Introduction to Veeam Backup for Windows Server 2022

Veeam Backup & Replication is one of the most widely used enterprise backup solutions, known for its rich feature set, reliability, and support for both virtual machine and physical server workloads. For Windows Server 2022, Veeam offers two primary deployment paths: agent-based backup for physical servers or cloud VMs using Veeam Agent for Microsoft Windows (VAMW), and full orchestration through Veeam Backup & Replication (VBR) which manages backup jobs centrally across your infrastructure. This guide covers both approaches, from installation through advanced recovery scenarios including SureBackup automated testing.

Veeam Backup and Replication Overview

Veeam Backup & Replication serves as the central management platform. It provides a single console to manage backup jobs for VMware vSphere VMs, Hyper-V VMs, and physical/cloud servers via agents. The VBR server coordinates job scheduling, manages backup repositories, handles replication, and integrates with cloud storage providers (Azure Blob, AWS S3, Wasabi, Backblaze B2, etc.) through scale-out repositories.

For Windows Server 2022 machines, Veeam protects them using Veeam Agent for Microsoft Windows, which can be deployed either standalone (managed on the individual server) or managed centrally by a VBR server. The agent uses CBT (Changed Block Tracking) and VSS to deliver application-consistent incremental-forever backup chains that are extremely storage-efficient compared to traditional full+incremental schedules.

Veeam editions relevant to physical server backup:

Veeam Agent for Microsoft Windows FREE: Standalone, manages a single server, supports backup to local disk, NAS, or cloud. Limited to file-level recovery and volume-level recovery. No integration with VBR.

Veeam Backup Essentials / Enterprise Plus: Full VBR licensing that includes agent management, providing centralized deployment, monitoring, reporting, and advanced features like SureBackup.

Installing Veeam Backup and Replication Server

The VBR server requires a Windows Server or Windows 10/11 machine with at minimum 8 GB RAM (16 GB recommended for production), 4 CPU cores, and SQL Server (Express is bundled for small environments). The VBR server must have network access to all protected servers.

Download the Veeam Backup & Replication ISO from veeam.com (requires free registration). Mount the ISO and run Setup.exe:

# Mount ISO and launch setup (PowerShell, run as admin)
$iso = Mount-DiskImage -ImagePath "C:DownloadsVeeamBackup&Replication_12.x.iso" -PassThru
$driveLetter = ($iso | Get-Volume).DriveLetter
Start-Process "$($driveLetter):setup.exe"

In the setup wizard:

1. Select Veeam Backup & Replication from the component list.

2. Accept the license agreement and provide your license file (or choose Community Edition for up to 10 workloads free).

3. On the System Configuration Check page, the installer validates prerequisites. Missing components (Microsoft .NET Framework 4.7.2, Microsoft Visual C++ Redistributable, SQL Server) are auto-installed.

4. Configure the service account for VBR services (LOCAL SYSTEM is default; for enterprise environments use a dedicated domain service account with local administrator rights).

5. Configure the SQL Server instance. For production, use a full SQL Server instance rather than SQL Express (SQL Express is limited to 10 GB database size, which can be exceeded in large environments).

6. Complete the installation. The VBR console launches automatically after setup.

Installing Veeam Agent for Microsoft Windows (Standalone)

For servers not managed by a VBR server, Veeam Agent for Microsoft Windows (VAMW) provides standalone backup capability. Download the installer from veeam.com (VeeamAgentWindows.exe).

Silent installation via command line:

VeeamAgentWindows.exe /silent /accepteula /acceptthirdpartylicenses

After installation, the Veeam Agent control panel opens. The agent installs a system service (Veeam Agent for Microsoft Windows Service) that runs as SYSTEM and handles backup scheduling, VSS coordination, and CBT driver management.

Verify the CBT (Changed Block Tracking) driver is loaded — this is critical for incremental backup performance:

Get-Service -Name "VeeamCBTService"
sc query VeeamCBTService

The CBT driver tracks which disk blocks have changed since the last backup at the kernel level, enabling Veeam to read only changed blocks during incremental runs rather than scanning the entire volume. This dramatically reduces backup windows for large volumes.

Creating a Backup Job for Windows Server (Agent-Based via VBR)

From the Veeam Backup & Replication console, you can create agent backup jobs that target Windows Server 2022 machines. This approach provides centralized management, reporting, and access to advanced features.

Navigate to Home > Backup Job > Windows computer (agent backup). The New Agent Backup Job wizard opens.

Job Mode: Select Managed by backup server (VBR pushes the agent to target machines) or Managed by agent (agent connects to VBR for coordination). For newly built servers, select Managed by backup server and VBR automatically installs the agent.

Computers: Add individual servers by hostname/IP or add an entire Protection Group (a dynamic group defined by AD OU, CSV file, or manual list). Protection Groups enable automatic protection of new servers joining an OU.

Backup mode: Three options:

Entire computer: Backs up all volumes including OS. Required for bare metal recovery. Creates a backup chain stored in VBR’s proprietary .VBK/.VIB format.

Volume level backup: Select specific volumes. Faster than entire computer if you only need data volumes protected.

File level backup: Granular selection of files/folders. Cannot be used for bare metal recovery but is efficient for data-only protection.

Configuring the Backup Repository

A backup repository is the storage target where Veeam writes backup files. Veeam supports multiple repository types:

Windows server repository: A folder on a local disk or network share on a Windows machine. The simplest option for small environments.

Linux server repository (hardened): Veeam’s immutable repository option. By using a Linux-based XFS repository with immutability enabled, backups are protected from ransomware and administrator-level deletion for the immutability period. Strongly recommended for production environments.

SMB/CIFS share: NAS devices accessible via SMB. Works well for high-capacity, cost-effective storage.

Scale-Out Backup Repository (SOBR): Combines multiple repositories into a single logical target with automatic data placement. Supports adding cloud object storage (S3-compatible) as a capacity tier for automated tiering of older backups to cloud storage.

To add a repository via the VBR console: Navigate to Backup Infrastructure > Backup Repositories > Add Repository. For a Windows server repository:

# PowerShell cmdlet to add a Windows backup repository (Veeam PowerShell Toolkit)
Add-VBRBackupRepository -Name "NAS-Repository-01" -Folder "\nas01VeeamBackups" -Description "Primary NAS backup target" -Type WinServer

For the repository path, consider a dedicated volume formatted with ReFS (Windows) or XFS (Linux). ReFS provides fast clone operations that Veeam uses for synthetic full backup creation, significantly accelerating the creation of full backup files without reading all data from source.

Incremental vs Full Backups and Synthetic Fulls

Veeam’s default backup mode is Incremental-Forever: an initial full backup is taken, followed by incremental backups on all subsequent runs. There is no need for periodic full backups in the traditional sense because Veeam can create Synthetic Full backups by merging the existing full and incremental files entirely within the repository, without reading from the source server again.

This is a key advantage of Veeam: synthetic full creation reads from the repository only (fast local disk-to-disk operation) rather than sending all data across the network from the production server.

Configure synthetic fulls in the backup job schedule:

In the backup job wizard, on the Schedule page, click Advanced > Backup tab. Enable Create synthetic full backup periodically and set it to run on Sunday. This creates a consolidated full backup file each week by merging the week’s incrementals, allowing old incremental files to be cleaned up.

For repositories that support fast clone (ReFS, XFS with reflinks), enable Transform previous backup chains into rollback to use Veeam’s Reverse Incremental mode, which always keeps the latest backup as a full VBK file and stores reverse deltas for older points. This provides the fastest possible restore time for recent recovery points.

CBT (Changed Block Tracking) for Veeam

Veeam’s Changed Block Tracking is implemented via a kernel-mode filter driver (VeeamCBTDriver) that intercepts all disk I/O and records which 64 KB blocks have been written since the last backup. This enables Veeam to:

1. Read only changed blocks during incremental backup runs (not the entire volume).

2. Keep backup windows short even for terabyte-scale volumes with modest daily change rates.

3. Track changes during a live backup, ensuring the backup is consistent with the final state of the volume.

Monitor CBT driver health:

# Check CBT driver version and status
Get-WmiObject -Class Win32_SystemDriver | Where-Object { $_.Name -eq "VeeamCBTDriver" } | Select-Object Name, State, Status

# View CBT statistics from Veeam Agent log
Get-Content "C:ProgramDataVeeamEndpointLogsVeeam.EndPoint.Agent.log" | Select-String "CBT" | Select-Object -Last 20

If CBT becomes corrupted or out of sync (which can happen after ungraceful shutdowns or storage driver issues), Veeam automatically falls back to reading the entire volume for that backup run and then re-establishes CBT. You can force a CBT reset:

# Force CBT reset (agent standalone - run from elevated command prompt)
"C:Program FilesVeeamEndpoint BackupVeeam.Agent.Configurator.exe" /resetCBT

Restoring an Entire VM vs File-Level Recovery

Veeam provides multiple recovery options depending on the scope of what you need to restore.

Bare Metal Recovery (Entire Machine Restore): For a completely failed server, Veeam provides a bootable recovery media (ISO or USB) created with the Veeam Recovery Media wizard. Boot the failed server from this media, connect to the VBR server or backup repository, and select the restore point. The recovery process:

1. Boot from Veeam Recovery Media.

2. On the Veeam Recovery screen, select Bare Metal Recovery.

3. Specify the backup location (VBR server or direct repository path).

4. Select the restore point and target disk(s).

5. Veeam writes the backup data to the new disk. On modern hardware with a fast NAS repository, restoration speed is typically 200-500 MB/s.

File-Level Recovery: For recovering individual files or folders without restoring the entire machine, use Veeam’s file-level recovery wizard. From VBR console, right-click the restore point > Restore guest files > Microsoft Windows.

This mounts the backup as a virtual disk in a Veeam Mount Server (a helper VM or physical machine designated for this purpose), and presents a browseable folder tree in the Veeam Backup Browser. Drag files from the browser to a target location, or use the Restore button to restore directly to the original location with overwrite options.

# Start file-level recovery via VBR PowerShell
$restorePoint = Get-VBRRestorePoint -Name "WS2022-FILESERVER" | Sort-Object CreationTime -Descending | Select-Object -First 1
$session = Start-VBRWindowsFileRestore -RestorePoint $restorePoint
# Opens interactive recovery session; use Stop-VBRWindowsFileRestore when done

Veeam Explorer for Application Item Recovery

Veeam Explorers provide granular, application-aware item recovery from backup files without restoring an entire server. Available Veeam Explorers include Explorer for Microsoft SQL Server, Explorer for Active Directory, Explorer for Microsoft Exchange, Explorer for Microsoft SharePoint, and Explorer for Oracle.

Veeam Explorer for Active Directory allows restoring individual AD objects (user accounts, groups, GPOs, OUs) from a backup without entering DSRM or using authoritative restore procedures. This is invaluable for recovering accidentally deleted user accounts.

To open Veeam Explorer for AD from a Windows Server backup: Right-click restore point in VBR console > Restore application items > Microsoft Active Directory objects. The Explorer mounts the backup, reads the NTDS.DIT offline, and presents the AD object tree. Select the object to restore and click Restore to domain.

Veeam Explorer for SQL Server enables restoring individual SQL databases or even individual tables to a point in time. It supports log shipping replay to restore to any second within the backup+log window, not just the backup snapshot time — provided you have SQL Server transaction log backups integrated with the Veeam job.

# Launch SQL Explorer from PowerShell
$restorePoint = Get-VBRRestorePoint -Name "WS2022-SQL01" | Sort-Object CreationTime -Descending | Select-Object -First 1
Start-VBRSQLRestore -RestorePoint $restorePoint

Veeam Backup Cloud Connect

Veeam Cloud Connect extends the backup infrastructure to cloud service providers (CSPs) or public cloud storage, enabling offsite backup copies without the need to manage your own cloud storage accounts directly. You connect to a Veeam-compatible CSP who hosts a Cloud Gateway that your VBR server connects to over SSL on port 6180.

To add a Cloud Connect service provider in VBR:

Navigate to Backup Infrastructure > Service Providers > Add Service Provider. Enter the DNS hostname of your CSP, provide credentials, and VBR establishes the connection. You can then target cloud repositories for backup copy jobs, effectively creating off-site copies of your critical backups automatically.

Backup Copy Jobs (not to be confused with regular backup jobs) are specifically designed for creating secondary copies at different retention intervals. A typical setup: primary backup job writes to local NAS repository with 14-day retention, backup copy job replicates to cloud connect repository with 30-day or 90-day retention.

# Create a backup copy job targeting a cloud connect repository (VBR PowerShell)
$backupJob = Get-VBRJob -Name "WS2022-FileServer-Backup"
$cloudRepo = Get-VBRBackupRepository -Name "CloudConnect-Provider"
Add-VBRBackupCopyJob -Name "WS2022-FileServer-OffSite" -SourceJob $backupJob -TargetRepository $cloudRepo -RestorePoints 30

SureBackup for Automated Recovery Testing

SureBackup is one of Veeam’s most powerful differentiating features. It automatically verifies that backup files are recoverable by actually booting VMs (or agent backups with Instant Recovery) from the backup in an isolated virtual lab environment, running predefined tests, and generating a pass/fail report — all automatically, on a schedule, without any production impact.

SureBackup requires a VMware vSphere or Hyper-V environment for the virtual lab. While it is primarily designed for VM backups, Veeam can also use Instant Recovery to boot agent backups as VMs for SureBackup testing.

Setup steps for SureBackup:

1. Create a Virtual Lab: In VBR console, navigate to Backup Infrastructure > Virtual Labs > Add Virtual Lab. Configure an isolated network (no production connectivity) on your hypervisor, specifying a proxy appliance that handles routing inside the lab. The production network is mapped to isolated network segments so the recovered VMs cannot accidentally contact production systems.

2. Create an Application Group: An Application Group defines the VMs or agent backups to boot and test. Add your Windows Server 2022 backups to the group and configure startup options (wait for heartbeat, wait for specific ports like 3389 or 80 to become available).

3. Create a SureBackup Job: Navigate to Home > SureBackup Job. Assign the Virtual Lab and Application Group. Configure tests: Veeam runs ping tests, port availability tests, and optionally custom scripts (PowerShell or batch files) that validate application functionality.

# Example custom SureBackup test script (checks IIS responds with HTTP 200)
$response = Invoke-WebRequest -Uri "http://localhost/health-check" -UseBasicParsing -TimeoutSec 30
if ($response.StatusCode -eq 200) { exit 0 } else { exit 1 }

4. Schedule and review reports: SureBackup jobs run on a configurable schedule (weekly is typical). After each run, VBR generates a verification report showing which VMs booted successfully, which tests passed, screenshots of the VM desktop (confirming login screen or application UI), and CRC verification of backup file integrity. Reports can be emailed automatically and are also visible in the VBR console under History > SureBackup.

With SureBackup configured and passing consistently, you gain documented proof of recoverability — a requirement for many compliance frameworks including ISO 27001, SOC 2, and HIPAA.