Veeam unattended installation with Ansible

There are already a lot of great projects out there for the Veeam unattended installation. One of the most advanced projects is for sure the Chef cookbook for Veeam Backup and Replication. I myself have also already worked on that topic, and have done some rework of the PowerShell script from Timothy Dewin. The Veeam unattended installation with Ansible is the next evolution of my prior project and the first step for further Veeam integration into Ansible.

The Ansible Playbook I have created will install a Veeam Backup & Replication Server 9.5 Update 4a on an unprepared Windows Server (in my case Winddows Server 2019). The Veeam unattended installation with Ansible will install all pre-requirements, the SQL Server Express, the Veeam Backup Catalog, the Veeam Backup & Replication Server, the Veeam Backup & Replication Console and all Veeam Explorers.

A special requirement I have tried to achieve was the use of SQL authentication to the Veeam Database. If SQL authentication is used, all the Veeam services can run in the “Local System” context. The SQL service should be started with normal user privileges Side-by-Side on the Veeam Backup & Replication Server.

Veeam unattended installation

After the user creation, the pre-requirements installation and the SQL Server setup the following installation order needs to be done for the basic Veeam Backup & Replication Server setup:

1. Veeam Backup Catalog
2. Veeam Backup & Replication Server
3. Veeam Backup & Replication Console
4. Veeam Explorers:
   1. Veeam Explorer for Active Directory
   2. Veeam Explorer for Exchange
   3. Veeam Explorer for Oracle
   4. Veeam Explorer for SharePoint
   5. Veeam Explorer for Microsoft SQL
5. Veeam Update 4a

The Veeam Backup Enterprise Manager and the Veeam Cloud Connect Portal are currently not installed yet.

Ansible preperation

In addition to the Ansible Development environment, I have already used for a few other projects, an additional windows server needs to be managed by Ansible (the Veeam Backup & Replication Server).

Unlike Linux/Unix hosts, which use SSH by default, Windows hosts are configured with WinRM for the Ansible access (Windows Remote Management). With WinRM there are several different options that can be used when authenticating with an account.

Option	Local Accounts	Active Directory Accounts	Credential Delegation	HTTP Encryption
Basic	Yes	No	No	No
Certificate	Yes	No	No	No
Kerberos	No	Yes	Yes	Yes
NTLM	Yes	Yes	No	Yes
CredSSP	Yes	Yes	Yes	Yes

I have choosen NTLM with HTTP Encryption (set in group_vars):

---
ansible_user: Administrator
ansible_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_transport: ntlm
ansible_winrm_server_cert_validation: ignore

For the Windows Server preparation to grant WinRM access, I have used the ConfigureRemotingForAnsible.ps1 PowerShell script.

The Ansible Host requires an additional WinRM Python client (pywinrm) for the WinRM management with NTLM authentication:

pip install pywinrm

To verify the access to the Windows box, a simple win_ping task can be executed against the “veeam” inventory group:

Ansible Playbook

The playbook itself includes all required variables for the setup and is executed against an inventory Host Group called “veeam“. This group includes in my case only one Server.

To handle all required installation steps, the win_package Ansible module is used by the playbook. This Ansible module automatically handles most of the required escaping for the arguments but needs a special syntax for complex scenarios (See also: Passing arguments for win_package module).

In a real-world scenario, an additional task for the installation media mount might be added to the playbook. For example my mounting a datastore image with the vmware_guest module.

- name: VBR Community Edition Setup
  hosts: veeam
  gather_facts: yes
  vars:
    vbr_source: "D:\\"
    sql_username: "svc_sql"
    sql_userpassword: !vault |
          $ANSIBLE_VAULT;1.1;AES256
    sql_sapassword: !vault |
          $ANSIBLE_VAULT;1.1;AES256
  tasks:
  - name: Pre - Install 2012 System CLR Types
    win_package:
        path: "{{ vbr_source }}Redistr\\x64\\SQLSysClrTypes.msi"
        state: present
    tags: pre
  - name: Pre - Install 2012 Shared management objects
    win_package:
        path: "{{ vbr_source }}Redistr\\x64\\SharedManagementObjects.msi"
        state: present
    tags: pre
  - name: SQL - Create Local SQL User
    win_user:
        name: "{{ sql_username }}"
        password: "{{ sql_userpassword }}"
        password_never_expires: yes
        state: present
        groups:
            - Users
    tags: pre
  - name: SQL - Install SQL 2016 Express
    win_package:
        path: "{{ vbr_source }}Redistr\\x64\\SqlExpress\\2016SP1\\SQLEXPR_x64_ENU.exe"
        product_id: SQL 2016 Express
        arguments: 
        - '/q'
        - '/ACTION=Install'
        - '/IACCEPTSQLSERVERLICENSETERMS' 
        - '/FEATURES=SQL' 
        - '/INSTANCENAME=VEEAMSQL2016'
        - '/SQLSVCACCOUNT={{ sql_username }}'
        - '/SQLSVCPASSWORD={{ sql_userpassword }}'
        - '/SECURITYMODE=SQL'
        - '/SAPWD={{ sql_sapassword }}'
        - '/ADDCURRENTUSERASSQLADMIN'
        - '/UPDATEENABLED=0'
        - '/TCPENABLED=1'
        - '/NPENABLED=1'
    tags: sql
  - name: Install VBR Catalog
    win_package:
        path: "{{ vbr_source }}Catalog\\VeeamBackupCatalog64.msi"
        state: present
        arguments:
            - 'VBRC_SERVICE_ACCOUNT_TYPE=1'
            - 'ACCEPT_THIRDPARTY_LICENSES=1'
    tags: vbr
  - name: Install VBR Server
    win_package:
        path: "{{ vbr_source }}Backup\\Server.x64.msi"
        state: present
        arguments: "VBR_SERVICE_ACCOUNT_TYPE=1 VBR_SQLSERVER_AUTHENTICATION=1 VBR_SQLSERVER_SERVER=(local)\\VEEAMSQL2016 VBR_SQLSERVER_USERNAME=sa VBR_SQLSERVER_PASSWORD={{ sql_sapassword }} ACCEPT_THIRDPARTY_LICENSES=1 ACCEPTEULA=YES"
    tags: vbr
  - name: Install VBR Console
    win_package:
        path: "{{ vbr_source }}Backup\\Shell.x64.msi"
        state: present
        arguments:
            - 'ACCEPTEULA=YES'
            - 'ACCEPT_THIRDPARTY_LICENSES=1'
    tags: vbr
  - name: Install VBR Explorer for ActiveDirectory
    win_package:
        path: "{{ vbr_source }}Explorers\\VeeamExplorerForActiveDirectory.msi"
        state: present
        arguments:
            - 'ACCEPT_EULA=1'
            - 'ACCEPT_THIRDPARTY_LICENSES=1'
    tags: vbr
  - name: Install VBR Explorer for Exchange
    win_package:
        path: "{{ vbr_source }}Explorers\\VeeamExplorerForExchange.msi"
        state: present
        arguments:
            - 'ACCEPT_EULA=1'
            - 'ACCEPT_THIRDPARTY_LICENSES=1'
    tags: vbr
  - name: Install VBR Explorer for Oracle
    win_package:
        path: "{{ vbr_source }}Explorers\\VeeamExplorerForOracle.msi"
        state: present
        arguments:
            - 'ACCEPT_EULA=1'
            - 'ACCEPT_THIRDPARTY_LICENSES=1'
    tags: vbr
  - name: Install VBR Explorer for SharePoint
    win_package:
        path: "{{ vbr_source }}Explorers\\VeeamExplorerForSharePoint.msi"
        state: present
        arguments:
            - 'ACCEPT_EULA=1'
            - 'ACCEPT_THIRDPARTY_LICENSES=1'
    tags: vbr
  - name: Install VBR Explorer for SQL
    win_package:
        path: "{{ vbr_source }}Explorers\\VeeamExplorerForSQL.msi"
        state: present
        arguments:
            - 'ACCEPT_EULA=1'
            - 'ACCEPT_THIRDPARTY_LICENSES=1'
    tags: vbr
  - name: Install VBR Update 4a
    win_package:
        path: "{{ vbr_source }}Updates\\veeam_backup_9.5.4.2753.update4a_setup.exe"
        product_id: VBR Update 4a
        arguments: "/silent /noreboot VBR_AUTO_UPGRADE=1"
    tags: update

Latest version on GitHub: Veeam_setup.yml