Somewhere between the physical and the virtual
More announcements ...
John Joyner is a System Center MVP & SCOM specialist. Last month, fellow MVP Robert Hedblom authored a blog post, “Using Azure backup with DPM” that walks through the complete configuration steps of using Azure backup from a System Center Data Protection Manager (DPM) perspective. This month, John authors this complementary post that covers using Azure backup with Windows Server Backup (rather than with DPM).
With the System Center 2012 SP1 release Microsoft presented a new feature that provided a solid cloud-based backup solution for critical production data. Within the Windows Azure Management Portal, Microsoft created something called a Backup Vault that can easily be connected to the Windows Server Backup (WSB) feature in supported server versions by installing a cloud backup agent. If DPM is installed on the Windows server, cloud backup using DPM is also enabled in the DPM application after installing the agent.
The steps to getting started are to first sign up for Azure services, install an Azure Backup agent on your Windows server (or an Azure Backup add-in on Windows Server Essentials computer) and finally register your Windows server. No other application or software is required: Your Windows server will backup file data directly to the Microsoft cloud.
* If you are not currently using Microsoft Azure, follow this link and sign up for a free trial: http://www.windowsazure.com/en-us/pricing/free-trial/
This blog post will cover:
If you need to quickly setup and configure an off-site backup solution that stores copies of files that are important to your business, there is really no easier solution that enabling Windows Server Cloud Backup to Azure.
There are some considerations that you must keep in mind:
A preliminary step to using Cloud Backup is to possess a digital certificate that will be uploaded to Azure and be used to protect access to your Backup Vault. Robert Hedblom’s blog post has all the details on making your own self-signed certificate with the makecert tool, or using a valid SSL certificate issued by a Certification Authority (CA) trusted by Microsoft.
The same type of certificate is used by all Azure Backup Vault clients: Windows Server and DPM alike. Windows Server Essentials conveniently has a self-signed certificate ready for you to upload and use with Cloud Backup. There is no need to run the makecert tool if you are setting up Windows Server Essentials for Cloud Backup.
The steps in “How to configure your DPM servers to enable the online protection using Azure” section from the previously mentioned “Using Azure backup with DPM” blog are identical to those used to configure your Windows servers that don’t involve DPM. To avoid repeating the details that Robert described so well, I refer you to that post for these steps:
1. Create a Backup Vault in the Recovery Services section of your Azure portal.
2. Upload the certificate to the Windows Azure Backup Vault (skip this step if using Windows Server Essentials)
3. Download the agent for your server and install the Windows Azure Backup Agent or Add-in.
Note that when installing the Azure Backup Agent on a Windows Server 2008 R2 SP1 computer, .NET Framework 4 can’t be automatically installed must be present before the Azure Backup Agent can install.
Also note that you can have more than one Backup Vault in each of your Azure subscription(s), but each server can only be registered with one Backup Vault at a time. A server can only backup to the Backup Vault it is registered with, and a server can only restore data (from itself or other servers) that participate in the same Backup Vault.
Windows Server uses the same Azure Backup Agent that DPM does and follows the exact same agent installation steps. Windows Server Essentials has a slightly different procedure detailed next.
If you are connecting Windows Server Essentials to Cloud Backup, from your Azure portal Recovery Services -> Backup Vault dashboard, select to download the Agent for Windows Server Essentials and save the installation file OnlineBackupAddin.wssx:
Once you have downloaded OnlineBackupAddin.wssx to your Essentials server, run the file with elevated rights and click Accept for the Software License Terms, and then click Install the Add-in:
Upon successfully installing the Windows Server Essentials add-in, click Close:
You’ll notice two new Apps installed on your Windows Server Essentials computer in a Windows Azure Backup Agent group (Windows Azure Backup and Windows Azure Backup Shell):
Also the Integrate with Windows Azure Backup service will appear Enabled at Home -> Get Started in your Windows Server Essentials Dashboard:
The next step to complete after installing the Azure Backup Agent or Add-In is to register your computer with the Windows Azure Backup Vault that will store your backups in the cloud. The procedures are a little different for Windows Server and Windows Server Essentials.
If your Windows Server computer needs a proxy server to connect to the Internet, select Use a proxy server for Windows Azure Backup and enter the address, port, and if necessary, authentication credentials.
At the Vault Identification page, push the Browse button and select the certificate that resides in the local computer certificate store that matches the .CER file uploaded previously when configuring the Backup Vault in Azure. If this computer is where the makecert utility was run, you may already have the certificate loaded in the local computer store to select.
If you don’t see the certificate to select, export a .PFX certificate file--with password--from a computer in your organization that has the correct certificate in the local computer store. Then import the certificate to the local computer store of the computer you are registering with your Azure Backup Vault.
If you lose track of the correct .CER file, export a certificate file--without password--from a computer that has the correct certificate in the local computer store as the DER encoded binary X.509 type. The produces the correct .CER file to upload.
After selecting the correct certificate, the Register Server Wizard will connect to your Azure Backup Vault (using the certificate as an identifier and credential) and the Backup Vault drop-down list will become active. Select your Azure Backup Vault and confirm the Azure datacenter region is correct, then click Next.
On the Encryption Setting page, you can enter a complex Passphrase or (recommended) push the Generate Passphrase to create a GUID-based password. Whether you enter your own passphrase or have the Register Server Wizard generate one for you, read carefully the warning to save the file containing the passphrase in a safe, external location such as a removable or network drive. If you ever need to restore data in your vault to a different server, you must know this passphrase or no restore actions can occur.
The Register Server Wizard is complete when you see the message Windows Azure Backup is now available for this server.
Again, take note of the path and file name were the encryption passphrase is stored for record keeping. Click Close. You are now ready to configure and schedule backup jobs on your Windows computer.
A nice feature of the Windows Server Essentials Cloud Backup solution is that a ready-to-use self-signed digital certificate already exists on the Essentials computer. There is no need to run the makecert utility.
In your Windows Server Essentials Dashboard, navigate to the Online Backup area and in Step 1, click the small icon to the right of the default certificate, this copies the certificate name and path to your clipboard. Then click on the Upload certificate to Windows Azure Backup vault link—your Azure portal will open in a browser window.
In the Recovery Services -> Backup Vault -> Manage Certificate dialog, browse to locate the certificate to upload and paste your clipboard contents to select the default Windows Server Essentials certificate:
Next, proceed to Step 2, Register your server, and click Register:
On the Register your server page, the Certificate, Backup vault and Azure datacenter Region will be automatically selected and you just need to click Next.
At the Secure your data page, enter a complex passphrase to be used in the event you need to restore your data to another server. Make sure you keep a record of this passphrase; this is your only opportunity to set and make record of it. (You can change it later if you forget it, but from the original server only, and before you need to restore to a different server.) After the passphrase is validated for the required length and match, click Next.
Upon successfully registering the Windows Server Essentials add-in, click Close. You are now ready to configure and schedule backup jobs on your Windows Server Essentials computer.
For both Windows Server and Windows Server Essentials cloud backups, the following information applies. The Backup Vault page in your Windows Azure portal will confirm the names of servers that are registered and includes an Allow Re-registration button:
· Pay attention you can only use the Re-registration feature one time per server, so don’t ‘test’ this feature.
· Occasionally there may be a problem with the certificate or the subscription that requires that a server be re-registered for backup to occur. This actually means re-running the Register You Server function again on the Windows Server or Windows Server Essentials computer.
· Re-registration allows a server to regain access to previously created recovery points in the Backup Vault. If a server with the same name attempts to register with a Backup Vault without allowing re-registration first the registration will not succeed.
· Re-registration is allowed to occur only once per server. If a problem still exists with a server following re-registration, the server must deleted and all previous recovery points will be deleted as well.
After registering your server with Cloud Backup, you are ready to perform any final configuration adjustments, like setting a bandwidth throttle, and of course to schedule the backup jobs that will protect your data offsite. For Windows Server, you use the Windows Azure Backup application that is installed by the Azure Backup Agent and for Windows Server Essentials you use the Essentials Dashboard to configure backups.
All the procedures covered in this article can be performed with PowerShell. Consult this link for the corresponding Windows Azure Backup Shell commands: http://msdn.microsoft.com/en-us/library/azure/hh831590.aspx
There are three things you can modify in the Change Properties task for Window Server 2012 / 2012 R2, and two things you can modify for Windows Server 2008 R2 SP1. For both versions of Windows Server, you can change the encryption passphrase:
Changing the passphrase does not require that you remember the previous passphrase to decrypt earlier backups. The passphrase provides you access to the encryption key that is stored for this server, which does not change. Understand the use of this passphrase is to decrypt restores from the cloud to a different server, which does not have a stored copy of the encryption key.
Also, for all versions of Windows Server, you can specify or change the proxy server configuration from the Proxy Configuration tab.
The Thottling setting can be enabled only on Windows Server 2012 / 2012 R2. Internet usage bandwidth throttling is not available on Windows Server 2008 R2 SP1. If you enable Internet bandwidth usage throttling for backup operations, you can select what hours and days of the week constitute work hours, and different bandwidth usage settings for work hours and non-work hours:
After optionally configuring the bandwidth throttling setting on Windows Server 2012 / 2012 R2, you are ready to start your backup operations. Begin by clicking the Schedule Backup task in the Actions pane of the Windows Azure Backup application:
The Schedule Backup Wizard will launch and let you know what decisions you will need to have made before beginning the wizard:
If you are unclear about your business goals of using Cloud Backup, you might want to pause before proceeding. Consider especially these items:
· Cloud Backup for Windows Servers only protects file and folder data. If you need System State or Bare Metal Recovery (BMR) protection, consider also using Windows Backup to a local disk for those features, and Cloud Backup for off-site protection of selected files and folders. (DPM can also protect System State and BMR.)
· Cloud Backup provides a Disaster Recovery (DR) solution more than a long-term archive solution. 30 days is the maximum retention period at this time for Cloud Backup of Windows Servers. (DPM can provide up to 120 days retention of Cloud Backup protected data.)
· Cloud Backup may incur storage charges. Consult this link for up to date pricing information on Windows Backup charges for Azure storage: http://azure.microsoft.com/en-us/pricing/details/backup
Press Next when you are ready to make your backup selections. At the Select Items to Backup page, push the Add Items button:
You will be presented with C: Drive and other drive letters of disks on the local computer to backup to Azure. Expand the folder tree as necessary to locate and select those files and folders for Cloud Backup. For example, here the Users\Public folder and subfolders have been selected:
Click OK when your selections are complete. You can optionally specify files and folders to exclude by pressing the Exclusion Settings button on the Select Items to Backup page. Push the Add Exclusion button, navigate to the file or folder to be excluded, and press OK. If you selected a folder, you can specify if subfolders are to be excluded as well. For example, here the Music folder and subfolders have been excluded from the Users\Public folder previously selected for Cloud Backup:
Click OK when you have selected all desired files and folders to backup and added any exclusion(s).
On the Specify Backup Time page, select on which days of the week and at what hours of the day you want Cloud Backup to occur. You can specify from one time per week (the default) up to 21 times per week (daily, maximum 3 times per day). Click Next when your backup schedule is configured.
Your final decision is how long to retain protected data in Azure after a backup. You can select from 7, 15, or 30 days retention. Click Next when you have made your selection.
The Confirmation page lets you check again that you have entered the desired settings for Cloud Backup. Notice the reminder that you are limited to 850-GB per volume of data that can be backed up on one Backup operation. Click Finish when you are ready to commit the settings.
The wizard will notify you that you have successfully created a backup schedule. Press Close to dismiss the wizard. In the lower portion of the Windows Azure Backup Application, observe the Status and Scheduled Backup sections are now populated with your configured settings and Cloud Backup will occur on the indicated schedule:
The default selections for Windows Server Essentials will be the Company, Folder Redirection, and Users folders on your server. The Company and Users shares are standard network shares on the Server Essentials computers where employees can conveniently and centrally store copies of documents and projects for shared and remote access using various Essentials utilities like Remote Web Access and the My Server mobile app.
If you enabled folder redirection from the Devices -> Implement Group Policy task in the Essentials Dashboard, the user folders you selected for redirection, such as My Documents, will be automatically included in online backup.
Accept these default selections if they make sense for your organization. Optionally push the Add Folders button and select other files and folders on the Windows Server Essentials computer for online backup:
Click OK after selecting any additional non-shared files and folders to add to online backup, then click Next on the Configure Online Backup page.
Next, optionally select to include File History of individual network users. This feature of Windows Server Essentials automatically backs up files that are in the Libraries, Contacts, Desktop, and Favorites folders of network computers that have File History capability. Click Next after making your selection(s).
On the Specify the Backup Schedule page, select on which days of the week and at what hours of the day you want Online Backup to occur. You can specify from one time per week up to fourteen times per week (the default is one backup per business day at 10:00 PM). Click Next when your backup schedule is configured.
Next decide how long to retain protected data in Azure after a backup. You can select from 7, 15, or 30 days retention. Click Next when you have made your selection.
Finally, you have the option to enable bandwidth usage. If you enable Internet bandwidth usage throttling for backup operations, you can select what hours and days of the week constitute work hours, and different bandwidth usage settings for work hours and non-work hours:
Click Next and your Windows Server Essentials computer is ready to backup data to the cloud. When you see the Backup Was Successfully Configured page, click Close:
In some scenarios you want to manually launch an immediate backup to the cloud job for your production data. The prerequisite is that you have scheduled your recurring Cloud Backup job(s). Once you have configured scheduled backup, the option to ‘back up now’ is available.
To immediately run your scheduled backup job in Windows Server, from the Actions -> Backup pane of the Windows Azure Backup application, run the Back Up Now task:
The Back Up Now Wizard will start and confirm the backup items, and give you the opportunity to change your throttling or proxy server settings. Click the Back Up button to start the on-demand backup job:
You can watch the backup progress and see the status in the Jobs section of the Windows Azure Backup application.
To immediately run your scheduled backup job in Windows Server Essentials, from the Online Backup -> Online Backup tab -> Online Backup Tasks pane of the Windows Server Essentials Dashboard, run the Start backup now task:
The Start a backup confirmation will appear, click OK start the on-demand backup job:
You can watch the backup progress and see the status in the Online Backup -> Backup History tab of the Windows Server Essentials Dashboard.
After you have performed at least one successful cloud backup from Windows Server or Windows Server Essentials, the Protected Items section of your Azure portal -> Recovery Services -> Backup Vault will list the number of recovery points for each drive letter on each server:
This is a read-only, informational list. If you need to recover data to a different server, make sure you register the new server to the Backup Vault that lists recovery points for the data to be recovered.
Always keep in mind that bandwidth is very important. It’s always an important thing to verify your network performance from on-premises to Azure. You can use the following tool http://azurespeedtest.azurewebsites.net/ to verify your network latency depending on your closest Azure datacenter.
Restore operations from Azure to Windows Servers are relatively simple and quick. Prerequisites for recovering file and folder data are:
· You have installed the Azure Backup Agent or Add-in on the server you are restoring to (the target server).
· The target server has a copy of the certificate with private key, imported to the local computer certificate store, which is associated with the .CER certificate file uploaded to the Backup Vault to be restored from.
· The target server is registered with the Backup Vault.
· At least one successful backup has been completed.
· If you are restoring to a different target server than the server the data was backed up from (the source server), you have the passphrase used to encrypt the data from the source server.
Recall that egress of data out of Azure storage during a restore operation can incur costs. If your target server is on-premises (or anywhere other than the Azure datacenter where the Backup Vault exists), there could be an outbound data transfer charge.
Recovering files and folders to a different server than the one from which they were backed up is a very similar process to recovery operations to the original server. I’m going to just point out the differences between a restore to different server compared to restore to same server. Unique prerequisites for recovering file and folder data to a different server are:
· The target server is registered with the same Backup Vault the source server was backed up to.
· You have the passphrase used to encrypt the data from the source server.
Start the Recover data task from the Windows Azure Backup application and when the Recover Data Wizard appears, select Another server on the Getting Started page:
To restore files and folders in Windows Server Essentials, from the Online Backup -> Online Backup tab -> Online Backup Tasks pane of the Windows Server Essentials Dashboard, run the Restore files and folders task:
You can watch the restore progress and see the status in the Online Backup -> Backup History tab of the Windows Server Essentials Dashboard.
To restore files and folders in Windows Server Essentials to a different server, from the Online Backup -> Online Backup tab -> Online Backup Tasks pane of the Windows Server Essentials Dashboard, run the Restore files and folders task and select Restore files from another server to this server:
About John Joyner
John Joyner is a product development director and senior architect for a managed services provider. A Cloud and Datacenter Management MVP, John is co-author of the four-book series Operations Manager: Unleashed. John is happy to answer any questions around SCOM and can be reached at any of the links below.
You can reach John and find out more about him here:
Christian Booth (ChBooth) | Sr. Program Manager | System Center