Truth in IT
    • Sign In
    • Register
        • Videos
        • Channels
        • Pages
        • Galleries
        • News
        • Events
        • All
Truth in IT Truth in IT
  • Data Management ▼
    • Converged Infrastructure
    • DevOps
    • Networking
    • Storage
    • Virtualization
  • Cybersecurity ▼
    • Application Security
    • Backup & Recovery
    • Data Security
    • Identity & Access Management (IAM)
    • Zero Trust
    • Compliance & GRC
    • Endpoint Security
  • Cloud ▼
    • Hybrid Cloud
    • Private Cloud
    • Public Cloud
  • Webinar Library
  • TiPs
  • DRAW

Commvault: Cleanroom Recovery Configuration & Demo in Commvault

Commvault
07/16/2026
0 (0%)
Share
  • Comments
  • Download
  • Transcript
Report Like Favorite
  • Share/Embed
  • Email
Link
Embed

Transcript


We are looking at the Commvault dashboard. The first thing we need to do is to configure your control plane backups to go to cloud.commvault.com. To do that, we must click Manage on the left hand side. Click System. Click Maintenance on the right hand side. Click DR Backup Daily. Click More. Click Edit. You are now looking at the settings for your daily control plane backup. The setting that we are specifically looking for is Upload Backup Metadata to Metallic Cloud. You need to ensure that this setting is slid to the right. Once that is done, click Save. Now, all new installations, this is the default setting. However, we need to double check just to make sure. From here, we need to set up AirGet Protect. On the left, we click Storage. Click AirGet Protect. Now, if you want to add a new AirGet Protect storage location, you click Add on the upper right. Now, fill out the information for your AirGet Protect storage. This will be specific to the license you purchased. As you can see here, ours is licensed for cool. Cleanroom Recovery will work with either cool or hot AirGet Protect storage. It is really up to you what you purchase. Finally, on Location, select the location that is most applicable to your environment. For us, we select U.S. Central. After you fill this out, click Save. Now, we will move on to modifying a plan. To do that, we will click Manage on the left and then click Plans. We do this to ensure we have a plan that is storing backup copies in AirGet Protect. To modify an existing plan, you simply click the plan name. Now, click Backup Destinations in the top. Then, on the right-hand side, click Add. Click Copy. In this screen, you fill in the settings that are applicable to the AirGet Protect storage that you just configured in the previous step. Then, click Save. Now, that's it! You have your Commvault software set and ready to use Cleanroom Recovery. The next step is we will initiate a Cleanroom Recovery. We have now logged in to cloud.commvault.com. That is the first step to initiate a Cleanroom Recovery. You simply log in with the account you've already created. The first thing we need to do once we log in is click anywhere in the Security Posture Score tile. From here, all of the Cleanroom cells in your environment will be displayed, if you have multiple. You can simply scroll and find it, or click here to search for it. We will search for Ours since we have multiple. Now, on the right-hand side, you'll notice a column labeled Recovery Validation. You'll notice Ours says 100. That's because we have tested the Recovery Validation before. If you are new, yours will say Start Recovery. Either way, click on the percentage or Start Recovery to get to the Recovery Validation details. We are now looking at all the details for your Recovery Validation. In the bottom, you'll see a list of all of the backups sent to cloud.commvault.com. These are known as backup sets. You'll also see various details about your licensing and tests running, if you have any. For the sake of this demonstration, we are going to go straight to initiating a recovery. To do that, in the bottom table where the backup sets are listed, in the Actions column, you want to click an ellipsis. You can choose any of the backup sets listed on this page. For this demonstration, we'll simply choose the latest one. Click on Start Recovery. This will open up the details about recoveries that you've used and the duration of the recovery you're about to initiate. So simply click Submit. At this point, you'll get an email that says the recovery has been initiated. You can also click here on Recovery Requests. All the requests that you have initiated will show up in the Recovery Requests table. As you can see here, the latest one we have says Creating VM. If you want, you can stay on this page and wait until it says CS Staged. Or you can wait until you get an email that says the recovery is finished. Either is okay. So now we will wait for the control plane to be recovered. Now the CS has been staged. You can see that by the status has changed to CS Staged for the backup set we recovered. Now you have a fully staged control plane. To access that control plane, you can click under the Actions column on the ellipsis next to your backup set and see access details. If for some reason you want to extend how long your current recovery is up, you can click on the Extend Reservation. But for the sake of this demonstration, we're just going to go straight to Access Details. Now you can see all the information you need to recover your console. You may notice that the user is Recovery Manager. That is because every control plane that is recovered is in a read-only state with a limited access user. We do this so security is increased and the initial dependency on Active Directory or LDAP is removed. Now that's it. The control plane is fully recovered. The next stage will be to go on and configure the control plane that has been recovered into the Metallic Cloud. We are now logged in to the recovered control plane that we performed in the previous step. As you can see, the dashboard looks slightly different, and that is because we are logged in as the limited rights user that we also illustrated in the previous step. So the first thing we must do to initiate a recovery test is to add the target to perform a recovery into. To do this, first we must click on Protect, Virtualization, Add Hypervisor on the right-hand side. Then click Microsoft Azure, Next. Now we are going to add the information about our Microsoft Azure subscription. The first thing we do is give it a logical name, and then add in your subscription information as well as credentials to access your subscription. If you don't have credentials already saved, you can create them now. And then select Access Node. For the sake of the demo, I'm going to select the recovered control plane and click Next. Since we don't have any VMs to actually protect, I'm going to click Cancel on this one. And now we can go in and set up the details for the clean room. The first thing we do is after we've clicked Clean Room and then Targets on the left-hand side, we need to add a target. So we need to click Add in the upper right. Give it a logical name. The destination, you can see it already picked the hypervisor that we created. Access Node, I'm going to leave as the recovered control plane. And then you can set this to be whatever you want. I'm going to leave it to default to add a suffix of CRR to my recovered machines. Now, after clicking Next, we want to set up the details for the destination. The first thing is the region. This needs to be the same region as your AirGap Protect storage. So for us, I'm going to search for Central US. Then it'll finish loading the rest of the details. Leave everything else automatic except for Virtual Network. I'm going to select the network that I created specific. I'm also going to tell it to create a public IP address. Submit. Now, we have to create our recovery groups. Click on Recovery Groups on the left. On the upper right, give it a logical name. Select the target which we'll select the target we just created. And then we'll leave the default recovery point as automatic. Click Save. And now we've created our recovery group. We can add entities to this. Every entity added to this will receive the same recovery settings, but that can be customized. So to add entities, you click Add on the right and Virtual Machines. Now this will show you a list of virtual machines you have. I'm going to select our virtual machines from the group we have pre-set up. I'm going to select DNS1 and a Red Hat client. And then click Add. And now we've created the group. As you can see, my Red Hat client gives me a different status than my Windows client. This is because we do some checking before we even initiate the recovery. This, when I hover over it, you can see the name does not match Azure standards. So I can come into Actions, Override Recovery Options, and modify the name to fix that error. That's it. I have now created groups and targets to perform my recovery. The next step is to simply perform my recovery. To do that from the recovery group, we can click Recover All in the upper right. This will recover all of the machines in the recovery group. I'll click Submit. To check, we can click on Jobs and see that the recovery is starting. We can also monitor the status of the machines in the recovery group from the Recovery Groups page. So click on Cleanroom on the left, Recovery Groups, click on your recovery group, and now you can see the status of the machines in that group. Both of these say In Progress because they are currently being recovered. Now, as you can see, everything has been recovered by this recovery status being green and saying Recovered. To show this, I'm going to quickly switch over to the Azure environment. As you can see, there was nothing in there before. I'm going to refresh it. And now you can see that we have both the Red Hat client as well as the Windows client recovered and running. Now go back. That's it. We've now performed a Cleanroom recovery.

TL;DR

  • Cleanroom Recovery requires configuring control plane backups to upload to cloud.commvault.com and setting up AirGap Protect storage (hot or cool tier) as the immutable, air-gapped foundation for isolated recovery operations.
  • Recovery is initiated through the cloud.commvault.com portal, which automatically stages a fully functional control plane with limited-privilege access, eliminating dependencies on potentially compromised Active Directory or LDAP infrastructure.
  • Administrators configure recovery targets (such as Azure) and create recovery groups to organize workloads, with the system performing pre-recovery validation checks to identify potential issues before execution.
  • The entire recovery process—from configuration through workload restoration—can be completed without touching production systems, enabling both recovery validation testing and actual cyber incident response in a secure, isolated environment.
  • Recovered virtual machines run in a completely isolated clean room environment, preventing reinfection and providing a safe space for validation before any potential cutover to production.

Configuring Control Plane and AirGap Protect Storage

The demonstration begins with the foundational configuration steps required to enable Cleanroom Recovery in Commvault Cloud. Administrators must first ensure that control plane backups are configured to upload metadata to cloud.commvault.com by enabling the appropriate setting in the DR Backup Daily maintenance schedule. The next critical step involves setting up AirGap Protect storage, which provides the air-gapped, immutable storage foundation necessary for secure recovery. Commvault supports both hot and cool tier AirGap Protect storage, with the choice depending on organizational licensing and recovery time objectives. Once AirGap Protect storage is configured with the appropriate geographic location, administrators modify backup plans to include a backup copy destination pointing to the newly configured AirGap storage. This ensures that protected workloads have recovery points stored in an isolated, immutable location that cannot be compromised during a cyber incident.

Initiating and Staging the Cleanroom Recovery Environment

Recovery initiation occurs through the cloud.commvault.com portal, where administrators access the Security Posture Score dashboard to view available Cleanroom cells and their recovery validation status. By selecting a backup set and initiating recovery, Commvault automatically stages a fully functional control plane in an isolated environment. This staged control plane operates with a limited-privilege Recovery Manager account, eliminating dependencies on potentially compromised Active Directory or LDAP infrastructure. The read-only nature of this recovered console enhances security by preventing unauthorized modifications during the recovery validation or actual recovery process. Administrators receive email notifications when the control plane staging is complete and can access detailed connection information through the Recovery Requests interface. This staged environment provides a secure foundation for validating recovery readiness or executing actual recovery operations without any risk to production systems.

Configuring Recovery Targets and Executing Workload Recovery

Once the control plane is staged, administrators configure the clean recovery environment by adding hypervisor targets—in this demonstration, Microsoft Azure. The recovered control plane serves as the access node for orchestrating recovery operations into the isolated target environment. Administrators create recovery targets that define destination parameters including region, virtual network, and IP addressing schemes, with the critical requirement that the target region matches the AirGap Protect storage region. Recovery groups organize virtual machines that will be recovered together with consistent settings, though individual machine settings can be overridden as needed. The system performs pre-recovery validation checks, flagging potential issues such as naming convention conflicts with cloud provider standards. Once recovery groups are configured, administrators can initiate recovery with a single click, and the system orchestrates the entire process of restoring virtual machines into the isolated clean room environment. The demonstration concludes by showing successfully recovered Windows and Red Hat virtual machines running in Azure, completely isolated from the original production environment and ready for validation or cutover.

Chapters

0:00 - Introduction and Control Plane Configuration
1:14 - Setting Up AirGap Protect Storage
2:11 - Modifying Backup Plans for Cleanroom
3:06 - Initiating Cleanroom Recovery Process
5:55 - Accessing Recovered Control Plane
7:18 - Adding Azure Hypervisor Target
8:57 - Creating Recovery Targets
10:17 - Configuring Recovery Groups
12:02 - Executing Recovery and Validation

Key Quotes

0:51 "The setting that we are specifically looking for is Upload Backup Metadata to Metallic Cloud. You need to ensure that this setting is slid to the right."
1:47 "Cleanroom Recovery will work with either cool or hot AirGet Protect storage. It is really up to you what you purchase."
6:45 "Every control plane that is recovered is in a read-only state with a limited access user. We do this so security is increased and the initial dependency on Active Directory or LDAP is removed."
9:53 "The region needs to be the same region as your AirGap Protect storage."
11:34 "We do some checking before we even initiate the recovery. This, when I hover over it, you can see the name does not match Azure standards."

FAQ

What is the difference between hot and cool tier AirGap Protect storage for Cleanroom Recovery?

Both hot and cool tier AirGap Protect storage work with Cleanroom Recovery. The choice depends on your licensing and recovery time objectives. Hot tier provides faster access to data, while cool tier offers cost optimization for longer-term retention. The functionality of Cleanroom Recovery remains the same regardless of tier selection.

Why does the recovered control plane use a limited-privilege Recovery Manager account instead of standard admin credentials?

The Recovery Manager account is read-only with limited privileges to enhance security and remove dependencies on Active Directory or LDAP, which may be compromised during a cyber incident. This approach ensures that recovery operations can proceed even if identity infrastructure is unavailable or untrusted, and prevents unauthorized modifications to the recovery environment.

Can I test Cleanroom Recovery without performing an actual recovery of production workloads?

Yes. Cleanroom Recovery is specifically designed to support recovery validation testing without impacting production systems. You can initiate recovery, stage the control plane, configure recovery targets, and even recover test workloads into the isolated environment to validate your recovery readiness before an actual cyber incident occurs.


Categories:
  • » Webinar Library » Commvault
  • » Data Protection » Backup & Recovery
  • » Cybersecurity » Cloud Security
  • » Data Protection
Channels:
News:
Events:
Tags:
  • Data Protection
  • Backup & Recovery
  • Cloud Security
  • Demo
  • Technical Deep Dive
  • How-To
  • Cleanroom Recovery
  • AirGap Protect
  • Cyber Recovery
  • Ransomware Recovery
  • Isolated Recovery Environment
  • Control Plane Backup
  • Azure Recovery Target
  • Recovery Validation
Show more Show less

Browse videos

  • Related
  • Featured
  • By date
  • Most viewed
  • Top rated
  •  

              Video's comments: Commvault: Cleanroom Recovery Configuration & Demo in Commvault

              XStreaminars (watch here)

              • Jul
                28

                Illumio + Netskope: Zero Trust in the Age of AI Autonomy

                07/28/202601:00 PM ET
                • Jul
                  29

                  Ask Your Cloud Anything: Unlocking Governance Silos in your Environments

                  07/29/202601:00 PM ET
                  More events

                  Industry Events (watch there)

                  • Jul
                    22

                    Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue

                    07/22/202601:00 PM ET
                    • Aug
                      19

                      Becoming Agent Ready: Insights from Cyera's Expertise

                      08/19/202612:00 PM ET
                      More events

                      Upcoming Webinar Calendar

                      • 07/21/2026
                        04:00 AM
                        07/21/2026
                        Strategies for Managing AI Governance and Securing App-to-LLM API Traffic
                        https://www.truthinit.com/index.php/channel/1967/strategies-for-managing-ai-governance-and-securing-app-to-llm-api-traffic/
                      • 07/22/2026
                        06:30 AM
                        07/22/2026
                        Insights and Strategies for Effective Data Privacy and Protection
                        https://www.truthinit.com/index.php/channel/2000/insights-and-strategies-for-effective-data-privacy-and-protection/
                      • 07/22/2026
                        01:00 PM
                        07/22/2026
                        Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue
                        https://www.truthinit.com/index.php/channel/2029/insights-from-attackers-during-the-fifa-world-cup-a-human-dialogue/
                      • 07/28/2026
                        01:00 PM
                        07/28/2026
                        Illumio + Netskope: Zero Trust in the Age of AI Autonomy
                        https://www.truthinit.com/index.php/channel/2031/illumio-netskope-zero-trust-in-the-age-of-ai-autonomy/
                      • 07/29/2026
                        04:00 AM
                        07/29/2026
                        Real-Time Strategies for Safeguarding Against Prompt Injections
                        https://www.truthinit.com/index.php/channel/1968/real-time-strategies-for-safeguarding-against-prompt-injections/
                      • 07/29/2026
                        01:00 PM
                        07/29/2026
                        Ask Your Cloud Anything: Unlocking Governance Silos in your Environments
                        https://www.truthinit.com/index.php/channel/2048/ask-your-cloud-anything-unlocking-governance-silos-in-your-environments/
                      • 08/19/2026
                        12:00 PM
                        08/19/2026
                        Becoming Agent Ready: Insights from Cyera's Expertise
                        https://www.truthinit.com/index.php/channel/2036/becoming-agent-ready-insights-from-cyeras-expertise/
                      • 09/02/2026
                        12:00 PM
                        09/02/2026
                        Unified Data Security in Action: Uncover, Analyze, and Resolve Threats
                        https://www.truthinit.com/index.php/channel/2045/unified-data-security-in-action-uncover-analyze-and-resolve-threats/
                      • 09/30/2026
                        04:00 AM
                        09/30/2026
                        AI Command Center: Optimizing Visibility and Control in Your Operations
                        https://www.truthinit.com/index.php/channel/2024/ai-command-center-optimizing-visibility-and-control-in-your-operations/
                      Truth in IT
                      • Sponsor
                      • About Us
                      • Terms of Service
                      • Privacy Policy
                      • Contact Us
                      • Preference Management
                      Desktop version
                      Standard version