Training Guide Configuring Advanced Windows Server 2012 R2 Services (2014)
Chapter 5. Backup and recovery
Data protection is a topic that most people find less than interesting until a server fails or data gets corrupted. When you’ve lost data, being able to recover it becomes the most interesting topic in the universe. Windows Server 2012 and Windows Server 2012 R2 include several different tools that enable you to back up and recover data. Understanding which tool is appropriate for a given situation is important for the 70-412 exam, and it’s the topic of this chapter.
Lessons in this chapter:
Lesson 1: Configuring and managing backups
Lesson 2: Recovering servers
Before you begin
To complete the practice exercises in this chapter, you need to have deployed computers SYD-DC, MEL-DC, CBR-DC, and ADL-DC as described in the Introduction, using the evaluation edition of Windows Server 2012 R2.
Lesson 1: Configuring and managing backups
Windows Server 2012 and Windows Server 2012 R2 include several different tools that you can use to create and manage backups. The primary tool that most people are familiar with is Windows Server Backup, which enables you to back up everything from a single file to an entire server. Windows Server Backup includes the Wbadmin.exe command-line utility and, with Windows Server 2012 and Windows Server 2012 R2, it also includes more than 45 new Windows PowerShell cmdlets. Another backup option is Windows Azure Backup, which enables you to back up files and folders to the Windows Azure cloud. In this lesson you find out how you can use these different technologies to back up Windows Server 2012 and Windows Server 2012 R2.
Note: New name!
Windows Azure is being renamed Microsoft Azure. Expect to see these changes soon.
After this lesson, you will be able to:
Configure Windows Server Backups
Configure Windows Online Backups
Perform role-specific backups
Use Vssadmin to manage VSS settings
Estimated lesson time: 45 minutes
Windows Server Backup
Windows Server Backup is the default backup application included with Windows Server 2012 and Windows Server 2012 R2. Windows Server Backup is a basic backup solution. It only enables you to back up to disk or network share. Tasks such as export to tape for long-term retention require a more sophisticated solution, such as System Center 2012 R2 Data Protection Manager. Windows Server Backup has a minimal level of reporting functionality and has no native functionality that makes it possible for alerts to be sent to an administrator through email in the event that a backup fails.
Windows Server Backup enables you to back up and recover the following:
Full server (all volumes)
System State data
Although you can connect from the Windows Server Backup console to other computers to manage Windows Server Backup remotely, you can only use an instance of Windows Server Backup to back up the local computer. For example, whereas you can back up network shared folders that the computer is able to access, such as a mapped network drive, you can’t configure Windows Server Backup on one computer to do a full volume or System State backup of another computer.
You can configure exclusions for backup jobs run on Windows Server Backup. Exclusions are specific file types that you want to exempt from the backup process. You can configure exclusion on the basis of file type, or you can choose to exclude the contents of entire folders and their subfolders. Figure 5-1 shows an exclusion that stops files with the .tmp extension in the C:\shared-docs folder and its subfolders from being written to backup.
FIGURE 5-1 File exclusions
Users who are local Administrators or members of the Backup Operators group are able to use Windows Server Backup to back up the entire computer, volumes, files, or folders, and the System State. You can grant other security principals this right by editing the Back Up Files And Directories Group Policy item. Windows Server Backup does not encrypt backups by default. When you are backing up data, you can configure access control so that only a user with specific credentials is able to access the backup, such as in Figure 5-2, but this does not encrypt the backup.
FIGURE 5-2 Configure access control
Real World: Security of backups
The security of backups is important. Anyone who has access to backed up data can restore it to a separate location where they have complete access to that data. The security of backed up data is as important as the security of the servers being backed up.
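Because the backup right lets its holder read any file on the server, it is worth checking who actually holds it. The following is an added example, not from the book: it exports the local user-rights assignments with secedit.exe and lists every principal that holds the Back Up Files And Directories right (SeBackupPrivilege) or its restore counterpart, flagging any principal other than the Administrators and Backup Operators groups named above. It assumes an elevated prompt.

```powershell
# Added example (not from the book): audit who holds the backup and restore user rights.
# Run elevated. secedit.exe ships with Windows Server.
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())

# SeBackupPrivilege  = "Back up files and directories"
# SeRestorePrivilege = "Restore files and directories"
$rights = 'SeBackupPrivilege', 'SeRestorePrivilege'

# Well-known SIDs of the two groups the text names as default holders.
$expectedSids = 'S-1-5-32-544',   # BUILTIN\Administrators
                'S-1-5-32-551'    # BUILTIN\Backup Operators

try {
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

    $report = foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\s*(\w+)\s*=\s*(.*)$' -and $rights -contains $Matches[1]) {
            $right = $Matches[1]
            foreach ($entry in ($Matches[2] -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }

                if ($entry.StartsWith('*')) {
                    # secedit writes SIDs with a leading '*'
                    $sid = $entry.TrimStart('*')
                    try {
                        $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                                    Translate([System.Security.Principal.NTAccount]).Value
                    } catch {
                        $name = '<unresolved SID>'   # deleted account or unreachable domain
                    }
                } else {
                    # Some principals are exported by name instead of SID
                    $sid  = $null
                    $name = $entry
                }

                [pscustomobject]@{
                    Right     = $right
                    Principal = $name
                    Sid       = $sid
                    Review    = ($expectedSids -notcontains $sid)
                }
            }
        }
    }

    $report | Sort-Object Right, Principal |
        Format-Table Right, Principal, Sid, Review -AutoSize

    # Group membership matters as much as the right itself.
    net.exe localgroup 'Backup Operators'
}
finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}
```

Rows with Review set to True are principals that were granted the right beyond the two default groups and should be justified or removed.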
Windows Server Backup enables you to back up to any locally attached disk, to a volume, to the storage area network (SAN), or to any network folder. When configuring a scheduled backup, you should specify a destination volume or disk that is empty. If the disk is local or connected to the SAN, Windows Server Backup performs a full backup at least once every 14 days and incremental backups on subsequent backups. Incremental backups in Windows Server 2012 and Windows Server 2012 R2 use block-level backups rather than file-level backups, meaning that the incremental backups are much smaller. Rather than back up all of the files that have changed since the last backup, only the data blocks that have changed on the hard disk are backed up. For example, if you changed one image in a 25-megabyte (MB) PowerPoint file after it was backed up, only the data blocks associated with that image would be backed up next time, not the whole 25-MB file.
Real World: Back up to different disks
Although you can write backup data to a different volume on the same disk, you should back up data to a different disk so that if your disk fails, you don’t lose both the data being protected and the backup itself.
The exception to the rule about automatic full and incremental backups when a backup is scheduled is when the backup data is written to a network folder. When you back up to a network folder (as opposed to a SAN-connected disk, which appears as local to Windows Server) each backup is a full backup and the previous full backup that was stored on the network share is erased. As only one backup at a time can be stored on a network share, if you choose to back up to this location, you can’t recover data from any backup other than the most recently performed one.
You can modify the performance of full system and full volume backups using the Optimize Backup Performance dialog box, shown in Figure 5-3. You can increase backup performance by using the Faster Backup Performance option. The drawback of selecting this option is that it reduces disk performance on the disks that host the volumes that you are backing up.
FIGURE 5-3 Optimize backups
Windows Server Backup in Windows Server 2012 and Windows Server 2012 R2 has the following new features:
Capability to back up and restore individual Hyper-V hosted virtual machines.
Capability to be configured for how long backups should be stored (backup retention) through Windows PowerShell cmdlets.
Capability to back up volumes exceeding 2 terabytes (TB) in size.
Capability to back up volumes with 4 kilobyte (KB) sector size.
Support for backing up Cluster Shared Volumes.
More Info: Windows Server Backup
To learn more about Windows Server Backup, consult the following article: http://technet.microsoft.com/en-us/library/jj614621.aspx.
Windows Server Backup PowerShell cmdlets
Prior to Windows Server 2012, you used the Wbadmin.exe utility to perform command-line management of Windows Server Backup. Windows Server 2012 and Windows Server 2012 R2 introduce more than 45 new Windows PowerShell cmdlets that can be used for backup and recovery. When using Windows PowerShell, you create backup policies that include all of the settings related to a backup job, such as: what to back up, where to store it, the backup schedule, and backup retention. You can view a list of all Windows Server Backup-related Windows PowerShell cmdlets by typing the following command:
Get-Command -Module WindowsServerBackup
Important cmdlets in this module include:
New-WBPolicy Creates a new backup policy
Add-WBBackupTarget Adds a backup target to a backup policy
Add-WBSystemState Adds the System State to a backup policy
Add-WBVirtualMachine Adds one or more Hyper-V hosted virtual machines to the policy
Add-WBVolume Adds a volume or volumes to the backup policy
Start-WBBackup Starts a one-time backup
Start-WBFileRecovery Starts a file recovery
Start-WBHyperVRecovery Begins the recovery of a Hyper-V virtual machine
Start-WBSystemStateRecovery Begins System State recovery
Start-WBVolumeRecovery Begins the recovery of a volume
More Info: Windows Server Backup PowerShell cmdlets
To learn more about Windows Server Backup PowerShell cmdlets, consult the following article: http://technet.microsoft.com/en-us/library/jj902428(v=wps.620).aspx.
Backing up data with Windows Server Backup
You can back up data in different ways with Windows Server Backup. You can configure a scheduled backup, which means a backup occurs on a scheduled basis. You can also perform a one-off backup. When you perform a one-off backup, you can either use the existing scheduled backup settings, or you can configure a separate set of settings for the one-off backup. For example, you might have configured Windows Server Backup to perform a full server backup twice a day to a locally attached disk. You could connect at any time and perform a one-off backup where you select only specific files and folders and have them written to a location on the network.
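The scenario just described, built with the cmdlets listed earlier, as an added example that is not from the book. The volume letters, the D:\Finance folder and the \\FS01\OneOff share are constructed values; E: is assumed to be an empty volume on a different physical disk.

```powershell
# Added example (not from the book). Constructed values: D: data volume,
# E: empty backup volume on a separate disk, \\FS01\OneOff hypothetical share.
Import-Module WindowsServerBackup

# --- Scheduled policy: twice a day to a locally attached volume -------------
$policy = New-WBPolicy

Add-WBBareMetalRecovery -Policy $policy        # critical volumes for bare metal recovery
Add-WBSystemState       -Policy $policy        # System State
Add-WBVolume            -Policy $policy -Volume (Get-WBVolume -VolumePath 'D:')

# The exclusion from Figure 5-1: *.tmp under C:\shared-docs and its subfolders.
# File specs are recursive unless -NonRecursive is given.
$exclude = New-WBFileSpec -FileSpec 'C:\shared-docs\*.tmp' -Exclude
Add-WBFileSpec -Policy $policy -FileSpec $exclude

$localTarget = New-WBBackupTarget -VolumePath 'E:'
Add-WBBackupTarget -Policy $policy -Target $localTarget

Set-WBSchedule -Policy $policy -Schedule ([datetime]'06:00'), ([datetime]'18:00')

# Save the policy as the server's scheduled backup.
Set-WBPolicy -Policy $policy -Force

# --- One-off backup: selected folder only, written to a network share -------
$oneOff = New-WBPolicy
Add-WBFileSpec -Policy $oneOff -FileSpec (New-WBFileSpec -FileSpec 'D:\Finance')

# -NonInheritAcl restricts the backup folder to the supplied credential instead
# of inheriting the share's ACL. This is access control only: the backup data
# itself is still written unencrypted.
$cred  = Get-Credential -Message 'Account that may write to \\FS01\OneOff'
$share = New-WBBackupTarget -NetworkPath '\\FS01\OneOff' -Credential $cred -NonInheritAcl
Add-WBBackupTarget -Policy $oneOff -Target $share

# Runs immediately and does not touch the saved scheduled policy.
Start-WBBackup -Policy $oneOff

# --- Verify ------------------------------------------------------------------
Get-WBPolicy              # the saved scheduled policy
Get-WBJob -Previous 1     # result of the most recent job
Get-WBSummary             # last successful backup time and next scheduled run
```

Windows Server Backup has no failure alerting of its own, so the output of Get-WBJob and Get-WBSummary is what a monitoring script would need to poll.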
Windows Azure Backup
Windows Azure Backup is Microsoft’s cloud-based subscription backup service. You run the client on an Internet-connected computer server that you want to back up, and the backup data is stored on the Windows Azure servers in the cloud. Windows Azure Backup functions as an off-site data storage and recovery location. In the event that a site is lost, you’ll still be able to recover this important data from Windows Azure. The Windows Azure Backup console is shown in Figure 5-4.
FIGURE 5-4 Windows Azure Backup console
You should back up important settings and data to Windows Azure Backup. You don’t need to perform (and Windows Azure Backup doesn’t currently support) a full server backup. If your server hosts a shared folder that stores backup images, it’s technically possible to back up those images to Windows Azure Backup by treating them like normal files, but this would be a waste of resources.
You can run both the Windows Server Backup and Windows Azure Backup clients in parallel. This approach enables you to perform local backups and backups to Windows Azure on the same server. You can then do frequent full server backups locally with infrequent critical data backups to Windows Azure. When you employ this strategy, you will mostly restore data from your local backups. It’s only when something goes drastically wrong that you need to restore data from Windows Azure.
Real World: Brisbane floods
The loss of all servers at a site can seem quite hypothetical when you read about it in books until it happens to people that you know. In January 2011 the Brisbane River broke its banks and flooded the Brisbane central business district. Several large organizations had their datacenters in the basements of buildings in the central business district. The floodwaters were more than high enough to completely submerge the ground floor of these buildings, which meant those basement datacenters were also flooded and all server equipment at those sites was lost.
The key to understanding what data to back up to Windows Azure is that if your organization loses a site to some type of disaster, you can always reinstall operating systems and applications from media that you can easily obtain again. The data stored on your servers, such as documents and settings, is something that you can’t generate from installation media. By storing it in the cloud, you’ll be able to recover it in the event of a disaster after you’ve rebuilt your server infrastructure.
More Info: Windows Azure Backup trial
You can sign up for a Windows Azure trial account, which includes Windows Azure Backup at http://www.windowsazure.com/en-us/pricing/free-trial/. Signing up for the trial account enables you to test Windows Azure before making a financial commitment to the subscription-based service.
Preparing for Windows Azure Backup
Before you can start using Windows Azure Backup to back up data from a server running Windows Server 2012 or Windows Server 2012 R2, you need to take several preliminary steps as shown in Figure 5-5. These include performing the following steps:
Create a backup vault. You create the backup vault within Windows Azure. Backup vaults are the storage locations hosted within Windows Azure that store your backup data. Azure enables you to select a backup vault in an appropriate geographic location.
Upload a specially configured public certificate that identifies the server to the public vault. This certificate can be self-signed using the Makecert.exe utility, can be obtained from an internal certificate authority (CA), or can be obtained from a trusted third-party CA. This certificate is used to identify the server and to secure the backup process.
Download and install the Windows Azure Backup agent to the server that you want to protect.
FIGURE 5-5 Creating a backup vault
After you’ve installed the agent, you need to register the server with Windows Azure Backup. This requires that the private key for the certificate you uploaded to Windows Azure be located in the private certificate store of the computer you are registering. You also need to configure Windows Azure Backup to use a specific backup vault. You select the backup vault on the Vault Identification page of the Register Server Wizard as shown in Figure 5-6. The final step is to configure an encryption passphrase. This passphrase is used to encrypt the data stored in the backup vault. You won’t be able to restore the data to another location even if you have access to the backup vault without providing the encryption passphrase. The passphrase must be a minimum of 16 characters long, and you can save it to an external location such as a universal serial bus (USB) storage device.
FIGURE 5-6 Specify a backup vault
Backing up data to Windows Azure Backup
Scheduling a backup to Windows Azure Backup involves running a wizard very similar to the Schedule Backup Wizard in Windows Server Backup. When running this wizard you:
Select which items to back up. This is file and folder based. Although you can select a volume to back up, you don’t use Windows Azure Backup to perform full volume recovery in the same manner as you would with Windows Server Backup. Windows Azure Backup has a limit of 850 gigabytes (GB) per volume of data per backup operation. When selecting items to back up, you can configure exclusions for file types, folders, or folder trees.
Select a backup schedule. Determine how often a synchronization occurs. You can configure Windows Azure Backup to synchronize up to three times per day. You can also configure bandwidth throttling as shown in Figure 5-7. Throttling enables you to limit the utilization of bandwidth and ensures that your organization’s Internet connection isn’t choked with backup traffic replicating to the recovery vault on Windows Azure during business hours.
FIGURE 5-7 Configuring backup throttling
Configure backup retention. The retention setting, which you configure on the Specify Retention Setting page shown in Figure 5-8, determines how long backup data is stored in Windows Azure before being deleted. You can configure retention for Windows Server Backup when creating a policy in Windows PowerShell.
FIGURE 5-8 Configuring retention settings
More Info: Windows Azure Recovery Services
To learn more about Windows Azure Recovery Services consult the following article: http://www.windowsazure.com/en-us/home/features/recovery-services/.
Role-specific and application-specific backups
The majority of Windows Server 2012 and Windows Server 2012 R2 roles and features store data in locations that are backed up when you perform a System State backup. System State data is automatically backed up when you perform a full server backup or select it for backup as shown in Figure 5-9. Depending on the roles and features installed on a computer running Windows Server 2012 or Windows Server 2012 R2, the System State can contain the following data:
Local users and groups
COM+ Class Registration database
Active Directory Certificate Services (AD CS) database
Active Directory database (Ntds.dit)
Cluster service information
System files under Windows Resource Protection
Internet Information Services (IIS) settings
FIGURE 5-9 Back up System State
Increasing numbers of applications, such as Exchange Server 2013, also register themselves with Windows Server Backup. This means when you perform a full server backup, you are able to recover data that is relevant to the application only without having to perform a full system restore. Figure 5-10 shows how you can choose to restore Exchange. Support for application registration depends on the application. You can’t select a specific application for back up using Windows Server Backup, but you can restore applications that have registered themselves with Windows Server Backup as long as you’ve performed a full server backup.
FIGURE 5-10 The Recovery Wizard
What do you need to have configured in Windows Azure before you can install and configure the Windows Azure Backup agent on a computer running Windows Server 2012 R2?
Quick check answer
You need to have uploaded the computer certificate to Windows Azure and to have configured a Backup Vault on Windows Azure before you can install and configure the Windows Azure Backup agent on a computer running Windows Server 2012 R2.
Volume Shadow Copy Services (VSS) is a technology, first introduced with Windows Server 2003 R2, that provides a snapshot of the data on a volume as it existed at a specific point in time. VSS enables you to make a consistent backup of a file that is in use, such as a mailbox database or SQL Server database. Prior to the introduction of VSS, you might have needed to take such a database offline to ensure that the backup of that database was consistent. Consistency issues arise when it takes so long to back up a large file or a system that the configuration of the system or the contents of the file have changed during the backup. Windows Server Backup, Windows Azure Backup, and other backup products such as Data Protection Manager use VSS to ensure the data that is backed up is consistent and represents the state of the backed up data as it was at the point when the backup started without having to take files in use offline.
Vssadmin is a command-line utility that enables you to manage volume shadow copy snapshots. Figure 5-11 shows Vssadmin displaying two volume shadow copy snapshots. You can use Vssadmin to perform the following tasks:
Configure the location of shadow copy storage
Create a shadow copy
Delete a shadow copy
Delete shadow copy storage
View existing shadow copies
View existing shadow copy storage
View volumes that are configured with shadow copies
View subscribed shadow copy writers and providers (special software that creates and manages shadow copies)
Resize shadow copy storage
FIGURE 5-11 Volume shadow copies
You can also view shadow copy status on a per volume basis through the Previous Versions tab as shown in Figure 5-12. When used with file shares, the VSS snapshots exposed through the Previous Versions functionality enable users to recover previous versions of files and folders without having to restore from backup. To do this, users right-click the parent folder or volume, and click Restore Previous Versions. They are then able to select previous versions of the files that correspond to existing VSS snapshots.
FIGURE 5-12 The Previous Versions tab
Although Vssadmin allows you to create and manage VSS snapshots, you can’t use Vssadmin to configure a schedule for the automatic creation of VSS snapshots. You can configure a schedule for the creation of VSS snapshots on a per-volume basis by right-clicking a volume and clicking Configure Shadow Copies. After you enable shadow copies, you can configure a schedule in the Settings dialog box shown in Figure 5-13. By default, when you enable Shadow Copies, a shadow copy is created at 07:00 and noon every weekday. You can modify the schedule so that copies are created more often. When doing this remember that after the space used to store shadow copies is consumed, older shadow copies are removed to store new versions. The amount of space needed to store shadow copies and the retention period depends on the properties of the data stored on the volume.
FIGURE 5-13 Shadow copy storage
More Info: Vssadmin
To learn more about Vssadmin, consult the following article: http://technet.microsoft.com/en-us/library/cc754968.aspx.
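Backups that rely on VSS are only consistent if the registered writers are healthy, so a check of writer state before a backup window is a useful companion to the Vssadmin tasks above. The following is an added example, not from the book: it parses the English-language output of vssadmin list writers into objects and reports writers that are not Stable or that recorded an error. The sample text is constructed, and the function name is hypothetical.

```powershell
# Added example (not from the book). ConvertFrom-VssWriterList is a hypothetical
# helper; it assumes the English-language output format of vssadmin.exe.
function ConvertFrom-VssWriterList {
    param([Parameter(Mandatory = $true)][AllowEmptyString()][string[]]$Text)

    $writer = $null
    foreach ($line in $Text) {
        if ($line -match "^Writer name:\s*'(.+)'") {
            if ($writer) { [pscustomobject]$writer }     # emit the previous writer
            $writer = @{ Name = $Matches[1]; State = $null; LastError = $null }
        }
        elseif ($writer -and $line -match '^\s*State:\s*\[\d+\]\s*(.+?)\s*$') {
            $writer.State = $Matches[1]
        }
        elseif ($writer -and $line -match '^\s*Last error:\s*(.+?)\s*$') {
            $writer.LastError = $Matches[1]
        }
    }
    if ($writer) { [pscustomobject]$writer }             # emit the final writer
}

function Get-UnhealthyVssWriter {
    param([Parameter(Mandatory = $true)][AllowEmptyString()][string[]]$Text)
    ConvertFrom-VssWriterList -Text $Text |
        Where-Object { $_.State -ne 'Stable' -or $_.LastError -ne 'No error' }
}

# Constructed sample output (IDs are placeholders, not real writer IDs).
$sample = @'
Writer name: 'System Writer'
   Writer Id: {00000000-0000-0000-0000-000000000001}
   Writer Instance Id: {00000000-0000-0000-0000-0000000000a1}
   State: [1] Stable
   Last error: No error

Writer name: 'Example Database Writer'
   Writer Id: {00000000-0000-0000-0000-000000000002}
   Writer Instance Id: {00000000-0000-0000-0000-0000000000a2}
   State: [7] Failed
   Last error: Timed out
'@ -split "`r?`n"

# Against the sample this returns only 'Example Database Writer'.
Get-UnhealthyVssWriter -Text $sample | Format-Table Name, State, LastError -AutoSize

# Against the live server (run elevated):
Get-UnhealthyVssWriter -Text (vssadmin.exe list writers) |
    Format-Table Name, State, LastError -AutoSize

# Read-only inventory of what already exists on the server.
vssadmin.exe list shadows          # existing shadow copies
vssadmin.exe list shadowstorage    # where shadow copies are stored and how much space they use
```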
Data Protection Manager
Windows Server Backup is pretty limited in what it can do. You can back up only the one server, and you can have only the one schedule. You can’t use it to perform sophisticated backup and recovery tasks, such as backing up servers and clients remotely or recovering a single user’s Exchange Server 2013 mailbox. Microsoft’s premium backup and recovery product is System Center 2012 R2 Data Protection Manager (DPM). DPM enables you to manage backup and recovery for hundreds of servers and thousands of clients from a single console. It integrates fully into System Center 2012 R2 Operations Manager so that you can be alerted if any one backup or recovery job fails anywhere within your organization. Although the 70-412 exam concentrates on Windows Server Backup and Windows Azure Backup, in a production environment, you use an enterprise backup product, such as DPM or one from a trusted third-party vendor, to manage the backup and recovery of servers and clients.
FIGURE 5-14 DPM Administrator Console
More Info: Data Protection Manager
To learn more about Data Protection Manager, consult the following article: http://technet.microsoft.com/en-us/library/hh758173.aspx.
Windows Server Backup enables you to perform backups of files, folders, the System State, and an entire server.
Windows Server Backup can write backups to a local disk, volume, or network share.
Wbadmin.exe is the command-line version of Windows Server Backup. Windows Server 2012 and Windows Server 2012 R2 also include more than 45 Windows PowerShell cmdlets for Windows Server Backup.
Windows Azure Backup enables you to back up files and folders to Microsoft’s public Windows Azure cloud.
Vssadmin enables you to manage volume shadow copy snapshots.
Answer the following questions to test your knowledge of the information in this lesson. You can find the answers to these questions and explanations of each answer choice in the “Answers” section at the end of this chapter.
1. Which of the following utilities can you use to create a System State backup on a computer running the Windows Server 2012 R2 operating system? (Choose all that apply.)
A. Windows Azure Backup
B. Windows Server Backup
2. You want to delete two volume shadow copy snapshots that reside on a server that you are responsible for managing. Which of the following tools could you use to accomplish this goal?
C. Windows Server Backup
D. Windows Azure Backup
3. You need to configure two standalone non-domain-joined computers running the Server Core version of Windows Server 2012 R2 so that they are able to perform regular full server backups to a special internal hard disk drive. Which of the following tools could you use to accomplish this goal?
C. Windows Azure Backup
D. Windows Server Backup
4. You need to perform regular scheduled backups to an off-site location as a way of ensuring business continuity in the event that all servers in a particular site are lost in a natural or other type of disaster. Which of the following tools could you use to accomplish this goal?
A. Windows Server Backup
C. Windows Azure Backup
Lesson 2: Recovering servers
The true test of any backup is whether you’re able to perform a successful recovery. This is why you should hold regular disaster recovery drills. It’s one thing to have a console inform you that you’ve successfully backed up specific data, but you can only be certain that the data was backed up properly after you have successfully recovered it. In this lesson you find out how to recover data backed up using Windows Server Backup and Windows Azure Backup. You also find out when you need to use the Windows Recovery Environment or boot into Safe Mode.
After this lesson, you will be able to:
Restore from backups
Recover servers using Windows Recovery Environment
Recover servers using Safe Mode
Configure the Boot Configuration Data (BCD) store
Estimated lesson time: 45 minutes
Restore from backups
Windows Server Backup enables you to restore data that has been backed up on the local computer. You can also use it to restore data that was backed up on another computer using Windows Server Backup that is accessible to the local computer, either because it is stored locally or is stored on an accessible shared folder. You can use Windows Server Backup to do the following:
You can use Windows Server Backup to restore files and folders as well as applications.
You can use Windows Server Backup to restore the System State data. After the System State data is restored, you’ll need to restart the computer.
You can use Windows Server Backup to restore any volume except the one that hosts the operating system. If you want to restore the volume that hosts the operating system, you need to boot into the Windows Recovery Environment.
You can use the Windows Recovery Environment to perform a full server restore, also known as a bare metal recovery. When you do this, all existing data and volumes on the server are overwritten with the backed up data.
If multiple backups of the data you want to restore exist, you need to select which version to restore. Figure 5-15 shows the Select Backup Date page of the recovery wizard. If you are unsure which date holds the data you want to restore, you should restore to multiple alternative locations and then perform the comparison. Doing this saves the bother of restoring, figuring out you’ve restored the wrong data, going and doing another restore, and figuring out that isn’t right either.
FIGURE 5-15 Date of backup
Windows Server Backup writes backups to .vhdx files, the same type that are used with Hyper-V as well as when creating disks for Internet Small Computer System Interface (iSCSI) targets and disks in storage pools. Windows Server 2012 and Windows Server 2012 R2 enable you to mount the contents of a virtual hard disk (VHD), which allows you to examine those contents without having to perform a full restoration using Windows Server Backup.
Restore to an alternative location
When you are performing a restoration of data, you can choose to restore data to the original location or to an alternative location. It is not uncommon, when restoring data to the original location, for backup administrators to unintentionally overwrite good live data with older restored data. If you restore to an alternative location, it’s possible to compare the restored data against the current data. It’s important when restoring data that you retain permissions associated with data.
If you choose to restore to the original location, as shown in Figure 5-16, you can configure Windows Server Backup to perform one of the following tasks:
Automatically create copies if an original exists
Overwrite existing versions
Do not recover any item that exists in the recovery destination
FIGURE 5-16 Choosing the recovery location
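The advice above, to restore several backup dates to alternative locations and compare them before touching live data, can be scripted. The following is an added example, not from the book; the D:\Finance and R:\RestoreCheck paths are constructed values, and Get-FileHash requires the Windows PowerShell 4.0 that ships with Windows Server 2012 R2.

```powershell
# Added example (not from the book). Constructed values: D:\Finance is the live
# folder, R:\RestoreCheck is a scratch location on another volume.
Import-Module WindowsServerBackup

$livePath    = 'D:\Finance'
$restoreRoot = 'R:\RestoreCheck'
$candidates  = 3      # how many of the most recent backups to compare

# Hash the live data once so every restored copy can be compared against it.
$liveHashes = @{}
Get-ChildItem -Path $livePath -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    ForEach-Object { $liveHashes[$_.Hash] = $_.Path }

$sets = Get-WBBackupSet |
    Sort-Object BackupTime -Descending |
    Select-Object -First $candidates

$summary = foreach ($set in $sets) {
    # One folder per backup date, so nothing restored can overwrite live data.
    $target = Join-Path $restoreRoot $set.BackupTime.ToString('yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    # -Option corresponds to the three choices in the Recovery Wizard:
    #   CreateCopyIfExists  automatically create copies if an original exists
    #   OverwriteIfExists   overwrite existing versions
    #   SkipIfExists        do not recover items that exist in the destination
    # Permissions are restored with the data because -NoRestoreAcl is not used.
    Start-WBFileRecovery -BackupSet $set -SourcePath $livePath -Recursive `
        -TargetPath $target -Option SkipIfExists -Force

    # Restored files whose content no longer exists anywhere in the live folder:
    # these were changed or deleted after this backup was taken.
    $restored = @(Get-ChildItem -Path $target -Recurse -File |
                    Get-FileHash -Algorithm SHA256)
    $differs  = @($restored | Where-Object { -not $liveHashes.ContainsKey($_.Hash) })

    [pscustomobject]@{
        BackupTime      = $set.BackupTime
        RestoredTo      = $target
        FilesRestored   = $restored.Count
        DifferFromLive  = $differs.Count
        DifferingFiles  = $differs.Path
    }
}

$summary | Format-Table BackupTime, FilesRestored, DifferFromLive, RestoredTo -AutoSize
```

The restored copies carry the original permissions, so the scratch location needs the same protection as the live data and should be removed once the comparison is done.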