John Joyner is a System Center MVP & SCOM specialist.  Last month, fellow MVP Robert Hedblom authored a blog post, “Using Azure backup with DPM” that walks through the complete configuration steps of using Azure backup from a System Center Data Protection Manager (DPM) perspective. This month, John authors this complementary post that covers using Azure backup with Windows Server Backup (rather than with DPM).

Introduction:

With the System Center 2012 SP1 release Microsoft presented a new feature that provided a solid cloud-based backup solution for critical production data. Within the Windows Azure Management Portal, Microsoft created something called a Backup Vault that can easily be connected to the Windows Server Backup (WSB) feature in supported server versions by installing a cloud backup agent. If DPM is installed on the Windows server, cloud backup using DPM is also enabled in the DPM application after installing the agent.

The steps to getting started are to first sign up for Azure services, install an Azure Backup agent on your Windows server (or an Azure Backup add-in on Windows Server Essentials computer) and finally register your Windows server. No other application or software is required: Your Windows server will backup file data directly to the Microsoft cloud.

* If you are not currently using Microsoft Azure, follow this link and sign up for a free trial:             http://www.windowsazure.com/en-us/pricing/free-trial/

This blog post will cover:

Considerations for using Cloud Backup with your Windows Server

If you need to quickly setup and configure an off-site backup solution that stores copies of files that are important to your business, there is really no easier solution that enabling Windows Server Cloud Backup to Azure.

There are some considerations that you must keep in mind:

  • Cloud backup is available for these Windows Server operating systems: Windows Server 2008 R2 SP1, Windows Server 2012, and Windows Server 2012 R2.  Windows Server Essentials 2012 and Windows Server Essentials 2012 R2 can also subscribe to Cloud Backup in Azure using an Add-In that integrates with the Essentials Dashboard.
  • Volumes with files to be backed up must be local fixed disks (not network shares) and be formatted with NTFS.
  • Volumes cannot be read-only, and if locked with BitLocker Drive Encryption, must be unlocked before backup.
  • The maximum retention time for your production data in Azure is 30 days.
  • The maximum size of a single backup from a specific volume is 850 GB.
  • The only suitable workload for protection by Windows Server Cloud Backup is the “File and Folder” type. System State and Bare Metal Recovery (BMR), as well as entire system (“C:\”) drive backups are not supported. (Consider Windows Server Backup and DPM for protection of System State and BMR.)
  • Backup of application data like Active Directory, Exchange, SharePoint, and SQL Server is not directly supported. (SQL Server backups you create to ‘flat’ .BAK file(s) could be included in file and folder backups.)

How to configure your Windows servers to enable Cloud Backup using Azure

A preliminary step to using Cloud Backup is to possess a digital certificate that will be uploaded to Azure and be used to protect access to your Backup Vault. Robert Hedblom’s blog post has all the details on making your own self-signed certificate with the makecert tool, or using a valid SSL certificate issued by a Certification Authority (CA) trusted by Microsoft.

The same type of certificate is used by all Azure Backup Vault clients: Windows Server and DPM alike. Windows Server Essentials conveniently has a self-signed certificate ready for you to upload and use with Cloud Backup. There is no need to run the makecert tool if you are setting up Windows Server Essentials for Cloud Backup.

Configure Windows Server for Azure Backup

The steps in “How to configure your DPM servers to enable the online protection using Azure” section from the previously mentioned “Using Azure backup with DPM” blog are identical to those used to configure your Windows servers that don’t involve DPM. To avoid repeating the details that Robert described so well, I refer you to that post for these steps:

1.     Create a Backup Vault in the Recovery Services section of your Azure portal.

2.     Upload the certificate to the Windows Azure Backup Vault (skip this step if using Windows Server Essentials)

3.     Download the agent for your server and install the Windows Azure Backup Agent or Add-in.

Note that when installing the Azure Backup Agent on a Windows Server 2008 R2 SP1 computer, .NET Framework 4 can’t be automatically installed must be present before the Azure Backup Agent can install.

Also note that you can have more than one Backup Vault in each of your Azure subscription(s), but each server can only be registered with one Backup Vault at a time. A server can only backup to the Backup Vault it is registered with, and a server can only restore data (from itself or other servers) that participate in the same Backup Vault.

Windows Server uses the same Azure Backup Agent that DPM does and follows the exact same agent installation steps. Windows Server Essentials has a slightly different procedure detailed next.

Configure the Windows Server Essentials Add-In

If you are connecting Windows Server Essentials to Cloud Backup, from your Azure portal Recovery Services -> Backup Vault dashboard, select to download the Agent for Windows Server Essentials and save the installation file OnlineBackupAddin.wssx:

image

Once you have downloaded OnlineBackupAddin.wssx to your Essentials server, run the file with elevated rights and click Accept for the Software License Terms, and then click Install the Add-in:

image

image

 Upon successfully installing the Windows Server Essentials add-in, click Close:

image

You’ll notice two new Apps installed on your Windows Server Essentials computer in a Windows Azure Backup Agent group (Windows Azure Backup and Windows Azure Backup Shell):

image

Also the Integrate with Windows Azure Backup service will appear Enabled at Home -> Get Started in your Windows Server Essentials Dashboard:

image

How to register your Windows servers

The next step to complete after installing the Azure Backup Agent or Add-In is to register your computer with the Windows Azure Backup Vault that will store your backups in the cloud. The procedures are a little different for Windows Server and Windows Server Essentials.

Registering your Windows Server computer

Launch the Windows Azure Backup application from the desktop icon, Start menu, or Apps page. Click on the Register Server task in the Action pane:

image

If your Windows Server computer needs a proxy server to connect to the Internet, select Use a proxy server for Windows Azure Backup and enter the address, port, and if necessary, authentication credentials.

image

At the Vault Identification page, push the Browse button and select the certificate that resides in the local computer certificate store that matches the .CER file uploaded previously when configuring the Backup Vault in Azure. If this computer is where the makecert utility was run, you may already have the certificate loaded in the local computer store to select.

If you don’t see the certificate to select, export a .PFX certificate file--with password--from a computer in your organization that has the correct certificate in the local computer store. Then import the certificate to the local computer store of the computer you are registering with your Azure Backup Vault.

If you lose track of the correct .CER file, export a certificate file--without password--from a computer that has the correct certificate in the local computer store as the DER encoded binary X.509 type. The produces the correct .CER file to upload.

image

After selecting the correct certificate, the Register Server Wizard will connect to your Azure Backup Vault (using the certificate as an identifier and credential) and the Backup Vault drop-down list will become active. Select your Azure Backup Vault and confirm the Azure datacenter region is correct, then click Next.

image

On the Encryption Setting page, you can enter a complex Passphrase or (recommended) push the Generate Passphrase to create a GUID-based password. Whether you enter your own passphrase or have the Register Server Wizard generate one for you, read carefully the warning to save the file containing the passphrase in a safe, external location such as a removable or network drive. If you ever need to restore data in your vault to a different server, you must know this passphrase or no restore actions can occur.

image

The Register Server Wizard is complete when you see the message Windows Azure Backup is now available for this server.

image

Again, take note of the path and file name were the encryption passphrase is stored for record keeping. Click Close. You are now ready to configure and schedule backup jobs on your Windows computer.

Registering your Windows Server Essentials computer

A nice feature of the Windows Server Essentials Cloud Backup solution is that a ready-to-use self-signed digital certificate already exists on the Essentials computer. There is no need to run the makecert utility.

In your Windows Server Essentials Dashboard, navigate to the Online Backup area and in Step 1, click the small icon to the right of the default certificate, this copies the certificate name and path to your clipboard. Then click on the Upload certificate to Windows Azure Backup vault link—your Azure portal will open in a browser window.

In the Recovery Services -> Backup Vault -> Manage Certificate dialog, browse to locate the certificate to upload and paste your clipboard contents to select the default Windows Server Essentials certificate:

image

Next, proceed to Step 2, Register your server, and click Register:

image

On the Register your server page, the Certificate, Backup vault and Azure datacenter Region will be automatically selected and you just need to click Next.

At the Secure your data page, enter a complex passphrase to be used in the event you need to restore your data to another server. Make sure you keep a record of this passphrase; this is your only opportunity to set and make record of it. (You can change it later if you forget it, but from the original server only, and before you need to restore to a different server.) After the passphrase is validated for the required length and match, click Next.

image

Upon successfully registering the Windows Server Essentials add-in, click Close. You are now ready to configure and schedule backup jobs on your Windows Server Essentials computer.

image

Re-registration Allowed One Time

For both Windows Server and Windows Server Essentials cloud backups, the following information applies. The Backup Vault page in your Windows Azure portal will confirm the names of servers that are registered and includes an Allow Re-registration button:

image

·         Pay attention you can only use the Re-registration feature one time per server, so don’t ‘test’ this feature.

·         Occasionally there may be a problem with the certificate or the subscription that requires that a server be re-registered for backup to occur. This actually means re-running the Register You Server function again on the Windows Server or Windows Server Essentials computer.

·         Re-registration allows a server to regain access to previously created recovery points in the Backup Vault. If a server with the same name attempts to register with a Backup Vault without allowing re-registration first the registration will not succeed.

·         Re-registration is allowed to occur only once per server. If a problem still exists with a server following re-registration, the server must deleted and all previous recovery points will be deleted as well.

How to configure and use Cloud Backup on Windows servers

After registering your server with Cloud Backup, you are ready to perform any final configuration adjustments, like setting a bandwidth throttle, and of course to schedule the backup jobs that will protect your data offsite. For Windows Server, you use the Windows Azure Backup application that is installed by the Azure Backup Agent and for Windows Server Essentials you use the Essentials Dashboard to configure backups.

All the procedures covered in this article can be performed with PowerShell. Consult this link for the corresponding Windows Azure Backup Shell commands: http://msdn.microsoft.com/en-us/library/azure/hh831590.aspx

Configure and use Cloud Backup on Windows Server

Start the Windows Azure Backup application from the desktop icon or Start Menu in Windows Server 2008 R2 SP1, or in Windows Server 2012 / 2012 R2 from the desktop icon, the App page, or in Control Panel -> Administrative Tools -> Windows Server Backup -> Backup.
Open starting Windows Azure Backup for the first time you’ll see the caution that you have not configured any backups yet. You’ll also see in the Actions menu, a Change Properties task:
image

There are three things you can modify in the Change Properties task for Window Server 2012 / 2012 R2, and two things you can modify for Windows Server 2008 R2 SP1. For both versions of Windows Server, you can change the encryption passphrase:

image

Changing the passphrase does not require that you remember the previous passphrase to decrypt earlier backups. The passphrase provides you access to the encryption key that is stored for this server, which does not change. Understand the use of this passphrase is to decrypt restores from the cloud to a different server, which does not have a stored copy of the encryption key.

Also, for all versions of Windows Server, you can specify or change the proxy server configuration from the Proxy Configuration tab.

The Thottling setting can be enabled only on Windows Server 2012 / 2012 R2. Internet usage bandwidth throttling is not available on Windows Server 2008 R2 SP1. If you enable Internet bandwidth usage throttling for backup operations, you can select what hours and days of the week constitute work hours, and different bandwidth usage settings for work hours and non-work hours:

image

After optionally configuring the bandwidth throttling setting on Windows Server 2012 / 2012 R2, you are ready to start your backup operations. Begin by clicking the Schedule Backup task in the Actions pane of the Windows Azure Backup application:

image

The Schedule Backup Wizard will launch and let you know what decisions you will need to have made before beginning the wizard:

image

If you are unclear about your business goals of using Cloud Backup, you might want to pause before proceeding.  Consider especially these items:

·         Cloud Backup for Windows Servers only protects file and folder data. If you need System State or Bare Metal Recovery (BMR) protection, consider also using Windows Backup to a local disk for those features, and Cloud Backup for off-site protection of selected files and folders. (DPM can also protect System State and BMR.)

·         Cloud Backup provides a Disaster Recovery (DR) solution more than a long-term archive solution. 30 days is the maximum retention period at this time for Cloud Backup of Windows Servers. (DPM can provide up to 120 days retention of Cloud Backup protected data.)

·         Cloud Backup may incur storage charges. Consult this link for up to date pricing information on Windows Backup charges for Azure storage: http://azure.microsoft.com/en-us/pricing/details/backup

Press Next when you are ready to make your backup selections. At the Select Items to Backup page, push the Add Items button:

image

You will be presented with C: Drive and other drive letters of disks on the local computer to backup to Azure. Expand the folder tree as necessary to locate and select those files and folders for Cloud Backup. For example, here the Users\Public folder and subfolders have been selected:

image

Click OK when your selections are complete. You can optionally specify files and folders to exclude by pressing the Exclusion Settings button on the Select Items to Backup page. Push the Add Exclusion button, navigate to the file or folder to be excluded, and press OK. If you selected a folder, you can specify if subfolders are to be excluded as well. For example, here the Music folder and subfolders have been excluded from the Users\Public folder previously selected for Cloud Backup:

image

Click OK when you have selected all desired files and folders to backup and added any exclusion(s).

On the Specify Backup Time page, select on which days of the week and at what hours of the day you want Cloud Backup to occur. You can specify from one time per week (the default) up to 21 times per week (daily, maximum 3 times per day). Click Next when your backup schedule is configured.

image

Your final decision is how long to retain protected data in Azure after a backup. You can select from 7, 15, or 30 days retention. Click Next when you have made your selection.

image

The Confirmation page lets you check again that you have entered the desired settings for Cloud Backup. Notice the reminder that you are limited to 850-GB per volume of data that can be backed up on one Backup operation. Click Finish when you are ready to commit the settings.

image

The wizard will notify you that you have successfully created a backup schedule. Press Close to dismiss the wizard. In the lower portion of the Windows Azure Backup Application, observe the Status and Scheduled Backup sections are now populated with your configured settings and Cloud Backup will occur on the indicated schedule:

image

Configure and use Cloud Backup on Windows Server Essentials

Configure backup of files and folders to Azure from Windows Server Essentials from the Windows Server Essentials Dashboard -> Online Backup tab -> Online Backup Step 3: Configure Backup Settings. Click the Configure link:
image

The default selections for Windows Server Essentials will be the Company, Folder Redirection, and Users folders on your server. The Company and Users shares are standard network shares on the Server Essentials computers where employees can conveniently and centrally store copies of documents and projects for shared and remote access using various Essentials utilities like Remote Web Access and the My Server mobile app.

If you enabled folder redirection from the Devices -> Implement Group Policy task in the Essentials Dashboard, the user folders you selected for redirection, such as My Documents, will be automatically included in online backup.

Accept these default selections if they make sense for your organization. Optionally push the Add Folders button and select other files and folders on the Windows Server Essentials computer for online backup:

image

Click OK after selecting any additional non-shared files and folders to add to online backup, then click Next on the Configure Online Backup page.

Next, optionally select to include File History of individual network users. This feature of Windows Server Essentials automatically backs up files that are in the Libraries, Contacts, Desktop, and Favorites folders of network computers that have File History capability. Click Next after making your selection(s).

image

On the Specify the Backup Schedule page, select on which days of the week and at what hours of the day you want Online Backup to occur. You can specify from one time per week up to fourteen times per week (the default is one backup per business day at 10:00 PM). Click Next when your backup schedule is configured.

image

Next decide how long to retain protected data in Azure after a backup. You can select from 7, 15, or 30 days retention. Click Next when you have made your selection.

image

Finally, you have the option to enable bandwidth usage. If you enable Internet bandwidth usage throttling for backup operations, you can select what hours and days of the week constitute work hours, and different bandwidth usage settings for work hours and non-work hours:

image

Click Next and your Windows Server Essentials computer is ready to backup data to the cloud. When you see the Backup Was Successfully Configured page, click Close:

image

How to manually run Cloud Backup jobs

In some scenarios you want to manually launch an immediate backup to the cloud job for your production data. The prerequisite is that you have scheduled your recurring Cloud Backup job(s). Once you have configured scheduled backup, the option to ‘back up now’ is available.

To immediately run your scheduled backup job in Windows Server, from the Actions -> Backup pane of the Windows Azure Backup application, run the Back Up Now task:

image

The Back Up Now Wizard will start and confirm the backup items, and give you the opportunity to change your throttling or proxy server settings. Click the Back Up button to start the on-demand backup job:

image

You can watch the backup progress and see the status in the Jobs section of the Windows Azure Backup application.

To immediately run your scheduled backup job in Windows Server Essentials, from the Online Backup -> Online Backup tab -> Online Backup Tasks pane of the Windows Server Essentials Dashboard, run the Start backup now task:

image

The Start a backup confirmation will appear, click OK start the on-demand backup job:

image

You can watch the backup progress and see the status in the Online Backup -> Backup History tab of the Windows Server Essentials Dashboard.

After you have performed at least one successful cloud backup from Windows Server or Windows Server Essentials, the Protected Items section of your Azure portal -> Recovery Services -> Backup Vault will list the number of recovery points for each drive letter on each server:

image

This is a read-only, informational list. If you need to recover data to a different server, make sure you register the new server to the Backup Vault that lists recovery points for the data to be recovered.

Always keep in mind that bandwidth is very important. It’s always an important thing to verify your network performance from on-premises to Azure. You can use the following tool http://azurespeedtest.azurewebsites.net/ to verify your network latency depending on your closest Azure datacenter.

How to recover production data from Azure

Restore operations from Azure to Windows Servers are relatively simple and quick. Prerequisites for recovering file and folder data are:

·         You have installed the Azure Backup Agent or Add-in on the server you are restoring to (the target server).

·         The target server has a copy of the certificate with private key, imported to the local computer certificate store, which is associated with the .CER certificate file uploaded to the Backup Vault to be restored from.

·         The target server is registered with the Backup Vault.

·         At least one successful backup has been completed.

·         If you are restoring to a different target server than the server the data was backed up from (the source server), you have the passphrase used to encrypt the data from the source server.

Recall that egress of data out of Azure storage during a restore operation can incur costs. If your target server is on-premises (or anywhere other than the Azure datacenter where the Backup Vault exists), there could be an outbound data transfer charge.

Recover Files and Folders from Cloud Backup on Windows Server (Same Server)
To recover files and folders from Cloud Backup on Windows Server, from the Actions -> Backup pane of the Windows Azure Backup application, run the Recover Data task:
image
When the Recover Data Wizard Getting Started page appears, select This server and click Next:
image
When the Select Recovery Mode page appears, select either Browse for files (if you know the folder location and/or file name to be restored) or Search for files (if you are not sure of the folder location and/or file name to be restored) and click Next:
image
On the Select Volume and Date page, select the volume (C:\, D:\, etc.) where the data to be restored resides. After you have selected the volume, the date and time selection area will appear with the day(s) on which backups of the selected volume are available highlighted.
image
Click on the desired date in the calendar display, then select in the drop down list the time of day for the backup to be restored. Click Next when you have selected the desired restore point day and time.
On the Select Items to Recover page, if you selected Browse for files on the Select Recovery Mode page, navigate to the folder containing the items to be restored and select the folder or file to restore:
image
After selecting one or more items in the Items to recover section, the Next button will become active.
If you selected Search for files on the Select Recovery Mode page, instead of seeing the Select Items to Recover page, you will be presented with the Search Items to Recover page:
image
Enter a file specification to search for (such as *.txt) in the File or Folder named box, and push the magnifying glass icon to search for files or folders matching your specification. A list of matching files and folders will appear. Select the item(s) to recover and push Next.
Finally, you need to specify restore options for original or different location:
image
On this page you can also override the default restore settings to create a copy and keep both versions if same-named files result from a restore to original location, and to restore the access control list (ACL) security settings to restored files.  After making optional changes push Next.
The Confirm Your Restore Information page will let you double-check what will be restored from the cloud to your server. Press Next when you have confirmed the information and your restore operation will start:
image

You can watch the backup progress and see the status in the Jobs section of the Windows Azure Backup application.

Recover Files and Folders from Cloud Backup on Windows Server (Different Server)

Recovering files and folders to a different server than the one from which they were backed up is a very similar process to recovery operations to the original server.  I’m going to just point out the differences between a restore to different server compared to restore to same server. Unique prerequisites for recovering file and folder data to a different server are:

·         The target server is registered with the same Backup Vault the source server was backed up to.

·         You have the passphrase used to encrypt the data from the source server.

Start the Recover data task from the Windows Azure Backup application and when the Recover Data Wizard appears, select Another server on the Getting Started page:

image

On the Select Backup Server page, select the name of the source server from where the original backup occurred. If no servers other than the target server have backups in the Backup Vault, you will receive an error message. You won’t see the target server itself listed, only source servers with protected items in the same Backup Vault.
image
Of course you won’t have the option to select Original Location for the Recovery Destination on the Specify Recovery Option page; you will always specify Another location on the target server.
image
Finally on the Confirmation page you will enter the passphrase used to encrypt the data on the source server:
Recover Files and Folders from Cloud Backup on Windows Server Essentials (Same Server)

To restore files and folders in Windows Server Essentials, from the Online Backup -> Online Backup tab -> Online Backup Tasks pane of the Windows Server Essentials Dashboard, run the Restore files and folders task:

image

When the Choose Your Restore Server page appears, select Restore files from the server and click Next:
image
On the Choose a restore point page, select the volume (C:\, D:\, etc.) where the data to be restored resides. After you have selected the volume, the date and time selection area will highlight the day(s) on which backups of the selected volume are available.
image
Click on the desired date in the calendar display, then select in the drop down list the time of day for the backup to be restored. Click Next when you have selected the desired restore point day and time.
Next at the Select Items to Restore page, you can either navigate in the folder tree (in the Select the folder section) to the folder containing the items to be restored, or you can enter a file specification (such as *.txt) in the Search box and push the magnifying glass icon to search for files and folders that match the specification.
image
When you have selected one or more items to restore in the Select the file(s) section, the Next button will become available to proceed.
Finally, you need to specify restore options for original or different location:
image
If you want to override the default restore settings to (1) create a copy and keep both versions if same-named files result from a restore to original location and to (2) restore the access control list (ACL) security settings to restored files, push the Advanced button.  After making optional changes push OK, then push Next.
The Confirm Your Restore Information page will let you double-check what will be restored from the cloud to your server. Press Next when you have confirmed the information and your restore operation will start:
image

You can watch the restore progress and see the status in the Online Backup -> Backup History tab of the Windows Server Essentials Dashboard.

Recover Files and Folders from Cloud Backup on Windows Server Essentials (Different Server)

To restore files and folders in Windows Server Essentials to a different server, from the Online Backup -> Online Backup tab -> Online Backup Tasks pane of the Windows Server Essentials Dashboard, run the Restore files and folders task and select Restore files from another server to this server:

image

On the Choose a server to restore from page, select the name of the source server from where the original backup occurred:

image

Finally on the Confirmation page you will enter the passphrase used to encrypt the data on the source server:

image

About John Joyner

John Joyner is a product development director and senior architect for a managed services provider. A Cloud and Datacenter Management MVP, John is co-author of the four-book series Operations Manager: Unleashed. John is happy to answer any questions around SCOM and can be reached at any of the links below.

You can reach John and find out more about him here:

/Enjoy!

Christian Booth (ChBooth) | Sr. Program Manager | System Center