Veeam 11 Error When Editing Backup Job After Upgrade to ESXi Host

After upgrading the ESXi 7.0 host (Update 3), I was receiving the following error in Veeam Backup and Replication 11  (11.0.1.1261) when trying to edit an existing Backup Job:

Host with id ‘a-b-c-d-e’ was not found

The solution was to modify the Veeam database for a guest VM to point to the correct host ID.

  1. Using Microsoft SQL Server Management Studio, navigate to the dbo.BObjects table
    Databases -> VeeamBackup -> Tables -> dbo.BObjects
  2. Right click and Edit Top 200 Rows
  3. Locate the id from the error message in the host_id column
  4. Replace it with the correct host_id (with dashes).  Note – you can get a list of all host IDs by using PowerShell in a Veeam B&R console session with the command Get-VBRServer.  If needed you can also crosscheck the guest VM by matching the object_id column in the database with the Vmid of the VM on the host.

Unable to delete Time Machine Shared Folder in OMV 5

In OpenMediaVault the button may be greyed out if the Shared Folder is still Referenced. References can include file shares but also plugins.  In this case there was a Shared Folder that had been used for Time Machine and after removing the SMB share and verifying plugins, the Delete button was still greyed out.

First you can try to verify what is referencing the shared folder in this OMV file.
/etc/openmediavault/config.xml

Find the shared folder in question and note the UUID. Then search for that UUID in the same file.

In this case I had an afp section with data between the tags <afp> and </afp>. It had the the UUID stored as <sharedfolderref>UUID</sharedfolderref>.

The afp section was used by the the old netatalk plugin that was in OMV 4 but is no longer part of OMV 5 (the system had been upgraded).  However it was not possible to uninstall the plugin since it didn’t appear in the list of available packages.

Alternatively the plugin can be uninstalled via command line. Close the config.xml file then run the console command:

sudo dpkg -P openmediavault-netatalk

Once uninstalled, you can go back to the config.xml file and verify that the afp section was removed automatically.

Refresh the OMV control panel -> Access Rights Management -> Shared Folders. The folder in question should no longer be Referenced and the delete button no longer grayed out.

Set a Quota for Time Machine with SMB on OMV 5.6

This details an OpenMediaVault configuration where an SMB share was created and Time Machine support was enabled for it.  There was a need to limit the size of the Time Machine backups so that it does not consume all available space, and to do that you use the filesystem quotas:

  1. In OpenMediaVault navigate to Storage->File Systems
  2. Select the device that has the Time Machine shared folder
  3. Click the Quota button at the top. 
  4. Note – without any quotas set, Used Capacity for users will show zero even if data is already there.
  5. Set a quota value for the user associated with Time Machine.
  6. Click the grey save button
  7. Click the blue save button
  8. Apply changes
  9. If you click the Quota button again, you can verify that Used Capacity is populating for that user (if data is already in the shared folder).

pfSense IKEv2 VPN for Windows 10 and iOS Devices

Update 06-Feb-2025: added recommendations from NCSC, a list of modifications to the pfSense guide, and an updated command to modify an existing Windows 10 VPN configuration

This is an out of the box workaround if having trouble connecting to a pfSense IKEv2 VPN with iOS and Windows 10 devices after following the pfSense recipe:
https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-mobile-ikev2-eap-mschapv2.html

When iOS clients (version 15) tried to connect, the device error was “An unexpected error occurred.”  In the pfSense logs there were errors similar to:

[IKE] <con-mobile|112> no acceptable proposal found
[IKE] <con-mobile|112> failed to establish CHILD_SA, keeping IKE_SA
[CHD] <con-mobile|112> CHILD_SA con-mobile{71} state change: CREATED => DESTROYING

The following change may work for you:

  • Phase 2 configuration -> Encryption Algorithms -> AES – change to Auto

When Windows 10 clients tried to connect, the device error was “Policy match error”. In the pfSense logs there were errors similar to:
[CFG] <con-mobile|122> no acceptable ENCRYPTION_ALGORITHM found
[IKE] <con-mobile|127> no acceptable proposal found

The following changes may work for you:

  • Phase 1 configuration -> create a new Encryption Algorithm -> Algorithm AES -> Key length 256 bits -> Hash SHA1 -> DH Group 2 (1024 bit)
  • Phase 2 configuration -> Hash Algorithms -> add SHA1

Note: the pfSense recipe indicates a PFS key group is not supported with a manual VPN configuration in iOS, however setting it to 14 (2048 bit) per the recipe did not cause any issues in iOS17. In fact, any value was accepted.

Try the connection again to verify if it is successful.

Long term you may want to consider modifying the default Windows 10 VPN configuration due to Microsoft stating that “these settings aren’t secure for IKE exchanges”:
https://docs.microsoft.com/en-us/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections

Windows supports several different manual configurations, but not all of them are secure:
https://learn.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=windowsserver2025-ps&viewFallbackFrom=win10-ps&preserve-view=true

The recommendations from the NCSC (year 2022) are to use Group 14 or Group 19 to provide adequate security through 2027:
https://www.ncsc.gov.uk/guidance/using-ipsec-protect-data

After creating a VPN connection with the default security settings, you can modify the configuration in Windows using the PowerShell cmdlet Set-VpnConnectionIPsecConfiguration:
https://docs.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=windowsserver2022-ps

To help distinguish the Phase 1 and Phase 2 settings, you can reference this table:
https://serverfault.com/questions/1106128/what-do-the-parameters-of-set-vpnconnectionipsecconfiguration-mean

A modified form of the pfSense guide, but more secure and highly compatible with both iOS and Windows 10:

Phase 1

  • Encryption Algorithm: AES
  • Key length: 256 bits
  • Hash: SHA256
  • DH Group: 14

Phase 2

  • Encryption Algorithms: AES
  • In the dropdown next to AES, choose 256 bits
  • Hash Algorithms: SHA256
  • PFS key group: 14 (2048 bit)

All other settings not mentioned above should be per the guide.

The last step is to replace the default SHA1 and DH Group 2 setting in Windows 10 with the more secure method (2048-bit MODP Group 14). Replace EXAMPLE with the name of the VPN connection you created.

  1. Similar to iOS clients, in pfSense set Phase 2 configuration -> Encryption Algorithms -> AES – change to Auto
  2. Modifying the existing VPN connection using PowerShell:
    Set-VpnConnectionIPsecConfiguration -ConnectionName "EXAMPLE" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup PFS2048
  3. When asked to change the Cryptography Settings, choose Yes to continue.
  4. Try to connect to the VPN

Alternatively, to use the second recommendation by NCSC (Group 19):

Set-VpnConnectionIPsecConfiguration -ConnectionName "EXAMPLE" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup ECP256 -PfsGroup ECP256

 

Autologon User at Startup in Windows Server

This simple method has worked for me in Windows Server versions 2012 R2 through 2022. Create a new .reg file with the contents below, adjusting the USERNAME, PASSWORD strings as appropriate.  Then run it to add to the registry

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="USERNAME"
"DefaultPassword"="PASSWORD"
"AutoAdminLogon"="1"

If it is a domain joined machine, then add this line and modify the DOMAIN string.

"DefaultDomainName"="DOMAIN"

Sourced from:
https://community.spiceworks.com/topic/1911274-autologin-autologon-sysinternals-with-windows-10-issue#entry-6360895

More information on this method:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon