Veeam

The Backup Decommission Problem -- Retiring Infrastructure, Orphaned Jobs, GFS Archives, and Secure Deletion

Eric Black

Eric Black

8 min read
Veeam v13 Decommission Retention Compliance GFS Archive Orphaned Backups

Veeam v13 Series | Component: VBR v13 | Audience: Backup Administrators, Compliance Teams

Nobody writes runbooks for decommissioning backup infrastructure, and it shows. The documentation covers how to set things up, not how to shut them down responsibly. So when the time comes to retire a VBR server, migrate to new hardware, consolidate repositories, or deal with the backup history of a workload that no longer exists, most teams figure it out as they go and make decisions they later regret.

Two distinct parts, both needing different treatment. The first is retiring active backup infrastructure: the VBR server itself, proxy servers, repositories, or the organization migrating away from Veeam entirely. The second is handling retention obligations on data from workloads that no longer exist: VMs that were decommissioned, applications that were retired, or customers who churned in an MSP context. Both have compliance implications that can outlive the operational need for the infrastructure.

1. Before You Decommission Anything: The Retention Audit

Before touching anything, answer three questions for every backup job and repository in scope:

  • Does any retention obligation extend beyond the planned decommission date? GFS yearly archives set to 7 years mean you have backup data that needs to exist and be restorable for 7 years from the last backup run. If you decommission the repository holding that data, the obligation doesn't go away.
  • Is there an active compliance or legal hold on any data in this backup chain? Legal holds, eDiscovery requests, and regulatory retention requirements don't care that the workload was retired. Check with legal or compliance before deleting backup data for any system that was subject to financial reporting, healthcare data obligations, or active litigation.
  • Who has the authority to approve deletion? Deleting backup data should require sign off from someone outside the IT team: a data owner, a compliance officer, or a manager with accountability for the decision. Document the approval. This matters if someone asks six months later why the data is gone.

2. Handling Orphaned Backup Jobs

Orphaned backup jobs are jobs that no longer have a functioning source. The VM was deleted, the server was retired, the application was decommissioned. VBR shows these as jobs with no objects or jobs that consistently fail to find the source. They're common in environments that have been running for years and accumulate technical debt in the job list.

Orphaned jobs still have restore points in the repository. Disabling or deleting the job doesn't delete the restore points. The restore points stay in the repository and count against capacity until they age out of the retention window and VBR removes them during the next retention processing cycle. If the retention window is 30 days, orphaned restore points will be gone in 30 days after the job stops running. If GFS is enabled with a 7-year yearly archive, one of those restore points will sit in the repository for 7 years.

Never delete restore points directly from the filesystem or object storage bucket. VBR maintains metadata about every restore point in its database. Deleting files directly bypasses the metadata update and leaves VBR with references to data that no longer exists. This causes errors during retention processing, space accounting discrepancies, and potentially causes VBR to fail to write new backup data to the repository because it thinks space is allocated to blocks that are actually gone.

The Right Sequence for Retiring a Job

  1. Verify the retention obligation for this job's data with data owner and compliance.
  2. If the data needs to be retained but doesn't need to be actively protected, export the final restore point to a separate long term retention repository or tape before stopping the job. This preserves the data in a storage location you're actively managing for that purpose.
  3. Disable the job in VBR. Disabling stops new backup runs while leaving existing restore points intact.
  4. After the retention window expires and VBR processes retention (removing aged restore points), verify in VBR that no restore points for this job remain in any repository.
  5. Delete the job from VBR. At this point the job and its data are fully retired.

3. Migrating to New VBR Infrastructure

Migrating to a new VBR server (new hardware, new OS, or consolidating multiple VBR instances) requires moving the configuration database and optionally the backup repositories. The database migration is the critical path: the configuration backup and restore with Migration mode covered in the PostgreSQL article applies here. The repository migration is secondary but deserves its own planning.

Repository Migration Options

  • Keep existing repositories, repoint to new VBR: If the repository hardware isn't changing, update the repository configuration in the new VBR to point to the same storage. Backup chains continue intact. This is the least disruptive path when only the VBR server is changing.
  • Copy repository data to new storage, remap in VBR: If you need to move repository data to new storage hardware, copy the backup files to the new location and update the repository path in VBR before deleting the old copy. VBR should be able to rescan the new path and recognize the existing backup chains. Test this with a single job's data before committing to a full migration.
  • Let retention clean up the old location: For non critical jobs where continuity of backup chains doesn't matter, stopping old jobs and starting new ones targeting new infrastructure is acceptable. Old restore points age out naturally. You lose the historical restore chain depth but gain a clean start on the new infrastructure.

4. GFS Archives After the Job Stops

GFS flagged restore points are the most common source of long lived data retention problems. A backup job with a 7-year GFS yearly archive creates one restore point per year that's flagged as permanent for its retention period. When the workload is decommissioned and the backup job is disabled, those GFS flagged restore points don't disappear. They stay in the repository for the remainder of their retention period.

For most organizations this is the right behavior: regulatory and compliance retention requirements are why you set 7-year GFS in the first place, and they don't expire when the workload does. The operational implication is that decommissioned workload backup data can occupy significant repository space for years after the workload itself is gone. Build this into your capacity planning. A workload with 5 years of 7-year GFS yearly archives still occupies approximately 5 times the full backup size in your repository even after decommission, and it stays there for up to 7 years from the last archive point.

For MSPs managing Cloud Connect tenant repositories, this means churned customers whose data has long term GFS retention may occupy repository space well past the end of the customer relationship. Your service agreement should specify who owns long term retention data after the customer churns and who pays for the storage. The time to clarify this is in the contract, not when a former customer's data is still in your repository two years after they left.

5. Secure Data Deletion

When backup data is genuinely eligible for deletion, delete it through VBR's interface, not by removing files directly. For object storage repositories, VBR's delete operation sends properly sequenced API calls that update metadata before deleting objects. For local repositories, VBR updates its database before removing files. Both paths leave VBR in a consistent state.

For regulated environments where secure deletion is required (HIPAA, PCI, financial data), deleting through VBR's interface removes the data from the repository but doesn't cryptographically wipe the underlying storage. For local disk, secure deletion requires overwriting the freed blocks. For object storage with encryption enabled, deleting the encryption key effectively renders the data unrecoverable without a filesystem level wipe. Document which secure deletion approach applies to each repository type in your environment, and get confirmation from your compliance team that the approach satisfies the applicable requirement.

Key Takeaways

  • Before decommissioning any backup infrastructure, audit retention obligations. GFS archives, legal holds, and regulatory requirements don't expire when the workload does. Get sign off from outside the IT team and document the approval before deleting anything.
  • Disabling a backup job stops new runs but doesn't delete existing restore points. Restore points age out naturally over the retention window. GFS flagged restore points stay for their full GFS retention period regardless of whether the job is running.
  • Don't delete backup files directly from the filesystem or object storage. Always go through VBR's interface. Direct deletion bypasses metadata updates and leaves VBR with broken references that cause errors during retention processing and space accounting.
  • GFS flagged restore points for decommissioned workloads can occupy repository space for years. Build this into capacity planning. A workload with 5 years of 7-year yearly GFS archives occupies roughly 5 full backup sizes in your repository even after decommission.
  • For MSPs, churned customer data with long term GFS retention stays in your repository past the end of the customer relationship. Clarify data ownership and storage cost responsibility in the service agreement before it becomes a dispute with a former customer.
  • Deleting backup data through VBR doesn't cryptographically wipe the underlying storage. For regulated environments requiring secure deletion, document the approach per repository type and confirm with compliance that it satisfies the applicable requirement.

Read more