Deploy a configuration server
You deploy an on-premises configuration server when you use Azure Site Recovery for disaster recovery of VMware VMs and physical servers to Azure. The configuration server coordinates communications between on-premises VMware and Azure. It also manages data replication. This article walks you through the steps needed to deploy the configuration server when you're replicating VMware VMs to Azure. If you need to set up a configuration server for physical server replication, see Set up the configuration server for disaster recovery of physical servers to Azure.
Tip
To learn about the role of a configuration server as part of Azure Site Recovery architecture, see VMware to Azure disaster recovery architecture.
Deploy a configuration server through an OVA template
The configuration server must be set up as a highly available VMware VM with certain minimum hardware and sizing requirements. For convenient and easy deployment, Site Recovery provides a downloadable Open Virtualization Application (OVA) template to set up the configuration server that complies with all the mandated requirements listed here.
Prerequisites
Minimum hardware requirements for a configuration server are summarized in the following sections.
Configuration and process server requirements
Hardware requirements
| Component | Requirement |
|---|---|
| CPU cores | 8 |
| RAM | 16 GB |
| Number of disks | 3, including the OS disk, process server cache disk, and retention drive for failback |
| Free disk space (process server cache) | 600 GB |
| Free disk space (retention disk) | 600 GB |
Software requirements
| Component | Requirement |
|---|---|
| Operating system | Windows Server 2012 R2 Windows Server 2016 Note: Windows Server 2019 is only supported for modernized architecture. As classic architecture is under deprecation, no new feature supports will be added to it. We suggest you use the modernized architecture. |
| Operating system locale | English (en-*) |
| Windows Server roles | Don't enable these roles: - Active Directory Domain Services - Internet Information Services - Hyper-V |
| Group policies | Don't enable these group policies: - Prevent access to the command prompt. - Prevent access to registry editing tools. - Trust logic for file attachments. - Turn on Script Execution. Learn more |
| IIS | - No pre-existing default website - No pre-existing website/application listening on port 443 - Enable anonymous authentication - Enable FastCGI setting |
| FIPS (Federal Information Processing Standards) | Do not enable FIPS mode |
Network requirements
| Component | Requirement |
|---|---|
| IP address type | Static |
| Ports | 443 (Control channel orchestration) 9443 (Data transport) |
| NIC type | VMXNET3 (if the configuration server is a VMware VM) |
| Internet access (the server needs access to the following URLs, directly or via proxy): | |
| *.backup.windowsazure.com | Used for replicated data transfer and coordination |
| *.blob.core.windows.net | Used to access storage account that stores replicated data. You can provide the specific URL of your cache storage account. |
| *.hypervrecoverymanager.windowsazure.com | Used for replication management operations and coordination |
| https://login.microsoftonline.com | Used for replication management operations and coordination |
| time.nist.gov | Used to check time synchronization between system and global time |
| time.windows.com | Used to check time synchronization between system and global time |
|
OVF setup needs access to these additional URLs. They're used for access control and identity management by Microsoft Entra ID. |
| https://dev.mysql.com/get/Downloads/MySQLInstaller/mysql-installer-community-5.7.20.0.msi | To complete MySQL download. In a few regions, the download might be redirected to the CDN URL. Ensure that the CDN URL is also approved, if necessary. |
Note
If you have private links connectivity to Site Recovery vault, you do not need any additional internet access for the Configuration Server. An exception to this is while setting up the CS machine using OVA template, you will need access to following URLs over and above private link access - https://www.live.com and https://www.microsoft.com. If you do not wish to allow access to these URLs, please set up the CS using Unified Installer.
Note
While setting up private endpoints to protect VMware and physical machines, you will need to install MySQL on the configuration server manually. Follow the steps here to perform the manual installation.
Required software
| Component | Requirement |
|---|---|
| VMware vSphere PowerCLI | Not required for versions 9.14 and higher |
| MYSQL | MySQL should be installed. You can install manually, or Site Recovery can install it. (Refer to configure settings for more information) |
Note
Upgrading MySQL on the configuration server is not supported.
Sizing and capacity requirements
The following table summarizes capacity requirements for the configuration server. If you're replicating multiple VMware VMs, review the capacity planning considerations and run the Azure Site Recovery Deployment Planner tool.
| CPU | Memory | Cache disk | Data change rate | Replicated machines |
|---|---|---|---|---|
| 8 vCPUs 2 sockets * 4 cores @ 2.5 GHz |
16 GB | 300 GB | 500 GB or less | < 100 machines |
| 12 vCPUs 2 socks * 6 cores @ 2.5 GHz |
18 GB | 600 GB | 500 GB-1 TB | 100 to 150 machines |
| 16 vCPUs 2 socks * 8 cores @ 2.5 GHz |
32 GB | 1 TB | 1-2 TB | 150 -200 machines |
Microsoft Entra permission requirements
You must have a user with one of the following permissions set in Microsoft Entra ID to register the configuration server with Azure Site Recovery services.
The user must have an application developer role to create an application.
- To verify, sign in to the Azure portal.
- Go to Microsoft Entra ID > Roles and administrators.
- Verify that the application developer role is assigned to the user. If not, use a user with this permission or contact an administrator to enable the permission.
If the application developer role can't be assigned, ensure that the Users can register applications flag is set as true for the user to create an identity. To enable these permissions:
- Sign in to the Azure portal.
- Go to Microsoft Entra ID > User settings.
- Under App registrations, Users can register applications, select Yes.
Note
Active Directory Federation Services isn't supported. Use an account managed through Microsoft Entra ID.
Download the template
In the vault, go to Prepare Infrastructure > Source.
In Prepare source, select +Configuration server.
In Add Server, check that Configuration server for VMware appears in Server type.
Download the OVA template for the configuration server.
Tip
You can also download the latest version of the configuration server template directly from the Microsoft Download Center.
Note
The license provided with an OVA template is an evaluation license that's valid for 180 days. After this period, you must procure a license.
Import the template in VMware
Sign in to the VMware vCenter server or vSphere ESXi host by using the VMware vSphere Client.
On the File menu, select Deploy OVF Template to start the Deploy OVF Template wizard.
On Select source, enter the location of the downloaded OVF.
On Review details, select Next.
On Select name and folder and Select configuration, accept the default settings.
On Select storage, for best performance select Thick Provision Eager Zeroed in Select virtual disk format. Use of the thin provisioning option might affect the performance of the configuration server.
On the rest of the wizard pages, accept the default settings.
On Ready to complete:
- To set up the VM with the default settings, select Power on after deployment > Finish.
- To add an additional network interface, clear Power on after deployment, and then select Finish. By default, the configuration server template is deployed with a single NIC. You can add additional NICs after deployment.
Important
Don't change resource configurations, such as memory, cores, and CPU restriction, or modify or delete installed services or files on the configuration server after deployment. These types of changes affect the registration of the configuration server with Azure services and the performance of the configuration server.
Add an additional adapter
Note
Two NICs are required if you plan to retain the IP addresses of the source machines on failover and want to fail back to on-premises later. One NIC is connected to source machines, and the other NIC is used for Azure connectivity.
If you want to add an additional NIC to the configuration server, add it before you register the server in the vault. Adding additional adapters isn't supported after registration.
- In the vSphere Client inventory, right-click the VM and select Edit Settings.
- In Hardware, select Add > Ethernet Adapter. Then select Next.
- Select an adapter type and a network.
- To connect the virtual NIC when the VM is turned on, select Connect at power-on. Then select Next > Finish > OK.
Register the configuration server with Azure Site Recovery services
- From the VMware vSphere Client console, turn on the VM.
- The VM boots up into a Windows Server 2016 installation experience. Accept the license agreement, and enter an administrator password.
- After the installation finishes, sign in to the VM as the administrator.
- The first time you sign in, within a few seconds the Azure Site Recovery Configuration tool starts.
- Enter a name that's used to register the configuration server with Site Recovery. Then select Next.
- The tool checks that the VM can connect to Azure. After the connection is established, select Sign in to sign in to your Azure subscription. a. The credentials must have access to the vault in which you want to register the configuration server. b. Ensure that the chosen user account has permission to create an application in Azure. To enable the required permissions, follow the guidelines in the section Microsoft Entra permission requirements.
- The tool performs some configuration tasks, and then reboots.
- Sign in to the machine again. The configuration server management wizard starts automatically in a few seconds.
Verify connectivity
Make sure the machine can access these URLs based on your environment:
| Name | Commercial URL | Government URL | Description |
|---|---|---|---|
| Microsoft Entra ID | login.microsoftonline.com |
login.microsoftonline.us |
Used for access control and identity management. |
| Backup | *.backup.windowsazure.com |
*.backup.windowsazure.us |
Used for replication data transfer and coordination. |
| Replication | *.hypervrecoverymanager.windowsazure.com |
*.hypervrecoverymanager.windowsazure.us |
Used for replication management operations and coordination. |
| Storage | *.blob.core.windows.net |
*.blob.core.usgovcloudapi.net |
Used for access to the storage account that stores replicated data. |
| Telemetry (optional) | dc.services.visualstudio.com |
dc.services.visualstudio.com |
Used for telemetry. |
| Time synchronization | time.windows.com |
time.nist.gov |
Used to check time synchronization between system and global time in all deployments. |
IP address-based firewall rules should allow communication to all of the Azure URLs that are listed above over HTTPS (443) port. To simplify and limit the IP Ranges, it is recommended that URL filtering be done.
- Commercial IPs - Allow the Azure Datacenter IP Ranges, and the HTTPS (443) port. Allow IP address ranges for the Azure region of your subscription to support the Microsoft Entra ID, Backup, Replication, and Storage URLs.
- Government IPs - Allow the Azure Government Datacenter IP Ranges, and the HTTPS (443) port for all USGov Regions (Virginia, Texas, Arizona, and Iowa) to support Microsoft Entra ID, Backup, Replication, and Storage URLs.
Configure settings
In the configuration server management wizard, select Setup connectivity. From the drop-down boxes, first select the NIC that the in-built process server uses for discovery and push installation of mobility service on source machines. Then select the NIC that the configuration server uses for connectivity with Azure. Select Save. You can't change this setting after it's configured. Don't change the IP address of a configuration server. Ensure that the IP assigned to the configuration server is a static IP and not a DHCP IP.
On Select Recovery Services vault, sign in to Microsoft Azure with the credentials used in step 6 of Register the configuration server with Azure Site Recovery services.
After sign-in, select your Azure subscription and the relevant resource group and vault.
Note
After registration, there's no flexibility to change the recovery services vault. Changing a recovery services vault requires disassociation of the configuration server from the current vault, and the replication of all protected virtual machines under the configuration server is stopped. To learn more, see Manage the configuration server for VMware VM disaster recovery.
On Install third-party software:
Scenario Steps to follow Can I download and install MySQL manually? Yes. Download the MySQL application, place it in the folder C:\Temp\ASRSetup, and then install manually. After you accept the terms and select Download and install, the portal says Already installed. You can proceed to the next step. Can I avoid download of MySQL online? Yes. Place your MySQL installer application in the folder C:\Temp\ASRSetup. Accept the terms, select Download and install, and the portal uses the installer you added to install the application. After installation finishes, proceed to the next step. I want to download and install MySQL through Azure Site Recovery. Accept the license agreement, and select Download and install. After installation finishes, proceed to the next step. On Validate appliance configuration, prerequisites are verified before you continue.
On Configure vCenter Server/vSphere ESXi server, enter the FQDN or IP address of the vCenter server, or vSphere host, where the VMs you want to replicate are located. Enter the port on which the server is listening. Enter a friendly name to be used for the VMware server in the vault.
Enter credentials to be used by the configuration server to connect to the VMware server. Site Recovery uses these credentials to automatically discover VMware VMs that are available for replication. Select Add > Continue. The credentials entered here are locally saved.
On Configure virtual machine credentials, enter the user name and password of virtual machines to automatically install mobility service during replication. For Windows machines, the account needs local administrator privileges on the machines you want to replicate. For Linux, provide details for the root account.
Select Finalize configuration to complete registration.
After registration finishes, open the Azure portal and verify that the configuration server and VMware server are listed on Recovery Services Vault > Manage > Site Recovery Infrastructure > Configuration Servers.
Upgrade the configuration server
To upgrade the configuration server to the latest version, see Manage the configuration server for VMware VM disaster recovery. For instructions on how to upgrade all Site Recovery components, see Service updates in Site Recovery.
Manage the configuration server
To avoid interruptions in ongoing replication, ensure that the IP address of the configuration server doesn't change after the configuration server is registered to a vault. To learn more about common configuration server management tasks, see Manage the configuration server for VMware VM disaster recovery.
Troubleshoot deployment issues
Refer to our troubleshooting article to resolve deployment & connectivity issues.
FAQs
How long is the license provided on a configuration server deployed through OVF valid? What happens if I don't reactivate the license?
The license provided with an OVA template is an evaluation license valid for 180 days. Before expiration, you need to activate the license. Otherwise, it can result in frequent shutdown of the configuration server and cause a hindrance to replication activities. For more information, see Manage the configuration server for VMware VM disaster recovery.
Can I use the VM where the configuration server is installed for different purposes?
No. Use the VM for the sole purpose of the configuration server. Ensure that you follow all the specifications mentioned in Prerequisites for efficient management of disaster recovery.
Can I switch the vault already registered in the configuration server with a newly created vault?
No. After a vault is registered with the configuration server, it can't be changed.
Can I use the same configuration server to protect both physical and virtual machines?
Yes. The same configuration server can be used for replicating physical and virtual machines. However, the physical machine can be failed back only to a VMware VM.
What's the purpose of a configuration server and where is it used?
To learn more about the configuration server and its functionalities, see VMware to Azure replication architecture.
Where can I find the latest version of the configuration server?
For steps to upgrade the configuration server through the portal, see Upgrade the configuration server. For instructions on how to upgrade all Site Recovery components, see Service updates in Site Recovery.
Where can I download the passphrase for configuration server?
To download the passphrase, see Manage the configuration server for VMware VM disaster recovery.
Can I change the passphrase?
No. Don't change the passphrase of the configuration server. A change in the passphrase breaks replication of protected machines and leads to a critical health state.
Where can I download vault registration keys?
In Recovery Services Vault, select Manage > Site Recovery Infrastructure > Configuration Servers. In Servers, select Download registration key to download the vault credentials file.
Can I clone an existing configuration server and use it for replication orchestration?
No. Use of a cloned configuration server component isn't supported. Cloning of a scale-out process server is also an unsupported scenario. Cloning Site Recovery components affects ongoing replications.
Can I change the IP of a configuration server?
No. Don't change the IP address of a configuration server. Ensure that all IPs assigned to the configuration server are static IPs and not DHCP IPs.
Can I set up a configuration server on Azure?
Set up a configuration server in an on-premises environment with a direct line-of-sight with vCenter and to minimize data transfer latencies. You can take scheduled backups of configuration server for failback purposes.
Can I change cache driver on a configuration server or scale-out process server?
No, Cache driver cannot be changed once set up is complete.
For more FAQs on configuration servers, see Configuration server common questions.
Next steps
Set up disaster recovery of VMware VMs to Azure.
Tilbakemeldinger
Kommer snart: Gjennom 2024 faser vi ut GitHub Issues som tilbakemeldingsmekanisme for innhold, og erstatter det med et nytt system for tilbakemeldinger. Hvis du vil ha mer informasjon, kan du se: https://aka.ms/ContentUserFeedback.
Send inn og vis tilbakemelding for