Merge pull request #99829 from vrvkrajesh/master

Added Comments

Author: ShannonLeavitt

articles/backup/backup-azure-file-folder-backup-faq.md

@@ -154,13 +154,13 @@ The Azure Backup agent requires a passphrase (that you provided during registrat
 
 | Original Machine <br> *(source machine where backups were taken)* | Passphrase | Available Options |
 | --- | --- | --- |
-| Available |Lost |If your original machine (where backups were taken) is available and still registered with the same Recovery Services vault, then you will be able to regenerate the passphrase by following these <steps>  |
+| Available |Lost |If your original machine (where backups were taken) is available and still registered with the same Recovery Services vault, then you will be able to regenerate the passphrase by following these [steps](https://docs.microsoft.com/azure/backup/backup-azure-manage-mars#re-generate-passphrase).  |
 | Lost |Lost |Not possible to recover the data or data is not available |
 
 Consider the following conditions:
 - If you uninstall & re-register the agent on the same original machine with
- - *Same passphrase*, then you will be able to restore your backed up data.<br>
- - *Different passphrase*, then you will not be able to restore your backed up data.
+  - *Same passphrase*, then you will be able to restore your backed up data.<br>
+  - *Different passphrase*, then you will not be able to restore your backed up data.
 -	If you install the agent on a *different machine* with<br>
   - the same passphrase (used in the original machine), then you will be able to restore your backed up data.<br>
   - a different passphrase, you will not be able to restore your backed up data.<br>
@@ -172,7 +172,7 @@ If you have the same passphrase (that you provided during registration) of the o
 
 | Original Machine | Passphrase | Available Options |
 | --- | --- | --- |
-| Lost |Available |You can install and register the MARS agent on another machine with the same passphrase that you provided during registration of the original machine. Choose **Recovery Option** > **Another location** to perform your restore. For more information, see
+| Lost |Available |You can install and register the MARS agent on another machine with the same passphrase that you provided during registration of the original machine. Choose **Recovery Option** > **Another location** to perform your restore. For more information, refer to this [article](https://docs.microsoft.com/azure/backup/backup-azure-restore-windows-server#use-instant-restore-to-restore-data-to-an-alternate-machine).
 | Lost |Lost |Not possible to recover the data or data is not available |
 
 

articles/backup/backup-sql-server-azure-troubleshoot.md

@@ -1,5 +1,5 @@
 ---
-title: Troubleshoot SQL Server database backup 
+title: Troubleshoot SQL Server database backup
 description: Troubleshooting information for backing up SQL Server databases running on Azure VMs with Azure Backup.
 ms.topic: troubleshooting
 ms.date: 06/18/2019
@@ -15,6 +15,25 @@ For more information about the backup process and limitations, see [About SQL Se
 
 To configure protection for a SQL Server database on a virtual machine, you must install the **AzureBackupWindowsWorkload** extension on that virtual machine. If you get the error **UserErrorSQLNoSysadminMembership**, it means your SQL Server instance doesn't have the required backup permissions. To fix this error, follow the steps in [Set VM permissions](backup-azure-sql-database.md#set-vm-permissions).
 
+## Troubleshoot discover and configure issues
+After creating and configuring a Recovery Services vault, discovering databases and configuring backup is a two-step process.<br>
+
+![sql](./media/backup-azure-sql-database/sql.png)
+
+During the backup configuration, if the SQL VM and its instances are not visible in the **Discovery DBs in VMs** and **Configure Backup** (refer to above image) ensure that:
+
+### Step 1: Discovery DBs in VMs
+
+- If the VM is not listed in the discovered VM list and also not registered for SQL backup in another vault, then follow the [Discovery SQL Server backup](https://docs.microsoft.com/azure/backup/backup-sql-server-database-azure-vms#discover-sql-server-databases) steps.
+
+### Step 2: Configure Backup
+
+- If the vault in which the SQL VM is registered in the same vault used to protect the databases, then follow the [Configure Backup](https://docs.microsoft.com/azure/backup/backup-sql-server-database-azure-vms#configure-backup) steps.
+
+If the SQL VM needs to be registered in the new vault, then it must be unregistered from the old vault.  Unregistration of a SQL VM from the vault requires all the protected data sources to be stop protected and then you can delete the backed up data. Deleting backed up data is a destructive operation.  After you have reviewed and taken all the precautions to unregister the SQL VM, then register this same VM with a new vault and retry the backup operation.
+
+
+
 ## Error messages
 
 ### Backup type unsupported
@@ -120,18 +139,27 @@ Operation is blocked as you have reached the limit on number of operations permi
 |---|---|---|
 Operation is blocked as the vault has reached its maximum limit for such operations permitted in a span of 24 hours. | When you have reached the maximum permissible limit for an operation in a span of 24 hours, this error comes. This error usually comes when there are at-scale operations such as modify policy or auto-protection. Unlike in the case of CloudDosAbsoluteLimitReached, there is not much you can do to resolve this state, in fact, Azure Backup service will retry the operations internally for all the items in question.<br> For example: If you have a large number of datasources protected with a policy and you try to modify that policy, it will trigger configure protection jobs for each of the protected items and sometimes may hit the maximum limit permissible for such operations per day.| Azure Backup service will automatically retry this operation after 24 hours.
 
+### UserErrorVMInternetConnectivityIssue
+
+| Error message | Possible causes | Recommended action |
+|---|---|---|
+The VM is not able to contact Azure Backup service due to internet connectivity issues. | The VM needs outbound connectivity to Azure Backup Service, Azure Storage or Azure Active Directory services.| - If you use NSG to restrict connectivity, then you should use the AzureBackup service tag to allows outbound access to Azure Backup to Azure Backup Service, Azure Storage or Azure Active Directory services. Follow these [steps](https://aka.ms/nsgrulesforsqlbackup) to grant access.<br>- Ensure DNS is resolving Azure endpoints.<br>- Check if the VM is behind a load balancer blocking internet access. By assigning public IP to the VMs, discovery will work.<br>- Verify there is no firewall/antivirus/proxy that is blocking calls to the above three target services.
+
+
 ## Re-registration failures
 
 Check for one or more of the following symptoms before you trigger the re-register operation:
 
 * All operations (such as backup, restore, and configure backup) are failing on the VM with one of the following error codes: **WorkloadExtensionNotReachable**, **UserErrorWorkloadExtensionNotInstalled**, **WorkloadExtensionNotPresent**, **WorkloadExtensionDidntDequeueMsg**.
 * The **Backup Status** area for the backup item is showing **Not reachable**. Rule out all the other causes that might result in the same status:
 
-  * Lack of permission to perform backup-related operations on the VM  
-  * Shutdown of the VM, so backups can’t take place
-  * Network issues  
+  * Lack of permission to perform backup-related operations on the VM.
+  * Shutdown of the VM, so backups can’t take place.
+  * Network issues.
+
+   ![re-registering VM](./media/backup-azure-sql-database/re-register-vm.png)
+
 
-  !["Not reachable" status in re-registering a VM](./media/backup-azure-sql-database/re-register-vm.png)
 
 * In the case of an Always On availability group, the backups started failing after you changed the backup preference or after a failover.
 

articles/backup/backup-sql-server-database-azure-vms.md

@@ -1,5 +1,5 @@
 ---
-title: Back up SQL Server databases in Azure VMs 
+title: Back up SQL Server databases in Azure VMs
 description: In this article, learn how to back up SQL Server databases on Azure virtual machines with Azure Backup.
 ms.reviewer: vijayts
 ms.topic: conceptual
@@ -37,32 +37,47 @@ For all operations, a SQL Server VM requires connectivity to Azure public IP add
 
 Establish connectivity by using one of the following options:
 
-* **Allow the Azure datacenter IP ranges**. This option allows [IP ranges](https://www.microsoft.com/download/details.aspx?id=41653) in the download. To access a network security group (NSG), use the Set-AzureNetworkSecurityRule cmdlet. If you're safe recipients list only region-specific IPs, you'll also need to update the safe recipients list the Azure Active Directory (Azure AD) service tag to enable authentication.
+#### Allow the Azure datacenter IP ranges
 
-* **Allow access using NSG tags**.  If you use NSG to restrict connectivity, then you should use AzureBackup service tag to allows outbound access to Azure Backup. In addition, you should also allow connectivity for authentication and data transfer by using [rules](https://docs.microsoft.com/azure/virtual-network/security-overview#service-tags)  for Azure AD and Azure Storage. This can be done from portal or PowerShell.
+This option allows the [IP ranges](https://www.microsoft.com/download/details.aspx?id=41653) in the downloaded file. To access a network security group (NSG), use the Set-AzureNetworkSecurityRule cmdlet. If your safe recipients list only includes region-specific IPs, you'll also need to update the safe recipients list the Azure Active Directory (Azure AD) service tag to enable authentication.
 
-    To create a rule using the portal:
+#### Allow access using NSG tags
 
-  * In **All Services**, go to **Network security groups** and select the network security group.
-  * Select **Outbound security rules** under **Settings**.
-  * Select **Add**. Enter all the required details for creating a new rule as described in [security rule settings](https://docs.microsoft.com/azure/virtual-network/manage-network-security-group#security-rule-settings). Ensure the option  **Destination** is set to **Service Tag** and **Destination service tag** is set to **AzureBackup**.
-  * Click **Add**, to save the newly created outbound security rule.
+If you use NSG to restrict connectivity, then you should use AzureBackup service tag to allows outbound access to Azure Backup. In addition, you should also allow connectivity for authentication and data transfer by using [rules](https://docs.microsoft.com/azure/virtual-network/security-overview#service-tags)  for Azure AD and Azure Storage. This can be done from the Azure portal or via PowerShell.
 
-   To create a rule using Powershell:
+To create a rule using the portal:
 
-  * Add Azure account credentials and update the national clouds<br/>
-    ``Add-AzureRmAccount``
-  * Select the NSG subscription<br/>
-    ``Select-AzureRmSubscription "<Subscription Id>"``
-  * Select the NSG<br/>
-    ```$nsg = Get-AzureRmNetworkSecurityGroup -Name "<NSG name>" -ResourceGroupName "<NSG resource group name>"```
-  * Add allow outbound rule for Azure Backup service tag<br/>
-   ```Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "AzureBackupAllowOutbound" -Access Allow -Protocol * -Direction Outbound -Priority <priority> -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "AzureBackup" -DestinationPortRange 443 -Description "Allow outbound traffic to Azure Backup service"```
-  * Save the NSG<br/>
-    ```Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg```
+  1. In **All Services**, go to **Network security groups** and select the network security group.
+  2. Select **Outbound security rules** under **Settings**.
+  3. Select **Add**. Enter all the required details for creating a new rule as described in [security rule settings](https://docs.microsoft.com/azure/virtual-network/manage-network-security-group#security-rule-settings). Ensure the option  **Destination** is set to **Service Tag** and **Destination service tag** is set to **AzureBackup**.
+  4. Click **Add**, to save the newly created outbound security rule.
 
-* **Allow access by using Azure Firewall tags**. If you're using Azure Firewall, create an application rule by using the AzureBackup [FQDN tag](https://docs.microsoft.com/azure/firewall/fqdn-tags). This allows outbound access to Azure Backup.
-* **Deploy an HTTP proxy server to route traffic**. When you back up a SQL Server database on an Azure VM, the backup extension on the VM uses the HTTPS APIs to send management commands to Azure Backup and data to Azure Storage. The backup extension also uses Azure AD for authentication. Route the backup extension traffic for these three services through the HTTP proxy. The extensions are the only component that's configured for access to the public internet.
+To create a rule using PowerShell:
+
+ 1. Add Azure account credentials and update the national clouds<br/>
+      `Add-AzureRmAccount`<br/>
+
+ 2. Select the NSG subscription<br/>
+      `Select-AzureRmSubscription "<Subscription Id>"`
+
+ 3. Select the NSG<br/>
+    `$nsg = Get-AzureRmNetworkSecurityGroup -Name "<NSG name>" -ResourceGroupName "<NSG resource group name>"`
+
+ 4. Add allow outbound rule for Azure Backup service tag<br/>
+    `Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "AzureBackupAllowOutbound" -Access Allow -Protocol * -Direction Outbound -Priority <priority> -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "AzureBackup" -DestinationPortRange 443 -Description "Allow outbound traffic to Azure Backup service"`
+
+ 5. Add allow outbound rule for Storage service tag<br/>
+    `Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "StorageAllowOutbound" -Access Allow -Protocol * -Direction Outbound -Priority <priority> -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "Storage" -DestinationPortRange 443 -Description "Allow outbound traffic to Azure Backup service"`
+
+ 6. Add allow outbound rule for AzureActiveDirectory service tag<br/>
+    `Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "AzureActiveDirectoryAllowOutbound" -Access Allow -Protocol * -Direction Outbound -Priority <priority> -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "AzureActiveDirectory" -DestinationPortRange 443 -Description "Allow outbound traffic to AzureActiveDirectory service"`
+
+ 7. Save the NSG<br/>
+    `Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg`
+
+**Allow access by using Azure Firewall tags**. If you're using Azure Firewall, create an application rule by using the AzureBackup [FQDN tag](https://docs.microsoft.com/azure/firewall/fqdn-tags). This allows outbound access to Azure Backup.
+
+**Deploy an HTTP proxy server to route traffic**. When you back up a SQL Server database on an Azure VM, the backup extension on the VM uses the HTTPS APIs to send management commands to Azure Backup and data to Azure Storage. The backup extension also uses Azure AD for authentication. Route the backup extension traffic for these three services through the HTTP proxy. The extensions are the only component that's configured for access to the public internet.
 
 Connectivity options include the following advantages and disadvantages: