Veeam

Veeam v13: Backup Validation at Scale

Eric Black

Eric Black

9 min read
Veeam v13 SureBackup Validation Automation PowerShell Scale

Veeam v13 Series | Component: VBR v13, Veeam ONE v13 | Audience: Enterprise Architects, MSP Engineers, Hands on Sysadmins

SureBackup is one of the most underused features in Veeam. Most environments run it on a handful of critical VMs and call it done. The other 200 VMs in the environment have never had their backup data verified. Nobody knows if those backups are actually restorable until someone tries to restore from one.

At scale, manual SureBackup configuration does not work. You need a structured approach: lab orchestration that does not consume production resources, rotating verification schedules that cover your entire VM inventory over time, automated result collection, and reporting that proves to an auditor or a customer that backup data has been verified, not just collected.

This article covers all of it.

1. How SureBackup Actually Works

SureBackup starts a VM directly from a backup file using Instant Recovery technology. It mounts the backup as a datastore, powers the VM on in an isolated virtual lab network, and runs verification tests against it. The VM never touches production storage or networking during the test.

Three things happen during a SureBackup test:

  • Heartbeat check. Confirms the VM powers on and VMware Tools or Hyper-V integration services report a healthy state.
  • Ping test. Confirms network stack is running inside the isolated lab.
  • Application test. For VMs with application aware roles configured (SQL, Exchange, AD, web), Veeam runs a script inside the VM to verify the application is responding. For SQL this means querying the database. For AD this means confirming LDAP responds. For web it means an HTTP check against a configured URL.

If all three pass, the backup is marked as verified. If any fail, SureBackup logs the failure and triggers a Veeam ONE alarm if monitoring is configured.

What SureBackup Does Not Test

SureBackup verifies that a VM starts and its primary application responds. It does not verify data integrity at the application level, replication lag, or whether the data inside the application is complete. A SQL Server that starts and responds to a basic query passes SureBackup even if the database files are partially corrupt. For databases, supplement SureBackup with periodic full restore and integrity check tests for your most critical workloads.

2. Virtual Lab Design for Scale

The virtual lab is the isolated network environment where SureBackup runs VMs. Getting the lab design right is what makes or breaks SureBackup at scale.

Lab Resource Requirements

SureBackup runs VMs from backup files using Instant Recovery. The VM runs directly from the backup datastore with writes going to a redo log. Resource requirements during a SureBackup run:

ResourceRequirementNotes
CPUCores equal to the VMs running concurrently in the labEach VM in the lab uses its configured vCPU count. Limit concurrent VMs to available cores.
RAMSum of RAM for all concurrently running VMsDefault SureBackup runs 1 VM at a time per Application Group. Adjust max concurrent VMs to fit available RAM.
StorageRedo log space only. No full VM copy needed.Redo logs are written to the datastore specified in the Virtual Lab settings. 10 to 20 GB per VM being tested is a conservative estimate.
NetworkIsolated port group. No production network access.The isolated lab network is created automatically. A proxy appliance handles masquerading if lab VMs need outbound access for application tests.

Multiple Lab Design for Large Environments

For environments with 100 or more VMs to verify, use multiple virtual labs assigned to different Application Groups and SureBackup jobs. This parallelizes verification across lab instances without overloading a single lab's resources.

  • Create one virtual lab per cluster or per resource pool if resources are segmented
  • Assign each lab a dedicated redo log datastore so labs do not compete for storage I/O
  • Stagger SureBackup job schedules so labs do not all run simultaneously unless resources support it
  • For MSP environments, consider one lab per tenant tier to isolate test traffic

3. Rotating Verification Schedule

You cannot run all 200 VMs through SureBackup every night. The resource requirements alone make that impractical for most environments. The right approach is a rotating schedule that guarantees every VM in the environment gets verified on a defined cadence.

Schedule Design

TierVerification FrequencyMethod
Tier 1: Critical infrastructure (DCs, core databases, primary app servers)WeeklyDedicated SureBackup job, runs Sunday night
Tier 2: Business applicationsEvery two weeksRotating SureBackup jobs, alternating weeks
Tier 3: Secondary systemsMonthlyMonthly SureBackup job, first Sunday of month
Tier 4: Non productionQuarterly or on demandManual SureBackup or scripted quarterly run

Structure SureBackup Application Groups to match your workload tiers. Group VMs by tier in Veeam ONE Business View and use those groups as the basis for Application Group membership.

4. Automating Verification with PowerShell

For large VM inventories, managing Application Group membership manually does not scale. Use PowerShell to automate group membership updates and to trigger verification runs on demand or on schedule outside of the VBR UI.

Query All VMs Without Recent Verification

PowerShell: Find VMs not verified in the last 30 days
Connect-VBRServer -Server "vbr-server.domain.local"

$cutoffDate = (Get-Date).AddDays(-30)
$results    = @()

# Get all SureBackup sessions and their per-VM task results
$vsbSessions = Get-VSBSession | Sort-Object CreationTime -Descending

# Build a lookup: most recent VSB task result per VM name
$lastVerifiedByVM = @{}
foreach ($session in $vsbSessions) {
    $tasks = Get-VSBTaskSession -Session $session
    foreach ($task in $tasks) {
        if (-not $lastVerifiedByVM.ContainsKey($task.Name)) {
            $lastVerifiedByVM[$task.Name] = $task
        }
    }
}

# Compare against all protected VMs
$allVMs = Get-VBRProtectedVM
foreach ($vm in $allVMs) {
    $lastTask = $lastVerifiedByVM[$vm.Name]
    $neverVerified  = ($lastTask -eq $null)
    $verifiedRecent = (-not $neverVerified -and $lastTask.EndTime -gt $cutoffDate)

    if ($neverVerified -or -not $verifiedRecent) {
        $results += [PSCustomObject]@{
            VMName       = $vm.Name
            BackupJob    = $vm.JobName
            LastVerified = if ($lastTask) { $lastTask.EndTime } else { "Never" }
            LastResult   = if ($lastTask) { $lastTask.Status } else { "Not Run" }
        }
    }
}

$results | Export-Csv -Path "C:\Reports\UnverifiedVMs.csv" -NoTypeInformation
Write-Host "Found $($results.Count) VMs without recent SureBackup verification."

Disconnect-VBRServer

Trigger a SureBackup Job on Demand

PowerShell: Start a SureBackup job and wait for completion
Connect-VBRServer -Server "vbr-server.domain.local"

$job = Get-VSBJob -Name "SureBackup - Tier1 Weekly"

$session = Start-VSBJob -Job $job
Write-Host "SureBackup job started. Session ID: $($session.Id)"

# Wait for completion
do {
    Start-Sleep -Seconds 30
    $session = Get-VSBSession -Id $session.Id
    Write-Host "Status: $($session.State) | $((Get-Date).ToString('HH:mm:ss'))"
} while ($session.State -eq "Working")

Write-Host "Job completed with result: $($session.Result)"

# Export results
$tasks = Get-VSBTaskSession -Session $session
$tasks | Select-Object Name, Result, Details |
    Export-Csv "C:\Reports\SureBackup-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

Disconnect-VBRServer

Automated Custom Verification Script

SureBackup allows custom test scripts to run inside VMs after the heartbeat and ping checks. This is how you verify application specific behavior beyond what the standard tests cover.

Example: Custom SQL verification script (runs inside the VM)
# This script runs INSIDE the VM being tested by SureBackup
# It must exit with code 0 for success, non zero for failure

$server = $env:COMPUTERNAME
$testQuery = "SELECT COUNT(*) FROM sys.databases WHERE state = 0"

try {
    $result = Invoke-Sqlcmd -ServerInstance $server `
                            -Query $testQuery `
                            -QueryTimeout 30
    $onlineDBCount = $result.Column1

    if ($onlineDBCount -gt 0) {
        Write-Host "SUCCESS: $onlineDBCount databases online on $server"
        exit 0
    } else {
        Write-Host "FAILURE: No databases online on $server"
        exit 1
    }
} catch {
    Write-Host "FAILURE: SQL query failed - $($_.Exception.Message)"
    exit 1
}

5. Collecting and Reporting Results at Scale

SureBackup results are stored in the VBR database and surfaced in Veeam ONE reports. For large environments you need both automated result collection and a reporting layer that tells you coverage percentage across the entire VM inventory.

Veeam ONE Reports for Verification Coverage

Three Veeam ONE reports give you the validation picture you need:

  • SureBackup Job Statistics. Job level pass/fail results with timing. Schedule this to email weekly.
  • Protected VMs report. Shows last verified date per VM. Cross reference against your rotation schedule to identify gaps.
  • Backup SLA report. Combines protection status and verification status. The compliance view for auditors.

Building a Verification Coverage Dashboard

The PowerShell script below queries VBR and produces a CSV showing verification coverage across the full VM inventory. Schedule this as a weekly task and email the output to your backup team and management.

PowerShell: Full verification coverage report
Connect-VBRServer -Server "vbr-server.domain.local"

# Build lookup of most recent SureBackup result per VM
$lastVerifiedByVM = @{}
$vsbSessions = Get-VSBSession | Sort-Object CreationTime -Descending

foreach ($session in $vsbSessions) {
    $tasks = Get-VSBTaskSession -Session $session
    foreach ($task in $tasks) {
        if (-not $lastVerifiedByVM.ContainsKey($task.Name)) {
            $lastVerifiedByVM[$task.Name] = $task
        }
    }
}

$report = @()
$allVMs = Get-VBRProtectedVM

foreach ($vm in $allVMs) {
    $lastTask = $lastVerifiedByVM[$vm.Name]
    $daysSince = if ($lastTask) {
        [int]((Get-Date) - $lastTask.EndTime).TotalDays
    } else { 9999 }

    $report += [PSCustomObject]@{
        VMName             = $vm.Name
        BackupJob          = $vm.JobName
        LastVerified       = if ($lastTask) { $lastTask.EndTime.ToString("yyyy-MM-dd HH:mm") } else { "Never" }
        VerificationResult = if ($lastTask) { $lastTask.Status } else { "Not Run" }
        DaysSinceVerified  = $daysSince
    }
}

$totalVMs   = $report.Count
$verifiedOK = ($report | Where-Object {
    $_.VerificationResult -eq "Success" -and $_.DaysSinceVerified -le 30
}).Count
$coverage = if ($totalVMs -gt 0) {
    [math]::Round(($verifiedOK / $totalVMs) * 100, 1)
} else { 0 }

Write-Host "Verification Coverage (last 30 days): $coverage% ($verifiedOK of $totalVMs VMs)"

$report | Sort-Object DaysSinceVerified -Descending |
    Export-Csv "C:\Reports\VerificationCoverage-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

Disconnect-VBRServer

6. SureBackup for MSP Environments

MSPs running Cloud Connect face additional complexity. Tenant VMs stored in cloud repositories need verification too, but running SureBackup against cloud hosted backup data requires either restoring to the SP infrastructure or providing tenants with a self service verification option.

Options for Tenant Backup Verification

MethodHow It WorksProsCons
SP side SureBackupSP runs SureBackup against tenant cloud repository using SP virtual labCentrally managed, SP controls scheduleSP resource consumption, tenant data handled by SP infrastructure
Tenant side SureBackupTenant runs SureBackup against their local backup copy (not cloud copy)No SP resource impact, tenant owns verificationDoes not verify the cloud copy specifically
Scheduled restore testSP periodically restores a sample VM from tenant cloud repo to isolated SP labVerifies actual cloud copy is restorableMore resource intensive, requires scheduling coordination

For MSPs with SLA commitments on tenant backup recoverability, the SP side SureBackup or scheduled restore test is the only approach that actually verifies the cloud copy. Tenant side verification proves their local backup is good but says nothing about what is in your cloud repository.

Key Takeaways

  • SureBackup verifies that a VM starts and its primary application responds. It does not verify application data integrity. Supplement with periodic full restore tests for critical databases.
  • Design virtual labs around your resource constraints. One lab per cluster or resource pool prevents contention. Stagger job schedules to avoid simultaneous lab saturation.
  • A rotating verification schedule is the only practical way to achieve full VM inventory coverage. Tier your VMs and assign verification frequency by tier.
  • PowerShell automates group membership management and result collection at scale. SureBackup results live in VSB sessions and task sessions, not on protected VM objects. Use Get-VSBSession and Get-VSBTaskSession to build a verification history per VM.
  • Custom verification scripts inside VMs give you application specific validation beyond heartbeat and ping. Exit code 0 means pass, non-zero means fail.
  • For MSPs, verifying tenant cloud copies requires SP side SureBackup or periodic restore tests. Tenant side verification does not prove the cloud copy is restorable.
  • Veeam ONE Backup SLA report is the single best view of verification coverage for compliance and audit purposes. Schedule it weekly to a compliance inbox.

Read more