cluster can perform the tasks listed in the following table.

Task: Description
Find a vApp: View the listing for a specific vApp and use the listing to access the local page for the vApp.
View the hierarchy: View each part of the vCloud Director hierarchy that leads to any vApp.
Enable synchronization: Enable synchronization for a vApp to request that the Rubrik cluster initiate snapshots of all of the virtual machines in a vApp at the same time.
Exclude a virtual machine: Select a vApp virtual machine and exclude it from all snapshots of the vApp.
Perform virtual machine tasks: Select a vApp virtual machine and perform standard Rubrik CDM tasks with it:
• Configure the application consistency setting
• Set up a pre-script and a post-script
• Exclude VMDKs from snapshots of the virtual machine
• Register the Rubrik Backup Service after it is installed on the virtual machine
Protect a vApp: Assign the data protection policies of an SLA Domain to the vApp. The SLA Domain can be inherited from any of the levels of the hierarchy or directly assigned to the vApp.
Take an on-demand snapshot: Initiate an on-demand snapshot of the selected vApp and assign the policies of any SLA Domain to that snapshot.

Finding a vApp through global search


Go directly to the local page for a vApp by using the Rubrik CDM web UI global search field.

Procedure
1. Log in to the Rubrik CDM web UI.
2. In Search by Name or Location, at the top of the Rubrik CDM web UI, type the name of the vApp.
A portion of the name can be typed. The Rubrik cluster lists all objects that have a name that matches
the string that is typed.
3. When the name of the vApp appears in the search results, click the name.

Result
The local page for the selected vApp appears.

Finding a vApp through vApp search


Find the listing for a vApp by using the vApp only search field on the vCD vApps page.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Virtual Machines > vCD vApps.
The vApps page appears with the vApps tab selected.
3. Type the name of the vApp in the Search by Name field.
A portion of the name can be typed. The Rubrik cluster lists all vApps that have a name that matches
the string that is typed.

Result
The local page for the selected vApp appears.

Finding a vApp through the vCD Organizations view
Find the listing for a vApp by using the vApp only search field on the vCD vApps page.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Virtual Machines > vCD vApps.
The vApps page appears with the vApps tab selected.
3. Click vCD Organizations.
The vCD Organizations tab appears.
4. In the Name column, click each object in the hierarchy of the vApp until the vApp appears.

Result
The local page for the selected vApp appears.

Opening the local page for a vApp


The local page of a vApp provides information about the SLA Domain assignment, virtual machines,
activities, and snapshots for a vApp.

Context
The local page also provides access to actions for the vApp and the virtual machines in the vApp.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Use one of the provided methods to locate the listing for the vApp.
An alternative method, to go directly to the local page for a vApp, is to type the name of the vApp in
the global search box on the top bar of the Rubrik CDM web UI and select the vApp from the results
list.
3. In the Name column, click the name of the vApp.

Result
The local page for the vApp appears.

Enabling synchronization
Synchronization enables the Rubrik cluster to simultaneously initiate snapshots for all virtual machines
within a vApp.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Open the local page of the vApp that contains the virtual machine.
3. Click the ellipsis on the title bar of the local vApp page.
4. Click Enable Synchronization.
A confirmation dialog box appears.
5. Click Enable.

Result
The Rubrik cluster enables synchronization for the vApp.

Related tasks
Opening the local page for a vApp
The local page of a vApp provides information about the SLA Domain assignment, virtual machines,
activities, and snapshots for a vApp.

Excluding a virtual machine


Exclude a virtual machine from the snapshots of the containing vApp.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Open the local page of the vApp that contains the virtual machine.
3. Click the ellipsis on the title bar of the local vApp page.
4. Click Exclude VMs.
The Exclude VMs dialog box appears.
5. Select a virtual machine.
Multiple virtual machines can be selected.
6. Click Exclude.

Result
The selected virtual machines are excluded from snapshots of the vApp. After being excluded from the
vApp snapshots, the virtual machines start deriving SLA Domain protection through the vSphere hierarchy.
Related tasks
Opening the local page for a vApp
The local page of a vApp provides information about the SLA Domain assignment, virtual machines,
activities, and snapshots for a vApp.

Including an excluded virtual machine


Include a virtual machine that was previously excluded back into the snapshots of the containing vApp.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Open the local page of the vApp that contains the virtual machine.
3. Click the ellipsis on the title bar of the local vApp page.
4. Click Exclude VMs.
The Exclude VMs dialog box appears.
5. Clear the selection for a virtual machine.
Multiple virtual machines can be cleared.
6. Click Update.

Result
The selected virtual machines are included in snapshots of the vApp.
Related tasks
Opening the local page for a vApp

The local page of a vApp provides information about the SLA Domain assignment, virtual machines,
activities, and snapshots for a vApp.

Performing tasks with a vApp virtual machine


Perform the Rubrik CDM tasks that are available for vSphere virtual machines with a vApp virtual machine.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Open the local page of the vApp that contains the virtual machine.
Opening the local page for a vApp describes how to open the local page for the vApp.
3. On the Virtual Machines card, click the ellipsis menu next to a virtual machine entry.
4. Select one of the virtual machine tasks.
Choose one of the following tasks:
• Configure Application Consistency
• Configure Pre/Post Scripts
• Exclude VMDKs
• Register the Rubrik Backup Service
5. Complete the selected task.
Related tasks
Opening the local page for a vApp
The local page of a vApp provides information about the SLA Domain assignment, virtual machines,
activities, and snapshots for a vApp.
Specifying crash consistent backups
By default, the Rubrik cluster initiates application consistent backups for a virtual machine when the
environment of the virtual machine meets the requirements of application consistent backups.
Enabling scripts
Configure the Rubrik cluster to run scripts when a virtual machine is backed up.
Excluding VMDK files of a virtual machine
When backups are not required for some of the VMDK files of a virtual machine, exclude those VMDK files
from backups.
Registering a guest OS install of RBS
After installing the Rubrik Backup Service software on a virtual machine guest OS, register the Rubrik
Backup Service with a Rubrik cluster.

Protecting a vApp through the vCloud Director hierarchy


Assign an SLA Domain to an object in the protection hierarchy of a vApp to begin protecting it. The vApp
derives protection from the next higher object in the hierarchy that has an assigned SLA Domain.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Virtual Machines > vCD vApps.
The vApps page appears with the vApps tab selected.
3. Click vCD Organizations.
The vCD Organizations tab appears.
4. In the Name column, click each object in the hierarchy until the object appears.
5. Select the object.
6. Click Manage Protection.

The Manage Protection dialog box appears.
7. Select an SLA Domain.
Manage Protection options describes the options that are available in this dialog box.
8. Click Submit.

Result
The Rubrik cluster assigns the SLA Domain to the vApp.
Related concepts
Protection hierarchy
SLA Domain protection can be applied to virtual machines within vApps by assigning the SLA Domain at
several different levels in the vCloud Director hierarchy. Protection can also be applied by assigning an SLA
Domain to an individual virtual machine within a vApp.

Protecting a vApp through the vApps tab


Assign an SLA Domain directly to a vApp through the vApps tab. An individual assignment of an SLA
Domain to a vApp takes precedence over any derived assignment.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Virtual Machines > vCD vApps.
The vApps page appears with the vApps tab selected.
3. Select a vApp.
Multiple vApps can be selected to apply a single SLA Domain assignment to the group.
4. Click Manage Protection.
The Manage Protection dialog box appears.
5. Select an SLA Domain.
Manage Protection options describes the options that are available in this dialog box.
6. Click Submit.

Result
The Rubrik cluster assigns the SLA Domain to the selected vApps.

Protecting a vApp through the local page


Assign an SLA Domain directly to a vApp through the local page of the vApp. An individual assignment of an
SLA Domain to a vApp takes precedence over any derived assignment.

Procedure
1. Log in to the Rubrik CDM web UI.
Use one of the provided methods to locate the listing for the vApp.
An alternative method, to go directly to the local page for a vApp, is to type the name of the vApp in
the global search box on the top bar of the Rubrik CDM web UI and select the vApp from the results
list.
2. In the Name column, click the name of the vApp.
The local page for the vApp appears.
3. Click Manage Protection.
The Manage Protection dialog box appears.
4. Select an SLA Domain.
Manage Protection options describes the options that are available in this dialog box.

5. Click Submit.

Result
The Rubrik cluster assigns the SLA Domain to the vApp.

Taking an on-demand snapshot of a vApp


Taking an on-demand snapshot of a vApp can be used to capture the vApp at a specific point in time and to
manage the selected snapshot using the policies of an SLA Domain that is different from the one assigned
to the vApp.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Use one of the provided methods to locate the listing for the vApp.
An alternative method, to go directly to the local page for a vApp, is to type the name of the vApp in
the global search box on the top bar of the Rubrik CDM web UI and select the vApp from the results
list.
3. In the Name column, click the name of the vApp.
The local page for the vApp appears.
4. Click Take On Demand Snapshot.
The Take On Demand Snapshot dialog box appears.
5. Select an SLA Domain.
To manually manage the snapshot as an unmanaged object, select Forever.
6. Click Take On Demand Snapshot.

Result
The Rubrik cluster creates an on-demand snapshot of the vApp and assigns it to the selected SLA Domain.
Related reference
Manage Protection options
Select virtualization hierarchy entities and click Manage Protection to view the Manage Protection dialog
box for the selected entities. The Manage Protection dialog box provides several options for the selected
entities.

Protecting vApp templates


The Rubrik cluster can protect snapshots of vApp templates to preserve vApp metadata, storage policies,
and network information.

Procedure
1. In a Web browser, open the URL https://RubrikCluster/docs/internal/playground/.
RubrikCluster is the resolvable hostname or IP address of the Rubrik cluster.
The Rubrik REST API Explorer appears.
2. Click Authorize.
The Available authorizations dialog box appears.
3. In the Basic Authorization section, type the user name and password for an administrator account.
4. Click Authorize.
The Rubrik REST API Explorer opens a session and stores the session token.
5. Click /config.
The listing expands to show all operations for that endpoint.

6. Click GET /config/vcd.
The endpoint listing expands.
7. Click Try it out.
The Rubrik REST API server responds with a list of configuration values.
8. In the response, verify that the value of the shouldRefreshUnderlyingCatalogs configuration
parameter is true.
Contact Support to correctly set this value if the value is not true.
9. In a separate browser tab, log in to the Rubrik CDM web UI.
10. Click Virtual Machines > vCD vApps.
The vApps page appears with the vApps tab selected.
11. Select a vApp template from the list of vApps.
The card for the vApp template appears.
12. Click Take On Demand Snapshot.
The Rubrik cluster schedules an on-demand snapshot.
13. In the URL of the current page, note the identifier that begins with the string VcdVapp:::.
This identifier is the vApp ID.
14. In the Rubrik REST API Explorer, click /vcd/vapp.
The list of endpoints expands.
15. Click GET /vcd/vapp/{id}.
The details for this endpoint expand.
16. Type the vApp ID from step 13 in id.
17. Click Try it out.
The REST API call returns a JSON object that includes the catalog ID.
18. In the JSON object, note the identifier that begins with the string VcdCatalog:::.
This identifier is the catalog ID.
19. Click GET /vcd/vapp/{id}/snapshot.
The details for this endpoint expand.
20. Type the vApp ID from step 13 in id.
21. Click Try it out.
Do not perform this step until the on-demand snapshot job completes successfully.
The REST API call returns a JSON object that includes the snapshot ID.
22. In the JSON object, note the identifier that is the value for the key id.
23. Click GET /vcd/vapp/template/snapshot/{snapshot_id}/export/options.
The details for this endpoint expand.
24. Type the snapshot ID from step 22 in snapshot_id.
25. Type the catalog ID from step 18 in catalog_id.
26. Type a name for the vApp template export in name.
27. Click Try it out.
The REST API call returns a JSON object that includes the vDC organization ID.
28. In the JSON object, note the identifier that is the value for the key orgVdcId.
29. In the JSON object, note the identifier that is the value for the key id in the storage policy section,
availableStoragePolicies.
30. Click GET /vcd/vapp/template/snapshot/{snapshot_id}/export.
The details for this endpoint expand.
31. Type the snapshot ID from step 22 in snapshot_id.
32. Type a configuration JSON object in config.

The configuration JSON object is in the following format:

{
  "name":"name",
  "catalogID":"catalog ID",
  "orgVdcId":"vDC Organization ID",
  "storagePolicyId":"Storage Policy ID"
}

33. Click Try it out.

Result
The Rubrik cluster schedules a job to export a snapshot of the vApp template.
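
The ID hand-offs in steps 8 through 32, as an added Python example that is not Rubrik code: it works on already-decoded API responses (no HTTP calls are made), extracts each identifier, and emits the configuration object as valid JSON. The response layouts (data, date, the nested catalog object), the sample values, and all function names are assumptions; only the ID prefixes and the key names quoted in the procedure come from this guide.

```python
import json
import re
from urllib.parse import unquote

# From the guide: the ID prefixes VcdVapp::: and VcdCatalog:::, and the keys
# shouldRefreshUnderlyingCatalogs, id, orgVdcId, availableStoragePolicies,
# name, catalogID, storagePolicyId. Every other detail of the response layout
# (data, date, nesting) is an assumption made for this example.


def vapp_id_from_url(url):
    """Step 13: extract the identifier that begins with VcdVapp::: from a URL."""
    # Browsers may percent-encode the colons, so decode before matching.
    match = re.search(r"VcdVapp:::[A-Za-z0-9_-]+", unquote(url))
    if match is None:
        raise ValueError("URL does not contain a VcdVapp::: identifier")
    return match.group(0)


def find_prefixed_id(node, prefix):
    """Step 18: depth-first search of decoded JSON for a string with prefix."""
    if isinstance(node, str):
        return node if node.startswith(prefix) else None
    if isinstance(node, dict):
        children = node.values()
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_prefixed_id(child, prefix)
        if found is not None:
            return found
    return None


def newest_snapshot_id(listing):
    """Step 22: return the id of the most recent snapshot in the listing."""
    snapshots = listing.get("data", [])
    if not snapshots:
        raise ValueError("no snapshot listed; the on-demand job may not be done")
    # ISO 8601 UTC timestamps in one format sort correctly as strings.
    return max(snapshots, key=lambda snap: snap["date"])["id"]


def build_export_config(name, vcd_config, vapp, listing, options, policy=None):
    """Steps 8 to 32: return (snapshot_id, config dict) for the export call."""
    # Fail closed: only the JSON boolean true passes the step 8 check.
    if vcd_config.get("shouldRefreshUnderlyingCatalogs") is not True:
        raise RuntimeError("shouldRefreshUnderlyingCatalogs is not true")
    catalog_id = find_prefixed_id(vapp, "VcdCatalog:::")
    if catalog_id is None:
        raise ValueError("vApp details contain no VcdCatalog::: identifier")
    policies = options.get("availableStoragePolicies", [])
    if policy is not None:
        policies = [p for p in policies if p.get("name") == policy]
    if not policies:
        raise ValueError("no storage policy available for the export")
    config = {
        "name": name,
        "catalogID": catalog_id,
        "orgVdcId": options["orgVdcId"],
        "storagePolicyId": policies[0]["id"],
    }
    return newest_snapshot_id(listing), config


def render_config(config):
    """Serialize with json.dumps so separators and quoting are always valid."""
    return json.dumps(config, indent=2)


# Constructed sample data; none of these values come from a real cluster.
SAMPLE_URL = "https://RubrikCluster/example/VcdVapp%3A%3A%3A1111-aaaa?tab=overview"
SAMPLE_VCD_CONFIG = {"shouldRefreshUnderlyingCatalogs": True}
SAMPLE_VAPP = {"id": "VcdVapp:::1111-aaaa", "name": "web-template",
               "catalog": {"id": "VcdCatalog:::2222-bbbb"}}
SAMPLE_LISTING = {"data": [
    {"id": "snap-1", "date": "2022-05-24T10:00:00.000Z"},
    {"id": "snap-2", "date": "2022-05-25T09:30:00.000Z"},
]}
SAMPLE_OPTIONS = {"orgVdcId": "orgvdc-3333-cccc",
                  "availableStoragePolicies": [
                      {"id": "policy-gold", "name": "Gold"},
                      {"id": "policy-silver", "name": "Silver"}]}

if __name__ == "__main__":
    snapshot_id, cfg = build_export_config(
        "template-export", SAMPLE_VCD_CONFIG, SAMPLE_VAPP,
        SAMPLE_LISTING, SAMPLE_OPTIONS, policy="Silver")
    print(vapp_id_from_url(SAMPLE_URL), snapshot_id)
    print(render_config(cfg))
```

Pasting the rendered string into config avoids hand-typed JSON, where a missing comma between members makes the request body invalid.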

Recovery and restore of vApp data


Use Instant Recovery, Export, or file level recovery to recover data from a vApp snapshot.

Recovery operation: Description
Instant Recovery: Fully or partially replace all of the virtual machines in the source vApp. Optionally, install the virtual machine NICs unmapped or mapped, or delete all NICs.
Export: Fully or partially export the vApp as a new vApp or into an existing vApp.
File level recovery: Recover folders and files from virtual machines in a vApp through:
• Download through a web browser
• Overwrite of the source files
• Restore to a separate folder

Instant Recovery and Export network options


The Instant Recovery or Export recovery options support specific network options.

Instant Recovery and    Description
Export network option
Delete NIC              NICs and vApp networks are not restored with the restored or exported virtual
                        machines.
No mapping              The restored or exported virtual machines are restored without vApp networks.
                        The NICs for these virtual machines are restored as disconnected NICs, without
                        an IP address or IP addressing mode. The vCD assigns these virtual machines a
                        MAC address.
Advanced                Individually assign the NICs in each virtual machine that is part of the recovery
                        or export operation to any of the available networks in the organization.
                        Restoration and IP address assignment vary depending on the IP address
                        allocation mode of the network to which the restored virtual machine connects:
                        • Manual IP assigned: Restores the IP and MAC addresses present in the
                          snapshot.
                        • IP assigned by DHCP: Restores the MAC address. The vCD assigns the IP
                          address when deploying the virtual machine.
                        • IP assigned from a static IP pool: Restores the MAC address. The vCD
                          assigns the IP address when adding the NIC to the virtual machine.

Recovery workflow
Recovery provides a way to replace a virtual machine in a vApp with a snapshot of the virtual machine
from a snapshot of the vApp.
An entire vApp or one or more virtual machines in a vApp can be replaced through recovery.
Recovery of a vApp can be either:
• Full – all of the vApp virtual machines and metadata are restored to replace the source vApp.
• Partial – one or more selected virtual machines and their metadata are restored to the source vApp.
Recovery can only be used to replace a virtual machine that exists in the target vApp. To restore a virtual
machine that does not exist in the target vApp, use Export.
To recover a virtual machine, the Rubrik cluster follows this workflow:
1. Remove the virtual machine from the inventory of the vCenter Server.

Note: The virtual machine is not removed from the datastore.

vCloud Director lists the removed virtual machine as missing from the vApp.
2. The Rubrik cluster mounts the snapshot of the virtual machine using the Rubrik cluster as the
datastore and adds the virtual machine to the vCenter Server.
Using the cloud.uuid field, the vCloud Director recognizes the mounted virtual machine and establishes
the link to the vApp.
3. The Rubrik cluster configures the network connections for the virtual machine.
4. The Rubrik cluster powers on the virtual machine.
5. When the virtual machine is powered on, the Rubrik cluster initiates Storage vMotion to move the
datastore to a datastore in the vCloud Director.
If the Storage vMotion fails and the virtual machine was powered on after being mounted, the Rubrik
cluster maintains the Live Mount of the virtual machine and sends an email to the global admin.
If there is a failure anywhere in the process, other than during Storage vMotion, the Rubrik cluster adds
the source virtual machine back to the vCenter Server. Normally, vCloud Director will link the source virtual
machine back into the vApp.

Performing an Instant Recovery of a full vApp
Use Instant Recovery to recover all of a vApp from a snapshot.

Prerequisites
Ensure that the vApp datastore contains at least one virtual machine.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Use one of the provided methods to locate the listing for the vApp.
An alternative method, to go directly to the local page for a vApp, is to type the name of the vApp in
the global search box on the top bar of the Rubrik CDM web UI and select the vApp from the results
list.
3. In the Name column, click the name of the vApp.
The local page for the vApp appears.
4. On the snapshots card, select a date with a snapshot.
5. In the Day view, open the ellipsis menu for a snapshot.
6. Click Instantly Recover.
The Instantly Recover Snapshot dialog box appears.
7. In Type, select Full vApp.
8. Click Next.
The Recovery Options panel appears.
9. Optional: Click Manually power on vApp.
The Rubrik cluster powers on all of the virtual machines in the recovered vApp.
10. In NIC Mapping, choose one of the available options.
• No Mapping
• Delete NICs of all VMs
• Advanced
11. (Advanced only) In Network, for each virtual machine NIC, select a network.
12. Click Finish.

Result
The Rubrik cluster performs the recovery actions.
Related concepts
Recovery workflow
Recovery provides a way to replace a virtual machine in a vApp with a snapshot of the virtual machine
from a snapshot of the vApp.

Performing an Instant Recovery of a partial vApp


Use Instant Recovery to recover some of the virtual machines in a vApp from a snapshot.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Use one of the provided methods to locate the listing for the vApp.
An alternative method, to go directly to the local page for a vApp, is to type the name of the vApp in
the global search box on the top bar of the Rubrik CDM web UI and select the vApp from the results
list.
3. In the Name column, click the name of the vApp.
The local page for the vApp appears.
4. On the snapshots card, select a date with a snapshot.
5. In the Day view, open the ellipsis menu for a snapshot.
6. Click Instantly Recover.
The Instantly Recover Snapshot dialog box appears.
7. In Type, select Partial vApp.
A list of the virtual machines in the vApp snapshot appears.
8. Select the virtual machines to include in the Instant Recovery.
9. Click Next.
The Recovery Options panel appears.
10. Optional: Click Manually power on vApp.
The Rubrik cluster powers on all of the virtual machines in the recovered vApp.
11. In NIC Mapping, choose one of the available options.
• No Mapping
• Delete NICs of all VMs
• Advanced
12. (Advanced only) In Network, for each virtual machine NIC, select a network.
13. Click Finish.

Result
The Rubrik cluster performs the recovery actions.
Related concepts
Recovery workflow
Recovery provides a way to replace a virtual machine in a vApp with a snapshot of the virtual machine
from a snapshot of the vApp.

Exporting a full vApp


Use Export to use a vApp snapshot to create a new vApp.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Use one of the provided methods to locate the listing for the vApp.
An alternative method, to go directly to the local page for a vApp, is to type the name of the vApp in
the global search box on the top bar of the Rubrik CDM web UI and select the vApp from the results
list.
3. In the Name column, click the name of the vApp.
The local page for the vApp appears.
4. On the snapshots card, select a date with a snapshot.
5. In the Day view, open the ellipsis menu for a snapshot.
6. Click Export.
The Export Snapshot dialog box appears.
7. In Type, select Full vApp.
8. Click Next.
9. On the Destination pane, select the vCloud Director instance for the new vApp.
10. Select the organization for the new vApp.
11. Select the organization virtual datacenter for the new vApp.
12. Click Next.
The Recovery Options panel appears.
13. Optional: Click Manually power on vApp.
The Rubrik cluster powers on all of the virtual machines in the recovered vApp.
14. In NIC Mapping, choose one of the options.
• No Mapping
• Delete NICs of all VMs
• Advanced
15. (Advanced only) In Network, for each virtual machine NIC, select a network.
16. In Storage Profile, choose one of the options.
• Default
• Custom
17. (Custom only) For each listed virtual machine, select a storage profile.
18. Click Finish.

Result
The Rubrik cluster uses the data in the selected vApp snapshot to create the new vApp.

Exporting a partial vApp


Use Export to use some of the virtual machines from a vApp snapshot to create a new vApp or to add to
an existing vApp.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Use one of the provided methods to locate the listing for the vApp.
An alternative method, to go directly to the local page for a vApp, is to type the name of the vApp in
the global search box on the top bar of the Rubrik CDM web UI and select the vApp from the results
list.
3. In the Name column, click the name of the vApp.
The local page for the vApp appears.
4. On the snapshots card, select a date with a snapshot.
5. In the Day view, open the ellipsis menu for a snapshot.
6. Click Export.
The Export Snapshot dialog box appears.
7. In Type, select Partial vApp.
8. In Target, select one of the following options:
• New vApp
• Existing vApp
9. Click Next.
10. On the Destination pane, select the vCloud Director instance for the export.
11. Select the organization for the export.
12. Select the organization virtual datacenter for the export.
13. (Export to existing vApp only) Select the existing vApp.
14. Click Next.
The Recovery Options panel appears.
15. (Optional) Click Manually power on vApp.
The Rubrik cluster powers on all of the virtual machines in the recovered vApp.
16. In NIC Mapping, choose one of the options.
• No Mapping
• Delete NICs of all VMs
• Advanced
17. (Advanced only) In Network, for each virtual machine NIC, select a network.
18. In Storage Profile, choose one of the options.
• Default
• Custom
19. (Custom only) For each listed virtual machine, select a storage profile.
20. Click Finish.

Result
The Rubrik cluster uses the data in the selected vApp snapshot to create a new vApp or to add to the
selected existing vApp.

Recovering folders and files for download


Recover folders and files from one of the virtual machine snapshots in a vApp snapshot and download
them through a web browser.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Use one of the provided methods to locate the listing for the vApp.
An alternative method, to go directly to the local page for a vApp, is to type the name of the vApp in
the global search box on the top bar of the Rubrik CDM web UI and select the vApp from the results
list.
3. In the Name column, click the name of the vApp.
The local page for the vApp appears.
4. On the snapshots card, select a date with a snapshot.
5. In the Day view, open the ellipsis menu for a snapshot.
6. Click Recover Files.
The Choose the VM to browse dialog box appears.
7. Select a virtual machine to browse for files.
8. Click Recover Files.
The Recover Files dialog box appears.
9. Optional: In the list view, select folders and files at the top level of the virtual machine.
10. Optional: Use the Search field to find and select folders and files at any level in the file system.
Selected folders and files appear in Selected and can be removed by clicking X next to a selection.
11. Click Next.
12. On the Recover Files pane, in Recovery Type, select Download.
13. Click Finish.
The Rubrik cluster creates a ZIP file with the selected folder and files.
In the Rubrik CDM web UI Notifications area, a ‘Downloaded’ message appears.
14. Click the message.
The Save As dialog box appears in the web browser.
15. Select a download location for the file, and click Save.

Result
The web browser retrieves the ZIP file from the Rubrik cluster and saves it to the selected location.

Recovering folders and files to overwrite originals
Recover folders and files from one of the virtual machine snapshots in a vApp snapshot to overwrite the
original folders and files on the source virtual machine.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Use one of the provided methods to locate the listing for the vApp.
An alternative method, to go directly to the local page for a vApp, is to type the name of the vApp in
the global search box on the top bar of the Rubrik CDM web UI and select the vApp from the results
list.
3. In the Name column, click the name of the vApp.
The local page for the vApp appears.
4. On the snapshots card, select a date with a snapshot.
5. In the Day view, open the ellipsis menu for a snapshot.
6. Click Recover Files.
The Choose the VM to browse dialog box appears.
7. Select a virtual machine to browse for files.
8. Click Recover Files.
The Recover Files dialog box appears.
9. Optional: In the list view, select folders and files at the top level of the virtual machine.
10. Optional: Use the Search field to find and select folders and files at any level in the file system.
Selected folders and files appear in Selected and can be removed by clicking X next to a selection.
11. Click Next.
12. On the Recover Files pane, in Recovery Type, select Overwrite original.
13. In Recovery Method, choose an option.
• Use Rubrik Backup Service
• Use VM tools
14. (Use VM tools only) In Service Credential, provide the domain, username, and password for an
account on the source virtual machine that has write permissions for the recovery paths.
15. Optional: (Use VM tools only) Select Store as Service Credentials for All VMs.
16. Click Finish.

Result
The Rubrik cluster writes the recovered folders and files from the snapshot into the specified folder,
preserving the hierarchy.

Recovering folders and files to a new location


Recover folders and files from one of the virtual machine snapshots in a vApp snapshot to a new location
on the source virtual machine.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Use one of the provided methods to locate the listing for the vApp.
An alternative method, to go directly to the local page for a vApp, is to type the name of the vApp in
the global search box on the top bar of the Rubrik CDM web UI and select the vApp from the results
list.
3. In the Name column, click the name of the vApp.
The local page for the vApp appears.
4. On the snapshots card, select a date with a snapshot.
5. In the Day view, open the ellipsis menu for a snapshot.
6. Click Recover Files.
The Choose the VM to browse dialog box appears.
7. Select a virtual machine to browse for files.
8. Click Recover Files.
The Recover Files dialog box appears.
9. Optional: In the list view, select folders and files at the top level of the virtual machine.
10. Optional: Use the Search field to find and select folders and files at any level in the file system.
Selected folders and files appear in Selected and can be removed by clicking X next to a selection.
11. Click Next.
12. On the Recover Files pane, in Recovery Type, select Restore to separate folder.
13. In Folder Path, type a full path to a folder for the recovery.
The Rubrik cluster creates the folder if it does not exist at the specified location.
14. In Recovery Method, choose an option.
• Use Rubrik Backup Service
• Use VM tools
15. (Use VM tools only) In Service Credential, provide the domain, username, and password for an
account on the source virtual machine that has write permissions for the recovery paths.
16. Optional: (Use VM tools only) Select Store as Service Credentials for All VMs.
17. Click Finish.

Result
The Rubrik cluster writes the recovered folders and files from the snapshot into the specified folder,
preserving the hierarchy.

Chapter 15
VMware Cloud on AWS

VMware Cloud on AWS

A Rubrik cloud cluster can protect virtual machines deployed on VMware Cloud on AWS (VMC).
VMC provides a software-defined data center, or SDDC, that hosts virtual machines in the AWS cloud.
Rubrik cloud clusters protect VMC data by ingesting the data from the SDDC using HotAdd proxy virtual
machines.
A HotAdd proxy virtual machine loads the Virtual Machine Disk, or VMDK, that is in use by the source
virtual machine. The Rubrik cloud cluster takes snapshots of the VMDK from the proxy virtual machine.
When the Rubrik cloud cluster discovers a new SDDC, the cluster launches jobs to instantiate a number of
HotAdd proxies determined by the size of the SDDC data store and the total number of protected virtual
machines. The Rubrik cloud cluster increases or decreases the number of HotAdd proxies as the inventory
of protected virtual machines increases or decreases.
Rubrik CDM does not support Instant Recovery, Live Mount for virtual machine, or Live Mount for virtual
disk for virtual machines on VMC.
Once configured, manage protected virtual machines in the same manner as any other vSphere virtual
machine. See Recovery of virtual machines for details.
Related Concepts
Recovery of virtual machines
For a Rubrik cluster, recovery of a source virtual machine means to mount a point-in-time copy of the
source virtual machine.

Virtual machine HotAdd proxy requirements


Each cloud-based datastore that hosts virtual machines protected by a Rubrik cluster requires a number of
HotAdd proxies that is determined by the number of nodes in the Rubrik cluster and the number of ESXi
hosts.

ESXi  | Rubrik cluster nodes
hosts |   3   4   5   6   7   8   9  10  11  12  13  14  15  16
    1 |   1   1   1   1   1   1   1   1   1   1   1   1   1   1
    2 |   2   2   2   2   2   2   2   2   2   2   2   2   2   2
    3 |   2   3   3   3   3   3   3   3   3   3   3   3   3   3
    4 |   2   3   4   4   4   4   4   4   4   4   4   4   4   4
    5 |   2   3   4   4   4   4   4   4   4   4   4   4   4   4
    6 |   2   3   4   4   5   5   5   5   5   5   5   5   5   5
    7 |   2   3   4   4   5   6   6   6   6   6   6   6   6   6
    8 |   2   3   4   4   5   6   6   7   7   7   7   7   7   7
    9 |   2   3   4   4   5   6   6   7   8   8   8   8   8   8
   10 |   2   3   4   4   5   6   6   7   8   8   8   8   8   8
   11 |   2   3   4   4   5   6   6   7   8   8   9   9   9   9
   12 |   2   3   4   4   5   6   6   7   8   8   9  10  10  10
   13 |   2   3   4   4   5   6   6   7   8   8   9  10  10  11
   14 |   2   3   4   4   5   6   6   7   8   8   9  10  10  11
   15 |   2   3   4   4   5   6   6   7   8   8   9  10  10  11
   16 |   2   3   4   4   5   6   6   7   8   8   9  10  10  11

Adding an SDDC
Add an SDDC to the Rubrik cloud cluster to protect the virtual machines on the SDDC.

Prerequisites
The Rubrik cluster uses dedicated ports to access the SDDC. The required ports are listed in HotAdd proxy port
requirements.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click vCenter Servers.
The vCenter Servers page appears.
4. Click the + icon.
The Add vCenter dialog box appears.
5. In vCenter (IP or FQDN), type the resolvable hostname or IP address of the SDDC.
For an IPv6 address, enclose the address in square brackets. For example:

[fd9d:22d3:cd28:7257::1]

6. In vCenter Username, type the username assigned to the Rubrik cluster.


7. In vCenter Password, type the password assigned to the Rubrik cluster.
8. Optional: Turn on the automatic linking feature by clicking the Automatically link discovered
virtual machines checkbox.
9. Optional: Click Advanced Setting to add a Certificate Authority (CA) certificate for TLS validation.
The dialog box expands to show the Trusted Root Certificate field.
10. (When adding a CA) Paste the text of the trusted CA root certificate for the SDDC into the Trusted
Root Certificate field.
11. Click Add.
The Rubrik cloud cluster detects the new vCenter as an SDDC and prompts for proxy network settings.
12. Select a network segment for use by the HotAdd proxy virtual machines.
13. Choose an IP address method.
• DHCP
• Static IP
14. (Static IP only) Enter values for the IP connection parameters listed.
• IP address or CIDR block
• Subnet mask
• Gateway
• DNS Server
15. Optional: Click Network Throttling to enter network usage thresholds in Mbps.
16. Click Set.

Result
The Rubrik cloud cluster discovers the SDDC and assembles an inventory of protectable virtual machines.

Listing HotAdd proxy virtual machines


All HotAdd proxy virtual machines in use are listed on the Proxy VMs page. The Proxy VMs page lists the
network segment, status, and number of VMDKs currently being processed by each HotAdd proxy virtual
machine.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click vCenter Servers.
The vCenter Servers page appears.
4. Click Monitor Proxy VMs.

Result
The Proxy VMs page appears.

Editing the network configuration for proxy virtual machines


Change the network configuration of proxy virtual machines to meet changing requirements.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click vCenter Servers.
The vCenter Servers page appears.
4. Click the ellipsis next to the SDDC in the displayed list of vCenter Servers.
The ellipsis menu appears.
5. Select Edit Proxy VM Network.
The Edit Proxy VM Network Settings dialog appears.
6. Select a network segment for use by the HotAdd proxy virtual machines.
7. Choose an IP address method.
• DHCP
• Static IP
8. (Static IP only) Enter values for the IP connection parameters listed.
• IP address or CIDR block
• Subnet mask
• Gateway
• DNS Server
9. Optional: Click Network Throttling to enter network usage thresholds in Mbps.
10. Click Set.

Result
The Rubrik cluster saves the configuration.

Chapter 16
Microsoft Azure VMware Solution

Microsoft Azure VMware Solution

A Rubrik cluster can protect virtual machines deployed on the Microsoft Azure VMware Solution (AVS).
AVS provides a software-defined data center, or SDDC, that hosts virtual machines in the Azure cloud.
Rubrik clusters protect AVS data by ingesting the data from the SDDC using HotAdd proxy virtual
machines.
A HotAdd proxy virtual machine mounts a copy of the Virtual Machine Disk (VMDK) that is in use by the
source virtual machine. The Rubrik cluster takes snapshots of the VMDK mounted on the proxy virtual
machine.
When the Rubrik cluster discovers a new SDDC, it launches jobs to deploy HotAdd proxies. The number
of proxies deployed is determined by the number of ESXi hosts and the number of nodes in the Rubrik
cluster. The Rubrik cloud cluster increases or decreases the number of HotAdd proxies as the number of
ESXi hosts or nodes in the Rubrik cluster changes.
Rubrik CDM does not support the following operations for virtual machines on AVS:
• Instant Recovery
• Live Mount for virtual machines
• Live Mount for virtual disk
After associating an SDDC with a Rubrik cluster, manage protected virtual machines in the same manner as
any other vSphere virtual machine.
Related Concepts
vSphere virtual machines
A Rubrik cluster provides data management and protection for virtual machines that are deployed in
a VMware vSphere environment. The Rubrik cluster can manage and protect virtual machines in an
environment with multiple vCenter Servers and multiple ESXi hosts.

Requirements for Azure VMware Solution


Before protecting virtual machines on the Azure VMware Solution (AVS), verify that AVS and Rubrik cluster
configurations meet the prerequisites.
To protect virtual machines on AVS with a Rubrik cluster, confirm that each of the listed actions is
complete.
• Deploy the Rubrik cluster in the same region as the AVS instance. Sharing the same region avoids
egress charges and network bandwidth restrictions.
• Configure an ExpressRoute connection between AVS and the Rubrik cluster. See the Microsoft
documentation for AVS for details on configuring ExpressRoute connections.
• Size the VNet Gateway SKU appropriately for the ExpressRoute connection in order to provide
sufficient bandwidth for backup and export operations. See https://docs.microsoft.com/en-us/azure/
expressroute/expressroute-about-virtual-network-gateways for details on VNet Gateway SKU sizing.
• Determine the AVS network segment where the virtual proxies run.
• Make one IP address available for each HotAdd proxy. If DHCP is in use, verify that the DHCP
configuration for the AVS network segment is correct. If static IP addressing is in use, allocate one IP
address for each HotAdd proxy.
• Verify that the DNS servers used by the Rubrik cluster and the HotAdd proxies correctly resolve the fully
qualified domain names (FQDNs) of the AVS vCenter Server and the ESXi hosts associated with that
vCenter Server.
• Verify that an AVS user account with the required minimum privileges is available for the Rubrik cluster
to authenticate to the vCenter.
• Verify that the required ports are open between AVS and the Rubrik cluster.
Related reference
Virtual machine HotAdd proxy requirements
Each cloud-based datastore that hosts virtual machines protected by a Rubrik cluster requires a number of
HotAdd proxies that is determined by the number of nodes in the Rubrik cluster and the number of ESXi
hosts.
Minimum virtual machine privileges
The vCenter Server role assigned to a Rubrik cluster must provide minimum virtual machine privileges on
the vCenter Server.
HotAdd proxy port requirements
A Rubrik cloud cluster requires access to several ports in order to protect virtual machines in a cloud-based
environment.

Virtual machine HotAdd proxy requirements


Each cloud-based datastore that hosts virtual machines protected by a Rubrik cluster requires a number of
HotAdd proxies that is determined by the number of nodes in the Rubrik cluster and the number of ESXi
hosts.

ESXi  | Rubrik cluster nodes
hosts |   3   4   5   6   7   8   9  10  11  12  13  14  15  16
    1 |   1   1   1   1   1   1   1   1   1   1   1   1   1   1
    2 |   2   2   2   2   2   2   2   2   2   2   2   2   2   2
    3 |   2   3   3   3   3   3   3   3   3   3   3   3   3   3
    4 |   2   3   4   4   4   4   4   4   4   4   4   4   4   4
    5 |   2   3   4   4   4   4   4   4   4   4   4   4   4   4
    6 |   2   3   4   4   5   5   5   5   5   5   5   5   5   5
    7 |   2   3   4   4   5   6   6   6   6   6   6   6   6   6
    8 |   2   3   4   4   5   6   6   7   7   7   7   7   7   7
    9 |   2   3   4   4   5   6   6   7   8   8   8   8   8   8
   10 |   2   3   4   4   5   6   6   7   8   8   8   8   8   8
   11 |   2   3   4   4   5   6   6   7   8   8   9   9   9   9
   12 |   2   3   4   4   5   6   6   7   8   8   9  10  10  10
   13 |   2   3   4   4   5   6   6   7   8   8   9  10  10  11
   14 |   2   3   4   4   5   6   6   7   8   8   9  10  10  11
   15 |   2   3   4   4   5   6   6   7   8   8   9  10  10  11
   16 |   2   3   4   4   5   6   6   7   8   8   9  10  10  11
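
Added example (not part of the Rubrik documentation): the sizing table above and the requirement of one IP address per HotAdd proxy can be checked together before the SDDC is added. The function names are hypothetical, and the check assumes that a static CIDR block lies inside the subnet given by the subnet mask and that the subnet's network address, broadcast address, and gateway cannot be assigned to a proxy.

```python
import ipaddress

# Rows copied from the sizing table: ESXi hosts, then proxies for 3..16 cluster nodes.
TABLE_ROWS = """\
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
2 2 2 2 2 2 2 2 2 2 2 2 2 2 2
3 2 3 3 3 3 3 3 3 3 3 3 3 3 3
4 2 3 4 4 4 4 4 4 4 4 4 4 4 4
5 2 3 4 4 4 4 4 4 4 4 4 4 4 4
6 2 3 4 4 5 5 5 5 5 5 5 5 5 5
7 2 3 4 4 5 6 6 6 6 6 6 6 6 6
8 2 3 4 4 5 6 6 7 7 7 7 7 7 7
9 2 3 4 4 5 6 6 7 8 8 8 8 8 8
10 2 3 4 4 5 6 6 7 8 8 8 8 8 8
11 2 3 4 4 5 6 6 7 8 8 9 9 9 9
12 2 3 4 4 5 6 6 7 8 8 9 10 10 10
13 2 3 4 4 5 6 6 7 8 8 9 10 10 11
14 2 3 4 4 5 6 6 7 8 8 9 10 10 11
15 2 3 4 4 5 6 6 7 8 8 9 10 10 11
16 2 3 4 4 5 6 6 7 8 8 9 10 10 11
"""
FIRST_NODE_COLUMN = 3  # the table starts at a 3-node cluster

PROXIES = {
    int(fields[0]): [int(value) for value in fields[1:]]
    for fields in (row.split() for row in TABLE_ROWS.splitlines())
}


def required_proxies(esxi_hosts, cluster_nodes):
    """Number of HotAdd proxies the table lists for this host and node count."""
    if esxi_hosts not in PROXIES:
        raise ValueError("ESXi host count %r is outside the table" % esxi_hosts)
    row = PROXIES[esxi_hosts]
    index = cluster_nodes - FIRST_NODE_COLUMN
    if not 0 <= index < len(row):
        raise ValueError("node count %r is outside the table" % cluster_nodes)
    return row[index]


def check_static_pool(block, subnet_mask, gateway, esxi_hosts, cluster_nodes):
    """Compare a static IP address or CIDR block with the proxy count it must serve."""
    needed = required_proxies(esxi_hosts, cluster_nodes)
    pool = ipaddress.ip_network(block, strict=False)  # a bare address becomes /32
    subnet = ipaddress.ip_network(
        "%s/%s" % (pool.network_address, subnet_mask), strict=False)
    gw = ipaddress.ip_address(gateway)
    problems = []
    if not pool.subnet_of(subnet):
        problems.append("block %s is wider than subnet %s" % (pool, subnet))
    if gw not in subnet:
        problems.append("gateway %s is outside subnet %s" % (gw, subnet))
    # Addresses in the block that a proxy cannot take (assumption, see lead-in).
    reserved = {subnet.network_address, subnet.broadcast_address, gw}
    usable = pool.num_addresses - sum(1 for addr in reserved if addr in pool)
    if usable < needed:
        problems.append("%d usable addresses for %d proxies" % (usable, needed))
    return {"required": needed, "usable": usable, "problems": problems}


if __name__ == "__main__":
    # Constructed inputs: 8 ESXi hosts, 10 Rubrik nodes, and a /29 static block.
    print(check_static_pool("10.20.30.16/29", "255.255.255.0", "10.20.30.1", 8, 10))
```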

Adding an SDDC
Add an SDDC to the Rubrik cloud cluster to protect the virtual machines on the SDDC.

Prerequisites
The Rubrik cluster uses dedicated ports to access the SDDC. The required ports are listed in HotAdd proxy port
requirements.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click vCenter Servers.
The vCenter Servers page appears.
4. Click the + icon.
The Add vCenter dialog box appears.
5. In vCenter (IP or FQDN), type the resolvable hostname or IP address of the SDDC.
For an IPv6 address, enclose the address in square brackets. For example:

[fd9d:22d3:cd28:7257::1]

6. In vCenter Username, type the username assigned to the Rubrik cluster.


7. In vCenter Password, type the password assigned to the Rubrik cluster.
8. Optional: Turn on the automatic linking feature by clicking the Automatically link discovered
virtual machines checkbox.
9. Optional: Click Advanced Setting to add a Certificate Authority (CA) certificate for TLS validation.
The dialog box expands to show the Trusted Root Certificate field.
10. (When adding a CA) Paste the text of the trusted CA root certificate for the SDDC into the Trusted
Root Certificate field.
11. Click Add.
The Rubrik cloud cluster detects the new vCenter as an SDDC and prompts for proxy network settings.
12. Select a network segment for use by the HotAdd proxy virtual machines.
13. Choose an IP address method.
• DHCP
• Static IP
14. (Static IP only) Enter values for the IP connection parameters listed.
• IP address or CIDR block
• Subnet mask
• Gateway
• DNS Server
15. Optional: Click Network Throttling to enter network usage thresholds in Mbps.
16. Click Set.

Result
The Rubrik cloud cluster discovers the SDDC and assembles an inventory of protectable virtual machines.

Listing HotAdd proxy virtual machines


All HotAdd proxy virtual machines in use are listed on the Proxy VMs page. The Proxy VMs page lists the
network segment, status, and number of VMDKs currently being processed by each HotAdd proxy virtual
machine.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click vCenter Servers.
The vCenter Servers page appears.
4. Click Monitor Proxy VMs.

Result
The Proxy VMs page appears.

Editing the network configuration for proxy virtual machines


Change the network configuration of proxy virtual machines to meet changing requirements.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click vCenter Servers.
The vCenter Servers page appears.
4. Click the ellipsis next to the SDDC in the displayed list of vCenter Servers.
The ellipsis menu appears.
5. Select Edit Proxy VM Network.
The Edit Proxy VM Network Settings dialog appears.
6. Select a network segment for use by the HotAdd proxy virtual machines.
7. Choose an IP address method.
• DHCP
• Static IP
8. (Static IP only) Enter values for the IP connection parameters listed.
• IP address or CIDR block
• Subnet mask
• Gateway
• DNS Server
9. Optional: Click Network Throttling to enter network usage thresholds in Mbps.
10. Click Set.

Result
The Rubrik cluster saves the configuration.

Chapter 17
Google Cloud VMware Engine

Google Cloud VMware Engine

A Rubrik cluster can protect virtual machines deployed on the Google Cloud VMware Engine (GCVE).
GCVE provides a software-defined data center, or SDDC, that hosts virtual machines in the Google cloud.
Rubrik clusters protect GCVE data by ingesting the data from the SDDC using HotAdd proxy virtual
machines.
A HotAdd proxy virtual machine mounts a copy of the Virtual Machine Disk (VMDK) that is in use by the
source virtual machine. The Rubrik cluster backs up the VMDK mounted on the proxy virtual machine.
When the Rubrik cluster discovers a new SDDC, it launches jobs to deploy HotAdd proxies. The number
of proxies deployed is determined by the number of ESXi hosts and the number of nodes in the Rubrik
cluster. The Rubrik cloud cluster increases or decreases the number of HotAdd proxies as the number of
ESXi hosts or nodes in the Rubrik cluster changes.
Rubrik CDM does not support the following operations for virtual machines on GCVE:
• Instant Recovery
• Live Mount for virtual machines
• Live Mount for virtual disk
After associating an SDDC with a Rubrik cluster, manage protected virtual machines in the same manner as
any other vSphere virtual machine.
Related Concepts
vSphere virtual machines
A Rubrik cluster provides data management and protection for virtual machines that are deployed in
a VMware vSphere environment. The Rubrik cluster can manage and protect virtual machines in an
environment with multiple vCenter Servers and multiple ESXi hosts.

Requirements for Google Cloud VMware Engine


The Google Cloud VMware Engine and Rubrik cluster configurations must meet specified prerequisites in
order to protect virtual machines deployed on the Google Cloud VMware Engine.
To protect virtual machines on the Google Cloud VMware Engine (GCVE) with a Rubrik cluster, confirm that
each of the listed conditions is met.
• When using a Rubrik Cloud cluster, the cluster is deployed to the same region as the GCVE instance.
• A Private Service Access (PSA) connection exists between GCVE and the GCP VPC to which the Rubrik
cluster has access. See the Google documentation for GCVE for details. To avoid egress charges and
network bandwidth restrictions, the PSA connection shares the same region as the GCVE instance.
• The GCVE network segment where the virtual proxies run has been identified.
• One IP address is available on the GCVE network segment for each HotAdd proxy. If DHCP is in use, the
DHCP configuration for the GCVE network segment is correct. If static IP addressing is in use, one IP
address is allocated for each HotAdd proxy.
• The DNS servers used by the Rubrik cluster and the HotAdd proxies correctly resolve the fully qualified
domain names (FQDNs) of the GCVE vCenter Server and of the ESXi hosts that are associated with that
vCenter Server.

• A GCVE user account with the required minimum privileges is available for the Rubrik cluster to
authenticate to the vCenter.
• The required ports are open between GCVE and the Rubrik cluster.
• A DNS server that can resolve the FQDNs of the GCVE vCenter and the ESXi hosts was specified during
the Rubrik cluster bootstrap. By default, only DNS servers hosted by the GCP project are able to resolve
these FQDNs. For details on how to enable virtual machines on a VPC to resolve GCVE FQDNs, consult
Google Cloud documentation.
Related reference
Virtual machine HotAdd proxy requirements
Each cloud-based datastore that hosts virtual machines protected by a Rubrik cluster requires a number of
HotAdd proxies that is determined by the number of nodes in the Rubrik cluster and the number of ESXi
hosts.
Minimum virtual machine privileges
The vCenter Server role assigned to a Rubrik cluster must provide minimum virtual machine privileges on
the vCenter Server.
HotAdd proxy port requirements
A Rubrik cloud cluster requires access to several ports in order to protect virtual machines in a cloud-based
environment.

Virtual machine HotAdd proxy requirements


Each cloud-based datastore that hosts virtual machines protected by a Rubrik cluster requires a number of
HotAdd proxies that is determined by the number of nodes in the Rubrik cluster and the number of ESXi
hosts.

              Rubrik cluster nodes
ESXi hosts     3   4   5   6   7   8   9  10  11  12  13  14  15  16
 1             1   1   1   1   1   1   1   1   1   1   1   1   1   1
 2             2   2   2   2   2   2   2   2   2   2   2   2   2   2
 3             2   3   3   3   3   3   3   3   3   3   3   3   3   3
 4             2   3   4   4   4   4   4   4   4   4   4   4   4   4
 5             2   3   4   4   4   4   4   4   4   4   4   4   4   4
 6             2   3   4   4   5   5   5   5   5   5   5   5   5   5
 7             2   3   4   4   5   6   6   6   6   6   6   6   6   6
 8             2   3   4   4   5   6   6   7   7   7   7   7   7   7
 9             2   3   4   4   5   6   6   7   8   8   8   8   8   8
10             2   3   4   4   5   6   6   7   8   8   8   8   8   8
11             2   3   4   4   5   6   6   7   8   8   9   9   9   9
12             2   3   4   4   5   6   6   7   8   8   9  10  10  10
13             2   3   4   4   5   6   6   7   8   8   9  10  10  11
14             2   3   4   4   5   6   6   7   8   8   9  10  10  11
15             2   3   4   4   5   6   6   7   8   8   9  10  10  11
16             2   3   4   4   5   6   6   7   8   8   9  10  10  11

Adding an SDDC
Add an SDDC to the Rubrik cloud cluster to protect the virtual machines on the SDDC.

Prerequisites
The Rubrik cluster uses dedicated ports to access SDDC. The required ports are listed in HotAdd proxy port
requirements.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click vCenter Servers.
The vCenter Servers page appears.
4. Click the + icon.
The Add vCenter dialog box appears.
5. In vCenter (IP or FQDN), type the resolvable hostname or IP address of the SDDC.
For an IPv6 address, enclose the address in square brackets. For example:

[fd9d:22d3:cd28:7257::1]

6. In vCenter Username, type the username assigned to the Rubrik cluster.


7. In vCenter Password, type the password assigned to the Rubrik cluster.
8. Optional: Turn on the automatic linking feature by clicking the Automatically link discovered
virtual machines checkbox.
9. Optional: Click Advanced Setting to add a Certificate Authority (CA) certificate for TLS validation.
The dialog box expands to show the Trusted Root Certificate field.
10. (When adding a CA) Paste the text of the trusted CA root certificate for the SDDC into the Trusted
Root Certificate field.
11. Click Add.
The Rubrik cloud cluster detects the new vCenter as an SDDC and prompts for proxy network settings.
12. Select a network segment for use by the HotAdd proxy virtual machines.
13. Choose an IP address method.
• DHCP
• Static IP
14. (Static IP only) Enter values for the IP connection parameters listed.
• IP address or CIDR block
• Subnet mask
• Gateway
• DNS Server
15. Optional: Click Network Throttling to enter network usage thresholds in Mbps.
16. Click Set.

Result
The Rubrik cloud cluster discovers the SDDC and assembles an inventory of protectable virtual machines.

Listing HotAdd proxy virtual machines
All HotAdd proxy virtual machines in use are listed on the Proxy VMs page. The Proxy VMs page lists the
network segment, status, and number of VMDKs currently being processed by each HotAdd proxy virtual
machine.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click vCenter Servers.
The vCenter Servers page appears.
4. Click Monitor Proxy VMs.

Result
The Proxy VMs page appears.

Editing the network configuration for proxy virtual machines


Change the network configuration of proxy virtual machines to meet changing requirements.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click vCenter Servers.
The vCenter Servers page appears.
4. Click the ellipsis next to the SDDC in the displayed list of vCenter Servers.
The ellipsis menu appears.
5. Select Edit Proxy VM Network.
The Edit Proxy VM Network Settings dialog appears.
6. Select a network segment for use by the HotAdd proxy virtual machines.
7. Choose an IP address method.
• DHCP
• Static IP
8. (Static IP only) Enter values for the IP connection parameters listed.
• IP address or CIDR block
• Subnet mask
• Gateway
• DNS Server
9. Optional: Click Network Throttling to enter network usage thresholds in Mbps.
10. Click Set.

Result
The Rubrik cluster saves the configuration.

Chapter 18
CloudOn for AWS

CloudOn for AWS

Rubrik CloudOn for AWS provides the ability to convert a local snapshot, an archived snapshot, or a replica
into an Amazon Machine Image, and then run that image on an Amazon virtual private cloud.
Rubrik CloudOn for AWS can be used in various scenarios, such as:
• Instantiating VMware virtual machines for test and development.
• Migrating on-premises virtual machines to AWS.
• Using an archived snapshot to fail over to AWS when the on-premises data center fails.

CloudOn for AWS compute instances


Rubrik CloudOn for AWS uses two transient compute instances, Bolt and Converter. Compute intensive
tasks use Bolt. Converter writes data to attached disks and copies OS drivers for Windows virtual
machines.

Transient compute instance: Bolt
Description: Bolt reads archived data from AWS S3 based on information shared by the Rubrik cluster for a
specific CloudConversion job. For local snapshots, the Rubrik cluster constructs incremental data between
the archived snapshot and the local snapshot. The Rubrik cluster then uploads the delta between the
archived snapshot and the local snapshot to the archival location.
Instance requirements:
• Instance type: m5.4xlarge
• OS disk: 400 GB (gp2, 1200 IOPS)
• Data disk: 500 GB (st1)

Transient compute instance: Converter
Description: Converter reads incremental data from Bolt, writes to EBS volumes, and copies drivers for
Windows virtual machines.
Instance requirements:
Windows converter
• Instance type: m4.xlarge
• OS disk: 30 GB (gp2, 100 IOPS)
Linux converter
• Instance type: m4.xlarge
• OS disk: 8 GB (gp2, 100 IOPS)

Prerequisites for CloudOn for AWS
There are certain prerequisites for configuring CloudOn for AWS.

Prerequisite Description

AWS VM Import Service: Rubrik CDM uses its own native converter to convert a virtual machine to an
Amazon Machine Image (AMI). If the conversion is not successful, Rubrik CDM uses the AWS VM Import
Service instead. To prepare for this possibility, the prerequisites and limitations that apply to the AWS
VM Import service must also be applied to CloudOn for AWS. See AWS documentation on VM Import/Export
Requirements for more information.

Windows virtual machine activation: If the source virtual machine is a Windows system that uses Microsoft
KMS for licensing, that virtual machine must have access to a Microsoft KMS server for activation. One
option is to use the Microsoft KMS service hosted by AWS. See AWS documentation for more information.

Linux virtual machine ENA and NVMe drivers: For optimal performance, Linux source virtual machines must
have network drivers installed that support the AWS Elastic Network Adapter (ENA).
In order to access the converted EBS volumes, Linux source virtual machines must also have NVMe disk
drivers installed before using CloudOn for AWS.
Most modern Linux distributions have both types of drivers installed already. Consult AWS documentation
to verify the specific Linux distributions and versions that will be used with CloudOn for AWS.

Cloud Compute settings: CloudOn for AWS uses information from the Cloud Compute settings that were
configured for the Archival location. See Archiving for information on configuring Cloud Compute settings.

VPC connectivity: The Rubrik cluster must have IP connectivity to the VPC specified in the Cloud Compute
settings for the archival location. Any one of the following ways can establish connectivity between the
on-premises network and the VPC:
• Private IP address and NAT instance
• Private IP address and NAT gateway
• Public IP address and internet gateway
Note: To communicate with the Rubrik cluster over a public IP address, contact Rubrik Support.

Note: Encrypted EBS volumes are not supported in CDM.

Connectivity to AWS
Rubrik CloudOn for AWS requires specific configuration actions.
• If internet access is not available on the VPC, configure an Amazon S3 VPC endpoint to the VPC. This
VPC endpoint secures the access to Amazon S3 without internet access.
• If the Amazon S3 bucket is encrypted with KMS and VPC does not have internet connectivity, Rubrik
recommends adding the KMS endpoint to the VPC.
• When a VPC is configured to provide access from the Rubrik cluster to Amazon S3, the Rubrik cluster
prompts for the VPC ID of the VNet and the subnet ID of a subnet within the VPC.

• Enable DNS resolution on the VPC used in compute settings to allow the VPC to communicate with
Amazon S3.
Amazon AWS online documentation provides information on configuring VPCs.

Security group
Create a security group with appropriate rules.
Creating a security group enables secure access to the transient instance within the VPC that the customer
specified.
Related tasks
Creating a security group for AWS CloudOn
The security group enables secure access to the transient instance within the VPC.

IAM roles
Create IAM roles with the required permissions.
• Create one IAM role for all AWS CloudOn permissions.
Amazon AWS online documentation provides information about IAM roles.
• Create a virtual machine import service role to download disk images from an Amazon S3 bucket.
Amazon AWS online documentation provides information on how to create a virtual machine import
service role.
Related concepts
VM Import service role
To permit an AWS account to use the VM Import/Export service to create AMIs from the VMDK files, AWS
requires that the account have an IAM policy that is attached to the VM Import service role.

Pre-configurations for source virtual machines


To successfully use Rubrik CloudOn for AWS, ensure that the source virtual machines meet the
configuration requirements of the feature.

Setting Description

Linux configuration:
• Enable secure shell for remote access.
• Ensure that the host firewall (for example, Linux iptables) grants access to SSH.
• Ensure that the Linux virtual machine has GRUB or GRUB2 as its bootloader.
• Ensure that there is 500 MB space on the root disk.

Windows configuration:
• Enable Remote Desktop Protocol (RDP).
• Ensure that the RDP port is enabled on the firewall.
• For instantiation, ensure that there is 900 MB of free space on the root disk.

Boot loader partitioning configurations
Review the supported and unsupported configurations listed in the following table.

                         BIOS MBR    BIOS GPT        UEFI MBR        UEFI GPT
Windows OS partition     Supported   Not supported   Not supported   Not supported
Windows data partition   Supported   Supported       Not supported   Not supported
Linux OS partition       Supported   Not supported   Not supported   Not supported
Linux data partition     Supported   Supported       Not supported   Not supported

Virtual machine configurations


Rubrik CloudOn for AWS has both supported and unsupported configurations.

Setting Description

Supported disk partitioning scheme: Master Boot Record (MBR) and GUID partition table on both Windows
and Linux.

Supported file systems:
• Windows - NTFS
• Linux - EXT3, EXT4, XFS

Supported OS disk formats:
• Standard
• LVM
• LDM

Dual boot volumes: A virtual machine configured to dual boot with two operating systems is not supported.

Supported non-boot volume: Non-boot volumes using GPT cannot exceed 4 TB.

Supported single disk size: Cannot exceed 4 TB for instantiations.

Supported number of disks on virtual machines: Virtual machines with up to 10 disks can be instantiated.

Supported Windows language packs: English

Supported multiple NICs:
• For Linux virtual machines: Supported if source virtual machine has eth* NICs but not supported if
source virtual machines have ens* NICs.
• For Windows virtual machines: Supported

Static IPs: Supported

Supported encryption: For Windows and Linux virtual machines:
• VMware vSphere virtual machine encryption
• Data disks using BitLocker (only if VMware vSphere virtual machine encryption is enabled)

Unsupported encryption: For Windows and Linux virtual machines: Encryption is not supported for
virtual machines located on the OS disk using any encryption method other than VMware vSphere virtual
machine encryption.

Unsupported virtual machine configurations:
• Virtual machines with 32-bit configuration
• Desktop OS
• Custom kernel

AWS AMI tags


Use the AWS console to find all resources created with the AWS account as part of AWS CloudOn. Rubrik
CDM tags all resources with key-value pairs that store relevant information.
The AWS CloudOn feature uses AMI tags to store information in resources relevant for the cluster.

Tag Description
rk_cluster_id The user friendly name of the source virtual machine. This name is the same for all
resources that are launched within the same cluster. However, this does not include
instances launched by another Rubrik reader cluster or promoted owner cluster.
rk_job_id The job ID used when launching the resources.
rk_instance_class Transient Rubrik Bolt Instance
rk_version The cluster version when the resource is launched.
rk_host_name The name of the vCenter Server, SCVMM host, or Hyper-V host.
rk_snapshot_time The 13 digit Unix Epoch timestamp for the time at which the AMI was created.
rk_snappable_id The ID of the data source.
rk_object_name The name of the data source.
snappable_type The type of the data source.

The CloudOn for AWS feature also adds tags to transient compute instances that are launched in the AWS
account to perform conversion of virtual machines.

Resource                                        Tag Key                       Tag Value
Bolt and Converter Instance                     rk_instance_class             TransientStormInstance
                                                storm_type                    BOLT/LINC/WINC
                                                rk_storm_instance_handle_id   storm_handle_id
EBS volumes created by Rubrik CDM               rk_instance_class             CloudSnapshotBasedVolume/EmptyVolume
                                                rk_snappable_id               snappable_id
                                                rk_object_name                snappableName
                                                rk_instance_class             VolumeGeneratedCloudSnapshot
                                                rk_object_name                snappableName
Temporary instance, AMI and instance launched   rk_instance_class             ImageConversionTemporaryInstance
                                                provider                      provider_id
                                                rk_requester_id               user-id who launched the job
                                                rk_snappable_id               snappable_id
                                                rk_snapshot_id                snapshotId
                                                rk_object_name                snappableName
                                                rk_host_name                  vcenterName
                                                rk_snapshot_time              snapshot time
                                                location_unique_id            uniqueLocationId
                                                snappable_type                snappableType

Related reference
Prerequisites for CloudOn for AWS
There are certain prerequisites for configuring CloudOn for AWS.
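
The tags listed above can also drive a scripted inventory. The following Python example is added here and is not Rubrik or AWS code: it reads output in the shape of `aws ec2 describe-instances`, keeps the instances that carry `rk_instance_class`, decodes `rk_snapshot_time`, and marks Bolt or Converter instances that are still running after a cutoff. The sample data, instance IDs, handle values, function names, and the 24-hour cutoff are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# rk_instance_class value the tag table gives for Bolt and Converter instances.
TRANSIENT_CLASS = "TransientStormInstance"

# Constructed sample in the shape of `aws ec2 describe-instances` output.
SAMPLE_OUTPUT = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaaaaaaaaaaaaaaa", "State": {"Name": "running"},
   "LaunchTime": "2022-05-23T08:00:00+00:00",
   "Tags": [{"Key": "rk_instance_class", "Value": "TransientStormInstance"},
            {"Key": "storm_type", "Value": "BOLT"},
            {"Key": "rk_storm_instance_handle_id", "Value": "constructed-handle-1"}]},
  {"InstanceId": "i-0bbbbbbbbbbbbbbbb", "State": {"Name": "running"},
   "LaunchTime": "2022-05-25T11:30:00.000Z",
   "Tags": [{"Key": "rk_instance_class", "Value": "TransientStormInstance"},
            {"Key": "storm_type", "Value": "WINC"},
            {"Key": "rk_storm_instance_handle_id", "Value": "constructed-handle-2"}]},
  {"InstanceId": "i-0cccccccccccccccc", "State": {"Name": "running"},
   "LaunchTime": "2022-05-20T09:00:00+00:00",
   "Tags": [{"Key": "rk_instance_class", "Value": "ImageConversionTemporaryInstance"},
            {"Key": "rk_object_name", "Value": "constructed-vm-01"},
            {"Key": "rk_snapshot_time", "Value": "1653472800000"}]},
  {"InstanceId": "i-0dddddddddddddddd", "State": {"Name": "running"},
   "LaunchTime": "2022-05-01T00:00:00+00:00",
   "Tags": [{"Key": "Name", "Value": "unrelated-web-server"}]}
]}]}
""")


def tags_of(resource):
    """Flatten the EC2 [{"Key": k, "Value": v}, ...] tag list into a dict."""
    return {t["Key"]: t["Value"] for t in resource.get("Tags", [])}


def snapshot_time(tags):
    """Decode rk_snapshot_time (13-digit Unix epoch, so milliseconds) as UTC."""
    raw = tags.get("rk_snapshot_time", "")
    if len(raw) != 13 or not raw.isdigit():
        return None  # missing or not in the documented 13-digit form
    return datetime.fromtimestamp(int(raw) / 1000, tz=timezone.utc)


def cloudon_inventory(describe_output, now, max_age=timedelta(hours=24)):
    """List CloudOn-tagged instances; mark transient ones running past max_age."""
    rows = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tags = tags_of(inst)
            cls = tags.get("rk_instance_class")
            if cls is None:
                continue  # no Rubrik class tag: not a CloudOn resource
            # Accept both "+00:00" and "Z" suffixes in LaunchTime.
            launched = datetime.fromisoformat(inst["LaunchTime"].replace("Z", "+00:00"))
            running = inst["State"]["Name"] in ("pending", "running")
            rows.append({
                "id": inst["InstanceId"],
                "class": cls,
                "storm_type": tags.get("storm_type"),
                "object": tags.get("rk_object_name"),
                "snapshot_time": snapshot_time(tags),
                "stale": cls == TRANSIENT_CLASS and running and now - launched > max_age,
            })
    return rows


def stale_transient_ids(rows):
    """Instance IDs of transient compute instances flagged as stale."""
    return [r["id"] for r in rows if r["stale"]]


if __name__ == "__main__":
    now = datetime(2022, 5, 25, 12, 0, tzinfo=timezone.utc)  # fixed for the sample
    for row in cloudon_inventory(SAMPLE_OUTPUT, now):
        print(row)
```
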

CloudOn CloudFormation template


The AWS CloudFormation service provides a way to create a stack of resources using a template. Rubrik
has created the CloudOn CloudFormation template, which is specifically designed to provision the
resources required for the AWS CloudOn application.
The CloudOn CloudFormation template includes a section for provisioning an S3 bucket as an archival
location. If the CloudOut CloudFormation template was previously used to provision an S3 bucket, that
S3 bucket can be used for AWS CloudOn. Similarly, if an IAM user was provisioned for AWS CloudOut, the
same user can be used for AWS CloudOn. Since the IAM user for CloudOn requires additional permissions
compared to the IAM user for AWS CloudOut, the template automatically adds the necessary permissions.
AWS only allows one IAM role with the name vmimport. If the vmimport role already exists, the CloudOn
template automatically adds the permissions needed for CloudOn to the existing role.

Configuring AWS CloudOn using the CloudFormation template


Use the CloudOn CloudFormation template to configure CloudOn for AWS.

Context
Answer the questions in the Create Stack wizard, and edit the default values and descriptions as
necessary.

Prerequisites
AWS CloudOn requires a Virtual Private Cloud (VPC). The VPC can be the default VPC for the AWS region
or a custom VPC. Set up a subnet inside the VPC where AWS CloudOn can launch its compute resources.
The Rubrik cluster uses dedicated ports to access the subnet via VPN, Direct Connect, or public IP address.
The required ports are listed in AWS ports. Update the firewall to allow outbound traffic from the Rubrik
cluster to these ports.

Procedure
1. Log in to the AWS Management Console as a user with cloud administrator privileges.
2. From the top bar of the AWS Management Console, select the AWS region where the CloudFormation
stack will be created.
3. Open the Services menu and select CloudFormation.

The AWS CloudFormation > Stacks page appears.
4. Open the Create stack menu and select With new resources (standard).
The Create stack wizard appears.
5. Under Prepare template, select Template is ready.
6. Under Template source, select AWS S3 URL.
7. In AWS S3 URL, provide the URL of the CloudOn CloudFormation template.
Copy and paste the following URL:
https://rubrik-cfts.s3.us-west-1.amazonaws.com/rubrik_cloudon.template
8. Click Next.
The wizard advances to the Specify stack details step. Some fields are already filled in with values
from the template.
9. In Stack name, type a name for the AWS CloudOn CloudFormation stack.
10. In CreateNewS3Bucket, choose whether to create a new bucket.
Option Description
Yes Create a new S3 bucket for CloudOut.
No Use an existing S3 bucket for CloudOut.
11. In S3BucketName, type the name of the S3 bucket that will be used as a Rubrik cluster archival
location.
12. In VPC, open the menu and select the VPC for the archival location.
13. In OnPremRubrikCIDR, replace the default value with the actual CIDR block of the Rubrik cluster
that is using AWS CloudOn.
The CIDR block identifies the IP addresses to allow through the VPC firewall, so the Rubrik cluster can
communicate with Bolt instances and converter instances.
14. Under IAM Users and Roles, in CreateNewUser, choose whether to create a new user.
Option Description
Yes Choose Yes when the IAM user has not been
created yet, and CloudOut is being configured for
the first time from the CloudOn template.
No Choose No when the IAM user was previously
created for CloudOut. The CloudOn template
automatically adds the permissions needed for
CloudOn. As a result, the same IAM user can be
used for both CloudOut and CloudOn.
15. In CreateVMImportRole, choose whether to create an IAM role named vmimport.
Option Description
Yes Choose Yes when this AWS account does not
have an IAM role with the name vmimport, so
the CloudOn template will create the role.
No Choose No when an IAM role with the name
vmimport was already created for this AWS
account.
AWS cannot create the stack when Yes is selected and the vmimport role already exists.
16. In IAMUserName, type the name of the IAM user account that will have the IAM policies for AWS
CloudOn assigned to it.
If an existing IAM user account is already used for AWS CloudOut or AWS CloudOn, enter the name
of that account. Otherwise, enter the name of the new IAM user account created by the CloudOn
CloudFormation template.

17. Under Optional, in SecurityGroupName, type a name for the AWS CloudOn security group.
The name must be unique for the region. AWS cannot create the stack when the specified name
matches the name of a security group that already exists in the region.
18. Optional: Edit the default descriptions.
19. Click Next.
The Configure stack options pane appears.
20. Optional: Create tags in the form of key-value pairs to identify resources in the stack.
Resource tags help to categorize and manage AWS resources, such as security groups and IAM roles.
21. Click Next.
The Review pane appears.
22. Review all the assignments.
Click Edit to make changes if necessary.
23. Under Capabilities, read the statement and click I acknowledge that AWS CloudFormation
might create IAM resources with custom names.
24. Click Create stack.

Result
AWS starts the stack creation process. The CloudFormation Stack details page appears, with a status
message about the progress. To see the current status of the stack, click the refresh icon next to Stacks.
To see an activity log for each event in the stack creation process, click the refresh icon next to Events.

Next task
Once the stack is created, click the Outputs tab to obtain the following information:
• AWSBucketName
• IAMUserAccessKey
• IAMUserSecretKey
• KMSKeyId
• Region
• SecurityGroupId
• SubnetId
• VPCId
Provide this information in the Rubrik CDM web UI when configuring the cloud compute settings for an
archival location.
Related tasks
Adding an Amazon S3 archival location
Configure a Rubrik cluster to use an Amazon S3 archival location.
Managing consolidation for Amazon S3
Enable or disable snapshot consolidation for an Amazon S3 archival location.
Related reference
CloudFormation template output

After creating a stack by using the CloudOn CloudFormation template, helpful information appears in the
AWS console.

CloudFormation template output


After creating a stack by using the CloudOn CloudFormation template, helpful information appears in the
AWS console.
The CloudOn CloudFormation template automatically collects and summarizes the following information on
the Outputs tab of the AWS management console once the stack is created. Use this information in the
Rubrik CDM web UI when adding an AWS account or an Amazon S3 archival location.

Key Description
AWSBucketName S3 bucket name.
IAMUserAccessKey Access key for the new IAM user. This only appears
when a new user account is requested.
IAMUserSecretKey Secret key for the new IAM user. This only appears
when a new user account is requested.
KMSKeyId KMS encryption key ID.
Region AWS region of the stack.
SecurityGroupId ID of the security group.
SubnetId ID of the subnet.
VPCId ID for the VPC used for the archival location. This is
where the Rubrik Bolt instance is created.

Workflow for manual configuration of AWS CloudOn


As an alternative to using the recommended CloudFormation template method to set up AWS CloudOn, the
manual configuration workflow can be used.
Rubrik recommends the CloudFormation template method for setting up AWS CloudOn; however, a manual
configuration method can be used instead. The manual configuration method uses the following workflow:
1. Create an S3 bucket as an archival location.
2. Create a user account that has access to the S3 bucket.
3. Create a security policy.
4. Create and configure a VM Import service role.
5. Obtain access to the Rubrik AMI.
6. Create a security group.
7. Assign the security group to the archival location object on the Rubrik cluster.
Related concepts
VM Import service role
To permit an AWS account to use the VM Import/Export service to create AMIs from the VMDK files, AWS
requires that the account have an IAM policy that is attached to the VM Import service role.
Related tasks
Creating an Amazon S3 bucket
Create an Amazon S3 bucket to use as the target for archiving and for cloud instantiation.
Creating a user account with access to the bucket

Create an IAM user account with policy-based access to the bucket.
Creating a security policy for AWS CloudOn
Create a security policy for the selected AWS bucket. Include the permissions that are required for cloud
instantiation.
Creating a security group for AWS CloudOn
The security group enables secure access to the transient instance within the VPC.

Permissions
AWS CloudOn requires a bucket level and site level security policy, and a user account with access to the
specified bucket.
The process of preparing the required AWS objects is similar to the process described in Prepare to use
Amazon S3 as an archival location. The difference is an additional set of permissions granted by the
security policy used for cloud instantiation.
Alternatively, a bucket that is already in use as an archival location can be used for instantiation. To use an
existing bucket, modify the security policy that is applied to the existing bucket and provide the additional
permissions.
Related tasks
Creating a security policy for AWS CloudOn
Create a security policy for the selected AWS bucket. Include the permissions that are required for cloud
instantiation.

Creating an Amazon S3 bucket


Create an Amazon S3 bucket to use as the target for archiving and for cloud instantiation.

Procedure
1. Log in to an AWS account.
2. In the AWS Services list, in the Storage section, select S3.
The Amazon S3 page appears.
3. Click + Create bucket.
The Create bucket modal appears.
4. In Bucket name, type a name for the new bucket.
To see the bucket naming requirements, click the information icon next to the Bucket name.
5. In Region, select the region for the bucket.
6. Click Create.
AWS creates the new bucket, and the bucket appears in the list.
7. Select the new bucket.
A dialog box with the properties, permissions, and management values for the bucket appears.
8. Click Copy Bucket ARN.
9. Paste the Bucket ARN into a plain text scratch file.
Keep this scratch file for use in later tasks.
10. Close the dialog box.

Result
Amazon creates the S3 bucket.

AWS CloudOn security policy
Use a JSON formatted security policy file when creating a security policy for AWS CloudOn. For both KMS
and RSA encryption, add EBS encryption information when using EBS encryption. Then use the JSON file
that is appropriate for the encryption type, either KMS or RSA.

Formatting

Pay close attention to the JSON formatting, including opening and closing braces and brackets.

EBS encryption

When using EBS encryption in the AWS region, add the following actions to the IAM policy utilized by
the CloudOn IAM user. Specify the Amazon Resource Name of the default EBS key for the region in the
resource block of this statement, or use the wild card character (*) to allow this action on all KMS keys.

"Action":[
  "kms:Encrypt",
  "kms:Decrypt",
  "kms:ReEncrypt*",
  "kms:GenerateDataKey*",
  "kms:DescribeKey"
]

KMS encryption

When using a KMS key, copy the following permission set into the IAM Policy for AWS CloudOn.

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"VisualEditor0",
      "Effect":"Allow",
      "Action":[
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:GenerateDataKey",
        "kms:DescribeKey",
        "ec2:DescribeInstances",
        "ec2:CreateKeyPair",
        "ec2:CreateImage",
        "ec2:CopyImage",
        "ec2:DescribeSnapshots",
        "ec2:DeleteVolume",
        "ec2:StartInstances",
        "ec2:DescribeVolumes",
        "ec2:DescribeExportTasks",
        "ec2:DescribeAccountAttributes",
        "ec2:ImportImage",
        "ec2:DescribeKeyPairs",
        "ec2:DetachVolume",
        "ec2:CancelExportTask",
        "ec2:CreateTags",
        "ec2:RunInstances",
        "ec2:StopInstances",
        "ec2:CreateVolume",
        "ec2:DescribeImportSnapshotTasks",
        "ec2:DescribeSubnets",
        "ec2:AttachVolume",
        "ec2:DeregisterImage",
        "ec2:ImportVolume",
        "ec2:DeleteSnapshot",
        "ec2:DeleteTags",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeAvailabilityZones",
        "ec2:CreateSnapshot",
        "ec2:ModifyInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:CreateInstanceExportTask",
        "ec2:TerminateInstances",
        "ec2:ImportInstance",
        "s3:CreateBucket",
        "s3:ListAllMyBuckets",
        "ec2:DescribeTags",
        "ec2:CancelConversionTask",
        "ec2:ImportSnapshot",
        "ec2:DescribeImportImageTasks",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeImages",
        "ec2:DescribeVpcs",
        "ec2:CancelImportTask",
        "ec2:DescribeConversionTasks",
        "ec2:GetConsoleScreenshot",
        "ec2:GetConsoleOutput"
      ],
      "Resource":"*"
    },
    {
      "Sid":"VisualEditor1",
      "Effect":"Allow",
      "Action":[
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:DeleteObject",
        "s3:GetBucketLocation",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts",
        "s3:RestoreObject"
      ],
      "Resource":[
        "arn:aws:s3:::*"
      ]
    }
  ]
}

RSA encryption

When using an RSA key, copy the following permission set into the IAM Policy for AWS CloudOn.

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"VisualEditor0",
      "Effect":"Allow",
      "Action":[
        "ec2:DescribeInstances",
        "ec2:CreateKeyPair",
        "ec2:CreateImage",
        "ec2:CopyImage",
        "ec2:DescribeSnapshots",
        "ec2:DeleteVolume",
        "ec2:StartInstances",
        "ec2:DescribeVolumes",
        "ec2:DescribeExportTasks",
        "ec2:DescribeAccountAttributes",
        "ec2:ImportImage",
        "ec2:DescribeKeyPairs",
        "ec2:DetachVolume",
        "ec2:CancelExportTask",
        "ec2:CreateTags",
        "ec2:RunInstances",
        "ec2:StopInstances",
        "ec2:CreateVolume",
        "ec2:DescribeImportSnapshotTasks",
        "ec2:DescribeSubnets",
        "ec2:AttachVolume",
        "ec2:DeregisterImage",
        "ec2:ImportVolume",
        "ec2:DeleteSnapshot",
        "ec2:DeleteTags",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeAvailabilityZones",
        "ec2:CreateSnapshot",
        "ec2:ModifyInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:CreateInstanceExportTask",
        "ec2:TerminateInstances",
        "ec2:ImportInstance",
        "s3:CreateBucket",
        "s3:ListAllMyBuckets",
        "ec2:DescribeTags",
        "ec2:CancelConversionTask",
        "ec2:ImportSnapshot",
        "ec2:DescribeImportImageTasks",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeImages",
        "ec2:DescribeVpcs",
        "ec2:CancelImportTask",
        "ec2:DescribeConversionTasks",
        "ec2:GetConsoleScreenshot",
        "ec2:GetConsoleOutput"
      ],
      "Resource":"*"
    },
    {
      "Sid":"VisualEditor1",
      "Effect":"Allow",
      "Action":[
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:DeleteObject",
        "s3:GetBucketLocation",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts",
        "s3:RestoreObject"
      ],
      "Resource":[
        "arn:aws:s3:::*"
      ]
    }
  ]
}

Creating a user account with access to the bucket


Create an IAM user account with policy-based access to the bucket.

Procedure
1. Log in to an AWS account.
2. In the AWS Services list, in the Security, Identity & Compliance section, select IAM.
The Identity and Access Management page appears.
3. On the left-side menu, click Users.
The list of users appears.
4. Click Add user.
The Add user page appears.
5. In the Set user details section, in User name, type a name for the user account.
The user account will be used by the Rubrik cluster to access the bucket.
6. In the Select AWS access type section, in Access type, select Programmatic access.
7. Click Next: Permissions.
The Set Permissions page appears with various methods for setting the permissions of the user
account.
8. Click Attach existing policies directly.
A list of the available policies appears.
9. Select the security policy that was created for the bucket, and click Next: Review.
The Review page appears.
10. Click Create user.
AWS creates the user, and a success message appears.
11. Click Download CSV.
The web browser opens a Save As dialog box.
12. Save the file credentials.csv.

Result
The file contains the Access key ID and Secret access key for the user account and should be securely
stored. Use these values when configuring the Rubrik cluster to use this AWS bucket as an archival
location. The file can be renamed.
Related tasks
Creating a security policy for the bucket
Create a security policy for the bucket.

Creating a security policy for AWS CloudOn


Create a security policy for the selected AWS bucket. Include the permissions that are required for cloud
instantiation.

Prerequisites
• Decide on the correct JSON content for the bucket security policy. AWS CloudOn security policy
describes the JSON content choices and provides content that can be copied for this task.
• Select a bucket that does not have versioning enabled. Rubrik CDM does not support immutable object
storage.

Procedure
1. Log in to the AWS account.
2. In the AWS Services list, in the Security, Identity & Compliance section, select IAM.
The Identity and Access Management page appears.
3. On the left-side menu, select Policies.
4. Click Create policy.
The Create Policy workspace opens with the Visual Editor tab active.
5. Click the JSON tab.
The JSON text editor appears.
6. Copy and paste the appropriate JSON text into the JSON editor.
7. In the JSON editor, replace mys3bucket with the name of the selected bucket.
Make the replacement for both of the ARN references in that resource.
8. Click Review Policy.
9. In Name, type a name for the policy.
10. Optional: In Description, type a description for the policy.
11. Click Create policy.

Result
Amazon AWS creates the security policy and returns to the policy list page.
Related reference
AWS CloudOn security policy
Use a JSON formatted security policy file when creating a security policy for AWS CloudOn. For both KMS
and RSA encryption, add EBS encryption information when using EBS encryption. Then use the JSON file
that is appropriate for the encryption type, either KMS or RSA.

VM Import service role


To permit an AWS account to use the VM Import/Export service to create AMIs from the VMDK files, AWS
requires that the account have an IAM policy that is attached to the VM Import service role.
Amazon AWS online documentation provides instructions about how to create the VM Import service role
and attach an IAM policy.
When following the instructions, replace the value of the variable disk-image-file-bucket with the name of
the bucket being used for cloud instantiation.

Security group
Create an AWS security group and assign the ID of the security group to the archival location that will be
used for the instantiation in the cloud.
The Rubrik cluster assigns the security group ID to the transient Rubrik working instance each time it is
instantiated.
To provide the ID of the AWS security group to a Rubrik cluster:
1. Create the security group by using the AWS console.
2. Assign the security group ID to the archival location on the Rubrik cluster.
Alternatively, contact Rubrik Support and provide the security group ID. Rubrik Support then attaches the
security group ID to the selected Rubrik cluster archival location.

Security group requirements
Create a security group that provides specific and limited inbound access.
When creating the security group, specify the most restricted inbound source range possible. The source
range must include the IP addresses of the nodes in the source Rubrik cluster.
For the best security, inbound access should only come from a limited range of hosts with VPN access to
the virtual private cloud of the archival location. Outbound access should not be blocked.
Review the required ports for AWS CloudOn.
Related concepts
Ports
Rubrik CDM has specific port requirements.
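
The security group requirements above can be checked against a rule list before the group ID is assigned to the archival location. The following Python check is an added example, not part of the Rubrik guide or product: the function names are hypothetical, and the node addresses, rules and port numbers are constructed placeholders (take the real ports from the Ports section).

```python
import ipaddress

# Constructed sample data: documentation-range addresses and placeholder ports.
# Take the real port list from the guide's Ports section.
NODE_IPS = ["192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"]
REQUIRED_PORTS = [10001, 10002, 10003]
RULES = [
    {"port": 10001, "source": "192.0.2.8/29"},          # exactly the cluster block
    {"port": 10001, "source": "0.0.0.0/0"},             # any host on the internet
    {"port": 10001, "source": "192.0.2.0/24"},          # contains the cluster, but wider
    {"port": 10002, "source": "192.0.2.11/32"},         # only one of the four nodes
    {"port": 10003, "source": "sg-0123456789abcdef0"},  # security group reference
]


def smallest_supernet(node_ips):
    """Return the smallest single CIDR block that contains every node address."""
    nets = [ipaddress.ip_network(ip) for ip in node_ips]
    if len({n.version for n in nets}) != 1:
        raise ValueError("expected node addresses of a single IP version")
    block = nets[0]
    while not all(n.subnet_of(block) for n in nets):
        block = block.supernet()
    return block


def audit_ingress(rules, node_ips, required_ports):
    """Return (finding, port, subject) tuples for a list of inbound rules."""
    nodes = [ipaddress.ip_address(ip) for ip in node_ips]
    tightest = smallest_supernet(node_ips)
    covered = {port: set() for port in required_ports}
    sg_ports = set()
    findings = []
    for rule in rules:
        port, source = rule["port"], rule["source"]
        if source.startswith("sg-"):
            # Members of a referenced group cannot be resolved from CIDRs alone.
            findings.append(("review-sg-source", port, source))
            sg_ports.add(port)
            continue
        net = ipaddress.ip_network(source, strict=False)
        if net.prefixlen == 0:
            findings.append(("open-to-world", port, source))
        elif (net.version == tightest.version and net != tightest
              and tightest.subnet_of(net)):
            findings.append(("wider-than-cluster", port, source))
        if port in covered:
            covered[port].update(n for n in nodes if n in net)
    # Every cluster node must be inside some source range on every required port.
    for port in required_ports:
        if port in sg_ports:
            continue  # coverage depends on the referenced group; flagged above
        for node in nodes:
            if node not in covered[port]:
                findings.append(("node-not-covered", port, str(node)))
    return findings


if __name__ == "__main__":
    print("tightest block for the cluster:", smallest_supernet(NODE_IPS))
    for finding in audit_ingress(RULES, NODE_IPS, REQUIRED_PORTS):
        print(finding)
```

The wider-than-cluster and review-sg-source findings are review items rather than errors, because the guide also allows a limited range of VPN hosts as inbound sources.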

Creating a security group for AWS CloudOn


The security group enables secure access to the transient instance within the VPC.

Context
Use the AWS console to create a security group with the required limited inbound access.

Procedure
1. Log in to the AWS console.
2. On the AWS services page, click EC2.
The EC2 dashboard appears.
3. On the left-side menu, under Network & Security, click Security Groups.
The Security Groups page appears.
4. Click Create Security Group.
The Create Security Group modal appears.
5. In Security group name, type a name for the group.
6. Optional: In Description, type a description.
7. In VPC, select the virtual private cloud for the archival location.
8. With the Inbound tab selected, click Add Rule.
The rule fields appear.
9. In Type, select Custom TCP Rule.
10. In Port Range, type a port number.
Review the required ports for AWS CloudOn.
11. In Source, select Custom.
12. In the Source text field, type a CIDR, IP, or security group ID that includes the Rubrik cluster.
AWS creates the security group, and displays the security group page.
13. Click Create.
14. Find the new security group and copy the group ID.
15. Paste the group ID into a plain text scratch file.
Keep this scratch file for use in later tasks.

Result
The security group for AWS CloudOn is created.
Related concepts
Ports
Rubrik CDM has specific port requirements.

Configuring S3 Endpoints
Configure specific endpoints in the VPC to address situations when a public internet connection is not
available. This ensures that the subnet that the Bolt is configured to launch in can still be used when no
public internet connection is available.
When the Rubrik cluster reads data from the S3 archive, the Rubrik cluster launches transient instances within
a VPC over public internet. Launch AWS resources into a specified subnet. When a public subnet for
resources is used but the subnet is not connected to the internet, use an S3 VPC endpoint to gain secure
access to S3 without public internet access. Amazon AWS online documentation provides information on
how to configure an S3 VPC endpoint.
If public internet is not available on the VPC, the Rubrik cluster cannot perform AWS CloudOn for
snapshots on a KMS-encrypted S3 archive. Configure an AWS KMS endpoint to connect directly to AWS
KMS through a private endpoint in the VPC instead of connecting over the internet. Amazon AWS online
documentation provides information on how to configure an AWS KMS endpoint.
The following permissions are used to configure VPC endpoints.

{
  "Version":"2008-10-17",
  "Statement":[
    {
      "Sid":"Access-to-specific-bucket-only",
      "Effect":"Allow",
      "Principal":"*",
      "Action":[
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket",
        "s3:DeleteObject"
      ],
      "Resource":[
        "arn:aws:s3:::<bucket-name>",
        "arn:aws:s3:::<bucket-name>/*"
      ]
    }
  ]
}
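
Both the endpoint policy above and step 7 of Creating a security policy for AWS CloudOn depend on a hand edit of two ARN references (the bucket itself and its objects). The following Python check is an added example, not part of the Rubrik guide or tooling: the function names, the bucket name rubrik-archive-example and the half-edited sample policy are assumptions constructed for illustration.

```python
import json
import re

ARN_PREFIX = "arn:aws:s3:::"
PLACEHOLDERS = {"mys3bucket", "<bucket-name>"}  # placeholders used in the guide's JSON
ALL_BUCKETS = {"*", ARN_PREFIX + "*"}
# Basic S3 naming rule: 3-63 characters of a-z, 0-9, "." and "-",
# with a letter or digit at both ends.
BUCKET_NAME = re.compile(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]")
# Action names as they appear in the guide's policies.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:RestoreObject",
                  "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"}

# The endpoint policy from the guide, placeholders untouched.
ENDPOINT_TEMPLATE = """
{"Version": "2008-10-17",
 "Statement": [{
   "Sid": "Access-to-specific-bucket-only",
   "Effect": "Allow",
   "Principal": "*",
   "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:DeleteObject"],
   "Resource": ["arn:aws:s3:::<bucket-name>", "arn:aws:s3:::<bucket-name>/*"]}]}
"""

# Constructed sample: only the first of the two ARN references was edited by hand.
HALF_EDITED = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Sid": "HalfEdited",
   "Effect": "Allow",
   "Action": ["s3:ListBucket", "s3:GetObject"],
   "Resource": ["arn:aws:s3:::rubrik-archive-example", "arn:aws:s3:::mys3bucket/*"]}]}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _bucket_part(arn):
    """Bucket segment of an S3 ARN, or None for anything else (for example "*")."""
    if not arn.startswith(ARN_PREFIX):
        return None
    return arn[len(ARN_PREFIX):].split("/", 1)[0]


def render_policy(template_text, bucket):
    """Fill the bucket placeholder in every Resource ARN; return the policy as a dict."""
    if not BUCKET_NAME.fullmatch(bucket):
        raise ValueError(f"not a valid S3 bucket name: {bucket!r}")
    policy = json.loads(template_text)
    for stmt in _as_list(policy["Statement"]):
        if "Resource" not in stmt:
            continue
        filled = []
        for arn in _as_list(stmt["Resource"]):
            part = _bucket_part(arn)
            if part in PLACEHOLDERS:
                # Swap only the bucket segment; keep any "/*" suffix as written.
                arn = ARN_PREFIX + bucket + arn[len(ARN_PREFIX) + len(part):]
            filled.append(arn)
        stmt["Resource"] = filled
    return policy


def check_policy(policy, bucket):
    """Return (Sid, finding, ARN) tuples for S3 statements not scoped to `bucket`."""
    findings = []
    bucket_arn, object_arn = ARN_PREFIX + bucket, ARN_PREFIX + bucket + "/*"
    for stmt in _as_list(policy["Statement"]):
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        resources = _as_list(stmt.get("Resource", []))
        if not actions & (BUCKET_ACTIONS | OBJECT_ACTIONS):
            continue
        for arn in resources:
            if _bucket_part(arn) in PLACEHOLDERS:
                findings.append((sid, "placeholder-left", arn))
            elif arn in ALL_BUCKETS:
                findings.append((sid, "all-buckets", arn))
        if ALL_BUCKETS & set(resources):
            continue  # the wildcard already covers the bucket; reported above for review
        if actions & BUCKET_ACTIONS and bucket_arn not in resources:
            findings.append((sid, "bucket-arn-missing", bucket_arn))
        if actions & OBJECT_ACTIONS and object_arn not in resources:
            findings.append((sid, "object-arn-missing", object_arn))
    return findings


if __name__ == "__main__":
    rendered = render_policy(ENDPOINT_TEMPLATE, "rubrik-archive-example")
    print(json.dumps(rendered, indent=2))
    print(check_policy(HALF_EDITED, "rubrik-archive-example"))
```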

Cloud conversion settings


To speed up instantiation of virtual machine snapshots, the Rubrik cluster can be configured to convert
snapshots to AMIs before an instantiation request is made.
The Rubrik cluster provides the ability to specify conversion settings at the virtual machine level.
The settings choices only appear for vSphere virtual machines that are assigned to qualified SLA Domains.
Qualified SLA Domains are ones that are configured with an archival location that meets all of the following
requirements:
• Amazon S3 archival location.
• Bucket security policy and IAM account correctly configured, as described in Permissions.
• VM Import service role correctly set up, as described in VM Import service role.
Each vSphere virtual machine that is assigned to a qualified SLA Domain can be configured with one of the
following settings.

Setting | Description
Disabled | The default value. The Rubrik cluster converts the snapshots from the virtual machine into AMIs only when cloud instantiation is requested. This setting requires the creation of an AMI from the VMDKs of the selected snapshot after instantiation is initiated and so takes longer to complete.
Cloud conversion without keeping older AMIs | The Rubrik cluster starts converting the most recent virtual machine snapshot as soon as it has been archived. The Rubrik cluster combines the chain of incremental snapshots leading to the last full snapshot and the AMI is created from the resulting snapshot. The Rubrik cluster automatically removes the previously stored AMI from cloud storage. For all snapshots except the most recent, this setting requires the creation of an AMI from the VMDKs of the selected snapshot after instantiation is initiated, and takes longer to complete.
Cloud conversion with keeping older AMIs | The Rubrik cluster starts converting the most recent virtual machine snapshot as soon as it has been archived. The Rubrik cluster combines the chain of incremental snapshots leading to the last full snapshot and the AMI is created from the resulting snapshot. The Rubrik cluster does not automatically remove previously created AMIs from cloud storage. Removing those AMIs requires user action. This setting normally does not require the creation of an AMI from the VMDKs of the selected snapshot after instantiation is initiated. Since the AMI already exists, the instantiation task is much faster.

Incremental snapshot conversion


Rubrik needs three transient compute instances in the AWS account for Cloud Conversion jobs to run
successfully.
The compute instances are launched in the same AWS region as the Archive Location configured within
Rubrik where virtual machine data is archived. The network and firewall settings for these instances are
determined from the Cloud Compute settings configured on the Archival location in Rubrik. Incremental
snapshot conversion works through the following process.
1. Rubrik CDM prepares the snapshot chosen to be instantiated in the cloud.
2. If a snapshot to be converted is located in the on-premises Cluster, CDM will upload the deltas to the
archive location where the prior snapshots in the chain reside.
3. CDM checks whether a Bolt instance and a Converter instance that it can reuse have already been
launched. If none exists, CDM will launch new Bolt and Converter instances.
4. New disks are created, corresponding to the disks in the VMDK to be converted, and attached to
the Converter instance. The Bolt instance reads data from the Archive location and copies data from the
archived snapshot to the Converter instance.
5. The Converter instance creates snapshots of its attached disks and downloads drivers required for
Windows instances in AWS.
6. A temporary instance is launched using the newly created snapshots and if necessary, OS drivers are
installed.
7. The temporary instance will be used to validate successful conversion and to create an AMI in AWS.
For Windows virtual machines, the temporary instance will be used to inject AWS required drivers prior
to creation of the AMI.

Transient Compute | Description | AWS Instance types used
Bolt Instance | Reads archived data from Cloud Storage. | xlarge; OS disk gp2 400 GB; Data disk st1 500 GB
Converter Instance | Reads incremental data from Bolt and writes to EBS volumes. It also copies drivers for Windows or Linux virtual machines required on the user virtual machine in AWS. | Linux Converter Instance xlarge - OS disk gp2 8 GB; Windows Converter Instance - OS disk gp2 30 GB
Temporary Instance | For Windows or Linux virtual machines, drivers are installed as a temporary instance as they are required for online installation in AWS. | xlarge - OS disk gp2 30 GB

Related reference
Prerequisites for CloudOn for AWS
There are certain prerequisites for configuring CloudOn for AWS.

Configuring cloud conversion


Configure cloud conversion settings for a vSphere virtual machine.

Prerequisites
• Complete the AWS CloudOn virtual machine deployment described in Configuring AWS CloudOn using
the CloudFormation template.
• Configure an SLA Domain to use an archival location bucket that was created for cloud instantiation.
• Assign at least one vSphere virtual machine to the selected SLA Domain.

Procedure
1. Log in to the Rubrik CDM web UI as either an administrative user or an organization administrator.
Only the administrative user for the Rubrik cluster or the administrator of a tenant organization has
the privileges required to configure cloud conversion settings.
2. On the left-side menu, click Virtual Machines > vSphere.
The vSphere VMs page appears, with the VMs tab selected.
3. In Name, click the name of a virtual machine.
The local host page for the selected virtual machine appears.
Possible reasons the Overview card does not contain the Cloud Conversion field are:
• The guest OS of the virtual machine is not Windows.
• The selected virtual machine is not a vSphere virtual machine.
4. On the Overview card, in the Cloud Conversion field, click Configure.
5. Assign a configuration.
Option | Description
Disabled | In Cloud Conversion, move the slider to the off position. This is the default configuration and only needs to be set when the virtual machine previously had another setting applied.
Cloud Conversion without keeping older AMIs | In Cloud Conversion, move the slider to the on position and clear Keep older AMIs.
Cloud Conversion with keeping older AMIs | In Cloud Conversion, move the slider to the on position and select Keep older AMIs.
Rubrik cluster retains the converted AMIs for all the snapshots of this virtual machine, including
expired snapshots.
6. Click Submit.

Result
The Rubrik cluster applies the specified configuration to the selected virtual machine.

Cloud instance management


The Rubrik CDM web UI provides features to permit management of cloud instances.
Use the Rubrik CDM web UI to view all running instances on the cloud and perform a number of
administrative tasks.
Related tasks
Instantiating a virtual machine on the cloud
Select a vSphere snapshot to use for cloud instantiation. The snapshot can be selected from the Rubrik
cluster that manages the protected object, a replication target Rubrik cluster, or an archival location.
Removing entry
Use the Cloud Mounts page of the Rubrik CDM web UI to remove the virtual machine.
Launching AMIs
Launch an individual AMI from the AWS Cloud Mount page.
Removing AMIs
Virtual machine snapshots that have been converted to AMIs appear on the Cloud Mounts page of the
Rubrik CDM web UI. Remove an individual AMI from the AWS Cloud Mount page.
Removing cloud instances
Use the Cloud Mounts page of the Rubrik CDM web UI to remove instantiated virtual machines.

Instantiating a virtual machine on the cloud


Select a vSphere snapshot to use for cloud instantiation. The snapshot can be selected from the Rubrik
cluster that manages the protected object, a replication target Rubrik cluster, or an archival location.

Context
An Amazon Machine Image (AMI) for the snapshot can exist or can be created during the task.

Note: Windows virtual machines with BitLocker-enabled volumes cannot instantiate on AWS CloudOn.

Procedure
1. Log in to the Rubrik CDM web UI as either an administrative user or an organization administrator.
Only the administrative user for the Rubrik cluster or the administrator of a tenant organization has
the required privileges to instantiate a virtual machine in the cloud.
2. On the left-side menu, click Virtual Machines > vSphere VMs.
The vSphere VMs page appears, with the VMs tab selected.
3. In Name, click the name of a virtual machine.
The local host page for the selected virtual machine appears.
4. Browse to a snapshot.
5. Open the ellipsis menu for the snapshot, and select Launch on Cloud.
The Launch on Cloud modal appears.
6. In Location Name, select the name of an archival location.
The virtual machine will be instantiated in the storage for the selected location.
7. In Instance Type, select the type of AMI instance to use for the instantiated virtual machine.
The Rubrik cluster examines the source virtual machine and provides a recommended AMI instance
type.
The Rubrik cluster makes an AMI instance type recommendation based on a 64-bit operating system.
The recommendation, from the m4 series, will be unsuitable for a 32-bit operating system. When the
instantiated virtual machine has a 32-bit operating system, choose Custom Instance Type and specify
a 32-bit AMI instance type.
8. Optional: In Instance Type, select Custom Instance Type.
The Custom Instance Type field appears.
9. Optional: In Custom Instance Type, type the name of an AMI instance type.
The name must be typed in the exact form that Amazon uses. Be sure that the selected instance type
is appropriate for the operating system of the instantiated virtual machine.
10. In Subnet (VPC), select a virtual private cloud.
The field lists the virtual private cloud subnets that are available at the selected archival location. To
see a list in this field, first select an archival location.
11. In Security Group, select an available security group.
The field lists the security groups that are available for the selected virtual private cloud. To see a list
in this field, first select a virtual private cloud subnet.
12. Click Submit.

Result
The Rubrik cluster begins the instantiation task. When the task completes, the instantiated virtual machine
appears on the Cloud Mounts page of the Rubrik CDM web UI.

Note: A Windows virtual machine in AWS may fail to launch due to “Windows activation failures”, which
are caused by licensing issues. A Windows License obtained from the data center is not transferable to
a Windows instance launched in the cloud. Windows instances launched in the cloud obtain their licenses from
AWS KMS Servers. Amazon AWS online documentation provides information for troubleshooting this issue.

Powering off a cloud instance


Use the Cloud Mounts page of the Rubrik CDM web UI to power off instantiated virtual machines.

Procedure
1. Log in to the Rubrik CDM web UI as either an administrative user or an organization administrator.
Only the administrative user for the Rubrik cluster or the administrator of a tenant organization has
the privileges required to power off a cloud instance.
2. On the left-side menu, click Virtual Machines > vSphere VMs.
The cloud mounts page appears, with the Instances tab selected.
3. Open the ellipsis menu next to the selected instance.
4. Click Power Off.

Result
The Rubrik cluster powers off the selected instance. The instance remains as a powered down instance on
the AWS account.

Removing entry
Use the Cloud Mounts page of the Rubrik CDM web UI to remove the virtual machine.

Context
Rubrik cluster stops managing the virtual machine once it has been removed. Manage this virtual machine
from the AWS console.

Procedure
1. Log in to the Rubrik CDM web UI as either an administrative user or an organization administrator.
Only the administrative user for the Rubrik cluster or the administrator of a tenant organization has
the privileges required to remove a virtual machine entry.
2. On the left-side menu, click Virtual Machines > vSphere VMs.
The cloud mounts page appears, with the Instances tab selected.
3. Open the ellipsis menu next to the selected instance.
4. Click Remove entry.

Result
The Rubrik cluster removes the selected virtual machine instance.

Launching AMIs
Launch an individual AMI from the AWS Cloud Mount page.

Procedure
1. Log in to the Rubrik CDM web UI as either an administrative user or an organization administrator.
Only the administrative user for the Rubrik cluster or the administrator of a tenant organization has
the privileges required to launch an Amazon Machine Image (AMI).
2. On the left-side menu, click Virtual Machines > vSphere VMs.
The cloud mounts page appears, with the Instances tab selected.
3. Click the AMIs tab.
The list of available AMIs appears.
4. Open the ellipsis menu next to a selected AMI.
5. Click Launch AMI.

Result
The Rubrik cluster launches the selected AMI.

Removing cloud instances


Use the Cloud Mounts page of the Rubrik CDM web UI to remove instantiated virtual machines.

Procedure
1. Log in to the Rubrik CDM web UI as either an administrative user or an organization administrator.
Only the administrative user for the Rubrik cluster or the administrator of a tenant organization has
the privileges required to remove an instantiated virtual machine.
2. On the left-side menu, click Virtual Machines > vSphere VMs.
The cloud mounts page appears, with the Instances tab selected.
3. Open the ellipsis menu next to the selected instance.
4. Click Power Off.
The Rubrik cluster powers off the selected instance.
5. Open the ellipsis menu next to the selected instance again.
6. Click Terminate.

Result
The Rubrik cluster removes the selected virtual machine instance.

Removing AMIs
Virtual machine snapshots that have been converted to AMIs appear on the Cloud Mounts page of the
Rubrik CDM web UI. Remove an individual AMI from the AWS Cloud Mount page.

Procedure
1. Log in to the Rubrik CDM web UI as either an administrative user or an organization administrator.
Only the administrative user for the Rubrik cluster or the administrator of a tenant organization has
the privileges required to remove an Amazon Machine Image (AMI).
2. On the left-side menu, click Virtual Machines > vSphere VMs.
The cloud mounts page appears, with the Instances tab selected.
3. Click the AMIs tab.
The list of available AMIs appears.
4. Open the ellipsis menu next to a selected AMI.
5. Click Delete AMI.

Result
The Rubrik cluster removes the selected AMI.

Chapter 19
CloudOn for Azure

CloudOn for Azure

Rubrik CloudOn for Azure converts a local or archived snapshot of a vSphere virtual machine into a Virtual
Hard Disk (VHD) or a managed disk snapshot. The VHD or managed disk snapshot can then be used to
launch an Azure virtual machine.
Rubrik supports instantiating on-premises vSphere virtual machines to Azure.
Rubrik CloudOn for Azure supports the following scenarios:
• Instantiating vSphere virtual machines for testing and development – Launch on-premises virtual
machines to enable sandbox testing and development needs in Azure.
• Migrating on-premises virtual machines to Azure – Lift-and-shift migration of virtual machines to Azure.
• Disaster recovery (DR) to Azure – Failover to Azure using archived data when the on-premises data
center fails.

CloudOn for Azure compute instances


Rubrik CloudOn for Azure uses two transient compute instances, Bolt and Converter. A Bolt instance
handles compute-intensive tasks. A Converter instance handles writing data to attached disks and copying
OS drivers for Windows virtual machines.

Transient compute instance | Description | Instance requirements
Bolt | Bolt reads archived data from managed disks based on information shared by the Rubrik cluster for a specific CloudConversion job. For local snapshots, the Rubrik cluster constructs incremental data between the archived snapshot and the local snapshot. The Rubrik cluster then uploads the delta between the archived snapshot and the local snapshot to the archival location. | Instance type: Standard DS3 v2; OS disk: 400 GB (Premium_LRS); Data disk: 256 GB (Premium_LRS)
Converter | Converter reads incremental data from Bolt, writes to EBS volumes, and copies drivers for Windows virtual machines. | Windows converter: Instance type: Standard DS3 v2; OS disk: 127 GB (Premium_LRS). Linux converter: Instance type: Standard DS3 v2; OS disk: 30 GB (Premium_LRS)

Prerequisites
For successful deployment of Azure CloudOn, ensure that the following prerequisites are met. These
prerequisites are applicable to on-premises VMware virtual machines, Rubrik cluster, and Azure Archive.

Azure Virtual Network connection


Rubrik launches transient instances within the account to perform conversion in the specified Virtual
Network (VNet).
The connection between the VNet and the on-premises network requires connectivity from a Rubrik cluster.
• Connectivity from a Rubrik cluster
As a security best practice, the Rubrik cluster connects to the instances in the VNet over a private IP.
Private connectivity between the Rubrik cluster and the Azure VNet requires a VPN connection or an
ExpressRoute circuit. Microsoft Azure online documentation provides information on connecting to a
VPN and on configuring ExpressRoute.
If the on-premises network is connected to an Azure VNet through VPN or an ExpressRoute, the
following table lists the specific ports and URLs that must be opened for all CloudOn operations to work
successfully.

Component | Settings
Bolt Network Security Group (NSG) | Bolt Network Security Group (NSG) must be configured to allow Storage Service Tags outbound on port 443.
Azure ExpressRoute connection | Configure the Azure ExpressRoute with Microsoft Peering. Microsoft Azure online documentation provides information on configuring Microsoft peering.
VPN or ExpressRoute | The firewall routing must send Rubrik Archival (CloudOut) traffic over VPN or ExpressRoute. Microsoft Azure online documentation provides information on the right solution for connecting an on-premises network to Azure.
• Connectivity to Blob Store
When the Rubrik cluster reads data from the Azure archive, the Rubrik cluster launches transient instances
within a VNet over public internet in the same region.
Since Azure storage is available through public endpoints over public internet, if public internet is not
available on the VNet, it is recommended to use an Azure VNet endpoint to securely access the Azure
storage. Information on how to configure VNet endpoints can be found in the Microsoft Azure
documentation.

Resource ID and subnet for VNet
The Resource ID of the VNet and of the subnet within the VNet is required if a VNet is granted access from
the Rubrik cluster and to the Blob store.
Perform this step with network administrator privileges.
The Microsoft Azure online documentation provides information for creating a virtual network.

Azure Active Directory application with contributor privileges


To support instantiation in Azure cloud, register the Rubrik cluster with Azure Active Directory.
To enable instantiation, register the Rubrik cluster in Azure Active Directory (AD) as described in Setting up
permissions on Azure. This configuration provides contributor permissions to the Rubrik application.
Alternatively, instead of granting contributor permissions to the Rubrik application, create a custom role.
Follow the same steps to associate the custom role with the Rubrik application within your subscription,
as described in Setting up permissions on Azure. The Microsoft Azure online documentation provides
information on creating a custom role.
Information on the set of limited permissions for a custom role can be found at Configuring the subnet.

Network security group


To securely access the transient instance in which data is read from the archive, associate the instance
with a Network Security Group (NSG) that has the appropriate rules.
Perform this step with network administrator privileges.
Configure the NSG for the virtual machines within the same VNet to allow communications between the
virtual machine and the VNet.
The Microsoft Azure online documentation provides information on creating and configuring an NSG.

Resource group
Create a resource group that can be used to launch the transient compute instance and the user instance.
In the Rubrik CDM web UI, specify the resource groups from the "Launch on cloud" option in the Virtual
Machines > vSphere VMs menu.
When upgrading from a previous Rubrik CDM version that does not have a resource group specified in the
archival location, Rubrik cluster creates a default resource group which is used to launch the transient
compute instance, as described in Creating a resource group. Alternatively, edit the archival location and
specify a different resource group to be used for such instances.

General purpose account storage


Rubrik clusters convert virtual machine snapshots into an Azure native format (Page Blobs). The Page
Blobs can only be stored on a General purpose V2 storage account.
Rubrik recommends using a General purpose V2 storage account and a standard LRS storage account
for archiving and creating a new storage account for CloudOn. This restricts other applications from
performing any activity on the account. Rubrik does not support Premium Storage account with Azure
CloudOn.
Store customer templates to launch virtual machines from these templates. In a disaster recovery when
the Rubrik on-premises cluster is unavailable, users can launch virtual machines directly from the Azure
portal using these templates.

Store the Bolt and Converter VHD transient compute instances. These transient compute instances are
used for archival consolidation.

Note: Ensure backward compatibility with Rubrik CDM versions earlier than 5.0.

Configurations on source virtual machine


Review the following configurations for the source virtual machines.

Configuration | Description
Azure CloudOn on Windows virtual machines | Refer to the Rubrik CDM Compatibility Matrix for the operating systems supported by Rubrik for Azure CloudOn on Windows virtual machines.
Virtual Machine Disk (VMDK) | The maximum size of a Virtual Machine Disk (VMDK) that can be successfully converted by CloudOn is up to 1 TB. VMware virtual machines with up to 10 disks are supported by Azure CloudOn.
Windows | Enable Remote Desktop Protocol (RDP); Ensure the RDP port is enabled on the firewall; For instantiating on Azure, ensure that there is 200 MB free space on the root disk; For Windows 2016, make sure the Windows 10 update is installed.

Required settings
Azure CloudOn has supported and unsupported virtual machine configurations.

Setting | Description
Supported disk partitioning scheme | Master Boot Record (MBR) and GUID partition table on Windows.
Supported file systems | Windows - NTFS
Supported OS disk formats | Standard; LDM
Supported boot volume | Boot volume using MBR partitioning cannot exceed 1 TB
Supported non-boot volume | Non-boot volumes using GPT cannot exceed 1 TB
Supported single disk size | Cannot exceed 1 TB for instantiations
Supported number of disks on virtual machines | Virtual machines with up to 10 disks can be instantiated
Supported Windows language packs | English
Unsupported virtual machine configurations | Virtual machines with 32-bit configuration; Desktop OS; UEFI/EFI boot partitions; Multiple network interfaces; Virtual machines with encrypted root disk

Azure CloudOn configuration and setup
Successful implementation of Azure CloudOn requires the completion of the configuration and setup tasks
in a specified order.
1. Downloading the Rubrik Cloud Compute for Azure zip file
2. Setting up and configuring the PowerShell in Cloud Shell
3. Configuring Azure Objects
4. Configuring the subnet
5. Setting up permissions on Azure

Downloading the Rubrik Cloud Compute for Azure zip file


Download and expand the Rubrik Cloud Compute for Azure zip file.

Procedure
1. Access the Rubrik Support Portal at https://support.rubrik.com/.
2. Select Docs & Downloads.
3. Select Rubrik CDM version.
4. Select version (Cloud Compute).
5. Click Download.
The Accept EULA page appears.
6. Review the EULA.
7. Select Accept and Download.
8. Click Accept and Download.
The file download page appears.
9. Click the zip file.
A browser-specific download of the zip file begins. The browser downloads the zip file to the default
download folder or to the location you select.
10. Extract the contents of the zip file.

Result
The package includes the rkazurecli_cloud_compute.ps1 script and the rkazurecli_util.ps1
script.

Setting up and configuring the PowerShell in Cloud Shell


Use the PowerShell in the Azure Cloud Shell to manage Azure resources.

Context
The PowerShell is supported on Windows platform.
As part of this task, copy values into a temporary file for later use.

Procedure
1. Log in to the Azure Portal.
2. On the top menu of the Azure Portal, click the Cloud Shell Icon.
When Cloud Shell has been previously set up, the Cloud Shell session opens at the bottom of the
page. For the first use, the Persist account files dialog box appears.
3. (First use of Cloud Shell only) In the Persist account files dialog box, select an Azure subscription for
the Cloud Shell, and click Create storage.
Microsoft Azure online documentation provides information about Cloud Shell.
The Cloud Shell session opens at the bottom of the page.
4. If the shell is not set with PowerShell as the command processor, at the top of the Cloud Shell
window, click the shell control, and select PowerShell.
The PowerShell prompt appears in the Cloud Shell window.

Result
The PowerShell is configured in the Cloud Shell.

Configuring Azure Objects


The first time the Cloud Shell is launched, the Cloud Shell prompts for the one-time creation of a resource
group, storage account, and Azure Files share.

Procedure
1. Type the following command to navigate to the cloud drive to check if all files were uploaded:
cd $home\clouddrive
The working directory changes to the cloud drive directory.
2. At the prompt, type:
.\rkazurecli_cloud_compute.ps1
The Azure CloudOn CLI starts and a numbered setup menu appears.
3. At the prompt, type 1.
4. Decide on a region for the resource group and at the prompt, type the number of that region.
Use this region throughout this task.
5. At the prompt, type the number of that storage account.
Alternatively, type 0 and a storage account name to create a new storage account.
6. At the prompt, type the number of that resource group.
Alternatively, type 0 and a resource group name to create a new resource group for the storage
account.
7. At the prompt, type the name of a container group from the list of available container groups.
The container group is where converted VHDs of VMware virtual machines converted by CloudOn are
stored.
8. Type the virtual network ID number for a virtual network. The Virtual Network Resource ID is not
displayed in the Azure portal. You can obtain the Resource ID of any resource in Azure by executing
the following command in PowerShell or in Cloud Shell:

Get-AzureRmResource -Name "Name of the resource"

9. Type the subnet ID number from the list of available subnets.
The list of subnets is based on the virtual network selected.
10. Type the network security group number from the list of available network security groups.
Alternatively, type 0 and a network security group name to create a new network security group.
11. Type the resource group number for the network security group from the list of available resource
groups.
12. Type the Application ID number and the secret key.
Alternatively, type 0 and a name for the application to create a new application.

Result
The rkazurecli_cloud_compute.ps1 script checks and creates the CloudOn configuration
prerequisites. The script generates a JSON text file to capture the configuration prerequisites. The text of
this JSON is used in later configuration to complete Azure CloudOn configuration steps in the Rubrik CDM
web UI.
When the script completes the configuration, it closes.

Configuring the subnet


Azure CloudOn launches a temporary single-node Rubrik instance called Bolt on a specified subnet.
The Rubrik cluster must have private connectivity to instances within this subnet. This subnet must be
configured to have VPN access from the Rubrik cluster.

Context
For information on all necessary ports for CloudOn see Ports.
All other inbound ports must be closed and outbound access must be enabled.
Microsoft Azure online documentation provides information on creating a virtual network and subnet by
using the Azure Portal.
As part of this task, values will be saved in a temporary file for later use.

Procedure
1. Log in to the Azure Portal.
2. On the Azure Portal menu, select Virtual networks.
The Virtual networks page appears with a list of all available subnets.
3. In the resource groups filter, clear all resource groups except the resource group created for Azure
CloudOn.
Clear Select All to clear all selections, then select only the resource group that was copied to the
temporary file in Configuring Azure Objects.
4. Copy the name into your temporary file as the subnet ID.
5. Click the name of the subnet.
The blade for that subnet opens.
6. In the subnet blade menu, select Properties.
7. In Resource ID, click the copy button to copy the resource ID value.
8. Paste the resource ID value into your temporary file.
9. Configure the new subnet to have VPN access to the Rubrik cluster.
Microsoft Azure online documentation provides information about setting up VPN access.

Result
The subnet is configured.

Setting up permissions on Azure


The Azure Active Directory (Azure AD) authenticates to the Rubrik cluster by registering the Rubrik cluster
in Azure AD.

Context
The rkazurecli_cloud_compute.ps1 script creates a JSON file that contains the Application ID,
Subscription ID, Region, General Purpose Storage name, General Purpose Storage Container Name, Virtual
Network ID, Subnet ID and Security Group name.
As part of this task, values will be saved in a temporary file for later use.

Procedure
1. Log in to the Azure Portal.
2. On the Azure Portal menu, click Azure Active Directory.
The Azure Active Directory page for your account appears.
3. Click App Registrations.
The App Registrations blade appears.
4. On the App Registrations blade, click +New application registration.
The Create blade appears.
5. In Name, type a name for the Rubrik cluster application.
6. In Application type, select Web app / API.
7. In Sign-on URL, type a valid URL.
Type any valid URL value. The Sign-on URL value is not used by the Rubrik cluster.
8. Click Create.
The Registered app blade for the Rubrik cluster application appears.
9. On the Registered app blade, find the Application ID value.
10. Copy the application ID value into your temporary file.
11. Click Settings.
The Settings panel appears.
12. Click Keys.
The Keys blade appears.
13. In Key Description, type a description for this key.
The key is assigned to the Rubrik cluster application. The description should identify this purpose.
14. In Duration, select a duration.
Rubrik recommends that you select Never expires to avoid problems with changing the key at the
end of a specified duration period.
15. Click Save.
The key value cannot be retrieved after leaving the Keys blade. Store the key value in a secure
location.
The Azure portal generates a key value and the key value appears in the Value field.
16. Select and copy the key value.
17. Paste the key value into your temporary file.
18. On the Azure Portal menu, click Azure Active Directory.
The Azure Active Directory page for your account appears.
19. On the Azure Active Directory page menu, select Properties.
The Properties blade for the Azure Active Directory appears.
20. In Directory ID, click the copy button to copy the directory ID value.
Microsoft documentation also refers to the directory ID as the tenant ID.
21. Paste the directory ID value into your temporary file.
22. On the Azure Portal menu, click Subscriptions.
In some cases, the menu path may be Cost Management + Billing > Subscriptions.
The Subscriptions page appears.
23. Select a subscription to assign the Rubrik cluster application to.
The Rubrik cluster application must be added as a contributor to a subscription. You can use an
existing subscription or create a new one.
The Subscription blade for the selected subscription appears.
24. In the Subscription blade menu, click Access control (IAM).
The Access control (IAM) blade appears.
25. On the Access control (IAM) blade, click +Add.
The Add permissions blade appears.
26. In Role, select Contributor.
27. In Assign access to, select Azure AD user, group or application.
28. Add the application ID value from your temporary file.
29. Click Save.
The subscription is updated to add the Rubrik cluster application.
30. Type the name of the subscription into your temporary file.

Result
The Rubrik cluster is registered in Azure AD.

Creating a custom role


Create an IAM user account with minimal policy-based access to the account.

Context
Rubrik CDM works with contributor role-based access on your Azure subscription. However, when
contributor access cannot be provided, create a custom role with the minimum required permissions.

Procedure
1. Copy the following JSON structure, including beginning and ending braces, to a plain text editor.

{
"Name":"Rubrik CloudOn 5_0",
"IsCustom":true,
"Description":"Can Launch VMs from archived snapshots",
"Actions":[
"Microsoft.Compute/snapshots/*",
"Microsoft.ClassicCompute/virtualMachines/detachDisk/action",
"Microsoft.ClassicCompute/virtualMachines/attachDisk/action",
"Microsoft.Compute/images/read",
"Microsoft.Compute/images/write",
"Microsoft.Compute/images/delete",
"Microsoft.Compute/disks/*",
"Microsoft.Compute/locations/*/read",
"Microsoft.Compute/skus/read",

"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/virtualMachines/delete",
"Microsoft.Compute/virtualMachines/extensions/*",
"Microsoft.Compute/virtualMachines/instanceView/read",
"Microsoft.Compute/virtualMachines/powerOff/action",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Compute/virtualMachines/runCommand/action",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/vmSizes/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkSecurityGroups/securityRules/read",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/publicIPAddresses/write",
"Microsoft.Network/publicIPAddresses/join/action",
"Microsoft.Network/publicIPAddresses/delete",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourcegroups/*/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
"Microsoft.Resources/subscriptions/resourcegroups/write",
"Microsoft.Storage/*/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Storage/storageAccounts/read"
],
"NotActions":[

],
"AssignableScopes":[
"/subscriptions/subscription-id"
]
}

2. Near the end of the JSON structure, replace subscription-id with the Azure Subscription ID for the App
Registration subscription.
3. Copy the resulting JSON structure.
4. Open the Azure Cloud Shell for the associated account.
5. Change the current working directory to the account home directory.
Type: cd $home.
6. At the Azure Cloud shell prompt, type nano RubrikCloudOnMinimalPermissions.json.
The nano editor opens and starts a new empty file named
RubrikCloudOnMinimalPermissions.json in the home directory of the account.
7. Paste the JSON structure into the new file in the editor.
Press Ctrl + U to paste into the editor.
8. Save the new file.
Press Ctrl + O, and then press Enter to save the file.
9. Close nano.
Press Ctrl + X to close nano.
10. At the Cloud Shell prompt, type a command to create a role definition.
Type the following:
az role definition create --role-definition ./RubrikCloudOnMinimalPermissions.json
The Azure CloudOn CLI creates the Rubrik IAM role in the subscription.
11. On the Azure portal menu, select Subscriptions and choose a subscription.
12. Click Access control (IAM).
13. Click +Add.
14. Type the name of the role created in the Cloud Shell.
The JSON structure in this task specifies the following role name: "Rubrik CloudOn".
15. Set Assign access to to Azure AD user, group or application.
16. In Select Search, search for and select the Rubrik application.
Azure assigns the role to the selected Rubrik application.
17. Click Save.

Result
Azure creates a role with minimal permissions and assigns the role to the Rubrik application.
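
Added example (not part of the Rubrik guide or its scripts): a Python check to run on RubrikCloudOnMinimalPermissions.json before the role definition is created. It catches stray text pasted along with the JSON and an unreplaced subscription-id placeholder, and lists the grants that deserve review before assignment; the sample role is a shortened, constructed copy, and the choice of which actions to flag is an assumption of this example.

```python
import json
import re

# Constructed sample: a shortened copy of the page's role definition with the
# "subscription-id" placeholder deliberately left in place.
SAMPLE_ROLE = """
{
  "Name": "Rubrik CloudOn 5_0",
  "IsCustom": true,
  "Description": "Can Launch VMs from archived snapshots",
  "Actions": [
    "Microsoft.Compute/disks/*",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/runCommand/action",
    "Microsoft.Network/networkInterfaces/*",
    "Microsoft.Storage/*/read",
    "Microsoft.Storage/storageAccounts/listkeys/action"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/subscription-id"]
}
"""

# This example accepts only the scope form the page uses: a subscription GUID,
# optionally narrowed to a single resource group.
SCOPE_RE = re.compile(
    r"^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}"
    r"(/resourceGroups/[^/]+)?$",
    re.IGNORECASE,
)

# Actions from the page's role that reach past resource management. Which ones
# to call out is a choice made for this example. Keys are lowercase because the
# comparison below is case-insensitive.
SENSITIVE_ACTIONS = {
    "microsoft.compute/virtualmachines/runcommand/action":
        "runs scripts inside the guest OS of a virtual machine",
    "microsoft.storage/storageaccounts/listkeys/action":
        "returns the access keys of a storage account",
}


def lint_role_definition(text):
    """Lint a role definition given as JSON text.

    Returns a dict with the role name, 'errors' (the file must be fixed before
    it is used) and 'review' (grants to accept consciously before assignment).
    """
    report = {"name": None, "errors": [], "review": []}
    try:
        role = json.loads(text)
    except json.JSONDecodeError as exc:
        # Typical cause: extra text copied along with the JSON structure.
        report["errors"].append(f"not valid JSON (line {exc.lineno}): {exc.msg}")
        return report
    if not isinstance(role, dict):
        report["errors"].append("top-level JSON value is not an object")
        return report

    # The portal search in the role assignment step needs this exact string.
    report["name"] = role.get("Name")
    if not report["name"]:
        report["errors"].append("Name is missing")

    scopes = role.get("AssignableScopes") or []
    if not scopes:
        report["errors"].append("AssignableScopes is empty")
    for scope in scopes:
        if not (isinstance(scope, str) and SCOPE_RE.match(scope)):
            report["errors"].append(f"scope is not a subscription ID path: {scope}")

    for action in role.get("Actions") or []:
        if not isinstance(action, str):
            report["errors"].append(f"action is not a string: {action!r}")
        elif action.lower() in SENSITIVE_ACTIONS:
            report["review"].append(f"{action}: {SENSITIVE_ACTIONS[action.lower()]}")
        elif "*" in action and not action.endswith("/read"):
            # A wildcard at resource-type level covers every operation on it.
            report["review"].append(f"{action}: wildcard also grants write and delete")
    return report


if __name__ == "__main__":
    result = lint_role_definition(SAMPLE_ROLE)
    print("role name:", result["name"])
    for kind in ("errors", "review"):
        for finding in result[kind]:
            print(f"[{kind}] {finding}")
```

To check the real file, pass its contents: lint_role_definition(open("RubrikCloudOnMinimalPermissions.json").read()).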

Azure CloudOn configuration


The Rubrik cluster provides a script to simplify the setup of CloudOn for Azure.
To make it easier to set up CloudOn for Azure, the Rubrik cluster provides a script,
rkazurecli_cloud_compute.ps1, that runs in the Azure Cloud Shell. The output of the script is
a JSON file containing the Azure data that the Rubrik cluster requires to configure the Cloud Compute
settings for an Azure archival location.
Related tasks
Configuring Azure Objects
Editing a location to add Azure CloudOn

Editing a location to add Azure CloudOn


Edit an existing Azure archival location to add support for Azure CloudOn.

Context
This task uses values obtained from the tasks Configuring Azure Objects, Configuring the subnet, and
Setting up permissions on Azure and stored in a temporary file.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Archival Location.
The Archival Locations page appears.
4. On the card for an existing Azure archival location, open the ellipsis menu and click Edit.
The Edit Archival Location dialog box appears.
5. Click Advanced Settings.
The Advanced Settings page appears with the Cloud Compute Settings menu selected.
6. In App Id, paste the application ID from the temporary file.
7. In App Secret Key, paste the key value from the temporary file.
8. In Tenant Id, paste the directory ID value from the temporary file.
9. In Subscription, select the subscription name that matches the subscription name in the temporary
file.
10. In Region, select the region that matches the region listed in the temporary file.
11. In General Purpose Storage, select the name of the storage account that matches the storage
account name in the temporary file.
12. In General Purpose Storage Container Name, type a name for the Azure container that will store
the VHDs.
Use a name that meets the Azure requirements for container names:
• 3-64 characters
• Lowercase
• Alphanumeric characters and the dash symbol
13. (CloudOn) In Resource Group, type the name of a resource group.
This resource group specifies where the temporary Rubrik Bolt cloud cluster instance will be launched.
14. In Virtual Network ID, copy and paste the resource ID of the virtual network from the temporary
file.
15. In Subnet ID, copy and paste the name of the virtual network from the temporary file.
16. In Security Group ID, copy and paste the resource ID of the security group.
17. Click Add.

Result
The Rubrik cluster modifies the archival location configuration to add support for Azure CloudOn.

Cloud conversion settings


To speed up instantiation of virtual machine snapshots, the Rubrik cluster can be configured to convert
snapshots to VHDs before an instantiation request is made. The Rubrik cluster provides the ability to
specify conversion settings at the virtual machine level.
The choices for conversion settings only appear for vSphere virtual machines that are assigned to qualified
SLA Domains. Qualified SLA Domains are ones that are configured with an archival location that meets all
of the following requirements:
• Azure archival location.
• Azure CloudOn correctly configured and set up.
Each vSphere virtual machine that is assigned to a qualified SLA Domain can be configured with one of the
following settings.

Setting: Disabled
Description: The Rubrik cluster converts the snapshots from the virtual machine into VHDs only when cloud
instantiation is requested. This setting requires the creation of a VHD from the VMDKs of the selected
snapshot after instantiation is initiated and so takes longer to complete. This is the default value.

Setting: Cloud conversion without Keep older VHDs
Description: The Rubrik cluster starts converting the most recent virtual machine snapshot as soon as it
has been archived. The Rubrik cluster combines the chain of incremental snapshots leading to the last full
snapshot and the VHD is created from the resulting snapshot. The Rubrik cluster automatically removes the
previously stored VHD from cloud storage. For all snapshots except the most recent, this setting requires
the creation of a VHD from the VMDKs of the selected snapshot after instantiation is initiated, and takes
longer to complete.

Setting: Cloud conversion with Keep older VHDs
Description: The Rubrik cluster starts converting the most recent virtual machine snapshot as soon as it
has been archived. The Rubrik cluster combines the chain of incremental snapshots leading to the last full
snapshot and the VHD is created from the resulting snapshot. The Rubrik cluster does not automatically
remove previously created VHDs from cloud storage. Removing those VHDs requires user action. This setting
normally does not require the creation of a VHD from the VMDKs of the selected snapshot after instantiation
is initiated. Since the VHD already exists, the instantiation task is much faster.

Linux incremental snapshot conversion


Linux incremental snapshot conversion uses three transient compute instances in the Azure account for
CloudConversion jobs to run successfully.

Context

Note: Windows virtual machines only support full conversions.

The compute instances are launched in the same Azure region as the Azure storage. The Archive Location
is configured in the same location the Rubrik cluster uses to archive the virtual machine data. The network
and firewall settings for these instances are configured based on the CloudCompute settings that are
configured on the Archival location.

Procedure
1. Rubrik CDM prepares the selected snapshot to be converted in the cloud.
2. If the snapshot has not already been archived, Rubrik CDM uploads delta changes to the archive
location where the prior snapshots in the chain reside.
3. Rubrik CDM checks whether Bolt and Converter instances that can be reused have already been launched.
If none exist, Rubrik CDM launches new Bolt and Converter instances.
4. New disks corresponding to the VHD disks are created and attached to the Converter instance.
The Bolt instance reads data from the archive location and copies data from the archived snapshot to the
volumes attached to the Converter instance.
5. After all changes have been written to the attached volumes, Rubrik CDM creates snapshots out of the
volumes.
6. The Converter instance makes necessary changes to the drivers and network interfaces required by
the Linux instances in Azure.
7. Rubrik CDM attaches the volumes to a temporary instance, boots it, and verifies whether the conversion
is successful.

Result
After successful verification, an image is created, which completes the conversion process.

Note: Incremental conversion is not supported on Hyper-V virtual machines.

Configuring cloud conversion


Configure cloud conversion settings for a vSphere virtual machine.

Prerequisites
• Configure an SLA Domain to use an Azure container that was created for cloud instantiation.
• Assign at least one vSphere virtual machine to the selected SLA Domain.

Procedure
1. Log in to the Rubrik CDM web UI as either an administrative user or an organization administrator.
Only the administrative user for the Rubrik cluster or the administrator of a tenant organization has
the privileges required to configure cloud conversion settings.
2. On the left-side menu, click Virtual Machines > vSphere VMs.
The vSphere VMs page appears, with the VMs tab selected.
3. In Name, click the name of a virtual machine.
The local host page for the selected virtual machine appears.

When the Overview card does not contain the Cloud Conversion field, the possible causes are:
• The SLA Domain is not correctly configured for cloud instantiation.
• The selected virtual machine is not a vSphere virtual machine.
• The guest OS of the virtual machine is not Windows.
4. On the Overview card, in the Cloud Conversion field, click Configure.
5. Assign a configuration.
Option: Disabled
Description: In Cloud Conversion, move the slider to the off position. This is the default configuration
and only needs to be set when the virtual machine previously had another setting applied.
Option: Cloud Conversion without Keep older VHDs
Description: In Cloud Conversion, move the slider to the on position and clear Keep older VHDs.
Option: Cloud Conversion with Keep older VHDs
Description: In Cloud Conversion, move the slider to the on position and select Cloud Conversion.
6. Click Submit.

Result
The Rubrik cluster applies the specified configuration to the selected virtual machine.

Cloud instance management


The Rubrik CDM web UI manages cloud instances.
Use the Rubrik CDM web UI to view all running instances on the cloud and to perform the following tasks:
• Instantiating a virtual machine from a snapshot or Instantiating a virtual machine on the cloud using
VHDs
• Launching virtual machines images
• Terminating cloud instances
• Removing virtual machine images

Instantiating a virtual machine from a snapshot


Select a vSphere snapshot to use for cloud instantiation. The snapshot can be selected from the Rubrik
cluster that manages the protected object, a replication target Rubrik cluster, or an archival location.

Context

Note: Windows virtual machines with BitLocker-enabled volumes cannot instantiate on Azure CloudOn.

Procedure
1. Log in to the Rubrik CDM web UI as either an administrative user or an organization administrator.
Only the administrative user for the Rubrik cluster or the administrator of a tenant organization has
the required privileges to instantiate a virtual machine in the cloud.
2. On the left-side menu, select Virtual Machines > vSphere VMs.
The vSphere VMs page appears, with the VMs tab selected.
3. Click the name of a virtual machine.
The local host page for the selected virtual machine appears.
4. Browse to a snapshot.
5. Open the ellipsis menu for the snapshot, and select Launch on Cloud.
The Launch on Cloud dialog box appears.
6. Under Cloud Provider, select Azure.
7. In Location Name, select the name of an archival location.
The virtual machine will be instantiated in the storage for the selected location.
8. In Virtual Machine Size, select a VHD instance type from the list, or select Custom Instance
Type.
The Rubrik cluster recommends a VHD instance type for the instantiated virtual machine, based on the
source virtual machine.
9. Optional: In Virtual Machine Size, select Custom Instance Type.
The Custom Instance Type field appears.
10. In Custom Instance Type, type the name of a VHD instance type.
The custom VHD instance type name must exactly match the name that is used with Azure.
11. In VNet, select an Azure virtual network.
The field lists the virtual networks that are available at the selected archival location. To see a list in
this field, first select an archival location.
12. In Network Security Group, select an available security group.
The field lists the security groups that are available for the selected virtual network. To see a list in this
field, first select a virtual network.
13. In Resource Group, select an available resource group.
The field lists the resource groups that are available for the selected virtual network. To see a list in
this field, first select a virtual network.
The selected resource group specifies where the instantiated virtual machine will be launched.
14. Click Submit.

Result
The Rubrik cluster launches the Rubrik Bolt cloud instance in the resource group associated with the
archive location to create a full snapshot.
The Rubrik cluster begins the instantiation task. When the task completes, the instantiated virtual machine
appears on the Cloud Mounts page of the Rubrik CDM web UI.

Instantiating a virtual machine on the cloud using VHDs


Select a VHD to use for cloud instantiation. The snapshot can be local or at the archival location. A VHD for
the snapshot can exist or can be created during the task.

Procedure
1. Log in to the Rubrik CDM web UI as either an administrative user or an organization administrator.
Only the administrative user for the Rubrik cluster or the administrator of a tenant organization has
the required privileges to instantiate a virtual machine in the cloud.
2. On the left-side menu, select Virtual Machines > vSphere VMs.
The vSphere VMs page appears, with the VMs tab selected.
3. In Name, click the name of a virtual machine.
The local host page for the selected virtual machine appears.
4. Browse to a snapshot.
5. Open the ellipsis menu for the snapshot, and select Launch on Cloud.
The Launch on Cloud dialog box appears.
6. In Location Name, select the name of an archival location.
The virtual machine will be instantiated in the storage for the selected location.
7. In Virtual Machine Size, select the type of VHD instance to use for the instantiated virtual machine.
The Rubrik cluster examines the source virtual machine and provides a recommended VHD instance
type.
8. Optional: In Virtual Machine Size, select Custom Instance Type.
The Custom Instance Type field appears.
9. In Custom Instance Type, type the name of a VHD instance type.
The name must be typed in the exact form that Azure uses.
10. In VNet, select an Azure virtual network.
The field lists the virtual networks that are available at the selected archival location. To see a list in
this field, first select an archival location.
11. In Network Security Group, select an available security group.
The field lists the security groups that are available for the selected virtual network. To see a list in this
field, first select a virtual network.
12. In Resource Group, select an available resource group.
This resource group specifies where the instantiated virtual machine will be launched.
The field lists the resource groups that are available for the selected virtual network. To see a list in
this field, first select a virtual network.
13. Click Submit.
The Rubrik cluster launches the Rubrik Bolt cloud instance in the resource group associated with the
archive location to create a full snapshot.

Result
The Rubrik cluster begins the instantiation task. When the task completes, the instantiated virtual machine
appears on the Cloud Mounts page of the Rubrik CDM web UI.

Powering off a cloud instance


Use the Cloud Mounts page of the Rubrik CDM web UI to power off instantiated virtual machines.

Procedure
1. Log in to the Rubrik CDM web UI as either an administrative user or an organization administrator.
Only the administrative user for the Rubrik cluster or the administrator of a tenant organization has
the privileges required to power off an instantiated virtual machine.
2. On the left-side menu, click Cloud Mounts > Azure.
The cloud mounts page appears, with the VMs tab selected.
3. Open the ellipsis menu next to the selected instance.
4. Click Power Off.

Result
The Rubrik cluster powers off the selected instance. The instance remains as a powered down instance on
the Azure account.

Terminating cloud instances


Use the Cloud Mounts page of the Rubrik CDM web UI to terminate instantiated virtual machines.

Procedure
1. Log in to the Rubrik CDM web UI as either an administrative user or an organization administrator.
Only the administrative user for the Rubrik cluster or the administrator of a tenant organization has
the privileges required to terminate an instantiated virtual machine.
2. On the left-side menu, click Cloud Mounts > Azure.
The cloud mounts page appears, with the VMs tab selected.
3. Open the ellipsis menu next to the selected instance.
4. Click Power Off.
The Rubrik cluster powers off the selected instance.
5. Open the ellipsis menu next to the selected instance again.
6. Click Terminate.
The Rubrik cluster removes the selected virtual machine instance from the Azure account.

Result
The Rubrik cluster removes the resources created by instantiation from the resource group once the virtual
machine is terminated.

Removing virtual machine entries


Use the Cloud Mounts page of the Rubrik CDM web UI to remove the virtual machine.

Context
The Rubrik cluster stops managing the virtual machine once it has been removed. Manage this virtual machine
from the Azure Portal.

Procedure
1. Log in to the Rubrik CDM web UI as either an administrative user or an organization administrator.
Only the administrative user for the Rubrik cluster or the administrator of a tenant organization has
the privileges required to remove a virtual machine entry.
2. On the left-side menu, click Cloud Mounts > Azure.
The cloud mounts page appears, with the VMs tab selected.
3. Open the ellipsis menu next to the selected instance.
4. Click Remove entry.

Result
The Rubrik cluster removes the selected virtual machine from Rubrik cluster metadata and stops managing
it.

Launching virtual machines images


Launch an individual virtual machine image from the Azure Cloud Mount page.

Procedure
1. Log in to the Rubrik CDM web UI as either an administrative user or an organization administrator.
Only the administrative user for the Rubrik cluster or the administrator of a tenant organization has
the privileges required to launch a virtual machine image.
2. On the left-side menu, click Cloud Mounts > Azure.
The cloud mounts page appears, with the VMs tab selected.
3. Click the VM Images tab.
The list of available virtual machine images appears.
4. Open the ellipsis menu next to a selected virtual machine image.
5. Click Launch VM Image.

Result
The Rubrik cluster launches the selected virtual machine image.

Removing virtual machine images
Remove virtual machine images using the Rubrik CDM web UI.

Procedure
1. Log in to the Rubrik CDM web UI as either an administrative user or an organization administrator.
Only the administrative user for the Rubrik cluster or the administrator of a tenant organization has
the privileges required to remove a virtual machine image.
2. On the left-side menu, click Cloud Mounts > Azure.
The cloud mounts page appears, with the VMs tab selected.
3. Click the VM Images tab.
The list of available virtual machine images appears.
4. Open the ellipsis menu next to a selected virtual machine image.
5. Click Delete VM Image.

Result
The Rubrik cluster removes the selected virtual machine image from the Azure account.

Resource groups
Resources can be grouped into a resource group.
To assign resources to a resource group, either assign all the resources or only those to be managed as
a group. To ensure the ease of deployment, update, or deletion of a resource group, Rubrik recommends
that resources added to a resource group share the same lifecycle.
A maximum of 800 resource groups can be created per Azure account subscription. Each resource group,
in turn, can contain a maximum of 800 deployments.
With a configured resource group, a virtual machine will be launched and instantiated in the
selected resource group. The Rubrik cluster launches the Rubrik Bolt cloud instance in the resource
group associated with the archive location to create a full snapshot. When an existing archival
location does not have a resource group, the local Rubrik cluster creates a resource group called
DefaultRubrikStormResourceGroup and uses it to launch Azure Storm instances. For more information, see
Creating a resource group.
As part of the garbage collection tasks, the Rubrik cluster deletes deployments with the prefix import-vm*
from the resource group being used to launch the transient compute instance and user instances. The Rubrik
cluster deletes these deployments to avoid reaching the maximum number of deployments per resource
group and to prevent instantiation failures. The Rubrik cluster also deletes non-Rubrik deployments with the
same prefix of import-vm* in the same resource group used for CloudOn that are already in a terminated
state. To determine the impact of deleting deployments, review the Microsoft online documentation. For
more information, see Removing a resource group.

Creating a resource group


Create resource groups to add, deploy, update, or delete resources as a group.

Procedure
1. Log in to the Azure Portal.
2. On the left-side menu, click Resource groups.
The Resource groups page appears.
3. On the top menu bar, click +Add.
The Resource groups blade appears.
4. In Resource group name, type a name for the resource group.
5. In Subscription, select the subscription account to use.
6. In Resource group location, select the resource group location.
7. Click Create.
Azure creates the resource group for the Azure account.
8. Click Refresh to see the newly added resource group.
9. Optional: Create and deploy a resource to the resource group.
Microsoft Azure online documentation provides information for creating and deploying a resource.
Removing a resource from a resource group does not remove the resource group.
10. Add the Azure CloudOn configuration to the Rubrik cluster and configure a new Azure archival location
to use Azure CloudOn.
For more information, see Adding Microsoft Azure as an archival location.
11. Select a snapshot and instantiate a virtual machine.
For more information, see Instantiating a virtual machine from a snapshot.

Result
The Rubrik cluster begins the instantiation task. When the task completes, the instantiated virtual machine
appears on the Cloud Mounts page of the Rubrik CDM web UI. When launched successfully, the Rubrik
cluster names the virtual machine with the local VMware as the prefix and appends a disambiguation string
to the prefix, such as SQL-server-001-disambiguation string.
Rubrik recommends using a disambiguation string to avoid potential conflicts that arise when a string is
ambiguous.

Removing a resource group


Remove resource groups manually on the Azure Portal.

Context
Removing a resource group deletes all resources in the resource group.
Before removing a resource group, verify that this resource group does not contain a resource that another
resource group depends upon.

Procedure
1. Log in to the Azure Portal.
2. On the left-side menu, click Resource groups.
The Resource groups page appears.
3. Select a resource group to remove and from the top bar of the Resource groups page click Delete.

Result
Azure removes the selected resource group from the Azure account.

Chapter 20
Amazon EC2 instance backup

Rubrik clusters enable the management and protection of Amazon Elastic Compute Cloud (Amazon EC2)
instances.

Feature | Description
Amazon EC2 instance backup | Takes snapshots of Amazon EC2 instances.
Indexing | Enables file search and download within snapshots of Amazon EC2 instances.
Restore to different region | Enables restoring Amazon EC2 instance snapshots to regions other than their original region.

Note: Amazon EC2 instances created by using a disk deployed from the AWS Marketplace do not support
indexing.

Protecting Amazon EC2 instances requires the AWS credentials for the account that owns the instances.

Amazon EC2 instance protection


A Rubrik cluster provides protection for Amazon EC2 instances through either individual assignment of
the Amazon EC2 instance to an SLA Domain or through automatic protection. Automatic protection occurs
when the Amazon EC2 instance derives the SLA Domain assignment of an associated AWS account.
The Rubrik cluster provides flexibility in the protection assignments made for Amazon EC2 instances.
Amazon EC2 instances that are protected by individual assignment can be set to Do Not Protect or can be
set to inherit a protection setting.
An automatically protected AWS account can contain an individual Amazon EC2 instance that has no
protection.
The Rubrik cluster also permits protecting some of the EBS volumes on an Amazon EC2 instance while
designating other EBS volumes on the Amazon EC2 instance as unprotected.

Automatic protection
A Rubrik cluster provides automatic protection of Amazon EC2 instances through inheritance of the SLA
Domain assigned to a parent object.
The automatic protection mechanism simplifies assigning protection to large numbers of Amazon EC2
instances and provides an easy method to uniformly assign specific SLA Domains to groups of functionally
similar Amazon EC2 instances.
The Rubrik cluster uses a specific set of automatic protection rules in the application of automatic
protection.

During SLA Domain assignment, the Rubrik cluster displays the objects that have individual assignments
which conflict with the new assignment. For each conflicting object, the Rubrik cluster permits an
administrator to choose to retain the individual setting or apply the new setting.

Automatic protection rules


To provide consistency when applying automatic protection, the Rubrik cluster adheres to a specific set of
rules.
A Rubrik cluster applies protection to an Amazon EC2 instance using the following rules:

Rule name | Description
Rule One | The setting individually assigned to an object takes precedence.
Rule Two | An object that is not individually assigned a setting inherits the setting of the hierarchically closest containing object that has a setting.

Example: Automatic protection rules applied

To show the impact of automatic protection on the protection settings of an Amazon EC2 instance,
consider the following fictitious environment:
• Amazon EC2 instance is newly discovered and no protection has been assigned.
• Amazon EC2 instance is owned by AWS account A. AWS account A has no assigned protection.
Administrator assigns the SLA Domain named ClusterProtection to A:
The Amazon EC2 instance inherits the ClusterProtection assignment (Rule Two).
Administrator individually assigns the Amazon EC2 instance to the Gold SLA Domain:
The Amazon EC2 instance is protected by the Gold SLA Domain (Rule One).

Indexing when VPN is unavailable


Use a public IP address for EC2 indexing if VPN is not available.

Context
If indexing is enabled for EC2 instances but VPN is not available, indexing fails after creating an Apache
Storm cluster in the AWS environment due to connectivity issues. Instead, connect to the Apache Storm
cluster using a public IP address to start indexing for EC2 instances.

Procedure
1. Connect to the Apache Storm cluster using SSH.
2. Type this command.

cluster rubrik_tool get_config cluster_name | grep -i public


"usePublicIpForBolt": false

The public IP address is disabled.


3. Type this command.

cluster rubrik_tool get_config cluster_name | grep -i public


"usePublicIpForBolt": true

The Rubrik cluster switches to using the public IP address.

Result
The public IP address provides connectivity for EC2 indexing.

AWS account and user


An AWS account requires a particular configuration in order for a Rubrik cluster to protect the Amazon EC2
instances owned by that account. The Rubrik cluster also requires a user account created within the AWS
account with the proper privileges.

Configuring the AWS account security policy


The AWS account that owns the Amazon EC2 instances requires a specific security policy to enable Rubrik
to protect the instances.

Procedure
1. Log in to the AWS account.
2. In the AWS Services list, in the Security, Identity & Compliance section, select IAM.
The Identity and Access Management page appears.
3. On the left-side menu, select Policies.
4. Click Create policy.
The Create Policy workspace opens with the Visual Editor tab active.
5. Click the JSON tab.
The JSON text editor appears.
In the next step, pay close attention to the JSON formatting, including opening and closing braces and
brackets.
6. Paste the following text into the JSON editor:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume",
        "ec2:CopyImage",
        "ec2:CreateImage",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteKeyPair",
        "ec2:DeleteSnapshot",
        "ec2:DeleteVolume",
        "ec2:DeregisterImage",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeImages",
        "ec2:DescribeImportImageTasks",
        "ec2:DescribeInstances",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSubnets",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcs",
        "ec2:DetachVolume",
        "ec2:ImportImage",
        "ec2:ModifyInstanceAttribute",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "*"
    }
  ]
}

7. Optional: For an Amazon EC2 instance that contains encrypted volumes, add the following section
immediately following the "Statement": [ line:

    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey",
        "kms:ReEncryptTo",
        "kms:DescribeKey",
        "kms:CreateGrant",
        "kms:ReEncryptFrom"
      ],
      "Resource": [
        "arn:aws:kms:region:accountId:key/keyId",
        "arn:aws:kms:region:accountId:key/keyId"
      ]
    },

Enter the correct region, account ID, and key ID for each encrypted volume in the "Resource":
section.
8. Click Review Policy.
9. In Name, type a name for the policy.
10. Optional: In Description, type a description for the policy.
11. Click Create policy.

Result
AWS creates the security policy and returns to the policy list page.
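
The following is an added example, not Rubrik or AWS tooling. It assembles the policy from steps 6 and 7 offline, rejects KMS resources that still carry the region:accountId:key/keyId placeholders, and lists the state-changing EC2 actions that the policy allows on "Resource":"*", so a reviewer can see what the access key is able to do. The function names and the sample key ARN are constructed for illustration.

```python
import json
import re

# Action lists copied from the policy text in steps 6 and 7.
EC2_ACTIONS = ["ec2:" + name for name in """
    AttachVolume CopyImage CreateImage CreateTags CreateVolume DeleteKeyPair
    DeleteSnapshot DeleteVolume DeregisterImage DescribeAvailabilityZones
    DescribeImages DescribeImportImageTasks DescribeInstances DescribeKeyPairs
    DescribeSecurityGroups DescribeSnapshots DescribeSubnets DescribeVolumes
    DescribeVpcs DetachVolume ImportImage ModifyInstanceAttribute RunInstances
    StartInstances StopInstances TerminateInstances""".split()]
KMS_ACTIONS = ["kms:" + name for name in """
    Decrypt Encrypt GenerateDataKey ReEncryptTo DescribeKey CreateGrant
    ReEncryptFrom""".split()]

# A filled-in key ARN: real region, 12-digit account ID, key ID (optionally mrk-).
KMS_KEY_ARN = re.compile(
    r"^arn:aws:kms:[a-z]{2}(?:-[a-z]+)+-\d+:\d{12}:key/(?:mrk-)?[0-9a-f-]{32,36}$")


def _as_list(value):
    """IAM accepts either a single value or a list for these fields."""
    return value if isinstance(value, list) else [value]


def build_policy(kms_key_arns=()):
    """Return the step 6 policy, with the step 7 KMS statement first if keys are given."""
    statements = []
    if kms_key_arns:
        bad = [arn for arn in kms_key_arns if not KMS_KEY_ARN.match(arn)]
        if bad:
            raise ValueError("not a complete KMS key ARN: " + ", ".join(bad))
        statements.append({"Sid": "VisualEditor0", "Effect": "Allow",
                           "Action": KMS_ACTIONS, "Resource": list(kms_key_arns)})
    statements.append({"Sid": "VisualEditor1", "Effect": "Allow",
                       "Action": EC2_ACTIONS, "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def unscoped_mutating_actions(policy):
    """Allowed actions on Resource "*" that are not read-only Describe calls."""
    found = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not action.split(":", 1)[-1].startswith("Describe"):
                found.add(action)
    return sorted(found)


def lint_policy_text(text):
    """Check pasted policy text; return a list of findings (empty means clean)."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        for res in _as_list(stmt.get("Resource", [])):
            if res.startswith("arn:aws:kms:") and not KMS_KEY_ARN.match(res):
                findings.append(f"{stmt.get('Sid')}: placeholder or malformed key ARN: {res}")
    mutating = unscoped_mutating_actions(policy)
    if mutating:
        findings.append(f'{len(mutating)} state-changing actions allowed on "*": '
                        + ", ".join(mutating))
    return findings


if __name__ == "__main__":
    # Constructed sample key ARN (documentation-style account ID and key ID).
    sample_key = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    text = json.dumps(build_policy([sample_key]), indent=2)
    print(text)
    for finding in lint_policy_text(text):
        print("NOTE:", finding)
```

Run the script to print a policy that is ready to paste into the JSON editor, followed by the findings a reviewer should record for the access key that will hold it.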

Configuring the Rubrik CDM user


The Rubrik cluster requires a dedicated user account within the AWS account in order to protect the
Amazon EC2 instances.

Procedure
1. Log in to the AWS account.
2. In the AWS Services list, in the Security, Identity & Compliance section, select IAM.
The Identity and Access Management page appears.
3. Click Users.
The list of users appears.
4. Click Add user.
5. Enter a name for the user.
6. Select Programmatic Access in the “Select AWS access type” section.
7. Click Next: Permissions.
8. Click Attach existing policies directly.
A list of all the available policies in the AWS Account appears.
9. Select the policy created in the topic describing the AWS account security policy.
10. Click Next: Review.
11. Click Create user.
AWS creates the user and a success message appears.
12. Click Download .csv.

Result
The browser downloads a CSV file that contains the Access Key and Secret Key for the new user.
The Rubrik user account is now ready to provide the Rubrik cluster with access to the Amazon EC2
instances to protect.
Related tasks
Configuring the AWS account security policy
The AWS account that owns the Amazon EC2 instances requires a specific security policy to enable Rubrik
to protect the instances.

Adding an AWS account


To protect Amazon EC2 instances, add the AWS account that owns the instances to the Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Cloud Workloads.
3. Under Cloud Workloads, click EC2 Instances.
The Instances tab appears.
4. Click Add AWS Account.
The Add Cloud Source dialog box appears.
5. In the Credentials tab, enter the following information:
• A name for the cloud source
• The AWS access key
• The AWS secret key
6. Select the regions that contain the instances to protect.
7. Optional: Click the Indexing tab.
Searching for a file within a cloud native snapshot and file-level recovery from a cloud native snapshot
requires indexing.
8. Optional: Move the slider to the right to enable indexing for a region.
9. Optional: For each region with indexing enabled, select a VPC ID, Subnet ID, and Security Group ID.
The Rubrik cluster must be able to connect to instances in the selected VPC. Verify that port 2002 is
open.
10. Click Add.

Result
The Rubrik cluster connects to the AWS account and fetches a list of the Amazon EC2 instances in the
specified regions. The Rubrik cluster refreshes this list every 180 minutes.

Amazon EC2 Instances tab data


The Instances tab displays summary information about the Amazon EC2 instances associated with the
AWS accounts that are added to the cluster. To search for a specific instance, enter a search string in
the ‘Search by Name or Instance ID’ field. To filter the list of instances by region, assigned SLA, or SLA
assignment type, select a filter from the drop-downs at the top right of the list.

Column | Description
Instance ID | The unique identifier of the instance.
Instance Name | The instance name.
Instance Type | The Amazon EC2 type of the instance.
Account | The account that owns the instance.
Region | The region of the instance.
SLA Domain | The name of the SLA protecting the instance.
Assignment | Specifies whether the SLA was assigned directly or inherited from an account-wide SLA.

Managing an existing AWS account


Details for AWS accounts that are added to the Rubrik cluster can be updated at any time. AWS accounts
can be assigned an SLA that is inherited by new instances created by that account.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Cloud Workloads.
3. Under Cloud Workloads, click EC2 Instances.
The Instances tab appears.
4. Click Accounts.
The Accounts tab appears.
5. Select the account to manage.
To search for a specific account, enter a search string in the ‘Search by Name or Instance ID’ field. To
filter the list of accounts by assigned SLA or SLA assignment type, select a filter from the drop-downs
at the top right of the list.
6. Optional: To manage the account, click the ellipsis at the top right of the page.
The list of management options appears.
7. Optional: Select a management option:
Option | Description
Edit | Update the account information.
Delete | Remove the account from the Rubrik cluster.
Refresh | Refresh the list of instances that are associated with the account.
8. Optional: Click Manage Protection.
The Manage Protection dialog box appears.
9. Optional: Select an SLA from the list.
• To search for a specific SLA, enter a search string in the ‘Search SLA domains’ field.
• To create a new SLA Domain, click the + button.
10. Optional: Click Submit.

Result
The selected AWS accounts are updated with the new information.
Related concepts
Custom SLA Domains

Assigning an SLA to an Amazon EC2 instance


An individual Amazon EC2 instance can be assigned a specific SLA or inherit the SLA assigned to the
account that owns the instance. This procedure assigns an individual SLA.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Cloud Workloads.
3. Under Cloud Workloads, click EC2 Instances.
The Instances tab appears.
4. Select an Amazon EC2 instance.
To search for a specific instance, enter a search string in the ‘Search by Name or Instance ID’ field.
To filter the list of instances by region, assigned SLA, or SLA assignment type, select a filter from the
drop-downs at the top right of the list.
5. Click Manage Protection.
6. The Manage Protection dialog box appears.
7. Select an SLA from the list.
To search for a specific SLA, enter a search string in the ‘Search SLA domains’ field.
8. To create a new SLA Domain, click the + button.
9. Click Submit.

Result
The instance is now protected by the selected SLA Domain.
Related concepts
Custom SLA Domains

EBS volume exclusion
Amazon EC2 instances can include EBS volumes that do not need to be protected. The Rubrik cluster can
be configured to ignore specified EBS volumes in an Amazon EC2 instance while protecting the other EBS
volumes in that Amazon EC2 instance.

Excluding EBS volumes from the protection assigned to an instance


When backups are not required for some of the EBS volumes of an Amazon EC2 instance, exclude those
EBS volumes from backups.

Procedure
1. In the Rubrik CDM web UI, on the left-side menu, click Cloud Workloads > EC2 Instances.

Note: To go directly to the page for a specific Amazon EC2 instance, type the name of the instance in
the search box on the top bar of the Rubrik CDM web UI and select the instance from the results list.

The Instances tab appears.


2. In the Name column, click the name of an Amazon EC2 instance.
To help find Amazon EC2 instances, use the filters, sort the entries by column heading, or use the
search field.
The instance details page for the selected Amazon EC2 instance appears.
3. Open the ellipsis menu on the top bar of the local host page and select Exclude Volumes.
The Exclude Volumes dialog box appears.
4. Select the EBS volumes to exclude.
5. Click Exclude.

Result
The Rubrik cluster excludes the selected EBS volumes from all future backups of the Amazon EC2 instance.
Related concepts
Finding protection objects
The Rubrik CDM web UI provides several tools for finding protection objects.

Taking an on-demand snapshot


An on-demand snapshot of an Amazon EC2 instance is a backup taken outside of the specifications in the
SLA Domain that protects the instance.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Cloud Workloads.
3. Under Cloud Workloads, click EC2 Instances.
The Instances tab appears.
4. In the Name column, click an instance name.
The Overview, Snapshots, and Status cards appear for that instance.
5. Click Take On Demand Snapshot.
The Take On Demand Snapshot dialog box appears.
6. Select an SLA from the list.
To search for a specific SLA, enter a search string in the "Search SLA domains" field.
To create a new SLA Domain, click the + button.
7. Click Take On Demand Snapshot.

Result
The Rubrik cluster adds the specified on-demand backup to the task queue. The Activity Log tracks the
status of the on-demand backup task. The Rubrik cluster manages the snapshot based on the rules and
policies of the selected SLA Domain.
Related concepts
Custom SLA Domains

Restoring Amazon EC2 instance snapshots


Use Amazon EC2 instance snapshots to restore Amazon EC2 instances.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Cloud Workloads.
3. Under Cloud Workloads, click EC2 Instances.
The Instances tab appears.
4. In the Name column, click an instance name.
The Overview, Snapshots, and Status cards appear for that instance.
5. In the Snapshots card, use one of the following methods to select a snapshot to restore.
• Click the date of the snapshot.
• Search in indexed snapshots by entering a filename string in the Search by File Name field.
A list of snapshots appears in the Snapshots card.
6. Click the ellipsis menu next to the snapshot and click Restore.
The instance is restored, effectively rolling the instance back to the time of the snapshot.

Result
The Rubrik cluster queues the restore of the Amazon EC2 instance snapshot.

Exporting Amazon EC2 instance snapshots


Use Amazon EC2 instance snapshots to export Amazon EC2 instances.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Cloud Workloads.
3. Under Cloud Workloads, click EC2 Instances.
The Instances tab appears.
4. In the Name column, click an instance name.
The Overview, Snapshots, and Status cards appear for that instance.
5. In the Snapshots card, use one of the following methods to select a snapshot to export.
• Click the date of the snapshot.
• Search in indexed snapshots by entering a filename string in the Search by File Name field.
A list of snapshots appears in the Snapshots card.
6. Click the ellipsis menu next to the snapshot and click Export.
A new instance based on the snapshot is created.
7. In the Export Snapshot dialog box, enter the following information to export the new instance to the
original or to a new region.
• Name of the instance
• Instance type
• Region of the snapshot export
• Subnet
8. Click Export.

Result
The Rubrik cluster queues the export of the Amazon EC2 instance snapshot.

Downloading files or folders from snapshots


A snapshot of an Amazon EC2 instance can make individual files or folders available for download when
indexing is enabled.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Cloud Workloads.
3. Under Cloud Workloads, click EC2 Instances.
The Instances tab appears.
4. In the Name column, click an instance name.
The Overview, Snapshots, and Status cards appear for that instance.
5. In the Snapshots card, click on the date of the snapshot to restore.
Search in indexed snapshots by entering a filename string in the Search by File Name field.
After selecting a date, a list of snapshots taken on that date appears in the Snapshots card.
6. Click the ellipsis next to the snapshot to restore.
7. Select Recover Files.
The Recover Files dialog box appears.
8. Select the files to restore.
To search for files, enter a string in the ‘Search Files’ field.
9. Click Finish.
A download link for the files or folders appears.
10. Click the download link.

Result
The files or folders are downloaded to the local system.

Chapter 21
File systems

A Rubrik cluster provides management and protection of file system data for supported Linux, Unix, and
Windows hosts, and for NAS shares.
For Linux and Windows hosts, the supported operating systems can be running on physical hardware or
on a supported virtual machine. For Unix, the supported operating systems can be running on physical
hardware.

Feature | Description
Filesets | Define the data to manage and protect by specifying paths, path segments, and file types to include, exclude and exempt from exclusion. Valid fileset path statements must begin with one of the following: a slash (/); a backslash (\); or a single uppercase or lowercase alpha character followed immediately by a colon, for example C: and e:. Use wildcard characters to represent one or more characters in a path or path segment.
Multiple filesets per host | Refine protection by creating several different filesets for a host and assigning each host fileset to an individually selected SLA Domain.
Filesets stored on Pure Storage volumes on AIX hosts | Backup filesets stored on Pure Storage FlashArray volumes on AIX hosts.
SLA Domains | Protect host filesets with the same SLA Domain functionality that is provided for other workload types, including SLA rules and policies.
Backup indexing | Backup indexes data from a host fileset during ingest. This enables full file level search and browse of the backed up data when it is on the local Rubrik cluster, on the replication target, or at the archival location.
Fileset Cluster Backup | Fileset backups from clustered hosts.
Replication | Assign a host fileset to an SLA Domain that has a replication policy and the data backed up from that fileset is replicated according to that policy.
Archiving | Assign a host fileset to an SLA Domain that has an archival policy and the data backed up from that fileset is archived according to that policy.
Restore to original location | Search or browse the indexed host fileset backup to find and restore files and folders to the original location on the source host.
Export to a new location | Search or browse the indexed host fileset backup to find and export files and folders to a known host running the same operating system variant (Linux, Unix, or Windows), or NAS type.

Hosts and shares combined with filesets
For Linux, Unix, and Windows hosts, a Rubrik cluster provides data protection for file systems through the
pairing of the host with a fileset to form a host fileset. For NAS hosts, the Rubrik cluster pairs a fileset with
a NAS share to form a share fileset.
A single host or share can be paired with multiple filesets, and each host fileset or share fileset can be
assigned to a different SLA Domain. This provides the ability to apply different SLA rules to each host
fileset or share fileset.

Protection workflow for host filesets


To protect file system data on a Linux, Unix, or Windows host, complete the protection workflow.
To protect host filesets, complete the following tasks in the order shown.
• Obtain and install the Rubrik Backup Service software on the host.
• Add the host to the Rubrik cluster.
• Create a fileset that defines the data to protect.
• Assign the fileset to the host.
• Assign the host fileset to an SLA Domain.

Protection workflow for storage array filesets


To protect file system data stored on Pure Storage FlashArray volumes on AIX hosts, complete the required
tasks in the order shown by the workflow.
Complete the following tasks in the order shown to protect storage array filesets.
• Add the storage array to the Rubrik cluster.
• Obtain and install the Rubrik Backup Service software on the primary host and any alternate backup
hosts. One alternate backup host can be designated for each fileset. AIX hosts must use Fibre Channel
ports to connect to the Pure Storage array.
• Add each host to the Rubrik cluster.
• Create an array-enabled fileset that defines the data to protect.
• Assign the fileset to an SLA Domain.

Protection workflow for share filesets


To protect file system data on a NAS host, complete the protection workflow.
To protect host filesets, complete the following tasks in the order shown.
• Add the NAS host to the Rubrik cluster.
• Add the NAS share to the Rubrik cluster.
• Create a fileset that defines the data to protect.
• Assign the fileset to the NAS share.
• Assign the share fileset to an SLA Domain.

File system metadata
A fileset backup preserves the metadata that existed on the data source at the time of the backup. When
the data is restored, or exported, the Rubrik cluster includes the preserved metadata with the data.

Host type | Preserved and included metadata
Linux, Unix (AIX), Solaris, NAS (NFS) | Modification time (mtime), user ID (uid), group ID (gid), permissions
Windows, NAS (SMB) | Modification time (mtime), access time (atime), creation time (ctime), NTFS file attributes, access control list (ACL)

Symbolic links and junctions


The Rubrik cluster does not follow symbolic links or junction points during a fileset backup.
When a symbolic link is included in a fileset, the Rubrik cluster backs up the symbolic link as a file. The
Rubrik cluster does not follow the link and does not back up the file or folder that the symbolic link points
to. The file or folder that a symbolic link points to must be directly included in a fileset to be backed up.
Windows hosts and NAS hosts that use SMB use NTFS junction points as symbolic links to directories. The
Rubrik cluster backs up a junction point as a file. The Rubrik cluster does not follow the junction and does
not back up the directory that is referenced by the junction. To back up a directory that is referenced by a
junction, include that directory in a fileset.
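
Because links are backed up as files and never followed, data reachable only through a link is silently absent from the backup. The following added example (not part of the Rubrik product) walks a set of fileset include paths on a Linux or Unix host and reports every symbolic link whose target lies outside those paths. The function names and the temporary directory tree are constructed for illustration.

```python
import os
import tempfile


def uncovered_symlinks(include_paths):
    """Return (link, target, target_exists) for links pointing outside include_paths."""
    roots = [os.path.realpath(p) for p in include_paths]

    def covered(target):
        return any(target == r or target.startswith(r + os.sep) for r in roots)

    findings = set()
    for root in roots:
        # followlinks=False mirrors the backup behaviour: links are never followed.
        for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
            for name in dirnames + filenames:
                link = os.path.join(dirpath, name)
                if not os.path.islink(link):
                    continue
                target = os.path.realpath(link)
                if not covered(target):
                    # target_exists is False for a dangling link.
                    findings.add((link, target, os.path.exists(target)))
    return sorted(findings)


def demo(include_shared=False):
    """Build a constructed tree in a temporary directory and report relative findings."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.realpath(tmp)
        data = os.path.join(base, "data")
        shared = os.path.join(base, "shared")
        os.makedirs(os.path.join(shared, "certs"))
        os.makedirs(data)
        for path in (os.path.join(data, "app.conf"),
                     os.path.join(shared, "certs", "ca.pem")):
            with open(path, "w") as handle:
                handle.write("constructed sample\n")
        # Link to a file inside the fileset: the target is backed up anyway.
        os.symlink(os.path.join(data, "app.conf"), os.path.join(data, "current.conf"))
        # Link to a directory outside the fileset: the target is not backed up.
        os.symlink(os.path.join(shared, "certs"), os.path.join(data, "certs"))
        # Dangling link: nothing to back up, but worth knowing before a restore.
        os.symlink(os.path.join(base, "missing"), os.path.join(data, "old"))
        includes = [data, shared] if include_shared else [data]
        return [(os.path.relpath(link, base), os.path.relpath(target, base), exists)
                for link, target, exists in uncovered_symlinks(includes)]


if __name__ == "__main__":
    for link, target, exists in demo():
        state = "exists, not in fileset" if exists else "dangling"
        print(f"{link} -> {target} ({state})")
```

Each target reported as existing must be added to a fileset directly if its contents are to be protected.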

Open files
The operating system of the host determines how a Rubrik cluster handles files that are open at the time
of a fileset backup.
For Linux and Unix hosts, the Rubrik cluster backs up open files in the open state. Files that are backed up
in an open state can potentially be inconsistent.
For Windows hosts, the Rubrik cluster uses the Volume Shadow Copy Service (VSS). When the Rubrik
cluster successfully uses VSS, open files are backed up in a consistent state. When the Rubrik cluster is
unable to successfully use VSS, open files are not included in the backup.

Modified files
Files that have been modified between the metadata scan and the backup task will still be backed up, but with
an error message indicating the discrepancy in size.
Files that have increased in size since the metadata scan will be backed up to the size of the initial scan. The
additional data is not backed up. Files that have decreased in size since the metadata scan will also be backed
up. The discrepancy in file size will be indicated by an error message in the Activity log, but the backup
task will not be affected.

Direct Archive
The Direct Archive feature permits direct transfer of snapshots to archival storage, rather than first storing
the snapshots on the drives of the Rubrik cluster.
Protecting very large data sources makes substantial demands on the storage resources of a Rubrik cluster.
Direct Archive provides the ability to transfer those very large snapshots directly to external archival
storage. Since the snapshots never reside on the Rubrik cluster, those snapshots cannot be replicated to
another Rubrik cluster. The Rubrik cluster stores the indexed metadata of the directly archived snapshots,
which permits search and reporting for those snapshots.

Note: The replication policies of SLA Domains assigned to data sources that use Direct Archive do not
apply to snapshots of those data sources. Replication for snapshots that use Direct Archive is not available
because the Rubrik cluster does not store such snapshots in cluster storage. As a best practice, create
separate SLA Domains specifically for use with data sources that use Direct Archive and do not use those
SLA Domains for data sources that do not use Direct Archive.

Direct Archive is only available for filesets that are protected by an SLA Domain that specifies an archival
location. Archival consolidation is a best practice for optimizing the storage use at the archival location.
Rubrik CDM does not support Direct Archive for the following Rubrik CDM deployments:
• Rubrik Edge
• Rubrik Air
• Rubrik Cloud Cluster
• Rubrik e1000
Related concepts
Archival Consolidation
Archival Consolidation frees archival storage by deleting expired snapshots.

Determining access for files exported to Linux


The Rubrik cluster includes the original group ID and user ID of a Linux file when exporting the file from a
backup.
When a Rubrik cluster backs up a file on a Linux file system the backup includes the group ID (GID) and
user ID (UID) of the file. The GID and UID values determine which Linux groups and users can access the
file. When the Rubrik cluster exports the file to a different Linux file system the original GID and UID are
included. The groups and users that have access to the file could change if the GID and UID values are
mapped differently on the export target file system.
For example, a Rubrik cluster backs up a group accessible file from Linux 1. The file has GID 601 and UID
1320. Sandy Road has UID 1320 and is the only member of the group with GID 601.
The file is exported to Linux 2 with GID 601 and UID 1320.
On Linux 2, GID 601 maps to a group which consists of Cloudy Sky and Bumpy Hill. On Linux 2, UID 1320
maps to Serene Lake. Sandy Road has an account on Linux 2 with UID 1001 and is not part of the group
with GID 601.
In this example, Cloudy Sky, Bumpy Hill, and Serene Lake have access to the exported file on Linux 2, but
Sandy Road does not.
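
The following added example (not part of the Rubrik product) reproduces the comparison above so it can be run before an export. It resolves a file's UID and GID against the passwd and group data of the source and target hosts and reports which logins lose or gain owner or group access. The passwd and group excerpts, login names and group names are constructed to match the example, and the comparison assumes that the same login name identifies the same person on both hosts.

```python
# Constructed /etc/passwd and /etc/group excerpts that follow the example above.
LINUX1_PASSWD = """\
sroad:x:1320:601:Sandy Road:/home/sroad:/bin/bash
"""
LINUX1_GROUP = """\
projects:x:601:
"""
LINUX2_PASSWD = """\
slake:x:1320:1320:Serene Lake:/home/slake:/bin/bash
sroad:x:1001:1001:Sandy Road:/home/sroad:/bin/bash
csky:x:1002:1002:Cloudy Sky:/home/csky:/bin/bash
bhill:x:1003:1003:Bumpy Hill:/home/bhill:/bin/bash
"""
LINUX2_GROUP = """\
staff:x:601:csky,bhill
"""


def _records(text):
    """Yield the colon-separated fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.strip().split(":")


def parse_passwd(text):
    """Return [(login, uid, primary_gid)] from passwd-format text."""
    return [(f[0], int(f[2]), int(f[3])) for f in _records(text)]


def parse_group(text):
    """Return {gid: set of supplementary member logins} from group-format text."""
    groups = {}
    for fields in _records(text):
        members = {m for m in fields[3].split(",") if m}
        groups.setdefault(int(fields[2]), set()).update(members)
    return groups


def logins_with_access(passwd_text, group_text, uid, gid):
    """Logins that match the file's owner UID or belong to its GID on one host.

    Only the owner and group permission classes are modelled; the "other"
    class and root are outside the scope of this check.
    """
    accounts = parse_passwd(passwd_text)
    owner = {login for login, u, _ in accounts if u == uid}
    primary = {login for login, _, g in accounts if g == gid}
    supplementary = parse_group(group_text).get(gid, set())
    return owner | primary | supplementary


def access_drift(source, target, uid, gid):
    """Compare owner and group access on the backup source and the export target."""
    before = logins_with_access(source[0], source[1], uid, gid)
    after = logins_with_access(target[0], target[1], uid, gid)
    return {"lost": sorted(before - after),
            "gained": sorted(after - before),
            "kept": sorted(before & after)}


if __name__ == "__main__":
    drift = access_drift((LINUX1_PASSWD, LINUX1_GROUP),
                         (LINUX2_PASSWD, LINUX2_GROUP), uid=1320, gid=601)
    for change, logins in drift.items():
        print(f"{change}: {', '.join(logins) or '-'}")
```

Any login in the gained list should be reviewed before the export, because the file becomes readable under that account's owner or group permissions on the target host.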

Rubrik Backup Service
Rubrik Backup Service provides the Rubrik cluster with the ability to manage file system data on Linux,
Unix, and Windows hosts.
The Rubrik Backup Service software can be downloaded directly from the Rubrik cluster when it is needed,
or the software can be downloaded once and pushed to hosts that are protected by that cluster, as
needed. For Windows, the Rubrik cluster uses the same Rubrik Backup Service software for both file
system protection and protection of SQL Server databases.
The Rubrik cluster does not require the Rubrik Backup Service to protect data on NAS shares.
Related concepts
Rubrik Backup Service
The Rubrik Backup Service provides enhanced integration with protected resources and host systems.
Rubrik Backup Service account on Windows
The Rubrik Backup Service must run as an account that has local Administrators group privileges on the
Windows Server host.
Related tasks
Downloading the RBS software
Obtain the Rubrik Backup Service software from the web UI of a Rubrik cluster.
Obtaining the RBS software by URL
Obtain the Rubrik Backup Service software directly by URL instead of through the web UI.
Installing RBS on Linux and Unix hosts
Install the Rubrik Backup Service software on Linux and Unix hosts.
Installing RBS on Windows
Install the Rubrik Backup Service software on a computer or virtual machine that is running the Windows
Server operating system.
Automatically deploying RBS
A Rubrik cluster can install and register the Rubrik Backup Service on a supported Windows guest at the
next scheduled or on-demand backup of that Windows guest.
Registering a guest OS install of RBS
After installing the Rubrik Backup Service software on a virtual machine guest OS, register the Rubrik
Backup Service with a Rubrik cluster.
Removing RBS from a Linux or Unix host
The Rubrik Backup Service can be removed by using standard package manager commands.
Removing RBS from a Solaris host
Remove the Rubrik Backup Service from a Solaris host.
Removing RBS from a Windows host
Remove the Rubrik Backup Service from a Windows host.

Host management
After installing RBS software on a Linux, Unix, or Windows host, add the host to the Rubrik cluster.
Adding a host to the Rubrik cluster establishes a secure connection between the Rubrik cluster and the
Rubrik Backup Service that is running on the host. After the host is added, an entry for the host appears in
the Rubrik CDM web UI.

The Rubrik cluster identifies the host by an IPv4 address or a resolvable hostname. When the value that is
used to identify a host changes, edit the host information on the Rubrik cluster to reflect the new value.
To stop managing the data on a host, delete the host from the Rubrik cluster. Deleting a host removes that
host from the Linux & Unix Hosts tab or the Windows Hosts tab. A removed host cannot be paired with
a fileset and cannot be a target of an export. The Rubrik cluster moves the existing host filesets of the
removed host and all associated backups to the Snapshot Management page.

Adding a host
To begin managing and protecting a Linux, Unix, or Windows host, add the host to the Rubrik cluster.

Prerequisites
Obtain and install the Rubrik Backup Service software on each host that will be added.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select the path that is appropriate for the host operating system.
Option                   Description
Linux, AIX, or Solaris   Click Servers & Apps > Linux & Unix Hosts.
Windows                  Click Servers & Apps > Windows Hosts.
The Hosts tab page appears based on the selected operating system.
3. Click the button that is appropriate for the host operating system.
Option                   Description
Linux, AIX, or Solaris   Click Add Hosts.
Windows                  Click Add Windows Hosts.
The Add Hosts dialog box for the chosen operating system appears.
4. In IPs or Hostnames, type a comma-separated list of IPv4 addresses or resolvable hostnames for
the hosts being added.
The list can contain a mix of IPv4 addresses and hostnames. The Rubrik cluster requires one IPv4
address or one hostname for each host being added.
Linux and Unix hosts must be added in the Add Hosts dialog box. Windows hosts must be added in
the Add Windows Hosts dialog box.
5. Click Add.

Result
The Rubrik cluster checks connectivity with the specified hosts and adds the hosts.

Editing the stored information for a host


When the IPv4 address or hostname of a host changes, the associated host entry should be edited to
provide the new address or hostname.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select the path that is appropriate for the host operating system.
Option                   Description
Linux, AIX, or Solaris   Click Servers & Apps > Linux & Unix Hosts.
Windows                  Click Servers & Apps > Windows Hosts.
The selected OS Hosts tab appears.
3. Click the selection box next to the host.
4. Open the ellipsis menu and select Edit.
The Edit Linux & Unix Host or the Edit Windows Host dialog box appears. The dialog box provides the
address or hostname that the Rubrik cluster has stored for the host.
5. Delete the existing information and type the new address or hostname.
The typed value must be an IPv4 address or a resolvable hostname.
6. Click Update.

Result
The Rubrik cluster checks connectivity using the new host information and stores the information.

Removing a host
Delete a Linux, Unix, or Windows host from the Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select the path that is appropriate for the host operating system.
Option                   Description
Linux, AIX, or Solaris   Click Servers & Apps > Linux & Unix Hosts.
Windows                  Click Servers & Apps > Windows Hosts.
3. Click the selection box next to a host.
4. Open the ellipsis menu and select Delete.
A warning dialog box appears.
5. Click Delete.

Result
The Rubrik cluster removes the host from the Linux & Unix Hosts tab or the Windows Hosts tab. The
Rubrik cluster moves all the existing filesets for the host to the Snapshot Management page.
The Rubrik cluster retains the backups and archival backups for filesets on the Snapshot Management page
for the length of time specified by the retention policy. The Rubrik cluster removes a host fileset from the
Snapshot Management page when all the backups associated with the host fileset have been manually
deleted.
Related tasks
Deleting snapshots for a data source
Remove snapshots that have a Retain Forever policy.

NAS host management


The Rubrik cluster manages and protects data in NAS shares through the NAS host.
To add a NAS host to a Rubrik cluster, provide account and connection information for the host to the
Rubrik cluster.

When the NAS host has access control enabled, the Rubrik cluster requires account credentials with
sufficient privileges for that host. For backups of a share fileset on the NAS host, the account must have
the READ privilege for all files and folders in the fileset. For restore operations, the account must have
the WRITE privilege for the restore location. The READ and WRITE privileges for a share fileset can be
provided at the share fileset level.
To give a Rubrik cluster the required level of access, provide credentials with sufficient privileges in the
NAS host connection information section of the Rubrik CDM web UI.
The authentication method used and the type of credentials required depend on the mount protocol.
SMB mounts for a NAS host require NTLMv2 authentication. NFS mounts for a NAS host require the Unix
local system root account. Rubrik CDM does not support Kerberos authentication for NAS hosts.
To view a share on a NAS host, the account used for the NAS host connection only requires the READ
privilege for that share.
For a NetApp host, the Rubrik cluster can use the SnapDiff API to acquire a list of files that have changed
since the most recent backup. The Rubrik cluster can then use the SnapDiff API to quickly back up just
those changed files. This eliminates the time-consuming task of scanning the entire file system.

Required Isilon privileges


Rubrik CDM requires an account on the Isilon appliance with a specific set of privileges in order to access
the OneFS API.

Privilege      Access level
Platform API   Read-only
Auth           Read-only
Cluster        Read/Write
Job Engine     Read/Write
NFS            Read/Write
SMB            Read/Write
Snapshot       Read/Write

Adding an Isilon NAS host


Add an Isilon NAS host to the Rubrik cluster to manage and protect the data in the Isilon host shares.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > NAS Shares.
The NAS Shares page appears, with the Shares tab selected.
3. Click the Hosts tab.
The All NAS Hosts view appears.
4. Click Add NAS Host.
The Add NAS Host dialog box appears, with the IP or Hostname menu selected.
5. In IP or Hostname, type the IPv4 address or resolvable hostname of the NAS host.
6. On the left-side menu, click Share Credentials.
Use this option to provide credentials for all the shares on the host.
Rubrik CDM allows overriding the share credentials during the addition of individual shares to the
Rubrik cluster.

7. In Domain, type the authentication domain for the user account that provides access to the NAS
host.
8. In Username, type the name of a user account that provides access to the NAS host.
9. In Password, type the password for the specified user account.
10. On the left-side menu, click Vendor API Credentials.
11. In Host Type, select Isilon.
12. Optional: For ChangeList API Integration:
• Switch on the toggle to retrieve a list of files that have changed between two snapshots through
the OneFS Platform API.
• Switch off the toggle to scan all the files in the NAS share for changes.
13. In Isilon OneFS Username, type the name of the user account to access the Isilon OneFS Platform
API.
14. In Isilon OneFS Password, type the password for the user account to access the Isilon OneFS
Platform API.
15. Optional: (Only for Isilon with multiple access zones) In System Zone Hostname or IP, type the
hostname or IPv4 address of the system zone.
This step is not required when the hostname or IPv4 address of the system zone is the same as the
hostname or IPv4 address of the Isilon NAS host.
16. Optional: In Non-system Zone Name, type the name of the non-system zone associated with the
system zone.
This step applies to Isilon hosts with multiple access zones using a version of the OneFS Platform API
released prior to version 8.
17. Optional: In CA Certificate, provide the certificate of the Certificate Authority (CA) obtained from the
Isilon host for TLS certificate validation.
18. Click Add.

Result
The Rubrik cluster adds the Isilon host.

Next task
Add NAS shares from the Isilon host to the Rubrik cluster, either manually or by auto-discovery.
Related tasks
Adding individual NAS shares to a host
Add an individual NAS share to a host.
Adding NAS shares in batches
Add a batch of NAS shares to the Rubrik cluster.

Minimum NetApp privilege requirements for NetApp API integration


The NetApp API integration provides Rubrik CDM with access to NetApp native snapshot and metadata
scan capabilities. The integration also eliminates the performance load caused by backup scans of entire file
sets.
If the API call is not authenticated or authorized, Rubrik CDM attempts the backup without using the
NetApp API engine. If a required privilege is not met, the NetApp API response writes a list of the missing
privileges to the NetApp log file.

Required privileges for the NetApp ONTAP REST API
The privileges required for the NetApp ONTAP REST API are listed in the following table.

Command or command directory   Access query level
DEFAULT                        none
version                        readonly
volume create                  readonly
volume modify                  readonly
volume show                    readonly
volume snapshot create         all
volume snapshot delete         all
volume snapshot modify         all
volume snapshot show           all
vserver cifs share create      readonly
vserver cifs share delete      readonly
vserver cifs share modify      readonly
vserver cifs share show        readonly
vserver export-policy          readonly

View the current settings for a role in the NetApp GUI, or use the security login command from the CLI to
view the current permissions for a specific role.

This example uses the security login command to view the current settings for the test_role role.

netapp_cork::> security login role show -role test_role -vserver my_SVM


           Role          Command/                                      Access
Vserver    Name          Directory                               Query Level
---------- ------------- --------- ----------------------------------- --------
my_SVM     alan_role     DEFAULT                                       none
                         version                                       readonly
                         volume create                                 readonly
                         volume modify                                 readonly
                         volume show                                   readonly
                         volume snapshot create                        all
                         volume snapshot delete                        all
                         volume snapshot modify                        all
                         volume snapshot show                          all
                         vserver cifs share create                     readonly
                         vserver cifs share delete                     readonly
                         vserver cifs share modify                     readonly
                         vserver cifs share show                       readonly
13 entries were displayed.
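The comparison between a role's current permissions and the table of required privileges can be scripted. The following is an added example, not Rubrik or NetApp code: it parses output in the layout shown above and reports command directories that are missing, below, or above the listed minimum. The sample text is constructed, and an empty Query column, a single role per output, and exact-match comparison of command directories are assumptions.

```python
"""Audit an ONTAP role against the minimum privileges in the table above."""

# Required access level per command directory, copied from the table above.
REQUIRED = {
    "DEFAULT": "none", "version": "readonly",
    "volume create": "readonly", "volume modify": "readonly",
    "volume show": "readonly",
    "volume snapshot create": "all", "volume snapshot delete": "all",
    "volume snapshot modify": "all", "volume snapshot show": "all",
    "vserver cifs share create": "readonly", "vserver cifs share delete": "readonly",
    "vserver cifs share modify": "readonly", "vserver cifs share show": "readonly",
    "vserver export-policy": "readonly",
}
RANK = {"none": 0, "readonly": 1, "all": 2}  # ordering used to compare levels

# Constructed sample in the layout of the output above (13 entries, one role).
SAMPLE_PAGE = """\
           Role          Command/                                      Access
Vserver    Name          Directory                               Query Level
---------- ------------- --------- ----------------------------------- --------
my_SVM     test_role     DEFAULT                                       none
                         version                                       readonly
                         volume create                                 readonly
                         volume modify                                 readonly
                         volume show                                   readonly
                         volume snapshot create                        all
                         volume snapshot delete                        all
                         volume snapshot modify                        all
                         volume snapshot show                          all
                         vserver cifs share create                     readonly
                         vserver cifs share delete                     readonly
                         vserver cifs share modify                     readonly
                         vserver cifs share show                       readonly
13 entries were displayed.
"""

# Constructed fragment as a narrow terminal wraps it: the level drops a line.
SAMPLE_WRAPPED = """\
---------- ------------- --------- ----------------------------------- --------
my_SVM     test_role     DEFAULT                                       none
                         volume modify
                                                                       all
                         vserver export-policy
                                                                       readonly
"""


def parse_role_show(text):
    """Return {command_directory: access_level} for a single role's output."""
    entries, pending = {}, None
    in_table, first_row = False, True
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        if set(stripped) <= {"-", " "}:
            in_table = True  # dashed separator: data rows follow
            continue
        if not in_table or stripped.endswith("displayed."):
            continue
        tokens = stripped.split()
        if first_row:
            tokens, first_row = tokens[2:], False  # drop Vserver and role name
        if tokens and tokens[-1] in RANK:
            # A lone level completes the command held over from the prior line.
            command = " ".join(tokens[:-1]) or pending
            if command:
                entries[command] = tokens[-1]
            pending = None
        elif tokens:
            pending = " ".join(tokens)  # command whose level wrapped
    return entries


def audit_role(entries, required=REQUIRED):
    """Compare granted levels with the required ones; return findings by kind."""
    findings = {"missing": [], "insufficient": [], "excessive": []}
    for command, need in required.items():
        have = entries.get(command)
        if have is None:
            findings["missing"].append(command)
        elif RANK[have] < RANK[need]:
            findings["insufficient"].append(command)
        elif RANK[have] > RANK[need]:
            findings["excessive"].append(command)
    # Grants outside the table widen the role past the stated minimum.
    # Exact match only: a broader directory covering a sub-command is not resolved.
    for command, have in entries.items():
        if command not in required and have != "none":
            findings["excessive"].append(command)
    return findings


if __name__ == "__main__":
    for kind, commands in audit_role(parse_role_show(SAMPLE_PAGE)).items():
        print(f"{kind}: {', '.join(commands) or '-'}")
```

Run against the constructed 13-entry sample, the audit reports vserver export-policy as missing, because the table lists it and the sample output does not.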

Adding a NetApp NAS host


Add a NetApp NAS host to the Rubrik cluster to manage and protect the data in the NetApp host share.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > NAS Shares.
The NAS Shares page appears, with the Shares tab selected.
3. Click the Hosts tab.
The All NAS Hosts view appears.
4. Click Add NAS Host.
The Add NAS Host dialog box appears, with the IP or Hostname menu selected.
5. In IP or Hostname, type the IPv4 address or resolvable hostname of the NAS host.
6. On the left-side menu, click Share Credentials.
Use this option to provide credentials for all the shares on the host.
Rubrik CDM allows overriding the share credentials during the addition of individual shares to the
Rubrik cluster.
7. In Domain, type the authentication domain for the user account that provides access to the NAS
host.
8. In Username, type the name of a user account that provides access to the NAS host.
9. In Password, type the password for the specified user account.
10. On the left-side menu, click Vendor API Credentials.
11. In Host Type, select NetApp.
12. Optional: Enable SnapDiff API Integration.
SnapDiff API integration allows for faster file scan speeds and is applied to all shares belonging to the
host.
When enabled, snapshots can be restored only to NetApp API enabled hosts. Additionally, only public
cloud, NetApp S3, or NetApp NFS storage is supported as an archival destination.
13. In NetApp Username, enter the name of the user account to access the NetApp API.
14. In NetApp Password, enter the password for the user account to access the NetApp API.
15. Optional: In Management Hostname or IP, type a hostname or IP address of a NetApp interface
that supports storage virtual machine (SVM) management.
When Management Hostname or IP is not configured, the value of IP or Hostname is used as
both the management and the data logical interface (LIF) of the SVM.
16. Optional: In CA Certificate, provide the certificate of the Certificate Authority (CA) obtained from the
NetApp host for TLS certificate validation.
17. Click Add.

Result
The Rubrik cluster adds the NAS host.

Next task
Select NAS shares from the NAS host to add to the Rubrik cluster.

Related tasks
Editing the SnapDiff setting for a share
When SnapDiff is enabled for a NAS host, this setting applies to all shares belonging to the host. To change
this default behavior, modify the SnapDiff setting for individual shares.
Adding individual NAS shares to a host
Add an individual NAS share to a host.
Adding NAS shares in batches
Add a batch of NAS shares to the Rubrik cluster.
Related reference
SnapDiff usage
Rubrik CDM integrates with SnapDiff to expedite several functions.

Adding a Nutanix NAS host


Add a Nutanix host to the Rubrik cluster to manage and protect the data in the shares on the Nutanix host.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > NAS Shares.
The NAS Shares page appears, with the Shares tab selected.
3. Click the Hosts tab.
The All NAS Hosts view appears.
4. Click Add NAS Host.
The Add NAS Host dialog box appears, with the IP or Hostname menu selected.
5. In IP or Hostname, type the IPv4 address or resolvable hostname of the NAS host.
6. On the left-side menu, click Share Credentials.
Use this option to provide credentials for all the shares on the host.
Rubrik CDM allows overriding the share credentials during the addition of individual shares to the
Rubrik cluster.
7. In Domain, type the authentication domain for the user account that provides access to the NAS
host.
8. In Username, type the name of a user account that provides access to the NAS host.
9. In Password, type the password for the specified user account.
10. On the left-side menu, click Vendor API Credentials.
11. In Host Type, select Nutanix.
12. In Nutanix API Username, type the name of a user account.
The user account must have REST API access privileges on the Nutanix host.
13. In Nutanix API Password, type the password for the account.
14. Optional: In CA Certificate, provide the certificate of the Certificate Authority (CA), obtained from
the Nutanix host.
Rubrik CDM automatically obtains the certificate from the Nutanix host when one is not provided.
15. Click Add.

Result
The Rubrik cluster adds the Nutanix host.

Next task
Manually add NAS shares to the Rubrik cluster or use auto-discovery to find and add shares.

Related tasks
Adding individual NAS shares to a host
Add an individual NAS share to a host.
Adding NAS shares in batches
Add a batch of NAS shares to the Rubrik cluster.

NAS shares
To provide backup for file-level shared storage of a NAS host, Rubrik CDM requires NAS shares to be added
to the Rubrik cluster from the NAS hosts.
Protection of data on NAS hosts requires selecting and adding NAS shares to the Rubrik cluster, either
individually or as a batch. Batch jobs can include NAS shares selected manually or NAS shares selected
using the auto-discovery feature. The auto-discovery feature supports only NetApp, Isilon, and Nutanix API
enabled hosts.
With the auto-discovery feature, Rubrik CDM allows either manual selection of shares to be protected, or
automatic addition of all discovered shares for protection. When automatic addition is selected, the Rubrik
cluster periodically queries the auto-discoverable hosts for NAS shares and automatically adds the newly
discovered shares if the shares have valid API credentials.
The Rubrik cluster does not automatically protect the newly discovered and added shares. When a new
share becomes available, protection must be manually configured. Shares deleted after discovery can be
manually re-added if needed.
Access to SMB share accounts requires credentials for those accounts. When the credentials for an SMB
share account are required, the following message appears:
Wrong Credentials
Providing the correct credentials for the SMB share allows access to the share and removes the message.
Related tasks
Adding NAS shares in batches
Add a batch of NAS shares to the Rubrik cluster.
Adding an Isilon NAS host
Add an Isilon NAS host to the Rubrik cluster to manage and protect the data in the Isilon host shares.
Adding a NetApp NAS host
Add a NetApp NAS host to the Rubrik cluster to manage and protect the data in the NetApp host share.
Related reference
Required privileges for the NetApp ONTAP REST API
The privileges required for the NetApp ONTAP REST API are listed in the following table.

Adding individual NAS shares to a host


Add an individual NAS share to a host.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > NAS Shares.
The NAS Shares page appears, with the Shares tab selected.
3. Click Add NAS Share.
The Add Share wizard starts and the Select Host page appears.
4. Select a host and click Next.
The Add Details page appears in the wizard.

5. Click Manual.
6. In Share Type, perform the action required for the share type.
NAS share type   Action
NFS              In NFS Path, type the path to the NFS share to be protected.
SMB              In SMB Share Name, type a name for the SMB share to be protected.
7. Optional: Select Override Host Credentials.
Select this option to override the credentials that were provided when the NAS host was added.
When this option is selected, provide the domain name, user name, and password of the alternative
credentials.
8. Click Finish.

Result
The Rubrik cluster adds the specified NAS share.
Related tasks
Adding an Isilon NAS host
Add an Isilon NAS host to the Rubrik cluster to manage and protect the data in the Isilon host shares.
Adding a NetApp NAS host
Add a NetApp NAS host to the Rubrik cluster to manage and protect the data in the NetApp host share.
Adding a Nutanix NAS host
Add a Nutanix host to the Rubrik cluster to manage and protect the data in the shares on the Nutanix host.

Adding NAS shares in batches


Add a batch of NAS shares to the Rubrik cluster.

Prerequisites
NAS shares can be added in batches only for shares on NetApp, Isilon, and Nutanix API enabled hosts.
Rubrik CDM does not support adding NAS shares in batches for shares on Pure API enabled hosts. Instead,
individually add shares on Pure API enabled hosts.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > NAS Shares.
The NAS Shares page appears, with the Shares tab selected.
3. Click Add NAS Share.
The Add Share wizard starts and the Select Host page appears.
4. Select a host and click Next.
The Add Details page appears in the wizard.
5. Click Auto.
The Add Share page displays all the discoverable shares.
6. Optional: Click Refresh Shares to update the list of shares.
The Rubrik cluster updates the Share Name column with shares on the NAS server that have recently
changed.
7. In the Share Name column, select the shares to be added.
Auto-discovery does not add the shares back once the user deletes them from the Rubrik cluster. Such
shares can be manually added back to the Rubrik cluster from the NAS host. Shares that are deleted
from the NAS host but not from the Rubrik cluster remain in the Rubrik cluster.

8. Click Finish.
The Shares screen appears. The shares being added have a status of pending until they have
successfully been validated.
• NFS shares that display a status of Access Denied indicate that the host does not allow Briks to
access NFS shares. The NAS administrator must make configuration changes to allow all the Rubrik
nodes in the Brik to access NFS shares.
• If any SMB shares have a status of Wrong Credentials, click Edit from the ellipsis menu. The Edit
Share dialog opens. Make any necessary edits to the share credentials and click Finish.

Result
The Rubrik cluster adds the specified NAS shares to the host.
Related concepts
NAS shares
To provide backup for file-level shared storage of a NAS host, Rubrik CDM requires NAS shares to be added
to the Rubrik cluster from the NAS hosts.
Related tasks
Adding a Nutanix NAS host
Add a Nutanix host to the Rubrik cluster to manage and protect the data in the shares on the Nutanix host.
Adding individual NAS shares to a host
Add an individual NAS share to a host.

Edit the stored information for a NAS host


When the connection information for a NAS host changes, the associated host entry should be edited to
provide the new information.
Administrators can make changes to the object by clicking Edit and using the Edit dialog box. The Edit
dialog box provides access to all editable values of the existing object.
The Rubrik cluster checks connectivity using the new host information and stores the information.
NetApp online documentation provides information about setting up SnapDiff.
Related tasks
Adding a NetApp NAS host
Add a NetApp NAS host to the Rubrik cluster to manage and protect the data in the NetApp host share.
Related reference
SnapDiff usage
Rubrik CDM integrates with SnapDiff to expedite several functions.

Removing a NAS host


Delete a NAS host from the Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > NAS Shares.
The NAS Shares page appears, with the Shares tab selected.
3. Click the Hosts tab.
The All NAS Hosts view appears.
4. Open the ellipsis menu, and select Delete.
A warning dialog box appears.
5. Click Hosts.

Result
The Rubrik cluster removes the host from the NAS Hosts tab. The Rubrik cluster moves all the existing
share filesets for the NAS host to the Snapshot Management page.
The Rubrik cluster retains the backups and archival backups for filesets on the Snapshot Management page
for the length of time specified by the retention policy. The Rubrik cluster removes a share fileset from the
Snapshot Management page when all the backups associated with the share fileset have expired.
Related tasks
Deleting snapshots for a data source
Remove snapshots that have a Retain Forever policy.

SnapDiff usage
Rubrik CDM integrates with SnapDiff to expedite several functions.

Category                           Description
Support                            SnapDiff v1 is supported for all FlexVols but is not supported for
                                   FlexGroups.
Backups                            The first backup is a traditional scan and a snapshot is retained. The
                                   subsequent incremental backups use SnapDiff and are compared with
                                   previous snapshots.
                                   Similarly, when SnapDiff is enabled for an existing fileset where
                                   incremental backups exist, the first backup after enabling SnapDiff is
                                   a regular scan. This NetApp snapshot is retained on the NetApp NAS
                                   and is used for comparison with the subsequent incremental backups.
                                   The subsequent incremental backups use SnapDiff and are compared
                                   with previous snapshots.
Scans                              • When using SnapDiff v1, if a scan fails or does not work as
                                     expected, a traditional metadata scan is initiated.
                                   • When using SnapDiff v2, if a scan fails or does not work as
                                     expected, a restart of the SnapDiff v2 session is attempted before
                                     initiating a traditional metadata scan.
Snapshots                          When SnapDiff is enabled, snapshots can be restored only to NetApp
                                   API enabled hosts. Additionally, only public cloud storage or NetApp
                                   storage are supported as archival destinations.
Enabling SnapDiff for a NAS Host   • The SnapDiff setting for a NAS host is applied to all shares
                                     belonging to the host.
                                     Selectively modify the SnapDiff setting for a share.
                                     When shares of a host have different SnapDiff settings, the setting
                                     of the host is displayed as SnapDiff-Mixed.
                                   • Both the data Logical Interface (LIF) and the management LIF have to
                                     be mapped to the NAS host address in Rubrik CDM.

Related tasks
Adding a NetApp NAS host
Add a NetApp NAS host to the Rubrik cluster to manage and protect the data in the NetApp host share.
Editing the SnapDiff setting for a share
When SnapDiff is enabled for a NAS host, this setting applies to all shares belonging to the host. To change
this default behavior, modify the SnapDiff setting for individual shares.

Editing the SnapDiff setting for a share


When SnapDiff is enabled for a NAS host, this setting applies to all shares belonging to the host. To change
this default behavior, modify the SnapDiff setting for individual shares.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > NAS Shares.
The NAS Shares page appears, with the Shares tab selected.
3. Click the Hosts tab.
The All NAS Hosts view appears.
4. Click a NAS host.
The file shares of the NAS host appear.
5. Open the ellipsis for a file share and click Edit SnapDiff.
The Edit SnapDiff dialog appears.
6. Choose the SnapDiff setting for the file share.
7. Click Update.

Result
The Rubrik cluster updates the SnapDiff setting for the selected file share.
Related reference
SnapDiff usage
Rubrik CDM integrates with SnapDiff to expedite several functions.

NetApp SnapMirror
The Rubrik cluster can protect a NetApp volume that uses the SnapMirror snapshot replication feature.
The SnapMirror shares detected on SnapMirror replica volumes can be viewed by clicking on a NetApp host
from Servers & Apps > NAS Shares > Hosts.
SnapMirror volumes are read-only and cannot be the target of restore operations. When a SnapMirror
volume changes types and becomes a normal volume, Rubrik CDM generates an event for the event log.
Rubrik CDM does not display any information about the SnapMirror relationship between the NetApp
source and NetApp target. Also, Rubrik CDM does not control or manage the SnapMirror relationship
between the NetApp source and NetApp target. For example, Rubrik CDM does not control the snapshot
replication, replication frequency, or retention period from the NetApp SnapMirror source to the target.
Related concepts
NAS shares
To provide backup for file-level shared storage of a NAS host, Rubrik CDM requires NAS shares to be added
to the Rubrik cluster from the NAS hosts.

Protecting a SnapMirror volume


Protect and manage data from a NetApp SnapMirror volume using Rubrik CDM filesets.

Prerequisites
Add the SnapMirror volume to the Rubrik cluster as a NAS share.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > NAS Shares.
The NAS shares page appears, set to the Shares tab. SnapMirror volumes are listed with a Share Type
of SnapMirror.
3. Select the SnapMirror volume to protect and click Manage Protection.
The Manage Protection wizard appears.
4. Select an existing fileset or click the + icon to create a new fileset.
Type a string in the Search by Name field to filter the list of filesets. After creating a new fileset, the
Manage Protection dialog appears again. Select the new fileset.
5. Click Modify Labels.
The SnapMirror Label pane appears.
6. Choose a SnapMirror label type.
SnapMirror labels identify snapshots on the SnapMirror volume. The labels identified in this step define
the snapshots used to protect the SnapMirror fileset. To use the most recent snapshot, do not specify
a label.
Label type    Description
Full          Label for full backups, which are generally less frequent and take longer to complete
              than incremental backups.
Incremental   Label for incremental backups.
7. In the Current Label field, type the label of the snapshot to use for the chosen label type.
8. Choose the other label type.
The Current Label field becomes blank.
9. In the Current Label field, type the label of the snapshot to use for the chosen label type.
For example, a SnapMirror volume uses the predefined labels daily and monthly as well as the user-defined
label audit. The Rubrik administrator chooses monthly as the Full label. While daily is generally a good
choice for the Incremental label, the administrator is configuring protection for a specific use case that
requires using the snapshots labeled audit for incremental backups.
To use the most recent snapshot, do not specify a label.
10. Click Save Changes.
The Manage Protection wizard appears.
11. Click Next.
The Manage Protection wizard advances to the next step.
12. Select an existing SLA Domain, or click the + icon to create a new SLA Domain.
After creating a new SLA Domain, the Manage Protection dialog appears again. Select the new SLA
Domain.
13. Optional: To enable Direct Archive for the fileset, select Direct Archive.
Direct Archive is only available when the fileset is assigned to an SLA Domain that specifies an archival
location.
14. Optional: To resolve symbolic links for the fileset, select Symlink.
This option can only be enabled for filesets that have no snapshots. Filesets with existing snapshots
cannot enable hard link indexing. Enabling this option can affect backup time.
Unresolved symbolic links appear in the UI as files instead of folders. Regardless of setting, the Rubrik
cluster does not resolve symbolic links to a directory in a different fileset.
15. Optional: To resolve hard links, select Hardlink.
Enabling this option can affect backup time.

An inode is a unique identifier for the location of the data of a file or directory. A hardlink is a file
name with the same inode as the target of the hardlink. When this option is not selected, the Rubrik
cluster backs up and restores hardlinks as separate files.
16. Click Finish.

Result
The Rubrik cluster protects the fileset on the SnapMirror volume as required by the SLA Domain assigned
to the fileset.
Related concepts
NAS shares
To provide backup for file-level shared storage of a NAS host, Rubrik CDM requires NAS shares to be added
to the Rubrik cluster from the NAS hosts.

Modifying a SnapMirror label


Edit the label of a SnapMirror volume to change the snapshots Rubrik uses to protect the volume.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > NAS Shares.
The NAS shares page appears, set to the Shares tab. SnapMirror volumes are listed with a Share Type
of SnapMirror.
3. Select a SnapMirror volume and click Manage Protection.
The Manage Protection wizard appears.
4. Choose the type of label to modify.
• Full
• Incremental
The label for the chosen label type appears in the Current Label field.
5. In the SnapMirror label section, click Modify Label.
The SnapMirror Label pane appears.
6. In New Label, type the new label to use for the protected fileset.
To use the most recent snapshot, do not specify a new label.
7. Click Save Changes.
The Manage Protection wizard appears.
8. Click Next.
9. Click Finish.

Result
Protection for the specified fileset uses the snapshots specified by the new labels. When no label is
specified, protection uses the most recent snapshot.

Filesets
Rubrik CDM protects folders and files on host computers and NAS shares through filesets.
A fileset defines a set of files and folders on a host computer or NAS share. The Rubrik cluster uses the
filesets that are assigned to a host or share to determine the data to manage and protect.

Adaptive backup for fileset
The adaptive backup capability enables Rubrik CDM to dynamically and intelligently scale up or scale
down the Rubrik fileset metadata-scan workloads to optimize performance without affecting the NAS
systems that are being backed up or restored.
Rubrik CDM evaluates the latency of I/O metadata and data requests that are sent during the backup. If
the latency increases beyond the set threshold value or the throughput decreases due to external workloads
on the host or NAS share, Rubrik CDM scales down the Rubrik fileset metadata-scan workloads. This
optimizes the performance of the NAS system and Rubrik CDM and also ensures that the Linux hosts and
NAS systems do not get overloaded by the fileset workloads.
The following points explain how the latency is measured and the workloads are adjusted to optimize the
performance:
• Rubrik Backup Service (RBS) and Rubrik NAS clients (NFS and SMB) measure the time taken by the
server or host to respond to the data requests. The throughput of these requests is also calculated.
• Rubrik CDM compares the measured latency with the automatically set threshold value and analyzes
the fluctuations in throughput to determine whether to scale up or scale down the Rubrik fileset
metadata-scan workloads.
The threshold value is automatically set. To adjust the threshold value, contact Rubrik Support.

Fileset fields, rules, and value types


The Rubrik cluster interprets a fileset based on the values provided in the Include, Exclude, and Do Not
Exclude fields. The Rubrik cluster applies a set of rules to the values provided in these fields and permits
several types of values to be added to the fields.
A fileset accepts full paths, path segments, and file name portions to define the objects to include, exclude,
and exempt from exclusion. The Do Not Exclude values specify objects that should not be excluded from
the fileset by the Exclude values.

| Field | Required | Description |
| --- | --- | --- |
| Include | Yes | Comma-separated set of full path descriptions, path segments, and file types, to include in the data specified by the fileset. Requires at least one entry. |
| Exclude | No | Comma-separated set of full path descriptions, path segments, and file types, to exclude from the data specified by the Include field. |
| Do Not Exclude | No | Comma-separated set of full path descriptions, path segments, and file types, to exempt from the exceptions specified by the Exclude field. Paths and files specified by this field will not be excluded from the data specified by the Include field. Requires at least one value in Exclude. |

Host-specific fields
Some fileset fields support particular host types.

| Field | Host type | Description |
| --- | --- | --- |
| Follow Network Shares | Linux and Unix | By default, the Rubrik cluster does not include file systems that are mounted on a Linux or Unix host from a network share, for example by using a protocol such as NFS or SMB. Select Follow Network Shares to override this default behavior and include network shared file systems in the fileset. Note: To address a network share that is mounted on a Windows host, the Rubrik Backup Service requires the UNC path of the network share, for example: \\networkshare\folder |
| Enable Backup of Hidden Folders | Linux, Unix, and NAS | For Linux and Unix hosts, this option appears when Follow Network Shares is selected, and is enabled by default. For Linux and Unix hosts, and for NAS, clear this setting to exclude hidden folders from the fileset. Note: On a Windows host, the Rubrik cluster backs up all hidden files and system files that are within a fileset description. |
| Enable Pre/Post Scripts | Linux, Unix, and Windows | Select to configure a script to run before the backup and a script to run after the backup. |

Fileset description rules


Fileset descriptions must meet specific requirements.

| Rule | Description |
| --- | --- |
| Character set | UTF-8 |
| Wildcard – single asterisk: * | Directory level wildcard. Substitute for zero or more characters up to a directory delimiter. |
| Wildcard – double asterisk: ** | Recursive wildcard, includes files in the specified directory and all sub-directories. Substitute for zero or more characters including directory delimiter characters. |
| Multiple wildcards in a path description | Allowed |
| Space characters in folder names | Allowed |
| Single dot | Not allowed. Indicates a reference to the current directory. |
| Double dot | Not allowed. Indicates a reference to the parent directory. |

Host-specific fileset description rules
Fileset descriptions have specific requirements for particular host types.

| Rule | Linux, Unix, and NAS (NFS) | Windows and NAS (SMB) |
| --- | --- | --- |
| Case sensitivity | Case sensitive | Case insensitive |
| Path delimiter | Forward slash character: / | Backslash character: \ |
| Start of a file path | File paths can be full or partial. A full path starts with a forward slash. Paths cannot include the single dot (.) or double dot (..) elements. | File paths can be full or partial. Windows host – A full path starts with a drive letter, a colon, and a back slash. For example, C:\. NAS share (SMB) – A full path starts with a backslash. Paths cannot include the single dot (.) or double dot (..) elements. |
| End of a file path | Paths that do not end with a single asterisk (specifying all the contents of the last named folder) are modified to add /** to the end of the path. This includes all files and folders beneath the last specified folder. | Paths that do not end with a single asterisk (specifying all the contents of the last named folder) are modified to add \** to the end of the path. This includes all files and folders beneath the last specified folder. |
| Network mounts | Linux and Unix hosts – Select Follow Network Shares and specify the full path to the mount point. NAS share (NFS) – Does not apply. The mount or mount.cifs command can include the ‘nocase’ option. This option causes case insensitive path name matching for the paths on the network share. Fileset rules applicable to a network share with the ‘nocase’ option should account for the case insensitivity. | Windows host – Specify the UNC path for a network share. For example, \\networkshare\folder or \\192.168.1.64\folder. To get all shares of a host, specify the host directly. For example, \\hostname\\**. NAS share (SMB) – Does not apply. |

A file name extension indicates the file type, but does not determine the file type with certainty. The Rubrik
cluster does not look at file signatures (magic numbers) to ascertain file type.

Accepted values for fileset descriptions
Rubrik clusters accept a specific set of values in fileset descriptions.

| Category | Linux, Unix, and NAS (NFS) | Windows and NAS (SMB) |
| --- | --- | --- |
| Paths | Path description of a specified directory. Paths that end in a directory include the specified directory and everything hierarchically beneath it. Path descriptions must use the forward slash character as the directory delimiter. Paths cannot include the single dot (.) or double dot (..) elements. Path descriptions can include multiple single, or double, asterisk wildcards. | Path description of a specified directory. Paths that end in a folder include the specified folder and everything hierarchically beneath it. Path descriptions must use the backslash character as the directory delimiter. Paths cannot include the single dot (.) or double dot (..) elements. Path descriptions can include multiple single, or double, asterisk wildcards. |
| Path Segments | Path description that does not start with a forward slash. The Rubrik cluster matches the path segment wherever it occurs in the directory hierarchy and presumes the full path from root to each occurrence. Path segments that end in a directory include the specified directory and everything hierarchically beneath it. Path segments must start without a forward slash character and use the forward slash character as the directory delimiter. Path segments can include multiple single, or double, asterisk wildcards. | Path description that does not start with a backslash. The Rubrik cluster matches the path segment wherever it occurs in the directory hierarchy and presumes the full path from the root of the system drive to each occurrence. Path segments that end in a directory include the specified directory and everything hierarchically beneath it. Path segments must start without a backslash character and use the backslash character as the directory delimiter. Path segments can include multiple single, or double, asterisk wildcards. |
| File matching | Use a portion of a filename with wildcards to match specific groups of filenames. Specify a file type by using a single asterisk wildcard and a file name extension. For example, to include all PDF files, add *.pdf as an entry in the Include field. | Use a portion of a filename with wildcards to match specific groups of file names. Specify a file type by using a single asterisk wildcard and a file name extension. For example, to include all PDF files, add *.pdf as an entry in the Include field. |

A file name extension indicates the file type, but does not determine the file type with certainty. The Rubrik
cluster does not look at file signatures (magic numbers) to ascertain file type.

Regular expression handling


Fileset rules convert to regular expressions that follow the Boost regular expression syntax guidelines.
In fileset rules, the regular expression metacharacters ($, [, ], {, }, (, ), +, .) are automatically
escaped with a preceding \ character to prevent parsing errors. The fileset rule parser considers a path
to match the rule if any part of the path matches the converted regular expression. Partial matches also
count as matches. The pipe metacharacter | is not escaped. Using the pipe metacharacter can result in
fileset rules that convert to unintended regular expressions.

|  | Linux and Unix | Windows |
| --- | --- | --- |
| Include | /usr/local/**, /home/** | C:\Users\**, E:\Working Files\*, \\archive\shared |
| Exclude | /usr/local/tmp, /home/tmp, *.mov | C:\Users\AppData\**, \\archive\shared\*\personal\** |
| Do Not Exclude | /home/tmp/logs/**, company*.mp4 | **\logs\**, company*.mp4 |

Protection rules (Linux and Unix)
• Protects the folder /usr/local and all its contents
• Does not protect the folder /usr/local/tmp and its subfolders
• Does not protect any file with extension .mov
• Protects any files in /usr/local/tmp or its subfolders that have a filename that starts with company and ends with .mp4
• Protects the folder /home and all its contents
• Does not protect the folder /home/tmp and its subfolders
• Does not protect any file with extension .mov
• Protects the contents of /home/tmp/logs and all of its subfolders
• Protects any files in /home/tmp or its subfolders that have a filename that starts with company and ends with .mp4

Protection rules (Windows)
• Protects the folder C:\Users and all its contents
• Does not protect anything contained by C:\Users\AppData
• Protects the contents of the folder E:\Working Files, but does not protect any data that is in folders that are hierarchically beneath E:\Working Files
• Protects the contents of the SMB mounted drive folder \\archive\shared and everything hierarchically beneath it
• Does not protect anything contained by a folder named personal that is contained in a folder directly beneath \\archive\shared
• Protects all files contained in any folder named logs
• Protects all files with a filename starting with the string company and extension .mp4

Related information
https://www.boost.org/doc/libs/1_32_0/libs/regex/doc/syntax.html

Fileset regular expression conversions


The Rubrik cluster converts regular expressions used during the specification of a fileset rule.

| Rule | Converts to regular expression | Notes |
| --- | --- | --- |
| * | .*/[^/]* | Universal match. |
| ** | .* | Universal match. |
| /** | /.* | Universal match. |
| /* | /[^/]* | Universal match. |
| / | /.* | Universal match. |
| abc | .*/abc$ and .*/abc/.* | Matches any path ending in /abc and any path under that directory. |
| /abc | /abc$ and /abc/.* | Matches the exact path /abc and any path under that directory. |
| /abc/abc | /abc/abc$ and /abc/abc/.* | Matches the exact path /abc/abc and any path under that directory. |
| abc/ | .*/abc/.* | Matches any path under the directory /abc but not the directory itself. Fileset metadata always retains the parent directories of matched paths. |
| abc* | .*/abc[^/]* | Matches any path with a component starting with abc, such as abcfoo. |
| *abc | .*/[^/]*abc$ and .*/[^/]*abc/.* | Matches any path with a component ending with abc, such as fooabc, and any path under that directory. |
| *.abc | .*/[^/]*\.abc$ and .*/[^/]*\.abc/.* | Matches any path with a component ending with .abc, such as foo/bar/x.abc, and any path under that directory. |
| abc*xyz | .*/abc[^/]*xyz$ and .*/abc[^/]*xyz/.* | Matches any path starting with abc and ending with xyz, such as abcfoobarxyz, and any path under that directory. |
| abc/*/xyz | .*/abc/[^/]*/xyz$ and .*/abc/[^/]*/xyz/.* | Matches paths with the exact components abc and xyz with exactly one component between them, and any paths under the matched paths. The path /abc/foo/xyz matches this rule but the path /abc/foo/bar/xyz does not. |
| abc/**/xyz | .*/abc/.*/xyz$ and .*/abc/.*/xyz/.* | Matches any path with the component abc before the component xyz that has one or more components between them, and any paths under the matched paths. Matches /abc/foo/xyz or /abc/foo/bar/xyz, but not /abc/xyz. |
| abc**xyz | .*/abc.*xyz$ and .*/abc.*xyz/.* | Matches paths starting with abc and ending with xyz in the same or a subsequent component, and any paths under the matched paths. The example paths /abc/foo/bar/xyz, /abcd/xyz/x, and /abcdxyz/x all match, along with any children of those paths. |
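
The conversions listed in this table can be exercised offline to check what a set of Include, Exclude, and Do Not Exclude values covers, and to see how an unescaped pipe widens a rule. The following Python code is an added example and is not Rubrik code: it re-implements the documented conversions for Linux and NFS style paths, with Python's re module standing in for Boost. Assumptions: matching starts at the beginning of the path and may stop before its end, a rule that begins with ** gets no .*/ prefix, characters the guide does not list pass through unchanged, and the function names, sample paths, and the /data/old|new rule are hypothetical.

```python
import re

# Metacharacters the guide says are escaped with "\". The pipe "|" is not in this set.
ESCAPED = set("$[]{}()+.")
_TOKEN = re.compile(r"\*\*|\*|.", re.DOTALL)


def convert_rule(rule):
    """Convert one Linux/NFS-style fileset rule to its regular expression(s)."""
    def translate(match):
        token = match.group(0)
        if token == "**":
            return ".*"          # recursive wildcard, crosses "/" delimiters
        if token == "*":
            return "[^/]*"       # directory-level wildcard, stops at "/"
        if token in ESCAPED:
            return "\\" + token
        return token             # anything else, including "|", passes through

    body = _TOKEN.sub(translate, rule)
    # A path segment (no leading "/") may occur anywhere in the hierarchy.
    # Assumption: a rule starting with "**" needs no extra prefix.
    if not rule.startswith(("/", "**")):
        body = ".*/" + body
    if rule.endswith("/"):
        return [body + ".*"]     # contents of the directory, not the directory
    if rule.endswith("*"):
        return [body]
    return [body + "$", body + "/.*"]  # the object itself and everything under it


def rule_matches(rule, path):
    """True when any converted expression matches the path.

    Assumption: the match is anchored at the start of the path and may end
    before the end of the path (a partial match).
    """
    return any(re.match(rx, path) for rx in convert_rule(rule))


def is_protected(path, include, exclude=(), do_not_exclude=()):
    """Apply Include, then Exclude, then the Do Not Exclude exemption."""
    def hit(rules):
        return any(rule_matches(r, path) for r in rules)

    if not hit(include):
        return False
    return (not hit(exclude)) or hit(do_not_exclude)


def coverage_report(paths, include, exclude=(), do_not_exclude=()):
    """Map each path to True (protected) or False (not protected)."""
    return {p: is_protected(p, include, exclude, do_not_exclude) for p in paths}


def rules_with_pipe(rules):
    """Return rules containing an unescaped "|" with their converted expressions."""
    return {r: convert_rule(r) for r in rules if "|" in r}


# Field values from the Linux and Unix example in this section.
INCLUDE = ["/usr/local/**", "/home/**"]
EXCLUDE = ["/usr/local/tmp", "/home/tmp", "*.mov"]
DO_NOT_EXCLUDE = ["/home/tmp/logs/**", "company*.mp4"]

# Constructed sample paths, not taken from a real host.
SAMPLE_PATHS = [
    "/usr/local/bin/tool",
    "/usr/local/tmp/scratch.dat",
    "/usr/local/tmp/company_q1.mp4",
    "/home/alice/clip.mov",
    "/home/tmp/logs/app.log",
    "/home/tmp/cache/blob.bin",
    "/etc/passwd",
]

if __name__ == "__main__":
    report = coverage_report(SAMPLE_PATHS, INCLUDE, EXCLUDE, DO_NOT_EXCLUDE)
    for path, protected in report.items():
        print(f"{'PROTECTED' if protected else 'SKIPPED  '} {path}")

    # Hypothetical Exclude rule meant for one directory literally named "old|new".
    # The "|" becomes alternation, so the first branch matches every path that
    # merely begins with /data/old and silently removes it from the backup.
    risky = "/data/old|new"
    print(rules_with_pipe([risky]))
    print(rule_matches(risky, "/data/oldest/report.txt"))
```

Running a fileset's values through a check like this before assigning the fileset shows which paths an Exclude value removes from protection, which is where an over-broad expression turns into a gap in backup coverage.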

Fileset error notifications


Error conditions related to filesets. These error conditions generate notifications and email alerts.

| Error | Response |
| --- | --- |
| Zero files fetched during a job | The Rubrik cluster marks the job as failed and generates a UI notification and email alert. |
| High rate of change detected during incremental backup | When the total number of files or the total size of files decreases by 50% or more from the previous backup, the Rubrik cluster generates a UI notification and an email alert. |
| High rate of file fetch failures | When more than 50% of the total number of files in the fileset fail to fetch or when 50% of the total size of the fileset fails to fetch, the Rubrik cluster cancels the job. |

Related concepts
Email notifications
Enable the Rubrik cluster to send email notifications.

Creating a fileset
Create a fileset to define a set of data in a file system. A fileset can be assigned to a host to protect the
data set specified by the fileset on that host.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click a choice based on the host type:
| Option | Description |
| --- | --- |
| Servers & Apps > Linux & Unix Hosts | The Linux & Unix Hosts tab of the Linux & Unix Hosts page appears. |
| Servers & Apps > Windows Hosts | The Windows Hosts tab of the Windows Hosts page appears. |
| Servers & Apps > NAS Shares | The Shares tab of the NAS Shares page appears. |
3. Click Filesets.
The Filesets tab appears.
4. Click Add Fileset.
The Add Fileset dialog box appears.
5. In Fileset Name, type a unique name for the fileset.
6. (NAS shares only) In Share Type, select either NFS or SMB.
7. In Include, type a comma-separated list of values.
8. Optional: In Exclude, type a comma-separated list of values.

The Rubrik cluster uses the values in Exclude to determine which folders and files to remove from the
fileset defined by the Include values.
9. Optional: In Do Not Exclude, type a comma-separated list of values.
The Rubrik cluster uses the values in Do Not Exclude to determine which folders and files to include
back into the fileset from the folders and files removed based on the values in Exclude.
10. (Linux and Unix only) Select Follow Network Shares.
Select this option to have the Rubrik cluster include in the fileset the network shares that are mounted
on the Linux or Unix host.
11. (Linux, Unix, and NAS) In Enable Backup of Hidden Folders, do one of the following:
• Select to include hidden folders in the fileset.
• Clear to exclude hidden folders from the fileset.
For Linux and Unix hosts, this field only appears when Follow Network Shares is selected.
12. (Linux, Unix, and Windows) Click Enable Pre/Post Scripts, and complete the following fields:
• Type a path to a script in Pre-Backup Script Path
• Enable Cancel Backup if Pre-Backup Script Fails
• Type a path to a script in Post-Backup Script Path
13. Click Add.

Result
The Rubrik cluster creates and stores the fileset.
Related reference
Fileset fields, rules, and value types
The Rubrik cluster interprets a fileset based on the values provided in the Include, Exclude, and Do Not
Exclude fields. The Rubrik cluster applies a set of rules to the values provided in these fields and permits
several types of values to be added to the fields.

Editing a fileset
Edit a fileset to change the set of data that the fileset defines. The Rubrik cluster applies the changes to
the fileset backups that are created after the change.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click a choice based on the host type:
| Option | Description |
| --- | --- |
| Servers & Apps > Linux & Unix Hosts | The Linux & Unix Hosts tab of the Linux & Unix Hosts page appears. |
| Servers & Apps > Windows Hosts | The Windows Hosts tab of the Windows Hosts page appears. |
| Servers & Apps > NAS Shares | The Shares tab of the NAS Shares page appears. |
3. Click Filesets.
The Filesets tab appears.
4. (Linux, Unix, and Windows) Select a fileset entry, open the ellipsis menu at the top of the page, and
select Edit.
5. (NAS) Open the ellipsis menu next to a fileset entry, and select Edit.
The Edit Fileset dialog box appears.
6. Make changes to the values of the fields.
7. Click Update.

Result
The Rubrik cluster modifies the fileset. Fileset changes apply to backups that occur after the changes.

Deleting a fileset from a host or share


Delete the association between a fileset and a host or share to stop SLA Domain protection of the selected
host fileset or share fileset.

Context
Choose whether to move the host fileset or share fileset and all associated backups to the Snapshot
Management page, or to permanently delete the fileset and all associated backups.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click a choice based on the host type:
| Option | Description |
| --- | --- |
| Servers & Apps > Linux & Unix Hosts | The Linux & Unix Hosts tab of the Linux & Unix Hosts page appears. |
| Servers & Apps > Windows Hosts | The Windows Hosts tab of the Windows Hosts page appears. |
| Servers & Apps > NAS Shares | The Shares tab of the NAS Shares page appears. |
3. In the Name column, click a host or share name.
The local page for the host or share appears.
4. On the Filesets card, select a fileset.
The local fileset page for the selected host fileset or share fileset appears.
5. Open the ellipsis menu, and select Delete.
The Delete Fileset dialog box appears.
6. Choose how to handle the existing backups of the host fileset or share fileset.
• Select Transfer Snapshots to Relic to move the fileset and associated backups to the Snapshot
Management page.
• Select Expire Snapshots Immediately to delete the fileset and all associated backups.
7. Click Delete.

Result
The Rubrik cluster deletes the fileset from the host or share and handles the backups as specified.

Deleting a fileset globally


Delete the association between a fileset and all hosts or shares that use that fileset to stop protecting
those hosts or shares through the fileset.

Context
Choose whether to move the associated filesets and associated backups to the Snapshot Management
page or to permanently delete the associated filesets and associated backups.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click a choice based on the host type:

| Option | Description |
| --- | --- |
| Servers & Apps > Linux & Unix Hosts | The Linux & Unix Hosts tab of the Linux & Unix Hosts page appears. |
| Servers & Apps > Windows Hosts | The Windows Hosts tab of the Windows Hosts page appears. |
| Servers & Apps > NAS Shares | The Shares tab of the NAS Shares page appears. |

3. Click Filesets.
The Filesets tab appears.
4. Select a fileset.
5. Open the ellipsis menu, and select Delete.
The Delete Fileset dialog box appears.
6. (For assigned filesets only) Choose how to handle the existing backups of all associated host filesets.
• Select Transfer Snapshots to Relic to move the host filesets and associated backups to the
Snapshot Management page.
• Select Expire Snapshots Immediately to delete the host filesets and all associated backups.
7. Click Delete.

Result
The Rubrik cluster deletes the fileset from all associated hosts or shares and handles the backups as
specified.

Host filesets and share filesets


The combination of a fileset with a host creates a protection object referred to as a host fileset. The
combination of a NAS share with a fileset creates a protection object referred to as a share fileset.
A host fileset or share fileset is an object that can be assigned to an SLA Domain for policy-based
protection, and can be manually protected through an on-demand backup.
A host or share can be paired with several different filesets, with each host fileset or share fileset
protecting a different set of data. Each of the host filesets or share filesets can be assigned to a different
SLA Domain, permitting different levels of protection for each set of data.
Choose whether to resolve symbolic links when defining protection for a fileset. Unresolved symbolic links
appear as files, rather than as a folder, in the UI. Symbolic links in Linux and Unix filesets that link to a
directory outside the fileset do not resolve regardless of setting.

Protecting a host fileset or share fileset


Create a host fileset or share fileset by pairing a fileset with a host or share. Assign the host fileset or
share fileset to an SLA Domain to protect the data in the host fileset or share fileset.

Prerequisites
• Add the Linux, Unix, Windows, or NAS host to the Rubrik cluster.
• Add a Linux, Unix, Windows, or NAS fileset to the Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select the path that is appropriate for the host operating system.

| Option | Description |
| --- | --- |
| Linux, AIX, or Solaris | Click Servers & Apps > Linux & Unix Hosts. |
| Windows | Click Servers & Apps > Windows Hosts. |
| NAS Shares | Click Servers & Apps > NAS Shares. |
The Hosts tab page appears based on the selected operating system.
3. Click the selection box next to a host or share.
Select multiple hosts or shares to apply the same fileset and SLA Domain to each selected host or
share. When selecting multiple NAS shares, all shares selected must use the same protocol, either NFS
or SMB.
4. Click Manage Protection.
5. Select an existing fileset or click the + icon to create a new fileset.
After creating a new fileset, the Manage Protection dialog appears again. Select the new fileset.
6. Click Next.
7. Select an existing SLA Domain, or click the + icon to create a new SLA Domain.
After creating a new SLA Domain, the Manage Protection dialog appears again. Select the new SLA
Domain.
8. Optional: To enable Direct Archive for the fileset, select Direct Archive.
Direct Archive is only available when the fileset is assigned to an SLA that specifies an archival
location.
9. Optional: To resolve symbolic links, select Symlink.
Enabling this option can affect backup time.
Unresolved symbolic links appear in the UI as files instead of as folders. Regardless of setting, the
Rubrik cluster does not resolve symbolic links to a directory in a different fileset.
10. Optional: To resolve hard links, select Hardlink.
This option can only be enabled for Linux, Unix, or NAS filesets that have no snapshots. Filesets with
existing snapshots cannot enable hard link indexing. Enabling this option can affect backup time.
On Linux and Unix systems, an inode is a unique identifier for the location of the data of a file or
directory. A hardlink is a file name with the same inode as the target of the hardlink. When this option
is not selected, the Rubrik cluster backs up and restores hardlinks as separate files.
11. Click Next.
The Review Impact screen appears.
12. Optional: Click Apply to existing snapshots.
The changes made to the SLA Domain are applied to the existing snapshots. The summary
information describes the impact of the changes on existing and new snapshots.
13. Optional: Select Include on-demand and downloaded snapshots.
The changes made to the SLA Domain also apply to on-demand snapshots. The summary information
describes the effect of the changes on existing, new, on-demand, and downloaded snapshots.
14. Confirm that the Frequency and Retention settings are correct and click Submit.
If the summary information appears incorrect, click Back to return to the previous screen or Cancel
to cancel the change.

Result
The Rubrik cluster creates the selected host filesets or share filesets and assigns them to the selected SLA
Domain.
Related concepts
Retention policy for existing snapshots

Choose the retention policy for existing snapshots after removing the SLA Domain setting.
Related tasks
Creating a fileset
Create a fileset to define a set of data in a file system. A fileset can be assigned to a host to protect the
data set specified by the fileset on that host.
Creating a custom SLA Domain
Create a custom SLA Domain with policies that meet specific SLA requirements.

Starting an on-demand backup of a host fileset or share fileset


Start an on-demand backup of a host fileset or a share fileset.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select the path that is appropriate for the host operating system.
| Option | Description |
| --- | --- |
| Linux, AIX, or Solaris | Click Servers & Apps > Linux & Unix Hosts. |
| Windows | Click Servers & Apps > Windows Hosts. |
| NAS Shares | Click Servers & Apps > NAS Shares. |
The Hosts tab page appears based on the selected operating system.
3. In the Name column, click a host name or share name.
The local cards for the host appear: Overview, Snapshots, and Filesets.
4. Click Take On Demand Snapshot.
The Take On Demand Snapshot dialog box appears.
5. Select the fileset to use for the on-demand backup, and click Next.
The Take On Demand Snapshot dialog box changes to show the second step of the task indicated in
the task flow at the top of the dialog box: Assign SLA.
6. Select an SLA Domain.
The Rubrik cluster uses the maximum retention and the remote configuration settings of the selected
SLA Domain to manage the on-demand snapshot. The selected SLA Domain can be different from the
SLA Domain that protects the associated host fileset or share fileset. The on-demand snapshot can be
manually managed through the Snapshot Management page.
7. Click Take On Demand Snapshot.

Result
The Rubrik cluster adds the specified on-demand backup to the task queue. The Activity Log tracks the
status of the on-demand backup task.
An error message in the Activity Log will indicate files that have been modified between the metadata scan
and the backup task, but the files will still be backed up.
Related concepts
Modified files

Files that have been modified between the metadata scan and the backup task will still be backed up, but
with an error message indicating the discrepancy in size.

Removing protection for a host fileset or share fileset


Remove SLA Domain protection from a host fileset or share fileset.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select the path that is appropriate for the host operating system.
| Option | Description |
| --- | --- |
| Linux, AIX, or Solaris | Click Servers & Apps > Linux & Unix Hosts. |
| Windows | Click Servers & Apps > Windows Hosts. |
| NAS Shares | Click Servers & Apps > NAS Shares. |
The Hosts tab page appears based on the selected operating system.
3. Depending on the host type, do one of the following:
• For Linux, Unix, and Windows hosts, in the Name column, click a host name.
• For NAS hosts, in the Path column, click the path for a share.
The local page for the host appears.
4. In Filesets, click the name of a fileset.
The fileset page appears.
5. Click Manage Protection.
The Manage Protection wizard appears.
6. Select Do Not Protect.
The Existing Snapshot Retention options appear.
7. Choose the retention for existing snapshots:
• Preserve retention from previous SLA
• Keep forever
This is the default choice.
• Expire immediately
8. Click Next.
The wizard advances to the next step.
9. Optional: Click Apply to existing snapshots.
The changes made to the SLA Domain are applied to the existing snapshots. The summary
information describes the impact of the changes on existing and new snapshots.
10. Optional: Select Include on-demand and downloaded snapshots.
The changes made to the SLA Domain also apply to on-demand snapshots. The summary information
describes the effect of the changes on existing, new, on-demand, and downloaded snapshots.
11. Confirm the summary information and click Submit.
If the summary information appears incorrect, click Back to return to the previous screen or Cancel
to cancel the change.

Result
The Rubrik cluster removes SLA Domain protection from the selected host fileset or share fileset.

Cluster-served fileset protection
A fileset can be served by a cluster of servers for availability and load-balancing purposes.
A fileset being provided by a cluster of hosts is provided as a service that uses a virtual IP address (VIP).
The Rubrik cluster identifies services by their VIP. Each server cluster supports up to 32 nodes and can
provide multiple services. The Rubrik cluster takes backups of the fileset provided by a given service from
the active node. When a failover operation occurs during a backup job, the backup job fails and the Rubrik
cluster retries the backup job using the new active node.

Note: All nodes in a protected cluster must run the same OS type. For example, Rubrik CDM does not
support a cluster with both Windows and Linux based hosts.
For more information about supported environments, refer to the Rubrik Compatibility Matrix.

Creating a Windows cluster


Create Windows clusters with Rubrik CDM.

Context
Use the following steps to set up a Windows cluster for Rubrik CDM protection.

Procedure
1. In the Rubrik CDM web UI, on the left-side menu, select Servers & Apps > Windows Hosts.
2. Select the Clusters tab.
3. Select Create Cluster.
4. Enter a Cluster Name and select the hosts to include in the cluster.
5. Click Submit.

Result
The Rubrik cluster creates the specified cluster object.

Protecting a Windows cluster-served fileset


Protect filesets served by a Windows Server Failover Cluster.

Prerequisites
Create a cluster object using the steps in Creating a Windows cluster.

Context
Use the following steps to set up a Windows cluster for Rubrik CDM protection.

Procedure
1. In the Rubrik CDM web UI, on the left-side menu, select Servers & Apps > Windows Hosts.
2. Select the Clusters tab and select the cluster.
A list of services provided by the selected cluster appears.
3. Click Create Service.
The Create Service dialog box appears.
4. In Service Name, enter a name for the new service.
5. In Virtual IP, enter a virtual IP address (VIP) for the new service and click Submit.

The new service appears in the list of services.
6. Select the check box for the new service and click Manage Protection.
The Manage Protection wizard appears.
7. Choose an option.
• Set default SLA to this service: Select an SLA Domain that is inherited by all services for this
cluster.
• Select a fileset to protect: Select specific folders and files to serve.
When an SLA Domain is assigned to the server cluster, that SLA Domain is inherited by all services on
that cluster that do not specify an SLA Domain.
8. (Serving a fileset) Select a fileset to serve.
Search the names of the existing filesets by typing a search string in the Search by Name field. Click
the + button to create a new fileset.
9. Click Next.
10. Choose a protection option and click Finish.
• Select an SLA Domain from the list: Protects the fileset served by the cluster with the selected
SLA Domain. Search the names of existing SLA Domains by typing a search string in the Search by
Name field. Click the + button to define a new SLA Domain.
• Inherit: The fileset inherits the SLA Domain assigned to the specified parent data source.
• Do Not Protect: The fileset is not protected.

Result
The Rubrik cluster applies the specified protection options to the fileset.
Related concepts
Automatic protection
A Rubrik cluster provides automatic protection of virtual machines through inheritance of the SLA Domain
assigned to a parent object.
Related reference
Manage Protection options
Select virtualization hierarchy entities and click Manage Protection to view the Manage Protection dialog
box for the selected entities. The Manage Protection dialog box provides several options for the selected
entities.

Creating a Linux or Unix cluster


Create Linux and Unix clusters with Rubrik CDM.

Context
Use the following steps to set up a Linux or Unix cluster for Rubrik CDM protection.

Procedure
1. In the Rubrik CDM web UI, on the left-side menu, select Servers & Apps > Linux and Unix Hosts.
2. Select the Clusters tab.
3. Select Create Cluster.

4. Enter a Cluster Name and select the hosts to include in the cluster.
5. Click Submit.

Result
The Rubrik cluster creates the specified cluster object.

Adding a fileset protection on Linux and Unix clusters


Protect Linux and Unix clusters and cluster filesets.

Prerequisites
Create a cluster object using the steps in Creating a Linux or Unix cluster.

Context
Use the following steps to set up a Linux or Unix cluster for Rubrik CDM protection.

Procedure
1. In the Rubrik CDM web UI, on the left-side menu, select Servers & Apps > Linux and Unix Hosts.
2. Select the Clusters tab and select the cluster.
3. Select the app to work with and select one of the following options.
• Set default SLA to this application: Select an SLA domain.
• Select a fileset to protect: Select specific folders and files to protect.
4. Click Next.
5. Configure the protection options and click Finish.
Manage Protection options describes this task.

Result
The Rubrik cluster protects the specified cluster based on the assigned SLA Domain.
Related concepts
Automatic protection
A Rubrik cluster provides automatic protection of virtual machines through inheritance of the SLA Domain
assigned to a parent object.

Storage array integration


Files stored on file systems hosted by storage array volumes can be integrated with a Rubrik cluster.
With storage array integration, a Rubrik cluster performs the ingestion phase of the backup operation on
an array-enabled fileset instead of the original file system. The fileset can be located on the primary host
or on an alternate backup host.
Using an alternate backup host for file ingestion frees up resources on the primary host.

Adding an array-enabled fileset
Add a fileset to the primary host or an alternate backup host, and indicate that the fileset is array-enabled.

Context

Note: The logical volumes of a fileset must belong to volume groups whose physical volumes map to
storage array volumes.

Procedure
1. In the Rubrik CDM web UI, on the left-side menu, click Servers & Apps > Linux & Unix Hosts.
2. Select the host from the list.
The host can be the primary host or an alternate backup host.
3. Click Manage Protection.
The Manage Protection dialog box appears.
4. Click the + icon to create a new fileset to apply to this host.
5. In Fileset of Array Volume Groups, select Fileset.
6. In the Fileset Name field, enter a name for the fileset.
7. Click the slider switch for Array Snapshots to indicate that the fileset is stored in a storage array.
8. In the Include field of the Rules section, provide a comma-separated list of the mount points for all
logical volumes to be protected.
Get the mount points by opening a terminal window and entering lsvg -l volume_group_name
9. Optional: Click Enable Pre/Post Scripts and specify paths to the scripts.
10. Optional: Choose whether to cancel the backup if the pre-backup script fails.
11. Click Add.

Result
The array-enabled fileset is added.

Adding an array-enabled Array Volume Group


Add an Array Volume Group to the primary host and optionally an alternate backup host, and indicate that
the collection of array volumes is array-enabled.

Context

Note: Array Volume Groups are supported for Pure (SAVG).

Procedure
1. In the Rubrik CDM web UI, on the left-side menu, click Servers & Apps > Linux & Unix Hosts.
2. Select the host from the list.
The host can be the primary host or an alternate backup host.
3. Click Manage Protection.
The Manage Protection dialog box appears.
4. Click the + icon to create a new Array Volume Group to apply to this host.
5. In Fileset of Array Volume Groups, select Array Volume Groups.
The Add Volume Group dialog box appears.
6. In the Volume Group Name field, enter a name for the volume group.
7. In Arrays, click on the Pure array to indicate the volumes stored on the Volume Array.

8. Confirm the serial numbers against the serial numbers of the volume on the Pure Flash Array.
9. Optional: Click Enable Alternate Backup Host and specify the alternate backup host.
10. Optional: Click Enable Pre/Post Scripts and specify paths to the scripts.
11. Optional: Choose whether to cancel the backup if the pre-backup script fails.
12. Assign the SLA Domain associated with the Array Volume Group.
13. Click Submit.
14. Click Add.

Result
The array-enabled Array Volume Group is added.
The Pure Flash Array API protects the configured volumes. Configured volumes are protected through
on-demand snapshots or the specified SLA.

Backup scripts for Linux, Unix, or Windows hosts


A fileset can be configured to start scripts on a Linux, Unix, AIX, Solaris, or Windows host before and after
backups.
Use this feature to put a Linux, Unix, AIX, Solaris, or Windows host in a specific state before a backup,
and change that state after a backup. For example, run a pre-backup script to quiesce applications before
a backup, and run a post-backup script to restore applications to their normal running status after the
backup.

Note: The Rubrik cluster does not require a post-backup script with a pre-backup script; however, a
post-backup script cannot be specified without a pre-backup script.

The pre-backup script and the post-backup script can consist of any sequence of operations that can be
run by the command line interpreter of the host operating system. On a Windows system, for example,
the script filename must have the .cmd or .bat extension, and the Windows command line interpreter,
cmd.exe, must be able to execute the script.
The Rubrik cluster associates host scripts with a fileset. This way, a different set of pre-backup and
post-backup scripts can be assigned to each fileset that is assigned to a host. The Rubrik cluster applies
the script settings of a fileset to all the hosts that are paired with the fileset.

Configure backup script behavior


The Rubrik cluster can be configured to start a pre-backup script on a host and wait for the script to finish
before starting a backup.
By default, a backup is performed whether the pre-backup script finishes successfully or not. The Rubrik
cluster can be configured to run a post-backup script on the host after a backup. The post-backup script is
processed whether or not the backup completes successfully.
• If the backup is set to occur whether or not the pre-backup script passes (the default behavior),
consider creating a post-backup script to handle the case where the pre-backup script fails.
• To override the default behavior so the backup is only performed if the pre-backup script is successful,
enable Cancel Backup if Pre-Backup Script Fails.
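
Because the backup proceeds by default even when the pre-backup script fails, and the post-backup script always runs, the two scripts need a way to share state. The following is an added example, not Rubrik code, of a script pair for a Linux or Unix host that does this with marker files. The state directory, the quiesce and resume commands, and the file names pre-backup.sh and post-backup.sh are assumptions.

```shell
#!/bin/sh
# Constructed example of a pre-/post-backup script pair for a Linux or Unix host.
# Install this one file under two names (assumed: pre-backup.sh and
# post-backup.sh, for example as hard links) at the same full path on every
# host that is paired with the fileset.
#
# Assumptions, not Rubrik defaults:
#   HOOK_STATE_DIR  directory where the two scripts exchange marker files
#   QUIESCE_CMD     command that puts the application into a backup-safe state
#   RESUME_CMD      command that returns the application to normal operation
: "${HOOK_STATE_DIR:=/var/run/backup-hooks}"
: "${QUIESCE_CMD:=/usr/local/bin/app-quiesce}"   # hypothetical command
: "${RESUME_CMD:=/usr/local/bin/app-resume}"     # hypothetical command

log() { printf '%s backup-hook: %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >&2; }

# Returns 0 only when the application is quiesced. With Cancel Backup if
# Pre-Backup Script Fails selected, any other exit status stops the backup.
pre_backup() {
    umask 077    # marker files readable and writable by the owner only
    mkdir -p "$HOOK_STATE_DIR" || { log "cannot create $HOOK_STATE_DIR"; return 2; }
    rm -f "$HOOK_STATE_DIR/quiesced" "$HOOK_STATE_DIR/pre-failed"
    if $QUIESCE_CMD; then
        : > "$HOOK_STATE_DIR/quiesced"
        log "application quiesced"
        return 0
    fi
    # Quiesce failed. Undo any partial state here rather than relying on the
    # post-backup script for cleanup, and leave a marker in case the backup
    # proceeds anyway (the default behavior).
    $RESUME_CMD || log "resume after failed quiesce also failed"
    : > "$HOOK_STATE_DIR/pre-failed"
    log "quiesce failed"
    return 1
}

# Runs whether or not the backup succeeded, so it must cope with every state
# the pre-backup script can leave behind.
post_backup() {
    if [ -e "$HOOK_STATE_DIR/pre-failed" ]; then
        rm -f "$HOOK_STATE_DIR/pre-failed"
        log "backup ran without the application quiesced"
        return 3    # non-zero so the run is not mistaken for a clean one
    fi
    if [ -e "$HOOK_STATE_DIR/quiesced" ]; then
        if ! $RESUME_CMD; then
            log "resume failed; application may still be quiesced"
            return 1    # marker is kept so a rerun can retry the resume
        fi
        rm -f "$HOOK_STATE_DIR/quiesced"
        log "application resumed"
    fi
    return 0
}

# Dispatch on the name this file was invoked under.
case "${0##*/}" in
    pre-backup.sh)  pre_backup;  exit $? ;;
    post-backup.sh) post_backup; exit $? ;;
esac
```

Keep both script files and the state directory writable only by the account that runs them, since anything placed at the configured path is executed on every backup of the fileset.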

Enabling host scripts
Configure the Rubrik cluster to run a script before and, optionally, after the backup of a host fileset.

Prerequisites
Create a pre-backup script and, optionally, a post-backup script. Place the scripts at the same full path
location on each host that is associated with the script settings of the fileset.

Context
Pre-backup and post-backup script support does not apply to NAS hosts.

Procedure
1. Open the Add Fileset dialog box or the Edit Fileset dialog box by starting the task of creating or editing
a fileset.
2. Click Enable Pre/Post Scripts.
The script fields appear.
3. In Pre-Backup Script Path, type the full path for the pre-backup script.
The full path is relative to the root of a Linux or Unix host file system or to the specified drive letter of
a Windows file system.
4. Optional: Select Cancel Backup if Pre-Backup Script Fails.
When Cancel Backup if Pre-Backup Script Fails is selected, the Rubrik cluster only runs a backup when
the pre-backup script finishes with a zero exit status.
5. Optional: In Post-Backup Script Path, type the full path for the post-backup script.
The full path is relative to the root of a Linux or Unix host file system or to the specified drive letter of
a Windows file system.
6. Complete the other fields on the dialog box, and click Add or Update.

Result
The Rubrik cluster stores the information and runs the scripts for all subsequent backups of hosts that are
paired with the fileset. The Rubrik cluster provides entries in Notifications for any errors that occur when
running the scripts.
Related tasks
Creating a fileset
Create a fileset to define a set of data in a file system. A fileset can be assigned to a host to protect the
data set specified by the fileset on that host.
Editing a fileset
Edit a fileset to change the set of data that the fileset defines. The Rubrik cluster applies the changes to
the fileset backups that are created after the change.

Local host pages and local share pages


The local host pages and local share pages provide detailed information about the protection of host
filesets and share filesets. The pages also provide access to actions for host filesets and share filesets.
The local pages also provide access to a page for each fileset that is assigned to the host or share.

Viewing the local page
Access a local page to view information about a host or share and the associated filesets.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click a choice based on the host type:
• Servers & Apps > Linux & Unix Hosts: The Linux & Unix Hosts tab of the Linux & Unix Hosts page
appears.
• Servers & Apps > Windows Hosts: The Windows Hosts tab of the Windows Hosts page appears.
• Servers & Apps > NAS Shares: The Shares tab of the NAS Shares page appears.
3. Depending on the host type, do one of the following:
• For Linux, Unix, and Windows hosts, in the Name column, click a host name.
• For NAS hosts, in the Path column, click the path for a share.

Result
The local page for the host appears.

Overview card in the local view


In the local view, the Overview card provides general information about a protected object.

• Oldest Snapshot: Timestamp for the oldest backup associated with the filesets of the host or share.
When the SLA Domain has an active archival policy, the oldest backup resides at the archival location.
• Latest Snapshot: Timestamp for the most recent successful backup for the filesets of the host or
share.
• Total Snapshots: Total number of retained backups for the filesets of the host or share, including
both the local Rubrik cluster and any archival location.
• Missed Snapshots: Number of policy-driven backups that did not complete successfully for the filesets
of the host or share. A missed backup is included in the count until the period since the SLA Domain
policy required the backup exceeds the retention period of the SLA Domain.

Filesets card
In the local view, the Filesets card provides fileset-related information.

• Name: Name of the fileset. Click the name to open the fileset view for that fileset.
• SLA: List of the SLA Domains that are protecting the fileset. When an entry is abbreviated, hover
over the entry to see the full value in a tooltip. Click an entry to open the SLA Domain page.
• Includes: List of the values in Include for the fileset. When an entry is abbreviated, hover over the
entry to see the full value in a tooltip.
• Excludes: List of the values in Exclude for the fileset. When an entry is abbreviated, hover over the
entry to see the full value in a tooltip.
• Do Not Exclude: List of the values in Do Not Exclude for the fileset. When an entry is abbreviated,
hover over the entry to see the full value in a tooltip.

Snapshots card
The Snapshots card provides the ability to browse the backups that reside on the local Rubrik cluster and
on the archival location.
In the local view, the Snapshots card shows the backups for all filesets of the host or share. In the fileset
view, the Snapshots card shows only the backups for the selected fileset.
The Snapshots card provides access to backup information through a series of calendar views. Each view
uses color spots to indicate the presence of backups on a date and to indicate the status of SLA Domain
compliance for that date.
The Snapshots card also provides the ability to search for files across all the backups of the filesets or
fileset in the current view.
Snapshots in the calendar view are color coded by status.

• Green: All backups required by SLA Domain policy were successfully created.
• Orange: All backups required by SLA Domain policy were successfully created but at least one backup
caused a warning.
• Red: At least one backup required by SLA Domain policy was not successfully created.

The Snapshots card calendar view


The calendar view of the Snapshots card displays information at different levels of granularity.

• Year: The Year view displays backup creation information for an entire year. A color spot indicator
on a specific date indicates backup activity, and displays the SLA Domain compliance status for that
day.
• Month: The Month view displays backup creation information for an entire month. A color spot
indicator on a specific date indicates backup activity, and displays the SLA Domain compliance status
for that day.
• Day: The Day view displays the individual backups that were created on the selected day.

Activities card
The Activities card contains log messages that describe the current state of tasks on the host or NAS share
and the associated filesets.
The Activities card contains log messages about standard tasks and notifications that are considered time
sensitive.

• Status: Icon representing the state of the task. The possible task states are Canceled, Failure,
In Progress, Success, Warning, Queued, and Scheduled. The Status column also includes Pause or
Resume buttons for pausing or resuming fileset tasks while the data retrieval is in progress. These
buttons can also be used for pausing and resuming recovery tasks while writing data to the NAS shares
and hosts.
• Message: Message that provides a detailed description about the task and the task status.
• Date: Month, day, and time when the Rubrik cluster generated the message. The format is
MONTH DD, YYYY H:MM:SS{AM|PM} in the time zone of the Rubrik cluster.
• Activity Detail: Provides the status, the log message, and the timestamp of each task involved in the
selected activity and a link to download server logs. Clicking on an activity row opens the Activity
Detail dialog box.
• Filter Status: An option to filter the activity logs according to the status such as canceled, failure,
in progress, success, warning, and scheduled.

Unmanaged data
Manage file system and application data that is not subject to a retention policy through the Snapshot
Management page of the Rubrik CDM web UI.
The Rubrik cluster defines backups and snapshots that do not have a retention policy as unmanaged
snapshot objects. Unmanaged snapshot objects can be managed through the Snapshot Management page
of the Rubrik CDM web UI.
View the Snapshot Management page for information about tasks with unmanaged snapshot objects.
Related concepts
Retention management

Assign retention policies to existing scheduled snapshots, on-demand snapshots, and snapshots retrieved
from an archival location.

Data recovery from a host fileset or share fileset


Rubrik CDM supports data recovery from backups of host filesets or share filesets.
Files and folders can be selected to restore, export, or download by using either the search method or the
browse method.
File system data that is backed up through a host fileset or share fileset can be recovered by restoring,
exporting, or downloading the file or fileset.
To restore a file from a backup, the file must have a name that is supported by the naming requirements
of the host. For example, a file with a name that contains a colon character cannot be restored to a
Windows host.

Searching for a file, a folder, or a fileset


Use search to find data to restore from a backup.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click a choice based on the host type:
• Servers & Apps > Linux & Unix Hosts: The Linux & Unix Hosts tab of the Linux & Unix Hosts page
appears.
• Servers & Apps > Windows Hosts: The Windows Hosts tab of the Windows Hosts page appears.
• Servers & Apps > NAS Shares: The Shares tab of the NAS Shares page appears.
3. Depending on the host type, do one of the following:
• For Linux, Unix, and Windows hosts, in the Name column, click a host name.
• For NAS hosts, in the Path column, click the path for a share.
The local page for the host appears.
4. Optional: To limit the search to a single host fileset, on the Filesets card, click the name of a fileset.
The fileset page appears and the search is confined to the selected fileset.
5. On the Snapshots card, type the name of the file or folder in the search field.
As characters are typed, the Rubrik CDM web UI immediately begins to display matching file and
folder pathnames.
Matches are based on file or folder names that start with the characters typed. Continue to type
characters until the file or folder appears in the results.
6. Select the file or folder.
The Choose Version dialog box appears.
7. Find a file or folder version to recover.

Result
Search finds the data to restore from a backup.

Recovering files, folders, or filesets
Use the Rubrik CDM web UI to recover files, folders, or fileset backups.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click a choice based on the host type:
• Servers & Apps > Linux & Unix Hosts: The Linux & Unix Hosts tab of the Linux & Unix Hosts page
appears.
• Servers & Apps > Windows Hosts: The Windows Hosts tab of the Windows Hosts page appears.
• Servers & Apps > NAS Shares: The Shares tab of the NAS Shares page appears.
3. Depending on the host type, do one of the following:
• For Linux, Unix, and Windows hosts, in the Name column, click a host name.
• For NAS hosts, in the Path column, click the path for a share.
The local page for the host appears.
4. Optional: To limit the search to a single host fileset, on the Filesets card, click the name of a fileset.
The fileset page appears and the available backups are confined to the selected fileset.
5. Use the Snapshots card to navigate to a specific backup.
6. Open the ellipsis menu next to the backup, and click Recover Files.
The Recover Files dialog box appears. The initial view shows the fileset.
7. Optional: Click the fileset name to navigate to the files and folders in the fileset.

Result
A hierarchical display of selectable files and folders appears.

Restoring a file, a folder, or a fileset


Restore a file, a folder, or a fileset to the source host.

Context
Use search to find a file version or a folder version to restore. Or use browse to find a file, a folder, or a
fileset to restore.
To restore an entire fileset, use the browse method to find and select a specific backup of the host fileset
or share fileset.

Procedure
1. Open the ellipsis menu for the selected data, and select Restore.
The selected data can be a file, a folder, or a complete fileset.
The Restore dialog box appears.
2. Choose where to restore the data.
• Select Overwrite original to restore the folder or file to the original location, replacing the
existing source file, folder, or fileset data.
• Select Restore to separate folder to restore the file, folder, or fileset data to another folder on
the source host. This option does not replace the existing folder or file.
3. (Restore to separate folder only) In Folder Name, type the full path for a folder on the source host.

Note: Do not type the original path of the source folder or file. When Restore to separate folder
is selected, the object cannot be restored to a folder that contains an object of the same name.

The restore path must exist on the source host. The Rubrik cluster will create a specified target folder
but will not create intermediary folders on the specified path.
4. Optional: Select Continue on restore errors.
• Select this option to instruct the Rubrik cluster to continue the restore job after encountering a
restore error. A restore error occurs when a file, folder or symlink cannot be restored.
• Clear this option to instruct the Rubrik cluster to end the restore job when a restore error occurs.
Files that were successfully restored before the error occurred remain on the restore target.
5. Click Restore.

Result
The Rubrik cluster restores the selected object to the specified location. The Activity Log tracks the status
of the task. When a fileset is restored, the fileset is restored first, then the ACL.

Export path
When a backup copy of a file, folder, or fileset is exported, the Rubrik cluster writes the exported data to a
location on the target host.
The location where the data is written consists of the path on the target that is provided through the
Export Path value combined with the path of the exported object relative to the root of the backup.
The path specified in Export Path must already exist on the target. The Rubrik cluster will create the rest of
the path, starting at the specified Export Path value, if it does not already exist.
For a Linux or Unix host, or for a NAS share (NFS), the root directory can be specified by a single forward
slash character.
For a Windows host, the root directory of a drive can be specified by the drive letter, a colon, and a
backslash. For example, specify the root of the ‘D’ drive with: D:\
For a NAS share (SMB), the root directory of the share can be specified by a single backslash character.

Description
• Fileset backup of a Windows host: A fileset backup of a Windows host includes the test_example.txt
file. The full path of test_example.txt on the source Windows host is:
C:\Users\Atom\testing\test_example.txt
• Fileset backup of a Linux or Unix host: A fileset backup of a Linux or Unix host includes the
test_example file. The full path of test_example on the source host is: /usr/local/tmp/test_example
• Fileset backup of a NAS share (SMB): A fileset backup of a NAS share (SMB) includes the
test_example.txt file. The full path of test_example.txt relative to the root of the source NAS share
is: \temp\test_example.txt

Case 1
• Fileset backup of a Windows host: The value specified in Export Path is: C:\
The Rubrik cluster writes the file to the following path on the target host:
C:\Users\Atom\testing\test_example.txt
• Fileset backup of a Linux or Unix host: The value specified in Export Path is: /
The Rubrik cluster writes the file to the following path on the target host:
/usr/local/tmp/test_example
• Fileset backup of a NAS share (SMB): The value specified in Export Path is: \
The Rubrik cluster writes the file to the following path relative to the root of the target NAS share:
\temp\test_example.txt

Case 2
• Fileset backup of a Windows host: The value specified in Export Path is: G:\testing\temp
The Rubrik cluster writes the file to the following path on the target host:
G:\testing\temp\C_\Users\Atom\testing\test_example.txt
• Fileset backup of a Linux or Unix host: The value specified in Export Path is: /usr/local/tmp
The Rubrik cluster writes the file to the following path on the target host:
/usr/local/tmp/usr/local/tmp/test_example
• Fileset backup of a NAS share (SMB): The value specified in Export Path is: \testing\temp
The Rubrik cluster writes the file to the following path on the target host:
\testing\temp\temp\test_example.txt

Showing hidden files on Windows hosts


Hidden files and folders on a source Windows system are restored and exported as hidden files and
folders. To view these files and folders, change the setting in the source before backup or on the restored
files and folders.

Prerequisites
Before exporting a Windows fileset snapshot at the drive level, change the following settings on the
Windows system to show the hidden target directory. This makes it possible to view the target directory
on the drive to which the Windows fileset snapshot is exported.

Procedure
1. Navigate to the Windows Control Panel > File Explorer Options > View.
2. Clear the Hide protected operating system files (Recommended) option.
3. When prompted, click Yes to confirm.
4. Click OK.

Result
View the target directory drive where the Windows fileset snapshot is exported.

Exporting a file, a folder, or a fileset


Export a file, folder, or fileset backup to another host.

Prerequisites
Use search to find a file version or a folder version to export. Or use browse to find a file, a folder, or a
fileset to export.

Note: To export an entire fileset, use the browse method to find and select a specific backup of the host
fileset or share fileset.

Procedure
1. Open the ellipsis menu for the selected data, and select Export.
The selected data can be a file, a folder, or a complete fileset.
The Export dialog box appears and lists the available export targets.
2. In the Name section, select a host or share.
3. In Export Path, type the full path for a folder on the selected host or share.
The folder must already exist. The Rubrik cluster writes the exported data into the specified folder.

In the path description, use the directory delimiter for the type of operating system. For Linux, Unix,
and NAS (NFS), use a forward slash: /. For Windows and NAS (SMB), use a backslash: \.
4. Click Export.

Result
The Rubrik cluster writes the selected data to the export target at the location indicated by the export
path. The Activity Log tracks the status of the task.

Downloading files or a folder from a fileset snapshot


Search or browse for a set of files, a folder, or a fileset and download the selected items.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Search or browse for a set of files, a folder, or a fileset.
3. Select the files, folder, or fileset.
The local page for the fileset appears.
4. Click a date with a snapshot from the calendar. Dates with snapshots are marked with a dot.
The Snapshots card displays the list of snapshots for the selected date.
5. Click the ellipsis next to the snapshot to restore and select Recover Files.
The Recover Files dialog box appears at the first task: Select files.
6. Click the name of the fileset.
The root directory of the fileset appears.
7. Navigate the fileset directory tree to the files to download.
8. Select the files to download.
The selected items appear in the right-hand pane of the Recover Files dialog box.
9. Click Next.
The Recover Files dialog box advances to the next task: Recover Files.
10. Select Download as the recovery type.
11. Click Finish.
The local page for the fileset appears. A message in the Activity Log pane at the bottom appears when
the download link is ready.
12. Click the download link message in the Activity Log pane.
The Activity Detail dialog box appears.
13. Click the download icon.
The Save As dialog box appears in the web browser.
14. Select a download location for the file, and click Save.
The web browser retrieves the file from the Rubrik cluster and saves it to the selected location.
15. (Folder or multiple files only) Extract the folder using a ZIP utility.

Result
The files are available in the selected location.

Full Volume Protection for Windows


A Rubrik cluster can protect a group of drives on a physical Windows server.
In addition to the data protection provided by fileset backup, Full Volume Protection protects the following
information:

• File system type
• Volume size

Note: Indexing is only supported for NTFS volumes.

Full Volume Protection does not preserve the following attributes:


• The Master Boot Record (MBR)
• The GUID Partition Table (GPT)
• The host IP address
Full Volume Protection does not support:
• Dual- or multi-boot systems
• Multiple operating systems on a single computer
• Multiple instances or multiple versions of an operating system on a single computer
• Dynamic simple volumes, which are volumes on a dynamic disk comprising multiple discontiguous disk
extents.
• Volumes over 64 TB in size.

Note: Refer to the Rubrik CDM Compatibility Matrix for a list of the operating systems that the Volume
Protection feature supports.

Protecting Windows volumes


Protecting Windows volumes uses the Rubrik Backup Service on a Windows host to create a Virtual Hard
Drive (VHD) file.

Prerequisites
• Communication between the Rubrik Backup Service and the Rubrik cluster uses the SMB protocol. Port
445 must be open to permit inbound SMB connections to the Rubrik cluster.
• Windows 2016 and 2019 hosts must be joined to a domain.
• Windows 2012 hosts must be joined to a domain, or the local administrator account can be used for
RBS.
• Add the Windows host to the Rubrik cluster.

Note: Volumes can only be restored to an identical or newer OS. For example, Windows Server 2016
volumes cannot be restored to a Windows Server 2012 host.
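
The following pre-flight check is an added example, not Rubrik tooling: it tests the SMB port, domain membership, and volume limits stated above from the Windows host itself. The function name, the ClusterAddress parameter, and the sample address are hypothetical; it does not detect multi-boot systems or dynamic simple volumes.

```powershell
# Added example (not Rubrik code). Run on the Windows host before protecting volumes.
function Test-VolumeProtectionReadiness {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: address of a node in the Rubrik cluster.
        [Parameter(Mandatory)] [string] $ClusterAddress,
        [int] $TimeoutMs = 3000
    )

    $results = @()

    # Prerequisite: port 445 must accept SMB connections on the Rubrik cluster.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending   = $client.BeginConnect($ClusterAddress, 445, $null, $null)
        $reachable = $pending.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
    } catch {
        $reachable = $false
    } finally {
        $client.Close()
    }
    $status = 'FAIL'; $detail = 'TCP 445 is not reachable; check firewalls between host and cluster'
    if ($reachable) { $status = 'OK'; $detail = 'TCP 445 is reachable' }
    $results += [pscustomobject]@{ Check = 'SMB port'; Target = $ClusterAddress; Status = $status; Detail = $detail }

    # Prerequisite: Windows 2016 and 2019 hosts must be domain joined;
    # Windows 2012 hosts may use the local administrator account for RBS instead.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($cs.PartOfDomain) {
        $status = 'OK';   $detail = "Joined to domain $($cs.Domain)"
    } elseif ($os.Caption -match '2016|2019') {
        $status = 'FAIL'; $detail = 'Windows 2016 and 2019 hosts must be joined to a domain'
    } elseif ($os.Caption -match '2012') {
        $status = 'WARN'; $detail = 'Not domain joined; use the local administrator account for RBS'
    } else {
        $status = 'WARN'; $detail = 'Not domain joined; check the Rubrik CDM Compatibility Matrix'
    }
    $results += [pscustomobject]@{ Check = 'Domain membership'; Target = $os.Caption; Status = $status; Detail = $detail }

    # Limits: volumes over 64 TB are not supported; indexing is NTFS only.
    $volumes = Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter }
    foreach ($vol in $volumes) {
        if ($vol.Size -gt 64TB) {
            $status = 'FAIL'; $detail = 'Volume exceeds the 64 TB limit'
        } elseif ($vol.FileSystem -ne 'NTFS') {
            $status = 'WARN'; $detail = "File system is $($vol.FileSystem); indexing is only supported for NTFS"
        } else {
            $status = 'OK';   $detail = 'Within size limit, NTFS'
        }
        $results += [pscustomobject]@{ Check = 'Volume'; Target = "$($vol.DriveLetter):"; Status = $status; Detail = $detail }
    }

    return $results
}

# Usage (constructed sample address):
# Test-VolumeProtectionReadiness -ClusterAddress 'rubrik-cluster.example.internal' | Format-Table -AutoSize
```
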

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > Windows Hosts.
The Windows Hosts tab of the Windows Hosts page appears, listing the Windows hosts on the Rubrik
cluster.
3. Select the selection box next to a host.
4. Click Manage Protection.
The Manage Protection dialog box appears with the first step of the task indicated in the task flow at
the top of the dialog box: Volumes & Filesets.
5. Click Volumes.
6. Select the volumes to protect and click Next.
Volumes cannot exceed 64 TB in size. The selected volumes are collectively referred to as a volume
group. To search for a specific volume, enter a string in the Search by Name field.

The task flow at the top of the Manage Protection dialog box updates to the next step: SLA. The
dialog box displays a list of available SLA Domains.
7. Optional: To create a new SLA Domain, click the + icon.
8. Select an SLA Domain for the volume group from the list.
The SLA Domain applies to each volume in the volume group. To search for a specific SLA, enter a
string in the Search SLA Domains field.
9. Click Finish.

Result
The selected volume group is protected as a VHD.
Related concepts
Custom SLA Domains
Related tasks
Adding a host
To begin managing and protecting a Linux, Unix, or Windows host, add the host to the Rubrik cluster.

Installing the Rubrik Volume Filter Driver on a Windows host


The Rubrik Volume Filter Driver (VFD) is a utility that tracks changes in the individual blocks of a volume.
Installing the VFD can improve the performance of incremental backups of protected volumes.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > Windows Hosts.
The Windows Hosts tab of the Windows Hosts page appears.
3. In the Name column, select a host name.
4. Click the ellipsis menu and select Install VFD.
The Rubrik cluster installs the VFD to the Windows host.
5. Reboot the Windows host.

Result
The VFD runs in the background to monitor changes in the protected volume.

Taking an on-demand backup of a volume group


An on-demand snapshot of a volume group is a backup taken outside of the specifications in the SLA that
protects the volume group.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > Windows Hosts.
The Windows Hosts tab of the Windows Hosts page appears.
3. In the Name column, click a host name.
The Overview, Snapshots, and Status cards appear for that host.
4. Click Take On Demand Snapshot.
The Take On Demand Snapshot dialog box appears with the first step of the task indicated in the task
flow at the top of the dialog box: Volumes or Files.
5. Click Volumes.
6. Select the volumes to protect and click Next.

Volumes cannot exceed 64 TB in size. The selected volumes are collectively referred to as a volume
group. To search for a specific volume, enter a string in the Search by Name field.
The Take On Demand Snapshot wizard advances to the SLA step.
7. Optional: To create a new SLA, click the + icon.
8. Select an SLA for the volume group from the list.
The SLA applies to each volume in the volume group. To search for a specific SLA, enter a string in the
Search SLA domains field.
9. Click Finish.

Result
The selected volume group is protected as a VHD. The Rubrik cluster adds the specified on-demand
backup to the task queue. The Activity Log tracks the status of the on-demand backup task. The Rubrik
cluster manages the snapshot based on the rules and policies of the selected SLA Domain.
An error message in the Activity Log will indicate files that have been modified between metadata scan and
the backup task, but the files will still be backed up.
Related concepts
Custom SLA Domains
Modified files
Files that have been modified between metadata scan and the backup task will still be backed up, but with
an error message indicating the discrepancy in size.

Restoring a Windows volume


Create a Live Mount of a volume group for direct access to the volumes in the group. A Live Mount can
also restore the volume group directly to a host.
Restore operations for a protected volume group can target physical hardware or a virtual machine.

Creating a Live Mount of a volume group on a Windows host with RBS


When a Windows host has the Rubrik Backup Service (RBS) installed, a Live Mount of the protected
volume group enables access to the volumes.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > Windows Hosts.
The Windows Hosts tab of the Windows Hosts page appears.
3. In the Name column, click a host name.
The Overview, Snapshots, and Status cards appear for that host.
4. In the Snapshots calendar, select a date with a snapshot.
The list of snapshots for that date appears.
5. Click the ellipsis next to the volume group to restore.
6. Click Mount.
The Mount Snapshot dialog box appears.
7. Select the volumes in the volume group to restore and click Next.
A list of Windows hosts appears.
8. Select the host for the Live Mount.
9. Click Finish.

Result
The Rubrik cluster mounts the selected volumes to the Windows host.

Downloading the Windows recovery tools


Rubrik provides a set of recovery tools that enable restore operations for volume groups that target hosts
without an existing Windows or RBS installation.

Procedure
1. Open the Rubrik Support Portal in a browser by navigating to support.rubrik.com.
2. Log in to the support portal.
3. Click DOCS & DOWNLOADS.
The Documentation and Downloads page appears.
4. Click the Misc Documentation and Software (Kroll, Compatibility Matrix, etc.) link for the
WinPE Recovery Tool.
5. Under the Software section, click Download next to WinPE Recovery Tool.
The EULA acceptance window appears.
6. Select the box next to Accept and Download.
7. Click Accept and Download.
A window containing the file link appears.
8. Click the file link.

Result
The browser downloads the ZIP file containing the recovery tools.

Restoring a volume group on a Windows host without RBS


A host with a supported Windows OS installed restores a volume group through the OS functionality.

Prerequisites
Download the Windows recovery tools.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > Windows Hosts.
The Windows Hosts tab of the Windows Hosts page appears.
3. In the Name column, click a host name.
The Overview, Snapshots, and Status cards appear for that host.
4. In the Snapshots calendar, select a date with a snapshot.
The list of snapshots for that date appears.
5. Click the ellipsis next to the volume group to restore.
6. Click Mount.
The Mount Snapshot dialog box appears.
7. Select the volumes in the volume group to restore and click Next.
A list of Windows hosts appears.
8. Select No Host to create an SMB share without a Live Mount, then click Next.
A prompt that requests IP addresses appears.
9. (SMB security disabled) Type the IP addresses of the hosts that require access to the SMB share.
10. (SMB security enabled) In the corresponding fields, type the domain name, a comma-separated list
of user names, a comma-separated list of Active Directory groups, and a comma-separated list of the
IP addresses of the clients mapped to the specified Active Directory groups that require access to the
SMB share.
The domain name must be configured for secure SMB access.
11. Click Finish.
The Rubrik cluster mounts the selected volumes.
12. On the left-side menu, click Live Mounts > Windows Volumes.
A list of Live Mounts appears.
13. Hover the cursor on the mounted volume group.
An information box appears, displaying the original mount point, the SMB share path, and the volume
size.
14. Click the SMB share path to copy the path to the clipboard.
15. Launch the Windows Disk Management utility on the recovery target host.
16. Use the Windows Disk Management utility to create disk partitions on the host for each volume in the
volume group.
The partitions must match the sizes of the volumes in the volume group.
17. Select Action > Attach VHD.
A dialog box prompting for the location of the VHD appears.
18. Type the path of the SMB share of the snapshot being restored.
19. Use the VolumeDataCopy.exe utility to copy data from the attached VHD to the partitions.

Result
The volume group is restored to the Windows host.
Related tasks
Downloading the Windows recovery tools
Rubrik provides a set of recovery tools that enable restore operations for volume groups that target hosts
without an existing Windows or RBS installation.
Configuring SMB Security
Configure security for a Server Message Block share to enforce user authentication through Active
Directory.

Restoring a legacy snapshot of a basic boot volume group to a host without Windows

To restore to a host without a Windows OS installation, use the recovery tools to create a bootable
Windows Preinstallation Environment (WinPE) image.

Prerequisites
Download the Windows recovery tools. Verify that the snapshot of the volume group being restored
was generated by a cluster running release 5.0.0 or earlier of the Rubrik CDM. To restore a snapshot
of a volume group generated by a cluster running a release of Rubrik CDM later than 5.0.0, follow the
procedure described in Restoring a basic boot volume group to a host without Windows.

Context
Only volume groups with a volume that contains a supported Windows OS installation can be restored to
a host without a Windows OS installed. The license for the OS being restored must be available during this
process.
Creating the WinPE image requires a computer with a licensed installation of the Windows Server operating
system that is 2012 R2 or later. The computer must have the Windows Assessment and Deployment Kit
(ADK) installed. Download the Windows ADK from:
https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install

The WinPE image can be used to restore volume groups from any supported operating system version.
Determine the SMB path of the mounted snapshot of the volume group to restore.

Procedure
1. Copy the BMR and WinPEImageCreation folders from the recovery tools ZIP file to the C:\ drive of
the Windows Server computer.
2. Change to the WinPEImageCreation folder.
3. Run the create command.
.\CreateWinPEImage.ps1 -version version -isopath C:\WinPEISO -utilitiespath C:\BMR
Replace version with the version of the Windows ADK. The version of the ADK installed on a system is
the name of the folder in C:\Program Files (x86)\Windows Kits\.
The command creates the WinPE image in the C:\WinPEISO directory.
4. Copy the WinPE image from C:\WinPEISO to boot media.
5. Load the boot media on the target host.
6. Power on the target host.
The host boots from the WinPE image and a command prompt appears.
7. Run the net use command.
net use Z: SMB /user:username password
• Replace SMB with the SMB share path to the volume group.
• Replace username with the username for the volume group.
• Replace password with the password for the volume group.
On clusters with SMB security disabled, enter the IP addresses of the hosts that require access to the
Samba share.
On clusters with SMB security enabled, enter the domain name, user name, and IP addresses of the
hosts that require access to the Samba share. The domain name must be configured for secure SMB
access.
8. Run powershell.
A PowerShell environment initiates.
To restore a volume with no data volumes on dynamic disks, go to step 22.
9. Run diskpart.
The disk partition command environment loads.
10. Run list disk.
A list of the disks on the host appears.
11. Run select disk N.
Use the listed number of the disk that will host the volume as the value of N.
12. Run clean to clean the selected disk.
13. Run convert mbr.
14. Run convert dynamic to enable dynamic volumes.
15. Run create volume simple size=N.
Use the size of the volume in megabytes as the value of the N variable.
The system creates a volume with the specified size.
16. Run retain.
17. Run format fs=filesystem quick.
Where filesystem is the file system format for the volume.
The system formats the volume with the specified file system format.

18. Run assign letter=C to assign a drive letter to the volume.
19. Repeat the volume creation steps for each dynamic data volume in the snapshot being restored.
Assign a new drive letter to each volume.
20. Type exit.
The disk partition environment stops and the PowerShell environment returns.
21. Run the command to determine the GUID of the volume.
Get-Volume -DriveLetter C | Select Path
Repeat this step for each dynamic data volume in the snapshot being restored.
22. Change to the X:\utilities directory.
23. Run the following command.
.\RubrikBMR.ps1 -Operation bmr
The prompt Enter total number of data volumes on dynamic disks (0 to skip)
appears.
24. Choose an option.
• Type the number of dynamic data volumes at the prompt.
• Type 0 for volume groups without any dynamic data volumes and skip to step 29.
25. Type the SMB path to a dynamic data volume VHD file.
26. Type the user credentials.
27. Type the drive letter to assign.
28. Type the dynamic data volume GUID.
Type the SMB path, user credentials, drive letter, and GUID for each dynamic data volume in the
snapshot being restored.
The prompt Does the system have a dynamic boot volume? (Y/N) appears.
29. Type N.
30. Type the SMB path of the boot volume VHD file.
31. Type the user credentials.
32. Type the drive letter to assign.
The prompt Did the source host have a system reserved partition? (Y/N) appears.
33. Choose an answer for the prompt.
• Y for source hosts with a system reserved partition.
• N for source hosts without a system reserved partition.
For volume groups with no data volumes on basic disks, enter 0 and go to step 37.
The prompt Enter total number of data volumes to add (0 to skip) appears.
34. Type the number of data volumes on basic disks.
35. Type the SMB path to a basic data volume VHD file.
36. Type the drive letter to assign.
Type an SMB path and drive letter for each basic data volume to restore.
The restore script connects to the SMB shares and copies the data from the volume group snapshot to
the specified volumes on the host, then displays a reboot prompt.
37. Type Y.
The host reboots.

Result
The host boots with the restored operating system and volumes.
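
The diskpart commands in steps 11 to 19 of the procedure above erase the selected disk, so it helps to build them as a script that can be reviewed before it runs. This is an added example, not part of the Rubrik recovery tools; the function name, parameter names, output file name, and the sample sizes and drive letters are hypothetical.

```powershell
# Added example (not Rubrik code). Builds a diskpart script for the dynamic data
# volumes of the legacy restore procedure and validates every value before it is
# written into the script.
function New-DynamicVolumeDiskpartScript {
    [CmdletBinding()]
    param(
        # Disk number as shown by "list disk".
        [Parameter(Mandatory)] [ValidateRange(0, 63)] [int] $DiskNumber,
        # One hashtable per volume: @{ SizeMB = 102400; FileSystem = 'ntfs'; Letter = 'C' }
        [Parameter(Mandatory)] [hashtable[]] $Volumes
    )

    $maxSizeMB = 64TB / 1MB      # volumes cannot exceed 64 TB
    $inUse     = 'X', 'Z'        # X: holds the WinPE utilities, Z: is mapped by net use in step 7
    $seen      = @{}

    # Steps 11 to 14: select and wipe the disk, then enable dynamic volumes.
    $lines = @("select disk $DiskNumber", 'clean', 'convert mbr', 'convert dynamic')

    foreach ($v in $Volumes) {
        $letter = ([string]$v.Letter).ToUpper()
        $fs     = [string]$v.FileSystem
        $sizeMB = [long]$v.SizeMB

        if ($letter -notmatch '^[A-Z]$')   { throw "Invalid drive letter '$($v.Letter)'." }
        if ($inUse -contains $letter)      { throw "Drive letter $letter is already in use in the WinPE session." }
        if ($seen.ContainsKey($letter))    { throw "Drive letter $letter is assigned to more than one volume." }
        if ($fs -notmatch '^[A-Za-z0-9]+$') { throw "Invalid file system name '$fs'." }
        if ($sizeMB -le 0 -or $sizeMB -gt $maxSizeMB) {
            throw "Volume size $sizeMB MB is outside the range 1 MB to 64 TB."
        }
        $seen[$letter] = $true

        # Steps 15 to 18, repeated for each volume as step 19 requires.
        $lines += "create volume simple size=$sizeMB"
        $lines += 'retain'
        $lines += "format fs=$fs quick"
        $lines += "assign letter=$letter"
    }

    $lines += 'exit'
    return $lines
}

# Constructed sample values: two dynamic data volumes on disk 0.
$script = New-DynamicVolumeDiskpartScript -DiskNumber 0 -Volumes @(
    @{ SizeMB = 102400; FileSystem = 'ntfs'; Letter = 'C' },
    @{ SizeMB = 204800; FileSystem = 'ntfs'; Letter = 'D' }
)
$script | Set-Content -Path .\restore-disk.txt -Encoding ASCII
# Review restore-disk.txt, confirm the disk number with "list disk", then run:
#   diskpart /s .\restore-disk.txt
```

The script is only written to disk; nothing is erased until diskpart is run against it.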
Related tasks
Downloading the Windows recovery tools

Rubrik provides a set of recovery tools that enable restore operations for volume groups that target hosts
without an existing Windows or RBS installation.
Configuring SMB Security
Configure security for a Server Message Block share to enforce user authentication through Active
Directory.
Restoring a volume group on a Windows host without RBS
A host with a supported Windows OS installed restores a volume group through the OS functionality.

Restoring a basic boot volume group to a host without Windows


To restore to a host without a Windows OS installation, use the recovery tools to create a bootable
Windows Preinstallation Environment (WinPE) image.

Prerequisites
Download the Windows recovery tools. Verify that the snapshot of the volume group being restored was
generated by a cluster running release 5.0.1 or later of the Rubrik CDM. To restore a snapshot of a volume
group generated by a cluster running a release of Rubrik CDM earlier than 5.0.1, follow the procedure
described in Restoring a legacy snapshot of a basic boot volume group to a host without Windows.

Context
Only volume groups with a volume that contains a supported Windows OS installation can be restored to
a host without a Windows OS installed. The license for the OS being restored must be available during this
process.
Creating the WinPE image requires a computer with a licensed installation of the Windows Server operating
system that is 2012 R2 or later. The computer must have the Windows Assessment and Deployment Kit
(ADK) installed. Download the Windows ADK from:
https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install.
Use the WinPE image to restore volume groups from any supported operating system version. Determine
the SMB path of the mounted snapshot of the volume group to restore.

Procedure
1. Copy the BMR and WinPEImageCreation folders from the recovery tools ZIP file to the C:\ drive of
the Windows Server computer.
2. Change to the C:\WinPEImageCreation folder.
3. Run the create command.
.\CreateWinPEImage.ps1 -version version -isopath C:\WinPEISO -utilitiespath C:\BMR
Use the version of the Windows ADK for the value of the version parameter. The version of the ADK
installed on a system is the name of the folder in C:\Program Files (x86)\Windows Kits\.
The WinPE image is created in the C:\WinPEISO directory.
4. Copy the WinPE image from C:\WinPEISO to boot media.
5. Load the boot media on the target host.
6. Power on the target host.
The host boots from the WinPE image and a command prompt appears.
7. Run the net use command.
net use Z: SMB /user:username password
• Replace SMB with the SMB share path to the volume group.
• Replace username with the username for the volume group.
• Replace password with the password for the volume group.

On clusters with SMB security disabled, type the IP addresses of the hosts that require access to the
Samba share.
On clusters with SMB security enabled, enter the domain name, user name, and IP addresses of the
hosts that require access to the Samba share. The domain name must be configured for secure SMB
access.
8. Run powershell.
A PowerShell environment initiates.
9. Type the path to the restore script that was copied to the clipboard in step 14 of Restoring a volume
group on a Windows host without RBS.
The restore script runs and displays a security warning.
10. Type R.
The restore script connects to the SMB shares and copies the data from the volume group snapshot to
the specified volumes on the host, then displays a reboot prompt.
11. Type Y.
The host reboots.

Result
The host is ready to boot with the restored operating system and volumes.
Related tasks
Downloading the Windows recovery tools
Rubrik provides a set of recovery tools that enable restore operations for volume groups that target hosts
without an existing Windows or RBS installation.
Configuring SMB Security
Configure security for a Server Message Block share to enforce user authentication through Active
Directory.
Restoring a volume group on a Windows host without RBS
A host with a supported Windows OS installed restores a volume group through the OS functionality.

Restoring a volume group using Rubrik CDM v4.2 MBR dynamic volumes

Restoring volume groups to a host that uses dynamic volumes with a MBR partition created in Rubrik CDM
4.2 requires additional steps to manually configure the volumes.

Context
Only volume groups with a volume that contains a supported Windows OS installation can be restored to
a host without a Windows OS installed. The license for the OS being restored must be available during this
process.
Creating the WinPE image requires a computer with a licensed installation of the Windows Server operating
system that is 2012 R2 or newer. The computer must have the Windows Assessment and Deployment Kit
(ADK) installed. Download the Windows ADK from:
https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install
Use the downloaded tools to create a bootable Windows Preinstallation Environment (WinPE) image.
The WinPE image can be used to restore volume groups from any supported operating system version.
Determine the SMB path of the mounted snapshot of the volume group to restore.

Procedure
1. Copy the BMR and WinPEImageCreation folders from the recovery tools ZIP file to the C:\ drive of
the Windows Server computer.
2. Change to the C:\WinPEImageCreation folder.

3. Run the following command to create the image:
.\CreateWinPEImage.ps1 -version 10 -isopath C:\WinPEISO -utilitiespath C:\BMR
The value of the -version parameter is the version of the Windows ADK. The version of the ADK
installed on a system is the name of the folder in C:\Program Files (x86)\Windows Kits\.
The WinPE image is created in the C:\WinPEISO directory.
4. Copy the WinPE image from C:\WinPEISO to boot media.
5. Load the boot media on the target host.
6. Power on the target host.
The host boots from the WinPE image and a command prompt appears.
7. Run powershell.
A PowerShell environment initiates.
8. Run diskpart.
The disk partition command environment loads.
9. Use list disk to list the disks on the host.
10. Run select disk N.
Use the listed number of the disk that will host the volume as the value of N.
11. Run clean to clean the selected disk.
12. Run convert mbr.
13. Run convert dynamic to enable dynamic volumes.
For source hosts that do not use a System Reserved partition, go to step 18.
14. Run create volume simple size=N.
Use the size of the volume in megabytes as the value of the N variable.
The system creates a System Reserved partition with the specified size.
15. Use retain.
16. Run format fs=ntfs quick label="System Reserved"
The system formats the System Reserved partition.
17. Run assign letter=Z.
The system assigns the drive letter to the System Reserved partition.
18. Run list partition.
A list of the partitions present on the system appears.
19. Run select partition N.
Use the partition number identified in step 18 as the value for the N variable.
20. Run active.
21. Run create volume simple size=N.
Use the volume size in megabytes as the value of the N variable.
The system creates a volume with the specified size.
22. Use the retain command to retain the volume.
23. Run format fs=N quick.
Use the file system format of the volume as the value of the N variable.
The system formats the volume using the specified file system format.
24. Run assign letter=C.
Create, retain, format, and assign letters to a new volume for each dynamic data volume in the
snapshot being restored. Assign a different drive letter to each volume.
The system assigns the specified drive letters to each volume.
25. Type exit.

The disk partition environment stops and the PowerShell environment returns.
26. Run the following command to determine the GUID of the volume:
Get-Volume -DriveLetter C | Select Path
27. Change to the X:\utilities directory.
28. Run the following command:
.\RubrikBMR.ps1 -Operation bmr
The prompt Enter total number of data volumes on dynamic disks (0 to skip)
appears.
29. Choose an option.
• Type the number of dynamic data volumes at the prompt.
• Type 0 for volume groups without any dynamic data volumes and skip to step 34.
30. Type the SMB path of a dynamic data volume VHD file.
31. Type the user credentials.
32. Type the drive letter to assign.
33. Type the dynamic data volume GUID.
Type an SMB path, user credentials, drive letter, and dynamic data volume GUID for each dynamic
data volume. Assign a different drive letter to each volume.
The prompt Does the system have a dynamic boot volume? (Y/N) appears.
34. Type Y.
35. Type the SMB path of a dynamic data volume VHD file.
36. Type the drive letter to assign.
37. Type the boot volume GUID obtained in a previous step.
The prompt Enter total number of data volumes (0 to skip) appears.
38. Choose an option.
• Type the number of basic data volumes at the prompt.
• Type 0 for volume groups without any basic data volumes and go to step 41.
39. Type the SMB path to a basic data volume VHD file.
40. Type the drive letter to assign.
Type an SMB path and drive letter for each basic data volume.
The restore script connects to the SMB shares and copies the data from the volume group snapshot to
the specified volumes on the host, then displays a reboot prompt.
41. Type N.
42. Choose an option.
• On systems without a System Reserved partition, run the following command.
bcdboot C:\Windows /s C:
This command configures boot data.
• On systems with a System Reserved partition, run the following command.
bcdboot C:\Windows /s Z:
This command configures the EFI System partition.

Result
The host is ready to boot with the restored operating system and volumes.
Related tasks
Downloading the Windows recovery tools

Rubrik provides a set of recovery tools that enable restore operations for volume groups that target hosts
without an existing Windows or RBS installation.
Configuring SMB Security
Configure security for a Server Message Block share to enforce user authentication through Active
Directory.
Restoring a volume group on a Windows host without RBS
A host with a supported Windows OS installed restores a volume group through the OS functionality.

Restoring a volume group without Windows using MBR dynamic volumes


To restore to a host that uses Master Boot Record (MBR) partitions and dynamic data volumes, and that
does not have a Windows OS installation, use the recovery tools to create a bootable Windows
Preinstallation Environment (WinPE) image.

Prerequisites
Determine the SMB path of the mounted snapshot of the volume group to restore.

Context
Only volume groups with a volume that contains a supported Windows OS installation can be restored to
a host without a Windows OS installed. The license for the OS being restored must be available during this
process.
Creating the WinPE image requires a computer with a licensed installation of the Windows Server operating
system that is 2012 R2 or newer. The computer must have the Windows Assessment and Deployment Kit
(ADK) installed. Download the Windows ADK from:
https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install
The recovery tools can be downloaded
The WinPE image can be used to restore volume groups from any
supported operating system version. Determine the SMB path of the mounted snapshot of the volume
group to restore.

Procedure
1. Copy the BMR and WinPEImageCreation folders from the recovery tools ZIP file to the C:\ drive of
the Windows Server computer.
2. Change to the C:\WinPEImageCreation folder.
3. Run the following command to create the image.
.\CreateWinPEImage.ps1 -version version -isopath C:\WinPEISO -utilitiespath C:\BMR
The value of the version parameter is the version of the Windows ADK. The version of the ADK
installed on a system is the name of the folder in C:\Program Files (x86)\Windows Kits\.
The WinPE image is created in the C:\WinPEISO directory.
4. Copy the WinPE image from C:\WinPEISO to boot media.
5. Load the boot media on the target host.
6. Power on the target host.
The host boots from the WinPE image and a command prompt appears.
7. Run the following command.
net use Z: SMB /user:username password
• Replace SMB with the SMB share path to the volume group.
• Replace username with the username for the volume group.
• Replace password with the password for the volume group.

On clusters with SMB security disabled, enter the IP addresses of the hosts that require access to the
Samba share.
On clusters with SMB security enabled, enter the domain name, user name, and IP addresses of the
hosts that require access to the Samba share. The domain name must be configured for secure SMB
access.
8. Run powershell.
A PowerShell environment initiates.
9. Type the SMB path of the mounted snapshot of the volume group to restore.
The restore script runs and displays a security warning.
10. Type R.
11. Press Enter.
The restore script connects to the SMB shares and copies data from the volume group snapshot to the
specified volumes on the host, then displays a reboot prompt.
12. Type N.
13. Run diskpart.
The disk partition command environment loads.
14. Run list volume to list the available volumes on the host.
15. Run select volume N.
Use the listed number of the volume that contains the OS as the value of N.
16. Run retain to retain the OS volume.
17. Run list disk to list the disks on the host.
18. Choose an option.
• For source hosts without a System Reserved partition, go to step 24.
• For source hosts with a System Reserved partition, run select disk N.
Use the listed number of the disk that will host the volume as the value of N.
19. Run create volume simple size=N.
Replace N with the size of the System Reserved partition in megabytes.
20. Type retain.
21. Type format fs=ntfs quick label="System Reserved".
22. Type assign letter=Z.
23. Repeat step 18.
24. Type list partition.
25. Type select partition N.
• On systems with a System Reserved partition, N is the partition number of the System Reserved
partition.
• On systems without a System Reserved partition, N is the partition number of the boot volume that
contains the operating system.
26. Type active.
27. Type exit.
The disk partition environment stops and the PowerShell environment returns.
28. Run the command that matches the source host being restored.
• When the source host does not have a System Reserved partition, run the following command.
bcdboot C:\Windows /s C:
• When the source host has a System Reserved partition, run the following command.
bcdboot C:\Windows /s Z:

The system configures boot data for the dynamic boot disks.

Result
The host is ready to boot with the restored operating system and volumes.
Related tasks
Downloading the Windows recovery tools
Rubrik provides a set of recovery tools that enable restore operations for volume groups that target hosts
without an existing Windows or RBS installation.
Configuring SMB Security
Configure security for a Server Message Block share to enforce user authentication through Active
Directory.
Restoring a volume group on a Windows host without RBS
A host with a supported Windows OS installed restores a volume group through the OS functionality.

Restoring a volume group using GPT dynamic volumes


Restoring volume groups to a host that uses dynamic volumes with GPT partitions created in Rubrik CDM
4.2 requires additional steps to manually configure the volumes.

Context
Only volume groups with a volume that contains a supported Windows OS installation can be restored to
a host without a Windows OS installed. The license for the OS being restored must be available during this
process.
Creating the WinPE image requires a computer with a licensed installation of the Windows Server operating
system that is 2012 R2 or newer. The computer must have the Windows Assessment and Deployment Kit
(ADK) installed. Download the Windows ADK from:
https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install
Use the downloaded tools to create a bootable Windows Preinstallation Environment (WinPE)
image.
The WinPE image can be used to restore volume groups from any supported operating system version.
Determine the SMB path of the mounted snapshot of the volume group to restore.

Procedure
1. Copy the BMR and WinPEImageCreation folders from the recovery tools ZIP file to the C:\ drive of
the Windows Server computer.
2. Change to the C:\WinPEImageCreation folder.
3. Create the WinPE image by typing the following command.
.\CreateWinPEImage.ps1 -version version -isopath C:\WinPEISO -utilitiespath C:\BMR
The version parameter is the version of the Windows ADK. The version of the ADK installed on a
system is the name of the folder in C:\Program Files (x86)\Windows Kits\.
The WinPE image is created in the C:\WinPEISO directory.
4. Copy the WinPE image from C:\WinPEISO to boot media.
5. Load the boot media on the target host.
6. Power on the target host.
The host boots from the WinPE image and a command prompt appears.
7. Type powershell at the prompt.
A PowerShell environment initiates.
8. Type diskpart at the PowerShell prompt.
The disk partition command environment loads.
9. Type list disk.
A list of disks on the host appears.
10. Type select disk N.
N is the number of the boot disk in the list.
11. Type clean to clean the selected disk.
12. Type convert gpt.
13. Choose an option.
• For source hosts with an EFI partition, type create partition EFI size=N, where N is the
size of the partition in megabytes, to create the EFI partition.
• For source hosts with a Microsoft Reserved partition, type create partition MSR size=N,
where N is the size of the partition in megabytes, to create the Microsoft Reserved partition, then
go to step 17.
• For source hosts without a Microsoft Reserved partition or an EFI partition, go to step 16.
14. (EFI partition) Type format fs=FAT32 quick label="System"
The system formats the EFI system partition.
15. (EFI partition) Type assign letter=Z to assign a drive letter to the EFI system partition.
16. Type create partition primary size=N.
Replace N with the size of the partition in megabytes.
The system creates the boot volume that corresponds to the operating system drive.
17. Run format fs=N quick.
Replace N with the file system of the volume.
The system formats the boot volume.
18. Type assign letter=C.
The system assigns the drive letter C to the boot volume.
19. Type exit.
The disk partitioning environment shuts down and the system returns to the PowerShell environment.
20. Run the following command to determine the GUID of the volume:
Get-Volume -DriveLetter C | Select Path
21. Change to the X:\utilities directory.
22. Run the command:
.\RubrikBMR.ps1 -Operation bmr
The prompt Does the system have a dynamic boot volume? (Y/N) appears.
23. Type Y.
24. Type the SMB path of the boot volume VHD file.
25. Type the drive letter to assign.
26. Type the boot volume GUID from step 20.
The prompt Enter total number of data volumes to add (0 to skip) appears.
27. Type 0.
The restore script executes. A reboot prompt appears after the restore completes.
28. Type N.
29. Type diskpart.
The disk partition command environment loads.
30. Type select disk N.
Replace N with the disk number used in step 10.
31. Type convert dynamic.
The system enables dynamic volumes.
32. Run the list volumes command.
The system lists the volumes on the host.
Note the volume number of the boot volume.
33. Type select volume N.
Replace N with the volume number from step 32.
34. Type retain.
35. Type exit.
The disk partitioning environment exits and the system returns to the PowerShell environment.
36. Choose an option.
• On systems with EFI system partitions, type bcdboot C:\Windows /s Z: /f UEFI.
• On systems without EFI system partitions, type bcdboot C:\windows /s C: /f UEFI.

Result
The host is ready to boot with the restored operating system and volumes.
Related tasks
Downloading the Windows recovery tools
Rubrik provides a set of recovery tools that enable restore operations for volume groups that target hosts
without an existing Windows or RBS installation.
Configuring SMB Security
Configure security for a Server Message Block share to enforce user authentication through Active
Directory.
Restoring a volume group on a Windows host without RBS
A host with a supported Windows OS installed restores a volume group through the OS functionality.

Chapter 22
Oracle databases

Oracle databases

Use Rubrik CDM to back up, archive, replicate, and migrate Oracle databases.
With Rubrik CDM, Oracle databases are automatically discovered and protected by an SLA Domain. RMAN
script or catalog management is eliminated and Automated Live Mount and Instant Recovery features are
enabled.

How do I start managing Oracle databases with Rubrik CDM?
• System requirements
• Oracle configuration

How do I set up my Oracle databases for auto discovery?
• Automated Oracle Data Protection
• Discovering Oracle databases

How do I protect Oracle Databases using Managed Volumes?
• Managed Volumes with Oracle databases

How do I migrate Oracle databases from the Managed Volumes solution to auto discovery?
• Migrating from Managed Volumes

How do I protect Oracle databases with SLA Domains?
• Assigning an SLA Domain to a host or database

How do I create backups?
• Backing up databases
• Backing up logs

How do I recover a database?
• Performing a Same Host recovery
• Performing an Instant Recovery
• Point-in-time recovery
• Tablespace recovery
• Database clones for Oracle

How do I create a live mount for development or testing?
• Mounting a database backup using Live Mount

Related concepts
Managed Volumes with Oracle databases
The Rubrik cluster recognizes an Oracle database as a data source.

Oracle configuration
Initial configuration of Rubrik CDM for Oracle requires at least one open or mounted Oracle database and a
user account with SYSDBA privileges.
After initial configuration, a database administrator account may be created with the ability to manage,
protect, and recover selected Oracle databases. The permissions granted to this account can be limited to
specific databases.
Auto discovery requires a host with at least one database in the OPEN or MOUNTED state. If no database is
available, create an empty /etc/oratab file.
Related concepts
Create an empty oratab file
If the Oracle host has no databases running, create an empty /etc/oratab file before installing Rubrik
Backup Service (RBS) software.
Related tasks
Creating an Oracle query user account on non-CDB databases
Create an Oracle query user account with privileges to query an Oracle non-CDB database instead of the
SYSDBA user.
Discovering Oracle databases
Add an Oracle host to the Rubrik cluster to permit discovery of the databases on that host.

System requirements
Rubrik cluster system requirements for Oracle databases.

Requirement: Description

RMAN: Rubrik clusters use RMAN to perform backup and recovery of Oracle
databases. The required RMAN scripts are generated automatically.
Databases must be in ARCHIVELOG mode and in an OPEN state for the Rubrik
cluster to perform backups. Oracle databases in a MOUNTED state are not
scheduled for database or log backups.

Shared storage: For Oracle RAC systems, Rubrik CDM only supports shared storage
configuration on Automatic Storage Management (ASM). Archived redo logs
must also be on shared storage (ASM).

Storage system: Rubrik CDM protection supports the following restore types:
• Oracle data files in Oracle file systems, but not Oracle RAC systems that
have storage on the file system.
• Automatic Storage Management (ASM) manages Oracle data files on
standalone Oracle and Oracle RAC systems.
For successful restore of Oracle data files, the restore type must be the same
as the original backup type.

NFS share with read/write size = 512KB: To perform Oracle backups, Rubrik CDM
mounts an NFS share with a default read/write size of 512KB. The Oracle host
must have the NFS client software installed and available. In an AIX
environment, the default maximum size is 64KB, which is not sufficient. To
avoid performance degradation, increase the maximum size to 512KB by
installing the IBM provided patch.
• AIX 6.1 patch
• AIX 7.1 patch

Maximum user processes: Set the minimum value of maxuproc to 16384.

User Credentials: The Oracle instance must be configured with a user account
that has SYSDBA privileges.
The default oracle user account can be customized, on a per host basis,
while adding the Oracle host or Oracle RAC node in the Rubrik cluster.

Database mode configuration: To enable Oracle database, Rubrik CDM requires
that the database be in ARCHIVELOG mode.

CDM auto discovery: A host must have at least one database in the OPEN or
MOUNTED state, or an empty /etc/oratab file for CDM discovery.

dNFS: Depending on the Oracle version, Oracle patch 20720667 may be required.
Review the patch version requirements described in Direct NFS support.

Note: For Oracle instances on Linux hosts, the ~/.bashrc file is processed each time Rubrik CDM
interacts with the Oracle data source. Make sure the host ~/.bashrc file does not contain processes that
cannot be run at high frequency.

Note: RMAN does not support backing up Oracle databases with datafiles larger than 16TB hosted on the
AIX operating system. Use Managed Volumes to protect Oracle databases with datafiles larger than 16TB
hosted on the AIX operating system.

Related concepts
Create an empty oratab file
If the Oracle host has no databases running, create an empty /etc/oratab file before installing Rubrik
Backup Service (RBS) software.

Direct NFS support


Rubrik CDM supports Oracle systems with dNFS enabled.
When specifying a query user for dNFS enabled hosts, grant the query user privileges to execute
dbms_dnfs.unmountvolume. For example, for a user named rubrik:

grant execute on dbms_dnfs to ops$rubrik;

In some cases an Oracle patch is required.

Oracle Version: 11.2.0.4
Patch: Patch 20720667. This patch is not publicly available. To get this patch for an
AIX system raise a support ticket directly with Oracle.
Run Post Scripts:
$ sqlplus /nolog
SQL> CONNECT / AS SYSDBA
SQL> @?/sqlpatch/20720667/postinstall.sql

Oracle Version: 12.1.0.2
Patch: Patch 20720667
Run Post Scripts:
<ORACLE_HOME>/OPatch/datapatch

Oracle Version: 12.2.0.1
Patch: Not required

For Oracle database version 12.1.0, if an ORA-19744 error occurs when trying to unmount an NFS mount
point, even when all the files stored there were removed, apply Patch 23126410 to resolve the error.
Related tasks
Creating an Oracle query user account on non-CDB databases
Create an Oracle query user account with privileges to query an Oracle non-CDB database instead of the
SYSDBA user.

Create an empty oratab file


If the Oracle host has no databases running, create an empty /etc/oratab file before installing Rubrik
Backup Service (RBS) software.
Run the following commands, as the root user, to create an empty /etc/oratab file.

touch /etc/oratab
chown oracle:oinstall /etc/oratab
chmod 664 /etc/oratab

The following line is an Oracle RAC database entry in the /etc/oratab file.
N indicates the database does not start up with the instance.

DB_UNIQUE_NAME:ORACLE_HOME:N

where DB_UNIQUE_NAME is the name of the database.


The following line is a standalone database entry in the /etc/oratab file. In this case, the
last character can be N if the database should not start up with the instance, or Y if the database should
start up with the instance.

INSTANCE_SID:ORACLE_HOME:N
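
The file layout, mode, and ownership described above can be checked before installing RBS. The following lint script is an added example, not part of the original guide or of Rubrik tooling; the function names are hypothetical, and the Y/N flag check follows the two entry formats shown above.

```shell
#!/bin/sh
# Added example: lint an oratab file against the layout described above.
# Function names are hypothetical; this is not Rubrik CDM or RBS code.

# check_oratab_entries FILE
# Prints one line per malformed entry and returns 1 if any were found.
# A file that is empty or holds only comments passes: that is the
# "no databases running" case.
check_oratab_entries() {
    [ -r "$1" ] || { echo "$1: not readable"; return 2; }
    awk -F: '
        BEGIN { bad = 0 }
        { sub(/[ \t]*#.*$/, ""); sub(/[ \t]+$/, "") }   # drop comments, trailing blanks
        /^[ \t]*$/ { next }                             # nothing left on the line
        NF != 3 {
            printf "line %d: expected NAME:ORACLE_HOME:FLAG, found %d field(s)\n", NR, NF
            bad = 1; next
        }
        $1 == ""       { printf "line %d: empty DB_UNIQUE_NAME or INSTANCE_SID\n", NR; bad = 1 }
        $2 !~ /^\//    { printf "line %d: ORACLE_HOME is not an absolute path\n", NR; bad = 1 }
        $3 !~ /^[YN]$/ { printf "line %d: startup flag must be Y or N\n", NR; bad = 1 }
        END { exit bad }
    ' "$1"
}

# check_oratab_mode FILE
# Succeeds only when FILE is a regular file with exactly mode 664.
check_oratab_mode() {
    [ -n "$(find "$1" -prune -type f -perm 664 2>/dev/null)" ]
}

# check_oratab_owner FILE OWNER:GROUP
# Succeeds when the owner and group reported by ls match OWNER:GROUP.
check_oratab_owner() {
    oratab_actual=$(ls -ld "$1" 2>/dev/null | awk '{ print $3 ":" $4 }')
    [ "$oratab_actual" = "$2" ]
}

# lint_oratab FILE [OWNER:GROUP]
# Runs all three checks; OWNER:GROUP defaults to oracle:oinstall as above.
lint_oratab() {
    lint_file=$1
    lint_owner=${2:-oracle:oinstall}
    lint_rc=0
    check_oratab_entries "$lint_file" || lint_rc=1
    check_oratab_mode "$lint_file" || { echo "$lint_file: mode is not 664"; lint_rc=1; }
    check_oratab_owner "$lint_file" "$lint_owner" || {
        echo "$lint_file: owner is not $lint_owner"; lint_rc=1
    }
    return "$lint_rc"
}

# Usage on an Oracle host: sh lint_oratab.sh /etc/oratab
if [ "$#" -gt 0 ]; then
    lint_oratab "$@"
fi
```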

Rubrik Backup Service


RBS is required in order to perform automated discovery of Oracle hosts, Oracle RAC systems, and Oracle
databases.
Install RBS on an Oracle host, and add that host to the Rubrik cluster, to start automatic discovery of the
following resources on the Oracle host:
• Oracle databases
• Oracle database metadata
• List of long running Oracle database instances and tablespaces
Rubrik Backup Service (RBS) software can only be used with the Rubrik cluster from which the software
is obtained. Each Rubrik cluster generates a copy of the RBS software that includes authentication
information specific to that Rubrik cluster. This method ensures that the Rubrik cluster and a hosted
deployment of the RBS can successfully authenticate.
Related concepts
Oracle configuration
Initial configuration of Rubrik CDM for Oracle requires at least one open or mounted Oracle database and a
user account with SYSDBA privileges.
Related tasks
Installing Rubrik Backup Service software on Oracle
Download and install the Rubrik Backup Service software on selected Oracle hosts/nodes.

Installing Rubrik Backup Service software on Oracle


Download and install the Rubrik Backup Service software on selected Oracle hosts/nodes.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Servers & Apps > Oracle DBs.
3. Select Add Hosts/Nodes.
The Add Hosts/Nodes dialog box appears.
4. In the text of the dialog box, select the package needed based on the host operating system.
Option: Description

rpm: Select the rpm link for hosts running on:
• RHEL 6, 7
• CentOS 6, 7
• SUSE Linux 11, 12

deb: Select the deb link for hosts running on:
• Oracle Linux 6, 7
• Ubuntu 14.04 LTS, 16.04 LTS, 17.04
• Debian Linux 8

AIX: Select one of the following version links:
• 6.1
• 7.1
• 7.2

The web browser downloads the Rubrik agent file to the defined download location.
5. Navigate to the download directory and double click the downloaded file to initiate installation.

Result
The package manager installs RBS on each host. RBS is upgraded as part of each CDM upgrade applied to
each host.
Related tasks
Removing RBS from a Linux or Unix host
The Rubrik Backup Service can be removed by using standard package manager commands.

Role based access


Rubrik CDM provides role-based access control (RBAC), along with options for integrating with existing
directory services. RBAC allows multiple tenants to access a restricted set of resources on a shared cluster.
To set up a multi-tenant environment, start by creating a central organization that is managed by the
SYSADMIN role. The central organization accesses resources on behalf of tenant organizations. The
SYSADMIN role can create Org Admin roles for each organization, and assign specific privileges to each
role.
Related concepts
Roles
Use roles to define privileges for user accounts on a Rubrik cluster.
Multitenant organizations
The multitenancy extension of the Role Based Access Control (RBAC) scheme enables a central
organization to delegate administrative capabilities to multiple tenant organizations.
Multitenancy and RBAC
Rubrik clusters support role based access control and multitenancy deployments for vCloud Director
vApps.

Create an Oracle query user account


The Oracle query user account is used to query the Oracle databases.
The steps used to create an Oracle query user account are different on CDB and non-CDB databases.
Oracle uses a multitenant architecture to function as a multitenant container database (CDB). A CDB can
contain customer-created pluggable databases (PDBs). A PDB is a portable collection of schemas, schema
objects, and non-schema objects that appear to an Oracle Net client as a non-CDB database.
A user account with SYSDBA privileges must be used to create and grant privileges to a query user. Create
or select a user account in the same group that owns the Oracle home directory. For an Oracle RAC, the
user account must be available on every host that is part of the Oracle RAC. The query user must have
privileges to query all CDBs and PDBs belonging to the database.
Each Oracle role provides specific privileges. Backup scripts must be run with the SYSDBA role. For details
about Oracle roles, review the Oracle Database Administrator Guide.
Related concepts
Role based access
Rubrik CDM provides role-based access control (RBAC), along with options for integrating with existing
directory services. RBAC allows multiple tenants to access a restricted set of resources on a shared cluster.
Rubrik Backup Service
RBS is required in order to perform automated discovery of Oracle hosts, Oracle RAC systems, and Oracle
databases.
Related tasks
Verifying the functionality of the Oracle query user account
Check the permissions of the Oracle query user account to ensure that the Rubrik cluster can fully discover
Oracle databases.
Related information
Oracle Base article: OS Authentication

Creating an Oracle query user account on non-CDB databases


Create an Oracle query user account with privileges to query an Oracle non-CDB database instead of the
SYSDBA user.

Procedure
1. Create a separate regular operating system account.
This example adds the user rubrik to the oinstall group.

useradd rubrik -G oinstall

2. Create and confirm a new account password for the new user.
This example sets the password for the rubrik account.

passwd rubrik

3. Using SQL*Plus, connect to the Oracle CDB using an account with SYSDBA privileges.
The SQL> prompt appears.
4. Use the following SQL command to retrieve the host account name.

SQL> show parameter os_authent_prefix

The system displays the value of the os_authent_prefix string. On most systems, the value is ops$.
5. Type the following SQL command to create an Oracle user account with the minimum privileges
required to query a database.

SQL> create user ops$rubrik identified externally;

Replace ops$ with the os_authent_prefix returned in Step 4, if needed. rubrik can be replaced
with any string to represent the created user name.
The Oracle query account is created.
6. Use the following command to assign the required query account privileges.

SQL> grant connect,select_catalog_role to ops$rubrik;

Replace rubrik with the name provided in Step 5, if needed.


7. Optional: If dNFS is enabled on the host, use the following command to grant the query user
privileges to execute dbms_dnfs.unmountvolume for dNFS volumes.

SQL> grant execute on dbms_dnfs to ops$rubrik;

Where rubrik is the Oracle query user account name.

Result
The Oracle query user account, with OS authentication, is ready to use with Rubrik CDM.

Next task
Verifying the functionality of the Oracle query user account.
Related concepts
Role based access
Rubrik CDM provides role-based access control (RBAC), along with options for integrating with existing
directory services. RBAC allows multiple tenants to access a restricted set of resources on a shared cluster.
Rubrik Backup Service
RBS is required in order to perform automated discovery of Oracle hosts, Oracle RAC systems, and Oracle
databases.
Related information
Oracle Base article: OS Authentication

Creating an Oracle query user account on a CDB database
Create an Oracle user with privileges to query an Oracle CDB database instead of the SYSDBA user.

Procedure
1. Create a separate regular operating system account.
This example adds the user rubrik to the oinstall group.

useradd rubrik -G oinstall

2. Create and confirm a new account password for the new user.
This example sets the password for the rubrik account.

passwd rubrik

3. Using SQL*Plus, connect to the Oracle CDB using an account with SYSDBA privileges.
The SQL> prompt appears.
4. Type the SQL command show CON_NAME to retrieve the current container name.
The system displays the value of the CON_NAME string. On most systems, the value is CDB$ROOT.
5. Type the SQL command sequence show parameter prefix to retrieve the prefix values.

SQL> show parameter prefix

The string values of the os_authent_prefix and common_user_prefix parameters appear. On
most systems, the value of os_authent_prefix is ops$ and the value of common_user_prefix
is C##.
6. Change the common_user_prefix parameter to use a value of "ops$" in the scope of the server
parameter file, spfile.

SQL> alter system set common_user_prefix='ops$' scope=spfile;

7. Type the SQL command sequence startup force; to force a database restart.
8. Type the following SQL command to create an Oracle user account with the minimum privileges
required to query a database.

SQL> create user ops$rubrik identified externally;

Use the actual value of os_authent_prefix returned by the show parameter prefix command
sequence, if it is not ops$. Replace rubrik with the string name of the query account being created.
The SQL*Plus tool creates the Oracle query account using the specified name.
9. Type this command to grant execute permission to the ops$rubrik user account on the dbms_dnfs
package.

SQL> grant execute on dbms_dnfs to ops$rubrik;

Replace rubrik with the actual name of the Oracle query account.
10. Type the following command to grant connect and select_catalog_role privileges to the query
account.

SQL> grant connect,select_catalog_role to ops$rubrik container=all;

The select_catalog_role privilege grants users select privileges on data dictionary views.

11. Type the following command to allow the query account to view all container data objects in the
current container.

SQL> alter user ops$rubrik set container_data=all container=current;

Result
The Oracle query user account, with OS authentication, is ready to use with Rubrik CDM.

Verifying the functionality of the Oracle query user account


Check the permissions of the Oracle query user account to ensure that the Rubrik cluster can fully discover
Oracle databases.

Prerequisites
Create the Oracle user account using the procedure in Creating an Oracle query user account on non-CDB
databases.

Context
This procedure is optional.

Procedure
1. Log in to SQL as the Oracle query user.
The SQL> prompt appears.
2. Type the command show user at the SQL> prompt.
The following system prompt appears:
USER is string$username
where string is the os_authent_prefix string and username is the name of the currently logged-in user.
3. Type the command SELECT VERSION FROM V$INSTANCE; at the SQL> prompt.
The system displays the Oracle version.

Result
The Oracle user account successfully retrieves information about the Oracle instance, confirming the
account has the correct privileges.
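
The query user procedures above grant only connect, select_catalog_role and, for dNFS, execute on dbms_dnfs. The following audit script is an added example, not part of the original guide or of Rubrik or Oracle tooling; the function names and the KIND|GRANT line format are assumptions, and it reports any additional role or privilege the account holds in the container it is run against.

```shell
#!/bin/sh
# Added example: compare the grants held by the Oracle query user with the
# grants made in the procedures above. Hypothetical helper names; this is
# not Rubrik or Oracle tooling.

# Grants the procedures issue, as KIND|GRANT lines (the line format is an
# assumption of this example). DBMS_DNFS is optional on non-dNFS hosts.
EXPECTED_GRANTS='ROLE|CONNECT
ROLE|SELECT_CATALOG_ROLE
OBJ|EXECUTE ON SYS.DBMS_DNFS'

# valid_db_user NAME
# Accepts only letters, digits, _, $ and #, so NAME is safe to place in SQL.
valid_db_user() {
    case $1 in
        ''|*[!A-Za-z0-9_\$#]*) return 1 ;;
    esac
    return 0
}

# list_grants DBUSER
# Connects as SYSDBA through OS authentication and prints one KIND|GRANT
# line per role, system privilege and object privilege held by DBUSER.
list_grants() {
    valid_db_user "$1" || { echo "invalid user name" >&2; return 2; }
    sqlplus -s / as sysdba <<EOF
set heading off feedback off pagesize 0 linesize 200
select 'ROLE|' || granted_role from dba_role_privs where grantee = upper('$1')
union all
select 'SYS|' || privilege from dba_sys_privs where grantee = upper('$1')
union all
select 'OBJ|' || privilege || ' ON ' || owner || '.' || table_name
  from dba_tab_privs where grantee = upper('$1');
exit
EOF
}

# audit_grants
# Reads KIND|GRANT lines on stdin. Prints "UNEXPECTED <grant>" for anything
# outside EXPECTED_GRANTS and "MISSING <grant>" for expected grants that are
# absent. Returns 1 only when an unexpected grant is present.
audit_grants() {
    EXPECTED="$EXPECTED_GRANTS" awk '
        BEGIN {
            n = split(ENVIRON["EXPECTED"], want, "\n")
            for (i = 1; i <= n; i++) missing[want[i]] = 1
            rc = 0
        }
        { gsub(/^[ \t]+|[ \t]+$/, "") }        # sqlplus may pad lines
        $0 == "" { next }
        ($0 in missing) { missing[$0] = 0; next }
        { print "UNEXPECTED " $0; rc = 1 }
        END {
            for (i = 1; i <= n; i++)
                if (missing[want[i]]) print "MISSING " want[i]
            exit rc
        }
    '
}

# Usage on the database host, as the SYSDBA OS user:
#   sh audit_query_user.sh 'ops$rubrik'
if [ "$#" -eq 1 ]; then
    list_grants "$1" | audit_grants
fi
```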

Adding a query user to an existing host


Update an existing Oracle host with information on the Oracle query user in order to use the Oracle query
user instead of the user with SYSDBA privileges.

Prerequisites
Verify that an Oracle query user exists, or create one as described in Creating an Oracle query user
account on non-CDB databases.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the gear icon and select Hosts.
The Hosts page appears.
3. Open the ellipsis menu next to the host and select Edit.
The Edit Host dialog box appears.
4. Activate the Discover Oracle slider.
The SYSDBA and Discovery User fields appear.

5. Configure user access privileges and select Update.
Option: Description
SYSDBA User: Enter the SYSDBA authorized user (default is oracle).
Discovery User: Add a host query user.
Follow the steps described in Creating an Oracle query user account on non-CDB databases and
Verifying the functionality of the Oracle query user account before performing this optional
step.

Result
The query user is enabled on the host.

Oracle database management


Manage discovered Oracle hosts and Oracle RAC systems from the Rubrik CDM Oracle DBs page.
To work with Oracle databases on the Rubrik cluster, click Servers & Apps > Oracle DBs.

Note: For Oracle instances on Linux hosts, the ~/.bashrc file is processed each time Rubrik CDM
interacts with the Oracle data source. Make sure the host ~/.bashrc file does not contain processes that
cannot be run at high frequency.

The smallest unit to which an SLA Domain can be applied is the database. Tablespaces can be recovered
but not individually protected. Oracle records transactions in redo logs before committing to the database.
Redo logs are archived periodically, and backed up to enable point-in-time recovery.
Connected instances are organized by Hosts/Clusters and All DBs. Toggle the view by selecting either
tab. The following describes the information available on each tab.

Tab: Details

Hosts/Clusters: This page displays:
• Name - Name of the single instance Oracle host or RAC
• Nodes - Number of nodes on the RAC
• Databases - Number of databases on the single instance Oracle host or RAC
• SLA Domain - Name of the assigned SLA Domain
• RBS Status - The connection status (connected, disconnected, partially connected)

All DBs: This page displays:
• Name - Name of the database
• Cluster/Host - The name of the cluster or host
• Log Backup - The time, in minutes, since the last log backup was captured
• Instances - The number of instances associated with the cluster or host
• Tablespaces - The number of tablespaces protected
• SLA Domain - The name of the assigned SLA Domain
• Assignment - Indicates if the SLA Domain assignment is Direct or Inherited.

Automated Oracle Data Protection
Automatically discover and protect Oracle databases.
When RBS is installed on an Oracle host, or on one of the nodes of an Oracle RAC, the Rubrik cluster
automatically discovers that Oracle host, or Oracle RAC, and all Oracle database instances running on it.
The Rubrik cluster can then create database snapshots, and manage retention, replication, and archiving
of those snapshots. These tasks are performed according to the SLA Domain policies assigned to, or
inherited by, each discovered database.
DBAs and backup administrators can manage multiple point-in-time copies of Oracle databases, and
perform instant recovery, live migration, and restore tasks.
Oracle discovery derives the ORACLE_SID and ORACLE_HOME values for each database from the pmon
environment variables. These values identify the system identifier (SID) of the database and map to the
directory where the Oracle database client software is installed.

Note: For Oracle hosts that include a running ASM instance, the OSASM group members must be granted
the SYSASM system privileges to administer storage. The OSASM group is named asmadmin. The SYSDBA
user must be a member of the OSASM group to ensure successful discovery of the Oracle host.

Related concepts
Instant Recovery for Oracle
Replace an Oracle database with a fully functional point-in-time copy.
Same Host Recovery
Recover a database to the source Oracle host or Oracle RAC.
Live Migration
After a recovery, the recovered virtual machine uses Live Migration.
Automatic protection
A Rubrik cluster provides automatic protection of virtual machines through inheritance of the SLA Domain
assigned to a parent object.
Related tasks
Migrating from Managed Volumes
Migrate existing Managed Volume instances to use RBS.

Migrating from Managed Volumes


Migrate existing Managed Volume instances to use RBS.

Procedure
1. Stop any currently running Managed Volume backup scripts.
2. Delete the existing Managed Volume.

Result
All Managed Volume snapshots become inactive objects and are no longer updated. The Oracle Database
can be protected with automated Oracle Database protection.
Related concepts
Rubrik Backup Service
RBS is required in order to perform automated discovery of Oracle hosts, Oracle RAC systems, and Oracle
databases.
Related tasks
Deleting a Managed Volume
Use the Rubrik CDM web UI to delete a Managed Volume.
Backing up databases
Database backups on a Rubrik cluster use incremental RMAN merge.

OKV-managed TDE databases


The Rubrik cluster supports OKV-managed Transparent Data Encryption databases.
The Oracle Key Vault (OKV) enables database administrators to deploy encryption and other security
solutions. The OKV centrally manages encryption keys, certificates, and security objects in the OKV
wallet. The OKV remains separate from the Oracle database server. Hence, if either the OKV or the Oracle
database is compromised, the perpetrators will not have access to both.
Rubrik CDM supports backups for OKV-managed Transparent Data Encryption (TDE) databases. However,
customers are responsible for performing recovery activities.
The Oracle documentation includes a full description of the OKV software and the OKV wallet.

Verifying the OKV configuration for the Rubrik cluster


Verify the OKV is correctly configured for the Rubrik cluster.

Procedure
1. As the Oracle Home owner (typically Oracle), connect to the Oracle host using SSH.
2. To verify the okvutil command line utility is available, type which okvutil at the command line.
This example lists the location of the okvutil utility.

[oracle@okv-197 ~]$ which okvutil

/u01/app/oracle/admin/cdb197/wallet/okv/bin/okvutil

3. To verify that the Oracle Key Vault (OKV) is installed and configured, type okvutil list at the
command line.
This example lists the contents of the OKV wallet on the okv-197 host.

[oracle@okv-197 ~]$ okvutil list

Enter Oracle Key Vault endpoint password:

Unique ID                             Type           Identifier
C94DE5A5-3237-3E8A-E053-0100007FAFF2  Opaque Object  TDE Wallet Metadata
C94DE5A5-323A-3E8A-E053-0100007FAFF2  Opaque Object  TDE Wallet Metadata
C94DE5A5-323B-3E8A-E053-0100007FAFF2  Private Key    -
C94DE5A5-323D-3E8A-E053-0100007FAFF2  Symmetric Key  TDE Master Key: MKID 06E69E44C729654FCEBF2B5C084CDD0726
C94DE5A5-323C-3E8A-E053-0100007FAFF2  Opaque Object  Certificate Request
C94DE5A5-3238-3E8A-E053-0100007FAFF2  Opaque Object  TDE Wallet Metadata
C94DE5A5-3239-3E8A-E053-0100007FAFF2  Symmetric Key  TDE Master Key: MKID 06B0BE319D3B734F43BF675291FEA54402

4. To verify the ORACLE_BASE, ORACLE_HOME, and OKV_HOME environment variables are exported in
the login profile of the ORACLE_HOME owner, type echo environment_variable at the command line.
This example shows a sample verification command.

echo $ORACLE_BASE
echo $ORACLE_HOME
echo $OKV_HOME

5. For Oracle database versions 18c and 19c, add the WALLET_ROOT parameter to the pfile to start the
recovery instance.
The Oracle documentation includes information about adding parameters to the pfile.
6. Log in to the Oracle database using SQLPLUS.
7. At the SQLPLUS prompt, type this to verify the OKV wallet is set to AUTOLOGIN and the status of the
OKV wallet is open.
select wrl_type,wrl_parameter,status,wallet_type from v$encryption_wallet
This example verifies the status of the OKV wallet:

SQL> select wrl_type,wrl_parameter,status,wallet_type from v$encryption_wallet;

WRL_TYPE  WRL_PARAMETER                             STATUS  WALLET_TYPE
-------------------------------------------------------------------------------------
FILE      /u01/app/oracle/admin/cdb197/wallet/tde/  OPEN    AUTOLOGIN
OKV                                                 OPEN    OKV

Result
The OKV is correctly configured for the Rubrik cluster.
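
Steps 4 and 7 above can be scripted. The following is an added example, not part of the original guide or of Rubrik or Oracle tooling; the function names are hypothetical, and the pass criteria (every wallet row OPEN, one OKV row, one AUTOLOGIN row) are an assumption taken from the sample output in step 7. Unlike echo, the environment check reports variables that are set in the shell but not exported.

```shell
#!/bin/sh
# Added example: script the environment and wallet checks from the OKV
# verification procedure above. Hypothetical helper names.

# missing_exports
# Prints the name of each required variable that is not exported with a
# non-empty value. env lists exported variables only, whereas echo $VAR also
# shows shell-local variables that child processes never inherit.
missing_exports() {
    for okv_var in ORACLE_BASE ORACLE_HOME OKV_HOME; do
        env | grep -q "^${okv_var}=." || echo "$okv_var"
    done
}

# check_wallet_rows
# Reads on stdin the output of
#   select wrl_type,wrl_parameter,status,wallet_type from v$encryption_wallet;
# WRL_PARAMETER is blank on the OKV row, so STATUS and WALLET_TYPE are taken
# from the end of each line instead of by fixed position.
# Returns 1 and prints the reason when a wallet row is not OPEN, when no OKV
# row is present, or when no row has wallet type AUTOLOGIN.
check_wallet_rows() {
    awk '
        BEGIN { rc = 0; okv = 0; autologin = 0 }
        $1 != "FILE" && $1 != "OKV" { next }      # header, rule, blank lines
        {
            wrl = $1; status = $(NF - 1); wtype = $NF
            if (wrl == "OKV") okv = 1
            if (wtype == "AUTOLOGIN") autologin = 1
            if (status != "OPEN") {
                print wrl " wallet status is " status ", expected OPEN"
                rc = 1
            }
        }
        END {
            if (!okv)       { print "no OKV wallet row"; rc = 1 }
            if (!autologin) { print "no AUTOLOGIN wallet row"; rc = 1 }
            exit rc
        }
    '
}

# Usage: run missing_exports from the login shell of the ORACLE_HOME owner,
# and pipe the sqlplus query output into check_wallet_rows.
```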

Discovering Oracle databases


Add an Oracle host to the Rubrik cluster to permit discovery of the databases on that host.

Prerequisites
Confirm that all requirements are completed as described in System requirements.
Confirm that the RBS software is installed on the Oracle host, or on each node of the Oracle RAC, as
described in Installing Rubrik Backup Service software on Oracle.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > Oracle DBs.
The Hosts/Clusters page appears.
3. Click Add Hosts/Nodes.
The Add Hosts/Nodes dialog box appears.
4. In IPs or Hostnames, enter an IPv4 address or a resolvable hostname for the Oracle host.
For multiple IP addresses or hostnames use CSV syntax.
5. Configure user access privileges and click Add.
Option: Description
SYSDBA User: Enter the SYSDBA authorized user (default is oracle).
Discovery User: Add a host query user.
The Rubrik cluster saves the configuration and the new Oracle host appears on the Hosts/Clusters
page.

Result
The Rubrik cluster discovers the databases on the Oracle host and lists the databases on the All DBs page.

Related tasks
Creating an Oracle query user account on non-CDB databases
Create an Oracle query user account with privileges to query an Oracle non-CDB database instead of the
SYSDBA user.
Verifying the functionality of the Oracle query user account
Check the permissions of the Oracle query user account to ensure that the Rubrik cluster can fully discover
Oracle databases.

Validating Oracle databases


Validate the data in an Oracle database snapshot to ensure that the database can be recovered or restored
without any corrupt files or missing blocks.

Context
The Rubrik cluster also supports using the oracle_home and SGA API to validate the Oracle database for
backups.
Validation is a memory intensive operation, and Rubrik recommends running it on hosts other than the
source hosts.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > Oracle DBs.
The Hosts/Clusters page appears.
3. Click the All DBs tab.
All connected database instances are listed.
4. In the Name column, click the name of a database.
Alternatively, enter a name in the search field or use the filters at the top left of the list.
The Local page for the database appears, with the Recovery Points card showing the month view and
the Overview page showing database details.
5. On the Recovery Points card, select a day that has a green dot.
The green dot indicates a successful snapshot taken on that day.
The Recovery Points card displays the Day view.
6. Open the ellipsis menu and select Validate.
The Validate dialog box appears.
7. Select the name of the Oracle target host or cluster for recovery validation.
Alternatively, enter a name in the search field to search within the list of compatible hosts.
Use the source host or the alternative host for validation. Choose from the list of compatible
standalone hosts and clusters.
8. Optional: In Number of RMAN Channels (Optional), enter the number of Oracle Recovery
Manager (RMAN) recovery channels.
By default, the number of RMAN channels used for recovery is the same as the number of channels
used in the database and the number of log snapshots being recovered.
9. Click Next.
10. Review the caution message.
11. Click Finish.

Result
The Rubrik cluster validates the data in the database snapshot.

Next task
View the validation results on the Overview page or in the activity log.

Refreshing Oracle hosts


Refresh an Oracle host to enable the Rubrik cluster to discover new Oracle databases or mark removed
databases as archived.

Context
To refresh an Oracle RAC, refresh each host on the system.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the gear icon on the top bar of the Rubrik CDM web UI.
The gear menu appears.
3. Click Hosts.
The Hosts page appears.
4. Open the ellipsis menu on the host to select Refresh.
5. Click Refresh.

Result
The Rubrik cluster discovers new Oracle databases or marks removed databases as archived.

Remove an Oracle RAC


To remove an Oracle RAC, remove each node that is part of an Oracle RAC system.
To remove an Oracle RAC, remove each Linux or AIX host for each of the Oracle RAC nodes.
Removed Oracle hosts or Oracle RAC systems remain listed on the Snapshot Management page until all
backups associated with a database expire or are deleted based on the specified retention policy.
Related tasks
Removing a host
Delete a Linux, Unix, or Windows host from the Rubrik cluster.

Assigning an SLA Domain to a host or database


Manage and protect discovered Oracle databases with assigned SLA Domains.

Prerequisites
Before starting this task, complete the tasks described in Oracle configuration and Discovering Oracle
databases.

Context
The SLA Domain assignment governs database backups, and the SLA retention policy governs database backup
retention. When an SLA Domain is assigned to a database host or to an Oracle RAC, all databases on that
host or Oracle RAC inherit the assigned SLA Domain. A direct or inherited SLA Domain assignment enables
the policy-driven management of the backups of a database.

Procedure
1. Log in to the Rubrik CDM web UI using an account with administrator privileges.
2. From the navigation menu, click Servers & Apps > Oracle DBs.
All connected host/cluster instances are listed on the Oracle DBs Hosts/Clusters tab.
3. Click the All DBs tab.
All connected database instances are listed.
4. Select one or more of the database instances and click Manage Protection.
The Manage Protection dialog box appears with the Basic Settings menu selected.
5. Select an existing SLA Domain or click + to create a new SLA Domain.
6. Configure the following options and click Submit:
• Click Clear Existing Assignment to assign selected objects and their contents to the SLA Domain
of the next higher level object.
• Click Do Not Protect to exclude the selected objects from further SLA Domain assignments.

Result
The SLA Domain assigned to a database determines backup frequency and retention for that database. An
SLA Domain can be directly assigned or inherited from a parent object.

Oracle Data Guard on Rubrik clusters


Rubrik clusters support Oracle Data Guard environments to back up primary and standby databases and to
discover new Data Guard groups.
An Oracle Data Guard setup consists of primary and physical standby databases, which are synchronized.
In the event of a primary site disaster, the primary database fails over to the standby database, and the
standby database becomes the new primary database.
Rubrik clusters discover primary and standby databases that are part of a Data Guard environment and
register these as a single logical entity. This single logical entity is known as a Data Guard group. The
Data Guard group supports physical standby databases, but does not support logical standby or snapshot
standby databases. Rubrik clusters only support backups from physical standby databases in Active Oracle
Data Guard configuration.
Rubrik clusters also track database role changes for switchover and failover events. For example, if a
database changes its role from a primary database to a standby database, the Rubrik cluster tracks the
change and displays the current role of this database in the Rubrik CDM web UI.

Note:
Rubrik recommends performing a database backup after a failover, failback, or switchover operation.

Rubrik clusters perform database and log backups for both primary and standby databases. Offloading the
backup task to the standby helps to free resources for the production environment.
Rubrik clusters delete logs from the database performing the backup operation, not from all members of
the Data Guard group.

Oracle Data Guard group tablespace point-in-time recovery


The primary database in the Data Guard group triggers tablespace point-in-time recovery operations.
The tablespace point-in-time recovery operation performs the tablespace recovery on the primary
database. The operation fails if the Data Guard group does not contain an active primary database.
Rubrik clusters use the Oracle Recovery Manager (RMAN) fully-automated tablespace recovery, which
works with the primary control file. The request fails if the Rubrik cluster takes the last required log
snapshot for tablespace point-in-time recovery from the standby database. In this case, database
administrator (DBA) managed recoveries must be performed.

Oracle Data Guard member node log deletion
Rubrik cluster versions 7.0 and later automatically delete transaction logs on all member nodes of the
Data Guard groups. Users do not need to manually delete transaction logs on the unmanaged Data Guard
member nodes.
In Rubrik CDM 6.0 and earlier, transaction logs were deleted only on the node where the backup was
running, either on the primary or standby server. Users could not delete transaction logs on other member
nodes of the Data Guard group using the Rubrik cluster.
In Rubrik CDM version 7.0 and later, the Rubrik cluster activity logs indicate that the transaction logs are
deleted from all Data Guard member nodes.
Only the transaction logs that were backed up after the upgrade to Rubrik CDM version 7.0 are deleted on
all the Data Guard member nodes. Transaction logs that were backed up prior to the upgrade are deleted
only on the Data Guard member where the backup occurred during the upgrade.
If a transient host disconnect occurs and briefly archives a Data Guard member database, the Rubrik
cluster does not delete the database transaction logs on the Data Guard member databases that were
backed up while those member databases were archived.
Rubrik recommends including the APPLIED ON STANDBY or SHIPPED TO STANDBY commands in the
Oracle Recovery Manager (RMAN) configuration on the primary member database for the ARCHIVELOG
DELETION policy. This configuration ensures that the archive logs are not deleted on the primary server
before they are shipped or applied on the standby server.

Reviewing Oracle Data Guard groups


The Rubrik CDM web UI provides details about the Oracle Data Guard groups assigned to Rubrik clusters.

Context
After Oracle hosts are added to Rubrik clusters, they appear in the Data Guard groups.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > Oracle DBs.
The Hosts/Clusters page appears.
3. Click DG Groups.
The DG Groups page appears.
4. In the Name column, click the name of a Data Guard group.
Alternatively, enter a name in the search field or use the filters at the top left of the list.
The Local page for the database appears, with the Recovery Points card showing the month view and
the Overview card showing database details.
5. In the Overview card, hover over the Databases field.
The database members are displayed.

Result
The Rubrik CDM UI displays the database name, Data Guard group name, the name of the host, and
whether the host is a primary or a standby node.
Related tasks
Discovering Oracle databases
Add an Oracle host to the Rubrik cluster to permit discovery of the databases on that host.

Oracle Data Guard group validation


Validating an Oracle Data Guard group on an alternate host requires an ORACLE_HOME parameter value.
The Rubrik API documentation provides information about setting parameters, including ORACLE_HOME.
The Oracle Data Guard group validation request fails with an error message if the ORACLE_HOME parameter is
not provided.

Validating an Oracle Data Guard group


Validate the data in an Oracle Data Guard snapshot to ensure that the group can be recovered or restored
without any corrupt files or missing blocks.

Context
Rubrik clusters also support using the ORACLE_HOME parameter and SGA API to validate the Oracle
database for backups.
Validation is a memory intensive operation, and Rubrik recommends running it on hosts other than the
source host.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > Oracle DBs.
The Hosts/Clusters page appears.
3. Click DG Groups.
The DG Groups page appears.
4. In the Name column, click the name of a Data Guard group.
Alternatively, enter a name in the search field or use the filters at the top left of the list.
The Local page for the database appears, with the Recovery Points card showing the month view and
the Overview card showing database details.
5. On the Recovery Points card, select a day that has a green dot.
The green dot indicates a successful snapshot taken on that day.
The Recovery Points card displays the Day view.
6. Open the ellipsis menu and select Validate.
The Validate dialog box appears.
7. Select the name of the Oracle target host or cluster for recovery validation.
Alternatively, enter a name in the search field to search within the list of compatible hosts.
Use the source host or the alternative host for validation. Choose from the list of compatible
standalone hosts and clusters.
8. Click Next.
9. Review the caution message.
The caution message states that when a selected target Host/Cluster is a part of the source Host/
Cluster, validation uses a connection to the source database instance. Otherwise, validation uses 30
percent of the target host's total memory as the SGA to instantiate a temporary database instance.
10. Click Finish.

Result
The Rubrik cluster validates the data in the database snapshot.

Next task
View the validation results on the Overview card or in the activity log.

Taking an on-demand snapshot of an Oracle Data Guard group


Manually initiate a snapshot of the databases in a Data Guard group. Assign an SLA Domain to manage
that snapshot.

Prerequisites
Meet the configuration requirements specified in Oracle database management.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > Oracle DBs.
The Hosts/Clusters page appears.
3. Click DG Groups.
The DG Groups page appears.
4. In the Name column, click the name of a Data Guard group.
Alternatively, enter a name in the search field or use the filters at the top left of the list.
The Local page for the database appears, with the Recovery Points card showing the month view and
the Overview card showing database details.
5. Click Take DB Backup.
The Take DB Backup dialog box appears.
6. Select an SLA Domain.
Rubrik clusters use the rules and policies of the selected SLA Domain to manage the on-demand
snapshot. The selected SLA Domain can be different from the SLA Domain assigned to the Data Guard
group.
7. Select Forever to manually manage the on-demand snapshot through the Snapshot Management
page.
8. Optional: Click Retain Forever.
The snapshots are retained till they are manually deleted.
9. Optional: For a full backup, switch on Take Full Database Backup.
The default backup method takes an incremental snapshot.
10. Click Next.
The DB Backup dialog box appears.
11. Click Backup DB.

Result
The Rubrik cluster adds the specified on-demand backup to the task queue. The Activity Log tracks the
status of the on-demand backup task. The Rubrik cluster manages the snapshot based on the rules and
policies of the selected SLA Domain.

Backing up Oracle Data Guard logs


Create a backup of an archived redo log for an Oracle Data Guard group.

Prerequisites
Meet all of the requirements described in Database clone prerequisites.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > Oracle DBs.
The Hosts/Clusters page appears.
3. Click DG Groups.
The DG Groups page appears.
4. In the Name column, click the name of a Data Guard group.
Alternatively, enter a name in the search field or use the filters at the top left of the list.
The Local page for the database appears, with the Recovery Points card showing the month view and
the Overview card showing database details.
5. On the Local page, click Take Log Backup.
A notification regarding the backup job being scheduled appears.
6. Click OK.

Result
The Rubrik cluster adds the specified log backup to the task queue. The Activity Log tracks the status of
the log backup task.

Restoring an Oracle Data Guard group


Restore files from an Oracle Data Guard group using a fully functional point-in-time copy.

Prerequisites
Clear the log_archive_config parameter from the original SPFILE or from the custom PFILE that will
be used for recovery. Additionally, Rubrik recommends removing any other Data Guard configuration
parameters. Parameters that remain can cause the Rubrik cluster to inadvertently discover the database
you want to recover using backups extracted from a member of a Data Guard group.

Context
Restoring a Data Guard group supports the files-only recovery method.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > Oracle DBs.
The Hosts/Clusters page appears.
3. Click DG Groups.
The DG Groups page appears.
4. In the Name column, click the name of a Data Guard group.
Alternatively, enter a name in the search field or use the filters at the top left of the list.
The Local page for the database appears, with the Recovery Points card showing the month view and
the Overview card showing database details.
5. On the Recovery Points card, select a day that has a green dot.
The green dot indicates a successful snapshot taken on that day.
The Recovery Points card displays the Day view.
6. Open the ellipsis menu and select Restore.
An informational message appears specifying that Restore for Data Guard Group is supported only
through a database administrator (DBA) managed restore.
7. Click OK.
The Restore dialog box appears.
8. In Hosts/Clusters, select an Oracle host.
The selected host will be the target for the database restore.
At this point, any member node of the Data Guard group is available for a same host recovery.
9. Optional: Select Do not restore, make RMAN backup files available for manual recovery.
Select this option to clone the recovery point, and recover files by using Oracle Recovery Manager
(RMAN) on the target host.
10. Optional: In Backup Image Path, type a full path on the target host.
Use this optional field to specify where to place the data files during the clone operation.
11. Click Clone.

Result
The Rubrik cluster recovers the files from an Oracle Data Guard group using a fully functional point-in-time
copy.

Next task
Perform the manual steps to create a database using the backup files. The RMAN documentation describes
the process to manually create a database.

Instantly recovering Oracle Data Guard groups


Recover an Oracle Data Guard group with a fully functional point-in-time copy.

Prerequisites
Clear the log_archive_config parameter from the original SPFILE or from the custom PFILE that will
be used for recovery. Additionally, Rubrik recommends removing any other Data Guard configuration
parameters. Parameters that remain can cause the Rubrik cluster to inadvertently discover the database
you want to recover using backups extracted from a member of a Data Guard group.

Context
Instant Recovery requires performing a files-only operation.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > Oracle DBs.
The Hosts/Clusters page appears.
3. Click DG Groups.
The DG Groups page appears.
4. In the Name column, click the name of a Data Guard group.
Alternatively, enter a name in the search field or use the filters at the top left of the list.
The Local page for the database appears, with the Recovery Points card showing the month view and
the Overview card showing database details.
5. On the Recovery Points card, select a day that has a green dot.
The green dot indicates a successful snapshot taken on that day.
The Recovery Points card displays the Day view.
6. Open the ellipsis menu and select Instant Recovery.
An informational message appears specifying that Instant Recovery for Data Guard Group is supported
only through a database administrator (DBA) managed recovery.
7. Click OK.
The Mount Database dialog box appears.
8. Click Cancel.
9. In Hosts/Clusters, select an Oracle host.
The selected host will be the target of the database mount.
10. Optional: Select Do not restore, make RMAN backup files available for manual recovery.
Select this option to clone the recovery point, and recover files by using Oracle Recovery Manager
(RMAN) on the target host.
11. Optional: In Backup Image Path, type a full path on the target host.
Use this optional field to specify where to place the data files during the clone operation.
12. Click Mount.
The Rubrik cluster displays the database and log backups on an NFS mount point. The database and
log backups provide the files, but do not create a database.

Result
The Rubrik cluster recovers an Oracle Data Guard group with a fully functional point-in-time copy.

Next task
Perform the manual steps to create a database using the backup files. The RMAN documentation describes
the process of manually creating a database.

Oracle Data Guard Live Mount


Live Mount instantiates a database from a copy stored on Rubrik CDM.
Live Mount brings up the database with data files present on storage, but the redo logs and control files
are left on the host (FS/ASM) to allow live migration. Only the data files are migrated. Redo logs and
control files are not migrated.
Live mounting a database uses pre-recovery and post-recovery scripts. All the target nodes for a Real
Application Clusters (RAC) must have these scripts at the provided path, and the Oracle user defined for
the target host must be able to execute these scripts. The Rubrik cluster considers a script exit status
other than 0 to be a script failure. The Rubrik cluster displays notifications of script failures in the Activity
Log.

Mounting an Oracle Data Guard group using Live Mount


Use Live Mount to create a new primary database from a point-in-time copy of a source Data Guard group.

Prerequisites
To live mount a recovery point that is between snapshots, successfully complete archived redo log backups
that cover the recovery point period.
Live Mount requires a database backup containing all data files.

Context
With Live Mount, the database is instantiated from a copy stored on Rubrik CDM. Live Mount brings up the
database with data files present on storage but redo logs and control files are left on the host (FS/ASM) to
allow live migration.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > Oracle DBs.
The Hosts/Clusters page appears.
3. Click DG Groups.
The DG Groups page appears.
4. In the Name column, click the name of a Data Guard group.
Alternatively, enter a name in the search field or use the filters at the top left of the list.
The Local page for the database appears, with the Recovery Points card showing the month view and
the Overview card showing database details.
5. On the Recovery Points card, select a day that has a green dot.
The green dot indicates a successful snapshot taken on that day.
The Recovery Points card displays the Day view.
6. Open the ellipsis menu and select Mount.
The target Oracle hosts or Oracle RAC systems are shown in the dialog box.
7. In Hosts/Clusters, select an Oracle host.
The selected host will be the target of the database mount.
8. Optional: Select Do not restore, make RMAN backup files available for manual recovery.
Select this option to mount the recovery point, and recover files by using Oracle Recovery Manager
(RMAN) on the target host.
9. Optional: In Backup Image Path, type a full path on the target host.
Use this optional field to specify where to place the data files during the mount operation.
10. Optional: In Number of RMAN Channels (Optional), enter the number of Oracle Recovery
Manager (RMAN) recovery channels.
By default, the number of RMAN channels used for recovery is the same as the number of channels
used in the database and the number of log snapshots being recovered.
11. Expand Advanced Mount Options.
Additional option fields appear.
12. Optional: To execute a pre-recovery script, select Enable Pre/Post Scripts and type the full path of
the pre-recovery script.
The Pre-Recovery Script Path line appears.
13. Optional: To cancel the Live Mount operation if the pre-recovery script fails, select Cancel Recovery
if Pre-Recovery Script fails.
14. Optional: To execute a post-recovery script, type the full path of the post-recovery script.
15. Optional: Select Use custom pfile for recovery, and type the full path of the PFILE.
Specify the full path of the PFILE on the target host.
Selecting this option means that the original SPFILE is not used for the mount operation.
16. Optional: Click the Advanced Mount Options File and upload a custom advanced mounting options
file.
The Rubrik cluster parses the uploaded file and the values are displayed in the UI along with the
corresponding validation errors, if any. The values should be modified if necessary.
17. Optional: Click Download Example File.
Download this plain text file to view information about the acceptable parameters and values to pass
to the Rubrik cluster through a custom advanced mount options file.
18. In Choose a Parameter, select ACO options from the list.
The target ORACLE_HOME parameter is required for Data Guard group mount operations.
19. Optional: Click Add to include additional parameters and provide the parameter value.
To clear a PFILE parameter using an ACO option, use a single or double-quoted empty string for the
value.
20. Click Mount.

Result
The Rubrik cluster mounts the NFS share to the specified Oracle host and creates a primary database using
data files stored on Rubrik CDM. This database is not discovered as a member of a Data Guard group.

The Live Mount will fail if any of the following reboots: the live mounted host, the RAC, or the Rubrik
cluster. If a Live Mount fails, go to the Live Mounts page, find the failed Live Mount entry, and use the
unmount command with the Force option, removing the metadata from the failed Live Mount, then retry
the Live Mount.
Related concepts
Oracle Data Guard Live Mount
Live Mount instantiates a database from a copy stored on Rubrik CDM.

Oracle Data Guard group backups


RMAN reads the previous snapshot and aggregates the changes to form a new snapshot backup through
NFS.
Backups require determining how logs are archived. If the log writes have not completed when the Rubrik
cluster attempts to delete the log on the primary database, the delete fails and the Rubrik cluster displays
a warning message. The Rubrik cluster retries the log deletion later.
The CONFIGURE ARCHIVELOG DELETION POLICY TO SHIPPED TO ALL STANDBY and CONFIGURE
ARCHIVELOG DELETION POLICY TO APPLIED ON ALL STANDBY policies prevent the logs from being
deleted from the primary before they are shipped or applied to the standby. The Oracle Recovery Manager
(RMAN) documentation describes these policies.
Logs are deleted from the database running the backups. They are not deleted from all members of the
Data Guard group.
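
A check for the deletion-policy recommendation, written as an added example (not Rubrik or Oracle code): it reads the text that RMAN prints for SHOW ARCHIVELOG DELETION POLICY on the primary and reports whether archived logs are held until the standby has them. The function names and the sample output lines, including the database name, are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the ARCHIVELOG DELETION POLICY reported by RMAN.
# Feed it the output of "SHOW ARCHIVELOG DELETION POLICY;" run against the
# primary member database.

# Constructed samples of that RMAN output (db_unique_name is made up).
sample_show_output() {
    echo 'RMAN configuration parameters for database with db_unique_name ORCL are:'
    case "$1" in
        default) echo 'CONFIGURE ARCHIVELOG DELETION POLICY TO NONE; # default' ;;
        backup)  echo 'CONFIGURE ARCHIVELOG DELETION POLICY TO BACKED UP 1 TIMES TO DISK;' ;;
        applied) echo 'CONFIGURE ARCHIVELOG DELETION POLICY TO APPLIED ON ALL STANDBY;' ;;
        shipped) echo 'CONFIGURE ARCHIVELOG DELETION POLICY TO SHIPPED TO ALL STANDBY;' ;;
    esac
}

# Reads RMAN output on stdin and prints a one-word verdict.
# Exit status: 0 = policy waits for the standby,
#              1 = policy can delete logs the standby has not received,
#              2 = no policy line found in the input.
classify_deletion_policy() {
    # Keep only the clause between "POLICY TO " and the terminating ";".
    policy=$(sed -n 's/^CONFIGURE ARCHIVELOG DELETION POLICY TO \(.*\);.*$/\1/p' | tail -n 1)
    case "$policy" in
        "")
            echo "unknown"
            return 2 ;;
        "APPLIED ON STANDBY"*|"APPLIED ON ALL STANDBY"*)
            echo "applied-on-standby" ;;
        "SHIPPED TO STANDBY"*|"SHIPPED TO ALL STANDBY"*)
            echo "shipped-to-standby" ;;
        *)
            echo "not-standby-aware: $policy"
            return 1 ;;
    esac
}
```
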

Note:
The Rubrik cluster does not perform a log switch during log backups on the standby host. Instead,
the Rubrik cluster backs up the logs that are available on the standby host. The standby host must
be configured to switch logs at the same frequency as the log backup. Log switching is set with the
ARCHIVE_LAG_TARGET parameter or by forcing log switches on the primary host.
The Oracle Data Guard documentation includes information about setting ARCHIVE_LAG_TARGET.

Backing up Oracle Data Guard groups


Protect the databases in a Data Guard group by assigning the group to an SLA Domain.

Prerequisites
Meet the requirements described in Oracle configuration.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > Oracle DBs.
The Hosts/Clusters page appears.
3. Click DG Groups.
The DG Groups page appears.
4. In the Name column, click the name of a Data Guard group.
Alternatively, enter a name in the search field or use the filters at the top left of the list.
The Local page for the database appears, with the Recovery Points card showing the month view and
the Overview card showing database details.
5. Click Manage Protection.
The Manage Protection dialog box appears.
6. Choose from the following protection options.
Option                Description
Assign an SLA Domain  Select a listed SLA Domain to assign to the host or use the
                      search field to find an SLA Domain that is not listed.
Inherit               Derive protection from the parent SLA Domain.
Do Not Protect        Prevent the Rubrik cluster from capturing policy-driven
                      snapshots for the Data Guard group.
7. In the Archived Redo Log Backup Frequency (Minutes) field, enter an integer value to set the
number of minutes between backups of the archived redo log.
The minimum log backup frequency is 15 minutes. There is no upper limit. Changing the log backup
frequency or retention requires an SLA Domain assignment.
8. In the Archived Redo Log Backup Retention On Brik (Days) field, enter an integer value to set
the number of days to retain the backup.
9. Optional: Switch on the Enable Archived Redo Log Retention On Oracle Host toggle to keep the
archived log files on the host after the backup is completed.
Select this option if the operation for shipping or applying the log to the standby database falls behind
the schedule for performing a log snapshot.
After enabling this option, configure the log retention options. These options are assigned to the
selected databases and do not alter the assigned SLA Domain policy.

Option                                          Description
Set host archived redo log retention ___ hours  Enter an integer value to specify the number of
                                                hours after a log backup completes that the backed
                                                up archived log files should be retained on the host.
Skip archived redo log deletion on the host     Prevents the Rubrik cluster from deleting the backed
                                                up archived logs from the host.
10. Optional: Switch on Choose a backup option.
Indicate the database to back up.
Option                 Description
Use primary database   Back up the primary database. The Rubrik cluster always
                       performs a backup of the database that is currently the
                       primary database.
Use selected database  Select a database to back up from the list.
11. Click Next.
12. Switch on Apply to existing snapshots.
When enabled, the backup is applied to existing snapshots.
13. Optional: Select Include on-demand and downloaded snapshots.
Selecting this option applies the retention changes to existing on-demand and downloaded snapshots.
14. Click Submit.

Result
The Rubrik cluster assigns the selected SLA Domain and the other settings to all databases within the Data
Guard group.

Related reference
Database clone prerequisites
Before cloning, an Oracle database must meet all preliminary requirements.

Placing Oracle Data Guard groups on legal hold


Place a legal hold on a Data Guard group snapshot to prevent the Rubrik cluster from expiring and removing
the snapshot at the end of the assigned retention period.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > Oracle DBs.
The Hosts/Clusters page appears.
3. Click DG Groups.
The DG Groups page appears.
4. In the Name column, click the name of a Data Guard group.
Alternatively, enter a name in the search field or use the filters at the top left of the list.
The Local page for the database appears, with the Recovery Points card showing the month view and
the Overview card showing database details.
5. On the Recovery Points card, select a day that has a green dot.
The green dot indicates a successful snapshot taken on that day.
The Recovery Points card displays the Day view.
6. Open the ellipsis menu and select Place on Legal Hold.
The Place on Legal Hold dialog box opens.
7. Select the Hold snapshot(s) in-place box.
Selecting this option holds the snapshot on the cluster until the Legal Hold is removed.
8. Click Submit.

Result
The Rubrik cluster displays a message saying the snapshot was placed in Legal Hold. Snapshots with a
Legal Hold include a scale icon on their listing.

Changing retention for an Oracle Data Guard group snapshot


Change the retention policy for specified Data Guard group snapshots of a protectable object.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > Oracle DBs.
The Hosts/Clusters page appears.
3. Click DG Groups.
The DG Groups page appears.
4. In the Name column, click the name of a Data Guard group.
Alternatively, enter a name in the search field or use the filters at the top left of the list.
The Local page for the database appears, with the Recovery Points card showing the month view and
the Overview card showing database details.
5. On the Recovery Points card, select a day that has a green dot.
The green dot indicates a successful snapshot taken on that day.
The Recovery Points card displays the Day view.
6. Open the ellipsis menu and select Change Retention.
The Change Retention wizard appears.
7. Choose the retention policy.
Choose one of the following:
• SLA Domain
The snapshots are retained at all locations for the maximum retention time specified by the chosen
SLA Domain. Gold, Silver, and Bronze are the three default local SLA Domains.
• Retain Forever
The snapshots are retained till they are manually deleted.
8. Click Next.
The wizard advances to the next step, displaying the SLA Domain level and the retention period.
9. Review the changes to the SLA Domain level and retention period and click Submit.

Result
Rubrik CDM updates the retention policy for the selected Data Guard group snapshots.

Cloning Oracle Data Guard groups


Replace an Oracle Data Guard group with a fully functional point-in-time copy.

Context
• If a single instance clone fails, some manual cleanup may be required. For more information, see
Managing failed clones.
• The fast recovery area (FRA) is not set for a cloned or live mounted database on other hosts.
Cloning a database uses pre-recovery and post-recovery scripts. These scripts must exist at the provided
path on all the target nodes for an Oracle Real Application Clusters (RAC) and must be executable by the
Oracle user defined for the target host. The Rubrik cluster considers a script exit status other than zero to
be a script failure. The Rubrik cluster displays notifications of script failures in the Activity Log.
Clear the log_archive_config parameter to use a custom PFILE for an automated clone, ensuring that
the Rubrik cluster does not create a Data Guard group database after the clone operation completes.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > Oracle DBs.
The Hosts/Clusters page appears.
3. Click DG Groups.
The DG Groups page appears.
4. In the Name column, click the name of a Data Guard group.
Alternatively, enter a name in the search field or use the filters at the top left of the list.
The Local page for the database appears, with the Recovery Points card showing the month view and
the Overview card showing database details.
5. On the Recovery Points card, select a day that has a green dot.
The green dot indicates a successful snapshot taken on that day.
The Recovery Points card displays the Day view.
6. Open the ellipsis menu and select Clone.
7. Click OK.
The Clone Database dialog box appears.

8. Click Cancel.
9. In Hosts/Clusters, select an Oracle host.
The selected host will be the target of the database mount.
10. Optional: Select Do not restore, make RMAN backup files available for manual recovery.
Select this option to mount the recovery point, and recover files by using Recovery Manager (RMAN)
on the target host.
11. Optional: In Backup Image Path, type a full path on the target host.
Use this optional field to specify where to place the data files during the clone operation.
12. Optional: In Clone Database Name, type a name for the cloned database.
The Clone Database Name field allows databases to be cloned using a different database name.
13. Expand Advanced Cloning Options.
Additional option fields appear.
14. Optional: To execute a pre-recovery script, select Enable Pre/Post Scripts and type the full path of
the pre-recovery script.
The Pre-Recovery Script Path line appears.
15. Optional: To cancel the clone operation if the pre-recovery script fails, select Cancel Recovery if
Pre-Recovery Script fails.
16. Optional: To execute a post-recovery script, type the full path of the post-recovery script.
17. Optional: Select Use custom pfile for recovery, and type the full path of the PFILE.
Specify the full path of the PFILE on the target host.
Selecting this option means that the original SPFILE is not used for the clone operation.
18. Optional: Click the Advanced Cloning Options File and upload a custom advanced cloning options
file.
Additional cloning fields appear.
19. Optional: Click Download Example File.
Download this plain text file to view information about the acceptable parameters and values to pass
to the Rubrik cluster through a custom advanced clone options file.
20. In Choose a Parameter, select ACO options from the list.
The target ORACLE_HOME parameter is required for Data Guard recovery operations.
21. Click Add to include additional parameters and provide the parameter value.
The value cannot be left empty. To clear a PFILE parameter using an ACO option, use a single or
double-quoted empty string for the value.
22. Click Clone.

Result
The Rubrik cluster clones the specified database recovery point and creates a primary database using data
files stored on the selected Oracle host. This database is not discovered as a member of a Data Guard
group.

Backups and archived redo logs


Rubrik CDM protects Oracle databases with backups and archived redo log backups, running as separate
jobs and at different frequencies in the Rubrik cluster.
Database backups and archived redo log backups are required to restore a database. When on-demand
snapshots are taken, both on-demand database backups and on-demand log backups are required. The
Rubrik cluster requires the on-demand log backup to collect archived redo logs. When configuring log
backup, configure the log frequency and log retention.

The Rubrik cluster creates snapshots of the archived redo logs as part of a database snapshot job. A
backup of all the archived redo logs, generated during the database snapshot, is required to restore from
a snapshot. If a database snapshot appears as unrecoverable, verify the archived redo log snapshot is
available to capture the archived redo logs generated over the duration of the database snapshot.
The Rubrik cluster deletes the logs from the source after it saves the log snapshots.
If instant archival is configured, logs are archived to the cloud, and expired from the cloud, in accordance
with the configured log backup retention policy.
Database backups are governed by SLA assignment. Archived redo log backups are governed by log
backup frequency. Database backup retention is governed by SLA retention, and archived redo log backup
retention is governed by log retention hours.
Rubrik CDM leverages Oracle RMAN to perform database backups. This activity directly writes data to the
Rubrik cluster through the Oracle RMAN channels.
Oracle Enterprise version is required to support parallel streaming via all channels.
The database log backup frequency value is inherited from the parent Oracle host or Oracle RAC. Override
this value by setting a value directly for the database. If no value is specified, log backup jobs are not
scheduled.
Database backups expire based on the SLA Domain. Archived redo log backups expire based on the
defined log backup retention policy. The database backup retention configuration must be longer
than the log backup retention configuration.
Related concepts
Policies for archived log deletion
Rubrik CDM deletes logs from a host based on the specified policy for the retention of archived redo logs.
Related tasks
Assigning an SLA Domain to a host or database
Manage and protect discovered Oracle databases with assigned SLA Domains.
Backing up databases
Database backups on a Rubrik cluster use incremental RMAN merge.

Backing up databases
Database backups on a Rubrik cluster use incremental RMAN merge.

Prerequisites
Before starting this task, confirm that all of the requirements described in Oracle configuration are met.

Context
Through the network file system (NFS), the Oracle Recovery Manager (RMAN) reads the previous snapshot
and aggregates the changes to form a new snapshot.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the navigation menu, click Servers & Apps > Oracle DBs.
The Oracle DBs Hosts/Clusters tab appears.
3. Click the selection box next to a host.
4. Optional: Select multiple hosts to apply the same SLA Domain to databases on all of the selected
hosts.
5. Click Manage Protection.
The Manage Protection dialog box appears.

6. Choose from the following protection options.
Options                 Description
Assign an SLA Domain    Select one of the listed SLA Domains to assign to the host. Use the
                        search field to find an SLA Domain that is not listed.
Inherit                 Use the parent SLA Domain.
Do Not Protect          Policy-driven snapshots are no longer captured for this host.
7. In the Archived Redo Log Backup Frequency (Minutes) field, enter an integer value to set the
number of minutes between backups of the archived redo log.
The minimum log backup frequency is 15 minutes. There is no upper limit. Changing the log backup
frequency or retention requires an assigned protection SLA Domain.
8. In the Archived Redo Log Backup Retention On Brik (Days) field, enter an integer value to set
the number of days to retain the backup.
9. Optional: Activate the Enable Archived Redo Log Retention On Oracle Host toggle to keep the
archived log files on the host after the backup is completed.
Configure the log retention options. These options are assigned to the selected databases and do not
alter the assigned SLA Domain policy.
Option                                            Description
Set host archived redo log retention ___ hours    Enter an integer value equal to the number of
                                                  hours after a log backup completes to retain the
                                                  backed up archived log files on the host.
Skip archived redo log deletion on the host       The backed up archived logs are not deleted
                                                  from the host.
10. Click Next.
11. Optional: Click Advanced Settings to configure additional backup options.
Option                                               Description
Number of RMAN Channels                              By default, the number of RMAN channels is set
                                                     to four or to the number of nodes in the Rubrik
                                                     cluster, whichever is smaller.
Distribute backups across RAC nodes automatically    When selected, the Rubrik cluster distributes
                                                     backups evenly across all registered RAC nodes,
                                                     based on the number of backups that are
                                                     currently running on each node.
Nodes                                                Specifies the node order for the backups.
12. Click Next.
13. Optional: Enable Apply to existing snapshots to apply changes made for managing protection to
existing snapshots.
14. Optional: Select Include on-demand and downloaded snapshots to apply the Advanced Setting
changes to on-demand and downloaded snapshots.
15. Click Submit.

Result
The Rubrik cluster assigns the selected SLA Domain and the other settings to the host and all databases
within the selection group.
Related tasks
Assigning an SLA Domain to a host or database

Manage and protect discovered Oracle databases with assigned SLA Domains.
Related reference
Determine the RMAN channels
The number of RMAN Channels is set, by default, to 4 or the number of nodes in the Rubrik cluster,
whichever is smaller.

Determine the RMAN channels


The number of RMAN Channels is set, by default, to 4 or the number of nodes in the Rubrik cluster,
whichever is smaller.
Increase the number of RMAN Channels as needed for large databases.

Database editions     Number of channels
Standard Edition      One channel can be allocated. Backup and restore operations are processed
                      serially.
Enterprise Edition    One or more channels can be allocated. If multiple channels are allocated,
                      backup and restore operations may be processed in parallel.

Oracle Enterprise version is required to grant the permissions to support parallel streaming via all channels.

Important: If a database is restored from storage or virtual machine snapshots, the system change
number (SCN) of the database may be older than the snapshots on the Rubrik cluster, which may cause
subsequent backups to fail. Rubrik recommends that customers perform a full database backup after
restoring the database from storage or virtual machine snapshots.

For clusters, assign node backup priority to each node of an Oracle RAC system using the up or down
arrows.

Backing up logs
Create an archived redo log backup of a database.

Prerequisites
A log backup job is triggered automatically when a database backup job completes. Confirm that the
requirements described in Database clone prerequisites have been met.

Context
RMAN can selectively apply archived redo logs and recover to any point in time.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the navigation menu, click Servers & Apps > Oracle DBs.
The Hosts/Clusters page appears.
3. Click All DBs.
The All Databases page appears.
4. In the Name column, click the name of a database.
The Local page for the database appears.
5. Click Take Log Backup.
A notification regarding the backup job being scheduled appears.

Result
The Rubrik cluster adds the specified log backup to the task queue. The Activity Log tracks the status of
the log backup task.
Related concepts
SLA update log backups
The Rubrik cluster allows administrators to configure log backups as part of an SLA Domain.

Policies for archived log deletion


Rubrik CDM deletes logs from a host based on the specified policy for the retention of archived redo logs.
The Rubrik cluster can delete logs immediately, delete logs after a specified period, or retain logs
indefinitely. The Rubrik cluster deletes archived logs from the Oracle host only after it saves the log
snapshot and after the configured interval.
In the event of a backup failure, the system does not delete the corresponding archived redo logs from the
Oracle host.

Status                                                     Policy
Log snapshot job fails                                     No archived logs are deleted.
Log snapshot job succeeds with no missing logs             All backed up logs are deleted.
Log snapshot job succeeds with one or more missing logs    Only the successfully backed up logs are deleted.

The Rubrik cluster cleans up archived logs upon backup on a best-effort basis. Failure to delete a log is
not considered an overall backup job failure. Continue to perform log management, based on the Oracle
guidelines, for logs not cleared by backup jobs.

Archived log deletion policy delays


Configure the amount of time an archived log is retained on the Rubrik cluster.
Archived logs are deleted after the database backup is successfully completed. When the assigned SLA
Domain is configured with Enable Archived Redo Log Retention On Oracle Host enabled, the
following options to configure the length of retention are available:
• Set host archived redo log retention
• Skip archived redo log deletion on the host
Related tasks
Backing up databases
Database backups on a Rubrik cluster use incremental RMAN merge.

Retry attempts to delete archived logs


The Rubrik cluster automatically retries an archive log deletion that fails.
The Rubrik cluster may be unable to delete certain archived logs. For example, when the RMAN utility fails
to delete the archived logs because a remote instance is out of sync, the Rubrik cluster will try to delete
the logs once but will move on without immediate retry.
The archived log deletion retry is enabled by default on Rubrik CDM version 6.0 and later. It can be
enabled on Rubrik CDM version 5.3.2 and later.
The Rubrik cluster retries deleting archived logs according to the following parameters.

• If deleting an archived log on the host fails at the first attempt, the Rubrik cluster retries the delete
operation for up to seven days or up to the time determined by the host log deletion retry threshold.
After this threshold is reached, the delete operation is no longer attempted.
• The archived logs that Rubrik does not back up are not considered for deletion.
• Rubrik does not support deleting archived logs that are older than the log retention setting if the host
log deletion is configured for skip deletion.
• The log backup time, which specifies the time the log backup job runs, is used to determine which
archived logs can be deleted based on the host log retention setting.
• The host log retention setting cannot be higher for any database than its log retention setting.
Contact Rubrik Support to increase the host log deletion threshold to more than seven days.

Archive log restore


Archive log restore reinstates archived logs from a specified time range or log sequence period.
Archive log restore enables database administrators (DBAs) to roll forward a database by applying only
selected archive logs and enables log mining for historical information by obtaining a series of events that
occurred on the database using the archive logs as input. Archive log restore is available on Rubrik CDM
versions 5.3.3 and later.
Archive log restore uses a time period as input to determine the logs included in the operation. Archive
logs falling within the specified time period are mounted on the target host or RAC cluster over NFS. The
DBA can also manually restore the archive logs.
Archive logs are exposed at the granular level for log snapshots. If an archive log falls within a time period,
all files from that log snapshot are exposed, including the Oracle control files. These files are materialized
in the same channel directories on which they were originally backed up. For log snapshots taken since
Rubrik CDM version 5.3, archive logs are exposed as backup sets rather than individual log files.

Mounting archived logs


Mount archived logs to restore them to a specific time range.

Procedure
1. Log in to the Rubrik CDM web UI and navigate to a snapshot for an active database or a snapshot for
a relic database.
Option                      Description
Active database snapshot    From the left-side menu, click Servers & Apps > Oracle DBs and select
                            the All DBs tab.
Relic database snapshot     From the left-side menu, click Snapshot Management.
A list of the available protected database objects appears or a list of relic objects appears.
2. In the Name column, click a database name.
The Local page for the database appears, including the Recovery Points card.
3. Click Log Mount.
The Log Mount dialog box appears.
4. For From, enter the start date and time of the archive log range.
The start date and time entered must be in the timezone of the cluster.
5. For To, enter the end date and time of the archive log range.
6. In Hosts/Clusters, select an Oracle host or RAC cluster.

The selected host will be the target for the archive log restore.
The target host or cluster need not be the same as the source host or cluster for an archive log
restore.
7. Optional: In Backup Image Path, type a full path on the target host or cluster.
Use this optional field to specify the location of the archived log files during the restore operation.
8. Click Log Mount.

Result
The Rubrik cluster mounts the archived log files to the specified Oracle host or RAC cluster.
After scheduling the log mount, the details of the mount job appear in the Activity Log. Once the log
mount job has completed, the mount is listed on the Live Mounts page with the suffix _Log_Mount
appended to the mounted database name.

Restoring the archived logs manually


The archived logs can be manually restored once the Log Mount completes.

Procedure
1. As the Oracle user, connect to the Oracle target host or the Oracle Real Application Clusters (RAC)
node.
2. Start Recovery Manager (RMAN).
3. Catalog the target host path specified in the Activity Log.
This example catalogs the f043289a-9579-45ca-a7e7-4e0c2ec9e076_b5d3279a-1248-4eba-9deb-42083776de12 host path:
catalog start with '/var/rubrik/oracle/f043289a-9579-45ca-a7e7-4e0c2ec9e076_b5d3279a-1248-4eba-9deb-42083776de12';
4. Restore the logs by providing the start and end date from the time range used for the Log Mount.
Specify times in the database timezone, not the cluster timezone.
This example specifies the time period between 2021-07-20 15:20:00 and 2021-07-20 15:22:00:
restore archivelog from time "to_date('2021-07-20 15:20:00','YYYY-MM-DD HH24:MI:SS')" until time "to_date('2021-07-20 15:22:00','YYYY-MM-DD HH24:MI:SS')";

Result
RMAN restores the archived logs.

Creating an on-demand snapshot


Manually initiate a database snapshot in addition to the policy-based snapshots of the database. Assign an
SLA Domain to manage that snapshot.

Prerequisites
Confirm the configuration is complete as defined in Oracle database management.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the navigation menu, click Servers & Apps > Oracle DBs.
The Hosts/Clusters page appears.

3. Click All DBs.
The All Databases page appears.
4. In the Name column, click the name of a database.
The Local page for the database appears.
5. Click Take DB Backup.
The Take DB Backup dialog box appears.
6. Select an SLA Domain.
The Rubrik cluster uses the rules and policies of the selected SLA Domain to manage the on-demand
snapshot. The selected SLA Domain can be different from the SLA Domain that protects the database.
To manually manage the on-demand snapshot through the Snapshot Management page, select
Forever.
7. Click Take On Demand Snapshot.

Result
The Rubrik cluster adds the specified on-demand backup to the task queue. The Activity Log tracks the
status of the on-demand backup task. The Rubrik cluster manages the snapshot based on the rules and
policies of the selected SLA Domain.
Related concepts
SLA Domain assignment
Use SLA Domains to apply the data protection policies to an individual virtual machine or a selected set of
virtual machines.

Point-in-time recovery
Point-in-time recovery restores database and log snapshots to the defined point in time.
Recover to a specific point-in-time by selecting a recovery time, from the recoverable range, in the Rubrik
CDM web UI.
Recovery points are based on the last snapshot created before the selected point in time and the archived
redo log backups created between the time of the snapshot and the selected recovery point. The Rubrik
cluster recovers the database from the snapshot and the log content is unrolled and applied up to the
selected point in time.
Assign a database to an SLA Domain with frequent snapshots to ensure quick recovery. The closer the
snapshot to the selected recovery point, the shorter the recovery time objective (RTO) the process
requires.
Supported recovery options are:
• Database recovery to a different single instance Oracle host or Oracle RAC with RBS installed
• Database recovery to a different single instance ASM-managed Oracle host with RBS installed
• Tablespace recovery to the same single instance Oracle host or Oracle RAC with a database configured
• Files only (data files, archived logs and control files)
• The Export files only option copies all the files to the host
• The Live Mount files only option keeps the files on the mounted (via NFS) Rubrik CDM storage
• Live Mount recovery to a different single instance Oracle host or Oracle RAC system
• Live Mount recovery to a different single instance ASM-managed Oracle host
• Instant Recovery to the same single instance Oracle host or Oracle RAC where the original database is
destroyed
• Instant Recovery to the same single instance ASM-managed Oracle host where the original database is
destroyed

• Same host recovery to restore a database back to the production Oracle host or Oracle RAC, up to the
latest available recovery point
To resume protection of a restored database, assign an SLA Domain to the database separately. Live Mount
databases are not backed up. A Live Mount must be migrated off the Rubrik CDM storage and unmounted
before a backup is created. An SLA Domain cannot be assigned to a live mounted database directly. The
Live Mount can inherit the SLA Domain from its parent but backups cannot occur until the live mounted
database is migrated and unmounted.
By default, restore operations allocate 30% of the host memory as the value of the SGA_TARGET
parameter, which specifies the total memory size of the System Global Area. Restore operations also
allocate 10% of host memory as the value for the PGA_AGGREGATE_TARGET parameter, which specifies
the total memory size of the Program Global Area. To enable successful restore operations, the value of
the SHMMAX setting must be at minimum 40% of the memory available on the host. The SHMMAX setting
defines the maximum size of a segment of shared memory.
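A preflight check for the memory rule above, as an added example that is not Rubrik code: it computes the default SGA_TARGET and PGA_AGGREGATE_TARGET sizes and tests SHMMAX against the 40% minimum. It assumes a Linux target host and takes MemTotal from /proc/meminfo as the host memory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Rubrik code): restore memory preflight for an Oracle target host.
# Assumptions: Linux /proc layout; "host memory" is taken to be MemTotal.

# restore_memory_plan MEM_TOTAL_KB SHMMAX_BYTES
# Prints "<sga_target_kb> <pga_aggregate_target_kb> <min_shmmax_kb>".
# Returns 0 when SHMMAX is at least 40% of host memory, 1 otherwise.
restore_memory_plan() {
    # awk does the arithmetic because the default Linux SHMMAX value
    # (18446744073692774399) overflows signed 64-bit shell arithmetic.
    awk -v mem_kb="$1" -v shmmax="$2" 'BEGIN {
        sga_kb = int(mem_kb * 30 / 100)      # default SGA_TARGET for a restore
        pga_kb = int(mem_kb * 10 / 100)      # default PGA_AGGREGATE_TARGET
        need_b = mem_kb * 1024 * 40 / 100    # minimum SHMMAX, in bytes
        printf "%.0f %.0f %.0f\n", sga_kb, pga_kb, need_b / 1024
        exit (shmmax + 0 >= need_b) ? 0 : 1
    }'
}

# check_host_shmmax
# Runs the plan against the live values of the host it is executed on.
check_host_shmmax() {
    mem_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo) || return 2
    shmmax=$(cat /proc/sys/kernel/shmmax) || return 2
    if plan=$(restore_memory_plan "$mem_kb" "$shmmax"); then
        echo "OK: SHMMAX=$shmmax bytes; plan (kB): $plan"
    else
        echo "FAIL: SHMMAX=$shmmax bytes is below 40% of MemTotal; plan (kB): $plan" >&2
        return 1
    fi
}
```

Source the file on the target host and call check_host_shmmax before starting a restore, clone, or Live Mount.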

Number of channels in recovery


The value for the number of channels in recovery can be configured for Live Mount, Clone, Restore, Instant
Recovery, and Validation operations.
Changing the number of recovery channels for Live Mount, Instant Recovery, and validation operations
is optional. By default, the number of channels used for recovery is the same as the number of channels
used in the database and log snapshots being recovered.
The value for the number of channels in recovery determines the number of channels allocated in the
RMAN scripts. The number of channels must be greater than zero and less than or equal to 32.
Changing the number of channels in recovery affects CPU and memory usage during the recovery process.
Contact Rubrik Support to configure the maximum number of channels in recovery to a higher threshold.

Live Mount for Oracle


A Live Mount creates a new database from a point-in-time copy of the source database to expedite the
total recovery time.
Live Mount databases are typically used to:
• Reduce recovery time when a problem occurs with the source database
• Perform database testing on a copy of the source database
To perform a fully automated Live Mount recovery, the source and target configurations must be the
same. For example, recover an Oracle RAC to an Oracle RAC, an Oracle single instance to an Oracle
single instance, and an ASM-managed database to an ASM-managed database. The source and target
configurations need not be the same on a files-only Live Mount recovery.
Any existing tempfiles on the target host that use the same path as any tempfiles associated with the
source database are overwritten during clone or Live Mount operations.
The Rubrik cluster supports automated recovery only for databases created using an SPFILE file.
Databases created using a PFILE must use DBA managed recovery.
Live Mount requires a database backup containing all the data files. Perform a database backup after
adding a new data file.
Block change tracking (BCT) is disabled on the target database during a Live Mount operation even if it is
enabled on the source database.

To restore to a point in time after a data file was added but before the next database backup was taken,
use one of the following options:
• Cloning databases
• Live Mount for Oracle (files only)
The following table describes the available Live Mount options.

Option                        Description
Fully-automated Live Mount    During the Live Mount of an Oracle database backup, Rubrik CDM
                              automatically mounts the data files, creates the database instance,
                              and adds the new database to the /etc/oratab file on the Oracle host.
DBA-managed Live Mount        As part of the Live Mount task, Rubrik CDM also provides the
                              alternative to mount the backup image, the datafiles, and the control
                              files at a specified location on the Oracle host. The data remains on
                              the Rubrik cluster with a specified mount point on the Oracle host.
                              This method permits the DBA to perform the actual recovery using
                              custom scripts.
                              If the recovery point is a snapshot that is not the most recent
                              snapshot, the Rubrik cluster automatically runs a full backup after
                              the recovery.

Related concepts
SPFILE requirements
The Rubrik cluster uses the original SPFILE of the source database for recovery during clone and Live
Mount operations unless an alternate custom PFILE is specified.
Advanced Oracle database clone and mount parameters
A parameters file provides the ability to specify advanced recovery options for live mount and cloning
tasks.
Related tasks
Backing up databases
Database backups on a Rubrik cluster use incremental RMAN merge.

Live Mount and snapshot chain consolidation


In some cases, live mounted databases can impact snapshot chain consolidation.
To reduce storage impact, expired snapshots are periodically deleted and the remaining snapshots are
consolidated into a new snapshot chain.
If a snapshot used for a live mounted database expires while the Live Mount is active, the snapshot data
cannot be removed until the live mounted database is unmounted. Once it is unmounted, the snapshot
data is removed, the snapshot chain is consolidated, and the Rubrik cluster reclaims the resulting free
space.

Important: To avoid shutting down the database, do not use force unmount.

Directories created before a recovery operation


The Rubrik cluster automatically attempts to create the most common directories before the recovery
operation.
The directories the Rubrik cluster creates before a recovery operation include online log paths, audit
file paths, tempfile paths, and control file paths. If the Rubrik cluster cannot create the directories
automatically, it sends a warning event for each of the failed attempts to create a directory to the
activity log. To create Automatic Storage Management (ASM) directories, the Oracle user configured for
the target host must have permissions to create directories on ASM using the asmcmd command.

Live Mount prerequisites


Before performing a Live Mount using an Oracle database snapshot, ensure that the target host meets the
preliminary requirements.

Requirement                     Description
Rubrik Backup Service (RBS)     RBS must be installed on the single instance server or each Oracle
                                RAC system node.
Home path and target version    The Oracle installation must have the same Oracle Home path and
                                Oracle software version as the Live Mount instance.
Source and target paths         Before initiating a restore, the destination file system directories
                                must be available and identical to the file system of the clone
                                source. The access permissions must also be the same.
Unique SIDs                     The target host must not contain another instance with the same SID
                                and database ID. The Live Mount script checks if there is any
                                instance with the same SID already running on the target host. The
                                live mounted database is created with the same database name and
                                database SID.
Memory requirements             The target host must have enough memory to run the database and
                                perform recovery. A successful recovery requires 30% of the source
                                total memory and 10% of the target total memory.
Permissions                     The Oracle host or Oracle RAC and databases must be assigned restore
                                permission.
Database availability           At least one snapshot of the database must be completed.
Clean target                    Any stale backup files on the target host (including the FRA) that
                                belong to the database being restored must be removed.

Related concepts
Directories created before a recovery operation
The Rubrik cluster automatically attempts to create the most common directories before the recovery
operation.
Related tasks
Installing Rubrik Backup Service software on Oracle
Download and install the Rubrik Backup Service software on selected Oracle hosts/nodes.

Mounting a database backup using Live Mount


Use Live Mount to create a new database from a point-in-time copy of a source Oracle database.

Prerequisites
Complete the prerequisites as described in Live Mount prerequisites.

To live mount a recovery point that is between snapshots, successfully complete archived redo log backups
that cover the recovery point period.
Live Mount requires a database backup containing all data files.

Context
With Live Mount the database is instantiated from a copy stored on Rubrik CDM. Live Mount brings up the
database with data files present on storage but redo logs and control files are on the host (FS/ASM) to
allow live migration. Only the data files are migrated. Redo logs and control files are not migrated.
Mounting a database uses pre-recovery and post-recovery scripts. All the target nodes for a Real
Application Clusters (RAC) must have these scripts at the provided path, and the Oracle user defined for
the target host must be able to execute these scripts. The Rubrik cluster considers a script exit status
other than 0 to be a script failure. The Rubrik cluster displays notifications of script failures in the Activity
Log.
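A preflight for the script requirements stated here and in the cloning Context, as an added example that is not Rubrik code: it checks that a pre- or post-recovery script is given as a full path, exists on the node, and is executable by the current user, then shows how its exit status would be judged. The function names are hypothetical, and the refusal of group- or world-writable scripts is a hardening assumption, not a requirement from the guide.

```shell
#!/bin/sh
# Added example (not Rubrik code): preflight for a pre- or post-recovery script.
# Run it as the Oracle user of the target host, on every target node of a RAC.

# check_recovery_script PATH
# Returns 0 when PATH can serve as a pre/post-recovery script on this node.
# Otherwise prints the reason to stderr and returns 2, 3, 4 or 5.
check_recovery_script() {
    script=$1
    case "$script" in
        /*) ;;    # the wizard asks for the full path of the script
        *)  echo "not a full path: $script" >&2; return 2 ;;
    esac
    if [ ! -f "$script" ]; then
        echo "not present on $(uname -n): $script" >&2; return 3
    fi
    if [ ! -x "$script" ]; then
        echo "not executable by $(id -un): $script" >&2; return 4
    fi
    # Hardening assumption (not stated in the guide): the script runs with the
    # Oracle user's privileges, so only its owner should be able to modify it.
    if [ -n "$(find "$script" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "writable by group or others: $script" >&2; return 5
    fi
    return 0
}

# dry_run_recovery_script PATH
# Executes the script once (use a test target: this really runs it) and
# applies the rule from the guide: any exit status other than 0 is a failure.
dry_run_recovery_script() {
    check_recovery_script "$1" || return $?
    status=0
    "$1" || status=$?
    if [ "$status" -ne 0 ]; then
        echo "exit status $status would be reported as a script failure: $1" >&2
        return 1
    fi
    return 0
}
```

Because the script must exist at the same path on all target nodes, repeat check_recovery_script on each RAC node before enabling Pre/Post Scripts in the wizard.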

Procedure
1. Log in to the Rubrik CDM web UI and navigate to the active or relic data object.
Option                        Description
Active database navigation    From the navigation menu, click Servers & Apps > Oracle DBs > All DBs.
Relic database navigation     From the navigation menu, click Snapshot Management.
The Hosts/Clusters or All Objects page lists all available data objects.
2. In the Name column, click the name of a database.
Alternatively, enter a name in the search field or use the filters at the top left of the list.
The Local page for the database appears, with the Recovery Points card showing the month view.
3. On the Recovery Points card, select a day that has a green dot.
The green dot indicates a successful snapshot taken on that day.
The Recovery Points card displays the Day view.
4. Move the Recovery point slider to select a recovery point.
To select a snapshot, move the slider to a snapshot indicator or click the snapshot indicator dot. The
selected time icon changes.
To select a recovery point other than a snapshot time, move the slider to choose that time. The time
appears in the time field and the selected time icon changes. Alternatively, type a specific time in the
time field.
5. Open the ellipsis menu and select Mount.
The target Oracle hosts or Oracle RAC systems are shown in the dialog box.
6. In Hosts/Clusters, select an Oracle host.
The selected host will be the target of the database mount.
7. Optional: Select Do not restore, make RMAN backup files available for manual recovery.
Select this option to mount the recovery point, and recover files by using RMAN on the target host.
8. Optional: In Backup Image Path, type a full path on the target host.
Use this optional field to specify where to place the datafiles during the mount operation.
9. Optional: In Number of RMAN Channels (Optional), enter the number of Oracle Recovery
Manager (RMAN) recovery channels.
By default, the number of RMAN channels used for recovery is the same as the number of channels
used in the database and the number of log snapshots being recovered.
10. Optional: Expand Advanced Mount Options.
Additional option fields appear.
11. Optional: To execute a pre-recovery script, select Enable Pre/Post Scripts and type the full path of
the pre-recovery script.
The Pre-Recovery Script Path line appears.
12. Optional: To cancel the Live Mount operation if the pre-recovery script fails, select Cancel Recovery
if Pre-Recovery Script fails.
13. Optional: To execute a post-recovery script, type the full path of the post-recovery script.
14. Optional: Select Use custom pfile for recovery, and type the full path of the PFILE.
Specify the full path of the PFILE on the target host.
Selecting this option means that the original SPFILE is not used for the mount operation.
15. Optional: Click the Advanced Mount Options File and upload a custom advanced mounting options
file.
The Rubrik cluster parses the uploaded file and the values are displayed in the UI along with the
corresponding validation errors, if any. The values should be modified if necessary.
16. Optional: Click Download Example File.
Download this plain text file to view information about the acceptable parameters and values to pass
to the Rubrik cluster through a custom advanced mount options file.
17. Optional: In Choose a Parameter, select Advanced Cluster Options (ACO) from the list.
18. Click Add to include additional parameters and provide the parameter value.
The value cannot be left empty. To clear a PFILE parameter using an ACO option, use a single or
double-quoted empty string for the value.
19. Click Mount.

Result
The Rubrik cluster mounts the NFS share to the specified Oracle host and brings up the Oracle database
using datafiles stored on Rubrik CDM.
The Live Mount will fail if any of the following reboots: the live mounted host, the RAC, or the Rubrik
cluster. If a Live Mount fails, go to the Live Mounts page, find the failed Live Mount entry, and use the
Unmount command with the Force option. This removes the metadata from the failed Live Mount. Then
retry the Live Mount.
Related concepts
Local host page
Recovery Points card
The Recovery Points card provides access to the available snapshots and log backups of the database.
Direct NFS
Available in Oracle 11g and newer, Direct NFS (dNFS) runs in the database kernel and provides an
optimized NFS client.
Backups and archived redo logs
Rubrik CDM protects Oracle databases with backups and archived redo log backups, running as separate
jobs and at different frequencies in the Rubrik cluster.
Advanced Oracle database clone and mount parameters
A parameters file provides the ability to specify advanced recovery options for live mount and cloning
tasks.

Recover databases after a file-only live mount


Manually recover an Oracle database after performing a file-only live mount.
File-only live mounts allow the DBA to mount the backup images from the Rubrik cluster, including
datafiles, control files, and archivelog files at a specified location on the Oracle host. The datafiles remain
on the Rubrik cluster with a specified mount point on the Oracle host. Recovering from a file-only live
mount requires that the DBA create a pfile and then perform the recovery with the RMAN utility.

Files required for file-only live mount


There are a number of files required to recover a database from a file-only live mount.

File | SQLPLUS command for file
Audit trail file | SELECT value FROM v$parameter WHERE name='audit_file_dest';
Oracle control file | SELECT value FROM v$parameter WHERE name='control_files';
Oracle spfile | SELECT value FROM v$parameter WHERE name='spfile';
Oracle data file | SELECT name FROM v$datafile;
Oracle temp file | SELECT name FROM v$tempfile;
Oracle online redo log file | SELECT member FROM v$logfile;
Oracle archivelog file | SELECT value FROM v$parameter WHERE name='log_archive_dest_1';
Oracle fast recovery area file | SELECT value FROM v$parameter WHERE name='db_recovery_file_dest';
Oracle DBID | SELECT dbid FROM v$database;

Creating the initial pfile


Recovering an Oracle database requires creating an initial pfile.

Procedure
1. Use SSH to connect to the Oracle host.
2. Change to the Oracle user.
3. Create the pfile.
Type this command:
echo 'db_name=DB_NAME' > /tmp/initDB_NAME.ora
Where DB_NAME is the name of the database being recovered.
This example specifies a database named orcl.
echo 'db_name=orcl' > /tmp/initorcl.ora

Result
The echo command creates a pfile with the specified properties.

Recovering an Oracle database


Use the RMAN utility to perform an Oracle database recovery.

Procedure
1. As the Oracle user, connect to the Oracle host.
2. Set the ORACLE_HOME environment variable.
Type this:
export ORACLE_HOME=$ORACLE_HOME
Where $ORACLE_HOME is the Oracle database installation directory.
3. Set the value for the ORACLE_SID environment variable.
Type this:
export ORACLE_SID=$ORACLE_SID
Where $ORACLE_SID is the SID of the database being recovered.
4. Set the PATH environment variable.
Type this:
export PATH=$ORACLE_HOME/bin:$PATH
5. Set the language used by the Oracle database.
Type this:
export NLS_LANG=american
6. Set the date display.
Type this:
export NLS_DATE_FORMAT="dd-MON-YYYY hh24:mi:ss"
7. Start RMAN and create a log.
Type this:
rman target / log=/tmp/live_mount.log
8. At the RMAN prompt type: set echo on;.
RMAN writes the commands to the log.
9. At the RMAN prompt type: startup nomount pfile='/tmp/initDB_NAME.ora';.
Where DB_NAME is the name of the database being recovered.
This example specifies a database named orcl.
startup nomount pfile='/tmp/initorcl.ora';
RMAN puts the Oracle instance at the nomount stage.
10. Set the database ID.
From RMAN, type this command:
set dbid DBID;
Where DBID is the ID of the database being recovered.
This example sets the database ID to 1995079040.
set dbid 1995079040;
The database ID is set.
11. Restore the spfile.
Type this:

run
{
set controlfile autobackup format for device type disk to
'file_only_live_mount_path/%F';
restore until time "to_date('pit_date_time', 'YYYY-MM-DD HH24:MI:SS')"
spfile from autobackup;
}

Where file_only_live_mount_path is the file only live mount path, and pit_date_time is the latest date
for the restore.
This example specifies a controlfile named controlfile_%F.

run
{
set controlfile autobackup format for device type disk to
'/u02/lm/665e5d60-7a51-4409-9a61-e3fa38736fd2_5bf14eb6-9f89-4c35-8a91-5c5d6c76f630/c0/controlfile_%F';
restore until time "to_date('2020-04-05', 'YYYY-MM-DD HH24:MI:SS')"
spfile from autobackup;
}

The command restores the spfile.


12. Shut down the instance.
From RMAN, type this command:
shutdown immediate;
The instance shuts down.
13. Start the instance.
From RMAN, type this command:
startup nomount;
The instance starts, using the restored spfile.
14. Restore the controlfile.
Type this:

run
{
set controlfile autobackup format for device type disk to
'file_only_live_mount_path/%F';
restore until time "to_date('pit_date_time', 'YYYY-MM-DD HH24:MI:SS')"
controlfile from autobackup;
}

Where file_only_live_mount_path is the file only live mount path, and pit_date_time is the latest date
for the restore.
This example specifies a controlfile named controlfile_%F.

run
{
set controlfile autobackup format for device type disk to
'/u02/lm/665e5d60-7a51-4409-9a61-e3fa38736fd2_5bf14eb6-9f89-4c35-8a91-5c5d6c76f630/c0/controlfile_%F';
restore until time "to_date('2020-04-05', 'YYYY-MM-DD HH24:MI:SS')"
controlfile from autobackup;
}

The command restores the controlfile.


15. Mount the database.
From RMAN, type this command:
alter database mount;
The command mounts the database.
16. Disable Flashback.
From RMAN, type this command:
alter database flashback off;
The command disables Flashback.
17. Clean up the RMAN repository.
From RMAN, type these commands:

RMAN> delete noprompt force expired archivelog all;
RMAN> crosscheck copy;
RMAN> delete noprompt expired copy;
RMAN> crosscheck backup;
RMAN> delete noprompt expired backup;
RMAN> delete noprompt obsolete;

RMAN cleans the RMAN repository from the restore operation changes.
18. Catalog the RMAN repository.
From RMAN, type this command:
catalog start with 'file_only_live_mount_path' noprompt;
RMAN catalogs the RMAN repository.
19. Switch databases.
From RMAN, type this command:
switch database to copy;
Oracle switches database files.
20. From RMAN, type the run command.
RMAN prompts for media recovery information.
21. Perform the media recovery.
The syntax is:

run
{
set until time "to_date('pit_date_time', 'YYYY-MM-DD HH24:MI:SS')";
recover database;
}

Where pit_date_time is the latest date for the database recovery.


This example provides a date of 2020-04-05.

run
{
set until time "to_date('2020-04-05', 'YYYY-MM-DD HH24:MI:SS')";
recover database;
}

22. From RMAN, type this command:
alter database open resetlogs;
Oracle opens the database with the RESETLOGS option.

Result
The RMAN utility recovers the Oracle database.
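
The RMAN steps above can be collected into one command file. The following shell functions are an added example, not part of the Rubrik guide: they validate each input before it is placed inside a quoted RMAN string, then print the commands from steps 8 through 22. The function names and the optional fifth argument (the autobackup file prefix) are assumptions; the sample path in the usage comment is constructed.

```shell
#!/bin/sh
# Added example: emit the RMAN commands for recovery after a file-only live
# mount (steps 8-22 above) as one command file. Function names are assumptions.

# db_name: letter first, then letters, digits or underscore; at most 8
# characters (deliberately stricter than what Oracle accepts).
valid_db_name() {
    case $1 in [A-Za-z]*) ;; *) return 1 ;; esac
    case $1 in *[!A-Za-z0-9_]*) return 1 ;; esac
    [ "${#1}" -le 8 ]
}

# DBID: digits only.
valid_dbid() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
}

# Recovery time: exactly YYYY-MM-DD HH:MM:SS (shape only, not calendar validity).
valid_pit_time() {
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]' '[0-9][0-9]:[0-9][0-9]:[0-9][0-9])
            return 0 ;;
    esac
    return 1
}

# Path: absolute, and limited to characters that cannot close a quoted string.
valid_path() {
    case $1 in /*) ;; *) return 1 ;; esac
    case $1 in *[!A-Za-z0-9_./-]*) return 1 ;; esac
}

# gen_rman_script DB_NAME DBID MOUNT_PATH PIT_TIME [AUTOBACKUP_PREFIX]
# AUTOBACKUP_PREFIX defaults to "MOUNT_PATH/"; %F is appended to it.
gen_rman_script() {
    db_name=$1 dbid=$2 mount_path=$3 pit_time=$4
    ab_prefix=${5:-$mount_path/}
    valid_db_name "$db_name"   || { echo "invalid db_name" >&2; return 1; }
    valid_dbid "$dbid"         || { echo "invalid dbid" >&2; return 1; }
    valid_path "$mount_path"   || { echo "invalid mount path" >&2; return 1; }
    valid_path "$ab_prefix"    || { echo "invalid autobackup prefix" >&2; return 1; }
    valid_pit_time "$pit_time" || { echo "invalid recovery time" >&2; return 1; }
    cat <<EOF
set echo on;
startup nomount pfile='/tmp/init${db_name}.ora';
set dbid ${dbid};
run
{
set controlfile autobackup format for device type disk to '${ab_prefix}%F';
restore until time "to_date('${pit_time}', 'YYYY-MM-DD HH24:MI:SS')" spfile from autobackup;
}
shutdown immediate;
startup nomount;
run
{
set controlfile autobackup format for device type disk to '${ab_prefix}%F';
restore until time "to_date('${pit_time}', 'YYYY-MM-DD HH24:MI:SS')" controlfile from autobackup;
}
alter database mount;
alter database flashback off;
delete noprompt force expired archivelog all;
crosscheck copy;
delete noprompt expired copy;
crosscheck backup;
delete noprompt expired backup;
delete noprompt obsolete;
catalog start with '${mount_path}' noprompt;
switch database to copy;
run
{
set until time "to_date('${pit_time}', 'YYYY-MM-DD HH24:MI:SS')";
recover database;
}
alter database open resetlogs;
EOF
}

# Usage (constructed path; DB name and DBID are the ones from the examples above):
#   gen_rman_script orcl 1995079040 /u02/lm/sample '2020-04-05 00:00:00' > "$HOME/live_mount.rman"
#   rman target / cmdfile="$HOME/live_mount.rman" log=/tmp/live_mount.log
```

Review the generated file before running it, because the cleanup and resetlogs commands change the RMAN repository and the database incarnation.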

Verifying the Live Mount


Use the SQLPLUS utility to verify the Live Mount after the Oracle database recovery.

Procedure
1. As the Oracle user, connect to the Oracle host.
2. Start SQLPLUS.
3. At the SQLPLUS prompt, type: select dbid,name,open_mode,log_mode,controlfile_type
from v$database;
SQLPLUS displays the database ID, name, open mode, log mode, and control file type for the Rubrik backup
image database file copy.
4. At the SQLPLUS prompt, type: select name from v$datafile;
SQLPLUS displays the name of the Rubrik backup image database file copy.
5. At the SQLPLUS prompt, type: select member from v$logfile;
SQLPLUS displays the location of the log files.
6. At the SQLPLUS prompt, type: select name from v$tempfile;
SQLPLUS displays the location of the temp files.
7. At the SQLPLUS prompt, type: select name,value from v$parameter where
name='spfile';
SQLPLUS displays the name of the spfile.
8. At the SQLPLUS prompt, type: select name,value from v$parameter where
name='control_files';
SQLPLUS displays the name of the control file.

Result
The Oracle user verifies the Live Mount.

Instant Recovery for Oracle


Replace an Oracle database with a fully functional point-in-time copy.
Before performing an Instant Recovery, drop the existing database. To gradually move database storage
back to the native storage on the database host, use the Oracle live migration feature after Instant
Recovery. Instant recovery brings up the database storage with data files present. However, redo logs and
control files are on the host (FS/ASM) to allow live migration.
Instant recovery requires a database backup containing all the data files. Perform a database backup
after adding a new data file. To restore to a point in time after a data file was added but before the next
database backup was taken, use one of the following options:
• Performing a Same Host recovery
• Use the files only option for Mounting a database backup using Live Mount
Live migration is managed by Oracle, outside of the Rubrik cluster. For more information refer to the Oracle
documentation.
The Rubrik cluster mounts the database snapshot on the selected standalone Oracle host or Oracle RAC,
connects the recovered single instance Oracle host or Oracle RAC to the network, and powers up the new
instance.

Rubrik CDM requires that the parent directories designated in data file paths, control file paths, redo log
paths, audit file destination, FRA path, and the spfile path exist on the Oracle host, or individual node of
the Oracle RAC system, before the recovery process. This applies to both local file-system paths and ASM
paths.
During the process, messages about the status appear in the Activity Log. Once the process is complete,
the Rubrik cluster records the final result of the task in the Activity Log. The Rubrik cluster lists the
recovered Oracle database on the Live Mounts page of the Rubrik CDM web UI.
The instantly recovered Oracle database derives SLA Domain protection from parent objects. Even though
the SLA Domain is inherited, backups fail until the database is migrated off Rubrik cluster storage and the Live Mount is unmounted.
Before attempting an Instant Recovery, review the following configuration details:
• Confirm the source database is running an spfile. Instant Recovery fails on Oracle databases without
an spfile.
• The Rubrik cluster supports automated recovery only for databases created using an SPFILE file.
Databases created using a PFILE must use DBA managed recovery.
• Remove any stale backup files on the target host (including the FRA) that belong to the database being
restored.
• During an Instant Recovery, Rubrik CDM expects the parent directories for the different parameters like
data file paths, control file paths, redo log paths, audit file destination, FRA path, and spfile path to
already exist on the Oracle host, or individual node of the Oracle RAC, before the recovery process. This
applies to both local file-system paths and ASM paths.
• For an Oracle RAC or standalone Oracle host with ASM database, if the control files are present on both
ASM and local file-system, only the files on ASM are restored during Instant Recovery.
• Before Recover Production, the database has to be dropped using the DROP DATABASE command.

Important: Do not use dbca or similar tooling that deletes the entire database including the base
directories.
• An Instant Recovery does not change the location for redo logs but does consolidate the multiple
members of redo log groups into a single member for each group.
Related concepts
On-demand snapshots
Related tasks
Dropping a database
Before performing an instant recovery, drop the Oracle RAC or standalone Oracle database.

Dropping a database
Before performing an instant recovery, drop the Oracle RAC or standalone Oracle database.

Context
This task describes steps to delete and unregister (drop) a database on the Oracle RAC system. Oracle
online documentation provides information specific to standalone databases.

Procedure
1. Set the cluster database to FALSE.

SQL> alter system set cluster_database=FALSE scope=spfile sid='*';

The system responds with the message System altered.

2. Stop the database service.

srvctl stop database -d db_name

3. Start the database in mount exclusive mode, with logins restricted.

SQL> startup mount exclusive restrict

The system responds with the message ORACLE instance started. When the mount completes
successfully, the following message appears: Database mounted.
4. Optional: Verify that the database is mounted with logins restricted.

SQL> select instance_name,status,logins from v$Instance;

5. Drop the database.

SQL> DROP DATABASE;

The system responds with the message Database dropped.


6. Remove the database service from the Oracle RAC.

srvctl remove database -d db_name -y

7. Manually remove the database entry in /etc/oratab on each individual node of the Oracle RAC.

Result
The system deletes and unregisters the Oracle RAC or standalone Oracle database.
Related information
Oracle Help Database Backup and Recovery Reference - DROP DATABASE

Performing an Instant Recovery


Use Instant Recovery to replace a database with a point-in-time copy.

Prerequisites
• Oracle restore permissions must be set before recovery. Oracle Help Center - Credentials Required to
Perform Backup and Recovery describes Oracle restore permissions.
• Before recovering a RAC database, drop the existing RAC database as described in Dropping a database.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the navigation menu, click Snapshot Management.
3. In the Name column, click the name of a database.
Alternatively, enter a name in the search field or use the filters at the top right of the list.
The Local page for the database appears, with the Recovery Points card showing the month view.
4. Select a snapshot or an archival snapshot.
5. Open the ellipsis menu for the snapshot.
6. Click Instantly Recover.
The Instantly Recover Snapshot dialog box appears.
7. Optional: In Number of RMAN Channels (Optional), enter the number of Oracle Recovery
Manager (RMAN) recovery channels.
By default, the number of RMAN channels used for recovery is the same as the number of channels
used in the database and the number of log snapshots being recovered.
8. Click Instantly Recover.

Result
The Rubrik cluster instantly recovers the database back to the source Oracle server or cluster. Recovered
datafiles are mounted on the Rubrik cluster and the database instance is created on the server.

Next task
Migrate the database off of the Rubrik cluster and unmount the Live Mount before adding SLA Domain
protection.
Related tasks
Dropping a database
Before performing an instant recovery, drop the Oracle RAC or standalone Oracle database.
Mounting a database backup using Live Mount
Use Live Mount to create a new database from a point-in-time copy of a source Oracle database.

Database clones for Oracle


Select a recovery point on the Oracle database to clone to a target location.
The target location must be an Oracle host or Oracle RAC cluster other than the source Oracle host or RAC
cluster. Using the source Oracle host or RAC cluster as the target location can damage the source database
during the cloning process. The source Oracle host or RAC cluster is listed in the UI.
The target Oracle host or Oracle RAC must be registered with the same Rubrik cluster as the source. To
ensure compatibility, the target host or RAC cluster must also use the same version of Oracle binaries.
Rubrik CDM supports the following clone scenarios:
• Oracle RAC database to Oracle RAC database
• Single instance database using FS to another single instance server using FS
• Single instance database using ASM storage to another single instance server using ASM
• Clone to another instance using a minimal spfile to provide the clone configuration parameters. In
this case the source database spfile is restored on the target host, replacing the minimal spfile
provided to create the clone.
The Rubrik cluster supports automated recovery only for databases created using an SPFILE file.
Databases created using a PFILE must use DBA managed recovery.
For an Oracle RAC database clone, the target Oracle RAC database must have at least as many nodes as
the source Oracle RAC database. Nodes are assigned in numerical order.
During a clone operation, BCT is enabled on the target database if it is enabled on the source database.
Any existing tempfiles on the target host that use the same path as any tempfiles associated with the
source database are overwritten during clone or Live Mount operations.

Example: Oracle RAC database clone

Clone configuration for an Oracle RAC database with four nodes, n1, n2, n3, and n4, and a database
running on two of those nodes, n3 and n4. The Oracle RAC database is cloned to a target Oracle RAC
system with nodes t1, t2, t3, and t4. Rubrik CDM brings up the database on nodes t1 and t2.
The configuration can be manually changed to match the configuration of the original Oracle RAC.
The following table describes the available clone configuration options.

Option | Description
Fully-automated clone | Restores the database files and recovers the database. Starts the database instance after creating it and updates the /etc/oratab file.
DBA-managed clone | The database files and archived logs are exposed for DBA recovery with custom scripts. If the recovery point is not the most recent snapshot, a full backup is created after the recovery completes.

Related concepts
Advanced Oracle database clone and mount parameters
A parameters file provides the ability to specify advanced recovery options for live mount and cloning
tasks.

Database clone prerequisites


Before cloning, an Oracle database must meet all preliminary requirements.

Requirement | Description
A clean target host | Any stale backup files on the target host (including the FRA) that belong to the database being restored must be removed.
Database availability | At least one database must be managed and protected.
Log Archive Destination | During a clone operation, the archive logs can be restored to the log archive destination on the Oracle host, enabling the database to be recoverable to any recovery point. If the source log_archive_dest is used, it must exist on the host. An ACO parameter can be used to specify a different log_archive_dest destination.
Log backups (Optional) | To clone a recovery point that is between snapshots, successfully complete log backups that cover the recovery point period.
Memory requirements | The target host must have enough memory to run the database and perform recovery. A successful recovery requires 30% of the source total memory and 10% of the target total memory.
Permissions | The Oracle host or Oracle RAC and databases must be assigned restore permission.
Register nodes | The single instance host or the nodes of the target Oracle RAC must be registered on the Rubrik cluster. For an Oracle RAC, if only a subset of nodes are registered, the cloning task succeeds. However, only the registered nodes have a running instance of the cloned database.
Rubrik Backup Service (RBS) | RBS must be installed on the single instance server or each Oracle RAC system node. For recovery, RBS must be installed on the recovery target host.
Snapshots | At least one snapshot of the Oracle database and logs must be completed.
Source and target paths | Before initiating a restore, the destination file system directories must be available and identical to the file system of the clone source. The access permissions must also be the same.
Unique SIDs | The cloned database is created with the same name and SID as the original. Verify that the target host does not already have an instance with a database that has the same name and SID.

Related concepts
Directories created before a recovery operation
The Rubrik cluster automatically attempts to create the most common directories before the recovery
operation.
Rubrik Backup Service
RBS is required in order to perform automated discovery of Oracle hosts, Oracle RAC systems, and Oracle
databases.
Create an empty oratab file
If the Oracle host has no databases running, create an empty /etc/oratab file before installing Rubrik
Backup Service (RBS) software.
Point-in-time recovery
Point-in-time recovery restores database and log snapshots to the defined point in time.

SPFILE requirements
The Rubrik cluster uses the original SPFILE of the source database for recovery during clone and Live
Mount operations unless an alternate custom PFILE is specified.
Using the original SPFILE during the recovery includes these requirements.
• The target of the clone or Live Mount must have sufficient memory to support the memory parameters
of the original SPFILE.
• The necessary storage requirements listed in the SPFILE must be already configured on the target.
• The target listener configuration must be complete. If any of the listener parameters are set in the
source SPFILE, for example local_listener, the corresponding value must be included in the
tnsnames.ora file in the target.

Custom PFILE recovery


Custom PFILE recovery allows for database Live Mounts or clones that use configurations other than the
original SPFILE configuration.
The custom PFILE must be specified by a full file system path, and must already exist on the target host.
Custom PFILEs cannot be specified with an ASM path. If a target RAC node is being used, the custom PFILE
must be present on all the RAC nodes in the specified path.
For a RAC database, the custom PFILE must include the following instance-specific parameters:
instance_number, thread and undo_tablespace. The instance SIDs are derived from the source
database instance SIDs and the OLS node numbers of the target RAC nodes.
For example, if the SIDs of the source database are orcl_1 and orcl_2, and the target
RAC nodes have the OLS node numbers 2 and 3, then the custom PFILE must include
entries for orcl_2.instance_number, orcl_2.thread, orcl_2.undo_tablespace,
orcl_3.instance_number, orcl_3.thread, and orcl_3.undo_tablespace.
When a custom PFILE is used during a clone operation, the advanced cloning option (ACO) file
supports only the ORACLE_HOME and SPFILE_LOCATION parameters. When a custom PFILE is
used during a Live Mount, the ACO file supports only the ORACLE_HOME, SPFILE_LOCATION, and
DB_CREATE_ONLINE_LOG_DEST_n parameters.
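
The instance-specific entries described above can be checked before the clone or Live Mount is started. The following shell functions are an added example, not Rubrik tooling: given a custom PFILE, a SID prefix, and the OLS node numbers of the target RAC nodes, they list every required entry that is missing or has an empty value. The function names, the argument order, and the sample PFILE contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report which instance-specific entries a custom PFILE for a
# RAC target is missing. Function names and argument order are assumptions.

# Constructed sample PFILE for a target RAC with OLS node numbers 2 and 3.
# orcl_3.thread is commented out and orcl_3.undo_tablespace has no value.
sample_pfile() {
    cat <<'EOF'
db_name=orcl
orcl_2.instance_number=2
orcl_2.thread = 2
ORCL_2.UNDO_TABLESPACE='UNDOTBS2'
orcl_3.instance_number=3
# orcl_3.thread=3
orcl_3.undo_tablespace=
EOF
}

# pfile_has_key FILE KEY: succeed if FILE assigns a non-empty value to KEY.
# Parameter names are compared case-insensitively; "#" starts a comment.
pfile_has_key() {
    awk -v key="$2" '
        {
            line = $0
            sub(/#.*/, "", line)                 # drop comments
            eq = index(line, "=")
            if (eq == 0) next                    # not an assignment
            name = substr(line, 1, eq - 1)
            value = substr(line, eq + 1)
            gsub(/[ \t]/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (tolower(name) == tolower(key) && value != "") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# missing_rac_entries FILE SID_PREFIX NODE...: print each missing
# "<prefix><node>.<parameter>" entry. Returns 0 when nothing is missing,
# 1 when entries are missing, 2 when the path is not usable.
missing_rac_entries() {
    pfile=$1 prefix=$2
    shift 2
    case $pfile in
        /*) ;;
        *) echo "PFILE must be given as a full path" >&2; return 2 ;;
    esac
    [ -f "$pfile" ] && [ -r "$pfile" ] || { echo "cannot read $pfile" >&2; return 2; }
    missing=0
    for node in "$@"; do
        for param in instance_number thread undo_tablespace; do
            key="${prefix}${node}.${param}"
            if ! pfile_has_key "$pfile" "$key"; then
                printf '%s\n' "$key"
                missing=1
            fi
        done
    done
    return "$missing"
}

# Usage, run on every target RAC node because the PFILE must exist on each:
#   missing_rac_entries /full/path/to/custom_pfile.ora orcl_ 2 3
```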

Clone using a different database name
Specify a different database name during a clone operation.
Specify either, or both, of these sets of parameters in the ACO file or in the custom PFILE to ensure the
target database with the new database name uses the appropriate location parameters:
• PARAMETER_VALUE_CONVERT, DB_FILE_NAME_CONVERT, LOG_FILE_NAME_CONVERT
• CONTROL_FILES, DB_CREATE_FILE_DEST
For any source database, only one clone operation at a time can be active on the target host or RAC node.
In a RAC system, the instance SIDs are comprised of the database name appended with the OLS numbers
of the RAC nodes. For example, for a custom database named clonedb and a target RAC consisting of
nodes with OLS node numbers 2, 3, and 4, the instance SIDs are clonedb2, clonedb3, and clonedb4.
Related concepts
Advanced Oracle database clone and mount parameters
A parameters file provides the ability to specify advanced recovery options for live mount and cloning
tasks.

Cloning databases
Restore an Oracle database or recover datafiles by cloning a database snapshot.

Prerequisites
Confirm the configuration requirements as defined in Database clone prerequisites.

Context
• If a single instance clone fails, some manual cleanup may be required. For more information, see
Managing failed clones.
• The FRA is not set for a cloned or live mounted database on other hosts.
Cloning a database uses pre-recovery and post-recovery scripts. These scripts must exist at the provided
path on all the target nodes for a RAC and must be executable by the Oracle user defined for the target
host. The Rubrik cluster considers a script exit status other than 0 to be a script failure. The Rubrik cluster
displays notifications of script failures in the Activity Log.

Procedure
1. Log in to the Rubrik CDM web UI and navigate to a snapshot for an active database or a snapshot for
a relic database.
Option | Description
Active database snapshot | From the left-side menu, click Servers & Apps > Oracle DBs and select the All DBs tab.
Relic database snapshot | From the left-side menu, click Snapshot Management.
A list of the available protected database objects appears or a list of relic objects appears.
2. In the Name column, click a database name.
The Local page for the database appears, including the Recovery Points card.
3. On the Recovery Points card, select a day with a green dot.
The green dot indicates that at least one successful snapshot was created on that day.
The Recovery Points card displays the Day view.
4. Move the Recovery point slider to select a recovery point.
To select a snapshot, move the slider to a snapshot indicator or click the snapshot indicator dot. The
selected time icon changes.
To select a recovery point other than a snapshot time, move the slider to choose that time. The time
appears in the time field and the selected time icon changes. Alternatively, type a specific time into the
time field.
5. Open the ellipsis menu and select Clone.
The Clone dialog box appears.
6. In Hosts/Clusters, select an Oracle host.
The selected host will be the target of the database clone.
7. Optional: Select Do not restore, make RMAN backup files available for manual recovery.
Select this option to mount the recovery point, and recover files by using RMAN on the target host.
8. Optional: In Backup Image Path, type a full path on the target host.
Use this optional field to specify where to place the datafiles during the clone operation.
9. Optional: In Clone Database Name, type a name for the cloned database.
The Clone Database Name allows databases to be cloned using a different database name.
10. Optional: In Number of RMAN Channels (Optional), enter the number of Oracle Recovery
Manager (RMAN) recovery channels.
By default, the number of RMAN channels used for recovery is the same as the number of channels
used in the database and the number of log snapshots being recovered.
11. Optional: Expand Advanced Cloning Options.
Additional option fields appear.
12. Optional: To execute a pre-recovery script, select Enable Pre/Post Scripts and type the full path of
the pre-recovery script.
The Pre-Recovery Script Path line appears.
13. Optional: To cancel the clone operation if the pre-recovery script fails, select Cancel Recovery if
Pre-Recovery Script fails.
14. Optional: To execute a post-recovery script, type the full path of the post-recovery script.
15. Optional: Select Use custom pfile for recovery, and type the full path of the PFILE.
Specify the full path of the PFILE on the target host.
Selecting this option means that the original SPFILE is not used for the clone operation.
16. Optional: Click Advanced Cloning Options File and upload a custom advanced cloning options file.
17. Optional: Click Download Example File.
Download this plain text file to view information about the acceptable parameters and values to pass
to the Rubrik cluster through a custom advanced clone options file.
18. Optional: In Choose a Parameter, select ACO options from the list.
19. Click Add to include additional parameters and provide the parameter value.
The value cannot be left empty. To clear a PFILE parameter using an ACO option, use a single or
double-quoted empty string for the value.
20. Click Clone.

Result
The Rubrik cluster clones the specified database recovery point to the selected Oracle host.
Related concepts
Local host page
Snapshots card or Recovery Points card
For a selected remote data source, the Snapshots card or Recovery Points card provides the ability to
browse and work with the replicas that reside on the local Rubrik cluster.

Managing failed clones


Any instance created by a failed clone task is automatically shut down when the clone task fails.
If a single-instance database clone task fails after the RMAN script runs, any instance created by that task
is automatically shut down. Remove any files placed during the failed database clone task.

Location: Any datafile or archived log file location as on the source database
Description: Remove the datafiles and archived log files placed during the failed clone task.

Location: Audit directory
Description: Remove the audit directory created during the failed clone task.

Location: $ORACLE_HOME/dbs/SID_control1 and $ORACLE_HOME/dbs/SID_control2, where SID is the Oracle SID of the source database.
Description: Remove any control files placed during the failed clone task.

Location: /etc/oratab
Description: Remove any database entries placed during the failed clone task.

Advanced Oracle database clone and mount parameters


A parameters file provides the ability to specify advanced recovery options for live mount and cloning
tasks.
Customize the database parameters during recovery by creating a configuration parameters file to input
database parameters before initiating the recovery job.
For a successful recovery of standalone databases on file systems and Oracle RAC databases, configure
either DB_RECOVERY_FILE_DEST or DB_CREATE_FILE_DEST. If neither parameter is set in the
source database, at least one must be set in the configuration file.

Important: The location directories must already exist on the target Oracle host or Oracle RAC and be
accessible by the Oracle SYSDBA user. Existing files at the locations specified in the configuration file are
overwritten during the recovery.

Memory parameters
The memory parameters can be used to account for differences in resource limitations between the source
and target hosts or Oracle RAC.

PGA_AGGREGATE_TARGET
Details: Aggregate size of the Program Global Area for all processes in bytes (or KB, MB, GB if specified). The value must be greater than 0 bytes.
Type: Enumerated value
Input format: Enumerated value options:
• TRUE
• FALSE
• ONLY

SGA_MAX_SIZE
Details: Maximum size of the System Global Area in the specified unit. The value must be greater than 0 bytes and greater than or equal to SGA_TARGET.
Type: Integer
Input format: Integer value with the unit of measurement in:
• K - KB
• M - MB
• G - GB

SGA_TARGET
Details: Size of the System Global Area in bytes (or KB, MB, GB if specified). This parameter can be changed during the life of the instance but never to be greater than SGA_MAX_SIZE. The value must be greater than 0 bytes. SGA_TARGET may not be larger than SGA_MAX_SIZE.
Type: Integer
Input format: Integer value with the unit of measurement in:
• K - KB
• M - MB
• G - GB

File location parameters


The file location parameters can be used to account for differences in storage structure between the
source and target hosts or Oracle RAC.

AUDIT_FILE_DEST
Details: File system location for audit records related to security and monitoring of database connections. Must be a file system directory.
Input format: String equal to the full destination path.

CONTROL_FILES
Details: Locations of the control files of the newly recovered database. This field is required when performing dissimilar disk group recovery. Up to eight locations can be specified. Each one must be a file system location, ASM disk group name, or ASM location. The specified control file locations must be unique.
Input format: CSV list of locations: loc1,loc2,...loc8

DB_CREATE_FILE_DEST
Details: Default location for Oracle managed files on the newly created database. Must be an ASM disk group name or file system directory.
Input format: String equal to the full destination path.

DB_CREATE_ONLINE_LOG_DEST_N (N = 1-5)
Details: Specifies where the online redo log members are located on the target. Create one member, in each location, with the same number of groups that existed on the source database for ASM. This field is required. On the file system, all online redo log members will be put into the first location and can be reconfigured after the recovery is complete. Redo log files with duplicate names will be renamed. On ASM, all online redo logs are Oracle-managed files on the target even if there were alias redo logs on the source database. Up to five locations may be specified. Each one may be an ASM disk group name or a file system directory. The inputs must be all ASM disk groups or all file system directories.
Input format: String equal to the ASM disk group name or file system directory path.

DB_FILE_NAME_CONVERT
Details: Specifies how the data files on the source are mapped to the target data files during the database cloning operation. Valid parameter for clone operations. Not valid for Live Mount.
Input format: Comma-separated list of string values, each value is enclosed within single quotes. Each source value must map to a target value.

DB_RECOVERY_FILE_DEST
Details: Default location for the flash recovery area (FRA). The size of the FRA must be specified with the DB_RECOVERY_FILE_DEST_SIZE parameter. This field is required when performing recovery of dissimilar disk groups. For successful recovery to a standalone database on ASM or a RAC database, Rubrik CDM requires a value for either DB_RECOVERY_FILE_DEST or DB_CREATE_FILE_DEST. One of these parameters must be set in either the source database or in the parameters configuration file.
Input format: String equal to the full destination path.

DB_RECOVERY_FILE_DEST_SIZE
Details: For successful recovery to a standalone database on ASM or a RAC database, Rubrik CDM requires a value for either DB_RECOVERY_FILE_DEST or DB_CREATE_FILE_DEST. Either of these parameters must be set in either the source database or in the parameters configuration file. Size of the Fast Recovery Area (FRA) on the newly recovered database. Must be greater than 0 bytes.
Input format: integer [ K | M | G ]

LOG_ARCHIVE_DEST_N (N = 1-10)
Details: Specifies locations for log archival operations of the database. Archived logs will be multiplexed to the locations. Up to ten locations may be specified. Each entry must begin with LOCATION= (case insensitive). Each one may be an ASM disk group name or a file system directory.
Input format: String equal to the full path of the file.

LOG_FILE_NAME_CONVERT
Details: Specifies that the location of the redo log files on the source is mapped to the location of the redo log files on the target while cloning the database. Valid parameter for clone operations. Not valid for Live Mount.
Input format: Comma-separated list of string values, each value is enclosed within single quotes. Each source value must map to a target value.

ORACLE_HOME
Details: Location of the ORACLE_HOME directory, where the Oracle RDBMS software is installed on the target standalone host or Oracle RAC. This must be the location of the Oracle RDBMS installation in the file system. This parameter must be specified when the ORACLE_HOME differs between the source and the target. Must be a file system directory.
Input format: String equal to the full destination path.

PARAMETER_VALUE_CONVERT
Details: Maps parameters from the source database to different values on the target database during the clone operation. For each pair of source and target values specified by PARAMETER_VALUE_CONVERT, if the source value is included in any of the other parameters, it is replaced with the corresponding target value during the clone operation.
Input format: Comma-separated list of string values, each value is enclosed within single quotes. Each source value must map to a target value.

SPFILE_LOCATION
Details: Location for the minimal spfile with which the database is recovered. This must be a complete path to the spfile located in the file system or ASM path. Do not use the disk group name or a directory path. This field is required when performing dissimilar disk group recovery. If the specified file already exists, it is overwritten during the recovery, even if the Oracle SYSDBA user does not have permissions to modify the existing file.
Input format: String equal to the full path of the spfile.

Oracle database cloning and mounting parameters
Example of advanced options for an Oracle database cloning and mounting configuration file.

SGA_MAX_SIZE=1234M
SGA_TARGET=1234M
PGA_AGGREGATE_TARGET=568M
USE_LARGE_PAGES=TRUE
SPFILE_LOCATION=/u01/app/oracle/product/dbhome/spfilerbk.ora
CONTROL_FILES=+DG1,+DG2
DB_CREATE_ONLINE_LOG_DEST_1=+DG1
LOG_ARCHIVE_DEST_1=+DG1
DB_RECOVERY_FILE_DEST=+FRA
DB_RECOVERY_FILE_DEST_SIZE=1000000
DB_CREATE_FILE_DEST=/u01/app/oracle/oradata
AUDIT_FILE_DEST=/u01/app/oracle/audit
ORACLE_HOME=/u01/app/oracle/product/rdbms/12.2.0.2/db_1/
DB_FILE_NAME_CONVERT='+DG1','+TG1','/u01/data','/u02/data'
LOG_FILE_NAME_CONVERT='+DG1','+TG1','/u01/data','/u02/data'
PARAMETER_VALUE_CONVERT='orcl','newdb','dg1','tg1'
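
Because existing files at the configured locations are overwritten during recovery, it helps to check a parameters file against the documented rules before uploading it. The following Python pre-flight check is an added example, not Rubrik code: the function names are hypothetical, it covers only a subset of the rules in the tables above, and it assumes that a location starting with "+" is an ASM disk group or ASM path.

```python
import re

# Rules come from the parameter tables on this page. Assumption added here:
# a location that starts with "+" is an ASM disk group or ASM path.
SIZE_RE = re.compile(r"^(\d+)([KMG]?)$", re.IGNORECASE)
UNIT = {"": 1, "K": 1024, "M": 1024**2, "G": 1024**3}
QUOTED_LIST_RE = re.compile(r"^'[^']*'(,'[^']*')*$")
SIZE_KEYS = ("SGA_MAX_SIZE", "SGA_TARGET", "DB_RECOVERY_FILE_DEST_SIZE")
CONVERT_KEYS = ("DB_FILE_NAME_CONVERT", "LOG_FILE_NAME_CONVERT",
                "PARAMETER_VALUE_CONVERT")
DEST_KEYS = {"DB_RECOVERY_FILE_DEST", "DB_CREATE_FILE_DEST"}

# The example file shown on this page.
PAGE_EXAMPLE = """\
SGA_MAX_SIZE=1234M
SGA_TARGET=1234M
PGA_AGGREGATE_TARGET=568M
USE_LARGE_PAGES=TRUE
SPFILE_LOCATION=/u01/app/oracle/product/dbhome/spfilerbk.ora
CONTROL_FILES=+DG1,+DG2
DB_CREATE_ONLINE_LOG_DEST_1=+DG1
LOG_ARCHIVE_DEST_1=+DG1
DB_RECOVERY_FILE_DEST=+FRA
DB_RECOVERY_FILE_DEST_SIZE=1000000
DB_CREATE_FILE_DEST=/u01/app/oracle/oradata
AUDIT_FILE_DEST=/u01/app/oracle/audit
ORACLE_HOME=/u01/app/oracle/product/rdbms/12.2.0.2/db_1/
DB_FILE_NAME_CONVERT='+DG1','+TG1','/u01/data','/u02/data'
LOG_FILE_NAME_CONVERT='+DG1','+TG1','/u01/data','/u02/data'
PARAMETER_VALUE_CONVERT='orcl','newdb','dg1','tg1'
"""

# Constructed file that breaks several of the documented rules.
BAD_EXAMPLE = """\
SGA_MAX_SIZE=2G
SGA_TARGET=4G
CONTROL_FILES=+DG1,+DG1
DB_CREATE_ONLINE_LOG_DEST_1=+DG1
DB_CREATE_ONLINE_LOG_DEST_2=/u02/redo
DB_FILE_NAME_CONVERT='+DG1','+TG1','/u01/data'
SPFILE_LOCATION=+DG1
AUDIT_FILE_DEST=
"""

def parse_options(text):
    """Parse KEY=VALUE lines into a dict; malformed lines become errors."""
    options, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        key, sep, value = (part.strip() for part in raw.partition("="))
        if not sep or not key:
            errors.append(f"line {lineno}: expected KEY=VALUE")
        elif not value:  # a value cannot be left empty; '' clears a parameter
            errors.append(f"line {lineno}: {key} has an empty value")
        else:
            options[key] = value
    return options, errors

def size_bytes(value):
    """Bytes for integer[K|M|G], or None when the value has another shape."""
    m = SIZE_RE.match(value)
    return int(m.group(1)) * UNIT[m.group(2).upper()] if m else None

def validate(text, source_has_dest=False):
    """Return rule violations as strings (empty list when the file passes)."""
    # source_has_dest: the source database already sets one of DEST_KEYS.
    opts, errors = parse_options(text)
    sizes = {k: size_bytes(opts[k]) for k in SIZE_KEYS if k in opts}
    for key, size in sizes.items():
        if size is None:
            errors.append(f"{key}: expected integer with optional K, M or G")
        elif size == 0:
            errors.append(f"{key}: must be greater than 0 bytes")
    if (sizes.get("SGA_TARGET") or 0) > (sizes.get("SGA_MAX_SIZE") or float("inf")):
        errors.append("SGA_TARGET may not be larger than SGA_MAX_SIZE")
    control = [p.strip() for p in opts.get("CONTROL_FILES", "").split(",") if p.strip()]
    if len(control) > 8:
        errors.append("CONTROL_FILES: more than eight locations")
    if len(set(control)) != len(control):
        errors.append("CONTROL_FILES: locations must be unique")
    redo = [v for k, v in opts.items() if k.startswith("DB_CREATE_ONLINE_LOG_DEST_")]
    if not redo:
        errors.append("DB_CREATE_ONLINE_LOG_DEST_N: required, none set")
    elif len({v.startswith("+") for v in redo}) > 1:
        errors.append("DB_CREATE_ONLINE_LOG_DEST_N: mixes ASM and file system")
    spfile = opts.get("SPFILE_LOCATION", "")
    if spfile.endswith("/") or (spfile.startswith("+") and "/" not in spfile):
        errors.append("SPFILE_LOCATION: give the complete path to the spfile")
    for key in CONVERT_KEYS:
        if key in opts and not QUOTED_LIST_RE.match(opts[key]):
            errors.append(f"{key}: values must be single-quoted, comma-separated")
        elif key in opts and opts[key].count("'") % 4:
            errors.append(f"{key}: every source value needs a target value")
    if not source_has_dest and DEST_KEYS.isdisjoint(opts):
        errors.append("set DB_RECOVERY_FILE_DEST or DB_CREATE_FILE_DEST")
    return errors
```

Calling validate(PAGE_EXAMPLE) returns an empty list, while validate(BAD_EXAMPLE) reports one violation per broken rule. Parameters the check does not know, such as USE_LARGE_PAGES, are passed through without comment.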

Same Host Recovery


Recover a database to the source Oracle host or Oracle RAC.

Important: Same host recovery fails on Oracle databases without an spfile.

During a Same Host Recovery all existing archived logs are deleted and a new set of archived logs is
generated for the new instance, unless the logs from the host are not applied. The feature supports
options to point to a specific archived log path from which the archived logs are applied during the
recovery. The original spfile of the source database is used during the recovery. Any additional
parameters must be set after the restore job is completed. Before running a recovery, ensure that the
parent directories of the required parameters exist on the Oracle host or each node of the Oracle RAC. This
applies to both local file system paths and ASM paths. A Same Host Recovery does not change the location
for redo logs but does consolidate the multiple members of redo log groups into a single member for each
group.
The Rubrik cluster supports automated recovery only for databases created using an SPFILE file.
Databases created using a PFILE must use DBA managed recovery.

Important:
If a database is a relic, and if the cluster is upgraded to the latest version, the metadata of the database
being recovered must be edited on the Rubrik cluster by Rubrik Support.

Related concepts
Instant Recovery for Oracle
Replace an Oracle database with a fully functional point-in-time copy.
Related tasks
Dropping a database

Before performing an instant recovery, drop the Oracle RAC or standalone Oracle database.

Prerequisites for Same Host recovery


Recovering a backup to the source host requires preliminary actions and settings.
Before performing a Restore or Instant Recovery, the database must be dropped using the SQL drop
database command. Do not drop the database with the dbca command or similar commands that delete
the entire database, including the base directories.

Important: If a database became a relic while running on Rubrik CDM version 5.0.2 or older, and if the
cluster was upgraded to 5.0.3 or newer, contact Rubrik support before performing a Same Host recovery.
All stale backup files on the target host (including the FRA) that belong to the database being restored
must be removed.

During a Same Host recovery or Instant Recovery, the original spfile from the backup is used for the
database recovery. Configure any required custom parameters before making the database operational.
Dropping the database on the source host and performing host refresh moves the database status from
Live to Relic.

Performing a Same Host recovery


Recover a database from a snapshot back to the production host.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Snapshot Management.
3. In the Name column, click the name of a database.
Alternatively, enter a name in the search field or use the filters at the top right of the list.
The Local page for the database appears and confirms that the database status is Relic.
4. On the Recovery Points card, click any green point on the recovery timeline.
5. Click the ellipsis next to the Expiration Date and select Restore.
The Restore operation restores a point-in-time copy of the database to the original host. When the
database is recovered using a snapshot earlier than the most recent one, the Rubrik cluster forces a
full backup for the next database backup.
6. Optional: In Number of RMAN Channels (Optional), enter the number of Oracle Recovery
Manager (RMAN) recovery channels.
By default, the number of RMAN channels used for recovery is the same as the number of channels
used in the database and the number of log snapshots being recovered.
7. Confirm the recovery point and click Restore.
The activity log appears and tracks the restore task to completion.

Result
The Same Host recovery task completes, the database is open, and the assigned SLA Domain is in place.
Related concepts
Instant Recovery for Oracle

Replace an Oracle database with a fully functional point-in-time copy.

Performing a roll forward recovery


Complete a roll forward recovery of a database.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Snapshot Management.
3. In the Name column, click the name of a database.
Alternatively, enter a name in the search field or use the filters at the top right of the list.
The Local page for the database appears and confirms that the database status is Relic.
4. On the Overview card, select Latest Recovery Point next to the clock icon.
5. Open the ellipsis menu next to the expiration date and click Restore.
6. Optional: Toggle on Apply Logs from Host.
The Rubrik cluster applies the host logs as part of the recovery.
7. (Apply Logs from Host) Select a location for the logs or type the full path of a custom location.
The Rubrik cluster renames the archived host logs and writes them to the subdirectory rubrik at the
specified location.
8. Click Confirm.
9. Click OK.

Result
The Rubrik cluster performs the roll forward recovery as specified.

Tablespace recovery
Restore a tablespace in place to the same database.
Recovery tasks use the tablespaces protected in the nearest database snapshot before the selected point-
in-time.
Adding single or multiple tablespaces to a database involves changing multiple components in the
database. Changes are written to the Rubrik Cluster as scheduled by the assigned SLA Domain. However,
Rubrik recommends taking an on-demand snapshot after dropping or adding a tablespace to ensure
immediate availability of changes for recovery operations.
Before restoring tablespaces, confirm the preliminary requirements listed in the following table.

Component: Oracle Edition
Description: Tablespace recovery requires an Oracle Database Enterprise Edition license with the RMAN TSPITR feature.

Component: Permissions
Description: A file system where the oracle user has the permission to create a directory.

Component: Auxiliary Destination Path
Description:
• Ensure that the device on which the auxiliaryDestination path is created has enough free disk space to store the control file, online redo logs, and the SYSTEM, SYSAUX, TEMP, and UNDO tablespaces for recovery operations on the target host, and also to accommodate the auxiliary database. The path must be an absolute file system path (not a relative path, and not a path in an ASM disk group).
• The tablespace export script creates an auxiliary destination directory. This destination directory must be in a file system where the oracle user has permission to create a directory.
Information on how to export tablespaces can be found in Restoring tablespaces.

Component: Configuration
Description:
• Set the Oracle database DB_CREATE_FILE_DEST parameter to the tablespace datafiles restoration location before the tablespace export is triggered. Provide the restoration location value as a string equal to the directory name or the disk group name.
• Ensure that the original device on which the tablespace datafile will be recovered has twice as much free disk space as the tablespace size.

Component: Free storage space
Description: The tablespace datafile recovery target device must meet the minimum storage space requirements:
• AIX - The host must have free disk space equal to at least twice the size of the tablespace datafiles.
• Other Linux distributions - The host must have free disk space equal to at least the size of the tablespace datafiles.

Component: RMAN
Description: Before starting a tablespace recovery, take the tablespace offline, then manually drop it. This ensures a clean and complete RMAN operation.

Related concepts
Database clones for Oracle
Select a recovery point on the Oracle database to clone to a target location.
Related tasks
Creating an on-demand snapshot
Manually initiate a database snapshot in addition to the policy-based snapshots of the database. Assign an
SLA Domain to manage that snapshot.

Dropping a tablespace
Before performing a recovery of a tablespace, drop the existing tablespace from the recovery target.

Context
If a table and its indexes are stored in different tablespaces, the indexes must be dropped before
performing a tablespace point-in-time recovery (TSPITR).

Procedure
1. On the Oracle host, run the following command.

alter tablespace tablespace_name offline immediate

This command takes the tablespace offline immediately without a database checkpoint of any of the
datafiles.

A tablespace cannot be taken offline immediately if the database is running in NOARCHIVELOG mode.
2. On the Oracle host, run the following command.

drop tablespace tablespace_name including contents and datafiles

This command drops the tablespace and its contents.


Specify including contents to drop a tablespace that contains database objects. Omitting this
clause causes the database to return an error if the tablespace is not empty, and the tablespace is not
dropped.

Result
The datafiles clause instructs the database to delete the associated operating system files. The database
writes a message to the alert log for each operating system file deleted.

Next task
Take an on-demand snapshot to ensure immediate availability of changes for recovery operations.
Related tasks
Creating an on-demand snapshot
Manually initiate a database snapshot in addition to the policy-based snapshots of the database. Assign an
SLA Domain to manage that snapshot.

Restoring tablespaces
Rubrik CDM restores tablespaces by exporting in-place on the same database.

Prerequisites
Set the database to ARCHIVELOG mode before attempting a tablespace recovery.

Context
To initiate a tablespace recovery, select a snapshot or any point-in-time point target from the available
range. The Rubrik cluster restores tablespaces in-place only to the same database.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side navigation menu, click Servers & Apps > Oracle DBs.
The Hosts/Clusters page appears.
3. Click All DBs.
The All DBs tab appears.
4. In the Name column, click the name of a database.
Alternatively, enter a name in the search field or use the filters at the top left of the list.
The Local page for the database appears, with the Recovery Points card showing the month view.
5. On the Recovery Points card, select a day that has a green dot.
The green dot indicates that at least one successful snapshot was created on that day.
The Recovery Points card displays the Day view.
6. Move the Recovery point slider to select a recovery point.
To select a snapshot, move the slider to a snapshot indicator or click the snapshot indicator dot. The
selected time icon changes.
To select a recovery point other than a snapshot time, move the slider to choose that time. The time
appears in the time field and the selected time icon changes. Alternatively, type a specific time into the
time field.

7. Click the ellipsis next to the tablespace and select Clone.
The Clone Tablespace dialog box appears.
8. Enter an Auxiliary Destination Path to orchestrate tablespace recovery, and click Clone.

Result
The Rubrik cluster exports the tablespace and restores the tablespace to the selected point-in-time on the
same database.

Next task
Take an on-demand snapshot to ensure immediate availability of changes for recovery operations.
Related concepts
Local host page
Recovery Points card
The Recovery Points card provides access to the available snapshots and log backups of the database.
Related tasks
Creating an on-demand snapshot
Manually initiate a database snapshot in addition to the policy-based snapshots of the database. Assign an
SLA Domain to manage that snapshot.

Chapter 23
SQL Server databases


A Rubrik cluster provides data management and protection for Microsoft SQL Server databases.
A Rubrik cluster can manage and protect SQL Server databases that are configured to use the full recovery
model, bulk-logged recovery model, or the simple recovery model.
For a database that uses the full recovery model or the bulk-logged recovery model, the Rubrik cluster
performs policy-driven VSS snapshots of the database and frequent interim backups of the transaction log.
The combination of a snapshot of the database and transaction log backups permits granular restore of a
database to a specified recovery point.
For a database that uses the simple recovery model, the Rubrik cluster performs policy-driven snapshots of
the database. The snapshots permit recovery of the database to its state at the time of a snapshot.
The following table describes the data management features provided for SQL Server databases.

Feature: Physical and virtual instances
Description: The Rubrik cluster supports SQL Server databases running on physical installations of Windows Server, and on guest OS installations of Windows Server that are running in a virtual environment.

Feature: Windows Server Failover Clustering
Description: The Rubrik cluster supports SQL Server databases running on Windows Failover Clustering (WSFC) instances of SQL Server.

Feature: Full, bulk-logged, and simple recovery models
Description: The Rubrik cluster provides protection for full recovery model, bulk-logged recovery model, and simple recovery model databases.

Feature: Automatic discovery
Description: After installing the Rubrik Backup Service software on a Windows Server, the Rubrik connector automatically discovers all instances of SQL Server and all SQL Server databases on the Windows Server. The Rubrik connector provides this information to the Rubrik cluster and the objects appear in the Rubrik CDM web UI.

Feature: Automatic upgrade
Description: When new versions of the Rubrik Backup Service software are available, the Rubrik cluster automatically upgrades the software on all Windows Server hosts.

Feature: SLA Domains
Description: SLA Domains provide simplified management of SQL Server database protection. Setting the snapshot frequency and retention, snapshot window, replication policy, and archival policy for a database can be accomplished by assigning the database to an SLA Domain.

Feature: Derived protection
Description: Databases can derive SLA Domain protection through an SLA Domain assignment made to the SQL Server database or the Windows Server host. Databases added at a later date automatically derive the protection of the parent entity.

Feature: Configurable log backups
Description: For any database, the log backup frequency setting can be derived from the system defaults, or the log backup frequency and retention can be configured through an SLA Domain assignment. Log backups can also be disabled entirely.

Feature: Copy Only backups
Description: When a database is assigned to an SLA Domain, Copy Only backups can be specified for that database.

Feature: Source-side compression
Description: The Rubrik Backup Service compresses the data from SQL Server database backups before sending the data to the Rubrik cluster.

Feature: Replication
Description: Based on SLA Domain policy, snapshots and transaction log backups can be replicated to another Rubrik cluster.

Feature: Archiving
Description: Based on SLA Domain policy, snapshots and transaction log backups can be archived to a supported archival location.

Feature: Point-in-time recovery
Description: A database can be recovered from a snapshot or to a point in time between snapshots. The Rubrik cluster returns the recovered database to the state it was in at the time specified by the user.

Feature: VDI
Description: The Rubrik cluster fully supports the Microsoft Virtual Device Interface (VDI) API for transaction log backup and restore operations. However, VDI requires that the agent performing backups or restores have sysadmin privileges on the server.

Feature: Point in time export
Description: A database can be exported to another SQL Server database of the same version or higher, on the same Windows Server host or on another Windows Server host. Export of the database can be based on a snapshot, or on a snapshot combined with transaction log backups.

Feature: Group snapshots
Description: On-demand snapshots are available for SQL Server hosts or instances, creating individual snapshots of all the databases on the host or instance. Group snapshots are also available for multiple databases from different SQL Server hosts or instances. When snapshots are grouped in this way, the count of incoming snapshots is the number of snapshot groups, rather than the number of individual snapshots.

Point-in-time recovery
For a database that uses the full recovery model or the bulk-logged recovery model, the Rubrik cluster
uses a combination of a snapshot of the database and the database transaction log backups to recover a
database.
The Rubrik Backup Service obtains the snapshot of the database by using the VSS writer on the SQL
Server host to create a full backup of the database.
The combination of a snapshot of the database and the transaction log backups from the database permits
the Rubrik cluster to recover a database to the state it was in at a selected point in time.
To recover to a selected point in time, the Rubrik cluster uses two pieces of information:
• Last snapshot created before the selected point in time
• Log backups created between the time of the snapshot and the selected point in time
The Rubrik cluster first recovers the database from the snapshot. Then the Rubrik cluster unrolls and
applies the contents of the logs until the selected point in time is reached.
The closer that the snapshot is to the selected point in time, the shorter the Recovery Time Objective
(RTO) that is achieved by the process. To minimize RTO, assign a database to an SLA Domain with
frequent snapshots.

Live Mount
A Live Mount creates a new database from a point-in-time copy of the source database. The Rubrik cluster
provides a Samba share of the new database directly from the Rubrik cluster storage layer.
Live Mount databases can be attached to SQL Servers on any Windows Server host that is running the
Rubrik Backup Service. Specific requirements are listed in the Rubrik Compatibility Matrix.
Transmissions between the Rubrik cluster and the host of the Live Mount are secured by end-to-end
encryption.
Using Live Mount to access a copy of a database can significantly reduce the RTO for the database. A Live
Mount database cannot be protected through the Rubrik cluster.

SQL Server requirements


A Rubrik cluster provides data management and protection for SQL Server databases when specific
requirements are met.

Requirement: Operating system
Description: Refer to the Rubrik Compatibility Matrix for current version support.

Requirement: Database management system
Description: Refer to the Rubrik Compatibility Matrix for current version support.

Requirement: Windows service
Description: SQL Server VSS Writer (running)

Requirement: Network protocol
Description: TCP/IP or Shared Memory protocol enabled for each SQL Server database

SQL Server permissions required for backups


Permissions required to perform Rubrik CDM backups on SQL Server.

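SQL Server permission: sysadmin
Permission assigned from: SQL Server instance
Permission required for: SQL 2008, SQL 2008 R2, and Virtual Device Interface (VDI) APIs

SQL Server permission: dbcreator
Permission assigned from: SQL Server instance
Permission required for: Database restores

SQL Server permission: ALTER ANY DATABASE
Permission assigned from: SQL Server instance
Permission required for: Database restores

SQL Server permission: VIEW SERVER STATE
Permission assigned from: SQL Server instance
Permission required for: Metadata collection

SQL Server permission: VIEW ANY DEFINITION
Permission assigned from: SQL Server instance
Permission required for: Metadata collection

SQL Server permission: db_backupoperator
Permission assigned from: Databases
Permission required for: Database backups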

Assigning sysadmin permission grants full administrative rights to the SQL Server instance, similar to root
permissions. It is unnecessary to grant additional permissions once sysadmin is granted.
Because the model database is the template used to create new databases on the instance, any
permissions granted to the model database are applied to any new databases created after those
permissions are assigned.

Rubrik Backup Service
Install and configure the Rubrik Backup Service on a SQL Server to allow backup and restore of SQL
databases.
Follow the Windows instructions when downloading and installing the Rubrik Backup Service (RBS)
software.
Related concepts
Rubrik Backup Service
The Rubrik Backup Service provides enhanced integration with protected resources and host systems.
Rubrik Backup Service account on Windows
The Rubrik Backup Service must run as an account that has local Administrators group privileges on the
Windows Server host.
SQL Server roles and permissions for RBS
To provide SQL Server protection, assign specific roles and permissions to the account used for Rubrik
Backup Service. For some use cases, assign the SQL Server sysadmin role to the account used for Rubrik
Backup Service.
Related tasks
Downloading the RBS software
Obtain the Rubrik Backup Service software from the web UI of a Rubrik cluster.
Obtaining the RBS software by URL
Obtain the Rubrik Backup Service software directly by URL instead of through the web UI.
Installing RBS on Windows
Install the Rubrik Backup Service software on a computer or virtual machine that is running the Windows
Server operating system.
Removing RBS from a Windows host
Remove the Rubrik Backup Service from a Windows host.

Windows Server hosts


Manage and protect SQL Server databases through the Rubrik Backup Service running on a Windows
Server host.
Adding a Windows Server host to a Rubrik cluster establishes a secure connection between the Rubrik
cluster and the Rubrik Backup Service on the Windows Server host. After the Windows Server host is
added, the SQL Server databases on the Windows Server host appear in the
Rubrik CDM web UI.
Remove a Windows Server host from the Rubrik cluster to stop managing the data of the SQL Server
databases on that host. The SQL Server databases on the removed Windows Server host move to the
Snapshot Management page. The Rubrik cluster continues to provide access to existing snapshots and log
backups until the SQL Server database is removed from the Snapshot Management page.

Adding a Windows Server host


To begin managing and protecting SQL Server databases, add a Windows Server host with SQL Server
databases to the Rubrik cluster.

Prerequisites
Obtain and install the Rubrik Backup Service software on the Windows Server host.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > SQL Server DBs.
The Hosts/Instances tab of the SQL Server DBs page appears.
3. Open the ellipsis menu at the upper-right of the page, and select Add Windows Hosts.
The Add Windows Hosts dialog box appears.
4. In IPs or Hostnames, type a comma-separated list of the IPv4 addresses or the resolvable
hostnames of the Windows Server hosts that are being added.
The list can contain both IPv4 addresses and hostnames. The Rubrik cluster requires one IPv4 address
or one resolvable hostname for each Windows Server host.
5. Click Add.

Result
The Rubrik cluster checks connectivity with the Rubrik Backup Service on each specified Windows Server
host and adds the Windows Server hosts that are successfully connected.

Next task
Do the following:
• Set the default database management properties.
• Set the individual database management properties.
• Manage and protect a database by adding it to an SLA Domain.

Removing a Windows Server host


Remove a Windows Server host from the Rubrik cluster to stop managing the data for the SQL Server
databases on that host.

Context
Removing a Windows Server host removes the following from the SQL Server DBs page:
• All SQL Server databases of that host
• All databases of that host

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > SQL Server DBs.
The Hosts/Instances tab of the SQL Server DBs page appears.
3. Select a Windows Server host.
4. Open the ellipsis menu and select Delete.
A warning dialog box appears.
5. Click Delete.

Result
The Rubrik cluster removes the selected Windows Server host.
When there is at least one existing snapshot for a SQL Server database on the removed Windows Server
host, the database appears on the Snapshot Management page. The snapshots and log backups from a
database on the Snapshot Management page can be used for recovery and export.
Removing individual snapshots for a data source describes how to use the Snapshot Management page to
remove the unmanaged snapshot objects of a database.

SQL Server per-host tuning
SQL Server per-host configurations adjust specific parameters for individual hosts. The per-host
configurations override the corresponding values from global configurations.
Per-host configurations are useful for environments that are not uniform. Different hosts are protected by
different capabilities. Consequently, if configurations are tuned globally, some of the hosts may be
under-utilized. If the hosts are under-utilized or underpowered, the heavy workloads from the Rubrik cluster may
impact the performance of the production environment.
The per-host tuning is performed with the Rubrik APIs. The cluster rubrik_tool command issues the
API operations from the Rubrik CLI.

Per-host configurations
The following per-host configurations are available.

Configuration name                              Type     Minimum  Maximum  Description
enableDatabaseBatchSnapshots                    boolean  -        -        Specifies if SQL Server batch snapshots are enabled.
enableGroupFetch                                boolean  -        -        Enables group fetches for SQL Server files.
enableVdi                                       boolean  -        -        Enables SQL Server log backup and restore using Virtual Desktop Infrastructure (VDI).
enableVdiDb                                     boolean  -        -        Enables SQL Server database backup and restore using VDI.
fileRestoreReadParallelism                      int      1        64       Number of concurrent read requests for restoring a file from the Rubrik cluster to a remote host.
fileRestoreWriteParallelism                     int      1        32       Number of concurrent write requests for restoring a file from the Rubrik cluster to a remote host.
fileTransferParallelism                         int      1        32       Number of concurrent requests for transferring a file from a remote host to the Rubrik cluster.
mssqlDefaultMaxDataStreamsPerDatabase           int      1        12       Default value for maximum number of data streams per database.
physicalHostDatabaseRestoreThrottleMaxRefCount  int      1        12       Maximum number of concurrent database restore jobs running on a host.
physicalHostLogBackupThrottleMaxRefCount        int      1        40       Maximum number of concurrent SQL Server log backup jobs per physical host.
throttlePhysicalHostMaxRefCount                 int      1        40       Maximum number of concurrent snapshots per physical host.

Numerical limits for per-host configurations


Per-host configurations enforce numerical limits so unintended values are not used for API endpoints.
Valid entries for boolean types are Enabled, Disabled, and Default. A value of Default resets the
boolean and workflow default values to the value specified by the global configuration.
Tuning the numerical limits is inherently risky and should only be attempted by advanced users. Contact
Rubrik Support to adjust the numerical limits.
Rubrik does not recommend assigning values that approach the maximum or minimum values for
numerical limits.
Customers assume all risks when adjusting their own numerical limits.

Creating a per-host configuration


Create a SQL Server per-host configuration for adjusting specific parameters for individual hosts.

Procedure
1. As admin, open a Rubrik cluster SSH session.
2. Type the cluster rubrik_tool create_mssql_host_configuration command.
For boolean data types, use the Enabled, Disabled, or Default parameters. For numeric types,
use the literal value.
The CLI command creates the per-host configuration.

Example
This is an example of creating a per-host configuration for the host.

ubuntu@vm-machine:~$ cluster rubrik_tool update_mssql_host_configuration Host:::ce828b9e-490f-4f68-bf1a-b645021fbe02 "{ \"enableVdi\": \"Disabled\"}"
{
  "enableVdi": "Enabled",
  "throttlePhysicalHostMaxRefCount": 3
}
ubuntu@vm-machine:~$

Updating a per-host configuration


Update a SQL Server per-host configuration with current values.

Procedure
1. As admin, open a Rubrik cluster SSH session.
2. Type the cluster rubrik_tool update_mssql_host_configuration command.
The CLI command updates the per-host configuration.

Example
This is an example of updating a per-host configuration for the host.

ubuntu@vm-machine:~$ cluster rubrik_tool update_mssql_host_configuration Host:::ce828b9e-490f-4f68-bf1a-b645021fbe02 "{ \"enableVdi\": \"Disabled\"}"
{
  "enableVdi": "Disabled",
  "throttlePhysicalHostMaxRefCount": 3
}
ubuntu@vm-machine:~$
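
The following Python sketch is an added example, not part of the Rubrik documentation or tooling. It checks a proposed per-host configuration against the types and limits in the per-host configurations table and builds the update command line with the JSON argument shell-quoted. The function names, and the choice to warn only on values at the exact minimum or maximum, are assumptions.

```python
import json
import re
import shlex

# Names, types and limits transcribed from the per-host configurations table.
BOOLEAN_KEYS = {
    "enableDatabaseBatchSnapshots",
    "enableGroupFetch",
    "enableVdi",
    "enableVdiDb",
}
INT_LIMITS = {
    "fileRestoreReadParallelism": (1, 64),
    "fileRestoreWriteParallelism": (1, 32),
    "fileTransferParallelism": (1, 32),
    "mssqlDefaultMaxDataStreamsPerDatabase": (1, 12),
    "physicalHostDatabaseRestoreThrottleMaxRefCount": (1, 12),
    "physicalHostLogBackupThrottleMaxRefCount": (1, 40),
    "throttlePhysicalHostMaxRefCount": (1, 40),
}
BOOLEAN_VALUES = {"Enabled", "Disabled", "Default"}

# Host IDs in the examples on this page have the form Host:::<UUID>.
HOST_ID_RE = re.compile(
    r"Host:::[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
)


def validate(config):
    """Return (errors, warnings) for a per-host configuration dict."""
    errors, warnings = [], []
    if not config:
        errors.append("configuration is empty")
    for key, value in config.items():
        if key in BOOLEAN_KEYS:
            if value not in BOOLEAN_VALUES:
                errors.append(
                    f"{key}: expected one of {sorted(BOOLEAN_VALUES)}, got {value!r}"
                )
        elif key in INT_LIMITS:
            low, high = INT_LIMITS[key]
            # bool is a subclass of int in Python, so reject it explicitly.
            if isinstance(value, bool) or not isinstance(value, int):
                errors.append(f"{key}: expected an integer, got {value!r}")
            elif not low <= value <= high:
                errors.append(f"{key}: {value} is outside {low}..{high}")
            elif value in (low, high):
                # Assumption: only the exact limits are flagged here.
                warnings.append(f"{key}: {value} is at the limit of {low}..{high}")
        else:
            errors.append(f"{key}: unknown configuration name")
    return errors, warnings


def build_update_command(host_id, config):
    """Return (command, warnings); raise ValueError on invalid input."""
    if not HOST_ID_RE.fullmatch(host_id):
        raise ValueError(f"host ID {host_id!r} is not of the form Host:::<UUID>")
    errors, warnings = validate(config)
    if errors:
        raise ValueError("; ".join(errors))
    payload = json.dumps(config, sort_keys=True)
    command = " ".join(
        [
            "cluster rubrik_tool update_mssql_host_configuration",
            host_id,
            shlex.quote(payload),  # single-quote the JSON for the shell
        ]
    )
    return command, warnings


if __name__ == "__main__":
    # Host ID taken from the example on this page; the values are constructed.
    cmd, notes = build_update_command(
        "Host:::ce828b9e-490f-4f68-bf1a-b645021fbe02",
        {"enableVdi": "Disabled", "throttlePhysicalHostMaxRefCount": 3},
    )
    print(cmd)
    for note in notes:
        print("warning:", note)
```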

Retrieving a per-host configuration


Retrieve the values from a specific host to view its per-host configuration.

Procedure
1. As admin, open a Rubrik cluster SSH session.
2. Type the cluster rubrik_tool get_mssql_host_configuration command.
The CLI command retrieves the per-host configuration for the specified host.

Example
This is an example of retrieving a per-host configuration for host ce828b9e-490f-4f68-bf1a-b645021fbe02.

ubuntu@vm-machine:~$ cluster rubrik_tool get_mssql_host_configuration Host:::ce828b9e-490f-4f68-bf1a-b645021fbe02
{
  "enableVdi": "Disabled",
  "throttlePhysicalHostMaxRefCount": 3
}
ubuntu@vm-machine:~$

Listing per-host configurations for multiple hosts


List the configurations for multiple hosts to view their per-host configurations at the same time.

Procedure
1. As admin, open a Rubrik cluster SSH session.
2. Type the cluster rubrik_tool list_mssql_host_configurations host1, host2,
host3 command.
The CLI command lists the per-host configuration for the specified hosts.

Example
This is an example of listing the per-host configuration for hosts 71b777fb-5476-4b79-a560-cfc87f20eed1
and 7b21ee64-0610-4633-83b4-820a58646192.

ubuntu@vm-machine:~$ cluster rubrik_tool list_mssql_host_configurations Host:::71b777fb-5476-4b79-a560-cfc87f20eed1,Host:::7b21ee64-0610-4633-83b4-820a58646192
{
  "data": [
    {
      "enableVdi": "Enabled",
      "hostId": "Host:::71b777fb-5476-4b79-a560-cfc87f20eed1"
    },
    {
      "enableVdi": "Disabled",
      "hostId": "Host:::7b21ee64-0610-4633-83b4-820a58646192"
    }
  ],
  "hasMore": false,
  "total": 2
}
ubuntu@vm-machine:~$

Deleting a per-host configuration


Delete a SQL Server per-host configuration to remove the option to adjust specific parameters for
individual hosts.

Context
rubrik_tool cannot delete individual numerical per-host configurations. Instead, deleting individual
per-host configurations requires deleting all configurations for a host.

Procedure
1. As admin, open a Rubrik cluster SSH session.
2. Type the cluster rubrik_tool delete_mssql_host_configuration command.
The CLI command deletes all per-host configurations.

Example
This is an example of deleting per-host configurations from host ce828b9e-490f-4f68-bf1a-b645021fbe02.

ubuntu@vm-machine:~$ cluster rubrik_tool delete_mssql_host_configuration Host:::ce828b9e-490f-4f68-bf1a-b645021fbe02
null
ubuntu@vm-machine:~$

This example deletes a boolean per-host configuration with the UPDATE/PATCH call by setting the value
for enableVdi to Default. The list call that follows returns data as an empty set.

ubuntu@vm-machine:~$ cluster rubrik_tool list_mssql_host_configurations
{
  "data": [
    {
      "enableVdi": "Disabled",
      "hostId": "Host:::96b9923c-87be-4fe2-9515-0841720cb2d3"
    }
  ],
  "hasMore": false,
  "total": 1
}
ubuntu@vm-machine:~$ cluster rubrik_tool update_mssql_host_configuration Host:::96b9923c-87be-4fe2-9515-0841720cb2d3 '{"enableVdi": "Default"}'
{}
ubuntu@vm-machine:~$ cluster rubrik_tool list_mssql_host_configurations
{
  "data": [],
  "hasMore": false,
  "total": 0
}
ubuntu@vm-machine:~$

SQL Server databases


After adding a Windows Server host to a Rubrik cluster, the SQL Server databases on that host can be
managed through the Rubrik CDM web UI.
A Rubrik cluster can manage SQL Server databases, including databases with filestreams and in-memory
tables, that are configured to use any of the following models:
• Full recovery
• Bulk-logged recovery
• Simple recovery
A database that is configured to use the Full recovery model or the Bulk-logged recovery model can be
protected through policy-driven snapshots and backups of the transaction log, or through policy-driven
snapshots only.
A database that is configured to use the Simple recovery model can be protected through policy-driven
snapshots only.
For databases that use the Full recovery model or the Bulk-logged recovery model, and have policy-based
snapshots and transaction log backups enabled on the Rubrik cluster, the following log backup options can
be configured:
• Default frequency for transaction log backups by the Rubrik cluster
• Frequency and retention of transaction log backups through settings associated with an assigned SLA
Domain

Setting the default log backup frequency


A Rubrik cluster uses the value set for the default transaction log backup frequency to determine how
frequently to back up the transaction log for a protected database.

Context
Perform these steps for Rubrik CDM versions earlier than version 7.0. In Rubrik CDM versions 7.0 and later,
the log backup frequency is configured with the SLA Domain.
The default value applies to a database unless an override value is directly set for the database or an
override value is set through an SLA Domain assignment.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > SQL Server DBs.
The Hosts/Instances tab of the SQL Server DBs page appears.
3. Open the ellipsis menu at the upper-right of the page, and select Edit Default Log Backup
Properties.
The Edit Default Log Backup Properties dialog box appears.
4. In Log Backup Frequency, type an integer value.
The integer value sets the number of minutes between backups of the transaction log. The minimum
value is 5 minutes. The default value is 15 minutes.
5. Click Update.

Result
The Rubrik cluster updates the default frequency and applies the new setting to log backups for databases
that use the default value.
Related tasks
Editing an SLA Domain
Edit an existing local SLA Domain to change the specified data protection.

Managing and protecting databases through a parent object


Protect databases by assigning an SLA Domain to the parent Windows Server host, or to the parent SQL
Server database. Derived assignment provides a way to uniformly manage and protect those databases.

Prerequisites
• Install the Rubrik Backup Service software on the Windows Server host of the database.
• Add the Windows Server host to the Rubrik cluster.

Context
A derived assignment applies to the databases that exist at the time of the assignment and to databases
that are added after the assignment.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > SQL Server DBs.
The Hosts/Instances tab of the SQL Server DBs page appears.
3. Click the selection box next to a Windows Server host or a SQL Server database.
Click the name of a Windows Server host to view the SQL Server databases on that host.
Select multiple hosts or SQL Server databases to apply the same SLA Domain protection to databases
on all of the selections.
4. Click Manage Protection.
When a database within the selection is already assigned to an SLA Domain, a warning dialog box
appears.
Click Continue Anyway to change the existing assignment to a new selection or click Cancel to
return to the Hosts/Instances tab.
The Manage Protection dialog box appears.
5. In the SLA Domain section, select an SLA Domain.
6. Optional: Select Take Copy Only Backups.
The Rubrik cluster will perform Copy Only backups for the policy-driven backups of the databases in
the selection group.
Selecting Take Copy Only Backups closes the Log Backup Frequency and Log Backup Retention fields.
7. Optional: In Log Backup Frequency, type an integer value.
Type an integer value from 5 to 99. The integer value sets the number of minutes between backups of
the transaction log. This value overrides the default log backup frequency value.
8. Optional: In Log Backup Retention, type an integer value.
The integer value sets the number of days to retain the transaction log.
9. Click Submit.

Result
The Rubrik cluster assigns the SLA Domain and other settings to all existing databases within the selection
group.

Managing and protecting individual databases


To provide data management and protection for an individual database, assign that database to an SLA
Domain.

Prerequisites
Complete these tasks:
• Install the Rubrik Backup Service software on the Windows Server host of the database.
• Add the Windows Server host to the Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > SQL Server DBs.
The Hosts/Instances tab of the SQL Server DBs page appears.
3. Click All DBs.
Alternatively, select a database through the Hosts/Instances tab by clicking values in the Name field to
move down in the hierarchy of a Windows Server host.
The All DBs tab appears.
4. Click the selection box next to a database.
Select multiple databases to apply the same SLA Domain protection settings to all of the selected
databases.
5. Click Manage Protection.
When a database within the selection group is already assigned to an SLA Domain, a warning dialog
box appears. Click Continue Anyway to change the existing assignment to a new selection. Or, click
Cancel to return to the All DBs tab.
The Manage Protection dialog box appears.
6. In the SLA Domain section, select an SLA Domain.
7. Optional: Select Take Copy Only Backups.
The Rubrik cluster will perform Copy Only backups for the policy-driven backups of the databases in
the selection group.
Selecting Take Copy Only Backups closes the Log Backup Frequency and Log Backup Retention fields.
8. Optional: To disable log backups entirely, select Disable Log Backups.
9. Optional: In Log Backup Frequency, type an integer value.
Type an integer value from 5 to 99. The integer value sets the number of minutes between backups of
the transaction log. This value overrides the default log backup frequency value.
10. Optional: In Log Backup Retention, type an integer value.
The integer value sets the number of days to retain the transaction log.
11. Click Submit.

Result
The Rubrik cluster assigns the selected SLA Domain and the other settings to all databases within the
selection group.
Related concepts
SLA update log backups
The Rubrik cluster allows administrators to configure log backups as part of an SLA Domain.

Removing an SLA Domain assignment


Remove an SLA Domain assignment from a database to prevent policy-driven snapshots and log backups
for the database. Both derived and individual SLA Domain assignments can be removed.

Context
Removing an assigned SLA Domain from a database does not block that database from a derived or
individual assignment to an SLA Domain at a later point.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > SQL Server DBs.
The Hosts/Instances tab of the SQL Server DBs page appears.
3. Select a tab to view specific protection objects.
• To view Windows Server hosts, SQL Server databases, or databases, click Hosts/Instances.
• To view databases, click All DBs.
4. Select a parent object or a database by clicking the selection box next to the object.
• Select a Windows Server host to remove the derived SLA Domain assignments for all SQL Server
databases and databases on that host.
• Select a SQL Server database to remove the derived SLA Domain assignments for all databases on
that instance.
• Select a database to individually remove the SLA Domain assignment of that database.
Select multiple objects in any of these groups to remove the SLA Domain assignment for all databases
covered by the selected group.
5. Click Manage Protection.
A warning appears.
6. Click Continue Anyway.
The Manage Protection dialog box appears.
7. Select No SLA.
8. Click Submit.

Result
The Rubrik cluster removes the SLA Domain assignments for all databases within the selection group.
Databases within the selection group that have unexpired snapshots appear on the Snapshot Management
page.

Creating an on-demand snapshot


On-demand snapshots enable the creation of snapshots outside the scope of the SLA Domain assigned to a
SQL Server database or instance.

Prerequisites
• Install the Rubrik Backup Service software on the Windows Server host of the database.
• Add the Windows Server host to the Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > SQL Server DBs.
The Hosts/Instances tab of the SQL Server DBs page appears.
3. Click All DBs.
The All DBs tab appears.
4. In the Name column, click the name of a database.
The Local page for the database appears.
5. Click Take On Demand Snapshot.
The Take On Demand Snapshot dialog box appears.
6. Select an SLA Domain.
The Rubrik cluster uses the rules and policies of the selected SLA Domain to manage the on-demand
snapshot. The selected SLA Domain can be different from the SLA Domain that protects the database.
To manually manage the on-demand snapshot through the Snapshot Management page, select
Forever.
7. Click Take On Demand Snapshot.

Result
The Rubrik cluster adds the specified on-demand backup to the task queue. The Activity Log tracks the
status of the on-demand backup task. The Rubrik cluster manages the snapshot based on the rules and
policies of the selected SLA Domain.

Creating a group on demand snapshot task


Group on-demand snapshots for SQL Server databases reduce the overhead of individual database
on-demand snapshot creation.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > SQL Server DBs.
The Hosts/Instances tab of the SQL Server DBs page appears.
3. Optional: Select one or more Windows hosts and go to step 7.
4. Optional: Click the name of a Windows host.
A list of the SQL Server instances on the Windows host appears.
5. Select one or more SQL Server instances.
6. Optional: Click the name of a single instance to list the databases under that instance. Then, select
one or more SQL Server databases for the group on demand snapshot task.
7. Open the ellipsis menu at the upper-right of the page and select Take On Demand Snapshot.
The Take On Demand Snapshot page appears.
8. Select the SLA level to assign to the on-demand snapshots.
9. Click Take On Demand Snapshot.

Result
The group on-demand snapshot task is scheduled and executed. When the task completes, each SQL
Server database in the selected Windows hosts or SQL Server instances has an individual on-demand
snapshot.

Creating a tail-log backup
Tail-log backups protect records that were written to the transaction log after the most recent transaction
log backup.

Context
Tail-log backups are only available for databases protected with the Full recovery model.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > SQL Server DBs.
The Hosts/Instances tab of the SQL Server DBs page appears.
3. Click All DBs.
The All DBs tab appears.
4. In the Name column, click the name of a database protected with the Full recovery model.
The Local page for the database appears.
5. Click Take T-Log Backup.
A notification regarding the backup job being scheduled appears.

Result
The Rubrik cluster adds the specified tail-log backup to the task queue. The Activity Log tracks the status
of the tail-log backup task.

Downloading snapshot and transaction logs


Rubrik CDM provides the ability to download backups of snapshot and transaction logs.

Context
Once the backups are downloaded, administrators can use the snapshot and transaction logs for audit
operations.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > SQL Server DBs.
The Hosts/Clusters tab of the SQL Server DBs page appears.
3. Open the ellipsis menu for the snapshot.
4. Click Download files.
The Select Files page displays a list of transaction logs and files for the most recent snapshot that
occurred prior to the selected time.
5. Check the box for each file to download.
6. Click Next.
7. Click OK to download the files.

Result
Rubrik CDM downloads backups of snapshot and transaction logs.

SQL Change Block Tracking
Change Block Tracking (CBT) uses a filter driver to track SQL database file changes as they happen.
Without CBT, the entire database is scanned at each backup interval to determine if any changes have
occurred. By using CBT, only the tracked changes are scanned to determine modifications, resulting in
improved backup performance.
CBT improves backup performance for environments with large databases, low change rate, frequent
backups, or any environment where the full scan time is adversely affecting performance. Enabling CBT
requires a small amount of memory and CPU on the host to track changes.

Configuring default CBT settings


By default, CBT is disabled. The default CBT setting specifies whether CBT is enabled or disabled on a
Windows host when the default radio button is selected for that host.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Select Hosts and click the Windows Host tab.
4. Open the ellipsis menu at the upper-right of the page, and select Edit Default CBT.
The Edit Default CBT dialog box appears.
5. Click the On or Off button to enable or disable the default CBT settings.
6. Click Update.

Result
The default CBT settings are applied to the Windows hosts.

Enabling or disabling CBT on a Windows host


CBT can be enabled or disabled for selected Windows hosts.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > SQL Server DBs.
The Hosts/Instances tab of the SQL Server DBs page appears.
3. Check the Windows host to configure CBT.
4. Open the ellipsis menu at the upper-right of the page, and select Edit CBT.
The Edit CBT dialog box appears.
5. Select On.
6. Select Update.

Result
CBT is enabled or disabled for the specified Windows host.

Change block tracking for SQL Server clusters
Rubrik clusters can use change block tracking for snapshots of SQL Server databases on failover cluster
instances.
A SQL Server database exists on the designated primary host in a failover cluster. When a failover to a new
host occurs, some data writes may occur when the database is hosted on the original primary host and
other data writes may occur when the database is moved to the new primary host. To capture all of the
writes that occur throughout a failover event, the Rubrik cluster does not use change block tracking (CBT)
for the initial snapshot after the failover. The Rubrik cluster does use CBT for subsequent snapshots.
Enabling or disabling CBT on a failover cluster enables or disables it on all hosts that are part of the
failover cluster. Any standalone databases on one of the hosts that is part of a failover cluster also acquire
the same CBT setting as the databases that are part of the failover cluster.

Enabling change block tracking for SQL Server clusters


Configure a Rubrik cluster to use change block tracking for snapshots of SQL Server databases on failover
clusters.

Context
By default, the Rubrik cluster uses CBT if the failover cluster is configured for CBT.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > SQL Server DBs.
The Hosts/Instances tab of the SQL Server DBs page appears.
3. Click Failover Clusters.
The Failover Clusters tab appears. The page lists by name each failover cluster. For each failover
cluster, the page provides the number of instances, the number of SQL Server databases, and the SLA
Domains that are assigned.
4. Click the name of a failover cluster.
The databases on the selected SQL Server database system appear. For each database, the page
lists whether log backup is enabled, whether the database is protected through Copy Only, and the
assigned SLA Domains.
5. Click the name of a SQL Server database.
The SQL Server database systems on the failover cluster appear. For each SQL Server database
system, the page provides the number of databases and the assigned SLA Domains.
6. Click the name of a database.
The Recovery Points card for the selected database appears.
7. Click Take on Demand Snapshot.
8. Click Retain Forever.
9. Click Next.
10. Click OK.
The Rubrik cluster takes the snapshot.
11. Optional: Click the status message for the snapshot.
The Activity Detail screen appears.
If the failover cluster is configured for CBT, the Activity Detail includes a line stating the backup uses
CBT.

Result
The Rubrik cluster is configured for CBT. The initial snapshot after a failover does not use CBT. Subsequent
snapshots use CBT.

Unmanaged data
Manage file system and application data that is not subject to a retention policy through the Snapshot
Management page of the Rubrik CDM web UI.
The Rubrik cluster defines backups and snapshots that do not have a retention policy as unmanaged
snapshot objects. Unmanaged snapshot objects can be managed through the Snapshot Management page
of the Rubrik CDM web UI.
View the Snapshot Management page for information about tasks with unmanaged snapshot objects.
Related concepts
Retention management
Assign retention policies to existing scheduled snapshots, on-demand snapshots, and snapshots retrieved
from an archival location.

Recovery Points card page


The Rubrik cluster provides a Recovery Points card page for every detected database.
The Recovery Points card page consists of information about the database on two cards:
• Overview card
• Recovery Points card

Overview card
The Overview card on the Recovery Points card page for a database provides general protection
management information for the database.

Field                  Description
Windows Host           The FQDN or IPv4 address of the Windows Server that is the host of the SQL Server database that manages the database.
SQL Instance           The name assigned to the SQL Server database that manages the database.
SLA Domain             The name of the SLA Domain that manages the protection of the database.
Recovery Model         Type of recovery model that controls how the transactions of the database are logged, either: Full or Simple.
Oldest Recovery Point  Timestamp of the oldest retained recovery point for the database.
Latest Recovery Point  Timestamp of the most recent retained recovery point for the database.
Local Storage          Amount of storage on the Rubrik cluster that is occupied by data from the database.
Missed Snapshots       Number of policy-driven snapshots that did not complete successfully. A missed snapshot is counted until the period since the SLA Domain policy required the snapshot exceeds the retention period of the SLA Domain.

Recovery Points card
The Recovery Points card provides access to the available snapshots and log backups of the database.
The elements of a Recovery Points card are:
• Recovery point slider–Move the slider to the left or right to select a specific recovery point.
• Recovery time line–Represents the 24 hours for the selected day. Dark gray dots indicate 6 hour
intervals. Light gray dots indicate hour intervals. Green segments of the recovery time line indicate
periods with available recovery points as a result of successful log backups. Gray segments of the
recovery time line indicate periods without available recovery points.
• Snapshot indicator–Green dots above the recovery time line indicate the points during the day when a
snapshot was created.
• Selected time–Move the recovery point slider to change the time shown in the selected time field, or
type a time of day into the field. The icon changes to a camera to indicate that a snapshot is selected or
to a document to indicate that a log backup is selected.
The ellipsis menu provides access to the following database actions:
• Restore–Restores the database to the selected point in time.
• Live Mount–Creates a database on a selected SQL Server database from a copy of the database at the
selected point in time.
• Export–Exports a copy of the database at the selected point in time to another known SQL Server
database.

Database recovery
The Rubrik cluster provides recovery of a database through snapshots of the database. When transaction
logs for the database have been backed up, the Rubrik cluster also provides the ability to recover the
database to any point in time that is within the backed up data.
For each protected database, and for each database on the Snapshot Management page, the Rubrik
cluster provides a Recovery Points card. Use the Recovery Points card to select a recovery point and to
start the recovery process.
A database can be exported as a new database from a recovery point on the Recovery Points card.
The export can be to the same SQL Server database or to another SQL Server database on any known
Windows Server host.
A database recovery point on the Recovery Points card can be used to create a Live Mount. Live Mounts
are shared directly from the Rubrik storage layer over the SMB/CIFS protocol. The Live Mount feature does
not support SQL Server databases that use filestreams or in-memory tables.

Note: The Rubrik cluster can back up SQL Server system databases, such as: ‘master’, ‘model’, and
‘msdb’, but backups of these system databases cannot be directly restored from the Rubrik cluster. System
database backups can be exported or created as Live Mounts.

Recovering a database
Restore a selected database to a specific recovery point.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > SQL Server DBs.
The Hosts/Instances tab of the SQL Server DBs page appears.
3. Click All DBs.
To work with the unmanaged snapshots for a database that is listed on the Snapshot Management
page, on the left-side menu, click Snapshot Management. Then, continue with the following steps
from the Snapshot Management page instead of the SQL Server DBs page.
The All DBs tab appears.
4. In the Name column, click the name of a database.
The Local page for the database appears, with the Recovery Points card showing the month view.
5. On the Recovery Points card, select a day that has a green dot.
The green dot indicates that at least one successful snapshot was created on that day.
The Recovery Points card displays the Day view.
6. Move the Recovery point slider to select a recovery point.
To select a snapshot, move the slider to a snapshot indicator or click the snapshot indicator dot. The
selected time icon changes.
To select a recovery point other than a snapshot time, move the slider to choose that time. The time
appears in the time field and the selected time icon changes. Alternatively, type a specific time into the
time field.
7. Open the ellipsis menu and select Restore.
The restore option does not appear when the database is one of the system databases: master, model
or msdb.
The Restore Database dialog box appears.
8. Optional: Select Keep database in Restoring state.
When selected, this option exports the database with the SQL Server NORECOVERY option. The
NORECOVERY option prevents roll back, and allows roll forward to continue.
9. Click Restore.

Result
The Rubrik cluster replaces the existing database with a copy of the database from the selected recovery
point. When the recovery point is between snapshots, the Rubrik cluster uses the log to bring the database
from the closest prior snapshot to the selected recovery point.

Live mounting a SQL Server database


Use Live Mount to create a new database from a point-in-time copy of a source database.

Context
The Rubrik cluster shares the Live Mount over the SMB/CIFS protocol and sets the protection state of the
new database to Do Not Protect.

Note: Live Mount is not supported with SQL Server 2008 databases or with SQL Server databases that
use filestreams or in-memory tables.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > SQL Server DBs.
The Hosts/Instances tab of the SQL Server DBs page appears.
3. Click All DBs.
To work with the unmanaged snapshots for a database that is listed on the Snapshot Management
page, on the left-side menu, click Snapshot Management. Then, continue with the following steps
from the Snapshot Management page instead of the SQL Server DBs page.
The All DBs tab appears.
4. In the Name column, click the name of a database.
Alternatively, enter a name in the search field or use the filters at the top left of the list.
The Local page for the database appears, with the Recovery Points card showing the month view.
5. On the Recovery Points card, select a day that has a green dot.
The green dot indicates that at least one successful snapshot was created on that day.
The Recovery Points card displays the Day view.
6. Move the Recovery point slider to select a recovery point.
To select a snapshot, move the slider to a snapshot indicator or click the snapshot indicator dot. The
selected time icon changes.
To select a recovery point other than a snapshot time, move the slider to choose that time. The time
appears in the time field and the selected time icon changes. Alternatively, type a specific time into the
time field.
7. Open the ellipsis menu and select Mount.
The Mount Database dialog box appears.
8. In Name, select a Windows Server host.
9. Click Next.
Alternatively, enter the name of a host in the search field.
10. In Name, select a SQL Server database.
Alternatively, enter the name of an instance in the search field.
11. In Live Mount Database Name, type a name.
12. Click Mount.

Result
The Rubrik cluster mounts the share to the specified Windows Server host and attaches the Live Mount
database to the specified SQL Server database.

Force Unmount
Use Force Unmount to remove the Live Mount entry and the associated storage and metadata from the
Rubrik cluster, when a normal unmount cannot be completed.
A normal unmount can be prevented by:
• A lost connection with the host of a Live Mount.
• Manually deleting the Live Mount database from the SQL Server database.
When this occurs, use Force Unmount to remove all storage and metadata for the database from the
Rubrik cluster.

Unmounting a Live Mount database


Use the Live Mounts page to unmount a Live Mount database.

Procedure
1. Log in to the Rubrik CDM web UI on the local Rubrik cluster.
2. On the left-side menu of the Rubrik CDM web UI, click Live Mounts > SQL Server DBs.
The SQL Server DB Live Mounts page appears.
3. Open the ellipsis menu next to the entry for a Live Mount database.
4. Click Unmount.
A confirmation message appears.
5. Optional: Select the Force Unmount box.
6. Click Unmount.

Result
The Rubrik cluster detaches the database from the SQL Server database and unmounts the share from the
Windows Server host.

Exporting a database
Export a copy of a selected recovery point of a database to a SQL Server database on the same Windows
Server host or on another known Windows Server host.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > SQL Server DBs.
The Hosts/Instances tab of the SQL Server DBs page appears.
3. Click All DBs.
To work with the unmanaged snapshots for a database that is listed on the Snapshot Management
page, on the left-side menu, click Snapshot Management. Then, continue with the following steps
from the Snapshot Management page instead of the SQL Server DBs page.
The All DBs tab appears.
4. In the Name column, click the name of a database.
The Local page for the database appears, with the Recovery Points card showing the month view.
5. On the Recovery Points card, select a day that has a green dot.
The green dot indicates that at least one successful snapshot was created on that day.
The Recovery Points card displays the Day view.
6. Move the Recovery point slider to select a recovery point.
To select a snapshot, move the slider to a snapshot indicator or click the snapshot indicator dot. The
selected time icon changes.
To select a recovery point other than a snapshot time, move the slider to choose that time. The time
appears in the time field and the selected time icon changes. Alternatively, type a specific time into the
time field.
7. Open the ellipsis menu and select Export.
The Export Database dialog box appears.
8. In Host, select a Windows Server host for the exported database copy.
9. Click Next.
The second view of the Export Database dialog box appears.
10. In Name, select a SQL Server database.
The Export Database dialog box shows only the SQL Server databases on the selected Windows
Server host that are a SQL Server version that is qualified to receive the exported database.
11. In Exported Database Name, type a name for the exported database recovery point.
12. In Export Path, select a method for providing the export paths.
• Default Method to provide a single path for the data files and a single path for the log files.
• Advanced Method to provide a separate path for each of the database files. The Rubrik cluster
assigns a logical name to each file and lists each file with a logical name and a path entry field.
The specified export path cannot point to existing database files. If the specified export path does not
exist, the Rubrik cluster creates it.
Each export path must point to a location that has sufficient free storage to accommodate the data
files. The Rubrik cluster checks the available space before exporting the data.
The specified location must be accessible by the selected SQL Server database.
13. (Default Method only) In Data Files Export Path, type a full path on the selected Windows Server
host.
During the export task, the Rubrik cluster places the data files for the database recovery point at the
specified location.
14. (Default Method only) In Log Files Export Path, type a full path on the selected Windows Server
host.
During the export task, the Rubrik cluster configures the database to store the database transaction
logs at the specified location.
15. (Advanced Method only) Type a full path for each logically named file in the text entry field next to
each logical name.
The path must be a full Windows path including a valid drive letter, or a valid UNC path for a network
share.
16. Optional: Select Keep database in Restoring state.
When selected, this option exports the database with the SQL Server NORECOVERY option. The
NORECOVERY option prevents roll back, and allows roll forward to continue.

Note: When using the Advanced export option, if the database is kept in a restoring state, the files are
stored in a sub-folder of the intended path.
For example, the files are stored in folder\filename\filename instead of folder\filename,
where folder is the target path and filename is the file name used for the restore process.
To avoid creating the sub-folder, choose the target file names to be the same as the original database
file names.

17. Optional: Select Overwrite data on export.
When selected, this option performs a destructive export, overwriting existing data at the target.
Selecting this option can result in data loss.
18. Click Export.

Result
The Rubrik cluster exports the database recovery point to the selected SQL Server database.

SQL Server log shipping


A secondary SQL Server database, also known as a log shipping target, is a regularly updated copy of a
primary database.
The log shipping target receives logs of the transactions that are executed on the primary database,
staying current with the state of the primary database.

Setting up a log shipping target


Setting up a log shipping target requires a primary SQL Server database that is protected by an SLA
Domain and is configured to use the Full or Bulk-logged recovery model.

Prerequisites
Register the secondary Windows Server host on the same Rubrik cluster where the primary Windows
Server host is registered.

Procedure
1. Log in to the web UI.
2. On the left-side menu, select Servers & Apps > SQL Server DBs.
The Hosts/Instances tab of the SQL Server DBs page appears.
3. Click All DBs.
The All DBs tab appears.
4. Optional: Enter a string in the “Search by Name” field to search for a specific database.
5. In the Name column, click the name of a database.
The Local page for the database appears.
6. Open the ellipsis menu at the upper-right of the page and select Add Log Shipping Secondary.
The Add Log Shipping Secondary dialog box appears, displaying a list of compatible hosts. Only hosts
that have been registered on the Rubrik cluster appear in the list.
7. Select a host.
A list of compatible instances appears.
8. Click Next.
9. Select an instance from the list of compatible instances.
10. Enter a name for the secondary database in the Secondary Database Name field.
11. Select a method for providing the export paths.
• Simple Method to provide a single path for the data files and a single path for the log files.
• Advanced Method to provide a separate path for each of the database files. The Rubrik cluster
assigns a logical name to each file and lists each file with a logical name and a path entry field.
The specified export path cannot point to existing database files. If the specified export path does not
exist, the Rubrik cluster creates it.
Each export path must point to a location that has sufficient free storage to accommodate the data
files. The Rubrik cluster checks the available space before exporting the data.
The specified location must be accessible by the selected SQL Server instance.
12. (Simple Method only) In Data Files Export Path, type a full path on the selected Windows Server
host.
During the export task, the Rubrik cluster places the data files for the database recovery point at the
specified location.
13. (Simple Method only) In Log Files Export Path, type a full path on the selected Windows Server
host.
During the export task, the Rubrik cluster configures the database to store the database transaction
logs at the specified location.
14. (Advanced Method only) Type a full path for each logically named file in the text entry field next to
each logical name.
The path must be a full Windows path including a valid drive letter, or a valid UNC path for a network
share.
15. Select a state for the secondary database.
• A database in the Restoring state cannot be read or written to.
• A database in the Standby state cannot be written to.
16. Optional: For a secondary database in the Standby state, select the Automatically disconnect
users when restoring backups box to disconnect users reading the secondary database when
shipped transaction logs are being applied to the secondary database.
17. Click Add.

Result
The Rubrik system creates a secondary database by restoring the most recent snapshot of the primary
database and prepares to ship the primary database transaction logs.
The secondary database is established and receives the transaction logs of the primary database at regular
intervals.
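
The following T-SQL is an added example, not part of the Rubrik product or its documentation. It shows how the Restoring and Standby states described above, and the NORECOVERY option behind Keep database in Restoring state, appear in the SQL Server catalog views, and how an exported database left in the Restoring state is brought online. The database names SalesDB_Secondary and SalesDB_Export are hypothetical.

```sql
-- Added example. Database names are hypothetical placeholders.

-- 1. Classify each user database by the restore state it is currently in.
--    A database restored WITH NORECOVERY reports state_desc = 'RESTORING'.
--    A Standby database reports ONLINE with is_in_standby = 1 and is read-only.
SELECT d.name,
       d.state_desc,
       d.is_in_standby,
       d.is_read_only,
       CASE
           WHEN d.state_desc = N'RESTORING'
               THEN N'Restoring: not readable, still accepts log restores'
           WHEN d.is_in_standby = 1
               THEN N'Standby: read-only, still accepts log restores'
           WHEN d.state_desc = N'ONLINE'
               THEN N'Recovered: online, restore sequence is closed'
           ELSE d.state_desc
       END AS restore_posture
FROM sys.databases AS d
WHERE d.database_id > 4          -- skip master, tempdb, model, msdb
ORDER BY d.name;

-- 2. For a Standby secondary, list the sessions that would be disconnected
--    while shipped transaction logs are applied.
SELECT s.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       s.login_time
FROM sys.dm_exec_sessions AS s
WHERE s.database_id = DB_ID(N'SalesDB_Secondary')
  AND s.is_user_process = 1;

-- 3. Bring an exported database online once no more logs will be applied.
--    Recovery rolls back uncommitted transactions and ends the restore
--    sequence, so no further log backups can be applied afterwards.
--    Do not run this against an active log shipping secondary.
IF EXISTS (SELECT 1
           FROM sys.databases
           WHERE name = N'SalesDB_Export'
             AND state_desc = N'RESTORING')
BEGIN
    RESTORE DATABASE [SalesDB_Export] WITH RECOVERY;
END;
```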

Deleting the log shipping configuration


Delete a log shipping configuration from the Rubrik cluster.

Procedure
1. Log in to the Rubrik web UI.
2. On the left-side menu, select Servers & Apps > SQL Server DBs.
The Hosts/Instances tab of the SQL Server DBs page appears.
3. Click Log Shipping Targets.
The Log Shipping Targets tab appears.
4. Open the ellipsis menu next to the log shipping configuration to delete and click Remove.
The Remove Secondary dialog box appears.
5. Optional: Check Delete from Windows host.
Option: Description
• Checked: The Rubrik cluster deletes the secondary database and the log shipping configuration.
• Unchecked: The Rubrik cluster leaves the secondary database in place, but it removes the log shipping
configuration.
6. Click Remove.

Result
The Rubrik cluster deletes the log shipping configuration and, if the Delete from Windows host check box
was selected, the secondary database. The activity logs and events for the deletion job are available on
the details page for the primary or secondary database.

Windows Server Failover Clustering


The Rubrik cluster provides protection for Windows Server Failover Clustering (WSFC) at the Failover
Cluster Instance (FCI) level.
The Rubrik Backup Service software must be installed on each of the WSFC nodes used by an FCI. Rubrik
Backup Service account on Windows describes how to install the Rubrik Backup Service.
For the account running the Rubrik Backup Service, the View server state permission must be explicitly
enabled at the server scope level for each SQL Server database in the FCI.

Automatic detection and display


The Rubrik Backup Service provides automatic detection of WSFC.
After installation, the Rubrik Backup Service automatically detects when a host is a WSFC node. The Rubrik
Backup Service then detects all SQL Server databases on the WSFC node.
For each SQL Server database that is found, the Rubrik Backup Service determines if the SQL Server
database is part of an FCI, and then detects the IP address of the FCI.
The Rubrik Backup Service transmits the detected information to the associated Rubrik cluster. The
Rubrik cluster groups the SQL Server databases of an FCI into a logical entity called a failover cluster. The
detected failover clusters appear on the Failover Clusters tab of the SQL Server DBs page in the Rubrik
CDM web UI.

Failover events
A Rubrik cluster handles WSFC failover events automatically.
When an active WSFC node fails and a secondary WSFC node becomes the active node, the Rubrik Backup
Software detects the failover and communicates the change to the Rubrik cluster. The Rubrik cluster
automatically continues to manage and protect the databases in the FCI through the new active WSFC
node.
The Rubrik cluster continues to provide for each database in the FCI:
• Same SLA Domain protection
• Access to existing backup history
• Access to existing backups

Adding failover clusters


Add failover clusters to begin managing and protecting the FCI databases on those clusters.

Procedure
1. Install the Rubrik Backup Service software on each node in the failover cluster.
Rubrik Backup Service describes the Rubrik Backup Service software, the permissions required to run
the software, and how to install the software.
2. For the account running the Rubrik Backup Service, enable the View server state permission at the
server scope level for each SQL Server database in the failover cluster.
3. Log in to the Rubrik CDM web UI.
4. On the left-side menu, click Servers & Apps > SQL Server DBs.
The Hosts/Instances tab of the SQL Server DBs page appears. Failover clusters are listed on this page
only for hosts, not for instances.
5. Click Failover Clusters.
The Failover Clusters tab appears.
6. Open the ellipsis menu at the upper-right of the page, and select Add Windows Hosts.
The Add Windows Hosts dialog box appears.
7. In IPs or Hostnames, type a comma-separated list of the IPv4 addresses or the resolvable
hostnames of each of the Windows Server hosts that is a node in the cluster.
Add all WSFC nodes to the Rubrik cluster to ensure continuous protection of SQL Server databases
in the event of a failover. The Rubrik cluster cannot protect the databases of a SQL Server database
when the active instance is on a WSFC node that has not been added to the Rubrik cluster.
The list can contain both IPv4 addresses and hostnames. The Rubrik cluster requires one IPv4 address
or one resolvable hostname for each Windows Server host.
8. Click Add.
The Rubrik cluster checks connectivity with the Rubrik Backup Service on each specified Windows
Server host and adds the Windows Server hosts that are successfully connected.

Result
The Rubrik Backup Service communicates the failover cluster information to the Rubrik cluster.
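
One way to grant the View server state permission from step 2 and confirm that it is an explicit grant rather than something inherited through a server role. This is an added example, not Rubrik code. VIEW SERVER STATE is a server-level permission, so run the script on each SQL Server instance in the failover cluster. The login name CONTOSO\svc-rbs is a hypothetical placeholder for the account running the Rubrik Backup Service.

```sql
-- Added example. CONTOSO\svc-rbs is a hypothetical placeholder login
-- that must already exist on the instance.
USE master;
GO

DECLARE @rbs_login sysname = N'CONTOSO\svc-rbs';
DECLARE @sql nvarchar(400);

-- GRANT does not accept a variable, so build the statement with QUOTENAME
-- to keep the login name safely delimited.
SET @sql = N'GRANT VIEW SERVER STATE TO ' + QUOTENAME(@rbs_login) + N';';
EXEC sys.sp_executesql @sql;

-- Verify the result.
--   explicit_state = GRANT      : the permission is explicitly enabled.
--   explicit_state = NULL       : no explicit grant exists, even if the
--                                 account can read server state through a role.
--   explicit_state = DENY       : an explicit DENY overrides any grant.
--   is_sysadmin    = 1          : the account holds far more than it needs.
SELECT pr.name                               AS login_name,
       pr.type_desc                          AS login_type,
       pr.is_disabled,
       pe.state_desc                         AS explicit_state,
       IS_SRVROLEMEMBER(N'sysadmin', pr.name) AS is_sysadmin
FROM sys.server_principals AS pr
LEFT JOIN sys.server_permissions AS pe
       ON pe.grantee_principal_id = pr.principal_id
      AND pe.class = 100                      -- server scope
      AND pe.permission_name = N'VIEW SERVER STATE'
WHERE pr.name = @rbs_login;
```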

Viewing failover clusters and databases
View the available failover clusters, the SQL Server databases on each failover cluster, the databases on
each failover cluster, and the restore points for each database.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > SQL Server DBs.
The Hosts/Instances tab of the SQL Server DBs page appears.
3. Click Failover Clusters.
The Failover Clusters tab appears. The page lists by name each failover cluster. For each failover
cluster, the page provides the number of SQL Server databases and the SLA Domains that are
assigned.
4. Click the name of a failover cluster.
The page lists by name each SQL Server database on the failover cluster. For each SQL Server
database, the page provides the assigned IP address, the number of databases, and the assigned SLA
Domains.
5. Click the name of a SQL Server database.
The page lists by name the databases on the SQL Server database. For each database, the page lists
whether it is an availability replica, whether log backup is enabled, whether the database is protected
through Copy Only, and the assigned SLA Domains.
6. Click the name of a database.

Result
The Recovery Points card for the selected database appears.

Managing and protecting FCI databases through a parent object


Protect databases in an FCI by assigning an SLA Domain to the parent failover cluster, or to the parent SQL
Server database. Deriving an SLA Domain assignment from a parent object provides a way to uniformly
manage and protect a group of FCI databases.

Prerequisites
Add each Windows Server host that is a node in the failover cluster to the Rubrik cluster.

Context
A derived assignment only applies to the FCI databases that exist at the time of the assignment.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > SQL Server DBs.
The Hosts/Instances tab of the SQL Server DBs page appears.
3. Click Failover Clusters.
The Failover Clusters tab appears.
4. Click the selection box next to a failover cluster or a SQL Server database.
Click the name of a failover cluster to view the SQL Server databases on that failover cluster.
Select failover clusters or SQL Server databases to apply the same SLA Domain protection to
databases on all of the selections.
5. Click Manage Protection.
When a database within the selection is already assigned to an SLA Domain, a warning dialog box
appears.
6. Click Continue Anyway to change the existing assignment to a new selection or click Cancel to
return to the Hosts/Instances tab.
The Manage Protection dialog box appears.
7. In the SLA Domain section, select an SLA Domain.
8. Optional: Select Take Copy Only Backups.
The Rubrik cluster will perform Copy Only backups for the policy-driven backups of the databases in
the selection group.
Selecting Take Copy Only Backups closes the Log Backup Frequency and Log Backup Retention fields.
9. Optional: In Log Backup Frequency, type an integer value.
Type an integer value from 5 to 99. The integer value sets the number of minutes between backups of
the transaction log. This value overrides the default log backup frequency value.
10. Optional: In Log Backup Retention, type an integer value.
The integer value sets the number of days to retain the transaction log.
11. Click Submit.

Result
The Rubrik cluster assigns the SLA Domain and other settings to all existing databases within the selection
group.

Managing and protecting individual FCI databases


To provide data management and protection for an individual FCI database, assign that database to an SLA
Domain.

Prerequisites
Add each Windows Server host that is a node in the failover cluster to the Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > SQL Server DBs.
The Hosts/Instances tab of the SQL Server DBs page appears.
3. Click All DBs.
Alternatively, select a database through the Failover Cluster tab by clicking values in the Name field to
move down in the hierarchy of a failover cluster.
The All DBs tab appears.
4. Click the selection box next to an FCI database.
Select multiple databases to apply the same SLA Domain protection settings to all of the selected
databases.
5. Click Manage Protection.
When a database within the selection group is already assigned to an SLA Domain, a warning dialog
box appears.
6. Click Continue Anyway.
The Manage Protection dialog box appears.
7. In the SLA Domain section, select an SLA Domain.
8. Optional: Select Take Copy Only Backups.
Selecting Take Copy Only Backups closes the Log Backup Frequency and Log Backup Retention fields.
The Rubrik cluster performs Copy Only backups for the policy-driven backups of the databases in the
selection group.
9. Optional: In Log Backup Frequency, type an integer value.
Type an integer value from 5 to 99. The integer value sets the number of minutes between backups of
the transaction log. This value overrides the default log backup frequency value.
10. Optional: In Log Backup Retention, type an integer value.
The integer value sets the number of days to retain the transaction log.
11. Click Submit.

Result
The Rubrik cluster assigns the selected SLA Domain and the other settings to all databases within the
selection group.

Removing an SLA Domain assignment


Remove an SLA Domain assignment from a database to prevent policy-driven snapshots and log backups
for the database. Both derived and individual SLA Domain assignments can be removed.

Context
Removing an assigned SLA Domain from a database does not block that database from a derived or
individual assignment to an SLA Domain at a later point.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > SQL Server DBs.
The Hosts/Instances tab of the SQL Server DBs page appears.
3. Select a tab to view specific protection objects.
• To view failover clusters, SQL Server databases, or FCI databases, click Failover Clusters.
• To view databases, click All DBs.
4. Select a parent object or a database by clicking the selection box next to the object.
• Select a failover cluster to remove the derived SLA Domain assignments for all SQL Server
databases and FCI databases on that failover cluster.
• Select a SQL Server database to remove the derived SLA Domain assignments for all databases on
that instance.
• Select a database to individually remove the SLA Domain assignment of that database.
Select multiple objects in any of these groups to remove the SLA Domain assignment for all databases
covered by the selected group.
5. Click Manage Protection.
A warning appears.
6. Click Continue Anyway.
The Manage Protection dialog box appears.
7. Select No SLA.
8. Click Submit.

Result
The Rubrik cluster removes the SLA Domain assignments for all databases within the selection group.
Databases within the selection group that have unexpired snapshots appear on the Snapshot Management
page.

Creating an on-demand snapshot
Create an on-demand snapshot of an FCI database.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > SQL Server DBs.
The Hosts/Instances tab of the SQL Server DBs page appears.
3. Click All DBs.
The All DBs tab appears.
4. In the Name column, click the name of an FCI database.
The Local page for the FCI database appears.
5. Click Take On Demand Snapshot.

Result
The Rubrik cluster adds the on-demand snapshot task to the task queue. Task messages for the
on-demand snapshot appear in the Activity Log.

Recover or export from FCI database recovery points


To recover an FCI database to a selected recovery point or to export a copy of a selected FCI database
recovery point, use the same steps that are required to recover or export other databases.
• To recover an FCI database to a selected recovery point, complete the steps described in Recovering a
database.
When recovering an FCI database, confirm the data recovery path is within the shared storage of the
FCI.
• To export a copy of a selected FCI database recovery point, complete the steps described in Exporting a
database.

Always On Availability Groups


The Rubrik cluster supports data protection for availability databases in an Always On Availability Group.
The Rubrik Backup Service software must be installed on each of the Windows Server hosts to protect the
availability databases.
The account running the Rubrik Backup Service on each Windows Server host must have appropriate
permissions. These are the same permissions required to access a standalone Windows Server host.
Each SQL Server host added must have its own name. Do not add the availability group (AG) listener as a
Windows host.
Prioritizing the synchronous secondary replica for protection by the Rubrik cluster minimizes impact on the
primary replica.
The Rubrik cluster supports export of an availability database backup as a database that exists outside of
the Always On Availability Group. The Rubrik cluster does not support in-place restore of an availability
database backup. Availability databases are actively involved in database mirroring sessions and cannot be
directly replaced by a backup.
Rubrik clusters support availability databases in an Always On Availability Group and provide
auto-protection for availability databases based on the SQL Server database backup settings described
in the following table.

Database setting: sys.availability_groups.automated_backup_preference_desc
Description:
• PRIMARY: only use the primary replica for backups
• SECONDARY_ONLY: only use a secondary replica for backups
• SECONDARY: prefer using a secondary replica, but use a primary if no secondaries are available
• NONE: no preference with respect to whether a replica is primary or secondary

Database setting: sys.availability_replicas.backup_priority
Description: A value from 0 to 100, with higher numbers assigning higher priority. Set this value to 0
to never use this replica.

For details on managing these settings, refer to the Microsoft SQL Server documentation.
In order to prevent unauthorized access to database replicas, Rubrik clusters rely on the availability groups
information in the sys.availability_databases_cluster table during the discovery process. Restrict the
visibility of the group_id and group_database_id identifiers to the smallest practicable number of people to
further reduce the risk of unauthorized access.
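
The backup settings in the table above, and the identifiers in sys.availability_databases_cluster, can be inspected directly on a replica. The following queries are an added example, not Rubrik code. The last query assumes that VIEW ANY DEFINITION and CONTROL SERVER are the server-level permissions to review for metadata visibility; confirm the exact requirements for each catalog view in the Microsoft SQL Server documentation.

```sql
-- Added example. Run on a replica of the availability group.

-- 1. Backup preference per availability group and priority per replica.
--    A backup_priority of 0 means the replica is never used for backups.
SELECT ag.name                              AS availability_group,
       ag.automated_backup_preference_desc,
       ar.replica_server_name,
       ar.availability_mode_desc,
       ar.backup_priority,
       ars.role_desc                        -- NULL for replicas not visible locally
FROM sys.availability_groups AS ag
JOIN sys.availability_replicas AS ar
     ON ar.group_id = ag.group_id
LEFT JOIN sys.dm_hadr_availability_replica_states AS ars
     ON ars.replica_id = ar.replica_id
ORDER BY ag.name, ar.backup_priority DESC;

-- 2. Availability databases as recorded in sys.availability_databases_cluster,
--    with whether this replica is currently the preferred backup replica.
SELECT ag.name                              AS availability_group,
       adc.database_name,
       adc.group_id,
       adc.group_database_id,
       sys.fn_hadr_backup_is_preferred_replica(adc.database_name)
                                            AS local_replica_is_preferred
FROM sys.availability_databases_cluster AS adc
JOIN sys.availability_groups AS ag
     ON ag.group_id = adc.group_id
ORDER BY ag.name, adc.database_name;

-- 3. Starting point for reviewing who can see the identifiers above:
--    explicit server-level grants of broad metadata permissions
--    (assumed relevant set, see lead-in) and sysadmin members.
SELECT pr.name          AS principal_name,
       pr.type_desc,
       pe.permission_name,
       pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr
     ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 100
  AND pe.permission_name IN (N'VIEW ANY DEFINITION', N'CONTROL SERVER')
  AND pe.state IN ('G', 'W')
UNION ALL
SELECT m.name, m.type_desc, N'sysadmin role member', N'ROLE'
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY principal_name;
```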
Related reference
SQL Server permissions required for backups
Permissions required to perform Rubrik CDM backups on SQL Server.

Exporting or restoring an availability database recovery point


Export or restore an availability database recovery point.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Servers & Apps > SQL Server DBs.
The Hosts/Instances tab of the SQL Server DBs page appears.
3. Click Availability Groups.
The Availability Groups tab appears.
4. Optional: Enter a string in the Search by Name field to display availability groups matching that
string.
5. Optional: Choose an SLA Domain from the Filter SLA drop-down to display availability groups
protected by the chosen SLA Domain.
6. In the Name column, click the name of an availability group.
The databases in the selected availability group display.
7. Click the name of a database in the availability group.
The Local page for the database appears, with the Recovery Points card showing the month view.
8. On the Recovery Points card, select a day that has a green dot.
The green dot indicates that at least one successful snapshot was created on that day.
The Recovery Points card displays the Day view.
9. Move the Recovery point slider to select a recovery point.
10. Export or restore the database recovery point.
11. Choose a recovery method:
• Export the database recovery point, as described in Exporting a database.
• Restore the database recovery point, using the method described in Workflow to restore a
database into an Always On Availability Group.

Result
Rubrik CDM exports or restores an availability database recovery point.

Workflow to restore a database into an Always On Availability Group


Availability Group databases are actively involved in database mirroring sessions and cannot be
automatically replaced by a backup. Rubrik CDM does not directly export, restore, or Live Mount any
database into an Always On Availability Group (AAG).

Procedure
1. Remove the databases from the AAG.
2. Drop the databases from each member.
3. Use the Rubrik CDM web UI to refresh the hosts.
4. Export the databases using the steps described in Exporting a database to each member in the AAG,
using the same point in time for each export.
For all secondary members of the AAG, select Keep database in Restoring state.
5. Add the databases back to the AAG, selecting "Join Only" for the data synchronization option.

Result
The database is restored into an Always On Availability Group.
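
The SQL Server side of this workflow (steps 1, 2, and 5) can also be carried out in T-SQL. The following script is an added example, not Rubrik code, and steps 3 and 4 are still performed in the Rubrik CDM web UI. The availability group name AG1 and the database name SalesDB are hypothetical; each section states which replica it is run on.

```sql
-- Added example. [AG1] and [SalesDB] are hypothetical names.

-- Step 1. On the PRIMARY replica: remove the database from the group.
ALTER AVAILABILITY GROUP [AG1] REMOVE DATABASE [SalesDB];

-- Step 2a. On the PRIMARY replica: the database is still online, so close
--          open connections before dropping it.
ALTER DATABASE [SalesDB] SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
DROP DATABASE [SalesDB];

-- Step 2b. On EACH SECONDARY replica: drop the local copy as well.
DROP DATABASE [SalesDB];

-- Steps 3 and 4 are done in the Rubrik CDM web UI: refresh the hosts, then
-- export the same point in time to every member, selecting
-- "Keep database in Restoring state" for the secondary members.

-- Check before step 5, on EVERY member. Expected result:
--   primary   : state_desc = ONLINE
--   secondary : state_desc = RESTORING
SELECT name, state_desc, recovery_model_desc
FROM sys.databases
WHERE name = N'SalesDB';

-- Step 5a. On the PRIMARY replica: add the database back to the group.
ALTER AVAILABILITY GROUP [AG1] ADD DATABASE [SalesDB];

-- Step 5b. On EACH SECONDARY replica: join the restored copy. This is the
--          T-SQL equivalent of the "Join Only" data synchronization option.
ALTER DATABASE [SalesDB] SET HADR AVAILABILITY GROUP = [AG1];

-- Verify, on the PRIMARY replica: every replica should report a
-- synchronization state and a healthy status for the database.
SELECT ar.replica_server_name,
       DB_NAME(drs.database_id)         AS database_name,
       drs.is_local,
       drs.synchronization_state_desc,
       drs.synchronization_health_desc
FROM sys.dm_hadr_database_replica_states AS drs
JOIN sys.availability_replicas AS ar
     ON ar.replica_id = drs.replica_id
WHERE DB_NAME(drs.database_id) = N'SalesDB'
ORDER BY ar.replica_server_name;
```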

Chapter 24
SAP HANA databases


Protect and manage data from SAP HANA databases.


A Rubrik cluster provides data management and protection for SAP HANA Databases.
HANA Studio or HANA Cockpit software from SAP can be used to initiate or schedule backup and recovery.
Internally, Rubrik uses Managed Volumes, which can be assigned SLA policies, to store and retrieve SAP
HANA database backup files.

Note: To obtain information about using SAP HANA Studio and SAP HANA Cockpit, go to: SAP HANA Help
Portal.

Rubrik recommends using the native SAP HANA protection instead of using managed volumes and NFS.
For more information, see SAP HANA protection in the Rubrik Polaris User Guide.

SAP HANA backup retention


Retention of SAP HANA backups can be managed through SAP HANA Studio or SAP HANA Cockpit or
through the Rubrik SAP SLA Manager utility.
SAP HANA backups can be stored on a Rubrik cluster, be replicated to another Rubrik cluster, or be
archived to the Cloud.
The policies for backup retention are set at the Managed Volume level through Rubrik CDM web UI.
Backups that are not removed from SAP HANA can be restored immediately using SAP HANA Studio or
SAP HANA Cockpit without additional configuration from Rubrik CDM. Backups that are removed from
SAP HANA, but are still retained through Rubrik (either on a Rubrik cluster or archived to Cloud), can be
restored.
The following table lists an example of SAP HANA backup retention.

| SAP HANA Backup | Current Managed Volume snapshot | Available Managed Volume snapshots | Expired Managed Volume snapshots | Deletion through SAP HANA Studio or Cockpit or through Script | SAP HANA backups available in Managed Volume snapshots | SAP HANA backups available for direct restore |
|---|---|---|---|---|---|---|
| 1 | (1) | (1) | None | No | 1 | 1 |
| 2 | (1,2) | (1), (1,2) | None | No | 1,2 | 1,2 |
| 3 | (1,2,3) | (1), (1,2), (1,2,3) | None | No | 1,2,3 | 1,2,3 |
| 4 | (2,3,4) | (1,2), (1,2,3), (2,3,4) | (1) | Yes, Backup 1 | 1,2,3,4 | 2,3,4 |
| 5 | (3,4,5) | (1,2,3), (2,3,4), (3,4,5) | (1,2) | Yes, Backup 2 | 1,2,3,4,5 | 3,4,5 |
| 6 | | (2,3,4), (3,4,5), (4,5,6) | (1,2,3) | Yes, Backup 3 | 2,3,4,5,6 | 4,5,6 |
| 7 | | (3,4,5), (4,5,6), (5,6,7) | (2,3,4) | Yes, Backup 4 | 3,4,5,6,7 | 5,6,7 |
| 8 | | (4,5,6), (5,6,7), (6,7,8) | (3,4,5) | Yes, Backup 5 | 4,5,6,7,8 | 6,7,8 |
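
The retention example can be replayed with a short simulation. This is an added example, not Rubrik code; the function and field names are hypothetical. It assumes what the table implies: SAP HANA keeps its three newest backups, Rubrik keeps the three newest Managed Volume snapshots, and each snapshot captures the backups that are in the SAP HANA catalog when it is taken.

```python
"""Replay of the SAP HANA retention example (added illustration, not Rubrik code)."""
from dataclasses import dataclass

# Assumptions read off the table: SAP HANA keeps its 3 newest backups and
# Rubrik keeps the 3 newest Managed Volume snapshots.
HANA_KEEP = 3
SNAPSHOT_KEEP = 3


@dataclass(frozen=True)
class Row:
    backup: int                 # number of the backup just taken
    current_snapshot: tuple     # backups captured by the snapshot taken now
    available_snapshots: tuple  # snapshots Rubrik still retains
    expired_snapshots: tuple    # snapshots that expired at this step
    deleted_from_hana: tuple    # backups removed from the SAP HANA catalog now
    in_snapshots: tuple         # backups present in any retained snapshot
    direct_restore: tuple       # backups still in the SAP HANA catalog


def simulate(num_backups, hana_keep=HANA_KEEP, snapshot_keep=SNAPSHOT_KEEP):
    """Return one Row per backup, in the column order of the table."""
    if hana_keep < 1 or snapshot_keep < 1:
        raise ValueError("retention counts must be at least 1")
    catalog, retained, rows = [], [], []
    for n in range(1, num_backups + 1):
        # SAP HANA side: take backup n, then delete whatever exceeds retention.
        catalog.append(n)
        deleted = tuple(catalog[:-hana_keep])
        catalog = catalog[-hana_keep:]
        # Rubrik side: snapshot the Managed Volume, then expire old snapshots.
        current = tuple(catalog)
        retained.append(current)
        expired = tuple(retained[:-snapshot_keep])
        retained = retained[-snapshot_keep:]
        in_snapshots = tuple(sorted({b for snap in retained for b in snap}))
        rows.append(Row(n, current, tuple(retained), expired, deleted,
                        in_snapshots, tuple(catalog)))
    return rows


def only_via_rubrik(row):
    """Backups gone from the SAP HANA catalog but still held in a snapshot."""
    return tuple(b for b in row.in_snapshots if b not in row.direct_restore)


if __name__ == "__main__":
    for row in simulate(8):
        print(row.backup, row.current_snapshot, row.available_snapshots,
              row.expired_snapshots, row.deleted_from_hana,
              row.in_snapshots, row.direct_restore,
              "Rubrik-only:", only_via_rubrik(row))
```

The `only_via_rubrik` column is the set of backups that can no longer be restored directly from SAP HANA Studio or Cockpit and depend on the retained Managed Volume snapshots.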

Related tasks
Restoring an SAP HANA database
The SAP HANA Studio client or SAP HANA Cockpit is used to restore SAP HANA databases. Any database
that was configured with Rubrik Backup by running the sap_hana_bootstrap_main program can be restored.

Rubrik Backup Service for SAP HANA


Install and configure the Rubrik Backup Service on a SAP HANA host to allow backup and restore of SAP
HANA databases.
Follow the Linux rpm instructions when downloading the rubrik-agent.x86_64.rpm binary and
installing the Rubrik Backup Service (RBS) software.
rubrik-agent.x86_64.rpm creates transition locks in /var/lib/rpm. Make sure the permissions are
set correctly in this directory to create these locks.
Installing RBS copies the following executable files to /usr/bin/rubrik/sap_hana:
• sap_hana_agent_main – The SAP HANA backint binary that performs backup and restore operations
using third party tools.
• sap_hana_bootstrap_main – The RBS setup script that configures backint for Rubrik CDM.

Important: Before the RBS software is upgraded, pause any SAP HANA backups. RBS software upgrade
can occur automatically whenever the Rubrik CDM software is upgraded on the associated Rubrik cluster.

Requirements for using sap_hana_bootstrap_main


Requirements for running SAP HANA with a Rubrik cluster include appropriate permissions, passwords, port
numbers, the SAP HANA SID, and the Rubrik prefix.
The following are requirements for using sap_hana_bootstrap_main.
• The agent must be run as the root user. This is required to append mount points in the /etc/fstab file.
The script creates and modifies all required files only inside the /usr/bin/rubrik directory. Other than
edits to the /etc/fstab file, no other Linux system files are accessed or modified by the bootstrap
agent.
• In multi-host systems, the agent requires the root password of other hosts if password-less ssh to other
hosts is not configured on the master node.

• The SQL port number to connect to the database. This is required to fetch all host details in a
multi-host environment and to configure backint settings in SAP HANA.
The SQL port number is in the form of 3instance_number15 for a single-container system (for example,
30015) and 3instance_number13 for a multi-container system (for example, 30013).
Alternatively, use this SQL command to get the relevant port number of the SAP HANA database:

SELECT SQL_PORT FROM SYS_DATABASES.M_SERVICES WHERE ( SERVICE_NAME = 'nameserver' and COORDINATOR_TYPE = 'MASTER' );
• The SAP HANA SID. This is a system ID that consists of three alphanumeric characters, and is used to
identify the SAP HANA system. Search on SID at https://help.sap.com.
• The Rubrik prefix is a unique ID used to determine the managed volume for which the SLA is to be
changed. Providing the SID and prefix prevents two HANA systems from using the same SID and
from containing databases with the same names sharing a common Rubrik cluster. The prefix is user-
generated. Use the same prefix for a HANA system that was used while bootstrapping the system.
Rubrik recommends maintaining a RID-to-HANA system mapping to avoid conflicts. The SLA can be
assigned only to databases that are already configured.
• sap_hana_agent_main and the sap_hana_bootstrap agent must be in the same directory.
• The SQL port number, which is in the form of 3instance_number15 for a single-container system and
3instance_number13 for a multi-container system.

Including a JSON file with the bootstrap script


Include a JSON file containing the sap_hana_bootstrap_main configuration parameters.
The syntax is:

[root@linux-vm sap_hana]# ./sap_hana_bootstrap_main --json_config path_to_json_file

For example, this JSON file contains all parameters necessary to configure a SAP HANA system named
DB_SP2.

{
    "port_number": "30115",
    "hana_sid": "SP2",
    "rubrik_prefix": "abcd",
    "rubrik_node_ip": "10.0.38.71",
    "action_number": "2",
    "num_backint_channels": "1",
    "sla_to_be_assigned": "Bronze",
    "DB_SP2": {
        "data_mv_size": "20",
        "log_mv_size": "10",
        "ip_subnet": "",
        "client_name_patterns": "10.0.89.224,localhost",
        "num_mv_channels": "1"
    },
    "SYSTEMDB": {
        "data_mv_size": "200",
        "log_mv_size": "10",
        "ip_subnet": "",
        "client_name_patterns": "10.0.89.224,localhost",
        "num_mv_channels": "2"
    }
}

Here, action_number is the index of the operation to run, taken from the list of operations that this
script can execute.
If the JSON file does not contain all the parameters, sap_hana_bootstrap_main prompts for the
missing parameters interactively during its execution.
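
Because a missing parameter turns an unattended run into an interactive one, it helps to review the file before passing it to --json_config. The following check is an added example, not part of the Rubrik tooling; the function names are hypothetical, the key list is taken from the example file above (treating it as the complete parameter set is an assumption), and the format checks use only the SQL port and SID forms stated in the requirements.

```python
"""Pre-flight review of a sap_hana_bootstrap_main JSON file (added example)."""
import json
import re

# Key names are taken from the example file on this page. Treating them as the
# complete parameter set is an assumption.
TOP_LEVEL_KEYS = ("port_number", "hana_sid", "rubrik_prefix", "rubrik_node_ip",
                  "action_number", "num_backint_channels", "sla_to_be_assigned")
DATABASE_KEYS = ("data_mv_size", "log_mv_size", "ip_subnet",
                 "client_name_patterns", "num_mv_channels")
NUMERIC_KEYS = {"num_backint_channels", "data_mv_size", "log_mv_size",
                "num_mv_channels"}

# Formats stated in the requirements: 3<instance_number>13 or
# 3<instance_number>15, and a SID of three alphanumeric characters.
PORT_RE = re.compile(r"3\d{2}1[35]")
SID_RE = re.compile(r"[A-Za-z0-9]{3}")


def _check_numeric(path, value, problems):
    if not str(value).isdigit():
        problems.append(f"{path}: expected a whole number, got {value!r}")


def review_config(text):
    """Return (missing, problems) for the JSON document in `text`.

    missing  -- parameters absent from the file; the script prompts for these
    problems -- values that contradict a format stated on this page
    """
    cfg = json.loads(text)
    if not isinstance(cfg, dict):
        raise ValueError("top level of the configuration must be a JSON object")
    missing, problems = [], []

    for key in TOP_LEVEL_KEYS:
        if key not in cfg:
            missing.append(key)
        elif key in NUMERIC_KEYS:
            _check_numeric(key, cfg[key], problems)

    if "port_number" in cfg and not PORT_RE.fullmatch(str(cfg["port_number"])):
        problems.append(f"port_number: {cfg['port_number']!r} is not of the "
                        "form 3<instance_number>13 or 3<instance_number>15")
    if "hana_sid" in cfg and not SID_RE.fullmatch(str(cfg["hana_sid"])):
        problems.append(f"hana_sid: {cfg['hana_sid']!r} is not three "
                        "alphanumeric characters")

    # Every nested object is treated as one database block (DB_SP2, SYSTEMDB).
    for name, block in cfg.items():
        if not isinstance(block, dict):
            continue
        for key in DATABASE_KEYS:
            if key not in block:
                missing.append(f"{name}.{key}")
            elif key in NUMERIC_KEYS:
                _check_numeric(f"{name}.{key}", block[key], problems)
    return missing, problems


# The example file from this page, embedded so the check runs offline.
PAGE_EXAMPLE = """
{
    "port_number": "30115", "hana_sid": "SP2", "rubrik_prefix": "abcd",
    "rubrik_node_ip": "10.0.38.71", "action_number": "2",
    "num_backint_channels": "1", "sla_to_be_assigned": "Bronze",
    "DB_SP2": {"data_mv_size": "20", "log_mv_size": "10", "ip_subnet": "",
               "client_name_patterns": "10.0.89.224,localhost",
               "num_mv_channels": "1"},
    "SYSTEMDB": {"data_mv_size": "200", "log_mv_size": "10", "ip_subnet": "",
                 "client_name_patterns": "10.0.89.224,localhost",
                 "num_mv_channels": "2"}
}
"""

if __name__ == "__main__":
    missing, problems = review_config(PAGE_EXAMPLE)
    print("will be prompted for:", missing or "nothing")
    print("format problems:", problems or "none")
```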

Including user names and passwords at the command line


sap_hana_bootstrap_main accepts usernames and passwords at the command line.
sap_hana_bootstrap_main allows users to include the Rubrik user name and password and the
SAP HANA SYSTEM database password at the command line instead of typing them interactively when
prompted.
The syntax is:

sap_hana_bootstrap_main [--username rubrik_username] [--password rubrik_password]
                        [--systemdb_password SYSTEM_DB_password]

If any of these are not included at the command line, sap_hana_bootstrap_main prompts for them
during the session.
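
On Linux, a process's arguments can be read through /proc/<pid>/cmdline for as long as it runs, normally by any local user, so credentials given with --password or --systemdb_password are exposed in a way that the interactive prompts are not. The following audit check is an added example, not part of the Rubrik tooling; the function names are hypothetical and the sample argv in the usage section is constructed. It reports which credential flags a running bootstrap process carries without echoing their values.

```python
"""Audit check for credentials passed on a command line (added example)."""
import os

# Credential flags documented on this page for sap_hana_bootstrap_main.
SECRET_FLAGS = ("--password", "--systemdb_password")
SCRIPT_NAME = "sap_hana_bootstrap_main"


def exposed_flags(cmdline: bytes):
    """Return the credential flags that carry a value in a NUL-separated argv
    blob (the format of /proc/<pid>/cmdline). Values are never returned."""
    args = [a.decode("utf-8", "replace") for a in cmdline.split(b"\0") if a]
    found = []
    for i, arg in enumerate(args):
        # The page documents "--flag value"; also catching "--flag=value" is
        # a defensive assumption about how the script parses arguments.
        flag, sep, inline_value = arg.partition("=")
        if flag not in SECRET_FLAGS or flag in found:
            continue
        if sep:
            has_value = bool(inline_value)
        else:
            nxt = args[i + 1] if i + 1 < len(args) else ""
            has_value = bool(nxt) and not nxt.startswith("--")
        if has_value:
            found.append(flag)
    return found


def scan_proc(proc_root="/proc", script_name=SCRIPT_NAME):
    """Return [(pid, flags)] for live processes whose argv names the bootstrap
    script and exposes at least one credential flag."""
    hits = []
    pids = sorted(int(e) for e in os.listdir(proc_root) if e.isdigit())
    for pid in pids:
        try:
            with open(os.path.join(proc_root, str(pid), "cmdline"), "rb") as fh:
                blob = fh.read()
        except OSError:
            continue  # process exited, or access is restricted (e.g. hidepid)
        if script_name.encode() not in blob:
            continue
        flags = exposed_flags(blob)
        if flags:
            hits.append((pid, flags))
    return hits


if __name__ == "__main__":
    # Constructed argv, as it would appear in /proc/<pid>/cmdline.
    sample = (b"./sap_hana_bootstrap_main\0--username\0admin\0"
              b"--password\0CONSTRUCTED\0--systemdb_password\0CONSTRUCTED\0")
    print("sample argv exposes:", exposed_flags(sample))
    if os.path.isdir("/proc"):
        for pid, flags in scan_proc():
            print(f"pid {pid} exposes {', '.join(flags)}")
```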

Enabling SSL connections


The sap_hana_bootstrap_main script connects to the SAP HANA database to configure the Rubrik Backup.
However, some sites allow only SSL connections to the SAP HANA database.
Use these flags while running the bootstrap script to enable SSL and TLS encrypted connections:

| Parameter | Description |
|---|---|
| --secure | Enable SSL and TLS encryption. |
| --crypto_provider CRYPTO_PROVIDER | Specify commoncrypto*, sapcrypto (if installed), or openssl. |
| --trust_store TRUST_STORE | Specify the path to the trust store file that contains the server’s public certificates. |
| --key_store KEY_STORE | Specify the path to the keystore file that contains the private key. |
| --host_name_in_cert HOST_NAME | Specify the host name used to verify SAP HANA's identity. This host name verifies the identity of the server instead of the host name that established the connection. |
| --validate_cert | Specify whether to validate the server's certificate. |

commoncrypto requires dynamic libraries. If commoncrypto is used, issue the following before running the
sap_hana_bootstrap_main script:

export LD_LIBRARY_PATH=path_to_libsapcrypto.so:$LD_LIBRARY_PATH
export SECUDIR=certificate_directory_path

Typically, libsapcrypto.so is located in /usr/sap/hostctrl/exe, and the security certificates are
located in /usr/sap/<SID>/HDBinstance_number/hostname/ip/sec.
Search for "Connect Method and Python Connection Properties" on https://help.sap.com/ for more
information.

Registering SAP HANA database
Use a script to register the Rubrik Backup Service (RBS) for SAP HANA databases.

Context
The sap_hana_bootstrap_main script accepts a series of inputs until you enter the admin password, after
which it starts the installation (see the sample session below).

Procedure
1. Open an SSH session on the host running SAP HANA.
2. Change the working directory to /usr/bin/rubrik/sap_hana.
3. As root, run sap_hana_bootstrap_main.
4. Enter the username for the SAP HANA system.
The user need not be the SYSTEM user.
5. Type the password for the SAP HANA user and press Enter.
6. Type the port number for the SAP HANA database and press Enter.
7. Type the HANA SID and press Enter.
The HANA SID is a three-character ID.
8. Type the Rubrik prefix and press Enter.
sap_hana_bootstrap_main displays a list of configuration options.
9. Type 1 to install Rubrik Backup Service on one or more SAP nodes, and press Enter.
10. Type the resolvable hostname or IPv4 address of the Rubrik node and press Enter.
11. Type the name of the Rubrik cluster administrator and press Enter.
The name of the cluster administrator is typically "admin".
12. Type the account password and press Enter.

Result
A message appears saying the setup was successful.

Example

[root@linux-vm sap_hana]# ./sap_hana_bootstrap_main

=== Rubrik SAP HANA Setup ===


SAP HANA Details (for configuring SAP HANA backups with Rubrik)

Password for 'SYSTEM' DB user (password won't be stored):


Port number of System database: (E.g. 30113)( Press 'h' for help ) 30015
Enter HANA SID: HDB
Enter 'Rubrik prefix' (This should be unique for different HANA instances
using same Rubrik cluster): rbk
[1] Install Rubrik Backup Service on oneor more SAP nodes (Press 1)
[2] Configure Rubrik backup for one or more DB instances (Press 2)
[3] Uninstall Rubrik (Press 3)
[4] Configure system to copy remote database (Press 4)
[5] Configure system to restore a DB from an exported managed-volume
snapshot (Press 5)
[6] Pause/Resume SAP Backups on Rubrik (Press P to pause or R to resume)
[7] Configure SLA for DB managed volumes(Press 7)
1

=== RUBRIK CLUSTER CREDENTIALS ===

Enter Hostname/IP of the Rubrik node: 10.58.52.125
Enter admin username for Rubrik cluster [admin]:
Enter password for user 'admin':
Verifying host registration...

Setup successful
[root@linux-vm sap_hana]#

Related concepts
Requirements for using sap_hana_bootstrap_main
Requirements for running SAP HANA with a Rubrik cluster include appropriate permissions, passwords, port
numbers, the SAP HANA SID, and the Rubrik prefix.

Configuring Rubrik backup for SAP HANA databases


Configure the Rubrik Backup Service (RBS) for SAP HANA databases.

Prerequisites
Install RBS on the node containing the SAP HANA database.

Context
The sap_hana_bootstrap_main script accepts a series of inputs until you enter the admin password, after
which it starts the installation.

Procedure
1. Open an SSH session on the host running SAP HANA.
2. Change the working directory to /usr/bin/rubrik/sap_hana.
3. As root, run sap_hana_bootstrap_main.
4. Type the password for the SYSTEM database user and press Enter.
5. Type the port number for the SAP HANA database and press Enter.
6. Type the HANA SID and press Enter.
The HANA SID is a three-character ID.
7. Type the Rubrik prefix and press Enter.
A list of configuration options appears.
8. Type 2 to configure Rubrik Backup Service for one or more database instances, and press Enter.
9. Type the resolvable hostname or IPv4 address of the Rubrik node and press Enter.
10. Type the name of the Rubrik cluster administrator and press Enter.
The name of the cluster administrator is typically "admin".
11. Type the account password and press Enter.
sap_hana_bootstrap_main verifies the host registration.
12. At the Enter number of MV channels to use prompt, type the number of Managed Volume
channels.

Important: This selection also sets the parallel Backint data backup configuration values to the same
value.

The managed volume channels are created, and sap_hana_bootstrap_main displays the database
state details.
13. Type the number of Backint channels per managed volume channel and press Enter.

sap_hana_bootstrap_main configures the end user and displays the current state of the
database.
14. Type the number corresponding to the SLA assigned to the managed volume.
sap_hana_bootstrap_main displays a list of databases that do not have backup enabled.
15. Type a comma-separated list of numbers corresponding to the databases on which to enable backup
and press Enter.
16. Type the Managed Volume size, in GB, and press Enter.
17. Type the Managed Volume log size, in GB, and press Enter.
18. Type the IP subnet for the outgoing LAN interface, and press Enter.

Result
The setup successful message appears.
Related concepts
Requirements for using sap_hana_bootstrap_main
Requirements for running SAP HANA with a Rubrik cluster include appropriate permissions, passwords, port
numbers, the SAP HANA SID, and the Rubrik prefix.
Managed Volume Channels
Managed Volume channels should be set up according to specific requirements.

Backing up an SAP HANA database


The SAP HANA Studio client or SAP HANA Cockpit is used to back up SAP HANA databases. Any database
that was configured with Rubrik Backup by running the sap_hana_bootstrap_main program can be backed up.

Prerequisites
Install and configure RBS on the SAP HANA database.

Context
The following instructions use the SAP HANA Studio client to back up SAP HANA databases.

Procedure
1. Right-click the database for backup.
2. Select Backup and Recovery > Backup Tenant Database (or System).
The Specify Tenant (or System) database dialog box appears.
3. Select the database for backup and click Next.
The Specify Backup Settings dialog box appears.
4. Select the Backup Type.
| Option | Description |
|---|---|
| Complete Data Backup | Contains a backup of all data. |
| Differential Backup | Contains only the data that is new or has changed since the last full backup. |
| Incremental Backup | Contains only data that is new or has changed since the last backup. |
5. Select the Backint Destination Type.
6. Accept the Backup Destination.
7. Click Next.
The Review Backup Settings dialog box appears.
8. Confirm the settings are correct and click Finish.

The backup process runs.

Result
When the backup is complete, the Backup Execution Summary confirms the backup is complete.

Viewing the backup catalog


The SAP HANA Studio client maintains a backup catalog for all backups.

Prerequisites
Create backups of SAP HANA databases.

Procedure
1. Right-click on a database name and select Backup Console.
2. In the Backup Console, choose the Backup Catalog tab.

Result
The Backup Catalog tab displays all of the backups for the selected database.

Restoring an SAP HANA database


The SAP HANA Studio client or SAP HANA Cockpit is used to restore SAP HANA databases. Any database
that was configured with Rubrik Backup by running the sap_hana_bootstrap_main program can be restored.

Prerequisites
Back up an SAP HANA database.

Context
The following instructions use the SAP HANA Studio client to restore SAP HANA databases.

Procedure
1. Right-click on the HANA SID.
2. Select Backup and Recovery and Specify Tenant database (or System).
The Specify Tenant database (or System) dialog box appears.
3. Select the database for restore and click Next.
The Specify Recovery Type dialog box appears.
4. In Recovery Type, select a type of recovery.
| Option | Description |
|---|---|
| Recover the database to its most recent state | Recovers the database to as close as possible to the current time. |
| Recover the database to a specific data backup listed | The database is initialized with the specified data backup. |
5. Select a backup for recovery.
6. Click Check Availability to confirm that all of the files that were backed up are available in the
Managed Volume.
7. Click Next.
The Other Settings dialog box appears.
8. In Check Availability of Delta and Log Backups, select Third-Party Backup Tool (Backint).

9. Specify Initialize Log Area.
10. Specify Use Delta Backups.
11. Specify Install New License Key.
12. Click Next.
The Review Recovery Settings dialog box appears.
13. Confirm the settings are correct and click Finish.
The recovery process runs and the Recovery Execution Summary dialog box appears.
14. Review the summary and click Close.

Result
The recovery process is complete.

Bootstrap SAP HANA for high availability


Configuring SAP HANA for high availability requires bootstrapping the primary node.
After entering the SYSTEM password, port number, and SID credentials, sap_hana_bootstrap_main
detects the high-availability configuration and connects to the other nodes over SSH to configure them
as secondary nodes. sap_hana_bootstrap_main prompts for the root credentials to each of the
secondary nodes.
Once these credentials are provided, the Rubrik cluster bootstraps the secondary nodes. Once the
bootstrap is complete, no action is required from the Rubrik cluster to complete a failover operation from
the old to the new primary node.
Alternatively, if the database administrator prefers to not provide authentic SSH credentials, or if the
root login is disabled on the secondary nodes, the primary node can be bootstrapped using fake SSH
credentials. Providing fake SSH credentials prevents bootstrapping the secondary nodes but allows the user
to proceed with the failover. After failing over to a new primary node, sap_hana_bootstrap_main must
be run on the new primary node.
sap_hana_bootstrap_main must be rerun on the primary node each time the high-availability system
fails back.
After any failover or failback operation, backups scheduled in SAP HANA Cockpit or SAP HANA Studio must
be disabled on the old primary node and new backups must be scheduled on the new primary node.

Copying a database from an external host


If source and target databases are not in the same SAP HANA system, copy a database from an external
host.

Prerequisites
The target database must be configured for RBS, and the source database must have backups in a Rubrik
cluster.

Context
If the target and source system have the same SID, the database name on the source and the target
database must be different, and the source and target system cannot be connected to different Rubrik
clusters.

If the database copy on the target host requires subsequent backups, the bootstrap process must be rerun
to remove references to the source database parameters and add the correct parameters to back up the
target database.

Procedure
1. Open an SSH session on the host running SAP HANA.
2. Change the working directory to /usr/bin/rubrik/sap_hana.
3. As root, run sap_hana_bootstrap_main.
4. Type the password for the SYSTEM database user and press Enter.
5. Type the port number for the SAP HANA database and press Enter.
6. Type the HANA SID and press Enter.
The HANA SID is a three-character ID.
7. Type the Rubrik prefix and press Enter.
A list of configuration options appears.
8. Type 4 to select Configure system to copy remote database (Press 4).
9. Type the resolvable hostname or IPv4 address of the Rubrik node and press Enter.
10. Type the name of the Rubrik cluster administrator and press Enter.
The name of the cluster administrator is typically "admin".
The Enter ‘admin’ password for Rubrik cluster prompt appears.
11. Type the account password and press Enter.
12. Type the SID of the source system and press Enter.
13. Type the Rubrik Prefix of the source system and press Enter.
14. Type N to not restore the SID database.
15. Type Y to restore the specified external database.
16. For each database that needs to be copied to the target system, type the name of the corresponding
database in the source system and press Enter.
17. Type N.

Result
After the sap_hana_bootstrap_main process is complete, use SAP HANA Studio or SAP HANA Cockpit
to copy the database.

Example

[root@linux-vm sap_hana]# ./sap_hana_bootstrap_main

=== Rubrik SAP HANA Setup ===


SAP HANA Details (for configuring SAP HANA backups with Rubrik)

Password for 'SYSTEM' DB user (password won't be stored):


Port number of System database: (E.g. 30113)( Press 'h' for help ) 30015
Enter HANA SID: HDB
Enter 'Rubrik prefix' (This should be unique for different HANA instances
using same Rubrik cluster): rbk
[1] Install Rubrik Backup Service on oneor more SAP nodes (Press 1)
[2] Configure Rubrik backup for one or more DB instances (Press 2)
[3] Uninstall Rubrik (Press 3)
[4] Configure system to copy remote database (Press 4)
[5] Configure system to restore a DB from an exported managed-volume
snapshot (Press 5)
[6] Pause/Resume SAP Backups on Rubrik (Press P to pause or R to resume)
[7] Configure SLA for DB managed volumes(Press 7)

4

=== RUBRIK CLUSTER CREDENTIALS ===


Enter Hostname/IP of the Rubrik node: 10.16.52.118
Enter admin username for Rubrik cluster [admin]:
Enter password for user 'admin':
Setting up end user...

=== SETUP COPY DB ===


Enter SID of HANA system to restore from[HDB]:
Enter 'Rubrik Prefix' of HANA system to restore from[rbk]:
Do you want to restore HDB DB[y]? (y/n) y
Enter DB name corresponding to HDB in source system[HDB]:

Writing paramfile file...


Setup successful
[root@linux-vm sap_hana]#

Related concepts
Requirements for using sap_hana_bootstrap_main
Requirements for running SAP HANA with a Rubrik cluster include appropriate permissions, passwords, port
numbers, the SAP HANA SID, and the Rubrik prefix.

Restoring a database from a Managed Volume snapshot


Restore a database from an exported Managed Volume snapshot.

Prerequisites
The snapshots (both data and log) to be restored should be exported on the Rubrik Cluster. Ensure
that the correct log and data Mounted Volume snapshots are exported based on the time of snapshot.
Restoring to any backup not present in the snapshot will fail. If multiple snapshots are mounted for the
same database, the database is restored from the most recently exported snapshot.

Procedure
1. Open an SSH session on the host running SAP HANA.
2. Change the working directory to /usr/bin/rubrik/sap_hana.
3. As root, run sap_hana_bootstrap_main.
4. Type the password for the SYSTEM database user and press Enter.
5. Type the port number for the SAP HANA database and press Enter.
6. Type the HANA SID and press Enter.
The HANA SID is a three-character ID.
7. Type the Rubrik prefix and press Enter.
A list of configuration options appears.
8. Type 5 to restore the database from an exported managed-volume snapshot, and press Enter.
9. Type the resolvable hostname or IPv4 address of the Rubrik node and press Enter.
10. Type the name of the Rubrik cluster administrator and press Enter.
The name of the cluster administrator is typically "admin".
11. Type the account password and press Enter.
12. Type Y for replication and N for archival.
13. Type Y for each database you want to restore from a Managed Volume.
A setup successful message appears.

Result
After the sap_hana_bootstrap_main process is complete, use SAP HANA Studio or SAP HANA Cockpit
to restore the database.
Once the restore is complete, reset normal backup operations.

Example

[root@linux-vm sap_hana]# ./sap_hana_bootstrap_main

=== Rubrik SAP HANA Setup ===


SAP HANA Details (for configuring SAP HANA backups with Rubrik)

Password for 'SYSTEM' DB user (password won't be stored):


Port number of System database: (E.g. 30113) ( Press 'h' for help ) 30113
Enter HANA SID: SP2
Enter 'Rubrik prefix' (This should be unique for different HANA instances
using same Rubrik cluster): lab
[1] Install Rubrik Backup Service on one or more SAP nodes (Press 1)
[2] Configure Rubrik backup for one or more DB instances (Press 2)
[3] Uninstall Rubrik (Press 3)
[4] Configure system to copy remote database (Press 4)
[5] Configure system to restore a DB from an exported managed-volume
snapshot (Press 5)
[6] Pause/Resume SAP Backups on Rubrik (Press P to pause or R to resume)
[7] Configure SLA for DB managed volumes(Press 7)
5

=== RUBRIK CLUSTER CREDENTIALS ===


Enter Hostname/IP of the Rubrik node: 10.35.36.20
Enter admin username for Rubrik cluster [admin]: pavan.m@rubrik.com
Enter 'admin' password for Rubrik cluster:
Setting up end user...

=== SETUP SNAPSHOT RESTORE ===


Configure system to restore from replicated cluster[n]? (y/n) n
Do you want to restore SP2 DB from mounted snapshot[y]? (y/n) y
Do you want to restore SYSTEMDB DB from mounted snapshot[y]? (y/n) n

Writing paramfile file...


Setup successful
[root@linux-vm sap_hana]#

Related concepts
Requirements for using sap_hana_bootstrap_main
Requirements for running SAP HANA with a Rubrik cluster include appropriate permissions, passwords, port
numbers, the SAP HANA SID, and the Rubrik prefix.
Related tasks
Configuring Rubrik backup for SAP HANA databases

Configure the Rubrik Backup Service (RBS) for SAP HANA databases.

Pausing Backint backups


Pause Backint backups.

Context
Managed volumes are usually in a busy state because log backups are triggered frequently. This can cause
a Rubrik CDM upgrade to fail. Before an upgrade, pause the Backint backup. Once the backup is complete,
resume the Backint backup.

Procedure
1. Open an SSH session on the host running SAP HANA.
2. Change the working directory to /usr/bin/rubrik/sap_hana.
3. As root, run sap_hana_bootstrap_main.
4. Type the password for the SYSTEM database user and press Enter.
5. Type the port number for the SAP HANA database and press Enter.
6. Type the HANA SID and press Enter.
The HANA SID is a three-character ID.
7. Type the Rubrik prefix and press Enter.
A list of configuration options appears.
8. Type 6 to pause or resume a backup, and press Enter.
9. Press P to pause the SAP Backup.
sap_hana_bootstrap_main writes the paramfile file and starts terminating the backup process.
10. Type the resolvable hostname or IPv4 address of the Rubrik node and press Enter.
11. Type the name of the Rubrik cluster administrator and press Enter.
The name of the cluster administrator is typically "admin".
12. Type the account password and press Enter.

Result
sap_hana_bootstrap_main pauses Backint backups.

Example

[root@linux-vm sap_hana]# ./sap_hana_bootstrap_main

=== Rubrik SAP HANA Setup ===


SAP HANA Details (for configuring SAP HANA backups with Rubrik)

Password for 'SYSTEM' DB user (password won't be stored):


Port number of System database: (E.g. 30113) ( Press 'h' for help ) 30015
Enter HANA SID: SP2
Enter 'Rubrik prefix' (This should be unique for different HANA instances
using same Rubrik cluster): lab
[1] Install Rubrik Backup Service on one or more SAP nodes (Press 1)
[2] Configure Rubrik backup for one or more DB instances (Press 2)
[3] Uninstall Rubrik (Press 3)
[4] Configure system to copy remote database (Press 4)
[5] Configure system to restore a DB from an exported managed-volume
snapshot (Press 5)
[6] Pause/Resume SAP Backups on Rubrik (Press P to pause or R to resume)
[7] Configure SLA for DB managed volumes(Press 7)

6
Press R to resume SAP Hana Backups, P to pause SAP HANA Backups [R] P

Writing paramfile file...


Terminating in progress SAP Hana backint backups...
Enter Hostname/IP of the Rubrik node: 10.35.36.20
Enter admin username for Rubrik cluster [admin]:
Enter 'admin' password for Rubrik cluster:
SAP Hana backups paused with Rubrik backint
[root@linux-vm sap_hana]#

Related concepts
Requirements for using sap_hana_bootstrap_main
Requirements for running SAP HANA with a Rubrik cluster include appropriate permissions, passwords, port
numbers, the SAP HANA SID, and the Rubrik prefix.

Resuming Backint backups


Resume Backint backups.

Context
Managed volumes are usually in a busy state because log backups are triggered frequently. This can cause
a Rubrik CDM upgrade to fail. Before an upgrade, pause the Backint backup. Once the backup is complete,
resume the Backint backup.

Procedure
1. Open an SSH session on the host running SAP HANA.
2. Change the working directory to /usr/bin/rubrik/sap_hana.
3. As root, run sap_hana_bootstrap_main.
4. Type the password for the SYSTEM database user and press Enter.
5. Type the port number for the SAP HANA database and press Enter.
6. Type the HANA SID and press Enter.
The HANA SID is a three-character ID.
7. Type the Rubrik prefix and press Enter.
A list of configuration options appears.
8. Type 6 to pause or resume a backup, and press Enter.
9. Press R to resume the SAP Backup.

Result
sap_hana_bootstrap_main resumes Backint backups.

Example

[root@linux-vm sap_hana]# ./sap_hana_bootstrap_main

=== Rubrik SAP HANA Setup ===


SAP HANA Details (for configuring SAP HANA backups with Rubrik)

Password for 'SYSTEM' DB user (password won't be stored):


Port number of System database: (E.g. 30113) ( Press 'h' for help ) 30015
Enter HANA SID: SP2

Enter 'Rubrik prefix' (This should be unique for different HANA instances
using same Rubrik cluster): lab
[1] Install Rubrik Backup Service on one or more SAP nodes (Press 1)
[2] Configure Rubrik backup for one or more DB instances (Press 2)
[3] Uninstall Rubrik (Press 3)
[4] Configure system to copy remote database (Press 4)
[5] Configure system to restore a DB from an exported managed-volume
snapshot (Press 5)
[6] Pause/Resume SAP Backups on Rubrik (Press P to pause or R to resume)
[7] Configure SLA for DB managed volumes(Press 7)
6
Press R to resume SAP Hana Backups, P to pause SAP HANA Backups [R] R

Writing paramfile file...


SAP Hana backups resumed with Rubrik backint
[root@linux-vm sap_hana]#

Related concepts
Requirements for using sap_hana_bootstrap_main
Requirements for running SAP HANA with a Rubrik cluster include appropriate permissions, passwords, port
numbers, the SAP HANA SID, and the Rubrik prefix.

SAP HANA best practices


SAP HANA best practices suggest the best configuration settings for SAP HANA.

Managed Volume SLA Domains


SLA Domains assigned to Managed Volumes are applicable for retention, replication, and archival policy.
Managed Volume snapshots are triggered from a SAP HANA Server whenever a backup (full, incremental,
differential, or log backup) is triggered and it is not managed through a Managed Volume SLA.
The two most important SLA settings for Managed Volume are retention and frequency. Retention specifies
the period for which the snapshot will be retained on the Rubrik Cluster. Frequency specifies how often
the snapshots will be taken. However, with Managed Volumes, snapshots are taken by external agents.
Therefore, if the SLA Domain is configured to take backups every 1 hour and retain the backups for 1
day, and to take backups every day and retain the backups for a month, all the snapshots taken (by the
external agent) within one hour are consolidated into a single snapshot which is retained for a day and all
snapshots within 1 day are consolidated into a single snapshot and retained for 30 days.
The default SLA Domain, assigned to Managed Volumes created from the bootstrap script, is:
• Snapshot taken every hour and retained for 1 day
• Snapshot taken every day and retained for 30 days
• Snapshot taken every month and retained for 2 months
The default SLA Domain stores a total of 54 snapshots in steady state. All data in the snapshots is
deduplicated. If retention or snapshot frequency is high, the overall disk space consumption in the Rubrik
cluster increases. For environments with high change rates, the recommendation is to have lower snapshot
frequency and local retention.

Assigning SLA Domain to Managed Volumes on SAP HANA
Edit an SLA Domain to provide Managed Volume protection for SAP HANA databases and transaction logs.

Procedure
1. Open an SSH session on the host running SAP HANA.
2. Change the working directory to /usr/bin/rubrik/sap_hana.
3. As root, run sap_hana_bootstrap_main.
4. Type the password for the SYSTEM database user and press Enter.
5. Type the port number for the SAP HANA database and press Enter.
6. Type the HANA SID and press Enter.
The HANA SID is a three-character ID.
7. Type the Rubrik prefix and press Enter.
A list of configuration options appears.
8. Type 7 to configure the SLA for database Managed Volumes, and press Enter.
9. Type the resolvable hostname or IPv4 address of the Rubrik node and press Enter.
10. Type the name of the Rubrik cluster administrator and press Enter.
The name of the cluster administrator is typically "admin".
11. Type the administrator password and press Enter.
12. Type the comma-separated list of numbers corresponding to the databases to be modified.
13. Type the number corresponding to the SLA to be assigned.

Result
The Managed Volume protection is assigned to the specified databases.
Related concepts
Requirements for using sap_hana_bootstrap_main
Requirements for running SAP HANA with a Rubrik cluster include appropriate permissions, passwords, port
numbers, the SAP HANA SID, and the Rubrik prefix.

SAP HANA log backup frequency


SAP HANA log backup frequency is configured in the backint_response_timeout value and in global.ini.
Log backup time can be configured for every 15 minutes. It is recommended to set it to a higher value, for
example every 30 minutes to 1 hour. A high log backup frequency for a SAP HANA database with a
significantly high data change rate can cause log backups to fail due to insufficient resources. For HANA
systems with a high change rate that incur large log backups, configure the backint_response_timeout
value, in the global.ini configuration file, to the appropriate backup frequency.

Managed Volume Channels


Set up Managed Volume channels according to the following requirements.
• Setting up Managed Volume channels equally divides the storage capacity into the set number of
channels. Every new channel added requires an overhead of 512 MB (configurable) by SAP HANA to
pipe data over the new channel during the backup.
• SAP HANA parallel backint data ingestion works only when the DB size is greater than 128 GB.
• Set the number of Managed Volume channels to 1 if the single data backup size is not more than 500
GiB.
• The maximum channel value is equal to the number of nodes in the Rubrik cluster.
• If the DB size is too large, the number of channels must be set as high as possible to achieve high
backup ingestion performance.
• Migrating from single to multi channel is not possible. The configured number of MV channels cannot be
changed. New Managed Volumes must be created, and must be configured for SAP backups, to change
the number of channels.
• A complete backup must be obtained when new Managed Volumes are configured.

Note: Existing Managed Volumes can be retained for restore operations, but a different RID (Rubrik
prefix) must be entered to create new Managed Volumes for the same database.

Number of Managed Volume channels


The number of Managed Volume channels depends on the number of nodes, the SAP HANA database size,
and the memory required by the SAP HANA Server.
Setting the number of Managed Volume channels sets the parallel backint data backup configuration to
the same value, and setting them equally divides the storage capacity of the Managed Volume into the set
number of channels. However, every new channel adds an overhead of 512 MB of memory usage by SAP
HANA to pipe data over the new channel during the backup. The amount of overhead is configurable.
Set the number of Managed Volume channels to 1 if the single data backup size will not exceed 500 GiB.
The maximum possible channel value is limited to the number of nodes in the Rubrik cluster. If the
database size is too large (for example, in the terabytes), set the number of channels as high as possible
to achieve high backup ingestion performance. However, running the backup channels in parallel implies
SAP HANA memory usage overhead.

Note: In CDM version 5.0.3 and newer, the number of channels per floating IP is limited to 16, including
main and live mounts. If the limit is exceeded, exporting of the newly created Managed Volume fails with
an error message about an insufficient number of available floating IPs.

SAP HANA parallel backint requires that the database size is greater than 128 GB.
For every backint channel, SAP HANA recommends a minimum of 512 MiB for RAM usage. The
data_backup_buffer_size value, in the global.ini file, should be set to:
512 MiB * the number of backint streams
If the database size is larger than 500 GiB, configure the number of channels based on the smaller of the
two following values:
• number of nodes in the Rubrik cluster
• database size divided by 500 GiB
Consider the following when migrating to multichannel Managed Volumes:
• Once channels are configured for Managed Volumes, they cannot be changed and used for other
purposes.
• New Managed Volumes must be created with the correct number of channels, and must be configured
for SAP backups.
• Existing Managed Volumes may be kept to restore databases from backups, but a different Rubrik Prefix
must be entered to create new Managed Volumes for the same database.
• A complete backup must be taken initially in new Managed Volumes for subsequent differential and
incremental backups to work properly.
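
The sizing rules in this section, combined into one planning helper. This is an added example, not Rubrik or SAP code; the function names, rounding down of "database size divided by 500 GiB", and treating the 16-channel limit as a cluster-wide total of 16 per floating IP are assumptions.

```python
GIB = 1024 ** 3
GB = 1000 ** 3

SINGLE_CHANNEL_MAX = 500 * GIB    # at or below this backup size, use 1 channel
PARALLEL_BACKINT_MIN = 128 * GB   # parallel backint needs a database larger than this
BUFFER_MIB_PER_STREAM = 512       # RAM recommended per backint channel
CHANNELS_PER_FLOATING_IP = 16     # limit in CDM 5.0.3 and newer


def recommend_channels(db_size_bytes, cluster_nodes):
    """1 channel up to 500 GiB, otherwise min(nodes, size / 500 GiB)."""
    if db_size_bytes <= SINGLE_CHANNEL_MAX:
        return 1
    by_size = db_size_bytes // SINGLE_CHANNEL_MAX  # assumption: round down
    return max(1, min(cluster_nodes, by_size))


def data_backup_buffer_size_mib(streams):
    """512 MiB * the number of backint streams, returned in MiB."""
    return BUFFER_MIB_PER_STREAM * streams


def check_plan(channels, db_size_bytes, cluster_nodes, floating_ips,
               channels_in_use=0):
    """Return the rules from this section that a proposed channel count breaks.

    channels_in_use counts channels already exported, including live mounts.
    """
    problems = []
    if channels > cluster_nodes:
        problems.append("channel count exceeds the number of nodes in the Rubrik cluster")
    if channels > 1 and db_size_bytes <= PARALLEL_BACKINT_MIN:
        problems.append("parallel backint requires a database larger than 128 GB")
    if floating_ips != cluster_nodes:
        problems.append("configure one floating IP per Rubrik node")
    capacity = CHANNELS_PER_FLOATING_IP * floating_ips
    if channels_in_use + channels > capacity:
        problems.append(
            f"{channels_in_use + channels} channels exceed the limit of "
            f"{capacity} for {floating_ips} floating IPs; export would fail"
        )
    return problems


if __name__ == "__main__":
    # Constructed scenario: 2 TiB database, 8-node cluster, 8 floating IPs.
    size, nodes = 2048 * GIB, 8
    n = recommend_channels(size, nodes)
    print("Managed Volume channels / backint streams:", n)
    print("data_backup_buffer_size (MiB):", data_backup_buffer_size_mib(n))
    print("problems:", check_plan(n, size, nodes, floating_ips=8) or "none")
```

Because the channel count cannot be changed after the Managed Volume is created, run the check before creating the volume rather than after the first backup.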



Backint streams
The number of backint channels and number of Managed Volume channels should use the same value for
backint streams. Using different values can impact ingestion performance and cause non-uniform space
usage among channels, which may result in backup failures.

Floating IPs
SAP HANA should use floating IPs for all nodes in the Rubrik cluster to enable seamless movement of
Managed Volume exports from one node to another without impacting the NFS mount on the SAP HANA
Server. However, floating IPs are not supported on Rubrik cloud clusters. If floating IPs are not enabled,
rerun sap_hana_bootstrap_main to resolve stale NFS mount issues after node failures or node IP
changes.



Chapter 25
Managed Volumes


The Managed Volume feature in Rubrik CDM protects and manages data.
Managed Volumes provide hosts with a backup target location on a Rubrik cluster. The Rubrik cluster
manages snapshots of the data that a host backs up to a Managed Volume through the policies of a
specified SLA Domain.

Note: Encrypting application backups can lead to ineffective deduplication. Files encrypted with different
encryption keys do not trigger content-based matching.

Configuration workflow
Establishing a Managed Volume protected by an SLA Domain uses a specified workflow. Once established,
the Managed Volume is treated as any other protected data source.
Complete the tasks in the order specified in this workflow. Each stage references a detailed task. Complete
the steps in a task before moving to the next stage in the workflow. Enable secure SMB connections to use
secure SMB for live mounts of Managed Volumes.
1. Set up floating IP addresses for the Rubrik cluster.
2. Create a Managed Volume.
3. Assign the Managed Volumes to SLA Domains.
The network protocols used by Managed Volumes have the following restrictions:
• Managed volumes that use the secure SMB protocol cannot map the IP address of a client to more
than one domain. A given client IP address can only access managed volumes from within a single
domain. Reusing a client IP as an agent-based host as part of another domain can result in conflicts.
• Managed volumes that use the NFS protocol do not support NFSv4.
• Floating IP addresses must be set up before creating any Managed Volumes. Floating IP addresses
provide a consistent connection to the Rubrik cluster even when a cluster node becomes unavailable.
• Configure the same number of floating IP addresses as the number of nodes on the Rubrik cluster. An
equal distribution of floating IP addresses between the nodes ensures efficient distribution of the work
between the nodes.
• After the floating IP addresses are configured, the Rubrik cluster assigns each node a floating IP
address. The nodes handle communication through the assigned floating IP address.
• When a node cannot handle communication on its assigned floating IP address, the Rubrik cluster
assigns (floats) that address to another node. This functionality prevents disruption of data transmission
over the floating IP address and maintains the availability of the Managed Volumes.
• To ensure fault tolerance, Managed Volumes require a minimum of four nodes in the Rubrik cluster.
Related concepts
Secure SMB



When the Rubrik cluster enforces SMB security, SMB clients must authenticate through Active Directory
before gaining access to SMB shares.
Related tasks
Setting up floating IP addresses
Set up floating IP addresses to ensure that all Managed Volumes remain available even if a Rubrik node
fails.
Creating a Managed Volume
Create a Managed Volume for each app that the Rubrik cluster protects.
Assigning an SLA Domain to Managed Volumes
To provide SLA policy based management of the snapshots of a Managed Volume, assign an SLA Domain
to the Managed Volume or SLA Managed Volume.

Floating IP addresses
Floating IP addresses provide a consistent connection to the Rubrik cluster even when a cluster node
becomes unavailable.

Note: The number of channels per floating IP is limited to 16, including main and live mounts. If the
limit is exceeded, exporting of the newly created Managed Volume fails with an error message about an
insufficient number of available floating IPs.

After the floating IP addresses are configured, the Rubrik cluster assigns each node a floating IP address.
The nodes handle communication through the assigned floating IP address. When a node cannot handle
communication on its assigned floating IP address, the Rubrik cluster assigns (floats) that address to
another node. This functionality prevents disruption of data transmission over the floating IP address and
maintains the availability of the Managed Volumes.

| Requirement | Description |
| --- | --- |
| Number | Same number of floating IP addresses as the number of nodes on the Rubrik cluster. |
| Subnet | Same subnet as the static data IP addresses of the Rubrik cluster. |
| Uniqueness | Each IP address must be unique within the subnets and cannot be the same as the management IP address or the data IP address. |
| Network bonding | Configure the floating IP addresses on bond0. |

Setting up floating IP addresses


Set up floating IP addresses to ensure that all Managed Volumes remain available even if a Rubrik node
fails.

Context
One floating IP address must be defined for each Rubrik node, and the floating IP address should be on
the same subnet as the static data IP addresses of the Rubrik nodes.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Network Settings.
The Network Settings page appears.



4. Choose an IP address type.
• IPv4
• IPv6
5. (IPv4) In Floating IPs IPv4, type a comma-separated list of IPv4 addresses.
As a best practice, provide the same number of IP addresses as the number of nodes in the Rubrik
cluster. Each IP address must be on the same subnet as the static data IP addresses of the Rubrik
nodes or on one of the service VLANs.
6. (IPv6) In Floating IPs IPv6, type a comma-separated list of IPv6 addresses.
As a best practice, provide the same number of IP addresses as the number of nodes in the Rubrik
cluster. Each IP address must be on the same subnet as the static data IP addresses of the Rubrik
nodes or on one of the service VLANs.
7. Click Update.

Result
The Rubrik cluster stores the floating IP addresses and assigns the floating IP addresses to the nodes.

Managed Volume settings


Managed Volume settings change depending on the channel, size, subnet, and the SLA domain assignment
component.

| Component | Recommendation | Additional information |
| --- | --- | --- |
| Managed volume channels | One channel per Managed Volume. For additional throughput, up to 4 total channels can be used per Managed Volume. Managed Volumes must have 1 channel for each 64 TB in size. Rubrik CDM does not support single-channel Managed Volumes over 64 TB in size. | When backing up Oracle databases to a Managed Volume, use the same number of Managed Volume channels and RMAN channels. A given RMAN channel must write to the same Managed Volume channel on all backup jobs. |
| Managed volume size | Create the Managed Volume with enough space to contain all of the data from the recovery period, and provide some additional space for unexpected data growth. For Managed Volumes created on versions of the Rubrik CDM earlier than 5.0, the requested provision size is used to calculate an optimal number of disks and Managed Volume size. This results in an actual volume size that could be up to 15% larger than the provision size. | For example, a 1 TB data source with a 5% change rate requires approximately 1.3 TB for a 7 day recovery period and 1.6 TB for a 14 day recovery period. Managed volumes can be increased in size as needed, but cannot be decreased in size. |
| Managed volume subnet | When VLAN tagging is configured on the Rubrik cluster, use this setting to direct the network traffic of the Managed Volume to a specific VLAN. Create all Managed Volumes on the same subnet. | Supply a subnet mask value in CIDR format to limit the network traffic for the Managed Volume to that subnet. Creating all managed volumes on a single subnet enables optimal load balancing. |
| SLA Domain assignment | Assign a Managed Volume to an SLA Domain before directing any backups into that Managed Volume. | Assigning a Managed Volume to an SLA Domain ensures that the correct data management policies are applied to the snapshots in that managed volume. When the Managed Volume is not assigned to an SLA Domain, the Rubrik cluster assigns the snapshots to the Unmanaged policy group and does not expire the snapshots. |

Managed Volume application tags


Application tags specify the type of application data that is stored on a managed volume.
Rubrik configures deduplication and data reduction settings based on the application tag. Because
deduplication requires computational resources and time, aggressive deduplication settings can affect
data ingestion time. Application tags configure deduplication for an optimal balance of deduplication and
performance.
Rubrik also uses application tags to configure the mount point settings of log backups. For example, an
application tag can specify mount point settings for log backups that take into consideration the increased
frequency of backups when using the NFS protocol.
The following table lists the relative effects of the application tag settings.

| Application Tag | Deduplication | Ingest Performance |
| --- | --- | --- |
| No tag | High | High |
| Oracle | High | High |
| Oracle Incremental Merge | Low | High |
| Microsoft SQL Server | High | High |
| SAP HANA | High | High |
| MySQL | High | High |
| PostgreSQL | High | High |
| SAP HANA Log | Low | Medium |
| DB transaction log | Low | Medium |

When the data in the managed volume does not correspond to a listed application tag, select a tag that
most closely corresponds to the properties of the data to apply suitable settings. Use the default setting for
data with a high deduplication potential. For data with infrequent backups and low deduplication potential,
use the Oracle Incremental Merge tag, which applies low deduplication and high performance.



Creating a Managed Volume
Create a Managed Volume for each app that the Rubrik cluster protects.

Prerequisites
Set up floating IP addresses for the Rubrik cluster.

Context
Depending on the settings and size of the Managed Volume, the volume creation process can take up to
one hour.

Procedure
1. Log in to the Rubrik CDM web UI using an account with administrator privileges.
2. On the left-side menu, click Servers & Apps > Managed Volumes.
The Managed Volumes page appears.
3. Click Add Volume.
The Add Volume dialog box appears.
4. In Volume Name, enter a name to identify the managed volume.
To simplify identification, use the name of the database being protected.
5. In Provisioned Size, type a size, in gigabytes.
The actual size allotted could be up to 15% larger as the result of an automatically applied optimizing
calculation.
6. Select a communications protocol for the Managed Volume.
| Option | Description |
| --- | --- |
| NFS | Use the NFS protocol for live mounts of snapshots for this managed volume. |
| SMB | Use the secure SMB protocol for live mounts of snapshots for this managed volume. To use secure SMB for live mounts of Managed Volumes, enable secure SMB connections. |
7. Optional: Select an application tag from the Applications Tags drop-down.
Application tags specify the type of application content in the Managed Volume. The Rubrik cluster
optimizes the use of CPU and memory during data reduction based on the selected type. When no tag
is selected, data reduction uses more CPU and memory.
8. Optional: In Client Name Patterns, type an IPv4 address or FQDN.
Managed volumes using the NFS protocol support multiple FQDNs, IPv4 addresses, a range of IPv4
addresses, or an IPv4 subnet. The SMB protocol allows only IPv4 addresses.
Managed volumes using the NFS protocol use these IPv4 addresses as a client whitelist for filtering
and authentication. Managed volumes using the secure SMB protocol map these IPv4 addresses to a
domain. Ensure that each IPv4 address is mapped to exactly one domain.
The Rubrik cluster only allows hosts that are identified in the client name patterns to mount the shares
from the Managed Volume and the Managed Volume snapshots.
When this field is empty or contains a single asterisk (*), the Rubrik cluster allows any host to mount
the shares from the NFS-protocol Managed Volume. Managed volumes using SMB do not support a
Client Name Patterns field that is empty or contains an asterisk.
9. Optional: With VLAN tagging enabled, in Subnet type a subnet mask value, in CIDR format.
For example, to use the subnet range 10.128.45.0 - 10.128.45.63, type 10.128.45.0/26.



The Rubrik cluster limits the network traffic of the Managed Volume to the specified subnet.
10. Optional: In Number of Channels, type an integer.
Normally, type the same number as the number of nodes in the Rubrik cluster. The number of
Managed Volume channels is governed by the value of the maxChannelsPerNode configuration
setting. Based on the resources available on the node, this value can be between 4 and 32.
11. Click Add.

Note: The first snapshot taken for a Managed Volume might show a Data Transferred value in the
Activity Detail that is larger than the actual amount of ingested data. This is due to internal, one-time
filesystem metadata initialization, such as inode tables and extent maps.

Result
The Rubrik cluster saves the configuration information and the new Managed Volume appears on the
Managed Volumes page.
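
An empty or `*` Client Name Patterns field lets any host mount an NFS Managed Volume and its snapshots, so the field is worth auditing across all volumes. The following is an added example, not Rubrik code: the inventory layout (`name`, `protocol`, `domain`, `clients`), the `start-end` range syntax, and the 256-host threshold for a "broad" entry are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"{LABEL}(\.{LABEL})*")


def classify(entry):
    """Return (kind, host_count); kind is any, ipv4, subnet, range, fqdn or invalid."""
    e = entry.strip()
    if e in ("", "*"):
        return "any", None
    try:
        if "/" in e:
            return "subnet", ipaddress.IPv4Network(e, strict=False).num_addresses
        if "-" in e and re.fullmatch(r"[\d.\-]+", e):   # assumed range syntax
            lo, hi = (ipaddress.IPv4Address(p) for p in e.split("-", 1))
            if hi < lo:
                return "invalid", None
            return "range", int(hi) - int(lo) + 1
        if re.fullmatch(r"[\d.]+", e):
            ipaddress.IPv4Address(e)
            return "ipv4", 1
    except ValueError:
        return "invalid", None
    return ("fqdn", None) if HOSTNAME.fullmatch(e) else ("invalid", None)


def audit_patterns(entries, protocol, max_hosts=256):
    """Return (code, entry) findings for one volume's Client Name Patterns."""
    entries = [e.strip() for e in entries]
    # An asterisk anywhere in the list is treated as "any host" (conservative).
    if not entries or any(e in ("", "*") for e in entries):
        # NFS: any host may mount. SMB: empty or asterisk is not supported.
        return [("OPEN" if protocol == "NFS" else "UNSUPPORTED", "*")]
    findings = []
    for e in entries:
        kind, count = classify(e)
        if kind == "invalid":
            findings.append(("INVALID", e))
        elif protocol == "SMB" and kind != "ipv4":
            findings.append(("UNSUPPORTED", e))   # SMB allows only IPv4 addresses
        elif count is not None and count > max_hosts:
            findings.append(("BROAD", e))
    return findings


def smb_domain_conflicts(volumes):
    """Return client IPv4 addresses that SMB volumes map to more than one domain."""
    seen = defaultdict(set)
    for vol in volumes:
        if vol["protocol"] != "SMB":
            continue
        for e in vol["clients"]:
            if classify(e)[0] == "ipv4":
                seen[str(ipaddress.IPv4Address(e.strip()))].add(vol["domain"])
    return {ip: sorted(doms) for ip, doms in seen.items() if len(doms) > 1}


def audit_inventory(volumes):
    return {v["name"]: audit_patterns(v["clients"], v["protocol"]) for v in volumes}


# Constructed inventory for illustration; not exported from a real cluster.
VOLUMES = [
    {"name": "oracle-prod", "protocol": "NFS", "domain": None,
     "clients": ["192.0.2.10", "db01.example.com"]},
    {"name": "scratch", "protocol": "NFS", "domain": None, "clients": ["*"]},
    {"name": "wide", "protocol": "NFS", "domain": None, "clients": ["10.0.0.0/8"]},
    {"name": "sql-a", "protocol": "SMB", "domain": "corp.example.com",
     "clients": ["192.0.2.20"]},
    {"name": "sql-b", "protocol": "SMB", "domain": "lab.example.com",
     "clients": ["192.0.2.20", "sql02.example.com"]},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(VOLUMES).items():
        print(name, findings or "ok")
    print("SMB domain conflicts:", smb_domain_conflicts(VOLUMES))
```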
Related concepts
Secure SMB
When the Rubrik cluster enforces SMB security, SMB clients must authenticate through Active Directory
before gaining access to SMB shares.
Related reference
Floating IP addresses
Floating IP addresses provide a consistent connection to the Rubrik cluster even when a cluster node
becomes unavailable.

Editing a Managed Volume


Edit the volume name and client name of a Managed Volume.

Procedure
1. Log in to the Rubrik CDM web UI using an account with administrator privileges.
2. On the left-side menu, click Servers & Apps > Managed Volumes.
The Managed Volumes page appears.
3. Select a Managed Volume.
4. Open the ellipsis menu at the upper-right corner of the page and click Edit.
The Edit SLA Managed Volume dialog box appears.
5. In Volume Name, type a new name for the Managed Volume.
6. Skip Provisioned Size.
Managed Volume sizes are changed using the Provisioned Size dialog box.
7. Optional: To use a new subnet on an SLA Domain Managed Volume, in Subnet type the new subnet
IP address.
8. To modify client access to the Managed Volume, type a resolvable hostname or IPv4 address in Client
Name Patterns.
Multiple hostnames and IPv4 addresses can be added.
The Rubrik cluster only allows hosts that are identified in the client name patterns to mount the shares
from the Managed Volume and the Managed Volume snapshots.
When this field is empty or contains a single asterisk (*), the Rubrik cluster allows any host to mount
the shares from the Managed Volume.
9. Click Edit.



Result
The Rubrik cluster makes the specified changes to the information for the Managed Volume.
Related tasks
Resizing a Managed Volume
You can resize a Managed Volume up to 1024 times its original size.

Resizing a Managed Volume


You can resize a Managed Volume up to 1024 times its original size.

Procedure
1. Log in to the Rubrik CDM web UI using an account with administrator privileges.
2. On the left-side menu, click Servers & Apps > Managed Volumes.
The Managed Volumes page appears.
3. In the Name column, click the name of the Managed Volume you want to resize.
Alternatively, enter a name in the search field or use the filters at the top left of the list.
The Local page for the Managed Volume appears, with the Snapshots card showing the month view.
4. From Provisioned Size in the Overview card, click Resize.
The Provisioned Size dialog box appears.
5. In Provisioned Size, type the new size of the Managed Volume in gigabytes.
The new size of the Managed Volume must be greater than the old size.

Note: A Managed Volume can only be resized to 1024 times its original size.

Note: When editing Managed Volumes for Rubrik CDM versions older than 5.0, an automatically
applied optimizing calculation enables the user to increase the Managed Volume up to 15 percent over
its original size.

6. Click Submit.

Result
The Rubrik cluster resizes the Managed Volume as a background task. The Managed Volume remains in the
read-only state and is inaccessible until the resizing operation completes.

Deleting a Managed Volume


Use the Rubrik CDM web UI to delete a Managed Volume.

Procedure
1. Log in to the Rubrik CDM web UI using an account with administrator privileges.
2. On the left-side menu, click Servers & Apps > Managed Volumes.
The Managed Volumes page appears.
3. Select a Managed Volume.
4. Open the ellipsis menu at the upper-right of the page and click Delete.
The Delete Managed Volume screen appears.
5. Choose how to handle the existing snapshots of the Managed Volume.
Choose from the following options.



| Option | Description |
| --- | --- |
| Transfer Snapshots to Relic | The Rubrik cluster retains the snapshots as unmanaged relics. |
| Expire Snapshots immediately | Expire Snapshots immediately |
6. Select one of the snapshot handling choices.
7. Click Delete.

Result
The Rubrik cluster deletes the specified Managed Volume and applies the selected choice to the existing
snapshots.

Managed Volume mounts


Managed volumes must be mounted to a host file system to be used as a backup target.
In most use cases, Managed Volumes are mounted by entries for the exported channels in the fstab file
of the host. Channels can also be mounted by using the mount command for each channel.
Creating a mount for a Managed Volume requires obtaining export paths for the Managed Volume channels
and mounting those channels on the application host.
Related tasks
Obtaining the exported channels
Use the Rubrik web UI to get the IP addresses and NFS export paths for the channels of a Managed
Volume.
Mounting the channels from the command line
Mount the channels of a Managed Volume from the command line of the application host when the
preferred method of mounting channels through /etc/fstab cannot be used.
Mounting the channels through fstab on AIX
Mount the channels of the Managed Volume on the application host.
Mounting the channels through fstab on Linux
To provide the application with consistent and ready access to a Managed Volume, mount the channels of
the Managed Volume on the application host.
Mounting the channels through fstab on Solaris
To provide the application with consistent and ready access to a Managed Volume, mount the channels of
the Managed Volume on the application host.

Linux baseline mount options


Linux hosts support the following baseline mount options for the mount -o command used with Managed
Volume NFS exports. Specific baseline mount options improve performance through the NFS mounts of the
Managed Volume with no changes to the host operating system.

| Option | Description |
| --- | --- |
| rw | Mounts the Managed Volume channel with read and write capability. |
| bg | Background mount option. When an initial attempt to mount the managed volume channel fails, this option causes mount to create a copy of the mount process as a subprocess that continues to attempt to mount the channel. |
| hard | Requires that the NFS client wait for the NFS server to return to availability rather than failing with an error, when the NFS server becomes unavailable. |
| nointr | Prevents system signals from interrupting file operations on the Managed Volume channel. |
| rsize=1048576 | Requires a larger block size (1,048,576 bytes) to speed up reads from the Managed Volume. |
| wsize=1048576 | Requires a larger block size (1,048,576 bytes) to speed up writes to the Managed Volume. |
| tcp | Requires that the NFS mount use the TCP protocol. |
| vers=3 | Sets the NFS protocol version that is used by the NFS client to NFS version 3. |
| timeo=600 | Specifies the time that the NFS client waits for a response before retrying the request. The value is in tenths of a second. A value of 600 specifies a wait of 60 seconds. |
| noatime | Disables the recording of last access times for files in the managed volume in order to increase performance. |

AIX baseline mount options


AIX hosts support the following baseline mount options for the mount -o command used with Managed
Volume NFS exports. Specific baseline mount options improve performance through the NFS mounts of the
Managed Volume with no changes to the host operating system. AIX 6.1 hosts must have APAR IV24594
installed in order to set rsize and wsize to the correct values. AIX 7.1 hosts must have APAR IV24688
installed.

| Option | Description |
| --- | --- |
| rw | Mounts the Managed Volume channel with read and write capability. |
| hard | Requires that the NFS client wait for the NFS server to return to availability rather than failing with an error, when the NFS server becomes unavailable. |
| intr | Prevents system signals from interrupting file operations on the Managed Volume channel. |
| llock | Uses local file locking instead of sending lock requests to the NFS server. |
| cio | Enables concurrent IO, providing significant performance improvement. |
| rsize=524288 | Requires a larger block size (524,288 bytes) to speed up reads from the Managed Volume. |
| wsize=524288 | Requires a larger block size (524,288 bytes) to speed up writes to the Managed Volume. |
| proto=tcp | Requires that the NFS mount use the TCP protocol. |
| vers=3 | Sets the NFS protocol version that is used by the NFS client to NFS version 3. |



Solaris baseline mount options
Solaris hosts support the following baseline mount options for the mount -o command used with
Managed Volume NFS exports. Specific baseline mount options improve performance through the NFS
mounts of the Managed Volume with no changes to the host operating system.

| Option | Description |
| --- | --- |
| rw | Mounts the Managed Volume channel with read and write capability. |
| bg | Background mount option. When an initial attempt to mount the managed volume channel fails, this option causes mount to create a copy of the mount process as a subprocess that continues to attempt to mount the channel. |
| hard | Requires that the NFS client wait for the NFS server to return to availability rather than failing with an error, when the NFS server becomes unavailable. |
| nointr | Prevents system signals from interrupting file operations on the Managed Volume channel. |
| rsize=1048576 | Requires a larger block size (1,048,576 bytes) to speed up reads from the Managed Volume. |
| wsize=1048576 | Requires a larger block size (1,048,576 bytes) to speed up reads from the Managed Volume. |
| proto=tcp | Requires that the NFS mount use the TCP protocol. |
| forcedirectio | Copies data directly to a buffer in user space, instead of caching the data in the kernel. |
| vers=3 | Sets the NFS protocol version that is used by the NFS client to NFS version 3. |

Mounting the channels through fstab on Linux


To provide the application with consistent and ready access to a Managed Volume, mount the channels of
the Managed Volume on the application host.

Procedure
1. Log in to the application host as root.
As an alternative to logging in as root, use sudo to provide root permissions.
2. Create a mount point by entering the command sudo mkdir mount_point.
Replace mount_point with the full path to a location on the application host file system to use as the
mount point of an NFS exported channel. Repeat this step for each channel of the Managed Volume.
3. On the application host, open /etc/fstab with write access.
Write access to /etc/fstab typically requires root or sudo permissions.
4. Edit /etc/fstab and add an entry for each channel, placing each entry on a separate line.
Use the following form for each entry:

channel_ip:channel_path mount_point nfs rw,fg,hard,nointr,rsize=1048576,wsize=1048576,tcp,vers=3,timeo=600,noatime

Replace channel_ip with the IPv4 address for the channel, provided through the Channel Details
dialog box. Replace channel_path with the export path for the channel, provided through the Channel
Details dialog box. Replace mount_point with the mount point for the channel that was created earlier
in this task.
Repeat this step for each channel of the Managed Volume.



5. Save and close /etc/fstab.
6. Run the mount -a command.

Result
The operating system reads the /etc/fstab file and mounts the channels as specified.
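
A check of the resulting /etc/fstab entries against the Linux entry form above, as an added example that is not part of the Rubrik tooling. The function names and sample addresses are assumptions; `tcp` is treated as `proto=tcp` and `nfsvers` as `vers`, which the Linux NFS client accepts as equivalents.

```python
# Baseline taken from the Linux fstab entry form in this guide. fg/bg is not
# checked: the option table lists bg while the entry form uses fg.
BASELINE = {
    "rw": None, "hard": None, "nointr": None,
    "rsize": "1048576", "wsize": "1048576",
    "proto": "tcp", "vers": "3", "timeo": "600", "noatime": None,
}


def parse_options(field):
    """Turn an fstab options field into a dict, normalising synonyms."""
    opts = {}
    for item in field.split(","):
        key, _, value = item.partition("=")
        if key in ("tcp", "udp") and not value:
            key, value = "proto", key
        elif key == "nfsvers":
            key = "vers"
        opts[key] = value or None
    return opts


def audit_fstab(text, channel_ips):
    """Return (line_number, code, detail) for entries that mount a channel IP."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0].split(":", 1)[0] not in channel_ips:
            continue
        if len(fields) < 4:
            # Typical when the entry was pasted with a line break in it.
            findings.append((lineno, "malformed",
                             "entry must be one line with an options field"))
            continue
        fstype, opts = fields[2], parse_options(fields[3])
        for key, want in BASELINE.items():
            shown = key if want is None else f"{key}={want}"
            if key not in opts:
                findings.append((lineno, "missing", shown))
            elif opts[key] != want:
                findings.append((lineno, "mismatch",
                                 f"{key}={opts[key]}, baseline {shown}"))
        if "soft" in opts:
            findings.append((lineno, "soft", "soft replaces the hard baseline"))
        if fstype == "nfs4" or (opts.get("vers") or "").startswith("4"):
            findings.append((lineno, "nfsv4",
                             "Managed Volumes do not support NFSv4"))
    return findings


# Channel IPs as shown in the Channel Details dialog box (constructed values).
CHANNEL_IPS = {"192.0.2.11", "192.0.2.12", "192.0.2.13"}

# Constructed sample for this example, not taken from a real host.
SAMPLE_FSTAB = """\
# /etc/fstab
192.0.2.11:/exports/mv1-ch0 /mnt/mv1/ch0 nfs rw,fg,hard,nointr,rsize=1048576,wsize=1048576,tcp,vers=3,timeo=600,noatime 0 0
192.0.2.12:/exports/mv1-ch1 /mnt/mv1/ch1 nfs rw,soft,rsize=65536,wsize=1048576,proto=tcp,nfsvers=4,timeo=600,noatime 0 0
192.0.2.13:/exports/mv1-ch2 /mnt/mv1/ch2 nfs
rw,fg,hard,nointr,rsize=1048576,wsize=1048576,tcp,vers=3,timeo=600,noatime
/dev/sda1 / ext4 defaults 0 1
"""

if __name__ == "__main__":
    for lineno, code, detail in audit_fstab(SAMPLE_FSTAB, CHANNEL_IPS):
        print(f"line {lineno}: {code}: {detail}")
```

Run it against the real file before `mount -a`, passing the channel IP addresses from the Channel Details dialog box.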

Mounting the channels through fstab on AIX


Mount the channels of the Managed Volume on the application host.

Procedure
1. Log in to the application host as root.
As an alternative to logging in as root, use sudo to provide root permissions.
2. Create a mount point by entering the command sudo mkdir mount_point.
Replace mount_point with the full path to a location on the application host file system to use as the
mount point of an NFS exported channel. Repeat this step for each channel of the Managed Volume.
3. On the application host, open /etc/fstab with write access.
Write access to /etc/fstab typically requires root or sudo permissions.
4. Edit /etc/fstab and add an entry for each channel, placing each entry on a separate line.
Use the following form for each entry:

channel_ip:channel_path mount_point nfs rw,fg,hard,intr,llock,rsize=524288,wsize=524288,proto=tcp,vers=3,timeo=600

Replace channel_ip with the IPv4 address for the channel, provided through the Channel Details
dialog box. Replace channel_path with the export path for the channel, provided through the Channel
Details dialog box. Replace mount_point with the mount point for the channel that was created earlier
in this task.
Repeat this step for each channel of the Managed Volume.
5. Save and close /etc/fstab.
6. Run the mount -a command.

Result
The operating system reads the /etc/fstab file and mounts the channels as specified.

Mounting the channels through fstab on Solaris


To provide the application with consistent and ready access to a Managed Volume, mount the channels of
the Managed Volume on the application host.

Procedure
1. Log in to the application host as root.
As an alternative to logging in as root, use sudo to provide root permissions.
2. Create a mount point by entering the command sudo mkdir mount_point.
Replace mount_point with the full path to a location on the application host file system to use as the
mount point of an NFS exported channel. Repeat this step for each channel of the Managed Volume.
3. On the application host, open /etc/fstab with write access.
Write access to /etc/fstab typically requires root or sudo permissions.
4. Edit /etc/fstab and add an entry for each channel, placing each entry on a separate line.

Use the following form for each entry:

channel_ip:channel_path mount_point rw,fg,hard,nointr,rsize=1048576,wsize=1048576,proto=tcp,forcedirectio,vers=3,retry=1

Replace channel_ip with the IPv4 address for the channel, provided through the Channel Details
dialog box. Replace channel_path with the export path for the channel, provided through the Channel
Details dialog box. Replace mount_point with the mount point for the channel that was created earlier
in this task.
Repeat this step for each channel of the Managed Volume.
5. Save and close /etc/fstab.
6. Run the mount -a command.

Result
The operating system reads the /etc/fstab file and mounts the channels as specified.

Obtaining the exported channels


Use the Rubrik web UI to get the IP addresses and NFS export paths for the channels of a Managed
Volume.

Context
Use the NFS export paths of a channel when mounting the channel on a host.

Procedure
1. Log in to the Rubrik web UI using an account with administrator privileges.
2. From the left-side menu, click Servers & Apps > Managed Volumes.
The Managed Volumes page appears.
3. Click the name of a Managed Volume.
The local page for the selected Managed Volume appears.
4. On the Overview card, in the Channels section, click View.
The Channel Details dialog box appears.
Use the values in the IP Address column and in the Path column to mount the channels on the host.
5. Optional: Click Download CSV.
A browser-specific dialog box for saving the file appears. Save the file to a temporary location.
6. After obtaining the channel details, click OK.

Result
The Rubrik web UI provides the IP addresses and NFS export paths for the channels of a Managed
Volume.

Next task
Use the channel details to mount the channels on the host.
Related tasks
Mounting the channels from the command line

Mount the channels of a Managed Volume from the command line of the application host when the
preferred method of mounting channels through /etc/fstab cannot be used.

Mounting the channels from the command line


Mount the channels of a Managed Volume from the command line of the application host when the
preferred method of mounting channels through /etc/fstab cannot be used.

Procedure
1. Log in to the application host as root.
As an alternative to logging in as root, use sudo to provide root permissions.
2. Create a mount point.

sudo mkdir mount_point

where mount_point is the full path to a location on the application host file system to use as the
mount point of an NFS exported channel.
3. Repeat step 2 for each channel of the Managed Volume.
Use the mount command to mount a channel at the mount point.

mount -F nfs -o rw,bg,hard,nointr,rsize=32768,wsize=32768,tcp,actimeo=0,vers=3,timeo=600 channel_ip:channel_path mount_point

where:
• channel_ip is the IPv4 address for the channel, provided through the Channel Details dialog box.
• channel_path is the export path for the channel, provided through the Channel Details dialog box.
• mount_point is the mount point for the channel, created in step 2 of this task.
On AIX hosts, use proto=tcp in place of tcp.
4. Repeat the mount command described in step 3 for each channel.

Result
The operating system mounts the channels as specified.
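
A pre-flight check for the mounts these procedures create, as an added example that is not part of the Rubrik guide: before a backup writes to the channels, it confirms that each mount point is a writable NFS mount from the expected channel export. It assumes a Linux host that exposes /proc/mounts; the function names, addresses, and export paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Rubrik guide. Assumes a Linux host, where each
# line of /proc/mounts reads: source mount_point fstype options dump pass

# verify_channels CHANNELS_FILE [MOUNTS_FILE]
# CHANNELS_FILE lists one "channel_ip:channel_path mount_point" pair per line,
# taken from the Channel Details dialog box. Prints one line per problem and
# returns 1 if any channel is unmounted, mounted from another export, not NFS,
# or read-only.
verify_channels() {
    awk -v mounts="${2:-/proc/mounts}" '
        BEGIN {
            # Load the mount table. A later entry for the same mount point
            # replaces an earlier one, which matches what the kernel serves.
            while ((getline line < mounts) > 0) {
                split(line, f, " ")
                src[f[2]] = f[1]; fs[f[2]] = f[3]; opt[f[2]] = "," f[4] ","
            }
            close(mounts)
        }
        function problem(mp, why) { print mp ": " why; bad++ }
        NF == 0 || $1 ~ /^#/ { next }    # skip blank lines and comments
        {
            if (!($2 in src))
                problem($2, "not mounted, writes would land on the local file system")
            else if (src[$2] != $1)
                problem($2, "mounted from " src[$2] ", expected " $1)
            else if (fs[$2] != "nfs")
                problem($2, "file system type is " fs[$2] ", expected nfs")
            else if (opt[$2] !~ /,rw,/)
                problem($2, "mounted read-only")
        }
        END { exit (bad > 0) }
    ' "$1"
}

# check_sample: run the check on constructed data (not from a real host).
# ch0 is healthy, ch1 is read-only, ch2 is missing, ch3 is the wrong export.
check_sample() {
    _dir=$(mktemp -d) || return 2
    cat > "$_dir/mounts" <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
192.0.2.11:/mnt/managedvolume/mv1_channel0 /mnt/rubrik/ch0 nfs rw,relatime,vers=3,rsize=131072,wsize=131072,hard,proto=tcp,timeo=600 0 0
192.0.2.12:/mnt/managedvolume/mv1_channel1 /mnt/rubrik/ch1 nfs ro,relatime,vers=3,hard,proto=tcp 0 0
192.0.2.99:/mnt/managedvolume/other_channel3 /mnt/rubrik/ch3 nfs rw,relatime,vers=3,hard,proto=tcp 0 0
EOF
    cat > "$_dir/channels" <<'EOF'
# channel_ip:channel_path mount_point
192.0.2.11:/mnt/managedvolume/mv1_channel0 /mnt/rubrik/ch0
192.0.2.12:/mnt/managedvolume/mv1_channel1 /mnt/rubrik/ch1
192.0.2.13:/mnt/managedvolume/mv1_channel2 /mnt/rubrik/ch2
192.0.2.14:/mnt/managedvolume/mv1_channel3 /mnt/rubrik/ch3
EOF
    _rc=0
    verify_channels "$_dir/channels" "$_dir/mounts" || _rc=$?
    rm -rf "$_dir"
    return "$_rc"
}

# With a channel list as $1, check the live mount table and stop on any problem.
if [ -n "${1:-}" ]; then
    verify_channels "$1" || exit 1
fi
```

Calling the script with a channel list from the backup job, before the RMAN or scripted backup starts, stops a run that would otherwise fill the local directory under an unmounted mount point.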

Managed Volumes with Oracle databases


The Rubrik cluster recognizes an Oracle database as a data source.
Oracle databases can be protected using this functionality, but can also make use of managed volume
functionality by integrating with the Oracle Recovery Manager (RMAN). RMAN merged incremental backups
launched from the Oracle host write data to the Managed Volume.
For each protected database, the Rubrik cluster hosts a Managed Volume with one or more Managed
Volume channels. The Rubrik cluster exports the channels and the channels are mounted on the Oracle
database host.
The Oracle database backup files on the Managed Volume remain available during the RMAN retention
period. RMAN adds and removes files from the Managed Volume based on the settings used for the
incremental merge backup. The snapshots managed by the Rubrik cluster enable the restoration of
backups from outside the RMAN retention period.
Use automated Oracle data protection for a fully automated integration.

Related concepts
Automated Oracle Data Protection
Automatically discover and protect Oracle databases.
Managed Volumes
The Managed Volume feature in Rubrik CDM protects and manages data.
Oracle databases
Use Rubrik CDM to back up, archive, replicate, and migrate Oracle databases.

Relationship between RMAN backups and SLA Domain snapshots


To ensure consistent protection of Oracle database backups, manage the relationship between the
frequency and retention settings of RMAN backups and the frequency and retention settings of the
assigned SLA Domain.
The base frequency of an SLA Domain is the frequency at which snapshots must be created to comply with
all of the rules specified for the SLA Domain. RMAN backups of the database associated with a Managed
Volume should normally match the base frequency of the assigned SLA Domain.

Setting | Description
RMAN frequency | Determines how often RMAN creates a backup of the specified database.
RMAN retention | For RMAN incremental merge backups, determines how many days of incremental backups are kept. Using this setting, RMAN controls the maximum number of incremental backups that exist in the Managed Volume at any point.
SLA Domain base frequency | For Managed Volumes, this represents how often the Rubrik cluster selects an available Managed Volume snapshot to ensure compliance with the SLA policies. • When the base frequency is the same as the RMAN frequency, the Rubrik cluster manages each RMAN backup snapshot according to the SLA policies. • When the base frequency is less than the RMAN frequency, the Rubrik cluster selects the most recent backup snapshot from the current period, and expires the remaining snapshots from that period. • When the base frequency is more than the RMAN frequency, gaps in available backup snapshots occur and the Managed Volume is out of compliance.
SLA Domain retention | Determines how long the Rubrik cluster manages the backup snapshots.

The frequency of RMAN backups should normally be the same as the base frequency of the SLA Domain.
The RMAN frequency can be configured to be more frequent, but should never be less frequent than the
SLA Domain base frequency.
In order to enable the Rubrik cluster to provide restore points outside of the RMAN retention period, the
SLA Domains used with RMAN backups must provide longer retention periods than the RMAN backups.
The following example shows RMAN settings appropriately matched to SLA Domain settings.

Example: Well matched RMAN and SLA Domain settings

• RMAN frequency and retention: One backup per day with seven days retention.
• SLA Domain base frequency and retention: One snapshot per day with 31 days retention.
• Result: The Rubrik cluster retains each daily snapshot for 31 days. Each daily snapshot contains seven
days of RMAN incremental merge backups.

The next example shows a case where RMAN frequency is greater than the base frequency of the SLA
Domain.

Example: Managing backups through SLA Domains with unmatched RMAN backups

• RMAN frequency and retention: One backup per hour with seven days retention.
• SLA Domain base frequency and retention: One snapshot every four hours with 14 days retention.
• The Rubrik cluster selects the latest of the four backups taken by RMAN during the four hour base
frequency period. The Rubrik cluster retains each selected snapshot for the 14 days retention period.
Each snapshot contains seven days of RMAN incremental backups.

Related concepts
SLA Domain assignment
Use SLA Domains to apply the data protection policies to an individual virtual machine or a selected set of
virtual machines.
Snapshots card or Recovery Points card
For a selected remote data source, the Snapshots card or Recovery Points card provides the ability to
browse and work with the replicas that reside on the local Rubrik cluster.

Direct NFS
Available in Oracle 11g and newer, Direct NFS (dNFS) runs in the database kernel and provides an
optimized NFS client.
The dNFS client uses less memory, provides faster performance, and automatically balances load across
available channels.
Oracle online documentation provides information about enabling dNFS on Oracle hosts.
Related information
Setting Up NFS Services

Performance database parameters and mount options


To provide the highest throughput when writing to and reading from Managed Volumes, make changes to
parameters of the Oracle database and use mount options that support those changes.
Throughput to and from a Managed Volume can be enhanced by making changes to specific parameters of
an Oracle database and using mount options that efficiently use the modified parameters. These changes
are optional and should only be considered when the baseline mount options do not provide adequate
performance.
The changes described in this section should be treated as guideline suggestions. The changes interact
with many facets of an Oracle deployment. When applying changes to a database, part of the process
must include testing all aspects of the database performance. Modify the parameters and mount options of
an Oracle database deployment to provide the best overall performance for that deployment.
Oracle online documentation provides information about available parameters and how to apply them to
databases.
The following table describes the database parameters that can be tuned to help achieve optimized
performance with a Managed Volume. A default value of n/a indicates that the parameter does not have a
default value.

Parameter | Default value | New value | Description
Process | range: 6 to OS dependent value | 2000 | Works in conjunction with a non-zero value for the dbwr_io_slaves parameter to handle the increased number of server processes.
memory_max_target | n/a | 0 | Specifying this parameter and memory_target to be 0 disables the Automatic Memory Management (AMM) feature.
memory_target | n/a | 0 | Specifying this parameter and memory_max_target to be 0 disables the Automatic Memory Management (AMM) feature.
filesystemio_options | n/a | SETALL | Specifying SETALL enables kernel asynchronous I/O and direct I/O.
sga_target_size | n/a | Determined by DBA | Provides an increase to the target value used for automatic sizing of SGA components. Industry best practice calls for SGA sizing to be 1/3 to 1/2 of physical memory.
sga_max_size | n/a | Determined by DBA | Increases the maximum size of the system global area (SGA) to provide additional shared memory components. Industry best practice calls for SGA sizing to be 1/3 to 1/2 of physical memory.
dbwr_io_slaves | 0 | 4 | Simulates asynchronous I/O with 4 parallel server processes. Only relevant on systems with a single database writer process.
_backup_disk_bufcnt | n/a | 16 | Sets a static number of 16 buffers used to process backup sets. This is an undocumented instance parameter.
_backup_file_bufcnt | n/a | 16 | Sets a static number of 16 buffers used to process image copies. This is an undocumented instance parameter.
_backup_disk_bufsz | 1048576 | 4194304 | Increases the size of the buffers used to process backup sets. This is an undocumented instance parameter.
_backup_file_bufsz | 1048576 | 4194304 | Increases the size of the buffers used to process image copies. This is an undocumented instance parameter.

Best practice NFS mount options used with the performance database parameters vary by operating
system. The guidelines are derived from Rubrik internal testing in conjunction with feedback from existing
users. These mount options are recommended unless they conflict with the needs of the application or
host.
These guidelines set the value for read and write operations to one megabyte. Do not exceed 1 megabyte
for these settings.
For AIX systems, use the following command to set the mount options:

mount -o bg,rw,dio,noac,hard,intr,llock,proto=tcp,rsize=524288,wsize=524288,vers=3 hostname:device path mount path

Where:
• hostname is the name of the source host.
• device path is the path to the Managed Volume to mount.
• mount path is the file system path to the mount point.
Solaris systems require kernel tuning to support large read and write operations over NFS. Use the
following command to make changes in the kernel:

echo "nfs3_bsize/W 100000" | mdb -kw

Use the following command to make the kernel change persist across machine reboots:

set nfs:nfs3_bsize=0x100000

Once the kernel is tuned, use the following command to set the mount options:

mount hostname:device path - mount path nfs - yes forcedirectio,rw,bg,nointr,hard,timeo=600,actimeo=0,wsize=1048576,rsize=1048576,vers=3,proto=tcp

Where:
• hostname is the name of the source host.
• device path is the path to the Managed Volume to mount.
• mount path is the file system path to the mount point.
For Linux systems, use the following command to set the mount options:

mount hostname:device path mount path nfs rw,bg,hard,nointr,rsize=131072,wsize=131072,tcp,vers=3,timeo=600,actimeo=0,noatime 0 0

Where:
• hostname is the name of the source host.
• device path is the path to the Managed Volume to mount.
• mount path is the file system path to the mount point.

For engineered systems such as Oracle Exadata or Oracle Database Appliances, use the following
command to set the mount options:

mount hostname:device path mount path nfs rw,bg,hard,nointr,rsize=1048576,wsize=1048576,tcp,vers=3,timeo=600,actimeo=0,noatime 0 0

Where:
• hostname is the name of the source host.
• device path is the path to the Managed Volume to mount.
• mount path is the file system path to the mount point.
Related concepts
Direct NFS
Available in Oracle 11g and newer, Direct NFS (dNFS) runs in the database kernel and provides an
optimized NFS client.

Block change tracking


Rubrik recommends enabling block change tracking for all Oracle databases that are backed up to a Rubrik
cluster.
Enabling block change tracking (BCT) provides significant performance improvements for Oracle
incremental backups. Once BCT is enabled, RMAN backs up only the changes made since the last backup.
The Rubrik cluster includes an entry in the activity log asking customers to enable BCT.
Refer to Oracle documentation for more information about enabling BCT.
Related information
Enabling Block Change Tracking

RMAN merged incremental backups


Use RMAN merged incremental backups for RMAN backups that are managed and protected by a Rubrik
cluster.
Rubrik CDM only supports RMAN merged incremental backups, also known as incrementally updated
backups.
A merged incremental backup typically uses an RMAN command block that has the following basic form:

RUN
{
    RECOVER COPY OF DATABASE WITH TAG 'incr_update' UNTIL TIME 'SYSDATE - 7';
    BACKUP INCREMENTAL LEVEL 1 FOR RECOVER OF COPY WITH TAG 'incr_update' DATABASE;
}

Related information
RMAN Incremental Backups

Preparing a combined RMAN backup script


Using a Rubrik CDM Managed Volume to back up an Oracle database requires a combined RMAN backup
script.

Prerequisites
Update curl on the Oracle host to the most recent version. Older versions of curl may encounter errors.

Context
This task creates an RMAN script that invokes the Rubrik REST API calls and runs the RMAN merged
incremental backup, including backup of the archivelog and controlfile. Add the script lines in the
order described in this task. The RMAN command block may be modified to meet requirements, but must
initiate a merged incremental backup of the database.

Procedure
1. On the Oracle host, open a new plain text file as the script file.
2. Log in to the Rubrik web UI.
3. From the left-side menu, click Servers & Apps > Managed Volumes.
The Managed Volumes page appears.
4. Click the name of a Managed Volume.
The local page for the selected Managed Volume appears.
5. From the URL displayed in the web browser address field, save the Rubrik host and the Managed
Volume ID.
If the URL is:

https://172.17.28.11/web/bin/index.html#/object_details/managed_volume/ManagedVolume:::167bbf90-d0af-4685-b694-cee369536c6e

Save the following Rubrik host:

https://172.17.28.11

Save the following Managed Volume ID:

ManagedVolume:::167bbf90-d0af-4685-b694-cee369536c6e

6. Type the begin snapshot API call into the script file.

curl -k -X POST -u "username:password" \
'https://rubrik_cluster/api/internal/managed_volume/ManagedVolume:::mv_id/begin_snapshot'

Where:
• username is the name for a Rubrik cluster user account with admin privileges or an account that
has the Managed Volume user role.
• password is the password for the account.
• rubrik_cluster is the resolvable hostname or the IPv4 address of the Rubrik cluster.
• mv_id is the Managed Volume ID.
Authenticate the Rubrik REST API calls using a base64 hash of the user name and password when the
credentials contain special characters or to obscure the credentials in API calls.
7. Type the RMAN merged incremental command block into the script.
Replace the placeholders in this example to suit the deployment:

echo "Running the RMAN Commands"
rman nocatalog <<EOF
connect target /
set echo on;
show all;
run {
    crosscheck backup;
    crosscheck copy;
    configure controlfile autobackup on;
    configure controlfile autobackup format for device type disk to 'ch_0_mnt_pt/%F';
    configure retention policy to redundancy 1;
    configure device type disk parallelism 4;
    allocate channel ch0 device type disk format 'ch_0_mnt_pt/%U';
    allocate channel ch1 device type disk format 'ch_1_mnt_pt/%U';
    allocate channel ch2 device type disk format 'ch_2_mnt_pt/%U';
    allocate channel ch3 device type disk format 'ch_3_mnt_pt/%U';
    backup incremental level 1 for recover of copy with tag 'db_name' database plus archivelog delete all input;
    recover copy of database with tag 'db_name' until time 'SYSDATE-7';
    backup as copy current controlfile;
}
delete noprompt obsolete;
EOF

Where:
• ch_0_mnt_pt is the full path to the mount point of channel 0.
• ch_1_mnt_pt is the full path to the mount point of channel 1.
• ch_2_mnt_pt is the full path to the mount point of channel 2.
• ch_3_mnt_pt is the full path to the mount point of channel 3.
• db_name is the name of the database.
This step includes a template example of the RMAN command block. Modify the command block to
adjust to the requirements for the specific database. For example, add or remove ‘allocate channel’
lines so that the command block includes the correct number of channels for the Managed Volume.
8. Type the end snapshot API call.

curl -k -X POST -u "username:password" \
'https://rubrik_cluster/api/internal/managed_volume/ManagedVolume:::mv_id/end_snapshot'

Where:
• username is the name for a Rubrik cluster user account with admin privileges or an account that
has the Managed Volume user role.
• password is the password for the account.
• rubrik_cluster is the resolvable hostname or the IPv4 address of the Rubrik cluster.
• mv_id is the Managed Volume ID.
9. Save the RMAN script file.
10. Make the RMAN script executable.
11. Add a cron entry that calls the RMAN script with the correct frequency.

Result
A combined RMAN backup script is ready for use to back up an Oracle database using a Rubrik CDM
Managed Volume.
Related concepts
Managed Volume settings
Managed Volume settings change depending on the channel, size, subnet, and the SLA domain assignment
component.
Related tasks
Authenticating Rubrik API calls with a base64 hash
Authenticate Rubrik REST API calls using a base64 hash of the user name and password.
Viewing a Managed Volume local page

The Managed Volume local page includes sections for the Action, Overview, and Snapshots cards.

Authenticating Rubrik API calls with a base64 hash


Authenticate Rubrik REST API calls using a base64 hash of the user name and password.

Context
Use this method when the credentials contain special characters or to obscure the credentials in API calls.

Procedure
1. Open a terminal session on a computer that has the OpenSSL software library installed.
OpenSSL is included on standard Linux distributions.
2. Type the following command.

echo -n username:password | openssl enc -base64

For example, using the literal values "admin" and "secret":

echo -n admin:secret | openssl enc -base64
YWRtaW46c2VjcmV0

The base64 encoded value appears.

3. Use the encoded value in Rubrik REST API calls.
In the Rubrik REST API call, replace the non-encoded form of "username:password":

curl -k -X POST -u "username:password" \
'https://rubrik_cluster/api/internal/managed_volume/ManagedVolume:::mv_id/end_snapshot'

with the base64 encoded value:

curl -k -X POST -H 'Authorization: Basic encoded_string' \
'https://rubrik_cluster/api/internal/managed_volume/ManagedVolume:::mv_id/end_snapshot'

Where:
• username is the name for a Rubrik cluster user account with admin privileges or an account that
has the Managed Volume user role.
• password is the password for the account.
• rubrik_cluster is the resolvable hostname or the IPv4 address of the Rubrik cluster.
• encoded_string is the base64 encoded value of the string formed from username:password.
• mv_id is the Managed Volume ID.

Result
The Rubrik REST API server authenticates the request.
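
The encoding step above with its edge cases handled, as an added example that is not part of the Rubrik guide. Base64 is a reversible encoding rather than a hash, so the example shows the round trip and stores the header in an owner-only curl config file; the function names and the config file are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Rubrik guide. Function names are hypothetical.

# b64_encode: base64-encode stdin onto a single line. Without -A, openssl wraps
# its output every 64 characters, which splits the token for a long credential
# across lines and breaks the Authorization header.
b64_encode() {
    if command -v openssl >/dev/null 2>&1; then
        openssl enc -base64 -A
    else
        base64 | tr -d '\n'
    fi
}

# b64_decode: the reverse operation. Anyone who can read the encoded string can
# recover the user name and password this way.
b64_decode() {
    if command -v openssl >/dev/null 2>&1; then
        openssl enc -base64 -d -A
    else
        base64 -d
    fi
}

# basic_token USER PASSWORD: printf '%s' behaves the same in every POSIX shell
# and leaves backslashes and other special characters in the password untouched,
# which echo -n does not guarantee.
basic_token() {
    printf '%s:%s' "$1" "$2" | b64_encode
}

# write_curl_config FILE USER PASSWORD: write the header to a curl config file
# readable only by its owner, so the token is kept out of the backup script and
# off the curl command line.
write_curl_config() {
    ( umask 077
      printf 'header = "Authorization: Basic %s"\n' "$(basic_token "$2" "$3")" > "$1" ) &&
    chmod 600 "$1"
}

# Usage: sh this_script CONFIG_FILE USER   (the password is read from stdin)
# Then:  curl --config CONFIG_FILE -X POST 'https://rubrik_cluster/api/internal/...'
if [ "$#" -eq 2 ]; then
    IFS= read -r _pw && write_curl_config "$1" "$2" "$_pw"
fi
```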
Related tasks
Preparing a combined RMAN backup script

Using a Rubrik CDM Managed Volume to back up an Oracle database requires a combined RMAN backup
script.

Managed Volumes end snapshot API failure


For Managed Volume backups, the host-side scripts must handle the failure of a Rubrik REST API call to
the /managed_volume/{id}/end_snapshot endpoint.
Using a Managed Volume for backing up data requires the host-side scripts to call the
/managed_volume/{id}/begin_snapshot endpoint to open the Managed Volume for writes. A
subsequent call to the /managed_volume/{id}/end_snapshot endpoint closes the Managed Volume
for writes. The resulting snapshot contains all the data that was written to the Managed Volume between
the two API calls.
To ensure the integrity of the data in a Managed Volume snapshot, the host-side scripts must not delete
the source data until the following conditions are met:
• The API call to the /managed_volume/{id}/end_snapshot endpoint returns the HTTP response
status code of 200, indicating that the call was successful.
• The API call to the /managed_volume/snapshot/{id} endpoint returns the HTTP response status
code of 200, indicating that the snapshot identified by the id in the API call exists in the Rubrik cluster.
Additionally, the script that calls the end_snapshot API endpoint must handle the following failure
conditions:
• Calling the end_snapshot API endpoint before the backup script completes execution.
• Calling the end_snapshot API endpoint before completion of the data transfer to the Managed
Volume.
To prevent calling the end_snapshot API endpoint before the backup script completes execution and
completes the data transfer to the Managed Volume, introduce a delay of 600 seconds between the
successful execution of the backup script and the call to the end_snapshot endpoint.
After the introduction of a delay, if the end_snapshot request fails again, retry the end_snapshot call
three times with a delay of 300 seconds between each attempt.
Contact Rubrik Support if the Managed Volume backup failure persists.

Example: Sample script with logic to retry end_snapshot request

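http_response=''
n=0
# Try the end_snapshot call up to three times, stopping at the first HTTP 200.
while [[ $http_response != "200" && $n -lt 3 ]]
do
    http_response=$(curl -w "%{http_code}" -k -s -o /dev/null -X POST \
        -u "admin:<password>" \
        "https://10.0.86.72/api/internal/managed_volume/ManagedVolume:::734afa7c-87f6-4094-b938-866fcf8dd0c7/end_snapshot")
    (( n = n+1 ))
    # Wait 300 seconds before the next attempt only if this one failed.
    if [[ $http_response != "200" ]]
    then
        sleep 300
    fi
done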
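
A fuller version of the gate this section describes, as an added example rather than Rubrik's script: it waits 600 seconds, calls end_snapshot with up to three retries 300 seconds apart, then confirms the snapshot exists before reporting that source data may be deleted. It assumes the end_snapshot response body is JSON carrying the snapshot id in an "id" field and that the snapshot endpoint sits under /api/internal like the other calls; neither is stated on this page, and the file paths and function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Rubrik's own script. Placeholders follow the guide;
# file paths and function names are hypothetical.
RUBRIK_URL="${RUBRIK_URL:-https://rubrik_cluster}"
MV_ID="${MV_ID:-ManagedVolume:::mv_id}"
NETRC_FILE="${NETRC_FILE:-/etc/rubrik/mv.netrc}"      # machine/login/password, mode 600
CA_BUNDLE="${CA_BUNDLE:-/etc/rubrik/cluster-ca.pem}"  # CA that signed the cluster certificate
SETTLE_DELAY=600   # seconds between the end of the backup and end_snapshot
RETRY_DELAY=300    # seconds between end_snapshot attempts
MAX_RETRIES=3      # retries after the first attempt

pause() { sleep "$1"; }

# http_request METHOD PATH: sets HTTP_CODE and HTTP_BODY (000 on transport
# errors). --cacert verifies the cluster certificate, where the guide's
# examples use -k and skip verification; --netrc-file keeps the password off
# the command line.
http_request() {
    HTTP_CODE=000; HTTP_BODY=''
    if _resp=$(curl -sS --cacert "$CA_BUNDLE" --netrc-file "$NETRC_FILE" \
                    -X "$1" -w '\n%{http_code}' "${RUBRIK_URL}$2"); then
        HTTP_CODE=$(printf '%s\n' "$_resp" | tail -n 1)
        HTTP_BODY=$(printf '%s\n' "$_resp" | sed '$d')
    fi
}

# snapshot_id_from BODY: ASSUMPTION, the response is JSON with an "id" field.
snapshot_id_from() {
    printf '%s\n' "$1" | sed -n 's/.*"id" *: *"\([^"]*\)".*/\1/p' | head -n 1
}

# end_snapshot_with_retry: one attempt after the settle delay, then up to
# MAX_RETRIES more. Returns 0 only on HTTP 200 and sets SNAPSHOT_ID.
end_snapshot_with_retry() {
    SNAPSHOT_ID=''
    _retries=0
    pause "$SETTLE_DELAY"
    while :; do
        http_request POST "/api/internal/managed_volume/$MV_ID/end_snapshot"
        if [ "$HTTP_CODE" = "200" ]; then
            SNAPSHOT_ID=$(snapshot_id_from "$HTTP_BODY")
            return 0
        fi
        if [ "$_retries" -ge "$MAX_RETRIES" ]; then
            return 1
        fi
        _retries=$((_retries + 1))
        pause "$RETRY_DELAY"
    done
}

# snapshot_exists ID: second condition, the snapshot can be fetched by id.
snapshot_exists() {
    [ -n "$1" ] || return 1
    http_request GET "/api/internal/managed_volume/snapshot/$1"
    [ "$HTTP_CODE" = "200" ]
}

# safe_to_delete_source: true only when both conditions from the guide hold.
safe_to_delete_source() {
    end_snapshot_with_retry || return 1
    snapshot_exists "$SNAPSHOT_ID"
}

# Run after the backup command has finished: sh this_script run
if [ "${1:-}" = "run" ]; then
    if safe_to_delete_source; then
        echo "snapshot $SNAPSHOT_ID confirmed on the cluster; source data may be removed"
    else
        echo "snapshot not confirmed (last HTTP status $HTTP_CODE); keeping source data" >&2
        exit 1
    fi
fi
```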

Managing protection with SLA Domains


Assign a Managed Volume to an SLA Domain to enable policy-driven management of the snapshots of the
Managed Volume.

To prevent differences in the policies applied to the snapshots of a Managed Volume, assign an SLA
Domain to the Managed Volume before using the volume for backups.
When a Managed Volume is not initially assigned to an SLA Domain, and backups are written to the
Managed Volume, default policies are applied to the snapshots that are created. These policies can differ
substantially from the policies applied to the Managed Volume through an SLA Domain assignment.

Relationship between scripted backups and SLA Domain snapshots


To ensure consistent protection for data sources with client-side scripted backups, manage the relationship
between the frequency and retention settings of the scripted backups and the frequency and retention
settings of the assigned SLA Domain.
The base frequency of an SLA Domain is the frequency at which snapshots must be created to comply with
all of the rules specified for the SLA Domain. As a best practice, configure scripted third-party backups
of the data source associated with a Managed Volume to match the base frequency of the assigned SLA
Domain.

Setting | Description
Scripted frequency | Determines how often the third-party script creates a backup of the specified database.
Scripted retention | Specifies the maximum number of incremental backups that exist in the Managed Volume at any point.
SLA Domain base frequency | For Managed Volumes, this represents how often the Rubrik cluster selects an available Managed Volume snapshot to ensure compliance with the SLA policies. • When the base frequency is the same as the scripted frequency, the Rubrik cluster manages each backup snapshot according to the SLA policies. • When the base frequency is less than the scripted frequency, the Rubrik cluster selects the most recent backup snapshot from the current period, and expires the remaining snapshots from that period. • When the base frequency is more than the scripted frequency, gaps in available backup snapshots occur and the Managed Volume is out of compliance.
SLA Domain retention | Determines how long the Rubrik cluster manages the backup snapshots.

The frequency of scripted backups should normally be the same as the base frequency of the SLA Domain.
The scripted frequency may exceed but cannot be less than the SLA Domain base frequency.
To enable the Rubrik cluster to provide restore points outside of the scripted retention period, SLA Domains
used with scripted backups must provide longer retention periods than the scripted backups.
The following example shows scripted backup settings appropriately matched to SLA Domain settings.

Example: Well matched scripted backup and SLA Domain settings

• Scripted frequency and retention: One backup per day with seven days retention.
• SLA Domain base frequency and retention: One snapshot per day with 31 days retention.
• Result: The Rubrik cluster retains each daily snapshot for 31 days. Each daily snapshot contains seven
days of scripted backups.
The next example shows a case where RMAN frequency is greater than the base frequency of the
SLA Domain.

Example: Managing backups through SLA Domains with unmatched scripted backup settings

• Scripted frequency and retention: One backup per hour with seven days retention.
• SLA Domain base frequency and retention: One snapshot every four hours with 14 days retention.
• The Rubrik cluster selects the latest of the four backups taken by the third-party backup script during
the four hour base frequency period. The Rubrik cluster retains each selected snapshot for the 14 day
retention period. Each snapshot contains seven days of scripted backups.

Assigning an SLA Domain to Managed Volumes


To provide SLA policy based management of the snapshots of a Managed Volume, assign an SLA Domain
to the Managed Volume or SLA Managed Volume.

Procedure
1. Log in to the Rubrik CDM web UI using an account with administrator privileges.
2. On the left-side menu, click Servers & Apps > Managed Volumes.
The Managed Volumes page appears with two tabs, SLA Managed Volumes and Managed Volumes.
3. Select an SLA Managed Volume or a Managed Volume.
4. Click Manage Protection.
The Manage Protection dialog box appears.
5. Select an SLA Domain.
To create an SLA Domain, click + and create the SLA Domain.
6. Click Next.
7. Review the SLA Domain settings.
8. Click Submit.

Result
The Rubrik cluster saves the settings and begins managing the snapshots of the Managed Volume or SLA
Managed Volume.

Snapshot-level protection
Individual on-demand snapshots of a Managed Volume can be managed using SLA policies that are
different from the associated Managed Volume.
For some business purposes, specific Managed Volume snapshots should be managed differently from the
other snapshots of the Managed Volume. Business requirements may be satisfied by specifying a longer
retention period, a different replication policy, or a different archival policy.
To assign SLA policies to a Managed Volume snapshot that are different from those assigned to the
Managed Volume, the snapshot must be an on-demand snapshot initiated from the Rubrik CDM web
UI. On-demand snapshots of Managed Volumes can be assigned SLA Domains different from the SLA
Domain set for the Managed Volume as a whole. These individual SLA Domain assignments override the
assignments made on the Managed Volume.
To set an on-demand snapshot of a Managed Volume as unmanaged, specify Forever at the time the
snapshot is taken. The Rubrik cluster handles a snapshot with the Forever setting as follows:
• Snapshot labeled as On Demand
• No automatic expiration of the snapshot

• Manual expiration of the snapshot permitted
• Snapshot accessible through the Snapshot Management page

Specifying Managed Volume snapshot assignment


To provide separate SLA policy-based management of a Managed Volume snapshot, create an on-demand
snapshot of the Managed Volume and assign a different protection setting to the snapshot.

Procedure
1. Log in to the Rubrik CDM web UI using an account with administrator privileges.
2. On the left-side menu, click Servers & Apps > Managed Volumes.
The Managed Volumes page appears.
3. Click the name of a Managed Volume.
The local page for the Managed Volume appears.
4. Click Manage Snapshot Operations.
The Managed Snapshot Operations dialog box appears.
5. Click Begin Snapshot.
The Rubrik cluster sets the Managed Volume to read-write and the Managed Snapshot Operations
dialog box changes.
6. Click Take Snapshot.
The Take On Demand Snapshot dialog box appears.
7. Select an SLA Domain for the snapshot, or select Forever.
Optionally, to create an SLA Domain for the snapshot, click +.
8. Click Take On Demand Snapshot.
The Rubrik cluster creates a snapshot of the files in the managed volume.
The Activity Log message for the job includes the timestamp for the backup that is the basis for the
snapshot.

Result
The Rubrik cluster lists the snapshot on the Snapshots card of the Managed Volume local page.

Creating a Live Mount from a Managed Volume snapshot


A Live Mount of a Managed Volume snapshot enables access to the data in that snapshot.

Prerequisites
• Manage and protect at least one Managed Volume.
• Successfully complete at least one snapshot of the Managed Volume.

Context
The Rubrik cluster shares the Live Mount over the SMB/CIFS protocol. Because live mounts are optimized
for faster read operations, restoring from a live mount can offer performance advantages over other
recovery methods.

Procedure
1. Log in to the Rubrik CDM web UI using an account with administrator privileges.
2. On the left-side menu, click Servers & Apps > Managed Volumes.
The Managed Volumes page appears.
3. Click the name of a Managed Volume.
The local page for the Managed Volume appears.
4. On the Recovery Points card, select a day that has a green dot.
The green dot indicates that at least one successful snapshot was created on that day.
The Recovery Points card displays the Day view and a list of snapshots for that day.
5. Open the ellipsis menu for the snapshot to live mount and click Export.
A confirmation dialog box appears.
6. Optional: Configure Subnet (Optional).
7. Optional: Configure Client Name Patterns (Optional).
The Rubrik cluster allows only hosts identified in the client name patterns to access the shares live
mounted from the Managed Volume snapshots.
When the Client Name Patterns field is empty or contains a single asterisk (*), the Rubrik cluster
allows any host to access the live mounted shares from the NFS-protocol Managed Volume. Live
mounts of managed volumes using SMB do not support a Client Name Patterns field that is empty or
contains an asterisk.
8. Click Export.

Result
The Rubrik cluster creates the Live Mount of the selected snapshot. Active Live Mounts are listed in Live
Mounts > Managed Volumes.

Deleting an unmanaged on-demand snapshot


The Rubrik cluster retains an unmanaged snapshot of a Managed Volume until the snapshot is manually
deleted.

Procedure
1. Log in to the Rubrik CDM web UI using an account with administrator privileges.
2. On the left-side menu, click Servers & Apps > Managed Volumes.
The Managed Volumes page appears.
3. Click the name of a Managed Volume.
The local page for the Managed Volume appears.
4. In the Snapshots card, navigate to the Day view that shows the on-demand snapshot.
The Rubrik CDM web UI uses a camera icon to represent an on-demand snapshot.
5. Open the ellipsis menu for the snapshot and click Delete.
A warning dialog box appears.
6. Click Delete.

Result
The Rubrik cluster removes the selected on-demand snapshot.

Viewing a Managed Volume local page


The Managed Volume local page includes sections for the Action, Overview, and Snapshots cards.

Context
Access the Managed Volume local page to view information about a managed volume.

Procedure
1. From the left-side menu of the Rubrik CDM web UI, click Servers & Apps > Managed Volumes.
The Managed Volumes page appears.
2. Click the name of a Managed Volume.

Result
The local host page for the selected Managed Volume appears.

Action bar
The Action bar provides the actions available for the selected Managed Volume.

Action | Description
Manage snapshot operations | When the Managed Volume is in a read-only state, changes the state to writable in order to receive backup data. When the Managed Volume is in a writable state, takes a snapshot and changes the state to read-only.
Manage Protection | Opens the Manage Protection dialog box to assign a Managed Volume to an SLA Domain.

Overview card
The Overview card provides a summary of the Managed Volumes.

Field | Description
Total Snapshots | Total number of retained snapshots for the selected managed volume, including snapshots stored locally and at archival locations.
Channels | The number of channels configured for the Managed Volume. Click View for additional details.
Provisioned Size | The amount of space that was provisioned for the managed volume.
Used Size | The current amount of space used by the Managed Volume.
SLA Domain | The name of the SLA Domain for the Managed Volume.
Live Mount | The number of active Live Mounts.
Oldest Snapshot | Timestamp for the oldest snapshot associated with the managed volume. When the SLA Domain has an active archival policy, the oldest snapshot resides at the archival location.
Latest Snapshot | Timestamp for the most recent successful snapshot of the managed volume.

Snapshots card
The Snapshots card provides the ability to browse the snapshots that reside on the local Rubrik cluster and
on the archival location for the selected Managed Volume.
The Snapshots card provides access to snapshot information through a series of calendar views. Each
calendar view uses color spots to indicate the presence of snapshots on a date and to indicate the status
of SLA Domain compliance for the Managed Volume on that date.
The Snapshots card also provides the ability to search for files across all of the snapshots of the Managed
Volume.

Chapter 26
SLA Managed Volumes

SLA Managed Volumes

An SLA Managed Volume is associated with an SLA Domain that schedules and initiates the backups that
go to the Managed Volume.
An SLA Managed Volume provides a service-level agreement that orchestrates the backups that go into a
Managed Volume. SLA Managed Volumes consist of two primary components: a backup script or command
to run on the data host and an SLA Domain assignment to provide backup management. The SLA Domain
schedules and manages the backups.
Rubrik CDM controls the mount management of the SLA Managed Volumes on the Rubrik cluster as well as
the hosts.
Rubrik CDM has greater flexibility with the sizing of SLA Managed Volumes, which means that a Rubrik
cluster can support a greater number of SLA Managed Volumes than Managed Volumes.
The following table describes the differences between Managed Volumes and SLA Managed Volumes.

Description | Managed Volume | SLA Managed Volume
RBS required | No | Yes
SLA Domain initiated backups | No | Yes
Backup frequency control in Rubrik CDM | No | Yes
Floating IP address requirement | Yes | No
Cloud cluster | Supported without failover | Supported with failover
Invoke begin/end snapshots APIs; deploy cURL | Yes | No

An SLA Managed Volume is visible to user accounts with a custom role only if the role includes access to
the Windows or Linux host associated with the SLA Managed Volume.
Related Tasks
Adding a custom role
Create a custom role and add privileges to access resources and to perform administrative tasks.

SLA Managed Volume settings


The SLA Managed Volume settings change with the file sharing protocol of the host.

Component | Protocol | Setting
Volume Name | NFS and SMB | The name of the SLA Managed Volume.
Provisioned Size (GB) | NFS and SMB | Create the SLA Managed Volume with sufficient space to contain all the data from the recovery period, and provide additional space for unexpected data growth.
  For example, a 1 TB data source with a 5% change rate requires approximately 1.3 TB for a 7 day recovery period and 1.6 TB for a 14 day recovery period. Managed Volumes can be increased in size as needed, but cannot be decreased in size.
Subnet (optional) | NFS and SMB | When VLAN tagging is enabled on the Rubrik cluster, configure a subnet mask value, in CIDR format, to direct the network traffic of the SLA Managed Volume to a specific VLAN.
  Create all SLA Managed Volumes on the same subnet to enable optimal load balancing.
Number of Channels (optional) | NFS and SMB | SLA Managed Volumes have the following requirements:
  • Number of channels per SLA Managed Volume cannot exceed the number of nodes in the Rubrik cluster.
  • The recommendation is for one channel per SLA Managed Volume.
  • To support SLA Managed Volumes over 128 TB in size, create more than one channel.
  When backing up Oracle databases to an SLA Managed Volume, the recommendation is to use the same number of SLA Managed Volume channels as RMAN channels. An RMAN channel must write to the same SLA Managed Volume channel on all backup jobs.
IP or Hostname | NFS and SMB | The IP address or hostname of the client host.
Application Tags (optional) | NFS and SMB | Application tags specify the type of application content in the Managed Volume. The Rubrik cluster optimizes the use of CPU and memory during data reduction based on the selected type. When no tag is selected, data reduction uses more CPU and memory.
Username | NFS | The user account used to execute backup scripts.
Mount point paths on the host | NFS | The full path to mount the channels on the NFS host.
  The number of fields corresponds to the number of channels specified.
Domain | SMB | The name of the Active Directory domain of the SMB Server.
Usernames | SMB | The domain user account used to run the Rubrik Backup Service on the Windows host.
Active Directory Groups (optional) | SMB | The Active Directory groups that require backup and restore access to the SMB shares.
Mount point paths on the host | SMB | The full path to mount the channels on the SMB host.
  The number of fields corresponds to the number of channels specified.
Command to run on the host | NFS and SMB | The command or full path to the script to perform backup on the host.
Enable pre-backup and post-backup commands | NFS and SMB | Enables pre-backup and post-backup options for:
  • Command to run before backup
  • Option to cancel backup if pre-backup command fails
  • Command to run after successful backup
  • Command to run after failed backup
  The commands and scripts have an associated timeout value. Rubrik CDM terminates the commands or scripts if the runtime exceeds the timeout value.
  The pre-backup and post-backup scripts have limited access to the SLA Managed Volume. The pre-backup script has read-only access to the SLA Managed Volume before the backup begins. The post-backup script has read-only access to the SLA Managed Volume only after a successful backup.

Related Tasks
Creating NFS SLA Managed Volumes
Create an SLA Managed Volume for a Linux host running the NFS file sharing protocol.
Creating SMB SLA Managed Volume
Create an SLA Managed Volume for a Windows host running the SMB file sharing protocol.
Related reference
Prohibited mount points and script directories for SLA Managed Volumes
For SLA Managed Volumes, Rubrik CDM prevents the use of some paths as mount points and host-side
script locations.

Prohibited mount points and script directories for SLA Managed Volumes

For SLA Managed Volumes, Rubrik CDM prevents the use of some paths as mount points and host-side
script locations.

Operating System | Prohibited mount points | Prohibited script directory paths
Linux | /bin, /boot, /dev, /etc, /lib, /lost+found, /media, /opt, /proc, /run, /sbin, /srv, /sys, /usr, /var | /boot, /etc, /lost+found, /proc, /run, /sys, /dev
Solaris | /bin, /dev, /etc, /kernel, /lib, /opt, /platform, /proc, /sbin, /usr, /var, /vol | /dev, /etc, /kernel, /platform, /proc, /vol

Creating NFS SLA Managed Volumes


Create an SLA Managed Volume for a Linux host running the NFS file sharing protocol.

Prerequisites
Install the Rubrik Backup Service (RBS) on the NFS host and add the host to the Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI using an account with administrator privileges.
2. On the left-side menu, click Servers & Apps > Managed Volumes.
The Managed Volumes page appears with SLA Managed Volumes tab selected.
3. Click Add Volume.
The Add SLA Managed Volume wizard starts with the Managed Volume Settings page highlighted.
4. In Volume Name, type the volume name.
5. In Provisioned Size (GB), type the provisioned size in gigabytes.
6. Optional: In Subnet, configure the subnet mask value in CIDR format.
This step is required when VLAN tagging is enabled.
7. Optional: In Number of Channels, type an integer.
Complete this optional step when multiple channels are required.
8. Click on IP or Hostname.
A list of available IP addresses and hostnames appears.
9. Select the host.
10. Optional: In Applications Tags, select a tag.
11. Click Next and provide the protocol settings.
The Rubrik cluster automatically identifies the protocol as NFS. Type a username and the full path to
mount the NFS export on the export target.
If the full path value that is provided is /mnt/nfs/xyz, the parent folders /mnt/nfs/ must already
exist. Rubrik CDM creates folder xyz as part of the backup and removes it when the backup is
complete.
12. Click Next.
The Backup Command Settings page appears.
13. In Command to run on the host, type the name of an OS command or the full path of a script.
The command or the backup script can run on the data host with applicable parameters.
14. Optional: Select Enable pre-backup and post-backup commands.
Use this option to enable fields for setting actions that occur before and after the backup.
Additional backup options appear.
15. Optional: In Command to run before backup, type a text string and an integer.
The text string represents the full path to the script on the host or a single OS command that will run
before the backup runs. The integer represents the timeout in seconds.
16. Optional: Select or clear Cancel backup if pre-backup command fails.
17. Optional: In Command to run on successful backup, type a text string and an integer.
The text string represents the full path to the script on the host or a single OS command that will run
after the backup completes successfully. The integer represents the timeout in seconds.
18. Optional: In Command to run on backup failure, type a text string and an integer.
The text string represents the full path to the script on the host or a single OS command that will run
if the backup fails. The integer represents the timeout in seconds.
19. Click Submit.

Result
The Rubrik cluster creates the SLA Managed Volume and the new volume appears on the SLA Managed
Volumes tab.

Next task
Assign an SLA Domain to the SLA Managed Volume.
Related Tasks
Installing RBS on Linux and Unix hosts
Install the Rubrik Backup Service software on Linux and Unix hosts.
Adding a host
To begin managing and protecting a Linux, Unix, or Windows host, add the host to the Rubrik cluster.
Creating a custom SLA Domain
Create a custom SLA Domain with policies that meet specific SLA requirements.
Assigning an SLA Domain to Managed Volumes
To provide SLA policy based management of the snapshots of a Managed Volume, assign an SLA Domain
to the Managed Volume or SLA Managed Volume.
Related reference
SLA Managed Volume settings
The SLA Managed Volume settings change with the file sharing protocol of the host.
Prohibited mount points and script directories for SLA Managed Volumes
For SLA Managed Volumes, Rubrik CDM prevents the use of some paths as mount points and host-side
script locations.

Preparing Windows hosts for SLA Managed Volumes


Complete the required tasks for preparing Windows hosts to use SLA Managed Volumes.

Procedure
1. Add the Windows host to the domain controller. Enter the name and password of a user account with
permission to join the domain. Restart the host to apply the changes.
2. Grant administrator privileges to the domain user account.
The domain user account corresponds to the Active Directory user account responsible for taking
backups of SLA Managed Volumes.
3. Install the Rubrik Backup Service (RBS) on the Windows host and add the host to the Rubrik cluster.
4. Change the logon user of RBS running on the host, to the domain user.
5. In the Rubrik cluster, configure SMB security.
Add the domain controller and domain user account details to the Rubrik cluster.
6. Optional: Enable Kerberos Authentication for SMB shares.
By default, Windows does not use Kerberos authentication for hosts that use IPv4 addresses instead
of hostnames.

Result
The Windows host is set up for SLA Managed Volumes.

Next task
Create an SMB SLA Managed Volume on the Rubrik cluster and mount snapshots on the Windows host.
Related Tasks
Installing RBS on Windows
Install the Rubrik Backup Service software on a computer or virtual machine that is running the Windows
Server operating system.
Adding a host
To begin managing and protecting a Linux, Unix, or Windows host, add the host to the Rubrik cluster.
Configuring SMB Security
Configure security for a Server Message Block share to enforce user authentication through Active
Directory.
Enabling Kerberos authentication for SMB shares
Configure Kerberos clients to support IPv4 and IPv6 hostnames in SPNs.
Creating SMB SLA Managed Volume
Create an SLA Managed Volume for a Windows host running the SMB file sharing protocol.

Creating SMB SLA Managed Volume


Create an SLA Managed Volume for a Windows host running the SMB file sharing protocol.

Prerequisites
Prepare the Windows host before creating SMB SLA Managed Volumes.

Procedure
1. Log in to the Rubrik CDM web UI using an account with administrator privileges.
2. On the left-side menu, click Servers & Apps > Managed Volumes.
The Managed Volumes page appears with SLA Managed Volumes tab selected.
3. Click Add Volume.
The Add SLA Managed Volume wizard starts with the Managed Volume Settings page highlighted.
4. In Volume Name, type the volume name.
5. In Provisioned Size (GB), type the provisioned size in gigabytes.
6. Optional: In Subnet, configure the subnet mask value in CIDR format.
This step is required when VLAN tagging is enabled.
7. Optional: In Number of Channels, type an integer.
Complete this optional step when multiple channels are required.
8. Click on IP or Hostname.
A list of available IP addresses and hostnames appears.
9. Select the IP address of the SMB client.
Using the SMB protocol to back up to, and restore from SLA Managed Volumes, requires the IP
address of the SMB client for the first backup. After the first backup is successfully completed, the
identification of the Windows host can be changed from the IP address to a DNS short name or a Fully
Qualified Domain Name (FQDN) for subsequent backups.
10. Optional: In Applications Tags, select a tag.
11. Click Next.
The Protocol Settings page appears. The Rubrik cluster automatically identifies the protocol as SMB.
12. In Domain, type the Active Directory domain name.
13. In Usernames, type the name of the domain user account that runs the Rubrik Backup Service on
the host.
14. Optional: In Active Directory Groups, type the names of any groups that have members that
require backup and restore access to the SMB shares.
To ensure SQL Server access, type the name of a group that includes the account that is running the
SQL Server service.
15. In Mount point paths on the host, type the full path to mount the SMB export on the export
target.
For example, if the full path is C:\x\y\z, the parent folders C:\x\y\ must already exist. Rubrik
CDM creates folder z as part of the backup and removes it when the backup is complete. Rubrik CDM
fails the mount if folder z already exists on the path.
16. Click Next.
The Backup Command Settings page appears.
17. In Command to run on the host, type the name of an OS command or the full path of a script.
The command or the backup script can run on the data host with applicable parameters. Scripts with
extensions ".bat", ".cmd", or ".ps1" can be used.
For example, to run the PowerShell script at C:\ps_script.ps1, type the following command.

powershell C:\ps_script.ps1

18. Optional: Select Enable pre-backup and post-backup commands.
Use this option to enable fields for setting actions that occur before and after the backup.
Additional backup options appear.
19. Optional: In Command to run before backup, type a text string and an integer.
The text string represents the full path to the script on the host or a single OS command that will run
before the backup runs. The integer represents the timeout in seconds.
20. Optional: Select or clear Cancel backup if pre-backup command fails.
21. Optional: In Command to run on successful backup, type a text string and an integer.
The text string represents the full path to the script on the host or a single OS command that will run
after the backup completes successfully. The integer represents the timeout in seconds.
22. Optional: In Command to run on backup failure, type a text string and an integer.
The text string represents the full path to the script on the host or a single OS command that will run
if the backup fails. The integer represents the timeout in seconds.
23. Click Submit.

Result
The Rubrik cluster creates the SLA Managed Volume and the new volume appears on the SLA Managed
Volumes tab.

Next task
Assign an SLA Domain to the SLA Managed Volume.
Related Tasks
Preparing Windows hosts for SLA Managed Volumes
Complete the required tasks for preparing Windows hosts to use SLA Managed Volumes.
Editing the stored information for a host
When the IPv4 address or hostname of a host changes, the associated host entry should be edited to
provide the new address or hostname.
Creating a custom SLA Domain
Create a custom SLA Domain with policies that meet specific SLA requirements.
Assigning an SLA Domain to Managed Volumes
To provide SLA policy based management of the snapshots of a Managed Volume, assign an SLA Domain
to the Managed Volume or SLA Managed Volume.
Related reference
SLA Managed Volume settings
The SLA Managed Volume settings change with the file sharing protocol of the host.
Prohibited mount points and script directories for SLA Managed Volumes
For SLA Managed Volumes, Rubrik CDM prevents the use of some paths as mount points and host-side
script locations.

Custom SLA Domains for SLA Managed Volumes


Customize SLA Domains for SLA Managed Volumes based on backup requirements.
Custom SLA Domains provide the ability to create data protection policies that meet the requirements of
various groups of data sources in an enterprise.
SLA Domains with backup frequency specified in the Minute Rule are applicable only to Managed Volume
objects. Rubrik CDM does not allow the assignment of SLA Domains with a Minute Rule to any other
protectable objects.
For SLA Managed Volumes, an SLA Domain with a Minute Rule is useful for scheduling transaction log
backups. With the minimum allowed value of 15 minutes, the Minute Rule enables transaction log backups
as frequently as every 15 minutes.

Example: Sample SLA Domain for transaction log backups

Create an SLA Domain with the following configuration:
• Set the Minute Rule to take snapshots every 15 minutes and keep snapshots for 1 day.
• Set the Daily Rule to take snapshots every 1 day and keep snapshots for 7 days.
Assigning this SLA Domain to an SLA Managed Volume created for log backups allows for log backups
every 15 minutes for a day and rolls up the snapshots into a single daily backup of all log backups for the
day.

Related Tasks
Creating a custom SLA Domain
Create a custom SLA Domain with policies that meet specific SLA requirements.
Assigning an SLA Domain to Managed Volumes
To provide SLA policy based management of the snapshots of a Managed Volume, assign an SLA Domain
to the Managed Volume or SLA Managed Volume.

Recovering SLA Managed Volumes


Recover an SLA Managed Volume from a snapshot.

Context
In a recovery workflow, specify a host and a mount point for mounting the channel of an SLA Managed
Volume snapshot.

Procedure
1. Log in to the Rubrik CDM web UI using an account with administrator privileges.
2. On the left-side menu, click Servers & Apps > Managed Volumes.
The Managed Volumes page appears with SLA Managed Volumes tab selected.
3. In the Name column, click the name of the SLA Managed Volume whose snapshots need to be
recovered.
The Overview, Snapshots, and Activities cards for the SLA Managed Volume appear.
4. In the calendar view of the Snapshots card, click the date of the snapshot to restore. Alternatively,
search for a file by entering a file name string in Search by File Name.
After selecting a date, a list of snapshots taken on that date appears in the Snapshots card.
5. Open the ellipsis menu next to a snapshot and click Mount Snapshot.
The Mount Snapshot dialog box appears.
6. Optional: In Subnet, configure the subnet mask value in CIDR format.
This step is required when VLAN tagging is enabled.
7. Click on IP or Hostname.
A list of available IP addresses and hostnames appears.
8. Select a host to mount the snapshot.
9. In Full path to mount point, type the full path to the location.
10. Click Export.

Result
The SLA Managed Volume snapshot mount appears in the Live Mounts section of the host.

Next task
Manually run the recovery script on the snapshot mount.
Rubrik CDM Version 5.3 Technical Note, SLA Managed Volume Restores using the API, describes how to
restore an SLA Managed Volume snapshot using the Rubrik REST API framework.

SLA Managed Volumes backup failure


Failover semantics to handle the failure of SLA Managed Volume backups.
SLA Managed Volumes trigger host-side scripts to back up data on one or more channels. To ensure the
integrity of the backed-up data, the host-side backup script must contain the failover semantics to handle
any failure of a backup in an SLA Managed Volume.
In the event of a failure during the transfer of data over any of the SLA Managed Volume channels,
ensuring a valid backup depends on the host-side script detecting the failure and handling it correctly.
• If the script does not include the failover logic to retry the transfer of data to other available channels,
then the script must fail with a non-zero exit code.
• If the script includes failover logic, the logic must attempt to copy all the data over to the other
available channels. To prevent any data loss, the data to be copied must include all the data that was
successfully ingested to the channel up to the point when the channel failed, along with the data that
could not be ingested when the channel failed.
If the attempt to transfer data over other channels also fails, or if there exists only a single channel, then
the script must fail with a non-zero exit code.
The termination of the backup script with a non-zero exit code causes the SLA Managed Volume backup to
fail. At this point, the Rubrik cluster will retry the backup after restoring the state of any failed channels to
that of the last successful backup.
In addition to the backup script, SLA Managed Volumes also support pre-backup and post-backup host-
side scripts. Rubrik CDM provides the ability to launch post-backup scripts after a successful or a failed SLA
Managed Volume backup. If you need to delete the host-side data after a backup, add the logic to delete
the data in a post-backup script that is triggered only after a successful backup of the data.
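
The failover rules described above, as an added example that is not part of the Rubrik guide or Rubrik code. It assumes each channel is a directory mounted on the host and passed as an argument; the function names and the round-robin placement are choices made for this illustration.

```bash
#!/bin/bash
# Added example, not Rubrik code. Assumptions: every channel is a directory
# mounted on the host, the source files stay in SRC_DIR until the script
# ends, and file names contain no tabs or newlines.

TAB=$(printf '\t')

# copy_to_channel FILE CHANNEL_DIR
# Copy one file and compare it byte for byte, so a failed or short write
# is treated as a channel failure.
copy_to_channel() {
    cp -- "$1" "$2/" 2>/dev/null || return 1
    cmp -s -- "$1" "$2/${1##*/}"
}

# backup_with_failover SRC_DIR CHANNEL_DIR [CHANNEL_DIR...]
# Returns 0 only when every file is verified on a channel that never failed.
# PLACED then holds one "channel<TAB>file" line per file.
backup_with_failover() {
    src_dir=$1
    shift
    healthy=$(printf '%s\n' "$@")
    pending=$(find "$src_dir" -maxdepth 1 -type f | sort)
    PLACED=""
    next=0
    if [ -z "$pending" ]; then
        echo "Nothing to back up in $src_dir" >&2
        return 1
    fi
    while [ -n "$pending" ]; do
        requeue=""
        while IFS= read -r file; do
            if [ -z "$healthy" ]; then
                echo "No healthy channel left for $file" >&2
                return 1
            fi
            # Round-robin over the channels that are still healthy.
            count=$(printf '%s\n' "$healthy" | wc -l)
            channel=$(printf '%s\n' "$healthy" | sed -n "$(( next % count + 1 ))p")
            next=$(( next + 1 ))
            if copy_to_channel "$file" "$channel"; then
                PLACED="${PLACED}${channel}${TAB}${file}
"
                continue
            fi
            echo "Channel $channel failed, moving its data elsewhere" >&2
            # Queue again the file that failed and every file already
            # ingested on the failed channel, then retire the channel.
            moved=$(printf '%s' "$PLACED" | awk -F "$TAB" -v c="$channel" '$1 == c { print $2 }')
            kept=$(printf '%s' "$PLACED" | awk -F "$TAB" -v c="$channel" '$1 != c')
            requeue="${requeue}${moved}
${file}
"
            PLACED=""
            if [ -n "$kept" ]; then
                PLACED="${kept}
"
            fi
            healthy=$(printf '%s\n' "$healthy" | grep -vxF -- "$channel" || true)
        done <<EOF
$pending
EOF
        # Drop the empty lines left when the failed channel held no data yet.
        pending=$(printf '%s' "$requeue" | sed '/^$/d')
    done
    return 0
}

# Stand-alone use: script.sh SRC_DIR CHANNEL_DIR [CHANNEL_DIR...]
if [ "$#" -ge 2 ]; then
    backup_with_failover "$@" || exit 1
fi
```

When a file cannot be verified on any remaining channel, or only one channel exists and it fails, the script exits with a non-zero code, which is the condition that causes the SLA Managed Volume backup to fail and be retried.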

Error handling in backup scripts


SLA Managed Volume backup scripts must handle backup failures.
To prevent undetected incomplete backups, it is crucial for the host-side backup script to handle errors that
might occur during the backup process, and exit with a non-zero error code in the case of a backup failure.
The following example shows how the failure to handle errors may lead to a false positive outcome where
an SLA Managed Volume backup may be considered successful even though it failed.

Example: Backup script without an error handling block

The following script backs up the file /root/backup.tar to the /mnt/rubrik location on
the host machine.

#!/bin/bash

# Command to take backup
cp /root/backup.tar /mnt/rubrik/backup.tar

# Command to list contents of the mount
ls /mnt/rubrik

Note that the script does not include any error handling logic. Consider a scenario where the command
to take the backup fails but the command to list the contents of the mount succeeds. In this scenario,
although the backup fails, the script returns an exit code of 0 because the ls command succeeds.
As a result, the Rubrik cluster wrongly considers the failed backup attempt as successful.

Example: Backup script with an error handling block

The following script adds the logic to handle errors that might occur while backing up the file
/root/backup.tar to the /mnt/rubrik location on the host machine.

#!/bin/bash

# Command to take backup
cp /root/backup.tar /mnt/rubrik/backup.tar

# Error handling block
if [ $? -eq 0 ]
then
    echo "Backup succeeded"
else
    echo "Backup failed" >&2
    exit 1
fi

# List contents of the mount
ls /mnt/rubrik

In this case, if the backup command fails, the above script will exit with a non-zero exit code causing the
backup to be marked as failed. At this point, the Rubrik cluster will retry the backup.

Chapter 27
Retention management

Retention management

Assign retention policies to existing scheduled snapshots, on-demand snapshots, and snapshots retrieved
from an archival location.
The Snapshot Management page of the web UI displays the retention SLA Domains for all scheduled
snapshots associated with relic, replicated relic, or unprotected data sources. The Snapshot Management
page also displays the combined number of on-demand snapshots and retrieved snapshots in a separate
column. The Snapshot Management page enables changes to the retention policy or deletion of a given
snapshot.
Snapshots are included in the count on the Snapshot Management page in the following situations:
• When the status of a data source is changed from protected to unprotected.
When the SLA Domain of a data source is changed to Do Not Protect, the status of the data source
changes to Unprotected. The choices for handling existing snapshots include expire immediately, keep
forever, and assign to the current SLA Domain for retention. If snapshots are kept forever or assigned
to the current SLA Domain, they can be managed from the Snapshot Management page.
• When a snapshot is taken on demand, independent of the schedule specified in the assigned SLA
Domain.
When the on-demand snapshot job is created, the retention period is specified by assigning an SLA
Domain or by choosing Forever. If an SLA Domain is assigned, the maximum retention period from that
SLA Domain is applied to the snapshot. If the Forever option is selected, the snapshot is retained until it
is manually deleted. All on-demand snapshots can be managed from the Snapshot Management page.
• When a data source or the data source configuration is deleted from the Rubrik cluster.
In this case, the data source becomes a relic. No new snapshots are taken of this data source. The
retention period for the existing snapshots is derived from the original SLA Domain. Any snapshots
taken before the data source was disconnected are moved to the Snapshot Management page, where a
retention policy can be assigned.
• When a snapshot resides on a replication target that is no longer associated with the replication source.
Once the replication relationship is broken, the data source becomes a replication relic. Snapshots of
replicated relics can be managed from the Snapshot Management page.
• When the snapshot is retrieved from an archival location.
An SLA Domain specifies data management policies for protected objects, including the retention period.
The retention period is the length of time snapshots or backups of protected objects are retained. A Rubrik
cluster stores a snapshot or a backup until the specified retention period expires. A retention period is
affected by the specified calendar period as well as the length of time set.

An on-demand snapshot is assigned an SLA Domain with a retention period of 45 days and a snapshot
frequency of 30 days, or monthly. Assuming the on-demand snapshot is assigned to this SLA Domain on
July 1, the 45-day period ends August 15.
Because the frequency of the assigned SLA Domain is monthly, the on-demand snapshot does not expire
until the end of the month. The on-demand snapshot expires September 1.

Retention management 05/25/2022 | 735


Related concepts
Service Level Agreement
The Service Level Agreement section defines snapshot frequency and retention.
Protection policies
The SLA Domain feature has default protection policies and user configured protection policies.

Snapshot Management page


The Snapshot Management page provides access to snapshot and backup information for protected
objects and relic objects.
The protected object level provides information for all supported virtual machines, Windows, Linux hosts
and NAS filesets, and databases.
This page provides information about the individual snapshots for the selected protected object and relic
object.
This page also provides a centralized view of all snapshots on legal hold.
Related concepts
Legal Hold page
Use a legal hold to retain snapshots while the legal hold is applied.
Related reference
Types of snapshots
Each snapshot is a fully functional, current copy of the source object.

Opening the Snapshot Management page


To work with snapshots, open the Snapshot Management page.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Snapshot Management.
The data source level of the Snapshot Management page appears.

Result
The data source level of the Snapshot Management page provides information about snapshots listed by
their data sources.
Related reference
Types of snapshots
Each snapshot is a fully functional, current copy of the source object.

Types of snapshots
Each snapshot is a fully functional, current copy of the source object.

Type Description
Protected A snapshot created according to the rules and policies defined by the SLA
Domain that is associated with a protected object.
Relic A snapshot of an object that is managed by, but is no longer accessible to, the
Rubrik cluster.

Replicated relic The remote replicated object whose data source is removed from replication
location configuration. The snapshots will only be available on the replication
target cluster.
Unprotected A snapshot that is not assigned to a Local SLA Domain, either through
inheritance or through individual assignment.
Remote unprotected A snapshot of an object that is recovered from a reader archival location.
The snapshot may be present on the archival target, on the cluster after
downloading it from the archival target, or both.

On-demand A snapshot of an object that the Rubrik cluster creates at the direction of an
authorized user. The user initiates the snapshot through the UI of the Rubrik
cluster that is associated with the object, or through an API call to the Rubrik
cluster that is associated with the object.
Downloaded A snapshot downloaded from an archival location.

Unmanaged Snapshots data source fields


Details about the fields at the data source level for Unmanaged Snapshots.

Field Description
Name The value in the Name column depends on the type of data source:
• Virtual machine–Name of the data source virtual machine. Click a name
value to open the associated local host page.
• Application–Application reference name for the data source; for example,
the name assigned to a database. Click a name value to open the
associated Recovery Points card page.
• Fileset–Fileset name for the data source host fileset. Click a name value
to open the local host page associated with the selected fileset and host
pairing.

Location The value in the Location column depends on the type of data source:
• Virtual machine–vCenter Server cluster/host path of the data source virtual
machine. Click a location value to open the Clusters/Hosts tab of the Virtual
Machines page.
• Application–IPv4 address or host name of the application host and name of
the application instance for the data source. Click a location value to open
the Hosts/Instances tab of the SQL Server DBs page.
• Fileset–IPv4 address of the host for the data source host fileset. Click a
location value to open the Hosts page.

Object Availability Accessibility of the data source:
• Protected–The data source is accessible and protected through an SLA
Domain.
• Relic–The data source is no longer accessible to the Rubrik cluster.
• Unprotected–The data source is accessible, but the SLA Domain
assignment has been changed to Do Not Protect.
• Replicated Relic–The replication target’s data source is no longer accessible
to the Rubrik cluster.
• Remote Unprotected–The data source is recovered from an archival
location through a connect-as-reader operation.

Retention SLA Name of the SLA Domain that is assigned to the data source. The Retention
SLA refers to the portion of the SLA Domain that specifies the retention policy.
Snapshots The total number of snapshots of all types.
Hovering over the snapshot count shows the last time this data source was
refreshed.
If snapshots from a remote unprotected data source have not been refreshed,
this column displays 'Refresh'.

Local Storage Total local storage space occupied by the snapshots associated with the
selected data source.
Archival Storage Total archival storage space occupied by the snapshots associated with the
selected data source.

Related tasks
Refreshing reader location objects
Use the Rubrik CDM web UI to update a reader cluster with the latest snapshot metadata.

Filters available at the data source level


Display specific subsets of information on the data source level of the Snapshot Management page by
applying the provided filters.
For each data source that meets the filter criterion, the following information is displayed:
• The current retention SLA assigned to the data source.
• The number of existing snapshots that are not subject to the current retention SLA.
• The combined number of on-demand snapshots and snapshots downloaded from archival locations.

Reader location object refresh


Refreshing reader location objects synchronizes the recovery view of the reader cluster with the actual
contents of the archival location.
Because the owner cluster can change the contents of the archival target, the recovery view of the reader
cluster might not be synchronized with the actual contents of the archival location. Refreshing an object
that has previously recovered snapshot data synchronizes the reader cluster with the latest snapshot
metadata for that object. This operation must be manually initiated.
The operation captures the view of the contents that are on the archival location when you run the refresh.
If the owner cluster added new snapshots to the archival location, the snapshots become visible to the
reader cluster. The operation then retrieves the metadata for new snapshots and updates the reader
cluster for the object with the new metadata.
If the owner cluster deleted any snapshots from the archival location, they are removed from the reader
cluster during the refresh.
The time required for the refresh operation to complete depends on the number and the size of the files
for which you are retrieving metadata.

Refreshing reader location objects


Use the Rubrik CDM web UI to update a reader cluster with the latest snapshot metadata.

Prerequisites
Connect to a reader archival location, as described in Connecting to a reader archival location.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. On the left-side menu, click Snapshot Management.
The object level of the Snapshot Management page appears.
3. Select objects and click Refresh from Remote.
The Refresh from Remote dialog appears.
4. Click Refresh.
The Rubrik cluster creates a background job.

Result
After the refresh, the reader cluster is synchronized with the latest content for the selected object.

Viewing the object level of the Snapshot Management page


To work with unmanaged snapshots, open the object level of the Snapshot Management page.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Snapshot Management.
The Snapshot Management page appears.
3. Click a number in the Snapshots column to view the snapshots for that data source.

Result
For the selected data source, the object level of the Snapshot Management page appears.

Information available at the object level


The object level displays information about the individual snapshots for a selected data source.

Field Description
Snapshot Date & Time Date and time that the snapshot was taken.
Type Type of snapshot. Type can be one of the following:
• On Demand–The snapshot was created through the on-demand snapshot
process or the on-demand backup process.
• Policy based–The snapshot was created based on the policies and rules of an
assigned SLA Domain.
• Retrieved–The snapshot was retrieved from an archival location.
Retrieved snapshots and on-demand snapshots that are not assigned to an SLA
Domain are included in both Relic and Unprotected listings.

Local Expiration Date The expiration date for the snapshot as determined by the SLA Domain.
Archival Location, Archival Expiration Date
The archival location and the expiration date for the snapshot on that archival
location.
Replication Location 1, Replication Expiration Date
The replication location and the expiration date for the snapshot on that
replication location.
Replication Location 2, Replication Expiration Date
The replication location and the expiration date for the snapshot on that
replication location.

Filters available at the object level


Display specific subsets of information on the object level of the Snapshot Management page by using the
provided filters.

Filter View
On Demand Filter for On Demand snapshots.
Retrieved Snapshot retrieved from the archival location.
Policy based Snapshots created by the SLA Domain policies applied to the data source.

Relic data sources


A data source is designated as a relic if it is managed by, but is no longer accessible to, the Rubrik cluster.
The designation of the data source as a relic is attached to the universally unique identifier (UUID) that the
Rubrik cluster assigned to the data source when the data source was added.
A data source can become a relic and later become accessible again to the Rubrik cluster. In that case, the
type of the data source determines whether the Rubrik cluster can attempt to associate the history and
backups from before the data source became a relic with the newly accessible data source.
For data source types where it is possible to attempt to associate previous history and data, changes on
the data source host can prevent successful association.
• ‘relic event’ refers to the event that caused the data source to become a relic.
• ‘pre-relic’ means the virtual machine, application instance, or host and fileset pair that existed before
the relic event.

Rubrik cluster actions for relic events
Detailed information about Rubrik cluster actions for relic events.

Data source type: virtual machine
Relic event sequence: The Rubrik cluster loses connection with the virtual machine host, then the
Rubrik cluster establishes connection with the virtual machine host.
Rubrik cluster action: Scan the vSphere metadata for the virtual machine. If the virtual machine is
identical to the pre-relic virtual machine, then assign the original UUID and associate the original
history and data.

Data source type: virtual machine
Relic event sequence: The virtual machine is moved to a vCenter Server state that blocks the Rubrik
cluster, then the virtual machine is moved out of the vCenter Server state that blocks the Rubrik
cluster.
Rubrik cluster action: Scan the vSphere metadata for the virtual machine. If the virtual machine is
identical to the pre-relic virtual machine, then assign the original UUID and associate the original
history and data.

Data source type: application
Relic event sequence: The Rubrik cluster loses connection with the application host or application
instance, then the Rubrik cluster regains the connection.
Rubrik cluster action: Scan the application instance for an identical data source. If a data source
that is identical to the pre-relic data source is found, then assign the original UUID and associate
the pre-relic history and data with the discovered data source.

Data source type: application
Relic event sequence: A user manually deletes the application host in the web UI, then a user adds
the application host in the web UI.
Rubrik cluster action: Scan the application instance for an identical data source. If a data source
that is identical to the pre-relic data source is found, then assign the original UUID and associate
the pre-relic history and data with the discovered data source.

Data source type: application
Relic event sequence: An issue during a host side scan of the application instances causes the data
source instance to be missed, then the data source appears in a subsequent host side scan.
Rubrik cluster action: If the data source is identical to the pre-relic data source, then assign the
original UUID and associate the pre-relic history and data with the discovered data source.

Data source type: file system
Relic event sequence: The Rubrik cluster loses connection with the file system host, then the Rubrik
cluster regains the connection.
Rubrik cluster action: If the host is identical to the pre-relic host, then assign the original UUID
and associate the pre-relic fileset, history, and data with the discovered host.

Data source type: file system
Relic event sequence: For a host and fileset pair, a user manually deletes the host in the web UI,
then a user adds the host in the web UI and pairs it with the same fileset.
Rubrik cluster action: The original host and fileset pair remains a relic. The Rubrik cluster treats
the added host and fileset pair as new, assigns a new UUID, and does not associate pre-relic history
and data with the new host and fileset pair.

Data source type: file system
Relic event sequence: A user manually deletes the fileset that is paired with a host in the web UI,
then a user creates an identical fileset in the web UI and pairs it with the same host.
Rubrik cluster action: The original host and fileset pair remains a relic. The Rubrik cluster treats
the added host and fileset pair as new, assigns a new UUID, and does not associate pre-relic history
and data with the new host and fileset pair.

Legal Hold page
Use a legal hold to retain snapshots while the legal hold is applied.
A legal hold prevents changes to a specified backup to meet legal requirements. A legal hold preserves a
snapshot indefinitely. When the associated SLA Domain includes an archival policy, the legal hold also preserves
a copy of the snapshot at the archival location. Snapshots placed on legal hold do not expire regardless of
the SLA Domain policy. An administrator can access snapshots on legal hold by recovering the files in the
snapshot or by downloading a CSV version of the file.
When configuring a legal hold for a snapshot, the administrator can select the Hold in place option. When
Hold in place is enabled, the Rubrik cluster retains the snapshot at the archival location. If Hold in place is
not applied, the snapshot is kept only in the location with the maximum length of retention. If archival is
enabled, this location is the archival location.
When a legal hold is no longer required, remove the legal hold. The snapshot reverts to the SLA Domain
retention setting applied before enabling the legal hold. If there is no SLA Domain policy, the snapshot is
unmanaged.
When the Two-Person Rule (TPR) is enabled for editing Legal Hold, the edit requires approval from an
account with the TPR approver role.
Related concepts
The two-person rule
The two-person rule provides additional data security on Rubrik CDM by ensuring that no individual user
can perform key operations on data without the approval of a secondary user.
Related tasks
Placing a legal hold on a snapshot
Place a legal hold on a snapshot to prevent the Rubrik cluster from expiring and removing the snapshot at
the end of the assigned retention period.
Downloading a snapshot on legal hold
Rubrik CDM permits the download of snapshots that are subject to a legal hold.
Removing a legal hold from a snapshot
Use Rubrik CDM to remove a legal hold from a snapshot.
Removing a legal hold from the Snapshot Retention card
Remove a legal hold from the calendar entry associated with the snapshot.
Related reference
TPR Approver role details
A user account with the TPR Approver role is responsible for approving or denying TPR requests.

Legal hold limitations


The legal hold feature has some limitations.
Log backups for SQL Server databases, Oracle databases, and managed volumes are not included when a
snapshot is placed on legal hold. Direct Archive filesets cannot be placed on legal hold.
Replicated snapshots from the source cluster cannot be placed on legal hold. Replicated snapshots from
the target cluster can be placed on legal hold.
Information about legal holds does not propagate from the source cluster to the target cluster, and vice
versa. For example, when the snapshots of a protected object replicate to a target cluster, and the
snapshots of that protected object are placed on legal hold on the source cluster, the corresponding
snapshots on the target cluster are not automatically placed on legal hold. Snapshots on the target
cluster expire according to the SLA Domain policy. A similar situation occurs in reverse; when a replicated
snapshot is placed under legal hold, the corresponding snapshot on the source cluster is not automatically
placed under legal hold and expires according to the SLA Domain policy.
Related tasks
Placing a legal hold on a snapshot
Place a legal hold on a snapshot to prevent the Rubrik cluster from expiring and removing the snapshot at
the end of the assigned retention period.
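
Because legal holds do not propagate between the source and target clusters, a periodic comparison of the two clusters' hold lists shows which counterpart copies will still expire under their SLA Domain policy. The following Python sketch is an added example, not Rubrik code: it works on constructed inventories, the record fields (object, snapshot_time, legal_hold, expires) and object names are hypothetical, and it assumes a snapshot and its replica can be matched by object name and snapshot time.

```python
from datetime import date

# Constructed sample inventories, one list per cluster (not real export data).
SOURCE = [
    {"object": "sql-prod-01", "snapshot_time": "2022-03-01T02:00", "legal_hold": True, "expires": None},
    {"object": "sql-prod-01", "snapshot_time": "2022-03-02T02:00", "legal_hold": False, "expires": "2022-06-01"},
    {"object": "fs-hr-share", "snapshot_time": "2022-02-15T01:00", "legal_hold": True, "expires": None},
    {"object": "vm-mail-02", "snapshot_time": "2022-04-10T03:00", "legal_hold": False, "expires": "2022-05-30"},
]
TARGET = [
    {"object": "sql-prod-01", "snapshot_time": "2022-03-01T02:00", "legal_hold": False, "expires": "2022-06-10"},
    {"object": "sql-prod-01", "snapshot_time": "2022-03-02T02:00", "legal_hold": False, "expires": "2022-06-11"},
    {"object": "vm-mail-02", "snapshot_time": "2022-04-10T03:00", "legal_hold": True, "expires": None},
]


def _index(inventory):
    """Key each record by (object, snapshot_time); the matching key is an assumption."""
    return {(r["object"], r["snapshot_time"]): r for r in inventory}


def find_hold_gaps(source, target, today):
    """Report snapshots held on one cluster whose counterpart on the other
    cluster is missing or not on legal hold, soonest expiry first."""
    findings = []
    directions = (("source", source, "target", target),
                  ("target", target, "source", source))
    for held_on, held_inv, other_name, other_inv in directions:
        other = _index(other_inv)
        for rec in held_inv:
            if not rec["legal_hold"]:
                continue
            peer = other.get((rec["object"], rec["snapshot_time"]))
            if peer is not None and peer["legal_hold"]:
                continue  # both copies are held, nothing to report
            days_left = None
            if peer is not None and peer["expires"]:
                days_left = (date.fromisoformat(peer["expires"]) - today).days
            findings.append({
                "object": rec["object"],
                "snapshot_time": rec["snapshot_time"],
                "held_on": held_on,
                "gap_on": other_name,
                "peer_state": "missing" if peer is None else "unheld",
                "days_left": days_left,  # None: no copy, or no expiration date
            })
    # Copies closest to expiry first; entries without a date go last.
    findings.sort(key=lambda f: (f["days_left"] is None,
                                 f["days_left"] if f["days_left"] is not None else 0))
    return findings


if __name__ == "__main__":
    for f in find_hold_gaps(SOURCE, TARGET, date(2022, 5, 25)):
        print(f)
```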

Viewing legal hold summary information


Use the Rubrik CDM web UI to view summary information for snapshots that have a legal hold.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Snapshot Management.
The data source level of the Snapshot Management page appears.
3. Click Legal Hold.
The Legal Hold page appears, and includes three columns.

Column Name Description


Object Name Name of the object that contains a legal hold
Object Type Type of object with a legal hold
Legal Hold Snapshots Number of snapshots of the object with a legal
hold. Click the number to view details about the
snapshots.

Result
Rubrik CDM displays the legal hold summary information.

Placing a legal hold on a snapshot


Place a legal hold on a snapshot to prevent the Rubrik cluster from expiring and removing the snapshot at
the end of the assigned retention period.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Snapshot Management.
The data source level of the Snapshot Management page appears.
3. Click the name of a data object.
The local host page for the selected data object appears.
4. On the calendar, select a snapshot date.
The Snapshots card displays the snapshots taken for that date.
5. From the ellipsis menu next to the snapshot to place on legal hold, select Place on Legal Hold.
6. Select the Hold snapshot(s) in-place box.
7. Click Submit.
8. On the Submit Two-Person Rule Request dialog box, click Submit.
The Submit Two-Person Rule Request dialog box appears only when Enabling Two-Person Rule for
Changes to Legal Hold Status is enabled. Otherwise, you will not see this dialog box.
The Two-Person Rule generates a review request. After the request is approved, the Rubrik cluster
applies the legal hold.

Result
The Rubrik cluster places the snapshot on legal hold. Snapshots with a legal hold include a scale icon on
their listing.

Downloading a snapshot on legal hold


Rubrik CDM permits the download of snapshots that are subject to a legal hold.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Snapshot Management.
The data source level of the Snapshot Management page appears.
3. Select the Legal Hold tab.
4. From the Legal Hold list, select an object.
The local page for the object appears.
5. On the calendar, select a snapshot date.
The Snapshots card displays the snapshots taken for that date. Snapshots with a legal hold include a
scale icon on their listing.
6. Click the ellipsis next to the snapshot to download.
7. Click Recover Files.
Rubrik CDM displays Recover Files.
8. Select the box next to the snapshot to download.
9. Click Next.
10. Click Download with Checksum.
Use the SHA1 checksum to authenticate the snapshot after download.
11. Click Finish.

Result
Rubrik CDM displays legal hold summary information.
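
The checksum comparison in step 10 can be scripted so that the result is recorded with the downloaded file. The following Python sketch is an added example, not part of Rubrik CDM: it assumes the operator supplies the SHA1 value as a pasted string or as a "digest  filename" line, the file name is hypothetical, and the SHA-256 digest in the record is an addition made here for the evidence log.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read 1 MiB at a time so large downloads are not loaded whole


def parse_expected_sha1(text):
    """Pull a 40-hex-digit SHA-1 value out of a pasted string or a
    'digest  filename' line (assumed input formats)."""
    match = re.search(r"\b[0-9a-fA-F]{40}\b", text)
    if not match:
        raise ValueError("no 40-character hexadecimal SHA-1 value found")
    return match.group(0).lower()


def digest_file(path):
    """Return (sha1_hex, sha256_hex, size_bytes), computed in a single pass."""
    sha1, sha256, size = hashlib.sha1(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            sha1.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return sha1.hexdigest(), sha256.hexdigest(), size


def verify_download(path, expected_text):
    """Compare the file's SHA-1 with the supplied checksum and build a record
    that can be stored next to the downloaded file."""
    expected = parse_expected_sha1(expected_text)
    sha1_hex, sha256_hex, size = digest_file(path)
    return {
        "file": Path(path).name,
        "size_bytes": size,
        "expected_sha1": expected,
        "actual_sha1": sha1_hex,
        "sha256": sha256_hex,
        "match": hmac.compare_digest(expected, sha1_hex),
    }


def demo():
    """Constructed sample: a 3-byte stand-in for a downloaded file, checked
    once unmodified and once after its content has changed."""
    checksum_line = "A9993E364706816ABA3E25717850C26C9CD0D89D  recovered_file.bin"
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "recovered_file.bin"
        sample.write_bytes(b"abc")
        good = verify_download(sample, checksum_line)
        sample.write_bytes(b"abd")  # simulate a copy altered after download
        bad = verify_download(sample, checksum_line)
    return good, bad


if __name__ == "__main__":
    for record in demo():
        print(record)
```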

Removing a legal hold


There are two methods of removing a legal hold.

Removing a legal hold from a snapshot


Use Rubrik CDM to remove a legal hold from a snapshot.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Snapshot Management.
The data source level of the Snapshot Management page appears.
3. Select the Legal Hold tab.
Rubrik CDM displays the Legal Hold page, listing information about all snapshots that have a legal
hold.
4. Click the number next to the snapshot in the Legal Hold Snapshots column.
5. Select the box associated with the legal hold to remove.
6. Click the Remove Legal Hold button.
Rubrik CDM displays a message asking for confirmation of the removal.
7. Click Remove.
A confirmation message appears.
8. On the Submit Two-Person Rule Request dialog box, click Submit.
The Submit Two-Person Rule Request dialog box appears only when Enabling Two-Person Rule for
Changes to Legal Hold Status is enabled. Otherwise, you will not see this dialog box.
The Two-Person Rule generates a review request. After the request is approved, the Rubrik cluster
removes the legal hold.

Result
Rubrik CDM removes the legal hold from the snapshot.
Related concepts
The two-person rule
The two-person rule provides additional data security on Rubrik CDM by ensuring that no individual user
can perform key operations on data without the approval of a secondary user.
Related reference
TPR Approver role details
A user account with the TPR Approver role is responsible for approving or denying TPR requests.

Removing a legal hold from the Snapshot Retention card


Remove a legal hold from the calendar entry associated with the snapshot.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Snapshot Management.
The data source level of the Snapshot Management page appears.
3. Click the name of a snapshot.
4. Click the snapshot date.
The Snapshots card displays the snapshots taken for that date. Snapshots with a legal hold include a
scale icon on their listing.
5. Click the ellipsis next to the snapshot.
6. Click Remove Legal Hold.
Rubrik CDM displays a message asking for confirmation of the removal.
7. Click Remove.
A confirmation message appears.
8. On the Submit Two-Person Rule Request dialog box, click Submit.
The Submit Two-Person Rule Request dialog box appears only when Enabling Two-Person Rule for
Changes to Legal Hold Status is enabled. Otherwise, you will not see this dialog box.
The Two-Person Rule generates a review request. After the request is approved, the Rubrik cluster
removes the legal hold.

Result
The Rubrik cluster removes the legal hold from the snapshot.
Related concepts
The two-person rule
The two-person rule provides additional data security on Rubrik CDM by ensuring that no individual user
can perform key operations on data without the approval of a secondary user.
Related reference
TPR Approver role details
A user account with the TPR Approver role is responsible for approving or denying TPR requests.

Unprotecting a data source


Change the SLA assignment for a data source to No SLA and choose how to handle the retention policy for
existing snapshots.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Snapshot Management.
The data source level of the Snapshot Management page appears.
3. In the Name column, click the name of the data source.
The local host page or Recovery Points card page appears with the Manage Protection button
activated.
4. Click Manage Protection.
The Manage Protection dialog box appears.
5. Select Do Not Protect.
The Existing Snapshot Management section appears.
6. Select an option for Existing Snapshot Retention.
• Preserve retention from previous SLA
• Keep forever
• Expire immediately
7. Click Next.
The impact of the SLA assignment change is provided.
8. Optional: Click Apply to existing snapshots.
The changes made to the SLA Domain are applied to the existing snapshots. The summary
information describes the impact of the changes on existing and new snapshots.
9. Optional: Select Include on-demand and downloaded snapshots.
The changes made to the SLA Domain also apply to on-demand snapshots. The summary information
describes the effect of the changes on existing, new, on-demand, and downloaded snapshots.
10. Click Submit.

Result
The snapshot is no longer protected.

Changing the retention policy for snapshots


Change the retention policy for specified snapshots of a protectable object on the Snapshot Management
page.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Snapshot Management.
The Snapshot Management page appears, set to the Snapshot Retention tab.
3. In the line corresponding to the protectable object, click the number listed in the Snapshots column.
The Snapshot Management page displays a list of the snapshots for the protectable object.
4. Select a set of snapshots and click Change Retention.
The Change Retention wizard appears.
5. Choose the retention policy.
Choose one of the following:
• SLA Domain
The snapshots are retained at all locations for the maximum retention specified by the chosen SLA
Domain.
• Retain Forever
The snapshots are retained until they are manually deleted.
6. Click Next.
The wizard advances to the next step.
7. Review the effects of the change and click Submit.

Result
Rubrik CDM updates the retention policy for the selected snapshots.

Changing the retention policy for a protectable object


Change the retention policy for snapshots of a specified protectable object on the Snapshot Management
page.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Snapshot Management.
The Snapshot Management page appears, set to the Snapshot Retention tab.
3. Select a set of protectable objects and click Change Retention.
The Change Retention wizard appears.
4. Choose the retention policy.
Choose one of the following:
• SLA Domain
The snapshots are retained at all locations for the maximum retention period specified by the
chosen SLA Domain.
• Retain Forever
The snapshots are retained until they are manually deleted.
5. Click Next.
The wizard advances to the next step.
6. Optional: Select Include on-demand and downloaded snapshots.
The changes made to the SLA Domain also apply to on-demand and downloaded snapshots.
The summary information describes the effect of the changes on existing, new, on-demand, and
downloaded snapshots.
7. Review the effects of the change and click Submit.

Result
Rubrik CDM updates the retention policy for snapshots of the selected protectable objects.

Deleting snapshots for a data source
Remove snapshots that have a Retain Forever policy.

Context
Only snapshots with the Retain Forever retention policy can be manually deleted. A snapshot cannot be
deleted if it is protected by an SLA Domain.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Snapshot Management.
The data source level of the Snapshot Management page appears.
3. Select a data source.
Select multiple data source entries to remove all snapshots whose Retention SLA is Forever for every
data source in the selection group.
The Delete Snapshots button becomes active.
4. Click Delete Snapshots.
A confirmation dialog box appears.
5. Click Delete.
6. On the Submit Two-Person Rule Request dialog box, click Submit.
The Submit Two-Person Rule Request dialog box appears only when the Two-Person Rule for Delete
Snapshots is enabled. Otherwise, you will not see this dialog box.
The Two-Person Rule generates a review request. When the request is approved, the Rubrik cluster
applies the requested edits. When the request is denied, the Rubrik cluster rejects the requested edits.

Result
Rubrik CDM removes all the snapshots associated with the selected data source.
Related concepts
The two-person rule
The two-person rule provides additional data security on Rubrik CDM by ensuring that no individual user
can perform key operations on data without the approval of a secondary user.
Related reference
TPR Approver role details
A user account with the TPR Approver role is responsible for approving or denying TPR requests.

Removing individual snapshots for a data source


Select and remove individual snapshots whose Retention SLA is Retain Forever for a data source.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Snapshot Management.
The data source level of the Snapshot Management page appears.
3. Click a number in the Snapshots column corresponding to a data source.
For the selected data source and snapshot type, the object level of the Snapshot Management page
appears.
4. Select a snapshot with a Retention SLA set to Forever.
Select multiple snapshots to remove all snapshots in the selection group.
The Delete Snapshots button becomes active.
5. Click Delete Snapshots.
A confirmation dialog box appears.
6. Click Delete.
7. On the Submit Two-Person Rule Request dialog box, click Submit.
The Submit Two-Person Rule Request dialog box appears only when the Two-Person Rule for Delete
Snapshots is enabled. Otherwise, you will not see this dialog box.
The Two-Person Rule generates a review request. When the request is approved, the Rubrik cluster
applies the requested edits. When the request is denied, the Rubrik cluster rejects the requested edits.

Result
The Rubrik cluster removes all the selected snapshots.
Related concepts
The two-person rule
The two-person rule provides additional data security on Rubrik CDM by ensuring that no individual user
can perform key operations on data without the approval of a secondary user.
Related reference
TPR Approver role details
A user account with the TPR Approver role is responsible for approving or denying TPR requests.

Removing snapshots retrieved from an archive


Select and remove snapshots that were retrieved from an archival location.

Context
The Rubrik cluster removes the snapshot data from local storage and from the archival location.
A retrieved snapshot cannot be deleted unless it has the Forever retention setting. To delete a snapshot
with a specific retention period, first change the retention setting to Forever.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Snapshot Management.
The object level page of Snapshot Retention appears.
3. Click Filter Object and select the type of protected object to search for.
4. In the Snapshots column, click the number associated with a particular protected object.
The object level page of the selected protected object appears.
5. Select a snapshot with a retention setting of Forever.
Select multiple snapshots to remove the retrieved content for all snapshots in the selection group.
The Delete Snapshots button becomes active.
6. Click Delete Snapshots.
A confirmation dialog box appears.
Deleting a snapshot permanently deletes both the local copy and the archived copy of that snapshot.
7. Click Delete.

Result
The Rubrik cluster deletes all the retrieved content for the selected group of snapshots.

Retention management 05/25/2022 | 749


Chapter 28
Reports

Reports

The Rubrik CDM web UI provides a reports summary and a gallery of reports. The gallery includes default
reports and custom reports created from templates.
The Reports section of the Rubrik CDM web UI offers two views: a Summary view and a Gallery view.
The Summary view provides a graphical representation of the current status of various tasks, divided into
cards. Each card contains a link to a report with more details.
The Gallery view displays both default and custom reports. Any of the default reports can be used as
templates to create customized reports with different fields and graphs, as well as custom filtering along
several different dimensions.

Summary view
The Reports Summary page provides a high-level view of statistics for key areas of the Rubrik cluster. The
statistics are collected from the default reports.

Statistics | Description
Daily Protection Tasks by Status | Indicates the number of protection tasks that succeeded, the number that were canceled, and the number that failed. Links to the Protection Tasks Details report.
Local Snapshot Storage | Shows a time series graph of storage used on a daily basis. Links to the System Capacity report.
SLA Compliance | Shows the number of objects in compliance and the number of objects out of compliance. Links to the SLA Compliance Summary report.
System Capacity | Summarizes the amount of storage used and estimates how long it will take to reach full capacity at the current rate. Links to the System Capacity report.
Weekly Protection Tasks by SLA Domain | Summarizes the status (Successful, Failed, or Canceled) of each protection task associated with a given SLA Domain. Links to the Protection Tasks Summary report.

Viewing report summary information


View the summary information on the Reports Summary page.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Reports > Summary.
Rubrik CDM displays summary information collected from the default reports.
3. Click View Report in any individual tile.

Result
The report summary information appears.

Displaying a report
Use the Rubrik CDM web UI to display default and custom reports.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Reports > Gallery.
A list of all available reports appears.
3. Optional: To search the list, type a string into the Search by Name field.
• To filter the list by template, select a template type from the Filter Template menu.
• To filter the list by type, select Default or Custom from the Filter Type menu.
4. Click the name of a report.
The selected report appears.

Result
The Gallery view includes eight default reports. Each report consists of two charts and a table of
information. The information in the reports is refreshed every hour.

Default reports
The Gallery view includes eight default reports. Each report consists of two charts and a table of
information. The information in the reports is refreshed every hour.

Report name | Description
SLA Compliance Summary | Summarizes information about compliance with the policies set forth in each SLA Domain. The compliance calculation includes on-demand snapshots.
Object Backup Task Summary | Provides information about scheduled backup tasks that are triggered by an SLA protection policy. The report does not include information about on-demand backup tasks. Information includes the total number of daily expected backup tasks for each object along with the number of successful, failed, canceled and missed tasks. Note: This report does not include information for the current day.
Object Indexing Summary | Provides the indexing status for the latest local snapshot, the time stamp of the latest successfully indexed snapshot, and the number of indexed local snapshots. Includes charts that display the indexing summary by SLA Domain, and the indexing summary by object name.
Protection Tasks Summary | Displays the weekly number of backup and replication tasks by status, the status of weekly tasks by SLA Domain, and a summary table with more detailed information.
Protection Tasks Details | Displays the daily number of protection tasks by status, daily failed tasks by object name, and a summary table with more detailed information.
Recovery Tasks Details | Displays the total number of recovery tasks in the last month, the number of recovery tasks by status, a chart of failed recovery tasks sorted by object name, and a summary table with more detailed information.
Object Protection Summary | Displays the storage usage of each SLA Domain, the level of SLA compliance by SLA Domain, and a summary table with more detailed information.
Capacity Over Time | Displays the average storage used on the Rubrik cluster for the current month and the three previous months. The report is refreshed every hour. The average monthly storage is calculated by taking the average of the storage values for each day in the month. The storage value for a given day is calculated by taking the average of the storage used at four sampling points in that day. The report also includes a summary table with more detailed information.
System Capacity | Displays the usage of local storage by SLA Domain, the usage growth over time by SLA Domain, and a summary table with more detailed information.

Custom reports
Each default report can be used as a template for creating customized reports. Customized reports include
two charts, a table, and optional filters.
For each chart, select an attribute and a measure, and the type of chart used to visualize the data (such
as a donut chart, vertical chart, horizontal chart, or line chart). For the table, select any combination of
measures and attributes as column headings.
A measure is something that can be counted or calculated; for example, the number of successful tasks, or
the effective throughput.
An attribute is a characteristic of the data that does not change; for example, the name or location of an
object.

Object logical size


Rubrik CDM reports the logical size of the latest snapshot of an object. The definition of object logical size
depends on the object type.

Object type | Definition of logical size
VMware virtual machine | The full provisioned size of the virtual machine disks as reported by VMware. The reported size is not reduced by the amount of unused disk space.
Nutanix virtual machine | The full provisioned size of the virtual disks. The reported size is not reduced by the amount of unused disk space.
Hyper-V virtual machine | The size of the VHD or VHDX file stored as a sparse file. The reported size does not represent the actual size of the guest OS; it is only the physical size of the VHDX file on the host.
Cloud Native virtual machine | The current capacity of all the EBS volumes that are attached to the EC2 virtual machine instance.
Fileset | The logical size of the EXT4 volumes created for storing the file system hierarchy. The logical size is proportional to the sum of the sizes of the files reported by the host, plus the metadata overhead. The minimum size of the EXT4 file system is 4 GB. For file sets where the size of the files on the host is less than 4 GB, the logical size can be significantly higher than the sum of the size of the files.
MS SQL database | For snapshots, the sum of the sizes of all database files as shown in the host file systems. Database files have .mdf, .ldf, or .ndf extensions. For log backups, logical size is the actual log backup file size as generated by SQL Server’s Backup Log command.

Types of charts
Charts provide a graphical representation of the data gathered in a report.

Chart Type | Description
Donut | A ring shape with the length of the arcs proportional to the percentage of the total.
Vertical | A chart that displays vertical bars with the length of the bars proportional to the value.
Horizontal | A chart that displays horizontal bars with the length of the bars proportional to the value.
Line | A chart that displays a series of data points connected by line segments.
Stacked Vertical | A vertical chart where the bars have individual segments with lengths proportional to the percentage of the total value of each bar.
Stacked Horizontal | A horizontal chart where the bars have individual segments with lengths proportional to the percentage of the total value of each bar.

Chart measures
The measures available for custom report charts. Each chart has one measure.

Measure | Description | Default report templates with this measure
Archival Snapshot Lag | Integer representing the difference between ingested snapshots and snapshots successfully transferred to the archival location. | • SLA Compliance Summary • Object Protection Summary
Archive Data Reduction | The percentage of reduction in total data size of the archive. | • System Capacity • Capacity Over Time • Object Protection Summary
Archive Dedup Ratio | The deduplication ratio achieved by the archive. | • System Capacity • Capacity Over Time • Object Protection Summary
Archive Effective Data Transferred | Total amount of data transferred by the task. | • System Capacity • Capacity Over Time • Object Protection Summary
Archive Effective Logical Data | Total size of protected data calculated on the basis of full backups instead of incremental differences. | • System Capacity • Capacity Over Time • Object Protection Summary
Archive Logical Data Reduction | The percentage of reduction in the size of the backup calculated on the basis of full backups instead of incremental differences. | • System Capacity • Capacity Over Time • Object Protection Summary
Archive Logical Dedup Ratio | The deduplication ratio calculated on the basis of full backups instead of incremental differences. | • System Capacity • Capacity Over Time • Object Protection Summary
Archive Storage | Amount of cluster storage used by archived snapshots. | • System Capacity • Capacity Over Time • Object Protection Summary
Archive Storage Growth | Amount of cluster storage used by archives in a specified time period. | • System Capacity • Capacity Over Time • Object Protection Summary
Average Duration | Average task duration. | • Protection Tasks Summary • Protection Tasks Details • Recovery Tasks Details
Canceled Tasks | Number of canceled tasks. | • Protection Tasks Summary • Protection Tasks Details • Recovery Tasks Details • Object Backup Task Summary
Compliance Count by Status | Object count by compliance status. Objects can be out of compliance or in compliance. | • SLA Compliance Summary • Object Protection Summary
Data Reduction | The percentage of reduction in total data size of the backup, calculated after deduplication and compression. | • Protection Tasks Summary • Protection Tasks Details
Data Stored | Total storage used by objects over the target time period, including expired and purged snapshots, after deduplication and compression. | • Protection Tasks Summary • Protection Tasks Details
Data Transferred | The sum of the data transferred for each active snapshot (both policy-based and on-demand). The data transfer size of expired snapshots is not counted towards this value. The size of the data transferred is measured before deduplication, compression, and global linking. | • Protection Tasks Summary • Protection Tasks Details • Recovery Tasks Details
Data Transferred vs Stored | The ratio of data transferred over the network compared to the amount of data stored on the Rubrik cluster. | • Protection Tasks Summary • Protection Tasks Details
Dedup Ratio | The ratio of data transferred to data stored, expressed as a fraction. | • Protection Tasks Summary • Protection Tasks Details
Effective Throughput | The ratio of the number of bytes received during a backup divided by the length of time for the backup. | • Protection Tasks Summary • Protection Tasks Details
Expected Tasks | Number of expected tasks, based on the snapshot schedule defined in the SLA Domain. | • Object Backup Task Summary
Failed Tasks | Number of failed tasks. | • Protection Tasks Summary • Protection Tasks Details • Recovery Tasks Details • Object Backup Task Summary
In Compliance | A Boolean with a value of Yes when the object is in SLA compliance and No otherwise. | • SLA Compliance Summary • Object Protection Summary
Local CDP Health | The percentage of time a particular virtual machine has been in a healthy CDP state. The percentage is calculated from the ratio of time healthy to total time enabled. CDP is considered healthy when the status is Active. CDP is considered enabled when the status is Active, Failed, or Taking Snapshot (when the snapshot is taken immediately following a failure). | • SLA Compliance Summary • Object Protection Summary
Local CDP Log Storage | The amount of disk space consumed on the local Rubrik cluster by CDP logs. For a custom report based on Capacity Over Time, Local CDP Log Storage is summed over all virtual machines for the specified time period. | • Object Protection Summary • Capacity Over Time • System Capacity
Local CDP Throughput | The local network bandwidth consumed by CDP per virtual machine. For a custom report based on Capacity Over Time, Local CDP Throughput is summed over all virtual machines for the specified time period. Units are bps (bits per second). | • Object Protection Summary • Capacity Over Time • System Capacity
Local Data Reduction | The percentage of reduction in total data size of the backup. | • System Capacity • Capacity Over Time • Object Protection Summary
Local Data Transferred | The sum of the data transferred for each active snapshot, both policy-based and on-demand. The data transfer size of expired snapshots is not counted towards this value. The size of the data transferred is measured before deduplication, compression, and global linking. | • System Capacity • Capacity Over Time • Object Protection Summary
Local Dedup Ratio | The ratio of data transferred to data stored, expressed as a fraction. | • System Capacity • Capacity Over Time • Object Protection Summary
Local Effective Logical Data | Total size of protected data calculated on the basis of full backups instead of incremental differences. | • System Capacity • Capacity Over Time • Object Protection Summary
Local Effective Storage | Calculation of the equitable allocation of deduplicated data assigned to individual snapshots. This enables a fair distribution between objects. For example, a system that includes duplicate data from five objects with the same size and the same data overlap reduces storage to a total of a combined 10 GB. This data contributes 2 GB to the total Local Effective Storage for each object (10 GB ÷ 5 = 2 GB). | • System Capacity • Capacity Over Time • Object Protection Summary
Local Logical Data Reduction | The percentage of reduction in the size of the backup calculated on the basis of full backups instead of incremental differences. | • System Capacity • Capacity Over Time • Object Protection Summary
Local Logical Dedup Ratio | The deduplication ratio calculated on the basis of full backups instead of incremental differences. | • System Capacity • Capacity Over Time • Object Protection Summary
Local Metered Data | For a protected object, the amount of data transferred from the data source to the Rubrik cluster between two points in time. | • System Capacity • Capacity Over Time • Object Protection Summary
Local Protected Data | The sum total of data protected, including full and incremental backups, before the application of deduplication and other efficiencies. | • System Capacity • Capacity Over Time • Object Protection Summary
Local Snapshot Count by Index Status | Total number of local snapshots for all index statuses (indexed, unindexed, and pending). | • Object Indexing Summary
Local Snapshots Indexed | Number of local snapshots that were indexed successfully. | • Object Indexing Summary
Local Snapshots Pending For Indexing | Number of local snapshots that are in the process of being indexed. | • Object Indexing Summary
Local Snapshots Unindexed | Number of local snapshots that are not indexed because indexing failed. | • Object Indexing Summary
Local Storage | Amount of Rubrik cluster storage currently in use. | • SLA Compliance Summary • Capacity Over Time • Object Protection Summary
Local Storage Growth | Amount of Rubrik cluster storage used in a specified time period. | • SLA Compliance Summary • Capacity Over Time • Object Protection Summary
Logical Data Protected | The total logical size of the protected object for all active snapshots, both policy-based and on-demand. | • Protection Tasks Summary • Protection Tasks Details
Logical Data Reduction | The ratio of logical data protected to data stored, expressed as a percentage. | • Protection Tasks Summary • Protection Tasks Details
Logical Dedup Ratio | The ratio of logical data protected to data stored, expressed as a fraction. | • Protection Tasks Summary • Protection Tasks Details
Missed Objects | Number of files and folders that failed to back up. | • Protection Tasks Summary • Protection Tasks Details
Missed Tasks | Number of tasks that should have been scheduled in a calendar day according to the SLA, but were not. | • Object Backup Task Summary
Object Count | Total number of objects. | • Recovery Tasks Details • SLA Compliance Summary • Object Protection Summary
Object Logical Size | The logical size of the most recent unexpired snapshot. | • Object Protection Summary • Capacity Over Time • System Capacity
Out of Compliance | A Boolean with a value of No when the object is in SLA compliance and Yes otherwise. | • SLA Compliance Summary • Object Protection Summary
Provisioned Size | Total size allocated to the object at creation or modification. For example, if a database or virtual machine is created with 100GB of size, the provisioned size is 100GB, regardless of the data consumed within the object. | • System Capacity • Capacity Over Time • Object Protection Summary
Replica Storage | Amount of cluster storage used by replicas. | • SLA Compliance Summary • Capacity Over Time • Object Protection Summary
Replica Storage Growth | Amount of cluster storage used by replicas in a specified time period. | • SLA Compliance Summary • Capacity Over Time • Object Protection Summary
Snapshot Count by Data Location | A stack chart of local, replica, and archive snapshot counts. | • SLA Compliance Summary • Object Protection Summary
Storage Growth by Data Location | A stack chart of storage growth for local, replica, and archive snapshots. | • System Capacity • Object Protection Summary
Successful Tasks | Number of successful tasks. | • Protection Tasks Summary • Protection Tasks Details • Recovery Tasks Details • Object Backup Task Summary
Task Count | Total number of tasks. | • Protection Tasks Summary • Protection Tasks Details • Recovery Tasks Details
Task Count by Status | The number of successful, canceled, and failed tasks. | • Protection Tasks Summary • Protection Tasks Details • Recovery Tasks Details
Total Files Transferred | Total number of files ingested by the Rubrik cluster. | • Protection Tasks Summary • Protection Tasks Details • Recovery Tasks Details
Total Storage by Data Location | A stack chart of local, replica, and archive physical storage consumed. | • System Capacity • Object Protection Summary
Used Size | Actual amount of data consumed within an object. For example, if a virtual machine is provisioned with 100GB of disk space but only 10GB of data has been written to disk, 10GB is the Used Size. | • System Capacity • Capacity Over Time • Object Protection Summary
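
The Local CDP Health calculation defined in the chart measures above, worked through on a constructed status timeline. This is an added example, not Rubrik code: the function name, the (timestamp, status) record shape, and the reading of Taking Snapshot as enabled time only when it directly follows Failed are assumptions.

```python
from datetime import datetime, timedelta

# Status names as listed for the Local CDP Status attribute in this guide.
KNOWN_STATUSES = {"Not Enabled", "Pending", "Taking Snapshot", "Active", "Failed"}


def local_cdp_health(changes, window_start, window_end):
    """Return Local CDP Health as a percentage for one virtual machine.

    changes: iterable of (timestamp, status) status-change records
             (assumed input shape, not a Rubrik export format).
    Each status holds until the next change, or until window_end.
    Returns None when CDP was never enabled inside the window.
    """
    if window_end <= window_start:
        raise ValueError("window_end must be after window_start")
    ordered = sorted(changes)
    healthy = timedelta(0)
    enabled = timedelta(0)
    previous = None
    for i, (ts, status) in enumerate(ordered):
        if status not in KNOWN_STATUSES:
            raise ValueError(f"unknown CDP status: {status!r}")
        nxt = ordered[i + 1][0] if i + 1 < len(ordered) else window_end
        # Clip the interval to the reporting window.
        span = min(nxt, window_end) - max(ts, window_start)
        if span > timedelta(0):
            if status == "Active":
                # Healthy time is also enabled time.
                healthy += span
                enabled += span
            elif status == "Failed":
                enabled += span
            elif status == "Taking Snapshot" and previous == "Failed":
                # Assumption: only a snapshot taken right after a failure
                # counts toward enabled time.
                enabled += span
        previous = status
    if enabled == timedelta(0):
        return None
    return 100.0 * (healthy / enabled)


# Constructed sample timeline for one virtual machine (not real data).
DAY = datetime(2024, 1, 1)


def at(hour):
    """Timestamp 'hour' hours after the start of the sample day."""
    return DAY + timedelta(hours=hour)


SAMPLE_CHANGES = [
    (at(0), "Pending"),           # waiting for the initial snapshot
    (at(2), "Taking Snapshot"),   # initial snapshot, not after a failure
    (at(3), "Active"),
    (at(15), "Failed"),
    (at(17), "Taking Snapshot"),  # snapshot immediately following the failure
    (at(18), "Active"),
]

if __name__ == "__main__":
    full_day = local_cdp_health(SAMPLE_CHANGES, at(0), at(24))
    print(f"Local CDP Health, full day: {full_day:.2f}%")
    half_day = local_cdp_health(SAMPLE_CHANGES, at(12), at(24))
    print(f"Local CDP Health, 12:00-24:00: {half_day:.2f}%")
```

Over the full sample day the virtual machine is Active for 18 of 21 enabled hours; the Pending period and the initial snapshot fall outside the denominator, so they do not lower the percentage.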

Chart attributes
The attributes available for custom report charts. Each chart has one attribute.

Attribute | Description | Reports with this attribute
Cluster Location | Specifies whether the cluster is local or remote. | All, except Capacity Over Time and Object Backup Task Summary
Compliance Status | Restricts the report to information about compliant, non-compliant, or unprotected elements. | • SLA Compliance • Object Protection Summary
Day | Day the task ran. | • Capacity Over Time • Object Backup Task Summary
Latest Local Snapshot Index Status | The indexing status for the most recent local snapshot (Success, Failed, or Pending). | Object Indexing Summary
Local CDP Status | Displays one of the following statuses: • Not Enabled – The CDP-enabled SLA Domain has not been assigned to a virtual machine. • Pending – A CDP-enabled SLA Domain is assigned, but the system is waiting for the CDP filter to be installed, or for the storage policy to be assigned, or for a successful initial snapshot. Local CDP Status is also set to Pending when disks are added or removed. • Taking Snapshot – In the process of taking a snapshot. If the snapshot is successful, the status changes to Active. • Active – CDP is running successfully. • Failed – CDP failed or a snapshot failed. CDP can fail if it has problems handling large bursts of incoming data, or maintaining its logs, for example. | • SLA Compliance • System Capacity • Object Protection Summary
Location | The definition of location varies by object: • Virtual machines – The IPv4 address or FQDN of the vCenter Server. • SQL Server DBs – The FQDN of the Windows Server and the SQL Server instance. • Linux & Unix Hosts – The IPv4 address or FQDN of the Linux or Unix host. • Windows Hosts – The IPv4 address or FQDN of the Windows host. • Nutanix Cluster – The name of the cluster. • Hyper-V Cluster – The name of the cluster. • Managed Volume – The name of the volume. | All, except Capacity Over Time
Month | Month the task ran. | Capacity Over Time
Object Index Type | Indicates whether the object is Indexable, Unindexable, or Unprotected. | Object Indexing Summary
Object Name | The name of the object that is the subject of the task. | All, except Capacity Over Time
Object Type | Restricts the report to information about objects of the specified types. Supported object types are: • Virtual Machine • Linux & Unix Fileset • Windows Fileset • SQL Server DB • Nutanix Cluster • Hyper-V Cluster • Managed Volumes | All, except Capacity Over Time
Quarter | Quarter the task ran. | Capacity Over Time
SLA Domain | Entry is one of the following: • The name of the SLA Domain that protects the object. • Unprotected • Click on the name of the SLA Domain to manage the domain. | All, except Capacity Over Time
Task Status | Icon representing the state of the task at the time of the entry. The status can be: • Succeeded • Failed • Canceled | • Protection Tasks Summary • Protection Tasks Details • Recovery Tasks Details
Task Type | Restricts the report to information about tasks of the specified types. Supported task types are: • Backup • Archival • Replication | • Protection Tasks Summary • Protection Tasks Details • Recovery Tasks Details

Table measures
In addition to charts, reports feature a data table that can be customized with specific measures.

Measure | Default Report Template
Archival Object Count | • SLA Compliance Summary • Object Backup Task Summary • Object Indexing Summary • Protection Tasks Summary • Object Protection Summary • Capacity Over Time • System Capacity
Archival Snapshot Lag | • SLA Compliance Summary • Object Protection Summary
Archive Data Reduction | • Object Protection Summary • Capacity Over Time • System Capacity
Archive Dedup Ratio | • Object Protection Summary • Capacity Over Time • System Capacity
Archive Effective Data Transferred | • Object Protection Summary • Capacity Over Time • System Capacity
Archive Effective Logical Data | • Object Protection Summary • Capacity Over Time • System Capacity
Archive Logical Data Reduction | • Object Protection Summary • Capacity Over Time • System Capacity
Archive Logical Dedup Ratio | • Object Protection Summary • Capacity Over Time • System Capacity
Archive Storage | • Object Protection Summary • Capacity Over Time • System Capacity
Archive Storage Growth | • Object Protection Summary • Capacity Over Time • System Capacity
Archived On Demand Snapshots | • SLA Compliance Summary • Object Indexing Summary
Archived SLA Snapshots | • SLA Compliance Summary • Object Indexing Summary • Object Protection Summary
Archived Snapshots | • SLA Compliance Summary • Object Indexing Summary • Object Protection Summary
Average Duration | • Protection Tasks Summary
Canceled Tasks | • Protection Tasks Summary
Data Reduction | • Protection Tasks Summary • Protection Tasks Details
Data Stored | • Protection Tasks Summary • Protection Tasks Details
Data Transferred | • Protection Tasks Summary • Protection Tasks Details • Recovery Tasks Details
Data Transferred vs Stored | • Protection Tasks Summary
Dedup Ratio | • Protection Tasks Summary • Protection Tasks Details
Duration | • Protection Tasks Details • Recovery Tasks Details
Effective Throughput | • Protection Tasks Summary • Protection Tasks Details
End Time | • Protection Tasks Details • Recovery Tasks Details
Failed Tasks | • Protection Tasks Summary
In Compliance | • SLA Compliance Summary • Object Protection Summary
Latest Archived Snapshot | • SLA Compliance Summary • Object Indexing Summary
Latest Local Indexed Snapshot | • Object Indexing Summary
Latest Local Snapshot | • SLA Compliance Summary • Object Indexing Summary • Object Protection Summary
Local Data Reduction | • Object Protection Summary • Capacity Over Time • System Capacity
Local Data Transferred | • Object Protection Summary • Capacity Over Time • System Capacity
Local Dedup Ratio | • System Capacity • Capacity Over Time • Object Protection Summary
Local Effective Logical Data | • System Capacity • Capacity Over Time • Object Protection Summary
Local Logical Data Reduction | • System Capacity • Capacity Over Time • Object Protection Summary
Local Logical Dedup Ratio | • System Capacity • Capacity Over Time • Object Protection Summary
Local On Demand Snapshots | • SLA Compliance Summary • Object Indexing Summary
Local SLA Snapshots | • SLA Compliance Summary • Object Indexing Summary
Local Snapshots | • SLA Compliance Summary • Object Indexing Summary • Object Protection Summary
Local Snapshots Indexed | • Object Indexing Summary
Local Snapshots Pending For Indexing | • Object Indexing Summary
Local Snapshots Unindexed | • Object Indexing Summary
Local Storage | • System Capacity • Capacity Over Time • Object Protection Summary
Local Storage Growth | • System Capacity • Capacity Over Time • Object Protection Summary
Logical Data Protected | • Protection Tasks Summary • Protection Tasks Details
Logical Data Reduction | • Protection Tasks Summary • Protection Tasks Details
Logical Dedup Ratio | • Protection Tasks Summary • Protection Tasks Details
Long Running Tasks | • Object Backup Task Summary
Missed Objects | • Protection Tasks Summary • Protection Tasks Details
Missed Snapshots | • SLA Compliance Summary • Object Protection Summary
Object Count | • Object Backup Task Summary • Object Indexing Summary • Capacity Over Time • System Capacity
Object Logical Size | • System Capacity • Capacity Over Time • Object Protection Summary
On Time Tasks | • Object Backup Task Summary
Out of Compliance | • SLA Compliance Summary • Object Protection Summary
Protected On | • SLA Compliance Summary • Object Backup Task Summary • Object Indexing Summary • Object Protection Summary • System Capacity
Queued Time | • Protection Tasks Details • Recovery Tasks Details
Replicated Snapshots | • SLA Compliance Summary • Object Indexing Summary
Replica Storage | • System Capacity • Capacity Over Time • Object Protection Summary
Replica Storage Growth | • System Capacity • Capacity Over Time • Object Protection Summary
Start Time | • Protection Tasks Details • Recovery Tasks Details
Successful Tasks | • Protection Tasks Summary
Task Count | • Protection Tasks Summary • Object Backup Task Summary
Task Count by Status | • Protection Tasks Summary
Total Files Transferred | • Protection Tasks Summary • Protection Tasks Details • Recovery Tasks Details
Total Snapshots | • SLA Compliance Summary • Object Indexing Summary • Object Protection Summary

Table attributes
In addition to charts, reports feature a data table that can be customized with specific attributes.

Attribute | Default Report Template
Archival Target | All except Protection Tasks Summary
Cluster Location | All
Compliance Status | • SLA Compliance • Object Protection Summary
Current Task Status | Object Backup Task Summary
Day | • Protection Tasks Summary • Capacity Over Time
Direct Archive | All
Failure Reason | Recovery Tasks Details
Hour | Protection Tasks Summary
Last Successful Task | Object Backup Task Summary
Latest Local Snapshot Index Status | Object Indexing Summary
Location | All
Month | • Protection Tasks Summary • Capacity Over Time
Object Index Type | Object Indexing Summary
Object Name | All
Object Type | All
Organization | • SLA Compliance • Object Indexing Summary • Object Protection Summary • Capacity Over Time • System Capacity
Quarter | • Protection Tasks Summary • Capacity Over Time
Recovery Point | Recovery Tasks Details
Recovery Point Type | Recovery Tasks Details
Replication Source | All
Replication Target | All
SLA Domain | All
Snapshot Consistency | Protection Tasks Details
Task Status | • Protection Tasks Summary • Protection Tasks Details • Recovery Tasks Details
Task Type | • Protection Tasks Details • Recovery Tasks Details
Username | Recovery Tasks Details
Year | Protection Tasks Summary

Report filters
Filters restrict the content that appears in a report.

Filter | Description | Reports with this filter
Archival Compliance Status | Restricts the report to archival objects with one of these statuses: • In Compliance • Out of Compliance • Unprotected | SLA Compliance Summary
Replication Compliance Status | Restricts the report to replication objects with one of these statuses: • In Compliance • Out of Compliance • Unprotected | SLA Compliance Summary
Cluster Location | Restricts the report to information from local or remote clusters. | All, except Object Backup Task Summary
Compliance Status | Restricts the report to objects with one of these statuses: • In Compliance • Out of Compliance | SLA Compliance Summary
Date | Restricts the report information to a selected date range. Supported ranges are: • Past 24 Hours • Past 7 Days • Past 30 Days • Past Year • Custom Range, which is a start date to an end date. | • Protection Tasks Summary • Protection Tasks Details • Recovery Tasks Details • Capacity Over Time
Location | Restricts the report to information from specified locations. The definition of location varies by object: • Virtual machines – The IPv4 address or FQDN of the vCenter Server. • SQL Server DBs – The FQDN of the Windows Server and the SQL Server instance. • Linux & Unix Hosts – The IPv4 address or FQDN of the Linux or Unix host. • Windows Hosts – The IPv4 address or FQDN of the Windows host. • Nutanix Cluster – The name of the cluster. • Hyper-V Cluster – The name of the cluster. • Managed Volume – The name of the volume. Search for specific locations by typing a portion of the name of a location in Search by Name. To add a location, click Add next to the entry for the location. | All, except Object Backup Task Summary
Object Index Type | Restricts the report to information about objects of the specified index type. Index types include: • Indexable • Unindexable • Unprotected | Object Indexing Summary
Object Name | Restricts the report to information from selected objects. Search for specific objects by typing a portion of the object name in Search by Name. To add an object, click Add next to the entry for the object. | All, except Object Backup Task Summary
Object Type | Restricts the report to information about the specified object types: • VMware Virtual Machines • Linux & Unix Filesets • Windows Filesets • SQL Server DBs • Nutanix Cluster • Hyper-V Cluster • Managed Volumes | All
Range | Restricts the report to information from the selected time range or number of snapshots: • Past 24 Hours • Past 7 Days • Past 30 Days • Past 90 Days • Past 365 Days • Last Snapshot • Last 2 Snapshots • Last 3 Snapshots • Start of Protection (Default) | SLA Compliance Summary
SLA Domain | Filters tasks by the selected SLA Domain. Search for specific SLA Domains by typing a portion of the name of an SLA Domain in Search by Name. | All
Task Status | Restricts the report to information about tasks in the selected statuses: • Succeeded • Canceled • Failed | • Protection Tasks Summary • Protection Tasks Details • Recovery Tasks Details
Task Types | Restricts the report to information about tasks of the specified types. Supported task types are: • Backup • Archival • Replication | • Protection Tasks Summary • Protection Tasks Details • Recovery Tasks Details • Object Protection Summary

Creating a custom report


Assign the attributes and measures that will appear in the custom report.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Reports > Gallery.
A list of all available reports appears.
3. From the Gallery, click Create Report in the top right corner.
4. Enter a name for the report.
5. Select one of the default reports as a report template, then click Next.
6. Configure the top left chart by assigning a chart name, then choose the attribute and the measure
that will appear in the chart.
7. Choose the chart type, then click Next.
8. Repeat step 6 and step 7 for the top-right chart.
9. Select all the attributes and measures that should appear in the table for the report, then click Next.
10. In the left column, select a filter type.
11. From the right-side list, select entries to add to the menu for the selected filter type, then click Finish.

Result
The customized report appears.

Creating a Daily Capacity Over Time report


Use the default Capacity Over Time report to create a custom Daily Capacity Over Time report.

Context
Change each chart’s attribute from Month to Day to see the daily amounts of local data transferred and
storage used. Include the SLA Domain and Object Name attributes in the table to provide an additional
level of sorting. Limit the report data to the last seven days and limit the SLA Domains to a select group.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Reports > Gallery.
A list of all available reports appears.
3. From the Gallery, click Create Report in the top right corner.
The Name & Template pane of the Create Report wizard appears.
4. Enter a name for the report, such as Daily Capacity Over Time.
5. Select Capacity Over Time as the report template, then click Next.
The Top Left Chart pane appears.
6. Keep the chart name as Local Data Transferred, choose Day for the attribute, and keep Local
Data Transferred as the measure.
Alternatively, choose a different measure and change the name of the chart to match.
7. Choose Vertical or Line for the chart type, then click Next.
The Top Right Chart pane appears.
8. Keep the chart name as Total Capacity, choose Day for the attribute, and keep Local Storage for
the measure.
Alternatively, choose a different measure and change the name of the chart to match.
9. Choose Vertical or Line for the chart type, then click Next.
The Table pane appears.
10. Select all the attributes and measures that should appear in the table for the report, then click Next.
Clear Month, then select Day, SLA Domain, and Object Name in addition to the other default
choices already selected.
The Filter pane appears.
11. In the left column, select the Date filter.
12. In the right column, select Past 7 Days to limit the data in the report to the past seven days.
13. In the left column, select SLA Domain.
14. In the right column, select the SLA Domains to include in the report.
15. Click Finish.

Result
The customized report, Daily Capacity Over Time, appears.

Modifying a custom report
Edit existing custom reports to change attributes, measures, and charts as necessary.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu of the web UI, click Reports > Gallery.
A list of all available reports appears.
3. Optional: To search the list, type a string in the Search by Name field.
4. From the Gallery, click the name of a custom report.
5. Open the ellipsis menu and select Edit Report.
6. Select options for the charts, data table, and filters, then click Update.

Result
The report is updated with the new information.

Transaction log metadata retention


The retention time for metadata about jobs that protect database transaction logs is 30 days by default.
Reports are constructed from metadata about the jobs the Rubrik cluster performs. The Rubrik cluster
stores metadata in an internal database. The metadata retention time for jobs other than protection jobs
for database transaction logs is one year. Metadata for jobs that protect database transaction logs can
become voluminous for highly active databases. The retention time of metadata for these jobs can be
changed from the initial default of 30 days.

Changing transaction log metadata retention


Change the retention time of metadata for jobs that protect database transaction logs by making an API
call.

Procedure
1. Log in to the web UI.
2. Open the account menu in the upper right corner and select API Token Manager.
3. On the API Token Manager page, click +.
4. Complete the Duration and tag fields and click Generate.
5. Click Copy.
6. Paste the token in a scratch file.
7. In a new browser window, navigate to https://cluster_address/docs/v1/playground.
Replace cluster_address with the hostname or IPv4 address of the Rubrik cluster.
The Rubrik REST API Explorer page appears.
8. Click Authorize.
The authorization dialog appears.
9. Paste the token into the value field and click Authorize.
The authorization dialog closes.
10. Click /reports.
A list of API endpoints for reports appears.
11. Click PATCH /report/config.
12. Click Try it out.
A text field for the new_values object that contains the new configuration values appears.
13. Type a new value for the "cleanupReportJobInstanceForLogJobs" parameter after the :
character.
The value specifies the retention period in days. The default value is 30.
14. Click Execute.
The page updates with a response code for the API call. A response code of 200 indicates a successful
API call.

Result
Metadata for jobs that protect database transaction logs is retained for the specified number of days.

Exporting a report data table


Export a CSV-formatted version of a report data table to the computer that is running the web browser.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu of the web UI, click Reports > Gallery.
A list of all available reports appears.
3. Optional: To search the list, type a string into the Search by Name field.
4. Click the name of a report.
5. At the top of the report, click CSV.
Depending on the Download settings of the web browser, one of the following occurs:
• The browser downloads the report to the default download folder.
• The browser opens a Save As dialog box.
6. (Save As dialog box) Select a location on the computer that is running the web browser.
7. (Save As dialog box) Click Save.

Result
The browser downloads the CSV table to the selected location.

Report schedules
The Rubrik cluster can send reports to a list of email recipients according to a set schedule.
The schedule can specify daily reports and monthly reports based on specified requirements.

Scheduling reports
Schedule a report to specify times for the Rubrik cluster to send an HTML email containing the report
charts and the first 100 lines of the report table. The email includes all data from the report table in an
attached CSV file.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu of the web UI, click Reports > Gallery.
A list of all available reports appears.
3. Optional: To search the list, type a string into the Search by Name field.
4. Click the name of a report.
5. At the top of the report, click Schedule.
The Schedule Report dialog box appears.
6. In Email Address, type a valid email address. To specify multiple recipients, use commas to separate
each address.
7. Optional: Clear the CSV box to omit the CSV file of report data from the report emails.
• For daily emails, click Every Day at and select the time of day. For example, select 8:00 AM
to send an email to each designated recipient every day at 8:00 AM.
• To send emails on specific days of the week, click Every Week on and select the days of the
week.
For example, select Monday and Thursday. More than one day of the week can be selected.
• For monthly emails, select the date of the month and the time of day when emails should be sent.
For example, select the 15th of the month at 12:00 AM. Only one date can be selected.
8. Optional: To add another schedule, click +.
9. Click Schedule after the last schedule has been entered.

Result
The Rubrik cluster sends reports to the listed email addresses according to the specified schedule.

Changing ownership of a scheduled report email subscription


When a user who owns the subscription to a scheduled report can no longer access the Rubrik cluster, the
cluster administrator can assume ownership of the subscription.

Procedure
1. Log in to the Rubrik CDM web UI as a user with administrative privileges over the cluster.
2. On the left-side menu of the web UI, select Reports > Gallery.
A list of all available reports appears.
3. Optional: To search the list, type a string into the “Search by Name” field.
4. Click the name of a report.
5. At the top of the report, click Schedule.
The Schedule Report dialog box appears.
6. Click the Owned By menu.
7. Select the current user.
8. Click Schedule.

Result
The assigned user is now the owner of the subscription.

Changing a report schedule


Modify a report subscription to change the recipient email address and to change the subscription
frequency and time.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu of the web UI, click Reports > Gallery.
3. Optional: To search the list, type a string into the Search by Name field.
4. Click the name of a report.
5. At the top of the report, click Schedule.
The Schedule Report pane appears.
6. Make changes to the information in the dialog box.
7. Click Schedule.

Result
The Rubrik cluster sends report emails to the recipients listed at the frequency specified in the modified
schedule.

Removing report schedules


Remove a report subscription to stop the Rubrik cluster from sending the report by email.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu of the web UI, click Reports > Gallery.
A list of the reports available on the cluster appears.
3. Optional: To search the list, type a string into the Search by Name field.
4. Click the name of a report.
5. At the top of the report, click Schedule.
The Schedule Report pane appears.
6. Click X to delete the schedule from the Schedule Report pane.
7. Click Schedule to confirm changes and return to the report.

Result
The Rubrik cluster removes the report scheduling information.

Chapter 29
System and task information

This chapter describes the system and task information that the Rubrik CDM web UI provides through
dashboards, notifications, and alerts.
The Rubrik CDM web UI provides administrative information about the status of protection tasks, protected
objects, Rubrik cluster system status, and Rubrik cluster system tasks.
The Rubrik CDM web UI uses a variety of delivery methods to provide information in the most useful
format based on the type of information, the time-sensitivity of the information, and the historical value of
the information.
The table describes Rubrik CDM web UI information delivery methods.

Method: Dashboard
Description: Uses graphical elements and text to provide current state information.
The Rubrik CDM web UI refreshes dashboard information automatically.
Dashboards also provide links to reports, logs, and additional dashboards.

Method: Notification message
Description: Task message that the Rubrik cluster classifies as time-sensitive, either
because the message indicates a possible issue or because the message
indicates the completion of a manually initiated task.

Method: Activity message
Description: Task state message.
Task state is one of the following:
• Canceled
• Failure
• In Progress
• Success
• Warning
• Queued

Data measurements
The Rubrik CDM web UI depicts data values using the decimal definition for the prefixes used with bits and
bytes.
The Rubrik cluster uses the standards promulgated in the Système international d'unités (International
System of Units or SI) for all expressions of data measurements. Under those standards, the prefixes used
with bits (b) and bytes (B) represent decimal multiples of those units, not binary multiples.

Rubrik                          Non-Rubrik
Decimal value   SI prefix       Binary value   ISO/IEC prefix   JEDEC prefix
1000            k - kilo        1024           Ki - kibi        K - kilo
1000^2          M - mega        1024^2         Mi - mebi        M - mega
1000^3          G - giga        1024^3         Gi - gibi        G - giga
1000^4          T - tera        1024^4         Ti - tebi        T - tera
1000^5          P - peta        1024^5         Pi - pebi
1000^6          E - exa         1024^6         Ei - exbi
1000^7          Z - zetta       1024^7         Zi - zebi
1000^8          Y - yotta       1024^8         Yi - yobi

Dashboards
Dashboards provide information about the current state of various aspects of the Rubrik cluster.
The Rubrik CDM web UI regularly refreshes the information that appears in a dashboard.
The following dashboards are available under the main dashboard in the left-side menu:
• Summary
• Monitoring
• Compliance
• CDP Performance
• System Performance

Viewing the Summary Dashboard


The Summary dashboard provides a comprehensive summary of the activities and status of the local
Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI.
2. From the left-side menu of the Rubrik CDM web UI, select Dashboard > Summary.

Result
The Summary page appears.

Summary Dashboard Details


The Summary dashboard provides information on the activities and status of the local Rubrik cluster.

Information type: 24 Hour Tasks View
Description: Displays the numbers for tasks in progress, failed tasks, canceled
tasks, and completed tasks. For currently running tasks, displays the
task type, object name, SLA Domain, and the elapsed time since the
task started.

Information type: Performance Stats
Description: Provides a time series graph showing the data ingestion throughput
to the local Rubrik cluster for the selected time range. Time ranges
include:
• Last Hour
• Last 2 Hours
• Last 4 Hours
• Last 8 Hours
• Last 12 Hours
• Last 24 Hours
• Last 3 Days
• Last 7 Days
The default time range is 24 hours. Hover over any point on the line
graph to view data ingestion details for that point.

Information type: Data reduction and snapshot statistics
Description:
• Local Data Reduction – Total local storage space reduction for the data ingested.
• Archival Data Reduction – Total archival storage space reduction for the data ingested.
• Snapshots – Total number of snapshots ingested.

Information type: Cluster health
Description: Provides a simple visual indicator of the health of the Rubrik cluster:
green means healthy, orange means one or more nodes need
attention, and red means unhealthy (contact Rubrik Support). Also
shows the number of healthy nodes.

Information type: Live Mounts and Cloud Mounts
Description: Displays the current number of Live Mounts and Cloud Mounts for the
local Rubrik cluster.

Information type: Selected protected object:
• vSphere VMs
• vCD vApps
• Hyper-V VMs
• AHV VMs
• Linux & Unix Hosts
• Windows Hosts
• NAS Shares
• SQL Server DBs
• Oracle DBs
• Managed Volumes
• EC2 Instances
Description: For the selected type of protected object, the Overview card provides
the number of objects that are protected and the number of objects
that are unprotected.
Includes the following links:
• See all – Links to the page for the specified object type.
• No SLA – Links to page for the specified object type with the No
SLA filter applied. This displays objects that have the SLA Domain
setting of No SLA.
• Do Not Protect – Links to page for the specified object type with
the Do Not Protect filter applied. This displays objects that have the
SLA Domain setting of Do Not Protect.

Information type: SLA Domains
Description: Provides the total number of protected objects for the three local SLA
Domains with the most protected objects.

Information type: Capacity
Description: The System doughnut graph is a graphical representation of total
storage based on snapshot storage usage and available storage. The
Rubrik cluster available storage percentage is provided in the middle
of the doughnut graph. Mouse-over events reveal storage usage and
capacity details. This view also links to the System Capacity report.

System doughnut graph
The system doughnut graph provides information on the total storage based on the snapshot storage
usage and available storage.

Information type: Live mount storage
Description: Space used by live mounts.

Information type: Snapshot storage
Description: Space used to store immutable snapshots.

Information type: System storage
Description: Space used as storage for the following:
• In-progress data ingestion and file management activity.
• OS reserved space for EXT4 file system metadata and inodes. (~1% of
the total storage)
• Backups of Cassandra snapshot metadata.
• SDFS data that has been marked for garbage collection.
• Data written to active Live Mounts and for in-progress backups of
filesets and Managed Volumes.
• Every Rubrik cluster requires approximately 5% of the total capacity to
handle in-progress jobs and Cassandra snapshots.

Information type: Available storage
Description: Available space in the system.

Information type: Pending snapshots
Description: Ingested data before it is optimised into snapshots.

Viewing the Monitoring dashboard


View the Monitoring dashboard to see statistics for in-progress tasks, failed tasks, canceled tasks,
completed tasks, and scheduled tasks.

Context
The In Progress tab shows all tasks that are in progress across the cluster. The Failed, Canceled, and
Completed tabs show tasks from the previous 24 hours. The Scheduled tab shows all upcoming tasks.

Procedure
1. Log in to the Rubrik CDM web UI.
2. From the left-side menu, select Dashboard > Monitoring.

Result
The Monitoring dashboard appears.
Related reference
Monitoring dashboard details
The Monitoring dashboard displays information for in-progress tasks, failed tasks, canceled tasks,
completed tasks, and scheduled tasks, with a summary tab at the top.

Saving dashboard values in a CSV file


Download a CSV file that contains the table values from the Monitoring dashboard.

Context
Each tab on the monitoring dashboard offers the option to write table values to a CSV file.

Note: For in-progress tasks, the CSV file does not include the following UI table columns by design:
• Activity details
• Estimated time remaining
• Data size
• Data transferred
• Data remaining
For failed tasks, canceled tasks, completed tasks, and scheduled tasks, the corresponding CSV files do not
include activity details.

Procedure
1. Log in to the Rubrik CDM web UI.
2. From the left-side menu, select Dashboard > Monitoring.
3. Select a tab corresponding to task status.
Tabs include In Progress, Failed, Canceled, Completed, and Scheduled.
4. Optional: Apply one or more filters.
Filters restrict the number of rows in the output table.
5. Click Download CSV.

Result
The Rubrik cluster writes the values in the table to a CSV file, which is downloaded to the specified
download location.

Configuring email schedules for monitoring information


Specify recipients and schedules for emails containing monitoring information.

Procedure
1. Log in to the Rubrik CDM web UI.
2. From the left-side menu, select Dashboard > Monitoring.
3. Click Schedule.
The Schedule Monitoring dialog box appears.
4. In Email Address, type a valid email address.
To specify multiple recipients, use commas to separate each address.
5. Under Choose Monitoring Data, check the boxes specifying the task status the emails contain.
6. Optional: Clear the CSV box to omit the CSV file of report data from the report emails.
When configuring email schedules for monitoring information, each selected task status results in a
separate CSV file.
7. Specify the email schedule.
Rubrik CDM allows for multiple schedules.
• For daily emails, click Every Day at and select the time of day to send an email to each selected
recipient.
• For emails on specific days of the week, click Every Week on and select the days of the week.
• For monthly emails, select the date of the month and the time of day to send an email to each selected
recipient. Only one date can be selected.
8. Click + to add another schedule.
9. Click Schedule.

Result
Rubrik CDM sends emails to the recipients according to the determined schedules.

Monitoring dashboard details


The Monitoring dashboard displays information for in-progress tasks, failed tasks, canceled tasks,
completed tasks, and scheduled tasks, with a summary tab at the top.

Tab Name: In Progress
Description: Provides the following information for each in-progress task:
• Status (Active, Starting, Canceling)
The Status column also includes Pause or Resume buttons for pausing or
resuming fileset tasks while the data retrieval is in progress. These buttons can
also be used for pausing and resuming recovery tasks while writing data to the
NAS shares and hosts.
• Task Type (Recovery, Backup, Archival, Replication, Conversion, Log Archival, Log
Shipping, Log Backup, Log Replication)
• Name
• Location
• SLA Domain
• Activity Details (with a link to view a list of activities and a link to download
server logs)
• Start Time
• Elapsed
• Estimated Time Remaining
• Data Size
• Data Transferred
• Data Remaining
• Object Logical Size
• Retries
• Node Name
• Source Cluster
• Start Method (SLA Driven or On-Demand)

Tab Name: Failed
Description: Provides the following information for each failed task in the last 24 hours:
• Status (Failed)
• Task Type (Recovery, Backup, Archival, Replication, Conversion, Log Archival, Log
Shipping, Log Backup, Log Replication)
• Name
• Location
• SLA Domain
• Activity Details (with a link to view a list of activities and a link to download
server logs)
• Start Time
• End Time
• Duration
• Last Successful
• Next Task
• Object Logical Size
• Node Name
• Source Cluster
• Start Method (SLA Driven or On-Demand)

Tab Name: Canceled
Description: Provides the following information for each canceled task in the last 24 hours:
• Status (Canceled)
• Task Type (Recovery, Backup, Archival, Replication, Conversion, Log Archival, Log
Shipping, Log Backup, Log Replication)
• Name
• Location
• SLA Domain
• Activity Details (with a link to view a list of activities and a link to download
server logs)
• Start Time
• End Time
• Duration
• Last Successful
• Next Task
• Object Logical Size
• Node Name
• Source Cluster
• Start Method (SLA Driven or On-Demand)

Tab Name: Completed
Description: Provides the following information for each completed task in the last 24 hours:
• Status (Success, Warning)
• Task Type (Recovery, Backup, Archival, Replication, Conversion, Log Archival, Log
Shipping, Log Backup, Log Replication)
• Name
• Location
• SLA Domain
• Activity Details (with a link to view a list of activities and a link to download
server logs)
• Start Time
• End Time
• Duration
• Data Transferred
• Throughput
• Object Logical Size
• Node Name
• Source Cluster
• Start Method (SLA Driven or On-Demand)

Tab Name: Scheduled
Description: Provides the following information for each scheduled task:
• Status (icon only)
• Task Type (Backup, Archival, Replication, Log Archival, Log Shipping, Log
Backup, Log Replication)
• Name
• Location
• SLA Domain
• Activity Details (with a link to view a list of activities and a link to download
server logs)
• Start Time
• Last Successful
• First Full (Yes or No)
• Source Cluster

Viewing the Compliance dashboard


The Compliance dashboard provides information about backup compliance.

Procedure
1. Log in to the Rubrik CDM web UI.
2. From the left-side menu, select Dashboard > Compliance.

Result
The Compliance dashboard appears.
Related reference
Compliance dashboard details
The Compliance dashboard provides summary information across all objects, as well as information for
individual objects.

Select a snapshot range


The Compliance dashboard provides the status for a range of snapshots.
Select the snapshot range from the Snapshot Range menu of the Compliance dashboard. The snapshot
ranges include the last snapshot, last two snapshots, last three snapshots, or all snapshot options.
The snapshot range affects the calculation of the compliance status for each object, and affects the entries
in the Snapshot Present column.
The compliance summary tab at the top shows the number of objects that are in compliance and out of
compliance, based on the number of snapshots chosen for the range. The Rubrik cluster must have taken
all snapshots in the selected range according to the frequency specified in the SLA Domain, and they must
have completed successfully for the associated object to be counted as part of the In Compliance totals.
The associated object is reported as Out of Compliance if any snapshots in the range were missed.
For Snapshot Present to have a Yes entry, there must be at least one snapshot available that completed
successfully and was taken according to the frequency specified in the SLA Domain. Regardless of which
range is selected, there only needs to be one snapshot for the column to have a Yes value.
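
The range rule above can be modelled in a few lines. This is an added example, not code from the Rubrik guide or product: the `Expected` record, the range keys, and the sample objects are assumptions constructed for illustration. It shows how a narrow range can report an object as In Compliance while a wider range exposes a missed snapshot, and that Snapshot Present does not depend on the range.

```python
from dataclasses import dataclass

# Hypothetical keys for the Snapshot Range menu; value = snapshots inspected.
RANGE_SIZES = {"last": 1, "last_2": 2, "last_3": 3, "all": None}


@dataclass(frozen=True)
class Expected:
    """One snapshot the SLA Domain frequency called for (hypothetical record)."""
    due: str         # ISO 8601 UTC time the snapshot was due
    taken: bool      # taken according to the SLA Domain frequency
    succeeded: bool  # completed successfully

    @property
    def good(self):
        return self.taken and self.succeeded


def in_range(history, range_key):
    """Return the expected snapshots covered by the selected range, oldest first."""
    ordered = sorted(history, key=lambda s: s.due)
    size = RANGE_SIZES[range_key]
    return ordered if size is None else ordered[-size:]


def compliance_status(history, range_key):
    """In Compliance only if every snapshot in the range was taken and succeeded."""
    window = in_range(history, range_key)
    if not window:
        # Assumption: the section does not define a status for an empty history.
        raise ValueError("no expected snapshots yet; status is undefined in this model")
    return "In Compliance" if all(s.good for s in window) else "Out of Compliance"


def snapshot_present(history):
    """Yes if at least one good snapshot exists, regardless of the selected range."""
    return "Yes" if any(s.good for s in history) else "No"


def summarize(objects, range_key):
    """Build the summary categories for a mapping of object name to history."""
    statuses = {name: compliance_status(h, range_key) for name, h in objects.items()}
    total = len(statuses)
    compliant = sum(1 for s in statuses.values() if s == "In Compliance")

    def pct(n):
        return round(100.0 * n / total, 1) if total else 0.0

    return {
        "Total Protected Objects": total,
        "Objects In Compliance": compliant,
        "Objects Out of Compliance": total - compliant,
        "In Compliance (percent)": pct(compliant),
        "Out of Compliance (percent)": pct(total - compliant),
        "statuses": statuses,
    }


def _day(n, taken=True, succeeded=True):
    return Expected(f"2022-05-{n:02d}T01:00:00Z", taken, succeeded)


# Constructed sample data: one daily snapshot expected per object.
OBJECTS = {
    "vm-app01": [_day(21), _day(22), _day(23), _day(24)],
    "vm-db01": [_day(21), _day(22, taken=False, succeeded=False), _day(23), _day(24)],
    "fileset-hr": [_day(21), _day(22), _day(23), _day(24, succeeded=False)],
    "vm-new": [_day(24, succeeded=False)],
}

if __name__ == "__main__":
    for key in RANGE_SIZES:
        summary = summarize(OBJECTS, key)
        print(key, summary["Objects In Compliance"], "of", summary["Total Protected Objects"])
    for name, history in OBJECTS.items():
        print(name, "Snapshot Present:", snapshot_present(history))
```

In the sample, vm-db01 is In Compliance for the last snapshot and the last two snapshots but Out of Compliance for the last three, so a review that relies only on the narrowest range does not see the missed snapshot.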

Compliance dashboard details
The Compliance dashboard provides summary information across all objects, as well as information for
individual objects.

Information type: Summary
Description: Lists summary information for each of the following categories:
• Total Protected Objects
• Objects In Compliance
• Objects Out of Compliance
• In Compliance (percent)
• Out of Compliance (percent)

Information type: Individual data source
Description: Provides the following information for each data source on the local Rubrik cluster:
• Status, where green indicates in compliance and red indicates out of compliance.
• Name
• Location
• SLA Domain
• Latest Local Snapshot
• Snapshot Present
• Awaiting First Full
• Next Scheduled Snapshot
• Latest Replicated Snapshot
• Latest Archived Snapshot
• Replication Snapshot Lag

Viewing the CDP Performance dashboard


The CDP Performance dashboard provides information about objects that are protected by an SLA Domain
with Continuous Data Protection enabled.

Procedure
1. Log in to the Rubrik CDM web UI.
2. From the left-side menu of the Rubrik CDM web UI, select Dashboard > CDP Performance.

Result
The CDP Performance Monitoring page appears.

CDP Performance dashboard details


Information provided by the CDP Performance dashboard.

Column Heading: Name
Description: Name of the virtual machine.

Column Heading: Location
Description: Location of the virtual machine.

Column Heading: SLA Domain
Description: Name of the SLA Domain with CDP enabled.

Column Heading: CDP Local Status
Description: Status of CDP on the local cluster. Status can be:
• Not Enabled
• Pending
• Taking Snapshot
• Active
• Failed

Column Heading: CDP Replication Status
Description: Status of the replication process. Status can be:
• Not Enabled
• Failed
• Healthy
• Initializing

Column Heading: Replication Target
Description: The remote cluster specified in the SLA Domain with CDP enabled.

Column Heading: Local Recovery Point
Description: The most recent point to which a virtual machine can be recovered on a local
cluster.
When the recovery point is less than 60 seconds old, the display shows relative
times; for example, 10 seconds ago, or 35 seconds ago. Once the recovery point is
more than 60 seconds old, the display shows absolute time; for example, 6/24/19
3:20 PM.

Column Heading: Remote Recovery Point
Description: The most recent point to which a virtual machine can be recovered on a remote
cluster. This field is empty if replication is not enabled.
When the recovery point is less than 60 seconds old, the display shows relative
times; for example, 10 seconds ago, or 35 seconds ago. Once the recovery point is
more than 60 seconds old, the display shows absolute time; for example, 6/24/19
3:20 PM.

Column Heading: Latest Local Snapshot
Description: The time of the most recent snapshot.

Column Heading: CDP Healthy Percentage
Description: Defined as the amount of time CDP is healthy, divided by the amount of time CDP
is enabled. CDP is considered healthy when the Local CDP Status is Active. CDP is
considered enabled when the status is Active (taking snapshots according to the
CDP-enabled SLA), Taking Snapshot (taking a snapshot following a failure), and
Failed.
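
The CDP Healthy Percentage definition can be worked through on a status timeline. This is an added example, not code from the Rubrik guide or product: the event-list format, the function names, and the sample timeline are assumptions constructed for illustration. Only the status names and the healthy and enabled definitions come from the table above.

```python
from datetime import datetime, timezone

# Status sets taken from the definition in the table above.
HEALTHY = {"Active"}
ENABLED = {"Active", "Taking Snapshot", "Failed"}
ALL_STATUSES = ENABLED | {"Not Enabled", "Pending"}


def parse_time(text):
    """Parse a UTC timestamp such as 2022-05-24T00:10:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def seconds_per_status(events, window_end):
    """Sum the time spent in each CDP Local Status.

    events is a list of (timestamp, status) status changes in any order
    (hypothetical format); each status lasts until the next change or window_end.
    """
    for _, status in events:
        if status not in ALL_STATUSES:
            raise ValueError(f"unknown CDP Local Status: {status!r}")
    ordered = sorted((parse_time(t), status) for t, status in events)
    end = parse_time(window_end)
    if ordered and end < ordered[-1][0]:
        raise ValueError("window_end is earlier than the last status change")
    boundaries = [t for t, _ in ordered[1:]] + [end]
    totals = {}
    for (start, status), stop in zip(ordered, boundaries):
        totals[status] = totals.get(status, 0.0) + (stop - start).total_seconds()
    return totals


def cdp_healthy_percentage(events, window_end):
    """Healthy time divided by enabled time, as a percentage.

    Returns None when CDP was never enabled in the window, because the ratio
    is undefined. Pending and Not Enabled time counts toward neither term.
    """
    totals = seconds_per_status(events, window_end)
    enabled = sum(v for k, v in totals.items() if k in ENABLED)
    if enabled == 0:
        return None
    healthy = sum(v for k, v in totals.items() if k in HEALTHY)
    return round(100.0 * healthy / enabled, 2)


# Constructed sample timeline for one virtual machine.
TIMELINE = [
    ("2022-05-24T00:00:00Z", "Pending"),
    ("2022-05-24T00:10:00Z", "Taking Snapshot"),
    ("2022-05-24T00:30:00Z", "Active"),
    ("2022-05-24T06:30:00Z", "Failed"),
    ("2022-05-24T07:00:00Z", "Taking Snapshot"),
    ("2022-05-24T07:10:00Z", "Active"),
]
WINDOW_END = "2022-05-24T10:10:00Z"

if __name__ == "__main__":
    print(seconds_per_status(TIMELINE, WINDOW_END))
    print("CDP Healthy Percentage:", cdp_healthy_percentage(TIMELINE, WINDOW_END))
```

The sample has 540 healthy minutes out of 600 enabled minutes; the 10 minutes spent in Pending are excluded from the denominator.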

Viewing the System Performance dashboard


The System Performance dashboard provides information about the hardware system of the local Rubrik
cluster as well as information about each node.

Procedure
1. Log in to the Rubrik CDM web UI.
2. From the left-side menu, select Dashboard > System Performance.

Result
The System Performance dashboard appears.


System Performance dashboard details


The System Performance dashboard provides information about the hardware system of the local Rubrik
cluster as well as information about each node.

Information type: Cluster Hardware
Description: Lists information for each of the following hardware component types:
• Briks
• Nodes
• Cores
• Memory
• SSD
• HDD
Also, provides a link to the Nodes page, which lists the name, status, IP address,
and Brik ID for each node on the local Rubrik cluster.

Information type: Individual Node
Description: Provides the following information for each node on the local Rubrik cluster:
• Status
• Name
• IP address
• Brik ID
• CPU Utilization
• Data Received
• Data Transferred
• IOPS
• IO Throughput
In the Status column, the health of each node is represented by a simple visual
indicator: green means healthy, orange means needs attention, and red means
unhealthy.
In the upper-right corner, select Average or Maximum to filter the information for
CPU Utilization, Data Received, Data Transferred, IOPS, and IO Throughput. Select
a time range of Last Hour or Last 10 Minutes.

Viewing performance for a single node


From the System Performance dashboard, access a separate page with more information for a particular
node.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Dashboard > System Performance.
The System Performance page appears.
3. Click the name of a node.

Result
The page for that node appears, with a summary that includes the Brik ID, IP address, Memory, CPU
utilization, number of cores, and network speed. The page also includes a graph of network utilization for
the past hour, HDD status, and SSD status.

Viewing log backup status from the Databases dashboard


The Databases dashboard provides the date and time when the most recent snapshots and log backups
were taken for all Microsoft SQL and Oracle databases protected by Rubrik.

Procedure
1. Log in to the Rubrik CDM web UI.
2. From the left-side menu, select Dashboard > Databases.
3. Optional: Filter the log backups according to object type, object name, SLA Domain, and log backup
delay.

Result
The Log backup status dashboard appears.

Log backup status dashboard details


The Log backup status dashboard displays the status for all log backups.

Tab Name               Description
Object Name            Name of the database providing the backup.
Host/Instance          Name of the host or instance on which the database is running.
Object Type            Type of database, either Microsoft SQL or Oracle.
SLA Domain             The SLA domain used to protect the database.
Log backup frequency   Configured time for log backup frequency. Displays "N/A" if a database is in simple recovery mode and "Disabled" if the log backups are disabled.
Last database backup   Date and time of the most recent snapshot. Column includes a double-dash, "--", until the first successful database backup.
Latest Recovery Point  Date and time of the latest recovery point. Column includes a double-dash, "--", until a recovery point exists.
Log backup delay       Length of delay before acquiring a successful log backup. Because the value of this field depends on a former successful backup, this field remains blank until at least one successful backup exists. Log backup delay specifies No delay when the latest recovery point is null or when a Microsoft SQL database is in simple recovery mode.

Example: Log backup delay

For a backup frequency of 10 minutes, if the current time is 5:00 pm and the last backup was
taken at 4:00 pm, the log backup delay equals 50 minutes, which is one hour minus 10 minutes. In this
situation, backups were missed during the 50 minute period at: 4:10 pm, 4:20 pm, 4:30 pm, 4:40 pm,
4:50 pm, and 5:00 pm. The database was in compliance until 4:10 pm, and had a log backup delay of 1
minute at 4:11 pm.

Activity Log
The Activity Log contains log messages about standard tasks and notifications that are considered time
sensitive.
The Rubrik cluster creates notifications about tasks that the Rubrik cluster classifies as potentially
time-sensitive. Factors that determine this classification are:
• Task status indicates a possible issue
• Task was manually initiated
Notifications provide information in three status categories: Success, Warning, and Failure. Click on a
warning notification or on a failure notification to open an associated Rubrik CDM web UI dialog box or
Rubrik CDM web UI page that can be helpful in addressing the underlying issue.
The Rubrik CDM web UI provides Activity Log messages that describe the current state of tasks on the
local Rubrik cluster.
Activity Log messages furnish information about every task that is started on the local Rubrik cluster over
the past 90 days, including tasks that result in a notification.
The top bar of the Rubrik CDM web UI has a globe icon that links to the Activity log page. The globe icon
displays the number of messages added to the Activity Log since the last time the page was accessed.

Viewing Activity Log messages


View recent messages of the Activity Log to see the 15 most recent activity messages.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the globe icon on the top bar of the Rubrik CDM web UI.
The recent messages list of the Activity Log appears.
3. Scroll the list to see all of the most recent notifications.
4. On the recent messages list, click See all.
The Activity Log page appears.
5. Scroll the page to see the messages that the Rubrik cluster generated during the past 90 days.
6. Optional: Filter the Activity Log messages.
7. Optional: In Search by Name, type the name of a notification object.
For example, to view all Activity Log entries for a particular user account, type the name of the user
account in Search by Name.

Note: While partial word search is available when searching by object name, the full user name
should be entered to search by user name in the Activity Log page.

Result
The Rubrik CDM web UI shows matching results as characters are typed. Select one of the displayed
matches to view the Activity Log entries for that object.
Related tasks
Filtering messages
Filter the messages that appear on the Activity Log by status, data source type, message type, and date.
Related reference
Information provided by Activity Log messages
The Rubrik cluster provides detailed task information in the Activity Log messages.

Viewing error chains


View the chain of errors that caused an event to fail.

Context
When available, the web UI includes an error chain for messages with a Failure status.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the globe icon on the top bar of the Rubrik CDM web UI.
The recent messages list of the Activity Log appears.
3. On the recent messages list, click See all.
The Activity Log page appears.
4. From the Status filter menu, select Failure.
5. Optional: In Search by Name, type the name of a notification object.
For example, to view all Activity Log entries for a particular user account, type the name of the user
account in Search by Name.

Note: While partial word search is available when searching by object name, the full user name
should be entered to search by user name in the Activity Log page.

The Rubrik CDM web UI shows matching results as characters are typed.
6. Click on an activity in the log.
The Activity Detail dialog box for that activity appears.
7. Click the link under the Possible Cause heading.
The View chain of errors dialog box appears.

Result
The View chain of errors dialog box describes the sequence of errors that caused the event to fail.

Filtering messages
Filter the messages that appear on the Activity Log by status, data source type, message type, and date.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the globe icon on the top bar of the Rubrik CDM web UI.
The recent messages list of the Activity Log appears.
3. On the recent messages list, click See all.
The Activity Log page appears.
4. Click one of the filter menus and select a filter.
The Activity Log displays only messages that match the selected filter.
5. Optional: Select filters from more than one filter menu to further refine the visible notifications.
6. Optional: Click the X next to a filter menu to clear a selected filter.

Result
The Activity Log displays messages that match the selected filters.
Related reference
Activity Log filters
The Activity Log provides filters on four filter menus.

Viewing activity details


The Rubrik cluster provides detailed information for individual Activity Log messages through the Activity
Detail dialog box.

Context
The Activity Detail dialog box provides the status, the log message, and the timestamp of each task
involved in a selected activity.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the globe icon on the top bar of the Rubrik CDM web UI.
The recent messages list of the Activity Log appears.
3. On the recent messages list, click See all.
The Activity Log page appears.
4. Scroll the page to see the activity log.
5. Optional: Filter the Activity Log messages.
6. Optional: In Search by Name, type the name of a notification object.
For example, to view all Activity Log entries for a particular user account, type the name of the user
account in Search by Name.

Note: While partial word search is available when searching by object name, the full user name
should be entered to search by user name in the Activity Log page.

The Rubrik CDM web UI shows matching results as characters are typed. Select one of the displayed
matches to view the Activity Log entries for that object.
7. Click on an activity in the log.
The Activity Detail dialog box for that activity appears.
8. Optional: On the Activity Detail dialog box, click Download Logs.
The Rubrik cluster collects the logs that are relevant to the message, combines the logs in a zip file,
and provides a download link for that file.

Result
The Activity Detail dialog box provides detailed information for individual Activity Log messages.
Related tasks
Filtering messages
Filter the messages that appear on the Activity Log by status, data source type, message type, and date.
Related reference
Information provided by Activity Log messages
The Rubrik cluster provides detailed task information in the Activity Log messages.

Information provided by Activity Log messages


The Rubrik cluster provides detailed task information in the Activity Log messages.

Category Description
Status Icon representing the state of the task. The possible task states are:
• Canceled
• Failure
• In Progress
• Success
• Warning
• Queued
The Status column also includes Pause or Resume buttons for pausing or resuming
fileset tasks while the data retrieval is in progress. These buttons can also be used for
pausing and resuming recovery tasks while writing data to the NAS shares and hosts.

Name Name of the object that is the subject of the notification.


Message Message that provides a detailed description about the task and the task status.
Date Month, day, and time that the Rubrik cluster generated the message. The format is
M/DD H:MM{AM|PM} in the time zone of the Rubrik cluster.

Activity Log filters


The Activity Log provides filters on four filter menus.

Filter menu Description


Status Select a status to show only events that have that status type.
• Canceled – Event series with a status of canceled.
• Failure – Event series with a status of Failure.
• In Progress – Event series that are in progress. Includes the percent complete.
• Success – Event series with a status of Success.
• Warning – Event series with a status of Warning.
• Scheduled – Messages about scheduled tasks.

Object Select a type of object to show only notifications for that type.

Type Select a type to show only events of that type.
• Archive – Archive-related events.
• Backup – Backup and log backup related events.
• Configuration – Settings related to clusters, keys, network, LDAP, certificates,
subnets, web servers. Includes delete and refresh related events relating to different
object types.
• Conversion and Instantiation – All events related to processes, including launching,
cloud conversion, bolt operations, creating AWS images, and image readiness.
• Diagnostic – Events related to network interfaces and disks.
• Discovery – Events related to Oracle database discovery and real application
clusters.
• Index – Information on all indexing related events.
• Legal Hold – Events related to legal hold activities.
• Recovery – Events concerning data recovery tasks. Includes the statuses across
different object types.
• Replication – Events concerning replication tasks. Includes the statuses across
different object types.
• Upgrade – Events related to upgrades and upgrade statuses.
• User Activity – Events related to user activity.

Date Select a specified date range or configure a custom date range to show messages
generated during that date range.
• Last 2 Hours – Notifications that were generated in the previous 2 hours.
• Last 24 Hours – Notifications that were generated in the previous 24 hours.
• Last 7 Days – Notifications that were generated in the previous 7 days.
• Last 30 Days – Notifications that were generated in the previous 30 days.
• Custom Range – Notifications that were generated within a specified date range.

Related tasks
Specifying a custom date range
The Rubrik CDM web UI provides a custom date range filter in several views. Use this filter to show the
information that was generated during a specified date range.

Specifying a custom date range


The Rubrik CDM web UI provides a custom date range filter in several views. Use this filter to show the
information that was generated during a specified date range.

Procedure
1. Access the Notifications page, the Activity Log, or another view.
2. Click Filter Date > Custom Range.
The Filter By Custom Range dialog box appears.
3. On the left-side calendar, select a day as the earliest end-point of the date range.
The calendar date of the selected day appears in From Date.
4. In From Time, select an hour to mark the earliest hour of the day listed in From Date.
5. On the right-side calendar, select a day to mark the latest end-point of the date range.
The calendar date of the selected day appears in To Date.
6. In To Time, select an hour to mark the latest hour of the day listed in To Date.
7. Click Filter.

Result
The Rubrik CDM web UI displays only the information that was generated after the From Date at From
Time and before the To Date at To Time.

Chapter 30
The two-person rule

The two-person rule provides additional data security on Rubrik CDM by ensuring that no individual user
can perform key operations on data without the approval of a secondary user.
The two-person rule (TPR) prevents an individual from independently performing actions that affect critical
data on Rubrik clusters. To perform a proposed action on the Rubrik cluster, TPR requires the approval
of a secondary user with the required privileges. This adds a layer of security for valuable backup data
on a Rubrik cluster.
TPR configuration and enforcement require user accounts with the following roles:
• Global administrator
• TPR Admin
• TPR Approver
TPR enforcement begins when the global administrator configures TPR by enabling the feature on the
Rubrik cluster and creating a user account with the TPR Admin role. The global administrator can enable
TPR protection for a set of predefined actions.
While the global administrator can enable TPR protection for actions, disabling TPR protection requires an
approval from a TPR administrator. The TPR administrator is also responsible for creating additional user
accounts with the TPR Approver and TPR Admin roles.
Initiating a TPR-protected action generates a TPR request. A user account with the TPR Approver or TPR
Admin role can review, approve, or deny TPR requests.
Related Concepts
Initial TPR configuration
Configuring the two-person rule for the first time involves creating the first user account with the TPR
Admin role and enabling a policy that enforces the two-person rule on selected actions.
TPR roles
Enforcing the two-person rule on a Rubrik cluster requires assigning multiple roles that have specific
permissions.
Related reference
Actions protected by TPR
A global administrator can enable or disable the two-person rule protection for a predefined set of actions
on a Rubrik cluster. Disabling TPR protection for an action is subject to approval from a TPR administrator.

Initial TPR configuration


Configuring the two-person rule for the first time involves creating the first user account with the TPR
Admin role and enabling a policy that enforces the two-person rule on selected actions.
To start using the two-person rule (TPR) for additional data security, the global administrator must enable
the two-person rule on a Rubrik cluster. During initial configuration, the global administrator creates a new
user account with the TPR Admin role and specifies a TPR policy that lists predefined operations requiring
TPR approval.

Once TPR configuration is complete, only a TPR administrator can grant the TPR Admin and the TPR
Approver roles to additional user accounts.
By default, the TPR policy created during the initial configuration protects retention-locked SLA Domains
from being changed without the consent of a TPR approver. The global administrator can also modify the
TPR policy by enabling TPR for other actions during initial configuration.
Related Concepts
The two-person rule
The two-person rule provides additional data security on Rubrik CDM by ensuring that no individual user
can perform key operations on data without the approval of a secondary user.
Related Tasks
Enabling TPR
Process of enabling the two-person rule on a Rubrik cluster and creating a user account with the TPR
administrator role.
Related reference
Actions protected by TPR
A global administrator can enable or disable the two-person rule protection for a predefined set of actions
on a Rubrik cluster. Disabling TPR protection for an action is subject to approval from a TPR administrator.

Actions protected by TPR


A global administrator can enable or disable the two-person rule protection for a predefined set of actions
on a Rubrik cluster. Disabling TPR protection for an action is subject to approval from a TPR administrator.

Action                          Tasks that require TPR approval
Managing retention locks        • Disabling the retention lock feature on the Rubrik cluster
                                • Editing or reassigning a retention-locked SLA Domain with decreased retention or frequency
Reassigning SLA Domains         Changing the SLA Domain assigned to an object
Pausing protection              • Pausing protection globally for all objects on a Rubrik cluster
                                • Pausing protection at the SLA Domain level
                                Pausing protection at the object level does not require TPR approval.
Changing legal hold status      Removing or changing the legal hold status of snapshots
Deleting or expiring snapshots  Deleting or expiring snapshots
Changing NTP configuration      Adding or removing NTP servers to the Rubrik cluster
Editing SLA Domains             Changing the configuration of an SLA Domain assigned to an object

Related Concepts
Initial TPR configuration
Configuring the two-person rule for the first time involves creating the first user account with the TPR
Admin role and enabling a policy that enforces the two-person rule on selected actions.
Related Tasks
Enabling TPR
Process of enabling the two-person rule on a Rubrik cluster and creating a user account with the TPR
administrator role.
Managing actions protected by TPR
Process of enabling or disabling the two-person rule for selected actions on a Rubrik cluster.

Enabling TPR
Process of enabling the two-person rule on a Rubrik cluster and creating a user account with the TPR
administrator role.

Context
Only a global administrator can enable the two-person rule (TPR) on a Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. From Access Management, click Two-Person Rule.
The Two-Person Rule page appears.
4. Click Enable Two-Person Rule.
The Enable Two-Person Rule wizard starts and the Assign First Two-Person Rule Admin page appears.
5. Optional: In Username, edit the default username for the TPR administrator account.
Rubrik CDM provides a default value for the username that you can change when enabling TPR on the
Rubrik cluster.
6. In Email address, type an email address for the account.
7. In Password, type a secure password.
8. In Confirm Password, type the same password.
9. Optional: Click Enforce MFA Options.
Select this option to enable multi-factor authentication (MFA) for the TPR administrator account.
10. Click Next.
The Select Actions to Protect page of the Enable Two-Person Rule wizard appears.
11. Optional: Select an action to protect using TPR.
The Rubrik cluster allows the selection of actions even after TPR bootstrapping is complete.
Multiple actions can be selected.
12. Click Finish.
The Two-Person Rule Controlled Action page appears with a list of actions and the status of TPR for
each action.

Result
Rubrik CDM creates a new user account with the TPR administrator role and enables the two-person rule
protection for the selected actions.
Related Concepts
Initial TPR configuration
Configuring the two-person rule for the first time involves creating the first user account with the TPR
Admin role and enabling a policy that enforces the two-person rule on selected actions.
Related Tasks
Disabling TPR
Process of disabling the two-person rule on a Rubrik cluster.
Related reference
Actions protected by TPR
A global administrator can enable or disable the two-person rule protection for a predefined set of actions
on a Rubrik cluster. Disabling TPR protection for an action is subject to approval from a TPR administrator.

Adding TPR accounts


Process of creating user accounts with the TPR Admin or TPR Approver roles to monitor and manage TPR
requests.

Context
Only a TPR administrator can assign the TPR Admin and TPR Approver roles to user accounts.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. In Access Management, click Users.
The Users and Groups page appears.
4. Click Add Local User.
The Add Local User dialog box appears.
5. In Username, type a user name.
6. In Email Address, type a valid email address.
The Rubrik cluster uses the email address for notifications and alerts.
7. In Password, type a password for the new user account.
8. In Re-Enter Password, type the same password.
9. In Roles (optional), select a role.
Role         Description
TprAdmin     Assigns the TPR Admin role to the user account.
TprApprover  Assigns the TPR Approver role to the user account.
10. Optional: Enable Enforce Multifactor Authentication.
Select this option to enable multi-factor authentication (MFA) for the new user account.
11. Click Add.

Result
The Rubrik cluster adds a new user account with the selected role to monitor and manage TPR requests.
Related Concepts
The two-person rule
The two-person rule provides additional data security on Rubrik CDM by ensuring that no individual user
can perform key operations on data without the approval of a secondary user.
TPR roles
Enforcing the two-person rule on a Rubrik cluster requires assigning multiple roles that have specific
permissions.

TPR roles
Enforcing the two-person rule on a Rubrik cluster requires assigning multiple roles that have specific
permissions.
Rubrik CDM uses three different roles to enforce the two-person rule (TPR) on a Rubrik cluster. These roles
can be assigned to individual user accounts or groups.
A user account with the global administrator role configures TPR on a Rubrik cluster for the first time by
creating a user account with the TPR Admin role along with the first TPR policy. Once TPR is configured,
only a TPR administrator can grant the TPR Admin role to additional user accounts.
The global administrator can also configure notification settings to send email notifications to user
accounts with TPR roles when TPR-related events occur on the Rubrik cluster. By default, the global
administrator receives all email notifications related to TPR events.
A user account with the TPR Admin role is responsible for configuring TPR options and managing TPR
policy change requests initiated by the global administrator. The TPR administrator also creates and
manages user accounts with the TPR Approver and TPR Admin roles.
A user with the TPR Approver role can review, approve, or deny the TPR requests that are initiated when a
TPR-protected action is performed by an RBAC user account.
User accounts with the TPR Admin or TPR Approver roles cannot have any other roles assigned to them.
User accounts with any role other than TPR administrator, TPR approver, or global administrator
can request to perform actions protected by TPR on the Rubrik cluster.
The following guidelines can help achieve maximum security from TPR enforcement:
• A user account with the TPR Admin role should not have the TPR Approver role as well, and vice versa.
• At any time, the Rubrik cluster should have at least one user account with the TPR Admin role.
• At any time, the Rubrik cluster should have at least one user account with the TPR Approver role.
• The global administrator should configure the notification settings for the user accounts with TPR roles
to receive notifications about all TPR events.
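The role constraint and guidelines above can be checked mechanically against an export of user accounts. The following Python check is an added example, not Rubrik code: the Account record, its tpr_notifications flag, the finding codes, and the BackupOperator role are assumptions, the sample accounts are constructed, and only the TprAdmin and TprApprover role names come from this guide.

```python
from dataclasses import dataclass

# Role names as they appear in the Add Local User dialog in this guide.
TPR_ADMIN = "TprAdmin"
TPR_APPROVER = "TprApprover"
TPR_ROLES = frozenset({TPR_ADMIN, TPR_APPROVER})


@dataclass(frozen=True)
class Account:
    """Hypothetical export record for one user account (not a Rubrik API type)."""
    username: str
    roles: frozenset
    tpr_notifications: bool = False  # assumed flag: receives email for TPR events


def audit_tpr_accounts(accounts):
    """Return sorted (subject, finding) pairs for every rule that is not met."""
    findings = set()
    for acct in accounts:
        held = acct.roles & TPR_ROLES
        if not held:
            continue  # accounts without a TPR role are out of scope for this audit
        # Guideline: one account should not be both TPR Admin and TPR Approver.
        if held == TPR_ROLES:
            findings.add((acct.username, "holds-both-tpr-roles"))
        # Constraint: TPR role accounts cannot have any other roles assigned.
        if acct.roles - TPR_ROLES:
            findings.add((acct.username, "tpr-role-mixed-with-other-roles"))
        # Guideline: TPR role accounts should receive notifications for TPR events.
        if not acct.tpr_notifications:
            findings.add((acct.username, "tpr-notifications-not-configured"))
    # Guidelines: the cluster should always have at least one holder of each role.
    for role, code in ((TPR_ADMIN, "no-tpr-admin"), (TPR_APPROVER, "no-tpr-approver")):
        if not any(role in acct.roles for acct in accounts):
            findings.add(("<cluster>", code))
    return sorted(findings)


# Constructed sample data; "BackupOperator" is a placeholder role name.
SAMPLE_ACCOUNTS = [
    Account("tpr-admin-1", frozenset({TPR_ADMIN}), tpr_notifications=True),
    Account("alice", frozenset({TPR_ADMIN, TPR_APPROVER}), tpr_notifications=True),
    Account("bob", frozenset({TPR_APPROVER, "BackupOperator"})),
    Account("carol", frozenset({"BackupOperator"})),
]

if __name__ == "__main__":
    for subject, finding in audit_tpr_accounts(SAMPLE_ACCOUNTS):
        print(f"{subject}: {finding}")
```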
Related Concepts
The two-person rule
The two-person rule provides additional data security on Rubrik CDM by ensuring that no individual user
can perform key operations on data without the approval of a secondary user.
Related Tasks
Configuring event email settings
Specify the types of events and the recipients for event notifications that are sent through email.
Related reference
Global administrator role details
A user account with the global administrator role has specific permissions in the two-person rule context.

Global administrator role details


A user account with the global administrator role has specific permissions in the two-person rule context.
The following table lists the TPR-related permission grants for a global administrator.

Permission                          Grant
Enable TPR on the Rubrik cluster    Permitted
Disable TPR on the Rubrik cluster   Permitted to request the TPR administrator to disable TPR on the Rubrik cluster
Enable TPR protection for actions   Permitted
Disable TPR protection for actions  Permitted to request the TPR administrator to disable TPR on the Rubrik cluster
Perform actions protected by TPR    Permitted
Approve TPR request                 Not permitted
Assign TPR roles                    Not permitted, except during initial configuration of TPR
Update TPR options                  Permitted
Configure email notification settings for user accounts with TPR roles  Permitted
Bypass TPR requirement on actions   Not permitted

Related Tasks
Enabling TPR
Process of enabling the two-person rule on a Rubrik cluster and creating a user account with the TPR
administrator role.
Managing actions protected by TPR
Process of enabling or disabling the two-person rule for selected actions on a Rubrik cluster.
Disabling TPR
Process of disabling the two-person rule on a Rubrik cluster.
Related reference
TPR Admin role details
A user account with the TPR Admin role has specific permissions in the two-person rule context.
TPR Approver role details
A user account with the TPR Approver role is responsible for approving or denying TPR requests.

Managing actions protected by TPR


Process of enabling or disabling the two-person rule for selected actions on a Rubrik cluster.

Prerequisites
Enable two-person rule (TPR) on the Rubrik cluster, as described in Enabling TPR.

Context
Only a global administrator can enable TPR protection for selected actions. To disable TPR protection for
actions, a global administrator must submit a TPR request that only a TPR administrator can approve.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. From Access Management, select Two-Person Rule.
The Two-Person Rule Controlled Actions page appears.
4. In Action Group Name, select the action to manage.
Multiple actions can be selected.
5. (For enabling TPR) Click Enable.
6. (For disabling TPR) Click Disable.
The Submit Two-Person Rule Request dialog box appears.
7. Optional: (For disabling TPR) Type additional comments to describe the TPR request.
8. (For disabling TPR) Click Submit.

Result
Based on the selections, the global administrator enables TPR or submits a TPR request to disable TPR for
the selected actions. The Activity Log lists the events associated with the request.
Related Concepts
Activity Log
The Activity Log contains log messages about standard tasks and notifications that are considered time
sensitive.
Related reference
Global administrator role details
A user account with the global administrator role has specific permissions in the two-person rule context.

Disabling TPR
Process of disabling the two-person rule on a Rubrik cluster.

Context
Only a global administrator can request the TPR administrator to disable the two-person rule (TPR) on a
Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. From Access Management, select Two-Person Rule.
The Two-Person Rule Controlled Actions page appears.
4. From the ellipsis menu on the page bar, click Disable Two-Person Rule.
The Manage Two-Person Rule dialog box appears.
5. Click Disable.
The Submit Two-Person Rule Request dialog box appears.
6. Optional: Type additional comments to describe the TPR request.
7. Click Submit.

Result
The global administrator submits a TPR request to disable TPR on the Rubrik cluster. The Activity Log lists
the events associated with the request.
Related Tasks
Enabling TPR
Process of enabling the two-person rule on a Rubrik cluster and creating a user account with the TPR
administrator role.

TPR Admin role details


A user account with the TPR Admin role has specific permissions in the two-person rule context.
The following table lists the TPR-related permission grants for a TPR administrator.

Permission                          Grant
Enable TPR on the Rubrik cluster    Not permitted
Disable TPR on the Rubrik cluster   Permitted to approve request from global administrator
Enable TPR protection for actions   Not permitted
Disable TPR protection for actions  Permitted to approve request from global administrator
Perform actions protected by TPR    Not permitted
Approve TPR request                 Permitted
Assign TPR roles                    Permitted
Update TPR options                  Permitted
Bypass TPR requirement on actions   Not permitted

Related reference
TPR Approver role details
A user account with the TPR Approver role is responsible for approving or denying TPR requests.
Global administrator role details
A user account with the global administrator role has specific permissions in the two-person rule context.

TPR Approver role details


A user account with the TPR Approver role is responsible for approving or denying TPR requests.
The following table lists the permission grants for a TPR approver with respect to the
two-person rule (TPR).

Permission                          Grant
Enable TPR on the Rubrik cluster    Not permitted
Disable TPR on the Rubrik cluster   Permitted to approve request from global administrator
Enable TPR protection for actions   Not permitted
Disable TPR protection for actions  Permitted to approve request from global administrator
Perform actions protected by TPR    Not permitted
Approve TPR request                 Permitted
Assign TPR roles                    Not permitted
Update TPR options                  Not permitted
Bypass TPR requirement on actions   Not permitted

Related reference
TPR Admin role details
A user account with the TPR Admin role has specific permissions in the two-person rule context.
Global administrator role details
A user account with the global administrator role has specific permissions in the two-person rule context.

TPR requests
Performing an action that is protected by the two-person rule on a Rubrik cluster creates a two-person rule
request.
Only user accounts that are not assigned the TPR Admin or TPR Approver role can create two-person
rule (TPR) requests by initiating actions protected by TPR. TPR administrators and approvers can only
approve or deny the TPR requests.
The Rubrik CDM web UI lists all the TPR requests on a page, with their details such as the requester, the
time at which the request was made, the expiry time, the description of the request, and the request
status.
The TPR Requests page provides options to approve or deny the requests when a TPR administrator or
approver is logged in to the Rubrik CDM web UI. For all other user accounts, the page provides an option
to cancel a request if the request was generated by the currently logged-in user account.
By default, TPR requests expire after seven days. Global administrators and TPR administrators have the
ability to change this configuration.
Related Tasks
Viewing TPR requests
Process of viewing detailed information about all the TPR requests on the Rubrik cluster.
Managing TPR requests
Only user accounts with TPR Admin or TPR Approver roles can approve or deny TPR requests.
Canceling TPR requests
The user that initiated a TPR request can cancel that request while the request is pending.
Updating the TPR options
Process of updating the number of days for which a TPR request can stay in the pending state before it
expires.
Related reference
TPR request details
The TPR Requests page displays detailed information about the TPR requests on the Rubrik cluster.

TPR request details


The TPR Requests page displays detailed information about the TPR requests on the Rubrik cluster.
The TPR Requests page displays the following details for each two-person rule (TPR) request. The page
also provides options to filter the requests by time and status.

Request detail | Description
Action | The action that initiated this TPR request.
Requestor | The name of the user account that initiated this TPR request.
Last Changed | The timestamp of the last change on the request. This displays the time this request was created, if the request has not changed since then.
Expires On | The timestamp when the request will expire. This is calculated using the request expiration timeout configured for the Rubrik cluster. The default value is seven days from the request creation date.
Requested Change | The description of the action that requires TPR approval.
Status | The current state of the request:
• Pending: Request submitted and pending action from a TPR approver.
• Expired: Request expired without any action from a TPR approver.
• Denied: Request denied by the TPR approver.
• Canceled: Request canceled by the requester.
• Scheduled: Request approved and queued for implementation by the system.
• Unauthorized: Request approved, but could not be completed due to change in authorization status of the requester during the time between request initiation and request approval.
• Failed: Request could not be completed by the system.
• Done: Request successfully completed.
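The request lifecycle described above, modeled as a small state machine to show where the role checks and the approval-time re-check of the requester sit. This is an added example, not Rubrik code: the role names, status names and seven-day default come from the guide, while the class names, the `authorized_actions` set and the sample accounts are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum

# Role names and the seven-day default come from the guide; the classes and
# the authorized_actions set are a hypothetical model, not the product's API.
TPR_ROLES = {"TPR Admin", "TPR Approver"}
DEFAULT_EXPIRY_DAYS = 7


class Status(Enum):
    PENDING = "Pending"
    EXPIRED = "Expired"
    DENIED = "Denied"
    CANCELED = "Canceled"
    SCHEDULED = "Scheduled"
    UNAUTHORIZED = "Unauthorized"
    FAILED = "Failed"
    DONE = "Done"


@dataclass
class User:
    name: str
    roles: set
    # Hypothetical stand-in for the requester's current grants on the cluster.
    authorized_actions: set = field(default_factory=set)


@dataclass
class TprRequest:
    action: str
    requester: User
    created: datetime
    expiry_days: int = DEFAULT_EXPIRY_DAYS
    status: Status = Status.PENDING
    last_changed: datetime = None

    def __post_init__(self):
        # TPR admins and approvers can only approve or deny, never request.
        if self.requester.roles & TPR_ROLES:
            raise PermissionError("TPR Admin/Approver accounts cannot create requests")
        self.last_changed = self.created  # "Last Changed" starts as the creation time

    @property
    def expires_on(self):
        return self.created + timedelta(days=self.expiry_days)

    def _set(self, status, when):
        self.status, self.last_changed = status, when

    def refresh(self, now):
        """Move a Pending request to Expired once the timeout has passed."""
        if self.status is Status.PENDING and now >= self.expires_on:
            self._set(Status.EXPIRED, self.expires_on)
        return self.status

    def _decide(self, actor, now):
        if not actor.roles & TPR_ROLES:
            raise PermissionError("only TPR Admin or TPR Approver can approve or deny")
        if self.refresh(now) is not Status.PENDING:
            raise ValueError(f"request is {self.status.value}, not Pending")

    def approve(self, approver, now):
        self._decide(approver, now)
        # Re-check the requester at approval time, not only at submission:
        # a grant revoked in between yields Unauthorized instead of Scheduled.
        ok = self.action in self.requester.authorized_actions
        self._set(Status.SCHEDULED if ok else Status.UNAUTHORIZED, now)
        return self.status

    def deny(self, approver, now):
        self._decide(approver, now)
        self._set(Status.DENIED, now)
        return self.status

    def cancel(self, actor, now):
        # Only the account that created the request may cancel it, while Pending.
        if actor is not self.requester:
            raise PermissionError("only the requester can cancel")
        if self.refresh(now) is not Status.PENDING:
            raise ValueError(f"request is {self.status.value}, not Pending")
        self._set(Status.CANCELED, now)
        return self.status

    def complete(self, succeeded, now):
        """System step after approval: Scheduled becomes Done or Failed."""
        if self.status is not Status.SCHEDULED:
            raise ValueError("only Scheduled requests are executed")
        self._set(Status.DONE if succeeded else Status.FAILED, now)
        return self.status


if __name__ == "__main__":
    t0 = datetime(2022, 5, 25, 9, 0)  # constructed sample data
    ops = User("ops", {"Backup Operator"}, {"delete_snapshot"})
    sec = User("sec", {"TPR Approver"})
    req = TprRequest("delete_snapshot", ops, t0)
    print(req.expires_on, req.approve(sec, t0 + timedelta(days=1)).value)
```

Because a requester can never hold a TPR role and an approver must hold one, the model also guarantees that the approving account is never the requesting account.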

Related Tasks
Viewing TPR requests
Process of viewing detailed information about all the TPR requests on the Rubrik cluster.
Updating the TPR options
Process of updating the number of days for which a TPR request can stay in the pending state before it
expires.

Viewing TPR requests


Process of viewing detailed information about all the TPR requests on the Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Two Person Rule > TPR Requests.
The TPR Requests page appears.
3. In Action, click on a TPR request entry.
The TPR Request Detail page appears, with the details of the request submission and the status
changes.

Result
The Rubrik CDM web UI displays the TPR requests along with the status details.
Related reference
TPR request details
The TPR Requests page displays detailed information about the TPR requests on the Rubrik cluster.

Managing TPR requests


Only user accounts with TPR Admin or TPR Approver roles can approve or deny TPR requests.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Two Person Rule > TPR Requests.
The TPR Requests page appears.
3. From the ellipsis menu of the TPR request, select an action.
Action | Description
Approve | Approves the pending TPR request. The requested action or change is then performed.
Deny | Denies the pending TPR request.
Based on the selected action, the Approve TPR Request or the Deny TPR Request dialog box appears.
4. Optional: In Additional comments, type the reason for the action selected.
5. (For Approve TPR Request) Click Approve Request.
6. (For Deny TPR Request) Click Deny Request.

Result
The Rubrik cluster performs the requested action for the TPR request and updates the status on the TPR
Requests page. The Activity Log also lists the action taken by the TPR administrator or TPR approver on
the TPR request.
Related Concepts
TPR requests
Performing an action that is protected by the two-person rule on a Rubrik cluster creates a two-person rule
request.

Canceling TPR requests


The user that initiated a TPR request can cancel that request while the request is pending.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, click Two Person Rule > TPR Requests.
The TPR Requests page appears.
3. From the ellipsis menu of the TPR request, click Cancel Request.
The Cancel TPR Request dialog box appears.
4. Optional: In Additional comments about the request, type the reason for cancellation.
5. Click Yes.

Result
The Rubrik cluster cancels the TPR request and updates the status on the TPR Requests page. The Activity
Log also lists the action taken on the TPR request.

Related Concepts
TPR requests
Performing an action that is protected by the two-person rule on a Rubrik cluster creates a two-person rule
request.

Updating the TPR options


Process of updating the number of days for which a TPR request can stay in the pending state before it
expires.

Context
User accounts with global administrator or TPR administrator roles can configure TPR options.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. From Access Management, select Two-Person Rule.
The Two-Person Rule Controlled Actions page appears.
4. From the ellipsis menu on the page bar, click TPR Options.
The TPR Options dialog box appears.
5. In Enter custom time, enable the toggle.
The Set new time field appears.
6. In Set new time, type a number.
The number specifies the number of days for which the TPR request can stay in the pending state
without reaching expiration.
7. Click Save.

Result
The Rubrik cluster saves the new value of the duration for which the TPR request remains valid. The
Activity Log also lists the summary of the configuration change.
Related Concepts
TPR requests
Performing an action that is protected by the two-person rule on a Rubrik cluster creates a two-person rule
request.

Appendix A
Ports

Ports
Rubrik CDM has specific port requirements.

Port/Protocol | Source | Destination | Description
22 TCP | Local client or cloud instance | Rubrik cluster | Provides the ability to launch an SSH session for support and administration.
25 TCP | Rubrik cluster | Email server | Allows the Rubrik cluster to send email alerts to administrators. Only required when the email server supports this port.
53 UDP | Rubrik cluster | DNS server | Permits hostname resolution.
80 TCP | Web UI clients | Rubrik cluster | Handles redirection of web UI clients to HTTPS.
88 TCP/UDP | Rubrik cluster | Active Directory server | Permits Kerberos communication for SMB security. Also required for any Active Directory integration that was configured before Rubrik CDM 4.2.
111 TCP | 1. VMware ESXi hosts; 2. Oracle database host; 3. SAP HANA database host | 1. Rubrik cluster; 2. Rubrik cluster; 3. Rubrik cluster | 1. Provides an NFS datastore for ESXi hosts. 2. Provides NFS access to Managed Volumes. 3. Provides NFS access to Managed Volumes.
123 UDP | Rubrik cluster | NTP server | Provides access to network time protocol (NTP) servers for time synchronization.
123 UDP | Rubrik cluster | Rubrik cluster | Allows NTP synchronization across nodes of a cluster.
137 UDP | 1. Rubrik cluster; 2. SQL Live Mount host; 3. Hyper-V Server; 4. Windows host | Rubrik cluster | For the respective item in the Source column: 1. Required for NTLM authentication. 2. Required for Live Mount SQL databases. 3. Supports communication with SMB. 4. Supports Volume Group backup using SMB. Provides access to Samba share during backup, export, and live mounts. However, these are necessary for Samba only for NetBIOS over TCP.
138 UDP | 1. Rubrik cluster; 2. SQL Live Mount host; 3. Hyper-V Server; 4. Windows host | Rubrik cluster | For the respective item in the Source column: 1. Required for NTLM authentication. 2. Required for Live Mount SQL databases. 3. Supports communication with SMB. 4. Supports Volume Group backup using SMB. Provides access to Samba share during backup, export, and live mounts. However, these are necessary for Samba only for NetBIOS over TCP.
139 TCP | 1. Rubrik cluster; 2. SQL Live Mount host; 3. Hyper-V Server; 4. Windows host | Rubrik cluster | For the respective item in the Source column: 1. Required for NTLM authentication. 2. Required for Live Mount SQL databases. 3. Supports communication with SMB. 4. Supports Volume Group backup using SMB. Provides access to Samba share during backup, export, and live mounts. However, these are necessary for Samba only for NetBIOS over TCP.
161 UDP | SNMP manager | Rubrik cluster | Allows the Rubrik cluster to receive SNMP requests.
162 UDP | Rubrik cluster | SNMP trap receiver | Allows the Rubrik cluster to send SNMP traps for notifications.
389 TCP | Rubrik cluster | Active Directory Server or LDAP Server | Permits LDAP communication for SMB security and LDAP Servers.
443 TCP |  |  | Uses for secure port 443 TCP describes all uses of secure port 443 TCP.
445 TCP | 1. Rubrik cluster; 2. SQL Live Mount host; 3. Hyper-V Server; 4. Windows host | 1. Active Directory Server; 2. Rubrik cluster; 3. Rubrik cluster; 4. Rubrik cluster | 1. Required for NTLM authentication. 2. Required for Live Mount SQL databases. 3. Supports communication with SMB. 4. Supports Volume Group backup using SMB.
464 TCP/UDP | Rubrik cluster | Active Directory server | Permits Kerberos password set/change communication for SMB security.
465 TCP | Rubrik cluster | Email server | Allows the Rubrik cluster to send email alerts to administrators. Only required when the email server supports this port.
514 TCP | Rubrik cluster | Syslog server | Allows syslog communication to send system notifications to a remote syslog server.
587 TCP | Rubrik cluster | Email server | Allows the Rubrik cluster to send email alerts to administrators. Only required when the email server supports this port.
623 UDP | Remote management tool | IPMI on Rubrik node | Provides access to the IPMI system on a Rubrik node.
636 TCP | Rubrik cluster | Active Directory server or LDAP server | Permits secure LDAP (LDAPS) communication for SMB security and LDAP servers.
860 TCP/UDP | Rubrik cluster | iSCSI targets | Permits iSCSI data transfers for Nutanix AHV.
902 TCP | Rubrik cluster | VMware ESXi hosts | Permits network block device (NBD) data transfers.
1514 TCP | CDP Filter | Rubrik cluster | Used by the CDP Filter to transmit IOs from the virtual disks to the Rubrik cluster.
1515 TCP | CDP Log Receiver Service (LRS) | CDP Metadata Service (MDS) | Used by CDP LRS to call APIs provided by CDP MDS. Used for internal communication on the Rubrik cluster.
1516 TCP | CDP MDS | CDP LRS | Used by CDP MDS to call APIs provided by CDP LRS. Used for internal communication on the Rubrik cluster.
2002 TCP | 1. Cloud (AWS or Azure); 2. Rubrik cluster; 3. Bolt-subnet | 1. Rubrik cluster; 2. Bolt-subnet; 3. Rubrik cluster | 1. Allows secure communication with the cloud provider. 2. Required for cloud consolidation. Replace Bolt-subnet with the CIDR range of the network subnet used by Bolt. 3. Required for cloud consolidation. Replace Bolt-subnet with the CIDR range of the network subnet used by Bolt.
2013 TCP | Rubrik cluster | Rubrik cluster | Allows sharing of statistics between the nodes of a Rubrik cluster.
2014 TCP | Rubrik cluster | Rubrik cluster | Allows sharing of statistics between the nodes of a Rubrik cluster.
2015 TCP | Rubrik node | Rubrik node | Used in restoring metadata from backups.
2200 TCP | Rubrik node | Rubrik node | Allows node-to-node SSH communication during upgrade.
2049 TCP | Rubrik cluster | NFS server | Permits communication with a NAS device that is being used as an archival location.
2049 TCP/UDP | 1. VMware ESXi hosts; 2. Oracle database host; 3. SAP HANA database host | 1. Rubrik cluster; 2. Rubrik cluster; 3. Rubrik cluster | 1. Allows contact with the NFS daemon running on the Rubrik cluster for Live Mount operations. 2. Allows contact with the NFS daemon running on the Rubrik cluster for Live Mount of Managed Volume snapshots. 3. Allows contact with the NFS daemon running on the Rubrik cluster for Live Mount of Managed Volume snapshots.
2074 TCP | Rubrik cluster | Nutanix cluster | Permits secure communication between the Rubrik cluster and the Nutanix Guest Agent (NGA). The NGA publishes information such as guest OS type, status of VM mobility and VSS services, and more.
3205 TCP/UDP | Rubrik cluster | iSCSI targets | Permits iSCSI data transfers for Nutanix AHV.
3260 TCP | Rubrik cluster | iSCSI targets | Permits iSCSI data transfers for Nutanix AHV.
3268 TCP | Rubrik cluster | Active Directory Global Catalog server | Permits LDAP communication for LDAP servers.
3269 TCP | Rubrik cluster | Active Directory Global Catalog server | Permits secure LDAP (LDAPS) communication for LDAP servers.
5353 UDP | Rubrik node | Rubrik node | Allows zeroconf node discovery.
5766-5767 TCP (also 26257) | Rubrik cluster | Rubrik cluster | Allows process arbitration for CockroachDB encrypted traffic between nodes of a Rubrik cluster.
5900 TCP | VNC client | IPMI on Rubrik node | Permits a virtual networking connection with the IPMI interface on a Rubrik node.
7096 TCP | Rubrik cluster | Rubrik cluster | Permits communication between Rubrik clusters using the Rubrik Backup Service.
7781 TCP | Rubrik cluster | Rubrik cluster | Permits the Rubrik cluster to load basic software and configuration information (bootstrap) during cluster configuration.
7784 TCP | Rubrik node | Rubrik node | Permits TLS over TCP communication between nodes within a Rubrik cluster.
7785 TCP | 1. Replication source; 2. Replication target; 3. Bolt subnet; 4. Rubrik cluster; 5. Rubrik cluster | 1. Replication target; 2. Replication source; 3. Bolt subnet; 4. Converter; 5. Bolt | 1. Replication data transmission. 2. Replication data transmission. 3. Converter to Bolt, Bolt to Converter. 4. CIDR for Bolt subnet is the network CIDR range for the subnet that Bolt runs on in the cloud. The Converter and Bolt run in the same subnet, so traffic must be allowed between them. 5. Enables the Rubrik cluster to communicate with the Bolt Converter. In the specific case of the Rubrik Replication feature, CDP IO data is pushed to the Replication target based on the SLA Configuration.
7790 TCP | Rubrik node | Rubrik node | Enables node-to-node communication related to the remote cluster service.
8011 TCP | Rubrik Envoy | Rubrik cluster | Establishes a TLS connection between the Rubrik cluster and Rubrik Envoy to handle proxy communication between the Rubrik cluster and a protected object.
8082, 8086 TCP | Rubrik node | Rubrik node | Allows communication with InfluxDB.
8077 TCP | 1. Rubrik cluster; 2. Bolt-subnet | 1. Bolt-subnet; 2. Rubrik cluster | 1. Required for cloud consolidation. Replace Bolt-subnet with the CIDR range of the network subnet used by Bolt. 2. Required for cloud consolidation. Replace Bolt-subnet with the CIDR range of the network subnet used by Bolt.
8080 TCP | Rubrik node | Isilon | Allows communication for NAS vendor API integration.
8081 TCP | Rubrik node | Rubrik node | Allows node-to-node communication to the Graphite web server.
9440 TCP | Nutanix cluster | Rubrik cluster | Permits communication between Nutanix Cluster and the Rubrik cluster.
9638 TCP | Rubrik Node | Rubrik Node | Allows node-to-node communication for the Rubrik data service to perform maintenance operations for SAP HANA workloads, for example, snapshot expiry or cleanup.
9639 TCP | SAP HANA host | Rubrik cluster | Allows data ingestion from the SAP HANA host to the Rubrik data service.
10000 TCP | Rubrik cluster | Rubrik cluster | Allows sharing of Rubrik cluster file system (SDFS) data between the nodes of a Rubrik cluster.
10001 TCP | Rubrik node | Rubrik node | Allows node-to-node SDFS communication.
12800-12801 TCP | Rubrik cluster | 1. Physical Linux or Unix host; 2. Windows Server host; 3. Hyper-V host | 1. Allows contact with the Rubrik Backup Service software on the Linux or Unix host. 2. Allows contact with the Rubrik Backup Service software on the Windows Server host. 3. Allows contact with the Rubrik Backup Service software on the Hyper-V host.
18082 TCP | Rubrik cluster | QStar host | Required for archiving to QStar tape archive. Remote Admin (C:\qstar\bin\admin.exe) listens on the QStar host.
26257 TCP (also 5766-5767) | Rubrik cluster | Rubrik cluster | Allows process arbitration for CockroachDB encrypted traffic between the nodes of a Rubrik cluster.
32764-32769 TCP/UDP | 1. General NFS client; 2. VMware ESXi host; 3. Oracle database host; 4. SAP HANA database host | 1. Rubrik cluster; 2. Rubrik cluster; 3. Rubrik cluster; 4. Rubrik cluster | 1. Required for all NFS protocol Live Mounts of Managed Volumes on a Rubrik cluster. Rubrik clusters limit the allocated port range for Managed Volumes and for the mountd, statd, lockd, and rquotad services to this inbound TCP/UDP port range. Also required for Oracle data sources, which use these ports when mounting exports on the NFS client. 2. Provides an NFS datastore for ESXi hosts. 3. Provides NFS access to Managed Volumes. 4. Provides NFS access to Managed Volumes.

58000 TCP Compute gateway Rubrik cluster IPs or Rubrik HotAdd Proxy IPs or subnet.
subnet

To provide the full range of Rubrik cluster features, the Rubrik cluster must be allowed to connect to
the ports listed in Uses for secure port 443 TCP. This list excludes communication for replication and
communication for archival activity.
Related reference
Uses for secure port 443 TCP
Rubrik CDM uses TCP port 443 for secure transmissions in a number of contexts.

Additional network requirements


To provide IPMI management information, Rubrik nodes must be able to receive packets sent from a local
ping program.
Firewalls must be configured to permit traffic that uses the ECHO protocol. The ability to ping a node
permits an administrator to determine if the node address exists and if the node can accept requests.

Uses for secure port 443 TCP


Rubrik CDM uses TCP port 443 for secure transmissions in a number of contexts.

Source | Destination | Description
Rubrik cluster | proxy.rubrik.com | Allows access to Rubrik support tunnel, Rubrik cluster statistics, and error log upload.
Rubrik cluster | ESXi host | File level restore.
Rubrik cluster | Archival location URL | Transmitting data to the archival location.
Rubrik cluster | VMware vCenter Server | Information queries about virtual machines. Also enables secure communication for pre- and post-scripts on protected vSphere virtual machines.
Rubrik cluster | Rubrik Polaris | Allows the Rubrik cluster to access these endpoints: 1e100.net - the generic Google domain name; https://*.bc.googleusercontent.com; https://subdomain.my.rubrik.com, where subdomain is the customer account name; https://accounts.google.com; https://*.googleapis.com - Google service API addresses.
Rubrik cluster | Pure Storage array | Invoking Pure Storage REST APIs for snapshots and queries about volumes.
Rubrik cluster | blob-acct.blob.core.windows.net. For Azure Government, use: blob.core.usgovcloudapi.net. | Required for CloudOut to Azure. Replace blob-acct with the Azure archive blob storage account name.
Rubrik cluster | gp-acct.blob.core.windows.net. For Azure Government, use: blob.core.usgovcloudapi.net. | Required for CloudOn with Azure. Replace gp-acct with the name of a GPv1 or GPv2 storage account. The account cannot be a blob storage account.
Rubrik cluster | blob-acct.blob.core.windows.net | Required for CloudOut with Azure. Replace blob-acct with the Azure archive blob storage account name.
Rubrik cluster | apollo-ingest.s3.amazonaws.com; rubrikstats.s3.amazonaws.com | You must use apollo-ingest.s3.amazonaws.com for product metrics uploads. You must use rubrikstats.s3.amazonaws.com for support bundle uploads. The firewall must be open to both of these upload destinations. You must not identify resources by using the IP addresses that result from a name lookup of the FQDN. The IP addresses associated with an FQDN can change over time, resulting in connection issues that are difficult to troubleshoot.
Rubrik cluster | s3.region.amazonaws.com | Required for CloudOut to AWS. Replace region with an AWS region name.
Rubrik cluster | kms.region.amazonaws.com | Required for CloudOut to AWS only when AWS KMS encryption keys are used with the archive. Replace region with an AWS region name.
Rubrik cluster | ec2.region.amazonaws.com | Required for CloudOn with AWS. Replace region with an AWS region name.
Rubrik cluster | 1. Google domain 1e100.net; 2. customer.my.rubrik.com; 3. accounts.google.com; 4. googleapis.com | Required for Rubrik cluster communication to Rubrik Polaris.
Rubrik cluster | 1. storage.cloud.google.com; 2. storage.googleapis.com | Required for CloudOut on GCP.
Rubrik cluster | 1. management.azure.com; 2. management.core.windows.net; 3. login.microsoftonline.com; 4. graph.windows.net | Required for Azure cloud compute connectivity for CloudOut and CloudOn features.
Rubrik cluster | vCloud Director | Used for SSL communication.
Rubrik cluster | ESXi Host (esxupdate) | Used to download and install the Rubrik CDP Filter.
Rubrik CDM web UI clients | Rubrik cluster | Secure communication between Rubrik CDM web UI client and Rubrik cluster.
Local web browser | IPMI on a Rubrik node | Web interface with IPMI on a Rubrik node.
Rubrik Bolt | blob-acct.blob.core.windows.net. For Azure Government, use: blob.core.usgovcloudapi.net. | Required for CloudOn with Azure. Replace blob-acct with the Azure archive blob storage account name.
Rubrik Bolt | 1. management.azure.com; 2. management.core.windows.net; 3. login.microsoftonline.com; 4. graph.windows.net | Required for URL access from Rubrik to Azure.
Rubrik Bolt | s3.region.amazonaws.com | Required for CloudOn with AWS. Replace region with an AWS region name.
Rubrik Bolt | kms.region.amazonaws.com | Required for CloudOn with AWS only when AWS KMS encryption keys are used with the archive. Replace region with an AWS region name.
Rubrik Bolt | sts.region.amazonaws.com | Required for CloudOn with AWS only when the BOLT and Converter image is shared. Replace region with an AWS region name.
Rubrik Envoy | Rubrik cluster | Establishes a TLS connection between the Rubrik cluster and Rubrik Envoy to handle proxy communication between the Rubrik cluster and a protected object.
Rubrik node | NetApp | Enables communication for NAS vendor API integration.

Rubrik cluster inbound ports


Rubrik uses several ports for inbound communication.
To provide IPMI management information, Rubrik nodes must be able to receive packets sent from a local
ping program. Firewalls must be configured to permit traffic that uses the ECHO protocol.
The ability to ping a node permits an administrator to determine if the node address exists and if the node
can accept requests.
To provide the full range of Rubrik cluster features, the Rubrik cluster listens on the ports listed in the
following table.

Port/Protocol | Source | Description
22 TCP | Local client or cloud instance | Provides the ability to launch an SSH session for support and administration.
80 TCP | Web UI clients | Handles redirection of web UI clients to HTTPS.
111 TCP | 1. VMware ESXi hosts; 2. Oracle Server; 3. SAP HANA host; 4. Managed Volumes | 1. Provides an NFS datastore for ESXi hosts. 2. Provides an NFS datastore for Oracle Server. 3. Provides an NFS datastore for SAP HANA host. 4. Provides NFS access to Managed Volumes.
137 UDP | Hyper-V host | Provides access to Samba share during backup, export and Live Mounts. Required for NetBIOS over TCP.
138 UDP | Hyper-V host | Provides access to Samba share during backup, export and Live Mounts. Required for NetBIOS over TCP.
139 TCP | Hyper-V host | Provides access to Samba share during backup, export and Live Mounts. Required for NetBIOS over TCP.
443 TCP | 1. Web UI clients; 2. Oracle database host; 3. SAP HANA host; 4. Rubrik Envoy | 1. Required for secure communication between a web UI client and Rubrik cluster. 2. Required for secure connection when sending REST API commands from the Oracle database host to the Rubrik cluster. 3. Required for secure connection when sending REST API commands from the SAP HANA database host to the Rubrik cluster. 4. Required for communication with Rubrik cluster.
445 TCP | 1. Rubrik cluster; 2. SQL Live Mount host; 3. Hyper-V Server; 4. Windows host | 1. Required for NTLM authentication. 2. Required for Live Mount SQL databases. 3. Supports communication with SMB. 4. Supports Volume Group backup using SMB.
860 TCP/UDP | Rubrik cluster | Permits iSCSI data transfers for Nutanix AHV.
1514 TCP | CDP Filter | Used by CDP Filter to transmit IOs from the virtual disks to the Rubrik cluster.
2002 TCP | 1. Cloud provider (AWS or Azure); 2. Bolt-subnet | 1. Permits secure communication with the cloud provider. 2. Required for cloud consolidation. Replace Bolt-subnet with the CIDR range of the network subnet used by Bolt.
2049 TCP/UDP | 1. VMware ESXi hosts; 2. Oracle Server; 3. SAP HANA host; 4. Managed Volumes | Permits contact with the NFS daemon running on the Rubrik cluster for Live Mount operations.
3205 TCP/UDP | Rubrik cluster | Permits iSCSI data transfers for Nutanix AHV.
5900 TCP | VNC client | IPMI on Rubrik node.
7096 TCP | Rubrik cluster | Allows secure communication among Rubrik clusters and between nodes within a cluster.
7780 TCP | Rubrik node | Handles cluster configuration during cluster operations such as bootstrap and node add.
8011 TCP | Rubrik Envoy | Establishes a TLS connection between the Rubrik cluster and Rubrik Envoy to handle proxy communication between the Rubrik cluster and a protected object.
8077 TCP | 1. Cloud provider (AWS or Azure); 2. Bolt-subnet | 1. Permits secure communication over SSH with the cloud provider for debugging. 2. Required for cloud consolidation. Replace Bolt-subnet with the CIDR range of the network subnet used by Bolt.
9639 TCP | SAP HANA host | Allows data ingestion from the SAP HANA host to the Rubrik data service.
9440 TCP | Nutanix cluster | Permits communication between a Nutanix cluster and a Rubrik cluster.
12800-12801 TCP | 1. Oracle Server; 2. SAP HANA host; 3. SQL Server | 1. Required for the Rubrik Backup Service Software installed on the Oracle Server to communicate with the Rubrik cluster. 2. Required for the Rubrik Backup Service Software installed on the SAP HANA host to communicate with the Rubrik cluster. 3. Required for the Rubrik Backup Service Software installed on the SQL Server to communicate with the Rubrik cluster.
32764-32769 TCP/UDP | 1. Managed Volume hosts; 2. VMware ESXi hosts; 3. Oracle Server; 4. SAP HANA host | 1. Required for all NFS protocol Live Mounts of: Managed Volumes on a Rubrik cluster; Oracle Server. Rubrik clusters limit the allocated port range for the mountd, statd, lockd and rquotad services to this inbound TCP/UDP port range. 2. Provides an NFS datastore for ESXi hosts. 3. Provides an NFS datastore for Oracle Server. 4. Provides an NFS datastore for SAP HANA host.
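One way to check a firewall policy against the inbound table above: flag allow rules that open ports or protocols the table does not list, rules that admit any source, and documented ports that no rule covers. This is an added example, not a Rubrik tool; the port list is transcribed from the inbound table, while the one-line rule format and the sample rules are constructed for illustration.

```python
import ipaddress

# Inbound table above, transcribed as (first port, last port, protocols).
DOCUMENTED_INBOUND = [
    (22, 22, "tcp"), (80, 80, "tcp"), (111, 111, "tcp"), (137, 138, "udp"),
    (139, 139, "tcp"), (443, 443, "tcp"), (445, 445, "tcp"), (860, 860, "tcp udp"),
    (1514, 1514, "tcp"), (2002, 2002, "tcp"), (2049, 2049, "tcp udp"),
    (3205, 3205, "tcp udp"), (5900, 5900, "tcp"), (7096, 7096, "tcp"),
    (7780, 7780, "tcp"), (8011, 8011, "tcp"), (8077, 8077, "tcp"),
    (9440, 9440, "tcp"), (9639, 9639, "tcp"), (12800, 12801, "tcp"),
    (32764, 32769, "tcp udp"),
]

# Constructed sample allow rules in a made-up "<proto> <source CIDR> <port[-port]>" format.
SAMPLE_RULES = """\
tcp 10.20.0.0/24 443
tcp 0.0.0.0/0 22
tcp 10.30.5.0/24 12800-12810   # range wider than the documented 12800-12801
tcp 10.30.5.0/24 137           # the table lists 137 as UDP only
udp 10.30.5.0/24 137-138
tcp 10.40.0.0/16 2049
"""


def documented_ports():
    """Expand the table into one set of port numbers per protocol."""
    ports = {"tcp": set(), "udp": set()}
    for lo, hi, protos in DOCUMENTED_INBOUND:
        for proto in protos.split():
            ports[proto].update(range(lo, hi + 1))
    return ports


def to_ranges(ports):
    """Compress a set of ints into range strings, e.g. {1, 2, 3, 7} -> ['1-3', '7']."""
    runs, run = [], []
    for p in sorted(ports):
        if run and p != run[-1] + 1:
            runs.append(run)
            run = []
        run.append(p)
    if run:
        runs.append(run)
    return [str(r[0]) if len(r) == 1 else f"{r[0]}-{r[-1]}" for r in runs]


def parse_rule(line):
    proto, cidr, port_spec = line.split()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {proto}")
    net = ipaddress.ip_network(cidr, strict=True)
    lo, _, hi = port_spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {port_spec}")
    return proto, net, set(range(lo, hi + 1))


def audit(rules_text):
    doc = documented_ports()
    allowed = {"tcp": set(), "udp": set()}
    findings = {"undocumented": [], "any_source": [], "missing": []}
    for line in rules_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        proto, net, ports = parse_rule(line)
        allowed[proto] |= ports
        extra = ports - doc[proto]
        if extra:  # opened, but not in the guide's inbound table
            findings["undocumented"].append(f"{proto} {','.join(to_ranges(extra))} from {net}")
        if net.prefixlen == 0:  # broader than any source the table names
            findings["any_source"].append(f"{proto} {','.join(to_ranges(ports))}")
    for proto in ("tcp", "udp"):
        gap = doc[proto] - allowed[proto]
        if gap:  # documented ports with no allow rule; the related feature will not work
            findings["missing"].append(f"{proto} {','.join(to_ranges(gap))}")
    return findings


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_RULES).items():
        for item in items:
            print(f"{kind}: {item}")
```

The check covers TCP and UDP only; the ICMP echo requirement stated above the table has to be verified separately.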

Rubrik cluster outbound ports


A Rubrik cluster uses several ports for outbound communication.

Port/Protocol | Destination | Description
25 TCP | Email server | Allows the Rubrik cluster to send email alerts to administrators. Only required when the email server supports this port.
53 UDP | DNS server | Allows hostname resolution.
88 TCP/UDP | Active Directory server | Permits Kerberos communication for SMB security. Also required for any Active Directory integration that was configured before Rubrik CDM 4.2.
111 TCP | Rubrik cluster | Allows access to an NFS datastore for Oracle hosts and SAP HANA hosts.
123 UDP | NTP server | Allows access to network time protocol (NTP) servers for time synchronization.
389 TCP | LDAP server | Permits LDAP communication to LDAP servers.
389 TCP/UDP | Active Directory server | Permits communication for SMB security.
443 TCP | 1. proxy.rubrik.com; 2. s3.amazonaws.com; 3. ESXi host; 4. Archival location URL; 5. VMware vCenter Server; 6. Pure Storage array; 7. ESXi host; 8. NetApp | Required for: 1. Rubrik Support tunnel and Rubrik cluster statistics. 2. Error log upload. 3. Uploading support bundles. 4. File level restore. 5. Transmitting data to the archival location. 6. Information queries about virtual machines. 7. Invoking Pure Storage REST APIs for snapshots and queries about volumes. 8. Enabling secure communication for pre- and post-scripts on protected vSphere virtual machines. 9. Communication for NAS vendor API integration.
445 TCP | Active Directory server | Required for NTLM authentication.
464 TCP/UDP | Active Directory server | Permits Kerberos password set/change communication for SMB security.
465 TCP | Email server | Allows the Rubrik cluster to send email alerts to administrators. Only required when the email server supports this port.
514 TCP | Syslog server | Permits syslog communication to send system notifications to a remote syslog server.
587 TCP | Email server | Allows the Rubrik cluster to send email alerts to administrators. Only required when the email server supports this port.
636 TCP | Active Directory server or LDAP server | Permits secure LDAP (LDAPS) communication for SMB security and LDAP servers.
860 TCP/UDP | iSCSI targets | Permits iSCSI data transfers for Nutanix AHV.
902 TCP | VMware ESXi hosts | Permits network block device (NBD) data transfers.
2002 TCP | Bolt-subnet | Required for cloud consolidation. Replace Bolt-subnet with the CIDR range of the network subnet used by Bolt.
2074 TCP | Nutanix cluster | Permits secure communication between the Rubrik cluster and the Nutanix Guest Agent (NGA). The NGA publishes information such as guest OS type, status of VM mobility and VSS services, and more.
2200 TCP | Rubrik node | Allows node-to-node SSH communication during upgrade.
3205 TCP/UDP | iSCSI targets | Permits iSCSI data transfers for Nutanix AHV.
3260 TCP | iSCSI targets | Permits iSCSI data transfers for Nutanix AHV.
3268 TCP | Active Directory Global Catalog server | Permits LDAP communication for SMB security and LDAP servers.
3269 TCP | Active Directory Global Catalog server | Permits secure LDAP (LDAPS) communication for SMB security and LDAP servers.
7784 TCP | Rubrik node | Allows TLS over TCP communication between nodes within a Rubrik cluster.
8077 TCP | Bolt-subnet | Required for cloud consolidation. Replace Bolt-subnet with the CIDR range of the network subnet used by Bolt.
8080 TCP | Isilon | Allows communication for NAS vendor API integration.
9440 TCP | Nutanix cluster | Permits communication between Nutanix cluster and the Rubrik cluster.
12800-12801 TCP | 1. Physical Linux or Unix host; 2. Windows Server host; 3. Hyper-V host | Permits contact with the Rubrik Backup Service software on the: 1. Linux or Unix host. 2. Windows Server host. 3. Hyper-V host.
18082 TCP | QStar host | Required for archiving to QStar tape archive. Remote Admin (C:\qstar\bin\admin.exe) listens on the QStar host.

Ports used for communication between nodes in a cluster


Rubrik uses several ports for communication between nodes in a cluster.
The nodes of a Rubrik cluster communicate using the ports listed in the following table.

Port/Protocol | Destination | Description
123 UDP | Rubrik node | Facilitates time synchronization between Rubrik peer nodes.
2013 TCP | Carbon Relay Line Receiver | Allows sharing of statistics between nodes of a Rubrik cluster.
2014 TCP | Carbon-Relay Pickle Receiver | Allows sharing of statistics between nodes of a Rubrik cluster.
2015 TCP | Rubrik node | Used in restoring metadata from backups.
2200 TCP | SSH | Enables node-to-node SSH communication during upgrade.
5353 UDP | Rubrik node | Allows zeroconf node discovery.
5766-5767 TCP (also 26257) | Rubrik internal database | Allows process arbitration for encrypted CockroachDB traffic between nodes of a Rubrik cluster.
7096 TCP | Rubrik cluster | Allows secure communication among Rubrik clusters and between nodes within a cluster.
7780 TCP | Rubrik node | Handles cluster configuration during cluster operations such as bootstrap and node add.
7781 TCP | Cluster Configuration | Permits the Rubrik cluster to load basic software and configuration information (bootstrap) during cluster configuration.
7784 TCP | Rubrik node | Allows TLS over TCP communication among nodes within a Rubrik cluster.
7790 TCP | Rubrik node | Handles metadata operations related to replication.
8081 TCP | Graphite | Enables node-to-node communication to the Graphite web server.
8082, 8086 TCP | Rubrik node | Enables communication with InfluxDB.
9638 TCP | Rubrik Node | Allows node-to-node communication for the Rubrik data service to perform maintenance operations for SAP HANA workloads, for example, snapshot expiry or cleanup.
10000-10003 TCP | Rubrik node | Allows node-to-node SDFS internal communication.
26257 TCP (also 5766-5767) | Rubrik internal database | Allows process arbitration for encrypted CockroachDB traffic between nodes of a Rubrik cluster.

Archiving ports
The Rubrik cluster requires a number of outbound ports for archiving.

Port | Destination | Description
443 TCP | blob-acct.blob.core.windows.net; region.amazonaws.com | Required for transmitting data to the archival location. Replace blob-acct with the Azure archive blob storage account name. Replace region with an AWS region name.
443 TCP | storage.cloud.google.com; storage.googleapis.com | Required for transmitting data to the archival location.
2049 TCP | NFS server | Permits communication with a NAS device that is being used as an archival location.

Azure ports
Configure the following ports for Azure virtual machines.

Feature | Port | Source | Destination | Description
Support | 443 TCP | Rubrik cluster | proxy.rubrik.com | Allows access to Rubrik support tunnel and log collection service.
CloudOut | 443 TCP | Rubrik cluster | blob-acct.blob.core.windows.net | You must replace blob-acct with the Azure archive blob storage account name.
CloudOn | 443 TCP | Rubrik cluster | Bolt-subnet | You must replace Bolt-subnet with the CIDR range of the network subnet used by Bolt.
CloudOn | 2002 TCP | Rubrik cluster | Bolt-subnet | You must replace Bolt-subnet with the CIDR range of the network subnet used by Bolt.
CloudOn | 8077 TCP | Rubrik cluster | Bolt-subnet | You must replace Bolt-subnet with the CIDR range of the network subnet used by Bolt. Only required when troubleshooting over SSH.
CloudOn | 443 TCP | Rubrik cluster | gp-acct.blob.core.windows.net; for Azure Government: gp-acct.blob.core.usgovcloudapi.net | You must replace gp-acct with the name of a GPv1 or GPv2 storage account. The account cannot be a blob storage account.
CloudOn | 443 TCP | Rubrik Bolt | blob-acct.blob.core.windows.net | You must replace blob-acct with the Azure archive blob storage account name.
CloudOn | 443 TCP | Rubrik cluster | 1. management.azure.com 2. management.core.windows.net 3. login.microsoftonline.com 4. graph.windows.net | Required URL access from Rubrik to Azure.
CloudOn | 7785 TCP | Converter | Bolt | Connection from the converter to the Bolt.

GCP ports
The Rubrik cluster requires specific ports to be configured for GCP virtual machines.

Feature | Port | Source | Destination | Description
Support | 443 TCP | Rubrik cluster | proxy.rubrik.com | Allows access to Rubrik support tunnel and log collection service.
CloudOut | 443 TCP | Rubrik cluster | storage.cloud.google.com; storage.googleapis.com | Allows access to Google Cloud Platform object storage.

AWS ports
The Rubrik cluster requires the following ports to be configured for AWS virtual machines.

Feature | Port | Source | Destination | Description
Support | 443 TCP | Rubrik cluster | proxy.rubrik.com | Allows access to Rubrik support tunnel and log collection service.
CloudOut | 443 TCP | Rubrik cluster | s3.region.amazonaws.com | You must replace region with an AWS region name. For example: us-west-1.
CloudOut | 443 TCP | Rubrik cluster | kms.region.amazonaws.com | You must replace region with an AWS region name. For example: us-west-1. Required only when AWS KMS encryption keys are used with the archive.
CloudOn | 443 TCP | Rubrik cluster | ec2.region.amazonaws.com | You must replace region with an AWS region name. For example: us-west-1.
CloudOn | 2002 TCP | Rubrik cluster | Bolt-subnet | You must replace Bolt-subnet with the CIDR range of the network subnet used by Bolt.
CloudOn | 8077 TCP | Rubrik cluster | Bolt-subnet | You must replace Bolt-subnet with the CIDR range of the network subnet used by Bolt. Only required when troubleshooting over SSH.
CloudOn | 443 TCP | Rubrik Bolt | s3.region.amazonaws.com | You must replace region with an AWS region name. For example: us-west-1.
CloudOn | 443 TCP | Rubrik Bolt | kms.region.amazonaws.com | You must replace region with an AWS region name. For example: us-west-1. Required only when AWS KMS encryption keys are used with the archive.
CloudOn | 443 TCP | Rubrik Bolt | sts.region.amazonaws.com | Required for CloudOn with AWS only when the BOLT and Converter image is shared. The variable region refers to an AWS region name.
CloudOn | 7785 TCP | Converter | Bolt | Connection from the converter to the Bolt.

HotAdd proxy port requirements


A Rubrik cloud cluster requires access to several ports in order to protect virtual machines in a cloud-based
environment.

Port | Location | Source | Destination | Purpose
443 TCP | Management gateway | Rubrik cluster IPs or subnet | vCenter, ESXi host | vSphere discovery and command execution
902 TCP | Management gateway | Rubrik cluster IPs or subnet, Rubrik HotAdd cluster IPs or subnet | ESXi | Virtual machine block location discovery
8077 TCP | Compute gateway | Rubrik cluster IPs or subnet | Rubrik HotAdd Proxy IPs or subnet | Diagnostics
12800-12801 TCP | Compute gateway | Rubrik cluster IPs or subnet | Workload virtual machines | Support for RBS (optional)
58000 TCP | Compute gateway | Rubrik cluster IPs or subnet | Rubrik HotAdd Proxy IPs or subnet | Proxy command and control

Replication port information


The source Rubrik cluster and the target Rubrik cluster use port 7785 for replication.

Port/Protocol | Source | Destination | Description
7785 TCP | 1. Replication source Rubrik cluster | 1. Spray server on the replication target Rubrik cluster | 1. Required for secure communication between replication source and high-performance HTTP server on target.
7785 TCP | 2. Replication source Rubrik cluster | 2. Remote cluster service on the replication target Rubrik cluster | 2. Replication data transmission.
7785 TCP | 3. Replication target Rubrik cluster | 3. Remote cluster service on the replication source Rubrik cluster | 3. Replication data transmission.
7785 TCP | 4. Replication target Rubrik cluster | 4. Snapshot server on the replication source Rubrik cluster | 4. Permits replication data transmission.

Appendix B
Minimum vCenter Server privileges

Minimum vCenter Server privileges


To provide data management and protection for virtual machines in a vSphere environment, the vCenter
Server role assigned to the Rubrik cluster requires minimum privileges.
To access objects and perform operations on them, the Rubrik cluster account requires access permission
for the vCenter Server and child objects. Propagation of child objects ensures operations succeed.
Rubrik CDM provides vCenter Server diagnostic information on the vCenter Server page. This information
can help to determine whether the assigned account has the required vCenter Server access permissions.
Related tasks
Using vCenter Server diagnostics
vCenter Server diagnostics are used to confirm the access permissions of the vCenter Server account
assigned to the Rubrik cluster and to troubleshoot vCenter Server access permission issues.
Adding a vCloud Director instance
To add a vCloud Director instance to a Rubrik cluster provide account information for the vCloud Director
instance.
Related reference
Minimum virtual machine privileges
The vCenter Server role assigned to a Rubrik cluster must provide minimum virtual machine privileges on
the vCenter Server.

Minimum datastore privileges


The vCenter Server role assigned to a Rubrik cluster must provide minimum datastore privileges on the
vCenter Server.

Privilege | Description
Allocate space | Used by Rubrik to create virtual machines for export. Also used by Rubrik to provide space for delta files on the datastore when creating a snapshot.
Browse datastore | Allows Rubrik to find and download the vmware.log file for a virtual machine after a failed snapshot and to send the vmware.log file out for support.
Configure datastore | Allows Rubrik to connect the datastore on a Rubrik cluster to the vCenter Server for Live Mount and Instant Recovery.
Low level file operations | Allows Rubrik to ingest and to export the contents of snapshot VMDKs.
Move datastore | Allows Rubrik to place a Live Mount datastore into a vCenter Server folder to enhance manageability.
Remove datastore | Used by Rubrik to detach a Live Mount datastore that is no longer in use.

Minimum global privileges
The vCenter Server role assigned to a Rubrik cluster must provide minimum global privileges on the
vCenter Server.

Privilege | Description
Manage custom attributes | Allows Rubrik to create custom attributes on virtual machines.
Set custom attributes | Allows Rubrik to assign custom attributes to virtual machine objects.

Minimum host privileges


The vCenter Server role assigned to a Rubrik cluster must provide minimum host privileges on the vCenter
Server.

Privilege Category | Privilege | Description
Configuration | Storage partition configuration | Used by Rubrik for storage partition configuration when attaching Live Mount datastores to ESXi hosts. Allows VMFS datastore and diagnostic partition management. Users with this privilege can scan for new storage devices and manage iSCSI.
Configuration | Query patch | Allows Rubrik CDM to deploy the Rubrik CDP Filter to the host.
Configuration | Maintenance | Used by VMware when moving hosts automatically to maintenance mode to uninstall CDP filter.
Configuration | Image configuration | Allows changes to the image associated with a host to support the Rubrik CDP Filter.

Minimum network privileges


The vCenter Server role assigned to a Rubrik cluster must provide minimum network privileges on the
vCenter Server.

Privilege | Description
Assign network | Allows Rubrik to connect Instant Recovery virtual machines to a network when powering on the virtual machines.

Minimum resource privileges
The vCenter Server role assigned to a Rubrik cluster must provide minimum resource privileges on the
vCenter Server.

Privilege | Description
Assign virtual machine to resource pool | Allows Rubrik to allocate resources on an ESXi host for powering on virtual machines that are created through the Export, Live Mount, and Instant Recovery features.
Migrate powered on virtual machine | Allows Rubrik to migrate a powered on virtual machine from the Rubrik datastore to a datastore managed by a vCenter Server.
Migrate powered off virtual machine | Allows Rubrik to migrate a powered off virtual machine from the Rubrik datastore to a datastore managed by a vCenter Server.
Query vMotion | Allows Rubrik to query a virtual machine to see if it is in vMotion before starting the snapshot process. Required for datastore migration.

Minimum sessions privileges


The vCenter Server role assigned to a Rubrik cluster must provide minimum session privileges on the
vCenter Server.

Privilege | Description
Validate session | Used by Rubrik to discover, cache, and reuse previous vCenter Server sessions.
View and stop sessions | Used by Rubrik to discover, cache, and reuse previous vCenter Server sessions.

Minimum virtual machine privileges


The vCenter Server role assigned to a Rubrik cluster must provide minimum virtual machine privileges on
the vCenter Server.

Privilege category | Privilege | Description
Configuration | Add existing disk | Used by Rubrik when creating virtual machines through the Export, Live Mount, and Instant Recovery features.
Configuration | Add new disk | Used by Rubrik when creating virtual machines through the Export, Live Mount, and Instant Recovery features.
Configuration | Add or remove device | Allows Rubrik to remove the network device of the existing virtual machine when performing instant recovery with preserved MAC addresses.
Configuration | Advanced (6.5); Advanced configuration (6.7) | Required for Live Mount, Instant Recovery, and Export. Also allows creation of the proxy virtual machine required for storage array integration.
Configuration | Change resource | Allows Rubrik to configure virtual machine resources that are created in resource pools.
Configuration | Disk change tracking (6.5); Toggle disk change tracking (6.7) | Used by Rubrik to enable incremental snapshots, and to reset CBT when required. Resetting CBT is required when a known VMware issue occurs that results in vSphere failing to maintain the setting.
Configuration | Disk lease (6.5); Acquire disk lease (6.7) | Allows Rubrik to acquire leases to permit using VADP for transferring VMDK contents.
Configuration | Remove disk | Used by a Rubrik cluster to unmount virtual disks that were mounted during a Live Mount operation.
Configuration | Rename | Allows Rubrik to rename the virtual machines during Instant Recovery.
Configuration | Set annotation | Allows Rubrik to set a custom attribute on virtual machines to indicate the time at which the most recent successful backup completed.
Configuration | Settings (6.5); Modify device Settings (6.7) | Used by Rubrik to configure virtual machines that are created through the Export, Live Mount, and Instant Recovery features.
Configuration | Swapfile placement (6.5); Change Swapfile placement (6.7) | Allows Rubrik to power on virtual machines that are created through the Export, Live Mount, and Instant Recovery features.
Cryptographic Operations | Direct Access | Provides support for encrypted virtual machines.
Guest Operations | Guest Operation Modifications | Allows Rubrik to deploy the Rubrik VSS agent into guest operating systems when creating application-consistent snapshots.
Guest Operations | Guest Operation Program Execution | Allows Rubrik to start the Rubrik VSS agent on guest operating systems when creating application consistent snapshots.
Guest Operations | Guest Operation Queries | Allows Rubrik to monitor and manage the Rubrik VSS agent while the agent is running on guest operating systems.
Interaction | Answer question | Allows Rubrik to automatically handle situations where a virtual machine is in a stuck state waiting for a question to be answered.
Interaction | Backup operation on virtual machine | Used by Rubrik to perform backup operations on virtual machines.
Interaction | Device connection (6.5); Connect devices (6.7) | Used by Rubrik to connect and disconnect devices attached to virtual machines that are created through the Export, Live Mount, and Instant Recovery features.
Interaction | Guest operating system management by VIX API | Allows Rubrik to manage a guest operating system along with the Rubrik VSS agent when creating application-consistent snapshots.
Interaction | Power Off | Allows Rubrik to power off Live Mount virtual machines and Instant Recovery virtual machines before deleting the virtual machine.
Interaction | Power On | Allows Rubrik to power on Export virtual machines, Live Mount virtual machines, and Instant Recovery virtual machines after creating the virtual machine.
Interaction | Reset | Allows Rubrik to manage Export virtual machines, Live Mount virtual machines and Instant Recovery virtual machines after creating the virtual machine.
Interaction | Suspend | Allows Rubrik to manage Export virtual machines, Live Mount virtual machines, and Instant Recovery virtual machines after creating the virtual machine.
Interaction | VMware Tools install | Allows Rubrik to upgrade VMware Tools on a guest OS as needed to prevent the guest OS from hanging or crashing when quiescing for the purpose of taking a snapshot.
Inventory | Create new | Used by Rubrik to create Export virtual machines, Live Mount virtual machines, and Instant Recovery virtual machines.
Inventory | Move | Allows Rubrik to move an original virtual machine into a “deprecated” folder before replacing the original with an Instant Recovery virtual machine.
Inventory | Register | Used by Rubrik to create Export virtual machines, Live Mount virtual machines, and Instant Recovery virtual machines.
Inventory | Remove | Allows Rubrik to remove Export virtual machines, Live Mount virtual machines, and Instant Recovery virtual machines.
Inventory | Unregister | Allows Rubrik to remove Export virtual machines, Live Mount virtual machines, and Instant Recovery virtual machines.
Provisioning | Allow disk access | Allows Rubrik to write to the VMDK files of Export virtual machines, Live Mount virtual machines, and Instant Recovery virtual machines.
Provisioning | Allow read-only disk access | Allows Rubrik to read the VMDK contents of Export virtual machines, Live Mount virtual machines, and Instant Recovery virtual machines when backing up the virtual machines.
Provisioning | Allow virtual machine download | Allows Rubrik to download non-VMDK files of protected source virtual machines, including configuration files and support logs.
Provisioning | Allow virtual machine files upload | Allows Rubrik to upload non-VMDK files of Export virtual machines, Live Mount virtual machines, and Instant Recovery virtual machines, when creating and configuring the virtual machines.
Snapshot management | Create snapshot | Allows Rubrik to create temporary snapshots of virtual machines.
Snapshot management | Remove snapshot | Allows Rubrik to remove temporary snapshots of virtual machines.
Snapshot management | Rename snapshot | Allows Rubrik to manage the temporary snapshots of virtual machines.
Snapshot management | Revert to snapshot | Used by Rubrik to create a virtual machine using data from a snapshot in Rubrik storage.
Virtual machine | Change settings | Allows Rubrik to assign storage policy to the CDP enabled virtual machines.

Minimum profile-driven storage privileges


The vCenter Server role assigned to a Rubrik cluster must provide minimum profile-driven storage
privileges on the vCenter Server.

Privilege | Description
Profile-driven storage update | Allows Rubrik to create and update Storage profiles in order to enable Continuous Data Protection for virtual machines.
Profile-driven storage view | Allows Rubrik to view defined storage capabilities and storage profiles in order to manage Continuous Data Protection.

Minimum vSphere tagging privileges


The vCenter Server role assigned to a Rubrik cluster must provide minimum vSphere tagging privileges on
the vCenter Server.

Privilege | Description
Assign or Unassign vSphere Tag | Used by Rubrik to reapply tags when recovering virtual machines.
Assign or Unassign vSphere Tag on Object (7.0) | Used by Rubrik to reapply tags when recovering virtual machines. Required for vSphere 7.0 and later.

Appendix C
Active Directory account

Active Directory account


Alternate method of creating and initializing the Active Directory computer account that the Rubrik cluster
uses.
A Rubrik cluster requires a temporary and limited set of permissions to create and initialize a read-
only Active Directory computer account that the Rubrik cluster uses for Active Directory authentication.
Creating this computer account requires the use of an initialization account with broader permissions. The
initialization account connects to a given Active Directory domain only once.
To authenticate users through an Active Directory domain, a Rubrik cluster requires a read-only computer
account with a small set of Active Directory permissions. To ensure that all of the settings for the computer
account are correctly configured, create a single-use initialization account.
The Rubrik cluster uses the initialization account only to create and initialize the required computer
account. After the computer account is created and initialized, delete or disable the initialization account.
Ports 53, 88, and 389 must be open to enable communication to LDAP and Kerberos resources. See Ports
for details.

Initialization account required permissions


Grant the single-use initialization account the required set of permissions.

Access | Applies to
Change password | Descendant Computer objects
Reset password | Descendant Computer objects
Create Computer objects | Rubrik account object and Descendant Computer objects
Special > List contents | Descendant Computer objects
Special > Read all properties | Descendant Computer objects
Special > Write all properties | Descendant Computer objects
Special > Read permissions | Descendant Computer objects

Delegating initialization account permissions
Use the Windows Server Delegation of Control wizard in the Active Directory Users and Computers MMC
snap-in to create a user account. Use this user account as the initialization account to create and initialize
the Rubrik cluster computer account.

Procedure
1. Open the Active Directory Users and Computers MMC snap-in.
2. In the left-side hierarchy, right-click a folder for the new user account.
3. Click New > User.
4. Configure a user account by filling in the fields and click Next.
5. Type a password and confirm the password.
6. Select User cannot change password and Password never expires.
7. Click Next.
8. Click Finish.
The Active Directory Users and Computers MMC creates the new user account.
9. In the left-side hierarchy, right-click Computers.
10. On the context menu, click Delegate Control.
The Delegation of Control Wizard appears.
11. Click Next.
12. On the Users or Groups pane, click Add.
13. Type the name of the user account.
14. Click Check Names.
The wizard finds the user account.
15. Click OK.
16. Select the name of the user account, and click Next.
17. Select Create a custom task to delegate, and click Next.
18. In Delegate control of, select Only the following objects in the folder.
19. In the selection window, select Computer objects.
20. Select Create selected objects in this folder, and click Next.
21. On the Permissions pane, select General and Property-specific.
22. In the selection window, select each of the following permissions:
• Read
• Write
• Read All Properties
• Write All Properties
• Change Password
• Reset Password
23. Click Next.
24. Click Finish.

Result
The Delegation of Control wizard delegates the selected permissions to the initialization account.

Confirming the delegation of permissions
Use the Windows Server Active Directory Users and Computers MMC snap-in to confirm that the correct
permissions are delegated to the initialization account.

Procedure
1. Open the Active Directory Users and Computers MMC snap-in.
2. Select View > Advanced Features > Computers > Properties.
3. The Computers Properties dialog box appears.
4. Select the Security tab.
5. In Group or user names, select the name of the user account.
6. Use the Permissions for selection window to view the permissions that are assigned to the user
account.

Result
The Windows Server Active Directory Users and Computers MMC snap-in confirms that the correct
permissions are delegated to the initialization account.

Appendix D
Archive preparation

Archive preparation
Archive preparation provides supplemental information about the initial preparation required to use specific
types of archival locations.

Generating an RSA key


Several of the supported archival locations require an RSA key for encrypting the archival data.

Prerequisites
Use a secure computer that has the OpenSSL toolkit installed. For most Linux and Unix distributions,
the standard operating system packages include the OpenSSL toolkit. The OpenSSL toolkit can also be
downloaded and installed on Windows computers.

Procedure
1. On a secure computer, open a terminal window.
2. At the command prompt, type the OpenSSL key generation command.
Type:

openssl genrsa -out rubrik_encryption_key.pem 2048

Result
The command generates an RSA key in the current working directory.

Note: Rubrik CDM does not provide a mechanism to recover the RSA key used during archival location
creation. If the RSA key is lost, another Rubrik cluster cannot connect to this archival location as a reader
to enable data recovery. Rubrik recommends that you save the RSA key in a secure location for use during
configuration of an archival location.

Prepare to use Amazon S3 as an archival location


Prepare to use Amazon S3 object storage as an archival location.
When adding an Amazon S3 archival location on a Rubrik cluster, if the specified bucket does not exist,
Rubrik attempts to create the bucket. Users must have the permissions to create a new bucket when
Rubrik prompts for the user credentials.
To prepare an Amazon S3 archival location, log into the AWS console as an IAM user with permissions to
create additional IAM users and to configure user access to AWS resources such as Amazon S3. Complete
these tasks in the specified order:

1. Creating an Amazon S3 bucket
2. Creating a security policy for the bucket
3. Creating a user account with access to the bucket

Creating an Amazon S3 bucket


Create an Amazon S3 bucket to use as the archival target when archiving to Amazon S3. Isolating
permissions at the bucket level provides additional security for the archived data.

Procedure
1. In the AWS Services list, in the Storage section, select S3.
The Amazon S3 page appears.
2. Click + Create bucket.
The Create bucket modal appears.
3. In Bucket name, type a name for the new bucket.
4. Click the information icon next to the Bucket name field to see the requirements for a bucket name.
5. In Region, select the region in which the bucket should be created.
6. Verify that Rubrik supports the selected region.
7. Click Create.
AWS creates the new bucket, and the bucket appears in the list.
8. Select the new bucket.
A page for the bucket appears. The page has tabs for Properties, Permissions, and Management.
9. Click Copy Bucket ARN.
10. Paste the Bucket ARN into a plain text scratch file.
Keep this scratch file for use in later tasks.
11. Close the dialog box.

Result
Amazon creates the Amazon S3 bucket.

AWS permissions for archiving


The AWS permissions that are required for archiving depend on the encryption method, either KMS or RSA,
and whether consolidation is enabled.
Each of the following configuration options uses a unique JSON object.
• AWS archiving with KMS encryption and no consolidation
• AWS archiving with KMS encryption and consolidation
• AWS archiving with RSA encryption and no consolidation
• AWS archiving with RSA encryption and consolidation
JSON objects use specific formatting, including opening and closing braces and brackets. Without the
correct format, the objects fail.

AWS archiving with KMS encryption and no consolidation

The following JSON object supports AWS archiving using KMS encryption with no consolidation.

{
"Version": "2012-10-17",
"Statement": [
{

"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:GenerateDataKey",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:DeleteObject",
"s3:GetBucketLocation",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:ListBucketMultipartUploads",
"s3:RestoreObject",
"s3:CreateBucket",
"s3:GetBucketAcl"
],
"Resource": [
"arn:aws:s3:::", { "Ref": "S3BucketName" }, "/*"
]
}
]
}

AWS archiving with KMS encryption and consolidation

The following JSON object supports AWS archiving using KMS encryption with consolidation.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:GenerateDataKey",
"kms:DescribeKey",
"ec2:DescribeInstances",
"ec2:CreateKeyPair",
"ec2:CreateImage",
"ec2:CopyImage",
"ec2:DescribeSnapshots",
"ec2:DeleteVolume",
"ec2:StartInstances",
"ec2:DescribeVolumes",
"ec2:DescribeExportTasks",
"ec2:DescribeAccountAttributes",
"ec2:ImportImage",
"ec2:DescribeKeyPairs",

"ec2:DetachVolume",
"ec2:CancelExportTask",
"ec2:CreateTags",
"ec2:RunInstances",
"ec2:StopInstances",
"ec2:GetConsoleScreenshot",
"ec2:GetConsoleOutput",
"ec2:CreateVolume",
"ec2:DescribeImportSnapshotTasks",
"ec2:DescribeSubnets",
"ec2:AttachVolume",
"ec2:DeregisterImage",
"ec2:ImportVolume",
"ec2:DeleteSnapshot",
"ec2:DeleteTags",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeAvailabilityZones",
"ec2:CreateSnapshot",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeInstanceStatus",
"ec2:CreateInstanceExportTask",
"ec2:TerminateInstances",
"ec2:ImportInstance",
"s3:CreateBucket",
"s3:ListAllMyBuckets",
"ec2:DescribeTags",
"ec2:CancelConversionTask",
"ec2:ImportSnapshot",
"ec2:DescribeImportImageTasks",
"ec2:DescribeSecurityGroups",
"ec2:DescribeImages",
"ec2:DescribeVpcs",
"ec2:CancelImportTask",
"ec2:DescribeConversionTasks"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:DeleteObject",
"s3:GetBucketLocation",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:ListBucketMultipartUploads",
"s3:RestoreObject",
"s3:CreateBucket",
"s3:GetBucketAcl"
],
"Resource": [
"arn:aws:s3:::", { "Ref": "S3BucketName" }, "/*"
]
}
]
}

AWS archiving with RSA encryption and no consolidation

The following JSON object supports AWS archiving using RSA encryption with no consolidation.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:DeleteObject",
"s3:GetBucketLocation",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:ListBucketMultipartUploads",
"s3:RestoreObject",
"s3:CreateBucket",
"s3:GetBucketAcl"
],
"Resource": [
"arn:aws:s3:::", { "Ref": "S3BucketName" }, "/*"
]
}
]
}

AWS archiving with RSA encryption and consolidation

The following JSON object supports AWS archiving using RSA encryption with consolidation.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:CreateKeyPair",
"ec2:CreateImage",
"ec2:CopyImage",
"ec2:DescribeSnapshots",
"ec2:DeleteVolume",
"ec2:StartInstances",
"ec2:DescribeVolumes",
"ec2:DescribeExportTasks",
"ec2:DescribeAccountAttributes",
"ec2:ImportImage",
"ec2:DescribeKeyPairs",
"ec2:DetachVolume",
"ec2:CancelExportTask",
"ec2:CreateTags",
"ec2:RunInstances",
"ec2:StopInstances",
"ec2:GetConsoleScreenshot",
"ec2:GetConsoleOutput",
"ec2:CreateVolume",
"ec2:DescribeImportSnapshotTasks",
"ec2:DescribeSubnets",
"ec2:AttachVolume",
"ec2:DeregisterImage",
"ec2:ImportVolume",
"ec2:DeleteSnapshot",
"ec2:DeleteTags",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeAvailabilityZones",
"ec2:CreateSnapshot",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeInstanceStatus",
"ec2:CreateInstanceExportTask",
"ec2:TerminateInstances",
"ec2:ImportInstance",
"s3:CreateBucket",
"s3:ListAllMyBuckets",
"ec2:DescribeTags",
"ec2:CancelConversionTask",
"ec2:ImportSnapshot",
"ec2:DescribeImportImageTasks",
"ec2:DescribeSecurityGroups",
"ec2:DescribeImages",
"ec2:DescribeVpcs",
"ec2:CancelImportTask",
"ec2:DescribeConversionTasks"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:DeleteObject",
"s3:GetBucketLocation",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:ListBucketMultipartUploads",
"s3:RestoreObject",
"s3:CreateBucket",
"s3:GetBucketAcl"
],
"Resource": [
"arn:aws:s3:::", { "Ref": "S3BucketName" }, "/*"
]
}
]
}

Creating a security policy for the bucket


Create a security policy for the bucket.

Prerequisites
Select a JSON object from the choices described in AWS permissions for archiving.

Context
Create a security policy with a pre-existing bucket.
With this permission set, the IAM user can create a new bucket, list all buckets in the account and work
with all objects in all buckets in the account.

Procedure
1. Log in to the AWS account.
2. In the AWS Services list, in the Security, Identity & Compliance section, select IAM.
The Identity and Access Management page appears.
3. On the left-side menu, select Policies.
4. Click Create policy.
The Create Policy workspace opens with the Visual Editor tab active.
5. Click the JSON tab.
The JSON text editor appears.
In the next step, pay close attention to the JSON formatting, including opening and closing braces and
brackets.
6. Copy and paste the JSON text for the selected configuration.
7. From the Resources section, to the right of bucket, click Add ARN.
8. In the Specify ARN for bucket field, remove the placeholder arn:aws:s3::: and paste the bucket
ARN.
9. Click Add.
10. From the Resources section, to the right of object, click Add ARN.
11. In the Specify ARN for object field, remove the placeholder arn:aws:s3:::, paste the bucket ARN,
and add /* at the end of the string.
12. Click Add.
13. At the bottom of the page, click Review Policy.
14. In the Name field, type a policy name.
15. At the bottom of the page, click Create policy.

Result
AWS creates the bucket policy and returns to the policy list page.
Related reference
AWS permissions for archiving
The AWS permissions that are required for archiving depend on the encryption method, either KMS or RSA,
and whether consolidation is enabled.
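The following pre-flight check is an added example, not part of the Rubrik guide or any Rubrik tooling. It parses a policy before it is pasted into the IAM JSON editor and reports malformed JSON, Resource entries that still hold the template placeholder, destructive actions granted on every resource, and bucket-level S3 actions that no bucket ARN in the statement can match. The sample policies are constructed, reduced from the consolidation policy above, and the bucket name example-archive-bucket is hypothetical.

```python
import json

S3_PREFIX = "arn:aws:s3:::"
# S3 actions from the page's policies that apply to a bucket, not to objects,
# so they match only a bucket ARN (one without a "/key" part).
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketAcl",
                "s3:ListBucketMultipartUploads", "s3:CreateBucket"}
# Action prefixes that delete, stop or detach resources.
DESTRUCTIVE = ("ec2:Delete", "ec2:Terminate", "ec2:Deregister",
               "ec2:Stop", "ec2:Detach", "s3:Delete")


def as_list(value):
    """IAM accepts a single value or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def check_policy(text):
    """Return sorted (sid, code, detail) findings for an IAM policy document."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("-", "INVALID_JSON", f"line {exc.lineno}: {exc.msg}")]
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "?")
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))

        # Resource entries must be strings. A {"Ref": ...} object or a bare
        # ARN prefix is template text that was never filled in.
        unfilled = [r for r in resources
                    if not isinstance(r, str) or r in (S3_PREFIX, "/*")]
        if unfilled:
            findings.append((sid, "UNFILLED_RESOURCE", json.dumps(unfilled)))
            continue

        if "*" in resources:
            hits = sorted(a for a in actions if a.startswith(DESTRUCTIVE))
            if hits:
                findings.append((sid, "ACCOUNT_WIDE_DESTRUCTIVE", ", ".join(hits)))
            continue

        # Bucket-level actions need the bucket ARN itself in Resource.
        bucket_arns = [r for r in resources
                       if r.startswith(S3_PREFIX) and "/" not in r[len(S3_PREFIX):]]
        if not bucket_arns:
            unmatched = sorted(set(actions) & BUCKET_LEVEL)
            if unmatched:
                findings.append((sid, "BUCKET_ACTION_UNMATCHED", ", ".join(unmatched)))
    return sorted(findings)


# Constructed sample, reduced from the consolidation policy on this page.
TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "ec2:TerminateInstances",
                "ec2:DeleteSnapshot", "s3:ListAllMyBuckets"],
     "Resource": "*"},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket",
                "s3:DeleteObject", "s3:GetBucketLocation"],
     "Resource": [RESOURCES]}
  ]
}"""
BUCKET = S3_PREFIX + "example-archive-bucket"  # hypothetical bucket name
# Resource element exactly as printed in the guide.
AS_PRINTED = TEMPLATE.replace(
    "RESOURCES", '"arn:aws:s3:::", {"Ref": "S3BucketName"}, "/*"')
# Only the object ARN filled in.
OBJECTS_ONLY = TEMPLATE.replace("RESOURCES", f'"{BUCKET}/*"')
# Bucket ARN and object ARN both present, as steps 7 to 12 produce.
SCOPED = TEMPLATE.replace("RESOURCES", f'"{BUCKET}", "{BUCKET}/*"')

if __name__ == "__main__":
    for label, text in (("as printed", AS_PRINTED),
                        ("objects only", OBJECTS_ONLY),
                        ("scoped", SCOPED)):
        print(label)
        for finding in check_policy(text):
            print("  ", *finding, sep=" | ")
```

ACCOUNT_WIDE_DESTRUCTIVE is a review prompt rather than an error: the consolidation policies grant those EC2 actions on all resources by design, so it shows what the access key can do if it leaks.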

Creating a user account with access to the bucket


Create an IAM user account with policy-based access to the bucket.

Procedure
1. Log in to an AWS account.
2. In the AWS Services list, in the Security, Identity & Compliance section, select IAM.
The Identity and Access Management page appears.
3. On the left-side menu, click Users.
The list of users appears.
4. Click Add user.
The Add user page appears.
5. In the Set user details section, in User name, type a name for the user account.
The user account will be used by the Rubrik cluster to access the bucket.
6. In the Select AWS access type section, in Access type, select Programmatic access.
7. Click Next: Permissions.
The Set Permissions page appears with various methods for setting the permissions of the user
account.
8. Click Attach existing policies directly.
A list of the available policies appears.
9. Select the security policy that was created for the bucket, and click Next: Review.
The Review page appears.
10. Click Create user.
AWS creates the user, and a success message appears.
11. Click Download CSV.
The web browser opens a Save As dialog box.
12. Save the file credentials.csv.

Result
The file contains the Access key ID and Secret access key for the user account and should be securely
stored. Use these values when configuring the Rubrik cluster to use this AWS bucket as an archival
location. The file can be renamed.
Related tasks
Creating a security policy for the bucket
Create a security policy for the bucket.

Preparing to use GCP as an archival location


Prepare to use Google Cloud Platform (GCP) as an archival location.

Procedure
1. In a web browser, access the Google Cloud Platform portal at https://console.cloud.google.com/.
2. Log in with a Google account username and password.
The Google Cloud Platform page appears.
3. Click the Google Cloud Platform menu icon.
4. From the left side of the pane, select IAM & admin.
The IAM & admin page appears.
5. From the left side of the pane, select Service accounts, then click + Create service Account.
The Create service account page appears.
6. In Service account name, specify the service account name.
7. Click Create.
The Service account permissions page appears.
8. In Select a role, click Storage > Storage Admin.
9. Click Continue.
10. In the Create key (optional) section, click + Create Key.
The Create key page appears.
11. In Key Type, select JSON.
12. Click Create.
The Download Save As page appears.
13. Save the JSON file to a folder.
A message appears confirming the Private key is saved.
14. Click Close.
15. Click Done.

Result
The Google Cloud Platform archival preparation is complete.

Azure permissions for archiving


The Azure permissions that are required for archiving depend on whether consolidation is enabled.
Each of the following configuration options uses a unique JSON object.
• Azure archiving with no consolidation
• Azure archiving with consolidation
JSON objects use specific formatting, including opening and closing braces and brackets. Without the
correct format, the objects fail.

Azure archiving with no consolidation

The following JSON object supports Azure archiving with no consolidation.

{
"Name": "Rubrik CloudOut",
"IsCustom": true,
"Description": "Can upload snapshot data to container",
"Actions": [
"Microsoft.Storage/*/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Storage/storageAccounts/read"
],
"NotActions": [

],
"AssignableScopes": [
"/subscriptions/<subscription_id>"
]
}

Azure archiving with consolidation

The following JSON object supports Azure archiving using consolidation.

{
"Name": "Rubrik CloudOut",
"IsCustom": true,
"Description": "Can upload snapshot data to container and use compute for consolidation",
"Actions": [
"Microsoft.ClassicCompute/virtualMachines/detachDisk/action",
"Microsoft.ClassicCompute/virtualMachines/attachDisk/action",
"Microsoft.Compute/disks/",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/virtualMachines/delete",
"Microsoft.Compute/virtualMachines/extensions/",
"Microsoft.Compute/virtualMachines/instanceView/read",
"Microsoft.Compute/virtualMachines/powerOff/action",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Compute/virtualMachines/runCommand/action",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/vmSizes/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkSecurityGroups/securityRules/read",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/publicIPAddresses/write",
"Microsoft.Network/publicIPAddresses/join/action",
"Microsoft.Network/publicIPAddresses/delete",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourcegroups//read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/",
"Microsoft.Resources/subscriptions/resourcegroups/write",
"Microsoft.Storage/*/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Storage/storageAccounts/read"
],
"NotActions": [
],
"AssignableScopes": [
"/subscriptions/<subscription_id>"
]
}

Archive preparation in Azure


Preparing Azure storage for archiving involves creating a storage account in Azure.
Before archiving data from a Rubrik cluster to Azure, you must prepare your Azure subscription by creating
and configuring a storage account and a blob storage container where the data will be stored. The storage
account provides a unique namespace to access the archived data and the container is the actual location
where Azure stores the data.
Rubrik CDM requires an Azure storage account with specific settings, a storage container that does not
allow anonymous access, and an account access key for the configuration of an Azure archival location
on the Rubrik cluster. If a storage container with the specified name does not exist in the Azure storage
account, Rubrik CDM creates a new container with the specified name.
Rubrik CDM supports archiving only to the Standard general-purpose V2 Azure storage account type.
Premium storage accounts are not supported. Rubrik CDM supports the Hot and Cool access tiers of Azure
for archiving data.
Related concepts
Azure storage account access keys
Rubrik CDM requires an access key to access the data in the Azure storage account.
Related tasks
Adding Microsoft Azure as an archival location
Configure a Rubrik cluster to use Microsoft Azure as the archival location.
Related reference
Azure storage account settings
Configuration of an Azure archival location in Rubrik CDM requires creating the Azure storage account with
specific settings using the Azure portal.

Azure storage account settings


Configuration of an Azure archival location in Rubrik CDM requires creating the Azure storage account with
specific settings using the Azure portal.
Rubrik CDM requires an Azure storage account configured with specific settings described in the following
tables. The settings are classified by tabs as they appear on the Azure storage account creation page. For
all other Azure storage account settings, the default values are acceptable.

Basics tab

Section | Setting | Description
Project details | Subscription | The subscription for the new storage account.
Project details | Resource group | A new or existing resource group within the selected subscription.
Instance details | Storage account name | A unique name for the new storage account. Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only. This will be the value for the Storage Account Name field when configuring an Azure archival location in Rubrik CDM.
Instance details | Region | The geographical region for the storage account.
Instance details | Performance | The type of storage account. Rubrik CDM supports archiving only to the Standard general-purpose V2 Azure storage account.
Instance details | Redundancy | The redundancy level that is applicable to the type and region of the storage account.

Advanced tab

Section | Setting | Description
Blob storage | Access tier | Access tier setting depends on the frequency with which archived data will be accessed. Rubrik CDM supports the Hot and Cool access tiers of Azure.

Networking tab

You may accept the default settings or configure them as per your requirements.

Data protection tab

Section | Setting | Description
Tracking | Enable versioning for blobs | Blob versioning automatically saves the state of a blob in a previous version when the blob is overwritten. Rubrik CDM does not support blob-level versioning for archiving and requires that this setting is disabled for the storage account.

Encryption tab

Setting | Description
Encryption type | The type of keys used for data encryption in the storage account. You can accept the default option of using Microsoft-managed keys for encryption.
Enable infrastructure encryption | Rubrik CDM does not require this setting to be enabled.

Related information
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal

Azure storage account access keys


Rubrik CDM requires an access key to access the data in the Azure storage account.
With the creation of a storage account, Azure portal generates two 512-bit storage account access keys to
authorize access to the data in that account. Rubrik CDM requires the access key to access the data in the
storage account. Microsoft allows rotating and regenerating these keys as desired.
You can find the access keys in the Security + networking section of the storage account page on the
Azure portal.

Related concepts
Archive preparation in Azure
Preparing Azure storage for archiving involves creating a storage account in Azure.

Preparing Scality as an archival location


Before using a Scality object storage system as an archival location, obtain an access key and a secret key
for the Scality object storage system.

Preparing to use an NFS share as an archival location


Prepare the settings of an NFS share before using the NFS share as an archival location for a Rubrik
cluster.

Procedure
1. Ensure the /etc/exports listing for the exported file system has the minimum required settings
described in NFS Export settings.
For best results, use the recommended settings.

/expath rsub(rw,secure,root_squash,no_subtree_check)

In this example, /expath is the export point and rsub is the Rubrik cluster subnet, expressed in
Classless Inter-Domain Routing (CIDR) notation. For example, the subnet could be 192.168.2.0/24
for IPv4, or 2001:db8::/32 for IPv6.
2. Set the export point ownership to the anonymous uid/gid of the operating system and permissions
to 755.

chown anonuid:anongid /expath
chmod 755 /expath

In this example, anonuid and anongid are the anonymous user ID and group ID of the operating system,
and /expath is the export point.
3. Optional: To use NFS with Kerberos, add the Rubrik cluster to the Active Directory domain.
The Rubrik cluster can only be added to one Active Directory domain. NFS with Kerberos does not
support multiple Active Directory domains.

Result
NFS is configured for use by Rubrik CDM as an archival location.

NFS Export settings


To use NFS as a Rubrik archival location, the export point must have certain NFS export settings.

Setting | Required | Description
rw | Yes | Permits read and write access to the exported file system.
secure | No | Requires that requests originate on a port within the registered ports range, from 1024 to 49151.
root_squash | No | Maps requests from uid/gid 0 to the anonymous uid/gid (anonuid and anongid).
no_subtree_check | No | Disables subtree checking.
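The following check is an added example, not part of the Rubrik guide. It reads one /etc/exports entry and reports where it departs from the settings above: a client that is not a subnet in CIDR notation, a missing rw, an option that switches off a recommended setting (insecure, no_root_squash, subtree_check), or a stray space that separates the options from the subnet. The finding codes are names chosen for this example.

```python
import ipaddress
import re

# Required setting from the "NFS Export settings" table on this page.
REQUIRED = "rw"
# exports(5) options that turn off a setting the page recommends.
DISABLES = {"insecure": "secure", "no_root_squash": "root_squash",
            "subtree_check": "no_subtree_check"}
# One client entry: client(option,option,...)
CLIENT_RE = re.compile(r"([^\s()]+)\(([^()]*)\)")


def is_cidr(client):
    """True when client is an IPv4 or IPv6 subnet written as address/prefix."""
    if "/" not in client:
        return False
    try:
        ipaddress.ip_network(client, strict=False)
    except ValueError:
        return False
    return True


def check_export(line):
    """Return sorted (code, detail) findings for one /etc/exports entry."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 2:
        # Blank or comment-only lines are fine; a path with no client is not.
        return [("NO_CLIENT", line.strip())] if fields else []
    findings = set()
    for token in fields[1:]:
        match = CLIENT_RE.fullmatch(token)
        if not match:
            # For example a space between the subnet and "(": the options
            # then no longer belong to that subnet.
            findings.add(("UNPAIRED_TOKEN", token))
            continue
        client, opts = match.group(1), set(match.group(2).split(","))
        if not is_cidr(client):
            findings.add(("CLIENT_NOT_CIDR", client))
        if REQUIRED not in opts:
            findings.add(("MISSING_RW", client))
        for opt in sorted(opts & DISABLES.keys()):
            findings.add(("DISABLES_" + DISABLES[opt].upper(), client))
    return sorted(findings)


# Constructed sample entries; the first two follow the guide's recommended line.
SAMPLES = [
    "/expath 192.168.2.0/24(rw,secure,root_squash,no_subtree_check)",
    "/expath 2001:db8::/32(rw,secure,root_squash,no_subtree_check)",
    "/expath *(rw,no_root_squash)",
    "/expath 192.168.2.0/24 (rw)",
    "/expath 192.168.2.0/24(ro,insecure)",
]

if __name__ == "__main__":
    for entry in SAMPLES:
        print(entry, "->", check_export(entry) or "ok")
```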

Preparing an Isilon NFS share as an archival location


Prepare an NFS share folder for EMC Isilon before configuring the Rubrik cluster to use the NFS share as
an archival location.

Procedure
1. Join the Isilon to the Active Directory domain.
a. In the OneFS UI, select the Access tab and select Authentication Providers.
b. Create an Active Directory provider and click Enable Secure NFS.
Selecting Enable Secure NFS sets the service principal names for the account and enables mutual
authentication.
2. Set the EMC Isilon SmartConnect zone to the FQDN of the Isilon.
3. Set up DNS to provide both forward (address, A record) and reverse (pointer, PTR record)
resolution of the FQDN of the Isilon SmartConnect zone.
Kerberos requires both A and PTR resolution of the FQDN.
4. On the OneFS UI, use the Add an NFS share screen to set up an NFS mount point.
5. Select Enable mount access to subdirectories.
6. Optional: For Security Type(s), select Use Custom and set the Kerberos levels.
7. In Clients, add the IP address range of the Rubrik cluster.
8. Click Always Read-Write Clients.
9. In Map Root User, assign a user with read/write permissions for the exported directory.
10. Add the Rubrik cluster to the Active Directory domain.
11. Optional: Enable Kerberos authentication.
When Kerberos is enabled, add a Rubrik cluster that uses an NFS archival location to only one Active
Directory domain. Multiple Active Directory domains are not supported with an NFS archival location
when using Kerberos.

Result
Isilon NFS is configured for use by Rubrik CDM as an archival location.

Prepare a QStar Integral Volume as an archival location


Prepare a QStar Integral Volume set to use as a tape archival location.
To prepare a QStar Integral Volume as a tape archival location, complete these tasks in this order:
1. Verify the QStar requirement.
2. Set the QStar Integral Volume.

QStar requirements
Complete the QStar initial requirements before setting up a QStar Integral Volume as an archival location.
This table lists the Rubrik cluster requirements for using a QStar Manager instance as an archival location.

Requirement | Description
QStar Host OS | Windows Server 2012 or newer
QStar software | QStar Archive Manager version 6.1.5.7053, or newer, for Windows Server
Cache and memory | A minimum of 1 TB of dedicated SSD storage per Integral Volume, to use for QStar caching. A minimum of 32 GB of memory per Integral Volume on the QStar server.
Integral Volumes | A maximum of 4 Integral Volumes on a single server. An Integral Volume may not be shared with more than one archival location on the Rubrik cluster.
Tape library | Any tape library that is supported by the QStar Archive Manager must be visible to the Windows Server and available to the QStar Archive Manager instance. The tape library must have at least two tape drives per Integral Volume to support concurrent archive and retrieval operations. If more than one Integral Volume is configured on the server, the total number of tape drives can be fewer than twice the number of Integral Volumes. In that case, one tape drive per Integral Volume must be reserved for archival purposes.

Setting up the QStar Integral Volume set


Configure a QStar Integral Volume set to use as a tape archival location.

Procedure
1. As an administrator, open the QStar Archive Manager application.
2. On the left-side menu, select Server.
The server screen appears. The QStar Server Status field displays the status of the server. The status
must be Installed - Running.
3. (If the server is not running) Click Start.
4. On the server screen, start all other services.
5. On the server screen, start QWSD.
6. On the left-side menu, select Media > Online Media.
The online media view appears.
7. In Library Name, select the library that will be used for the archival location.
8. In Characteristics, select a slot that will be assigned to the archival location.
The slot must have a value of Tape in the Type column and have no value in the Set Name column.
Tape indicates that the media in the slot is a tape. An empty value in the Set Name column indicates
that the slot is not assigned to an Integral Volume set.
9. Click Erase.
The QStar Archive Manager erases and initializes the tape.
10. Add any additional slots that will be assigned to the archival location.
11. On the left-side menu, select Integral Volumes > Volume Management.
12. Click Create New Integral Volume.
The New Integral Volume Parameters dialog box appears.
13. Configure the new Integral Volume using the following values.

Field | Action
Integral Volume Name | Type a name for the Integral Volume set
File System Type | TDO
Mount As | Select any unused drive letter
Share drive | Enable
Real Media Type | Tape
Simulated Media Type | none
Rewritable/WORM | Any
Location | Type the full local path to a folder with sufficient space for the cache or click Browse to find and select an existing folder.
Cache Size | Type the cache size, and select the associated unit size.
Page Size | 1024
14. Click Create.
The QStar Archive Manager creates the new Integral Volume set using the specified parameters.
15. On the left-side menu, under Integral Volumes, select Media Management.
The add/remove media list appears.
16. In Integral Volume Name, select the name of the Integral Volume set.
17. In Library, select the library.
18. For each tape slot being added to the Integral Volume set, select the tape slot from the right-side list
and click the button to move it to the left-side list.
The QStar Archive Manager assigns the tape slots in the left-side list to the Integral Volume set.
19. On the left-side menu under Integral Volumes, select Volume Management.
20. In Integral Volume Name, select the name of the Integral Volume set.
21. Click Mount.
The QStar Archive Manager mounts the Integral Volume set, and makes the Integral Volume set
available for the Rubrik cluster to use as a tape archival location.
22. Click Properties.
The Properties dialog box appears.
23. (Recommended) In HPC, set the slider to 85%.
This sets the high water mark for the cache to 85%.
24. (Recommended) In LPC, set the slider to 10%.
This sets the low water mark for the cache to 10%.
25. Click OK.
26. Optional: On the left-side menu, under Integral Volumes, select Migration View.
27. Optional: The following tasks are part of this optional configuration task.
a) Select Delayed Archiving.
The Delayed Archiving dialog box appears.
b) Select Enabled.
c) In Age Time, specify values in Days, Hours, and Minutes.
The resulting combination of days, hours, and minutes sets the maximum time that data can reside in
the cache before being written to tape.
28. Click OK.

Result
QStar is configured for use by Rubrik CDM as an archival location.

Appendix E
Node shutdown and reboot



Shutting down or rebooting a node terminates the jobs running on that node.
Shutdowns or reboots are necessary in various situations, for example:
• Moving a node from one rack to another
• A node hangs for some reason
• A request from Rubrik Support before performing a debugging or recovery operation
After all jobs have stopped, they are retried on another node. If a node fails, a floating IP failover moves
all workloads to another node.

Determining the status of the node


Determine the status of a node.

Context
Nodes can have statuses of UNKNOWN, OK, BAD, PRE_MAINTENANCE, MAINTENANCE, BOOTSTRAPPING,
UPGRADE, REMOVED. The Rubrik CDM CLI Reference provides information about the node statuses.

Procedure
1. Open an SSH session on the host.
2. Type the cluster get_node_statuses command to determine the status of the node.

Example
This example shows the status of a node.

VRVW4214C6134 >> cluster get_node_statuses


=====================
Getting node statuses
=====================
VRVW4214C6134 OK

Node shutdown and reboot 05/25/2022 | 849


Shutting down the node
Perform a node status check followed by a shutdown of the node hosting the current session.

Procedure
1. Open an SSH session on the host.
2. Type the cluster poweroff_node command to shut down the node hosting the current session.
To shut down all nodes in the cluster at the same time, use the cluster poweroff_cluster
command.
A warning that this operation powers off the node and terminates running jobs appears along with a
request to "Type yes to continue". See the example, below.
3. Type Yes to confirm.

Result
The node hosting the current session shuts down, and all jobs running on the node are terminated.

Example
This example shuts down a node.

VRVW4214C6134 >> cluster poweroff_node


Warning: This operation will power off the node, any running jobs will be
terminated!!!
Type 'yes' to continue: :

Shutting down the cluster


Shut down all nodes in the cluster.

Procedure
1. Open an SSH session on the host.
2. Type cluster poweroff_cluster.
Option | Description
cluster poweroff_cluster with no option | Performs a node status check before shutting down all nodes in the Rubrik cluster. Terminates all running jobs during the shutdown period.
cluster poweroff_cluster with --skip_node_status_check option | Shuts down the cluster without performing a status check on the nodes. This option shuts down only the nodes it can reach. These nodes need not have an OK status to be shut down, but they must be reachable to return any status.

The Rubrik cluster cannot send commands to nodes it cannot reach or communicate with.

A warning that this operation powers off the cluster and terminates running jobs appears along with a
request to "Type yes to continue". See the example, below.
3. Type Yes to confirm the shutdown.

Result
All nodes running in the Rubrik cluster are shut down and all jobs running on the nodes are terminated.

Example
This example shuts down a cluster.

VRVW4214C6134 >> cluster poweroff_cluster


Warning: This operation will power off the entire cluster, any running jobs
will be terminated!!!
Type 'yes' to continue: :

Rebooting the cluster or node


Restart the Rubrik cluster or node that hosts the current Rubrik CDM web UI session.

Procedure
1. Open an SSH session on the host.
2. Type the cluster reboot command to reboot the cluster or the node.
The syntax is:

cluster reboot {cluster | node}

The command cluster reboot cluster reboots all the reachable nodes in the cluster. The
command cluster reboot node reboots only the node from which the command was executed.
A warning that this operation reboots the cluster or node and terminates running jobs appears along
with a request to "Type yes to continue".
3. Type Yes.
The Rubrik cluster or the current node begins a shutdown and reboot.

Result
The Rubrik cluster or the node that hosts the current Rubrik CDM Web UI session reboots.

Appendix F
Changing the hostname of the node



Change Rubrik cluster node hostnames without shutting down the node or cluster.

Procedure
1. As admin, connect to the node that is getting a new hostname.
2. At the Rubrik CLI prompt, type cluster node_hostname_change newname.
Where newname is the new name of the Rubrik cluster node.

Result
The node runs the command and changes its hostname to the new name.

Changing the hostname of the node 05/25/2022 | 852


Appendix G
Audit and change management of configuration parameters


Use the Rubrik REST API to audit the changes made to the configuration parameters on a Rubrik cluster.
Rubrik REST API provides the /config/history endpoints for administrators to audit the changes made
to the configuration parameters on a Rubrik cluster.
The ability to audit the configuration changes allows administrators to track the information related to the
configuration changes, such as, the old and new values of the configuration parameters, the user account
that made the changes, the time of each change, and the name of the cluster or node where the changes
were made.
The /config/history endpoints are applicable to the following configuration parameters:
• Global or cluster wide configuration
• Local or node specific configuration
The GET /config/history/list_updates endpoint provides parameters to filter the configuration
updates that happened within a specific period of time. To ensure that the security of the Rubrik cluster
is not compromised, parameters are available to filter the configuration updates by the name of the user
account that made the updates.
The GET /config/history/ondate endpoint is useful for tracking the old and new values of the
configurations in a given namespace, on a given date. The endpoint provides parameters to further narrow
down the result to a specific configuration, on the entire Rubrik cluster or a single node.

Parameters to filter the list of configuration updates


The results of a GET request to the /config/history/list_updates endpoint can be filtered using the following
parameters.

Query string parameter | Required | Type | Description
limit | Optional | Integer | Type an integer to specify the maximum number of matching configuration parameters that will be returned in the data array of the response. Available memory may prevent the return of all elements for very large limit values. When that occurs, the response includes "hasMore": true.
offset | Optional | Integer | Type an integer to specify the index reference point to use when determining the elements to include in a response. The response includes the next element after the index number specified by offset. The default value is 0, which means the list page that is provided in the response starts with the first element in the list.
api_user | Optional | String | Specify the name of a user account. The response will include the configuration updates made by the specified user account.
node_id | Optional | String | Specify the name of the node for which the configuration updates are returned. If a value for node_id is not specified, the response will include both local and cluster wide configuration updates that match the request. Type cluster to filter the cluster wide configuration updates.
namespace | Optional | String | Specify the namespace of the configuration parameter. The response will include the configuration parameters that belong to the specified namespace. For example, managedVolume, blobstore, local_callisto, are some namespace values in a Rubrik cluster.
name | Optional | String | Specify the name of the configuration parameter. The response will include the details of the specified configuration parameter. For example, nfsDefaultOptions.
source | Optional | String | Select an option from the drop-down list. The response will include the configuration parameters whose values were changed due to the selected option. Choose from: Unknown, CustomerApi, Upgrade, ResetNode, Software, Init.
after_time | Optional | String | Specify a time. The response will include the configuration values that were updated between the specified time and the time the request was made. If before_time is also specified, the response will include the configuration values that were updated between the two timestamps. Format: YYYY-MM-DDTHH:MM:SS.SSSZ. Timezone: UTC.
before_time | Optional | String | Specify a time. The response will include the configuration values that were updated before the specified time. Use in conjunction with the after_time parameter. The default value is the timestamp of the request. Format: YYYY-MM-DDTHH:MM:SS.SSSZ. Timezone: UTC.

Viewing a list of configuration updates


Retrieve a list of configuration updates filtered by various criteria.

Prerequisites
Create an authorized Rubrik REST API session. To use the Rubrik REST API playground for this task,
authorize the session on the "v1" API branch.

Context
The steps in this task describe how to view the old value and the new value of the configuration
parameters for a Rubrik cluster or node. Use the after_time and before_time filters to narrow down the
results to a specific period of time.

Procedure
1. Open https://$RubrikCluster/docs/v1/playground/.
2. Click /config/history.
The listing expands to show all the operations for that endpoint.
3. Click GET /config/history/list_updates.
The endpoint listing displays a list of parameters that can be used to filter the results.
4. Click Try it out.
The parameters become editable.
5. Optional: To filter the results of the GET operation, provide appropriate values for the parameters.
6. Click Execute to send the request.
A successful request returns a list of JSON objects representing the configuration updates that are
narrowed down by the filter values.

{
  "data": [
    {
      "nodeId": "cluster",
      "namespace": "managedVolume",
      "name": "managedVolumeSnapshotExportJobRetries",
      "oldValue": "None",
      "newValue": "3",
      "apiUser": "",
      "modifiedDateTime": "2021-02-07T19:32:44.619Z",
      "source": "RESET_NODE"
    }
  ]
}

Result
The Rubrik REST API server responds with a JSON object for a specific configuration parameter if the
configuration name is specified. If the configuration name is not specified, the response contains a list of
the configuration values that meet all specified filters.
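
The following added example (not part of the Rubrik guide and not Rubrik code) builds a list_updates request for one audit window and picks out the updates that are not attributable to an automated source. Assumptions: the /api/v1 base path, the host rubrik.example.com, the function names, and the second sample record, which is constructed.

```python
import urllib.parse
from datetime import datetime, timezone

API_BASE = "/api/v1"  # assumption: REST base path behind the "v1" playground branch
AUTOMATED = {"upgrade", "resetnode", "software", "init"}  # from the source filter list

def rubrik_time(dt):
    """Render an aware datetime as YYYY-MM-DDTHH:MM:SS.SSSZ in UTC."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime; the filters expect UTC")
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{dt.microsecond // 1000:03d}Z"

def list_updates_url(cluster, after, before=None, **filters):
    """Build the GET /config/history/list_updates URL for one audit window."""
    if before is not None and before <= after:
        raise ValueError("before_time must be later than after_time")
    query = {"after_time": rubrik_time(after)}
    if before is not None:
        query["before_time"] = rubrik_time(before)
    query.update({k: v for k, v in filters.items() if v is not None})
    path = f"https://{cluster}{API_BASE}/config/history/list_updates"
    return path + "?" + urllib.parse.urlencode(query)

def norm_source(value):
    """Match 'ResetNode' (filter spelling) and 'RESET_NODE' (response spelling)."""
    return value.replace("_", "").lower()

def needs_review(updates):
    """Return updates whose source is CustomerApi, Unknown or missing, oldest first."""
    flagged = [u for u in updates
               if norm_source(u.get("source", "Unknown")) not in AUTOMATED]
    return sorted(flagged, key=lambda u: u["modifiedDateTime"])

# First record is the guide's sample response; the second is constructed.
SAMPLE = {"data": [
    {"nodeId": "cluster", "namespace": "managedVolume",
     "name": "managedVolumeSnapshotExportJobRetries", "oldValue": "None", "newValue": "3",
     "apiUser": "", "modifiedDateTime": "2021-02-07T19:32:44.619Z", "source": "RESET_NODE"},
    {"nodeId": "cluster", "namespace": "managedVolume",
     "name": "exampleParameter", "oldValue": "None", "newValue": "example-value",
     "apiUser": "example-user", "modifiedDateTime": "2021-02-08T03:10:00.000Z",
     "source": "CustomerApi"},
]}

if __name__ == "__main__":
    window = (datetime(2021, 2, 7, tzinfo=timezone.utc), datetime(2021, 2, 9, tzinfo=timezone.utc))
    print(list_updates_url("rubrik.example.com", *window, namespace="managedVolume"))
    for u in needs_review(SAMPLE["data"]):
        print(u["modifiedDateTime"], u["name"], u["oldValue"], "->", u["newValue"], u["apiUser"] or "-")
```
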
Related Tasks
Authorizing a Rubrik REST API session
Obtain an authorization token and create an authorized session in the Rubrik REST API playground.
Related reference
Parameters to filter the list of configuration updates
The results of a GET request to the /config/history/list_updates endpoint can be filtered using the following
parameters.
HTTP status codes
HTTP status codes provide information on the results of the /config/history API requests.

Parameters to filter configuration values by date


The results of a GET request to the /config/history/ondate endpoint can be filtered using the following
parameters.

Query string parameter Required Type Description

limit Optional Integer Type an integer to specify the maximum number
of matching configuration parameters that will
be returned in the data array of the response.
Available memory may prevent the return of all
elements for very large limit values. When that
occurs, the response includes "hasMore": true.

offset Optional Integer Type an integer to specify the index reference point
to use when determining the elements to include
in a response. The response includes the next
element after the index number specified by offset.
The default value is 0, which means the list page
that is provided in the response starts with the first
element in the list.

node_id Optional String Specify the name of the node for which the
configuration updates are returned.
If a value for node_id is not specified, the
response will include both local and cluster-wide
configuration updates that match the request.
Type cluster to filter the cluster-wide
configuration updates.

namespace Required String Specify the namespace of the configuration
parameter. The response will include the
configuration parameters that belong to the
specified namespace.
For example, managedVolume, blobstore, and
local_callisto are some namespace values in a
Rubrik cluster.

name Optional String Specify the name of the configuration parameter.
The response will include the details of the
specified configuration parameter.
For example, nfsDefaultOptions.

on_date Required String Specify a time. The response will include the
configuration values that were in place at the
specified time.

Format: YYYY-MM-DDTHH:MM:SS.SSSZ
Timezone: UTC

Viewing configuration values by date


Retrieve a list of configuration values on a specified date.

Prerequisites
Create an authorized Rubrik REST API session. To use the Rubrik REST API playground for this task,
authorize the session on the "v1" API branch.

Context
The steps in this task describe how to get the values of the configuration parameters in a given
namespace, on a specific date, for a Rubrik cluster or node. Provide the name of a configuration parameter
to get the value of the specific parameter.

Procedure
1. Open https://$RubrikCluster/docs/v1/playground/.
2. Click /config/history.
The listing expands to show all the operations for that endpoint.
3. Click GET /config/history/ondate.
The endpoint listing displays a list of parameters that can be used to filter the results.
4. Click Try it out.
The parameters become editable.
5. In namespace, type the namespace of the configuration parameter.
namespace is a required parameter.
6. In on_date, type the timestamp to retrieve the value of the configuration parameter at that time.
on_date is a required parameter.
7. Optional: To further filter the results of the GET operation, provide appropriate values for the other
parameters.
8. Click Execute to send the request.
A successful request returns a list of JSON objects representing the configuration parameters that are
narrowed down by the filter values.

{
  "data": [
    {
      "namespace": "managedVolume",
      "name": "managedVolumeSnapshotExportJobRetries",
      "defaultValue": "3",
      "onDate": "2021-02-08T17:00:00.000Z",
      "valueOnDate": "3",
      "currentValue": "3",
      "nodeId": "cluster"
    }
  ]
}

Result
The Rubrik REST API server responds with a JSON object for a specific configuration parameter if the
configuration name is specified along with the namespace and the on_date values. If the configuration
name is not specified, the response contains a list of all the configuration values in the specified
namespace, on the given date.
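
The following added example (not part of the Rubrik guide and not Rubrik code) pages through an ondate result using limit, offset and hasMore, then reports parameters whose value on the date differs from the current value or from the default. Assumptions: the function names, the get_page callable that stands in for an authenticated GET request, and every record after the first, which are constructed.

```python
# Records in the shape of the guide's /config/history/ondate response.
# Only the first is the guide's sample; the other names and values are constructed.
CONSTRUCTED = [
    {"namespace": "managedVolume", "name": "managedVolumeSnapshotExportJobRetries",
     "defaultValue": "3", "onDate": "2021-02-08T17:00:00.000Z",
     "valueOnDate": "3", "currentValue": "3", "nodeId": "cluster"},
    {"namespace": "managedVolume", "name": "exampleParamA",
     "defaultValue": "10", "onDate": "2021-02-08T17:00:00.000Z",
     "valueOnDate": "10", "currentValue": "60", "nodeId": "cluster"},
    {"namespace": "managedVolume", "name": "exampleParamB",
     "defaultValue": "true", "onDate": "2021-02-08T17:00:00.000Z",
     "valueOnDate": "false", "currentValue": "false", "nodeId": "cluster"},
]

def fake_get_page(params):
    """Hypothetical stand-in for an authenticated GET /config/history/ondate."""
    start = params["offset"]
    stop = start + params["limit"]
    return {"data": CONSTRUCTED[start:stop], "hasMore": stop < len(CONSTRUCTED)}

def fetch_on_date(get_page, namespace, on_date, limit=2):
    """Collect all records, advancing offset while the response reports hasMore."""
    if not namespace or not on_date:
        raise ValueError("namespace and on_date are required parameters")
    records, offset = [], 0
    while True:
        page = get_page({"namespace": namespace, "on_date": on_date,
                         "limit": limit, "offset": offset})
        data = page.get("data", [])
        records.extend(data)
        if not data or not page.get("hasMore"):
            return records
        offset += len(data)

def drift(records):
    """Tag parameters changed since the date or already non-default on it."""
    findings = []
    for r in records:
        tags = []
        if r["valueOnDate"] != r["currentValue"]:
            tags.append("changed-since-date")
        if r["valueOnDate"] != r["defaultValue"]:
            tags.append("non-default-on-date")
        if tags:
            findings.append((r["nodeId"], r["name"], tags))
    return findings

if __name__ == "__main__":
    for f in drift(fetch_on_date(fake_get_page, "managedVolume", "2021-02-08T17:00:00.000Z")):
        print(f)
```
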
Related Tasks
Authorizing a Rubrik REST API session
Obtain an authorization token and create an authorized session in the Rubrik REST API playground.
Related reference
Parameters to filter configuration values by date
The results of a GET request to the /config/history/ondate endpoint can be filtered using the following
parameters.
HTTP status codes
HTTP status codes provide information on the results of the /config/history API requests.

HTTP status codes


HTTP status codes provide information on the results of the /config/history API requests.

Status Code Description


200 OK The request is successful and the Rubrik REST API server returns the
response.
403 Forbidden The request fails because the requestor has insufficient authorization
to perform the requested action.
422 Unprocessable Entity The request fails due to an invalid parameter value.
Used with some Rubrik REST API endpoints when there is a failure of
user authentication.
