This article outlines the essential prerequisites that you must complete before starting tasks like onboarding, discovery, backup, and restore.
Onboarding prerequisites
This section covers the prerequisites that a new or existing tenant must complete before onboarding subscriptions.
Onboarding a new tenant for the first time
If you are a new tenant and onboarding Azure subscriptions for the first time, ensure the following:
To onboard or register subscriptions, ensure that you have the Users can register applications permission enabled for your user account in the Azure environment. For more information, see Enable permissions.
To add a subscription to the Druva console, you must be an administrator or owner of the subscription in the Azure console.
Assign roles and grant access
To assign roles or grant access, ensure that you have the Microsoft.Authorization/role assignment of Global Administrator. Perform the following steps to assign the role:
Log in to your Microsoft Azure portal.
Navigate to Microsoft Entra ID > Manage > Users, and select the Admin Account you are using to onboard the subscription.
Select Manage > Assigned Roles and verify that the account has the Global Administrator role.
To assign the role, click Add assignments, locate and select the Global Administrator checkbox and then click Add.
Register Azure Key Vault
Perform the following steps to register the Azure Key Vault service for the subscription that you want to onboard.
Log in to your Microsoft Azure portal.
Navigate to Subscriptions and select the subscription that you need to register on Druva.
Scroll to the Resource providers in the Subscription Settings.
Locate Microsoft.KeyVault from the list of resource providers and click Register.
Note: To register multiple subscriptions on Druva, repeat the steps above for each subscription individually.
Enable permissions
Log in to your Microsoft Azure portal.
Navigate to Microsoft Entra ID > Manage > User Settings.
Set the Users can register applications toggle to Yes and click Save.
Update access
Log in to your Microsoft Azure portal and locate the subscription you wish to onboard.
Under Overview, verify that My role is set to Owner.
To update the access role, navigate to Access control (IAM) and click Add. Select Add role assignment and search for Owner.
Select the user account you wish to use for onboarding the subscription and then click Review+Assign.
Onboarding an existing tenant
If you are an existing tenant and have already onboarded Azure subscriptions, update your permissions to onboard Azure SQL subscriptions. For more information, see Update Azure Tenant Registration.
Discovery prerequisites
Manual Discovery prerequisites
You must perform manual discovery for SQL servers on Azure virtual machines for the first time. For manual discovery, ensure the following:
If you are an existing tenant, make sure you update your tenant registration permissions for discovering Azure SQL servers on Azure VM.
For discovering SQL Server on Azure VM periodically, ensure that:
SQL Browser is running.
The default port (1434) for SQL Browser is open.
You have the sysadmin role.
For discovering named instances, ensure that the port on which the named instance is running is open. Dynamic ports are not supported.
If you delete a database and create a new one on the same resource, use a different name for the new database. Using the same name will prevent the new database from being discovered.
Automatic discovery
Automated DB discovery runs using Windows Authentication under the NT AUTHORITY\SYSTEM account and requires the following permissions to be able to detect the server updates:
VIEW ANY DATABASE
CONNECT SQL
Access to master database
You can add NT AUTHORITY\SYSTEM as a sysadmin by running the following SQL command on your SQL Server:
-- Add NT AUTHORITY\SYSTEM as sysadmin
USE [master]
GO
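-- Create the login only if it does not already exist on this instance
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'NT AUTHORITY\SYSTEM')
    CREATE LOGIN [NT AUTHORITY\SYSTEM] FROM WINDOWS;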
GO
ALTER SERVER ROLE [sysadmin] ADD MEMBER [NT AUTHORITY\SYSTEM];
GO
Note: We support automatic discovery using the NT AUTHORITY\SYSTEM user only.
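The following query set is an added example, not part of the original article or Druva's own code. It reports what NT AUTHORITY\SYSTEM currently holds on the instance, so you can confirm the three permissions listed above and see whether the account is also a sysadmin member, which is a far broader grant than those three. It assumes you run it as a principal that can read server-level metadata.

```sql
-- Added example: audit the discovery account on this SQL Server instance.
DECLARE @login SYSNAME = N'NT AUTHORITY\SYSTEM';

-- 1. Does the login exist, is it enabled, and is it a member of sysadmin?
SELECT sp.name,
       sp.type_desc,
       sp.is_disabled,
       IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin
FROM sys.server_principals AS sp
WHERE sp.name = @login;

-- 2. Explicit server-level GRANT/DENY entries for the listed permissions.
--    'public' is included because VIEW ANY DATABASE is normally inherited from it;
--    a DENY row for either principal overrides the grant.
SELECT pr.name AS grantee,
       pe.permission_name,
       pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name IN (@login, N'public')
  AND pe.permission_name IN (N'VIEW ANY DATABASE', N'CONNECT SQL')
ORDER BY pr.name, pe.permission_name;

-- 3. Access to master: a login with no user of its own in master
--    reaches the database through the guest user.
SELECT dp.name AS master_user,
       dp.type_desc
FROM master.sys.database_principals AS dp
WHERE dp.sid = SUSER_SID(@login)
   OR dp.name = N'guest';
```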
Backup prerequisites
Ensure the following prerequisites are met before initiating backups:
Ensure you have the db_owner role to enable CDC on your database and tables by default.
You can enable CDC manually on your database and tables by running scripts on your database. For more information, see Enable CDC on database and tables.
Set the following parameters for capture and cleanup jobs on your database:
Capture jobs:
EXEC sys.sp_cdc_change_job @job_type = 'capture', @maxtrans = 5000, @maxscans = 100, @continuous = 1, @pollinginterval = 5;
Cleanup jobs:
EXEC sys.sp_cdc_change_job @job_type = 'cleanup', @retention = 1440, @threshold = 50000;
Notes:
The default value of the retention parameter is 1 day.
You can change the value of the threshold parameter based on the performance.
The maximum supported CDC capture job polling interval is 3 hours.
The CDC capture job polling interval must not exceed one-third of the backup expiry window.
If you are backing up a restored database, make sure you do not change its authentication type before the backup, as doing so may cause the backup to fail.
Enable CDC on database and tables
Run the following T-SQL commands to enable CDC for your database and tables. Make sure you have the db_owner role.
Enable CDC for database:
EXEC sys.sp_cdc_enable_db;
Enable CDC for all tables:
-- SYSNAME matches the type of object names and avoids truncating long names
DECLARE @TableName SYSNAME
DECLARE @TableSchema SYSNAME
DECLARE @CDC_Status TINYINT
-- Cursor over all user tables outside the system and CDC schemas
DECLARE CDC_Cursor CURSOR FOR
    SELECT name, SCHEMA_NAME(schema_id) AS TableSchema
    FROM sys.objects
    WHERE type = 'U'
      AND is_ms_shipped <> 1
      AND LOWER(SCHEMA_NAME(schema_id)) NOT IN ('cdc','sys','guest','information_schema')
OPEN CDC_Cursor
FETCH NEXT FROM CDC_Cursor INTO @TableName, @TableSchema
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Count existing capture instances; QUOTENAME keeps names containing dots or spaces resolvable
    SET @CDC_Status = (SELECT COUNT(*)
                       FROM cdc.change_tables
                       WHERE source_object_id = OBJECT_ID(QUOTENAME(@TableSchema) + N'.' + QUOTENAME(@TableName)))
    -- If CDC is already enabled on the table, print a message
    IF @CDC_Status >= 1
        PRINT 'CDC is already enabled on ' + @TableSchema + '.' + @TableName + ' Table'
    -- If CDC is not enabled on the table, enable CDC and print a message
    ELSE
    BEGIN
        -- Pass the names as parameters instead of concatenating them into dynamic SQL,
        -- so a table name containing a quote cannot break or alter the statement
        EXEC sys.sp_cdc_enable_table
            @source_schema = @TableSchema,
            @source_name = @TableName,
            @role_name = NULL
        PRINT 'CDC enabled on ' + @TableSchema + '.' + @TableName + ' Table successfully'
    END
    FETCH NEXT FROM CDC_Cursor INTO @TableName, @TableSchema
END
CLOSE CDC_Cursor
DEALLOCATE CDC_Cursor
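The following check is an added example, not part of the original article or Druva's own code. It verifies the CDC state and the capture and cleanup job settings described in the backup prerequisites, and lists the gating role of each capture instance. It assumes SQL Server on a VM or a managed instance where msdb.dbo.cdc_jobs is readable (on Azure SQL Database, run EXEC sys.sp_cdc_help_jobs instead), and @backup_expiry_seconds is a hypothetical placeholder to set to your own backup expiry window.

```sql
-- Added example: run in the database that will be backed up.
DECLARE @backup_expiry_seconds BIGINT = 86400;       -- assumed value, replace with your window
DECLARE @max_polling_seconds   BIGINT = 3 * 60 * 60; -- 3-hour maximum stated in the notes

-- 1. Is CDC enabled at database level?
SELECT name, is_cdc_enabled
FROM sys.databases
WHERE database_id = DB_ID();

-- 2. User tables that are not yet tracked by CDC (same schema filter as the enable script).
SELECT SCHEMA_NAME(t.schema_id) AS table_schema,
       t.name                   AS table_name
FROM sys.tables AS t
WHERE t.is_ms_shipped = 0
  AND t.is_tracked_by_cdc = 0
  AND LOWER(SCHEMA_NAME(t.schema_id)) NOT IN ('cdc','sys','guest','information_schema');

-- 3. Capture and cleanup job settings, checked against the polling-interval limits.
--    pollinginterval is in seconds; retention is in minutes.
SELECT j.job_type, j.maxtrans, j.maxscans, j.continuous,
       j.pollinginterval, j.retention, j.threshold,
       CASE
           WHEN j.job_type = 'capture' AND j.pollinginterval > @max_polling_seconds
               THEN 'polling interval exceeds 3 hours'
           WHEN j.job_type = 'capture' AND j.pollinginterval * 3 > @backup_expiry_seconds
               THEN 'polling interval exceeds one-third of the backup expiry window'
           ELSE 'ok'
       END AS finding
FROM msdb.dbo.cdc_jobs AS j
WHERE j.database_id = DB_ID();

-- 4. Gating role per capture instance. The enable script passes @role_name = NULL,
--    so no gating role restricts who can read the change data for those tables.
SELECT OBJECT_SCHEMA_NAME(ct.source_object_id) AS table_schema,
       OBJECT_NAME(ct.source_object_id)        AS table_name,
       ct.capture_instance,
       ct.role_name
FROM cdc.change_tables AS ct;
```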
Azure SQL Database prerequisites
For Azure SQL Database, apply a VNet rule to the Azure SQL Database so that Druva's Quantum Bridge can be spawned in the same subnet. Also, while creating a VNet in the Azure console, do one of the following:
Add the Microsoft.SQL Service endpoint.
On the SQL server > Networking page, select the Allow Azure services and resources to access this server checkbox and click Save.
Azure SQL managed instance prerequisites
For Azure SQL managed instance, ensure that the VNet used for the managed instance has a default subnet in which to spawn Druva's Quantum Bridge. The subnet attached to the managed instance is delegated and hence can't be used for Druva's Quantum Bridge.
SQL server on VM prerequisites
For SQL server on VM, ensure the following:
SQL Server and SQL Server Agent services are running.
Port 1434 is open and the SQL Browser service is running.
To connect to instances other than the default instance, make sure the ports on which these instances are running are open on the firewall. For more information, see Configuring Named Instances in Azure SQL VM.
Make sure the host name does not end with '-'; otherwise, the backup will fail.
Important: Databases that do not have the aforementioned configurations will either be skipped from the backup or might fail.