Back Up Azure Virtual Machines To A Recovery Services Vault PDF

Table of Contents
Azure Backup Documentation

Overview
What is Azure Backup?
Quickstarts
Back up a VM - Portal
Back up a VM - PowerShell
Back up a VM - CLI
Tutorials
Back up Azure VMs at scale
Restore a disk
Restore individual files
Back up Windows Server
Restore files to Windows Server
Samples
Azure PowerShell
Concepts
FAQ
FAQ on Recovery Services vault
FAQ on Azure VM backup
FAQ on file-folder backup using Azure Backup agent
FAQ on auto-upgrade of backup vault
Role-Based Access Control
Security for hybrid backups
Configure offline-backup
Replace your tape library
How to
Azure Backup Server
Azure Backup Server protection matrix
Install or upgrade
Protect workloads
Recover data from Azure Backup Server
Azure VMs
Prepare the VM
Plan your environment
Back up VMs
Manage and monitor VMs
Restore data from VMs
Configure Azure Backup reports
Data model for Azure Backup reports
Log Analytics data model for Azure Backup
Data Protection Manager
Prepare DPM workloads in Azure portal
Prepare DPM workloads in classic portal
Use System Center DPM to back up Exchange server
Recover data to an alternate DPM server
Use DPM to back up SQL Server workloads
Use DPM to back up a SharePoint farm
Use Azure PowerShell
Azure VMs in Azure portal
Azure VMs in classic portal
DPM in Azure portal
DPM in classic portal
Windows Server in Azure portal
Windows Server in classic portal
Azure SQL Database
Configure long-term backup retention
View backups in a Recovery Services vault
Restore from long-term backup retention
Delete long-term Azure SQL backups
Windows Server
Back up Windows Server files and folders
Back up Windows Server files and folders
Back up Windows Server System State
Recover files from Azure to Windows Server
Restore Windows Server System State
Monitor and manage Recovery Services vaults
Back up and restore using the classic portal
Recovery Services vault
Overview of Recovery Services vaults
Upgrading a Backup vault to Recovery Services vault
Delete a Recovery Services vault
Troubleshoot
Azure VM backup problems in Azure portal
Azure VM backup problems in classic portal
Azure VM Backup fails: Could not communicate with the VM agent for snapshot
status - Snapshot VM sub task timed out
Slow backup of files and folders in Azure Backup
Troubleshoot Azure Backup Server
Reference
Azure PowerShell
.NET
Resources
Azure Roadmap
MSDN forum
Pricing
Pricing calculator
Service updates
Videos
Overview of the features in Azure Backup
10/9/2017 20 min to read Edit Online
Azure Backup is the Azure-based service you can use to back up (or protect) and restore your data in the Microsoft
cloud. Azure Backup replaces your existing on-premises or off-site backup solution with a cloud-based solution
that is reliable, secure, and cost-competitive. Azure Backup offers multiple components that you download and
deploy on the appropriate computer, server, or in the cloud. The component, or agent, that you deploy depends on
what you want to protect. All Azure Backup components (no matter whether you're protecting data on-premises or
in the cloud) can be used to back up data to a Recovery Services vault in Azure. See the Azure Backup components
table (later in this article) for information about which component to use to protect specific data, applications, or
workloads.
Watch a video overview of Azure Backup
Why use Azure Backup?

Traditional backup solutions have evolved to treat the cloud as an endpoint, or static storage destination, similar to
disks or tape. While this approach is simple, it is limited and doesn't take full advantage of an underlying cloud
platform, which translates to an expensive, inefficient solution. Other solutions are expensive because you end up
paying for the wrong type of storage, or storage that you don't need. Other solutions are often inefficient because
they don't offer you the type or amount of storage you need, or administrative tasks require too much time. In
contrast, Azure Backup delivers these key benefits:
Automatic storage management - Hybrid environments often require heterogeneous storage - some on-
premises and some in the cloud. With Azure Backup, there is no cost for using on-premises storage devices. Azure
Backup automatically allocates and manages backup storage, and it uses a pay-as-you-use model. Pay-as-you-use
means that you only pay for the storage that you consume. For more information, see the Azure pricing article.
Unlimited scaling - Azure Backup uses the underlying power and unlimited scale of the Azure cloud to deliver
high-availability - with no maintenance or monitoring overhead. You can set up alerts to provide information
about events, but you don't need to worry about high-availability for your data in the cloud.
Multiple storage options - An aspect of high-availability is storage replication. Azure Backup offers two types of
replication: locally redundant storage and geo-redundant storage. Choose the backup storage option based on
need:
Locally redundant storage (LRS) replicates your data three times (it creates three copies of your data) in a
paired datacenter in the same region. LRS is a low-cost option for protecting your data from local hardware
failures.
Geo-redundant storage (GRS) replicates your data to a secondary region (hundreds of miles away from the
primary location of the source data). GRS costs more than LRS, but GRS provides a higher level of durability
for your data, even if there is a regional outage.
Unlimited data transfer - Azure Backup does not limit the amount of inbound or outbound data you transfer.
Azure Backup also does not charge for the data that is transferred. However, if you use the Azure Import/Export
service to import large amounts of data, there is a cost associated with inbound data. For more information about
this cost, see Offline-backup workflow in Azure Backup. Outbound data refers to data transferred from a Recovery
Services vault during a restore operation.
Data encryption - Data encryption allows for secure transmission and storage of your data in the public cloud.
You store the encryption passphrase locally, and it is never transmitted or stored in Azure. If it is necessary to
restore any of the data, only you have encryption passphrase, or key.
Application-consistent backup - Whether backing up a file server, virtual machine, or SQL database, you need
to know that a recovery point has all required data to restore the backup copy. Azure Backup provides application-
consistent backups, which ensured additional fixes are not needed to restore the data. Restoring application
consistent data reduces the restoration time, allowing you to quickly return to a running state.
Long-term retention - Instead of switching backup copies from disk to tape and moving the tape to an off-site
location, you can use Azure for short-term and long-term retention. Azure doesn't limit the length of time data
remains in a Backup or Recovery Services vault. You can keep data in a vault for as long as you like. Azure Backup
has a limit of 9999 recovery points per protected instance. See the Backup and retention section in this article for
an explanation of how this limit may impact your backup needs.
Which Azure Backup components should I use?

If you aren't sure which Azure Backup component works for your needs, see the following table for information
about what you can protect with each component. The Azure portal provides a wizard, which is built into the
portal, to guide you through choosing the component to download and deploy. The wizard, which is part of the
Recovery Services vault creation, leads you through the steps for selecting a backup goal, and choosing the data or
application to protect.
WHERE ARE BACKUPS

COMPONENT BENEFITS LIMITS WHAT IS PROTECTED? STORED?
Azure Backup (MARS) Back up files and Backup 3x per day Files, Recovery Services
agent folders on physical or Not application Folders vault
virtual Windows OS aware; file, folder, and
(VMs can be on- volume-level restore
premises or in Azure) only,
No separate No support for
backup server Linux.
required.
System Center DPM Application-aware Cannot back up Files, Recovery Services

snapshots (VSS) Oracle workload. Folders, vault,
Full flexibility for Volumes, Locally attached
when to take backups VMs, disk,
Recovery Applications, Tape (on-premises
granularity (all) Workloads only)
Can use Recovery
Services vault
Linux support on
Hyper-V and VMware
VMs
Back up and
restore VMware VMs
using DPM 2012 R2
WHERE ARE BACKUPS
COMPONENT BENEFITS LIMITS WHAT IS PROTECTED? STORED?
Azure Backup Server App aware Cannot back up Files, Recovery Services
snapshots (VSS) Oracle workload. Folders, vault,
Full flexibility for Always requires live Volumes, Locally attached
when to take backups Azure subscription VMs, disk
Recovery No support for Applications,
granularity (all) tape backup Workloads
Can use Recovery
Services vault
Linux support on
Hyper-V and VMware
VMs
Back up and
restore VMware VMs
Does not require a
System Center license
Azure IaaS VM Native backups for Back up VMs once- VMs, Recovery Services
Backup Windows/Linux a-day All disks (using vault
No specific agent Restore VMs only PowerShell)
installation required at disk level
Fabric-level backup Cannot back up
with no backup on-premises
infrastructure needed
What are the deployment scenarios for each component?

CAN BE DEPLOYED ON-
COMPONENT CAN BE DEPLOYED IN AZURE? PREMISES? TARGET STORAGE SUPPORTED
Azure Backup (MARS) agent Yes Yes Recovery Services vault

The Azure Backup agent The Backup agent can
can be deployed on any be deployed on any
Windows Server VM Windows Server VM or
that runs in Azure. physical machine.
System Center DPM Yes Yes Locally attached disk,

Learn more about how Learn more about how Recovery Services vault,
to protect workloads in to protect workloads
Azure by using System and VMs in your tape (on-premises only)
Center DPM. datacenter.
Azure Backup Server Yes Yes Locally attached disk,

Learn more about how Learn more about how Recovery Services vault
to protect workloads in to protect workloads in
Azure by using Azure Azure by using Azure
Backup Server. Backup Server.
CAN BE DEPLOYED ON-
COMPONENT CAN BE DEPLOYED IN AZURE? PREMISES? TARGET STORAGE SUPPORTED
Azure IaaS VM Backup Yes No Recovery Services vault

Part of Azure fabric Use System Center DPM
to back up virtual
Specialized for backup of machines in your
Azure infrastructure as a datacenter.
service (IaaS) virtual
machines.
Which applications and workloads can be backed up?

The following table provides a matrix of the data and workloads that can be protected using Azure Backup. The
Azure Backup solution column has links to the deployment documentation for that solution.
DATA OR WORKLOAD SOURCE ENVIRONMENT AZURE BACKUP SOLUTION
Files and folders Windows Server Azure Backup agent,

System Center DPM (+ the Azure
Backup agent),
Azure Backup Server (includes the
Azure Backup agent)
Files and folders Windows computer Azure Backup agent,

System Center DPM (+ the Azure
Backup agent),
Azure Backup agent)
Hyper-V virtual machine (Windows) Windows Server System Center DPM (+ the Azure
Backup agent),
Azure Backup agent)
Hyper-V virtual machine (Linux) Windows Server System Center DPM (+ the Azure
Backup agent),
Azure Backup agent)
VMware virtual machine Windows Server System Center DPM (+ the Azure
Backup agent),
Azure Backup agent)
DATA OR WORKLOAD SOURCE ENVIRONMENT AZURE BACKUP SOLUTION
Microsoft SQL Server Windows Server System Center DPM (+ the Azure
Backup agent),
Azure Backup agent)
Microsoft SharePoint Windows Server System Center DPM (+ the Azure

Backup agent),
Azure Backup agent)
Microsoft Exchange Windows Server System Center DPM (+ the Azure

Backup agent),
Azure Backup agent)
Azure IaaS VMs (Windows) running in Azure Azure Backup (VM extension)
Azure IaaS VMs (Linux) running in Azure Azure Backup (VM extension)
Linux support
The following table shows the Azure Backup components that have support for Linux.
COMPONENT LINUX (AZURE ENDORSED) SUPPORT
Azure Backup (MARS) agent No (Only Windows based agent)
System Center DPM File-consistent backup of Linux Guest VMs on Hyper-V and
VMWare
VM restore of Hyper-V and VMWare Linux Guest VMs
File-consistent backup not available for Azure VM
Azure Backup Server File-consistent backup of Linux Guest VMs on Hyper-V and
VMWare
VM restore of Hyper-V and VMWare Linux Guest VMs
File-consistent backup not available for Azure VM
Azure IaaS VM Backup Application-consistent backup using pre-script and post-

script framework
Granular file recovery
Restore all VM disks
VM restore
Using Premium Storage VMs with Azure Backup

Azure Backup protects Premium Storage VMs. Azure Premium Storage is solid-state drive (SSD)-based storage
designed to support I/O-intensive workloads. Premium Storage is attractive for virtual machine (VM) workloads.
For more information about Premium Storage, see the article, Premium Storage: High-Performance Storage for
Azure Virtual Machine Workloads.
Back up Premium Storage VMs
While backing up Premium Storage VMs, the Backup service creates a temporary staging location, named
"AzureBackup-", in the Premium Storage account. The size of the staging location is equal to the size of the
recovery point snapshot. Be sure the Premium Storage account has adequate free space to accommodate the
temporary staging location. For more information, see the article, premium storage limitations. Once the backup
job finishes, the staging location is deleted. The price of storage used for the staging location is consistent with all
Premium storage pricing.
NOTE
Do not modify or edit the staging location.
Restore Premium Storage VMs

Premium Storage VMs can be restored to either Premium Storage or to normal storage. Restoring a Premium
Storage VM recovery point back to Premium Storage is the typical process of restoration. However, it can be cost
effective to restore a Premium Storage VM recovery point to standard storage. This type of restoration can be used
if you need a subset of files from the VM.
Using managed disk VMs with Azure Backup

Azure Backup protects managed disk VMs. Managed disks free you from managing storage accounts of virtual
machines and greatly simplify VM provisioning.
Back up managed disk VMs
Backing up VMs on managed disks is no different than backing up Resource Manager VMs. In the Azure portal,
you can configure the backup job directly from the Virtual Machine view or from the Recovery Services vault view.
You can back up VMs on managed disks through RestorePoint collections built on top of managed disks. Azure
Backup also supports backing up managed disk VMs encrypted using Azure Disk encryption(ADE).
Restore managed disk VMs
Azure Backup allows you to restore a complete VM with managed disks, or restore managed disks to a storage
account. Azure manages the managed disks during the restore process. You (the customer) manage the storage
account created as part of the restore process. When restoring managed encrypted VMs, the VM's keys and secrets
should exist in the key vault prior to starting the restore operation.
What are the features of each Backup component?

The following sections provide tables that summarize the availability or support of various features in each Azure
Backup component. See the information following each table for additional support or details.
Storage
AZURE IAAS VM
FEATURE AZURE BACKUP AGENT SYSTEM CENTER DPM AZURE BACKUP SERVER BACKUP
Recovery Services
vault
Disk storage
Tape storage
AZURE IAAS VM
Compression
(in Recovery Services
vault)
Incremental backup
Disk deduplication
The Recovery Services vault is the preferred storage target across all components. System Center DPM and Azure
Backup Server also provide the option to have a local disk copy. However, only System Center DPM provides the
option to write data to a tape storage device.
Compression
Backups are compressed to reduce the required storage space. The only component that does not use
compression is the VM extension. The VM extension copies all backup data from your storage account to the
Recovery Services vault in the same region. No compression is used when transferring the data. Transferring the
data without compression slightly inflates the storage used. However, storing the data without compression allows
for faster restoration, should you need that recovery point.
Disk Deduplication
You can take advantage of deduplication when you deploy System Center DPM or Azure Backup Server on a
Hyper-V virtual machine. Windows Server performs data deduplication (at the host level) on virtual hard disks
(VHDs) that are attached to the virtual machine as backup storage.
NOTE
Deduplication is not available in Azure for any Backup component. When System Center DPM and Backup Server are
deployed in Azure, the storage disks attached to the VM cannot be deduplicated.
Incremental backup explained

Every Azure Backup component supports incremental backup regardless of the target storage (disk, tape, Recovery
Services vault). Incremental backup ensures that backups are storage and time efficient, by transferring only those
changes made since the last backup.
Comparing Full, Differential and Incremental backup
Storage consumption, recovery time objective (RTO), and network consumption varies for each type of backup
method. To keep the backup total cost of ownership (TCO) down, you need to understand how to choose the best
backup solution. The following image compares Full Backup, Differential Backup, and Incremental Backup. In the
image, data source A is composed of 10 storage blocks A1-A10, which are backed up monthly. Blocks A2, A3, A4,
and A9 change in the first month, and block A5 changes in the next month.
With Full Backup, each backup copy contains the entire data source. Full backup consumes a large amount of
network bandwidth and storage, each time a backup copy is transferred.
Differential backup stores only the blocks that changed since the initial full backup, which results in a smaller
amount of network and storage consumption. Differential backups don't retain redundant copies of unchanged
data. However, because the data blocks that remain unchanged between subsequent backups are transferred and
stored, differential backups are inefficient. In the second month, changed blocks A2, A3, A4, and A9 are backed up.
In the third month, these same blocks are backed up again, along with changed block A5. The changed blocks
continue to be backed up until the next full backup happens.
Incremental Backup achieves high storage and network efficiency by storing only the blocks of data that
changed since the previous backup. With incremental backup, there is no need to take regular full backups. In the
example, after the full backup is taken for the first month, changed blocks A2, A3, A4, and A9 are marked as
changed and transferred for the second month. In the third month, only changed block A5 is marked and
transferred. Moving less data saves storage and network resources, which decreases TCO.
Security
AZURE IAAS VM
Network security
(to Azure)
Data security
(in Azure)
Network security
All backup traffic from your servers to the Recovery Services vault is encrypted using Advanced Encryption
Standard 256. The backup data is sent over a secure HTTPS link. The backup data is also stored in the Recovery
Services vault in encrypted form. Only you, the Azure customer, have the passphrase to unlock this data. Microsoft
cannot decrypt the backup data at any point.
WARNING
Once you establish the Recovery Services vault, only you have access to the encryption key. Microsoft never maintains a
copy of your encryption key, and does not have access to the key. If the key is misplaced, Microsoft cannot recover the
backup data.
Data security
Backing up Azure VMs requires setting up encryption within the virtual machine. Use BitLocker on Windows virtual
machines and dm-crypt on Linux virtual machines. Azure Backup does not automatically encrypt backup data that
comes through this path.
Network
AZURE IAAS VM
Network compression
(to backup server)
Network compression
(to Recovery
Services vault)
Network protocol TCP TCP

(to backup server)
Network protocol HTTPS HTTPS HTTPS HTTPS

(to Recovery
Services vault)
The VM extension (on the IaaS VM) reads the data directly from the Azure storage account over the storage
network, so it is not necessary to compress this traffic.
If you use a System Center DPM server or Azure Backup Server as a secondary backup server, compress the data
going from the primary server to the backup server. Compressing data before backing it up to DPM or Azure
Backup Server, saves bandwidth.
Network Throttling
The Azure Backup agent offers network throttling, which allows you to control how network bandwidth is used
during data transfer. Throttling can be helpful if you need to back up data during work hours but do not want the
backup process to interfere with other internet traffic. Throttling for data transfer applies to back up and restore
activities.
Backup and retention

Azure Backup has a limit of 9999 recovery points, also known as backup copies or snapshots, per protected
instance. A protected instance is a computer, server (physical or virtual), or workload configured to back up data to
Azure. For more information, see the section, What is a protected instance. An instance is protected once a backup
copy of data has been saved. The backup copy of data is the protection. If the source data was lost or became
corrupt, the backup copy could restore the source data. The following table shows the maximum backup frequency
for each component. Your backup policy configuration determines how quickly you consume the recovery points.
For example, if you create a recovery point each day, then you can retain recovery points for 27 years before you
run out. If you take a monthly recovery point, you can retain recovery points for 833 years before you run out. The
Backup service does not set an expiration time limit on a recovery point.
AZURE IAAS VM
AZURE BACKUP AGENT SYSTEM CENTER DPM AZURE BACKUP SERVER BACKUP
Backup frequency Three backups per Two backups per day Two backups per day One backup per day
(to Recovery Services day
vault)
Backup frequency Not applicable Every 15 minutes Every 15 minutes Not applicable
(to disk) for SQL Server for SQL Server
Every hour for Every hour for
other workloads other workloads
Retention options Daily, weekly, Daily, weekly, Daily, weekly, Daily, weekly,
monthly, yearly monthly, yearly monthly, yearly monthly, yearly
Maximum recovery 9999 9999 9999 9999

points per protected
instance
Maximum retention Depends on backup Depends on backup Depends on backup Depends on backup
period frequency frequency frequency frequency
Recovery points on Not applicable 64 for File Servers, 64 for File Servers, Not applicable
local disk 448 for Application 448 for Application
Servers Servers
Recovery points on Not applicable Unlimited Not applicable Not applicable

tape
What is a protected instance

A protected instance is a generic reference to a Windows computer, a server (physical or virtual), or SQL database
that has been configured to back up to Azure. An instance is protected once you configure a backup policy for the
computer, server, or database, and create a backup copy of the data. Subsequent copies of the backup data for that
protected instance (which are called recovery points), increase the amount of storage consumed. You can create up
to 9999 recovery points for a protected instance. If you delete a recovery point from storage, it does not count
against the 9999 recovery point total. Some common examples of protected instances are virtual machines,
application servers, databases, and personal computers running the Windows operating system. For example:
A virtual machine running the Hyper-V or Azure IaaS hypervisor fabric. The guest operating systems for the
virtual machine can be Windows Server or Linux.
An application server: The application server can be a physical or virtual machine running Windows Server and
workloads with data that needs to be backed up. Common workloads are Microsoft SQL Server, Microsoft
Exchange server, Microsoft SharePoint server, and the File Server role on Windows Server. To back up these
workloads you need System Center Data Protection Manager (DPM) or Azure Backup Server.
A personal computer, workstation, or laptop running the Windows operating system.
What is a Recovery Services vault?

A Recovery Services vault is an online storage entity in Azure used to hold data such as backup copies, recovery
points, and backup policies. You can use Recovery Services vaults to hold backup data for Azure services and on-
premises servers and workstations. Recovery Services vaults make it easy to organize your backup data, while
minimizing management overhead. You can create as many Recovery Services vaults as you like, within a
subscription.
Backup vaults, which are based on Azure Service Manager, were the first version of the vault. Recovery Services
vaults, which add the Azure Resource Manager model features, are the second version of the vault. See the
Recovery Services vault overview article for a full description of the feature differences. You can no longer create
use the portal to create Backup vaults, but Backup vaults are still supported. You must use the Azure portal to
manage your Backup vaults.
IMPORTANT
You can now upgrade your Backup vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to a
Recovery Services vault. Microsoft encourages you to upgrade your Backup vaults to Recovery Services vaults.
After October 15, 2017, you will no longer be able to use PowerShell to create Backup vaults.
By November 1, 2017 any remaining Backup vaults will be automatically upgraded to Recovery Services vaults.
How does Azure Backup differ from Azure Site Recovery?

Azure Backup and Azure Site Recovery are related in that both services back up data and can restore that data.
However, these services serve different purposes in providing business continuity and disaster recovery in your
business. Use Azure Backup to protect and restore data at a more granular level. For example, if a presentation on
a laptop became corrupted, you would use Azure Backup to restore the presentation. If you wanted to replicate the
configuration and data on a VM across another datacenter, use Azure Site Recovery.
Azure Backup protects data on-premises and in the cloud. Azure Site Recovery coordinates virtual-machine and
physical-server replication, failover, and failback. Both services are important because your disaster recovery
solution needs to keep your data safe and recoverable (Backup) and keep your workloads available (Site Recovery)
when outages occur.
The following concepts can help you make important decisions around backup and disaster recovery.
CONCEPT DETAILS BACKUP DISASTER RECOVERY (DR)
Recovery point objective The amount of acceptable Backup solutions have wide Disaster recovery solutions
(RPO) data loss if a recovery needs variability in their acceptable have low RPOs. The DR copy
to be done. RPO. Virtual machine can be behind by a few
backups usually have an seconds or a few minutes.
RPO of one day, while
database backups have
RPOs as low as 15 minutes.
Recovery time objective The amount of time that it Because of the larger RPO, Disaster recovery solutions
(RTO) takes to complete a recovery the amount of data that a have smaller RTOs because
or restore. backup solution needs to they are more in sync with
process is typically much the source. Fewer changes
higher, which leads to longer need to be processed.
RTOs. For example, it can
take days to restore data
from tapes, depending on
the time it takes to
transport the tape from an
off-site location.
CONCEPT DETAILS BACKUP DISASTER RECOVERY (DR)
Retention How long data needs to be For scenarios that require Disaster recovery needs only
stored operational recovery (data operational recovery data,
corruption, inadvertent file which typically takes a few
deletion, OS failure), backup hours or up to a day.
data is typically retained for Because of the fine-grained
30 days or less. data capture used in DR
From a compliance solutions, using DR data for
standpoint, data might need long-term retention is not
to be stored for months or recommended.
even years. Backup data is
ideally suited for archiving in
such cases.
Next steps
Use one of the following tutorials for detailed, step-by-step, instructions for protecting data on Windows Server, or
protecting a virtual machine (VM) in Azure:
Back up Files and Folders
Backup Azure Virtual Machines
For details about protecting other workloads, try one of these articles:
Back up your Windows Server
Back up application workloads
Backup Azure IaaS VMs
Back up a virtual machine in Azure
Azure backups can be created through the Azure portal. This method provides a browser-based user interface to
create and configure Azure backups and all related resources. You can protect your data by taking backups at
regular intervals. Azure Backup creates recovery points that can be stored in geo-redundant recovery vaults. This
article details how to back up a virtual machine (VM) with the Azure portal.
This quick start enables backup on an existing Azure VM. If you need to create a VM, you can create a VM with the
Azure portal.
Log in to Azure
Log in to the Azure portal at http://portal.azure.com.
Select a VM to back up
Create a simple scheduled daily backup to a Recovery Services Vault.
1. In the menu on the left, select Virtual machines.
2. From the list, choose a VM to back up. If you used the sample VM quick start commands, the VM is named
myVM in the myResourceGroup resource group.
3. In the Settings section, choose Backup. The Enable backup window opens.
Enable backup on a VM
A Recovery Services vault is a logical container that stores the backup data for each protected resource, such as
Azure VMs. When the backup job for a protected resource runs, it creates a recovery point inside the Recovery
Services vault. You can then use one of these recovery points to restore data to a given point in time.
1. Select Create new and provide a name for the new vault, such as myRecoveryServicesVault.
2. If not already selected, choose Use existing, then select the resource group of your VM from the drop-
down menu.
By default, the vault is set for Geo-Redundant storage. To further protect your data, this storage redundancy
level ensures that your backup data is replicated to a secondary Azure region that is hundreds of miles away
from the primary region.
You create and use policies to define when a backup job runs and how long the recovery points are stored.
The default protection policy runs a backup job each day and retains recovery points for 30 days. You can
use these default policy values to quickly protect your VM.
3. To accept the default backup policy values, select Enable Backup.
Start a backup job

You can start a backup now rather than wait for the default policy to run the job at the scheduled time. This first
backup job creates a full recovery point. Each backup job after this initial backup creates incremental recovery
points. Incremental recovery points are storage and time-efficient, as they only transfer changes made since the
last backup.
1. On the Backup window for your VM, select Backup now.
2. To accept the backup retention policy of 30 days, leave the default Retain Backup Till date. To start the job,
select Backup.
Monitor the backup job

In the Backup window for your VM, the status of the backup and number of completed restore points are shown.
Once the VM backup job is complete, information on the Last backup time, Latest restore point, and Oldest
restore point is shown on the right-hand side of the Overview window.
Clean up deployment
When no longer needed, you can disable protection on the VM, remove the restore points and Recovery Services
vault, then delete the resource group and associated VM resources
If you are going to continue on to a Backup tutorial that explains how to restore data for your VM, skip the steps in
this section and go to Next steps.
1. Select the Backup option for your VM.
2. Select ...More to show additional options, then choose Stop backup.
3. Select Delete Backup Data from the drop-down menu.
4. In the Type the name of the Backup item dialog, enter your VM name, such as myVM. Select Stop
Backup
Once the VM backup has been stopped and recovery points removed, you can delete the resource group. If
you used an existing VM, you may wish to leave the resource group and VM in place.
5. In the menu on the left, select Resource groups.
6. From the list, choose your resource group. If you used the sample VM quick start commands, the resource
group is named myResourceGroup.
7. Select Delete resource group. To confirm, enter the resource group name, then select Delete.
Next steps
In this quick start, you created a Recovery Services vault, enabled protection on a VM, and created the initial
recovery point. To learn more about Azure Backup and Recovery Services, continue to the tutorials.
Back up multiple Azure VMs
Back up a virtual machine in Azure with PowerShell
The Azure PowerShell module is used to create and manage Azure resources from the command line or in scripts.
You can protect your data by taking backups at regular intervals. Azure Backup creates recovery points that can be
stored in geo-redundant recovery vaults. This article details how to back up a virtual machine (VM) with the Azure
PowerShell module. You can also perform these steps with the Azure CLI or Azure portal.
This quick start enables backup on an existing Azure VM. If you need to create a VM, you can create a VM with
Azure PowerShell.
This quick start requires the Azure PowerShell module version 4.4 or later. Run Get-Module -ListAvailable AzureRM
to find the version. If you need to install or upgrade, see Install Azure PowerShell module.
Log in to Azure
Log in to your Azure subscription with the Login-AzureRmAccount command and follow the on-screen directions.
Login-AzureRmAccount
The first time you use Azure Backup, you must register the Azure Recovery Service provider in your subscription
with Register-AzureRmResourceProvider.
Register-AzureRmResourceProvider -ProviderNamespace "Microsoft.RecoveryServices"
Create a recovery services vault

Create a Recovery Services vault with New-AzureRmRecoveryServicesVault. Specify the same resource group and
location as the VM you wish to protect. If you used the sample script to create your VM, the resource group is
named myResourceGroup, the VM is named myVM, and the resources are in the WestEurope location.
New-AzureRmRecoveryServicesVault `
-ResourceGroupName "myResourceGroup" `
-Name "myRecoveryServicesVault" `
-Location "WestEurope"
By default, the vault is set for Geo-Redundant storage. To further protect your data, this storage redundancy level
ensures that your backup data is replicated to a secondary Azure region that is hundreds of miles away from the
primary region.
To use this vault with the remaining steps, set the vault context with Set-AzureRmRecoveryServicesVaultContext
Get-AzureRmRecoveryServicesVault `
-Name "myRecoveryServicesVault" | Set-AzureRmRecoveryServicesVaultContext
Enable backup for an Azure VM
You create and use policies to define when a backup job runs and how long the recovery points are stored. The
default protection policy runs a backup job each day and retains recovery points for 30 days. You can use these
default policy values to quickly protect your VM. First, set the default policy with Get-
AzureRmRecoveryServicesBackupProtectionPolicy:
$policy = Get-AzureRmRecoveryServicesBackupProtectionPolicy -Name "DefaultPolicy"
To enable backup protection for a VM, use Enable-AzureRmRecoveryServicesBackupProtection. Specify the policy
to use, then the resource group and VM to protect:
Enable-AzureRmRecoveryServicesBackupProtection `
-ResourceGroupName "myResourceGroup" `
-Name "myVM" `
-Policy $policy
Start a backup job

To start a backup now rather than wait for the default policy to run the job at the scheduled time, use Backup-
AzureRmRecoveryServicesBackupItem. This first backup job creates a full recovery point. Each backup job after this
initial backup creates incremental recovery points. Incremental recovery points are storage and time-efficient, as
they only transfer changes made since the last backup.
In the following set of commands, you specify a container in the Recovery Services vault that holds your backup
data with Get-AzureRmRecoveryServicesBackupContainer. Each VM to back up is treated as an item. To start a
backup job, obtain information on your VM item with Get-AzureRmRecoveryServicesBackupItem.
$backupcontainer = Get-AzureRmRecoveryServicesBackupContainer `
-ContainerType "AzureVM" `
-FriendlyName "myVM"
$item = Get-AzureRmRecoveryServicesBackupItem `
-Container $backupcontainer `
-WorkloadType "AzureVM"
Backup-AzureRmRecoveryServicesBackupItem -Item $item
As this first backup job creates a full recovery point, the process can take up to 20 minutes.

To monitor the status of backup jobs, use Get-AzureRmRecoveryservicesBackupJob:
Get-AzureRmRecoveryservicesBackupJob
The output is similar to the following example, which shows the backup job is InProgress:
WorkloadName Operation Status StartTime EndTime JobID

------------ --------- ------ --------- ------- -----
myvm Backup InProgress 9/18/2017 9:38:02 PM 9f9e8f14
myvm ConfigureBackup Completed 9/18/2017 9:33:18 PM 9/18/2017 9:33:51 PM fe79c739
When the Status of the backup job reports Completed, your VM is protected with Recovery Services and has a full
recovery point stored.
Clean up deployment
vault, then delete the resource group and associated VM resources. If you used an existing VM, you can skip the
final Remove-AzureRmResourceGroup cmdlet to leave the resource group and VM in place.
If you are going to continue on to a Backup tutorial that explains how to restore data for your VM, skip the steps in
this section and go to Next steps.
Disable-AzureRmRecoveryServicesBackupProtection -Item $item -RemoveRecoveryPoints

$vault = Get-AzureRmRecoveryServicesVault -Name "myRecoveryServicesVault"
Remove-AzureRmRecoveryServicesVault -Vault $vault
Remove-AzureRmResourceGroup -Name "myResourceGroup"
Next steps
Back up a virtual machine in Azure with the CLI
The Azure CLI is used to create and manage Azure resources from the command line or in scripts. You can protect
your data by taking backups at regular intervals. Azure Backup creates recovery points that can be stored in geo-
redundant recovery vaults. This article details how to back up a virtual machine (VM) in Azure with the Azure CLI.
You can also perform these steps with Azure PowerShell or in the Azure portal.
This quick start enables backup on an existing Azure VM. If you need to create a VM, you can create a VM with the
Azure CLI.
Launch Azure Cloud Shell

The Azure Cloud Shell is a free Bash shell that you can run directly within the Azure portal. It has the Azure CLI
preinstalled and configured to use with your account. Click the Cloud Shell button on the menu in the upper-right
of the Azure portal.
The button launches an interactive shell that you can use to run the steps in this topic:
To install and use the CLI locally, you must run Azure CLI version 2.0.18 or later. To find the CLI version, run . If
you need to install or upgrade, see Install Azure CLI 2.0.

Create a Recovery Services vault with az backup vault create. Specify the same resource group and location as the
VM you wish to protect. If you used the VM quickstart, then you created:
a resource group named myResourceGroup,
a VM named myVM,
resources in the eastus location.
az backup vault create --resource-group myResourceGroup \

--name myRecoveryServicesVault \
--location eastus
By default, the Recovery Services vault is set for Geo-Redundant storage. Geo-Redundant storage ensures your
backup data is replicated to a secondary Azure region that is hundreds of miles away from the primary region.
Enable backup for an Azure VM

Create a protection policy to define: when a backup job runs, and how long the recovery points are stored. The
default protection policy runs a backup job each day and retains recovery points for 30 days. You can use these
default policy values to quickly protect your VM. To enable backup protection for a VM, use az backup protection
enable-for-vm. Specify the resource group and VM to protect, then the policy to use:
az backup protection enable-for-vm \

--resource-group myResourceGroup \
--vault-name myRecoveryServicesVault \
--vm myVM \
--policy-name DefaultPolicy
Start a backup job

To start a backup now rather than wait for the default policy to run the job at the scheduled time, use az backup
protection backup-now. This first backup job creates a full recovery point. Each backup job after this initial backup
creates incremental recovery points. Incremental recovery points are storage and time-efficient, as they only
transfer changes made since the last backup.
The following parameters are used to back up the VM:
--container-name is the name of your VM
--item-name is the name of your VM
--retain-until value should be set to the last available date, in UTC time format (dd-mm-yyyy), that you wish
the recovery point to be available
The following example backs up the VM named myVM and sets the expiration of the recovery point to October 18,
2017:
az backup protection backup-now \

--container-name myVM \
--item-name myVM \
--retain-until 18-10-2017

To monitor the status of backup jobs, use az backup job list:
az backup job list \
--output table
The output is similar to the following example, which shows the backup job is InProgress:
Name Operation Status Item Name Start Time UTC Duration

-------- --------------- ---------- ----------- ------------------- --------------
a0a8e5e6 Backup InProgress myvm 2017-09-19T03:09:21 0:00:48.718366
fe5d0414 ConfigureBackup Completed myvm 2017-09-19T03:03:57 0:00:31.191807
When the Status of the backup job reports Completed, your VM is protected with Recovery Services and has a full
recovery point stored.
Clean up deployment
vault, then delete the resource group and associated VM resources. If you used an existing VM, you can skip the
final az group delete command to leave the resource group and VM in place.
If you want to try a Backup tutorial that explains how to restore data for your VM, go to Next steps.
az backup protection disable \

--item-name myVM \
--delete-backup-data true
az backup vault delete \
--name myRecoveryServicesVault \
az group delete --name myResourceGroup
Next steps
Use Azure portal to back up multiple virtual
machines
When you back up data in Azure, you store that data in an Azure resource called a Recovery Services vault. The
Recovery Services vault resource is available from the Settings menu of most Azure services. The benefit of having
the Recovery Services vault integrated into the Settings menu of most Azure services makes it very easy to back
up data. However, individually working with each database or virtual machine in your business is tedious. What if
you want to back up the data for all virtual machines in one department, or in one location? It is easy to back up
multiple virtual machines by creating a backup policy and applying that policy to the desired virtual machines. This
tutorial explains how to:
Create a Recovery Services vault
Define a backup policy
Apply the backup policy to protect multiple virtual machines
Trigger an on-demand backup job for the protected virtual machines
Log in to the Azure portal

Log in to the Azure portal.

The Recovery Services vault contains the backup data, and the backup policy applied to the protected virtual
machines. Backing up virtual machines is a local process. You cannot back up a virtual machine from one location
to a Recovery Services vault in another location. So, for each Azure location that has virtual machines to be backed
up, at least one Recovery Services vault must exist in that location.
1. On the left-hand menu, select More services and in the services list, type Recovery Services. As you type,
the list of resources filters. When you see Recovery Services vaults in the list, select it to open the Recovery
Services vaults menu.
2. In the Recovery Services vaults menu, click Add to open the Recovery Services vault menu.
3. In the Recovery Services vault menu,

Type myRecoveryServicesVault in Name,
The current subscription ID appears in Subscription. If you have additional subscriptions, you could
choose another subscription for the new vault.
For Resource group select Use existing and choose myResourceGroup. If myResourceGroup doesn't
exist, select Create new and type myResourceGroup.
From the Location drop-down menu, choose West Europe.
Click Create to create your Recovery Services vault.
A Recovery Services vault must be in the same location as the virtual machines being protected. If you have virtual
machines in multiple regions,create a Recovery Services vault in each region. This tutorial creates a Recovery
Services vault in West Europe because that is where myVM (the virtual machine created with the quickstart) was
created.
It can take several minutes for the Recovery Services vault to be created. Monitor the status notifications in the
upper right-hand area of the portal. Once your vault is created, it appears in the list of Recovery Services vaults.
When you create a Recovery Services vault, by default the vault has geo-redundant storage. To provide data
resiliency, geo-redundant storage replicates the data multiple times across two Azure regions.
Set backup policy to protect VMs

After creating the Recovery Services vault, the next step is to configure the vault for the type of data, and to set the
backup policy. Backup policy is the schedule for how often and when recovery points are taken. Policy also
includes the retention range for the recovery points. For this tutorial let's assume your business is a sports
complex with a hotel, stadium, and restaurants and concessions, and you are protecting the data on the virtual
machines. The following steps create a backup policy for the financial data.
1. From the list of Recovery Services vaults, select myRecoveryServicesVault to open its dashboard.
2. On the vault dashboard menu, click Backup to open the Backup menu.
3. On the Backup Goal menu, in the Where is your workload running drop-down menu, choose Azure.
From the What do you want to backup drop-down, choose Virtual machine, and click Backup.
These actions prepare the Recovery Services vault for interacting with a virtual machine. Recovery Services
vaults have a default policy that creates a restore point each day, and retains the restore points for 30 days.
4. To create a new policy, on the Backup policy menu, from the Choose backup policy drop-down menu,
select Create New.
5. In the Backup policy menu, for Policy Name type Finance. Enter the following changes for the Backup
policy:
For Backup frequency set the timezone for Central Time. Since the sports complex is in Texas, the
owner wants the timing to be local. Leave the backup frequency set to Daily at 3:30AM.
For Retention of daily backup point, set the period to 90 days.
For Retention of weekly backup point, use the Monday restore point and retain it for 52 weeks.
For Retention of monthly backup point, use the restore point from First Sunday of the month, and
retain it for 36 months.
Deselect the Retention of yearly backup point option. The leader of Finance doesn't want to keep
data longer than 36 months.
Click OK to create the backup policy.
After creating the backup policy, associate the policy with the virtual machines.
6. In the Select virtual machines dialog select myVM and click OK to deploy the backup policy to the virtual
machines.
All virtual machines that are in the same location, and are not already associated with a backup policy,
appear. myVMH1 and myVMR1 are selected to be associated with the Finance policy.
When the deployment completes, you receive a notification that deployment successfully completed.
Initial backup
You have enabled backup for the Recovery Services vaults, but an initial backup has not been created. It is a
disaster recovery best practice to trigger the first backup, so that your data is protected.
To run an on-demand backup job:
1. On the vault dashboard, click 3 under Backup Items, to open the Backup Items menu.
The Backup Items menu opens.
2. On the Backup Items menu, click Azure Virtual Machine to open the list of virtual machines associated
with the vault.
The Backup Items list opens.
3. On the Backup Items list, click the ellipses ... to open the Context menu.
4. On the Context menu, select Backup now.
The Backup Now menu opens.

5. On the Backup Now menu, enter the last day to retain the recovery point, and click Backup.
Deployment notifications let you know the backup job has been triggered, and that you can monitor the
progress of the job on the Backup jobs page. Depending on the size of your virtual machine, creating the
initial backup may take a while.
When the initial backup job completes, you can see its status in the Backup job menu. The on-demand
backup job created the initial restore point for myVM. If you want to back up other virtual machines, repeat
these steps for each virtual machine.
Clean up resources
If you plan to continue on to work with subsequent tutorials, do not clean up the resources created in this tutorial.
If you do not plan to continue, use the following steps to delete all resources created by this tutorial in the Azure
portal.
1. On the myRecoveryServicesVault dashboard, click 3 under Backup Items, to open the Backup Items
menu.
2. On the Backup Items menu, click Azure Virtual Machine to open the list of virtual machines associated
with the vault.

3. In the Backup Items menu, click the ellipsis to open the Context menu.
4. On the context menu select Stop backup to open Stop Backup menu.
5. In the Stop Backup menu, select the upper drop-down menu and choose Delete Backup Data.
6. In the Type the name of the Backup item dialog, type myVM.
7. Once the backup item is verified (a checkmark appears), Stop backup button is enabled. Click Stop
Backup to stop the policy and delete the restore points.
.
8. In the myRecoveryServicesVault menu, click Delete.
Once the vault is deleted, you return to the list of Recovery Services vaults.
Next steps
In this tutorial you used the Azure portal to:
Set the vault to protect virtual machines
Create a custom backup and retention policy
Assign the policy to protect multiple virtual machines
Trigger an on-demand back up for virtual machines
Continue to the next tutorial to restore an Azure virtual machine from disk.
Restore VMs using CLI
Restore a disk and create a recovered VM in Azure
Azure Backup creates recovery points that are stored in geo-redundant recovery vaults. When you restore from a
recovery point, you can restore the whole VM or individual files. This article explains how to restore a complete VM.
In this tutorial you learn how to:
List and select recovery points
Restore a disk from a recovery point
Create a VM from the restored disk

If you choose to install and use the CLI locally, this tutorial requires that you are running the Azure CLI version
2.0.18 or later. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI 2.0.
Prerequisites
This tutorial requires a Linux VM that has been protected with Azure Backup. To simulate an accidental VM deletion
and recovery process, you create a VM from a disk in a recovery point. If you need a Linux VM that has been
protected with Azure Backup, see Back up a virtual machine in Azure with the CLI.
Backup overview
When Azure initiates a backup, the backup extension on the VM takes a point-in-time snapshot. The backup
extension is installed on the VM when the first backup is requested. Azure Backup can also take a snapshot of the
underlying storage if the VM is not running when the backup takes place.
By default, Azure Backup takes a file system consistent backup. Once Azure Backup takes the snapshot, the data is
transferred to the Recovery Services vault. To maximize efficiency, Azure Backup identifies and transfers only the
blocks of data that have changed since the previous backup.
When the data transfer is complete, the snapshot is removed and a recovery point is created.
List available recovery points

To restore a disk, you select a recovery point as the source for the recovery data. As the default policy creates a
recovery point each day and retains them for 30 days, you can keep a set of recovery points that allows you to
select a particular point in time for recovery.
To see a list of available recovery points, use az backup recoverypoint list. The recovery point name is used to
recover disks. In this tutorial, we want the most recent recovery point available. The --query [0].name parameter
selects the most recent recovery point name as follows:
az backup recoverypoint list \

--item-name myVM \
--query [0].name \
--output tsv
Restore a VM disk
To restore your disk from the recovery point, you first create an Azure storage account. This storage account is
used to store the restored disk. In additional steps, the restored disk is used to create a VM.
1. To create a storage account, use az storage account create. The storage account name must be all lowercase,
and be globally unique. Replace mystorageaccount with your own unique name:
az storage account create \

--name mystorageaccount \
--sku Standard_LRS
2. Restore the disk from your recovery point with az backup restore restore-disks. Replace mystorageaccount
with the name of the storage account you created in the preceding command. Replace
myRecoveryPointName with the recovery point name you obtained in the output from the previous az
backup recoverypoint list command:
az backup restore restore-disks \

--item-name myVM \
--storage-account mystorageaccount \
--rp-name myRecoveryPointName
Monitor the restore job

To monitor the status of restore job, use az backup job list:
az backup job list \

--output table
The output is similar to the following example, which shows the restore job is InProgress:
Name Operation Status Item Name Start Time UTC Duration

-------- --------------- ---------- ----------- ------------------- --------------
7f2ad916 Restore InProgress myvm 2017-09-19T19:39:52 0:00:34.520850
a0a8e5e6 Backup Completed myvm 2017-09-19T03:09:21 0:15:26.155212
fe5d0414 ConfigureBackup Completed myvm 2017-09-19T03:03:57 0:00:31.191807
When the Status of the restore job reports Completed, the disk has been restored to the storage account.
Convert the restored disk to a Managed Disk

The restore job creates an unmanaged disk. In order to create a VM from the disk, it must first be converted to a
managed disk.
1. Obtain the connection information for your storage account with az storage account show-connection-
string. Replace mystorageaccount with the name of your storage account as follows:
export AZURE_STORAGE_CONNECTION_STRING=$( az storage account show-connection-string \

--output tsv \
--name mystorageaccount )
2. Your unmanaged disk is secured in the storage account. The following commands get information about
your unmanaged disk and create a variable named uri that is used in the next step when you create the
Managed Disk.
container=$(az storage container list --query [0].name -o tsv)

blob=$(az storage blob list --container-name $container --query [0].name -o tsv)
uri=$(az storage blob url --container-name $container --name $blob -o tsv)
3. Now you can create a Managed Disk from your recovered disk with az disk create. The uri variable from the
preceding step is used as the source for your Managed Disk.
az disk create \
--name myRestoredDisk \
--source $uri
4. As you now have a Managed Disk from your restored disk, clean up the unmanaged disk and storage
account with az storage account delete. Replace mystorageaccount with the name of your storage account
as follows:
az storage account delete \

--name mystorageaccount
The final step is to create a VM from the Managed Disk.
1. Create a VM from your Managed Disk with az vm create as follows:
az vm create \
--name myRestoredVM \
--attach-os-disk myRestoredDisk \
--os-type linux
2. To confirm that your VM has been created from your recovered disk, list the VMs in your resource group
with az vm list as follows:
az vm list --resource-group myResourceGroup --output table
Next steps
In this tutorial, you restored a disk from a recovery point and then created a VM from the disk. You learned how to:
Restore a disk from a recovery point
Advance to the next tutorial to learn about restoring individual files from a recovery point.
Restore files to a virtual machine in Azure
Restore files to a virtual machine in Azure
Azure Backup creates recovery points that are stored in geo-redundant recovery vaults. When you restore from a
recovery point, you can restore the whole VM or individual files. This article details how to restore individual files.
In this tutorial you learn how to:
Connect a recovery point to a VM
Restore files from a recovery point

If you choose to install and use the CLI locally, this tutorial requires that you are running the Azure CLI version
2.0.18 or later. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI 2.0.
Prerequisites
This tutorial requires a Linux VM that has been protected with Azure Backup. To simulate an accidental file deletion
and recovery process, you delete a page from a web server. If you need a Linux VM that runs a webserver and has
been protected with Azure Backup, see Back up a virtual machine in Azure with the CLI.
Backup overview
When Azure initiates a backup, the backup extension on the VM takes a point-in-time snapshot. The backup
extension is installed on the VM when the first backup is requested. Azure Backup can also take a snapshot of the
underlying storage if the VM is not running when the backup takes place.
By default, Azure Backup takes a file system consistent backup. Once Azure Backup takes the snapshot, the data is
transferred to the Recovery Services vault. To maximize efficiency, Azure Backup identifies and transfers only the
blocks of data that have changed since the previous backup.
Delete a file from a VM

If you accidentally delete or make changes to a file, you can restore individual files from a recovery point. This
process allows you to browse the files backed up in a recovery point and restore only the files you need. In this
example, we delete a file from a web server to demonstrate the file-level recovery process.
1. To connect to your VM, obtain the IP address of your VM with az vm show:
az vm show --resource-group myResourceGroup --name myVM -d --query [publicIps] --o tsv
2. To confirm that your web site currently works, open a web browser to the public IP address of your VM.
Leave the web browser window open.
3. Connect to your VM with SSH. Replace publicIpAddress with the public IP address that you obtained in a
previous command:
ssh publicIpAddress
4. Delete the default page from the web server at /var/www/html/index.nginx-debian.html as follows:
sudo rm /var/www/html/index.nginx-debian.html
5. In your web browser, refresh the web page. The web site no longer loads the page, as shown in the
following example:
6. Close the SSH session to your VM as follows:
exit
Generate file recovery script

To restore your files, Azure Backup provides a script to run on your VM that connects your recovery point as a local
drive. You can browse this local drive, restore files to the VM itself, then disconnect the recovery point. Azure
Backup continues to back up your data based on the assigned policy for schedule and retention.
1. To list recovery points for your VM, use az backup recoverypoint list. In this example, we select the most
recent recovery point for the VM named myVM that is protected in myRecoveryServicesVault:
az backup recoverypoint list \

--item-name myVM \
--query [0].name \
--output tsv
2. To obtain the script that connects, or mounts, the recovery point to your VM, use az backup restore files
mount-rp. The following example obtains the script for the VM named myVM that is protected in
myRecoveryServicesVault.
Replace myRecoveryPointName with the name of the recovery point that you obtained in the preceding
command:
az backup restore files mount-rp \

--item-name myVM \
The script is downloaded and a password is displayed, as in the following example:
File downloaded: myVM_we_1571974050985163527.sh. Use password c068a041ce12465
3. To transfer the script to your VM, use Secure Copy (SCP). Provide the name of your downloaded script, and
replace publicIpAddress with the public IP address of your VM. Make sure you include the trailing : at the
end of the SCP command as follows:
scp myVM_we_1571974050985163527.sh 52.174.241.110:
Restore file to your VM

With the recovery script copied to your VM, you can now connect the recovery point and restore files.
1. Connect to your VM with SSH. Replace publicIpAddress with the public IP address of your VM as follows:
ssh publicIpAddress
2. To allow your script to run correctly, add execute permissions with chmod. Enter the name of your own
script:
chmod +x myVM_we_1571974050985163527.sh
3. To mount the recovery point, run the script. Enter the name of your own script:
./myVM_we_1571974050985163527.sh
As the script runs, you are prompted to enter a password to access the recovery point. Enter the password
shown in the output from the previous az backup restore files mount-rp command that generated the
recovery script.
The output from the script gives you the path for the recovery point. The following example output shows
that the recovery point is mounted at /home/azureuser/myVM-20170919213536/Volume1:
Microsoft Azure VM Backup - File Recovery

______________________________________________
Please enter the password as shown on the portal to securely connect to the recovery point. :
c068a041ce12465
Connecting to recovery point using ISCSI service...
Connection succeeded!
Please wait while we attach volumes of the recovery point to this machine...
************ Volumes of the recovery point and their mount paths on this machine ************
Sr.No. | Disk | Volume | MountPath
1) | /dev/sdc | /dev/sdc1 | /home/azureuser/myVM-20170919213536/Volume1
************ Open File Explorer to browse for files. ************
4. Use cp to copy the NGINX default web page from the mounted recovery point back to the original file
location. Replace the /home/azureuser/myVM-20170919213536/Volume1 mount point with your own
location:
sudo cp /home/azureuser/myVM-20170919213536/Volume1/var/www/html/index.nginx-debian.html /var/www/html/

5. In your web browser, refresh the web page. The web site now loads correctly again, as shown in the
following example:
6. Close the SSH session to your VM as follows:
exit
7. Unmount the recovery point from your VM with az backup restore files unmount-rp. The following example
unmounts the recovery point from the VM named myVM in myRecoveryServicesVault.
Replace myRecoveryPointName with the name of your recovery point that you obtained in the previous
commands:
az backup restore files unmount-rp \

--item-name myVM \
Next steps
In this tutorial, you connected a recovery point to a VM and restored files for a web server. You learned how to:
Connect a recovery point to a VM
Restore files from a recovery point
Advance to the next tutorial to learn about how to back up Windows Server to Azure.
Back up Windows Server to Azure
Back up Windows Server to Azure
You can use Azure Backup to protect your Windows Server from corruptions, attacks, and disasters. Azure Backup
provides a lightweight tool known as the Microsoft Azure Recovery Services (MARS) agent. The MARS agent is
installed on the Windows Server to protect files and folders, and server configuration info via Windows Server
System State. This tutorial explains how you can use MARS Agent to back up your Windows Server to Azure. In this
tutorial you learn how to:
Download and set up the MARS Agent
Configure back up times and retention schedule for your servers backups
Perform an ad-hoc back up
Log in to Azure
Log in to the Azure portal at http://portal.azure.com.

Before you can back up Windows Server, you must create a place for the backups, or restore points, to be stored. A
Recovery Services vault is a container in Azure that stores the backups from your Windows Server. Follow the steps
below to create a Recovery Services vault in the Azure portal.
1. On the left-hand menu, select More services and in the services list,type Recovery Services. Click
Recovery Services vaults.
2. On the Recovery Services vaults menu, click Add.
3. In the Recovery Services vault menu,

Type myRecoveryServicesVault in Name.
The current subscription ID appears in Subscription.
For Resource group, select Use existing and choose myResourceGroup. If myResourceGroup doesn't
exist, select Create New and type myResourceGroup.
From the Location drop-down menu, choose West Europe.
Click Create to create your Recovery Services vault.
Once your vault is created, it appears in the list of Recovery Services vaults.
Download Recovery Services agent

The Microsoft Azure Recovery Services (MARS) agent creates an association between Windows Server and your
Recovery Services vault. The following procedure explains how to download the agent to your server.
1. From the list of Recovery Services vaults, select myRecoveryServicesVault to open its dashboard.
2. On the vault dashboard menu, click Backup.
3. On the Backup Goal menu:
for Where is your workload running?, selectOn-premises,
for What do you want to backup?, select Files and folders and System State
4. Click Prepare Infrastructure to open the Prepare infrastructure menu.

5. On the Prepare infrastructure menu, click Download Agent for Windows Server or Windows Client to
download the MARSAgentInstaller.exe.
The installer opens a separate browser and downloads MARSAgentInstaller.exe.
6. Before you run the downloaded file, click the Download button on the Prepare infrastructure blade to
download and save the Vault Credentials file. This file is required for connecting the MARS Agent with the
Recovery Services Vault.
Install and register the agent

1. Locate and double-click the downloaded MARSagentinstaller.exe.
2. The Microsoft Azure Recovery Services Agent Setup Wizard appears. As you go through the wizard,
provide the following information when prompted and click Register.
Location for the installation and cache folder.
Proxy server info if you use a proxy server to connect to the internet.
Your user name and password details if you use an authenticated proxy.
3. At the end of the wizard, click Proceed to Registration and provide the Vault Credentials file you
downloaded in the previous procedure.
4. When prompted, provide an encryption passphrase to encrypt backups from Windows Server. Save the
passphrase in a secure location as Microsoft cannot recover the passphrase if it is lost.
5. Click Finish.
Configure Backup and Retention

You use the Microsoft Azure Recovery Services agent to schedule when backups to Azure, occur on Windows
Server. Execute the following steps on the server where you downloaded the agent.
1. Open the Microsoft Azure Recovery Services agent. You can find it by searching your machine for Microsoft
Azure Backup.
2. In the Recovery Services agent console, click Schedule Backup under the Actions Pane.
3. Click Next to navigate to the Select Items to Back up page.

4. Click Add Items and from the dialog box that opens select System State and files or folders that you want
to back up. Then click OK.
5. Click Next.
6. On the Specify Backup Schedule page, specify the times of the day, or week when backups need to be
triggered for files and folders. System State backup schedule is automatically configured.
7. On the Select Retention Policy page, select the Retention Policy for the backup copy for files and folders.
The retention period of System State backups is automatically set to 60 days.
8. On the Choose Initial Back up Type page, leave the option Automatically over the network selected, and
then click Next.
9. On the Confirmation page, review the information, and then click Finish.
10. After the wizard finishes creating the backup schedule, click Close.
Perform an ad-hoc back up

You have established the schedule when backup jobs run. However, you have not backed up the server. It is a
disaster recovery best practice to run an on-demand backup to ensure data resiliency for your server.
1. In the Microsoft Azure Recovery Services agent console, click Back Up Now.
2. On the Confirmation page, review the settings that the Back Up Now wizard uses to back up your server.
Then click Back Up.
3. Click Close to close the wizard. If you close the wizard before the back up process finishes, the wizard continues
to run in the background.
4. After the initial backup is completed, Job completed status appears in Jobs pane of the MARS agent console.
Next steps
In this tutorial you used the Azure portal to:
Download the Microsoft Azure Recovery Services agent
Install the agent
Configure backup for Windows Server
Perform an on-demand backup
Continue to the next tutorial to recover files from Azure to Windows Server
Restore files from Azure to Windows Server
Recover files from Azure to a Windows Server
Azure Backup enables the recovery of individual items from backups of your Windows Server. Recovering
individual files is helpful if you must quickly restore files that are accidentally deleted. This tutorial covers how you
can use the Microsoft Azure Recovery Services Agent (MARS) agent to recover items from backups you have
already performed in Azure. In this tutorial you learn how to:
Initiate recovery of individual items
Select a recovery point
Restore items from a recovery point
This tutorial assumes you have already performed the steps to Back up a Windows Server to Azure and have at
least one backup of your Windows Server files in Azure.
Initiate recovery of individual items

A helpful user interface wizard named Microsoft Azure Backup is installed with the Microsoft Azure Recovery
Services (MARS) agent. The Microsoft Azure Backup wizard works with the Microsoft Azure Recovery Services
(MARS) agent to retrieve backup data from recovery points stored in Azure. Use the Microsoft Azure Backup wizard
to identify the files or folders you want to restore to Windows Server.
1. Open the Microsoft Azure Backup snap-in. You can find it by searching your machine for Microsoft
Azure Backup.
2. In the wizard, click Recover Data in the Actions Pane of the agent console to start the Recover Data
wizard.
3. On the Getting Started page, select This server (server name) and click Next.
4. On the Select Recovery Mode page, select Individual files and folders and then click Next to begin the
recovery point selection process.
5. On the Select Volume and Date page, select the volume that contains the files or folders you want to
restore, and click Mount. Select a date, and select a time from the drop-down menu that corresponds to a
recovery point. Dates in bold indicate the availability of at least one recovery point on that day.
When you click Mount, Azure Backup makes the recovery point available as a disk. Browse and recover files
from the disk.
Restore items from a recovery point

1. Once the recovery volume is mounted, click Browse to open Windows Explorer and find the files and folders
you wish to recover.
You can open the files directly from the recovery volume and verify the files.
2. In Windows Explorer, copy the files and/or folders you want to restore and paste them to any desired
location on the server.
3. When you are finished restoring the files and/or folders, on the Browse and Recovery Files page of the
Recover Data wizard, click Unmount.
4. Click Yes to confirm that you want to unmount the volume.

Once the snapshot is unmounted, Job Completed appears in the Jobs pane in the agent console.
Next steps
This completes the tutorials on backing up and restoring Windows Server data to Azure. To learn more about Azure
Backup, see the PowerShell sample for backing up encrypted virtual machines.
Back up encrypted VM
Azure Backup PowerShell samples
The following table links to PowerShell script samples that use Azure Backup to back up and restore data.
Back up virtual machines
Back up an encrypted virtual machine to Azure Back up all data on the encrypted virtual machine.
Questions about the Azure Backup service
This article has answers to common questions to help you quickly understand the Azure Backup components. In
some of the answers, there are links to the articles that have comprehensive information. You can ask questions
about Azure Backup by clicking Comments (to the right). Comments appear at the bottom of this article. A
Livefyre account is required to comment. You can also post questions about the Azure Backup service in the
discussion forum.
To quickly scan the sections in this article, use the links to the right, under In this article.
Recovery services vault

Is there any limit on the number of vaults that can be created in each Azure subscription?
Yes. As of September 2016, you can create 25 Recovery Services or backup vaults per subscription. You can
create up to 25 Recovery Services vaults, per supported region of Azure Backup, per subscription. If you need
additional vaults, create an additional subscription.
Are there limits on the number of servers/machines that can be registered against each vault?
Yes, you can register up to 50 machines per vault. For Azure IaaS virtual machines, the limit is 200 VMs per vault.
If you need to register more machines, create another vault.
If my organization has one vault, how can I isolate one server's data from another server when restoring data?
All servers that are registered to the same vault can recover the data backed up by other servers that use the
same passphrase. If you have servers whose backup data you want to isolate from other servers in your
organization, use a designated passphrase for those servers. For example, human resources servers could use one
encryption passphrase, accounting servers another, and storage servers a third.
Can I migrate my backup data or vault between subscriptions?
No. The vault is created at a subscription level and cannot be reassigned to another subscription once its created.
Recovery Services vaults are Resource Manager based. Are Backup vaults (classic mode ) still supported?
All existing Backup vaults in the classic portal continue to be supported. However, you can no longer use the
classic portal to deploy new Backup vaults. Microsoft recommends using Recovery Services vaults for all
deployments because future enhancements apply to Recovery Services vaults, only. If you attempt to create a
Backup vault in the classic portal, you will be redirected to the Azure portal.
Can I migrate a Backup vault to a Recovery Services vault?
Yes, you can now upgrade your Backup vault to a Recovery Services vault. For details, refer the article Upgrade a
Backup vault to a Recovery Services vault.
I backed up my classic VMs in a Backup vault. Can I migrate my VMs from classic mode to Resource Manager
mode and protect them in a Recovery Services vault?
Classic VM recovery points in a backup vault don't automatically migrate to a Recovery Services vault when you
move the VM from classic to Resource Manager mode. Follow these steps to transfer your VM backups:
1. In the Backup vault, go to the Protected Items tab and select the VM. Click Stop Protection. Leave Delete
associated backup data option unchecked.
2. Delete the backup/snapshot extension from the VM.
3. Migrate the virtual machine from classic mode to Resource Manager mode. Make sure the storage and
network information corresponding to the virtual machine is also migrated to Resource Manager mode.
4. Create a Recovery Services vault and configure backup on the migrated virtual machine using Backup action
on top of vault dashboard. For detailed information on backing up a VM to a Recovery Services vault, see the
article, Protect Azure VMs with a Recovery Services vault.
Azure Backup agent

Detailed list of questions are present in FAQ on Azure file-folder backup
Azure VM backup
Detailed list of questions are present in FAQ on Azure VM backup
Back up VMware servers

Can I back up VMware vCenter servers to Azure?
Yes. You can use Azure Backup Server to back up VMware vCenter and ESXi to Azure. For information on the
supported VMware version, see the article, Azure Backup Server protection matrix. For step-by-step instructions,
see Use Azure Backup Server to back up a VMware server.
Azure Backup Server and System Center Data Protection Manager

Can I use Azure Backup Server to create a Bare Metal Recovery (BMR ) backup for a physical server?
Yes.
Can I Register my DPM Server to multiple vaults?
No. A DPM or MABS server can be registered to only one vault.
Which version of System Center Data Protection Manager is supported?
We recommend that you install the latest Azure Backup agent on the latest update rollup (UR) for System Center
Data Protection Manager (DPM). As of August 2016, Update Rollup 11 is the latest update.
I have installed Azure Backup agent to protect my files and folders. Can I now install System Center DPM to
work with Azure Backup agent to protect on-premises application/VM workloads to Azure?
To use Azure Backup with System Center Data Protection Manager (DPM), install DPM first and then install Azure
Backup agent. Installing the Azure Backup components in this order ensures the Azure Backup agent works with
DPM. Installing the Azure Backup agent before installing DPM is not advised or supported.
How Azure Backup works

If I cancel a backup job once it has started, is the transferred backup data deleted?
No. All data transferred into the vault, before the backup job was canceled, stays in the vault. Azure Backup uses a
checkpoint mechanism to occasionally add checkpoints to the backup data during the backup. Because there are
checkpoints in the backup data, the next backup process can validate the integrity of the files. The next backup job
will be incremental to the data previously backed up. Incremental backups only transfer new or changed data,
which equates to better utilization of bandwidth.
If you cancel a backup job for an Azure VM, any transferred data is ignored. The next backup job transfers
incremental data from the last successful backup job.
Are there limits on when or how many times a backup job can be scheduled?
Yes. You can run backup jobs on Windows Server or Windows workstations up to three times/day. You can run
backup jobs on System Center DPM up to twice a day. You can run a backup job for IaaS VMs once a day. You can
use the scheduling policy for Windows Server or Windows workstation to specify daily or weekly schedules.
Using System Center DPM, you can specify daily, weekly, monthly, and yearly schedules.
Why is the size of the data transferred to the Recovery Services vault smaller than the data I backed up?
All the data that is backed up from Azure Backup Agent or SCDPM or Azure Backup Server, is compressed and
encrypted before being transferred. Once the compression and encryption is applied, the data in the backup vault
is 30-40% smaller.
What can I back up

Which operating systems do Azure Backup support?
Azure Backup supports the following list of operating systems for backing up: files and folders, and workload
applications protected using Azure Backup Server and System Center Data Protection Manager (DPM).
OPERATING SYSTEM PLATFORM SKU
Windows 8 and latest SPs 64 bit Enterprise, Pro
Windows 7 and latest SPs 64 bit Ultimate, Enterprise, Professional,

Home Premium, Home Basic, Starter
Windows 8.1 and latest SPs 64 bit Enterprise, Pro
Windows 10 64 bit Enterprise, Pro, Home
Windows Server 2016 64 bit Standard, Datacenter, Essentials
Windows Server 2012 R2 and latest 64 bit Standard, Datacenter, Foundation

SPs
Windows Server 2012 and latest SPs 64 bit Datacenter, Foundation, Standard
Windows Storage Server 2016 and 64 bit Standard, Workgroup

latest SPs
Windows Storage Server 2012 R2 and 64 bit Standard, Workgroup

latest SPs

latest SPs
Windows Server 2012 R2 and latest 64 bit Essential

SPs
Windows Server 2008 R2 SP1 64 bit Standard, Enterprise, Datacenter,

Foundation
Windows Server 2008 SP2 64 bit Standard, Enterprise, Datacenter,

Foundation
For Azure VM backup:

Linux: Azure Backup supports a list of distributions that are endorsed by Azure except Core OS Linux. Other
Bring-Your-Own-Linux distributions also might work as long as the VM agent is available on the virtual
machine and support for Python exists.
Windows Server: Versions older than Windows Server 2008 R2 are not supported.
Is there a limit on the size of each data source being backed up?
There is no limit on the amount of data you can back up to a vault. Azure Backup restricts the maximum size for
the data source, however, these limits are large. As of August 2015, the maximum size for a data source for the
supported operating systems is:
S.NO OPERATING SYSTEM MAXIMUM SIZE OF DATA SOURCE
1 Windows Server 2012 or later 54,400 GB
2 Windows 8 or later 54,400 GB
3 Windows Server 2008, Windows Server 1700 GB

2008 R2
4 Windows 7 1700 GB
The following table explains how each data source size is determined.
DATASOURCE DETAILS
Volume The amount of data being backed up from single volume of a

server or client machine
Hyper-V virtual machine Sum of data of all the VHDs of the virtual machine being
backed up
Microsoft SQL Server database Size of single SQL database size being backed up
Microsoft SharePoint Sum of the content and configuration databases within a

SharePoint farm being backed up
Microsoft Exchange Sum of all Exchange databases in an Exchange server being

backed up
BMR/System State Each individual copy of BMR or system state of the machine
being backed up
For Azure VM backup, each VM can have up to 16 data disks with each data disk being of size 1023GB or less.
Retention policy and recovery points

Is there a difference between the retention policy for DPM and Windows Server/client (that is, on Windows
Server without DPM )?
No, both DPM and Windows Server/client have daily, weekly, monthly, and yearly retention policies.
Can I configure my retention policies selectively i.e. configure weekly and daily but not yearly and monthly?
Yes, the Azure Backup retention structure allows you to have full flexibility in defining the retention policy as per
your requirements.
Can I schedule a backup at 6pm and specify retention policies at a different time?
No. Retention policies can only be applied on backup points. In the following image, the retention policy is
specified for backups taken at 12am and 6pm.
If a backup is retained for a long duration, does it take more time to recover an older data point?
No the time to recover the oldest or the newest point is the same. Each recovery point behaves like a full point.
If each recovery point is like a full point, does it impact the total billable backup storage?
Typical long-term retention point products store backup data as full points. The full points are storage inefficient
but are easier and faster to restore. Incremental copies are storage efficient but require you to restore a chain of
data, which impacts your recovery time. Azure Backup storage architecture gives you the best of both worlds by
optimally storing data for fast restores and incurring low storage costs. This data storage approach ensures that
your ingress and egress bandwidth is used efficiently. Both the amount of data storage and the time needed to
recover the data, is kept to a minimum. Learn more on how incremental backups are efficient.
Is there a limit on the number of recovery points that can be created?
You can create up to 9999 recovery points per protected instance. A protected instance is a computer, server
(physical or virtual), or workload configured to back up data to Azure. For more information, see the explanations
of Backup and retention, and What is a protected instance?
How many recoveries can I perform on the data that is backed up to Azure?
There is no limit on the number of recoveries from Azure Backup.
When restoring data, do I pay for the egress traffic from Azure?
No. Your recoveries are free and you are not charged for the egress traffic.
Azure Backup encryption

Is the data sent to Azure encrypted?
Yes. Data is encrypted on the on-premises server/client/SCDPM machine using AES256 and the data is sent over
a secure HTTPS link.
Is the backup data on Azure encrypted as well?
Yes. The data sent to Azure remains encrypted (at rest). Microsoft does not decrypt the backup data at any point.
When backing up an Azure VM, Azure Backup relies on encryption of the virtual machine. For example, if your VM
is encrypted using Azure Disk Encryption, or some other encryption technology, Azure Backup uses that
encryption to secure your data.
What is the minimum length of encryption key used to encrypt backup data?
The encryption key should be at least 16 characters when you are using Azure backup agent. For Azure VMs,
there is no limit to length of keys used by Azure KeyVault.
What happens if I misplace the encryption key? Can I recover the data (or) can Microsoft recover the data?
The key used to encrypt the backup data is present only on the customer premises. Microsoft does not maintain a
copy in Azure and does not have any access to the key. If the customer misplaces the key, Microsoft cannot
recover the backup data.
Questions about the Azure VM Backup service
This article has answers to common questions to help you quickly understand the Azure VM Backup components.
In some of the answers, there are links to the articles that have comprehensive information. You can also post
questions about the Azure Backup service in the discussion forum.
Configure backup
Do Recovery Services vaults support classic VMs or Resource Manager based VMs?
Recovery Services vaults support both models. You can back up a classic VM (created in the Classic portal), or a
Resource Manager VM (created in the Azure portal) to a Recovery Services vault.
What configurations are not supported by Azure VM backup?
Go through Supported operating systems and Limitations of VM backup
Why can't I see my VM in configure backup wizard?
In Configure backup wizard, Azure Backup only lists VMs that are:
Not already protected You can verify the backup status of a VM by going to VM blade and checking Backup
status from Settings Menu . Learn more on how to Check backup status of a VM
Belongs to same region as VM
Backup
Will on-demand backup job follow same retention schedule as scheduled backups?
No. You should specify the retention range for an on-demand backup job. By default, it is retained for 30 days
when triggered from portal.
I recently enabled Azure Disk Encryption on some VMs. Will my backups continue to work?
You need to give permissions for Azure Backup service to access Key Vault. You can provide these permissions in
PowerShell using steps mentioned in Enable Backup section of PowerShell documentation.
I migrated disks of a VM to managed disks. Will my backups continue to work?
Yes, backups work seamlessly and no need to reconfigure backup.
My VM is shut down. Will an on-demand or a scheduled backup work?
Yes. Even when a machine is shut down backups work and the recovery point is marked as Crash consistent. For
more details, see the data consistency section in this article
Restore
How do I decide between restoring disks versus full VM restore?
Think of Azure full VM restore as a quick create option. Restore VM option changes the names of disks, containers
used by those disks, public IP addresses and network interface names. The change is required to maintain the
uniqueness of resources created during VM creation. But it will not add the VM to availability set.
Use restore disks to:
Customize the VM that gets created from point in time configuration like changing the size
Add configurations, which are not present at the time of backup
Control the naming convention for resources getting created
Add VM to availability set
For any other configuration which can be achieved only by using PowerShell/a declarative template definition
Manage VM backups
What happens when I change a backup policy on VM (s)?
When a new policy is applied on VM(s), schedule and retention of the new policy is followed. If retention is
extended, existing recovery points are marked to keep them as per new policy. If retention is reduced, they are
marked for pruning in the next cleanup job and subsequently deleted.
Questions about the Azure Backup agent
This article has answers to common questions to help you quickly understand the Azure Backup agent
components. In some of the answers, there are links to the articles that have comprehensive information. You can
also post questions about the Azure Backup service in the discussion forum.
Configure backup
Where can I download the latest Azure Backup agent?
You can download the latest agent for backing up Windows Server, System Center DPM, or Windows client, from
here. If you want to back up a virtual machine, use the VM Agent (which automatically installs the proper
extension). The VM Agent is already present on virtual machines created from the Azure gallery.
When configuring the Azure Backup agent, I am prompted to enter the vault credentials. Do vault credentials
expire?
Yes, the vault credentials expire after 48 hours. If the file expires, log in to the Azure portal and download the vault
credentials files from your vault.
What types of drives can I back up files and folders from?
You can't back up the following drives/volumes:
Removable Media: All backup item sources must report as fixed.
Read-only Volumes: The volume must be writable for the volume shadow copy service (VSS) to function.
Offline Volumes: The volume must be online for VSS to function.
Network share: The volume must be local to the server to be backed up using online backup.
Bitlocker-protected volumes: The volume must be unlocked before the backup can occur.
File System Identification: NTFS is the only file system supported.
What file and folder types can I back up from my server?
The following types are supported:
Encrypted
Compressed
Sparse
Compressed + Sparse
Hard Links: Not supported, skipped
Reparse Point: Not supported, skipped
Encrypted + Sparse: Not supported, skipped
Compressed Stream: Not supported, skipped
Sparse Stream: Not supported, skipped
Can I install the Azure Backup agent on an Azure VM already backed by the Azure Backup service using the VM
extension?
Absolutely. Azure Backup provides VM-level backup for Azure VMs using the VM extension. To protect files and
folders on the guest Windows OS, install the Azure Backup agent on the guest Windows OS.
Can I install the Azure Backup agent on an Azure VM to back up files and folders present on temporary storage
provided by the Azure VM?
Yes. Install the Azure Backup agent on the guest Windows OS, and back up files and folders to temporary storage.
Backup jobs fail once temporary storage data is wiped out. Also, if the temporary storage data has been deleted,
you can only restore to non-volatile storage.
What's the minimum size requirement for the cache folder?
The size of the cache folder determines the amount of data that you are backing up. Your cache folder should be
5% of the space required for data storage.
How do I register my server to another datacenter?
Backup data is sent to the datacenter of the vault to which it is registered. The easiest way to change the datacenter
is to uninstall the agent and reinstall the agent and register to a new vault that belongs to desired datacenter.
Does the Azure Backup agent work on a server that uses Windows Server 2012 deduplication?
Yes. The agent service converts the deduplicated data to normal data when it prepares the backup operation. It then
optimizes the data for backup, encrypts the data, and then sends the encrypted data to the online backup service.
Backup
How do I change the cache location specified for the Azure Backup agent?
Use the following list to change the cache location.
1. Stop the Backup engine by executing the following command in an elevated command prompt:
PS C:\> Net stop obengine
2. Do not move the files. Instead, copy the cache space folder to a different drive with sufficient space. The
original cache space can be removed after confirming the backups are working with the new cache space.
3. Update the following registry entries with the path to the new cache space folder.
REGISTRY PATH REGISTRY KEY VALUE
ScratchLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows New cache folder location
Azure Backup\Config
ScratchLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows New cache folder location
Azure Backup\Config\CloudBackupProvider
4. Restart the Backup engine by executing the following command in an elevated command prompt:
PS C:\> Net start obengine
Once the backup creation is successfully completed in the new cache location, you can remove the original cache
folder.
Where can I put the cache folder for the Azure Backup Agent to work as expected?
The following locations for the cache folder are not recommended:
Network share or Removable Media: The cache folder must be local to the server that needs backing up using
online backup. Network locations or removable media like USB drives are not supported.
Offline Volumes: The cache folder must be online for expected backup using Azure Backup Agent.
Are there any attributes of the cache -folder that are not supported?
The following attributes or their combinations are not supported for the cache folder:
Encrypted
De-duplicated
Compressed
Sparse
Reparse-Point
The cache folder and the metadata VHD do not have the necessary attributes for the Azure Backup agent.
Is there a way to adjust the amount of bandwidth used by the Backup service?
Yes, use the Change Properties option in the Backup Agent to adjust bandwidth. You can adjust the amount of
bandwidth and the times when you use that bandwidth. For step-by-step instructions, see Enable network
throttling.
Manage backups
What happens if I rename a Windows server that is backing up data to Azure?
When you rename a server, all currently configured backups are stopped. Register the new name of the server with
the Backup vault. When you register the new name with the vault, the first backup operation is a full backup. If you
need to recover data backed up to the vault with the old server name, use the Another server option in the
Recover Data wizard.
What is the maximum file path length that can be specified in Backup policy using Azure Backup agent?
Azure Backup agent relies on NTFS. The filepath length specification is limited by the Windows API. If the files you
want to protect have a file-path length longer than what is allowed by the Windows API, back up the parent folder
or the disk drive.
What characters are allowed in file path of Azure Backup policy using Azure Backup agent?
Azure Backup agent relies on NTFS. It enables NTFS supported characters as part of file specification.
I receive the warning, "Azure Backups have not been configured for this server" even though I configured a
backup policy
This warning occurs when the backup schedule settings stored on the local server are not the same as the settings
stored in the backup vault. When either the server or the settings have been recovered to a known good state, the
backup schedules can lose synchronization. If you receive this warning, reconfigure the backup policy and then
Run Back Up Now to resynchronize the local server with Azure.
Backup vault upgraded to Recovery Services vault
This article provides an overview of what Recovery Services vault provides, frequently asked questions about
upgrading existing Backup vault to Recovery Services vault, and post-upgrade steps. A Recovery Services vault is
the Azure Resource Manager equivalent of a Backup vault that houses your backup data. The data is typically copies
of data, or configuration information for virtual machines (VMs), workloads, servers, or workstations, whether on-
premises or in Azure.
What is a Recovery Services vault?

A Recovery Services vault is an online storage entity in Azure used to hold data such as backup copies, recovery
points, and backup policies. You can use Recovery Services vaults to hold backup data for various Azure services
such as IaaS VMs (Linux or Windows) and Azure SQL databases. Recovery Services vaults support System Center
DPM, Windows Server, Azure Backup Server, and more. Recovery Services vaults make it easy to organize your
backup data, while minimizing management overhead.
Comparing Recovery Services vaults and Backup vaults

Recovery Services vaults are based on the Azure Resource Manager model of Azure, whereas Backup vaults are
based on the Azure Service Manager model. When you upgrade a Backup vault to a Recovery Services vault, the
backup data remains intact during and after the upgrade process. Recovery Services vaults provide features not
available for Backup vaults, such as:
Enhanced capabilities to help secure backup data: With Recovery Services vaults, Azure Backup
provides security capabilities to protect cloud backups. These security features ensure that you can secure
your backups, and safely recover data from cloud backups even if production and backup servers are
compromised. Learn more
Central monitoring for your hybrid IT environment: With Recovery Services vaults, you can monitor not
only your Azure IaaS VMs but also your on-premises assets from a central portal. Learn more
Role-Based Access Control (RBAC): RBAC provides fine-grained access management control in Azure.
Azure provides various built-in roles, and Azure Backup has three built-in roles to manage recovery points.
Recovery Services vaults are compatible with RBAC, which restricts backup and restore access to the defined
set of user roles. Learn more
Protect all configurations of Azure Virtual Machines: Recovery Services vaults protect Resource
Manager-based VMs including Premium Disks, Managed Disks, and Encrypted VMs. Upgrading a Backup
vault to a Recovery Services vault gives you the opportunity to upgrade your Service Manager-based VMs to
Resource Manager-based VMs. While upgrading the vault, you can retain your Service Manager-based VM
recovery points and configure protection for the upgraded (Resource Manager-enabled) VMs. Learn more
Instant restore for IaaS VMs: Using Recovery Services vaults, you can restore files and folders from an IaaS
VM without restoring the entire VM, which enables faster restore times. Instant restore for IaaS VMs is
available for both Windows and Linux VMs. Learn more
NOTE
If you have items registered to a Backup vault with MARS agent earlier than 2.0.9083.0, download the latest MARS agent
version to take the benefits of all the features of Recovery Services vault.
Managing your Recovery Services vaults

The following screens show a new Recovery Services vault, upgraded from Backup vault, in the Azure portal. The
upgraded vault will be present in a default Resource group named Default-RecoveryServices-ResourceGroup-
geo. Example: If your Backup vault was located in West US, it will be put up in a default RG named Default-
RecoveryServices-ResourceGroup-westus.
NOTE
For CPS Standard customers, Resource group is not changed after the vault upgrade and remains the same as it was before
the upgrade.
The first screen shows the vault dashboard that displays key entities for the vault.
The second screen shows the help links available to help you get started using the Recovery Services vault.
Post-upgrade steps
Recovery Services vault supports specifying time zone information in backup policy. After vault is successfully
upgraded, go to Backup policies from vault settings menu and update the time zone information for each of the
policies configured in the vault. This screen already shows the backup schedule time specified as per local time
zone used when you created policy.
Enhanced security
When a Backup vault is upgraded to a Recovery Services vault, the security settings for that vault are automatically
turned on. When the security settings are on, certain operations such as deleting backups, or changing a
passphrase require an Azure Multi-Factor Authentication PIN. For more information on the enhanced security, see
the article Security features to protect hybrid backups. When the enhanced security is turned on, data is retained up
to 14 days after the recovery point information has been deleted from the vault. Customers are billed for storage of
this security data. Security data retention applies to recovery points taken for the Azure Backup agent, Azure Backup
Server, and System Center Data Protection Manager.
Gather data on your vault

Once you upgrade to a Recovery Services vault, configure reports for Azure Backup (for IaaS VMs and Microsoft
Azure Recovery Services agent), and use Power BI to access the reports. For additional information on gathering
data, see the article, Configure Azure Backup reports.
Frequently asked questions

Does the upgrade plan affect my ongoing backups?
No. Your ongoing backups continue uninterrupted during and after upgrade.
What does this upgrade mean for my existing tooling?
You must update your existing automation or tooling to the Resource Manager deployment model to ensure that it
continues to work after the upgrade. Consult the PowerShell cmdlets references for the Service Manager
deployment model and the Resource Manager deployment model.
Can I roll back after upgrade?
No. Rollback is not supported after the resources have been successfully upgraded.
Can I view my classic vault post upgrade?
No. You cannot view or manage your classic vault post upgrade. You will only be able to use the new Azure portal
for all management actions on the vault.
Why cant I see servers protected by MARS agent in my upgraded vault?
You need to install the latest MARS agent to see all the servers protected by MARS agent in your vault. You can
download the latest version of the agent from here.
I cant see Backup policy for the servers protected by MARS agent after the upgrade
Vaults backup policy might be out of date and therefore could not be synced to the upgraded vault. Please update
the policy to ensure you continue to see your policies in the upgraded vault. To update the policy, go to MARS
agent and update the configured backup policy.
Why cant I update my Backup policy after the upgrade?
This happens when you are on an old backup agent and select the minimum retention period to be less than the
allowed minimum value. When a Backup vault is upgraded to a Recovery Services vault, the security settings for
that vault are automatically turned on. To ensure that there are always a valid number of recovery points available,
there is some minimum retention period that needs to be maintained as per the security feature. For more details,
refer here. Also, you need to update your Azure Backup agents to latest version to take the benefits of the latest
features of Azure Backup.
I have updated my agent, but I still cant see any objects being synced even days after the upgrade
Please check if you have registered the same machine to multiple vaults. Ensure that you are looking at the same
vault to which the MARS Agent is registered. To find out which vault your MARS Agent is registered to, open the
Windows Registry and check the value for ServiceResourceName key under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Azure Backup\Config The vault registered to that MARS
agent will appear there. If the ServiceResourceName key is not visible in your system, reach out to us with the value
of the ResourceId and MachineId keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Azure
Backup\Config and we will help you resolve the issue.
Why can't I see the jobs information for my resources after upgrade?
Monitoring for backups (MARS agent and IaaS) is a new feature that you get when you upgrade your Backup vault
to Recovery Services vault. The monitoring information takes up to 12 hours to sync with the service.
How do I report an issue?
If any portion of the vault upgrade fails, note the OperationId listed in the error. Microsoft Support will proactively
work to resolve the issue. You can reach out to Support or email us at rsvaultupgrade@service.microsoft.com with
your Subscription ID, vault name and OperationId. We will attempt to resolve the issue as quickly as possible. Do
not retry the operation unless explicitly instructed to do so by Microsoft.
Next steps
Use the following articles for:
Back up an IaaS VM
Back up an Azure Backup Server
Back up a Windows Server
Use Role-Based Access Control to manage Azure
Backup recovery points
Azure Role-Based Access Control (RBAC) enables fine-grained access management for Azure. Using RBAC, you can
segregate duties within your team and grant only the amount of access to users that they need to perform their
jobs.
IMPORTANT
Roles provided by Azure Backup are limited to actions that can be performed in Azure portal or Recovery Services vault
PowerShell cmdlets. Actions performed in Azure backup Agent Client UI or System center Data Protection Manager UI or
Azure Backup Server UI are out of control of these roles.
Azure Backup provides 3 built-in roles to control backup management operations. Learn more on Azure RBAC
built-in roles
Backup Contributor - This role has all permissions to create and manage backup except creating Recovery
Services vault and giving access to others. Imagine this role as admin of backup management who can do
every backup management operation.
Backup Operator - This role has permissions to everything a contributor does except removing backup and
managing backup policies. This role is equivalent to contributor except it can't perform destructive operations
such as stop backup with delete data or remove registration of on-premises resources.
Backup Reader - This role has permissions to view all backup management operations. Imagine this role to be a
monitoring person.
If you're looking to define your own roles for even more control, see how to build Custom roles in Azure RBAC.
Mapping Backup built-in roles to backup management actions

The following table captures the Backup management actions and corresponding minimum RBAC role required to
perform that operation.
MANAGEMENT OPERATION MINIMUM RBAC ROLE REQUIRED
Create Recovery Services vault Contributor on Resource group of vault
Enable backup of Azure VMs Backup Operator on vault, Virtual machine contributor on
VMs
On-demand backup of VM Backup operator
Restore VM Backup operator, Resource group contributor in which VM

and Vnets are going to get deployed
Restore disks, individual files from VM backup Backup operator, Virtual machine contributor on VMs
Create backup policy for Azure VM backup Backup contributor

MANAGEMENT OPERATION MINIMUM RBAC ROLE REQUIRED
Modify backup policy of Azure VM backup Backup contributor
Delete backup policy of Azure VM backup Backup contributor
Stop backup (with retain data or delete data) on VM backup Backup contributor
Register on-premises Windows Server/client/SCDPM or Azure Backup operator

Backup Server
Delete registered on-premises Windows Server/client/SCDPM Backup contributor

or Azure Backup Server
Next steps
Role Based Access Control: Get started with RBAC in the Azure portal.
Learn how to manage access with:
PowerShell
Azure CLI
REST API
Role-Based Access Control troubleshooting: Get suggestions for fixing common issues.
Security features to help protect hybrid backups that
use Azure Backup
Concerns about security issues, like malware, ransomware, and intrusion, are increasing. These security issues can
be costly, in terms of both money and data. To guard against such attacks, Azure Backup now provides security
features to help protect hybrid backups. This article covers how to enable and use these features, by using an
Azure Recovery Services agent and Azure Backup Server. These features include:
Prevention. An additional layer of authentication is added whenever a critical operation like changing a
passphrase is performed. This validation is to ensure that such operations can be performed only by users who
have valid Azure credentials.
Alerting. An email notification is sent to the subscription admin whenever a critical operation like deleting
backup data is performed. This email ensures that the user is notified quickly about such actions.
Recovery. Deleted backup data is retained for an additional 14 days from the date of the deletion. This ensures
recoverability of the data within a given time period, so there is no data loss even if an attack happens. Also, a
greater number of minimum recovery points are maintained to guard against corrupt data.
NOTE
Security features should not be enabled if you are using infrastructure as a service (IaaS) VM backup. These features are not
yet available for IaaS VM backup, so enabling them will not have any impact. Security features should be enabled only if you
are using:
Azure Backup agent. Minimum agent version 2.0.9052. After you have enabled these features, you should upgrade to
this agent version to perform critical operations.
Azure Backup Server. Minimum Azure Backup agent version 2.0.9052 with Azure Backup Server update 1.
System Center Data Protection Manager. Minimum Azure Backup agent version 2.0.9052 with Data Protection
Manager 2012 R2 UR12 or Data Protection Manager 2016 UR2.
NOTE
These features are available only for Recovery Services vault. All the newly created Recovery Services vaults have these
features enabled by default. For existing Recovery Services vaults, users enable these features by using the steps mentioned
in the following section. After the features are enabled, they apply to all the Recovery Services agent computers, Azure
Backup Server instances, and Data Protection Manager servers registered with the vault. Enabling this setting is a one-time
action, and you cannot disable these features after enabling them.
Enable security features

If you are creating a Recovery Services vault, you can use all the security features. If you are working with an
existing vault, enable security features by following these steps:
1. Sign in to the Azure portal by using your Azure credentials.
2. Select Browse, and type Recovery Services.
The list of recovery services vaults appears. From this list, select a vault. The selected vault dashboard
opens.
3. From the list of items that appears under the vault, under Settings, click Properties.
4. Under Security Settings, click Update.

The update link opens the Security Settings blade, which provides a summary of the features and lets you
enable them.
5. From the drop-down list Have you configured Azure Multi-Factor Authentication?, select a value to
confirm if you have enabled Azure Multi-Factor Authentication. If it is enabled, you are asked to
authenticate from another device (for example, a mobile phone) while signing in to the Azure portal.
When you perform critical operations in Backup, you have to enter a security PIN, available on the Azure
portal. Enabling Azure Multi-Factor Authentication adds a layer of security. Only authorized users with valid
Azure credentials, and authenticated from a second device, can access the Azure portal.
6. To save security settings, select Enable and click Save. You can select Enable only after you select a value
from the Have you configured Azure Multi-Factor Authentication? list in the previous step.
Recover deleted backup data
Backup retains deleted backup data for an additional 14 days, and does not delete it immediately if the Stop
backup with delete backup data operation is performed. To restore this data in the 14-day period, take the
following steps, depending on what you are using:
For Azure Recovery Services agent users:
1. If the computer where backups were happening is still available, use Recover data to the same machine in
Azure Recovery Services, to recover from all the old recovery points.
2. If this computer is not available, use Recover to an alternate machine to use another Azure Recovery Services
computer to get this data.
For Azure Backup Server users:
1. If the server where backups were happening is still available, re-protect the deleted data sources, and use the
Recover Data feature to recover from all the old recovery points.
2. If this server is not available, use Recover data from another Azure Backup Server to use another Azure Backup
Server instance to get this data.
For Data Protection Manager users:
1. If the server where backups were happening is still available, re-protect the deleted data sources, and use the
Recover Data feature to recover from all the old recovery points.
2. If this server is not available, use Add External DPM to use another Data Protection Manager server to get this
data.
Prevent attacks
Checks have been added to make sure only valid users can perform various operations. These include adding an
extra layer of authentication, and maintaining a minimum retention range for recovery purposes.
Authentication to perform critical operations
As part of adding an extra layer of authentication for critical operations, you are prompted to enter a security PIN
when you perform Stop Protection with Delete data and Change Passphrase operations.
To receive this PIN:
1. Sign in to the Azure portal.
2. Browse to Recovery Services vault > Settings > Properties.
3. Under Security PIN, click Generate. This opens a blade that contains the PIN to be entered in the Azure
Recovery Services agent user interface. This PIN is valid for only five minutes, and it gets generated
automatically after that period.
Maintain a minimum retention range
To ensure that there are always a valid number of recovery points available, the following checks have been
added:
For daily retention, a minimum of seven days of retention should be done.
For weekly retention, a minimum of four weeks of retention should be done.
For monthly retention, a minimum of three months of retention should be done.
For yearly retention, a minimum of one year of retention should be done.
Notifications for critical operations

Typically, when a critical operation is performed, the subscription admin is sent an email notification with details
about the operation. You can configure additional email recipients for these notifications by using the Azure
portal.
The security features mentioned in this article provide defense mechanisms against targeted attacks. More
importantly, if an attack happens, these features give you the ability to recover your data.
Troubleshooting errors
OPERATION ERROR DETAILS RESOLUTION
Policy change The backup policy could not be Cause:

modified. Error: The current operation This error comes when security settings
failed due to an internal service error are enabled, you try to reduce
[0x29834]. Please retry the operation retention range below the minimum
after sometime. If the issue persists, values specified above and you are on
please contact Microsoft support. unsupported version (supported
versions are specified in first note of
this article).
Recommended Action:
In this case, you should set retention
period above the minimum retention
period specified (seven days for daily,
four weeks for weekly, three weeks for
monthly or one year for yearly) to
proceed with policy related udpates.
Optionally, preferred approach would
be to update backup agent, Azure
Backup Server and/or DPM UR to
leverage all the security updates.
Change Passphrase Security PIN entered is incorrect. (ID: Cause:

100130) Provide the correct Security This error comes when you enter
PIN to complete this operation. invalid or expired Security PIN while
performing critical operation (like
change passphrase).
Recommended Action:
To complete the operation, you must
enter valid Security PIN. To get the PIN,
log in to Azure portal and navigate to
Recovery Services vault > Settings >
Properties > Generate Security PIN.
Use this PIN to change passphrase.
Change Passphrase Operation failed. ID: 120002 Cause:

This error comes when security settings
are enabled, you try to change
passphrase and you are on
unsupported version (valid versions
specified in first note of this article).
Recommended Action:
To change passphrase, you must first
update backup agent to minimum
version minimum 2.0.9052, Azure
Backup server to minimum update 1,
and/or DPM to minimum DPM 2012
R2 UR12 or DPM 2016 UR2 (download
links below), then enter valid Security
PIN. To get the PIN, log in to Azure
portal and navigate to Recovery
Services vault > Settings > Properties >
Generate Security PIN. Use this PIN to
change passphrase.
Next steps
Get started with Azure Recovery Services vault to enable these features.
Download the latest Azure Recovery Services agent to help protect Windows computers and guard your
backup data against attacks.
Download the latest Azure Backup Server to help protect workloads and guard your backup data against
attacks.
Download UR12 for System Center 2012 R2 Data Protection Manager or download UR2 for System Center
2016 Data Protection Manager to help protect workloads and guard your backup data against attacks.
Offline-backup workflow in Azure Backup
Azure Backup has several built-in efficiencies that save network and storage costs during the initial full backups of
data to Azure. Initial full backups typically transfer large amounts of data and require more network bandwidth
when compared to subsequent backups that transfer only the deltas/incrementals. Azure Backup compresses the
initial backups. Through the process of offline seeding, Azure Backup can use disks to upload the compressed
initial backup data offline to Azure.
The offline-seeding process of Azure Backup is tightly integrated with the Azure Import/Export service that enables
you to transfer data to Azure by using disks. If you have terabytes (TBs) of initial backup data that needs to be
transferred over a high-latency and low-bandwidth network, you can use the offline-seeding workflow to ship the
initial backup copy on one or more hard drives to an Azure datacenter. This article provides an overview of the
steps that complete this workflow.
Overview
With the offline-seeding capability of Azure Backup and Azure Import/Export, it is simple to upload the data offline
to Azure by using disks. Instead of transferring the initial full copy over the network, the backup data is written to a
staging location. After the copy to the staging location is completed by using the Azure Import/Export tool, this
data is written to one or more SATA drives, depending on the amount of data. These drives are eventually shipped
to the nearest Azure datacenter.
The August 2016 update of Azure Backup (and later) includes the Azure Disk Preparation tool, named
AzureOfflineBackupDiskPrep, that:
Helps you prepare your drives for Azure Import by using the Azure Import/Export tool.
Automatically creates an Azure Import job for the Azure Import/Export service on the Azure classic portal as
opposed to creating the same manually with older versions of Azure Backup.
After the upload of the backup data to Azure is finished, Azure Backup copies the backup data to the backup vault
and the incremental backups are scheduled.
NOTE
To use the Azure Disk Preparation tool, ensure that you have installed the August 2016 update of Azure Backup (or later),
and perform all the steps of the workflow with it. If you are using an older version of Azure Backup, you can prepare the
SATA drive by using the Azure Import/Export tool as detailed in later sections of this article.
Prerequisites
Familiarize yourself with the Azure Import/Export workflow.
Before initiating the workflow, ensure the following:
An Azure Backup vault has been created.
Vault credentials have been downloaded.
The Azure Backup agent has been installed on either Windows Server/Windows client or System Center
Data Protection Manager server, and the computer is registered with the Azure Backup vault.
Download the Azure Publish file settings on the computer from which you plan to back up your data.
Prepare a staging location, which might be a network share or additional drive on the computer. The staging
location is transient storage and is used temporarily during this workflow. Ensure that the staging location has
enough disk space to hold your initial copy. For example, if you are trying to back up a 500-GB file server,
ensure that the staging area is at least 500 GB. (A smaller amount is used due to compression.)
Make sure that youre using a supported drive. Only 2.5 inch SSD, or 2.5 or 3.5-inch SATA II/III internal hard
drives are supported for use with the Import/Export service. You can use hard drives up to 10 TB. Check the
Azure Import/Export service documentation for the latest set of drives that the service supports.
Enable BitLocker on the computer to which the SATA drive writer is connected.
Download the Azure Import/Export tool to the computer to which the SATA drive writer is connected. This step
is not required if you have downloaded and installed the August 2016 update of Azure Backup (or later).
Workflow
The information in this section helps you complete the offline-backup workflow so that your data can be delivered
to an Azure datacenter and uploaded to Azure Storage. If you have questions about the Import service or any
aspect of the process, see the Import service overview documentation referenced earlier.
Initiate offline backup
1. When you schedule a backup, you see the following screen (in Windows Server, Windows client, or System
Center Data Protection Manager).
Here's the corresponding screen in System Center Data Protection Manager:

The description of the inputs is as follows:
Staging Location: The temporary storage location to which the initial backup copy is written. This might
be on a network share or a local computer. If the copy computer and source computer are different, we
recommended that you specify the full network path of the staging location.
Azure Import Job Name: The unique name by which Azure Import service and Azure Backup track the
transfer of data sent on disks to Azure.
Azure Publish Settings: An XML file that contains information about your subscription profile. It also
contains secure credentials that are associated with your subscription. You can download the file.
Provide the local path to the publish settings file.
Azure Subscription ID: The Azure subscription ID for the subscription where you plan to initiate the
Azure Import job. If you have multiple Azure subscriptions, use the ID of the subscription that you want
to associate with the import job.
Azure Storage Account: The classic type storage account in the provided Azure subscription that will
be associated with the Azure Import job.
Azure Storage Container: The name of the destination storage blob in the Azure storage account
where this jobs data is imported.
NOTE
If you have registered your server to an Azure Recovery Services vault from the Azure portal for your
backups and are not on a Cloud Solution Provider (CSP) subscription, you can still create a classic type
storage account from the Azure portal and use it for the offline-backup workflow.
Save all this information because you need to enter it again in following steps. Only the staging
location is required if you used the Azure Disk Preparation tool to prepare the disks.
2. Complete the workflow, and then select Back Up Now in the Azure Backup management console to initiate
the offline-backup copy. The initial backup is written to the staging area as part of this step.
To complete the corresponding workflow in System Center Data Protection Manager, right-click the
Protection Group, and then choose the Create recovery point option. You then choose the Online
Protection option.
After the operation finishes, the staging location is ready to be used for disk preparation.
Prepare a SATA drive and create an Azure Import job by using the Azure Disk Preparation tool
The Azure Disk Preparation tool is available in installation directory of the Recovery Services agent (August 2016
update and later) in the following path.
\Microsoft Azure Recovery Services Agent\Utils\
1. Go to the directory, and copy the AzureOfflineBackupDiskPrep directory to a copy computer on which
the drives to be prepared are mounted. Ensure the following with regard to the copy computer:
The copy computer can access the staging location for the offline-seeding workflow by using the same
network path that was provided in the Initiate offline backup workflow.
BitLocker is enabled on the computer.
The computer can access the Azure portal.
If necessary, the copy computer can be the same as the source computer.
2. Open an elevated command prompt on the copy computer with the Azure Disk Preparation tool directory
as the current directory, and run the following command:
*.\AzureOfflineBackupDiskPrep.exe* s:<*Staging Location Path*> [p:<*Path to PublishSettingsFile*>]
PARAMETER DESCRIPTION
s:<Staging Location Path> Mandatory input that's used to provide the path to the
staging location that you entered in the Initiate offline
backup workflow.
p:<Path to PublishSettingsFile> Optional input that's used to provide the path to the
Azure Publish Settings file that you entered in the
Initiate offline backup workflow.
NOTE
The <Path to PublishSettingFile> value is mandatory when the copy computer and source computer are different.
When you run the command, the tool requests the selection of the Azure Import job that corresponds to the
drives that need to be prepared. If only a single import job is associated with the provided staging location,
you see a screen like the one that follows.
3. Enter the drive letter without the trailing colon for the mounted disk that you want to prepare for transfer to
Azure. Provide confirmation for the formatting of the drive when prompted.
The tool then begins to prepare the disk with the backup data. You may need to attach additional disks
when prompted by the tool in case the provided disk does not have sufficient space for the backup data.
At the end of successful execution of the tool, one or more disks that you provided are prepared for
shipping to Azure. In addition, an import job with the name you provided during the Initiate offline
backup workflow is created on the Azure classic portal. Finally, the tool displays the shipping address to the
Azure datacenter where the disks need to be shipped and the link to locate the import job on the Azure
classic portal.
4. Ship the disks to the address that the tool provided and keep the tracking number for future reference.
5. When you go to the link that the tool displayed, you see the Azure storage account that you specified in the
Initiate offline backup workflow. Here you can see the newly created import job on the
IMPORT/EXPORT tab of the storage account.
6. Click SHIPPING INFO at the bottom of the page to update your contact details as shown in the following
screen. Microsoft uses this info to ship your disks back to you after the import job is finished.
7. Enter the shipping details on the next screen. Provide the Delivery Carrier and Tracking Number details
that correspond to the disks that you shipped to the Azure datacenter.
Complete the workflow
After the import job finishes, initial backup data is available in your storage account. The Recovery Services agent
then copies the contents of the data from this account to the Backup vault or Recovery Services vault, whichever is
applicable. In the next scheduled backup time, the Azure Backup agent performs the incremental backup over the
initial backup copy.
NOTE
The following sections apply to users of earlier versions of Azure Backup who do not have access to the Azure Disk
Preparation tool.
Prepare a SATA drive

1. Download the Microsoft Azure Import/Export Tool to the copy computer. Ensure that the staging location is
accessible from the computer in which you plan to run the next set of commands. If necessary, the copy
computer can be the same as the source computer.
2. Unzip the WAImportExport.zip file. Run the WAImportExport tool that formats the SATA drive, writes the
backup data to the SATA drive, and encrypts it. Before you run the following command, ensure that
BitLocker is enabled on the computer.
*.\WAImportExport.exe PrepImport /j:<*JournalFile*>.jrn /id: <*SessionId*> /sk:<*StorageAccountKey*>
/BlobType:**PageBlob** /t:<*TargetDriveLetter*> /format /encrypt /srcdir:<*staging location*> /dstdir:
<*DestinationBlobVirtualDirectory*>/*
NOTE
If you have installed the August 2016 update of Azure Backup (or later), ensure that the staging location that you
entered is the same as the one on the Back Up Now screen and contains AIB and Base Blob files.
/j:<JournalFile> The path to the journal file. Each drive must have exactly one
journal file. The journal file must not be on the target drive.
The journal file extension is .jrn and is created as part of
running this command.
/id:<SessionId> The session ID identifies a copy session. It is used to ensure

accurate recovery of an interrupted copy session. Files that are
copied in a copy session are stored in a directory named after
the session ID on the target drive.
/sk:<StorageAccountKey> The account key for the storage account to which the data is
imported. The key needs to be the same as it was entered
during backup policy/protection group creation.
/BlobType The type of blob. This workflow succeeds only if PageBlob is

specified. This is not the default option and should be
mentioned in this command.
/t:<TargetDriveLetter> The drive letter without the trailing colon of the target hard
drive for the current copy session.
/format The option to format the drive. Specify this parameter when
the drive needs to be formatted; otherwise, omit it. Before the
tool formats the drive, it prompts for a confirmation from the
console. To suppress the confirmation, specify the /silentmode
parameter.
/encrypt The option to encrypt the drive. Specify this parameter when
the drive has not yet been encrypted with BitLocker and
needs to be encrypted by the tool. If the drive has already
been encrypted with BitLocker, omit this parameter, specify
the /bk parameter, and provide the existing BitLocker key. If
you specify the /format parameter, you must also specify the
/encrypt parameter.
/srcdir:<SourceDirectory> The source directory that contains files to be copied to the

target drive. Ensure that the specified directory name has a
full rather than relative path.
/dstdir:<DestinationBlobVirtualDirectory> The path to the destination virtual directory in your Azure

storage account. Be sure to use valid container names when
you specify the destination virtual directories or blobs. Keep in
mind that container names must be lowercase. This container
name should be the one that you entered during backup
policy/protection group creation.
NOTE
A journal file is created in the WAImportExport folder that captures the entire information of the workflow. You need this file
when you create an import job in the Azure portal.
Create an import job in the Azure portal
1. Go to your storage account in the Azure classic portal, click Import/Export, and then Create Import Job in
the task pane.
2. In step 1 of the wizard, indicate that you have prepared your drive and that you have the drive journal file
available.
3. In step 2 of the wizard, provide contact information for the person who's responsible for this import job.
4. In step 3, upload the drive journal files that you obtained in the previous section.
5. In step 4, enter a descriptive name for the import job that you entered during backup policy/protection
group creation. The name that you enter may contain only lowercase letters, numbers, hyphens, and
underscores, must start with a letter, and cannot contain spaces. The name that you choose is used to track
your jobs while they are in progress and after they are completed.
6. Next, select your datacenter region from the list. The datacenter region indicates the datacenter and address
to which you must ship your package.
7. In step 5, select your return carrier from the list, and enter your carrier account number. Microsoft uses this
account to ship your drives back to you after your import job is completed.
8. Ship the disk and enter the tracking number to track the status of the shipment. After the disk arrives in the
datacenter, it is copied to the storage account, and the status is updated.
Complete the workflow

After the initial backup data is available in your storage account, the Microsoft Azure Recovery Services agent
copies the contents of the data from this account to the Backup vault or Recovery Services vault, whichever is
applicable. In the next schedule backup time, the Azure Backup agent performs the incremental backup over the
initial backup copy.
Next steps
For any questions on the Azure Import/Export workflow, refer to Use the Microsoft Azure Import/Export service
to transfer data to Blob storage.
Refer to the offline-backup section of the Azure Backup FAQ for any questions about the workflow.
Move your long-term storage from tape to the
Azure cloud
Azure Backup and System Center Data Protection Manager customers can:
Back up data in schedules which best suit the organizational needs.
Retain the backup data for longer periods
Make Azure a part of their long-term retention needs (instead of tape).
This article explains how customers can enable backup and retention policies. Customers who use tapes to address
their long-term-retention needs now have a powerful and viable alternative with the availability of this feature.
The feature is enabled in the latest release of the Azure Backup (which is available here). System Center DPM
customers must update to, at least, DPM 2012 R2 UR5 before using DPM with the Azure Backup service.
What is the Backup Schedule?

The backup schedule indicates the frequency of the backup operation. For example, the settings in the following
screen indicate that backups are taken daily at 6pm and at midnight.
Customers can also schedule a weekly backup. For example, the settings in the following screen indicate that
backups are taken every alternate Sunday & Wednesday at 9:30AM and 1:00AM.
What is the Retention Policy?
The retention policy specifies the duration for which the backup must be stored. Rather than just specifying a flat
policy for all backup points, customers can specify different retention policies based on when the backup is taken.
For example, the backup point taken daily, which serves as an operational recovery point, is preserved for 90 days.
The backup point taken at the end of each quarter for audit purposes is preserved for a longer duration.
The total number of retention points specified in this policy is 90 (daily points) + 40 (one each quarter for 10
years) = 130.
Example Putting both together
1. Daily retention policy: Backups taken daily are stored for seven days.
2. Weekly retention policy: Backups taken every day at midnight and 6PM Saturday are preserved for four
weeks
3. Monthly retention policy: Backups taken at midnight and 6pm on the last Saturday of each month are
preserved for 12 months
4. Yearly retention policy: Backups taken at midnight on the last Saturday of every March are preserved for 10
years
The total number of retention points (points from which a customer can restore data) in the preceding diagram
is computed as follows:
two points per day for seven days = 14 recovery points
two points per week for four weeks = 8 recovery points
two points per month for 12 months = 24 recovery points
one point per year per 10 years = 10 recovery points
The total number of recovery points is 56.
NOTE
Azure backup doesn't have a restriction on number of recovery points.
Advanced configuration
By clicking Modify in the preceding screen, customers have further flexibility in specifying retention schedules.
Next Steps
For more information about Azure Backup, see:
Introduction to Azure Backup
Try Azure Backup
Azure Backup Server protection matrix
This article lists the various servers and workloads that you can protect with Azure Backup Server. The following
matrix lists what can be protected with Azure Backup Server v1 and v2.
Protection support matrix

AZURE BACKUP
SERVER AZURE BACKUP AZURE BACKUP PROTECTION AND
WORKLOAD VERSION INSTALLATION SERVER V2 SERVER V1 RECOVERY
System Center VMM 2016, Physical server Y Y All deployment

VMM VMM 2012, SP1, scenarios:
R2 Hyper-V virtual Database
machine
Client computers Windows 10 Physical server Y Y Files

(64-bit and 32-
bit) Hyper-V virtual Protected
machine volumes must be
NTFS. FAT and
VMware virtual FAT32 aren't
machine supported.
Volumes must be
at least 1 GB.
DPM uses
Volume Shadow
Copy Service
(VSS) to take the
data snapshot
and the snapshot
only works if the
volume is at least
1 GB.
Client computers Windows 8.1 Physical server Y Y Files

(64-bit and 32-
bit) Hyper-V virtual Protected
machine volumes must be
NTFS. FAT and
FAT32 aren't
supported.
Volumes must be
at least 1 GB.
DPM uses
Volume Shadow
Copy Service
(VSS) to take the
data snapshot
and the snapshot
only works if the
volume is at least
1 GB.
AZURE BACKUP
Client computers Windows 8.1 Windows virtual Y Y Files

(64-bit and 32- machine in
bit) VMWare Protected
(protects volumes must be
workloads NTFS and at least
running in 1 GB.
Windows virtual
machine in
VMWare)

(64-bit and 32-
bit) On-premises Protected
Hyper-V virtual volumes must be
machine NTFS and at least
1 GB.
Client computers Windows 8 Windows virtual Y Y Files

running in 1 GB.
Windows virtual
machine in
VMWare)

(64-bit and 32-
1 GB.
Client computers Windows 7 Windows virtual Y Y Files

running in 1 GB.
Windows virtual
machine in
VMWare)
Client computers Windows Vista Physical server Y Y Files

(64-bit and 32- with SP2
1 GB.

(64-bit and 32- with SP1
1 GB.
AZURE BACKUP

(64-bit and 32-
1 GB.
Client computers Windows Vista Physical server Y Y Volume, share,

(64-bit and 32- folder, file,
bit) On-premises system
Hyper-V virtual state/bare metal),
machine deduped
volumes
Servers (32-bit Windows Server Azure virtual Y N Volume, share,

and 64-bit) 2016 machine (when folder, file,
workload is Not Nano server system
running as Azure state/bare metal),
virtual machine) deduped
volumes
Windows virtual
machine in
VMWare
(protects
workloads
running in
Windows virtual
machine in
VMWare)
Physical server
On-premises
Hyper-V virtual
machine
Servers (32-bit Windows Server Azure virtual Y Y Volume, share,

and 64-bit) 2012 R2 - machine (when folder, file
Datacenter and workload is
Standard running as Azure DPM must be
virtual machine) running on at
least Windows
Server 2012 R2
to protect
Windows Server
2012 deduped
volumes.
AZURE BACKUP
Servers (32-bit Windows Server Windows virtual Y Y Volume, share,

and 64-bit) 2012 R2 - machine in folder, file,
Datacenter and VMWare system
Standard (protects state/bare metal)
workloads
running in DPM must be
Windows virtual running on
machine in Windows Server
VMWare) 2012 or 2012 R2
to protect
Windows Server
2012 deduped
volumes.
Servers (32-bit Windows Server Physical server Y Y Volume, share,

and 64-bit) 2012/2012 with folder, file,
SP1 - Datacenter On-premises system
and Standard Hyper-V virtual state/bare metal
machine
DPM must be
running on at
least Windows
Server 2012 R2
to protect
Windows Server
2012 deduped
volumes.

and 64-bit) 2012/2012 with machine (when folder, file
SP1 - Datacenter workload is
and Standard running as Azure DPM must be
virtual machine) running on at
least Windows
Server 2012 R2
to protect
Windows Server
2012 deduped
volumes.

and 64-bit) 2012/2012 with machine in folder, file,
SP1 - Datacenter VMWare system
and Standard (protects state/bare metal
workloads
running in DPM must be
Windows virtual running on at
machine in least Windows
VMWare) Server 2012 R2
to protect
Windows Server
2012 deduped
volumes.
AZURE BACKUP

and 64-bit) 2008 R2 SP1 - folder, file,
Standard and On-premises You need to be system
Enterprise Hyper-V virtual running SP1 and state/bare metal
machine install Windows
Management
Frame 4.0

and 64-bit) 2008 R2 SP1 - machine (when folder, file
Standard and workload is You need to be
Enterprise running as Azure running SP1 and
virtual machine) install Windows
Management
Frame 4.0

and 64-bit) 2008 R2 SP1 - machine in folder, file,
Standard and VMWare You need to be system
Enterprise (protects running SP1 and state/bare metal
workloads install Windows
running in Management
Windows virtual Frame 4.0
machine in
VMWare)

and 64-bit) 2008 R2 folder, file,
On-premises system
Hyper-V virtual state/bare metal
machine
Servers (32-bit Windows Server Azure virtual N Y Volume, share,

and 64-bit) 2008 R2 machine (when folder, file
workload is
running as Azure
virtual machine)
Servers (32-bit Windows Server Windows virtual N Y Volume, share,

and 64-bit) 2008 R2 machine in folder, file,
VMWare system
(protects state/bare metal
workloads
running in
Windows virtual
machine in
VMWare)
Servers (32-bit Windows Server Physical server N Y Volume, share,

and 64-bit) 2008 folder, file,
On-premises system
machine
AZURE BACKUP

and 64-bit) 2008 machine in folder, file,
VMWare system
(protects state/bare metal
workloads
running in
Windows virtual
machine in
VMWare)
Servers (32-bit Windows Storage Physical server Y Y Volume, share,

and 64-bit) Server 2008 folder, file,
On-premises system
machine
SQL Server SQL Server 2016 Physical server Y N All deployment

scenarios:
On-premises database
Hyper-V virtual
machine
Azure virtual
machine
Windows virtual
machine in
VMWare
(protects
workloads
running in
Windows virtual
machine in
VMWare)
SQL Server SQL Server 2014 Azure virtual Y Y All deployment

machine (when scenarios:
workload is database
running as Azure
virtual machine)
SQL Server SQL Server 2014 Windows virtual Y Y All deployment

machine in scenarios:
VMWare database
(protects
workloads
running in
Windows virtual
machine in
VMWare)
SQL Server SQL Server 2012 Physical server Y Y All deployment

with SP2 scenarios:
Hyper-V virtual
machine
AZURE BACKUP

with SP2 machine (when scenarios:
running as Azure
virtual machine)

with SP2 machine in scenarios:
VMWare database
(protects
workloads
running in
Windows virtual
machine in
VMWare)
SQL Server SQL Server 2012, Physical server Y Y All deployment

SQL Server 2012 scenarios:
with SP1 On-premises database
Hyper-V virtual
machine
SQL Server SQL Server 2012, Azure virtual Y Y All deployment

SQL Server 2012 machine (when scenarios:
with SP1 workload is database
running as Azure
virtual machine)
SQL Server SQL Server 2012, Windows virtual Y Y All deployment

SQL Server 2012 machine in scenarios:
with SP1 VMWare database
(protects
workloads
running in
Windows virtual
machine in
VMWare)

R2 scenarios:
Hyper-V virtual
machine

R2 machine (when scenarios:
running as Azure
virtual machine)
AZURE BACKUP

R2 machine in scenarios:
VMWare database
(protects
workloads
running in
Windows virtual
machine in
VMWare)

scenarios:
Hyper-V virtual
machine

machine (when scenarios:
running as Azure
virtual machine)

machine in scenarios:
VMWare database
(protects
workloads
running in
Windows virtual
machine in
VMWare)
Exchange Exchange 2016 Physical server Y Y Protect (all

deployment
On-premises scenarios):
Hyper-V virtual Standalone
machine Exchange server,
database under a
database
availability group
(DAG)
Recover (all
deployment
scenarios):
Mailbox, mailbox
databases under
a DAG
AZURE BACKUP
Exchange Exchange 2016 Windows virtual Y Y Protect (all

machine in deployment
VMWare scenarios):
(protects Standalone
workloads Exchange server,
running in database under a
Windows virtual database
machine in availability group
VMWare) (DAG)
Recover (all
deployment
scenarios):
Mailbox, mailbox
databases under
a DAG

deployment
database under a
database
availability group
(DAG)
Recover (all
deployment
scenarios):
Mailbox, mailbox
databases under
a DAG

VMWare scenarios):
VMWare) (DAG)
Recover (all
deployment
scenarios):
Mailbox, mailbox
databases under
a DAG
AZURE BACKUP

deployment
database under a
database
availability group
(DAG)
Recover (all
deployment
scenarios):
Mailbox, mailbox
databases under
a DAG

VMWare scenarios):
VMWare) (DAG)
Recover (all
deployment
scenarios):
Mailbox, mailbox
databases under
a DAG

deployment
Hyper-V virtual Storage group
machine
Recover (all
deployment
scenarios):
Storage group,
database,
mailbox

VMWare scenarios):
(protects Storage group
workloads
running in Recover (all
Windows virtual deployment
machine in scenarios):
VMWare) Storage group,
database,
mailbox
AZURE BACKUP
SharePoint SharePoint 2016 Physical server Y N Protect (all

deployment
On-premises scenarios): Farm,
Hyper-V virtual frontend web
machine server content
Azure virtual Recover (all

machine (when deployment
workload is scenarios): Farm,
running as Azure database, web
virtual machine) application, file or
list item,
Windows virtual SharePoint
machine in search, frontend
VMWare web server
(protects
workloads Note that
running in protecting a
Windows virtual SharePoint farm
machine in that's using the
VMWare) SQL Server 2012
AlwaysOn feature
for the content
databases isn't
supported.
SharePoint SharePoint 2013 Physical server Y Y Protect (all

deployment
Hyper-V virtual frontend web
machine server content
Recover (all
deployment
scenarios): Farm,
database, web
application, file or
list item,
SharePoint
search, frontend
web server
Note that
protecting a
SharePoint farm
that's using the
SQL Server 2012
AlwaysOn feature
for the content
databases isn't
supported.
AZURE BACKUP
SharePoint SharePoint 2013 Azure virtual Y Y Protect (all

running as Azure SharePoint
virtual machine) - search, frontend
DPM 2012 R2 web server
Update Rollup 3 content
onwards
Recover (all
deployment
scenarios): Farm,
database, web
list item,
SharePoint
search, frontend
web server
Note that
protecting a
SharePoint farm
that's using the
SQL Server 2012
AlwaysOn feature
for the content
databases isn't
supported.
SharePoint SharePoint 2013 Windows virtual Y Y Protect (all

VMWare scenarios): Farm,
(protects SharePoint
workloads search, frontend
running in web server
Windows virtual content
machine in
VMWare) Recover (all
deployment
scenarios): Farm,
database, web
list item,
SharePoint
search, frontend
web server
Note that
protecting a
SharePoint farm
that's using the
SQL Server 2012
AlwaysOn feature
for the content
databases isn't
supported.
AZURE BACKUP

deployment
Hyper-V virtual SharePoint
machine search, frontend
web server
content
Recover (all
deployment
scenarios): Farm,
database, web
list item,
SharePoint
search, frontend
web server
SharePoint SharePoint 2010 Azure virtual Y Y Protect (all

running as Azure SharePoint
virtual machine) search, frontend
web server
content
Recover (all
deployment
scenarios): Farm,
database, web
list item,
SharePoint
search, frontend
web server

machine in
deployment
scenarios): Farm,
database, web
list item,
SharePoint
search, frontend
web server
AZURE BACKUP

deployment
Hyper-V virtual SharePoint
machine search, frontend
web server
content
Recover (all
deployment
scenarios): Farm,
database, web
list item,
SharePoint
search, frontend
web server

machine in
deployment
scenarios): Farm,
database, web
list item,
SharePoint
search, frontend
web server
Hyper-V host - Windows Server Physical server Y N Protect: Hyper-V

DPM protection 2016 computers,
agent on Hyper- On-premises cluster shared
V host server, Hyper-V virtual volumes (CSVs)
cluster, or VM machine
Recover: Virtual
machine, Item-
level recovery of
files and folder,
volumes, virtual
hard drives
AZURE BACKUP
Hyper-V host - Windows Server Physical server Y Y Protect: Hyper-V

DPM protection 2012 R2 - computers,
agent on Hyper- Datacenter and On-premises cluster shared
V host server, Standard Hyper-V virtual volumes (CSVs)
Recover: Virtual
machine, Item-
level recovery of
files and folder,
volumes, virtual
hard drives

DPM protection 2012 - computers,
agent on Hyper- Datacenter and On-premises cluster shared
Recover: Virtual
machine, Item-
level recovery of
files and folder,
volumes, virtual
hard drives

DPM protection 2008 R2 SP1 - computers,
agent on Hyper- Enterprise and On-premises cluster shared
Recover: Virtual
machine, Item-
level recovery of
files and folder,
volumes, virtual
hard drives
Hyper-V host - Windows Server Physical server N N Protect: Hyper-V

DPM protection 2008 computers,
agent on Hyper- On-premises cluster shared
V host server, Hyper-V virtual volumes (CSVs)
Recover: Virtual
machine, Item-
level recovery of
files and folder,
volumes, virtual
hard drives
AZURE BACKUP
VMware VMs VMware server On-premises Y Y (with UR1) VMware VMs on

5.5 or 6.0 or 6.5 Hyper-V virtual cluster-shared
machine volumes (CSVs),
NFS, and SAN
storage
Item-level
recovery of files
and folders
available only for
Windows
VMware vApps
not supported
Linux Linux running as On-premises Y Y Hyper-V must be

Hyper-V or Hyper-V virtual running on
VMware guest machine Windows Server
2012 R2 or
Windows Server
2016. Protect:
Entire virtual
machine
Recover: Entire
virtual machine
Cluster support
Azure Backup Server can protect data in the following clustered applications:
File servers
SQL Server
Hyper-V - If you protect a Hyper-V cluster using scaled-out DPM protection, you can't add secondary
protection for the protected Hyper-V workloads.
If you run Hyper-V on Windows Server 2008 R2, make sure to install the update described in KB 975354. If
you run Hyper-V on Windows Server 2008 R2 in a cluster configuration, make sure you install SP2 and KB
971394.
Exchange Server - Azure Backup Server can protect non-shared disk clusters for supported Exchange Server
versions (cluster-continuous replication), and can also protect Exchange Server configured for local
continuous replication.
SQL Server - Azure Backup Server doesn't support backing up SQL Server databases hosted on cluster-
shared volumes (CSVs).
Azure Backup Server can protect cluster workloads that are located in the same domain as the DPM server, and in
a child or trusted domain. If you want to protect data sources in untrusted domains or workgroups, use NTLM or
certificate authentication for a single server, or certificate authentication only for a cluster.
Preparing to back up workloads using Azure Backup
Server
This article explains how to prepare your environment to back up workloads using Azure Backup Server. With
Azure Backup Server, you can protect application workloads such as Hyper-V VMs, Microsoft SQL Server,
SharePoint Server, Microsoft Exchange, and Windows clients from a single console.
NOTE
Azure Backup Server can now protect VMware VMs and provides improved security capabilities. Install the product as
explained in the sections below; apply Update 1 and the latest Azure Backup Agent. To learn more about backing up
VMware servers with Azure Backup Server, see the article, Use Azure Backup Server to back up a VMware server. To learn
about security capabilities, refer to Azure backup security features documentation.
You can also protect Infrastructure as a Service (IaaS) workloads such as VMs in Azure.
NOTE
Azure has two deployment models for creating and working with resources: Resource Manager and classic. This article
provides the information and procedures for restoring VMs deployed using the Resource Manager model.
Azure Backup Server inherits much of the workload backup functionality from Data Protection Manager (DPM).
This article links to DPM documentation to explain some of the shared functionality. Though Azure Backup Server
shares much of the same functionality as DPM. Azure Backup Server does not back up to tape, nor does it
integrate with System Center.
1. Choose an installation platform

The first step towards getting the Azure Backup Server up and running is to set up a Windows Server. Your server
can be in Azure or on-premises.
Using a server in Azure
When choosing a server for running Azure Backup Server, it is recommended you start with a gallery image of
Windows Server 2012 R2 Datacenter. The article, Create your first Windows virtual machine in the Azure portal,
provides a tutorial for getting started with the recommended virtual machine in Azure, even if you've never used
Azure before. The recommended minimum requirements for the server virtual machine (VM) should be: A2
Standard with two cores and 3.5 GB RAM.
Protecting workloads with Azure Backup Server has many nuances. The article, Install DPM as an Azure virtual
machine, helps explain these nuances. Before deploying the machine, read this article completely.
Using an on-premises server
If you do not want to run the base server in Azure, you can run the server on a Hyper-V VM, a VMware VM, or a
physical host. The recommended minimum requirements for the server hardware are two cores and 4 GB RAM.
The supported operating systems are listed in the following table:
OPERATING SYSTEM PLATFORM SKU
Windows Server 2012 R2 and latest 64 bit Standard, Datacenter, Foundation

SPs
Windows Server 2012 and latest SPs 64 bit Datacenter, Foundation, Standard
Windows Storage Server 2012 R2 and 64 bit Standard, Workgroup

latest SPs

latest SPs
You can deduplicate the DPM storage using Windows Server Deduplication. Learn more about how DPM and
deduplication work together when deployed in Hyper-V VMs.
NOTE
Azure Backup Server is designed to run on a dedicated, single-purpose server. You cannot install Azure Backup Server on:
A computer running as a domain controller
A computer on which the Application Server role is installed
A computer that is a System Center Operations Manager management server
A computer on which Exchange Server is running
A computer that is a node of a cluster
Always join Azure Backup Server to a domain. If you plan to move the server to a different domain, it is
recommended that you join the server to the new domain before installing Azure Backup Server. Moving an
existing Azure Backup Server machine to a new domain after deployment is not supported.
2. Recovery Services vault

Whether you send backup data to Azure or keep it locally, the software needs to be connected to Azure. To be
more specific, the Azure Backup Server machine needs to be registered with a recovery services vault.
To create a recovery services vault:
2. On the Hub menu, click Browse and in the list of resources, type Recovery Services. As you begin typing,
the list filters based on your input. Click Recovery Services vault.
The list of Recovery Services vaults is displayed.
The Recovery Services vault blade opens, prompting you to provide a Name, Subscription, Resource
group, and Location.
4. For Name, enter a friendly name to identify the vault. The name needs to be unique for the Azure
subscription. Type a name that contains between 2 and 50 characters. It must start with a letter, and can
contain only letters, numbers, and hyphens.
5. Click Subscription to see the available list of subscriptions. If you are not sure which subscription to use, use
the default (or suggested) subscription. There are multiple choices only if your organizational account is
associated with multiple Azure subscriptions.
6. Click Resource group to see the available list of Resource groups, or click New to create a new Resource
group. For complete information on Resource groups, see Azure Resource Manager overview
7. Click Location to select the geographic region for the vault.
8. Click Create. It can take a while for the Recovery Services vault to be created. Monitor the status notifications
in the upper right-hand area in the portal. Once your vault is created, it opens in the portal.
Set Storage Replication
The storage replication option allows you to choose between geo-redundant storage and locally redundant
storage. By default, your vault has geo-redundant storage. If this vault is your primary vault, leave the storage
option set to geo-redundant storage. Choose locally redundant storage if you want a cheaper option that isn't
quite as durable. Read more about geo-redundant and locally redundant storage options in the Azure Storage
replication overview.
To edit the storage replication setting:
1. Select your vault to open the vault dashboard and the Settings blade. If the Settings blade doesn't open, click
All settings in the vault dashboard.
2. On the Settings blade, click Backup Infrastructure > Backup Configuration to open the Backup
Configuration blade. On the Backup Configuration blade, choose the storage replication option for
your vault.
After choosing the storage option for your vault, you are ready to associate the VM with the vault. To
begin the association, you should discover and register the Azure virtual machines.
3. Software package
Downloading the software package
2. If you already have a Recovery Services vault open, proceed to step 3. If you do not have a Recovery
Services vault open, but are in the Azure portal, on the Hub menu, click Browse.
In the list of resources, type Recovery Services.
As you begin typing, the list will filter based on your input. When you see Recovery Services
vaults, click it.
The list of Recovery Services vaults appears.
From the list of Recovery Services vaults, select a vault.
The selected vault dashboard opens.
3. The Settings blade opens up by default. If it is closed, click on Settings to open the settings blade.
4. Click Backup to open the Getting Started wizard.

In the Getting Started with backup blade that opens, Backup Goals will be auto-selected.
5. In the Backup Goal blade, from the Where is your workload running menu, select On-premises.
From the What do you want to backup? drop-down menu, select the workloads you want to protect
using Azure Backup Server, and then click OK.
The Getting Started with backup wizard switches the Prepare infrastructure option to back up
workloads to Azure.
NOTE
If you only want to back up files and folders, we recommend using the Azure Backup agent and following the
guidance in the article, First look: back up files and folders. If you are going to protect more than files and folders,
or you are planning to expand the protection needs in the future, select those workloads.
6. In the Prepare infrastructure blade that opens, click the Download links for Install Azure Backup Server
and Download vault credentials. You use the vault credentials during registration of Azure Backup Server
to the recovery services vault. The links take you to the Download Center where the software package can
be downloaded.
7. Select all the files and click Next. Download all the files coming in from the Microsoft Azure Backup
download page, and place all the files in the same folder.
Since the download size of all the files together is > 3G, on a 10Mbps download link it may take up to 60
minutes for the download to complete.
Extracting the software package
After you've downloaded all the files, click MicrosoftAzureBackupInstaller.exe. This will start the Microsoft
Azure Backup Setup Wizard to extract the setup files to a location specified by you. Continue through the
wizard and click on the Extract button to begin the extraction process.
WARNING
At least 4GB of free space is required to extract the setup files.
Once the extraction process complete, check the box to launch the freshly extracted setup.exe to begin installing
Microsoft Azure Backup Server and click on the Finish button.
Installing the software package
1. Click Microsoft Azure Backup to launch the setup wizard.
2. On the Welcome screen click the Next button. This takes you to the Prerequisite Checks section. On this
screen, click Check to determine if the hardware and software prerequisites for Azure Backup Server have
been met. If all prerequisites are met successfully, you will see a message indicating that the machine
meets the requirements. Click on the Next button.
3. Microsoft Azure Backup Server requires SQL Server Standard, and the Azure Backup Server installation
package comes bundled with the appropriate SQL Server binaries needed. When starting with a new
Azure Backup Server installation, you should pick the option Install new Instance of SQL Server with
this Setup and click the Check and Install button. Once the prerequisites are successfully installed, click
Next.
If a failure occurs with a recommendation to restart the machine, do so and click Check Again.
NOTE
Azure Backup Server will not work with a remote SQL Server instance. The instance being used by Azure Backup
Server needs to be local.
4. Provide a location for the installation of Microsoft Azure Backup server files and click Next.
The scratch location is a requirement for back up to Azure. Ensure the scratch location is at least 5% of the
data planned to be backed up to the cloud. For disk protection, separate disks need to be configured once
the installation completes. For more information regarding storage pools, see Configure storage pools and
disk storage.
5. Provide a strong password for restricted local user accounts and click Next.
6. Select whether you want to use Microsoft Update to check for updates and click Next.
NOTE
We recommend having Windows Update redirect to Microsoft Update, which offers security and important updates
for Windows and other products like Microsoft Azure Backup Server.
7. Review the Summary of Settings and click Install.
8. The installation happens in phases. In the first phase the Microsoft Azure Recovery Services Agent is
installed on the server. The wizard also checks for Internet connectivity. If Internet connectivity is available
you can proceed with installation, if not, you need to provide proxy details to connect to the Internet.
The next step is to configure the Microsoft Azure Recovery Services Agent. As a part of the configuration,
you will have to provide your vault credentials to register the machine to the recovery services vault. You
will also provide a passphrase to encrypt/decrypt the data sent between Azure and your premises. You can
automatically generate a passphrase or provide your own minimum 16-character passphrase. Continue
with the wizard until the agent has been configured.
9. Once registration of the Microsoft Azure Backup server successfully completes, the overall setup wizard
proceeds to the installation and configuration of SQL Server and the Azure Backup Server components.
Once the SQL Server component installation completes, the Azure Backup Server components are
installed.
When the installation step has completed, the product's desktop icons will have been created as well. Just
double-click the icon to launch the product.
Add backup storage
The first backup copy is kept on storage attached to the Azure Backup Server machine. For more information
about adding disks, see Configure storage pools and disk storage.
NOTE
You need to add backup storage even if you plan to send data to Azure. In the current architecture of Azure Backup
Server, the Azure Backup vault holds the second copy of the data while the local storage holds the first (and mandatory)
backup copy.
4. Network connectivity
Azure Backup Server requires connectivity to the Azure Backup service for the product to work successfully. To
validate whether the machine has the connectivity to Azure, use the Get-DPMCloudConnection cmdlet in the Azure
Backup Server PowerShell console. If the output of the cmdlet is TRUE then connectivity exists, else there is no
connectivity.
At the same time, the Azure subscription needs to be in a healthy state. To find out the state of your subscription
and to manage it, log in to the subscription portal.
Once you know the state of the Azure connectivity and of the Azure subscription, you can use the table below to
find out the impact on the backup/restore functionality offered.
CONNECTIVITY AZURE BACK UP TO RESTORE FROM RESTORE FROM
STATE SUBSCRIPTION AZURE BACK UP TO DISK AZURE DISK
Connected Active Allowed Allowed Allowed Allowed
Connected Expired Stopped Stopped Allowed Allowed
Connected Deprovisioned Stopped Stopped Stopped and Stopped

Azure recovery
points deleted
Lost connectivity Active Stopped Stopped Allowed Allowed

> 15 days
Lost connectivity Expired Stopped Stopped Allowed Allowed

> 15 days
Lost connectivity Deprovisioned Stopped Stopped Stopped and Stopped

> 15 days Azure recovery
points deleted
Recovering from loss of connectivity

If you have a firewall or a proxy that is preventing access to Azure, you need to whitelist the following domain
addresses in the firewall/proxy profile:
www.msftncsi.com
*.Microsoft.com
*.WindowsAzure.com
*.microsoftonline.com
*.windows.net
Once connectivity to Azure has been restored to the Azure Backup Server machine, the operations that can be
performed are determined by the Azure subscription state. The table above has details about the operations
allowed once the machine is "Connected".
Handling subscription states
It is possible to take an Azure subscription from an Expired or Deprovisioned state to the Active state. However
this has some implications on the product behavior while the state is not Active:
A Deprovisioned subscription loses functionality for the period that it is deprovisioned. On turning Active, the
product functionality of backup/restore is revived. The backup data on the local disk also can be retrieved if it
was kept with a sufficiently large retention period. However, the backup data in Azure is irretrievably lost once
the subscription enters the Deprovisioned state.
An Expired subscription only loses functionality for until it has been made Active again. Any backups
scheduled for the period that the subscription was Expired will not run.
Troubleshooting
If Microsoft Azure Backup server fails with errors during the setup phase (or backup or restore), refer to this error
codes document for more information. You can also refer to Azure Backup related FAQs
Next steps
You can get detailed information about preparing your environment for DPM on the Microsoft TechNet site. It
also contains information about supported configurations on which Azure Backup Server can be deployed and
used.
You can use these articles to gain a deeper understanding of workload protection using Microsoft Azure Backup
server.
SQL Server backup
SharePoint server backup
Alternate server backup
Preparing to back up workloads using Azure Backup
Server
This article is about preparing your environment to back up workloads using Azure Backup Server. With Azure
Backup Server, you can protect application workloads such as Hyper-V VMs, Microsoft SQL Server, SharePoint
Server, Microsoft Exchange and Windows clients from a single console.
WARNING
Azure Backup Server inherits the functionality of Data Protection Manager (DPM) for workload backup. You will find pointers
to DPM documentation for some of these capabilities. However Azure Backup Server does not provide protection on tape or
integrate with System Center.
1. Windows Server machine
The first step towards getting the Azure Backup Server up and running is to have a Windows Server machine.
LOCATION MINIMUM REQUIREMENTS ADDITIONAL INSTRUCTIONS
Azure Azure IaaS virtual machine You can start with a simple gallery
image of Windows Server 2012 R2
A2 Standard: 2 cores, 3.5GB RAM Datacenter. Protecting IaaS workloads
using Azure Backup Server (DPM) has
many nuances. Ensure that you read
the article completely before deploying
the machine.
On-premises Hyper-V VM, You can deduplicate the DPM storage

VMWare VM, using Windows Server Deduplication.
or a physical host Learn more about how DPM and
deduplication work together when
2 cores and 4GB RAM deployed in Hyper-V VMs.
NOTE
It is recommended that Azure Backup Server be installed on a machine with Windows Server 2012 R2 Datacenter. A lot of the
prerequisites are automatically covered with the latest version of the Windows operating system.
If you plan to join Azure Backup Server to a domain, it is recommended that you join the physical server or virtual
machine to the domain before installing the Azure Backup Server software. Moving an Azure Backup Server to a
new domain, after deployment, is not supported.
2. Backup vault
Whether you send backup data to Azure or keep it locally, the Azure Backup Server must be registered to a vault. If
you are a new Azure Backup user, and want to use Azure Backup Server, see the Azure portal version of this article -
Prepare to back up workloads using Azure Backup Server.
IMPORTANT
Starting March 2017, you can no longer use the classic portal to create Backup vaults. You can now upgrade your Backup
vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to a Recovery Services vault. Microsoft
encourages you to upgrade your Backup vaults to Recovery Services vaults.
After October 15, 2017, you cant use PowerShell to create Backup vaults. By November 1, 2017:
All remaining Backup vaults will be automatically upgraded to Recovery Services vaults.
You won't be able to access your backup data in the classic portal. Instead, use the Azure portal to access your backup
data in Recovery Services vaults.
3. Software package
Downloading the software package

Similar to vault credentials, you can download Microsoft Azure Backup for application workloads from the Quick
Start Page of the backup vault.
1. Click For Application Workloads (Disk to Disk to Cloud). This will take you to the Download Center page
from where the software package can be downloaded.
2. Click Download.
3. Select all the files and click Next. Download all the files coming in from the Microsoft Azure Backup
download page, and place all the files in the same folder.
Since the download size of all the files together is > 3G, on a 10Mbps download link it may take up to 60
minutes for the download to complete.
Extracting the software package
After you've downloaded all the files, click MicrosoftAzureBackupInstaller.exe. This will start the Microsoft
Azure Backup Setup Wizard to extract the setup files to a location specified by you. Continue through the wizard
and click on the Extract button to begin the extraction process.
WARNING
At least 4GB of free space is required to extract the setup files.
Once the extraction process complete, check the box to launch the freshly extracted setup.exe to begin installing
Microsoft Azure Backup Server and click on the Finish button.
Installing the software package
1. Click Microsoft Azure Backup to launch the setup wizard.
2. On the Welcome screen click the Next button. This takes you to the Prerequisite Checks section. On this
screen, click on the Check button to determine if the hardware and software prerequisites for Azure Backup
Server have been met. If all of the prerequisites are have been met successfully, you will see a message
indicating that the machine meets the requirements. Click on the Next button.
3. Microsoft Azure Backup Server requires SQL Server Standard, and the Azure Backup Server installation
package comes bundled with the appropriate SQL Server binaries needed. When starting with a new Azure
Backup Server installation, you should pick the option Install new Instance of SQL Server with this Setup
and click the Check and Install button. Once the prerequisites are successfully installed, click Next.
If a failure occurs with a recommendation to restart the machine, do so and click Check Again.
NOTE
Azure Backup Server will not work with a remote SQL Server instance. The instance being used by Azure Backup
Server needs to be local.
4. Provide a location for the installation of Microsoft Azure Backup server files and click Next.
The scratch location is a requirement for back up to Azure. Ensure the scratch location is at least 5% of the
data planned to be backed up to the cloud. For disk protection, separate disks need to be configured once
the installation completes. For more information regarding storage pools, see Configure storage pools and
disk storage.
5. Provide a strong password for restricted local user accounts and click Next.
6. Select whether you want to use Microsoft Update to check for updates and click Next.
NOTE
We recommend having Windows Update redirect to Microsoft Update, which offers security and important updates
for Windows and other products like Microsoft Azure Backup Server.
7. Review the Summary of Settings and click Install.
8. The installation happens in phases. In the first phase the Microsoft Azure Recovery Services Agent is
installed on the server. The wizard also checks for Internet connectivity. If Internet connectivity is available
you can proceed with installation, if not, you need to provide proxy details to connect to the Internet.
The next step is to configure the Microsoft Azure Recovery Services Agent. As a part of the configuration,
you will have to provide your the vault credentials to register the machine to the backup vault. You will also
provide a passphrase to encrypt/decrypt the data sent between Azure and your premises. You can
automatically generate a passphrase or provide your own minimum 16-character passphrase. Continue with
the wizard until the agent has been configured.
9. Once registration of the Microsoft Azure Backup server successfully completes, the overall setup wizard
proceeds to the installation and configuration of SQL Server and the Azure Backup Server components.
Once the SQL Server component installation completes, the Azure Backup Server components are installed.
When the installation step has completed, the product's desktop icons will have been created as well. Just double-
click the icon to launch the product.
Add backup storage
The first backup copy is kept on storage attached to the Azure Backup Server machine. For more information about
adding disks, see Configure storage pools and disk storage.
NOTE
You need to add backup storage even if you plan to send data to Azure. In the current architecture of Azure Backup Server,
the Azure Backup vault holds the second copy of the data while the local storage holds the first (and mandatory) backup
copy.
4. Network connectivity
Azure Backup Server requires connectivity to the Azure Backup service for the product to work successfully. To
validate whether the machine has the connectivity to Azure, use the Get-DPMCloudConnection commandlet in the
Azure Backup Server PowerShell console. If the output of the commandlet is TRUE then connectivity exists, else
there is no connectivity.
At the same time, the Azure subscription needs to be in a healthy state. To find out the state of your subscription
and to manage it, log in to the subscription portal.
Once you know the state of the Azure connectivity and of the Azure subscription, you can use the table below to
find out the impact on the backup/restore functionality offered.
CONNECTIVITY AZURE RESTORE FROM RESTORE FROM
STATE SUBSCRIPTION BACKUP TO AZURE BACKUP TO DISK AZURE DISK
Connected Active Allowed Allowed Allowed Allowed
Connected Expired Stopped Stopped Allowed Allowed
Connected Deprovisioned Stopped Stopped Stopped and Stopped

Azure recovery
points deleted
Lost connectivity Active Stopped Stopped Allowed Allowed

> 15 days
Lost connectivity Expired Stopped Stopped Allowed Allowed

> 15 days
Lost connectivity Deprovisioned Stopped Stopped Stopped and Stopped

> 15 days Azure recovery
points deleted
Recovering from loss of connectivity

If you have a firewall or a proxy that is preventing access to Azure, you need to whitelist the following domain
addresses in the firewall/proxy profile:
www.msftncsi.com
*.Microsoft.com
*.WindowsAzure.com
*.microsoftonline.com
*.windows.net
Once connectivity to Azure has been restored to the Azure Backup Server machine, the operations that can be
performed are determined by the Azure subscription state. The table above has details about the operations
allowed once the machine is "Connected".
Handling subscription states
It is possible to take an Azure subscription from an Expired or Deprovisioned state to the Active state. However this
has some implications on the product behavior while the state is not Active:
A Deprovisioned subscription loses functionality for the period that it is deprovisioned. On turning Active, the
product functionality of backup/restore is revived. The backup data on the local disk also can be retrieved if it
was kept with a sufficiently large retention period. However, the backup data in Azure is irretrievably lost once
the subscription enters the Deprovisioned state.
An Expired subscription only loses functionality for until it has been made Active again. Any backups scheduled
for the period that the subscription was Expired will not run.
Troubleshooting
If Microsoft Azure Backup server fails with errors during the setup phase (or backup or restore), refer to this error
codes document for more information. You can also refer to Azure Backup related FAQs
Next steps
You can get detailed information about preparing your environment for DPM on the Microsoft TechNet site. It also
contains information about supported configurations on which Azure Backup Server can be deployed and used.
You can use these articles to gain a deeper understanding of workload protection using Microsoft Azure Backup
server.
SQL Server backup
SharePoint server backup
Alternate server backup
Add storage to Azure Backup Server v2
Azure Backup Server v2 comes with System Center 2016 Data Protection Manager Modern Backup Storage.
Modern Backup Storage offers storage savings of 50 percent, backups that are three times faster, and more
efficient storage. It also offers workload-aware storage.
NOTE
To use Modern Backup Storage, you must run Backup Server v2 on Windows Server 2016. If you run Backup Server v2 on an
earlier version of Windows Server, Azure Backup Server can't take advantage of Modern Backup Storage. Instead, it protects
workloads as it does with Backup Server v1. For more information, see the Backup Server version protection matrix.
Volumes in Backup Server v2

Backup Server v2 accepts storage volumes. When you add a volume, Backup Server formats the volume to Resilient
File System (ReFS), which Modern Backup Storage requires. To add a volume, and to expand it later if you need to,
we suggest that you use this workflow:
1. Set up Backup Server v2 on a VM.
2. Create a volume on a virtual disk in a storage pool:
a. Add a disk to a storage pool and create a virtual disk with simple layout.
b. Add any additional disks, and extend the virtual disk.
c. Create volumes on the virtual disk.
3. Add the volumes to Backup Server.
4. Configure workload-aware storage.
Create a volume for Modern Backup Storage

Using Backup Server v2 with volumes as disk storage can help you maintain control over storage. A volume can be
a single disk. However, if you want to extend storage in the future, create a volume out of a disk created by using
storage spaces. This can help if you want to expand the volume for backup storage. This section offers best
practices for creating a volume with this setup.
1. In Server Manager, select File and Storage Services > Volumes > Storage Pools. Under PHYSICAL
DISKS, select New Storage Pool.
2. In the TASKS drop-down box, select New Virtual Disk.
3. Select the storage pool, and then select Add Physical Disk.
4. Select the physical disk, and then select Extend Virtual Disk.
5. Select the virtual disk, and then select New Volume.

6. In the Select the server and disk dialog, select the server and the new disk. Then, select Next.
Add volumes to Backup Server disk storage

To add a volume to Backup Server, in the Management pane, rescan the storage, and then select Add. A list of all
the volumes available to be added for Backup Server Storage appears. After available volumes are added to the list
of selected volumes, you can give them a friendly name to help you manage them. To format these volumes to
ReFS so Backup Server can use the benefits of Modern Backup Storage, select OK.
Set up workload-aware storage
With workload-aware storage, you can select the volumes that preferentially store certain kinds of workloads. For
example, you can set expensive volumes that support a high number of input/output operations per second (IOPS)
to store only the workloads that require frequent, high-volume backups. An example is SQL Server with transaction
logs. Other workloads that are backed up less frequently, like VMs, can be backed up to low-cost volumes.
Update -DPMDiskStorage
You can set up workload-aware storage by using the PowerShell cmdlet Update-DPMDiskStorage, which updates
the properties of a volume in the storage pool on a Data Protection Manager server.
Syntax:
Parameter Set: Volume
Update-DPMDiskStorage [-Volume] <Volume> [[-FriendlyName] <String> ] [[-DatasourceType] <VolumeTag[]> ] [-

Confirm] [-WhatIf] [ <CommonParameters>]
The following screenshot shows the Update-DPMDiskStorage cmdlet in the PowerShell window.
The changes you make by using PowerShell are reflected in the Backup Server Administrator Console.
Next steps
After you install Backup Server, learn how to prepare your server, or begin protecting a workload.
Prepare Backup Server workloads
Use Backup Server to back up a VMware server
Use Backup Server to back up SQL Server
Install Azure Backup Server v2
Azure Backup Server helps protect your virtual machines (VMs), workloads, files and folders, and more. Azure
Backup Server v2 builds on Azure Backup Server v1, and gives you new features that are not available in v1. For a
comparison of features between v1 and v2, see Azure Backup Server protection matrix.
The additional features in Backup Server v2 are an upgrade from Backup Server v1. However, Backup Server v1 is
not a prerequisite for installing Backup Server v2. If you want to upgrade from Backup Server v1 to Backup Server
v2, install Backup Server v2 on the Backup Server protection server. Your existing Backup Server settings remain
intact.
You can install Backup Server v2 on Windows Server 2012 R2 or Windows Server 2016. To take advantage of new
features like System Center 2016 Data Protection Manager Modern Backup Storage, you must install Backup Server
v2 on Windows Server 2016. Before you upgrade to or install Backup Server v2, read about the installation
prerequisites.
NOTE
Azure Backup Server has the same code base as System Center Data Protection Manager. Backup Server v1 is equivalent to
Data Protection Manager 2012 R2, and Backup Server v2 is equivalent to Data Protection Manager 2016. This article
occasionally references the Data Protection Manager documentation.
Upgrade Backup Server to v2

To upgrade from Backup Server v1 to Backup Server v2, make sure your installation has the required updates:
Update the protection agents on the protected servers.
Upgrade Windows Server 2012 R2 to Windows Server 2016.
Upgrade Azure Backup Server Remote Administrator on all production servers.
Ensure that backups are set to continue without restarting your production server.
Upgrade steps for Backup Server v2
1. In the Download Center, download the upgrade installer.
2. After you extract the setup wizard, make sure that Execute setup.exe is selected, and then select Finish.
3. In the Microsoft Azure Backup Server wizard, under Install, select Microsoft Azure Backup Server.
4. On the Welcome page, review the warnings, and then select Next.
5. The setup wizard performs prerequisite checks to make sure your environment can upgrade. On the
Prerequisite Checks page, select Check.
6. Your environment must pass the prerequisite checks. If your environment doesn't pass the checks, note the
issues and fix them. Then, select Check Again. After you pass the prerequisite checks, select Next.
7. On the SQL Settings page, select the relevant option for your SQL installation, and then select Check and
Install.
The checks might take a few minutes. When the checks are finished, select Next.
8. On the Installation Settings page, make any changes to the location where Backup Server is installed, or to
the Scratch Location. Select Next.
9. To finish the setup wizard, select Finish.
Add storage for Modern Backup Storage

To improve backup storage efficiency, Backup Server v2 adds support for volumes. Like Backup Server v1, Backup
Server v2 supports disks.
Add volumes and disks
If you run Backup Server v2 on Windows Server 2016, you can use volumes to store backup data. Volumes offer
storage savings and faster backups. Because volumes are new to Backup Server, you must add them.
When you add a volume to Backup Server, you can give the volume a friendly name. Click the Friendly Name
column of the volume you want to name. You can change the name later, if necessary. You also can use PowerShell
to add or change friendly names for volumes.
To add a volume in the Administrator Console:
1. In the Azure Backup Server Administrator Console, select Management > Disk Storage > Add.
This opens the Add Disk Storage wizard.
2. On the Add Disk Storage page, in the Available volumes box, select a volume, and then select Add.
3. In the Selected volumes box, enter a friendly name for the volume, and then select OK.
If you want to add a disk, the disk must belong to a protection group that has legacy storage. These disks can
only be used for these protection groups. If Backup Server doesn't have sources that have legacy protection,
the disk isn't listed.
For more information about adding disks, see Adding disks to increase legacy storage. You can't give a disk a
friendly name.
Assign workloads to volumes
In Backup Server, you specify which workloads are assigned to which volumes. For example, you can set expensive
volumes that support a high number of input/output operations per second (IOPS) to store only workloads that
require frequent, high-volume backups. An example is SQL Server with transaction logs.
Update-DPMDiskStorage
To update the properties of a volume in the storage pool in Backup Server, use the PowerShell cmdlet Update-
DPMDiskStorage.
Syntax:
Parameter Set: Volume
Update-DPMDiskStorage [-Volume] <Volume> [[-FriendlyName] <String> ] [[-DatasourceType] <VolumeTag[]> ] [-

Confirm] [-WhatIf] [ <CommonParameters>]
All changes that you make by using PowerShell are reflected in the UI.
Protect data sources

To begin protecting data sources, create a protection group. The following steps highlight changes or additions to
the New Protection Group wizard.
To create a protection group:
1. In the Backup Server Administrator Console, select Protection.
2. On the tool ribbon, select New.
This opens the Create New Protection Group wizard.
3. On the Welcome page, select Next.

4. On the Select Protection Group Type page, select the type of protection group you want to create, and
then select Next.
5. On the Select Group Members page, in the Available members pane, the members with protection
agents are listed. For this example, select volume D:\ and E:\ and add them to the Selected members pane.
Select Next.
6. On the Select Data Protection Method page, enter a Protection group name, select the protection
method, and then select Next. If you want short-term protection, you must select the Disk backup method.
7. On the Specify Short-Term Goals page, select the details for Retention range and Synchronization
frequency. Then, select Next. Optionally, to change the schedule for when recovery points are taken, select
Modify.
8. On the Review Disk Storage Allocation page, review details about the data sources you selected, their size,
and values for the space to be provisioned and the target storage volume.
Storage volumes are based on the workload volume allocation (set by using PowerShell) and the available
storage. You can change the storage volumes by selecting other volumes in the drop-down menu. If you
change the value for Target Storage, the value for Available disk storage dynamically changes to reflect
values under Free Space and Underprovisioned Space.
If the data sources grow as planned, the value for the Underprovisioned Space column in Available disk
storage reflects the amount of additional storage that's needed. Use this value to help plan your storage
needs for smooth backups. If the value is zero, there are no potential problems with storage in the
foreseeable future. If the value is a number other than zero, you do not have sufficient storage allocated
(based on your protection policy and the data size of your protected members).
To finish creating your protection group, complete the wizard.
Migrate legacy storage to Modern Backup Storage

After you upgrade to or install Backup Server v2 and upgrade the operating system to Windows Server 2016,
update your protection groups to use Modern Backup Storage. By default, protection groups are not changed. They
continue to function as they were initially set up.
Updating protection groups to use Modern Backup Storage is optional. To update the protection group, stop
protection of all data sources by using the retain data option. Then, add the data sources to a new protection group.
1. In the Administrator Console, select the Protection feature. In the Protection Group Member list, right-
click the member, and then select Stop protection of member.
2. In the Remove from Group dialog box, review the used disk space and the available free space for the
storage pool. The default is to leave the recovery points on the disk and allow them to expire per their
associated retention policy. Click OK.
If you want to immediately return the used disk space to the free storage pool, select the Delete replica on
disk check box to delete the backup data (and recovery points) associated with that member.
3. Create a protection group that uses Modern Backup Storage. Include the unprotected data sources.
Add disks to increase legacy storage

If you want to use legacy storage with Backup Server, you might need to add disks to increase legacy storage.
To add disk storage:
1. In the Administrator Console, select Management > Disk Storage > Add.
2. In the Add Disk Storage dialog, select Add disks.
3. In the list of available disks, select the disks you want to add, select Add, and then select OK.
Update the Data Protection Manager protection agent

Backup Server uses the System Center Data Protection Manager protection agent for updates. If you are upgrading
a protection agent that is not connected to the network, you cannot use the Data Protection Manager Administrator
Console to complete a connected agent upgrade. You must upgrade the protection agent in a nonactive domain
environment. Until the client computer is connected to the network, the Data Protection Manager Administrator
Console shows that the protection agent update is pending.
The following sections describe how to update protection agents for client computers that are connected and client
computers that are not connected.
Update a protection agent for a connected client computer
1. In the Backup Server Administrator Console, select Management > Agents.
2. In the display pane, select the client computers for which you want to update the protection agent.
NOTE
The Agent Updates column indicates when a protection agent update is available for each protected computer. In
the Actions pane, the Update action is available only when a protected computer is selected and updates are
available.
3. To install updated protection agents on the selected computers, in the Actions pane, select Update.
Update a protection agent on a client computer that is not connected
1. In the Backup Server Administrator Console, select Management > Agents.
2. In the display pane, select the client computers for which you want to update the protection agent.
NOTE
The Agent Updates column indicates when a protection agent update is available for each protected computer. In
the Actions pane, the Update action is not available when a protected computer is selected unless updates are
available.
3. To install updated protection agents on the selected computers, select Update.

4. For a client computer that is not connected to the network, until the computer is connected to the network,
the Agent Status column shows a status of Update Pending.
After a client computer is connected to the network, the Agent Updates column for the client computer
shows a status of Updating.
Move legacy Protection groups from old version and sync the new version with Azure
Once Azure Backup Server and the OS are both updated, you are ready to protect new data sources using Modern
Backup Storage. However already protected data sources will continue to be protected in the legacy way as they
were in Azure Backup Server but all new protection will use Modern Backup Storage.
Below steps are to migrate data sources from legacy mode of protection to Modern backup storage.
Add the new volume(s) to the DPM storage pool and assign friendly names and data source tags if desired. For
each data source that is in legacy mode, stop protection of the data sources and Retain Protected Data. This will
allow recovery of old recovery points after migration.
Create a new PG and select the data sources that are to be stored using new format. DPM will do a replica copy
from the legacy backup storage into the Modern Backup Storage volume locally. Note: This will be seen as a post-
recovery operation job All new sync and recovery points will then be stored in Modern Backup Storage. Old
recovery points will be pruned out as they expire and eventually free up the disk space. Once all the legacy
volumes are deleted from the old storage, the disk can be removed from Azure backup and the system. Take a
backup of the Azure DPMDB.
Part 2: -Important items> The new server will need to be named same as the original Azure Backup server. You
cannot change the name of the new Azure backup server if you want to use old storage pool and DPMDB to retain
recovery points -Must have backup of DPMDB as it will need to be restored
1) Shutdown the original Azure backup server or take it off the wire. 2) Reset the machine account in active
directory. 3) Install Server 2016 on new machine and name it the same machine name as the original Azure Backup
server. 4) Join the Domain 5) Install Azure Backup server V2 (Move DPM Storage pool disks from old server and
import) 6) Restore the DPMDB taken from end of part 2 7) Attach the storage from the original backup server to the
new server. 8) From SQL Restore the DPMDB 9) From admin command line on new server cd to Microsoft Azure
Backup install location and bin folder
Path example: C:\windows\system32>cd "c:\Program Files\Microsoft Azure Backup\DPM\DPM\bin\ to Azure
backup Run DPMSYNC -SYNC
10) Run DPMSYNC -SYNC Note If you have added NEW disks to the DPM Storage pool instead of moving the old
ones, then run DPMSYNC -Reallocatereplica
New PowerShell cmdlets in v2

When you install Azure Backup Server v2, two new cmdlets are available:
Mount-DPMRecoveryPoint
Dismount-DPMRecoveryPoint
Next steps
Learn how to prepare your server or begin protecting a workload:
Use Modern Backup Storage with Backup Server
Run an unattended installation of Azure Backup
Server v2
Learn how to run an unattended installation of Azure Backup Server v2.

These steps do not apply if you are installing Azure Backup Server v1.
Install Backup Server v2

1. On the server that hosts Azure Backup Server v2, create a text file. (You can create the file in Notepad or in
another text editor.) Save the file as MABSSetup.ini.
2. Paste the following code in the MABSSetup.ini file. Replace the text inside the brackets (< >) with values from
your environment. The following text is an example:
[OPTIONS]
UserName=administrator
CompanyName=<Microsoft Corporation>
SQLMachineName=localhost
SQLInstanceName=<SQL instance name>
SQLMachineUserName=administrator
SQLMachinePassword=<admin password>
SQLMachineDomainName=<machine domain>
ReportingMachineName=localhost
ReportingInstanceName=<reporting instance name>
SqlAccountPassword=<admin password>
ReportingMachineUserName=<username>
ReportingMachinePassword=<reporting admin password>
ReportingMachineDomainName=<domain>
VaultCredentialFilePath=<vault credential full path and complete name>
SecurityPassphrase=<passphrase>
PassphraseSaveLocation=<passphrase save location>
UseExistingSQL=<1/0 use or do not use existing SQL>
3. Save the file. Then, at an elevated command prompt on the installation server, enter this command:
start /wait <cdlayout path>/Setup.exe /i /f <.ini file path>/setup.ini /L <log path>/setup.log
You can use these flags for the installation:

/f: .ini file path
/l: Log path
/i: Installation path
/x: Uninstall path
Next steps
After you install Backup Server, learn how to prepare your server, or begin protecting a workload.
Add Modern Backup Storage to Backup Server
Back up a VMware server to Azure
This article explains how to configure Azure Backup Server to help protect VMware server workloads. This article
assumes you already have Azure Backup Server installed. If you don't have Azure Backup Server installed, see
Prepare to back up workloads using Azure Backup Server.
Azure Backup Server can back up, or help protect, VMware vCenter Server version 6.5, 6.0 and 5.5.
Create a secure connection to the vCenter Server

By default, Azure Backup Server communicates with each vCenter Server via an HTTPS channel. To turn on the
secure communication, we recommend that you install the VMware Certificate Authority (CA) certificate on Azure
Backup Server. If you don't require secure communication, and would prefer to disable the HTTPS requirement,
see Disable secure communication protocol. To create a secure connection between Azure Backup Server and the
vCenter Server, import the trusted certificate on Azure Backup Server.
Typically, you use a browser on the Azure Backup Server machine to connect to the vCenter Server via the vSphere
Web Client. The first time you use the Azure Backup Server browser to connect to the vCenter Server, the
connection isn't secure. The following image shows the unsecured connection.
To fix this issue, and create a secure connection, download the trusted root CA certificates.
1. In the browser on Azure Backup Server, enter the URL to the vSphere Web Client. The vSphere Web Client
login page appears.
At the bottom of the information for administrators and developers, locate the Download trusted root CA
certificates link.
If you don't see the vSphere Web Client login page, check your browser's proxy settings.
2. Click Download trusted root CA certificates.
The vCenter Server downloads a file to your local computer. The file's name is named download.
Depending on your browser, you receive a message that asks whether to open or save the file.
3. Save the file to a location on Azure Backup Server. When you save the file, add the .zip file name extension.
The file is a .zip file that contains the information about the certificates. With the .zip extension, you can use
the extraction tools.
4. Right-click download.zip, and then select Extract All to extract the contents.
The .zip file extracts its contents to a folder named certs. Two types of files appear in the certs folder. The
root certificate file has an extension that begins with a numbered sequence like .0 and .1.
The CRL file has an extension that begins with a sequence like .r0 or .r1. The CRL file is associated with a
certificate.
5. In the certs folder, right-click the root certificate file, and then click Rename.
Change the root certificate's extension to .crt. When you're asked if you're sure you want to change the
extension, click Yes or OK. Otherwise, you change the file's intended function. The icon for the file changes
to an icon that represents a root certificate.
6. Right-click the root certificate and from the pop-up menu, select Install Certificate.
The Certificate Import Wizard dialog box appears.
7. In the Certificate Import Wizard dialog box, select Local Machine as the destination for the certificate,
and then click Next to continue.
If you're asked if you want to allow changes to the computer, click Yes or OK, to all the changes.
8. On the Certificate Store page, select Place all certificates in the following store, and then click Browse
to choose the certificate store.
The Select Certificate Store dialog box appears.
9. Select Trusted Root Certification Authorities as the destination folder for the certificates, and then click
OK.
The Trusted Root Certification Authorities folder is confirmed as the certificate store. Click Next.
10. On the Completing the Certificate Import Wizard page, verify that the certificate is in the desired folder,
and then click Finish.
A dialog box appears, the successful certificate import is confirmed.

11. Sign in to the vCenter Server to confirm that your connection is secure.
If the certificate import is not successful, and you cannot establish a secure connection, consult the VMware
vSphere documentation on obtaining server certificates.
If you have secure boundaries within your organization, and don't want to turn on the HTTPS protocol, use
the following procedure to disable the secure communications.
Disable secure communication protocol
If your organization doesn't require the HTTPS protocol, use the following steps to disable HTTPS. To disable the
default behavior, create a registry key that ignores the default behavior.
1. Copy and paste the following text into a .txt file.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\VMWare]
"IgnoreCertificateValidation"=dword:00000001
2. Save the file to your Azure Backup Server computer. For the file name, use DisableSecureAuthentication.reg.
3. Double-click the file to activate the registry entry.
Create a role and user account on the vCenter Server

On the vCenter Server, a role is a predefined set of privileges. A vCenter Server administrator creates the roles. To
assign permissions, the administrator pairs user accounts with a role. To establish the necessary user credentials
to back up the vCenter Server computer, create a role with specific privileges, and then associate the user account
with the role.
Azure Backup Server uses a username and password to authenticate with the vCenter Server. Azure Backup Server
uses these credentials as authentication for all backup operations.
To add a vCenter Server role and its privileges for a backup administrator:
1. Sign in to the vCenter Server, and then in the vCenter Server Navigator panel, click Administration.
2. In Administration select Roles, and then in the Roles panel click the add role icon (the + symbol).
The Create Role dialog box appears.
3. In the Create Role dialog box, in the Role name box, enter BackupAdminRole. The role name can be
whatever you like, but it should be recognizable for the role's purpose.
4. Select the privileges for the appropriate version of vCenter, and then click OK. The following table identifies
the required privileges for vCenter 6.0 and vCenter 5.5.
When you select the privileges, click the icon next to the parent label to expand the parent and view the
child privileges. To select the VirtualMachine privileges, you need to go several levels into the parent child
hierarchy. You don't need to select all child privileges within a parent privilege.
After you click OK, the new role appears in the list on the Roles panel.
PRIVILEGES FOR VCENTER 6.0 PRIVILEGES FOR VCENTER 5.5
Datastore.AllocateSpace Datastore.AllocateSpace
Global.ManageCustomFields Global.ManageCustomerFields
Global.SetCustomFields
Host.Local.CreateVM Network.Assign
Network.Assign
Resource.AssignVMToPool
PRIVILEGES FOR VCENTER 6.0 PRIVILEGES FOR VCENTER 5.5
VirtualMachine.Config.AddNewDisk VirtualMachine.Config.AddNewDisk
VirtualMachine.Config.AdvanceConfig VirtualMachine.Config.AdvancedConfig
VirtualMachine.Config.ChangeTracking VirtualMachine.Config.ChangeTracking
VirtualMachine.Config.HostUSBDevice
VirtualMachine.Config.QueryUnownedFiles
VirtualMachine.Config.SwapPlacement VirtualMachine.Config.SwapPlacement
VirtualMachine.Interact.PowerOff VirtualMachine.Interact.PowerOff
VirtualMachine.Inventory.Create VirtualMachine.Inventory.Create
VirtualMachine.Provisioning.DiskRandomAccess
VirtualMachine.Provisioning.DiskRandomRead VirtualMachine.Provisioning.DiskRandomRead
VirtualMachine.State.CreateSnapshot VirtualMachine.State.CreateSnapshot
VirtualMachine.State.RemoveSnapshot VirtualMachine.State.RemoveSnapshot
Create a vCenter Server user account and permissions

After the role with privileges is set up, create a user account. The user account has a name and password, which
provides the credentials that are used for authentication.
1. To create a user account, in the vCenter Server Navigator panel, click Users and Groups.
The vCenter Users and Groups panel appears.

2. In the vCenter Users and Groups panel, select the Users tab, and then click the add users icon (the +
symbol).
The New User dialog box appears.
3. In the New User dialog box, add the user's information and then click OK. In this procedure, the username
is BackupAdmin.
The new user account appears in the list.

4. To associate the user account with the role, in the Navigator panel, click Global Permissions. In the
Global Permissions panel, select the Manage tab, and then click the add icon (the + symbol).
The Global Permissions Root - Add Permission dialog box appears.

5. In the Global Permission Root - Add Permission dialog box, click Add to choose the user or group.
The Select Users/Groups dialog box appears.
6. In the Select Users/Groups dialog box, choose BackupAdmin and then click Add.
In Users, the domain\username format is used for the user account. If you want to use a different domain,
choose it from the Domain list.
Click OK to add the selected users to the Add Permission dialog box.
7. Now that you've identified the user, assign the user to the role. In Assigned Role, from the drop-down list,
select BackupAdminRole, and then click OK.
On the Manage tab in the Global Permissions panel, the new user account and the associated role appear
in the list.
Establish vCenter Server credentials on Azure Backup Server

Before you add the VMware server to Azure Backup Server, install Update 1 for Azure Backup Server.
1. To open Azure Backup Server, double-click the icon on the Azure Backup Server desktop.
If you can't find the icon on the desktop, open Azure Backup Server from the list of installed apps. The Azure
Backup Server app name is called Microsoft Azure Backup.
2. In the Azure Backup Server console, click Management, click Production Servers, and then on the tool
ribbon, click Manage VMware.
The Manage Credentials dialog box appears.
3. In the Manage Credentials dialog box, click Add to open the Add Credential dialog box.
4. In the Add Credential dialog box, enter a name and a description for the new credential. Then specify the
username and password. The name, Contoso Vcenter credential is used to identify the credential in the next
procedure. Use the same username and password that is used for the vCenter Server. If the vCenter Server
and Azure Backup Server are not in the same domain, in User name, specify the domain.
Click Add to add the new credential to Azure Backup Server. The new credential appears in the list in the
Manage Credentials dialog box.
5. To close the Manage Credentials dialog box, click the X in the upper-right corner.
Add the vCenter Server to Azure Backup Server

Production Server Addition Wizard is used to add the vCenter Server to Azure Backup Server.
To open Production Server Addition Wizard, complete the following procedure:
1. In the Azure Backup Server console, click Management, click Production Servers, and then click Add.
The Production Server Addition Wizard dialog box appears.

2. On the Select Production Server type page, select VMware Servers, and then click Next.
3. In Server Name/IP Address, specify the fully qualified domain name (FQDN) or IP address of the VMware
server. If all the ESXi servers are managed by the same vCenter, you can use the vCenter name.
4. In SSL Port, enter the port that is used to communicate with the VMware server. Use port 443, which is the
default port, unless you know that a different port is required.
5. In Specify Credential, select the credential that you created earlier.
6. Click Add to add the VMware server to the list of Added VMware Servers, and then click Next to move to
the next page in the wizard.
7. In the Summary page, click Add to add the specified VMware server to Azure Backup Server.
The VMware server backup is an agentless backup, and the new server is added immediately. The Finish
page shows you the results.
To add multiple instances of vCenter Server to Azure Backup Server, repeat the previous steps in this
section.
After you add the vCenter Server to Azure Backup Server, the next step is to create a protection group. The
protection group specifies the various details for short or long-term retention, and it is where you define and
apply the backup policy. The backup policy is the schedule for when backups occur, and what is backed up.
Configure a protection group

If you have not used System Center Data Protection Manager or Azure Backup Server before, see Plan for disk
backups to prepare your hardware environment. After you check that you have proper storage, use the Create
New Protection Group wizard to add VMware virtual machines.
1. In the Azure Backup Server console, click Protection, and in the tool ribbon, click New to open the Create
New Protection Group wizard.
The Create New Protection Group wizard dialog box appears.
Click Next to advance to the Select protection group type page.

2. On the Select Protection group type page, select Servers and then click Next. The Select group
members page appears.
3. On the Select group members page, the available members and the selected members appear. Select the
members that you want to protect, and then click Next.
When you select a member, if you select a folder that contains other folders or VMs, those folders and VMs
are also selected. The inclusion of the folders and VMs in the parent folder is called folder-level protection.
To remove a folder or VM, clear the check box.
If a VM, or a folder containing a VM, is already protected to Azure, you cannot select that VM again. That is,
after a VM is protected to Azure, it cannot be protected again, which prevents duplicate recovery points
from being created for one VM. If you want to see which Azure Backup Server instance already protects a
member, point to the member to see the name of the protecting server.
4. On the Select Data Protection Method page, enter a name for the protection group. Short-term
protection (to disk) and online protection are selected. If you want to use online protection (to Azure), you
must use short-term protection to disk. Click Next to proceed to the short-term protection range.
5. On the Specify Short-Term Goals page, for Retention Range, specify the number of days that you want
to retain recovery points that are stored to disk. If you want to change the time and days when recovery
points are taken, click Modify. The short-term recovery points are full backups. They are not incremental
backups. When you are satisfied with the short-term goals, click Next.
6. On the Review Disk Allocation page, review and if necessary, modify the disk space for the VMs. The
recommended disk allocations are based on the retention range that is specified in the Specify Short-
Term Goals page, the type of workload, and the size of the protected data (identified in step 3).
Data size: Size of the data in the protection group.
Disk space: The recommended amount of disk space for the protection group. If you want to modify
this setting, you should allocate total space that is slightly larger than the amount that you estimate each
data source grows.
Colocate data: If you turn on colocation, multiple data sources in the protection can map to a single
replica and recovery point volume. Colocation isn't supported for all workloads.
Automatically grow: If you turn on this setting, if data in the protected group outgrows the initial
allocation, System Center Data Protection Manager tries to increase the disk size by 25 percent.
Storage pool details: Shows the status of the storage pool, including total and remaining disk size.
When you are satisfied with the space allocation, click Next.
7. On the Choose Replica Creation Method page, specify how you want to generate the initial copy, or
replica, of the protected data on Azure Backup Server.
The default is Automatically over the network and Now. If you use the default, we recommend that you
specify an off-peak time. Choose Later and specify a day and time.
For large amounts of data or less-than-optimal network conditions, consider replicating the data offline by
using removable media.
After you have made your choices, click Next.
8. On the Consistency Check Options page, select how and when to automate the consistency checks. You
can run consistency checks when replica data becomes inconsistent, or on a set schedule.
If you don't want to configure automatic consistency checks, you can run a manual check. In the protection
area of the Azure Backup Server console, right-click the protection group and then select Perform
Consistency Check.
Click Next to move to the next page.
9. On the Specify Online Protection Data page, select one or more data sources that you want to protect.
You can select the members individually, or click Select All to choose all members. After you choose the
members, click Next.
10. On the Specify Online Backup Schedule page, specify the schedule to generate recovery points from the
disk backup. After the recovery point is generated, it is transferred to the Recovery Services vault in Azure.
When you are satisfied with the online backup schedule, click Next.
11. On the Specify Online Retention Policy page, indicate how long you want to retain the backup data in
Azure. After the policy is defined, click Next.
There is no time limit for how long you can keep data in Azure. When you store recovery point data in
Azure, the only limit is that you cannot have more than 9999 recovery points per protected instance. In this
example, the protected instance is the VMware server.
12. On the Summary page, review the details for your protection group members and settings, and then click
Create Group.
Next steps
If you use Azure Backup Server to protect VMware workloads, you may be interested in using Azure Backup Server
to help protect a Microsoft Exchange server, a Microsoft SharePoint farm, or a SQL Server database.
For information on problems with registering the agent, configuring the protection group, or backing up jobs, see
Troubleshoot Azure Backup Server.
Back up an Exchange server to Azure Backup with
Azure Backup Server
This article describes how to configure Microsoft Azure Backup Server (MABS) to back up a Microsoft Exchange
server to Azure.
Prerequisites
Before you continue, make sure that Azure Backup Server is installed and prepared.
MABS protection agent

To install the MABS protection agent on the Exchange server, follow these steps:
1. Make sure that the firewalls are correctly configured. See Configure firewall exceptions for the agent.
2. Install the agent on the Exchange server by clicking Management > Agents > Install in MABS Administrator
Console. See Install the MABS protection agent for detailed steps.
Create a protection group for the Exchange server

1. In the MABS Administrator Console, click Protection, and then click New on the tool ribbon to open the Create
2. On the Welcome screen of the wizard click Next.
3. On the Select protection group type screen, select Servers and click Next.
4. Select the Exchange server database that you want to protect and click Next.
NOTE
If you are protecting Exchange 2013, check the Exchange 2013 prerequisites.
In the following example, the Exchange 2010 database is selected.

5. Select the data protection method.
Name the protection group, and then select both of the following options:
I want short-term protection using Disk.
I want online protection.
6. Click Next.
7. Select the Run Eseutil to check data integrity option if you want to check the integrity of the Exchange
Server databases.
After you select this option, backup consistency checking will be run on MABS to avoid the I/O traffic thats
generated by running the eseutil command on the Exchange server.
NOTE
To use this option, you must copy the Ese.dll and Eseutil.exe files to the C:\Program Files\Microsoft Azure
Backup\DPM\DPM\bin directory on the MAB server. Otherwise, the following error is triggered:
8. Click Next.
9. Select the database for Copy Backup, and then click Next.
NOTE
If you do not select Full backup for at least one DAG copy of a database, logs will not be truncated.
10. Configure the goals for Short-Term backup, and then click Next.
11. Review the available disk space, and then click Next.
12. Select the time at which the MAB Server will create the initial replication, and then click Next.
13. Select the consistency check options, and then click Next.
14. Choose the database that you want to back up to Azure, and then click Next. For example:
15. Define the schedule for Azure Backup, and then click Next. For example:
NOTE
Note Online recovery points are based on express full recovery points. Therefore, you must schedule the online
recovery point after the time thats specified for the express full recovery point.
16. Configure the retention policy for Azure Backup, and then click Next.
17. Choose an online replication option and click Next.
If you have a large database, it could take a long time for the initial backup to be created over the network.
To avoid this issue, you can create an offline backup.
18. Confirm the settings, and then click Create Group.

19. Click Close.
Recover the Exchange database

1. To recover an Exchange database, click Recovery in the MABS Administrator Console.
2. Locate the Exchange database that you want to recover.
3. Select an online recovery point from the recovery time drop-down list.
4. Click Recover to start the Recovery Wizard.
For online recovery points, there are five recovery types:
Recover to original Exchange Server location: The data will be recovered to the original Exchange server.
Recover to another database on an Exchange Server: The data will be recovered to another database on
another Exchange server.
Recover to a Recovery Database: The data will be recovered to an Exchange Recovery Database (RDB).
Copy to a network folder: The data will be recovered to a network folder.
Copy to tape: If you have a tape library or a stand-alone tape drive attached and configured on MABS, the
recovery point will be copied to a free tape.
Next steps
Azure Backup FAQ
Back up a SharePoint farm to Azure
You back up a SharePoint farm to Microsoft Azure by using Microsoft Azure Backup Server (MABS) in much the
same way that you back up other data sources. Azure Backup provides flexibility in the backup schedule to create
daily, weekly, monthly, or yearly backup points and gives you retention policy options for various backup points. It
also provides the capability to store local disk copies for quick recovery-time objectives (RTO) and to store copies to
Azure for economical, long-term retention.
SharePoint supported versions and related protection scenarios

Azure Backup for DPM supports the following scenarios:
WORKLOAD VERSION SHAREPOINT DEPLOYMENT PROTECTION AND RECOVERY
SharePoint SharePoint 2013, SharePoint SharePoint deployed as a Protect SharePoint Farm

2010, SharePoint 2007, physical server or Hyper- recovery options: Recovery
SharePoint 3.0 V/VMware virtual machine farm, database, and file or
-------------- list item from disk recovery
SQL AlwaysOn points. Farm and database
recovery from Azure
recovery points.
Before you start

There are a few things you need to confirm before you back up a SharePoint farm to Azure.
Prerequisites
Before you proceed, make sure that you have installed and prepared the Azure Backup Server to protect workloads.
Protection agent
The Protection agent must be installed on the server that's running SharePoint, the servers that are running SQL
Server, and all other servers that are part of the SharePoint farm. For more information about how to set up the
protection agent, see Setup Protection Agent. The one exception is that you install the agent only on a single web
front end (WFE) server. DPM needs the agent on one WFE server only to serve as the entry point for protection.
SharePoint farm
For every 10 million items in the farm, there must be at least 2 GB of space on the volume where the MABS folder
is located. This space is required for catalog generation. For MABS to recover specific items (site collections, sites,
lists, document libraries, folders, individual documents, and list items), catalog generation creates a list of the URLs
that are contained within each content database. You can view the list of URLs in the recoverable item pane in the
Recovery task area of MABS Administrator Console.
SQL Server
MABS runs as a LocalSystem account. To back up SQL Server databases, MABS needs sysadmin privileges on that
account for the server that's running SQL Server. Set NT AUTHORITY\SYSTEM to sysadmin on the server that's
running SQL Server before you back it up.
If the SharePoint farm has SQL Server databases that are configured with SQL Server aliases, install the SQL Server
client components on the front-end Web server that MABS will protect.
SharePoint Server
While performance depends on many factors such as size of SharePoint farm, as general guidance one MABS can
protect a 25 TB SharePoint farm.
What's not supported
MABS that protects a SharePoint farm does not protect search indexes or application service databases. You will
need to configure the protection of these databases separately.
MABS does not provide backup of SharePoint SQL Server databases that are hosted on scale-out file server
(SOFS) shares.
Configure SharePoint protection

Before you can use MABS to protect SharePoint, you must configure the SharePoint VSS Writer service (WSS
Writer service) by using ConfigureSharePoint.exe.
You can find ConfigureSharePoint.exe in the [MABS Installation Path]\bin folder on the front-end web server.
This tool provides the protection agent with the credentials for the SharePoint farm. You run it on a single WFE
server. If you have multiple WFE servers, select just one when you configure a protection group.
To configure the SharePoint VSS Writer service
1. On the WFE server, at a command prompt, go to [MABS installation location]\bin\
2. Enter ConfigureSharePoint -EnableSharePointProtection.
3. Enter the farm administrator credentials. This account should be a member of the local Administrator group on
the WFE server. If the farm administrator isnt a local admin grant the following permissions on the WFE server:
Grant the WSS_Admin_WPG group full control to the DPM folder (%Program Files%\Microsoft Azure
Backup\DPM).
Grant the WSS_Admin_WPG group read access to the DPM Registry key
(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager).
NOTE
Youll need to rerun ConfigureSharePoint.exe whenever theres a change in the SharePoint farm administrator credentials.
Back up a SharePoint farm by using MABS

After you have configured MABS and the SharePoint farm as explained previously, SharePoint can be protected by
MABS.
To protect a SharePoint farm
1. From the Protection tab of the MABS Administrator Console, click New.
2. On the Select Protection Group Type page of the Create New Protection Group wizard, select Servers,
and then click Next.
3. On the Select Group Members screen, select the check box for the SharePoint server you want to protect
and click Next.
NOTE
With the protection agent installed, you can see the server in the wizard. MABS also shows its structure. Because you
ran ConfigureSharePoint.exe, MABS communicates with the SharePoint VSS Writer service and its corresponding SQL
Server databases and recognizes the SharePoint farm structure, the associated content databases, and any
corresponding items.
4. On the Select Data Protection Method page, enter the name of the Protection Group, and select your
preferred protection methods. Click Next.
NOTE
The disk protection method helps to meet short recovery-time objectives.
5. On the Specify Short-Term Goals page, select your preferred Retention range and identify when you
want backups to occur.
NOTE
Because recovery is most often required for data that's less than five days old, we selected a retention range of five
days on disk and ensured that the backup happens during non-production hours, for this example.
6. Review the storage pool disk space allocated for the protection group, and click then Next.
7. For every protection group, MABS allocates disk space to store and manage replicas. At this point, MABS
must create a copy of the selected data. Select how and when you want the replica created, and then click
Next.
NOTE
To make sure that network traffic is not effected, select a time outside production hours.
8. MABS ensures data integrity by performing consistency checks on the replica. There are two available
options. You can define a schedule to run consistency checks, or DPM can run consistency checks
automatically on the replica whenever it becomes inconsistent. Select your preferred option, and then click
Next.
9. On the Specify Online Protection Data page, select the SharePoint farm that you want to protect, and
then click Next.
10. On the Specify Online Backup Schedule page, select your preferred schedule, and then click Next.
NOTE
MABS provides a maximum of two daily backups to Azure from the then available latest disk backup point. Azure
Backup can also control the amount of WAN bandwidth that can be used for backups in peak and off-peak hours by
using Azure Backup Network Throttling.
11. Depending on the backup schedule that you selected, on the Specify Online Retention Policy page, select
the retention policy for daily, weekly, monthly, and yearly backup points.
NOTE
MABS uses a grandfather-father-son retention scheme in which a different retention policy can be chosen for
different backup points.
12. Similar to disk, an initial reference point replica needs to be created in Azure. Select your preferred option to
create an initial backup copy to Azure, and then click Next.
13. Review your selected settings on the Summary page, and then click Create Group. You will see a success
message after the protection group has been created.
Restore a SharePoint item from disk by using MABS
In the following example, the Recovering SharePoint item has been accidentally deleted and needs to be recovered.
1. Open the DPM Administrator Console. All SharePoint farms that are protected by DPM are shown in the
Protection tab.
2. To begin to recover the item, select the Recovery tab.
3. You can search SharePoint for Recovering SharePoint item by using a wildcard-based search within a
recovery point range.
4. Select the appropriate recovery point from the search results, right-click the item, and then select Recover.
5. You can also browse through various recovery points and select a database or item to recover. Select Date >
Recovery time, and then select the correct Database > SharePoint farm > Recovery point > Item.
6. Right-click the item, and then select Recover to open the Recovery Wizard. Click Next.
7. Select the type of recovery that you want to perform, and then click Next.
NOTE
The selection of Recover to original in the example recovers the item to the original SharePoint site.
8. Select the Recovery Process that you want to use.

Select Recover without using a recovery farm if the SharePoint farm has not changed and is the same
as the recovery point that is being restored.
Select Recover using a recovery farm if the SharePoint farm has changed since the recovery point
was created.
9. Provide a staging SQL Server instance location to recover the database temporarily, and provide a staging
file share on MABS and the server that's running SharePoint to recover the item.
MABS attaches the content database that is hosting the SharePoint item to the temporary SQL Server
instance. From the content database, it recovers the item and puts it on the staging file location on MABS.
The recovered item that's on the staging location now needs to be exported to the staging location on the
SharePoint farm.
10. Select Specify recovery options, and apply security settings to the SharePoint farm or apply the security
settings of the recovery point. Click Next.
NOTE
You can choose to throttle the network bandwidth usage. This minimizes impact to the production server during
production hours.
11. Review the summary information, and then click Recover to begin recovery of the file.
12. Now select the Monitoring tab in the MABS Administrator Console to view the Status of the recovery.
NOTE
The file is now restored. You can refresh the SharePoint site to check the restored file.
Restore a SharePoint database from Azure by using DPM
1. To recover a SharePoint content database, browse through various recovery points (as shown previously),
and select the recovery point that you want to restore.
2. Double-click the SharePoint recovery point to show the available SharePoint catalog information.
NOTE
Because the SharePoint farm is protected for long-term retention in Azure, no catalog information (metadata) is
available on MABS. As a result, whenever a point-in-time SharePoint content database needs to be recovered, you
need to catalog the SharePoint farm again.
3. Click Re-catalog.
The Cloud Recatalog status window opens.

After cataloging is finished, the status changes to Success. Click Close.
4. Click the SharePoint object shown in the MABS Recovery tab to get the content database structure. Right-
click the item, and then click Recover.
5. At this point, follow the recovery steps earlier in this article to recover a SharePoint content database from disk.
FAQs
Q: Can I recover a SharePoint item to the original location if SharePoint is configured by using SQL AlwaysOn (with
protection on disk)?
A: Yes, the item can be recovered to the original SharePoint site.
Q: Can I recover a SharePoint database to the original location if SharePoint is configured by using SQL AlwaysOn?
A: Because SharePoint databases are configured in SQL AlwaysOn, they cannot be modified unless the availability
group is removed. As a result, MABS cannot restore a database to the original location. You can recover a SQL
Server database to another SQL Server instance.
Next steps
Learn more about MABS Protection of SharePoint - see Video Series - DPM Protection of SharePoint
Back up SQL Server to Azure With Azure Backup
Server
This article leads you through the configuration steps for backup of SQL Server databases using Microsoft Azure
Backup Server (MABS).
The management of SQL Server database backup to Azure and recovery from Azure involves three steps:
1. Create a backup policy to protect SQL Server databases to Azure.
2. Create on-demand backup copies to Azure.
3. Recover the database from Azure.
Before you start

Before you begin, ensure that you have installed and prepared the Azure Backup Server.
Create a backup policy to protect SQL Server databases to Azure

1. On the Azure Backup Server UI, click the Protection workspace.
2. On the tool ribbon, click New to create a new protection group.
3. MABS shows the start screen with the guidance on creating a Protection Group. Click Next.
4. Select Servers.
5. Expand the SQL Server machine where the databases to be backed up are present. MABS shows various
data sources that can be backed up from that server. Expand the All SQL Shares and select the databases
(in this case we selected ReportServer$MSDPM2012 and ReportServer$MSDPM2012TempDB) to be
backed up. Click Next.
6. Provide a name for the protection group and select the I want online Protection checkbox.
7. In the Specify Short-Term Goals screen, include the necessary inputs to create backup points to disk.
Here we see that Retention range is set to 5 days, Synchronization frequency is set to once every 15
minutes which is the frequency at which backup is taken. Express Full Backup is set to 8:00 P.M.
NOTE
At 8:00 PM (according to the screen input) a backup point is created every day by transferring the data that has
been modified from the previous days 8:00 PM backup point. This process is called Express Full Backup. While the
transaction logs are synchronized every 15 minutes, if there is a need to recover the database at 9:00 PM then the
point is created by replaying the logs from the last express full backup point (8pm in this case).
8. Click Next
MABS shows the overall storage space available and the potential disk space utilization.
By default, MABS creates one volume per data source (SQL Server database) which is used for the initial
backup copy. Using this approach, the Logical Disk Manager (LDM) limits MABS protection to 300 data
sources (SQL Server databases). To work around this limitation, select the Co-locate data in DPM Storage
Pool, option. If you use this option, MABS uses a single volume for multiple data sources, which allows
MABS to protect up to 2000 SQL databases.
If Automatically grow the volumes option is selected, MABS can account for the increased backup
volume as the production data grows. If Automatically grow the volumes option is not selected, MABS
limits the backup storage used to the data sources in the protection group.
9. Administrators are given the choice of transferring this initial backup manually (off network) to avoid
bandwidth congestion or over the network. They can also configure the time at which the initial transfer can
happen. Click Next.
The initial backup copy requires transfer of the entire data source (SQL Server database) from production
server (SQL Server machine) to MABS. This data might be large, and transferring the data over the network
could exceed bandwidth. For this reason, administrators can choose to transfer the initial backup: Manually
(using removable media) to avoid bandwidth congestion, or Automatically over the network (at a
specified time).
Once the initial backup is complete, the rest of the backups are incremental backups on the initial backup
copy. Incremental backups tend to be small and are easily transferred across the network.
10. Choose when you want the consistency check to run and click Next.
MABS can perform a consistency check to check the integrity of the backup point. It calculates the checksum
of the backup file on the production server (SQL Server machine in this scenario) and the backed-up data
for that file at MABS. In the case of a conflict, it is assumed that the backed-up file at MABS is corrupt. MABS
rectifies the backed-up data by sending the blocks corresponding to the checksum mismatch. As the
consistency check is a performance-intensive operation, administrators have the option of scheduling the
consistency check or running it automatically.
11. To specify online protection of the datasources, select the databases to be protected to Azure and click
Next.
12. Administrators can choose backup schedules and retention policies that suit their organization policies.
In this example, backups are taken once a day at 12:00 PM and 8 PM (bottom part of the screen)
NOTE
Its a good practice to have a few short-term recovery points on disk, for quick recovery. These recovery points are
used for operational recovery". Azure serves as a good offsite location with higher SLAs and guaranteed availability.
Best Practice: Make sure that Azure Backups are scheduled after the completion of local disk backups
using DPM. This enables the latest disk backup to be copied to Azure.
13. Choose the retention policy schedule. The details on how the retention policy works are provided at Use
Azure Backup to replace your tape infrastructure article.
In this example:
Backups are taken once a day at 12:00 PM and 8 PM (bottom part of the screen) and are retained for 180
days.
The backup on Saturday at 12:00 P.M. is retained for 104 weeks
The backup on Last Saturday at 12:00 P.M. is retained for 60 months
The backup on Last Saturday of March at 12:00 P.M. is retained for 10 years
14. Click Next and select the appropriate option for transferring the initial backup copy to Azure. You can
choose Automatically over the network or Offline Backup.
Automatically over the network transfers the backup data to Azure as per the schedule chosen for
backup.
How Offline Backup works is explained at Offline Backup workflow in Azure Backup.
Choose the relevant transfer mechanism to send the initial backup copy to Azure and click Next.
15. Once you review the policy details in the Summary screen, click on the Create group button to complete
the workflow. You can click the Close button and monitor the job progress in Monitoring workspace.
On-demand backup of a SQL Server database
While the previous steps created a backup policy, a recovery point is created only when the first backup occurs.
Rather than waiting for the scheduler to kick in, the steps below trigger the creation of a recovery point manually.
1. Wait until the protection group status shows OK for the database before creating the recovery point.
2. Right-click on the database and select Create Recovery Point.

3. Choose Online Protection in the drop-down menu and click OK. This starts the creation of a recovery
point in Azure.
4. You can view the job progress in the Monitoring workspace where you'll find an in progress job like the
one depicted in the next figure.
Recover a SQL Server database from Azure

The following steps are required to recover a protected entity (SQL Server database) from Azure.
1. Open the DPM server Management Console. Navigate to Recovery workspace where you can see the
servers backed up by DPM. Browse the required database (in this case ReportServer$MSDPM2012). Select
a Recovery from time which ends with Online.
2. Right-click the database name and click Recover.
3. DPM shows the details of the recovery point. Click Next. To overwrite the database, select the recovery type
Recover to original instance of SQL Server. Click Next.
In this example, DPM allows recovery of the database to another SQL Server instance or to a standalone
network folder.
4. In the Specify Recovery options screen, you can select the recovery options like Network bandwidth usage
throttling to throttle the bandwidth used by recovery. Click Next.
5. In the Summary screen, you see all the recovery configurations provided so far. Click Recover.
The Recovery status shows the database being recovered. You can click Close to close the wizard and view
the progress in the Monitoring workspace.
Once the recovery is completed, the restored database is application consistent.

Next Steps:
Azure Backup FAQ
Back up system state and restore to bare metal with
Azure Backup Server
Azure Backup Server backs up system state and provides bare-metal recovery (BMR) protection.
System state backup: Backs up operating system files, so you can recover when a computer starts, but system
files and the registry are lost. A system state backup includes:
Domain member: Boot files, COM+ class registration database, registry
Domain controller: Windows Server Active Directory (NTDS), boot files, COM+ class registration database,
registry, system volume (SYSVOL)
Computer that runs cluster services: Cluster server metadata
Computer that runs certificate services: Certificate data
Bare-metal backup: Backs up operating system files and all data on critical volumes (except user data). By
definition, a BMR backup includes a system state backup. It provides protection when a computer won't start and
you have to recover everything.
The following table summarizes what you can back up and recover. For detailed information about app versions
that can be protected with system state and BMR, see What does Azure Backup Server back up?.
RECOVER FROM AZURE

BACKUP SERVER RECOVER FROM SYSTEM
BACKUP ISSUE BACKUP STATE BACKUP BMR
File data Lost file data Y N N
Regular data backup
BMR/system state
backup
File data Lost or damaged N Y Y

operating system
Azure Backup Server
backup of file data
BMR/system state
backup
File data Lost server (data N N Y

volumes intact)
Azure Backup Server
backup of file data
BMR/system state
backup
RECOVER FROM AZURE
File data Lost server (data Y No Yes (BMR, followed by

volumes lost) regular recovery of
Azure Backup Server backed-up file data)
backup of file data
BMR/system state
backup
SharePoint data: Lost site, lists, list Y N N

items, documents
Azure Backup Server
backup of farm data
BMR/system state
backup
SharePoint data: Lost or damaged N Y Y

operating system
Azure Backup Server
backup of farm data
BMR/system state
backup
SharePoint data: Disaster recovery N N N
Azure Backup Server

backup of farm data
BMR/system state
backup
Windows Server 2012 Lost VM Y N N

R2 Hyper-V
Azure Backup Server

backup of Hyper-V
host or guest
BMR/system state
backup of host
Hyper-V Lost or damaged N Y Y

operating system
Azure Backup Server
backup of Hyper-V
host or guest
BMR/system state
backup of host
RECOVER FROM AZURE
Hyper-V Lost Hyper-V host N N Y

(VMs intact)
Azure Backup Server
backup of Hyper-V
host or guest
BMR/system state
backup of host
Hyper-V Lost Hyper-V host N N Y

(VMs lost)
Azure Backup Server BMR, followed by
backup of Hyper-V regular Azure Backup
host or guest Server recovery
BMR/system state
backup of host
SQL Server/Exchange Lost app data Y N N
Azure Backup Server

app backup
BMR/system state
backup
SQL Server/Exchange Lost or damaged N y Y

operating system
Azure Backup Server
app backup
BMR/system state
backup
SQL Server/Exchange Lost server N N Y

(database/transaction
Azure Backup Server logs intact)
app backup
BMR/system state
backup
SQL Server/Exchange Lost server N N Y

(database/transaction
Azure Backup Server logs lost) BMR recovery,
app backup followed by regular
Azure Backup Server
BMR/system state recovery
backup
How system state backup works

When a system state backup runs, Backup Server communicates with Windows Server Backup to request a backup
of the server's system state. By default, Backup Server and Windows Server Backup use the drive that has the most
available free space. Information about this drive is saved in the PSDataSourceConfig.xml file. This is the drive that
Windows Server Backup uses for backups.
You can customize the drive that Backup Server uses for the system state backup. On the protected server, go to
C:\Program Files\Microsoft Data Protection Manager\MABS\Datasources. Open the PSDataSourceConfig.xml file for
editing. Change the <FilesToProtect> value for the drive letter. Save and close the file. If there's a protection group
set to protect the system state of the computer, run a consistency check. If an alert is generated, select Modify
protection group in the alert, and then complete the wizard. Then, run another consistency check.
Note that if the protection server is in a cluster, it's possible that a cluster drive will be selected as the drive with the
most free space. If that drive ownership has been switched to another node and a system state backup runs, the
drive isn't available and the backup fails. In this scenario, modify PSDataSourceConfig.xml to point to a local drive.
Next, Windows Server Backup creates a folder called WindowsImageBackup in the root of the restore folder. As
Windows Server Backup creates the backup, all the data is placed in this folder. When the backup is finished, the file
is transferred to the Backup Server computer. Note the following information:
This folder and its contents are not cleaned up when the backup or transfer is finished. The best way to think of
this is that the space is being reserved for the next time a backup is finished.
The folder is created every time a backup is made. The time and date stamp reflect the time of your last system
state backup.
BMR backup
For BMR (including a system state backup), the backup job is saved directly to a share on the Backup Server
computer. It is not saved to a folder on the protected server.
Backup Server calls Windows Server Backup and shares out the replica volume for that BMR backup. In this case, it
doesn't tell Windows Server Backup to use the drive with the most free space. Instead, it uses the share that was
created for the job.
When the backup is finished, the file is transferred to the Backup Server computer. Logs are stored in
C:\Windows\Logs\WindowsServerBackup.
Prerequisites and limitations

BMR isn't supported for computers that run Windows Server 2003 or for computers that run a client
operating system.
You can't protect BMR and system state for the same computer in different protection groups.
A Backup Server computer can't protect itself for BMR.
Short-term protection to tape (disk-to-tape, or D2T) isn't supported for BMR. Long-term storage to tape
(disk-to-disk-to-tape, or D2D2T) is supported.
For BMR protection, Windows Server Backup must be installed on the protected computer.
For BMR protection, unlike for system state protection, Backup Server doesn't have any space requirements
on the protected computer. Windows Server Backup directly transfers backups to the Backup Server
computer. The backup transfer job doesn't appear in the Backup Server Jobs view.
Backup Server reserves 30 GB of space on the replica volume for BMR. You can change this on the Disk
Allocation page in the Modify Protection Group wizard or by using the Get-DatasourceDiskAllocation and
Set-DatasourceDiskAllocation PowerShell cmdlets. On the recovery point volume, BMR protection requires
about 6 GB for a retention of five days.
Note that you can't reduce the replica volume size to less than 15 GB.
Backup Server doesn't calculate the size of the BMR data source. It assumes 30 GB for all servers. Change
the value based on the size of BMR backups that you expect in your environment. The size of a BMR
backup can be roughly calculated as the sum of used space on all critical volumes. Critical volumes = boot
volume + system volume + volume hosting system state data, such as Active Directory.
If you change from system state protection to BMR protection, BMR protection requires less space on the
recovery point volume. However, the extra space on the volume is not reclaimed. You can manually shrink
the volume size on the Modify Disk Allocation page of the Modify Protection Group wizard or by using the
Get-DatasourceDiskAllocation and Set-DatasourceDiskAllocation PowerShell cmdlets.
If you change from system state protection to BMR protection, BMR protection requires more space on the
replica volume. The volume is automatically extended. If you want to change the default space allocations,
use the Modify-DiskAllocation PowerShell cmdlet.
If you change from BMR protection to system state protection, you need more space on the recovery point
volume. Backup Server might try to automatically increase the volume. If there is insufficient space in the
storage pool, an error occurs.
If you change from BMR protection to system state protection, you need space on the protected computer.
This is because system state protection first writes the replica to the local computer, and then transfers it to
the Backup Server computer.
Before you begin

1. Deploy Azure Backup Server. Verify that Backup Server is correctly deployed. For more information, see:
System requirements for Azure Backup Server
Backup Server protection matrix
2. Set up storage. You can store backup data on disk, on tape, and in the cloud with Azure. For more
information, see Prepare data storage.
3. Set up the protection agent. Install the protection agent on the computer that you want to back up. For
more information, see Deploy the DPM protection agent.
Back up system state and bare metal

Set up a protection group as described in Deploy protection groups. Note that you can't protect BMR and system
state for the same computer in different groups. Also, when you select BMR, system state is automatically enabled.
1. To open the Create New Protection Group wizard in the Backup Server Administrator Console, select
Protection > Actions > Create Protection Group.
2. On the Select Protection Group Type page, select Servers, and then select Next.
3. On the Select Group Members page, expand the computer, and then select either BMR or system state.
Remember that you can't protect both BMR and system state for the same computer in different groups.
Also, when you select BMR, system state is automatically enabled. For more information, see Deploy
protection groups.
4. On the Select Data Protection Method page, select how you want to handle short-term and long-term
backup. Short-term backup is always to disk first, with the option of backing up from the disk to the Azure
cloud by using Azure Backup (short-term or long-term). An alternative to long-term backup to the cloud is to
set up long-term backup to a standalone tape device or tape library that's connected to Backup Server.
5. On the Select Short-Term Goals page, select how you want to back up to short-term storage on disk:
a. For Retention range, select how long you want to keep the data on disk.
b. For Synchronization frequency, select how often you want to run an incremental backup to disk. If you
don't want to set a backup interval, you can check the Just before a recovery point option. Backup
Server will run an express, full backup just before each recovery point is scheduled.
6. If you want to store data on tape for long-term storage, on the Specify Long-Term Goals page, select how
long you want to keep tape data (1-99 years).
a. For Frequency of backup, select how often backup to tape should run. The frequency is based on the
retention range you've selected:
When the retention range is 1-99 years, you can select backups to occur daily, weekly, biweekly,
monthly, quarterly, half-yearly, or yearly.
When the retention range is 1-11 months, you can select backups to occur daily, weekly, biweekly,
or monthly.
When the retention range is 1-4 weeks, you can select backups to occur daily or weekly.
b. On the Select Tape and Library Details page, select the tape and library to use, and whether data
should be compressed and encrypted.
7. On the Review Disk Allocation page, review the storage pool disk space that's allocated for the protection
group.
a. Total Data size is the size of the data you want to back up.
b. Disk space to be provisioned on Azure Backup Server is the space that Backup Server recommends
for the protection group. Backup Server chooses the ideal backup volume based on the settings. However,
you can edit the backup volume choices in Disk allocation details.
c. For workloads, in the drop-down menu, select the preferred storage. Your edits change the values for
Total Storage and Free Storage in the Available Disk Storage pane. Underprovisioned space is the
amount of storage that Backup Server suggests you add to the volume, to ensure smooth backups.
8. On the Choose Replica Creation Method page, select how you want to handle the initial full data
replication. If you choose to replicate over the network, we recommend that you choose an off-peak time. For
large amounts of data or for network conditions that are less than optimal, consider replicating the data
offline by using removable media.
9. On the Choose Consistency Check Options page, select how you want to automate consistency checks.
You can choose to run a check only when replica data becomes inconsistent, or on a schedule. If you don't
want to configure automatic consistency checking, you can run a manual check at any time. To run a manual
check, in the Protection area of the Backup Server Administrator Console, right-click the protection group,
and then select Perform Consistency Check.
10. If you've selected to back up to the cloud by using Azure Backup, on the Specify Online Protection Data
page, make sure that you select the workloads you want to back up to Azure.
11. On the Specify Online Backup Schedule page, select how often incremental backups to Azure will occur.
You can schedule backups to run every day, week, month, and year, and select the time and date at which
they should run. Backups can occur up to twice a day. Each time a backup runs, a data recovery point is
created in Azure from the copy of the backup data stored on the Backup Server disk.
12. On the Specify Online Retention Policy page, select how the recovery points that are created from the
daily, weekly, monthly, and yearly backups are retained in Azure.
13. On the Choose Online Replication page, select how the initial full replication of data occurs. You can
replicate over the network or do an offline backup (offline seeding). Offline backup uses the Azure Import
feature. For more information, see Offline backup workflow in Azure Backup.
14. On the Summary page, review your settings. After you select Create Group, initial replication of the data
occurs. When data replication finishes, on the Status page, the protection group status is OK. Backup then
takes place per the protection group settings.
Recover system state or BMR
You can recover BMR or system state to a network location. If you've backed up BMR, use Windows Recovery
Environment (WinRE) to start your system and connect it to the network. Then, use Windows Server Backup to
recover from the network location. If you've backed up system state, just use Windows Server Backup to recover
from the network location.
Restore BMR
Run recovery on the Backup Server computer:
1. In the Recovery pane, find the computer you want to recover, and then select Bare Metal Recovery.
2. Available recovery points are indicated in bold on the calendar. Select the date and time for the recovery
point that you want to use.
3. On the Select Recovery Type page, select Copy to a network folder.
4. On the Specify Destination page, select where you want to copy the data to. Remember that the selected
destination needs to have enough room. We recommend that you create a new folder.
5. On the Specify Recovery Options page, select the security settings to apply. Then, select whether you want
to use storage area network (SAN)-based hardware snapshots, for quicker recovery. (This is an option only if
you have a SAN with this functionality available, and the ability to create and split a clone to make it writable.
In addition, the protected computer and Backup Server computer must be connected to the same network.)
6. Set up notification options. On the Confirmation page, select Recover.
Set up the share location:
1. In the restore location, go to the folder that has the backup.
2. Share the folder that is one level above WindowsImageBackup so that the root of the shared folder is the
WindowsImageBackup folder. If you don't do this, restore won't find the backup. To connect by using
Windows Recovery Environment (WinRE), you need a share that you can access in WinRE with the correct IP
address and credentials.
Restore the system:
1. Start the computer on which you want to restore the image by using the Windows DVD for the system you
are restoring.
2. On the first page, verify language and locale settings. On the Install page, select Repair your computer.
3. On the System Recovery Options page, select Restore your computer using a system image that you
created earlier.
4. On the Select a system image backup page, select Select a system image > Advanced > Search for a
system image on the network. If a warning appears, select Yes. Go to the share path, enter the credentials,
and then select the recovery point. This scans for specific backups that are available in that recovery point.
Select the recovery point that you want to use.
5. On the Choose how to restore the backup page, select Format and repartition disks. On the next page,
verify settings.
6. To begin the restore, select Finish. A restart is required.
Restore system state
Run recovery in Backup Server:
1. In the Recovery pane, find the computer that you want to recover, and then select Bare Metal Recovery.
2. Available recovery points are indicated in bold on the calendar. Select the date and time for the recovery
point that you want to use.
3. On the Select Recovery Type page, select Copy to a network folder.
4. On the Specify Destination page, select where you want to copy the data. Remember that the selected
destination needs enough room. We recommend that you create a new folder.
5. On the Specify Recovery Options page, select the security settings to apply. Then, select whether you want
to use SAN-based hardware snapshots for quicker recovery. (This is an option only if you have a SAN with
this functionality and the ability to create and split a clone to make it writable. In addition, the protected
computer and Backup Server server must be connected to the same network.)
6. Set up notification options. On the Confirmation page, select Recover.
Run Windows Server Backup:
1. Select Actions > Recover > This Server > Next.
2. Select Another Server, select the Specify Location Type page, and then select Remote shared folder.
Enter the path to the folder that contains the recovery point.
3. On the Select Recovery Type page, select System state.
4. On the Select Location for System State Recovery page, select Original Location.
5. On the Confirmation page, select Recover. After the restore, restart the server.
6. You also can run the system state restore at a command prompt. To do this, start Windows Server Backup on
the computer you want to recover. To get the version identifer, at a command prompt, enter:
wbadmin get versions -backuptarget \<servername\sharename\>
Use the version identifier to start the system state restore. At the command prompt, enter:
wbadmin start systemstaterecovery -version:<versionidentified> -backuptarget:<servername\sharename>
Confirm that you want to start the recovery. You can see the process in the Command Prompt window. A
restore log is created. After the restore, restart the server.
You can use Azure Backup Server to recover the data you've backed up to a Recovery Services vault. The process for
doing so is integrated into the Azure Backup Server management console, and is similar to the recovery workflow
for other Azure Backup components.
NOTE
This article is applicable for System Center Data Protection Manager 2012 R2 with UR7 or later, combined with the latest
Azure Backup agent.
To recover data from an Azure Backup Server:

1. From the Recovery tab of the Azure Backup Server management console, click 'Add External DPM' (at the top
left of the screen).
2. Download new vault credentials from the vault associated with the Azure Backup Server where the data
is being recovered, choose the Azure Backup Server from the list of Azure Backup Servers registered with the
Recovery Services vault, and provide the encryption passphrase associated with the server whose data is
being recovered.
NOTE
Only Azure Backup Servers associated with the same registration vault can recover each others data.
Once the External Azure Backup Server is successfully added, you can browse the data of the external server
and the local Azure Backup Server from the Recovery tab.
3. Browse the available list of production servers protected by the external Azure Backup Server and select the
appropriate data source.
4. Select the month and year from the Recovery points drop down, select the required Recovery date for
when the recovery point was created, and select the Recovery time.
A list of files and folders appears in the bottom pane, which can be browsed and recovered to any location.
5. Right click the appropriate item and click Recover.

6. Review the Recover Selection. Verify the data and time of the backup copy being recovered, as well as the
source from which the backup copy was created. If the selection is incorrect, click Cancel to navigate back to
recovery tab to select appropriate recovery point. If the selection is correct, click Next.
7. Select Recover to an alternate location. Browse to the correct location for the recovery.
8. Choose the option related to create copy, Skip, or Overwrite.
Create copy - creates a copy of the file if there is a name collision.
Skip - if there is a name collision, does not recover the file which leaves the original file.
Overwrite - if there is a name collision, overwrites the existing copy of the file.
Choose the appropriate option to Restore security. You can apply the security settings of the
destination computer where the data is being recovered or the security settings that were applicable
to product at the time the recovery point was created.
Identify whether a Notification is sent, once the recovery successfully completes.
9. The Summary screen lists the options chosen so far. Once you click Recover, the data is recovered to the
appropriate on-premises location.
NOTE
The recovery job can be monitored in the Monitoring tab of the Azure Backup Server.
10. You can click Clear External DPM on the Recovery tab of the DPM server to remove the view of the
external DPM server.
Troubleshooting Error Messages

NO. ERROR MESSAGE TROUBLESHOOTING STEPS
1. This server is not registered to the vault Cause: This error appears when the
specified by the vault credential. vault credential file selected does not
belong to the Recovery Services vault
associated with Azure Backup Server on
which the recovery is attempted.
Resolution: Download the vault
credential file from the Recovery
Services vault to which the Azure
Backup Server is registered.
2. Either the recoverable data is not Cause: There are no other Azure
available or the selected server is not a Backup Servers registered to the
DPM server. Recovery Services vault, or the servers
have not yet uploaded the metadata, or
the selected server is not an Azure
Backup Server (aka Windows Server or
Windows Client).
Resolution: If there are other Azure
Backup Servers registered to the
Recovery Services vault, ensure that the
latest Azure Backup agent is installed.
If there are other Azure Backup Servers
registered to the Recovery Services
vault, wait for a day after installation to
start the recovery process. The nightly
job will upload the metadata for all the
protected backups to cloud. The data
will be available for recovery.
3. No other DPM server is registered to Cause: There are no other Azure

this vault. Backup Servers that are registered to
the vault from which the recovery is
being attempted.
job uploads the metadata for all
4. The encryption passphrase provided Cause: The encryption passphrase used

does not match with passphrase in the process of encrypting the data
associated with the following server: from the Azure Backup Servers data
that is being recovered does not match
the encryption passphrase provided.
The agent is unable to decrypt the data.
Hence the recovery fails.
Resolution: Please provide the exact
same encryption passphrase associated
with the Azure Backup Server whose
data is being recovered.

Why cant I add an external DPM server after installing UR7 and latest Azure Backup agent?
For the DPM servers with data sources that are protected to the cloud (by using an update rollup earlier than
Update Rollup 7), you must wait at least one day after installing the UR7 and latest Azure Backup agent, to start
Add External DPM server. The one-day time period is needed to upload the metadata of the DPM protection
groups to Azure. Protection group metadata is uploaded the first time through a nightly job.
What is the minimum version of the Microsoft Azure Recovery Services agent needed?
The minimum version of the Microsoft Azure Recovery Services agent, or Azure Backup agent, required to enable
this feature is 2.0.8719.0. To view the agent's version: open Control Panel > All Control Panel items > Programs and
features > Microsoft Azure Recovery Services Agent. If the version is less than 2.0.8719.0, download and install the
latest Azure Backup agent.
Next steps:
Azure Backup FAQ
Prepare your environment to back up Resource
Manager-deployed virtual machines
This article provides the steps for preparing your environment to back up a Resource Manager-deployed virtual
machine (VM). The steps shown in the procedures use the Azure portal.
The Azure Backup service has two types of vaults (back up vaults and recovery services vaults) for protecting your
VMs. A backup vault protects VMs deployed using the Classic deployment model. A recovery services vault
protects both Classic-deployed or Resource Manager-deployed VMs. You must use a Recovery Services vault
to protect a Resource Manager-deployed VM.
NOTE
Azure has two deployment models for creating and working with resources: Resource Manager and Classic. See Prepare
your environment to back up Azure virtual machines for details on working with Classic deployment model VMs.
Before you can protect or back up a Resource Manager-deployed virtual machine (VM), make sure these
prerequisites exist:
Create a recovery services vault (or identify an existing recovery services vault) in the same location as your
VM.
Select a scenario, define the backup policy, and define items to protect.
Check the installation of VM Agent on virtual machine.
Check network connectivity
For Linux VMs, in case you want to customize your backup environment for application consistent backups
please follow the steps to configure pre-snapshot and post-snapshot scripts
If you know these conditions already exist in your environment then proceed to the Back up your VMs article. If
you need to set up, or check, any of these prerequisites, this article leads you through the steps to prepare that
prerequisite.
Supported operating system for backup

machine and support for Python exists. However, we do not endorse those distributions for backup.
Limitations when backing up and restoring a VM

Before you prepare your environment, please understand the limitations.
Backing up virtual machines with more than 16 data disks is not supported.
Backing up virtual machines with data disk sizes greater than 1023GB is not supported.
Backing up virtual machines with a reserved IP address and no defined endpoint is not supported.
Backup of VMs encrypted using just BEK is not supported. Backup of Linux VMs encrypted using LUKS
encryption is not supported.
Backup of VMs containing Cluster Shared Volumes(CSV) or Scale out File Server configuration is not
recommended as they require involving all VMs included in the cluster configuration during snapshot task.
Azure Backup doesn't support multi-VM consistency.
Backup data doesn't include network mounted drives attached to VM.
Replacing an existing virtual machine during restore is not supported. If you attempt to restore the VM when
the VM exists, the restore operation fails.
Cross-region backup and restore are not supported.
You can back up virtual machines in all public regions of Azure (see the checklist of supported regions). If the
region that you are looking for is unsupported today, it will not appear in the dropdown list during vault
creation.
Restoring a domain controller (DC) VM that is part of a multi-DC configuration is supported only through
PowerShell. Read more about restoring a multi-DC domain controller.
Restoring virtual machines that have the following special network configurations is supported only through
PowerShell. VMs created using the restore workflow in the UI will not have these network configurations after
the restore operation is complete. To learn more, see Restoring VMs with special network configurations.
Virtual machines under load balancer configuration (internal and external)
Virtual machines with multiple reserved IP addresses
Virtual machines with multiple network adapters
Create a recovery services vault for a VM

A recovery services vault is an entity that stores the backups and recovery points that have been created over time.
The recovery services vault also contains the backup policies associated with the protected virtual machines.
the list will filter based on your input. Click Recovery Services vault.
4. For Name, enter a friendly name to identify the vault. The name needs to be unique for the Azure subscription.
Type a name that contains between 2 and 50 characters. It must start with a letter, and can contain only letters,
numbers, and hyphens.
the default (or suggested) subscription. There will be multiple choices only if your organizational account is
7. Click Location to select the geographic region for the vault. The vault must be in the same region as the
virtual machines that you want to protect.
IMPORTANT
If you are unsure of the location in which your VM exists, close out of the vault creation dialog, and go to the list of
Virtual Machines in the portal. If you have virtual machines in multiple regions, you will need to create a Recovery
Services vault in each region. Create the vault in the first location before going to the next location. There is no need
to specify storage accounts to store the backup data--the Recovery Services vault and the Azure Backup service
handle this automatically.
8. Click Create. It can take a while for the Recovery Services vault to be created. Monitor the status
notifications in the upper right-hand area in the portal. Once your vault is created, it appears in the list of
Recovery Services vaults. If you don't see your vault, click Refresh to
Now that you've created your vault, learn how to set the storage replication.

storage. By default, your vault has geo-redundant storage. Leave the option set to geo-redundant storage if this is
your primary backup. Choose locally redundant storage if you want a cheaper option that isn't quite as durable.
1. On the Recovery Services vaults blade, select your vault. When you click your vault, the Settings blade
(which has the name of the vault at the top) and the vault details blade opens.
2. On the Settings blade, use the vertical slider to scroll down to the Manage section. Click Backup
Infrastructure to open its blade. In the General section click Backup Configuration to open its blade. On
the Backup Configuration blade, choose the storage replication option for your vault. By default, your
vault has geo-redundant storage. If you change the Storage replication type, click Save.
If you are using Azure as a primary backup storage endpoint, continue using geo-redundant storage. If you
are using Azure as a non-primary backup storage endpoint, then choose locally redundant storage. Read
more about geo-redundant and locally redundant storage options in the Azure Storage replication
overview. After choosing the storage option for your vault, you are ready to associate the VM with the vault.
To begin the association, you should discover and register the Azure virtual machines.
Select a backup goal, set policy and define items to protect

Before registering a VM with a vault, run the discovery process to ensure that any new virtual machines that have
been added to the subscription are identified. The process queries Azure for the list of virtual machines in the
subscription, along with additional information like the cloud service name and the region. In the Azure portal,
scenario refers to what you are going to put into the recovery services vault. Policy is the schedule for how often
and when recovery points are taken. Policy also includes the retention range for the recovery points.
1. If you already have a Recovery Services vault open, proceed to step 2. If you do not have a Recovery
Services vault open, then open the Azure portal and on the Hub menu, click More services.
As you begin typing, the list will filter based on your input. When you see Recovery Services
vaults, click it.
The list of Recovery Services vaults appears. If there are no vaults in your subscription, this list will
be empty.
From the list of Recovery Services vaults, select a vault to open its dashboard.
The Settings blade and the vault dashboard for the chosen vault, opens.
2. On the vault dashboard menu click Backup to open the Backup blade.
The Backup and Backup Goal blades open.
3. On the Backup Goal blade, set Where is your workload running to Azure and What do you want to
backup to Virtual machine, then click OK.
This registers the VM extension with the vault. The Backup Goal blade closes and the Backup policy blade
opens.
4. On the Backup policy blade, select the backup policy you want to apply to the vault.
The details of the default policy are listed under the drop-down menu. If you want to create a new policy,
select Create New from the drop-down menu. For instructions on defining a backup policy, see Defining a
backup policy. Click OK to associate the backup policy with the vault.
The Backup policy blade closes and the Select virtual machines blade opens.
5. In the Select virtual machines blade, choose the virtual machines to associate with the specified policy
and click OK.
The selected virtual machine is validated. If you do not see the virtual machines that you expected to see,
check that they exist in the same Azure location as the Recovery Services vault and are not already
protected in another vault. The location of the Recovery Services vault is shown on the vault dashboard.
6. Now that you have defined all settings for the vault, in the Backup blade click Enable Backup. This deploys
the policy to the vault and the VMs. This does not create the initial recovery point for the virtual machine.
After successfully enabling the backup, your backup policy will execute on schedule. If you would like to generate
an on-demand backup job to back up the virtual machines now, see Triggering the Backup job.
If you have problems registering the virtual machine, see the following information on installing the VM Agent
and on Network connectivity. You probably don't need the following information if you are protecting virtual
machines created in Azure. However if you migrated your virtual machines into Azure, then be sure you have
properly installed the VM agent and that your virtual machine can communicate with the virtual network.
Install the VM Agent on the virtual machine

The Azure VM Agent must be installed on the Azure virtual machine for the Backup extension to work. If your VM
was created from the Azure gallery, then the VM Agent is already present on the virtual machine. This information
is provided for the situations where you are not using a VM created from the Azure gallery - for example you
migrated a VM from an on-premises datacenter. In such a case, the VM Agent needs to be installed in order to
protect the virtual machine. Learn about the VM Agent.
If you have problems backing up the Azure VM, check that the Azure VM Agent is correctly installed on the virtual
machine (see the table below). The following table provides additional information about the VM Agent for
Windows and Linux VMs.
OPERATION WINDOWS LINUX
Installing the VM Agent Download and install the agent MSI. Install the latest Linux agent. You will
You will need Administrator privileges need Administrator privileges to
to complete the installation. complete the installation. We
recommend installing agent from your
distribution repository. We do not
recommend installing Linux VM agent
directly from github.
Updating the VM Agent Updating the VM Agent is as simple as Follow the instructions on updating the
reinstalling the VM Agent binaries. Linux VM Agent. We recommend
Ensure that no backup operation is updating agent from your distribution
running while the VM agent is being repository. We do not recommend
updated. updating Linux VM agent directly from
github.
Ensure that no backup operation is
running while the VM Agent is being
updated.
Validating the VM Agent installation Navigate to the N/A

C:\WindowsAzure\Packages folder in
the Azure VM.
You should find the
WaAppAgent.exe file present.
Right-click the file, go to Properties,
and then select the Details tab. The
Product Version field should be
2.6.1198.718 or higher.
Backup extension
Once the VM Agent is installed on the virtual machine, the Azure Backup service installs the backup extension to
the VM Agent. The Azure Backup service seamlessly upgrades and patches the backup extension.
The backup extension is installed by the Backup service whether or not the VM is running. A running VM provides
the greatest chance of getting an application-consistent recovery point. However, the Azure Backup service
continues to back up the VM even if it is turned off, and the extension could not be installed. This is known as
Offline VM. In this case, the recovery point will be crash consistent.
Network connectivity
In order to manage the VM snapshots, the backup extension needs connectivity to the Azure public IP addresses.
Without the right Internet connectivity, the virtual machine's HTTP requests time out and the backup operation
fails. If your deployment has access restrictions in place (through a network security group (NSG), for example),
then choose one of these options for providing a clear path for backup traffic:
Whitelist the Azure datacenter IP ranges - see the article for instructions on how to whitelist the IP addresses.
Deploy an HTTP proxy server for routing traffic.
When deciding which option to use, the trade-offs are between manageability, granular control, and cost.
OPTION ADVANTAGES DISADVANTAGES

Whitelist IP ranges No additional costs. Complex to manage as the impacted IP

ranges change over time.
For opening access in an NSG, use the
Set-AzureNetworkSecurityRule cmdlet. Provides access to the whole of Azure,
and not just Storage.
HTTP proxy Granular control in the proxy over the Additional costs for running a VM with
storage URLs allowed. the proxy software.
Single point of Internet access to VMs.
Not subject to Azure IP address
changes.
Whitelist the Azure datacenter IP ranges

To whitelist the Azure datacenter IP ranges, please see the Azure website for details on the IP ranges, and
instructions.
You can use service tags to allow connections to storage of the specific region using Service Tags. Make
sure that rule which allows access to storage account is having higher priority than rule blocking internet
access.
WARNING
Storage tags are available only in specific regions and are in preview. For list of regions, refer to Service tags for Storage
Using an HTTP proxy for VM backups

When backing up a VM, the backup extension on the VM sends the snapshot management commands to Azure
Storage using an HTTPS API. Route the backup extension traffic through the HTTP proxy since it is the only
component configured for access to the public Internet.
NOTE
There is no recommendation for the proxy software that should be used. Ensure that you pick a proxy that is compatible
with the configuration steps below.
The example image below shows the three configuration steps necessary to use an HTTP proxy:
App VM routes all HTTP traffic bound for the public Internet through Proxy VM.
Proxy VM allows incoming traffic from VMs in the virtual network.
The Network Security Group (NSG) named NSF-lockdown needs a security rule allowing outbound Internet
traffic from Proxy VM.
To use an HTTP proxy to communicating to the public Internet, follow these steps:
Step 1. Configure outgoing network connections
F o r W i n d o w s ma c h i n e s
This will setup proxy server configuration for Local System Account.
1. Download PsExec
2. Run following command from elevated prompt,
psexec -i -s "c:\Program Files\Internet Explorer\iexplore.exe"
It will open internet explorer window.

3. Go to Tools -> Internet Options -> Connections -> LAN settings.
4. Verify proxy settings for System account. Set Proxy IP and port.
5. Close Internet Explorer.
This will set up a machine-wide proxy configuration, and will be used for any outgoing HTTP/HTTPS traffic.
If you have setup a proxy server on a current user account(not a Local System Account), use the following script to
apply them to SYSTEMACCOUNT:
$obj = Get-ItemProperty -Path

Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
Set-ItemProperty -Path Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Connections" -Name DefaultConnectionSettings -Value $obj.DefaultConnectionSettings
Settings\Connections" -Name SavedLegacySettings -Value $obj.SavedLegacySettings
Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
Settings" -Name ProxyEnable -Value $obj.ProxyEnable
Settings" -Name Proxyserver -Value $obj.Proxyserver
NOTE
If you observe "(407) Proxy Authentication Required" in proxy server log, check your authentication is setup correctly.
F o r L i n u x ma c h i n e s
Add the following line to the /etc/environment file:
http_proxy=http://<proxy IP>:<proxy port>

Add the following lines to the /etc/waagent.conf file:
HttpProxy.Host=<proxy IP>
HttpProxy.Port=<proxy port>
Step 2. Allow incoming connections on the proxy server:

1. On the proxy server, open Windows Firewall. The easiest way to access the firewall is to search for
Windows Firewall with Advanced Security.
2. In the Windows Firewall dialog, right-click Inbound Rules and click New Rule....
3. In the New Inbound Rule Wizard, choose the Custom option for the Rule Type and click Next.
4. On the page to select the Program, choose All Programs and click Next.
5. On the Protocol and Ports page, enter the following information and click Next:
for Protocol type choose TCP
for Local port choose Specific Ports, in the field below specify the <Proxy Port> that has been
configured.
for Remote port select All Ports
For the rest of the wizard, click all the way to the end and give this rule a name.
Step 3. Add an exception rule to the NSG:
In an Azure PowerShell command prompt, enter the following command:
The following command adds an exception to the NSG. This exception allows TCP traffic from any port on 10.0.0.5
to any Internet address on port 80 (HTTP) or 443 (HTTPS). If you require a specific port in the public Internet, be
sure to add that port to the -DestinationPortRange as well.
Get-AzureNetworkSecurityGroup -Name "NSG-lockdown" |

Set-AzureNetworkSecurityRule -Name "allow-proxy " -Action Allow -Protocol TCP -Type Outbound -Priority 200 -
SourceAddressPrefix "10.0.0.5/32" -SourcePortRange "*" -DestinationAddressPrefix Internet -
DestinationPortRange "80-443"
These steps use specific names and values for this example. Please use the names and values for your deployment
when entering, or cutting and pasting details into your code.
Now that you know you have network connectivity, you are ready to back up your VM. See Back up Resource
Manager-deployed VMs.
Questions?
If you have questions, or if there is any feature that you would like to see included, send us feedback.
Next steps
Now that you have prepared your environment for backing up your VM, your next logical step is to create a
backup. The planning article provides more detailed information about backing up VMs.
Plan your VM backup infrastructure
Manage virtual machine backups
Application-consistent backup of Azure Linux VMs
(preview)
This article talks about the Linux pre-script and post-script framework, and how it can be used to take application-
consistent backups of Azure Linux VMs.
NOTE
The pre-script and post-script framework is supported only for Azure Resource Manager-deployed Linux virtual machines.
Scripts for application consistency are not supported for Service Manager-deployed virtual machines or Windows virtual
machines.
How the framework works

The framework provides an option to run custom pre-scripts and post-scripts while you're taking VM snapshots.
Pre-scripts are run just before you take the VM snapshot, and post-scripts are run immediately after you take the
VM snapshot. This gives you the flexibility to control your application and environment while you're taking VM
snapshots.
In this scenario, it's important to ensure application-consistent VM backup. The pre-script can invoke application-
native APIs to quiesce the IOs and flush in-memory content to the disk. This ensures that the snapshot is
application-consistent (that is, that the application comes up when the VM is booted post-restore). Post-script can
be used to thaw the IOs. It does this by using application-native APIs so that the application can resume normal
operations post-VM snapshot.
Steps to configure pre-script and post-script

1. Sign in as the root user to the Linux VM that you want to back up.
2. Download VMSnapshotScriptPluginConfig.json from GitHub, and then copy it to the /etc/azure folder
on all the VMs that you're going to back up. Create the /etc/azure directory if it doesn't exist already.
3. Copy the pre-script and post-script for your application on all the VMs that you plan to back up. You can
copy the scripts to any location on the VM. Be sure to update the full path of the script files in the
VMSnapshotScriptPluginConfig.json file.
4. Ensure the following permissions for these files:
VMSnapshotScriptPluginConfig.json: Permission 600. For example, only root user should have
read and write permissions to this file, and no user should have execute permissions.
Pre-script file: Permission 700. For example, only root user should have read, write, and
execute permissions to this file.
Post-script Permission 700. For example, only root user should have read, write, and execute
permissions to this file.
IMPORTANT
The framework gives users a lot of power. Its important that it's secure and that only root user has access to critical
JSON and script files. If the previous requirements aren't met, the script doesn't run. This results in file system/crash
consistent backup.
5. Configure VMSnapshotScriptPluginConfig.json as described here:

pluginName: Leave this field as is or your scripts might not work as expected.
preScriptLocation: Provide the full path of the pre-script on the VM that's going to be backed up.
postScriptLocation: Provide the full path of the post-script on the VM that's going to be backed up.
preScriptParams: Provide the optional parameters that need to be passed to the pre-script. All
parameters should be in quotes, and should be comma-separated if there are multiple parameters.
postScriptParams: Provide the optional parameters that need to be passed to the post-script. All
parameters should be in quotes, and should be comma-separated if there are multiple parameters.
preScriptNoOfRetries: Set the number of times the pre-script should be retried if there is any error
before terminating. Zero means only one try and no retry if there is a failure.
postScriptNoOfRetries: Set the number of times the post-script should be retried if there is any
error before terminating. Zero means only one try and no retry if there is a failure.
timeoutInSeconds: Specify individual timeouts for the pre-script and the post-script.
continueBackupOnFailure: Set this value to true if you want Azure Backup to fall back to a file
system consistent/crash consistent backup if pre-script or post-script fails. Setting this to false fails
the backup in case of script failure (except when you have single-disk VM that falls back to crash-
consistent backup regardless of this setting).
fsFreezeEnabled: Specify whether Linux fsfreeze should be called while you're taking the VM
snapshot to ensure file system consistency. We recommend keeping this setting set to true unless
your application has a dependency on disabling fsfreeze.
6. The script framework is now configured. If the VM backup is already configured, the next backup invokes the
scripts and triggers application-consistent backup. If the VM backup is not configured, configure it by using
Back up Azure virtual machines to Recovery Services vaults.
Troubleshooting
Make sure you add appropriate logging while writing your pre-script and post-script, and review your script logs to
fix any script issues. If you still have problems running scripts, refer to the following table for more information.
ERROR ERROR MESSAGE RECOMMENDED ACTION
Pre-ScriptExecutionFailed The pre-script returned an error, so Look at the failure logs for your script to
backup might not be application- fix the issue.
consistent.
Post-ScriptExecutionFailed The post-script returned an error that Look at the failure logs for your script to
might impact application state. fix the issue and check the application
state.
ERROR ERROR MESSAGE RECOMMENDED ACTION
Pre-ScriptNotFound The pre-script was not found at the Make sure that pre-script is present at
location that's specified in the the path that's specified in the config file
VMSnapshotScriptPluginConfig.json to ensure application-consistent backup.
config file.
Post-ScriptNotFound The post-script wasn't found at the Make sure that post-script is present at
location that's specified in the the path that's specified in the config file
VMSnapshotScriptPluginConfig.json to ensure application-consistent backup.
config file.
IncorrectPluginhostFile The Pluginhost file, which comes with Uninstall the VmSnapshotLinux
the VmSnapshotLinux extension, is extension, and it will automatically be
corrupted, so pre-script and post-script reinstalled with the next backup to fix
cannot run and the backup won't be the problem.
application-consistent.
IncorrectJSONConfigFile The Download the copy from GitHub and

VMSnapshotScriptPluginConfig.json configure it again.
file is incorrect, so pre-script and post-
script cannot run and the backup won't
be application-consistent.
InsufficientPermissionforPre-Script For running scripts, "root" user should Make sure root user is the owner of
be the owner of the file and the file the script file and that only "owner" has
should have 700 permissions (that is, read, write and execute
only "owner" should have read, write, permissions.
and execute permissions).
InsufficientPermissionforPost-Script For running scripts, root user should be Make sure root user is the owner of
the owner of the file and the file should the script file and that only "owner" has
have 700 permissions (that is, only read, write and execute
"owner" should have read, write, and permissions.
execute permissions).
Pre-ScriptTimeout The execution of the application- Check the script and increase the
consistent backup pre-script timed-out. timeout in the
VMSnapshotScriptPluginConfig.json
file that's located at /etc/azure.
Post-ScriptTimeout The execution of the application- Check the script and increase the
consistent backup post-script timed out. timeout in the
VMSnapshotScriptPluginConfig.json
file that's located at /etc/azure.
Next steps
Configure VM backup to a Recovery Services vault
Prepare your environment to back up Azure virtual
machines
Before you can back up an Azure virtual machine (VM), there are three conditions that must exist.
You need to create a backup vault or identify an existing backup vault in the same region as your VM.
Establish network connectivity between the Azure public Internet addresses and the Azure storage endpoints.
Install the VM agent on the VM.
If you know these conditions already exist in your environment then proceed to the Back up your VMs article.
Otherwise, read on, this article will lead you through the steps to prepare your environment to back up an Azure
VM.
Supported operating system for backup

machine and support for Python exists. However, we do not endorse those distributions for backup.
Limitations when backing up and restoring a VM

NOTE
Azure has two deployment models for creating and working with resources: Resource Manager and classic. The following list
provides the limitations when deploying in the classic model.
Backing up virtual machines with more than 16 data disks is not supported.
Backing up virtual machines with a reserved IP address and no defined endpoint is not supported.
Backup data doesn't include network mounted drives attached to VM.
Replacing an existing virtual machine during restore is not supported. First delete the existing virtual machine
and any associated disks, and then restore the data from backup.
Cross-region backup and restore is not supported.
Backing up virtual machines by using the Azure Backup service is supported in all public regions of Azure (see
the checklist of supported regions). If the region that you are looking for is unsupported today, it will not
appear in the dropdown list during vault creation.
Backing up virtual machines by using the Azure Backup service is supported only for select operating system
versions:
Restoring a domain controller (DC) VM that is part of a multi-DC configuration is supported only through
PowerShell. Read more about restoring a multi-DC domain controller.
Restoring virtual machines that have the following special network configurations is supported only through
PowerShell. VMs that you create by using the restore workflow in the UI will not have these network
configurations after the restore operation is complete. To learn more, see Restoring VMs with special network
configurations.
Virtual machines under load balancer configuration (internal and external)
Virtual machines with multiple reserved IP addresses
Virtual machines with multiple network adapters
Create a backup vault for a VM

A backup vault is an entity that stores all the backups and recovery points that have been created over time. The
backup vault also contains the backup policies that will be applied to the virtual machines being backed up.
IMPORTANT
Starting March 2017, you can no longer use the classic portal to create Backup vaults. Existing Backup vaults are still
supported, and it is possible to use Azure PowerShell to create Backup vaults. However, Microsoft recommends you create
Recovery Services vaults for all deployments because future enhancements apply to Recovery Services vaults, only.
This image shows the relationships between the various Azure Backup entities:
Network connectivity
In order to manage the VM snapshots, the backup extension needs connectivity to the Azure public IP addresses.
Without the right Internet connectivity, the virtual machine's HTTP requests time out and the backup operation
fails. If your deployment has access restrictions in place (through a network security group (NSG), for example),
then choose one of these options for providing a clear path for backup traffic:
Whitelist the Azure datacenter IP ranges - see the article for instructions on how to whitelist the IP addresses.
Deploy an HTTP proxy server for routing traffic.
When deciding which option to use, the trade-offs are between manageability, granular control, and cost.
Whitelist IP ranges No additional costs. Complex to manage as the impacted IP

ranges change over time.
For opening access in an NSG, use the
Set-AzureNetworkSecurityRule cmdlet. Provides access to the whole of Azure,
and not just Storage.
HTTP proxy Granular control in the proxy over the Additional costs for running a VM with
storage URLs allowed. To setup the proxy software.
granular control in the proxy,
https://*.blob.core.windows.net/* URL
Pattern needs to be whitelisted. To
whitelist only the storage account used
by the VM,
https://<storageAccount>.blob.core.win
dows.net/* URL pattern needs to be
whitelisted.
Single point of Internet access to VMs.
Not subject to Azure IP address
changes.
Whitelist the Azure datacenter IP ranges

To whitelist the Azure datacenter IP ranges, please see the Azure website for details on the IP ranges, and
instructions.
Using an HTTP proxy for VM backups
When backing up a VM, the backup extension on the VM sends the snapshot management commands to Azure
Storage using an HTTPS API. Route the backup extension traffic through the HTTP proxy since it is the only
component configured for access to the public Internet.
NOTE
There is no recommendation for the proxy software that should be used. Ensure that you pick a proxy that has outbound
stickiness and which is compatible with the configuration steps below. Make sure third party softwares do not modify the
proxy settings
The example image below shows the three configuration steps necessary to use an HTTP proxy:
App VM routes all HTTP traffic bound for the public Internet through Proxy VM.
Proxy VM allows incoming traffic from VMs in the virtual network.
The Network Security Group (NSG) named NSF-lockdown needs a security rule allowing outbound Internet
traffic from Proxy VM.
To use an HTTP proxy to communicating to the public Internet, follow these steps:
Step 1. Configure outgoing network connections
F o r W i n d o w s ma c h i n e s
This will setup proxy server configuration for Local System Account.
1. Download PsExec
2. Run following command from elevated prompt,
psexec -i -s "c:\Program Files\Internet Explorer\iexplore.exe"
It will open internet explorer window.

3. Go to Tools -> Internet Options -> Connections -> LAN settings.
4. Verify proxy settings for System account. Set Proxy IP and port.
This will set up a machine-wide proxy configuration, and will be used for any outgoing HTTP/HTTPS traffic.
If you have setup a proxy server on a current user account(not a Local System Account), use the following script to
apply them to SYSTEMACCOUNT:

Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
Settings\Connections" -Name DefaultConnectionSettings -Value $obj.DefaultConnectionSettings
Settings\Connections" -Name SavedLegacySettings -Value $obj.SavedLegacySettings
Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
Settings" -Name ProxyEnable -Value $obj.ProxyEnable
Settings" -Name Proxyserver -Value $obj.Proxyserver
NOTE
If you observe "(407)Proxy Authentication Required" in proxy server log, check your authentication is setup correctly.
F o r L i n u x ma c h i n e s
Add the following line to the /etc/environment file:
http_proxy=http://<proxy IP>:<proxy port>
Add the following lines to the /etc/waagent.conf file:
HttpProxy.Host=<proxy IP>
HttpProxy.Port=<proxy port>
Step 2. Allow incoming connections on the proxy server:

1. On the proxy server, open Windows Firewall. The easiest way to access the firewall is to search for Windows
Firewall with Advanced Security.
2. In the Windows Firewall dialog, right-click Inbound Rules and click New Rule....
3. In the New Inbound Rule Wizard, choose the Custom option for the Rule Type and click Next.
4. On the page to select the Program, choose All Programs and click Next.
5. On the Protocol and Ports page, enter the following information and click Next:
for Protocol type choose TCP

for Local port choose Specific Ports, in the field below specify the <Proxy Port> that has been
configured.
for Remote port select All Ports
For the rest of the wizard, click all the way to the end and give this rule a name.
Step 3. Add an exception rule to the NSG:
In an Azure PowerShell command prompt, enter the following command:
The following command adds an exception to the NSG. This exception allows TCP traffic from any port on 10.0.0.5
to any Internet address on port 80 (HTTP) or 443 (HTTPS). If you require a specific port in the public Internet, be
sure to add that port to the -DestinationPortRange as well.
Get-AzureNetworkSecurityGroup -Name "NSG-lockdown" |

Set-AzureNetworkSecurityRule -Name "allow-proxy " -Action Allow -Protocol TCP -Type Outbound -Priority 200 -
SourceAddressPrefix "10.0.0.5/32" -SourcePortRange "*" -DestinationAddressPrefix Internet -
DestinationPortRange "80-443"
Ensure that you replace the names in the example with the details appropriate to your deployment.
VM agent
Before you can back up the Azure virtual machine, you should ensure that the Azure VM agent is correctly installed
on the virtual machine. Since the VM agent is an optional component at the time that the virtual machine is
created, ensure that the check box for the VM agent is selected before the virtual machine is provisioned.
Manual installation and update
The VM agent is already present in VMs that are created from the Azure gallery. However, virtual machines that
are migrated from on-premises datacenters would not have the VM agent installed. For such VMs, the VM agent
needs to be installed explicitly.
OPERATION WINDOWS LINUX
Installing the VM Agent Download and install the agent MSI. Install the latest Linux agent. You will
You will need Administrator privileges need Administrator privileges to
to complete the installation. complete the installation. We
Update the VM property to indicate recommend installing agent from your
that the agent is installed. distribution repository. We do not
recommend installing Linux VM agent
directly from github.
Updating the VM Agent Updating the VM Agent is as simple as Follow the instructions on updating the
reinstalling the VM Agent binaries. Linux VM Agent. We recommend
Ensure that no backup operation is updating agent from your distribution
running while the VM agent is being repository. We do not recommend
updated. updating Linux VM agent directly from
github.
Ensure that no backup operation is
running while the VM Agent is being
updated.
Validating the VM Agent installation Navigate to the N/A

C:\WindowsAzure\Packages folder in
the Azure VM.
You should find the WaAppAgent.exe
file present.
Right-click the file, go to Properties,
and then select the Details tab. The
Product Version field should be
2.6.1198.718 or higher.
Learn about the VM agent and how to install it.

Backup extension
To back up the virtual machine, the Azure Backup service installs an extension to the VM agent. The Azure Backup
service seamlessly upgrades and patches the backup extension without additional user intervention.
The backup extension is installed if the VM is running. A running VM also provides the greatest chance of getting
an application-consistent recovery point. However, the Azure Backup service will continue to back up the VM--
even if it is turned off, and the extension could not be installed (aka Offline VM). In this case, the recovery point will
be crash consistent as discussed above.
Questions?
Next steps
Now that you have prepared your environment for backing up your VM, your next logical step is to create a
backup. The planning article provides more detailed information about backing up VMs.
Plan your VM backup infrastructure
Manage virtual machine backups
Plan your VM backup infrastructure in Azure
This article provides performance and resource suggestions to help you plan your VM backup infrastructure. It
also defines key aspects of the Backup service; these aspects can be critical in determining your architecture,
capacity planning, and scheduling. If you've prepared your environment, planning is the next step before you
begin to back up VMs. If you need more information about Azure virtual machines, see the Virtual Machines
documentation.
How does Azure back up virtual machines?

When the Azure Backup service initiates a backup job at the scheduled time, it triggers the backup extension to
take a point-in-time snapshot. The Azure Backup service uses the VMSnapshot extension in Windows, and the
VMSnapshotLinux extension in Linux. The extension is installed during the first VM backup. To install the extension,
the VM must be running. If the VM is not running, the Backup service takes a snapshot of the underlying storage
(since no application writes occur while the VM is stopped).
When taking a snapshot of Windows VMs, the Backup service coordinates with the Volume Shadow Copy Service
(VSS) to get a consistent snapshot of the virtual machine's disks. If you're backing up Linux VMs, you can write
your own custom scripts to ensure consistency when taking a VM snapshot. Details on invoking these scripts are
provided later in this article.
Once the Azure Backup service takes the snapshot, the data is transferred to the vault. To maximize efficiency, the
service identifies and transfers only the blocks of data that have changed since the previous backup.
NOTE
1. During the backup process, Azure Backup doesn't include the temporary disk attached to the virtual machine. For more
information, see the blog on temporary storage.
2. Since Azure Backup takes a storage-level snapshot and transfers that snapshot to vault, do not change the storage
account keys until the backup job finishes.
3. For premium VMs, we copy the snapshot to storage account. This is to make sure that Azure Backup service gets
sufficient IOPS for transferring data to vault. This additional copy of storage is charged as per the VM allocated size.
Data consistency
Backing up and restoring business critical data is complicated by the fact that business critical data must be backed
up while the applications that produce the data are running. To address this, Azure Backup supports application-
consistent backups for both Windows and Linux VMs
Windows VM
Azure Backup takes VSS full backups on Windows VMs (read more about VSS full backup). To enable VSS copy
backups, the following registry key needs to be set on the VM.
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\BCDRAGENT]
"USEVSSCOPYBACKUP"="TRUE"
Linux VMs
Azure Backup provides a scripting framework. To ensure application consistency when backing up Linux VMs,
create custom pre-scripts and post-scripts that control the backup workflow and environment. Azure Backup
invokes the pre-script before taking the VM snapshot and invokes the post-script once the VM snapshot job
completes. For more details, see application consistent VM backups using pre-script and post-script.
NOTE
Azure Backup only invokes the customer-written pre- and post-scripts. If the pre-script and post-scripts execute
successfully, Azure Backup marks the recovery point as application consistent. However, the customer is ultimately
responsible for the application consistency when using custom scripts.
This table explains the types of consistency and the conditions that they occur under during Azure VM backup and
restore procedures.
CONSISTENCY VSS-BASED EXPLANATION AND DETAILS

Application consistency Yes for Windows Application consistency is ideal for

workloads as it ensures that:
1. The VM boots up.
2. There is no corruption.
3. There is no data loss.
4. The data is consistent to the
application that uses the data,
by involving the application at
the time of backup--using VSS
or pre/post script.
Windows VMs- Most Microsoft
workloads have VSS writers that do
workload-specific actions related to
data consistency. For example,
Microsoft SQL Server has a VSS writer
that ensures that the writes to the
transaction log file and the database
are done correctly. For Azure Windows
VM backups, to create an application-
consistent recovery point, the backup
extension must invoke the VSS
workflow and complete it before taking
the VM snapshot. For the Azure VM
snapshot to be accurate, the VSS
writers of all Azure VM applications
must complete as well. (Learn the basics
of VSS and dive deep into the details of
how it works).
Linux VMs- Customers can execute
custom pre-script and post-script to
ensure application consistency.
File-system consistency Yes - for Windows-based computers There are two scenarios where the
recovery point can be file-system
consistent:
Backups of Linux VMs in Azure,
without pre-script/post-script or
if pre-script/post-script failed.
VSS failure during backup for
Windows VMs in Azure.
In both these cases, the best that can
be done is to ensure that:
1. The VM boots up.
2. There is no corruption.
3. There is no data loss.
Applications need to implement their
own "fix-up" mechanism on the
restored data.
Crash consistency No This situation is equivalent to a virtual

machine experiencing a "crash"
(through either a soft or hard reset).
Crash consistency typically happens
when the Azure virtual machine is shut
down at the time of backup. A crash-
consistent recovery point provides no
guarantees around the consistency of
the data on the storage medium--
either from the perspective of the
operating system or the application.
Only the data that already exists on the
disk at the time of backup is captured
and backed up.
While there are no guarantees, usually,

the operating system boots, followed
by disk-checking procedure, like chkdsk,
to fix any corruption errors. Any in-
memory data or writes that have not
been transferred to the disk are lost.
The application typically follows with its
own verification mechanism in case
data rollback needs to be done.
As an example, if the transaction log

has entries that are not present in the
database, then the database software
does a rollback until the data is
consistent. When data is spread across
multiple virtual disks (like spanned
volumes), a crash-consistent recovery
point provides no guarantees for the
correctness of the data.
Performance and resource utilization

Like backup software that is deployed on-premises, you should plan for capacity and resource utilization needs
when backing up VMs in Azure. The Azure Storage limits define how to structure VM deployments to get
maximum performance with minimum impact to running workloads.
Pay attention to the following Azure Storage limits when planning backup performance:
Max egress per storage account
Total request rate per storage account
Storage account limits
Backup data copied from a storage account, adds to the input/output operations per second (IOPS) and egress (or
throughput) metrics of the storage account. At the same time, virtual machines are also consuming IOPS and
throughput. The goal is to ensure Backup and virtual machine traffic don't exceed your storage account limits.
Number of disks
The backup process tries to complete a backup job as quickly as possible. In doing so, it consumes as many
resources as it can. However, all I/O operations are limited by the Target Throughput for Single Blob, which has a
limit of 60 MB per second. In an attempt to maximize its speed, the backup process tries to back up each of the
VM's disks in parallel. If a VM has four disks, the service attempts to back up all four disks in parallel. The number
of disks being backed up, is the most important factor in determining storage account backup traffic.
Backup schedule
An additional factor that impacts performance is the backup schedule. If you configure the policies so all VMs are
backed up at the same time, you have scheduled a traffic jam. The backup process attempts to back up all disks in
parallel. To reduce the backup traffic from a storage account, back up different VMs at different time of the day,
with no overlap.
Capacity planning
Putting the previous factors together, you need to plan for the storage account usage needs. Download the VM
backup capacity planning Excel spreadsheet to see the impact of your disk and backup schedule choices.
Backup throughput
For each disk being backed up, Azure Backup reads the blocks on the disk and stores only the changed data
(incremental backup). The following table shows the average Backup service throughput values. Using the
following data, you can estimate the amount of time needed to back up a disk of a given size.
BACKUP OPERATION BEST-CASE THROUGHPUT
Initial backup 160 Mbps
Incremental backup (DR) 640 Mbps
Throughput drops significantly if the changed data (that

needs to be backed up) is dispersed across the disk.
Total VM backup time

While most of the backup time is spent reading and copying data, other operations contribute to the total time
needed to back up a VM:
Time needed to install or update the backup extension.
Snapshot time, which is the time taken to trigger a snapshot. Snapshots are triggered close to the scheduled
backup time.
Queue wait time. Since the Backup service is processing backups from multiple customers, copying backup
data from snapshot to the backup or Recovery Services vault might not start immediately. In times of peak
load, the wait can stretch up to eight hours due to the number of backups being processed. However, the total
VM backup time is less than 24 hours for daily backup policies.
Data transfer time, time needed for backup service to compute the incremental changes from previous backup
and transfer those changes to vault storage.
Why am I observing longer(>12 hours) backup time?
Backup consists of two phases: taking snapshots and transferring the snapshots to the vault. The Backup service
optimizes for storage. When transferring the snapshot data to a vault, the service only transfers incremental
changes from the previous snapshot. To determine the incremental changes, the service computes the checksum
of the blocks. If a block is changed, the block is identified as a block to be sent to the vault. Then the service drills
further into each of the identified blocks, looking for opportunities to minimize the data to transfer. After
evaluating all changed blocks, the service coalesces the changes and sends them to the vault. In some legacy
applications, small, fragmented writes are not optimal for storage. If the snapshot contains many small,
fragmented writes, the service spends additional time processing the data written by the applications. The
recommended application write block from Azure, for applications running inside the VM, is a minimum of 8 KB. If
your application uses a block of less than 8 KB, backup performance is effected. For help with tuning your
application to improve backup performance, see Tuning applications for optimal performance with Azure storage.
Though the article on backup performance uses Premium storage examples, the guidance is applicable for
Standard storage disks.
Total restore time

A restore operation consists of two main sub tasks: Copying data back from the vault to the chosen customer
storage account, and creating the virtual machine. Copying data back from the vault depends on where the
backups are stored internally in Azure, and where the customer storage account is stored. Time taken to copy data
depends upon:
Queue wait time - Since the service processes restore jobs from multiple customers at the same time, restore
requests are put in a queue.
Data copy time - Data is copied from the vault to the customer storage account. Restore time depends on IOPS
and throughput Azure Backup service gets on the selected customer storage account. To reduce the copying
time during the restore process, select a storage account not loaded with other application writes and reads.
Best practices
We suggest following these practices while configuring backups for virtual machines:
Don't schedule more than 10 classic VMs from the same cloud service to back up at the same time. If you want
to back up multiple VMs from same cloud service, stagger the backup start times by an hour.
Do not schedule more than 40 VMs to back up at the same time.
Schedule VM backups during non-peak hours. This way the Backup service uses IOPS for transferring data
from the customer storage account to the vault.
Make sure that a policy is applied on VMs spread across different storage accounts. We suggest no more than
20 total disks from a single storage account be protected by the same backup schedule. If you have greater
than 20 disks in a storage account, spread those VMs across multiple policies to get the required IOPS during
the transfer phase of the backup process.
Do not restore a VM running on Premium storage to same storage account. If the restore operation process
coincides with the backup operation, it reduces the available IOPS for backup.
For Premium VM backup, ensure that storage account that hosts premium disks has atleast 50% free space for
staging snapshot for a successful backup.
Make sure that python version on Linux VMs enabled for backup is 2.7
Data encryption
Azure Backup does not encrypt data as a part of the backup process. However, you can encrypt data within the VM
and back up the protected data seamlessly (read more about backup of encrypted data).
Calculating the cost of protected instances

Azure virtual machines that are backed up through Azure Backup are subject to Azure Backup pricing. The
Protected Instances calculation is based on the actual size of the virtual machine, which is the sum of all the data in
the virtual machine--excluding the resource disk.
Pricing for backing up VMs is not based on the maximum supported size for each data disk attached to the virtual
machine. Pricing is based on the actual data stored in the data disk. Similarly, the backup storage bill is based on
the amount of data that is stored in Azure Backup, which is the sum of the actual data in each recovery point.
For example, take an A2 Standard-sized virtual machine that has two additional data disks with a maximum size of
1 TB each. The following table gives the actual data stored on each of these disks:
DISK TYPE MAX SIZE ACTUAL DATA PRESENT
Operating system disk 1023 GB 17 GB
Local disk / Resource disk 135 GB 5 GB (not included for backup)
Data disk 1 1023 GB 30 GB
Data disk 2 1023 GB 0 GB
The actual size of the virtual machine in this case is 17 GB + 30 GB + 0 GB = 47 GB. This Protected Instance size
(47 GB) becomes the basis for the monthly bill. As the amount of data in the virtual machine grows, the Protected
Instance size used for billing changes accordingly.
Billing does not start until the first successful backup completes. At this point, the billing for both Storage and
Protected Instances begins. Billing continues as long as there is any backup data stored in a vault for the virtual
machine. If you stop protection on the virtual machine, but virtual machine backup data exists in a vault, billing
continues.
Billing for a specified virtual machine stops only if the protection is stopped and all backup data is deleted. When
protection stops and there are no active backup jobs, the size of the last successful VM backup becomes the
Protected Instance size used for the monthly bill.
Questions?
Next steps
Manage virtual machine backup
Restore virtual machines
Troubleshoot VM backup issues
Back up Azure virtual machines to a Recovery
Services vault
This article details how to back up Azure VMs (both Resource Manager-deployed and Classic-deployed) to a
Recovery Services vault. Most of the work for backing up VMs is the preparation. Before you can back up or
protect a VM, you must complete the prerequisites to prepare your environment for protecting your VMs. Once
you have completed the prerequisites, then you can initiate the backup operation to take snapshots of your VM.
The Azure Backup service has two types of vaults - the Backup vault and the Recovery Services vault. The Backup
vault came first. Then the Recovery Services vault came along to support the expanded Resource Manager
deployments. Microsoft recommends using Resource Manager deployments unless you specifically require a
Classic deployment.
DEPLOYMENT PORTAL VAULT
Classic Classic Backup
Resource Manager Azure Recovery Services
NOTE
Backup vaults cannot protect Resource Manager-deployed solutions. However, you can use a Recovery Services vault to
protect classically-deployed servers and VMs.
For more information, see the articles on planning your VM backup infrastructure in Azure and Azure virtual
machines.
Triggering the backup job

The backup policy associated with the Recovery Services vault defines how often and when the backup operation
runs. By default, the first scheduled backup is the initial backup. Until the initial backup occurs, the Last Backup
Status on the Backup Jobs blade shows as Warning(initial backup pending).
Unless your initial backup is due to begin soon, it is recommended that you run Back up Now. The following
procedure starts from the vault dashboard. This procedure serves for running the initial backup job after you have
completed all prerequisites. If the initial backup job has already been run, this procedure is not available. The
associated backup policy determines the next backup job.
To run the initial backup job:
1. On the vault dashboard, click the number under Backup Items, or click the Backup Items tile.
The Backup Items blade opens.
2. On the Backup Items blade, select the item.

3. On the Backup Items list, click the ellipses ... to open the Context menu.
The Context menu appears.
4. On the Context menu, click Backup now.
The Backup Now blade opens.

5. On the Backup Now blade, click the calendar icon, use the calendar control to select the last day this
recovery point is retained, and click Backup.
Deployment notifications let you know the backup job has been triggered, and that you can monitor the
progress of the job on the Backup jobs page. Depending on the size of your VM, creating the initial backup
may take a while.
6. To view or track the status of the initial backup, on the vault dashboard, on the Backup Jobs tile click In
progress.
The Backup Jobs blade opens.
In the Backup jobs blade, you can see the status of all jobs. Check if the backup job for your VM is still in
progress, or if it has finished. When a backup job is finished, the status is Completed.
NOTE
As a part of the backup operation, the Azure Backup service issues a command to the backup extension in each VM
to flush all writes and take a consistent snapshot.
If you run into issues while backing up your virtual machine, see the VM troubleshooting article for help.
Next steps
Now that you have protected your VM, see the following articles to learn about VM management tasks, and how to
restore VMs.
Manage and monitor your virtual machines
Back up and restore encrypted virtual machines with
Azure Backup
This article talks about the steps to back up and restore virtual machines (VMs) by using Azure Backup. It also
provides details about supported scenarios, prerequisites, and troubleshooting steps for error cases.
Supported scenarios
Backup and restore of encrypted VMs is supported only for VMs that use the Azure Resource Manager
deployment model. It's not supported for VMs that use the classic deployment model.
Backup and restore of encrypted VMs is supported for both Windows and Linux VMs that use Azure Disk
Encryption. Disk Encryption uses the industry standard BitLocker feature of Windows and the dm-crypt
feature of Linux to provide encryption of disks.
The following table shows supported scenarios for BitLocker encryption key (BEK)-only and key encryption
key (KEK)-encrypted VMs:
BEK + KEK VMS BEK-ONLY VMS
Nonmanaged VMs Yes Yes
Managed VMs Yes Yes
Prerequisites
The VM was encrypted by using Azure Disk Encryption.
A Recovery Services vault was created and storage replication was set by following the steps in Prepare your
environment for backup.
Backup was given permissions to access a key vault containing keys and secrets for encrypted VMs.
Backup-encrypted VM
Use the following steps to set a backup goal, define a policy, configure items, and trigger a backup.
Configure backup
1. If you already have a Recovery Services vault open, proceed to the next step. If you don't have a Recovery
Services vault open but you're in the Azure portal, on the Hub menu, select Browse.
a. In the list of resources, type Recovery Services.
b. As you begin typing, the list filters based on your input. When you see Recovery Services vaults, select it.
c. The list of Recovery Services vaults appears. Select a vault from the list.
2. From the list of items that appears under the vault, select Backup to start backing up the encrypted VM.
3. On the Backup tile, select Backup goal.

4. Under Where is your workload running?, select Azure. Under What do you want to backup?, select
Virtual machine. Then select OK.
5. Under Choose backup policy, select the backup policy you want to apply to the vault. Then select OK.
The details of the default policy are listed. If you want to create a policy, select Create New from the drop-
down list. After you select OK, the backup policy is associated with the vault.
6. Choose the encrypted VMs to associate with the specified policy, and select OK.
7. This page shows a message about key vaults associated to the encrypted VMs you selected. Backup requires
read-only access to the keys and secrets in the key vault. It uses these permissions to back up the keys and
secrets, along with the associated VMs. You must provide permissions to the backup service to access the key
vault for backups to work. You can provide these permissions by following the steps mentioned in the
following section.
Now that you have defined all settings for the vault, select Enable Backup at the bottom of the page.
Enable Backup deploys the policy to the vault and the VMs.
8. The next phase in preparation is installing the VM Agent or making sure the VM Agent is installed. To do the
same, follow the steps in Prepare your environment for backup.
Trigger a backup job
Follow the steps in Backup Azure VMs to a Recovery Services vault to trigger a backup job.
Continue backups of already backed-up VMs with encryption enabled
If you have VMs already being backed up in a Recovery Services vault that are enabled for encryption later, you
must give permissions to Backup to access the key vault for backups to continue. You can provide these
permissions by following the steps in the following section. Or you can follow the PowerShell steps in the "Enable
backup" section of the PowerShell documentation.
Provide permissions to Backup

Use the following steps to provide relevant permissions to Backup to access the key vault and perform backup of
encrypted VMs.
1. Select More services, and search for Key vaults.
2. From the list of key vaults, select the key vault associated with the encrypted VM that needs to be backed up.
3. Select Access policies, and then select Add new.

4. Select Select principal, and then type Backup Management Service in the search box.
5. Select Backup Management Service, and then select Select.
6. Under Configure from template (optional), select Azure Backup. The required permissions are prefilled
for Key permissions and Secret permissions. If your VM is encrypted by using BEK only, permissions only
for secrets are required, so you must remove the selection for Key permissions.
7. Select OK. Notice that Backup Management Service gets added in Access policies.
8. Select Save to give the required permissions to Backup.
After permissions are successfully provided, you can proceed with enabling backup for encrypted VMs.
Restore an encrypted VM
To restore an encrypted VM, first restore disks by following the steps in the "Restore backed-up disks" section in
Choose a VM restore configuration. After that, you can use one of the following options:
Follow the PowerShell steps in Create a VM from restored disks to create a full VM from restored disks.
Or, use templates to customize a restored VM to create VMs from restored disks. Templates can be used only for
recovery points created after April 26, 2017.
Backup Backup doesn't have sufficient Backup should be provided these

permissions to the key vault for backup permissions by following the steps in
of encrypted VMs. the previous section. Or you can follow
the PowerShell steps in the "Enable
protection" section of the PowerShell
documentation at Use
AzureRM.RecoveryServices.Backup
cmdlets to back up virtual machines.
Restore You can't restore this encrypted VM Create a key vault by using Get started
because the key vault associated with with Azure Key Vault. See Restore a key
this VM doesn't exist. vault key and a secret by using Azure
Backup to restore a key and a secret if
they aren't present.
Restore You can't restore this encrypted VM See Restore a key vault key and a secret
because the key and the secret by using Azure Backup to restore a key
associated with this VM don't exist. and a secret if they aren't present.
Restore Backup doesn't have the authorization As mentioned previously, restore disks
to access resources in your subscription. first by following the steps in the
"Restore backed-up disks" section in
Choose a VM restore configuration.
After that, use PowerShell to create a
VM from restored disks.
Back up Azure virtual machines (classic portal)
This article provides the procedures for backing up a Classic-deployed Azure virtual machine (VM) to a Backup
vault. There are a few tasks you need to take care of before you can back up an Azure virtual machine. If you
haven't already done so, complete the prerequisites to prepare your environment for backing up your VMs.
For additional information, see the articles on planning your VM backup infrastructure in Azure and Azure virtual
machines.
NOTE
Azure has two deployment models for creating and working with resources: Resource Manager and Classic. A Backup vault
can only protect Classic-deployed VMs. You cannot protect Resource Manager-deployed VMs with a Backup vault. See
Back up VMs to Recovery Services vault for details on working with Recovery Services vaults.
Backing up Azure virtual machines involves three key steps:
NOTE
Backing up virtual machines is a local process. You cannot back up virtual machines in one region to a backup vault in
another region. So, you must create a backup vault in each Azure region, where there are VMs that will be backed up.
IMPORTANT
Starting March 2017, you can no longer use the classic portal to create Backup vaults. You can now upgrade your Backup
vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to a Recovery Services vault. Microsoft
encourages you to upgrade your Backup vaults to Recovery Services vaults.
Step 1 - Discover Azure virtual machines

To ensure any new virtual machines (VMs) added to the subscription are identified before registering, run the
discovery process. The process queries Azure for the list of virtual machines in the subscription, along with
additional information like the cloud service name and the region.
1. Sign in to the Classic portal
2. In the list of Azure services, click Recovery Services to open the list of Backup and Site Recovery vaults.
3. In the list of Backup vaults, select the vault to back up a VM.

If this is a new vault the portal opens to the Quick Start page.
If the vault has previously been configured, the portal opens to the most recently used menu.
4. From the vault menu (at the top of the page), click Registered Items.
5. From the Type menu, select Azure Virtual Machine.
6. Click DISCOVER at the bottom of the page.

The discovery process may take a few minutes while the virtual machines are being tabulated. There is a
notification at the bottom of the screen that lets you know that the process is running.
The notification changes when the process is complete. If the discovery process did not find the virtual
machines, first ensure the VMs exist. If the VMs exist, ensure the VMs are in the same region as the backup
vault. If the VMs exist and are in the same region, ensure the VMs are not already registered to a backup
vault. If a VM is assigned to a backup vault it is not available to be assigned to other backup vaults.
Once you have discovered the new items, go to Step 2 and register your VMs.
Step 2 - Register Azure virtual machines

You register an Azure virtual machine to associate it with the Azure Backup service. This is typically a one-time
activity.
1. Navigate to the backup vault under Recovery Services in the Azure portal, and then click Registered Items.
2. Select Azure Virtual Machine from the drop-down menu.
3. Click REGISTER at the bottom of the page.

4. In the Register Items shortcut menu, select the virtual machines that you want to register. If there are two
or more virtual machines with the same name, use the cloud service to distinguish between them.
TIP
Multiple virtual machines can be registered at one time.
A job is created for each virtual machine that you've selected.

5. Click View Job in the notification to go to the Jobs page.
The virtual machine also appears in the list of registered items, along with the status of the registration
operation.
When the operation completes, the status changes to reflect the registered state.
Step 3 - Protect Azure virtual machines

Now you can set up a backup and retention policy for the virtual machine. Multiple virtual machines can be
protected by using a single protect action.
Azure Backup vaults created after May 2015 come with a default policy built into the vault. This default policy
comes with a default retention of 30 days and a once-daily backup schedule.
1. Navigate to the backup vault under Recovery Services in the Azure portal, and then click Registered Items.
2. Select Azure Virtual Machine from the drop-down menu.
3. Click PROTECT at the bottom of the page.

The Protect Items wizard appears. The wizard only lists virtual machines that are registered and not
protected. Select the virtual machines that you want to protect.
If there are two or more virtual machines with the same name, use the cloud service to distinguish
between the virtual machines.
TIP
You can protect multiple virtual machines at one time.
4. Choose a backup schedule to back up the virtual machines that you've selected. You can pick from an
existing set of policies or define a new one.
Each backup policy can have multiple virtual machines associated with it. However, the virtual machine can
only be associated with one policy at any given point in time.
NOTE
A backup policy includes a retention scheme for the scheduled backups. If you select an existing backup policy, you
cannot modify the retention options in the next step.
5. Choose a retention range to associate with the backups.

Retention policy specifies the length of time for storing a backup. You can specify different retention
policies based on when the backup is taken. For example, a backup point taken daily (which serves as an
operational recovery point) might be preserved for 90 days. In comparison, a backup point taken at the
end of each quarter (for audit purposes) may need to be preserved for many months or years.
In this example image:

Daily retention policy: Backups taken daily are stored for 30 days.
Weekly retention policy: Backups taken every week on Sunday are preserved for 104 weeks.
Monthly retention policy: Backups taken on the last Sunday of each month are preserved for 120
months.
Yearly retention policy: Backups taken on the first Sunday of every January are preserved for 99
years.
A job is created to configure the protection policy and associate the virtual machines to that policy
for each virtual machine that you've selected.
6. To view the list of Configure Protection jobs, from the vaults menu, click Jobs and select Configure
Protection from the Operation filter.
Initial backup
Once the virtual machine is protected with a policy, it shows up under the Protected Items tab with the status of
Protected - (pending initial backup). By default, the first scheduled backup is the initial backup.
To trigger the initial backup immediately after configuring protection:
1. At the bottom of the Protected Items page, click Backup Now.
The Azure Backup service creates a backup job for the initial backup operation.
2. Click the Jobs tab to view the list of jobs.
NOTE
During the backup operation, the Azure Backup service issues a command to the backup extension in each virtual machine
to flush all write jobs and take a consistent snapshot.
When the initial backup finishes, the status of the virtual machine in the Protected Items tab is Protected.
Viewing backup status and details

Once protected, the virtual machine count also increases in the Dashboard page summary. The Dashboard
page also shows the number of jobs from the last 24 hours that were successful, have failed, and are in progress.
On the Jobs page, use the Status, Operation, or From and To menus to filter the jobs.
Values in the dashboard are refreshed once every 24 hours.
If you run into issues while backing up your virtual machine, look at the VM troubleshooting article for help.
Next steps
Manage and monitor your virtual machines
Manage Azure virtual machine backups
This article provides guidance on managing VM backups, and explains the backup alerts information available in
the portal dashboard. The guidance in this article applies to using VMs with Recovery Services vaults. This article
does not cover the creation of virtual machines, nor does it explain how to protect virtual machines. For a primer
on protecting Azure Resource Manager-deployed VMs in Azure with a Recovery Services vault, see First look:
Back up VMs to a Recovery Services vault.
Manage vaults and protected virtual machines

In the Azure portal, the Recovery Services vault dashboard provides access to information about the vault
including:
the most recent backup snapshot, which is also the latest restore point 
the backup policy 
total size of all backup snapshots 
number of virtual machines that are protected with the vault 
Many management tasks with a virtual machine backup begin with opening the vault in the dashboard. However,
because vaults can be used to protect multiple items (or multiple VMs), to view details about a particular VM,
open the vault item dashboard. The following procedure shows you how to open the vault dashboard and then
continue to the vault item dashboard. There are "tips" in both procedures that point out how to add the vault and
vault item to the Azure dashboard by using the Pin to dashboard command. Pin to dashboard is a way of
creating a shortcut to the vault or item. You can also execute common commands from the shortcut.
TIP
If you have multiple dashboards and blades open, use the dark-blue slider at the bottom of the window to slide the Azure
dashboard back and forth.
Open a Recovery Services vault in the dashboard:

the list filters based on your input. Click Recovery Services vault.
The list of Recovery Services vaults are displayed.
TIP
If you pin a vault to the Azure Dashboard, that vault is immediately accessible when you open the Azure portal. To
pin a vault to the dashboard, in the vault list, right-click the vault, and select Pin to dashboard.
3. From the list of vaults, select the vault to open its dashboard. When you select the vault, the vault
dashboard and the Settings blade open. In the following image, the Contoso-vault dashboard is
highlighted.
Open a vault item dashboard
In the previous procedure you opened the vault dashboard. To open the vault item dashboard:
1. In the vault dashboard, on the Backup Items tile, click Azure Virtual Machines.
The Backup Items blade lists the last backup job for each item. In this example, there is one virtual
machine, demovm-markgal, protected by this vault.
TIP
For ease of access, you can pin a vault item to the Azure Dashboard. To pin a vault item, in the vault item list,
right-click the item and select Pin to dashboard.
2. In the Backup Items blade, click the item to open the vault item dashboard.
The vault item dashboard and its Settings blade open.

From the vault item dashboard, you can accomplish many key management tasks, such as:
change policies or create a new backup policy 
view restore points, and see their consistency state 
on-demand backup of a virtual machine 
stop protecting virtual machines 
resume protection of a virtual machine 
delete a backup data (or recovery point) 
restore backup disks 
For the following procedures, the starting point is the vault item dashboard.
Manage backup policies

1. On the vault item dashboard, click All Settings to open the Settings blade.
2. On the Settings blade, click Backup policy to open that blade.

On the blade, the backup frequency and retention range details are shown.
3. From the Choose backup policy menu:
To change policies, select a different policy and click Save. The new policy is immediately applied to the
vault. 
To create a policy, select Create New.
For instructions on creating a backup policy, see Defining a backup policy.
Defining a backup policy

A backup policy defines a matrix of when the data snapshots are taken, and how long those snapshots are
retained. When defining a policy for backing up a VM, you can trigger a backup job once a day. When you create
a new policy, it is applied to the vault. The backup policy interface looks like this:
To create a policy:
1. Enter a name for the Policy name.
2. Snapshots of your data can be taken at Daily or Weekly intervals. Use the Backup Frequency drop-down
menu to choose whether data snapshots are taken Daily or Weekly.
If you choose a Daily interval, use the highlighted control to select the time of the day for the
snapshot. To change the hour, de-select the hour, and select the new hour.
If you choose a Weekly interval, use the highlighted controls to select the day(s) of the week, and
the time of day to take the snapshot. In the day menu, select one or multiple days. In the hour
menu, select one hour. To change the hour, de-select the selected hour, and select the new hour.
3. By default, all Retention Range options are selected. Uncheck any retention range limit you do not want
to use. Then, specify the interval(s) to use.
Monthly and Yearly retention ranges allow you to specify the snapshots based on a weekly or daily
increment.
NOTE
When protecting a VM, a backup job runs once a day. The time when the backup runs is the same for each
retention range.
4. After setting all options for the policy, at the top of the blade click Save.
The new policy is immediately applied to the vault.
NOTE
While managing backup policies, make sure to follow the best practices for optimal backup performance
On-demand backup of a virtual machine

You can take an on-demand backup of a virtual machine once it is configured for protection. If the initial backup
is pending, on-demand backup creates a full copy of the virtual machine in the Recovery Services vault. If the
initial backup is completed, an on-demand backup will only send changes from the previous snapshot, to the
Recovery Services vault. That is, subsequent backups are always incremental.
NOTE
The retention range for an on-demand backup is the retention value specified for the Daily backup point in the policy. If no
Daily backup point is selected, then the weekly backup point is used.
To trigger an on-demand backup of a virtual machine:

On the vault item dashboard, click Backup now.
The portal makes sure that you want to start an on-demand backup job. Click Yes to start the backup job.
The backup job creates a recovery point. The retention range of the recovery point is the same as retention
range specified in the policy associated with the virtual machine. To track the progress for the job, in the
vault dashboard, click the Backup Jobs tile.
Stop protecting virtual machines

If you choose to stop protecting a virtual machine, you are asked if you want to retain the recovery points. There
are two ways to stop protecting virtual machines:
stop all future backup jobs and delete all recovery points, or
stop all future backup jobs but leave the recovery points
There is a cost associated with leaving the recovery points in storage. However, the benefit of leaving the
recovery points is you can restore the virtual machine later, if desired. For information about the cost of leaving
the recovery points, see the pricing details. If you choose to delete all recovery points, you cannot restore the
virtual machine.
To stop protection for a virtual machine:
1. On the vault item dashboard, click Stop backup.
The Stop Backup blade opens.
2. On the Stop Backup blade, choose whether to retain or delete the backup data. The information box
provides details about your choice.
3. If you chose to retain the backup data, skip to step 4. If you chose to delete backup data, confirm that you
want to stop the backup jobs and delete the recovery points - type the name of the item.
If you aren't sure of the item name, hover over the exclamation mark to view the name. Also, the name of
the item is under Stop Backup at the top of the blade.
4. Optionally provide a Reason or Comment.
5. To stop the backup job for the current item, click
A notification message lets you know the backup jobs have been stopped.
Resume protection of a virtual machine

If the Retain Backup Data option was chosen when protection for the virtual machine was stopped, then it is
possible to resume protection. If the Delete Backup Data option was chosen, then protection for the virtual
machine cannot resume.
To resume protection for the virtual machine
1. On the vault item dashboard, click Resume backup.
The Backup Policy blade opens.
NOTE
When re-protecting the virtual machine, you can choose a different policy than the policy with which virtual
machine was protected initially.
2. Follow the steps in Manage backup policies to assign the policy for the virtual machine.
Once the backup policy is applied to the virtual machine, you see the following message.
Delete Backup data

You can delete the backup data associated with a virtual machine during the Stop backup job, or anytime after
the backup job has completed. It may even be beneficial to wait days or weeks before deleting the recovery
points. Unlike restoring recovery points, when deleting backup data, you cannot choose specific recovery points
to delete. If you choose to delete your backup data, you delete all recovery points associated with the item.
The following procedure assumes the Backup job for the virtual machine has been stopped or disabled. Once the
Backup job is disabled, the Resume backup and Delete backup options are available in the vault item
dashboard.
To delete backup data on a virtual machine with the Backup disabled:

1. On the vault item dashboard, click Delete backup.
The Delete Backup Data blade opens.

2. Type the name of the item to confirm you want to delete the recovery points.
If you aren't sure of the item name, hover over the exclamation mark to view the name. Also, the name of
the item is under Delete Backup Data at the top of the blade.
3. Optionally provide a Reason or Comment.
4. To delete the backup data for the current item, click
A notification message lets you know the backup data has been deleted.
Next steps
For information on re-creating a virtual machine from a recovery point, check out Restore Azure VMs. If you need
information on protecting your virtual machines, see First look: Back up VMs to a Recovery Services vault. For
information on monitoring events, see Monitor alerts for Azure virtual machine backups.
Monitor alerts for Azure virtual machine backups
Alerts are responses from the service that an event threshold has been met or surpassed. Knowing when problems
start can be critical to keeping business costs down. Alerts typically do not occur on a schedule, and so it is helpful
to know as soon as possible after alerts occur. For example, when a backup or restore job fails, an alert occurs
within five minutes of the failure. In the vault dashboard, the Backup Alerts tile displays Critical and Warning-level
events. In the Backup Alerts settings, you can view all events. But what do you do if an alert occurs when you are
working on a separate issue? If you don't know when the alert happens, it could be a minor inconvenience, or it
could compromise data. To make sure the correct people are aware of an alert - when it occurs, configure the
service to send alert notifications via email. For details on setting up email notifications, see Configure notifications.
How do I find information about the alerts?

To view information about the event that threw an alert, you must open the Backup Alerts blade. There are two
ways to open the Backup Alerts blade: either from the Backup Alerts tile in the vault dashboard, or from the Alerts
and Events blade.
To open the Backup Alerts blade from Backup Alerts tile:
On the Backup Alerts tile on the vault dashboard, click Critical or Warning to view the operational events
for that severity level.
To open the Backup Alerts blade from the Alerts and Events blade:
1. From the vault dashboard, click All Settings.

2. On the Settings blade, click Alerts and Events.
3. On the Alerts and Events blade, click Backup Alerts.
The Backup Alerts blade opens and displays the filtered alerts.
4. To view detailed information about a particular alert, from the list of events, click the alert to open its Details
blade.
To customize the attributes displayed in the list, see View additional event attributes
Configure notifications
You can configure the service to send email notifications for the alerts that occurred over the past hour, or when
particular types of events occur.
To set up email notifications for alerts
1. On the Backup Alerts menu, click Configure notifications
The Configure notifications blade opens.

2. On the Configure notifications blade, for Email notifications, click On.
The Recipients and Severity dialogs have a star next to them because that information is required. Provide at
least one email address, and select at least one Severity.
3. In the Recipients (Email) dialog, type the email addresses for who receive the notifications. Use the format:
username@domainname.com. Separate multiple email addresses with a semicolon (;).
4. In the Notify area, choose Per Alert to send notification when the specified alert occurs, or Hourly Digest to
send a summary for the past hour.
5. In the Severity dialog, choose one or more levels that you want to trigger email notification.
6. Click Save.
What alert types are available for Azure IaaS VM backup?
ALERT LEVEL ALERTS SENT
Critical Backup failure, recovery failure
Warning None
Informational None
Are there situations where email isn't sent even if notifications are configured?
There are situations where an alert is not sent, even though the notifications have been properly configured. In the
following situations email notifications are not sent to avoid alert noise:
If notifications are configured to Hourly Digest, and an alert is raised and resolved within the hour.
The job is canceled.
A backup job is triggered and then fails, and another backup job is in progress.
A scheduled backup job for a Resource Manager-enabled VM starts, but the VM no longer exists.
Customize your view of events

The Audit logs setting comes with a pre-defined set of filters and columns showing operational event information.
You can customize the view so that when the Events blade opens, it shows you the information you want.
1. In the vault dashboard, browse to and click Audit Logs to open the Events blade.
The Events blade opens to the operational events filtered just for the current vault.
The blade shows the list of Critical, Error, Warning, and Informational events that occurred in the past week.
The time span is a default value set in the Filter. The Events blade also shows a bar chart tracking when the
events occurred. If you don't want to see the bar chart, in the Events menu, click Hide chart to toggle off the
chart. The default view of Events shows Operation, Level, Status, Resource, and Time information. For
information about exposing additional Event attributes, see the section expanding Event information.
2. For additional information on an operational event, in the Operation column, click an operational event to
open its blade. The blade contains detailed information about the events. Events are grouped by their
correlation ID and a list of the events that occurred in the Time span.
3. To view detailed information about a particular event, from the list of events, click the event to open its
Details blade.
The Event-level information is as detailed as the information gets. If you prefer seeing this much information
about each event, and would like to add this much detail to the Events blade, see the section expanding
Event information.
Customize the event filter

Use the Filter to adjust or choose the information that appears in a particular blade. To filter the event information:
1. In the vault dashboard, browse to and click Audit Logs to open the Events blade.
The Events blade opens to the operational events filtered just for the current vault.
2. On the Events menu, click Filter to open that blade.
3. On the Filter blade, adjust the Level, Time span, and Caller filters. The other filters are not available since
they were set to provide the current information for the Recovery Services vault.
You can specify the Level of event: Critical, Error, Warning, or Informational. You can choose any
combination of event Levels, but you must have at least one Level selected. Toggle the Level on or off. The
Time span filter allows you to specify the length of time for capturing events. If you use a custom Time
span, you can set the start and end times.
4. Once you are ready to query the operations logs using your filter, click Update. The results display in the
Events blade.
View additional event attributes
Using the Columns button, you can enable additional event attributes to appear in the list on the Events blade. The
default list of events displays information for Operation, Level, Status, Resource, and Time. To enable additional
attributes:
1. On the Events blade, click Columns.
The Choose columns blade opens.

2. To select the attribute, click the checkbox. The attribute checkbox toggles on and off.
3. Click Reset to reset the list of attributes in the Events blade. After adding or removing attributes from the list,
use Reset to view the new list of Event attributes.
4. Click Update to update the data in the Event attributes. The following table provides information about each
attribute.
COLUMN NAME DESCRIPTION
Operation The name of the operation
Level The level of the operation, values can be: Informational,

Warning, Error, or Critical
Status Descriptive state of the operation
Resource URL that identifies the resource; also known as the resource ID
Time Time, measured from the current time, when the event
occurred
Caller Who or what called or triggered the event; can be the system,
or a user
Timestamp The time when the event was triggered
Resource Group The associated resource group
Resource Type The internal resource type used by Resource Manager
Subscription ID The associated subscription ID

COLUMN NAME DESCRIPTION
Category Category of the event
Correlation ID Common ID for related events
Use PowerShell to customize alerts

You can get custom alert notifications for the jobs in the portal. To get these jobs, define PowerShell-based alert
rules on the operational logs events. Use PowerShell version 1.3.0 or later.
To define a custom notification to alert for backup failures, use a command like the following script:
PS C:\> $actionEmail = New-AzureRmAlertRuleEmail -CustomEmail contoso@microsoft.com

PS C:\> Add-AzureRmLogAlertRule -Name backupFailedAlert -Location "East US" -ResourceGroup RecoveryServices-
DP2RCXUGWS3MLJF4LKPI3A3OMJ2DI4SRJK6HIJH22HFIHZVVELRQ-East-US -OperationName
Microsoft.RecoveryServices/recoveryServicesVault/Backup -Status Failed -TargetResourceId
/subscriptions/86eeac34-eth9a-4de3-84db-7a27d121967e/resourceGroups/RecoveryServices-
DP2RCXUGWS3MLJF4LKPI3A3OMJ2DI4SRJK6HIJH22HFIHZVVELRQ-East-
US/providers/Microsoft.RecoveryServices/vaults/trinadhVault -Actions $actionEmail
ResourceId : You can get ResourceId from the Audit logs. The ResourceId is a URL provided in the Resource
column of the Operation logs.
OperationName : OperationName is in the format
"Microsoft.RecoveryServices/recoveryServicesVault/EventName" where EventName can be:
Register
Unregister
ConfigureProtection
Backup
Restore
StopProtection
DeleteBackupData
CreateProtectionPolicy
DeleteProtectionPolicy
UpdateProtectionPolicy
Status : Supported values are Started, Succeeded, or Failed.
ResourceGroup : This is the Resource Group to which the resource belongs. You can add the Resource Group
column to the generated logs. Resource Group is one of the available types of event information.
Name : Name of the Alert Rule.
CustomEmail : Specify the custom email address to which you want to send an alert notification
SendToServiceOwners : This option sends alert notifications to all administrators and co-administrators of the
subscription. It can be used in New-AzureRmAlertRuleEmail cmdlet
Limitations on Alerts
Event-based alerts are subject to the following limitations:
1. Alerts are triggered on all virtual machines in the Recovery Services vault. You cannot customize the alert for a
subset of virtual machines in a Recovery Services vault.
2. This feature is in Preview. Learn more
3. Alerts are sent from "alerts-noreply@mail.windowsazure.com". Currently you can't modify the email sender.
Next steps
Event logs enable great post-mortem and audit support for the backup operations. The following operations are
logged:
Register
Unregister
Configure protection
Backup (Both scheduled as well as on-demand backup)
Restore
Stop protection
Delete backup data
Add policy
Delete policy
Update policy
Cancel job
For a broad explanation of events, operations, and audit logs across the Azure services, see the article, View events
and audit logs.
For information on re-creating a virtual machine from a recovery point, check out Restore Azure VMs. If you need
information on protecting your virtual machines, see First look: Back up VMs to a Recovery Services vault. Learn
about the management tasks for VM backups in the article, Manage Azure virtual machine backups.
Manage common Azure Backup jobs and trigger
alerts in the classic portal
This article provides information about common management and monitoring tasks for Classic-model virtual
machines protected in Azure.
NOTE
Azure has two deployment models for creating and working with resources: Resource Manager and Classic. See Prepare your
environment to back up Azure virtual machines for details on working with Classic deployment model VMs.
IMPORTANT
Starting March 2017, you can no longer use the classic portal to create Backup vaults.
Manage protected virtual machines

To manage protected virtual machines:
1. To view and manage backup settings for a virtual machine click the Protected Items tab.
2. Click on the name of a protected item to see the Backup Details tab, which shows you information about
the last backup.
3. To view and manage backup policy settings for a virtual machine click the Policies tab.
The Backup Policies tab shows you the existing policy. You can modify as needed. If you need to create a
new policy click Create on the Policies page. Note that if you want to remove a policy it shouldn't have any
virtual machines associated with it.
4. You can get more information about actions or status for a virtual machine on the Jobs page. Click a job in
the list to get more details, or filter jobs for a specific virtual machine.
On-demand backup of a virtual machine

You can take an on-demand backup of a virtual machine once it is configured for protection. If the initial backup is
pending for the virtual machine, on-demand backup will create a full copy of the virtual machine in Azure backup
vault. If first backup is completed, on-demand backup will only send changes from previous backup to Azure
backup vault i.e. it is always incremental.
NOTE
Retention range of an on-demand backup is set to retention value specified for Daily retention in backup policy
corresponding to the VM.
To take an on-demand backup of a virtual machine:

1. Navigate to the Protected Items page and select Azure Virtual Machine as Type (if not already selected)
and click on Select button.
2. Select the virtual machine on which you want to take an on-demand backup and click on Backup Now
button at the bottom of the page.
This will create a backup job on the selected virtual machine. Retention range of recovery point created
through this job will be same as that specified in the policy associated with the virtual machine.
NOTE
To view the policy associated with a virtual machine, drill down into virtual machine in the Protected Items page and
go to backup policy tab.
3. Once the job is created, you can click on View job button in the toast bar to see the corresponding job in the
jobs page.
4. After successful completion of the job, a recovery point will be created which you can use to restore the virtual
machine. This will also increment the recovery point column value by 1 in Protected Items page.
Stop protecting virtual machines

You can choose to stop the future backups of a virtual machine with the following options:
Retain backup data associated with virtual machine in Azure Backup vault
Delete backup data associated with virtual machine
If you have selected to retain backup data associated with virtual machine, you can use the backup data to restore
the virtual machine. For pricing details for such virtual machines, click here.
To Stop protection for a virtual machine:
1. Navigate to Protected Items page and select Azure virtual machine as the filter type (if not already
selected) and click on Select button.
2. Select the virtual machine and click on Stop Protection at the bottom of the page.
3. By default, Azure Backup doesnt delete the backup data associated with the virtual machine.
If you want to delete backup data, select the check box.
Please select a reason for stopping the backup. While this is optional, providing a reason will help Azure
Backup to work on the feedback and prioritize the customer scenarios.
4. Click on Submit button to submit the Stop protection job. Click on View Job to see the corresponding the
job in Jobs page.
If you have not selected Delete associated backup data option during Stop Protection wizard, then post
job completion, protection status changes to Protection Stopped. The data remains with Azure Backup
until it is explicitly deleted. You can always delete the data by selecting the virtual machine in the Protected
Items page and clicking Delete.
If you have selected the Delete associated backup data option, the virtual machine wont be part of the
Protected Items page.
Re-protect Virtual machine

If you have not selected the Delete associate backup data option in Stop Protection, you can re-protect the
virtual machine by following the steps similar to backing up registered virtual machines. Once protected, this
virtual machine will have backup data retained prior to stop protection and recovery points created after re-protect.
After re-protect, the virtual machines protection status will be changed to Protected if there are recovery points
prior to Stop Protection.
NOTE
When re-protecting the virtual machine, you can choose a different policy than the policy with which virtual machine was
protected initially.
Unregister virtual machines

If you want to remove the virtual machine from the backup vault:
1. Click on the UNREGISTER button at the bottom of the page.
A toast notification will appear at the bottom of the screen requesting confirmation. Click YES to continue.
Delete Backup data

You can delete the backup data associated with a virtual machine, either:
During Stop Protection Job
After a stop protection job is completed on a virtual machine
To delete backup data on a virtual machine, which is in the Protection Stopped state post successful completion of a
Stop Backup job:
1. Navigate to the Protected Items page and select Azure Virtual Machine as type and click the Select
button.
2. Select the virtual machine. The virtual machine will be in Protection Stopped state.
3. Click the DELETE button at the bottom of the page.
4. In the Delete backup data wizard, select a reason for deleting backup data (highly recommended) and click
Submit.
5. This will create a job to delete backup data of selected virtual machine. Click View job to see corresponding
job in Jobs page.
Once the job is completed, the entry corresponding to the virtual machine will be removed from Protected
items page.
Dashboard
On the Dashboard page you can review information about Azure virtual machines, their storage, and jobs
associated with them in the last 24 hours. You can view backup status and any associated backup errors.
NOTE
Values in the dashboard are refreshed once every 24 hours.
Auditing Operations
Azure backup provides review of the "operation logs" of backup operations triggered by the customer making it
easy to see exactly what management operations were performed on the backup vault. Operations logs enable
great post-mortem and audit support for the backup operations.
The following operations are logged in Operation logs:
Register
Unregister
Configure protection
Backup ( Both scheduled as well as on-demand backup through BackupNow)
Restore
Stop protection
Delete backup data
Add policy
Delete policy
Update policy
Cancel job
To view operation logs corresponding to a backup vault:
1. Navigate to Management services in Azure portal, and then click the Operation Logs tab.
2. In the filters, select Backup as Type and specify the backup vault name in service name and click on Submit.
3. In the operations logs, select any operation and click Details to see details corresponding to an operation.
The Details wizard contains information about the operation triggered, job Id, resource on which this
operation is triggered, and start time of the operation.
Alert notifications
You can get custom alert notifications for the jobs in portal. This is achieved by defining PowerShell-based alert
rules on operational logs events. We recommend using PowerShell version 1.3.0 or above.
To define a custom notification to alert for backup failures, a sample command will look like:
PS C:\> $actionEmail = New-AzureRmAlertRuleEmail -CustomEmail contoso@microsoft.com

PS C:\> Add-AzureRmLogAlertRule -Name backupFailedAlert -Location "East US" -ResourceGroup RecoveryServices-
DP2RCXUGWS3MLJF4LKPI3A3OMJ2DI4SRJK6HIJH22HFIHZVVELRQ-East-US -OperationName Microsoft.Backup/backupVault/Backup
-Status Failed -TargetResourceId /subscriptions/86eeac34-eth9a-4de3-84db-
7a27d121967e/resourceGroups/RecoveryServices-DP2RCXUGWS3MLJF4LKPI3A3OMJ2DI4SRJK6HIJH22HFIHZVVELRQ-East-
US/providers/microsoft.backupbvtd2/BackupVault/trinadhVault -Actions $actionEmail
ResourceId: You can get this from Operations Logs popup as described in above section. ResourceUri in details
popup window of an operation is the ResourceId to be supplied for this cmdlet.
OperationName: This will be of the format "Microsoft.Backup/backupvault/" where EventName is one of
Register,Unregister,ConfigureProtection,Backup,Restore,StopProtection,DeleteBackupData,CreateProtectionPolicy,D
eleteProtectionPolicy,UpdateProtectionPolicy
Status: Supported values are- Started, Succeeded and Failed.
ResourceGroup:ResourceGroup of the resource on which operation is triggered. You can obtain this from
ResourceId value. Value between fields /resourceGroups/ and /providers/ in ResourceId value is the value for
ResourceGroup.
Name: Name of the Alert Rule.
CustomEmail: Specify the custom email address to which you want to send alert notification
SendToServiceOwners: This option sends alert notification to all administrators and co-administrators of the
subscription. It can be used in New-AzureRmAlertRuleEmail cmdlet
Limitations on Alerts
Event-based alerts are subjected to the following limitations:
1. Alerts are triggered on all virtual machines in the backup vault. You cannot customize it to get alerts for specific
set of virtual machines in a backup vault.
2. This feature is in Preview. Learn more
3. You will receive alerts from "alerts-noreply@mail.windowsazure.com". Currently you can't modify the email
sender.
Next steps
Restore Azure VMs
Recover files from Azure virtual machine backup
Azure Backup provides the capability to restore Azure virtual machines (VMs) and disks from Azure VM backups,
also known as restore points. This article explains how to recover files and folders from an Azure VM backup.
Restoring files and folders is available only for Azure VMs deployed using the Resource Manager model and
protected to a Recovery services vault.
NOTE
File recovery from an encrypted VM backup is not supported.
Mount the volume and copy files

To restore files or folders from the restore point, go to the virtual machine and choose to the restore point.
1. Sign into the Azure portal and in the left-hand menu, click Virtual machines. From the list of virtual
machines, select the virtual machine to open that virtual machine's dashboard.
2. In the virtual machine's menu, click Backup to open the Backup dashboard.
3. In the Backup dashboard menu, click File Recovery to open its menu.
4. From the Select recovery point drop-down menu, select the recovery point that contains the files you
want. By default, the latest recovery point is already selected.
5. To download the software used to copy files from the recovery point, click Download Executable (for
Windows Azure VM) or Download Script (for Linux Azure VM).
Azure downloads the executable or script to the local computer.
To run the executable or script as an administrator, it is suggested you save the download to your computer.
6. The executable or script is password protected, and requires a password. In the File Recovery menu, click
the copy button to load the password into memory.
7. From the download location (usually the Downloads folder), right-click the executable or script and run it
with Administrator credentials. When prompted, type the password or paste the password from memory,
and press Enter. Once the valid password is entered, the script connects to the recovery point.
If you run the script on a computer with restricted access, ensure there is access to:
download.microsoft.com
Azure endpoints used for Azure VM backups
outbound port 3260
For Linux, the script requires 'open-iscsi' and 'lshw' components to connect to the recovery point. If the
components do not exist on the computer where the script is run, the script asks for permission to install the
components. Provide consent to install the necessary components.
You can run the script on any machine that has the same (or compatible) operating system as the backed-up
VM. See the Compatible OS table for compatible operating systems. If the protected Azure virtual machine
uses Windows Storage Spaces (for Windows Azure VMs) or LVM/RAID Arrays(for Linux VMs), you can't run
the executable or script on the same virtual machine. Instead, run the executable or script on any other
machine with a compatible operating system.
Compatible OS
For Windows
The following table shows the compatibility between server and computer operating systems. When recovering
files, you can't restore files to a previous or future operating system version. For example, you can't restore a file
from a Windows Server 2016 VM to Windows Server 2012 or Windows 8 computer. You can restore files from a
VM to the same server operating system, or to the compatible client operating system.
SERVER OS COMPATIBLE CLIENT OS
Windows Server 2016 Windows 10
Windows Server 2012 R2 Windows 8.1
Windows Server 2012 Windows 8
Windows Server 2008 R2 Windows 7

For Linux
In Linux, the OS of the computer used to restore files must support the file system of the protected virtual machine.
When selecting a computer to run the script, ensure the computer has a compatible OS, and uses one of the
versions identified in the following table:
LINUX OS VERSIONS
Ubuntu 12.04 and above
CentOS 6.5 and above
RHEL 6.7 and above
Debian 7 and above
Oracle Linux 6.4 and above
The script also requires Python and bash components to execute and connect securely to the recovery point.
COMPONENT VERSION
bash 4 and above
python 2.6.6 and above
Identifying Volumes
For Windows
When you run the executable, the operating system mounts the new volumes and assigns drive letters. You can use
Windows Explorer or File Explorer to browse those drives. The drive letters assigned to the volumes may not be the
same letters as the original virtual machine, however, the volume name is preserved. For example, if the volume on
the original virtual machine was Data Disk (E: \ ), that volume can be attached on the local computer as Data
Disk ('Any letter': \ ). Browse through all volumes mentioned in the script output until you find your files/folder.
For Linux
In Linux, the volumes of the recovery point are mounted to the folder where the script is run. The attached disks,
volumes, and the corresponding mount paths are shown accordingly. These mount paths are visible to users
having root level access. Browse through the volumes mentioned in the script output.
Closing the connection
After identifying the files and copying them to a local storage location, remove (or unmount) the additional drives.
To unmount the drives, on the File Recovery menu in the Azure portal, click Unmount Disks.
Once the disks have been unmounted, you receive a message letting you know it was successful. It may take a few
minutes for the connection to refresh so that you can remove the disks.
In Linux, after the connection to the recovery point is severed, the OS doesn't remove the corresponding mount
paths automatically. The mount paths exist as "orphan" volumes and they are visible but throw an error when you
access/write the files. They can be manually removed. The script, when run, identifies any such volumes existing
from any previous recovery points and cleans them up upon consent.
Special configurations
Dynamic Disks
If the protected Azure VM has volumes with one or both of the following characteristics, you can't run the
executable script on the same VM.
Volumes that span multiple disks (spanned and striped volumes)
Fault-tolerant volumes (mirrored and RAID-5 volumes) on dynamic disks
Instead, run the executable script on any other computer with a compatible operating system.
Windows Storage Spaces
Windows Storage Spaces is a Windows technology that enables you to virtualize storage. With Windows Storage
Spaces you can group industry-standard disks into storage pools. Then you use the available space in those storage
pools to create virtual disks, called storage spaces.
If the protected Azure VM uses Windows Storage Spaces, you can't run the executable script on the same VM.
Instead, run the executable script on any other machine with a compatible operating system.
LVM/RAID Arrays
In Linux, Logical volume manager (LVM) and/or software RAID Arrays are used to manage logical volumes over
multiple disks. If the protected Linux VM uses LVM and/or RAID Arrays, you can't run the script on the same VM.
Instead run the script on any other machine with a compatible OS and which supports the file system of the
protected VM.
The following script output displays the LVM and/or RAID Arrays disks and the volumes with the partition type.
To bring these partitions online, run the commands in the following sections.
For LVM Partitions
To list the volume group names under a physical volume.
$ pvs <volume name as shown above in the script output>
To list all logical volumes, names, and their paths in a volume group.
$ lvdisplay <volume-group-name from the pvs commands results>
To mount the logical volumes to the path of your choice.
$ mount <LV path> </mountpath>
For RAID Arrays

The following command displays details about all raid disks.
$ mdadm detail scan
The relevant RAID disk is displayed as /dev/mdm/<RAID array name in the protected VM>
Use the mount command if the RAID disk has physical volumes.
$ mount [RAID Disk Path] [/mountpath]
If the RAID disk has another LVM configured in it, then use the preceding procedure for LVM partitions but use the
volume name in place of the RAID Disk name
Troubleshooting
If you have problems while recovering files from the virtual machines, check the following table for additional
information.
ERROR MESSAGE / SCENARIO PROBABLE CAUSE RECOMMENDED ACTION
Exe output: Exception connecting to the Script is not able to access the recovery Check whether the machine fulfills the
target point previous access requirements.
Exe output: The target has already The script was already executed on the The volumes of the recovery point have
been logged in via an ISCSI session. same machine and the drives have been already been attached. They may NOT
attached be mounted with the same drive letters
of the original VM. Browse through all
the available volumes in the file explorer
for your file
Exe output: This script is invalid The disks have been dismounted from This particular exe is now invalid and
because the disks have been the portal or the 12-hr limit exceeded cant be run. If you want to access the
dismounted via portal/exceeded the files of that recovery point-in-time, visit
12-hr limit. Download a new script the portal for a new exe
from the portal.
On the machine where the exe is run: The ISCSI initiator on the machine is not Wait for some mins after the dismount
The new volumes are not dismounted responding/refreshing its connection to button is pressed. If the new volumes
after the dismount button is clicked the target and maintaining the cache are still not dismounted, please browse
through all the volumes. This forces the
initiator to refresh the connection and
the volume is dismounted with an error
message that the disk is not available
ERROR MESSAGE / SCENARIO PROBABLE CAUSE RECOMMENDED ACTION
Exe output: Script is run successfully but This is a transient error The volumes would have been already
New volumes attached is not attached. Open Explorer to browse. If
displayed on the script output you are using the same machine for
running scripts every time, consider
restarting the machine and the list
should be displayed in the subsequent
exe runs.
Linux specific: Not able to view the The OS of the machine where the script Check whether the recovery point is
desired volumes is run may not recognize the underlying crash consistent or file-consistent. If file
filesystem of the protected VM consistent, run the script on another
machine whose OS recognizes the
protected VM's filesystem
Windows specific: Not able to view the The disks may have been attached but From the disk management screen,
desired volumes the volumes were not configured identify the additional disks related to
the recovery point. If any of these disks
are in offline state try making them
online by right-clicking on the disk and
click 'Online'
Use the Azure portal to restore virtual machines
Protect your data by taking snapshots of your data at defined intervals. These snapshots are known as recovery
points, and they're stored in Recovery Services vaults. If it's necessary to repair or rebuild a virtual machine (VM),
you can restore the VM from any of the saved recovery points. When you restore a recovery point, you can:
Create a new VM, which is a point-in-time representation of your backed-up VM.
Restore disks, and use the template that comes with the process to customize the restored VM, or do an
individual file recovery.
This article explains how to restore a VM to a new VM or restore all backed-up disks. For individual file recovery,
see Recover files from an Azure VM backup.
NOTE
Azure has two deployment models for creating and working with resources: Azure Resource Manager and classic. This article
provides the information and procedures used to restore deployed VMs by using the Resource Manager model.
Restoring a VM or all disks from VM backup involves two steps:

Select a restore point for restore.
Select the restore type, create a new VM or restore disks, and specify the required parameters.
Select a restore point for restore

2. On the Azure menu, select Browse. In the list of services, type Recovery Services. The list of services
adjusts to what you type. When you see Recovery Services vaults, select it.
The list of vaults in the subscription is displayed.
3. From the list, select the vault associated with the VM you want to restore. When you select the vault, its
dashboard opens.
4. In the vault dashboard, on the Backup Items tile, select Azure Virtual Machines.
The Backup Items blade opens and displays the list of Azure VMs.
5. From the list, select a VM to open the dashboard. The VM dashboard opens to the monitoring area, which
contains the Restore points tile.
6. On the VM dashboard menu, select Restore.
The Restore blade opens.

7. On the Restore blade, select Restore point. The Select restore point blade opens.
By default, the dialog box displays all the restore points from the last 30 days. Use the Filter to alter the
time range of the restore points displayed. By default, restore points of all consistencies are displayed.
Modify the All restore points filter to select a specific restore point consistency. For more information
about each type of restoration point, see Data consistency.
Restore point consistency options:
Crash consistent restore points
Application consistent restore points
File-system consistent restore points
All restore points
8. Choose a restore point, and select OK.
The Restore blade shows that the restore point is set.
9. If you're not already there, go to the Restore blade. Ensure that a restore point is selected, and select
Restore configuration. The Restore configuration blade opens.
Choose a VM restore configuration

After you select the restore point, choose a VM restore configuration. To configure the restored VM, you can use
the Azure portal or PowerShell.
1. If you're not already there, go to the Restore blade. Ensure that a restore point is selected, and select
Restore configuration. The Restore configuration blade opens.
2. On the Restore configuration blade, you have two choices:
Create virtual machine
Restore disks
The portal provides a Quick Create option for a restored VM. To customize the VM configuration or the names of
the resources created as part of creating a new VM choice, use PowerShell or the portal to restore backed-up disks.
Use PowerShell commands to attach them to your choice of VM configuration. Or you can use the template that
comes with restored disks to customize the restored VM. For information on how to restore a VM that has multiple
NICs or is under a load balancer, see Restore a VM with special network configurations. If your Windows VM uses
HUB licensing, restore disks and use PowerShell/Template as specified in this article to create the VM. Make sure
that you specify the License Type as "Windows_Server" while you create the VM to avail HUB benefits on the
restored VM.
Create a new VM from a restore point

1. If you're not already there, select a restore point before you begin to create a new VM from a restore point.
After you select a restore point, on the Restore configuration blade, enter or select values for each of the
following fields:
a. Restore Type. Create a virtual machine.
b. Virtual machine name. Provide a name for the VM. The name must be unique to the resource group
(for an Azure Resource Manager-deployed VM) or cloud service (for a classic VM). You can't replace the VM
if it already exists in the subscription.
c. Resource group. Use an existing resource group or create a new one. If you're restoring a classic VM, use
this field to specify the name of a new cloud service. If you're creating a new resource group/cloud service,
the name must be globally unique. Typically, the cloud service name is associated with a public-facing URL:
for example, [cloudservice].cloudapp.net. If you attempt to use a name for the cloud resource group/cloud
service already in use, Azure assigns the resource group/cloud service the same name as the VM. Azure
displays resource groups/cloud services and VMs not associated with any affinity groups. For more
information, see How to migrate from affinity groups to a regional virtual network.
d. Virtual network. Select the virtual network when you create the VM. The field provides all virtual
networks associated with the subscription. The resource group of the VM is displayed in parentheses.
e. Subnet. If the virtual network has subnets, the first subnet is selected by default. If there are additional
subnets, select the subnet you want.
f. Storage Account. This menu lists the storage accounts in the same location as the Recovery Services
vault. Storage accounts that are zone redundant aren't supported. If there are no storage accounts with the
same location as the Recovery Services vault, you must create one before you start the restore operation.
The storage account's replication type is displayed in parentheses.
NOTE
If you restore a Resource Manager-deployed VM, you must identify a virtual network. A virtual network is
optional for a classic VM.
If you restore VMs with managed disks, make sure that the storage account selected isn't enabled for Azure
Storage Service Encryption in its lifetime.
Based on the storage type of the storage account selected (premium or standard), all disks restored will be
either premium or standard disks. We currently don't support a mixed mode of disks when restoring.
2. On the Restore configuration blade, select OK to finalize the restore configuration. On the Restore blade,
select Restore to trigger the restore operation.
Restore backed-up disks
To customize the VM you want to create from backed-up disks different from what is present in the Restore
configuration blade, select Restore disks as the value for Restore Type. This choice asks for a storage account
where disks from backups are to be copied. When you choose a storage account, select an account that shares the
same location as the Recovery Services vault. Storage accounts that are zone redundant aren't supported. If there
are no storage accounts with the same location as the Recovery Services vault, you must create one before you
start the restore operation. The storage account's replication type is displayed in parentheses.
After the restore operation is finished, you can:
Use the template to customize the restored VM
Use the restored disks to attach to an existing VM
Create a new VM by using PowerShell from restored disks
On the Restore configuration blade, select OK to finalize the restore configuration. On the Restore blade, select
Restore to trigger the restore operation.
Track the restore operation

After you trigger the restore operation, the backup service creates a job for tracking the restore operation. The
backup service also creates and temporarily displays the notification in the Notifications area of the portal. If you
don't see the notification, select the Notifications symbol to view your notifications.
To view the operation while it's processing, or to view it when it's finished, open the Backup jobs list.
1. On the Azure menu, select Browse, and in the list of services, type Recovery Services. The list of services
adjusts to what you type. When you see Recovery Services vaults, select it.
The list of vaults in the subscription is displayed.
2. From the list, select the vault associated with the VM you restored. When you select the vault, its dashboard
opens.
3. In the vault dashboard on the Backup Jobs tile, select Azure virtual machines to display the jobs
associated with the vault.
The Backup jobs blade opens and displays the list of jobs.
Use templates to customize a restored VM

After the restore disks operation is finished, use the template that was generated as part of the restore operation to
create a new VM with a configuration different from the backup configuration. You also can use it to customize
names of resources that were created during the process of creating a new VM from a restore point.
NOTE
Templates are added as part of restore disks for recovery points taken after March 1, 2017. They're applicable for
nonmanaged disk VMs. Support for managed disk VMs is coming in upcoming releases.
To get the template that was generated as part of the restore disks option:
1. Go to the restore job details corresponding to the job.
2. On the Restore Job Details screen, select Deploy Template to initiate template deployment.
3. On the Deploy template blade for custom deployment, use template deployment to edit and deploy the
template or append more customizations by authoring a template before you deploy.
4. After you enter the required values, accept the Terms and Conditions and select Purchase.
Post-restore steps
If you use a cloud-init-based Linux distribution, such as Ubuntu, for security reasons, the password is blocked
post restore. Use the VMAccess extension on the restored VM to reset the password. We recommend using SSH
keys on these distributions to avoid resetting the password post restore.
Extensions present during the backup configuration are installed, but they won't be enabled. If you see an issue,
reinstall the extensions.
If the backed-up VM has static IP post restore, the restored VM has a dynamic IP to avoid conflict when you
create a restored VM. Learn more about how you can add a static IP to a restored VM.
A restored VM doesn't have an availability value set. We recommend using the restore disks option to add an
availability set when you create a VM from PowerShell or templates by using restored disks.
Backup for restored VMs

If you restored a VM to the same resource group with the same name as the originally backed-up VM, backup
continues on the VM post restore. If you restored the VM to a different resource group or you specified a different
name for the restored VM, the VM is treated as if it's a new VM. You need to set up backup for the restored VM.
Restore a VM during an Azure datacenter disaster

Azure Backup allows restoring backed-up VMs to the paired datacenter in case the primary datacenter where VMs
are running experiences a disaster and you configured the backup vault to be geo-redundant. During such
scenarios, select a storage account, which is present in a paired datacenter. The rest of the restore process remains
the same. Backup uses the compute service from the paired geo to create the restored VM. For more information,
see Azure datacenter resiliency.
Restore domain controller VMs

Backup of domain controller (DC) VMs is a supported scenario with Backup. However, you must be careful during
the restore process. The correct restore process depends on the structure of the domain. In the simplest case, you
have a single DC in a single domain. More commonly for production loads, you have a single domain with multiple
DCs, perhaps with some DCs on-premises. Finally, you might have a forest with multiple domains.
From an Active Directory perspective, the Azure VM is like any other VM on a modern supported hypervisor. The
major difference with on-premises hypervisors is that there's no VM console available in Azure. A console is
required for certain scenarios, such as recovering by using a bare-metal recovery (BMR)-type backup. However,
VM restore from the backup vault is a full replacement for BMR. Directory Services Restore Mode (DSRM) is also
available, so all Active Directory recovery scenarios are viable. For more information, see Backup and restore
considerations for virtualized domain controllers and Planning for Active Directory forest recovery.
Single DC in a single domain
The VM can be restored (like any other VM) from the Azure portal or by using PowerShell.
Multiple DCs in a single domain
When other DCs of the same domain can be reached over the network, the DC can be restored like any VM. If it's
the last remaining DC in the domain, or a recovery in an isolated network is performed, a forest recovery
procedure must be followed.
Multiple domains in one forest
When other DCs of the same domain can be reached over the network, the DC can be restored like any VM. In all
other cases, we recommend a forest recovery.
Restore VMs with special network configurations

It's possible to back up and restore VMs with the following special network configurations. However, these
configurations require some special consideration while going through the restore process:
VMs under load balancers (internal and external)
VMs with multiple reserved IPs
VMs with multiple NICs
IMPORTANT
When you create the special network configuration for VMs, you must use PowerShell to create VMs from the restored
disks.
To fully re-create the VMs after restoring to disk, follow these steps:
1. Restore the disks from a Recovery Services vault by using PowerShell.
2. Create the VM configuration required for load balancer/multiple NIC/multiple reserved IP by using the
PowerShell cmdlets. Use it to create the VM with the configuration you want:
a. Create a VM in the cloud service with an internal load balancer.
b. Create a VM to connect to an internet-facing load balancer.
c. Create a VM with multiple NICs.
d. Create a VM with multiple reserved IPs.
Next steps
Now that you can restore your VMs, see the troubleshooting article for information on common errors with VMs.
Also, check out the article on managing tasks with your VMs.
Manage virtual machines
Back up and restore encrypted virtual machines with
Azure Backup
This article talks about the steps to back up and restore virtual machines (VMs) by using Azure Backup. It also
provides details about supported scenarios, prerequisites, and troubleshooting steps for error cases.
Supported scenarios
Backup and restore of encrypted VMs is supported only for VMs that use the Azure Resource Manager
deployment model. It's not supported for VMs that use the classic deployment model.
Backup and restore of encrypted VMs is supported for both Windows and Linux VMs that use Azure Disk
Encryption. Disk Encryption uses the industry standard BitLocker feature of Windows and the dm-crypt
feature of Linux to provide encryption of disks.
The following table shows supported scenarios for BitLocker encryption key (BEK)-only and key encryption
key (KEK)-encrypted VMs:
BEK + KEK VMS BEK-ONLY VMS
Nonmanaged VMs Yes Yes
Managed VMs Yes Yes
Prerequisites
The VM was encrypted by using Azure Disk Encryption.
A Recovery Services vault was created and storage replication was set by following the steps in Prepare your
environment for backup.
Backup was given permissions to access a key vault containing keys and secrets for encrypted VMs.
Backup-encrypted VM
Use the following steps to set a backup goal, define a policy, configure items, and trigger a backup.
Configure backup
1. If you already have a Recovery Services vault open, proceed to the next step. If you don't have a Recovery
Services vault open but you're in the Azure portal, on the Hub menu, select Browse.
a. In the list of resources, type Recovery Services.
b. As you begin typing, the list filters based on your input. When you see Recovery Services vaults, select it.
c. The list of Recovery Services vaults appears. Select a vault from the list.
2. From the list of items that appears under the vault, select Backup to start backing up the encrypted VM.
3. On the Backup tile, select Backup goal.

4. Under Where is your workload running?, select Azure. Under What do you want to backup?, select
Virtual machine. Then select OK.
5. Under Choose backup policy, select the backup policy you want to apply to the vault. Then select OK.
The details of the default policy are listed. If you want to create a policy, select Create New from the drop-
down list. After you select OK, the backup policy is associated with the vault.
6. Choose the encrypted VMs to associate with the specified policy, and select OK.
7. This page shows a message about key vaults associated to the encrypted VMs you selected. Backup requires
read-only access to the keys and secrets in the key vault. It uses these permissions to back up the keys and
secrets, along with the associated VMs. You must provide permissions to the backup service to access the key
vault for backups to work. You can provide these permissions by following the steps mentioned in the
following section.
Now that you have defined all settings for the vault, select Enable Backup at the bottom of the page.
Enable Backup deploys the policy to the vault and the VMs.
8. The next phase in preparation is installing the VM Agent or making sure the VM Agent is installed. To do the
same, follow the steps in Prepare your environment for backup.
Follow the steps in Backup Azure VMs to a Recovery Services vault to trigger a backup job.
Continue backups of already backed-up VMs with encryption enabled
If you have VMs already being backed up in a Recovery Services vault that are enabled for encryption later, you
must give permissions to Backup to access the key vault for backups to continue. You can provide these
permissions by following the steps in the following section. Or you can follow the PowerShell steps in the "Enable
backup" section of the PowerShell documentation.
Provide permissions to Backup

Use the following steps to provide relevant permissions to Backup to access the key vault and perform backup of
encrypted VMs.
1. Select More services, and search for Key vaults.
2. From the list of key vaults, select the key vault associated with the encrypted VM that needs to be backed up.
3. Select Access policies, and then select Add new.

4. Select Select principal, and then type Backup Management Service in the search box.
5. Select Backup Management Service, and then select Select.
6. Under Configure from template (optional), select Azure Backup. The required permissions are prefilled
for Key permissions and Secret permissions. If your VM is encrypted by using BEK only, permissions only
for secrets are required, so you must remove the selection for Key permissions.
7. Select OK. Notice that Backup Management Service gets added in Access policies.
8. Select Save to give the required permissions to Backup.
After permissions are successfully provided, you can proceed with enabling backup for encrypted VMs.
Restore an encrypted VM
To restore an encrypted VM, first restore disks by following the steps in the "Restore backed-up disks" section in
Choose a VM restore configuration. After that, you can use one of the following options:
Follow the PowerShell steps in Create a VM from restored disks to create a full VM from restored disks.
Or, use templates to customize a restored VM to create VMs from restored disks. Templates can be used only for
recovery points created after April 26, 2017.
Backup Backup doesn't have sufficient Backup should be provided these

permissions to the key vault for backup permissions by following the steps in
of encrypted VMs. the previous section. Or you can follow
the PowerShell steps in the "Enable
protection" section of the PowerShell
documentation at Use
AzureRM.RecoveryServices.Backup
cmdlets to back up virtual machines.
Restore You can't restore this encrypted VM Create a key vault by using Get started
because the key vault associated with with Azure Key Vault. See Restore a key
this VM doesn't exist. vault key and a secret by using Azure
Backup to restore a key and a secret if
they aren't present.
Restore You can't restore this encrypted VM See Restore a key vault key and a secret
because the key and the secret by using Azure Backup to restore a key
associated with this VM don't exist. and a secret if they aren't present.
Restore Backup doesn't have the authorization As mentioned previously, restore disks
to access resources in your subscription. first by following the steps in the
"Restore backed-up disks" section in
Choose a VM restore configuration.
After that, use PowerShell to create a
VM from restored disks.
Restore virtual machines in Azure
Restore a virtual machine to a new VM from the backups stored in an Azure Backup vault with the following steps.
IMPORTANT
You can now upgrade your Backup vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to
a Recovery Services vault. Microsoft encourages you to upgrade your Backup vaults to Recovery Services vaults.
October 15, 2017, you will no longer be able to use PowerShell to create Backup vaults.
Starting November 1, 2017:
Any remaining Backup vaults will be automatically upgraded to Recovery Services vaults.
Restore workflow
Step 1: Choose an item to restore
1. Navigate to the Protected Items tab and select the virtual machine you want to restore to a new VM.
The Recovery Point column in the Protected Items page will tell you the number of recovery points for a
virtual machine. The Newest Recovery Point column tells you the time of the most recent backup from
which a virtual machine can be restored.
2. Click Restore to open the Restore an Item wizard.
Step 2: Pick a recovery point

1. In the select a recovery point screen, you can restore from the newest recovery point, or from a previous
point in time. The default option selected when wizard opens is Newest Recovery Point.
2. To pick an earlier point in time, choose the Select Date option in the dropdown and select a date in the
calendar control by clicking on the calendar icon. In the control, all dates that have recovery points are
filled with a light gray shade and are selectable by the user.
Once you click a date in the calendar control, the recovery points available on that date will be shown in
recovery points table below. The Time column indicates the time at which the snapshot was taken. The
Type column displays the consistency of the recovery point. The table header shows the number of
recovery points available on that day in parentheses.
3. Select the recovery point from the Recovery Points table and click the Next arrow to go to the next screen.
Step 3: Specify a destination location
1. In the Select restore instance screen specify details of where to restore the virtual machine.
Specify the virtual machine name: In a given cloud service, the virtual machine name should be unique.
We don't support over-writing existing VM.
Select a cloud service for the VM: This is mandatory for creating a VM. You can choose to either use
an existing cloud service or create a new cloud service.
Whatever cloud service name is picked should be globally unique. Typically, the cloud service name
gets associated with a public-facing URL in the form of [cloudservice].cloudapp.net. Azure will not
allow you to create a new cloud service if the name has already been used. If you choose to create a
new cloud service, it will be given the same name as the virtual machine in which case the VM
name picked should be unique enough to be applied to the associated cloud service.
We only display cloud services and virtual networks that are not associated with any affinity groups
in the restore instance details. Learn More.
2. Select a storage account for the VM: This is mandatory for creating the VM. You can select from existing
storage accounts in the same region as the Azure Backup vault. We dont support storage accounts that are
Zone redundant or of Premium storage type.
If there are no storage accounts with supported configuration, please create a storage account of supported
configuration prior to starting restore operation.
3. Select a Virtual Network: The virtual network (VNET) for the virtual machine should be selected at the time
of creating the VM. The restore UI shows all the VNETs within this subscription that can be used. It is not
mandatory to select a VNET for the restored VM you will be able to connect to the restored virtual
machine over the internet even if the VNET is not applied.
If the cloud service selected is associated with a virtual network, then you cannot change the virtual
network.
4. Select a subnet: In case the VNET has subnets, by default the first subnet will be selected. Choose the
subnet of your choice from the dropdown options. For subnet details, go to Networks extension in the
portal home page, go to Virtual Networks and select the virtual network and drill down into Configure to
see subnet details.
5. Click the Submit icon in the wizard to submit the details and create a restore job.
Track the Restore operation

Once you have input all the information into the restore wizard and submitted it Azure Backup will try to create a
job to track the restore operation.
If the job creation is successful, you will see a toast notification indicating that the job is created. You can get more
details by clicking the View Job button that will take you to Jobs tab.
Once the restore operation is finished, it will be marked as completed in Jobs tab.
After restoring the virtual machine you may need to re-install the extensions existing on the original VM and
modify the endpoints for the virtual machine in the Azure portal.
Post-Restore steps
If you are using a cloud-init based Linux distribution such as Ubuntu, for security reasons, password will be
blocked post restore. Please use VMAccess extension on the restored VM to reset the password. We recommend
using SSH keys on these distributions to avoid resetting password post restore.
Backup for Restored VMs

If you have restored VM to same cloud service with the same name as originally backed up VM, backup will
continue on the VM post restore. If you have either restored VM to a different cloud service or specified a different
name for restored VM, this will be treated as a new VM and you need to setup backup for restored VM.
Restoring a VM during Azure DataCenter Disaster

Azure Backup allows restoring backed up VMs to the paired data center in case the primary data center where
VMs are running experiences disaster and you configured Backup vault to be geo-redundant. During such
scenarios, you need to select a storage account which is present in paired data center and rest of the restore
process remains same. Azure Backup uses Compute service from paired geo to create the restored virtual
machine. Learn more about Azure Data center resiliency
Restoring Domain Controller VMs

Backup of Domain Controller (DC) virtual machines is a supported scenario with Azure Backup. However, care
must be taken during the restore process. The correct restore process depends on the structure of the domain. In
the simplest case you have a single DC in a single domain. More commonly for production loads, you will have a
single domain with multiple DCs, perhaps with some DCs on premises. Finally, you may have a forest with
multiple domains.
From an Active Directory perspective the Azure VM is like any other VM on a modern supported hypervisor. The
major difference with on-premises hypervisors is that there is no VM console available in Azure. A console is
required for certain scenarios such as recovering using a Bare Metal Recovery (BMR) type backup. However, VM
restore from the backup vault is a full replacement for BMR. Active Directory Restore Mode (DSRM) is also
available, so all Active Directory recovery scenarios are viable. For more background information, please check
Backup and Restore considerations for virtualized Domain Controllers and Planning for Active Directory Forest
Recovery.
Single DC in a single domain
The VM can be restored (like any other VM) from the Azure portal or using PowerShell.
Multiple DCs in a single domain
When other DCs of the same domain can be reached over the network, the DC can be restored like any VM. If it is
the last remaining DC in the domain, or a recovery in an isolated network is performed, a forest recovery
procedure must be followed.
Multiple domains in one forest
When other DCs of the same domain can be reached over the network, the DC can be restored like any VM.
However, in all other cases a forest recovery is recommended.
Restoring VMs with special network configurations

Azure Backup supports backup for following special network configurations of virtual machines.
VMs under load balancer (internal and external)
VMs with multiple reserved IPs
VMs with multiple NICs
These configurations mandate following considerations while restoring them.
TIP
Please use PowerShell based restore flow to recreate the special network configuration of VMs post restore.
Restoring from the UI:
While restoring from UI, always choose a new cloud service. Please note that since portal only takes
mandatory parameters during restore flow, VMs restored using UI will lose the special network configuration they
possess. In other words, restore VMs will be normal VMs without configuration of load balancer or multi NIC or
multiple reserved IP.
Restoring from PowerShell:
PowerShell has the ability to just restore the VM disks from backup and not create the virtual machine. This is
helpful when restoring virtual machines which require special network configurations mentioned above.
In order to fully recreate the virtual machine post restoring disks, follow these steps:
1. Restore the disks from backup vault using Azure Backup PowerShell
2. Create the VM config required for load balancer/multiple NIC/multiple reserved IP using the PowerShell
cmdlets and use it to create the VM of desired configuration.
Create VM in cloud service with Internal Load balancer
Create VM to connect to Internet facing load balancer
Create VM with multiple NICs
Create VM with multiple reserved IPs
Next steps
Manage virtual machines
Restore Key Vault key and secret for encrypted VMs
using Azure Backup
This article talks about using Azure VM Backup to perform restore of encrypted Azure VMs, if your key and secret
do not exist in the key vault. These steps can also be used if you want to maintain a separate copy of key (Key
Encryption Key) and secret (BitLocker Encryption Key) for the restored VM.
Prerequisites
Backup encrypted VMs - Encrypted Azure VMs have been backed up using Azure Backup. Refer the article
Manage backup and restore of Azure VMs using PowerShell for details about how to backup encrypted Azure
VMs.
Configure Azure Key Vault Ensure that key vault to which keys and secrets need to be restored is already
present. Refer the article Get Started with Azure Key Vault for details about key vault management.
Restore disk - Ensure that you have triggered restore job for restoring disks for encrypted VM using
PowerShell steps. This is because this job generates a JSON file in your storage account containing keys and
secrets for the encrypted VM to be restored.
Get key and secret from Azure Backup

NOTE
Once disk has been restored for the encrypted VM, ensure that:
1. $details is populated with restore disk job details, as mentioned in PowerShell steps in Restore the Disks section
2. VM should be created from restored disks only after key and secret is restored to key vault.
Query the restored disk properties for the job details.
PS C:\> $properties = $details.properties

PS C:\> $storageAccountName = $properties["Target Storage Account Name"]
PS C:\> $containerName = $properties["Config Blob Container Name"]
PS C:\> $encryptedBlobName = $properties["Encryption Info Blob Name"]
Set the Azure storage context and restore JSON configuration file containing key and secret details for encrypted
VM.
PS C:\> Set-AzureRmCurrentStorageAccount -Name $storageaccountname -ResourceGroupName '<rg-name>'

PS C:\> $destination_path = 'C:\vmencryption_config.json'
PS C:\> Get-AzureStorageBlobContent -Blob $encryptedBlobName -Container $containerName -Destination
$destination_path
PS C:\> $encryptionObject = Get-Content -Path $destination_path | ConvertFrom-Json
Restore key
Once the JSON file is generated in the destination path mentioned above, generate key blob file from the JSON
and feed it to restore key cmdlet to put the key (KEK) back in the key vault.
PS C:\> $keyDestination = 'C:\keyDetails.blob'
PS C:\> [io.file]::WriteAllBytes($keyDestination,
[System.Convert]::FromBase64String($encryptionObject.OsDiskKeyAndSecretDetails.KeyBackupData))
PS C:\> Restore-AzureKeyVaultKey -VaultName '<target_key_vault_name>' -InputFile $keyDestination
Restore secret
Use the JSON file generated above to get secret name and value and feed it to set secret cmdlet to put the secret
(BEK) back in the key vault. Use these cmdlets if your VM is encrypted using BEK and KEK.
PS C:\> $secretdata = $encryptionObject.OsDiskKeyAndSecretDetails.SecretData

PS C:\> $Secret = ConvertTo-SecureString -String $secretdata -AsPlainText -Force
PS C:\> $secretname = 'B3284AAA-DAAA-4AAA-B393-60CAA848AAAA'
PS C:\> $Tags = @{'DiskEncryptionKeyEncryptionAlgorithm' = 'RSA-OAEP';'DiskEncryptionKeyFileName' = 'B3284AAA-
DAAA-4AAA-B393-60CAA848AAAA.BEK';'DiskEncryptionKeyEncryptionKeyURL' =
$encryptionObject.OsDiskKeyAndSecretDetails.KeyUrl;'MachineName' = 'vm-name'}
PS C:\> Set-AzureKeyVaultSecret -VaultName '<target_key_vault_name>' -Name $secretname -SecretValue $Secret -
ContentType 'Wrapped BEK' -Tags $Tags
If your VM is encrypted using BEK only, generate secret blob file from the JSON and feed it to restore secret
cmdlet to put the secret (BEK) back in the key vault.
PS C:\> $secretDestination = 'C:\secret.blob'

PS C:\> [io.file]::WriteAllBytes($secretDestination,
[System.Convert]::FromBase64String($encryptionObject.OsDiskKeyAndSecretDetails.KeyVaultSecretBackupData))
PS C:\> Restore-AzureKeyVaultSecret -VaultName '<target_key_vault_name>' -InputFile $secretDestination -
Verbose
NOTE
1. Value for $secretname can be obtained by referring to the output of
$encryptionObject.OsDiskKeyAndSecretDetails.SecretUrl and using text after secrets/ e.g. output secret URL is
https://keyvaultname.vault.azure.net/secrets/B3284AAA-DAAA-4AAA-B393-
60CAA848AAAA/xx000000xx0849999f3xx30000003163 and secret name is B3284AAA-DAAA-4AAA-B393-
60CAA848AAAA
2. Value of the tag DiskEncryptionKeyFileName is same as secret name.
Create virtual machine from restored disk

If you have backed up encrypted VM using Azure VM Backup, the PowerShell cmdlets mentioned above help you
restore key and secret back to the key vault. After restoring them, refer the article Manage backup and restore of
Azure VMs using PowerShell to create encrypted VMs from restored disk, key, and secret.
Legacy approach
The approach mentioned above would work for all the recovery points. However, the older approach of getting
key and secret information from recovery point, would be valid for recovery points older than July 11, 2017 for
VMs encrypted using BEK and KEK. Once restore disk job is complete for encrypted VM using PowerShell steps,
ensure that $rp is populated with a valid value.
Restore key
Use the following cmdlets to get key (KEK) information from recovery point and feed it to restore key cmdlet to
put it back in the key vault.
PS C:\> $rp1 = Get-AzureRmRecoveryServicesBackupRecoveryPoint -RecoveryPointId $rp[0].RecoveryPointId -Item
$backupItem -KeyFileDownloadLocation 'C:\Users\downloads'
PS C:\> Restore-AzureKeyVaultKey -VaultName '<target_key_vault_name>' -InputFile 'C:\Users\downloads'
Restore secret
Use the following cmdlets to get secret (BEK) information from recovery point and feed it to set secret cmdlet to
put it back in the key vault.
PS C:\> $secretname = 'B3284AAA-DAAA-4AAA-B393-60CAA848AAAA'

PS C:\> $secretdata = $rp1.KeyAndSecretDetails.SecretData
PS C:\> $Secret = ConvertTo-SecureString -String $secretdata -AsPlainText -Force
PS C:\> $Tags = @{'DiskEncryptionKeyEncryptionAlgorithm' = 'RSA-OAEP';'DiskEncryptionKeyFileName' = 'B3284AAA-
DAAA-4AAA-B393-60CAA848AAAA.BEK';'DiskEncryptionKeyEncryptionKeyURL' =
'https://mykeyvault.vault.azure.net:443/keys/KeyName/84daaac999949999030bf99aaa5a9f9';'MachineName' = 'vm-
name'}
PS C:\> Set-AzureKeyVaultSecret -VaultName '<target_key_vault_name>' -Name $secretname -SecretValue $secret -
Tags $Tags -SecretValue $Secret -ContentType 'Wrapped BEK'
NOTE
1. Value for $secretname can be obtained by referring to the output of $rp1.KeyAndSecretDetails.SecretUrl and using text
after secrets/ e.g. output secret URL is https://keyvaultname.vault.azure.net/secrets/B3284AAA-DAAA-4AAA-B393-
60CAA848AAAA/xx000000xx0849999f3xx30000003163 and secret name is B3284AAA-DAAA-4AAA-B393-
60CAA848AAAA
2. Value of the tag DiskEncryptionKeyFileName is same as secret name.
3. Value for DiskEncryptionKeyEncryptionKeyURL can be obtained from key vault after restoring the keys back and using
Get-AzureKeyVaultKey cmdlet
Next steps
After restoring key and secret back to key vault, refer the article Manage backup and restore of Azure VMs using
PowerShell to create encrypted VMs from restored disk, key and secret.
This article talks about steps to configure reports for Azure Backup using Recovery Services vault, and to access
these reports using Power BI. After performing these steps, you can directly go to Power BI to view all the reports,
customize and create reports.
Supported scenarios
1. Azure Backup reports are supported for Azure virtual machine backup and file/folder backup to cloud using
Azure Recovery Services Agent.
2. Reports for Azure SQL, DPM and Azure Backup Server are not supported at this time.
3. You can view reports across vaults and across subscriptions, if same storage account is configured for each of
the vaults. Storage account selected should be in the same region as recovery services vault.
4. The frequency of scheduled refresh for the reports is 24 hours in Power BI. You can also perform an ad-hoc
refresh of the reports in Power BI, in which case latest data in customer storage account is used for rendering
reports.
Prerequisites
1. Create an Azure storage account to configure it for reports. This storage account is used for storing reports
related data.
2. Create a Power BI account to view, customize, and create your own reports using Power BI portal.
3. Register the resource provider Microsoft.insights if not registered already, with the subscription of storage
account and also with the subscription of Recovery Services vault to enable reporting data to flow to the
storage account. To do the same, you must go to Azure portal > Subscription > Resource providers and check
for this provider to register it.
Configure storage account for reports

Use the following steps to configure the storage account for recovery services vault using Azure portal. This is a
one-time configuration and once storage account is configured, you can go to Power BI directly to view content
pack and leverage reports.
1. If you already have a Recovery Services vault open, proceed to next step. If you do not have a Recovery
Services vault open, but are in the Azure portal, on the Hub menu, click Browse.
As you begin typing, the list filters based on your input. When you see Recovery Services vaults,
click it.
The list of Recovery Services vaults appears. From the list of Recovery Services vaults, select a vault.
2. From the list of items that appears under vault, click Backup Reports under Monitoring and Reports section
to configure the storage account for reports.
3. On the Backup Reports blade, click Configure button. This opens the Azure Application Insights blade which
is used for pushing data to customer storage account.
4. Set the Status toggle button to On and select Archive to a Storage Account check box so that reporting
data can start flowing in to the storage account.
5. Click Storage Account picker and select the storage account from the list for storing reporting data and click
OK.
6. Select AzureBackupReport check box and also move the slider to select retention period for this reporting
data. Reporting data in the storage account is kept for the period selected using this slider.
7. Review all the changes and click Save button on top, as shown in the figure above. This action ensures that all
your changes are saved and storage account is now configured for storing reporting data.
NOTE
Once you configure reports by saving storage account, you should wait for 24 hours for initial data push to complete. You
should import Azure Backup content pack in Power BI only after that time. Refer FAQ section for further details.
View reports in Power BI

After configuring storage account for reports using recovery services vault, it takes around 24 hours for reporting
data to start flowing in. After 24 hours of setting up storage account, use the following steps to view reports in
Power BI:
1. Sign in to Power BI.
2. Click Get Data and click Get under Services in Content Pack Library. Use steps mentioned in Power BI
documentation to access content pack.
3. Type Azure Backup in Search bar and click Get it now.
4. Enter the storage account name configured in step 5 above and click Next button.
5. Enter the storage account key for this storage account. You can view and copy storage access keys by
navigating to your storage account in Azure portal.
6. Click Sign in button. After sign-in is successful, you get Importing data notification.
After some time, you get Success notification after the import is complete. It might take little longer to
import the content pack, if there is a lot of data in the storage account.
7. Once data is imported successfully, Azure Backup content pack is visible in Apps in the navigation pane.
The list now shows Azure Backup dashboard, reports, and dataset with a yellow star indicating newly
imported reports.
8. Click Azure Backup under Dashboards, which shows a set of pinned key reports.
9. To view the complete set of reports, click any report in the dashboard.
10. Click each tab in the reports to view reports in that area.

1. How do I check if reporting data has started flowing in to storage account?
You can go to the storage account configured and select containers. If the container has an entry for
insights-logs-azurebackupreport, it indicates that reporting data has started flowing in.
2. What is the frequency of data push to storage account and Azure Backup content pack in Power
BI?
For Day 0 users, it would take around 24 hours to push data to storage account. Once this initial push is
compelete, data is refreshed with the following frequency shown in the figure below.
Data related to Jobs, Alerts, Backup Items, Vaults, Protected Servers and Policies is pushed to
customer storage account as and when it is logged.
Data related to Storage is pushed to customer storage account every 24 hours.
Power BI has a scheduled refresh once a day. You can perform a manual refresh of the data in Power BI for
the content pack.
3. How long can I retain the reports?
While configuring storage account, you can select retention period of reporting data in the storage account
(using step 6 in Configure storage account for reports section above). Besides that, you can Analyze reports
in excel and save them for a longer retention period, as per your needs.
4. Will I see all my data in reports after configuring the storage account?
All the data generated after "configuring storage account" will be pushed to the storage account and will
be available in reports. However, In Progress Jobs are not pushed for Reporting. Once the job completes
or fails, it is sent to reports.
5. If I have already configured the storage account to view reports, can I change the configuration to
use another storage account?
Yes, you can change the configuration to point to a different storage account. You should use the newly
configured storage account while connecting to Azure Backup content pack. Also, once a different storage
account is configured, new data would flow in this storage account. But older data (before changing the
configuration) would still remain in the older storage account.
6. Can I view reports across vaults and across subscriptions?
Yes, you can configure the same storage account across various vaults to view cross-vault reports. Also, you
can configure the same storage account for vaults across subscriptions. You can then use this storage
account while connecting to Azure Backup content pack in Power BI to view the reports. However, the
storage account selected should be in the same region as recovery services vault.
ERROR DETAILS RESOLUTION
After setting up the storage account for Backup Reports, If you configured storage account successfully, your reporting
Storage Account still shows Not Configured. data will flow in despite this issue. To resolve this issue, go to
Azure portal > More Services > Diagnostic settings > RS vault
> Edit Setting. Delete the previously configured setting and
create a new setting from the same blade. This time set the
field Name to service. This should show the configured
storage account.
After importing Azure Backup content pack in Power BI, the As suggested in this document, you must wait for 24 hours
error 404- container is not found comes up. after configuring reports in Recovery Services vault to see
them correctly in Power BI. If you try to access the reports
before 24 hours, you will get this error since complete data is
not yet present to show valid reports.
Next steps
Now that you have configured the storage account and imported Azure Backup content pack, the next step is to
customize these reports and use reporting data model to create reports. Refer the following articles for more
details.
Using Azure Backup reporting data model
Filtering reports in Power BI
Creating reports in Power BI
Data model for Azure Backup reports
This article describes the Power BI data model used for creating Azure Backup reports. Using this data model, you
can filter existing reports based on relevant fields and more importantly, create your own reports by using tables
and fields in the model.
Creating new reports in Power BI

Power BI provides customization features using which you can create reports using the data model.
Using Azure Backup data model

You can use the following fields provided as part of the data model to create reports and customize existing
reports.
Alert
This table provides basic fields and aggregations over various alert related fields.
FIELD DATA TYPE DESCRIPTION
#AlertsCreatedInPeriod Whole Number Number of alerts created in selected

time period
%ActiveAlertsCreatedInPeriod Percentage Percentage of active alerts in selected

time period
%CriticalAlertsCreatedInPeriod Percentage Percentage of critical alerts in selected

time period
AlertOccurenceDate Date Date when alert was created
AlertSeverity Text Severity of the alert for example, Critical
AlertStatus Text Status of the alert for example, Active
AlertType Text Type of the generated alert for example,

Backup
AlertUniqueId Text Unique Id of the generated alert
AsOnDateTime Date/Time Latest refresh time for the selected row
AvgResolutionTimeInMinsForAlertsCrea Decimal Number Average time (in minutes) to resolve

tedInPeriod alert for selected time period
EntityState Text Current state of the alert object for

example, Active, Deleted
Backup Item
This table provides basic fields and aggregations over various backup item-related fields.
#BackupItems Whole Number Number of backup items
#UnprotectedBackupItems Whole Number Number of backup items stopped for

protection or configured for backups
but backups not started
BackupItemFriendlyName Text Friendly name of backup item
BackupItemId Text Id of backup item
BackupItemName Text Name of backup item
BackupItemType Text Type of backup item for example, VM,

FileFolder
EntityState Text Current state of the backup item object

for example, Active, Deleted
LastBackupDateTime Date/Time Time of last backup for selected backup

item
LastBackupState Text State of last backup for selected backup

item for example, Successful, Failed
LastSuccessfulBackupDateTime Date/Time Time of last successful backup for

selected backup item
ProtectionState Text Current protection state of the backup

item for example, Protected,
ProtectionStopped
Calendar
This table provides details about calendar-related fields.
Date Date Date selected for filtering data
DateKey Text Unique key for each date item
DayDiff Decimal Number Difference in day for filtering data for

example, 0 indicates current day's data,
-1 indicates previous one day's data, 0
and -1 indicate data for current and
previous day
Month Text Month of the year selected for filtering

data, month begins on first day and
ends on 31st day
MonthDate Date Date in the month when month ends,

selected for filtering data
MonthDiff Decimal Number Difference in month for filtering data for

example, 0 indicates current month's
data, -1 indicates previous month's
data, 0 and -1 indicate data for current
and previous month
Week Text Week selected for filtering data, week

begins on Sunday and ends on
Saturday
WeekDate Date Date in the week when week ends,

WeekDiff Decimal Number Difference in week for filtering data for

example, 0 indicates current week's
data, -1 indicates previous week's data,
0 and -1 indicate data for current and
previous week
Year Text Calendar year selected for filtering data
YearDate Date Date in the year when year ends,

Job
This table provides basic fields and aggregations over various job-related fields.
#JobsCreatedInPeriod Whole Number Number of jobs created in the selected

time period
%FailuresForJobsCreatedInPeriod Percentage Percentage overall job failures in the

selected time period
80thPercentileDataTransferredInMBFor Decimal Number 80th percentile value of data transferred

BackupJobsCreatedInPeriod in MB for backup jobs created in the
selected time period
AvgBackupDurationInMinsForJobsCreat Decimal Number Average time in minutes for completed

edInPeriod backup jobs created in selected time
period
AvgRestoreDurationInMinsForJobsCrea Decimal Number Average time in minutes for completed

tedInPeriod restore jobs created in selected time
period
BackupStorageDestination Text Destination of backup storage for

example, Cloud, Disk
EntityState Text Current state of the job object for

JobFailureCode Text Failure Code string because of which job

failure happened
JobOperation Text Operation for which job is run for

example, Backup, Restore, Configure
Backup
JobStartDate Date Date when job started running
JobStartTime Time Time when job started running
JobStatus Text Status of the finished job for example,

Completed, Failed
JobUniqueId Text Unique Id to identify the job
Policy
This table provides basic fields and aggregations over various policy-related fields.
#Policies Whole Number Number of backup policies that exist in

the system
#PoliciesInUse Whole Number Number of policies currently being used

for configuring backups
BackupDaysOfTheWeek Text Days of the week when backups have

been scheduled
BackupFrequency Text Frequency with which backups are run

for example, daily, weekly
BackupTimes Text Date and time when backups are

scheduled
DailyRetentionDuration Whole Number Total retention duration in days for

configured backups
DailyRetentionTimes Text Date and time when daily retention was

configured
EntityState Text Current state of the policy object for

MonthlyRetentionDaysOfTheMonth Text Dates of the month selected for

monthly retention
MonthlyRetentionDaysOfTheWeek Text Days of the week selected for monthly

retention
MonthlyRetentionDuration Decimal Number Total retention duration in months for

configured backups
MonthlyRetentionFormat Text Type of configuration for monthly

retention for example, daily for day
based, weekly for week based
MonthlyRetentionTimes Text Date and time when monthly retention

is configured
MonthlyRetentionWeeksOfTheMonth Text Weeks of the month when monthly

retention is configured for example,
First, Last etc.
PolicyName Text Name of the policy defined
PolicyUniqueId Text Unique Id to identify the policy
RetentionType Text Type of retention policy for example,

Daily, Weekly, Monthly, Yearly
WeeklyRetentionDaysOfTheWeek Text Days of the week selected for weekly

retention
WeeklyRetentionDuration Decimal Number Total weekly retention duration in

weeks for configured backups
WeeklyRetentionTimes Text Date and time when weekly retention is

configured
YearlyRetentionDaysOfTheMonth Text Dates of the month selected for yearly

retention
YearlyRetentionDaysOfTheWeek Text Days of the week selected for yearly

retention
YearlyRetentionDuration Decimal Number Total retention duration in years for

configured backups
YearlyRetentionFormat Text Type of configuration for yearly

retention for example, daily for day
YearlyRetentionMonthsOfTheYear Text Months of the year selected for yearly

retention
YearlyRetentionTimes Text Date and time when yearly retention is

configured
YearlyRetentionWeeksOfTheMonth Text Weeks of the month when yearly

retention is configured for example,
First, Last etc.
Protected Server
This table provides basic fields and aggregations over various protected server-related fields.
#ProtectedServers Whole Number Number of protected servers
AzureBackupAgentOSType Text OS Type of Azure Backup Agent
AzureBackupAgentOSVersion Text OS Version of Azure Backup Agent
AzureBackupAgentUpdateDate Text Date when Agent Backup Agent was

updated
AzureBackupAgentVersion Text Version number of Agent Backup

Version
BackupManagementType Text Provider type for performing backup for

example, IaaSVM, FileFolder
EntityState Text Current state of the protected server

object for example, Active, Deleted
ProtectedServerFriendlyName Text Friendly name of protected server
ProtectedServerName Text Name of protected server
ProtectedServerType Text Type of protected server backed up for

example, IaaSVMContainer
ProtectedServerName Text Name of protected server to which

backup item belongs
RegisteredContainerId Text Id of container registered for backup
Storage
This table provides basic fields and aggregations over various storage-related fields.
#ProtectedInstances Decimal Number Number of protected instances used for

calculating frontend storage in billing,
calculated based on latest value in
selected time

CloudStorageInMB Decimal Number Cloud backup storage used by backups,

calculated based on latest value in
selected time
EntityState Text Current state of the object for example,

Active, Deleted
LastUpdatedDate Date Date when selected row was last

updated
Time
This table provides details about time-related fields.
Hour Time Hour of the day for example, 1:00:00

PM
HourNumber Decimal Number Hour number in the day for example,

13.00
Minute Decimal Number Minute of the hour
PeriodOfTheDay Text Time period slot in the day for example,

12-3 AM
Time Time Time of the day for example, 12:00:01

AM
TimeKey Text Key value to represent time
Vault
This table provides basic fields and aggregations over various vault-related fields.
#Vaults Whole Number Number of vaults
AzureDataCenter Text Data center where vault is located
EntityState Text Current state of the vault object for

StorageReplicationType Text Type of storage replication for the vault

for example, GeoRedundant
SubscriptionId Text Subscription Id of the customer selected

for generating reports
VaultName Text Name of the vault

VaultTags Text Tags associated to the vault
Next steps
Once you review the data model for creating Azure Backup reports, refer the following articles for more details
about creating and viewing reports in Power BI.
Creating reports in Power BI
Filtering reports in Power BI
Log Analytics data model for Azure Backup data
This article describes the data model used for pushing reporting data to Log Analytics. Using this data model, you
can create custom queries, dashboards, and utilize it in OMS.
Using Azure Backup data model

You can use the following fields provided as part of the data model to create visuals, custom queries, and
dashboard as per your requirements.
Alert
This table provides details about alert related fields.
AlertUniqueId_s Text Unique Id of the generated alert
AlertType_s Text Type of the generated alert, for

example, Backup
AlertStatus_s Text Status of the alert, for example, Active
AlertOccurenceDateTime_s Date/Time Date and time when alert was created
AlertSeverity_s Text Severity of the alert, for example, Critical
EventName_s Text This field represents name of this event,

it is always AzureBackupCentralReport
BackupItemUniqueId_s Text Unique Id of the backup item to which

this alert belongs to
SchemaVersion_s Text This field denotes current version of the

schema, it is V1
State_s Text Current state of the alert object, for

BackupManagementType_s Text Provider type for performing backup,

for example, IaaSVM, FileFolder to which
this alert belongs to
OperationName Text This field represents name of the

current operation - Alert
Category Text This field represents category of

diagnostics data pushed to Log
Analytics, it is AzureBackupReport
Resource Text This is the resource for which data is

being collected, it shows Recovery
Services vault name
ProtectedServerUniqueId_s Text Unique Id of the protected to which this

alert belongs to
VaultUniqueId_s Text Unique Id of the protected to which this

alert belongs to
SourceSystem Text Source system of the current data -

Azure
ResourceId Text This field represents resource id for

which data is being collected, it shows
Recovery Services vault resource id
SubscriptionId Text This field represents subscription id of

the resource (RS vault) for which data is
being collected
ResourceGroup Text This field represents resource group of

being collected
ResourceProvider Text This field represents the resource

provider for which data is being
collected - Microsoft.RecoveryServices
ResourceType Text This field represents type of the

resource for which data is being
collected - Vaults
BackupItem
This table provides details about backup item-related fields.

BackupItemUniqueId_s Text Unique Id of the backup item
BackupItemId_s Text Id of backup item
BackupItemName_s Text Name of backup item
BackupItemFriendlyName_s Text Friendly name of backup item
BackupItemType_s Text Type of backup item, for example, VM,

FileFolder
ProtectedServerName_s Text Name of protected server to which

backup item belongs to
ProtectionState_s Text Current protection state of the backup

item, for example, Protected,
ProtectionStopped

schema, it is V1
State_s Text Current state of the backup item object,

for example, Active, Deleted

this backup item belongs to

current operation - BackupItem


Services vault name

Azure


being collected

being collected


collected - Vaults
BackupItemAssociation
This table provides details about backup item associations with various entities.

BackupItemUniqueId_s Text Unique Id of the backup item

schema, it is V1
State_s Text Current state of the backup item

association object, for example, Active,
Deleted

this backup item belongs to

current operation -
BackupItemAssociation


Services vault name
PolicyUniqueId_g Text Unique Id to identify the policy, which

backup item is associated to
ProtectedServerUniqueId_s Text Unique Id of the protected server to

which this backup item belongs to
VaultUniqueId_s Text Unique Id of the vault to which this

backup item belongs to

Azure


being collected

being collected


collected - Vaults
Job
This table provides details about job-related fields.

BackupItemUniqueId_s Text Unique Id of the backup item to which

this job belongs to

schema, it is V1
State_s Text Current state of the job object, for


this job belongs to

current operation - Job


Services vault name
ProtectedServerUniqueId_s Text Unique Id of the protected to which this

job belongs to
VaultUniqueId_s Text Unique Id of the protected to which this

job belongs to
JobOperation_s Text Operation for which job is run for

example, Backup, Restore, Configure
Backup
JobStatus_s Text Status of the finished job, for example,

Completed, Failed
JobFailureCode_s Text Failure Code string because of which job

failure happened
JobStartDateTime_s Date/Time Date and time when job started running
BackupStorageDestination_s Text Destination of backup storage, for

example, Cloud, Disk
JobDurationInSecs_s Number Total job duration in seconds
DataTransferredInMB_s Number Data transferred in MB for this job
JobUniqueId_g Text Unique Id to identify the job

Azure


being collected

being collected


collected - Vaults
Policy
This table provides details about policy-related fields.


schema, it is V1
State_s Text Current state of the policy object, for


this policy belongs to

current operation - Policy


Services vault name
PolicyUniqueId_g Text Unique Id to identify the policy
PolicyName_s Text Name of the policy defined
BackupFrequency_s Text Frequency with which backups are run,

for example, daily, weekly
BackupTimes_s Text Date and time when backups are

scheduled
BackupDaysOfTheWeek_s Text Days of the week when backups have

been scheduled
RetentionDuration_s Whole Number Retention duration for configured

backups
DailyRetentionDuration_s Whole Number Total retention duration in days for

configured backups
DailyRetentionTimes_s Text Date and time when daily retention was

configured
WeeklyRetentionDuration_s Decimal Number Total weekly retention duration in

weeks for configured backups
WeeklyRetentionTimes_s Text Date and time when weekly retention is

configured
WeeklyRetentionDaysOfTheWeek_s Text Days of the week selected for weekly

retention
MonthlyRetentionDuration_s Decimal Number Total retention duration in months for

configured backups
MonthlyRetentionTimes_s Text Date and time when monthly retention

is configured
MonthlyRetentionFormat_s Text Type of configuration for monthly

retention, for example, daily for day
MonthlyRetentionDaysOfTheWeek_s Text Days of the week selected for monthly

retention
MonthlyRetentionWeeksOfTheMonth_s Text Weeks of the month when monthly

retention is configured, for example,
First, Last etc.
YearlyRetentionDuration_s Decimal Number Total retention duration in years for

configured backups
YearlyRetentionTimes_s Text Date and time when yearly retention is

configured
YearlyRetentionMonthsOfTheYear_s Text Months of the year selected for yearly

retention
YearlyRetentionFormat_s Text Type of configuration for yearly

retention, for example, daily for day
YearlyRetentionDaysOfTheMonth_s Text Dates of the month selected for yearly

retention

Azure


being collected

being collected


collected - Vaults
PolicyAssociation
This table provides details about policy associations with various entities.


schema, it is V1
State_s Text Current state of the policy object, for

BackupManagementType_s Text Provider type for performing backup for

example, IaaSVM, FileFolder to which
this policy belongs to

current operation - PolicyAssociation


Services vault name
PolicyUniqueId_g Text Unique Id to identify the policy

policy belongs to

Azure


being collected

being collected


collected - Vaults
ProtectedServer
This table provides details about protected server-related fields.

ProtectedServerName_s Text Name of protected server

schema, it is V1
State_s Text Current state of the protected server

object, for example, Active, Deleted
BackupManagementType_s Text Provider type for performing backup for

example, IaaSVM, FileFolder to which
this protected server belongs to

current operation - ProtectedServer


Services vault name
ProtectedServerUniqueId_s Text Unique Id of the protected server
RegisteredContainerId_s Text Id of container registered for backup
ProtectedServerType_s Text Type of protected server backed up for

example, Windows
ProtectedServerFriendlyName_s Text Friendly name of protected server
AzureBackupAgentVersion_s Text Version number of Agent Backup

Version

Azure


being collected

being collected


collected - Vaults
ProtectedServerAssociation
This table provides details about protected server associations with other entities.


schema, it is V1
State_s Text Current state of the protected server

association object, for example, Active,
Deleted

this protected server belongs to

current operation -
ProtectedServerAssociation


Services vault name
ProtectedServerUniqueId_s Text Unique Id of the protected server

protected server belongs to

Azure


being collected

being collected


collected - Vaults
Storage
This table provides details about storage-related fields.
CloudStorageInBytes_s Decimal Number Cloud backup storage used by backups,

calculated based on latest value
ProtectedInstances_s Decimal Number Number of protected instances used for

calculating frontend storage in billing,
calculated based on latest value


schema, it is V1
State_s Text Current state of the storage object, for


this storage belongs to

current operation - Storage


Services vault name
ProtectedServerUniqueId_s Text Unique Id of the protected server for

which storage is calculated
VaultUniqueId_s Text Unique Id of the vault for storage is

calculated

Azure


being collected

being collected

ResourceType Text This field representse type of the

collected - Vaults
Vault
This table provides details about vault-related fields.


schema, it is V1
State_s Text Current state of the vault object, for


current operation - Vault


Services vault name
VaultUniqueId_s Text Unique Id of the vault
VaultName_s Text Name of the vault
AzureDataCenter_s Text Data center where vault is located

StorageReplicationType_s Text Type of storage replication for the vault,

for example, GeoRedundant

Azure


being collected

being collected


collected - Vaults
Next steps
Once you review the data model for creating Azure Backup reports, you can start creating dashboard in Log
Analytics and OMS.
Preparing to back up workloads to Azure with DPM
This article provides an introduction to using Microsoft Azure Backup to protect your System Center Data
Protection Manager (DPM) servers and workloads. By reading it, youll understand:
How Azure DPM server backup works
The prerequisites to achieve a smooth backup experience
The typical errors encountered and how to deal with them
Supported scenarios
NOTE
Azure has two deployment models for creating and working with resources: Resource Manager and classic. This article
provides the information and procedures for restoring VMs deployed using the Resource Manager model.
System Center DPM backs up file and application data. Data backed up to DPM can be stored on tape, on disk, or
backed up to Azure with Microsoft Azure Backup. DPM interacts with Azure Backup as follows:
DPM deployed as a physical server or on-premises virtual machine If DPM is deployed as a physical
server or as an on-premises Hyper-V virtual machine you can back up data to a Recovery Services vault in
addition to disk and tape backup.
DPM deployed as an Azure virtual machine From System Center 2012 R2 with Update 3, DPM can be
deployed as an Azure virtual machine. If DPM is deployed as an Azure virtual machine you can back up data to
Azure disks attached to the DPM Azure virtual machine, or you can offload the data storage by backing it up to
a Recovery Services vault.
Why backup from DPM to Azure?

The business benefits of using Azure Backup for backing up DPM servers include:
For on-premises DPM deployment, you can use Azure as an alternative to long-term deployment to tape.
For DPM deployments in Azure, Azure Backup allows you to offload storage from the Azure disk, allowing you
to scale up by storing older data in Recovery Services vault and new data on disk.
Prerequisites
Prepare Azure Backup to back up DPM data as follows:
1. Create a Recovery Services vault Create a vault in Azure portal.
2. Download vault credentials Download the credentials which you use to register the DPM server to
Recovery Services vault.
3. Install the Azure Backup Agent From Azure Backup, install the agent on each DPM server.
4. Register the server Register the DPM server to Recovery Services vault.
1. Create a recovery services vault
the list will filter based on your input. Click Recovery Services vault.

4. For Name, enter a friendly name to identify the vault. The name needs to be unique for the Azure subscription.
Type a name that contains between 2 and 50 characters. It must start with a letter, and can contain only letters,
numbers, and hyphens.
the default (or suggested) subscription. There will be multiple choices only if your organizational account is
7. Click Location to select the geographic region for the vault.
8. Click Create. It can take a while for the Recovery Services vault to be created. Monitor the status notifications
in the upper right-hand area in the portal. Once your vault is created, it opens in the portal.
storage. By default, your vault has geo-redundant storage. Leave the option set to geo-redundant storage if this is
your primary backup. Choose locally redundant storage if you want a cheaper option that isn't quite as durable.
Read more about geo-redundant and locally redundant storage options in the Azure Storage replication
overview.
1. Select your vault to open the vault dashboard and the Settings blade. If the Settings blade doesn't open, click
All settings in the vault dashboard.
2. On the Settings blade, click Backup Infrastructure > Backup Configuration to open the Backup
Configuration blade. On the Backup Configuration blade, choose the storage replication option for
your vault.
After choosing the storage option for your vault, you are ready to associate the VM with the vault. To begin
the association, you should discover and register the Azure virtual machines.
2. Download vault credentials
The vault credentials file is a certificate generated by the portal for each backup vault. The portal then uploads the
public key to the Access Control Service (ACS). The private key of the certificate is made available to the user as
part of the workflow which is given as an input in the machine registration workflow. This authenticates the
machine to send backup data to an identified vault in the Azure Backup service.
The vault credential is used only during the registration workflow. It is the users responsibility to ensure that the
vault credentials file is not compromised. If it falls in the hands of any rogue-user, the vault credentials file can be
used to register other machines against the same vault. However, as the backup data is encrypted using a
passphrase which belongs to the customer, existing backup data cannot be compromised. To mitigate this
concern, vault credentials are set to expire in 48hrs. You can download the vault credentials of a recovery services
any number of times but only the latest vault credential file is applicable during the registration workflow.
The vault credential file is downloaded through a secure channel from the Azure portal. The Azure Backup service
is unaware of the private key of the certificate and the private key is not persisted in the portal or the service. Use
the following steps to download the vault credential file to a local machine.
2. Open Recovery Services vault to which to which you want to register DPM machine.
3. Settings blade opens up by default. If it is closed, click on Settings on vault dashboard to open the settings
blade. In Settings blade, click on Properties.
4. On the Properties page, click Download under Backup Credentials. The portal generates the vault
credential file, which is made available for download.
The portal will generate a vault credential using a combination of the vault name and the current date. Click Save
to download the vault credentials to the local account's downloads folder, or select Save As from the Save menu
to specify a location for the vault credentials. It will take up to a minute for the file to be generated.
Note
Ensure that the vault credentials file is saved in a location which can be accessed from your machine. If it is
stored in a file share/SMB, check for the access permissions.
The vault credentials file is used only during the registration workflow.
The vault credentials file expires after 48hrs and can be downloaded from the portal.
3. Install Backup Agent
After creating the Azure Backup vault, an agent should be installed on each of your Windows machines (Windows
Server, Windows client, System Center Data Protection Manager server, or Azure Backup Server machine) that
enables back up of data and applications to Azure.
1. Open Recovery Services vault to which to which you want to register DPM machine.
2. Settings blade opens up by default. If it is closed, click on Settings to open the settings blade. In Settings
blade, click on Properties.
3. On the Settings page, click Download under Azure Backup Agent.
Once the agent is downloaded, double click MARSAgentInstaller.exe to launch the installation of the Azure
Backup agent. Choose the installation folder and scratch folder required for the agent. The cache location
specified must have free space which is at least 5% of the backup data.
4. If you use a proxy server to connect to the internet, in the Proxy configuration screen, enter the proxy server
details. If you use an authenticated proxy, enter the user name and password details in this screen.
5. The Azure Backup agent installs .NET Framework 4.5 and Windows PowerShell (if its not available already) to
complete the installation.
6. Once the agent is installed, Close the window.
7. To Register the DPM Server to the vault, in the Management tab, Click on Online. Then, select Register. It
will open the Register Setup Wizard.
8. If you use a proxy server to connect to the internet, in the Proxy configuration screen, enter the proxy
server details. If you use an authenticated proxy, enter the user name and password details in this screen.
9. In the vault credentials screen, browse to and select the vault credentials file which was previously
downloaded.
The vault credentials file is valid only for 48 hrs (after its downloaded from the portal). If you encounter
any error in this screen (for example, Vault credentials file provided has expired), login to the Azure portal
and download the vault credentials file again.
Ensure that the vault credentials file is available in a location which can be accessed by the setup
application. If you encounter access related errors, copy the vault credentials file to a temporary location in
this machine and retry the operation.
If you encounter an invalid vault credential error (for example, Invalid vault credentials provided") the file
is either corrupted or does not have the latest credentials associated with the recovery service. Retry the
operation after downloading a new vault credential file from the portal. This error is typically seen if the
user clicks on the Download vault credential option in the Azure portal, in quick succession. In this case,
only the second vault credential file is valid.
10. To control the usage of network bandwidth during work, and non-work hours, in the Throttling Setting
screen, you can set the bandwidth usage limits and define the work and non-work hours.
11. In the Recovery Folder Setting screen, browse for the folder where the files downloaded from Azure will
be temporarily staged.
12. In the Encryption setting screen, you can either generate a passphrase or provide a passphrase
(minimum of 16 characters). Remember to save the passphrase in a secure location.
WARNING
If the passphrase is lost or forgotten; Microsoft cannot help in recovering the backup data. The end user owns the
encryption passphrase and Microsoft does not have visibility into the passphrase used by the end user. Please save
the file in a secure location as it is required during a recovery operation.
13. Once you click the Register button, the machine is registered successfully to the vault and you are now ready
to start backing up to Microsoft Azure.
14. When using Data Protection Manager, you can modify the settings specified during the registration workflow
by clicking the Configure option by selecting Online under the Management Tab.
Requirements (and limitations)

DPM can be running as a physical server or a Hyper-V virtual machine installed on System Center 2012 SP1 or
System Center 2012 R2. It can also be running as an Azure virtual machine running on System Center 2012
R2 with at least DPM 2012 R2 Update Rollup 3 or a Windows virtual machine in VMWare running on System
Center 2012 R2 with at least Update Rollup 5.
If youre running DPM with System Center 2012 SP1 you should install Update Roll up 2 for System Center
Data Protection Manager SP1. This is required before you can install the Azure Backup Agent.
The DPM server should have Windows PowerShell and .Net Framework 4.5 installed.
DPM can back up most workloads to Azure Backup. For a full list of whats supported see the Azure Backup
support items below.
Data stored in Azure Backup cant be recovered with the copy to tape option.
Youll need an Azure account with the Azure Backup feature enabled. If you don't have an account, you can
create a free trial account in just a couple of minutes. Read about Azure Backup pricing.
Using Azure Backup requires the Azure Backup Agent to be installed on the servers you want to back up. Each
server must have at least 5 % of the size of the data that is being backed up, available as local free storage. For
example, backing up 100 GB of data requires a minimum of 5 GB of free space in the scratch location.
Data will be stored in the Azure vault storage. Theres no limit to the amount of data you can back up to an
Azure Backup vault but the size of a data source (for example a virtual machine or database) shouldnt exceed
54400 GB.
These file types are supported for back up to Azure:
Encrypted (Full backups only)
Compressed (Incremental backups supported)
Sparse (Incremental backups supported)
Compressed and sparse (Treated as Sparse)
And these are unsupported:
Servers on case-sensitive file systems arent supported.
Hard links (Skipped)
Reparse points (Skipped)
Encrypted and compressed (Skipped)
Encrypted and sparse (Skipped)
Compressed stream
Sparse stream
NOTE
From in System Center 2012 DPM with SP1 onwards you can backup up workloads protected by DPM to Azure using
Microsoft Azure Backup.
Preparing to back up workloads to Azure with DPM
This article provides an introduction to using Microsoft Azure Backup to protect your System Center Data
Protection Manager (DPM) servers and workloads. By reading it, youll understand:
How Azure DPM server backup works
The prerequisites to achieve a smooth backup experience
The typical errors encountered and how to deal with them
Supported scenarios
System Center DPM backs up file and application data. Data backed up to DPM can be stored on tape, on disk, or
backed up to Azure with Microsoft Azure Backup. DPM interacts with Azure Backup as follows:
DPM deployed as a physical server or on-premises virtual machine If DPM is deployed as a physical
server or as an on-premises Hyper-V virtual machine you can back up data to an Azure Backup vault in addition
to disk and tape backup.
DPM deployed as an Azure virtual machine From System Center 2012 R2 with Update 3, DPM can be
deployed as an Azure virtual machine. If DPM is deployed as an Azure virtual machine you can back up data to
Azure disks attached to the DPM Azure virtual machine, or you can offload the data storage by backing it up to
an Azure Backup vault.
Why backup your DPM servers?

The business benefits of using Azure Backup for backing up DPM servers include:
For on-premises DPM deployment, you can use Azure backup as an alternative to long-term deployment to
tape.
For DPM deployments in Azure, Azure Backup allows you to offload storage from the Azure disk, allowing you
to scale up by storing older data in Azure Backup and new data on disk.
How does DPM server backup work?

To back up a virtual machine, first a point-in-time snapshot of the data is needed. The Azure Backup service
initiates the backup job at the scheduled time, and triggers the backup extension to take a snapshot. The backup
extension coordinates with the in-guest VSS service to achieve consistency, and invokes the blob snapshot API of
the Azure Storage service once consistency has been reached. This is done to get a consistent snapshot of the disks
of the virtual machine, without having to shut it down.
After the snapshot has been taken, the data is transferred by the Azure Backup service to the backup vault. The
service takes care of identifying and transferring only the blocks that have changed from the last backup making
the backups storage and network efficient. When the data transfer is completed, the snapshot is removed and a
recovery point is created. This recovery point can be seen in the Azure classic portal.
NOTE
For Linux virtual machines, only file-consistent backup is possible.
Prerequisites
Prepare Azure Backup to back up DPM data as follows:
1. Create a Backup vault. If you haven't created a Backup vault in your subscription, see the Azure portal
version of this article - Prepare to back up workloads to Azure with DPM.
IMPORTANT
Starting March 2017, you can no longer use the classic portal to create Backup vaults. You can now upgrade your
Backup vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to a Recovery Services
vault. Microsoft encourages you to upgrade your Backup vaults to Recovery Services vaults.
You won't be able to access your backup data in the classic portal. Instead, use the Azure portal to access your
backup data in Recovery Services vaults.
2. Download vault credentials In Azure Backup, upload the management certificate you created to the
vault.
3. Install the Azure Backup Agent and register the server From Azure Backup, install the agent on each
DPM server and register the DPM server in the backup vault.
Using vault credentials to authenticate with the Azure Backup service

The on-premises server (Windows client or Windows Server or Data Protection Manager server) needs to be
authenticated with a backup vault before it can back up data to Azure. The authentication is achieved using vault
credentials. The concept of vault credentials is similar to the concept of a publish settings file which is used in
Azure PowerShell.
What is the vault credential file?
The vault credentials file is a certificate generated by the portal for each backup vault. The portal then uploads the
public key to the Access Control Service (ACS). The private key of the certificate is made available to the user as
part of the workflow which is given as an input in the machine registration workflow. This authenticates the
machine to send backup data to an identified vault in the Azure Backup service.
The vault credential is used only during the registration workflow. It is the users responsibility to ensure that the
vault credentials file is not compromised. If it falls in the hands of any rogue-user, the vault credentials file can be
used to register other machines against the same vault. However, as the backup data is encrypted using a
passphrase which belongs to the customer, existing backup data cannot be compromised. To mitigate this concern,
vault credentials are set to expire in 48hrs. You can download the vault credentials of a backup vault any number
of times but only the latest vault credential file is applicable during the registration workflow.
Download the vault credential file
The vault credential file is downloaded through a secure channel from the Azure portal. The Azure Backup service
is unaware of the private key of the certificate and the private key is not persisted in the portal or the service. Use
the following steps to download the vault credential file to a local machine.
1. Sign in to the Management Portal
2. Click on Recovery Services in the left navigation pane and select the backup vault which you have created.
Click on the cloud icon to get to the Quick Start view of the backup vault.
3. On the Quick Start page, click Download vault credentials. The portal generates the vault credential file,
which is made available for download.
4. The portal will generate a vault credential using a combination of the vault name and the current date. Click
Save to download the vault credentials to the local account's downloads folder, or select Save As from the Save
menu to specify a location for the vault credentials.
Note
Ensure that the vault credentials is saved in a location which can be accessed from your machine. If it is stored
in a file share/SMB, check for the access permissions.
The vault credentials file is used only during the registration workflow.
The vault credentials file expires after 48hrs and can be downloaded from the portal.
Refer to the Azure Backup FAQ for any questions on the workflow.
Download, install, and register the Azure Backup agent

After creating the Azure Backup vault, an agent should be installed on each of your Windows machines (Windows
Server, Windows client, System Center Data Protection Manager server, or Azure Backup Server machine) that
enables back up of data and applications to Azure.
1. Sign in to the Management Portal
2. Click Recovery Services, then select the backup vault that you want to register with a server. The Quick
Start page for that backup vault appears.
3. On the Quick Start page, click the For Windows Server or System Center Data Protection Manager or
Windows client option under Download Agent. Click Save to copy it to the local machine.
4. Once the agent is installed, double click MARSAgentInstaller.exe to launch the installation of the Azure Backup
agent. Choose the installation folder and scratch folder required for the agent. The cache location specified
must have free space which is at least 5% of the backup data.
5. If you use a proxy server to connect to the internet, in the Proxy configuration screen, enter the proxy server
details. If you use an authenticated proxy, enter the user name and password details in this screen.
6. The Azure Backup agent installs .NET Framework 4.5 and Windows PowerShell (if its not available already) to
complete the installation.
7. Once the agent is installed, click the Proceed to Registration button to continue with the workflow.
8. In the vault credentials screen, browse to and select the vault credentials file which was previously
downloaded.
The vault credentials file is valid only for 48 hrs (after its downloaded from the portal). If you encounter any
error in this screen (e.g Vault credentials file provided has expired), login to the Azure portal and
download the vault credentials file again.
Ensure that the vault credentials file is available in a location which can be accessed by the setup application.
If you encounter access related errors, copy the vault credentials file to a temporary location in this machine
and retry the operation.
If you encounter an invalid vault credential error (e.g Invalid vault credentials provided") the file is either
corrupted or does not have the latest credentials associated with the recovery service. Retry the operation
after downloading a new vault credential file from the portal. This error is typically seen if the user clicks on
the Download vault credential option in the Azure portal, in quick succession. In this case, only the
second vault credential file is valid.
9. In the Encryption setting screen, you can either generate a passphrase or provide a passphrase (minimum
of 16 characters). Remember to save the passphrase in a secure location.
WARNING
If the passphrase is lost or forgotten; Microsoft cannot help in recovering the backup data. The end user owns the
encryption passphrase and Microsoft does not have visibility into the passphrase used by the end user. Please save
the file in a secure location as it is required during a recovery operation.
10. Once you click the Finish button, the machine is registered successfully to the vault and you are now ready to
start backing up to Microsoft Azure.
11. When using Microsoft Azure Backup standalone you can modify the settings specified during the
registration workflow by clicking on the Change Properties option in the Azure Backup mmc snap in.
Alternatively, when using Data Protection Manager, you can modify the settings specified during the
registration workflow by clicking the Configure option by selecting Online under the Management Tab.
Requirements (and limitations)

DPM can be running as a physical server or a Hyper-V virtual machine installed on System Center 2012 SP1 or
System Center 2012 R2. It can also be running as an Azure virtual machine running on System Center 2012 R2
with at least DPM 2012 R2 Update Rollup 3 or a Windows virtual machine in VMWare running on System
Center 2012 R2 with at least Update Rollup 5.
If youre running DPM with System Center 2012 SP1, you should install Update Rollup 2 for System Center
Data Protection Manager SP1. This is required before you can install the Azure Backup Agent.
The DPM server should have Windows PowerShell and .Net Framework 4.5 installed.
DPM can back up most workloads to Azure Backup. For a full list of whats supported see the Azure Backup
support items below.
Data stored in Azure Backup cant be recovered with the copy to tape option.
Youll need an Azure account with the Azure Backup feature enabled. If you don't have an account, you can
create a free trial account in just a couple of minutes. Read about Azure Backup pricing.
Using Azure Backup requires the Azure Backup Agent to be installed on the servers you want to back up. Each
server must have at least 10% of the size of the data that is being backed up, available as local free storage. For
example, backing up 100 GB of data requires a minimum of 10 GB of free space in the scratch location. While
the minimum is 10%, 15% of free local storage space to be used for the cache location is recommended.
Data will be stored in the Azure vault storage. Theres no limit to the amount of data you can back up to an
Azure Backup vault but the size of a data source (for example a virtual machine or database) shouldnt exceed
54,400 GB.
These file types are supported for back up to Azure:
Encrypted (Full backups only)
Compressed (Incremental backups supported)
Sparse (Incremental backups supported)
Compressed and sparse (Treated as Sparse)
And these are unsupported:
Servers on case-sensitive file systems arent supported.
Hard links (Skipped)
Reparse points (Skipped)
Encrypted and compressed (Skipped)
Encrypted and sparse (Skipped)
Compressed stream
Sparse stream
NOTE
From in System Center 2012 DPM with SP1 onwards, you can backup up workloads protected by DPM to Azure using
Microsoft Azure Backup.
Back up an Exchange server to Azure Backup with
System Center 2012 R2 DPM
This article describes how to configure a System Center 2012 R2 Data Protection Manager (DPM) server to back up
a Microsoft Exchange server to Azure Backup.
Updates
To successfully register the DPM server with Azure Backup, you must install the latest update rollup for System
Center 2012 R2 DPM and the latest version of the Azure Backup Agent. Get the latest update rollup from the
Microsoft Catalog.
NOTE
For the examples in this article, version 2.0.8719.0 of the Azure Backup Agent is installed, and Update Rollup 6 is installed on
System Center 2012 R2 DPM.
Prerequisites
Before you continue, make sure that all the prerequisites for using Microsoft Azure Backup to protect workloads
have been met. These prerequisites include the following:
A backup vault on the Azure site has been created.
Agent and vault credentials have been downloaded to the DPM server.
The agent is installed on the DPM server.
The vault credentials were used to register the DPM server.
If you are protecting Exchange 2016, please upgrade to DPM 2012 R2 UR9 or later
DPM protection agent

To install the DPM protection agent on the Exchange server, follow these steps:
1. Make sure that the firewalls are correctly configured. See Configure firewall exceptions for the agent.
2. Install the agent on the Exchange server by clicking Management > Agents > Install in DPM Administrator
Console. See Install the DPM protection agent for detailed steps.
Create a protection group for the Exchange server

1. In the DPM Administrator Console, click Protection, and then click New on the tool ribbon to open the Create
2. On the Welcome screen of the wizard click Next.
3. On the Select protection group type screen, select Servers and click Next.
4. Select the Exchange server database that you want to protect and click Next.
NOTE
If you are protecting Exchange 2013, check the Exchange 2013 prerequisites.
In the following example, the Exchange 2010 database is selected.
5. Select the data protection method.

Name the protection group, and then select both of the following options:
I want short-term protection using Disk.
I want online protection.
6. Click Next.
7. Select the Run Eseutil to check data integrity option if you want to check the integrity of the Exchange
Server databases.
After you select this option, backup consistency checking will be run on the DPM server to avoid the I/O
traffic thats generated by running the eseutil command on the Exchange server.
NOTE
To use this option, you must copy the Ese.dll and Eseutil.exe files to the C:\Program Files\Microsoft System Center
2012 R2\DPM\DPM\bin directory on the DPM server. Otherwise, the following error is triggered:
8. Click Next.
9. Select the database for Copy Backup, and then click Next.
NOTE
If you do not select Full backup for at least one DAG copy of a database, logs will not be truncated.
10. Configure the goals for Short-Term backup, and then click Next.
11. Review the available disk space, and then click Next.
12. Select the time at which the DPM server will create the initial replication, and then click Next.
13. Select the consistency check options, and then click Next.
14. Choose the database that you want to back up to Azure, and then click Next. For example:
15. Define the schedule for Azure Backup, and then click Next. For example:
NOTE
Note Online recovery points are based on express full recovery points. Therefore, you must schedule the online
recovery point after the time thats specified for the express full recovery point.
16. Configure the retention policy for Azure Backup, and then click Next.
17. Choose an online replication option and click Next.
If you have a large database, it could take a long time for the initial backup to be created over the network.
To avoid this issue, you can create an offline backup.
18. Confirm the settings, and then click Create Group.

19. Click Close.
Recover the Exchange database

1. To recover an Exchange database, click Recovery in the DPM Administrator Console.
2. Locate the Exchange database that you want to recover.
3. Select an online recovery point from the recovery time drop-down list.
4. Click Recover to start the Recovery Wizard.
For online recovery points, there are five recovery types:
Recover to original Exchange Server location: The data will be recovered to the original Exchange server.
Recover to another database on an Exchange Server: The data will be recovered to another database on
another Exchange server.
Recover to a Recovery Database: The data will be recovered to an Exchange Recovery Database (RDB).
Copy to a network folder: The data will be recovered to a network folder.
Copy to tape: If you have a tape library or a stand-alone tape drive attached and configured on the DPM
server, the recovery point will be copied to a free tape.
Next steps
Azure Backup FAQ
You can use Azure Backup Server to recover the data you've backed up to a Recovery Services vault. The process
for doing so is integrated into the Azure Backup Server management console, and is similar to the recovery
workflow for other Azure Backup components.
NOTE
This article is applicable for System Center Data Protection Manager 2012 R2 with UR7 or later, combined with the latest
Azure Backup agent.
To recover data from an Azure Backup Server:

1. From the Recovery tab of the Azure Backup Server management console, click 'Add External DPM' (at the
top left of the screen).
2. Download new vault credentials from the vault associated with the Azure Backup Server where the data
is being recovered, choose the Azure Backup Server from the list of Azure Backup Servers registered with
the Recovery Services vault, and provide the encryption passphrase associated with the server whose
NOTE
Only Azure Backup Servers associated with the same registration vault can recover each others data.
Once the External Azure Backup Server is successfully added, you can browse the data of the external
server and the local Azure Backup Server from the Recovery tab.
3. Browse the available list of production servers protected by the external Azure Backup Server and select the
appropriate data source.
4. Select the month and year from the Recovery points drop down, select the required Recovery date for
when the recovery point was created, and select the Recovery time.
A list of files and folders appears in the bottom pane, which can be browsed and recovered to any location.
5. Right click the appropriate item and click Recover.

6. Review the Recover Selection. Verify the data and time of the backup copy being recovered, as well as the
source from which the backup copy was created. If the selection is incorrect, click Cancel to navigate back
to recovery tab to select appropriate recovery point. If the selection is correct, click Next.
7. Select Recover to an alternate location. Browse to the correct location for the recovery.
8. Choose the option related to create copy, Skip, or Overwrite.
Create copy - creates a copy of the file if there is a name collision.
Skip - if there is a name collision, does not recover the file which leaves the original file.
Overwrite - if there is a name collision, overwrites the existing copy of the file.
Choose the appropriate option to Restore security. You can apply the security settings of the
destination computer where the data is being recovered or the security settings that were applicable
to product at the time the recovery point was created.
Identify whether a Notification is sent, once the recovery successfully completes.
9. The Summary screen lists the options chosen so far. Once you click Recover, the data is recovered to the
appropriate on-premises location.
NOTE
The recovery job can be monitored in the Monitoring tab of the Azure Backup Server.
10. You can click Clear External DPM on the Recovery tab of the DPM server to remove the view of the
external DPM server.
Troubleshooting Error Messages

1. This server is not registered to the vault Cause: This error appears when the
specified by the vault credential. vault credential file selected does not
belong to the Recovery Services vault
associated with Azure Backup Server on
which the recovery is attempted.
Resolution: Download the vault
credential file from the Recovery
Services vault to which the Azure
Backup Server is registered.
2. Either the recoverable data is not Cause: There are no other Azure
available or the selected server is not a Backup Servers registered to the
DPM server. Recovery Services vault, or the servers
have not yet uploaded the metadata,
or the selected server is not an Azure
Backup Server (aka Windows Server or
Windows Client).
job will upload the metadata for all the
3. No other DPM server is registered to Cause: There are no other Azure

this vault. Backup Servers that are registered to
the vault from which the recovery is
being attempted.
job uploads the metadata for all
4. The encryption passphrase provided Cause: The encryption passphrase used

does not match with passphrase in the process of encrypting the data
associated with the following server: from the Azure Backup Servers data
that is being recovered does not match
the encryption passphrase provided.
The agent is unable to decrypt the
data. Hence the recovery fails.
Resolution: Please provide the exact
same encryption passphrase associated
with the Azure Backup Server whose

Why cant I add an external DPM server after installing UR7 and latest Azure Backup agent?
For the DPM servers with data sources that are protected to the cloud (by using an update rollup earlier than
Update Rollup 7), you must wait at least one day after installing the UR7 and latest Azure Backup agent, to start
Add External DPM server. The one-day time period is needed to upload the metadata of the DPM protection
groups to Azure. Protection group metadata is uploaded the first time through a nightly job.
What is the minimum version of the Microsoft Azure Recovery Services agent needed?
The minimum version of the Microsoft Azure Recovery Services agent, or Azure Backup agent, required to enable
this feature is 2.0.8719.0. To view the agent's version: open Control Panel > All Control Panel items > Programs
and features > Microsoft Azure Recovery Services Agent. If the version is less than 2.0.8719.0, download and
install the latest Azure Backup agent.
Next steps:
Azure Backup FAQ
Back up SQL Server to Azure as a DPM workload
This article leads you through the configuration steps for backup of SQL Server databases using Azure Backup.
To back up SQL Server databases to Azure, you need an Azure account. If you dont have an account, you can
create a free trial account in just couple of minutes. For details, see Azure Free Trial.
The management of SQL Server database backup to Azure and recovery from Azure involves three steps:
1. Create a backup policy to protect SQL Server databases to Azure.
2. Create on-demand backup copies to Azure.
3. Recover the database from Azure.
Before you start

Before you begin, ensure that all the prerequisites for using Microsoft Azure Backup to protect workloads have
been met. The prerequisites cover tasks such as: creating a backup vault, downloading vault credentials, installing
the Azure Backup Agent, and registering the server with the vault.
Create a backup policy to protect SQL Server databases to Azure

1. On the DPM server, click the Protection workspace.
2. On the tool ribbon, click New to create a new protection group.
3. DPM shows the start screen with the guidance on creating a Protection Group. Click Next.
4. Select Servers.
5. Expand the SQL Server machine where the databases to be backed up are present. DPM shows various data
sources that can be backed up from that server. Expand the All SQL Shares and select the databases (in this
case we selected ReportServer$MSDPM2012 and ReportServer$MSDPM2012TempDB) to be backed up.
Click Next.
6. Provide a name for the protection group and select the I want online Protection checkbox.
7. In the Specify Short-Term Goals screen, include the necessary inputs to create backup points to disk.
Here we see that Retention range is set to 5 days, Synchronization frequency is set to once every 15
minutes which is the frequency at which backup is taken. Express Full Backup is set to 8:00 P.M.
NOTE
At 8:00 PM (according to the screen input) a backup point is created every day by transferring the data that has
been modified from the previous days 8:00 PM backup point. This process is called Express Full Backup. While the
transaction logs are synchronized every 15 minutes, if there is a need to recover the database at 9:00 PM then the
point is created by replaying the logs from the last express full backup point (8pm in this case).
8. Click Next
DPM shows the overall storage space available and the potential disk space utilization.
By default, DPM creates one volume per data source (SQL Server database) which is used for the initial
backup copy. Using this approach, the Logical Disk Manager (LDM) limits DPM protection to 300 data
sources (SQL Server databases). To work around this limitation, select the Co-locate data in DPM Storage
Pool, option. If you use this option, DPM uses a single volume for multiple data sources, which allows DPM
to protect up to 2000 SQL databases.
If Automatically grow the volumes option is selected, DPM can account for the increased backup volume
as the production data grows. If Automatically grow the volumes option is not selected, DPM limits the
backup storage used to the data sources in the protection group.
9. Administrators are given the choice of transferring this initial backup manually (off network) to avoid
bandwidth congestion or over the network. They can also configure the time at which the initial transfer can
happen. Click Next.
The initial backup copy requires transfer of the entire data source (SQL Server database) from production
server (SQL Server machine) to the DPM server. This data might be large, and transferring the data over the
network could exceed bandwidth. For this reason, administrators can choose to transfer the initial backup:
Manually (using removable media) to avoid bandwidth congestion, or Automatically over the network
(at a specified time).
Once the initial backup is complete, the rest of the backups are incremental backups on the initial backup
copy. Incremental backups tend to be small and are easily transferred across the network.
10. Choose when you want the consistency check to run and click Next.
DPM can perform a consistency check to check the integrity of the backup point. It calculates the checksum
of the backup file on the production server (SQL Server machine in this scenario) and the backed-up data
for that file at DPM. In the case of a conflict, it is assumed that the backed-up file at DPM is corrupt. DPM
rectifies the backed-up data by sending the blocks corresponding to the checksum mismatch. As the
consistency check is a performance-intensive operation, administrators have the option of scheduling the
consistency check or running it automatically.
11. To specify online protection of the datasources, select the databases to be protected to Azure and click Next.
12. Administrators can choose backup schedules and retention policies that suit their organization policies.
In this example, backups are taken once a day at 12:00 PM and 8 PM (bottom part of the screen)
NOTE
Its a good practice to have a few short-term recovery points on disk, for quick recovery. These recovery points are
used for operational recovery". Azure serves as a good offsite location with higher SLAs and guaranteed availability.
Best Practice: Make sure that Azure Backups are scheduled after the completion of local disk backups using
DPM. This enables the latest disk backup to be copied to Azure.
13. Choose the retention policy schedule. The details on how the retention policy works are provided at Use
Azure Backup to replace your tape infrastructure article.
In this example:
Backups are taken once a day at 12:00 PM and 8 PM (bottom part of the screen) and are retained for 180
days.
The backup on Saturday at 12:00 P.M. is retained for 104 weeks
The backup on Last Saturday at 12:00 P.M. is retained for 60 months
The backup on Last Saturday of March at 12:00 P.M. is retained for 10 years
14. Click Next and select the appropriate option for transferring the initial backup copy to Azure. You can
choose Automatically over the network or Offline Backup.
Automatically over the network transfers the backup data to Azure as per the schedule chosen for
backup.
How Offline Backup works is explained at Offline Backup workflow in Azure Backup.
Choose the relevant transfer mechanism to send the initial backup copy to Azure and click Next.
15. Once you review the policy details in the Summary screen, click on the Create group button to complete
the workflow. You can click the Close button and monitor the job progress in Monitoring workspace.
On-demand backup of a SQL Server database
While the previous steps created a backup policy, a recovery point is created only when the first backup occurs.
Rather than waiting for the scheduler to kick in, the steps below trigger the creation of a recovery point manually.
1. Wait until the protection group status shows OK for the database before creating the recovery point.
2. Right-click on the database and select Create Recovery Point.

3. Choose Online Protection in the drop-down menu and click OK. This starts the creation of a recovery
point in Azure.
4. You can view the job progress in the Monitoring workspace where you'll find an in progress job like the
one depicted in the next figure.
Recover a SQL Server database from Azure

The following steps are required to recover a protected entity (SQL Server database) from Azure.
1. Open the DPM server Management Console. Navigate to Recovery workspace where you can see the
servers backed up by DPM. Browse the required database (in this case ReportServer$MSDPM2012). Select a
Recovery from time which ends with Online.
2. Right-click the database name and click Recover.
3. DPM shows the details of the recovery point. Click Next. To overwrite the database, select the recovery type
Recover to original instance of SQL Server. Click Next.
In this example, DPM allows recovery of the database to another SQL Server instance or to a standalone
network folder.
4. In the Specify Recovery options screen, you can select the recovery options like Network bandwidth usage
throttling to throttle the bandwidth used by recovery. Click Next.
5. In the Summary screen, you see all the recovery configurations provided so far. Click Recover.
The Recovery status shows the database being recovered. You can click Close to close the wizard and view
the progress in the Monitoring workspace.
Once the recovery is completed, the restored database is application consistent.

Next Steps:
Azure Backup FAQ
Back up a SharePoint farm to Azure
You back up a SharePoint farm to Microsoft Azure by using System Center Data Protection Manager (DPM) in
much the same way that you back up other data sources. Azure Backup provides flexibility in the backup schedule
to create daily, weekly, monthly, or yearly backup points and gives you retention policy options for various backup
points. DPM provides the capability to store local disk copies for quick recovery-time objectives (RTO) and to store
copies to Azure for economical, long-term retention.
SharePoint supported versions and related protection scenarios

Azure Backup for DPM supports the following scenarios:
SHAREPOINT DPM DEPLOYMENT DPM - SYSTEM PROTECTION AND

WORKLOAD VERSION DEPLOYMENT TYPE CENTER 2012 R2 RECOVERY
SharePoint SharePoint 2013, SharePoint Physical server or Supports backup Protect

SharePoint 2010, deployed as a on-premises to Azure from SharePoint Farm
SharePoint 2007, physical server or Hyper-V virtual Update Rollup 5 recovery options:
SharePoint 3.0 Hyper-V/VMware machine Recovery farm,
virtual machine database, and file
-------------- or list item from
SQL AlwaysOn disk recovery
points. Farm and
database
recovery from
Azure recovery
points.
Before you start

There are a few things you need to confirm before you back up a SharePoint farm to Azure.
Prerequisites
Before you proceed, make sure that you have met all the prerequisites for using Microsoft Azure Backup to protect
workloads. Some tasks for prerequisites include: create a backup vault, download vault credentials, install Azure
Backup Agent, and register DPM/Azure Backup Server with the vault.
DPM agent
The DPM agent must be installed on the server that's running SharePoint, the servers that are running SQL Server,
and all other servers that are part of the SharePoint farm. For more information about how to set up the protection
agent, see Setup Protection Agent. The one exception is that you install the agent only on a single web front end
(WFE) server. DPM needs the agent on one WFE server only to serve as the entry point for protection.
SharePoint farm
For every 10 million items in the farm, there must be at least 2 GB of space on the volume where the DPM folder is
located. This space is required for catalog generation. For DPM to recover specific items (site collections, sites, lists,
document libraries, folders, individual documents, and list items), catalog generation creates a list of the URLs that
are contained within each content database. You can view the list of URLs in the recoverable item pane in the
Recovery task area of DPM Administrator Console.
SQL Server
DPM runs as a LocalSystem account. To back up SQL Server databases, DPM needs sysadmin privileges on that
account for the server that's running SQL Server. Set NT AUTHORITY\SYSTEM to sysadmin on the server that's
running SQL Server before you back it up.
If the SharePoint farm has SQL Server databases that are configured with SQL Server aliases, install the SQL Server
client components on the front-end Web server that DPM will protect.
SharePoint Server
While performance depends on many factors such as size of SharePoint farm, as general guidance one DPM server
can protect a 25 TB SharePoint farm.
DPM Update Rollup 5
To begin protection of a SharePoint farm to Azure, you need to install DPM Update Rollup 5 or later. Update Rollup
5 provides the ability to protect a SharePoint farm to Azure if the farm is configured by using SQL AlwaysOn. For
more information, see the blog post that introduces DPM Update Rollup 5
What's not supported
DPM that protects a SharePoint farm does not protect search indexes or application service databases. You will
need to configure the protection of these databases separately.
DPM does not provide backup of SharePoint SQL Server databases that are hosted on scale-out file server
(SOFS) shares.
Configure SharePoint protection

Before you can use DPM to protect SharePoint, you must configure the SharePoint VSS Writer service (WSS Writer
service) by using ConfigureSharePoint.exe.
You can find ConfigureSharePoint.exe in the [DPM Installation Path]\bin folder on the front-end web server. This
tool provides the protection agent with the credentials for the SharePoint farm. You run it on a single WFE server. If
you have multiple WFE servers, select just one when you configure a protection group.
To configure the SharePoint VSS Writer service
1. On the WFE server, at a command prompt, go to [DPM installation location]\bin\
2. Enter ConfigureSharePoint -EnableSharePointProtection.
3. Enter the farm administrator credentials. This account should be a member of the local Administrator group on
the WFE server. If the farm administrator isnt a local admin grant the following permissions on the WFE server:
Grant the WSS_Admin_WPG group full control to the DPM folder (%Program Files%\Microsoft Data
Protection Manager\DPM).
Grant the WSS_Admin_WPG group read access to the DPM Registry key
(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager).
NOTE
Youll need to rerun ConfigureSharePoint.exe whenever theres a change in the SharePoint farm administrator credentials.
Back up a SharePoint farm by using DPM

After you have configured DPM and the SharePoint farm as explained previously, SharePoint can be protected by
DPM.
To protect a SharePoint farm
1. From the Protection tab of the DPM Administrator Console, click New.
2. On the Select Protection Group Type page of the Create New Protection Group wizard, select Servers,
3. On the Select Group Members screen, select the check box for the SharePoint server you want to protect
and click Next.
NOTE
With the DPM agent installed, you can see the server in the wizard. DPM also shows its structure. Because you ran
ConfigureSharePoint.exe, DPM communicates with the SharePoint VSS Writer service and its corresponding SQL
Server databases and recognizes the SharePoint farm structure, the associated content databases, and any
corresponding items.
4. On the Select Data Protection Method page, enter the name of the Protection Group, and select your
preferred protection methods. Click Next.
NOTE
The disk protection method helps to meet short recovery-time objectives. Azure is an economical, long-term
protection target compared to tapes. For more information, see Use Azure Backup to replace your tape infrastructure
5. On the Specify Short-Term Goals page, select your preferred Retention range and identify when you
want backups to occur.
NOTE
Because recovery is most often required for data that's less than five days old, we selected a retention range of five
days on disk and ensured that the backup happens during non-production hours, for this example.
6. Review the storage pool disk space allocated for the protection group, and click then Next.
7. For every protection group, DPM allocates disk space to store and manage replicas. At this point, DPM must
create a copy of the selected data. Select how and when you want the replica created, and then click Next.
NOTE
To make sure that network traffic is not effected, select a time outside production hours.
8. DPM ensures data integrity by performing consistency checks on the replica. There are two available
options. You can define a schedule to run consistency checks, or DPM can run consistency checks
automatically on the replica whenever it becomes inconsistent. Select your preferred option, and then click
Next.
9. On the Specify Online Protection Data page, select the SharePoint farm that you want to protect, and
then click Next.
10. On the Specify Online Backup Schedule page, select your preferred schedule, and then click Next.
NOTE
DPM provides a maximum of two daily backups to Azure at different times. Azure Backup can also control the
amount of WAN bandwidth that can be used for backups in peak and off-peak hours by using Azure Backup
Network Throttling.
11. Depending on the backup schedule that you selected, on the Specify Online Retention Policy page, select
the retention policy for daily, weekly, monthly, and yearly backup points.
NOTE
DPM uses a grandfather-father-son retention scheme in which a different retention policy can be chosen for different
backup points.
12. Similar to disk, an initial reference point replica needs to be created in Azure. Select your preferred option to
create an initial backup copy to Azure, and then click Next.
13. Review your selected settings on the Summary page, and then click Create Group. You will see a success
message after the protection group has been created.
Restore a SharePoint item from disk by using DPM
In the following example, the Recovering SharePoint item has been accidentally deleted and needs to be recovered.
1. Open the DPM Administrator Console. All SharePoint farms that are protected by DPM are shown in the
Protection tab.
2. To begin to recover the item, select the Recovery tab.
3. You can search SharePoint for Recovering SharePoint item by using a wildcard-based search within a
recovery point range.
4. Select the appropriate recovery point from the search results, right-click the item, and then select Recover.
5. You can also browse through various recovery points and select a database or item to recover. Select Date
> Recovery time, and then select the correct Database > SharePoint farm > Recovery point > Item.
6. Right-click the item, and then select Recover to open the Recovery Wizard. Click Next.
7. Select the type of recovery that you want to perform, and then click Next.
NOTE
The selection of Recover to original in the example recovers the item to the original SharePoint site.
8. Select the Recovery Process that you want to use.

Select Recover without using a recovery farm if the SharePoint farm has not changed and is the
same as the recovery point that is being restored.
Select Recover using a recovery farm if the SharePoint farm has changed since the recovery point
was created.
9. Provide a staging SQL Server instance location to recover the database temporarily, and provide a staging
file share on the DPM server and the server that's running SharePoint to recover the item.
DPM attaches the content database that is hosting the SharePoint item to the temporary SQL Server
instance. From the content database, the DPM server recovers the item and puts it on the staging file
location on the DPM server. The recovered item that's on the staging location of the DPM server now needs
to be exported to the staging location on the SharePoint farm.
10. Select Specify recovery options, and apply security settings to the SharePoint farm or apply the security
settings of the recovery point. Click Next.
NOTE
You can choose to throttle the network bandwidth usage. This minimizes impact to the production server during
production hours.
11. Review the summary information, and then click Recover to begin recovery of the file.
12. Now select the Monitoring tab in the DPM Administrator Console to view the Status of the recovery.
NOTE
The file is now restored. You can refresh the SharePoint site to check the restored file.
Restore a SharePoint database from Azure by using DPM
1. To recover a SharePoint content database, browse through various recovery points (as shown previously),
and select the recovery point that you want to restore.
2. Double-click the SharePoint recovery point to show the available SharePoint catalog information.
NOTE
Because the SharePoint farm is protected for long-term retention in Azure, no catalog information (metadata) is
available on the DPM server. As a result, whenever a point-in-time SharePoint content database needs to be
recovered, you need to catalog the SharePoint farm again.
3. Click Re-catalog.
The Cloud Recatalog status window opens.

After cataloging is finished, the status changes to Success. Click Close.
4. Click the SharePoint object shown in the DPM Recovery tab to get the content database structure. Right-
click the item, and then click Recover.
5. At this point, follow the recovery steps earlier in this article to recover a SharePoint content database from disk.
FAQs
Q: Which versions of DPM support SQL Server 2014 and SQL 2012 (SP2)?
A: DPM 2012 R2 with Update Rollup 4 supports both.
Q: Can I recover a SharePoint item to the original location if SharePoint is configured by using SQL AlwaysOn (with
protection on disk)?
A: Yes, the item can be recovered to the original SharePoint site.
Q: Can I recover a SharePoint database to the original location if SharePoint is configured by using SQL AlwaysOn?
A: Because SharePoint databases are configured in SQL AlwaysOn, they cannot be modified unless the availability
group is removed. As a result, DPM cannot restore a database to the original location. You can recover a SQL
Server database to another SQL Server instance.
Next steps
Learn more about DPM Protection of SharePoint - see Video Series - DPM Protection of SharePoint
Review Release Notes for System Center 2012 - Data Protection Manager
Review Release Notes for Data Protection Manager in System Center 2012 SP1
Use AzureRM.RecoveryServices.Backup cmdlets to
back up virtual machines
This article shows you how to use Azure PowerShell cmdlets to back up and recover an Azure virtual machine
(VM) from a Recovery Services vault. A Recovery Services vault is an Azure Resource Manager resource and is
used to protect data and assets in both Azure Backup and Azure Site Recovery services. You can use a Recovery
Services vault to protect Azure Service Manager-deployed VMs, and Azure Resource Manager-deployed VMs.
NOTE
Azure has two deployment models for creating and working with resources: Resource Manager and Classic. This article is for
use with VMs created using the Resource Manager model.
This article walks you through using PowerShell to protect a VM, and restore data from a recovery point.
Concepts
If you are not familiar with the Azure Backup service, for an overview of the service, check out What is Azure
Backup? Before you start, ensure that you cover the essentials about the prerequisites needed to work with Azure
Backup, and the limitations of the current VM backup solution.
To use PowerShell effectively, it is necessary to understand the hierarchy of objects and from where to start.
To view the AzureRm.RecoveryServices.Backup PowerShell cmdlet reference, see the Azure Backup - Recovery
Services Cmdlets in the Azure library.
Setup and Registration

To begin:
1. Download the latest version of PowerShell (the minimum version required is: 1.4.0)
2. Find the Azure Backup PowerShell cmdlets available by typing the following command:
PS C:\> Get-Command *azurermrecoveryservices*
CommandType Name Version Source

----------- ---- ------- ------
Cmdlet Backup-AzureRmRecoveryServicesBackupItem 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Disable-AzureRmRecoveryServicesBackupProtection 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Enable-AzureRmRecoveryServicesBackupProtection 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Get-AzureRmRecoveryServicesBackupContainer 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Get-AzureRmRecoveryServicesBackupItem 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Get-AzureRmRecoveryServicesBackupJob 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Get-AzureRmRecoveryServicesBackupJobDetails 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Get-AzureRmRecoveryServicesBackupManagementServer 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Get-AzureRmRecoveryServicesBackupProperties 1.4.0 AzureRM.RecoveryServices
Cmdlet Get-AzureRmRecoveryServicesBackupProtectionPolicy 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Get-AzureRMRecoveryServicesBackupRecoveryPoint 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Get-AzureRmRecoveryServicesBackupRetentionPolic... 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Get-AzureRmRecoveryServicesBackupSchedulePolicy... 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Get-AzureRmRecoveryServicesVault 1.4.0 AzureRM.RecoveryServices
Cmdlet Get-AzureRmRecoveryServicesVaultSettingsFile 1.4.0 AzureRM.RecoveryServices
Cmdlet New-AzureRmRecoveryServicesBackupProtectionPolicy 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet New-AzureRmRecoveryServicesVault 1.4.0 AzureRM.RecoveryServices
Cmdlet Remove-AzureRmRecoveryServicesProtectionPolicy 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Remove-AzureRmRecoveryServicesVault 1.4.0 AzureRM.RecoveryServices
Cmdlet Restore-AzureRMRecoveryServicesBackupItem 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Set-AzureRmRecoveryServicesBackupProperties 1.4.0 AzureRM.RecoveryServices
Cmdlet Set-AzureRmRecoveryServicesBackupProtectionPolicy 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Set-AzureRmRecoveryServicesVaultContext 1.4.0 AzureRM.RecoveryServices
Cmdlet Stop-AzureRmRecoveryServicesBackupJob 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Unregister-AzureRmRecoveryServicesBackupContainer 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Unregister-AzureRmRecoveryServicesBackupManagem... 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Wait-AzureRmRecoveryServicesBackupJob 1.4.0 AzureRM.RecoveryServices.Backup
The following tasks can be automated with PowerShell:

Back up Azure VMs
Monitor a backup job
Restore an Azure VM

The following steps lead you through creating a Recovery Services vault. A Recovery Services vault is different
than a Backup vault.
1. If you are using Azure Backup for the first time, you must use the Register-AzureRmResourceProvider
cmdlet to register the Azure Recovery Service provider with your subscription.
PS C:\> Register-AzureRmResourceProvider -ProviderNamespace "Microsoft.RecoveryServices"
2. The Recovery Services vault is a Resource Manager resource, so you need to place it within a resource
group. You can use an existing resource group, or create a resource group with the New-
AzureRmResourceGroup cmdlet. When creating a resource group, specify the name and location for the
resource group.
PS C:\> New-AzureRmResourceGroup Name "test-rg" Location "West US"
3. Use the New-AzureRmRecoveryServicesVault cmdlet to create the Recovery Services vault. Be sure to
specify the same location for the vault as was used for the resource group.
PS C:\> New-AzureRmRecoveryServicesVault -Name "testvault" -ResourceGroupName " test-rg" -Location

"West US"
4. Specify the type of storage redundancy to use; you can use Locally Redundant Storage (LRS) or Geo
Redundant Storage (GRS). The following example shows the -BackupStorageRedundancy option for
testvault is set to GeoRedundant.
PS C:\> $vault1 = Get-AzureRmRecoveryServicesVault Name "testvault"

PS C:\> Set-AzureRmRecoveryServicesBackupProperties -Vault $vault1 -BackupStorageRedundancy
GeoRedundant
TIP
Many Azure Backup cmdlets require the Recovery Services vault object as an input. For this reason, it is convenient
to store the Backup Recovery Services vault object in a variable.
View the vaults in a subscription

Use Get-AzureRmRecoveryServicesVault to view the list of all vaults in the current subscription. You can use
this command to check that a new vault was created, or to see the available vaults in the subscription.
Run the command, Get-AzureRmRecoveryServicesVault, to view all vaults in the subscription. The following
example shows the information displayed for each vault.
PS C:\> Get-AzureRmRecoveryServicesVault
Name : Contoso-vault
ID : /subscriptions/1234
Type : Microsoft.RecoveryServices/vaults
Location : WestUS
ResourceGroupName : Contoso-docs-rg
SubscriptionId : 1234-567f-8910-abc
Properties : Microsoft.Azure.Commands.RecoveryServices.ARSVaultProperties
Back up Azure VMs

Use a Recovery Services vault to protect your virtual machines. Before you apply the protection, set the vault
context (the type of data protected in the vault), and verify the protection policy. The protection policy is the
schedule when the backup jobs run, and how long each backup snapshot is retained.
Set vault context
Before enabling protection on a VM, use Set-AzureRmRecoveryServicesVaultContext to set the vault context.
Once the vault context is set, it applies to all subsequent cmdlets. The following example sets the vault context for
the vault, testvault.
PS C:\> Get-AzureRmRecoveryServicesVault -Name "testvault" | Set-AzureRmRecoveryServicesVaultContext
Create a protection policy

When you create a Recovery Services vault, it comes with default protection and retention policies. The default
protection policy triggers a backup job each day at a specified time. The default retention policy retains the daily
recovery point for 30 days. You can use the default policy to quickly protect your VM and edit the policy later with
different details.
Use Get-AzureRmRecoveryServicesBackupProtectionPolicy to view the protection policies in the vault. You
can use this cmdlet to get a specific policy, or to view the policies associated with a workload type. The following
example gets policies for workload type, AzureVM.
PS C:\> Get-AzureRmRecoveryServicesBackupProtectionPolicy -WorkloadType "AzureVM"

Name WorkloadType BackupManagementType BackupTime DaysOfWeek
---- ------------ -------------------- ---------- ----------
DefaultPolicy AzureVM AzureVM 4/14/2016 5:00:00 PM
NOTE
The timezone of the BackupTime field in PowerShell is UTC. However, when the backup time is shown in the Azure portal,
the time is adjusted to your local timezone.
A backup protection policy is associated with at least one retention policy. Retention policy defines how long a
recovery point is kept before it is deleted. Use Get-AzureRmRecoveryServicesBackupRetentionPolicyObject
to view the default retention policy. Similarly you can use Get-
AzureRmRecoveryServicesBackupSchedulePolicyObject to obtain the default schedule policy. The New-
AzureRmRecoveryServicesBackupProtectionPolicy cmdlet creates a PowerShell object that holds backup
policy information. The schedule and retention policy objects are used as inputs to the New-
AzureRmRecoveryServicesBackupProtectionPolicy cmdlet. The following example stores the schedule policy
and the retention policy in variables. The example uses those variables to define the parameters when creating a
protection policy, NewPolicy.
PS C:\> $schPol = Get-AzureRmRecoveryServicesBackupSchedulePolicyObject -WorkloadType "AzureVM"

PS C:\> $retPol = Get-AzureRmRecoveryServicesBackupRetentionPolicyObject -WorkloadType "AzureVM"
PS C:\> New-AzureRmRecoveryServicesBackupProtectionPolicy -Name "NewPolicy" -WorkloadType "AzureVM" -
RetentionPolicy $retPol -SchedulePolicy $schPol
Name WorkloadType BackupManagementType BackupTime DaysOfWeek
---- ------------ -------------------- ---------- ----------
NewPolicy AzureVM AzureVM 4/24/2016 1:30:00 AM
Enable protection
Once you have defined the backup protection policy, you still must enable the policy for an item. Use Enable-
AzureRmRecoveryServicesBackupProtection to enable protection. Enabling protection requires two objects -
the item and the policy. Once the policy has been associated with the vault, the backup workflow is triggered at
the time defined in the policy schedule.
The following example enables protection for the item, V2VM, using the policy, NewPolicy. To enable the
protection on non-encrypted Resource Manager VMs
PS C:\> $pol=Get-AzureRmRecoveryServicesBackupProtectionPolicy -Name "NewPolicy"

PS C:\> Enable-AzureRmRecoveryServicesBackupProtection -Policy $pol -Name "V2VM" -ResourceGroupName "RGName1"
To enable the protection on encrypted VMs (encrypted using BEK and KEK), you need to give the Azure Backup
service permission to read keys and secrets from key vault.
PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName "KeyVaultName" -ResourceGroupName "RGNameOfKeyVault" -
PermissionsToKeys backup,get,list -PermissionsToSecrets get,list -ServicePrincipalName 262044b1-e2ce-469f-
a196-69ab7ada62d3
To enable the protection on encrypted VMs (encrypted using BEK only), you need to give the Azure Backup service
permission to read secrets from key vault.
PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName "KeyVaultName" -ResourceGroupName "RGNameOfKeyVault" -

PermissionsToSecrets backup,get,list -ServicePrincipalName 262044b1-e2ce-469f-a196-69ab7ada62d3
NOTE
If you are using the Azure Government cloud, then use the value ff281ffe-705c-4f53-9f37-a40e6f2c68f3 for the parameter
-ServicePrincipalName in Set-AzureRmKeyVaultAccessPolicy cmdlet.
For classic VMs

PS C:\> Enable-AzureRmRecoveryServicesBackupProtection -Policy $pol -Name "V1VM" -ServiceName "ServiceName1"
Modify a protection policy

To modify the protection policy, use Set-AzureRmRecoveryServicesBackupProtectionPolicy to modify the
SchedulePolicy or RetentionPolicy objects.
The following example changes the recovery point retention to 365 days.
PS C:\> $retPol = Get-AzureRmRecoveryServicesBackupRetentionPolicyObject -WorkloadType "AzureVM"

PS C:\> $retPol.DailySchedule.DurationCountInDays = 365
PS C:\> $pol= Get-AzureRmRecoveryServicesBackupProtectionPolicy -Name "NewPolicy"
PS C:\> Set-AzureRmRecoveryServicesBackupProtectionPolicy -Policy $pol -RetentionPolicy $RetPol
Trigger a backup
You can use Backup-AzureRmRecoveryServicesBackupItem to trigger a backup job. If it is the initial backup, it
is a full backup. Subsequent backups take an incremental copy. Be sure to use Set-
AzureRmRecoveryServicesVaultContext to set the vault context before triggering the backup job. The
following example assumes vault context was set.
PS C:\> $namedContainer = Get-AzureRmRecoveryServicesBackupContainer -ContainerType "AzureVM" -Status

"Registered" -FriendlyName "V2VM"
PS C:\> $item = Get-AzureRmRecoveryServicesBackupItem -Container $namedContainer -WorkloadType "AzureVM"
PS C:\> $job = Backup-AzureRmRecoveryServicesBackupItem -Item $item
WorkloadName Operation Status StartTime EndTime
JobID
------------ --------- ------ --------- -------
----------
V2VM Backup InProgress 4/23/2016 5:00:30 PM
cf4b3ef5-2fac-4c8e-a215-d2eba4124f27
NOTE
The timezone of the StartTime and EndTime fields in PowerShell is UTC. However, when the time is shown in the Azure
portal, the time is adjusted to your local timezone.
Monitoring a backup job

You can monitor long-running operations, such as backup jobs, without using the Azure portal. To get the status
of an in-progress job, use the Get-AzureRmRecoveryservicesBackupJob cmdlet. This cmdlet gets the backup
jobs for a specific vault, and that vault is specified in the vault context. The following example gets the status of an
in-progress job as an array, and stores the status in the $joblist variable.
PS C:\> $joblist = Get-AzureRmRecoveryservicesBackupJob Status "InProgress"

PS C:\> $joblist[0]
JobID
------------ --------- ------ --------- -------
----------
V2VM Backup InProgress 4/23/2016 5:00:30 PM cf4b3ef5-2fac-
4c8e-a215-d2eba4124f27
Instead of polling these jobs for completion - which is unnecessary additional code - use the Wait-
AzureRmRecoveryServicesBackupJob cmdlet. This cmdlet pauses the execution until either the job completes
or the specified timeout value is reached.
PS C:\> Wait-AzureRmRecoveryServicesBackupJob -Job $joblist[0] -Timeout 43200
Restore an Azure VM
There is a key difference between the restoring a VM using the Azure portal and restoring a VM using PowerShell.
With PowerShell, the restore operation is complete once the disks and configuration information from the
recovery point are created.
NOTE
The restore operation does not create a virtual machine.
To create a virtual machine from disk, see the section, Create the VM from stored disks. The basic steps to restore
an Azure VM are:
Select the VM
Choose a recovery point
Restore the disks
Create the VM from stored disks
The following graphic shows the object hierarchy from the RecoveryServicesVault down to the
BackupRecoveryPoint.
To restore backup data, identify the backed-up item and the recovery point that holds the point-in-time data. Use
the Restore-AzureRmRecoveryServicesBackupItem cmdlet to restore data from the vault to the customer's
account.
Select the VM
To get the PowerShell object that identifies the right backup item, start from the container in the vault, and work
your way down the object hierarchy. To select the container that represents the VM, use the Get-
AzureRmRecoveryServicesBackupContainer cmdlet and pipe that to the Get-
AzureRmRecoveryServicesBackupItem cmdlet.
PS C:\> $namedContainer = Get-AzureRmRecoveryServicesBackupContainer -ContainerType "AzureVM" Status

"Registered" -FriendlyName "V2VM"
PS C:\> $backupitem = Get-AzureRmRecoveryServicesBackupItem Container $namedContainer WorkloadType
"AzureVM"

Use the Get-AzureRmRecoveryServicesBackupRecoveryPoint cmdlet to list all recovery points for the backup
item. Then choose the recovery point to restore. If you are unsure which recovery point to use, it is a good practice
to choose the most recent RecoveryPointType = AppConsistent point in the list.
In the following script, the variable, $rp, is an array of recovery points for the selected backup item, from the past
seven days. The array is sorted in reverse order of time with the latest recovery point at index 0. Use standard
PowerShell array indexing to pick the recovery point. In the example, $rp[0] selects the latest recovery point.
PS C:\> $startDate = (Get-Date).AddDays(-7)

PS C:\> $endDate = Get-Date
PS C:\> $rp = Get-AzureRmRecoveryServicesBackupRecoveryPoint -Item $backupitem -StartDate
$startdate.ToUniversalTime() -EndDate $enddate.ToUniversalTime()
PS C:\> $rp[0]
RecoveryPointAdditionalInfo :
SourceVMStorageType : NormalStorage
Name : 15260861925810
ItemName : VM;iaasvmcontainer;RGName1;V2VM
RecoveryPointId : /subscriptions/XX/resourceGroups/
RGName1/providers/Microsoft.RecoveryServices/vaults/testvault/backupFabrics/Azure/protectionContainers/IaasVM
Container;iaasvmcontainer;RGName1;V2VM/protectedItems/VM;iaasvmcontainer;
RGName1;V2VM/recoveryPoints/15260861925810
RecoveryPointType : AppConsistent
RecoveryPointTime : 4/23/2016 5:02:04 PM
WorkloadType : AzureVM
ContainerName : IaasVMContainer;iaasvmcontainer; RGName1;V2VM
ContainerType : AzureVM
BackupManagementType : AzureVM
Restore the disks

Use the Restore-AzureRmRecoveryServicesBackupItem cmdlet to restore a backup item's data and
configuration to a recovery point. Once you have identified a recovery point, use it as the value for the -
RecoveryPoint parameter. In the previous sample code, $rp[0] was the recovery point to use. In the following
sample code, $rp[0] is the recovery point to use for restoring the disk.
To restore the disks and configuration information:
PS C:\> $restorejob = Restore-AzureRmRecoveryServicesBackupItem -RecoveryPoint $rp[0] -StorageAccountName
"DestAccount" -StorageAccountResourceGroupName "DestRG"
PS C:\> $restorejob
WorkloadName Operation Status StartTime EndTime JobID
------------ --------- ------ --------- ------- ---------
-
V2VM Restore InProgress 4/23/2016 5:00:30 PM
cf4b3ef5-2fac-4c8e-a215-d2eba4124f27
Use the Wait-AzureRmRecoveryServicesBackupJob cmdlet to wait for the Restore job to complete.
PS C:\> Wait-AzureRmRecoveryServicesBackupJob -Job $restorejob -Timeout 43200
Once the Restore job has completed, use the Get-AzureRmRecoveryServicesBackupJobDetails cmdlet to get
the details of the restore operation. The JobDetails property has the information needed to rebuild the VM.
PS C:\> $restorejob = Get-AzureRmRecoveryServicesBackupJob -Job $restorejob

PS C:\> $details = Get-AzureRmRecoveryServicesBackupJobDetails -Job $restorejob
Once you restore the disks, go to the next section to create the VM.
Create a VM from restored disks

After you have restored the disks, use these steps to create and configure the virtual machine from disk.
NOTE
To create encrypted VMs from restored disks, your Azure role must have permission to perform the action,
Microsoft.KeyVault/vaults/deploy/action. If your role does not have this permission, create a custom role with this
action. For more information, see Custom Roles in Azure RBAC.
1. Query the restored disk properties for the job details.
PS C:\> $properties = $details.properties

PS C:\> $storageAccountName = $properties["Target Storage Account Name"]
PS C:\> $containerName = $properties["Config Blob Container Name"]
PS C:\> $blobName = $properties["Config Blob Name"]
2. Set the Azure storage context and restore the JSON configuration file.
PS C:\> Set-AzureRmCurrentStorageAccount -Name $storageaccountname -ResourceGroupName "testvault"

PS C:\> $destination_path = "C:\vmconfig.json"
PS C:\> Get-AzureStorageBlobContent -Container $containerName -Blob $blobName -Destination
$destination_path
PS C:\> $obj = ((Get-Content -Path $destination_path -Raw -Encoding Unicode)).TrimEnd([char]0x00) |
ConvertFrom-Json
3. Use the JSON configuration file to create the VM configuration.
PS C:\> $vm = New-AzureRmVMConfig -VMSize $obj.'properties.hardwareProfile'.vmSize -VMName

"testrestore"
4. Attach the OS disk and data disks. Depending on the configuration of your VMs, refer to the relevant
section to view respective cmdlets:
Non-managed, non-encrypted VMs
Use the following sample for non-managed, non-encrypted VMs.
PS C:\> Set-AzureRmVMOSDisk -VM $vm -Name "osdisk" -VhdUri

$obj.'properties.StorageProfile'.osDisk.vhd.Uri -CreateOption "Attach"
PS C:\> $vm.StorageProfile.OsDisk.OsType = $obj.'properties.StorageProfile'.OsDisk.OsType
PS C:\> foreach($dd in $obj.'properties.StorageProfile'.DataDisks)
{
$vm = Add-AzureRmVMDataDisk -VM $vm -Name "datadisk1" -VhdUri $dd.vhd.Uri -DiskSizeInGB 127 -Lun
$dd.Lun -CreateOption "Attach"
}
Non-managed, encrypted VMs (BEK only )

For non-managed, encrypted VMs (encrypted using BEK only), you need to restore the secret to the key
vault before you can attach disks. For more information, please see the article, Restore an encrypted virtual
machine from an Azure Backup recovery point. The following sample shows how to attach OS and data
disks for encrypted VMs.
PS C:\> $dekUrl =
"https://ContosoKeyVault.vault.azure.net:443/secrets/ContosoSecret007/xx000000xx0849999f3xx30000003163
"
PS C:\> $keyVaultId = "/subscriptions/abcdedf007-4xyz-1a2b-0000-
12a2b345675c/resourceGroups/ContosoRG108/providers/Microsoft.KeyVault/vaults/ContosoKeyVault"
$obj.'properties.storageProfile'.osDisk.vhd.uri -DiskEncryptionKeyUrl $dekUrl -
DiskEncryptionKeyVaultId $keyVaultId -CreateOption "Attach" -Windows
PS C:\> $vm.StorageProfile.OsDisk.OsType = $obj.'properties.storageProfile'.osDisk.osType
PS C:\> foreach($dd in $obj.'properties.storageProfile'.dataDisks)
{
}
Non-managed, encrypted VMs (BEK and KEK)

For non-managed, encrypted VMs (encrypted using BEK and KEK), you need to restore the key and secret
to the key vault before you can attach disks. For more information, please see the article, Restore an
encrypted virtual machine from an Azure Backup recovery point. The following sample shows how to
attach OS and data disks for encrypted VMs.
PS C:\> $dekUrl =
"
PS C:\> $kekUrl =
"https://ContosoKeyVault.vault.azure.net:443/keys/ContosoKey007/x9xxx00000x0000x9b9949999xx0x006"
$obj.'properties.storageProfile'.osDisk.vhd.uri -DiskEncryptionKeyUrl $dekUrl -
DiskEncryptionKeyVaultId $keyVaultId -KeyEncryptionKeyUrl $kekUrl -KeyEncryptionKeyVaultId $keyVaultId
-CreateOption "Attach" -Windows
PS C:\> $vm.StorageProfile.OsDisk.OsType = $obj.'properties.storageProfile'.osDisk.osType
{
}
Managed, non-encrypted VMs

For managed non-encrypted VMs, you'll need to create managed disks from blob storage, and then attach
the disks. For in-depth information, see the article, Attach a data disk to a Windows VM using PowerShell.
The following sample code shows how to attach the data disks for managed non-encrypted VMs.
PS C:\> $storageType = "StandardLRS"

PS C:\> $osDiskName = $vm.Name + "_osdisk"
PS C:\> $osVhdUri = $obj.'properties.storageProfile'.osDisk.vhd.uri
PS C:\> $diskConfig = New-AzureRmDiskConfig -AccountType $storageType -Location "West US" -
CreateOption Import -SourceUri $osVhdUri
PS C:\> $osDisk = New-AzureRmDisk -DiskName $osDiskName -Disk $diskConfig -ResourceGroupName "test"
PS C:\> Set-AzureRmVMOSDisk -VM $vm -ManagedDiskId $osDisk.Id -CreateOption "Attach" -Windows
{
$dataDiskName = $vm.Name + $dd.name ;
$dataVhdUri = $dd.vhd.uri ;
$dataDiskConfig = New-AzureRmDiskConfig -AccountType $storageType -Location "West US" -CreateOption
Import -SourceUri $dataVhdUri ;
$dataDisk2 = New-AzureRmDisk -DiskName $dataDiskName -Disk $dataDiskConfig -ResourceGroupName "test"
;
Add-AzureRmVMDataDisk -VM $vm -Name $dataDiskName -ManagedDiskId $dataDisk2.Id -Lun $dd.Lun -
CreateOption "Attach"
}
Managed, encrypted VMs (BEK only )

For managed encrypted VMs (encrypted using BEK only), you'll need to create managed disks from blob
storage, and then attach the disks. For in-depth information, see the article, Attach a data disk to a
Windows VM using PowerShell. The following sample code shows how to attach the data disks for
managed encrypted VMs.
PS C:\> $dekUrl =
"
PS C:\> Set-AzureRmVMOSDisk -VM $vm -ManagedDiskId $osDisk.Id -DiskEncryptionKeyUrl $dekUrl -
DiskEncryptionKeyVaultId $keyVaultId -CreateOption "Attach" -Windows
{
$dataDisk2 = New-AzureRmDisk -DiskName $dataDiskName -Disk $dataDiskConfig -ResourceGroupName "test" ;
}
Managed, encrypted VMs (BEK and KEK)

For managed encrypted VMs (encrypted using BEK and KEK), you'll need to create managed disks from
blob storage, and then attach the disks. For in-depth information, see the article, Attach a data disk to a
Windows VM using PowerShell. The following sample code shows how to attach the data disks for
managed encrypted VMs.
PS C:\> $dekUrl =
"
PS C:\> $kekUrl =
"https://ContosoKeyVault.vault.azure.net:443/keys/ContosoKey007/x9xxx00000x0000x9b9949999xx0x006"
PS C:\> Set-AzureRmVMOSDisk -VM $vm -ManagedDiskId $osDisk.Id -DiskEncryptionKeyUrl $dekUrl -
DiskEncryptionKeyVaultId $keyVaultId -KeyEncryptionKeyUrl $kekUrl -KeyEncryptionKeyVaultId $keyVaultId
-CreateOption "Attach" -Windows
{
$dataDisk2 = New-AzureRmDisk -DiskName $dataDiskName -Disk $dataDiskConfig -ResourceGroupName "test" ;
}
5. Set the Network settings.
PS C:\> $nicName="p1234"
PS C:\> $pip = New-AzureRmPublicIpAddress -Name $nicName -ResourceGroupName "test" -Location "WestUS"
-AllocationMethod Dynamic
PS C:\> $vnet = Get-AzureRmVirtualNetwork -Name "testvNET" -ResourceGroupName "test"
PS C:\> $nic = New-AzureRmNetworkInterface -Name $nicName -ResourceGroupName "test" -Location "WestUS"
-SubnetId $vnet.Subnets[$subnetindex].Id -PublicIpAddressId $pip.Id
PS C:\> $vm=Add-AzureRmVMNetworkInterface -VM $vm -Id $nic.Id
6. Create the virtual machine.
PS C:\> New-AzureRmVM -ResourceGroupName "test" -Location "WestUS" -VM $vm
Next steps
If you prefer to use PowerShell to engage with your Azure resources, see the PowerShell article, Deploy and
Manage Backup for Windows Server. If you manage DPM backups, see the article, Deploy and Manage Backup for
DPM. Both of these articles have a version for Resource Manager deployments and Classic deployments.
Use AzureRM.Backup cmdlets to back up virtual
machines
This article shows you how to use Azure PowerShell for backup and recovery of Azure VMs. Azure has two
different deployment models for creating and working with resources: Resource Manager and Classic. This article
covers using the Classic deployment model to back up data to a Backup vault. If you have not created a Backup
vault in your subscription, see the Resource Manager version of this article, Use AzureRM.RecoveryServices.Backup
cmdlets to back up virtual machines. Microsoft recommends that most new deployments use the Resource
Manager model.
IMPORTANT
Concepts
This article provides information specific to the PowerShell cmdlets used to back up virtual machines. For
introductory information about protecting Azure VMs, please see Plan your VM backup infrastructure in Azure.
NOTE
Before you start, read the prerequisites required to work with Azure Backup, and the limitations of the current VM backup
solution.
To use PowerShell effectively, take a moment to understand the hierarchy of objects and from where to start.
The two most important flows are enabling protection for a VM, and restoring data from a recovery point. The
focus of this article is to help you become adept at working with the PowerShell cmdlets to enable these two
scenarios.

To begin:
1. Download latest PowerShell (minimum version required is : 1.0.0)
2. Find the Azure Backup PowerShell cmdlets available by typing the following command:
PS C:\> Get-Command *azurermbackup*
CommandType Name Version Source

----------- ---- ------- ------
Cmdlet Backup-AzureRmBackupItem 1.0.1 AzureRM.Backup
Cmdlet Disable-AzureRmBackupProtection 1.0.1 AzureRM.Backup
Cmdlet Enable-AzureRmBackupContainerReregistration 1.0.1 AzureRM.Backup
Cmdlet Enable-AzureRmBackupProtection 1.0.1 AzureRM.Backup
Cmdlet Get-AzureRmBackupContainer 1.0.1 AzureRM.Backup
Cmdlet Get-AzureRmBackupItem 1.0.1 AzureRM.Backup
Cmdlet Get-AzureRmBackupJob 1.0.1 AzureRM.Backup
Cmdlet Get-AzureRmBackupJobDetails 1.0.1 AzureRM.Backup
Cmdlet Get-AzureRmBackupProtectionPolicy 1.0.1 AzureRM.Backup
Cmdlet Get-AzureRmBackupRecoveryPoint 1.0.1 AzureRM.Backup
Cmdlet Get-AzureRmBackupVault 1.0.1 AzureRM.Backup
Cmdlet Get-AzureRmBackupVaultCredentials 1.0.1 AzureRM.Backup
Cmdlet New-AzureRmBackupProtectionPolicy 1.0.1 AzureRM.Backup
Cmdlet New-AzureRmBackupRetentionPolicyObject 1.0.1 AzureRM.Backup
Cmdlet New-AzureRmBackupVault 1.0.1 AzureRM.Backup
Cmdlet Register-AzureRmBackupContainer 1.0.1 AzureRM.Backup
Cmdlet Remove-AzureRmBackupProtectionPolicy 1.0.1 AzureRM.Backup
Cmdlet Remove-AzureRmBackupVault 1.0.1 AzureRM.Backup
Cmdlet Restore-AzureRmBackupItem 1.0.1 AzureRM.Backup
Cmdlet Set-AzureRmBackupProtectionPolicy 1.0.1 AzureRM.Backup
Cmdlet Set-AzureRmBackupVault 1.0.1 AzureRM.Backup
Cmdlet Stop-AzureRmBackupJob 1.0.1 AzureRM.Backup
Cmdlet Unregister-AzureRmBackupContainer 1.0.1 AzureRM.Backup
Cmdlet Wait-AzureRmBackupJob 1.0.1 AzureRM.Backup
The following setup and registration tasks can be automated with PowerShell:
Create a backup vault
Registering the VMs with the Azure Backup service
WARNING
For customers using Azure Backup for the first time, you need to register the Azure Backup provider to be used with your
subscription. This can be done by running the following command: Register-AzureRmResourceProvider -ProviderNamespace
"Microsoft.Backup"
You can create a new backup vault using the New-AzureRmBackupVault cmdlet. The backup vault is an ARM
resource, so you need to place it within a Resource Group. In an elevated Azure PowerShell console, run the
following commands:
PS C:\> New-AzureRmResourceGroup Name test-rg Location West US

PS C:\> $backupvault = New-AzureRmBackupVault ResourceGroupName test-rg Name test-vault Region West
US Storage GeoRedundant
You can get a list of all the backup vaults in a given subscription using the Get-AzureRmBackupVault cmdlet.
NOTE
It is convenient to store the backup vault object into a variable. The vault object is needed as an input for many Azure
Backup cmdlets.
Registering the VMs

The first step towards configuring backup with Azure Backup is to register your machine or VM with an Azure
Backup vault. The Register-AzureRmBackupContainer cmdlet takes the input information of an Azure IaaS
virtual machine and registers it with the specified vault. The register operation associates the Azure virtual machine
with the backup vault and tracks the VM through the backup lifecycle.
Registering your VM with the Azure Backup service creates a top-level container object. A container typically
contains multiple items that can be backed up, but in the case of VMs there will be only one backup item for the
container.
PS C:\> $registerjob = Register-AzureRmBackupContainer -Vault $backupvault -Name "testvm" -ServiceName

"testvm"
Backup Azure VMs

Create a protection policy
It is not mandatory to create a new protection policy to start backup of your VMs. The vault comes with a 'Default
Policy' that can be used to quickly enable protection, and then edited later with the right details. You can get a list
of the policies available in the vault by using the Get-AzureRmBackupProtectionPolicy cmdlet:
PS C:\> Get-AzureRmBackupProtectionPolicy -Vault $backupvault
Name Type ScheduleType BackupTime

---- ---- ------------ ----------
DefaultPolicy AzureVM Daily 26-Aug-15 12:30:00 AM
NOTE
The timezone of the BackupTime field in PowerShell is UTC. However, when the backup time is shown in the Azure portal, the
timezone is aligned to your local system along with the UTC offset.
A backup policy is associated with at least one retention policy. The retention policy defines how long a recovery
point is kept with Azure Backup. The New-AzureRmBackupRetentionPolicy cmdlet creates PowerShell objects
that hold retention policy information. These retention policy objects are used as inputs to the New-
AzureRmBackupProtectionPolicy cmdlet, or directly with the Enable-AzureRmBackupProtection cmdlet.
A backup policy defines when and how often the backup of an item is done. The New-
AzureRmBackupProtectionPolicy cmdlet creates a PowerShell object that holds backup policy information. The
backup policy is used as an input to the Enable-AzureRmBackupProtection cmdlet.
PS C:\> $Daily = New-AzureRmBackupRetentionPolicyObject -DailyRetention -Retention 30

PS C:\> $newpolicy = New-AzureRmBackupProtectionPolicy -Name DailyBackup01 -Type AzureVM -Daily -BackupTime
([datetime]"3:30 PM") -RetentionPolicy $Daily -Vault $backupvault
Name Type ScheduleType BackupTime

---- ---- ------------ ----------
DailyBackup01 AzureVM Daily 01-Sep-15 3:30:00 PM
Enable protection
Enabling protection involves two objects - the Item and the Policy, and both need to belong to the same vault. Once
the policy has been associated with the item, the backup workflow will kick in at the defined schedule.
PS C:\> Get-AzureRmBackupContainer -Type AzureVM -Status Registered -Vault $backupvault | Get-

AzureRmBackupItem | Enable-AzureRmBackupProtection -Policy $newpolicy
Initial backup
The backup schedule will take care of doing the full initial copy for the item and the incremental copy for the
subsequent backups. However, if you want to force the initial backup to happen at a certain time or even
immediately then use the Backup-AzureRmBackupItem cmdlet:
PS C:\> $container = Get-AzureRmBackupContainer -Vault $backupvault -Type AzureVM -Name "testvm"

PS C:\> $backupjob = Get-AzureRmBackupItem -Container $container | Backup-AzureRmBackupItem
PS C:\> $backupjob

------------ --------- ------ --------- -------
testvm Backup InProgress 01-Sep-15 12:24:01 PM 01-Jan-01 12:00:00 AM
NOTE
The timezone of the StartTime and EndTime fields shown in PowerShell is UTC. However, when the similar information is
shown in the Azure portal, the timezone is aligned to your local system clock.
Monitoring a backup job

Most long-running operations in Azure Backup are modelled as a job. This makes it easy to track progress without
having to keep the Azure portal open at all times.
To get the latest status of an in-progress job, use the Get-AzureRmBackupJob cmdlet.
PS C:\> $joblist = Get-AzureRmBackupJob -Vault $backupvault -Status InProgress
PS C:\> $joblist[0]

------------ --------- ------ --------- -------
testvm Backup InProgress 01-Sep-15 12:24:01 PM 01-Jan-01 12:00:00 AM
Instead of polling these jobs for completion - which is unnecessary, additional code - it is simpler to use the Wait-
AzureRmBackupJob cmdlet. When used in a script, the cmdlet will pause the execution until either the job
completes or the specified timeout value is reached.
PS C:\> Wait-AzureRmBackupJob -Job $joblist[0] -Timeout 43200
Restore an Azure VM
In order to restore backup data, you need to identify the backed-up Item and the Recovery Point that holds the
point-in-time data. This information is supplied to the Restore-AzureRmBackupItem cmdlet to initiate a restore of
data from the vault to the customer's account.
Select the VM
To get the PowerShell object that identifies the right backup Item, you need to start from the Container in the vault,
and work your way down object hierarchy. To select the container that represents the VM, use the Get-
AzureRmBackupContainer cmdlet and pipe that to the Get-AzureRmBackupItem cmdlet.
PS C:\> $backupitem = Get-AzureRmBackupContainer -Vault $backupvault -Type AzureVM -name "testvm" | Get-
AzureRmBackupItem

You can now list all the recovery points for the backup item using the Get-AzureRmBackupRecoveryPoint
cmdlet, and choose the recovery point to restore. Typically users pick the most recent AppConsistent point in the
list.
PS C:\> $rp = Get-AzureRmBackupRecoveryPoint -Item $backupitem

PS C:\> $rp
RecoveryPointId RecoveryPointType RecoveryPointTime ContainerName

--------------- ----------------- ----------------- -------------
15273496567119 AppConsistent 01-Sep-15 12:27:38 PM iaasvmcontainer;testvm;testv...
The variable $rp is an array of recovery points for the selected backup item, sorted in reverse order of time - the
latest recovery point is at index 0. Use standard PowerShell array indexing to pick the recovery point. For example:
$rp[0] will select the latest recovery point.
Restoring disks
There is a key difference between the restore operations done through the Azure portal and through Azure
PowerShell. With PowerShell, the restore operation stops at restoring the disks and config information from the
recovery point. It does not create a virtual machine.
WARNING
The Restore-AzureRmBackupItem does not create a VM. It only restores the disks to the specified storage account. This is
not the same behavior you will experience in the Azure portal.
PS C:\> $restorejob = Restore-AzureRmBackupItem -StorageAccountName "DestAccount" -RecoveryPoint $rp[0]
PS C:\> $restorejob

------------ --------- ------ --------- -------
testvm Restore InProgress 01-Sep-15 1:14:01 PM 01-Jan-01 12:00:00 AM
You can get the details of the restore operation using the Get-AzureRmBackupJobDetails cmdlet once the
Restore job has completed. The ErrorDetails property will have the information needed to rebuild the VM.
PS C:\> $restorejob = Get-AzureRmBackupJob -Job $restorejob

PS C:\> $details = Get-AzureRmBackupJobDetails -Job $restorejob
Build the VM
Building the VM out of the restored disks can be done using the older Azure Service Management PowerShell
cmdlets, the new Azure Resource Manager templates, or even using the Azure portal. In a quick example, we will
show how to get there using the Azure Service Management cmdlets.
$properties = $details.Properties
$storageAccountName = $properties["Target Storage Account Name"]

$containerName = $properties["Config Blob Container Name"]
$blobName = $properties["Config Blob Name"]
$keys = Get-AzureStorageKey -StorageAccountName $storageAccountName

$storageAccountKey = $keys.Primary
$storageContext = New-AzureStorageContext -StorageAccountName $storageAccountName -StorageAccountKey
$storageAccountKey
$destination_path = "C:\Users\admin\Desktop\vmconfig.xml"
Get-AzureStorageBlobContent -Container $containerName -Blob $blobName -Destination $destination_path -Context
$storageContext
$obj = [xml](((Get-Content -Path $destination_path -Encoding UniCode)).TrimEnd([char]0x00))

$pvr = $obj.PersistentVMRole
$os = $pvr.OSVirtualHardDisk
$dds = $pvr.DataVirtualHardDisks
$osDisk = Add-AzureDisk -MediaLocation $os.MediaLink -OS $os.OS -DiskName "panbhaosdisk"
$vm = New-AzureVMConfig -Name $pvr.RoleName -InstanceSize $pvr.RoleSize -DiskName $osDisk.DiskName
if (!($dds -eq $null))

{
foreach($d in $dds.DataVirtualHardDisk)
{
$lun = 0
if(!($d.Lun -eq $null))
{
$lun = $d.Lun
}
$name = "panbhadataDisk" + $lun
Add-AzureDisk -DiskName $name -MediaLocation $d.MediaLink
$vm | Add-AzureDataDisk -Import -DiskName $name -LUN $lun
}
}
New-AzureVM -ServiceName "panbhasample" -Location "SouthEast Asia" -VM $vm
For more information on how to build a VM from the restored disks, read about the following cmdlets:
Add-AzureDisk
New-AzureVMConfig
New-AzureVM
Code samples
1. Get the completion status of job sub-tasks
To track the completion status of individual sub-tasks, you can use the Get-AzureRmBackupJobDetails cmdlet:
PS C:\> $details = Get-AzureRmBackupJobDetails -JobId $backupjob.InstanceId -Vault $backupvault

PS C:\> $details.SubTasks
Name Status
---- ------
Take Snapshot Completed
Transfer data to Backup vault InProgress
2. Create a daily/weekly report of backup jobs

Administrators typically want to know what backup jobs ran in the last 24 hours, the status of those backup jobs.
Additionally, the amount of data transferred gives administrators a way to estimate their monthly data usage. The
script below pulls the raw data from the Azure Backup service and displays the information in the PowerShell
console.
param( [Parameter(Mandatory=$True,Position=1)]
[string]$backupvaultname,
[Parameter(Mandatory=$False,Position=2)]
[int]$numberofdays = 7)
#Initialize variables
$DAILYBACKUPSTATS = @()
$backupvault = Get-AzureRmBackupVault -Name $backupvaultname
$enddate = ([datetime]::Today).AddDays(1)
$startdate = ([datetime]::Today)
for( $i = 1; $i -le $numberofdays; $i++ )

{
# We query one day at a time because pulling 7 days of data might be too much
$dailyjoblist = Get-AzureRmBackupJob -Vault $backupvault -From $startdate -To $enddate -Type AzureVM -
Operation Backup
Write-Progress -Activity "Getting job information for the last $numberofdays days" -Status "Day -$i" -
PercentComplete ([int]([decimal]$i*100/$numberofdays))
foreach( $job in $dailyjoblist )

{
#Extract the information for the reports
$newstatsobj = New-Object System.Object
$newstatsobj | Add-Member -Type NoteProperty -Name Date -Value $startdate
$newstatsobj | Add-Member -Type NoteProperty -Name VMName -Value $job.WorkloadName
$newstatsobj | Add-Member -Type NoteProperty -Name Duration -Value $job.Duration
$newstatsobj | Add-Member -Type NoteProperty -Name Status -Value $job.Status
$details = Get-AzureRmBackupJobDetails -Job $job

$newstatsobj | Add-Member -Type NoteProperty -Name BackupSize -Value $details.Properties["Backup
Size"]
$DAILYBACKUPSTATS += $newstatsobj
}
$enddate = $enddate.AddDays(-1)
$startdate = $startdate.AddDays(-1)
}
$DAILYBACKUPSTATS | Out-GridView
If you want to add charting capabilities to this report output, learn from the TechNet blog post Charting with
PowerShell
Next steps
If you prefer using PowerShell to engage with your Azure resources, check out the PowerShell article for protecting
Windows Server, Deploy and Manage Backup for Windows Server. There is also a PowerShell article for managing
DPM backups, Deploy and Manage Backup for DPM. Both of these articles have a version for Resource Manager
deployments as well as Classic deployments.
Deploy and manage backup to Azure for Data
Protection Manager (DPM) servers using PowerShell
This article shows you how to use PowerShell to setup Azure Backup on a DPM server, and to manage backup and
recovery.
Setting up the PowerShell environment

IMPORTANT
Before you work with Azure resources, get familiar with the deployment models: Resource Manager, and classic.
Before you can use PowerShell to manage backups from Data Protection Manager to Azure, you need to have the
right environment in PowerShell. At the start of the PowerShell session, ensure that you run the following
command to import the right modules and allow you to correctly reference the DPM cmdlets:
PS C:> & "C:\Program Files\Microsoft System Center 2012 R2\DPM\DPM\bin\DpmCliInitScript.ps1"
Welcome to the DPM Management Shell!
Full list of cmdlets: Get-Command

Only DPM cmdlets: Get-DPMCommand
Get general help: help
Get help for a cmdlet: help <cmdlet-name> or <cmdlet-name> -?
Get definition of a cmdlet: Get-Command <cmdlet-name> -Syntax
Sample DPM scripts: Get-DPMSampleScript

To begin:
1. Download latest PowerShell (minimum version required is: 1.0.0)
2. Enable the Azure Backup commandlets by switching to AzureResourceManager mode by using the Switch-
AzureMode commandlet:
PS C:\> Switch-AzureMode AzureResourceManager
Installing the Azure Backup agent
Registering with the Azure Backup service
Networking settings
Encryption settings

1. If you are using Azure Backup for the first time, you must use the Register-AzureRMResourceProvider
2. The Recovery Services vault is an ARM resource, so you need to place it within a Resource Group. You can
use an existing resource group, or create a new one. When creating a new resource group, specify the name
and location for the resource group.
PS C:\> New-AzureRmResourceGroup Name "test-rg" Location "West US"
3. Use the New-AzureRmRecoveryServicesVault cmdlet to create a new vault. Be sure to specify the same
location for the vault as was used for the resource group.

"West US"
testVault is set to GeoRedundant.
TIP
PS C:\> $vault1 = Get-AzureRmRecoveryServicesVault Name "testVault"

PS C:\> Set-AzureRmRecoveryServicesBackupProperties -vault $vault1 -BackupStorageRedundancy
GeoRedundant

this command to check that a new vault was created, or to see what vaults are available in the subscription.
Run the command, Get-AzureRmRecoveryServicesVault, and all vaults in the subscription are listed.
Location : WestUS
Installing the Azure Backup agent on a DPM Server

Before you install the Azure Backup agent, you need to have the installer downloaded and present on the Windows
Server. You can get the latest version of the installer from the Microsoft Download Center or from the Recovery
Services vault's Dashboard page. Save the installer to an easily accessible location like C:\Downloads\.
To install the agent, run the following command in an elevated PowerShell console on the DPM server:
PS C:\> MARSAgentInstaller.exe /q
This installs the agent with all the default options. The installation takes a few minutes in the background. If you do
not specify the /nu option the Windows Update window opens at the end of the installation to check for any
updates.
The agent shows up in the list of installed programs. To see the list of installed programs, go to Control Panel >
Programs > Programs and Features.
Installation options
To see all the options available via the commandline, use the following command:
PS C:\> MARSAgentInstaller.exe /?
The available options include:
OPTION DETAILS DEFAULT
/q Quiet installation -
/p:"location" Path to the installation folder for the C:\Program Files\Microsoft Azure
Azure Backup agent. Recovery Services Agent
/s:"location" Path to the cache folder for the Azure C:\Program Files\Microsoft Azure
Backup agent. Recovery Services Agent\Scratch
/m Opt-in to Microsoft Update -
/nu Do not Check for updates after -

installation is complete
/d Uninstalls Microsoft Azure Recovery -

Services Agent
/ph Proxy Host Address -
/po Proxy Host Port Number -
/pu Proxy Host UserName -

/pw Proxy Password -
Registering DPM to a Recovery Services Vault

After you created the Recovery Services vault, download the latest agent and the vault credentials and store it in a
convenient location like C:\Downloads.
PS C:\> $credspath = "C:\downloads"

PS C:\> $credsfilename = Get-AzureRmRecoveryServicesVaultSettingsFile -Backup -Vault $vault1 -Path $credspath
PS C:\> $credsfilename
C:\downloads\testvault\_Sun Apr 10 2016.VaultCredentials
On the DPM server, run the Start-OBRegistration cmdlet to register the machine with the vault.
PS C:\> $cred = $credspath + $credsfilename

PS C:\> Start-OBRegistration-VaultCredentials $cred -Confirm:$false
CertThumbprint :7a2ef2caa2e74b6ed1222a5e89288ddad438df2
SubscriptionID : ef4ab577-c2c0-43e4-af80-af49f485f3d1
ServiceResourceName: testvault
Region :West US
Machine registration succeeded.
Initial configuration settings

Once the DPM Server is registered with the Recovery Services vault, it starts with default subscription settings.
These subscription settings include Networking, Encryption and the Staging area. To change subscription settings
you need to first get a handle on the existing (default) settings using the Get-DPMCloudSubscriptionSetting
cmdlet:
$setting = Get-DPMCloudSubscriptionSetting -DPMServerName "TestingServer"
All modifications are made to this local PowerShell object $setting and then the full object is committed to DPM
and Azure Backup to save them using the Set-DPMCloudSubscriptionSetting cmdlet. You need to use the Commit
flag to ensure that the changes are persisted. The settings will not be applied and used by Azure Backup unless
committed.
PS C:\> Set-DPMCloudSubscriptionSetting -DPMServerName "TestingServer" -SubscriptionSetting $setting -Commit
Networking
If the connectivity of the DPM machine to the Azure Backup service on the internet is through a proxy server, then
the proxy server settings should be provided for successful backups. This is done by using the -ProxyServer and
-ProxyPort , -ProxyUsername and the ProxyPassword parameters with the Set-DPMCloudSubscriptionSetting
cmdlet. In this example, there is no proxy server so we are explicitly clearing any proxy-related information.
PS C:\> Set-DPMCloudSubscriptionSetting -DPMServerName "TestingServer" -SubscriptionSetting $setting -NoProxy
Bandwidth usage can also be controlled with options of -WorkHourBandwidth and -NonWorkHourBandwidth for a
given set of days of the week. In this example, we are not setting any throttling.
PS C:\> Set-DPMCloudSubscriptionSetting -DPMServerName "TestingServer" -SubscriptionSetting $setting -
NoThrottle
Configuring the staging Area

The Azure Backup agent running on the DPM server needs temporary storage for data restored from the cloud
(local staging area). Configure the staging area using the Set-DPMCloudSubscriptionSetting cmdlet and the
-StagingAreaPath parameter.

StagingAreaPath "C:\StagingArea"
In the example above, the staging area will be set to C:\StagingArea in the PowerShell object $setting . Ensure
that the specified folder already exists, or else the final commit of the subscription settings will fail.
Encryption settings
The backup data sent to Azure Backup is encrypted to protect the confidentiality of the data. The encryption
passphrase is the "password" to decrypt the data at the time of restore. It is important to keep this information safe
and secure once it is set.
In the example below, the first command converts the string passphrase123456789 to a secure string and assigns
the secure string to the variable named $Passphrase . the second command sets the secure string in $Passphrase
as the password for encrypting backups.
PS C:\> $Passphrase = ConvertTo-SecureString -string "passphrase123456789" -AsPlainText -Force

EncryptionPassphrase $Passphrase
IMPORTANT
Keep the passphrase information safe and secure once it is set. You will not be able to restore data from Azure without this
passphrase.
At this point, you should have made all the required changes to the $setting object. Remember to commit the
changes.
Protect data to Azure Backup

In this section, you will add a production server to DPM and then protect the data to local DPM storage and then to
Azure Backup. In the examples, we will demonstrate how to back up files and folders. The logic can easily be
extended to backup any DPM-supported data source. All your DPM backups are governed by a Protection Group
(PG) with four parts:
1. Group members is a list of all the protectable objects (also known as Datasources in DPM) that you want to
protect in the same protection group. For example, you may want to protect production VMs in one protection
group and SQL Server databases in another protection group as they may have different backup requirements.
Before you can back up any datasource on a production server you need to make sure the DPM Agent is
installed on the server and is managed by DPM. Follow the steps for installing the DPM Agent and linking it to
the appropriate DPM Server.
2. Data protection method specifies the target backup locations - tape, disk, and cloud. In our example we will
protect data to the local disk and to the cloud.
3. A backup schedule that specifies when backups need to be taken and how often the data should be
synchronized between the DPM Server and the production server.
4. A retention schedule that specifies how long to retain the recovery points in Azure.
Creating a protection group
Start by creating a new Protection Group using the New-DPMProtectionGroup cmdlet.
PS C:\> $PG = New-DPMProtectionGroup -DPMServerName " TestingServer " -Name "ProtectGroup01"
The above cmdlet will create a Protection Group named ProtectGroup01. An existing protection group can also be
modified later to add backup to the Azure cloud. However, to make any changes to the Protection Group - new or
existing - we need to get a handle on a modifiable object using the Get-DPMModifiableProtectionGroup cmdlet.
PS C:\> $MPG = Get-ModifiableProtectionGroup $PG
Adding group members to the Protection Group

Each DPM Agent knows the list of datasources on the server that it is installed on. To add a datasource to the
Protection Group, the DPM Agent needs to first send a list of the datasources back to the DPM server. One or more
datasources are then selected and added to the Protection Group. The PowerShell steps needed to achieve this are:
1. Fetch a list of all servers managed by DPM through the DPM Agent.
2. Choose a specific server.
3. Fetch a list of all datasources on the server.
4. Choose one or more datasources and add them to the Protection Group
The list of servers on which the DPM Agent is installed and is being managed by the DPM Server is acquired with
the Get-DPMProductionServer cmdlet. In this example we will filter and only configure PS with name
productionserver01 for backup.
PS C:\> $server = Get-ProductionServer -DPMServerName "TestingServer" | where {($_.servername) contains

productionserver01}
Now fetch the list of datasources on $server using the Get-DPMDatasource cmdlet. In this example we are
filtering for the volume D:\ that we want to configure for backup. This datasource is then added to the Protection
Group using the Add-DPMChildDatasource cmdlet. Remember to use the modifiable protection group object
$MPG to make the additions.
PS C:\> $DS = Get-Datasource -ProductionServer $server -Inquire | where { $_.Name -contains D:\ }
PS C:\> Add-DPMChildDatasource -ProtectionGroup $MPG -ChildDatasource $DS
Repeat this step as many times as required, until you have added all the chosen datasources to the protection
group. You can also start with just one datasource, and complete the workflow for creating the Protection Group,
and at a later point add more datasources to the Protection Group.
Selecting the data protection method
Once the datasources have been added to the Protection Group, the next step is to specify the protection method
using the Set-DPMProtectionType cmdlet. In this example, the Protection Group is setup for local disk and cloud
backup. You also need to specify the datasource that you want to protect to cloud using the Add-
DPMChildDatasource cmdlet with -Online flag.
PS C:\> Set-DPMProtectionType -ProtectionGroup $MPG -ShortTerm Disk LongTerm Online

PS C:\> Add-DPMChildDatasource -ProtectionGroup $MPG -ChildDatasource $DS Online
Setting the retention range

Set the retention for the backup points using the Set-DPMPolicyObjective cmdlet. While it might seem odd to set
the retention before the backup schedule has been defined, using the Set-DPMPolicyObjective cmdlet
automatically sets a default backup schedule that can then be modified. It is always possible to set the backup
schedule first and the retention policy after.
In the example below, the cmdlet sets the retention parameters for disk backups. This will retain backups for 10
days, and sync data every 6 hours between the production server and the DPM server. The
SynchronizationFrequencyMinutes doesn't define how often a backup point is created, but how often data is copied
to the DPM server. This setting prevents backups from becoming too large.
PS C:\> Set-DPMPolicyObjective ProtectionGroup $MPG -RetentionRangeInDays 10 -SynchronizationFrequencyMinutes

360
For backups going to Azure (DPM refers to them as Online backups) the retention ranges can be configured for
long term retention using a Grandfather-Father-Son scheme (GFS). That is, you can define a combined retention
policy involving daily, weekly, monthly and yearly retention policies. In this example, we create an array
representing the complex retention scheme that we want, and then configure the retention range using the Set-
DPMPolicyObjective cmdlet.
PS C:\> $RRlist = @()

PS C:\> $RRList += (New-Object -TypeName
Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.OMCommon.RetentionRange -ArgumentList 180, Days)
Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.OMCommon.RetentionRange -ArgumentList 104, Weeks)
Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.OMCommon.RetentionRange -ArgumentList 60, Month)
Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.OMCommon.RetentionRange -ArgumentList 10, Years)
PS C:\> Set-DPMPolicyObjective ProtectionGroup $MPG -OnlineRetentionRangeList $RRlist
Set the backup schedule

DPM sets a default backup schedule automatically if you specify the protection objective using the
Set-DPMPolicyObjective cmdlet. To change the default schedules, use the Get-DPMPolicySchedule cmdlet followed
by the Set-DPMPolicySchedule cmdlet.
PS C:\> $onlineSch = Get-DPMPolicySchedule -ProtectionGroup $mpg -LongTerm Online

PS C:\> Set-DPMPolicySchedule -ProtectionGroup $MPG -Schedule $onlineSch[0] -TimesOfDay 02:00
PS C:\> Set-DPMPolicySchedule -ProtectionGroup $MPG -Schedule $onlineSch[1] -TimesOfDay 02:00 -DaysOfWeek
Sa,Su Interval 1
PS C:\> Set-DPMPolicySchedule -ProtectionGroup $MPG -Schedule $onlineSch[2] -TimesOfDay 02:00 -
RelativeIntervals First,Third DaysOfWeek Sa
PS C:\> Set-DPMPolicySchedule -ProtectionGroup $MPG -Schedule $onlineSch[3] -TimesOfDay 02:00 -DaysOfMonth
2,5,8,9 -Months Jan,Jul
PS C:\> Set-DPMProtectionGroup -ProtectionGroup $MPG
In the above example, $onlineSch is an array with four elements that contains the existing online protection
schedule for the Protection Group in the GFS scheme:
1. $onlineSch[0] contains the daily schedule
2. $onlineSch[1] contains the weekly schedule
3. $onlineSch[2] contains the monthly schedule
4. $onlineSch[3] contains the yearly schedule
So if you need to modify the weekly schedule, you need to refer to the $onlineSch[1] .
Initial backup
When backing up a datasource for the first time, DPM needs creates initial replica that creates a full copy of the
datasource to be protected on DPM replica volume. This activity can either be scheduled for a specific time, or can
be triggered manually, using the Set-DPMReplicaCreationMethod cmdlet with the parameter -NOW .
PS C:\> Set-DPMReplicaCreationMethod -ProtectionGroup $MPG -NOW
Changing the size of DPM Replica & recovery point volume

You can also change the size of DPM Replica volume and Shadow Copy volume using Set-
DPMDatasourceDiskAllocation cmdlet as in the following example: Get-DatasourceDiskAllocation -Datasource $DS
Set-DatasourceDiskAllocation -Datasource $DS -ProtectionGroup $MPG -manual -ReplicaArea (2gb) -
ShadowCopyArea (2gb)
Committing the changes to the Protection Group
Finally, the changes need to be committed before DPM can take the backup per the new Protection Group
configuration. This can be achieved using the Set-DPMProtectionGroup cmdlet.
View the backup points

You can use the Get-DPMRecoveryPoint cmdlet to get a list of all recovery points for a datasource. In this example,
we will:
fetch all the PGs on the DPM server and stored in an array $PG
get the datasources corresponding to the $PG[0]
get all the recovery points for a datasource.
PS C:\> $PG = Get-DPMProtectionGroup DPMServerName "TestingServer"

PS C:\> $DS = Get-DPMDatasource -ProtectionGroup $PG[0]
PS C:\> $RecoveryPoints = Get-DPMRecoverypoint -Datasource $DS[0] -Online
Restore data protected on Azure

Restoring data is a combination of a RecoverableItem object and a RecoveryOption object. In the previous section,
we got a list of the backup points for a datasource.
In the example below, we demonstrate how to restore a Hyper-V virtual machine from Azure Backup by combining
backup points with the target for recovery. This example includes:
Creating a recovery option using the New-DPMRecoveryOption cmdlet.
Fetching the array of backup points using the Get-DPMRecoveryPoint cmdlet.
Choosing a backup point to restore from.
PS C:\> $RecoveryOption = New-DPMRecoveryOption -HyperVDatasource -TargetServer "HVDCenter02" -
RecoveryLocation AlternateHyperVServer -RecoveryType Recover -TargetLocation C:\VMRecovery

PS C:\> Restore-DPMRecoverableItem -RecoverableItem $RecoveryPoints[0] -RecoveryOption $RecoveryOption
The commands can easily be extended for any datasource type.
Next steps
For more information about DPM to Azure Backup see Introduction to DPM Backup
Deploy and manage backup to Azure for Data
Protection Manager (DPM) servers using PowerShell
This article explains how to use PowerShell to back up and recover DPM data from a backup vault. Microsoft
recommends using Recovery Services vaults for all new deployments. If you are a new Azure Backup user, use the
article, Deploy and manage Data Protection Manager data to Azure using PowerShell, so you store your data in a
Recovery Services vault.
IMPORTANT
Recovery Services vault. Microsoft encourages you to upgrade your Backup vaults to Recovery Services vaults. After October
15, 2017, you cant use PowerShell to create Backup vaults. By November 1, 2017:
Setting up the PowerShell environment

IMPORTANT
Before you can use PowerShell to manage backups from Data Protection Manager to Azure, you will need to have
the right environment in PowerShell. At the start of the PowerShell session, ensure that you run the following
command to import the right modules and allow you to correctly reference the DPM cmdlets:
PS C:> & "C:\Program Files\Microsoft System Center 2012 R2\DPM\DPM\bin\DpmCliInitScript.ps1"
Welcome to the DPM Management Shell!
Full list of cmdlets: Get-Command

Only DPM cmdlets: Get-DPMCommand
Get general help: help
Get help for a cmdlet: help <cmdlet-name> or <cmdlet-name> -?
Get definition of a cmdlet: Get-Command <cmdlet-name> -Syntax
Sample DPM scripts: Get-DPMSampleScript

To begin:
1. Download latest PowerShell (minimum version required is : 1.0.0)
2. Enable the Azure Backup commandlets by switching to AzureResourceManager mode by using the Switch-
AzureMode commandlet:
PS C:\> Switch-AzureMode AzureResourceManager
Networking settings
Encryption settings
WARNING
subscription. This can be done by running the following command: Register-AzureProvider -ProviderNamespace
"Microsoft.Backup"
You can create a new backup vault using the New-AzureRMBackupVault commandlet. The backup vault is an
ARM resource, so you need to place it within a Resource Group. In an elevated Azure PowerShell console, run the
following commands:
PS C:\> New-AzureResourceGroup Name test-rg -Region West US

PS C:\> $backupvault = New-AzureRMBackupVault ResourceGroupName test-rg Name test-vault Region West
US Storage GRS
You can get a list of all the backup vaults in a given subscription using the Get-AzureRMBackupVault
commandlet.
Installing the Azure Backup agent on a DPM Server
Before you install the Azure Backup agent, you need to have the installer downloaded and present on the Windows
Server. You can get the latest version of the installer from the Microsoft Download Center or from the backup
vault's Dashboard page. Save the installer to an easily accessible location like C:\Downloads\.
To install the agent, run the following command in an elevated PowerShell console on the DPM server:
not specify the /nu option the Windows Update window will open at the end of the installation to check for any
updates.
The agent will show in the list of installed programs. To see the list of installed programs, go to Control Panel >
Programs > Programs and Features.
To see all the options available via the command-line, use the following command:


Services Agent

Before you can register with the Azure Backup service, you need to ensure that the prerequisites are met. You
must:
Have a valid Azure subscription
Have a backup vault
To download the vault credentials, run the Get-AzureBackupVaultCredentials commandlet in an Azure
PowerShell console and store it in a convenient location like C:\Downloads\.
PS C:\> $credspath = "C:\"
PS C:\> $credsfilename = Get-AzureRMBackupVaultCredentials -Vault $backupvault -TargetLocation $credspath
f5303a0b-fae4-4cdb-b44d-0e4c032dde26_backuprg_backuprn_2015-08-11--06-22-35.VaultCredentials
Registering the machine with the vault is done using the Start-DPMCloudRegistration cmdlet:

PS C:\> Start-DPMCloudRegistration -DPMServerName "TestingServer" -VaultCredentialsFilePath $cred
This will register the DPM Server named TestingServer with Microsoft Azure Vault using the specified vault
credentials.
IMPORTANT
Do not use relative paths to specify the vault credentials file. You must provide an absolute path as an input to the cmdlet.
Initial configuration settings

Once the DPM Server is registered with the Azure Backup vault, it will start with default subscription settings.
These subscription settings include Networking, Encryption and the Staging area. To begin changing the
subscription settings you need to first get a handle on the existing (default) settings using the Get-
DPMCloudSubscriptionSetting cmdlet:
$setting = Get-DPMCloudSubscriptionSetting -DPMServerName "TestingServer"
All modifications are made to this local PowerShell object $setting and then the full object is committed to DPM
and Azure Backup to save them using the Set-DPMCloudSubscriptionSetting cmdlet. You need to use the Commit
flag to ensure that the changes are persisted. The settings will not be applied and used by Azure Backup unless
committed.
Networking
If the connectivity of the DPM machine to the Azure Backup service on the internet is through a proxy server, then
the proxy server settings should be provided for backups to succeed. This is done by using the -ProxyServer ,
-ProxyPort , -ProxyUsername and the ProxyPassword parameters with the Set-DPMCloudSubscriptionSetting
cmdlet. In this example, there is no proxy server so we are explicitly clearing any proxy-related information.
PS C:\> Set-DPMCloudSubscriptionSetting -DPMServerName "TestingServer" -SubscriptionSetting $setting -NoProxy
Bandwidth usage can also be controlled with options of -WorkHourBandwidth and -NonWorkHourBandwidth for a
given set of days of the week. In this example we are not setting any throttling.

NoThrottle
Configuring the staging Area

The Azure Backup agent running on the DPM server needs temporary storage for data restored from the cloud
(local staging area). Configure the staging area using the Set-DPMCloudSubscriptionSetting cmdlet and the
-StagingAreaPath parameter.

StagingAreaPath "C:\StagingArea"
In the example above, the staging area will be set to C:\StagingArea in the PowerShell object $setting . Ensure
that the specified folder already exists, or else the final commit of the subscription settings will fail.
Encryption settings
passphrase is the "password" to decrypt the data at the time of restore. It is important to keep this information safe
and secure once it is set.
In the example below, the first command converts the string passphrase123456789 to a secure string and assigns
the secure string to the variable named $Passphrase . the second command sets the secure string in $Passphrase
as the password for encrypting backups.
PS C:\> $Passphrase = ConvertTo-SecureString -string "passphrase123456789" -AsPlainText -Force

EncryptionPassphrase $Passphrase
IMPORTANT
passphrase.
At this point, you should have made all the required changes to the $setting object. Remember to commit the
changes.
Protect data to Azure Backup

In this section, you will add a production server to DPM and then protect the data to local DPM storage and then to
Azure Backup. In the examples we will demonstrate how to back up files and folders. The logic can easily be
extended to backup any DPM-supported data source. All your DPM backups are governed by a Protection Group
(PG) with four parts:
1. Group members is a list of all the protectable objects (also known as Datasources in DPM) that you want to
protect in the same protection group. For example, you may want to protect production VMs in one protection
group and SQL Server databases in another protection group as they may have different backup requirements.
Before you can back up any datasource on a production server you need to make sure the DPM Agent is
installed on the server and is managed by DPM. Follow the steps for installing the DPM Agent and linking it to
the appropriate DPM Server.
2. Data protection method specifies the target backup locations - tape, disk, and cloud. In our example we will
protect data to the local disk and to the cloud.
3. A backup schedule that specifies when backups need to be taken and how often the data should be
synchronized between the DPM Server and the production server.
Creating a protection group
Start by creating a new Protection Group using the New-DPMProtectionGroup cmdlet.
PS C:\> $PG = New-DPMProtectionGroup -DPMServerName " TestingServer " -Name "ProtectGroup01"
The above cmdlet will create a Protection Group named ProtectGroup01. An existing protection group can also be
modified later to add backup to the Azure cloud. However, to make any changes to the Protection Group - new or
existing - we need to get a handle on a modifiable object using the Get-DPMModifiableProtectionGroup cmdlet.
PS C:\> $MPG = Get-ModifiableProtectionGroup $PG
Adding group members to the Protection Group

Each DPM Agent knows the list of datasources on the server that it is installed on. To add a datasource to the
Protection Group, the DPM Agent needs to first send a list of the datasources back to the DPM server. One or more
datasources are then selected and added to the Protection Group. The PowerShell steps needed to get achieve this
are:
1. Fetch a list of all servers managed by DPM through the DPM Agent.
2. Choose a specific server.
3. Fetch a list of all datasources on the server.
4. Choose one or more datasources and add them to the Protection Group
The list of servers on which the DPM Agent is installed and is being managed by the DPM Server is acquired with
the Get-DPMProductionServer cmdlet. In this example we will filter and only configure PS with name
productionserver01 for backup.
PS C:\> $server = Get-ProductionServer -DPMServerName "TestingServer" | where {($_.servername) contains

productionserver01
Now fetch the list of datasources on $server using the Get-DPMDatasource cmdlet. In this example we are
filtering for the volume D:\ which we want to configure for backup. This datasource is then added to the Protection
Group using the Add-DPMChildDatasource cmdlet. Remember to use the modifable protection group object $MPG
to make the additions.
PS C:\> $DS = Get-Datasource -ProductionServer $server -Inquire | where { $_.Name -contains D:\ }
PS C:\> Add-DPMChildDatasource -ProtectionGroup $MPG -ChildDatasource $DS
Repeat this step as many times as required, until you have added all the chosen datasources to the protection
group. You can also start with just one datasource, and complete the workflow for creating the Protection Group,
and at a later point add more datasources to the Protection Group.
Selecting the data protection method
Once the datasources have been added to the Protection Group, the next step is to specify the protection method
using the Set-DPMProtectionType cmdlet. In this example, the Protection Group will be setup for local disk and
cloud backup. You also need to specify the datasource that you want to protect to cloud using the Add-
DPMChildDatasource cmdlet with -Online flag.
PS C:\> Set-DPMProtectionType -ProtectionGroup $MPG -ShortTerm Disk LongTerm Online

PS C:\> Add-DPMChildDatasource -ProtectionGroup $MPG -ChildDatasource $DS Online
Setting the retention range

Set the retention for the backup points using the Set-DPMPolicyObjective cmdlet. While it might seem odd to set
the retention before the backup schedule has been defined, using the Set-DPMPolicyObjective cmdlet
automatically sets a default backup schedule that can then be modified. It is always possible to set the backup
schedule first and the retention policy after.
In the example below, the cmdlet sets the retention parameters for disk backups. This will retain backups for 10
days, and sync data every 6 hours between the production server and the DPM server. The
SynchronizationFrequencyMinutes doesn't define how often a backup point is created, but how often data is copied
to the DPM server; this prevents backups from becoming too large.
PS C:\> Set-DPMPolicyObjective ProtectionGroup $MPG -RetentionRangeInDays 10 -SynchronizationFrequencyMinutes

360
For backups going to Azure (DPM refers to these as Online backups) the retention ranges can be configured for
long term retention using a Grandfather-Father-Son scheme (GFS). That is, you can define a combined retention
policy involving daily, weekly, monthly and yearly retention policies. In this example, we create an array
representing the complex retention scheme that we want, and then configure the retention range using the Set-
DPMPolicyObjective cmdlet.
PS C:\> $RRlist = @()

Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.OMCommon.RetentionRange -ArgumentList 180, Days)
Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.OMCommon.RetentionRange -ArgumentList 104, Weeks)
Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.OMCommon.RetentionRange -ArgumentList 60, Month)
Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.OMCommon.RetentionRange -ArgumentList 10, Years)
PS C:\> Set-DPMPolicyObjective ProtectionGroup $MPG -OnlineRetentionRangeList $RRlist
Set the backup schedule

DPM sets a default backup schedule automatically if you specify the protection objective using the
Set-DPMPolicyObjective cmdlet. To change the default schedules, use the Get-DPMPolicySchedule cmdlet followed
by the Set-DPMPolicySchedule cmdlet.
PS C:\> $onlineSch = Get-DPMPolicySchedule -ProtectionGroup $mpg -LongTerm Online

PS C:\> Set-DPMPolicySchedule -ProtectionGroup $MPG -Schedule $onlineSch[0] -TimesOfDay 02:00
PS C:\> Set-DPMPolicySchedule -ProtectionGroup $MPG -Schedule $onlineSch[1] -TimesOfDay 02:00 -DaysOfWeek
Sa,Su Interval 1
PS C:\> Set-DPMPolicySchedule -ProtectionGroup $MPG -Schedule $onlineSch[2] -TimesOfDay 02:00 -
RelativeIntervals First,Third DaysOfWeek Sa
PS C:\> Set-DPMPolicySchedule -ProtectionGroup $MPG -Schedule $onlineSch[3] -TimesOfDay 02:00 -DaysOfMonth
2,5,8,9 -Months Jan,Jul
In the example above, $onlineSch is an array with four elements that contains the existing online protection
schedule for the Protection Group in the GFS scheme:
1. $onlineSch[0] will contain the daily schedule
2. $onlineSch[1] will contain the weekly schedule
3. $onlineSch[2] will contain the monthly schedule
4. $onlineSch[3] will contain the yearly schedule
So if you need to modify the weekly schedule, you need to refer to the $onlineSch[1] .
Initial backup
When backing up a datasource for the first time, DPM needs to create an initial replica which will create a copy of
the datasource to be protected on DPM replica volume. This activity can either be scheduled for a specific time, or
can be triggered manually, using the Set-DPMReplicaCreationMethod cmdlet with the parameter -NOW .
PS C:\> Set-DPMReplicaCreationMethod -ProtectionGroup $MPG -NOW
Changing the size of DPM Replica & recovery point volume

You can also change the size of DPM Replica volume as well as Shadow Copy volume using Set-
DPMDatasourceDiskAllocation cmdlet as in the below example: Get-DatasourceDiskAllocation -Datasource $DS
Set-DatasourceDiskAllocation -Datasource $DS -ProtectionGroup $MPG -manual -ReplicaArea (2gb) -
ShadowCopyArea (2gb)
Committing the changes to the Protection Group
Finally, the changes need to be committed before DPM can take the backup per the new Protection Group
configuration. This is done using the Set-DPMProtectionGroup cmdlet.
View the backup points

You can use the Get-DPMRecoveryPoint cmdlet to get a list of all recovery points for a datasource. In this example,
we will:
fetch all the PGs on the DPM server which will be stored in an array $PG
get the datasources corresponding to the $PG[0]
get all the recovery points for a datasource.

Restore data protected on Azure

Restoring data is a combination of a RecoverableItem object and a RecoveryOption object. In the previous section,
we got a list of the backup points for a datasource.
In the example below, we demonstrate how to restore a Hyper-V virtual machine from Azure Backup by combining
backup points with the target for recovery. This includes:
Creating a recovery option using the New-DPMRecoveryOption cmdlet.
Fetching the array of backup points using the Get-DPMRecoveryPoint cmdlet.
Choosing a backup point to restore from.
PS C:\> $RecoveryOption = New-DPMRecoveryOption -HyperVDatasource -TargetServer "HVDCenter02" -

RecoveryLocation AlternateHyperVServer -RecoveryType Recover -TargetLocation C:\VMRecovery

PS C:\> Restore-DPMRecoverableItem -RecoverableItem $RecoveryPoints[0] -RecoveryOption $RecoveryOption

The commands can easily be extended for any datasource type.
Next steps
For more information about Azure Backup for DPM see Introduction to DPM Backup
Deploy and manage backup to Azure for Windows
Server/Windows Client using PowerShell
This article shows you how to use PowerShell for setting up Azure Backup on Windows Server or a Windows
client, and managing backup and recovery.
Install Azure PowerShell

IMPORTANT
This article focuses on the Azure Resource Manager (ARM) and the MS Online Backup PowerShell cmdlets that
enable you to use a Recovery Services vault in a resource group.
In October 2015, Azure PowerShell 1.0 was released. This release succeeded the 0.9.8 release and brought about
some significant changes, especially in the naming pattern of the cmdlets. 1.0 cmdlets follow the naming pattern
{verb}-AzureRm{noun}; whereas, the 0.9.8 names do not include Rm (for example, New-AzureRmResourceGroup
instead of New-AzureResourceGroup). When using Azure PowerShell 0.9.8, you must first enable the Resource
Manager mode by running the Switch-AzureMode AzureResourceManager command. This command is not
necessary in 1.0 or later.
If you want to use your scripts written for the 0.9.8 environment, in the 1.0 or later environment, you should
carefully update and test the scripts in a pre-production environment before using them in production to avoid
unexpected impact.
Download the latest PowerShell release (minimum version required is : 1.0.0)
Setting up PowerShell for Resource Manager templates

Before you can use Azure PowerShell with Resource Manager, you will need to have the right Windows
PowerShell and Azure PowerShell versions.
Verify PowerShell versions
Verify you have Windows PowerShell version 3.0 or 4.0. To find the version of Windows PowerShell, type this
command at a Windows PowerShell command prompt.
$PSVersionTable
You will receive the following type of information:

Name Value
---- -----
PSVersion 3.0
WSManStackVersion 3.0
SerializationVersion 1.1.0.1
CLRVersion 4.0.30319.18444
BuildVersion 6.2.9200.16481
PSCompatibleVersions {1.0, 2.0, 3.0}
PSRemotingProtocolVersion 2.2
Verify that the value of PSVersion is 3.0 or 4.0. If not, see Windows Management Framework 3.0 or Windows
Management Framework 4.0.
Set your Azure account and subscription
If you don't already have an Azure subscription, you can activate your MSDN subscriber benefits or sign up for a
free trial.
Open an Azure PowerShell command prompt and log on to Azure with this command.
If you have multiple Azure subscriptions, you can list your Azure subscriptions with this command.
Get-AzureRmSubscription
SubscriptionId : fd22919d-eaca-4f2b-841a-e4ac6770g92e
SubscriptionName : Visual Studio Ultimate with MSDN
Environment : AzureCloud
SupportedModes : AzureServiceManagement,AzureResourceManager
DefaultAccount : johndoe@contoso.com
Accounts : {johndoe@contoso.com}
IsDefault : True
IsCurrent : True
CurrentStorageAccountName :
TenantId : 32fa88b4-86f1-419f-93ab-2d7ce016dba7
You can set the current Azure subscription by running these commands at the Azure PowerShell command
prompt. Replace everything within the quotes, including the < and > characters, with the correct name.
$subscr="<SubscriptionName from the display of Get-AzureRmSubscription>"

Select-AzureRmSubscription -SubscriptionName $subscr -Current
For more information about Azure subscriptions and accounts, see How to: Connect to your subscription.

1. If you are using Azure Backup for the first time, you must use the Register-AzureRMResourceProvider
2. The Recovery Services vault is an ARM resource, so you need to place it within a Resource Group. You can
use an existing resource group, or create a new one. When creating a new resource group, specify the name
and location for the resource group.
PS C:\> New-AzureRmResourceGroup Name "test-rg" Location "WestUS"
3. Use the New-AzureRmRecoveryServicesVault cmdlet to create the new vault. Be sure to specify the
same location for the vault as was used for the resource group.

"WestUS"
testVault is set to GeoRedundant.
TIP
PS C:\> $vault1 = Get-AzureRmRecoveryServicesVault Name "testVault"

PS C:\> Set-AzureRmRecoveryServicesBackupProperties -vault $vault1 -BackupStorageRedundancy
GeoRedundant

this command to check that a new vault was created, or to see what vaults are available in the subscription.
Run the command, Get-AzureRmRecoveryServicesVault, and all vaults in the subscription are listed.
Location : WestUS

Before you install the Azure Backup agent, you need to have the installer downloaded and present on the
Windows Server. You can get the latest version of the installer from the Microsoft Download Center or from the
Recovery Services vault's Dashboard page. Save the installer to an easily accessible location like C:\Downloads\.
Alternatively, use PowerShell to get the downloader:
$MarsAURL = 'Http://Aka.Ms/Azurebackup_Agent'
$WC = New-Object System.Net.WebClient
$WC.DownloadFile($MarsAURL,'C:\downloads\MARSAgentInstaller.EXE')
C:\Downloads\MARSAgentInstaller.EXE /q
To install the agent, run the following command in an elevated PowerShell console:
not specify the /nu option then the Windows Update window will open at the end of the installation to check for
any updates. Once installed, the agent will show in the list of installed programs.
To see the list of installed programs, go to Control Panel > Programs > Programs and Features.


Services Agent

Registering Windows Server or Windows client machine to a Recovery

Services Vault
After you created the Recovery Services vault, download the latest agent and the vault credentials and store it in a
convenient location like C:\Downloads.
PS C:\> $credspath = "C:\downloads"

PS C:\> $credsfilename = Get-AzureRmRecoveryServicesVaultSettingsFile -Backup -Vault $vault1 -Path $credspath
On the Windows Server or Windows client machine, run the Start-OBRegistration cmdlet to register the machine
with the vault. This, and other cmdlets used for backup, are from the MSONLINE module which the Mars
AgentInstaller added as part of the installation process.
The Agent installer does not update the $Env:PSModulePath variable. This means module auto-load fails. To
resolve this you can do the following:
PS C:\> $Env:psmodulepath += ';C:\Program Files\Microsoft Azure Recovery Services Agent\bin\Modules
Alternatively, you can manually load the module in your script as follows:
PS C:\> Import-Module 'C:\Program Files\Microsoft Azure Recovery Services Agent\bin\Modules\MSOnlineBackup'
Once you load the Online Backup cmdlets, you register the vault credentials:

PS C:\> Start-OBRegistration-VaultCredentials $cred -Confirm:$false
CertThumbprint :7a2ef2caa2e74b6ed1222a5e89288ddad438df2
ServiceResourceName: testvault
Region :WestUS
IMPORTANT
Networking settings
When the connectivity of the Windows machine to the internet is through a proxy server, the proxy settings can
also be provided to the agent. In this example, there is no proxy server, so we are explicitly clearing any proxy-
related information.
Bandwidth usage can also be controlled with the options of work hour bandwidth and non-work hour bandwidth for
a given set of days of the week.
Setting the proxy and bandwidth details is done using the Set-OBMachineSetting cmdlet:
PS C:\> Set-OBMachineSetting -NoProxy
Server properties updated successfully.
PS C:\> Set-OBMachineSetting -NoThrottle

Encryption settings
passphrase is the "password" to decrypt the data at the time of restore.
PS C:\> ConvertTo-SecureString -String "Complex!123_STRING" -AsPlainText -Force | Set-OBMachineSetting

PS C:\> $PassPhrase = ConvertTo-SecureString -String "Complex!123_STRING" -AsPlainText -Force
PS C:\> $PassCode = 'AzureR0ckx'
PS C:\> Set-OBMachineSetting -EncryptionPassPhrase $PassPhrase
Server properties updated successfully
IMPORTANT
Keep the passphrase information safe and secure once it is set. You are not be able to restore data from Azure without this
passphrase.
Back up files and folders

All backups from Windows Servers and clients to Azure Backup are governed by a policy. The policy comprises
three parts:
1. A backup schedule that specifies when backups need to be taken and synchronized with the service.
3. A file inclusion/exclusion specification that dictates what should be backed up.
In this document, since we're automating backup, we'll assume nothing has been configured. We begin by
creating a new backup policy using the New-OBPolicy cmdlet.
PS C:\> $newpolicy = New-OBPolicy
At this time the policy is empty and other cmdlets are needed to define what items will be included or excluded,
when backups will run, and where the backups will be stored.
Configuring the backup schedule
The first of the 3 parts of a policy is the backup schedule, which is created using the New-OBSchedule cmdlet. The
backup schedule defines when backups need to be taken. When creating a schedule you need to specify 2 input
parameters:
Days of the week that the backup should run. You can run the backup job on just one day, or every day of the
week, or any combination in between.
Times of the day when the backup should run. You can define up to 3 different times of the day when the
backup will be triggered.
For instance, you could configure a backup policy that runs at 4PM every Saturday and Sunday.
PS C:\> $sched = New-OBSchedule -DaysofWeek Saturday, Sunday -TimesofDay 16:00

The backup schedule needs to be associated with a policy, and this can be achieved by using the Set-OBSchedule
cmdlet.
PS C:> Set-OBSchedule -Policy $newpolicy -Schedule $sched

BackupSchedule : 4:00 PM Saturday, Sunday, Every 1 week(s) DsList : PolicyName : RetentionPolicy : State : New
PolicyState : Valid
Configuring a retention policy

The retention policy defines how long recovery points created from backup jobs are retained. When creating a
new retention policy using the New-OBRetentionPolicy cmdlet, you can specify the number of days that the
backup recovery points need to be retained with Azure Backup. The example below sets a retention policy of 7
days.
PS C:\> $retentionpolicy = New-OBRetentionPolicy -RetentionDays 7
The retention policy must be associated with the main policy using the cmdlet Set-OBRetentionPolicy:
PS C:\> Set-OBRetentionPolicy -Policy $newpolicy -RetentionPolicy $retentionpolicy
BackupSchedule : 4:00 PM
Saturday, Sunday,
Every 1 week(s)
DsList :
PolicyName :
RetentionPolicy : Retention Days : 7
WeeklyLTRSchedule :
Weekly schedule is not set
MonthlyLTRSchedule :
Monthly schedule is not set
YearlyLTRSchedule :
Yearly schedule is not set
State : New
PolicyState : Valid
Including and excluding files to be backed up

An OBFileSpec object defines the files to be included and excluded in a backup. This is a set of rules that scope out
the protected files and folders on a machine. You can have as many file inclusion or exclusion rules as required,
and associate them with a policy. When creating a new OBFileSpec object, you can:
Specify the files and folders to be included
Specify the files and folders to be excluded
Specify recursive backup of data in a folder (or) whether only the top-level files in the specified folder should
be backed up.
The latter is achieved by using the -NonRecursive flag in the New-OBFileSpec command.
In the example below, we'll back up volume C: and D: and exclude the OS binaries in the Windows folder and any
temporary folders. To do so we'll create two file specifications using the New-OBFileSpec cmdlet - one for
inclusion and one for exclusion. Once the file specifications have been created, they're associated with the policy
using the Add-OBFileSpec cmdlet.
PS C:\> $inclusions = New-OBFileSpec -FileSpec @("C:\", "D:\")

PS C:\> $exclusions = New-OBFileSpec -FileSpec @("C:\windows", "C:\temp") -Exclude
PS C:\> Add-OBFileSpec -Policy $newpolicy -FileSpec $inclusions
Saturday, Sunday,
Every 1 week(s)
DsList : {DataSource
DatasourceId:0
Name:C:\
FileSpec:FileSpec
FileSpec:C:\
IsExclude:False
IsRecursive:True
, DataSource
DatasourceId:0
Name:D:\
FileSpec:FileSpec
FileSpec:D:\
IsExclude:False
IsRecursive:True
}
PolicyName :
WeeklyLTRSchedule :
YearlyLTRSchedule :
State : New
PolicyState : Valid
PS C:\> Add-OBFileSpec -Policy $newpolicy -FileSpec $exclusions
Saturday, Sunday,
Every 1 week(s)
DatasourceId:0
Name:C:\
FileSpec:FileSpec
FileSpec:C:\
IsExclude:False
IsRecursive:True
,FileSpec
FileSpec:C:\windows
IsExclude:True
IsRecursive:True
,FileSpec
FileSpec:C:\temp
IsExclude:True
IsRecursive:True
, DataSource
DatasourceId:0
Name:D:\
FileSpec:FileSpec
FileSpec:D:\
IsExclude:False
IsRecursive:True
}
PolicyName :
WeeklyLTRSchedule :
YearlyLTRSchedule :
State : New
PolicyState : Valid
Applying the policy

Now the policy object is complete and has an associated backup schedule, retention policy, and an
inclusion/exclusion list of files. This policy can now be committed for Azure Backup to use. Before you apply the
newly created policy ensure that there are no existing backup policies associated with the server by using the
Remove-OBPolicy cmdlet. Removing the policy will prompt for confirmation. To skip the confirmation use the
-Confirm:$false flag with the cmdlet.
PS C:> Get-OBPolicy | Remove-OBPolicy

Microsoft Azure Backup Are you sure you want to remove this backup policy? This will delete all the backed up
data. [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):
Committing the policy object is done using the Set-OBPolicy cmdlet. This will also ask for confirmation. To skip the
confirmation use the -Confirm:$false flag with the cmdlet.
PS C:> Set-OBPolicy -Policy $newpolicy
Microsoft Azure Backup Do you want to save this backup policy ? [Y] Yes [A] Yes to All [N] No [L] No to All
[S] Suspend [?] Help (default is "Y"):
BackupSchedule : 4:00 PM Saturday, Sunday, Every 1 week(s)
DatasourceId:4508156004108672185
Name:C:\
FileSpec:FileSpec
FileSpec:C:\
IsExclude:False
IsRecursive:True,
FileSpec
FileSpec:C:\windows
IsExclude:True
IsRecursive:True,
FileSpec
FileSpec:C:\temp
IsExclude:True
IsRecursive:True,
DataSource
DatasourceId:4508156005178868542
Name:D:\
FileSpec:FileSpec
FileSpec:D:\
IsExclude:False
IsRecursive:True
}
PolicyName : c2eb6568-8a06-49f4-a20e-3019ae411bac
WeeklyLTRSchedule :
YearlyLTRSchedule :
State : Existing PolicyState : Valid
You can view the details of the existing backup policy using the Get-OBPolicy cmdlet. You can drill-down further
using the Get-OBSchedule cmdlet for the backup schedule and the Get-OBRetentionPolicy cmdlet for the retention
policies
PS C:> Get-OBPolicy | Get-OBSchedule
SchedulePolicyName : 71944081-9950-4f7e-841d-32f0a0a1359a
ScheduleRunDays : {Saturday, Sunday}
ScheduleRunTimes : {16:00:00}
State : Existing
PS C:> Get-OBPolicy | Get-OBRetentionPolicy

RetentionDays : 7
RetentionPolicyName : ca3574ec-8331-46fd-a605-c01743a5265e
State : Existing
PS C:> Get-OBPolicy | Get-OBFileSpec

FileName : *
FilePath : \?\Volume{b835d359-a1dd-11e2-be72-2016d8d89f0f}\
FileSpec : D:\
IsExclude : False
IsRecursive : True
FileName : *
FilePath : \?\Volume{cdd41007-a22f-11e2-be6c-806e6f6e6963}\
FileSpec : C:\
IsExclude : False
IsRecursive : True
FileName : *
FilePath : \?\Volume{cdd41007-a22f-11e2-be6c-806e6f6e6963}\windows
FileSpec : C:\windows
IsExclude : True
IsRecursive : True
FileName : *
FilePath : \?\Volume{cdd41007-a22f-11e2-be6c-806e6f6e6963}\temp
FileSpec : C:\temp
IsExclude : True
IsRecursive : True
Performing an ad-hoc backup

Once a backup policy has been set the backups will occur per the schedule. Triggering an ad-hoc backup is also
possible using the Start-OBBackup cmdlet:
PS C:> Get-OBPolicy | Start-OBBackup

Initializing
Taking snapshot of volumes...
Preparing storage...
Generating backup metadata information and preparing the metadata VHD...
Data transfer is in progress. It might take longer since it is the first backup and all data needs to be
transferred...
Data transfer completed and all backed up data is in the cloud. Verifying data integrity...
Data transfer completed
In progress...
Job completed.
The backup operation completed successfully.
Restore data from Azure Backup

This section will guide you through the steps for automating recovery of data from Azure Backup. Doing so
involves the following steps:
1. Pick the source volume
2. Choose a backup point to restore
3. Choose an item to restore
4. Trigger the restore process
Picking the source volume
In order to restore an item from Azure Backup, you first need to identify the source of the item. Since we're
executing the commands in the context of a Windows Server or a Windows client, the machine is already
identified. The next step in identifying the source is to identify the volume containing it. A list of volumes or
sources being backed up from this machine can be retrieved by executing the Get-OBRecoverableSource cmdlet.
This command returns an array of all the sources backed up from this server/client.
PS C:> $source = Get-OBRecoverableSource

PS C:> $source
FriendlyName : C:\
RecoverySourceName : C:\
ServerName : myserver.microsoft.com
FriendlyName : D:\
RecoverySourceName : D:\
Choosing a backup point from which to restore

You retreive a list of backup points by executing the Get-OBRecoverableItem cmdlet with appropriate parameters.
In our example, well choose the latest backup point for the source volume D: and use it to recover a specific file.
PS C:> $rps = Get-OBRecoverableItem -Source $source[1]

IsDir : False
ItemNameFriendly : D:\
ItemNameGuid : \?\Volume{b835d359-a1dd-11e2-be72-2016d8d89f0f}\
LocalMountPoint : D:\
MountPointName : D:\
Name : D:\
PointInTime : 18-Jun-15 6:41:52 AM
ItemSize :
ItemLastModifiedTime :
IsDir : False
Name : D:\
ItemSize :
The object $rps is an array of backup points. The first element is the latest point and the Nth element is the oldest
point. To choose the latest point, we will use $rps[0] .
Choosing an item to restore
To identify the exact file or folder to restore, recursively use the Get-OBRecoverableItem cmdlet. That way the
folder hierarchy can be browsed solely using the Get-OBRecoverableItem .
In this example, if we want to restore the file finances.xls we can reference that using the object $filesFolders[1] .
PS C:> $filesFolders = Get-OBRecoverableItem $rps[0]
PS C:> $filesFolders
IsDir : True
ItemNameFriendly : D:\MyData\
ItemNameGuid : \?\Volume{b835d359-a1dd-11e2-be72-2016d8d89f0f}\MyData\
Name : MyData
ItemSize :
ItemLastModifiedTime : 15-Jun-15 8:49:29 AM
PS C:> $filesFolders = Get-OBRecoverableItem $filesFolders[0]

IsDir : False
ItemNameFriendly : D:\MyData\screenshot.oxps
ItemNameGuid : \?\Volume{b835d359-a1dd-11e2-be72-2016d8d89f0f}\MyData\screenshot.oxps
Name : screenshot.oxps
ItemSize : 228313
IsDir : False
ItemNameFriendly : D:\MyData\finances.xls
ItemNameGuid : \?\Volume{b835d359-a1dd-11e2-be72-2016d8d89f0f}\MyData\finances.xls
Name : finances.xls
ItemSize : 96256
You can also search for items to restore using the Get-OBRecoverableItem cmdlet. In our example, to search for
finances.xls we could get a handle on the file by running this command:
PS C:\> $item = Get-OBRecoverableItem -RecoveryPoint $rps[0] -Location "D:\MyData" -SearchString "finance*"
Triggering the restore process

To trigger the restore process, we first need to specify the recovery options. This can be done by using the New-
OBRecoveryOption cmdlet. For this example, let's assume that we want to restore the files to C:\temp. Let's also
assume that we want to skip files that already exist on the destination folder C:\temp. To create such a recovery
option, use the following command:
PS C:\> $recovery_option = New-OBRecoveryOption -DestinationPath "C:\temp" -OverwriteType Skip
Now trigger the restore process by using the Start-OBRecovery command on the selected $item from the output
of the Get-OBRecoverableItem cmdlet:
PS C:\> Start-OBRecovery -RecoverableItem $item -RecoveryOption $recover_option
Estimating size of backup items...
Job completed.
The recovery operation completed successfully.
Uninstalling the Azure Backup agent

Uninstalling the Azure Backup agent can be done by using the following command:
PS C:\> .\MARSAgentInstaller.exe /d /q
Uninstalling the agent binaries from the machine has some consequences to consider:
It removes the file-filter from the machine, and tracking of changes is stopped.
All policy information is removed from the machine, but the policy information continues to be stored in the
service.
All backup schedules are removed, and no further backups are taken.
However, the data stored in Azure remains and is retained as per the retention policy setup by you. Older points
are automatically aged out.
Remote management
All the management around the Azure Backup agent, policies, and data sources can be done remotely through
PowerShell. The machine that will be managed remotely needs to be prepared correctly.
By default, the WinRM service is configured for manual startup. The startup type must be set to Automatic and the
service should be started. To verify that the WinRM service is running, the value of the Status property should be
Running.
PS C:\> Get-Service WinRM
Status Name DisplayName

------ ---- -----------
Running winrm Windows Remote Management (WS-Manag...
PowerShell should be configured for remoting.
PS C:\> Enable-PSRemoting -force

WinRM is already set up to receive requests on this computer.
WinRM has been updated for remote management.
WinRM firewall exception enabled.
PS C:\> Set-ExecutionPolicy unrestricted -force
The machine can now be managed remotely - starting from the installation of the agent. For example, the
following script copies the agent to the remote machine and installs it.
PS C:\> $dloc = "\\REMOTESERVER01\c$\Windows\Temp"
PS C:\> $agent = "\\REMOTESERVER01\c$\Windows\Temp\MARSAgentInstaller.exe"
PS C:\> $args = "/q"
PS C:\> Copy-Item "C:\Downloads\MARSAgentInstaller.exe" -Destination $dloc - force
PS C:\> $s = New-PSSession -ComputerName REMOTESERVER01

PS C:\> Invoke-Command -Session $s -Script { param($d, $a) Start-Process -FilePath $d $a -Wait } -ArgumentList
$agent $args
Next steps
For more information about Azure Backup for Windows Server/Client see
Back up Windows Servers
Deploy and manage backup to Azure for Windows
Server/Windows Client using PowerShell
This article explains how to use PowerShell to back up Windows Server or Windows workstation data to a backup
vault. Microsoft recommends using Recovery Services vaults for all new deployments. If you are a new Azure
Backup user and have not created a backup vault in your subscription, use the article, Deploy and manage Data
Protection Manager data to Azure using PowerShell so you store your data in a Recovery Services vault.
IMPORTANT
You can now upgrade your Backup vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to
a Recovery Services vault. Microsoft encourages you to upgrade your Backup vaults to Recovery Services vaults.
Install Azure PowerShell

IMPORTANT
In October 2015, Azure PowerShell 1.0 was released. This release succeeded the 0.9.8 release and brought about
some significant changes, especially in the naming pattern of the cmdlets. 1.0 cmdlets follow the naming pattern
{verb}-AzureRm{noun}; whereas, the 0.9.8 names do not include Rm (for example, New-AzureRmResourceGroup
instead of New-AzureResourceGroup). When using Azure PowerShell 0.9.8, you must first enable the Resource
Manager mode by running the Switch-AzureMode AzureResourceManager command. This command is not
necessary in 1.0 or later.
If you want to use your scripts written for the 0.9.8 environment, in the 1.0 or later environment, you should
carefully test the scripts in a pre-production environment before using them in production to avoid unexpected
impact.
Download the latest PowerShell release (minimum version required is : 1.0.0)
Setting up PowerShell for Resource Manager templates

Before you can use Azure PowerShell with Resource Manager, you will need to have the right Windows
PowerShell and Azure PowerShell versions.
Verify PowerShell versions
Verify you have Windows PowerShell version 3.0 or 4.0. To find the version of Windows PowerShell, type this
command at a Windows PowerShell command prompt.
$PSVersionTable
Name Value
---- -----
PSVersion 3.0
WSManStackVersion 3.0
SerializationVersion 1.1.0.1
CLRVersion 4.0.30319.18444
BuildVersion 6.2.9200.16481
PSCompatibleVersions {1.0, 2.0, 3.0}
PSRemotingProtocolVersion 2.2
Verify that the value of PSVersion is 3.0 or 4.0. If not, see Windows Management Framework 3.0 or Windows
Management Framework 4.0.
Set your Azure account and subscription
If you don't already have an Azure subscription, you can activate your MSDN subscriber benefits or sign up for a
free trial.
Open an Azure PowerShell command prompt and log on to Azure with this command.
If you have multiple Azure subscriptions, you can list your Azure subscriptions with this command.
Get-AzureRmSubscription
SubscriptionId : fd22919d-eaca-4f2b-841a-e4ac6770g92e
SubscriptionName : Visual Studio Ultimate with MSDN
Environment : AzureCloud
SupportedModes : AzureServiceManagement,AzureResourceManager
DefaultAccount : johndoe@contoso.com
Accounts : {johndoe@contoso.com}
IsDefault : True
IsCurrent : True
CurrentStorageAccountName :
TenantId : 32fa88b4-86f1-419f-93ab-2d7ce016dba7
You can set the current Azure subscription by running these commands at the Azure PowerShell command
prompt. Replace everything within the quotes, including the < and > characters, with the correct name.
$subscr="<SubscriptionName from the display of Get-AzureRmSubscription>"

Select-AzureRmSubscription -SubscriptionName $subscr -Current
For more information about Azure subscriptions and accounts, see How to: Connect to your subscription.

WARNING
subscription. This can be done by running the following command: Register-AzureProvider -ProviderNamespace
"Microsoft.Backup"
You can create a new backup vault using the New-AzureRMBackupVault cmdlet. The backup vault is an ARM
resource, so you need to place it within a Resource Group. In an elevated Azure PowerShell console, run the
following commands:
PS C:\> New-AzureResourceGroup Name test-rg -Region West US

PS C:\> $backupvault = New-AzureRMBackupVault ResourceGroupName test-rg Name test-vault Region West
US Storage GeoRedundant
Use the Get-AzureRMBackupVault cmdlet to list the backup vaults in a subscription.

Before you install the Azure Backup agent, you need to have the installer downloaded and present on the
Windows Server. You can get the latest version of the installer from the Microsoft Download Center or from the
backup vault's Dashboard page. Save the installer to an easily accessible location like C:\Downloads\.
To install the agent, run the following command in an elevated PowerShell console:
not specify the /nu option then the Windows Update window will open at the end of the installation to check for
any updates. Once installed, the agent will show in the list of installed programs.
To see the list of installed programs, go to Control Panel > Programs > Programs and Features.


Services Agent

Before you can register with the Azure Backup service, you need to ensure that the prerequisites are met. You
must:
Have a valid Azure subscription
Have a backup vault
To download the vault credentials, run the Get-AzureRMBackupVaultCredentials cmdlet in an Azure
PowerShell console and store it in a convenient location like C:\Downloads\.
PS C:\> $credspath = "C:\"

PS C:\> $credsfilename = Get-AzureRMBackupVaultCredentials -Vault $backupvault -TargetLocation $credspath
f5303a0b-fae4-4cdb-b44d-0e4c032dde26_backuprg_backuprn_2015-08-11--06-22-35.VaultCredentials
Registering the machine with the vault is done using the Start-OBRegistration cmdlet:

PS C:\> Start-OBRegistration -VaultCredentials $cred -Confirm:$false
CertThumbprint : 7a2ef2caa2e74b6ed1222a5e89288ddad438df2
ServiceResourceName : test-vault
Region : West US

IMPORTANT
Networking settings
When the connectivity of the Windows machine to the internet is through a proxy server, the proxy settings can
also be provided to the agent. In this example, there is no proxy server, so we are explicitly clearing any proxy-
related information.
Bandwidth usage can also be controlled with the options of work hour bandwidth and non-work hour bandwidth for
a given set of days of the week.
Setting the proxy and bandwidth details is done using the Set-OBMachineSetting cmdlet:
PS C:\> Set-OBMachineSetting -NoProxy

PS C:\> Set-OBMachineSetting -NoThrottle

Encryption settings
passphrase is the "password" to decrypt the data at the time of restore.
PS C:\> ConvertTo-SecureString -String "Complex!123_STRING" -AsPlainText -Force | Set-OBMachineSetting

Server properties updated successfully
IMPORTANT
passphrase.
Back up files and folders

All your backups from Windows Servers and clients to Azure Backup are governed by a policy. The policy
comprises three parts:
1. A backup schedule that specifies when backups need to be taken and synchronized with the service.
3. A file inclusion/exclusion specification that dictates what should be backed up.
In this document, since we're automating backup, we'll assume nothing has been configured. We begin by
creating a new backup policy using the New-OBPolicy cmdlet and using it.
PS C:\> $newpolicy = New-OBPolicy
At this time the policy is empty and other cmdlets are needed to define what items will be included or excluded,
when backups will run, and where the backups will be stored.
Configuring the backup schedule
The first of the 3 parts of a policy is the backup schedule, which is created using the New-OBSchedule cmdlet. The
backup schedule defines when backups need to be taken. When creating a schedule you need to specify 2 input
parameters:
Days of the week that the backup should run. You can run the backup job on just one day, or every day of the
week, or any combination in between.
Times of the day when the backup should run. You can define up to 3 different times of the day when the
backup will be triggered.
For instance, you could configure a backup policy that runs at 4PM every Saturday and Sunday.
PS C:\> $sched = New-OBSchedule -DaysofWeek Saturday, Sunday -TimesofDay 16:00
The backup schedule needs to be associated with a policy, and this can be achieved by using the Set-OBSchedule
cmdlet.
PS C:> Set-OBSchedule -Policy $newpolicy -Schedule $sched

BackupSchedule : 4:00 PM Saturday, Sunday, Every 1 week(s) DsList : PolicyName : RetentionPolicy : State : New
PolicyState : Valid
Configuring a retention policy

The retention policy defines how long recovery points created from backup jobs are retained. When creating a
new retention policy using the New-OBRetentionPolicy cmdlet, you can specify the number of days that the
backup recovery points need to be retained with Azure Backup. The example below sets a retention policy of 7
days.
PS C:\> $retentionpolicy = New-OBRetentionPolicy -RetentionDays 7
The retention policy must be associated with the main policy using the cmdlet Set-OBRetentionPolicy:
PS C:\> Set-OBRetentionPolicy -Policy $newpolicy -RetentionPolicy $retentionpolicy
Saturday, Sunday,
Every 1 week(s)
DsList :
PolicyName :
WeeklyLTRSchedule :
YearlyLTRSchedule :
State : New
PolicyState : Valid
Including and excluding files to be backed up

An OBFileSpec object defines the files to be included and excluded in a backup. This is a set of rules that scope out
the protected files and folders on a machine. You can have as many file inclusion or exclusion rules as required,
and associate them with a policy. When creating a new OBFileSpec object, you can:
Specify the files and folders to be included
Specify the files and folders to be excluded
Specify recursive backup of data in a folder (or) whether only the top-level files in the specified folder should
be backed up.
The latter is achieved by using the -NonRecursive flag in the New-OBFileSpec command.
In the example below, we'll back up volume C: and D: and exclude the OS binaries in the Windows folder and any
temporary folders. To do so we'll create two file specifications using the New-OBFileSpec cmdlet - one for
inclusion and one for exclusion. Once the file specifications have been created, they're associated with the policy
using the Add-OBFileSpec cmdlet.
PS C:\> $inclusions = New-OBFileSpec -FileSpec @("C:\", "D:\")
PS C:\> $exclusions = New-OBFileSpec -FileSpec @("C:\windows", "C:\temp") -Exclude
PS C:\> Add-OBFileSpec -Policy $newpolicy -FileSpec $inclusions
Saturday, Sunday,
Every 1 week(s)
DatasourceId:0
Name:C:\
FileSpec:FileSpec
FileSpec:C:\
IsExclude:False
IsRecursive:True
, DataSource
DatasourceId:0
Name:D:\
FileSpec:FileSpec
FileSpec:D:\
IsExclude:False
IsRecursive:True
}
PolicyName :
WeeklyLTRSchedule :
YearlyLTRSchedule :
State : New
PolicyState : Valid
PS C:\> Add-OBFileSpec -Policy $newpolicy -FileSpec $exclusions
Saturday, Sunday,
Every 1 week(s)
DatasourceId:0
Name:C:\
FileSpec:FileSpec
FileSpec:C:\
IsExclude:False
IsRecursive:True
IsRecursive:True
,FileSpec
FileSpec:C:\windows
IsExclude:True
IsRecursive:True
,FileSpec
FileSpec:C:\temp
IsExclude:True
IsRecursive:True
, DataSource
DatasourceId:0
Name:D:\
FileSpec:FileSpec
FileSpec:D:\
IsExclude:False
IsRecursive:True
}
PolicyName :
WeeklyLTRSchedule :
YearlyLTRSchedule :
State : New
PolicyState : Valid
Applying the policy

Now the policy object is complete and has an associated backup schedule, retention policy, and an
inclusion/exclusion list of files. This policy can now be committed for Azure Backup to use. Before you apply the
newly created policy ensure that there are no existing backup policies associated with the server by using the
Remove-OBPolicy cmdlet. Removing the policy will prompt for confirmation. To skip the confirmation use the
-Confirm:$false flag with the cmdlet.
PS C:> Get-OBPolicy | Remove-OBPolicy

Microsoft Azure Backup Are you sure you want to remove this backup policy? This will delete all the backed up
data. [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):
Committing the policy object is done using the Set-OBPolicy cmdlet. This will also ask for confirmation. To skip the
confirmation use the -Confirm:$false flag with the cmdlet.
PS C:> Set-OBPolicy -Policy $newpolicy
Microsoft Azure Backup Do you want to save this backup policy ? [Y] Yes [A] Yes to All [N] No [L] No to All
[S] Suspend [?] Help (default is "Y"):
BackupSchedule : 4:00 PM Saturday, Sunday, Every 1 week(s)
DatasourceId:4508156004108672185
Name:C:\
FileSpec:FileSpec
FileSpec:C:\
IsExclude:False
IsRecursive:True,
FileSpec
FileSpec:C:\windows
IsExclude:True
IsRecursive:True,
FileSpec
FileSpec:C:\temp
IsExclude:True
IsRecursive:True,
DataSource
DatasourceId:4508156005178868542
Name:D:\
FileSpec:FileSpec
FileSpec:D:\
IsExclude:False
IsRecursive:True
}
PolicyName : c2eb6568-8a06-49f4-a20e-3019ae411bac
WeeklyLTRSchedule :
YearlyLTRSchedule :
State : Existing PolicyState : Valid
You can view the details of the existing backup policy using the Get-OBPolicy cmdlet. You can drill-down further
using the Get-OBSchedule cmdlet for the backup schedule and the Get-OBRetentionPolicy cmdlet for the retention
policies
PS C:> Get-OBPolicy | Get-OBSchedule
SchedulePolicyName : 71944081-9950-4f7e-841d-32f0a0a1359a
ScheduleRunDays : {Saturday, Sunday}
ScheduleRunTimes : {16:00:00}
State : Existing
PS C:> Get-OBPolicy | Get-OBRetentionPolicy

RetentionDays : 7
RetentionPolicyName : ca3574ec-8331-46fd-a605-c01743a5265e
State : Existing
PS C:> Get-OBPolicy | Get-OBFileSpec

FileName : *
FilePath : \?\Volume{b835d359-a1dd-11e2-be72-2016d8d89f0f}\
FileSpec : D:\
IsExclude : False
IsRecursive : True
FileName : *
FilePath : \?\Volume{cdd41007-a22f-11e2-be6c-806e6f6e6963}\
FileSpec : C:\
IsExclude : False
IsRecursive : True
FileName : *
FilePath : \?\Volume{cdd41007-a22f-11e2-be6c-806e6f6e6963}\windows
FileSpec : C:\windows
IsExclude : True
IsRecursive : True
FileName : *
FilePath : \?\Volume{cdd41007-a22f-11e2-be6c-806e6f6e6963}\temp
FileSpec : C:\temp
IsExclude : True
IsRecursive : True
Performing an ad-hoc backup

Once a backup policy has been set the backups will occur per the schedule. Triggering an ad-hoc backup is also
possible using the Start-OBBackup cmdlet:
PS C:> Get-OBPolicy | Start-OBBackup

Taking snapshot of volumes...
Preparing storage...
Transferring data...
Verifying backup...
Job completed.
The backup operation completed successfully.
Restore data from Azure Backup

This section will guide you through the steps for automating recovery of data from Azure Backup. Doing so
involves the following steps:
1. Pick the source volume
2. Choose a backup point to restore
3. Choose an item to restore
4. Trigger the restore process
Picking the source volume
In order to restore an item from Azure Backup, you first need to identify the source of the item. Since we're
executing the commands in the context of a Windows Server or a Windows client, the machine is already
identified. The next step in identifying the source is to identify the volume containing it. A list of volumes or
sources being backed up from this machine can be retrieved by executing the Get-OBRecoverableSource cmdlet.
This command returns an array of all the sources backed up from this server/client.
PS C:> $source = Get-OBRecoverableSource

PS C:> $source
FriendlyName : C:\
RecoverySourceName : C:\
FriendlyName : D:\
RecoverySourceName : D:\
Choosing a backup point to restore

The list of backup points can be retrieved by executing the Get-OBRecoverableItem cmdlet with appropriate
parameters. In our example, well choose the latest backup point for the source volume D: and use it to recover a
specific file.
PS C:> $rps = Get-OBRecoverableItem -Source $source[1]

IsDir : False
Name : D:\
ItemSize :
IsDir : False
Name : D:\
ItemSize :
The object $rps is an array of backup points. The first element is the latest point and the Nth element is the oldest
point. To choose the latest point, we will use $rps[0] .
Choosing an item to restore
To identify the exact file or folder to restore, recursively use the Get-OBRecoverableItem cmdlet. That way the
folder hierarchy can be browsed solely using the Get-OBRecoverableItem .
In this example, if we want to restore the file finances.xls we can reference that using the object $filesFolders[1] .
PS C:> $filesFolders = Get-OBRecoverableItem $rps[0]
IsDir : True
ItemNameFriendly : D:\MyData\
ItemNameGuid : \?\Volume{b835d359-a1dd-11e2-be72-2016d8d89f0f}\MyData\
Name : MyData
ItemSize :
PS C:> $filesFolders = Get-OBRecoverableItem $filesFolders[0]

IsDir : False
ItemNameFriendly : D:\MyData\screenshot.oxps
ItemNameGuid : \?\Volume{b835d359-a1dd-11e2-be72-2016d8d89f0f}\MyData\screenshot.oxps
Name : screenshot.oxps
ItemSize : 228313
IsDir : False
ItemNameFriendly : D:\MyData\finances.xls
ItemNameGuid : \?\Volume{b835d359-a1dd-11e2-be72-2016d8d89f0f}\MyData\finances.xls
Name : finances.xls
ItemSize : 96256
You can also search for items to restore using the Get-OBRecoverableItem cmdlet. In our example, to search for
finances.xls we could get a handle on the file by running this command:
PS C:\> $item = Get-OBRecoverableItem -RecoveryPoint $rps[0] -Location "D:\MyData" -SearchString "finance*"
Triggering the restore process

To trigger the restore process, we first need to specify the recovery options. This can be done by using the New-
OBRecoveryOption cmdlet. For this example, let's assume that we want to restore the files to C:\temp. Let's also
assume that we want to skip files that already exist on the destination folder C:\temp. To create such a recovery
option, use the following command:
PS C:\> $recovery_option = New-OBRecoveryOption -DestinationPath "C:\temp" -OverwriteType Skip
Now trigger restore by using the Start-OBRecovery command on the selected $item from the output of the
Get-OBRecoverableItem cmdlet:
PS C:\> Start-OBRecovery -RecoverableItem $item -RecoveryOption $recover_option
Job completed.
The recovery operation completed successfully.
Uninstalling the Azure Backup agent

Uninstalling the Azure Backup agent can be done by using the following command:
PS C:\> .\MARSAgentInstaller.exe /d /q
Uninstalling the agent binaries from the machine has some consequences to consider:
It removes the file-filter from the machine, and tracking of changes is stopped.
All policy information is removed from the machine, but the policy information continues to be stored in the
service.
All backup schedules are removed, and no further backups are taken.
However, the data stored in Azure remains and is retained as per the retention policy setup by you. Older points
are automatically aged out.
Remote management
All the management around the Azure Backup agent, policies, and data sources can be done remotely through
PowerShell. The machine that will be managed remotely needs to be prepared correctly.
By default, the WinRM service is configured for manual startup. The startup type must be set to Automatic and the
service should be started. To verify that the WinRM service is running, the value of the Status property should be
Running.
PS C:\> Get-Service WinRM
Status Name DisplayName

------ ---- -----------
Running winrm Windows Remote Management (WS-Manag...
PowerShell should be configured for remoting.
PS C:\> Enable-PSRemoting -force

WinRM is already set up to receive requests on this computer.
WinRM has been updated for remote management.
WinRM firewall exception enabled.
PS C:\> Set-ExecutionPolicy unrestricted -force
The machine can now be managed remotely - starting from the installation of the agent. For example, the
following script copies the agent to the remote machine and installs it.
PS C:\> $dloc = "\\REMOTESERVER01\c$\Windows\Temp"
PS C:\> $agent = "\\REMOTESERVER01\c$\Windows\Temp\MARSAgentInstaller.exe"
PS C:\> $args = "/q"
PS C:\> Copy-Item "C:\Downloads\MARSAgentInstaller.exe" -Destination $dloc - force
PS C:\> $s = New-PSSession -ComputerName REMOTESERVER01

PS C:\> Invoke-Command -Session $s -Script { param($d, $a) Start-Process -FilePath $d $a -Wait } -ArgumentList
$agent $args
Next steps
For more information about Azure Backup for Windows Server/Client see
Back up Windows Servers
1 min to read
Edit O nline
1 min to read
Edit O nline
1 min to read
Edit O nline
1 min to read
Edit O nline
Back up a Windows Server or client to Azure using
the Resource Manager deployment model
This article explains how to back up your Windows Server (or Windows client) files and folders to Azure with
Azure Backup using the Resource Manager deployment model.
deployments. Microsoft recommends using Resource Manager deployments unless you specifically require a
Classic deployment.
DEPLOYMENT PORTAL VAULT
Classic Classic Backup
Resource Manager Azure Recovery Services
NOTE
protect classically-deployed servers and VMs.
Before you start
To back up a server or client to Azure, you need an Azure account. If you don't have one, you can create a free
account in just a couple of minutes.

A Recovery Services vault is an entity that stores all the backups and recovery points you create over time. The
Recovery Services vault also contains the backup policy applied to the protected files and folders. When you
create a Recovery Services vault, you should also select the appropriate storage redundancy option.
To create a Recovery Services vault
1. If you haven't already done so, sign in to the Azure Portal using your Azure subscription.
2. On the Hub menu, click More services and in the list of resources, type Recovery Services and click
If there are recovery services vaults in the subscription, the vaults are listed.
5. In the Subscription section, use the drop-down menu to choose the Azure subscription. If you use only
one subscription, that subscription appears and you can skip to the next step. If you are not sure which
subscription to use, use the default (or suggested) subscription. There are multiple choices only if your
organizational account is associated with multiple Azure subscriptions.
6. In the Resource group section:
select Create new if you want to create a new Resource group. Or
select Use existing and click the drop-down menu to see the available list of Resource groups.
For complete information on Resource groups, see the Azure Resource Manager overview.
7. Click Location to select the geographic region for the vault. This choice determines the geographic region
where your backup data is sent.
8. At the bottom of the Recovery Services vault blade, click Create.
It can take several minutes for the Recovery Services vault to be created. Monitor the status notifications in
the upper right-hand area of the portal. Once your vault is created, it appears in the list of Recovery
Services vaults. If after several minutes you don't see your vault, click Refresh.
Once you see your vault in the list of Recovery Services vaults, you are ready to set the storage
redundancy.
Set storage redundancy
When you first create a Recovery Services vault you determine how storage is replicated.
1. From the Recovery Services vaults blade, click the new vault.
When you select the vault, the Recovery Services vault blade narrows, and the Settings blade (which has
the name of the vault at the top) and the vault details blade open.
2. In the new vault's Settings blade, use the vertical slide to scroll down to the Manage section, and click
Backup Infrastructure.
The Backup Infrastructure blade opens.
3. In the Backup Infrastructure blade, click Backup Configuration to open the Backup Configuration
blade.
4. Choose the appropriate storage replication option for your vault.
By default, your vault has geo-redundant storage. If you use Azure as a primary backup storage endpoint,
continue to use Geo-redundant. If you don't use Azure as a primary backup storage endpoint, then
choose Locally-redundant, which reduces the Azure storage costs. Read more about geo-redundant and
locally redundant storage options in this Storage redundancy overview.
Now that you've created a vault, prepare your infrastructure to back up files and folders by downloading and
installing the Microsoft Azure Recovery Services agent, downloading vault credentials, and then using those
credentials to register the agent with the vault.
Configure the vault

1. On the Recovery Services vault blade (for the vault you just created), in the Getting Started section, click
Backup, then on the Getting Started with Backup blade, select Backup goal.
The Backup Goal blade opens. If the Recovery Services vault has been previously configured, then the
Backup Goal blades opens when you click Backup on the Recovery Services vault blade.
2. From the Where is your workload running? drop-down menu, select On-premises.
You choose On-premises because your Windows Server or Windows computer is a physical machine that
is not in Azure.
3. From the What do you want to backup? menu, select Files and folders, and click OK.
After clicking OK, a checkmark appears next to Backup goal, and the Prepare infrastructure blade
opens.
4. On the Prepare infrastructure blade, click Download Agent for Windows Server or Windows Client.
If you are using Windows Server Essential, then choose to download the agent for Windows Server
Essential. A pop-up menu prompts you to run or save MARSAgentInstaller.exe.
5. In the download pop-up menu, click Save.

By default, the MARSagentinstaller.exe file is saved to your Downloads folder. When the installer
completes, you will see a pop-up asking if you want to run the installer, or open the folder.
You don't need to install the agent yet. You can install the agent after you have downloaded the vault
credentials.
6. On the Prepare infrastructure blade, click Download.
The vault credentials download to your Downloads folder. After the vault credentials finish downloading,
you see a pop-up asking if you want to open or save the credentials. Click Save. If you accidentally click
Open, let the dialog that attempts to open the vault credentials, fail. You cannot open the vault credentials.
Proceed to the next step. The vault credentials are in the Downloads folder.

NOTE
Enabling backup through the Azure portal is not available, yet. Use the Microsoft Azure Recovery Services Agent to back up
your files and folders.
1. Locate and double-click the MARSagentinstaller.exe from the Downloads folder (or other saved
location).
The installer provides a series of messages as it extracts, installs, and registers the Recovery Services agent.
2. Complete the Microsoft Azure Recovery Services Agent Setup Wizard. To complete the wizard, you need
to:
Choose a location for the installation and cache folder.
Provide your proxy server info if you use a proxy server to connect to the internet.
Provide your user name and password details if you use an authenticated proxy.
Provide the downloaded vault credentials
Save the encryption passphrase in a secure location.
NOTE
If you lose or forget the passphrase, Microsoft cannot help recover the backup data. Save the file in a secure
location. It is required to restore a backup.
The agent is now installed and your machine is registered to the vault. You're ready to configure and schedule
your backup.
Network and Connectivity Requirements

If your machine/proxy has limited internet access, ensure that firewall settings on the machine/proxy are
configured to allow the following URLs:
1. www.msftncsi.com
2. *.Microsoft.com
3. *.WindowsAzure.com
4. *.microsoftonline.com
5. *.windows.ne
Create the backup policy

The backup policy is the schedule when recovery points are taken, and the length of time the recovery points are
retained. Use the Microsoft Azure Backup agent to create the backup policy for files and folders.
To create a backup schedule
1. Open the Microsoft Azure Backup agent. You can find it by searching your machine for Microsoft Azure
Backup.
2. In the Backup agent's Actions pane, click Schedule Backup to launch the Schedule Backup Wizard.
3. On the Getting started page of the Schedule Backup Wizard, click Next.
4. On the Select Items to Backup page, click Add Items.
The Select Items dialog opens.
5. Select the files and folders that you want to protect, and then click OK.
6. In the Select Items to Backup page, click Next.
7. On the Specify Backup Schedule page, specify the backup schedule and click Next.
You can schedule daily (at a maximum rate of three times per day) or weekly backups.
NOTE
For more information about how to specify the backup schedule, see the article Use Azure Backup to replace your
tape infrastructure.
8. On the Select Retention Policy page, choose the specific retention policies the for the backup copy and
click Next.
The retention policy specifies the duration which the backup is stored. Rather than just specifying a flat
policy for all backup points, you can specify different retention policies based on when the backup occurs.
You can modify the daily, weekly, monthly, and yearly retention policies to meet your needs.
9. On the Choose Initial Backup Type page, choose the initial backup type. Leave the option Automatically
over the network selected, and then click Next.
You can back up automatically over the network, or you can back up offline. The remainder of this article
describes the process for backing up automatically. If you prefer to do an offline backup, review the article
Offline backup workflow in Azure Backup for additional information.
Enable network throttling
The Microsoft Azure Backup agent provides network throttling. Throttling controls how network bandwidth is
used during data transfer. This control can be helpful if you need to back up data during work hours but do not
want the backup process to interfere with other Internet traffic. Throttling applies to back up and restore activities.
NOTE
Network throttling is not available on Windows Server 2008 R2 SP1, Windows Server 2008 SP2, or Windows 7 (with service
packs). The Azure Backup network throttling feature engages Quality of Service (QoS) on the local operating system.
Though Azure Backup can protect these operating systems, the version of QoS available on these platforms doesn't work
with Azure Backup network throttling. Network throttling can be used on all other supported operating systems.
To enable network throttling

1. In the Microsoft Azure Backup agent, click Change Properties.
2. On the Throttling tab, select the Enable internet bandwidth usage throttling for backup operations
check box.
3. After you have enabled throttling, specify the allowed bandwidth for backup data transfer during Work
hours and Non-work hours.
The bandwidth values begin at 512 kilobits per second (Kbps) and can go up to 1,023 megabytes per
second (MBps). You can also designate the start and finish for Work hours, and which days of the week
are considered work days. Hours outside of designated work hours are considered non-work hours.
4. Click OK.
To back up files and folders for the first time
1. In the backup agent, click Back Up Now to complete the initial seeding over the network.
2. On the Confirmation page, review the settings that the Back Up Now Wizard will use to back up the machine.
Then click Back Up.
3. Click Close to close the wizard. If you do this before the backup process finishes, the wizard continues to run
in the background.
After the initial backup is completed, the Job completed status appears in the Backup console.
Questions?
Next steps
For additional information about backing up VMs or other workloads, see:
Now that you've backed up your files and folders, you can manage your vaults and servers.
If you need to restore a backup, use this article to restore files to a Windows machine.
Back up Windows system state in Resource Manager
deployment
This article explains how to back up your Windows Server system state to Azure. It's a tutorial intended to walk you
through the basics.
If you want to know more about Azure Backup, read this overview.
If you don't have an Azure subscription, create a free account that lets you access any Azure service.

To back up your files and folders, you need to create a Recovery Services vault in the region where you want to
store the data. You also need to determine how you want your storage replicated.
To create a Recovery Services vault
1. If you haven't already done so, sign in to the Azure Portal using your Azure subscription.
2. On the Hub menu, click More services and in the list of resources, type Recovery Services and click
If there are recovery services vaults in the subscription, the vaults are listed.
5. In the Subscription section, use the drop-down menu to choose the Azure subscription. If you use only one
subscription, that subscription appears and you can skip to the next step. If you are not sure which
subscription to use, use the default (or suggested) subscription. There are multiple choices only if your
organizational account is associated with multiple Azure subscriptions.
6. In the Resource group section:
select Create new if you want to create a Resource group. Or
select Use existing and click the drop-down menu to see the available list of Resource groups.
For complete information on Resource groups, see the Azure Resource Manager overview.
7. Click Location to select the geographic region for the vault. This choice determines the geographic region
where your backup data is sent.
8. At the bottom of the Recovery Services vault blade, click Create.
It can take several minutes for the Recovery Services vault to be created. Monitor the status notifications in
the upper right-hand area of the portal. Once your vault is created, it appears in the list of Recovery Services
vaults. If after several minutes you don't see your vault, click Refresh.
Once you see your vault in the list of Recovery Services vaults, you are ready to set the storage redundancy.
Set storage redundancy for the vault
When you create a Recovery Services vault, make sure storage redundancy is configured the way you want.
1. From the Recovery Services vaults blade, click the new vault.
When you select the vault, the Recovery Services vault blade narrows, and the Settings blade (which has
the name of the vault at the top) and the vault details blade open.
2. In the new vault's Settings blade, use the vertical slide to scroll down to the Manage section, and click Backup
Infrastructure. The Backup Infrastructure blade opens.
3. In the Backup Infrastructure blade, click Backup Configuration to open the Backup Configuration blade.
4. Choose the appropriate storage replication option for your vault.

By default, your vault has geo-redundant storage. If you use Azure as a primary backup storage endpoint,
continue to use Geo-redundant. If you don't use Azure as a primary backup storage endpoint, then choose
Locally-redundant, which reduces the Azure storage costs. Read more about geo-redundant and locally
redundant storage options in this Storage redundancy overview.
Now that you've created a vault, configure it for backing up Windows System State.
Configure the vault

1. On the Recovery Services vault blade (for the vault you just created), in the Getting Started section, click
Backup, then on the Getting Started with Backup blade, select Backup goal.
The Backup Goal blade opens.

2. From the Where is your workload running? drop-down menu, select On-premises.
You choose On-premises because your Windows Server or Windows computer is a physical machine that is
not in Azure.
3. From the What do you want to backup? menu, select System State, and click OK.
After clicking OK, a checkmark appears next to Backup goal, and the Prepare infrastructure blade opens.
4. On the Prepare infrastructure blade, click Download Agent for Windows Server or Windows Client.
If you are using Windows Server Essential, then choose to download the agent for Windows Server Essential.
A pop-up menu prompts you to run or save MARSAgentInstaller.exe.
5. In the download pop-up menu, click Save.

By default, the MARSagentinstaller.exe file is saved to your Downloads folder. When the installer
completes, you will see a pop-up asking if you want to run the installer, or open the folder.
You don't need to install the agent yet. You can install the agent after you have downloaded the vault
credentials.
6. On the Prepare infrastructure blade, click Download.
The vault credentials download to your Downloads folder. After the vault credentials finish downloading, you
see a pop-up asking if you want to open or save the credentials. Click Save. If you accidentally click Open, let
the dialog that attempts to open the vault credentials, fail. You cannot open the vault credentials. Proceed to
the next step. The vault credentials are in the Downloads folder.

NOTE
Enabling backup through the Azure portal is not available, yet. Use the Microsoft Azure Recovery Services Agent to back up
Windows Server System State.
1. Locate and double-click the MARSagentinstaller.exe from the Downloads folder (or other saved location).
The installer provides a series of messages as it extracts, installs, and registers the Recovery Services agent.
2. Complete the Microsoft Azure Recovery Services Agent Setup Wizard. To complete the wizard, you need to:
Choose a location for the installation and cache folder.
Provide your proxy server info if you use a proxy server to connect to the internet.
Provide your user name and password details if you use an authenticated proxy.
Provide the downloaded vault credentials
Save the encryption passphrase in a secure location.
NOTE
If you lose or forget the passphrase, Microsoft cannot help recover the backup data. Save the file in a secure
location. It is required to restore a backup.
The agent is now installed and your machine is registered to the vault. You're ready to configure and schedule your
backup.
Back up Windows Server System State (Preview)

The initial backup includes three tasks:
Enable System State Backup using the Azure Backup agent
Schedule the backup
Back up files and folders for the first time
To complete the initial backup, use the Microsoft Azure Recovery Services agent.
To enable System State backup using the Azure Backup agent
1. In a PowerShell session, run the following command to stop the Azure Backup engine.
2. Open the Windows Registry.
PS C:\> regedit.exe
3. Add the following registry key with the specified DWord Value.
REGISTRY PATH REGISTRY KEY DWORD VALUE
HKEY_LOCAL_MACHINE\SOFTWARE\ TurnOffSSBFeature 2
Microsoft\Windows Azure
Backup\Config\CloudBackupProvider
4. Restart the Backup engine by executing the following command in an elevated command prompt.
To schedule the backup job

1. Open the Microsoft Azure Recovery Services agent. You can find it by searching your machine for Microsoft
Azure Backup.
2. In the Recovery Services agent, click Schedule Backup.
5. Select System State and then click OK.
6. Click Next.
7. The System State Backup and Retention schedule is automatically set to back up every Sunday at 9:00 PM
local time, and the retention period is set to 60 days.
NOTE
System State backup and retention policy is automatically configured. If you back up Files and Folders in addition to
the Windows Server System State, specify only the Backup and Retention policy for file backups from the wizard.
To back up Windows Server System State for the first time
1. Make sure there are no pending updates for Windows Server that require a reboot.
2. In the Recovery Services agent, click Back Up Now to complete the initial seeding over the network.
Then click Back Up.
4. Click Close to close the wizard. If you close the wizard before the backup process finishes, the wizard
continues to run in the background.
5. If you back up Files and Folders on your server, in addition to the Windows Server System State, the Backup
Now wizard will only back up files. To perform an ad hoc System State back up, use the following
PowerShell command:
PS C:\> Start-OBSystemStateBackup

The following questions and answers provide supplementary information.
What is the Staging Volume?
The Staging Volume represents the intermediate location where the natively available, Windows Server Backup
stages the System State Backup. Azure Backup agent then compresses and encrypts this intermediate backup and
sends it via secure HTTPS Protocol to the configured Recovery Services Vault. We strongly recommended you
establish the Staging Volume in a non-Windows-OS volume. If you observe problems with System State
Backups, checking the location of your Staging Volume is the first troubleshooting step.
How can I change the Staging Volume Path specified in the Azure Backup agent?
The Staging Volume is located in the cache folder by default.
1. To change this location, use the following command (in an elevated command prompt):

2. Then update the following registry entries with the path to the new Staging Volume folder.
REGISTRY PATH REGISTRY KEY VALUE
HKEY_LOCAL_MACHINE\Software\Mi SSBStagingPath new staging volume location

crosoft\Windows Azure
Backup\Config\CloudBackupProvider
The Staging Path is case sensitive and must be the exact same casing as what exists on the server.
1. Once you change the Staging volume path, restart the Backup engine: PS C:\> Net start obengine
2. To pick up the changed path, open the Microsoft Azure Recovery Services agent and trigger an ad hoc backup of
System State.
Why is the System State default retention set to 60 days?
The useful life of a system state backup is the same as the "tombstone lifetime" setting for the Windows Server
Active Directory role. The default value for the tombstone lifetime entry is 60 days. This value can be set on the
Directory Service (NTDS) config object.
How do I change the default Backup and Retention Policy for System State?
To change the default Backup and Retention Policy for System State:
1. Stop the Backup engine. Run the following command from an elevated command prompt.
2. Add or update the following registry key entries in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

Azure Backup\Config\CloudBackupProvider.
REGISTRY NAME DESCRIPTION VALUE
SSBScheduleTime Used to configure the time of the DWord: Format HHMM (Decimal) for
backup. Default is 9PM local time. example 2130 for 9:30PM local time
SSBScheduleDays Used to configure the days when DWord: days of the week to run
System State Backup must be backup (decimal) for example 1230
performed at the specified time. schedules backups on Monday,
Individual digits specify days of the Tuesday, Wednesday, and Sunday.
week. 0 represents Sunday, 1 is
Monday, and so on. Default day for
backup is Sunday.
SSBRetentionDays Used to configure the days to retain DWord: Days to retain backup
backup. Default value is 60. (decimal).
Maximum allowed value is 180.
3. Use the following command to restart the backup engine.
4. Open the Microsoft Recovery Services agent.

5. Click Schedule Backup and then click Next until you see the changes reflected.
6. Click Finish to apply the changes.
Questions?
Next steps
Get more details about backing up Windows machines.
Now that you've backed up your files and folders, you can manage your vaults and servers.
If you need to restore a backup, use this article to restore files to a Windows machine.
Restore files to a Windows server or Windows client
machine using Resource Manager deployment
model
This article explains how to restore data from a backup vault. To restore data, you use the Recover Data wizard in
the Microsoft Azure Recovery Services (MARS) agent. When you restore data, it is possible to:
Restore data to the same machine from which the backups were taken.
Restore data to an alternate machine.
In January 2017, Microsoft released a Preview update to the MARS agent. Along with bug fixes, this update
enables Instant Restore, which allows you to mount a writeable recovery point snapshot as a recovery volume.
You can then explore the recovery volume and copy files to a local computer thereby selectively restoring files.
NOTE
The January 2017 Azure Backup update is required if you want to use Instant Restore to restore data. Also the backup data
must be protected in vaults in locales listed in the support article. Consult the January 2017 Azure Backup update for the
latest list of locales that support Instant Restore. Instant Restore is not currently available in all locales.
Instant Restore is available for use in Recovery Services vaults in the Azure portal and Backup vaults in the classic
portal. If you want to use Instant Restore, download the MARS update, and follow the procedures that mention
Instant Restore.
NOTE
Azure has two different deployment models for creating and working with resources: Resource Manager and classic. This
article covers using the Resource Manager deployment model, which Microsoft recommends for new deployments instead
of the classic deployment model.
Use Instant Restore to recover data to the same machine

If you accidentally deleted a file and wish to restore it to the same machine (from which the backup is taken), the
following steps will help you recover the data.
1. Open the Microsoft Azure Backup snap in. If you don't know where the snap in was installed, search the
computer or server for Microsoft Azure Backup.
The desktop app should appear in the search results.
2. Click Recover Data to start the wizard.
3. On the Getting Started pane, to restore the data to the same server or computer, select This server (
<server name> ) and click Next.
4. On the Select Recovery Mode pane, choose Individual files and folders and then click Next.
5. On the Select Volume and Date pane, select the volume that contains the files and/or folders you want to
restore.
On the calendar, select a recovery point. You can restore from any recovery point in time. Dates in bold
indicate the availability of at least one recovery point. Once you select a date, if multiple recovery points are
available, choose the specific recovery point from the Time drop-down menu.
6. Once you have chosen the recovery point to restore, click Mount.
Azure Backup mounts the local recovery point, and uses it as a recovery volume.
7. On the Browse and Recover Files pane, click Browse to open Windows Explorer and find the files and
folders you want.
8. In Windows Explorer, copy the files and/or folders you want to restore and paste them to any location local
to the server or computer. You can open or stream the files directly from the recovery volume and verify
the correct versions are recovered.
9. When you are finished restoring the files and/or folders, on the Browse and Recovery Files pane, click
Unmount. Then click Yes to confirm that you want to unmount the volume.
IMPORTANT
If you do not click Unmount, the Recovery Volume will remain mounted for 6 hours from the time when it was
mounted. However, the mount time is extended upto a maximum of 24 hours in case of an ongoing file-copy. No
backup operations will run while the volume is mounted. Any backup operation scheduled to run during the time
when the volume is mounted, will run after the recovery volume is unmounted.
Use Instant Restore to restore data to an alternate machine

If your entire server is lost, you can still recover data from Azure Backup to a different machine. The following
steps illustrate the workflow.
The terminology used in these steps includes:
Source machine The original machine from which the backup was taken and which is currently unavailable.
Target machine The machine to which the data is being recovered.
Sample vault The Recovery Services vault to which the Source machine and Target machine are registered.
NOTE
Backups can't be restored to a target machine running an earlier version of the operating system. For example, a backup
taken from a Windows 7 computer can be restored on a Windows 8, or later, computer. A backup taken from a Windows 8
computer cannot be restored to a Windows 7 computer.
1. Open the Microsoft Azure Backup snap in on the Target machine.

2. Ensure the Target machine and the Source machine are registered to the same Recovery Services vault.
3. Click Recover Data to open the Recover Data wizard.
4. On the Getting Started pane, select Another server
5. Provide the vault credential file that corresponds to the Sample vault, and click Next.
If the vault credential file is invalid (or expired), download a new vault credential file from the Sample vault
in the Azure portal. Once you provide a valid vault credential, the name of the corresponding Backup Vault
appears.
6. On the Select Backup Server pane, select the Source machine from the list of displayed machines and
provide the passphrase. Then click Next.
7. On the Select Recovery Mode pane, select Individual files and folders and click Next.
restore.
9. Click Mount to locally mount the recovery point as a recovery volume on your Target machine.
folders you want.
11. In Windows Explorer, copy the files and/or folders from the recovery volume and paste them to your
Target machine location. You can open or stream the files directly from the recovery volume and verify the
correct versions are recovered.
IMPORTANT
If you do not click Unmount, the Recovery Volume will remain mounted for 6 hours from the time when it was
mounted. However, the mount time is extended upto a maximum of 24 hours in case of an ongoing file-copy. No
backup operations will run while the volume is mounted. Any backup operation scheduled to run during the time
when the volume is mounted, will run after the recovery volume is unmounted.
Troubleshooting
If Azure Backup does not successfully mount the recovery volume even after several minutes of clicking Mount or
fails to mount the recovery volume with one or more errors, follow the steps below to begin recovering normally.
1. Cancel the ongoing mount process in case it has been running for several minutes.
2. Ensure that you are on the latest version of the Azure Backup agent. To find out the version information of
Azure Backup agent, click on About Microsoft Azure Recovery Services Agent on the Actions pane of
Microsoft Azure Backup console and ensure that the Version number is equal to or higher than the version
mentioned in this article. You can download the latest version from here
3. Go to Device Manager -> Storage Controllers and ensure that you can locate Microsoft iSCSI Initiator.
If you can locate it, directly go to step 7 below.
4. If you cannot locate Microsoft iSCSI Initiator service as mentioned in step 3, check to see if you can find an
entry under Device Manager -> Storage Controllers called Unknown Device with Hardware ID
ROOT\ISCSIPRT.
5. Right click on Unknown Device and select Update Driver Software.
6. Update the driver by selecting the option to Search automatically for updated driver software.
Completion of the update should change Unknown Device to Microsoft iSCSI Initiator as shown below.
7. Go to Task Manager -> Services (Local) -> Microsoft iSCSI Initiator Service.
8. Restart the Microsoft iSCSI Initiator service by right-clicking on the service, clicking on Stop and further
right clicking again and clicking on Start.
9. Retry recovering using Instant Restore.
If the recovery still fails, reboot your server/client. If a reboot is not desirable or the recovery still fails even after
rebooting the server, try recovering from an Alternate Machine, and contact Azure Support by going to Azure
Portal and submitting a support request.
Next steps
Now that you've recovered your files and folders, you can manage your backups.
Restore System State to Windows Server
This article explains how to restore Windows Server System State backups from an Azure Recovery Services vault.
To restore System State, you must have a System State backup (created using the instructions in Back up System
State), and make sure you have installed the latest version of the Microsoft Azure Recovery Services (MARS) agent.
Recovering Windows Server System State data from an Azure Recovery Services vault is a two-step process:
1. Restore System State as files from Azure Backup. When restoring System State as files from Azure Backup,
you can either:
Restore System State to the same server where the backups were taken, or
Restore System State file to an alternate server.
2. Apply the restored System State files to a Windows Server.
Recover System State files to the same server

The following steps explain how to roll back your Windows Server configuration to a previous state. Rolling your
server configuration back to a known, stable state, can be extremely valuable. The following steps restore the
server's System State from a Recovery Services vault.
1. Open the Microsoft Azure Backup snap-in. If you don't know where the snap-in was installed, search the
4. On the Select Recovery Mode pane, choose System State and then click Next.
5. On the calendar in Select Volume and Date pane, select a recovery point.
You can restore from any recovery point in time. Dates in bold indicate the availability of at least one
recovery point. Once you select a date, if multiple recovery points are available, choose the specific recovery
point from the Time drop-down menu.
6. Once you have chosen the recovery point to restore, click Next.
7. On the next pane, specify the destination for the recovered System State files and click Browse to open
Windows Explorer and find the files and folders you want. The option, Create copies so that you have
both versions, creates copies of individual files in an existing System State file archive instead of creating
the copy of the entire System State archive.
8. Verify the details of recovery on the Confirmation pane and click Recover.
9. Copy the WindowsImageBackup directory in the Recovery destination to a non-critical volume of the server.
Usually, the Windows OS volume is the critical volume.
10. Once the recovery is successful, follow the steps in the section, Apply restored System State files to the
Windows Server, to complete the System State recovery process.
Recover System State files to an alternate server

If your Windows Server is corrupted or inaccessible, and you want to restore it to a stable state by recovering the
Windows Server System State, you can restore the corrupted server's System State from another server. Use the
following steps to the restore System State on a separate server.
NOTE
Backups taken from one machine cannot be restored to a machine running an earlier version of the operating system. For
example, backups taken from a Windows Server 2016 machine can't be restored to Windows Server 2012 R2. However, the
inverse is possible. You can use backups from Windows Server 2012 R2 to restore Windows Server 2016.
1. Open the Microsoft Azure Backup snap-in on the Target machine.

2. Ensure that the Target machine and the Source machine are registered to the same Recovery Services vault.
3. Click Recover Data to initiate the workflow.
4. Select Another server
5. Provide the vault credential file that corresponds to the Sample vault. If the vault credential file is invalid (or
expired), download a new vault credential file from the Sample vault in the Azure portal. Once the vault
credential file is provided, the Recovery Services vault associated with the vault credential file appears.
6. On the Select Backup Server pane, select the Source machine from the list of displayed machines.
7. On the Select Recovery Mode pane, choose System State and click Next.
8. On the Calendar in the Select Volume and Date pane, select a recovery point. You can restore from any
recovery point in time. Dates in bold indicate the availability of at least one recovery point. Once you select a
date, if multiple recovery points are available, choose the specific recovery point from the Time drop-down
menu.
9. Once you have chosen the recovery point to restore, click Next.
10. On the Select System State Recovery Mode pane, specify the destination where you want System State
files to be recovered, then click Next.
The option, Create copies so that you have both versions, creates copies of individual files in an existing
System State file archive instead of creating the copy of the entire System State archive.
11. Verify the details of recovery on the Confirmation pane, and click Recover.
12. Copy the WindowsImageBackup directory to a non-critical volume of the server (for example D:). Usually the
Windows OS volume is the critical volume.
13. To complete the recovery process, use the following section to apply the restored System State files on a
Windows Server.
Apply restored System State on a Windows Server

Once you have recovered System State as files using Azure Recovery Services Agent, use the Windows Server
Backup utility to apply the recovered System State to Windows Server. The Windows Server Backup utility is
already available on the server. The following steps explain how to apply the recovered System State.
1. Use the following commands to reboot your server in Directory Services Repair Mode. In an elevated
command prompt:
PS C:\> Bcdedit /set safeboot dsrepair

PS C:\> Shutdown /r /t 0
2. After the reboot, open the Windows Server Backup snap-in. If you don't know where the snap-in was
installed, search the computer or server for Windows Server Backup.
The desktop app appears in the search results.
3. In the snap-in, select Local Backup.
4. On the Local Backup console, in the Actions Pane, click Recover to open the Recovery Wizard.
5. Select the option, A backup stored in another location, and click Next.
6. When specifying the location type, select Remote shared folder if your System State backup was recovered
to another server. If your System State was recovered locally, then select Local drives.
7. Enter the path to the WindowsImageBackup directory, or choose the local drive containing this directory (for
example, D:\WindowsImageBackup), recovered as part of the System State files recovery using Azure
Recovery Services Agent and click Next.
8. Select the System State version that you want to restore, and click Next.
9. In the Select Recovery Type pane, select System State and click Next.
10. For the location of the System State Recovery, select Original Location, and click Next.
11. Review the confirmation details, verify the reboot settings, and click Recover to applly the restored System
State files.
Special considerations for System State recovery on Active Directory

server
System State backup includes Active Directory data. Use the following steps to restore Active Directory Domain
Service (AD DS) from its current state to a previous state.
1. Restart the domain controller in Directory Services Restore Mode (DSRM).
2. Follow the steps here to use Windows Server Backup cmdlets to recover AD DS.
Troubleshoot failed System State restore

If the previous process of applying System State does not complete successfully, use the Windows Recovery
Environment (Win RE) to recover your Windows Server. The following steps explain how to recover using Win RE.
Use This option only if Windows Server does not boot normally after a System State restore. The following process
erases non-system data, use caution.
1. Boot your Windows Server into the Windows Recovery Environment (Win RE).
2. Select Troubleshoot from the three available options.
3. From the Advanced Options screen, select Command Prompt and provide the server administrator
username and password.
4. Provide the server administrator username and password.

5. When you open the command prompt in administrator mode, run following command to get the System
State backup versions.
Wbadmin get versions -backuptarget:<Volume where WindowsImageBackup folder is copied>:
6. Run the following command to get all volumes available in the backup.
Wbadmin get items -version:<copy version from above step> -backuptarget:<Backup volume>
7. The following command recovers all volumes that are part of the System State Backup. Note that this step
recovers only the critical volumes that are part of the System State. All non-System data is erased.
Wbadmin start recovery -items:C: -itemtype:Volume -version:<Backupversion> -backuptarget:<backup target

volume>
Next steps
Now that you've recovered your files and folders, you can manage your backups.
Monitor and manage Azure recovery services vaults
and servers for Windows machines
In this article you'll find an overview of the backup monitor and management tasks available through the Azure
portal and the Microsoft Azure Backup agent. This article assumes you already have an Azure subscription and
have created at least one Recovery Services vault.
NOTE
Azure has two different deployment models for creating and working with resources: Resource Manager and classic. This
article covers using the Resource Manager deployment model, which Microsoft recommends for new deployments instead
of the classic deployment model.
Open a Recovery Services vault

The Recovery Services vault dashboard shows you the details or attributes of a Recovery Services vault.
1. Sign in to the Azure Portal using your Azure subscription.
2. On the Hub menu, click More Services.
3. You want to open a Recovery Services vault. In the dialog box, start typing Recovery Services. As you
begin typing, the list will filter based on your input. Click Recovery Services vaults to display the list of
Recovery Services vaults in your subscription.
The list of Recovery Services vaults opens.
4. From the list of vaults, select the name of the Recovery Services vault you want to open. The Recovery
Services vault dashboard blade opens.
Now that you have opened the Recovery Services vault, try any of the monitoring or management tasks.
Monitor backup jobs and alerts

You monitor jobs and alerts from the Recovery Services vault dashboard, where you see:
Backup alerts details
Files and folders, as well as Azure virtual machines protected in the cloud
Total storage consumed in Azure
Backup job status
Clicking the information in each of these tiles will open the associated blade where you manage related tasks.
From the top of the Dashboard:
Settings provides access available backup tasks.
Backup - helps you back up new files and folders (or Azure VMs) to the Recovery Services vault.
Delete - If a recovery services vault is no longer being used, you can delete it to free up storage space. Delete is
only enabled after all protected servers have been deleted from the vault.
Alerts for backups using Azure backup agent:

ALERT LEVEL ALERTS SENT
Critical Backup failure, recovery failure
Warning Backup completed with warnings (when fewer than one

hundred files are not backed up due to corruption issues, and
more than one million files are successfully backed up)
Informational None
Manage Backup alerts
Click the Backup Alerts tile to open the Backup Alerts blade and manage alerts.
The Backup Alerts tile shows you the number of:

critical alerts unresolved in last 24 hours
warning alerts unresolved in last 24 hours
Clicking on each of these links takes you to the Backup Alerts blade with a filtered view of these alerts (critical or
warning).
From the Backup Alerts blade, you:
Choose the appropriate information to include with your alerts.
Filter alerts for severity, status and start/end times.

Configure notifications for severity, frequency and recipients, as well as turn alerts on or off.
If Per Alert is selected as the Notify frequency no grouping or reduction in emails occurs. Every alert results in 1
notification. This is the default setting and the resolution email is also sent out immediately.
If Hourly Digest is selected as the Notify frequency one email is sent to the user telling them that there are
unresolved new alerts generated in the last hour. A resolution email is sent out at the end of the hour.
Alerts can be sent for the following severity levels:
critical
warning
information
You inactivate the alert with the inactivate button in the job details blade. When you click inactivate, you can
provide resolution notes.
You choose the columns you want to appear as part of the alert with the Choose columns button.
NOTE
From the Settings blade, you manage backup alerts by selecting Monitoring and Reports > Alerts and Events >
Backup Alerts and then clicking Filter or Configure Notifications.
Manage Backup items

Managing on-premises backups is now available in the management portal. In the Backup section of the
dashboard, the Backup Items tile shows the number of backup items protected to the vault.
Click File-Folders in the Backup Items tile.
The Backup Items blade opens with the filter set to File-Folder where you see each specific backup item listed.
If you select a specific backup item from the list, you see the essential details for that item.
NOTE
From the Settings blade, you manage files and folders by selecting Protected Items > Backup Items and then selecting
File-Folders from the drop down menu.
Manage Backup jobs
Backup jobs for both on-premises (when the on-premises server is backing up to Azure) and Azure backups are
visible in the dashboard.
In the Backup section of the dashboard, the Backup job tile shows the number of jobs:
in progress
failed in the last 24 hours.
To manage your backup jobs, click the Backup Jobs tile, which opens the Backup Jobs blade.
You modify the information available in the Backup Jobs blade with the Choose columns button at the top of the
page.
Use the Filter button to select between Files and folders and Azure virtual machine backup.
If you don't see your backed up files and folders, click Filter button at the top of the page and select Files and
folders from the Item Type menu.
NOTE
From the Settings blade, you manage backup jobs by selecting Monitoring and Reports > Jobs > Backup Jobs and
then selecting File-Folders from the drop down menu.
Monitor Backup usage

In the Backup section of the dashboard, the Backup Usage tile shows the storage consumed in Azure. Storage
usage is provided for:
Cloud LRS storage usage associated with the vault
Cloud GRS storage usage associated with the vault
Manage your production servers

To manage your production servers, click Settings.
Under Manage click Backup infrastructure > Production Servers.
The Production Servers blade lists of all your available production servers. Click on a server in the list to open the
server details.
Open the Azure Backup agent

Open the Microsoft Azure Backup agent (you find it by searching your machine for Microsoft Azure Backup).
From the Actions available at the right of the backup agent console you perform the following management
tasks:
Register Server
Schedule Backup
Back Up now
Change Properties
NOTE
To Recover Data, see Restore files to a Windows server or Windows client machine.
Modify the backup schedule

1. In the Microsoft Azure Backup agent click Schedule Backup.
2. In the Schedule Backup Wizard leave the Make changes to backup items or times option selected
and click Next.
3. If you want to add or change items, on the Select Items to Backup screen click Add Items.
You can also set Exclusion Settings from this page in the wizard. If you want to exclude files or file types
read the procedure for adding exclusion settings.
4. Select the files and folders you want to back up and click Okay.
5. Specify the backup schedule and click Next.

You can schedule daily (at a maximum of 3 times per day) or weekly backups.
NOTE
Specifying the backup schedule is explained in detail in this article.
6. Select the Retention Policy for the backup copy and click Next.
7. On the Confirmation screen review the information and click Finish.

8. Once the wizard finishes creating the backup schedule, click Close.
After modifying protection, you can confirm that backups are triggering correctly by going to the Jobs tab
and confirming that changes are reflected in the backup jobs.
Enable Network Throttling

The Azure Backup agent provides a Throttling tab which allows you to control how network bandwidth is used
during data transfer. This control can be helpful if you need to back up data during work hours but do not want
the backup process to interfere with other internet traffic. Throttling of data transfer applies to back up and
restore activities.
To enable throttling:
1. In the Backup agent, click Change Properties.
2. On the Throttling tab, select **Enable internet bandwidth usage throttling for backup operations.
Once you have enabled throttling, specify the allowed bandwidth for backup data transfer during Work
The bandwidth values begin at 512 kilobytes per second (Kbps) and can go up to 1023 megabytes per
second (Mbps). You can also designate the start and finish for Work hours, and which days of the week
are considered Work days. The time outside of the designated Work hours is considered to be non-work
hours.
3. Click OK.
Manage exclusion settings

1. Open the Microsoft Azure Backup agent (you can find it by searching your machine for Microsoft Azure
Backup).

3. In the Schedule Backup Wizard leave the Make changes to backup items or times option selected and
click Next.
4. Click Exclusions Settings.

5. Click Add Exclusion.
6. Select the location and then, click OK.

7. Add the file extension in the File Type field.
Adding an .mp3 extension

To add another extension, click Add Exclusion and enter another file type extension (adding a .jpeg
extension).
8. When you've added all the extensions, click OK.

9. Continue through the Schedule Backup Wizard by clicking Next until the Confirmation page, then click
Finish.
Q1. The backup job status shows as completed in the Azure backup agent, why doesn't it get reflected
immediately in portal?
A1. There is at maximum delay of 15 mins between the backup job status reflected in the Azure backup agent and
the Azure portal.
Q.2 When a backup job fails, how long does it take to raise an alert?
A.2 An alert is raised within 20 mins of the Azure backup failure.
Q3. Is there a case where an email wont be sent if notifications are configured?
A3. Below are the cases when the notification will not be sent in order to reduce the alert noise:
If notifications are configured hourly and an alert is raised and resolved within the hour
Job is canceled.
Second backup job failed because original backup job is in progress.
Troubleshooting Monitoring Issues

Issue: Jobs and/or alerts from the Azure Backup agent do not appear in the portal.
Troubleshooting steps: The process, OBRecoveryServicesManagementAgent , sends the job and alert data to the
Azure Backup service. Occasionally this process can become stuck or shutdown.
1. To verify the process is not running, open Task Manager and check if the OBRecoveryServicesManagementAgent
process is running.
2. Assuming that the process is not running, open Control Panel and browse the list of services. Start or
restart Microsoft Azure Recovery Services Management Agent.
For further information, browse the logs at:
<AzureBackup_agent_install_folder>\Microsoft Azure Recovery Services Agent\Temp\GatewayProvider* For
example:
C:\Program Files\Microsoft Azure Recovery Services Agent\Temp\GatewayProvider0.errlog
Next steps
Restore Windows Server or Windows Client from Azure
To learn more about Azure Backup, see Azure Backup Overview
Visit the Azure Backup Forum
Back up a Windows server or workstation to Azure
using the classic portal
This article covers the procedures that you need to follow to prepare your environment and back up a Windows
server (or workstation) to Azure. It also covers considerations for deploying your backup solution. If you're
interested in trying Azure Backup for the first time, this article quickly walks you through the process.
Azure has two different deployment models for creating and working with resources: Resource Manager and
classic. This article covers using the classic deployment model. Microsoft recommends that most new deployments
use the Resource Manager model.
Before you start

To back up a server or client to Azure, you need an Azure account. If you don't have one, you can create a free
account in just a couple of minutes.

To back up files and folders from a server or client, you need to create a backup vault in the geographic region
where you want to store the data.
IMPORTANT
Starting March 2017, you can no longer use the classic portal to create Backup vaults.
Download the vault credential file

The on-premises machine needs to be authenticated with a backup vault before it can back up data to Azure. The
authentication is achieved through vault credentials. The vault credential file is downloaded through a secure
channel from the classic portal. The certificate private key does not persist in the portal or the service.
To download the vault credential file to a local machine
1. In the left navigation pane, click Recovery Services, and then select the backup vault that you created.
2. On the Quick Start page, click Download vault credentials.
The classic portal generates a vault credential by using a combination of the vault name and the current
date. The vault credentials file is used only during the registration workflow and expires after 48 hours.
The vault credential file can be downloaded from the portal.
3. Click Save to download the vault credential file to the Downloads folder of the local account. You can also
select Save As from the Save menu to specify a location for the vault credential file.
NOTE
Make sure the vault credential file is saved in a location that can be accessed from your machine. If it is stored in a file
share or server message block, verify that you have the permissions to access it.
Download, install, and register the Backup agent

After you create the backup vault and download the vault credential file, an agent must be installed on each of your
Windows machines.
To download, install, and register the agent
1. Click Recovery Services, and then select the backup vault that you want to register with a server.
2. On the Quick Start page, click the agent Agent for Windows Server or System Center Data Protection
Manager or Windows client. Then click Save.
3. After the MARSagentinstaller.exe file has downloaded, click Run (or double-click MARSAgentInstaller.exe
from the saved location).
4. Choose the installation folder and cache folder that are required for the agent, and then click Next. The cache
location you specify must have free space equal to at least 5 percent of the backup data.
5. You can continue to connect to the Internet through the default proxy settings. If you use a proxy server to
connect to the Internet, on the Proxy Configuration page, select the Use custom proxy settings check box, and
then enter the proxy server details. If you use an authenticated proxy, enter the user name and password details,
6. Click Install to begin the agent installation. The Backup agent installs .NET Framework 4.5 and Windows
PowerShell (if its not already installed) to complete the installation.
7. After the agent is installed, click Proceed to Registration to continue with the workflow.
8. On the Vault Identification page, browse to and select the vault credential file that you previously
downloaded.
The vault credential file is valid for only 48 hours after its downloaded from the portal. If you encounter an
error on this page (such as Vault credentials file provided has expired), sign in to the portal and download
the vault credential file again.
Ensure that the vault credential file is available in a location that can be accessed by the setup application. If
you encounter access-related errors, copy the vault credential file to a temporary location on the same
machine and retry the operation.
If you encounter a vault credential error such as Invalid vault credentials provided," the file is damaged or
does not have the latest credentials associated with the recovery service. Retry the operation after
downloading a new vault credential file from the portal. This error can also occur if a user clicks the
Download vault credential option several times in quick succession. In this case, only the last vault
credential file is valid.
9. On the Encryption Setting page, you can either generate a passphrase or provide a passphrase (with a minimum
of 16 characters). Remember to save the passphrase in a secure location.
10. Click Finish. The Register Server Wizard registers the server with Backup.
WARNING
If you lose or forget the passphrase, Microsoft cannot help you recover the backup data. You own the encryption
passphrase, and Microsoft does not have visibility into the passphrase that you use. Save the file in a secure location
because it will be required during a recovery operation.
11. After the encryption key is set, leave the Launch Microsoft Azure Recovery Services Agent check box
selected, and then click Close.
Complete the initial backup

The initial backup includes two key tasks:
Creating the backup schedule
Backing up files and folders for the first time
After the backup policy completes the initial backup, it creates backup points that you can use if you need to
recover the data. The backup policy does this based on the schedule that you define.
To schedule the backup
1. Open the Microsoft Azure Backup agent. (It will open automatically if you left the Launch Microsoft Azure
Recovery Services Agent check box selected when you closed the Register Server Wizard.) You can find it
by searching your machine for Microsoft Azure Backup.
2. In the Backup agent, click Schedule Backup.

5. Select the files and folders that you want to back up, and then click Okay.
6. Click Next.
7. On the Specify Backup Schedule page, specify the backup schedule and click Next.
You can schedule daily (at a maximum rate of three times per day) or weekly backups.
NOTE
For more information about how to specify the backup schedule, see the article Use Azure Backup to replace your
tape infrastructure.
8. On the Select Retention Policy page, select the Retention Policy for the backup copy.
The retention policy specifies the duration for which the backup will be stored. Rather than just specifying a
flat policy for all backup points, you can specify different retention policies based on when the backup
occurs. You can modify the daily, weekly, monthly, and yearly retention policies to meet your needs.
9. On the Choose Initial Backup Type page, choose the initial backup type. Leave the option Automatically
over the network selected, and then click Next.
You can back up automatically over the network, or you can back up offline. The remainder of this article
describes the process for backing up automatically. If you prefer to do an offline backup, review the article
Offline backup workflow in Azure Backup for additional information.
Enable network throttling (optional)
The Backup agent provides network throttling. Throttling controls how network bandwidth is used during data
transfer. This control can be helpful if you need to back up data during work hours but do not want the backup
process to interfere with other Internet traffic. Throttling applies to back up and restore activities.
To enable network throttling
2. On the Throttling tab, select the Enable internet bandwidth usage throttling for backup operations
check box.
3. After you have enabled throttling, specify the allowed bandwidth for backup data transfer during Work
The bandwidth values begin at 512 kilobits per second (Kbps) and can go up to 1,023 megabytes per second
(MBps). You can also designate the start and finish for Work hours, and which days of the week are
considered work days. Hours outside of designated work hours are considered non-work hours.
4. Click OK.
To back up now
1. In the Backup agent, click Back Up Now to complete the initial seeding over the network.
Then click Back Up.
3. Click Close to close the wizard. If you do this before the backup process finishes, the wizard continues to run in
the background.
Next steps
Sign up for a free Azure account.
For additional information about backing up VMs or other workloads, see:
Back up IaaS VMs
Back up workloads to Azure with Microsoft Azure Backup Server
Back up workloads to Azure with DPM
Manage Azure Backup vaults and servers using the
classic deployment model
In this article you'll find an overview of the backup management tasks available through the Azure classic portal
and the Microsoft Azure Backup agent.
IMPORTANT
Azure has two different deployment models for creating and working with resources: Resource Manager and Classic. This
article covers using the Classic deployment model. Microsoft recommends that most new deployments use the Resource
Manager model.
IMPORTANT
Management portal tasks

1. Sign in to the Management Portal.
2. Click Recovery Services, then click the name of backup vault to view the Quick Start page.
By selecting the options at the top of the Quick Start page, you can see the available management tasks.
Dashboard
Select Dashboard to see the usage overview for the server. The usage overview includes:
The number of Windows Servers registered to cloud
The number of Azure virtual machines protected in cloud
The total storage consumed in Azure
The status of recent jobs
At the bottom of the Dashboard you can perform the following tasks:
Manage certificate - If a certificate was used to register the server, then use this to update the certificate. If you
are using vault credentials, do not use Manage certificate.
Delete - Deletes the current backup vault. If a backup vault is no longer being used, you can delete it to free up
storage space. Delete is only enabled after all registered servers have been deleted from the vault.
Registered items
Select Registered Items to view the names of the servers that are registered to this vault.
The Type filter defaults to Azure Virtual Machine. To view the names of the servers that are registered to this vault,
select Windows server from the drop down menu.
From here you can perform the following tasks:
Allow Re-registration - When this option is selected for a server you can use the Registration Wizard in the
on-premises Microsoft Azure Backup agent to register the server with the backup vault a second time. You
might need to re-register due to an error in the certificate or if a server had to be rebuilt.
Delete - Deletes a server from the backup vault. All of the stored data associated with the server is deleted
immediately.
Protected items
Select Protected Items to view the items that have been backed up from the servers.
Configure
From the Configure tab you can select the appropriate storage redundancy option. The best time to select the
storage redundancy option is right after creating a vault and before any machines are registered to it.
WARNING
Once an item has been registered to the vault, the storage redundancy option is locked and cannot be modified.
See this article for more information about storage redundancy.
Microsoft Azure Backup agent tasks

Console
Open the Microsoft Azure Backup agent (you can find it by searching your machine for Microsoft Azure Backup).
From the Actions available at the right of the backup agent console you can perform the following management
tasks:
Register Server
Schedule Backup
Back Up now
Change Properties
NOTE
To Recover Data, see Restore files to a Windows server or Windows client machine.
Modify an existing backup

click Next.
3. If you want to add or change items, on the Select Items to Backup screen click Add Items.
You can also set Exclusion Settings from this page in the wizard. If you want to exclude files or file types
read the procedure for adding exclusion settings.
4. Select the files and folders you want to back up and click Okay.
5. Specify the backup schedule and click Next.

You can schedule daily (at a maximum of 3 times per day) or weekly backups.
NOTE
Specifying the backup schedule is explained in detail in this article.
6. Select the Retention Policy for the backup copy and click Next.
7. On the Confirmation screen review the information and click Finish.

8. Once the wizard finishes creating the backup schedule, click Close.
After modifying protection, you can confirm that backups are triggering correctly by going to the Jobs tab
and confirming that changes are reflected in the backup jobs.
Enable Network Throttling
The Azure Backup agent provides a Throttling tab which allows you to control how network bandwidth is used
during data transfer. This control can be helpful if you need to back up data during work hours but do not want the
backup process to interfere with other internet traffic. Throttling of data transfer applies to back up and restore
activities.
To enable throttling:
2. Select the Enable internet bandwidth usage throttling for backup operations checkbox.
3. Once you have enabled throttling, specify the allowed bandwidth for backup data transfer during Work
The bandwidth values begin at 512 kilobytes per second (Kbps) and can go up to 1023 megabytes per
second (Mbps). You can also designate the start and finish for Work hours, and which days of the week are
considered Work days. The time outside of the designated Work hours is considered to be non-work hours.
4. Click OK.
Exclusion settings
1. Open the Microsoft Azure Backup agent (you can find it by searching your machine for Microsoft Azure
Backup).

click Next.
4. Click Exclusions Settings.

5. Click Add Exclusion.
6. Select the location and then, click OK.

7. Add the file extension in the File Type field.
Adding an .mp3 extension

To add another extension, click Add Exclusion and enter another file type extension (adding a .jpeg
extension).
8. When you've added all the extensions, click OK.

9. Continue through the Schedule Backup Wizard by clicking Next until the Confirmation page, then click
Finish.
Next steps
Restore Windows Server or Windows Client from Azure
To learn more about Azure Backup, see Azure Backup Overview
Visit the Azure Backup Forum
Restore files to a Windows server or Windows client
machine using the classic deployment model
This article explains how to recover data from a backup vault and restore it to a server or computer. Starting in
March 2017, you can no longer create backup vaults in the classic portal.
IMPORTANT
To restore data, you use the Recover Data wizard in the Microsoft Azure Recovery Services (MARS) agent. When
you restore data, it is possible to:
Restore data to the same machine from which the backups were taken.
Restore data to an alternate machine.
In January 2017, Microsoft released a Preview update to the MARS agent. Along with bug fixes, this update enables
Instant Restore, which allows you to mount a writeable recovery point snapshot as a recovery volume. You can
then explore the recovery volume and copy files to a local computer thereby selectively restoring files.
NOTE
The January 2017 Azure Backup update is required if you want to use Instant Restore to restore data. Also the backup data
must be protected in vaults in locales listed in the support article. Consult the January 2017 Azure Backup update for the
latest list of locales that support Instant Restore. Instant Restore is not currently available in all locales.
Instant Restore is available for use in Recovery Services vaults in the Azure portal and Backup vaults in the classic
portal. If you want to use Instant Restore, download the MARS update, and follow the procedures that mention
Instant Restore.
Use Instant Restore to recover data to the same machine

1. Open the Microsoft Azure Backup snap in. If you don't know where the snap in was installed, search the
4. On the Select Recovery Mode pane, choose Individual files and folders and then click Next.
restore.
6. Once you have chosen the recovery point to restore, click Mount.
folders you want.
8. In Windows Explorer, copy the files and/or folders you want to restore and paste them to any location local
to the server or computer. You can open or stream the files directly from the recovery volume and verify the
correct versions are recovered.
IMPORTANT
If you do not click Unmount, the Recovery Volume will remain mounted for six hours from the time when it was
mounted. No backup operations will run while the volume is mounted. Any backup operation scheduled to run
during the time when the volume is mounted, will run after the recovery volume is unmounted.
Recover data to the same machine

1. Open the Microsoft Azure Backup snap in.
3. Select the This server (yourmachinename) option to restore the backed up file on the same machine.
4. Choose to Browse for files or Search for files.
Leave the default option if you plan to restore one or more files whose path is known. If you are not sure
about the folder structure but would like to search for a file, pick the Search for files option. For the
purpose of this section, we will proceed with the default option.
5. Select the volume from which you wish to restore the file.
You can restore from any point in time. Dates which appear in bold in the calendar control indicate the
availability of a restore point. Once a date is selected, based on your backup schedule (and the success of a
backup operation), you can select a point in time from the Time drop down.
6. Select the items to recover. You can multi-select folders/files you wish to restore.
7. Specify the recovery parameters.
You have an option of restoring to the original location (in which the file/folder would be overwritten) or
to another location in the same machine.
If the file/folder you wish to restore exists in the target location, you can create copies (two versions of
the same file), overwrite the files in the target location, or skip the recovery of the files which exist in the
target.
It is highly recommended that you leave the default option of restoring the ACLs on the files which are
being recovered.
8. Once these inputs are provided, click Next. The recovery workflow, which restores the files to this machine, will
begin.
Recover to an alternate machine

If your entire server is lost, you can still recover data from Azure Backup to a different machine. The following steps
illustrate the workflow.
Sample vault The Backup vault to which the Source machine and Target machine are registered.
NOTE
Backups taken from a machine cannot be restored on a machine which is running an earlier version of the operating system.
For example, if backups are taken from a Windows 7 machine, it can be restored on a Windows 8 or above machine.
However, the vice-versa does not hold true.

2. Ensure that the Target machine and the Source machine are registered to the same backup vault.
4. Select Another server

5. Provide the vault credential file that corresponds to the Sample vault. If the vault credential file is invalid (or
expired) download a new vault credential file from the Sample vault in the Azure classic portal. Once the vault
credential file is provided, the backup vault against the vault credential file is displayed.
6. Select the Source machine from the list of displayed machines.
7. Select either the Search for files or Browse for files option. For the purpose of this section, we will use the
Search for files option.
8. Select the volume and date in the next screen. Search for the folder/file name you want to restore.
9. Select the location where the files need to be restored.

10. Provide the encryption passphrase that was provided during Source machines registration to Sample vault.
11. Once the input is provided, click Recover, which triggers the restore of the backed up files to the destination
provided.
Use Instant Restore to restore data to an alternate machine

If your entire server is lost, you can still recover data from Azure Backup to a different machine. The following steps
illustrate the workflow.
NOTE
Backups can't be restored to a target machine running an earlier version of the operating system. For example, a backup
taken from a Windows 7 computer can be restored on a Windows 8, or later, computer. A backup taken from a Windows 8
computer cannot be restored to a Windows 7 computer.

2. Ensure the Target machine and the Source machine are registered to the same Recovery Services vault.
3. Click Recover Data to open the Recover Data wizard.
4. On the Getting Started pane, select Another server

5. Provide the vault credential file that corresponds to the Sample vault, and click Next.
If the vault credential file is invalid (or expired), download a new vault credential file from the Sample vault
in the Azure portal. Once you provide a valid vault credential, the name of the corresponding Backup Vault
appears.
6. On the Select Backup Server pane, select the Source machine from the list of displayed machines and
provide the passphrase. Then click Next.
7. On the Select Recovery Mode pane, select Individual files and folders and click Next.
restore.
9. Click Mount to locally mount the recovery point as a recovery volume on your Target machine.
folders you want.
11. In Windows Explorer, copy the files and/or folders from the recovery volume and paste them to your Target
machine location. You can open or stream the files directly from the recovery volume and verify the correct
versions are recovered.
IMPORTANT
If you do not click Unmount, the Recovery Volume will remain mounted for six hours from the time when it was
mounted. No backup operations will run while the volume is mounted. Any backup operation scheduled to run
during the time when the volume is mounted, will run after the recovery volume is unmounted.
Next steps
Azure Backup FAQ
Visit the Azure Backup Forum.
Learn more
Azure Backup Overview
Backup Azure virtual machines
Backup up Microsoft workloads
Recovery Services vaults overview
This article describes the features of a Recovery Services vault. A Recovery Services vault is a storage entity in
Azure that houses data. The data is typically copies of data, or configuration information for virtual machines (VMs),
workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure
services such as IaaS VMs (Linux or Windows) and Azure SQL databases. Recovery Services vaults support System
Center DPM, Windows Server, Azure Backup Server, and more. Recovery Services vaults make it easy to organize
your backup data, while minimizing management overhead.
Within an Azure subscription, you can create up to 25 Recovery Services vaults.
Comparing Recovery Services vaults and Backup vaults

If you still have Backup vaults, they are being auto-upgraded to Recovery Services vaults. By November 2017, all
Backup vaults have been upgraded to Recovery Services vaults.
Recovery Services vaults are based on the Azure Resource Manager model of Azure, whereas Backup vaults were
based on the Azure Service Manager model. When you upgrade a Backup vault to a Recovery Services vault, the
backup data remains intact during and after the upgrade process. Recovery Services vaults provide features not
available for Backup vaults, such as:
Enhanced capabilities to help secure backup data: With Recovery Services vaults, Azure Backup
provides security capabilities to protect cloud backups. The security features ensure you can secure your
backups, and safely recover data, even if production and backup servers are compromised. Learn more
Central monitoring for your hybrid IT environment: With Recovery Services vaults, you can monitor not
only your Azure IaaS VMs but also your on-premises assets from a central portal. Learn more
Role-Based Access Control (RBAC): RBAC provides fine-grained access management control in Azure.
Azure provides various built-in roles, and Azure Backup has three built-in roles to manage recovery points.
Recovery Services vaults are compatible with RBAC, which restricts backup and restore access to the defined
set of user roles. Learn more
Protect all configurations of Azure Virtual Machines: Recovery Services vaults protect Resource
Manager-based VMs including Premium Disks, Managed Disks, and Encrypted VMs. Upgrading a Backup
vault to a Recovery Services vault gives you the opportunity to upgrade your Service Manager-based VMs
to Resource Manager-based VMs. While upgrading the vault, you can retain your Service Manager-based
VM recovery points and configure protection for the upgraded (Resource Manager-enabled) VMs. Learn
more
Instant restore for IaaS VMs: Using Recovery Services vaults, you can restore files and folders from an
IaaS VM without restoring the entire VM, which enables faster restore times. Instant restore for IaaS VMs is
available for both Windows and Linux VMs. Learn more
Managing your Recovery Services vaults in the portal

Creation and management of Recovery Services vaults in the Azure portal is easy because the Backup service is
integrated into the Azure Settings menu. This integration means you can create or manage a Recovery Services
vault in the context of the target service. For example, to view the recovery points for a VM, select it, and click
Backup in the Settings menu. The backup information specific to that VM appears. In the following example,
ContosoVM is the name of the virtual machine. ContosoVM-demovault is the name of the Recovery Services
vault. You don't need to remember the name of the Recovery Services vault that stores the recovery points, you
can access this information from the virtual machine.
If multiple servers are protected using the same Recovery Services vault, it may be more logical to look at the
Recovery Services vault. You can search for all Recovery Services vaults in the subscription, and choose one from
the list.
The following sections contain links to articles that explain how to use a Recovery Services vault in each type of
activity.
Back up data
Back up an Azure VM
Back up Windows Server or Windows workstation
Back up DPM workloads to Azure
Prepare to back up workloads using Azure Backup Server
Manage recovery points
Manage Azure VM backups
Managing files and folders
Restore data from the vault
Recover individual files from an Azure VM
Restore an Azure VM
Secure the vault
Securing cloud backup data in Recovery Services vaults
Next Steps
Use the following articles to:
Back up an IaaS VM
Back up a Windows Server
Upgrade a Backup vault to a Recovery Services
vault
This article explains how to upgrade a Backup vault to a Recovery Services vault. The upgrade process doesn't
impact any running backup jobs, and no backup data is lost. The primary reasons to upgrade a Backup vault to a
Recovery Services vault:
All features of a Backup vault are retained in a Recovery Services vault.
Recovery Services vaults have more features than Backup vaults, including: better security, integrated
monitoring, faster restores and item-level restores.
Manage backup items from an improved, simplified portal.
New features only apply to Recovery Services vaults.
Impact to operations during upgrade

When upgrading a Backup vault to a Recovery Services vault, there is no impact to your data plane operations.
All backup jobs continue as normal, and any active restore jobs continue without interruption. During the
upgrade, management operations incur a short downtime, and you can't protect new items or create adhoc
backups jobs. Restore jobs for IaaS VMs don't run during the upgrade. The vault upgrade takes under an hour to
complete. Once finished, a Recovery Services vault replaces the Backup vault.
Changes to your automation and tool after upgrading

While preparing your infrastructure for the vault upgrade, you must update your existing automation or tooling
to ensure that it continues to work after the upgrade. Consult the PowerShell cmdlets references for the Service
Manager deployment model and the Resource Manager deployment model.
Before you upgrade

Check the following issues before you upgrade your Backup vaults to Recovery Service vaults.
Minimum agent version: To upgrade your vault, make sure the Microsoft Azure Recovery Services (MARS)
agent is at least version 2.0.9083.0. If the MARS agent is older than 2.0.9083.0, update the agent before
starting the upgrade process.
Instance-based billing model: Recovery Service vaults only support the Instance-based billing model. If
you have a backup vault that is using the older Storage-based billing model, convert the billing model during
upgrade.
No on-going backup configuration operations: During upgrade, access to the management plane is
restricted. Complete all management plane actions and then start the upgrade.
Using PowerShell scripts to upgrade your vaults

You can use PowerShell scripts to upgrade your Backup vaults to Recovery Services vaults. Check that you have
the required PowerShell components to trigger the vault upgrade. PowerShell scripts for Backup vaults do not
work for Recovery Services vaults. Prepare your environment to upgrade the vaults:
1. Install or upgrade Windows Management Framework (WMF) to version 5 or above.
2. Install Azure PowerShell MSI.
3. Download the PowerShell script to upgrade your vaults.
Run the PowerShell script
Use the following script to upgrade your vaults. The following sample script has explanations of the parameters.
RecoveryServicesVaultUpgrade-1.0.2.ps1 -SubscriptionID <subscriptionID> -VaultName <vaultname> -
Location <location> -ResourceType BackupVault -TargetResourceGroupName <rgname>
SubscriptionID - The subscription ID number of the vault that is being upgraded.
VaultName - The name of the Backup vault that is being upgraded.
Location - Location of the vault being upgraded.
ResourceType - Use BackupVault.
TargetResourceGroupName - Since you are upgrading the vault to a Resource Manager-based deployment,
specify a Resource Group. You can use an existing Resource Group, or create one by providing a new name. If
you misspell the name of a Resource Group, you may create a new Resource Group. To learn more about
Resource Groups, read this overview about Resource Groups.
NOTE
Resource Group names have constraints. Be sure to follow the guidance; failure to do so could cause vault upgrades to
fail.
Azure US Government customers need to set the environment to AzureUSGovernment while running the script.
Azure China customers need to set the environment to AzureChinaCloud while running the script.
The following code snippet is an example of what your PowerShell command should look like:
RecoveryServicesVaultUpgrade.ps1 -SubscriptionID 53a3c692-5283-4f0a-baf6-49412f5ebefe -VaultName

"TestVault" -Location "Australia East" -ResourceType BackupVault -TargetResourceGroupName "ContosoRG"
You can also run the script without any parameters and you are asked to provide inputs for all required
parameters.
The PowerShell script prompts you to enter your credentials. Enter your credentials twice: once for the Service
Manager account, and a second time for the Resource Manager account.
Pre -requisites checking
Once you have entered your Azure credentials, Azure checks that your environment meets the following
prerequisites:
Minimum agent version - Upgrading Backup vaults to Recovery Services vaults requires the MARS agent
to be at least version 2.0.9083.0. If you have items registered to a Backup vault with an agent earlier than
2.0.9083.0, the prerequisite check fails. If the prerequisite check fails, update the agent and try to upgrade the
vault again. You can download the latest version of the agent from
http://download.microsoft.com/download/F/4/B/F4B06356-150F-4DB0-8AD8-
95B4DB4BBF7C/MARSAgentInstaller.exe.
On-going configuration jobs: If someone is configuring job for a Backup vault set to be upgraded, or
registering an item, the prerequisite check fails. Complete the configuration, or finish registering the item,
and then start the vault upgrade process.
Storage-based billing model: Recovery Services vaults support the Instance-based billing model. If you
run the vault upgrade on a Backup vault that uses the Storage-based billing model, you are prompted to
upgrade your billing model along with the vault. Otherwise, you can update your billing model first, and then
run the vault upgrade.
Identify a Resource Group for the Recovery Services vault. To take advantage of the Resource Manager
deployment features, you must put a Recovery Services vault in a Resource Group. If you don't know which
Resource Group to use, provide a name and the upgrade process creates the Resource Group for you. The
upgrade process also associates the vault with the new Resource Group.
Once the upgrade process finishes checking the pre-requisites, the process prompts you to start the vault
upgrade. After you confirm, the upgrade process typically takes around 15-20 minutes to complete, depending
on the size of your vault. If you have a large vault, upgrading can take up to 90 minutes.
Managing your Recovery Services vaults

The following screens show a new Recovery Services vault, upgraded from Backup vault, in the Azure portal. The
first screen shows the vault dashboard that displays key entities for the vault.
The second screen shows the help links available to help you get started using the Recovery Services vault.
Post-upgrade steps
Recovery Services vault supports specifying time zone information in backup policy. After vault is successfully
upgraded, go to Backup policies from vault settings menu and update the time zone information for each of the
policies configured in the vault. This screen already shows the backup schedule time specified as per local time
zone used when you created policy.
Enhanced security
When a Backup vault is upgraded to a Recovery Services vault, the security settings for that vault are
automatically turned on. When the security settings are on, certain operations such as deleting backups, or
changing a passphrase require an Azure Multi-Factor Authentication PIN. For more information on the
enhanced security, see the article Security features to protect hybrid backups.
When the enhanced security is turned on, data is retained up to 14 days after the recovery point information has
been deleted from the vault. Customers are billed for storage of this security data. Security data retention
applies to recovery points taken for the Azure Backup agent, Azure Backup Server, and System Center Data
Protection Manager.
Gather data on your vault

Once you upgrade to a Recovery Services vault, configure reports for Azure Backup (for IaaS VMs and Microsoft
Azure Recovery Services (MARS)), and use Power BI to access the reports. For additional information on
gathering data, see the article, Configure Azure Backup reports.

Does the upgrade plan affect my ongoing backups?
No. Your ongoing backups continue uninterrupted during and after upgrade.
If I dont plan on upgrading soon, what happens to my vaults?
Since all new features apply only to Recovery Services vaults, we urge you to upgrade your vaults. Microsoft will
eventually deprecate the classic portal. Starting September 1, 2017, Microsoft will begin auto-upgrading backup
vaults to Recovery Services vaults. By November 1, 2017, Microsoft will complete the upgrade process. Your
vault can be automatically upgraded any time during September or October. Microsoft recommends you
upgrade your vault as soon as possible.
What does this upgrade mean for my existing tooling?
Update your tooling to the Resource Manager deployment model. Recovery Services vaults were created for use
in the Resource Manager deployment model. Planning for the Resource Manager deployment model, and
accounting for the difference in your vaults is important.
During the upgrade, is there much downtime?
It depends on the number of resources that are being upgraded. For smaller deployments (a few tens of
protected instances), the whole upgrade should take less than 20 minutes. For larger deployments, it should
take a max of an hour.
Can I roll back after upgrading?
No. Rollback is not supported after the resources have been successfully upgraded.
Can I validate my subscription or resources to see if they're capable of upgrade?
Yes. The first step in upgrade validates that the resources are capable of upgrade. In case the validation of pre-
requisites fails, you receive messages for all the reasons the upgrade cannot be completed.
What permissions should I have to trigger vault upgrade?
To perform the vault upgrade, you must be added as co-administrator for the subscription in the Azure classic
portal. This is required even if you are already listed as owner in the Azure portal. Try to add a co-administrator
for the subscription in Azure classic portal to find out if you are co-administrator for the subscription. If you are
not able to add a co-administrator, contact a service administrator or co-administrator for the subscription, who
can add you as a co-administrator.
Can I upgrade my CSP-based Backup vault?
No. Currently, you cannot upgrade CSP-based backup vaults. We will add support for upgrading CSP-based
Backup vaults in the next releases.
Can I view my classic vault post upgrade?
No. You cannot view or manage your classic vault post upgrade. You will only be able to use the new Azure
portal for all management actions on the vault.
My upgrade failed, but the machine that held the agent requiring updating, doesn't exist anymore.
What do I do in such a case?
If you need to use the store, the backups of this machine for long-term retention, then you will not be able to
upgrade the vault. In future releases we will add support for upgrading such a vault. If you do not need to store
the backups of this machine anymore, then please unregister this machine from the vault and retry the upgrade.
Why can't I see the jobs information for my resources after upgrade?
Monitoring for backups (MARS agent and IaaS) is a new feature that you get when you upgrade your Backup
vault to Recovery Services vault. The monitoring information takes up to 12 hours to sync with the service.
How do I report an issue?
If any portion of the vault upgrade fails, note the OperationId listed in the error. Microsoft Support will
proactively work to resolve the issue. You can reach out to Support or email us at
rsvaultupgrade@service.microsoft.com with your Subscription ID, vault name and OperationId. We will attempt
to resolve the issue as quickly as possible. Do not retry the operation unless explicitly instructed to do so by
Microsoft.
Next steps
Use the following article to:
Back up an IaaS VM
Back up a Windows Server.
Delete a Recovery Services vault
deployments. Because of the expanded capabilities and the information dependencies that must be stored in the
vault, deleting a Backup or Recovery Services vault can be confusing. This article explains how to delete the vaults in
the classic portal and the Azure portal.
DEPLOYMENT TYPE PORTAL VAULT NAME
Classic Classic Backup vault
Resource Manager Azure Recovery Services vault
NOTE
protect classically deployed servers and VMs.
IMPORTANT
In this article, we use the term, vault, to refer to the generic form of the Backup vault or Recovery Services vault. We
use the formal name, Backup vault, or Recovery Services vault, when it is necessary to distinguish between the
vaults.
Deleting a Recovery Services vault

Deleting a Recovery Services vault is a one-step process - provided the vault doesn't contain any resources. Before
you can delete a Recovery Services vault, you must remove or delete all resources in the vault. If you attempt to
delete a vault that contains resources, you get an error like the following image:
Until you have cleared the resources from the vault, clicking Retry produces the same error. If you're stuck on this
error message, click Cancel and use the following steps to delete the resources in the vault.
Removing the items from a vault protecting a VM
If you already have the Recovery Services vault open, skip to the second step.
1. Open the Azure portal, and from the Dashboard open the vault you want to delete.
If you don't have the Recovery Services vault pinned to the Dashboard, on the Hub menu, click More
Services and in the list of resources, type Recovery Services. As you begin typing, the list filters based on
your input. Click Recovery Services vaults.
The list of Recovery Services vaults is displayed. From the list, select the vault you want to delete.
2. In the vault view, look at the Essentials pane. To delete a vault, there cannot be any protected items. If you
see a number other than zero, under either Backup Items or Backup management servers, you must
remove those items before you can delete the vault.
VMs and Files/Folders are considered Backup Items, and are listed in the Backup Items area of the
Essentials pane. A DPM server is listed in the Backup Management Server area of the Essentials pane.
Replicated Items pertain to the Azure Site Recovery service.
3. To begin removing the protected items from the vault, find the items in the vault. In the vault dashboard click
Settings, and then click Backup items to open that blade.
The Backup Items blade has separate lists, based on the Item Type: Azure Virtual Machines or File-Folders
(see image). The default Item Type list shown is Azure Virtual Machines. To view the list of File-Folders items
in the vault, select File-Folders from the drop-down menu.
4. Before you can delete an item from the vault protecting a VM, you must stop the item's backup job and
delete the recovery point data. For each item in the vault, follow these steps:
a. On the Backup Items blade, right-click the item, and from the context menu, select Stop backup.
The Stop Backup blade opens.

b. On the Stop Backup blade, from the Choose an option menu, select Delete Backup Data > type the
name of the item > and click Stop backup.
Type the name of the item, to verify you want to delete it. The Stop Backup button activates once you verify
the item. If you do not see the dialog box to type the name of the backup item, you chose the Retain
Backup Data option.
Optionally, you can provide a reason why you are deleting the data, and add comments. After you click Stop
Backup, allow the delete job to complete before attempting to delete the vault. To verify that the job has
completed, check the Azure Messages .
Once the job is complete, you receive a message stating the backup process was stopped and the backup
data, for that item, was deleted.
c. After deleting an item in the list, on the Backup Items menu, click Refresh to see the remaining items in
the vault.
When there are no items in the list, scroll to the Essentials pane in the Backup vault blade. There shouldn't
be any Backup items, Backup management servers, or Replicated items listed. If items still appear in
the vault, return to step three and choose a different item type list.
5. When there are no more items in the vault toolbar, click Delete.
6. To verify that you want to delete the vault, click Yes.
The vault is deleted and the portal returns to the New service menu.
What if I stopped the backup process but retained the data?

If you stopped the backup process but accidentally retained the data, you must delete the backup data before you
can delete the vault. To delete the backup data:
1. On the Backup Items blade, right-click the item, and on the context menu click Delete backup data.
The Delete Backup Data blade opens.

2. On the Delete Backup Data blade, type the name of the item, and click Delete.
Once you have deleted the data, return to step 4c and continue with the process.
Delete a vault used to protect a DPM server

Before you can delete a vault used to protect a DPM server, you must clear any recovery points that have been
created, and then unregister the server from the vault.
To delete the data associated with a protection group:
1. In the DPM Administrator Console, click Protection > select a protection group > select the Protection
Group Member > and in the tool ribbon, click Remove.
Select the Protection Group Member to activate the Remove button in the tool ribbon. In the example, the
member is dummyvm9. To select multiple members in the protection group, hold down the Ctrl key while
clicking on the members.
The Stop Protection dialog opens.
2. In the Stop Protection dialog, select Delete protected data, and click Stop Protection.
To delete a vault, you must clear, or delete, the vault of protected data. Depending on the number of
recovery points and data in the protection group, it may take anywhere from a few seconds to several
minutes to delete the data. The Stop Protection dialog shows the status when the job has completed.
3. Continue this process for all members in all protection groups.

Remove all protected data and protection groups.
4. After deleting all members from the protection group, switch to the Azure portal. Open the vault dashboard,
and make sure there are no Backup Items, Backup management servers, or Replicated items. On the
vault toolbar, click Delete.
If there are Backup management servers registered to the vault, you can't delete the vault even if there is no
data in the vault. If you deleted the Backup management servers associated with the vault, but there are
servers listed in the Essentials pane, see Find the Backup management servers registered to the vault.
Delete a vault used to protect a Production server

Before you can delete a vault used to protect a Production server, you must delete or unregister the server from the
vault.
To delete the Production server associated with the vault:
1. In the Azure portal, open the vault dashboard and click Settings > Backup Infrastructure > Production
Servers.
The Production Servers blade opens and lists all Production servers in the vault.
2. On the Production Servers blade, right-click on the server, and click Delete.
The Delete blade opens.

3. On the Delete blade, confirm the server name, and click Delete. You must correctly name the server, to
activate the Delete button.
Once the vault is deleted, you receive a message stating the vault has been deleted. After deleting all servers
in the vault, scroll back to the Essentials pane in the vault dashboard.
4. In the vault dashboard, make sure there are no Backup Items, Backup management servers, or Replicated
items. On the vault toolbar, click Delete.
Delete a backup vault in classic portal

The following instructions are for deleting a Backup vault in the classic portal. Before you can delete the Backup
vault, you must delete the recovery points, or backed up items, and remove the registered servers. The registered
servers are the Windows Server, workstation, or virtual machines that were registered to the vault.
1. Open the Classic portal.
2. From the list of backup vaults, select the vault you want to delete.
The vault dashboard opens. Look at the number of Windows Servers and/or Azure virtual machines
associated with the vault. Also, look at the total storage consumed in Azure. Stop all backup jobs and delete
all data before deleting the vault.
3. Click the Protected Items tab, and then click Stop Protection
The Stop protection of 'your vault' dialog appears.
4. In the Stop protection of 'your vault' dialog, check Delete associated backup data and click .
Optionally, you can choose a reason for stopping protection, and provide a comment.
After deleting the items in the vault, the vault will be empty.
5. In the list of tabs, click Registered Items. The Type drop-down menu, enables you to choose the type of
server registered to the vault. The type can be Windows Server or Azure Virtual Machine. In the following
example, select the virtual machine registered to the vault, and click Unregister.
If you want to delete the registration for a Windows Server, from the Type drop-down menu, select
Windows Server, click to refresh the screen, and then click Delete.
6. In the list of tabs, click Dashboard to open that tab. Verify there are no registered servers or Azure virtual
machines protected in the cloud. Also, verify there is no data in storage. Click Delete to delete the vault.
The Delete Backup vault confirmation screen opens. Select an option why you're deleting the vault, and click
.
The vault is deleted, and you return to the classic portal dashboard.
Find the Backup Management servers registered to the vault
If you have multiple servers registered to a vault, it can be difficult to remember them. To see the servers registered
to the vault, and delete them:
1. Open the vault dashboard.
2. In the Essentials pane, click Settings to open that blade.
3. On the Settings blade, click Backup Infrastructure.

4. On the Backup Infrastructure blade, click Backup Management Servers. The Backup Management
Servers blade opens.
5. To delete a server from the list, right-click the name of the server and then click Delete. The Delete blade
opens.
6. On the Delete blade, provide the name of the server. If it is a long name, you can copy and paste it from the list
of Backup Management Servers. Then click Delete.
Troubleshoot Azure virtual machine backup
You can troubleshoot errors encountered while using Azure Backup with information listed in the table below.
Backup
Error: The specified Disk Configuration is not supported
Currently Azure Backup doesnt support disk sizes greater than 1023GB.
If you have disks greater than 1 TB , attach new disks which are less than 1 TB
Then, copy the data from disk greater than 1TB into newly created disk(s) of size less than 1TB.
Ensure that all data has been copied and remove the disks greater than 1TB
Initiate the backup.
ERROR DETAILS WORKAROUND
Could not perform the operation as VM no longer exists. - This happens when the primary VM is deleted, but the backup
Stop protecting virtual machine without deleting backup data. policy continues looking for a VM to back up. To fix this error:
More details at http://go.microsoft.com/fwlink/? 1. Recreate the virtual machine with the same name and
LinkId=808124 same resource group name [cloud service name],
(OR)
2. Stop protecting virtual machine with or without
deleting the backup data. More details
Snapshot operation failed due to no network connectivity on This error is thrown when you deny the outbound internet
the virtual machine - Ensure that VM has network access. For connectivity on the virtual machine. Internet connectivity is
snapshot to succeed, either whitelist Azure datacenter IP required for VM snapshot extension to take a snapshot of
ranges or set up a proxy server for network access. For more underlying disks of the virtual machine. Learn more on how to
details, refer to http://go.microsoft.com/fwlink/? fix snapshot failures due to blocked network access.
LinkId=800034. If you are already using proxy server, make
sure that proxy server settings are configured correctly
VM agent is unable to communicate with the Azure Backup This error is thrown if there is a problem with the VM Agent
Service. - Ensure the VM has network connectivity and the or network access to the Azure infrastructure is blocked in
VM agent is latest and running. For more information, please some way. Learn more about debugging up VM snapshot
refer to http://go.microsoft.com/fwlink/?LinkId=800034 issues.
If the VM agent is not causing any issues, then restart the
VM. At times an incorrect VM state can cause issues, and
restarting the VM resets this "bad state".
VM is in Failed Provisioning State - Please restart the VM and This occurs when one of the extension failures leads VM state
make sure that the VM is in Running or Shut-down state for to be in failed provisioning state. Go to extensions list and see
backup if there is a failed extension, remove it and try restarting the
virtual machine. If all extensions are in running state, check if
VM agent service is running. If not, restart the VM agent
service.
VMSnapshot extension operation failed for managed disks - This error when Azure Backup service fails to trigger a
Please retry the backup operation. If the issue repeats, follow snapshot. Learn more about debugging VM snapshot issues.
the instructions at 'http://go.microsoft.com/fwlink/?
LinkId=800034'. If it fails further, please contact Microsoft
support
Could not copy the snapshot of the virtual machine, due to In case of premium VMs, we copy the snapshot to storage
insufficient free space in the storage account - Ensure that account. This is to make sure that backup management traffic,
storage account has free space equivalent to the data present which works on snapshot, doesn't limit the number of IOPS
on the premium storage disks attached to the virtual machine available to the application using premium disks. Microsoft
recommends you allocate only 50% of the total storage
account space so the Azure Backup service can copy the
snapshot to storage account and transfer data from this
copied location in storage account to the vault.
Unable to perform the operation as the VM agent is not This error is thrown if there is a problem with the VM Agent
responsive or network access to the Azure infrastructure is blocked in
some way. For Windows VMs, check the VM agent service
status in services and whether the agent appears in programs
in control panel. Try removing the program from control
panel and re-installing the agent as mentioned below. After
re-installing the agent, trigger an adhoc backup to verify.
Recovery services extension operation failed. - Please make This error is thrown when VM agent is out of date. Refer
sure that latest virtual machine agent is present on the virtual Updating the VM Agent section below to update the VM
machine and agent service is running. Please retry backup agent.
operation and if it fails, contact Microsoft support.
Virtual machine doesn't exist. - Please make sure that virtual This happens when the primary VM is deleted but the backup
machine exists or select a different virtual machine. policy continues to look for a VM to perform backup. To fix
this error:
1. Recreate the virtual machine with the same name and
same resource group name [cloud service name],
(OR)
2. Stop protecting the virtual machine without deleting
the backup data. More details
Command execution failed. - Another operation is currently in An existing backup on the VM is running, and a new job
progress on this item. Please wait until the previous operation cannot be started while the existing job is running.
is completed, and then retry
Copying VHDs from the backup vault timed out - Please retry This happens if there is a transient error on storage side or if
the operation in a few minutes. If the problem persists, backup service is not getting sufficient IOPS from storage
contact Microsoft Support. account hosting the VM in order to transfer data within
timeout period to vault. Make sure that you followed Best
practices while setting up backup. Try moving VM to a
different storage account which is not loaded and retry
backup.
Backup failed with an internal error - Please retry the You can get this error for 2 reasons:
operation in a few minutes. If the problem persists, contact 1. There is a transient issue in accessing the VM storage.
Microsoft Support Please check Azure Status to see if there is any on-
going issue related to compute, storage, or
networking in the region. Then retry the backup job
once the issue is resolved.
2. The original VM has been deleted and therefore, the
recovery point cannot be taken. To keep the backup
data for a deleted VM, but remove the backup errors:
Unprotect the VM and choose the option to keep the
data. This action stops the scheduled backup job and
the recurring error messages.
Failed to install the Azure Recovery Services extension on the 1. Check if the VM agent has been installed correctly.
selected item - The VM agent is a prerequisite for the Azure 2. Ensure the flag on the VM config is set correctly.
Recovery Services Extension. Install the Azure VM agent and
restart the registration operation Read more about installing the VM agent, and how to
validate the VM agent installation.
Extension installation failed with the error "COM+ was unable This usually means that the COM+ service is not running.
to talk to the Microsoft Distributed Transaction Coordinator Contact Microsoft support for help on fixing this issue.
Snapshot operation failed with the VSS operation error "This Turn off BitLocker for all drives on the VM and observe if the
drive is locked by BitLocker Drive Encryption. You must VSS issue is resolved
unlock this drive from the Control Panel.
VM is not in a state that allows backups. Check if VM is in a transient state between Running
and Shut down. If it is, wait for the VM state to be one
of them and trigger backup again.
If the VM is a Linux VM and uses [Security Enhanced
Linux] kernel module, you need to exclude the Linux
Agent path(/var/lib/waagent) from security policy to
make sure backup extension gets installed.
Azure Virtual Machine Not Found. This happens when the primary VM is deleted but the backup
policy continues to look for a VM to perform back up. To fix
this error:
1. Recreate the virtual machine with the same name and
same resource group name [cloud service name],
(OR)
2. Disable protection for this VM so the backup jobs will
not be created.
Virtual machine agent is not present on the virtual machine - Read more about VM agent installation, and how to validate
Please install any prerequisite and the VM agent, and then the VM agent installation.
restart the operation.
Snapshot operation failed due to VSS Writers in bad state You need to restart VSS(Volume Shadow copy Service) writers
that are in bad state. To achieve this, from an elevated
command prompt, run vssadmin list writers. Output contains
all VSS writers and their state. For every VSS writer whose
state is not "[1] Stable", restart VSS writer by running
following commands from an elevated command prompt:
net stop serviceName
net start serviceName
Snapshot operation failed due to a parsing failure of the This happens due to changed permissions on the
configuration MachineKeys directory:
%systemdrive%\programdata\microsoft\crypto\rsa\machine
keys
Please run below command and verify that permissions on
MachineKeys directory are default-ones:
icacls
%systemdrive%\programdata\microsoft\crypto\rsa\machine
keys
Default permissions are:

Everyone:(R,W)
BUILTIN\Administrators:(F)
If you see permissions on MachineKeys directory different

than default, please follow below steps to correct permissions,
delete the certificate and trigger the backup.
1. Fix permissions on MachineKeys directory.
Using Explorer Security Properties and Advanced
Security Settings on the directory, reset permissions
back to the default values, remove any extra (than
default) user object from the directory, and ensure
that the Everyone permissions had special access for:
-List folder / read data
-Read attributes
-Read extended attributes
-Create files / write data
-Create folders / append data
-Write attributes
-Write extended attributes
-Read permissions
2. Delete all certificates with field Issued To = "Windows

Azure Service Management for Extensions" or
"Windows Azure CRP Certificate Generator.
Open Certificates(Local computer) console
Delete all certificates (under Personal ->
Certificates) with field Issued To = "Windows
Azure Service Management for Extensions" or
"Windows Azure CRP Certificate Generator.
3. Trigger VM backup.
Validation failed as virtual machine is encrypted with BEK Virtual machine should be encrypted using both BitLocker
alone. Backups can be enabled only for virtual machines Encryption Key and Key Encryption Key. After that, backup
encrypted with both BEK and KEK. should be enabled.
Azure Backup Service does not have sufficient permissions to Backup service should be provided these permissions in
Key Vault for Backup of Encrypted Virtual Machines. PowerShell using steps mentioned in Enable Backup section
of PowerShell documentation.
Installation of snapshot extension failed with error - COM+ Please try to start windows service "COM+ System
was unable to talk to the Microsoft Distributed Transaction Application" (from an elevated command prompt - net start
Coordinator COMSysApp).
If it fails while starting, please follow below steps:
1. Validate that the Logon account of service "Distributed
Transaction Coordinator" is "Network Service". If it is
not, please change it to "Network Service", restart this
service and then try to start service "COM+ System
Application".'
2. If it still fails to start, uninstall/install service
"Distributed Transaction Coordinator" by following
below steps:
- Stop the MSDTC service
- Open a command prompt (cmd)
- Run command msdtc -uninstall
- Run command msdtc -install
- Start the MSDTC service
3. Start windows service "COM+ System Application" and
after it is started, trigger backup from portal.
Snapshot operation failed due to COM+ error The recommended action is to restart windows service
"COM+ System Application" (from an elevated command
prompt - net start COMSysApp). If the issue persists, restart
the VM. If restarting the VM doesn't help, try removing the
VMSnapshot Extension and trigger the backup manually.
Failed to freeze one or more mount-points of the VM to take Use the following steps:
a file-system consistent snapshot 1. Check the file-system state of all mounted devices
using 'tune2fs' command.
Eg: tune2fs -l /dev/sdb1 | grep "Filesystem state"
2. Unmount the devices for which filesystem state is not
clean using 'umount' command
3. Run FileSystemConsistency Check on these devices
using 'fsck' command
4. Mount the devices again and try backup.
Snapshot operation failed due to failure in creating secure 1. Open Registry Editor by running regedit.exe in an
network communication channel elevated mode.
2. Identify all versions of .NetFramework present in
system. They are present under the hierarchy of
registry key
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"
3. For each .NetFramework present in registry key, add
following key:
"SchUseStrongCrypto"=dword:00000001
Snapshot operation failed due to failure in installation of Navigate to

Visual C++ Redistributable for Visual Studio 2012 C:\Packages\Plugins\Microsoft.Azure.RecoveryServices.VMSna
pshot\agentVersion and install vcredist2012_x64. Make sure
that registry key value for allowing this service installation is
set to correct value i.e. value of registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Msiserver is set to 3 and not 4. If you are still facing issues
with installation, restart installation service by running
MSIEXEC /UNREGISTER followed by MSIEXEC /REGISTER from
an elevated command prompt.
Jobs
Cancellation is not supported for this job type - Please wait None
until the job completes.
The job is not in a cancelable state - Please wait until the job In all likelihood, the job is almost completed. Please wait until
completes. the job is completed.
OR
The selected job is not in a cancelable state - Please wait for
the job to complete.
Cannot cancel the job because it is not in progress - This happens due to a transitory state. Wait for a minute and
Cancellation is only supported for jobs which are in progress. retry the cancel operation.
Please attempt cancel on an in progress job.
Failed to cancel the Job - Please wait till job finishes. None
Restore
Restore failed with Cloud Internal error 1. Cloud service to which you are trying to restore is
configured with DNS settings. You can check
$deployment = Get-AzureDeployment -ServiceName
"ServiceName" -Slot "Production" Get-AzureDns -
DnsSettings $deployment.DnsSettings
If there is Address configured, this means that DNS
settings are configured.
2. Cloud service to which to you are trying to restore is
configured with ReservedIP and existing VMs in cloud
service are in stopped state.
You can check a cloud service has reserved IP by using
following powershell cmdlets:
$deployment = Get-AzureDeployment -ServiceName
"servicename" -Slot "Production"
$dep.ReservedIPName
3. You are trying to restore a virtual machine with
following special network configurations in to same
cloud service.
- Virtual machines under load balancer configuration
(Internal and external)
- Virtual machines with multiple Reserved IPs
- Virtual machines with multiple NICs
Please select a new cloud service in the UI or please
refer to restore considerations for VMs with special
network configurations.
The selected DNS name is already taken - Please specify a The DNS name here refers to the cloud service name (usually
different DNS name and try again. ending with .cloudapp.net). This needs to be unique. If you
encounter this error, you need to choose a different VM name
during restore.
This error is shown only to users of the Azure portal. The

restore operation through PowerShell will succeed because it
only restores the disks and doesn't create the VM. The error
will be faced when the VM is explicitly created by you after the
disk restore operation.
The specified virtual network configuration is not correct - None

Please specify a different virtual network configuration and try
again.
The specified cloud service is using a reserved IP, which None

doesn't match with the configuration of the virtual machine
being restored - Please specify a different cloud service, which
is not using reserved IP, or choose another recovery point to
restore from.
Cloud service has reached limit on number of input end None

points - Retry the operation by specifying a different cloud
service or by using an existing endpoint.
Backup vault and target storage account are in two different None
regions - Ensure that the storage account specified in restore
operation is in the same Azure region as the backup vault.
Storage Account specified for the restore operation is not None

supported - Only Basic/Standard storage accounts with locally
redundant or geo redundant replication settings are
supported. Please select a supported storage account
Type of Storage Account specified for restore operation is not This might happen because of a transient error in Azure
online - Make sure that the storage account specified in Storage or due to an outage. Please choose another storage
restore operation is online account.
Resource Group Quota has been reached - Please delete None

some resource groups from Azure portal or contact Azure
support to increase the limits.
Selected subnet does not exist - Please select a subnet which None
exists
Backup Service does not have authorization to access To resolve this, first Restore Disks using steps mentioned in
resources in your subscription. section Restore backed up disks in Choosing VM restore
configuration. After that, use PowerShell steps mentioned in
Create a VM from restored disks to create full VM from
restored disks.
Backup or Restore taking time

If you see your backup(>12 hours) or restore taking time(>6 hours):
Understand factors contributing to backup time and factors contributing to restore time.
Make sure that you follow Backup best practices.
VM Agent
Setting up the VM Agent
Typically, the VM Agent is already present in VMs that are created from the Azure gallery. However, virtual
machines that are migrated from on-premises datacenters would not have the VM Agent installed. For such VMs,
the VM Agent needs to be installed explicitly.
For Windows VMs:
Download and install the agent MSI. You need Administrator privileges to complete the installation.
For Classic virtual machines, Update the VM property to indicate that the agent is installed. This step is not
required for Resource Manager virtual machines.
For Linux VMs:
Install latest from distribution repository. We strongly recommend installing agent only through distribution
repository. For details on package name, please refer to Linux agent repository
For classic VMs, Update the VM property to indicate that the agent is installed. This step is not required for
Resource Manager virtual machines.
Updating the VM Agent
For Windows VMs:
Updating the VM Agent is as simple as reinstalling the VM Agent binaries. However, you need to ensure that no
backup operation is running while the VM Agent is being updated.
For Linux VMs:
Follow the instructions on Updating Linux VM Agent. We strongly recommend updating agent only through
distribution repository. We do not recommend downloading the agent code from directly github and updating
it. If latest agent is not available for your distribution, please reach out to distribution support for instructions
on how to install latest agent. You can check latest Windows Azure Linux agent information in github
repository.
Validating VM Agent installation
How to check for the VM Agent version on Windows VMs:
1. Log on to the Azure virtual machine and navigate to the folder C:\WindowsAzure\Packages. You should find
the WaAppAgent.exe file present.
2. Right-click the file, go to Properties, and then select the Details tab. The Product Version field should be
2.6.1198.718 or higher
Troubleshoot VM Snapshot Issues

VM backup relies on issuing snapshot commands to underlying storage. Not having access to storage, or delays in
a snapshot task execution can cause the backup job to fail. The following can cause snapshot task failure.
1. Network access to Storage is blocked using NSG
Learn more on how to enable network access to Storage using either WhiteListing of IPs or through proxy
server.
2. VMs with Sql Server backup configured can cause snapshot task delay
By default VM backup issues VSS Full backup on Windows VMs. On VMs that are running Sql Servers and if
Sql Server backup is configured, this might cause delay in snapshot execution. Please set following registry
key if you are experiencing backup failures because of snapshot issues.
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\BCDRAGENT]
"USEVSSCOPYBACKUP"="TRUE"
3. VM status reported incorrectly because VM is shut down in RDP.

If you have Shut down the virtual machine in RDP, please check back in the portal that VM status is reflected
correctly. If not, please shut down the VM in portal using 'Shutdown' option in VM dashboard.
4. If more than four VMs share the same cloud service, configure multiple backup policies to stage the backup
times so no more than four VM backups are started at the same time. Try to spread the backup start times an
hour apart between policies.
5. VM is running at High CPU/Memory.
If the virtual machine is running at High CPU usage(>90%) or memory, snapshot task is queued, delayed and
will eventually gets timed-out. Try on-demand backup in such situations.
Networking
Like all extensions, Backup extension need access to the public internet to work. Not having access to the public
internet can manifest itself in various ways:
The extension installation can fail
The backup operations (like disk snapshot) can fail
Displaying the status of the backup operation can fail
The need for resolving public internet addresses has been articulated here. You need to check the DNS
configurations for the VNET and ensure that the Azure URIs can be resolved.
Once the name resolution is done correctly, access to the Azure IPs also needs to be provided. To unblock access
to the Azure infrastructure, follow one of these steps:
1. WhiteList the Azure datacenter IP ranges.
Get the list of Azure datacenter IPs to be whitelisted.
Unblock the IPs using the New-NetRoute cmdlet. Run this cmdlet within the Azure VM, in an elevated
PowerShell window (run as Administrator).
Add rules to the NSG (if you have one in place) to allow access to the IPs.
2. Create a path for HTTP traffic to flow
If you have some network restriction in place (a Network Security Group, for example) deploy an HTTP
proxy server to route the traffic. Steps to deploy an HTTP Proxy server can found here.
Add rules to the NSG (if you have one in place) to allow access to the INTERNET from the HTTP Proxy.
NOTE
DHCP must be enabled inside the guest for IaaS VM Backup to work. If you need a static private IP, you should configure it
through the platform. The DHCP option inside the VM should be left enabled. View more information about Setting a Static
Internal Private IP.
Troubleshoot Azure virtual machine backup
You can troubleshoot errors encountered while using Azure Backup with information listed in the table below.
Discovery
BACKUP OPERATION ERROR DETAILS WORKAROUND
Discovery Failed to discover new items - Microsoft Retry the discovery process after 15
Azure Backup encountered and internal minutes.
error. Wait for a few minutes and then
try the operation again.
Discovery Failed to discover new items Another None

Discovery operation is already in
progress. Please wait until the current
Discovery operation has completed.
Register
Register Number of data disks attached to the None

virtual machine exceeded the supported
limit - Please detach some data disks on
this virtual machine and retry the
operation. Azure backup supports up to
16 data disks attached to an Azure
virtual machine for backup
Register Microsoft Azure Backup encountered an You can get this error due to one of the
internal error - Wait for a few minutes following unsupported configuration of
and then try the operation again. If the VM on Premium LRS.
issue persists, contact Microsoft Premium storage VMs can be backed
Support. up using recovery services vault. Learn
More
Register Registration failed with Install Agent Check if the OS version of the virtual
operation timeout machine is supported.
Register Command execution failed - Another None

operation is in progress on this item.
Please wait until the previous operation
is completed
Register Virtual machines having virtual hard None

disks stored on Premium storage are
not supported for backup
Register Virtual machine agent is not present on Read more about VM agent installation,
the virtual machine - Please install the and how to validate the VM agent
required pre-requisite, VM agent and installation.
Backup
Backup Could not communicate with the VM This error is thrown if there is a problem
agent for snapshot status. Snapshot with the VM Agent or network access
VM sub task timed out. - Please see the to the Azure infrastructure is blocked in
troubleshooting guide on how to some way. Learn more about
resolve this. debugging up VM snapshot issues.
If the VM agent is not causing any
issues, then restart the VM. At times an
incorrect VM state can cause issues and
restarting the VM resets this "bad
state"
Backup Backup failed with an internal error - Please check if there is a transient issue
Please retry the operation in a few in accessing VM storage. Please check
minutes. If the problem persists, contact Azure Status to see if there is any on-
Microsoft Support going issue related to
compute/storage/network in the region.
Please retry the backup post issue is
mitigated.
Backup Could not perform the operation as VM Backup cannot be performed as the VM
no longer exists. configured for backup has been deleted.
Please stop further backups by going to
Protected items view, select protected
item and click on Stop Protection. You
can retain data by selecting Retain
Backup data option. You can later
resume protection for this virtual
machine by clicking on configure
protection from Registered Items view
Backup Failed to install the Azure Recovery 1. Check if the VM agent has been
Services extension on the selected item installed correctly.
- VM Agent is a pre-requisite for Azure 2. Ensure that the flag on the VM
Recovery Services Extension. Please config is set correctly.
install the Azure VM agent and restart
the registration operation Read more about VM agent installation,
and how to validate the VM agent
installation.
Backup Command execution failed - Another An existing backup or restore job for
operation is currently in progress on the VM is running, and a new job
this item. Please wait until the previous cannot be started while the existing job
operation is completed, and then retry is running.
Backup Extension installation failed with the This usually means that the COM+
error "COM+ was unable to talk to the service is not running. Contact
Microsoft Distributed Transaction Microsoft support for help on fixing this
Coordinator issue.
Backup Snapshot operation failed with the VSS Turn off BitLocker for all drives on the
operation error "This drive is locked by VM and observe if the VSS issue is
BitLocker Drive Encryption. You must resolved
unlock this drive from Control Panel.
Backup Virtual machines having virtual hard None

disks stored on Premium storage are
not supported for backup
Backup Azure Virtual Machine Not Found. This happens when the primary VM is
deleted but the backup policy continues
to look for a VM to perform backup. To
fix this error:
1. Recreate the virtual machine
with the same name and same
resource group name [cloud
service name],
(OR)
2. Disable protection for this VM
so that subsequent backups will
not get triggered.
Backup Virtual machine agent is not present on Read more about VM agent installation,
the virtual machine - Please install the and how to validate the VM agent
required pre-requisite, VM agent and installation.
Jobs
OPERATION ERROR DETAILS WORKAROUND
Cancel job Cancellation is not supported for this None

job type - Please wait until the job
completes.
Cancel job The job is not in a cancelable state - In all likelihood, the job is almost
Please wait until the job completes. completed; please wait until the job
OR completes
The selected job is not in a cancelable
state - Please wait for the job to
complete.
Cancel job Cannot cancel the job because it is not This happens due to a transitory state.
in progress - Cancellation is only Wait for a minute and retry the cancel
supported for jobs which are in operation
progress. Please attempt cancel on an
in progress job.
Cancel job Failed to cancel the Job - Please wait None

until job finishes.
Restore
Restore Restore failed with Cloud Internal error 1. Cloud service to which you are
trying to restore is configured
with DNS settings. You can
check
$deployment = Get-
AzureDeployment -ServiceName
"ServiceName" -Slot
"Production" Get-AzureDns -
DnsSettings
$deployment.DnsSettings
If there is Address configured,
this means that DNS settings
are configured.
2. Cloud service to which to you
are trying to restore is
configured with ReservedIP and
existing VMs in cloud service are
in stopped state.
You can check a cloud service
has reserved IP by using
following powershell cmdlets:
$deployment = Get-
AzureDeployment -ServiceName
"servicename" -Slot "Production"
$dep.ReservedIPName
3. You are trying to restore a
virtual machine with following
special network configurations in
to same cloud service.
- Virtual machines under load
balancer configuration (Internal
and external)
- Virtual machines with multiple
Reserved IPs
- Virtual machines with multiple
NICs
Please select a new cloud service
in the UI or please refer to
restore considerations for VMs
with special network
configurations
Restore The selected DNS name is already taken The DNS name here refers to the cloud
- Please specify a different DNS name service name (usually ending with
and try again. .cloudapp.net). This needs to be unique.
If you encounter this error, you need to
choose a different VM name during
restore.
This error is shown only to users of the

Azure portal. The restore operation
through PowerShell succeeds because it
only restores the disks and doesn't
create the VM. The error will be faced
when the VM is explicitly created by
you after the disk restore operation.
Restore The specified virtual network None

configuration is not correct - Please
specify a different virtual network
configuration and try again.
Restore The specified cloud service is using a None

reserved IP, which doesn't match with
the configuration of the virtual machine
being restored - Please specify a
different cloud service which is not
using reserved IP, or choose another
recovery point to restore from.
Restore Cloud service has reached limit on None

number of input end points - Retry the
operation by specifying a different cloud
service or by using an existing endpoint.
Restore Backup vault and target storage None

account are in two different regions -
Ensure that the storage account
specified in restore operation is in the
same Azure region as the backup vault.
Restore Storage Account specified for the None

restore operation is not supported -
Only Basic/Standard storage accounts
with locally redundant or geo
redundant replication settings are
supported. Please select a supported
storage account
Restore Type of Storage Account specified for This might happen because of a
restore operation is not online - Make transient error in Azure Storage or due
sure that the storage account specified to an outage. Please choose another
in restore operation is online storage account.
Restore Resource Group Quota has been None

reached - Please delete some resource
groups from Azure portal or contact
Azure support to increase the limits.
Restore Selected subnet does not exist - Please None

select a subnet which exists
Policy
Create policy Failed to create the policy - Please None

reduce the retention choices to
continue with policy configuration.
VM Agent
Setting up the VM Agent
Typically, the VM Agent is already present in VMs that are created from the Azure gallery. However, virtual
machines that are migrated from on-premises datacenters would not have the VM Agent installed. For such VMs,
the VM Agent needs to be installed explicitly. Read more about installing the VM agent on an existing VM.
For Windows VMs:
Download and install the agent MSI. You will need Administrator privileges to complete the installation.
Update the VM property to indicate that the agent is installed.
For Linux VMs:
Install latest Linux agent from github.
Update the VM property to indicate that the agent is installed.
Updating the VM Agent
For Windows VMs:
Updating the VM Agent is as simple as reinstalling the VM Agent binaries. However, you need to ensure that no
backup operation is running while the VM Agent is being updated.
For Linux VMs:
Follow the instructions on Updating Linux VM Agent.
Validating VM Agent installation
How to check for the VM Agent version on Windows VMs:
1. Log on to the Azure virtual machine and navigate to the folder C:\WindowsAzure\Packages. You should find the
WaAppAgent.exe file present.
2. Right-click the file, go to Properties, and then select the Details tab. The Product Version field should be
2.6.1198.718 or higher
Troubleshoot Azure Backup failure: Issues with agent
and/or extension
This article provides troubleshooting steps to help you resolve Backup failures related to problems in
communication with VM agent and extension.
If your Azure issue is not addressed in this article, visit the Azure forums on MSDN and the Stack Overflow. You can
post your issue in these forums, or post to @AzureSupport on Twitter. You also can submit an Azure support
request. To submit a support request, on the Azure support page, select Get support.
VM Agent unable to communicate with Azure Backup

After you register and schedule a VM for the Azure Backup service, Backup initiates the job by communicating with
the VM agent to take a point-in-time snapshot. Any of the following conditions might prevent the snapshot from
being triggered, which in turn can lead to Backup failure. Follow below troubleshooting steps in the given order
and retry your operation.
C a u se 1 : T h e V M h a s n o I n t e r n e t a c c e ss
C a u se 2 : T h e a g e n t i s i n st a l l e d i n t h e V M b u t i s u n r e sp o n si v e (fo r W i n d o w s V M s)
C a u se 3 : T h e a g e n t i n st a l l e d i n t h e V M i s o u t o f d a t e (fo r L i n u x V M s)
C a u se 4 : T h e sn a p sh o t st a t u s c a n n o t b e r e t r i e v e d o r a sn a p sh o t c a n n o t b e t a k e n
C a u se 5 : T h e b a c k u p e x t e n si o n fa i l s t o u p d a t e o r l o a d
Snapshot operation failed due to no network connectivity on the virtual

machine
the VM backup extension to take a point-in-time snapshot. Any of the following conditions might prevent the
snapshot from being triggered, which in turn can lead to Backup failure. Follow below troubleshooting steps in the
given order and retry your operation.
VMSnapshot extension operation failed

Unable to perform the operation as the VM Agent is not responsive

Backup failed with an internal error - Please retry the operation in a few
minutes
C a u se 2 : T h e a g e n t i n st a l l e d i n t h e V M b u t u n r e sp o n si v e (fo r W i n d o w s V M s)
The specified Disk configuration is not supported

Currently Azure Backup doesnt support disk sizes greater than 1023GB.
If you have disks greater than 1 TB , attach new disks which are less than 1 TB
Then, copy the data from disk greater than 1TB into newly created disk(s) of size less than 1TB.
Ensure that all data has been copied and remove the disks greater than 1TB
Initiate the backup
Causes and Solutions

The VM has no Internet access
Per the deployment requirement, the VM has no Internet access, or it has restrictions in place that prevent access to
the Azure infrastructure.
To function correctly, the backup extension requires connectivity to the Azure public IP addresses. The extension
sends commands to an Azure Storage endpoint (HTTP URL) to manage the snapshots of the VM. If the extension
has no access to the public Internet, Backup eventually fails.
Solution
To resolve the issue, try one of the methods listed here.
A l l o w a c c e ss t o t h e A z u r e d a t a c e n t e r I P r a n g e s
1. Obtain the list of Azure datacenter IPs to allow access to.

2. Unblock the IPs by running the New-NetRoute cmdlet in the Azure VM in an elevated PowerShell window. Run
the cmdlet as an administrator.
3. To allow access to the IPs, add rules to the network security group, if you have one.
C r e a t e a p a t h fo r H T T P t r a ffi c t o fl o w
1. If you have network restrictions in place (for example, a network security group), deploy an HTTP proxy server
to route the traffic.
2. To allow access to the Internet from the HTTP proxy server, add rules to the network security group, if you have
one.
To learn how to set up an HTTP proxy for VM backups, see Prepare your environment to back up Azure virtual
machines.
In case you are using Managed Disks, you may need an additional port (8443) opening up on the firewalls.
The agent installed in the VM but unresponsive (for Windows VMs)
Solution
The VM Agent might have been corrupted or the service might have been stopped. Re-installing the VM agent
would help get the latest version and restart the communication.
1. Verify whether Windows Guest Agent service running in services (services.msc) of the Virtual Machine. Try
restart the Windows Guest Agent service and initiate the Backup
2. if it is not visible in services, verify in Programs and Features whether Windows Guest agent service is installed.
3. If you are able to view in programs and features uninstall the Windows Guest Agent.
4. Download and install the latest version of agent MSI. You need Administrator privileges to complete the
installation.
5. Then you should be able to view Windows Guest Agent services in services
6. Try running an on-demand/adhoc backup by clicking "Backup Now" in the portal.
Also verify your Virtual Machine has .NET 4.5 installed in the system. It is required for the VM agent to
communicate with the service
The agent installed in the VM is out of date (for Linux VMs)
Solution
Most agent-related or extension-related failures for Linux VMs are caused by issues that affect an outdated VM
agent. To troubleshoot this issue, follow these general guidelines:
1. Follow the instructions for updating the Linux VM agent.
NOTE
We strongly recommend that you update the agent only through a distribution repository. We do not recommend
downloading the agent code directly from GitHub and updating it. If the latest agent is unavailable for your
distribution, contact distribution support for instructions on how to install it. To check for the most recent agent, go
to the Windows Azure Linux agent page in the GitHub repository.
2. Make sure that the Azure agent is running on the VM by running the following command: ps -e
If the process is not running, restart it by using the following commands:

For Ubuntu: service walinuxagent start
For other distributions: service waagent start
3. Configure the auto restart agent.
4. Run a new test backup. If the failure persists, please collect the following logs from the customers VM:
/var/lib/waagent/*.xml
/var/log/waagent.log
/var/log/azure/*
If we require verbose logging for waagent, follow these steps:
1. In the /etc/waagent.conf file, locate the following line: Enable verbose logging (y|n)
2. Change the Logs.Verbose value from n to y.
3. Save the change, and then restart waagent by following the previous steps in this section.
The snapshot status cannot be retrieved or a snapshot cannot be taken
The VM backup relies on issuing a snapshot command to the underlying storage account. Backup can fail either
because it has no access to the storage account or because the execution of the snapshot task is delayed.
Solution
The following conditions can cause snapshot task failure:
CAUSE SOLUTION
The VM has SQL Server backup configured. By default, the VM backup runs a VSS full backup on Windows
VMs. On VMs that are running SQL Server-based servers and
on which SQL Server backup is configured, snapshot execution
delays may occur.
If you are experiencing a Backup failure because of a snapshot

issue, set the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\BCDRA
GENT] "USEVSSCOPYBACKUP"="TRUE"
The VM status is reported incorrectly because the VM is shut If you shut down the VM in Remote Desktop Protocol (RDP),
down in RDP. check the portal to determine whether the VM status is
correct. If its not correct, shut down the VM in the portal by
using the Shutdown option on the VM dashboard.
Many VMs from the same cloud service are configured to Its a best practice to spread out the backup schedules for
back up at the same time. VMs from the same cloud service.
The VM is running at high CPU or memory usage. If the VM is running at high CPU usage (more than 90
percent) or high memory usage, the snapshot task is queued
and delayed, and it eventually times out. In this situation, try
an on-demand backup.
The VM cannot get the host/fabric address from DHCP. DHCP must be enabled inside the guest for the IaaS VM
backup to work. If the VM cannot get the host/fabric address
from DHCP response 245, it cannot download or run any
extensions. If you need a static private IP, you should
configure it through the platform. The DHCP option inside the
VM should be left enabled. For more information, see Setting
a Static Internal Private IP.
The backup extension fails to update or load

If extensions cannot be loaded, Backup fails because a snapshot cannot be taken.
Solution
For Windows guests: Verify that the iaasvmprovider service is enabled and has a startup type of automatic. If the
service is not configured in this way, enable it to determine whether the next backup succeeds.
For Linux guests: Verify the latest version of VMSnapshot for Linux (the extension used by Backup) is 1.0.91.0.
If the backup extension still fails to update or load, you can force the VMSnapshot extension to be reloaded by
uninstalling the extension. The next backup attempt will reload the extension.
To uninstall the extension, do the following:
1. Go to the Azure portal.
2. Locate the VM that has backup problems.
3. Click Settings.
4. Click Extensions.
5. Click Vmsnapshot Extension.
6. Click Uninstall.
This procedure causes the extension to be reinstalled during the next backup.
Troubleshoot slow backup of files and folders in Azure
Backup
This article provides troubleshooting guidance to help you diagnose the cause of slow backup performance for files
and folders when you're using Azure Backup. When you use the Azure Backup agent to back up files, the backup
process might take longer than expected. This delay might be caused by one or more of the following:
There are performance bottlenecks on the computer thats being backed up.
Another process or antivirus software is interfering with the Azure Backup process.
The Backup agent is running on an Azure virtual machine (VM).
You're backing up a large number (millions) of files.
Before you start troubleshooting issues, we recommend that you download and install the latest Azure Backup
agent. We make frequent updates to the Backup agent to fix various issues, add features, and improve performance.
We also strongly recommend that you review the Azure Backup service FAQ to make sure you're not experiencing
any of the common configuration issues.
If your Azure issue is not addressed in this article, visit the Azure forums on MSDN and the Stack Overflow. You can
post your issue in these forums, or post to @AzureSupport on Twitter. You also can submit an Azure support
request. To submit a support request, on the Azure support page, select Get support.
Cause: Performance bottlenecks on the computer

Bottlenecks on the computer that's being backed up can cause delays. For example, the computer's ability to read
or write to disk, or available bandwidth to send data over the network, can cause bottlenecks.
Windows provides a built-in tool that's called Performance Monitor (Perfmon) to detect these bottlenecks.
Here are some performance counters and ranges that can be helpful in diagnosing bottlenecks for optimal backups.
COUNTER STATUS
Logical Disk(Physical Disk)--%idle 100% idle to 50% idle = Healthy

49% idle to 20% idle = Warning or Monitor
19% idle to 0% idle = Critical or Out of Spec
Logical Disk(Physical Disk)--%Avg. Disk Sec Read or Write 0.001 ms to 0.015 ms = Healthy
0.015 ms to 0.025 ms = Warning or Monitor
0.026 ms or longer = Critical or Out of Spec
Logical Disk(Physical Disk)--Current Disk Queue Length (for all 80 requests for more than 6 minutes
instances)
Memory--Pool Non Paged Bytes Less than 60% of pool consumed = Healthy
61% to 80% of pool consumed = Warning or Monitor
Greater than 80% pool consumed = Critical or Out of Spec
Memory--Pool Paged Bytes Less than 60% of pool consumed = Healthy

61% to 80% of pool consumed = Warning or Monitor
Greater than 80% pool consumed = Critical or Out of Spec
COUNTER STATUS
Memory--Available Megabytes 50% of free memory available or more = Healthy

25% of free memory available = Monitor
10% of free memory available = Warning
Less than 100 MB or 5% of free memory available = Critical
or Out of Spec
Processor--\%Processor Time (all instances) Less than 60% consumed = Healthy

61% to 90% consumed = Monitor or Caution
91% to 100% consumed = Critical
NOTE
If you determine that the infrastructure is the culprit, we recommend that you defragment the disks regularly for better
performance.
Cause: Another process or antivirus software interfering with Azure

Backup
We've seen several instances where other processes in the Windows system have negatively affected performance
of the Azure Backup agent process. For example, if you use both the Azure Backup agent and another program to
back up data, or if antivirus software is running and has a lock on files to be backed up, the multiple locks on files
might cause contention. In this situation, the backup might fail, or the job might take longer than expected.
The best recommendation in this scenario is to turn off the other backup program to see whether the backup time
for the Azure Backup agent changes. Usually, making sure that multiple backup jobs are not running at the same
time is sufficient to prevent them from affecting each other.
For antivirus programs, we recommend that you exclude the following files and locations:
C:\Program Files\Microsoft Azure Recovery Services Agent\bin\cbengine.exe as a process
C:\Program Files\Microsoft Azure Recovery Services Agent\ folders
Scratch location (if you're not using the standard location)
Cause: Backup agent running on an Azure virtual machine

If you're running the Backup agent on a VM, performance will be slower than when you run it on a physical
machine. This is expected due to IOPS limitations. However, you can optimize the performance by switching the
data drives that are being backed up to Azure Premium Storage. We're working on fixing this issue, and the fix will
be available in a future release.
Cause: Backing up a large number (millions) of files

Moving a large volume of data will take longer than moving a smaller volume of data. In some cases, backup time
is related to not only the size of the data, but also the number of files or folders. This is especially true when
millions of small files (a few bytes to a few kilobytes) are being backed up.
This behavior occurs because while you're backing up the data and moving it to Azure, Azure is simultaneously
cataloging your files. In some rare scenarios, the catalog operation might take longer than expected.
The following indicators can help you understand the bottleneck and accordingly work on the next steps:
UI is showing progress for the data transfer. The data is still being transferred. The network bandwidth or
the size of data might be causing delays.
UI is not showing progress for the data transfer. Open the logs located at C:\Microsoft Azure Recovery
Services Agent\Temp, and then check for the FileProvider::EndData entry in the logs. This entry signifies that the
data transfer finished and the catalog operation is happening. Don't cancel the backup jobs. Instead, wait a little
longer for the catalog operation to finish. If the problem persists, contact Azure support.
Troubleshoot Azure Backup Server
You can troubleshoot errors encountered while using Azure Backup Server with information listed in the following
table.
Error: Invalid vault credentials provided. The file is either corrupted or

does not have the latest credentials associated with recovery service
Follow these troubleshooting steps to resolve this issue.
Error: The agent operation failed because of a communication error

with the DPM Agent Coordinator service on Server
Error: Setup could not update registry metadata

Installation issues
Installation Setup could not update registry Adjust the registry key,
metadata. This update failure could lead SYSTEM\CurrentControlSet\Control\File
to over usage of storage consumption. System\RefsEnableInlineTrim. Set the
To avoid this please update the ReFS value Dword to 1.
Trimming registry entry.
Installation Setup could not update registry Create the registry key,
metadata. This update failure could lead SOFTWARE\Microsoft Data Protection
to over usage of storage consumption. Manager\Configuration\VolSnapOptimi
To avoid this please update the Volume zation\WriteIds, with an empty string
SnapOptimization registry entry. value.
Registration and Agent related issues

Registering to a vault Invalid vault credentials provided. The To fix this error:
file is either corrupted or does not have 1. Download the latest credentials
the latest credentials associated with file from the vault and try again
recovery service (OR)
2. If the above action didn't work,
try downloading the credentials
to a different local directory or
create a new vault
(OR)
3. Try updating the date and time
settings as stated in this blog
(OR)
4. Check whether c:\windows\temp
has more than 65000 files.
Move stale files to another
location or delete the items in
the Temp folder
(OR)
5. Check the status of certificates
a. Open "Manage Computer
Certificates" (in the Control
Panel)
b. Expand the "Personal" node
and its child node "Certificates"
c. Remove the certificate
"Windows Azure Tools"
d. Retry the registration in the
Azure Backup client
(OR)
6. Check whether any Group policy
is in place
Pushing agent(s) to protected servers The agent operation failed because of a If the recommended action shown in
communication error with the DPM the product doesn't work,
Agent Coordinator service on 1. If you are attaching a computer
<ServerName> from an untrusted domain,
follow these steps
(OR)
2. If you are attaching a computer
from a trusted domain,
troubleshoot using the steps
outlined in this blog
(OR)
3. Try disabling Antivirus as a
troubleshooting step. If it
resolves the issue, modify the
Antivirus settings as suggested
in this article
Pushing agent(s) to protected servers The credentials specified for server are If the recommended action shown in
invalid the product doesn't work,
try to install the protection agent
manually on the production server as
specified in this article
Azure Backup Agent was unable to The Azure Backup Agent was unable to If the recommended action shown in
connect to the Azure Backup service connect to the Azure Backup service. the product doesn't work,
(ID: 100050) 1. Run following command from
elevated prompt, psexec -i -s
"c:\Program Files\Internet
Explorer\iexplore.exe" It will open
internet explorer window.
2. Go to Tools -> Internet Options ->
Connections -> LAN settings.
3. Verify proxy settings for System
account. Set Proxy IP and port.
Azure Backup Agent installation failed The Microsoft Azure Recovery Services Manually install Azure Agent
installation failed. All changes made by
the Microsoft Azure Recovery Services
installation to the system were rolled
back. (ID: 4024)
Configuring protection group

Configuring Protection groups DPM could not enumerate application Click 'Refresh' on the configure
component on protected computer protection group UI screen at the
(Protected computer Name) relevant datasource/component level
Configuring Protection groups Unable to configure protection If the protected server is a SQL server,
please check whether sysadmin role
permissions have been provided to the
system account (NTAuthority\System)
on the protected computer as stated in
this article
Configuring Protection groups There is insufficient free space in the The disks which are added to the
storage pool for this protection group storage pool should not contain a
partition. Delete any existing volumes
on the disks and then add it to the
storage pool
Policy change The backup policy could not be Cause:

modified. Error: The current operation This error comes when security settings
failed due to an internal service error are enabled, you try to reduce retention
[0x29834]. Please retry the operation range below the minimum values
after sometime. If the issue persists, specified above and you are on
please contact Microsoft support. unsupported version (below MAB
version 2.0.9052 and Azure Backup
server update 1).
Recommended Action:
In this case, you should set retention
period above the minimum retention
period specified (seven days for daily,
four weeks for weekly, three weeks for
monthly or one year for yearly) to
proceed with policy related udpates.
Optionally, preferred approach would
be to update backup agent and Azure
Backup Server to leverage all the
security updates.
Backup
Backup Replica is inconsistent Please make sure that automatic

consitency check option in Protection
Group wizard is turned ON. Find more
details about the causes of replica
inconsistency and relevant suggestions
here
1. In case of System State/BMR
backup, please check whether
Windows Server Backup is
installed or not on Protected
Server
2. Check for Space related issues
on DPM storage pool on the
DPM/MABS server and allocate
storage as required
3. Check the state of the Volume
shadow copy service on the
protected server. If it is in
disabled state set it to start
manually and start the service
on the server. Then go back to
the DPM/MABS console and
start the sync with consistency
check job.
Backup An unexpected error occurred while the If the recommended action shown in
job was running, The device is not ready the product doesn't work,
1. Set the Shadow Copy Storage
space to unlimited on the Items
in the protection group and run
the consistency check
(OR)
2. Try deleting the existing
Protection group and create
multiple new ones one with
each individual item in it
Backup If you are backing up only System State, 1. Verify that the WSB on the
verify if there is enough free space on protected machine is installed
the protected computer to store the 2. Verify that enough space is
System State backup present on the protected
computer for the system state:
The easiest way to do this is to
go to the protected computer,
open WSB and click through the
selections and select BMR. The
UI will then tell you how much
space is required for this. Open
WSB -> Local backup -> Backup
schedule -> Select Backup
Configuration -> Full server (size
is displayed). Use this size for
verification.
Backup Online recovery point creation failed If the error message says "Windows
Azure Backup Agent was unable to
create a snapshot of the selected
volume", please try increasing the space
in replica and recovery point volume.
Backup Online recovery point creation failed If the error message says "The Windows
Azure Backup Agent cannot connect to
the OBEngine service", verify that the
OBEngine exists in the list of running
services on the computer. If the
OBEngine service is not running use the
"net start OBEngine" command to start
the OBEngine service.
Backup Online recovery point creation failed If the error message says "The
encryption passphrase for this server is
not set. Please configure an encryption
passphrase" try configuring an
encryption passphrase. If it fails,
1. check whether the scratch
location exists or not. The
location mentioned in the
registry
HKEY_LOCAL_MACHINE\Softwar
e\Microsoft\Windows Azure
Backup\Config with name
ScratchLocation should exist.
2. If the scratch location exists, try
re-registering using the old
passphrase. Whenever you
configure an encryption
passphrase, please save it in a
secure location
Backup Backup failure for BMR If BMR size is huge, retry after moving
some application files to OS drive
Backup Re-protecting VMWare VM on a new VMWare properties are pointed at an

MABS server does not show as available old, retired MABS server. To resolve this
to add. issue: In VCenter (SC-VMM equivalent),
go to 'Summary' tab, and then 'Custom
Attributes'. Delete the old MABS server
name from the 'DPMServer' value. Go
back to the new MABS server and
modify the PG. After using the 'Refresh'
button, the VM will be presented with a
checkbox as available to add to
protection.
Backup Error while accessing files/shared folders Try modifying the antivirus settings as
suggested here
Backup Online recovery point creation jobs for 1. Reset the ctk on VMWare, for the
VMware VM fails. DPM encountered affected VMs
error from VMware while trying to get Check that Independent disk is not in
ChangeTracking information. ErrorCode place on VMWare
- FileFaultFault (ID 33621 ) Stop protection for the affected VMs
and re-protect with Refresh button
Run a CC for the affected VMs
Change Passphrase
Change Passphrase Security PIN entered is incorrect. Cause:

Provide the correct Security PIN to This error comes when you enter invalid
complete this operation. or expired Security PIN while performing
critical operation (like change
passphrase).
Recommended Action:
To complete the operation, you must
enter valid Security PIN. To get the PIN,
log in to Azure portal and navigate to
Recovery Services vault > Settings >
Properties > Generate Security PIN. Use
this PIN to change passphrase.
Change Passphrase Operation failed. ID: 120002 Cause:

This error comes when security settings
are enabled, you try to change
passphrase and you are on
unsupported version.
Recommended Action:
To change passphrase, you must first
update backup agent to minimum
version minimum 2.0.9052 and Azure
Backup server to minimum update 1,
then enter valid Security PIN. To get the
PIN, log in to Azure portal and navigate
to Recovery Services vault > Settings >
Properties > Generate Security PIN. Use
this PIN to change passphrase.
Configure email notifications

Trying to set up email notifications getting Error ID: 2013 Cause:

using Office365 account. Trying to use Office 365 account
Recommended Action:
The first thing to ensure is that Allow
Anonymous Relay on a Receive
Connector for your DPM server is
setup on Exchange. Here is a link on
how to configure this:
http://technet.microsoft.com/en-
us/library/bb232021.aspx
If you can't use an internal SMTP relay
and need to set up using your Office
365 server, you can set up IIS to be a
relay for this.
You will need to configure the DPM
server to be able to relay the SMTP to
O365 using IIS
https://technet.microsoft.com/en-
us/library/aa995718(v=exchg.65).aspx
to setup IIS to relay to O365
Important note: On step 3->g->ii, be
sure to use user@domain.com format
and NOT domain\user
Point DPM to use the local servername
as SMTP server, port 587 and then the
user email that the emails should come
from.
The username and password on the
DPM SMTP setup page should be a
domain account in the domain DPM is
on.
NOTE: When changing the SMTP server
address, make the change to new
settings, close the settings box and then
reopen to be sure it reflects the new
value. Simply changing and testing will
not always take the new settings so
testing this way is best practice.
At any time during this process, you can
clear these settings out by closing DPM
console and editing the following
registry keys:
HKLM\SOFTWARE\Microsoft\Microsoft
Data Protection Manager\Notification\
Delete SMTPPassword and
SMTPUserName keys.
You can add them back in the UI when
you launch it again.

Back Up Azure Virtual Machines To A Recovery Services Vault PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Back Up Azure Virtual Machines To A Recovery Services Vault PDF

Uploaded by

Copyright:

Available Formats

Table of Contents

Azure Backup Documentation

Why use Azure Backup?

Which Azure Backup components should I use?

WHERE ARE BACKUPS

System Center DPM Application-aware Cannot back up Files, Recovery Services

What are the deployment scenarios for each component?

Azure Backup (MARS) agent Yes Yes Recovery Services vault

System Center DPM Yes Yes Locally attached disk,

Azure Backup Server Yes Yes Locally attached disk,

Azure IaaS VM Backup Yes No Recovery Services vault

Which applications and workloads can be backed up?

DATA OR WORKLOAD SOURCE ENVIRONMENT AZURE BACKUP SOLUTION

Files and folders Windows Server Azure Backup agent,

Files and folders Windows computer Azure Backup agent,

Microsoft SharePoint Windows Server System Center DPM (+ the Azure

Microsoft Exchange Windows Server System Center DPM (+ the Azure

COMPONENT LINUX (AZURE ENDORSED) SUPPORT

Azure Backup (MARS) agent No (Only Windows based agent)

File-consistent backup not available for Azure VM

Azure IaaS VM Backup Application-consistent backup using pre-script and post-

Using Premium Storage VMs with Azure Backup

Restore Premium Storage VMs

Using managed disk VMs with Azure Backup

What are the features of each Backup component?

Incremental backup explained

Network protocol TCP TCP

Network protocol HTTPS HTTPS HTTPS HTTPS

Backup and retention

Maximum recovery 9999 9999 9999 9999

Recovery points on Not applicable Unlimited Not applicable Not applicable

What is a protected instance

What is a Recovery Services vault?

How does Azure Backup differ from Azure Site Recovery?

CONCEPT DETAILS BACKUP DISASTER RECOVERY (DR)

Start a backup job

Monitor the backup job

Register-AzureRmResourceProvider -ProviderNamespace "Microsoft.RecoveryServices"

Create a recovery services vault

$policy = Get-AzureRmRecoveryServicesBackupProtectionPolicy -Name "DefaultPolicy"

Start a backup job

Backup-AzureRmRecoveryServicesBackupItem -Item $item

Monitor the backup job

WorkloadName Operation Status StartTime EndTime JobID

Disable-AzureRmRecoveryServicesBackupProtection -Item $item -RemoveRecoveryPoints

Launch Azure Cloud Shell

Create a recovery services vault

az backup vault create --resource-group myResourceGroup \

Enable backup for an Azure VM

az backup protection enable-for-vm \

Start a backup job

az backup protection backup-now \

Monitor the backup job

Name Operation Status Item Name Start Time UTC Duration

az backup protection disable \

Log in to the Azure portal

Create a Recovery Services vault

3. In the Recovery Services vault menu,

Set backup policy to protect VMs

The Backup Items list opens.

The Backup Now menu opens.

The Backup Items list opens.

Launch Azure Cloud Shell

Open File Explorer to browse for files.