Azure Backup is the Azure-based service you can use to back up (or protect) and restore your data in the Microsoft
cloud. Azure Backup replaces your existing on-premises or off-site backup solution with a cloud-based solution
that is reliable, secure, and cost-competitive. Azure Backup offers multiple components that you download and
deploy on the appropriate computer, server, or in the cloud. The component, or agent, that you deploy depends on
what you want to protect. All Azure Backup components (no matter whether you're protecting data on-premises or
in the cloud) can be used to back up data to a Recovery Services vault in Azure. See the Azure Backup components
table (later in this article) for information about which component to use to protect specific data, applications, or
workloads.
Azure Backup (MARS) agent
Benefits: Back up files and folders on physical or virtual Windows OS (VMs can be on-premises or in Azure). No separate backup server required.
Limits: Backup 3x per day. Not application aware; file, folder, and volume-level restore only. No support for Linux.
What is protected: Files, Folders
Where backups are stored: Recovery Services vault

Azure Backup Server
Benefits: App aware snapshots (VSS). Full flexibility for when to take backups. Recovery granularity (all). Can use Recovery Services vault. Linux support on Hyper-V and VMware VMs. Back up and restore VMware VMs. Does not require a System Center license.
Limits: Cannot back up Oracle workload. Always requires live Azure subscription. No support for tape backup.
What is protected: Files, Folders, Volumes, VMs, Applications, Workloads
Where backups are stored: Recovery Services vault, Locally attached disk

Azure IaaS VM Backup
Benefits: Native backups for Windows/Linux. No specific agent installation required. Fabric-level backup with no backup infrastructure needed.
Limits: Back up VMs once-a-day. Restore VMs only at disk level. Cannot back up on-premises.
What is protected: VMs, All disks (using PowerShell)
Where backups are stored: Recovery Services vault
DATA OR WORKLOAD | SOURCE ENVIRONMENT | AZURE BACKUP SOLUTION
Hyper-V virtual machine (Windows) | Windows Server | System Center DPM (+ the Azure Backup agent), Azure Backup Server (includes the Azure Backup agent)
Hyper-V virtual machine (Linux) | Windows Server | System Center DPM (+ the Azure Backup agent), Azure Backup Server (includes the Azure Backup agent)
VMware virtual machine | Windows Server | System Center DPM (+ the Azure Backup agent), Azure Backup Server (includes the Azure Backup agent)
Microsoft SQL Server | Windows Server | System Center DPM (+ the Azure Backup agent), Azure Backup Server (includes the Azure Backup agent)
Azure IaaS VMs (Windows) | running in Azure | Azure Backup (VM extension)
Azure IaaS VMs (Linux) | running in Azure | Azure Backup (VM extension)
Linux support
The following table shows the Azure Backup components that have support for Linux.
System Center DPM | File-consistent backup of Linux Guest VMs on Hyper-V and VMWare; VM restore of Hyper-V and VMWare Linux Guest VMs
Azure Backup Server | File-consistent backup of Linux Guest VMs on Hyper-V and VMWare; VM restore of Hyper-V and VMWare Linux Guest VMs; File-consistent backup not available for Azure VM
NOTE
Do not modify or edit the staging location.
FEATURE | AZURE BACKUP AGENT | SYSTEM CENTER DPM | AZURE BACKUP SERVER | AZURE IAAS VM BACKUP
Recovery Services vault
Disk storage
Tape storage
Compression (in Recovery Services vault)
Incremental backup
Disk deduplication
The Recovery Services vault is the preferred storage target across all components. System Center DPM and Azure
Backup Server also provide the option to have a local disk copy. However, only System Center DPM provides the
option to write data to a tape storage device.
Compression
Backups are compressed to reduce the required storage space. The only component that does not use
compression is the VM extension. The VM extension copies all backup data from your storage account to the
Recovery Services vault in the same region. No compression is used when transferring the data. Transferring the
data without compression slightly inflates the storage used. However, storing the data without compression allows
for faster restoration, should you need that recovery point.
Disk Deduplication
You can take advantage of deduplication when you deploy System Center DPM or Azure Backup Server on a
Hyper-V virtual machine. Windows Server performs data deduplication (at the host level) on virtual hard disks
(VHDs) that are attached to the virtual machine as backup storage.
NOTE
Deduplication is not available in Azure for any Backup component. When System Center DPM and Backup Server are
deployed in Azure, the storage disks attached to the VM cannot be deduplicated.
Network security (to Azure)
Data security (in Azure)
Network security
All backup traffic from your servers to the Recovery Services vault is encrypted using Advanced Encryption
Standard 256. The backup data is sent over a secure HTTPS link. The backup data is also stored in the Recovery
Services vault in encrypted form. Only you, the Azure customer, have the passphrase to unlock this data. Microsoft
cannot decrypt the backup data at any point.
WARNING
Once you establish the Recovery Services vault, only you have access to the encryption key. Microsoft never maintains a
copy of your encryption key, and does not have access to the key. If the key is misplaced, Microsoft cannot recover the
backup data.
Data security
Backing up Azure VMs requires setting up encryption within the virtual machine. Use BitLocker on Windows virtual
machines and dm-crypt on Linux virtual machines. Azure Backup does not automatically encrypt backup data that
comes through this path.
Network
FEATURE | AZURE BACKUP AGENT | SYSTEM CENTER DPM | AZURE BACKUP SERVER | AZURE IAAS VM BACKUP
Network compression (to backup server)
Network compression (to Recovery Services vault)
The VM extension (on the IaaS VM) reads the data directly from the Azure storage account over the storage
network, so it is not necessary to compress this traffic.
If you use a System Center DPM server or Azure Backup Server as a secondary backup server, compress the data
going from the primary server to the backup server. Compressing data before backing it up to DPM or Azure
Backup Server saves bandwidth.
Network Throttling
The Azure Backup agent offers network throttling, which allows you to control how network bandwidth is used
during data transfer. Throttling can be helpful if you need to back up data during work hours but do not want the
backup process to interfere with other internet traffic. Throttling for data transfer applies to backup and restore
activities.
FEATURE | AZURE BACKUP AGENT | SYSTEM CENTER DPM | AZURE BACKUP SERVER | AZURE IAAS VM BACKUP
Backup frequency (to Recovery Services vault) | Three backups per day | Two backups per day | Two backups per day | One backup per day
Backup frequency (to disk) | Not applicable | Every 15 minutes for SQL Server, every hour for other workloads | Every 15 minutes for SQL Server, every hour for other workloads | Not applicable
Retention options | Daily, weekly, monthly, yearly | Daily, weekly, monthly, yearly | Daily, weekly, monthly, yearly | Daily, weekly, monthly, yearly
Maximum retention period | Depends on backup frequency | Depends on backup frequency | Depends on backup frequency | Depends on backup frequency
Recovery points on local disk | Not applicable | 64 for File Servers, 448 for Application Servers | 64 for File Servers, 448 for Application Servers | Not applicable
IMPORTANT
You can now upgrade your Backup vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to a
Recovery Services vault. Microsoft encourages you to upgrade your Backup vaults to Recovery Services vaults.
After October 15, 2017, you will no longer be able to use PowerShell to create Backup vaults.
By November 1, 2017 any remaining Backup vaults will be automatically upgraded to Recovery Services vaults.
CONCEPT | DETAILS | BACKUP | DISASTER RECOVERY (DR)

Recovery point objective (RPO)
Details: The amount of acceptable data loss if a recovery needs to be done.
Backup: Backup solutions have wide variability in their acceptable RPO. Virtual machine backups usually have an RPO of one day, while database backups have RPOs as low as 15 minutes.
Disaster recovery (DR): Disaster recovery solutions have low RPOs. The DR copy can be behind by a few seconds or a few minutes.

Recovery time objective (RTO)
Details: The amount of time that it takes to complete a recovery or restore.
Backup: Because of the larger RPO, the amount of data that a backup solution needs to process is typically much higher, which leads to longer RTOs. For example, it can take days to restore data from tapes, depending on the time it takes to transport the tape from an off-site location.
Disaster recovery (DR): Disaster recovery solutions have smaller RTOs because they are more in sync with the source. Fewer changes need to be processed.

Retention
Details: How long data needs to be stored.
Backup: For scenarios that require operational recovery (data corruption, inadvertent file deletion, OS failure), backup data is typically retained for 30 days or less. From a compliance standpoint, data might need to be stored for months or even years. Backup data is ideally suited for archiving in such cases.
Disaster recovery (DR): Disaster recovery needs only operational recovery data, which typically takes a few hours or up to a day. Because of the fine-grained data capture used in DR solutions, using DR data for long-term retention is not recommended.
Next steps
Use one of the following tutorials for detailed, step-by-step instructions for protecting data on Windows Server, or
protecting a virtual machine (VM) in Azure:
Back up Files and Folders
Backup Azure Virtual Machines
For details about protecting other workloads, try one of these articles:
Back up your Windows Server
Back up application workloads
Backup Azure IaaS VMs
Back up a virtual machine in Azure
9/25/2017
Azure backups can be created through the Azure portal. This method provides a browser-based user interface to
create and configure Azure backups and all related resources. You can protect your data by taking backups at
regular intervals. Azure Backup creates recovery points that can be stored in geo-redundant recovery vaults. This
article details how to back up a virtual machine (VM) with the Azure portal.
This quick start enables backup on an existing Azure VM. If you need to create a VM, you can create a VM with the
Azure portal.
Log in to Azure
Log in to the Azure portal at http://portal.azure.com.
Select a VM to back up
Create a simple scheduled daily backup to a Recovery Services Vault.
1. In the menu on the left, select Virtual machines.
2. From the list, choose a VM to back up. If you used the sample VM quick start commands, the VM is named
myVM in the myResourceGroup resource group.
3. In the Settings section, choose Backup. The Enable backup window opens.
Enable backup on a VM
A Recovery Services vault is a logical container that stores the backup data for each protected resource, such as
Azure VMs. When the backup job for a protected resource runs, it creates a recovery point inside the Recovery
Services vault. You can then use one of these recovery points to restore data to a given point in time.
1. Select Create new and provide a name for the new vault, such as myRecoveryServicesVault.
2. If not already selected, choose Use existing, then select the resource group of your VM from the drop-
down menu.
By default, the vault is set for Geo-Redundant storage. To further protect your data, this storage redundancy
level ensures that your backup data is replicated to a secondary Azure region that is hundreds of miles away
from the primary region.
You create and use policies to define when a backup job runs and how long the recovery points are stored.
The default protection policy runs a backup job each day and retains recovery points for 30 days. You can
use these default policy values to quickly protect your VM.
3. To accept the default backup policy values, select Enable Backup.
Clean up deployment
When no longer needed, you can disable protection on the VM, remove the restore points and Recovery Services
vault, then delete the resource group and associated VM resources.
If you are going to continue on to a Backup tutorial that explains how to restore data for your VM, skip the steps in
this section and go to Next steps.
1. Select the Backup option for your VM.
2. Select ...More to show additional options, then choose Stop backup.
3. Select Delete Backup Data from the drop-down menu.
4. In the Type the name of the Backup item dialog, enter your VM name, such as myVM. Select Stop
Backup.
Once the VM backup has been stopped and recovery points removed, you can delete the resource group. If
you used an existing VM, you may wish to leave the resource group and VM in place.
5. In the menu on the left, select Resource groups.
6. From the list, choose your resource group. If you used the sample VM quick start commands, the resource
group is named myResourceGroup.
7. Select Delete resource group. To confirm, enter the resource group name, then select Delete.
Next steps
In this quick start, you created a Recovery Services vault, enabled protection on a VM, and created the initial
recovery point. To learn more about Azure Backup and Recovery Services, continue to the tutorials.
Back up multiple Azure VMs
Back up a virtual machine in Azure with PowerShell
9/25/2017
The Azure PowerShell module is used to create and manage Azure resources from the command line or in scripts.
You can protect your data by taking backups at regular intervals. Azure Backup creates recovery points that can be
stored in geo-redundant recovery vaults. This article details how to back up a virtual machine (VM) with the Azure
PowerShell module. You can also perform these steps with the Azure CLI or Azure portal.
This quick start enables backup on an existing Azure VM. If you need to create a VM, you can create a VM with
Azure PowerShell.
This quick start requires the Azure PowerShell module version 4.4 or later. Run Get-Module -ListAvailable AzureRM
to find the version. If you need to install or upgrade, see Install Azure PowerShell module.
Log in to Azure
Log in to your Azure subscription with the Login-AzureRmAccount command and follow the on-screen directions.
Login-AzureRmAccount
The first time you use Azure Backup, you must register the Azure Recovery Service provider in your subscription
with Register-AzureRmResourceProvider.
New-AzureRmRecoveryServicesVault `
-ResourceGroupName "myResourceGroup" `
-Name "myRecoveryServicesVault" `
-Location "WestEurope"
By default, the vault is set for Geo-Redundant storage. To further protect your data, this storage redundancy level
ensures that your backup data is replicated to a secondary Azure region that is hundreds of miles away from the
primary region.
To use this vault with the remaining steps, set the vault context with Set-AzureRmRecoveryServicesVaultContext:
Get-AzureRmRecoveryServicesVault `
-Name "myRecoveryServicesVault" | Set-AzureRmRecoveryServicesVaultContext
Enable backup for an Azure VM
You create and use policies to define when a backup job runs and how long the recovery points are stored. The
default protection policy runs a backup job each day and retains recovery points for 30 days. You can use these
default policy values to quickly protect your VM. First, set the default policy with
Get-AzureRmRecoveryServicesBackupProtectionPolicy:
To enable backup protection for a VM, use Enable-AzureRmRecoveryServicesBackupProtection. Specify the policy
to use, then the resource group and VM to protect:
Enable-AzureRmRecoveryServicesBackupProtection `
-ResourceGroupName "myResourceGroup" `
-Name "myVM" `
-Policy $policy
$backupcontainer = Get-AzureRmRecoveryServicesBackupContainer `
-ContainerType "AzureVM" `
-FriendlyName "myVM"
$item = Get-AzureRmRecoveryServicesBackupItem `
-Container $backupcontainer `
-WorkloadType "AzureVM"
As this first backup job creates a full recovery point, the process can take up to 20 minutes.
Get-AzureRmRecoveryservicesBackupJob
The output is similar to the following example, which shows the backup job is InProgress:
When the Status of the backup job reports Completed, your VM is protected with Recovery Services and has a full
recovery point stored.
Clean up deployment
When no longer needed, you can disable protection on the VM, remove the restore points and Recovery Services
vault, then delete the resource group and associated VM resources. If you used an existing VM, you can skip the
final Remove-AzureRmResourceGroup cmdlet to leave the resource group and VM in place.
If you are going to continue on to a Backup tutorial that explains how to restore data for your VM, skip the steps in
this section and go to Next steps.
Next steps
In this quick start, you created a Recovery Services vault, enabled protection on a VM, and created the initial
recovery point. To learn more about Azure Backup and Recovery Services, continue to the tutorials.
Back up multiple Azure VMs
Back up a virtual machine in Azure with the CLI
10/2/2017
The Azure CLI is used to create and manage Azure resources from the command line or in scripts. You can protect
your data by taking backups at regular intervals. Azure Backup creates recovery points that can be stored in geo-
redundant recovery vaults. This article details how to back up a virtual machine (VM) in Azure with the Azure CLI.
You can also perform these steps with Azure PowerShell or in the Azure portal.
This quick start enables backup on an existing Azure VM. If you need to create a VM, you can create a VM with the
Azure CLI.
To install and use the CLI locally, you must run Azure CLI version 2.0.18 or later. To find the CLI version, run az --version. If
you need to install or upgrade, see Install Azure CLI 2.0.
By default, the Recovery Services vault is set for Geo-Redundant storage. Geo-Redundant storage ensures your
backup data is replicated to a secondary Azure region that is hundreds of miles away from the primary region.
The output is similar to the following example, which shows the backup job is InProgress:
When the Status of the backup job reports Completed, your VM is protected with Recovery Services and has a full
recovery point stored.
Clean up deployment
When no longer needed, you can disable protection on the VM, remove the restore points and Recovery Services
vault, then delete the resource group and associated VM resources. If you used an existing VM, you can skip the
final az group delete command to leave the resource group and VM in place.
If you want to try a Backup tutorial that explains how to restore data for your VM, go to Next steps.
Next steps
In this quick start, you created a Recovery Services vault, enabled protection on a VM, and created the initial
recovery point. To learn more about Azure Backup and Recovery Services, continue to the tutorials.
Back up multiple Azure VMs
Use Azure portal to back up multiple virtual machines
9/25/2017
When you back up data in Azure, you store that data in an Azure resource called a Recovery Services vault. The
Recovery Services vault resource is available from the Settings menu of most Azure services. Having
the Recovery Services vault integrated into the Settings menu of most Azure services makes it very easy to back
up data. However, working individually with each database or virtual machine in your business is tedious. What if
you want to back up the data for all virtual machines in one department, or in one location? It is easy to back up
multiple virtual machines by creating a backup policy and applying that policy to the desired virtual machines. This
tutorial explains how to:
Create a Recovery Services vault
Define a backup policy
Apply the backup policy to protect multiple virtual machines
Trigger an on-demand backup job for the protected virtual machines
2. On the vault dashboard menu, click Backup to open the Backup menu.
3. On the Backup Goal menu, in the Where is your workload running drop-down menu, choose Azure.
From the What do you want to backup drop-down, choose Virtual machine, and click Backup.
These actions prepare the Recovery Services vault for interacting with a virtual machine. Recovery Services
vaults have a default policy that creates a restore point each day, and retains the restore points for 30 days.
4. To create a new policy, on the Backup policy menu, from the Choose backup policy drop-down menu,
select Create New.
5. In the Backup policy menu, for Policy Name type Finance. Enter the following changes for the Backup
policy:
For Backup frequency set the timezone for Central Time. Since the sports complex is in Texas, the
owner wants the timing to be local. Leave the backup frequency set to Daily at 3:30AM.
For Retention of daily backup point, set the period to 90 days.
For Retention of weekly backup point, use the Monday restore point and retain it for 52 weeks.
For Retention of monthly backup point, use the restore point from First Sunday of the month, and
retain it for 36 months.
Deselect the Retention of yearly backup point option. The leader of Finance doesn't want to keep
data longer than 36 months.
Click OK to create the backup policy.
After creating the backup policy, associate the policy with the virtual machines.
6. In the Select virtual machines dialog select myVM and click OK to deploy the backup policy to the virtual
machines.
All virtual machines that are in the same location, and are not already associated with a backup policy,
appear. myVMH1 and myVMR1 are selected to be associated with the Finance policy.
When the deployment completes, you receive a notification that deployment successfully completed.
Initial backup
You have enabled backup for the Recovery Services vaults, but an initial backup has not been created. It is a
disaster recovery best practice to trigger the first backup, so that your data is protected.
To run an on-demand backup job:
1. On the vault dashboard, click 3 under Backup Items, to open the Backup Items menu.
The Backup Items menu opens.
2. On the Backup Items menu, click Azure Virtual Machine to open the list of virtual machines associated
with the vault.
3. On the Backup Items list, click the ellipses ... to open the Context menu.
4. On the Context menu, select Backup now.
Deployment notifications let you know the backup job has been triggered, and that you can monitor the
progress of the job on the Backup jobs page. Depending on the size of your virtual machine, creating the
initial backup may take a while.
When the initial backup job completes, you can see its status in the Backup job menu. The on-demand
backup job created the initial restore point for myVM. If you want to back up other virtual machines, repeat
these steps for each virtual machine.
Clean up resources
If you plan to continue on to work with subsequent tutorials, do not clean up the resources created in this tutorial.
If you do not plan to continue, use the following steps to delete all resources created by this tutorial in the Azure
portal.
1. On the myRecoveryServicesVault dashboard, click 3 under Backup Items, to open the Backup Items
menu.
2. On the Backup Items menu, click Azure Virtual Machine to open the list of virtual machines associated
with the vault.
5. In the Stop Backup menu, select the upper drop-down menu and choose Delete Backup Data.
6. In the Type the name of the Backup item dialog, type myVM.
7. Once the backup item is verified (a checkmark appears), the Stop backup button is enabled. Click Stop
Backup to stop the policy and delete the restore points.
8. In the myRecoveryServicesVault menu, click Delete.
Once the vault is deleted, you return to the list of Recovery Services vaults.
Next steps
In this tutorial you used the Azure portal to:
Create a Recovery Services vault
Set the vault to protect virtual machines
Create a custom backup and retention policy
Assign the policy to protect multiple virtual machines
Trigger an on-demand backup for virtual machines
Continue to the next tutorial to restore an Azure virtual machine from disk.
Restore VMs using CLI
Restore a disk and create a recovered VM in Azure
9/29/2017
Azure Backup creates recovery points that are stored in geo-redundant recovery vaults. When you restore from a
recovery point, you can restore the whole VM or individual files. This article explains how to restore a complete VM.
In this tutorial you learn how to:
List and select recovery points
Restore a disk from a recovery point
Create a VM from the restored disk
If you choose to install and use the CLI locally, this tutorial requires that you are running the Azure CLI version
2.0.18 or later. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI 2.0.
Prerequisites
This tutorial requires a Linux VM that has been protected with Azure Backup. To simulate an accidental VM deletion
and recovery process, you create a VM from a disk in a recovery point. If you need a Linux VM that has been
protected with Azure Backup, see Back up a virtual machine in Azure with the CLI.
Backup overview
When Azure initiates a backup, the backup extension on the VM takes a point-in-time snapshot. The backup
extension is installed on the VM when the first backup is requested. Azure Backup can also take a snapshot of the
underlying storage if the VM is not running when the backup takes place.
By default, Azure Backup takes a file system consistent backup. Once Azure Backup takes the snapshot, the data is
transferred to the Recovery Services vault. To maximize efficiency, Azure Backup identifies and transfers only the
blocks of data that have changed since the previous backup.
When the data transfer is complete, the snapshot is removed and a recovery point is created.
Restore a VM disk
To restore your disk from the recovery point, you first create an Azure storage account. This storage account is
used to store the restored disk. In additional steps, the restored disk is used to create a VM.
1. To create a storage account, use az storage account create. The storage account name must be all lowercase,
and be globally unique. Replace mystorageaccount with your own unique name:
2. Restore the disk from your recovery point with az backup restore restore-disks. Replace mystorageaccount
with the name of the storage account you created in the preceding command. Replace
myRecoveryPointName with the recovery point name you obtained in the output from the previous az
backup recoverypoint list command:
The output is similar to the following example, which shows the restore job is InProgress:
When the Status of the restore job reports Completed, the disk has been restored to the storage account.
2. Your unmanaged disk is secured in the storage account. The following commands get information about
your unmanaged disk and create a variable named uri that is used in the next step when you create the
Managed Disk.
3. Now you can create a Managed Disk from your recovered disk with az disk create. The uri variable from the
preceding step is used as the source for your Managed Disk.
az disk create \
--resource-group myResourceGroup \
--name myRestoredDisk \
--source "$uri"
4. As you now have a Managed Disk from your restored disk, clean up the unmanaged disk and storage
account with az storage account delete. Replace mystorageaccount with the name of your storage account
as follows:
az vm create \
--resource-group myResourceGroup \
--name myRestoredVM \
--attach-os-disk myRestoredDisk \
--os-type linux
2. To confirm that your VM has been created from your recovered disk, list the VMs in your resource group
with az vm list as follows:
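For the uri variable that step 3 above passes to az disk create, an added example that is not part of the original tutorial: a shell function that accepts the value only if it is an https blob URL in the storage account you created and names a .vhd, so an empty or unexpected query result never reaches the disk creation call. The function names, exit codes, sample URIs and the public-cloud endpoint suffix blob.core.windows.net are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial). Names are hypothetical.

# parse_vhd_uri URI EXPECTED_ACCOUNT
# Prints "container blob" and returns 0 when URI is acceptable. Otherwise:
#   1 = empty or not an https URL
#   2 = host is not EXPECTED_ACCOUNT's blob endpoint
#   3 = path is not container/blob.vhd, or has whitespace, query or fragment
parse_vhd_uri() {
    local uri account rest host path container blob
    uri=$1
    account=$2
    case "$uri" in
        https://?*) rest=${uri#https://} ;;
        *) return 1 ;;
    esac
    case "$rest" in
        *[[:space:]?#]*) return 3 ;;
    esac
    host=${rest%%/*}
    [ "$host" != "$rest" ] || return 3        # no path component at all
    path=${rest#*/}
    # Assumption: public Azure cloud endpoint suffix.
    [ "$host" = "$account.blob.core.windows.net" ] || return 2
    container=${path%%/*}
    [ "$container" != "$path" ] || return 3   # container only, no blob
    blob=${path#*/}
    [ -n "$container" ] && [ -n "$blob" ] || return 3
    case "$blob" in
        *.vhd) ;;
        *) return 3 ;;
    esac
    printf '%s %s\n' "$container" "$blob"
}

# Hypothetical wrapper around the tutorial's az disk create call: the URI is
# checked first and always passed quoted.
create_disk_from_restored_vhd() {
    local uri account
    uri=$1
    account=$2
    if ! parse_vhd_uri "$uri" "$account" >/dev/null; then
        echo "refusing to create a disk from unexpected source: '$uri'" >&2
        return 1
    fi
    az disk create \
        --resource-group myResourceGroup \
        --name myRestoredDisk \
        --source "$uri"
}

# Constructed sample values; mystorageaccount is the tutorial's placeholder.
for u in \
    "https://mystorageaccount.blob.core.windows.net/vhds/myVM-osdisk.vhd" \
    "" \
    "https://otheraccount.blob.core.windows.net/vhds/myVM-osdisk.vhd" \
    "https://mystorageaccount.blob.core.windows.net/vhds/config.json"
do
    if out=$(parse_vhd_uri "$u" mystorageaccount); then
        echo "ok      [$out]"
    else
        echo "reject  status=$? uri='$u'"
    fi
done
```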
Next steps
In this tutorial, you restored a disk from a recovery point and then created a VM from the disk. You learned how to:
List and select recovery points
Restore a disk from a recovery point
Create a VM from the restored disk
Advance to the next tutorial to learn about restoring individual files from a recovery point.
Restore files to a virtual machine in Azure
Restore files to a virtual machine in Azure
9/29/2017
Azure Backup creates recovery points that are stored in geo-redundant recovery vaults. When you restore from a
recovery point, you can restore the whole VM or individual files. This article details how to restore individual files.
In this tutorial you learn how to:
List and select recovery points
Connect a recovery point to a VM
Restore files from a recovery point
If you choose to install and use the CLI locally, this tutorial requires that you are running the Azure CLI version
2.0.18 or later. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI 2.0.
Prerequisites
This tutorial requires a Linux VM that has been protected with Azure Backup. To simulate an accidental file deletion
and recovery process, you delete a page from a web server. If you need a Linux VM that runs a webserver and has
been protected with Azure Backup, see Back up a virtual machine in Azure with the CLI.
Backup overview
When Azure initiates a backup, the backup extension on the VM takes a point-in-time snapshot. The backup
extension is installed on the VM when the first backup is requested. Azure Backup can also take a snapshot of the
underlying storage if the VM is not running when the backup takes place.
By default, Azure Backup takes a file system consistent backup. Once Azure Backup takes the snapshot, the data is
transferred to the Recovery Services vault. To maximize efficiency, Azure Backup identifies and transfers only the
blocks of data that have changed since the previous backup.
When the data transfer is complete, the snapshot is removed and a recovery point is created.
2. To confirm that your web site currently works, open a web browser to the public IP address of your VM.
Leave the web browser window open.
3. Connect to your VM with SSH. Replace publicIpAddress with the public IP address that you obtained in a
previous command:
ssh publicIpAddress
4. Delete the default page from the web server at /var/www/html/index.nginx-debian.html as follows:
sudo rm /var/www/html/index.nginx-debian.html
5. In your web browser, refresh the web page. The web site no longer loads the page, as shown in the
following example:
6. Close the SSH session to your VM as follows:
exit
2. To obtain the script that connects, or mounts, the recovery point to your VM, use az backup restore files
mount-rp. The following example obtains the script for the VM named myVM that is protected in
myRecoveryServicesVault.
Replace myRecoveryPointName with the name of the recovery point that you obtained in the preceding
command:
3. To transfer the script to your VM, use Secure Copy (SCP). Provide the name of your downloaded script, and
replace publicIpAddress with the public IP address of your VM. Make sure you include the trailing : at the
end of the SCP command as follows:
ssh publicIpAddress
2. To allow your script to run correctly, add execute permissions with chmod. Enter the name of your own
script:
chmod +x myVM_we_1571974050985163527.sh
3. To mount the recovery point, run the script. Enter the name of your own script:
./myVM_we_1571974050985163527.sh
As the script runs, you are prompted to enter a password to access the recovery point. Enter the password
shown in the output from the previous az backup restore files mount-rp command that generated the
recovery script.
The output from the script gives you the path for the recovery point. The following example output shows
that the recovery point is mounted at /home/azureuser/myVM-20170919213536/Volume1:
Connection succeeded!
Please wait while we attach volumes of the recovery point to this machine...
************ Volumes of the recovery point and their mount paths on this machine ************
4. Use cp to copy the NGINX default web page from the mounted recovery point back to the original file
location. Replace the /home/azureuser/myVM-20170919213536/Volume1 mount point with your own
location:
exit
7. Unmount the recovery point from your VM with az backup restore files unmount-rp. The following example
unmounts the recovery point from the VM named myVM in myRecoveryServicesVault.
Replace myRecoveryPointName with the name of your recovery point that you obtained in the previous
commands:
Next steps
In this tutorial, you connected a recovery point to a VM and restored files for a web server. You learned how to:
List and select recovery points
Connect a recovery point to a VM
Restore files from a recovery point
Advance to the next tutorial to learn about how to back up Windows Server to Azure.
Back up Windows Server to Azure
Back up Windows Server to Azure
9/25/2017
You can use Azure Backup to protect your Windows Server from corruptions, attacks, and disasters. Azure Backup
provides a lightweight tool known as the Microsoft Azure Recovery Services (MARS) agent. The MARS agent is
installed on the Windows Server to protect files and folders, and server configuration info via Windows Server
System State. This tutorial explains how you can use MARS Agent to back up your Windows Server to Azure. In this
tutorial you learn how to:
Download and set up the MARS Agent
Configure backup times and the retention schedule for your server's backups
Perform an ad-hoc back up
Log in to Azure
Log in to the Azure portal at http://portal.azure.com.
7. On the Select Retention Policy page, select the Retention Policy for the backup copy for files and folders.
The retention period of System State backups is automatically set to 60 days.
8. On the Choose Initial Back up Type page, leave the option Automatically over the network selected, and
then click Next.
9. On the Confirmation page, review the information, and then click Finish.
10. After the wizard finishes creating the backup schedule, click Close.
2. On the Confirmation page, review the settings that the Back Up Now wizard uses to back up your server.
Then click Back Up.
3. Click Close to close the wizard. If you close the wizard before the back up process finishes, the wizard continues
to run in the background.
4. After the initial backup is completed, Job completed status appears in the Jobs pane of the MARS agent console.
Next steps
In this tutorial you used the Azure portal to:
Create a Recovery Services vault
Download the Microsoft Azure Recovery Services agent
Install the agent
Configure backup for Windows Server
Perform an on-demand backup
Continue to the next tutorial to recover files from Azure to Windows Server
Restore files from Azure to Windows Server
Recover files from Azure to a Windows Server
9/25/2017
Azure Backup enables the recovery of individual items from backups of your Windows Server. Recovering
individual files is helpful if you must quickly restore files that are accidentally deleted. This tutorial covers how you
can use the Microsoft Azure Recovery Services (MARS) agent to recover items from backups you have
already performed in Azure. In this tutorial you learn how to:
Initiate recovery of individual items
Select a recovery point
Restore items from a recovery point
This tutorial assumes you have already performed the steps to Back up a Windows Server to Azure and have at
least one backup of your Windows Server files in Azure.
2. In the wizard, click Recover Data in the Actions Pane of the agent console to start the Recover Data
wizard.
3. On the Getting Started page, select This server (server name) and click Next.
4. On the Select Recovery Mode page, select Individual files and folders and then click Next to begin the
recovery point selection process.
5. On the Select Volume and Date page, select the volume that contains the files or folders you want to
restore, and click Mount. Select a date, and select a time from the drop-down menu that corresponds to a
recovery point. Dates in bold indicate the availability of at least one recovery point on that day.
When you click Mount, Azure Backup makes the recovery point available as a disk. Browse and recover files
from the disk.
You can open the files directly from the recovery volume and verify the files.
2. In Windows Explorer, copy the files and/or folders you want to restore and paste them to any desired
location on the server.
3. When you are finished restoring the files and/or folders, on the Browse and Recovery Files page of the
Recover Data wizard, click Unmount.
Next steps
This completes the tutorials on backing up and restoring Windows Server data to Azure. To learn more about Azure
Backup, see the PowerShell sample for backing up encrypted virtual machines.
Back up encrypted VM
Azure Backup PowerShell samples
9/25/2017
The following table links to PowerShell script samples that use Azure Backup to back up and restore data.
Back up an encrypted virtual machine to Azure: Back up all data on the encrypted virtual machine.
Questions about the Azure Backup service
9/19/2017
This article has answers to common questions to help you quickly understand the Azure Backup components. In
some of the answers, there are links to the articles that have comprehensive information. You can also post
questions about the Azure Backup service in the discussion forum.
Azure VM backup
A detailed list of questions is available in the FAQ on Azure VM backup.
Windows Server 2012 and latest SPs 64 bit Datacenter, Foundation, Standard
4 Windows 7 1700 GB
The following table explains how each data source size is determined.
DATASOURCE | DETAILS
Hyper-V virtual machine | Sum of data of all the VHDs of the virtual machine being backed up
Microsoft SQL Server database | Size of single SQL database size being backed up
BMR/System State | Each individual copy of BMR or system state of the machine being backed up
For Azure VM backup, each VM can have up to 16 data disks with each data disk being of size 1023 GB or less.
This article has answers to common questions to help you quickly understand the Azure VM Backup components.
In some of the answers, there are links to the articles that have comprehensive information. You can also post
questions about the Azure Backup service in the discussion forum.
Configure backup
Do Recovery Services vaults support classic VMs or Resource Manager based VMs?
Recovery Services vaults support both models. You can back up a classic VM (created in the Classic portal), or a
Resource Manager VM (created in the Azure portal) to a Recovery Services vault.
What configurations are not supported by Azure VM backup?
Go through Supported operating systems and Limitations of VM backup
Why can't I see my VM in configure backup wizard?
In Configure backup wizard, Azure Backup only lists VMs that are:
Not already protected. You can verify the backup status of a VM by going to the VM blade and checking Backup
status from the Settings menu. Learn more on how to Check backup status of a VM.
Belongs to same region as VM
Backup
Will on-demand backup job follow same retention schedule as scheduled backups?
No. You should specify the retention range for an on-demand backup job. By default, it is retained for 30 days
when triggered from portal.
I recently enabled Azure Disk Encryption on some VMs. Will my backups continue to work?
You need to give permissions for Azure Backup service to access Key Vault. You can provide these permissions in
PowerShell using steps mentioned in Enable Backup section of PowerShell documentation.
I migrated disks of a VM to managed disks. Will my backups continue to work?
Yes, backups work seamlessly and there is no need to reconfigure backup.
My VM is shut down. Will an on-demand or a scheduled backup work?
Yes. Even when a machine is shut down, backups work and the recovery point is marked as Crash consistent. For
more details, see the data consistency section in this article.
Restore
How do I decide between restoring disks versus full VM restore?
Think of Azure full VM restore as a quick create option. Restore VM option changes the names of disks, containers
used by those disks, public IP addresses and network interface names. The change is required to maintain the
uniqueness of resources created during VM creation. But it will not add the VM to availability set.
Use restore disks to:
Customize the VM that gets created from point in time configuration like changing the size
Add configurations, which are not present at the time of backup
Control the naming convention for resources getting created
Add VM to availability set
For any other configuration which can be achieved only by using PowerShell/a declarative template definition
Manage VM backups
What happens when I change a backup policy on VM(s)?
When a new policy is applied on VM(s), schedule and retention of the new policy is followed. If retention is
extended, existing recovery points are marked to keep them as per new policy. If retention is reduced, they are
marked for pruning in the next cleanup job and subsequently deleted.
Questions about the Azure Backup agent
8/16/2017
This article has answers to common questions to help you quickly understand the Azure Backup agent
components. In some of the answers, there are links to the articles that have comprehensive information. You can
also post questions about the Azure Backup service in the discussion forum.
Configure backup
Where can I download the latest Azure Backup agent?
You can download the latest agent for backing up Windows Server, System Center DPM, or Windows client, from
here. If you want to back up a virtual machine, use the VM Agent (which automatically installs the proper
extension). The VM Agent is already present on virtual machines created from the Azure gallery.
When configuring the Azure Backup agent, I am prompted to enter the vault credentials. Do vault credentials
expire?
Yes, the vault credentials expire after 48 hours. If the file expires, log in to the Azure portal and download the vault
credentials files from your vault.
What types of drives can I back up files and folders from?
You can't back up the following drives/volumes:
Removable Media: All backup item sources must report as fixed.
Read-only Volumes: The volume must be writable for the volume shadow copy service (VSS) to function.
Offline Volumes: The volume must be online for VSS to function.
Network share: The volume must be local to the server to be backed up using online backup.
Bitlocker-protected volumes: The volume must be unlocked before the backup can occur.
File System Identification: NTFS is the only file system supported.
What file and folder types can I back up from my server?
The following types are supported:
Encrypted
Compressed
Sparse
Compressed + Sparse
Hard Links: Not supported, skipped
Reparse Point: Not supported, skipped
Encrypted + Sparse: Not supported, skipped
Compressed Stream: Not supported, skipped
Sparse Stream: Not supported, skipped
Can I install the Azure Backup agent on an Azure VM already backed by the Azure Backup service using the VM
extension?
Absolutely. Azure Backup provides VM-level backup for Azure VMs using the VM extension. To protect files and
folders on the guest Windows OS, install the Azure Backup agent on the guest Windows OS.
Can I install the Azure Backup agent on an Azure VM to back up files and folders present on temporary storage
provided by the Azure VM?
Yes. Install the Azure Backup agent on the guest Windows OS, and back up files and folders to temporary storage.
Backup jobs fail once temporary storage data is wiped out. Also, if the temporary storage data has been deleted,
you can only restore to non-volatile storage.
What's the minimum size requirement for the cache folder?
The size of the cache folder determines the amount of data that you are backing up. Your cache folder should be
5% of the space required for data storage.
How do I register my server to another datacenter?
Backup data is sent to the datacenter of the vault to which it is registered. The easiest way to change the datacenter
is to uninstall the agent and reinstall the agent and register to a new vault that belongs to desired datacenter.
Does the Azure Backup agent work on a server that uses Windows Server 2012 deduplication?
Yes. The agent service converts the deduplicated data to normal data when it prepares the backup operation. It then
optimizes the data for backup, encrypts the data, and then sends the encrypted data to the online backup service.
Backup
How do I change the cache location specified for the Azure Backup agent?
Use the following list to change the cache location.
1. Stop the Backup engine by executing the following command in an elevated command prompt:
PS C:\> Net stop obengine
2. Do not move the files. Instead, copy the cache space folder to a different drive with sufficient space. The
original cache space can be removed after confirming the backups are working with the new cache space.
3. Update the following registry entries with the path to the new cache space folder.
Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Azure Backup\Config
Entry: ScratchLocation
Value: New cache folder location
Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Azure Backup\Config\CloudBackupProvider
Entry: ScratchLocation
Value: New cache folder location
4. Restart the Backup engine by executing the following command in an elevated command prompt:
PS C:\> Net start obengine
Once the backup creation is successfully completed in the new cache location, you can remove the original cache
folder.
Where can I put the cache folder for the Azure Backup Agent to work as expected?
The following locations for the cache folder are not recommended:
Network share or Removable Media: The cache folder must be local to the server that needs backing up using
online backup. Network locations or removable media like USB drives are not supported.
Offline Volumes: The cache folder must be online for expected backup using Azure Backup Agent.
Are there any attributes of the cache folder that are not supported?
The following attributes or their combinations are not supported for the cache folder:
Encrypted
De-duplicated
Compressed
Sparse
Reparse-Point
The cache folder and the metadata VHD do not have the necessary attributes for the Azure Backup agent.
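The cache-relocation steps and the cache-folder restrictions above, combined into one script as an added example (not code from the article or from Microsoft). The script name, the NewCachePath parameter, the sample path in the comment, and the use of robocopy for the copy are assumptions; the service name and registry entries are the ones listed in the procedure.

```powershell
#Requires -RunAsAdministrator
# Usage (constructed path): .\Move-BackupCache.ps1 -NewCachePath 'E:\BackupCache'
param(
    # Assumption: destination folder chosen by the operator, not a value from the article.
    [Parameter(Mandatory)] [string] $NewCachePath
)
$ErrorActionPreference = 'Stop'

# Registry paths and entry name as listed in step 3 of the procedure.
$RegPaths = 'HKLM:\SOFTWARE\Microsoft\Windows Azure Backup\Config',
            'HKLM:\SOFTWARE\Microsoft\Windows Azure Backup\Config\CloudBackupProvider'
$EntryName = 'ScratchLocation'

function Test-CacheVolume {
    # Returns a reason string when the target volume is unsuitable, otherwise nothing.
    param([string] $Path, [long] $RequiredBytes)
    $full = [IO.Path]::GetFullPath($Path)
    if ($full.StartsWith('\\')) { return 'Network share: the cache folder must be local to the server.' }
    $drive = [IO.DriveInfo]::new([IO.Path]::GetPathRoot($full))
    if (-not $drive.IsReady) { return "Volume $($drive.Name) is offline." }
    if ($drive.DriveType -ne [IO.DriveType]::Fixed) {
        return "Volume $($drive.Name) is of type $($drive.DriveType); use a local fixed drive."
    }
    if ($drive.AvailableFreeSpace -lt $RequiredBytes) {
        return "Volume $($drive.Name) has less free space than the current cache ($RequiredBytes bytes)."
    }
}

function Test-CacheFolderAttributes {
    # Flags the folder attributes the article lists as unsupported for the cache.
    # De-duplication is a volume feature, not a file attribute, and is not checked here.
    param([string] $Path)
    $unsupported = [IO.FileAttributes]'Encrypted, Compressed, SparseFile, ReparsePoint'
    $found = (Get-Item -LiteralPath $Path -Force).Attributes -band $unsupported
    if ([int]$found -ne 0) { return "Unsupported attribute(s) on ${Path}: $found" }
}

# Read the current cache location from the registry instead of assuming a default.
$oldCache = (Get-ItemProperty -Path $RegPaths[0] -Name $EntryName).$EntryName
$cacheBytes = [long](Get-ChildItem -LiteralPath $oldCache -Recurse -Force -File |
                     Measure-Object -Property Length -Sum).Sum

$reason = Test-CacheVolume -Path $NewCachePath -RequiredBytes $cacheBytes
if ($reason) { throw $reason }

# A folder created under a compressed or encrypted parent inherits that attribute,
# so the attribute check runs after the folder exists.
New-Item -ItemType Directory -Path $NewCachePath -Force | Out-Null
$reason = Test-CacheFolderAttributes -Path $NewCachePath
if ($reason) { throw $reason }

Stop-Service -Name obengine            # step 1, same effect as "net stop obengine"
try {
    # Step 2: copy, do not move, so the original cache remains as a fallback.
    robocopy $oldCache $NewCachePath /E /COPYALL /R:2 /W:5 | Out-Null
    if ($LASTEXITCODE -ge 8) {
        throw "robocopy failed with exit code $LASTEXITCODE; registry left unchanged."
    }
    # Step 3: point both registry entries at the new folder.
    foreach ($path in $RegPaths) {
        Set-ItemProperty -Path $path -Name $EntryName -Value $NewCachePath
    }
}
finally {
    # Step 4: the engine is restarted even if the copy failed, using whichever
    # location the registry currently holds.
    Start-Service -Name obengine
}

[pscustomobject]@{
    OldCache = $oldCache
    NewCache = (Get-ItemProperty -Path $RegPaths[0] -Name $EntryName).$EntryName
    Engine   = (Get-Service -Name obengine).Status
}
```

The script leaves the original cache folder in place; remove it only after a backup has completed successfully against the new location.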
Is there a way to adjust the amount of bandwidth used by the Backup service?
Yes, use the Change Properties option in the Backup Agent to adjust bandwidth. You can adjust the amount of
bandwidth and the times when you use that bandwidth. For step-by-step instructions, see Enable network
throttling.
Manage backups
What happens if I rename a Windows server that is backing up data to Azure?
When you rename a server, all currently configured backups are stopped. Register the new name of the server with
the Backup vault. When you register the new name with the vault, the first backup operation is a full backup. If you
need to recover data backed up to the vault with the old server name, use the Another server option in the
Recover Data wizard.
What is the maximum file path length that can be specified in Backup policy using Azure Backup agent?
Azure Backup agent relies on NTFS. The file path length specification is limited by the Windows API. If the files you
want to protect have a file-path length longer than what is allowed by the Windows API, back up the parent folder
or the disk drive.
What characters are allowed in file path of Azure Backup policy using Azure Backup agent?
Azure Backup agent relies on NTFS. It enables NTFS supported characters as part of file specification.
I receive the warning, "Azure Backups have not been configured for this server" even though I configured a
backup policy
This warning occurs when the backup schedule settings stored on the local server are not the same as the settings
stored in the backup vault. When either the server or the settings have been recovered to a known good state, the
backup schedules can lose synchronization. If you receive this warning, reconfigure the backup policy and then
Run Back Up Now to resynchronize the local server with Azure.
Backup vault upgraded to Recovery Services vault
10/5/2017
This article provides an overview of what Recovery Services vault provides, frequently asked questions about
upgrading existing Backup vault to Recovery Services vault, and post-upgrade steps. A Recovery Services vault is
the Azure Resource Manager equivalent of a Backup vault that houses your backup data. The data is typically copies
of data, or configuration information for virtual machines (VMs), workloads, servers, or workstations, whether on-
premises or in Azure.
NOTE
For CPS Standard customers, Resource group is not changed after the vault upgrade and remains the same as it was before
the upgrade.
The first screen shows the vault dashboard that displays key entities for the vault.
The second screen shows the help links available to help you get started using the Recovery Services vault.
Post-upgrade steps
Recovery Services vault supports specifying time zone information in backup policy. After the vault is successfully
upgraded, go to Backup policies from the vault settings menu and update the time zone information for each of the
policies configured in the vault. This screen already shows the backup schedule time specified as per the local time
zone used when you created the policy.
Enhanced security
When a Backup vault is upgraded to a Recovery Services vault, the security settings for that vault are automatically
turned on. When the security settings are on, certain operations such as deleting backups, or changing a
passphrase require an Azure Multi-Factor Authentication PIN. For more information on the enhanced security, see
the article Security features to protect hybrid backups. When the enhanced security is turned on, data is retained up
to 14 days after the recovery point information has been deleted from the vault. Customers are billed for storage of
this security data. Security data retention applies to recovery points taken for the Azure Backup agent, Azure Backup
Server, and System Center Data Protection Manager.
Next steps
Use the following articles for:
Back up an IaaS VM
Back up an Azure Backup Server
Back up a Windows Server
Use Role-Based Access Control to manage Azure
Backup recovery points
10/4/2017
Azure Role-Based Access Control (RBAC) enables fine-grained access management for Azure. Using RBAC, you can
segregate duties within your team and grant only the amount of access to users that they need to perform their
jobs.
IMPORTANT
Roles provided by Azure Backup are limited to actions that can be performed in the Azure portal or with Recovery
Services vault PowerShell cmdlets. Actions performed in the Azure Backup agent client UI, the System Center Data
Protection Manager UI, or the Azure Backup Server UI are outside the control of these roles.
Azure Backup provides 3 built-in roles to control backup management operations. Learn more on Azure RBAC
built-in roles
Backup Contributor - This role has all permissions to create and manage backup except creating Recovery
Services vault and giving access to others. Imagine this role as admin of backup management who can do
every backup management operation.
Backup Operator - This role has permissions to everything a contributor does except removing backup and
managing backup policies. This role is equivalent to contributor except it can't perform destructive operations
such as stop backup with delete data or remove registration of on-premises resources.
Backup Reader - This role has permissions to view all backup management operations. Imagine this role to be a
monitoring person.
If you're looking to define your own roles for even more control, see how to build Custom roles in Azure RBAC.
Enable backup of Azure VMs: Backup Operator on vault, Virtual machine contributor on VMs
Restore disks, individual files from VM backup: Backup operator, Virtual machine contributor on VMs
Stop backup (with retain data or delete data) on VM backup: Backup contributor
Next steps
Role Based Access Control: Get started with RBAC in the Azure portal.
Learn how to manage access with:
PowerShell
Azure CLI
REST API
Role-Based Access Control troubleshooting: Get suggestions for fixing common issues.
Security features to help protect hybrid backups that
use Azure Backup
8/22/2017
Concerns about security issues, like malware, ransomware, and intrusion, are increasing. These security issues can
be costly, in terms of both money and data. To guard against such attacks, Azure Backup now provides security
features to help protect hybrid backups. This article covers how to enable and use these features, by using an
Azure Recovery Services agent and Azure Backup Server. These features include:
Prevention. An additional layer of authentication is added whenever a critical operation like changing a
passphrase is performed. This validation is to ensure that such operations can be performed only by users who
have valid Azure credentials.
Alerting. An email notification is sent to the subscription admin whenever a critical operation like deleting
backup data is performed. This email ensures that the user is notified quickly about such actions.
Recovery. Deleted backup data is retained for an additional 14 days from the date of the deletion. This ensures
recoverability of the data within a given time period, so there is no data loss even if an attack happens. Also, a
greater number of minimum recovery points are maintained to guard against corrupt data.
NOTE
Security features should not be enabled if you are using infrastructure as a service (IaaS) VM backup. These features are not
yet available for IaaS VM backup, so enabling them will not have any impact. Security features should be enabled only if you
are using:
Azure Backup agent. Minimum agent version 2.0.9052. After you have enabled these features, you should upgrade to
this agent version to perform critical operations.
Azure Backup Server. Minimum Azure Backup agent version 2.0.9052 with Azure Backup Server update 1.
System Center Data Protection Manager. Minimum Azure Backup agent version 2.0.9052 with Data Protection
Manager 2012 R2 UR12 or Data Protection Manager 2016 UR2.
NOTE
These features are available only for Recovery Services vault. All the newly created Recovery Services vaults have these
features enabled by default. For existing Recovery Services vaults, users enable these features by using the steps mentioned
in the following section. After the features are enabled, they apply to all the Recovery Services agent computers, Azure
Backup Server instances, and Data Protection Manager servers registered with the vault. Enabling this setting is a one-time
action, and you cannot disable these features after enabling them.
Prevent attacks
Checks have been added to make sure only valid users can perform various operations. These include adding an
extra layer of authentication, and maintaining a minimum retention range for recovery purposes.
Authentication to perform critical operations
As part of adding an extra layer of authentication for critical operations, you are prompted to enter a security PIN
when you perform Stop Protection with Delete data and Change Passphrase operations.
To receive this PIN:
1. Sign in to the Azure portal.
2. Browse to Recovery Services vault > Settings > Properties.
3. Under Security PIN, click Generate. This opens a blade that contains the PIN to be entered in the Azure
Recovery Services agent user interface. This PIN is valid for only five minutes, and it gets generated
automatically after that period.
Maintain a minimum retention range
To ensure that there are always a valid number of recovery points available, the following checks have been
added:
For daily retention, a minimum of seven days of retention should be done.
For weekly retention, a minimum of four weeks of retention should be done.
For monthly retention, a minimum of three months of retention should be done.
For yearly retention, a minimum of one year of retention should be done.
Troubleshooting errors
OPERATION ERROR DETAILS RESOLUTION
Next steps
Get started with Azure Recovery Services vault to enable these features.
Download the latest Azure Recovery Services agent to help protect Windows computers and guard your
backup data against attacks.
Download the latest Azure Backup Server to help protect workloads and guard your backup data against
attacks.
Download UR12 for System Center 2012 R2 Data Protection Manager or download UR2 for System Center
2016 Data Protection Manager to help protect workloads and guard your backup data against attacks.
Offline-backup workflow in Azure Backup
8/21/2017
Azure Backup has several built-in efficiencies that save network and storage costs during the initial full backups of
data to Azure. Initial full backups typically transfer large amounts of data and require more network bandwidth
when compared to subsequent backups that transfer only the deltas/incrementals. Azure Backup compresses the
initial backups. Through the process of offline seeding, Azure Backup can use disks to upload the compressed
initial backup data offline to Azure.
The offline-seeding process of Azure Backup is tightly integrated with the Azure Import/Export service that enables
you to transfer data to Azure by using disks. If you have terabytes (TBs) of initial backup data that needs to be
transferred over a high-latency and low-bandwidth network, you can use the offline-seeding workflow to ship the
initial backup copy on one or more hard drives to an Azure datacenter. This article provides an overview of the
steps that complete this workflow.
Overview
With the offline-seeding capability of Azure Backup and Azure Import/Export, it is simple to upload the data offline
to Azure by using disks. Instead of transferring the initial full copy over the network, the backup data is written to a
staging location. After the copy to the staging location is completed by using the Azure Import/Export tool, this
data is written to one or more SATA drives, depending on the amount of data. These drives are eventually shipped
to the nearest Azure datacenter.
The August 2016 update of Azure Backup (and later) includes the Azure Disk Preparation tool, named
AzureOfflineBackupDiskPrep, that:
Helps you prepare your drives for Azure Import by using the Azure Import/Export tool.
Automatically creates an Azure Import job for the Azure Import/Export service on the Azure classic portal as
opposed to creating the same manually with older versions of Azure Backup.
After the upload of the backup data to Azure is finished, Azure Backup copies the backup data to the backup vault
and the incremental backups are scheduled.
NOTE
To use the Azure Disk Preparation tool, ensure that you have installed the August 2016 update of Azure Backup (or later),
and perform all the steps of the workflow with it. If you are using an older version of Azure Backup, you can prepare the
SATA drive by using the Azure Import/Export tool as detailed in later sections of this article.
Prerequisites
Familiarize yourself with the Azure Import/Export workflow.
Before initiating the workflow, ensure the following:
An Azure Backup vault has been created.
Vault credentials have been downloaded.
The Azure Backup agent has been installed on either Windows Server/Windows client or System Center
Data Protection Manager server, and the computer is registered with the Azure Backup vault.
Download the Azure Publish file settings on the computer from which you plan to back up your data.
Prepare a staging location, which might be a network share or additional drive on the computer. The staging
location is transient storage and is used temporarily during this workflow. Ensure that the staging location has
enough disk space to hold your initial copy. For example, if you are trying to back up a 500-GB file server,
ensure that the staging area is at least 500 GB. (A smaller amount is used due to compression.)
Make sure that you're using a supported drive. Only 2.5-inch SSD, or 2.5-inch or 3.5-inch SATA II/III internal hard
drives are supported for use with the Import/Export service. You can use hard drives up to 10 TB. Check the
Azure Import/Export service documentation for the latest set of drives that the service supports.
Enable BitLocker on the computer to which the SATA drive writer is connected.
Download the Azure Import/Export tool to the computer to which the SATA drive writer is connected. This step
is not required if you have downloaded and installed the August 2016 update of Azure Backup (or later).
Workflow
The information in this section helps you complete the offline-backup workflow so that your data can be delivered
to an Azure datacenter and uploaded to Azure Storage. If you have questions about the Import service or any
aspect of the process, see the Import service overview documentation referenced earlier.
Initiate offline backup
1. When you schedule a backup, you see the following screen (in Windows Server, Windows client, or System
Center Data Protection Manager).
NOTE
If you have registered your server to an Azure Recovery Services vault from the Azure portal for your
backups and are not on a Cloud Solution Provider (CSP) subscription, you can still create a classic type
storage account from the Azure portal and use it for the offline-backup workflow.
Save all this information because you need to enter it again in following steps. Only the staging
location is required if you used the Azure Disk Preparation tool to prepare the disks.
2. Complete the workflow, and then select Back Up Now in the Azure Backup management console to initiate
the offline-backup copy. The initial backup is written to the staging area as part of this step.
To complete the corresponding workflow in System Center Data Protection Manager, right-click the
Protection Group, and then choose the Create recovery point option. You then choose the Online
Protection option.
After the operation finishes, the staging location is ready to be used for disk preparation.
Prepare a SATA drive and create an Azure Import job by using the Azure Disk Preparation tool
The Azure Disk Preparation tool is available in the installation directory of the Recovery Services agent (August 2016
update and later) in the following path.
\Microsoft Azure Recovery Services Agent\Utils\
1. Go to the directory, and copy the AzureOfflineBackupDiskPrep directory to a copy computer on which
the drives to be prepared are mounted. Ensure the following with regard to the copy computer:
The copy computer can access the staging location for the offline-seeding workflow by using the same
network path that was provided in the Initiate offline backup workflow.
BitLocker is enabled on the computer.
The computer can access the Azure portal.
If necessary, the copy computer can be the same as the source computer.
2. Open an elevated command prompt on the copy computer with the Azure Disk Preparation tool directory
as the current directory, and run the following command:
.\AzureOfflineBackupDiskPrep.exe s:<Staging Location Path> [p:<Path to PublishSettingsFile>]
PARAMETER | DESCRIPTION
s:<Staging Location Path> | Mandatory input that's used to provide the path to the staging location that you entered in the Initiate offline backup workflow.
p:<Path to PublishSettingsFile> | Optional input that's used to provide the path to the Azure Publish Settings file that you entered in the Initiate offline backup workflow.
NOTE
The <Path to PublishSettingsFile> value is mandatory when the copy computer and source computer are different.
When you run the command, the tool requests the selection of the Azure Import job that corresponds to the
drives that need to be prepared. If only a single import job is associated with the provided staging location,
you see a screen like the one that follows.
3. Enter the drive letter without the trailing colon for the mounted disk that you want to prepare for transfer to
Azure. Provide confirmation for the formatting of the drive when prompted.
The tool then begins to prepare the disk with the backup data. You may need to attach additional disks
when prompted by the tool in case the provided disk does not have sufficient space for the backup data.
At the end of successful execution of the tool, one or more disks that you provided are prepared for
shipping to Azure. In addition, an import job with the name you provided during the Initiate offline
backup workflow is created on the Azure classic portal. Finally, the tool displays the shipping address to the
Azure datacenter where the disks need to be shipped and the link to locate the import job on the Azure
classic portal.
4. Ship the disks to the address that the tool provided and keep the tracking number for future reference.
5. When you go to the link that the tool displayed, you see the Azure storage account that you specified in the
Initiate offline backup workflow. Here you can see the newly created import job on the
IMPORT/EXPORT tab of the storage account.
6. Click SHIPPING INFO at the bottom of the page to update your contact details as shown in the following
screen. Microsoft uses this info to ship your disks back to you after the import job is finished.
7. Enter the shipping details on the next screen. Provide the Delivery Carrier and Tracking Number details
that correspond to the disks that you shipped to the Azure datacenter.
Complete the workflow
After the import job finishes, initial backup data is available in your storage account. The Recovery Services agent
then copies the contents of the data from this account to the Backup vault or Recovery Services vault, whichever is
applicable. In the next scheduled backup time, the Azure Backup agent performs the incremental backup over the
initial backup copy.
NOTE
The following sections apply to users of earlier versions of Azure Backup who do not have access to the Azure Disk
Preparation tool.
NOTE
If you have installed the August 2016 update of Azure Backup (or later), ensure that the staging location that you
entered is the same as the one on the Back Up Now screen and contains AIB and Base Blob files.
PARAMETER | DESCRIPTION
/j:<JournalFile> | The path to the journal file. Each drive must have exactly one journal file. The journal file must not be on the target drive. The journal file has the .jrn extension and is created as part of running this command.
/sk:<StorageAccountKey> | The account key for the storage account to which the data is imported. The key needs to be the same as it was entered during backup policy/protection group creation.
/t:<TargetDriveLetter> | The drive letter without the trailing colon of the target hard drive for the current copy session.
/format | The option to format the drive. Specify this parameter when the drive needs to be formatted; otherwise, omit it. Before the tool formats the drive, it prompts for a confirmation from the console. To suppress the confirmation, specify the /silentmode parameter.
/encrypt | The option to encrypt the drive. Specify this parameter when the drive has not yet been encrypted with BitLocker and needs to be encrypted by the tool. If the drive has already been encrypted with BitLocker, omit this parameter, specify the /bk parameter, and provide the existing BitLocker key. If you specify the /format parameter, you must also specify the /encrypt parameter.
NOTE
A journal file that captures all the information about the workflow is created in the WAImportExport folder. You need this file
when you create an import job in the Azure portal.
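The parameter rules in the table above can be checked before a drive is prepared and shipped; the following PowerShell is an added example, not part of the original article or of Microsoft's tooling. The function name Test-ImportDriveArguments, the -HasBitLockerKey switch, and the sample paths are hypothetical, and the function only validates its input; it never runs the drive-preparation tool.

```powershell
# Added example: validates drive-preparation parameters against the table's rules.
# Test-ImportDriveArguments is a hypothetical name; it never invokes the tool.
# The /sk storage account key is deliberately not a parameter: no rule checked
# here needs it, so the key never appears in this script's input or output.
function Test-ImportDriveArguments {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $JournalFile,        # value for /j
        [Parameter(Mandatory)] [string] $TargetDriveLetter,  # value for /t
        [switch] $Format,                                    # /format will be passed
        [switch] $Encrypt,                                   # /encrypt will be passed
        [switch] $HasBitLockerKey                            # /bk will be passed with an existing key
    )

    $problems = [System.Collections.Generic.List[string]]::new()

    # /t takes the drive letter without the trailing colon.
    if ($TargetDriveLetter -notmatch '^[A-Za-z]$') {
        $problems.Add("/t must be one drive letter without the trailing colon, got '$TargetDriveLetter'.")
    }
    $letter = $TargetDriveLetter.TrimEnd(':')

    # /j must name a .jrn file.
    if ([System.IO.Path]::GetExtension($JournalFile) -ne '.jrn') {
        $problems.Add("/j must point to a .jrn file, got '$JournalFile'.")
    }

    # The journal file must not be on the target drive. A relative path is
    # resolved against the current location; the file does not have to exist yet.
    $root = if ([System.IO.Path]::IsPathRooted($JournalFile)) {
        [System.IO.Path]::GetPathRoot($JournalFile)
    } else {
        [System.IO.Path]::GetPathRoot((Get-Location).Path)
    }
    $rootLetter = "$root".TrimEnd('\', ':')
    if ($letter -and ($rootLetter -eq $letter)) {
        $problems.Add("The journal file is on target drive ${letter}: and must be stored elsewhere.")
    }

    # /format requires /encrypt.
    if ($Format -and -not $Encrypt) {
        $problems.Add('/format was specified without /encrypt; the table requires both together.')
    }

    # Exactly one encryption path applies: the tool encrypts the drive (/encrypt),
    # or the drive is already BitLocker-encrypted and its key is passed with /bk.
    if ($Encrypt -and $HasBitLockerKey) {
        $problems.Add('/encrypt and /bk are alternatives; for an already encrypted drive omit /encrypt.')
    }
    if (-not $Encrypt -and -not $HasBitLockerKey) {
        $problems.Add('Neither /encrypt nor /bk was given; the drive matches neither encryption case in the table.')
    }

    [pscustomobject]@{
        Valid    = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Constructed sample inputs (paths and drive letters are illustrative only).
Test-ImportDriveArguments -JournalFile 'C:\Seed\drive1.jrn' -TargetDriveLetter 'F' -Format -Encrypt
Test-ImportDriveArguments -JournalFile 'F:\drive1.jrn' -TargetDriveLetter 'F:' -Format
```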
Create an import job in the Azure portal
1. Go to your storage account in the Azure classic portal, click Import/Export, and then Create Import Job in
the task pane.
2. In step 1 of the wizard, indicate that you have prepared your drive and that you have the drive journal file
available.
3. In step 2 of the wizard, provide contact information for the person who's responsible for this import job.
4. In step 3, upload the drive journal files that you obtained in the previous section.
5. In step 4, enter the descriptive name for the import job that you entered during backup policy/protection
group creation. The name that you enter may contain only lowercase letters, numbers, hyphens, and
underscores, must start with a letter, and cannot contain spaces. The name that you choose is used to track
your jobs while they are in progress and after they are completed.
6. Next, select your datacenter region from the list. The datacenter region indicates the datacenter and address
to which you must ship your package.
7. In step 5, select your return carrier from the list, and enter your carrier account number. Microsoft uses this
account to ship your drives back to you after your import job is completed.
8. Ship the disk and enter the tracking number to track the status of the shipment. After the disk arrives in the
datacenter, it is copied to the storage account, and the status is updated.
Next steps
For any questions on the Azure Import/Export workflow, refer to Use the Microsoft Azure Import/Export service
to transfer data to Blob storage.
Refer to the offline-backup section of the Azure Backup FAQ for any questions about the workflow.
Move your long-term storage from tape to the
Azure cloud
6/27/2017
Azure Backup and System Center Data Protection Manager customers can:
Back up data on schedules that best suit the organizational needs.
Retain the backup data for longer periods.
Make Azure a part of their long-term retention needs (instead of tape).
This article explains how customers can enable backup and retention policies. Customers who use tapes to address
their long-term-retention needs now have a powerful and viable alternative with the availability of this feature.
The feature is enabled in the latest release of Azure Backup (which is available here). System Center DPM
customers must update to, at least, DPM 2012 R2 UR5 before using DPM with the Azure Backup service.
Customers can also schedule a weekly backup. For example, the settings in the following screen indicate that
backups are taken every alternate Sunday & Wednesday at 9:30AM and 1:00AM.
What is the Retention Policy?
The retention policy specifies the duration for which the backup must be stored. Rather than just specifying a flat
policy for all backup points, customers can specify different retention policies based on when the backup is taken.
For example, the backup point taken daily, which serves as an operational recovery point, is preserved for 90 days.
The backup point taken at the end of each quarter for audit purposes is preserved for a longer duration.
The total number of retention points specified in this policy is 90 (daily points) + 40 (one each quarter for 10
years) = 130.
Example: Putting both together
1. Daily retention policy: Backups taken daily are stored for seven days.
2. Weekly retention policy: Backups taken every day at midnight and 6PM Saturday are preserved for four
weeks.
3. Monthly retention policy: Backups taken at midnight and 6PM on the last Saturday of each month are
preserved for 12 months.
4. Yearly retention policy: Backups taken at midnight on the last Saturday of every March are preserved for 10
years.
The total number of retention points (points from which a customer can restore data) in the preceding diagram
is computed as follows:
two points per day for seven days = 14 recovery points
two points per week for four weeks = 8 recovery points
two points per month for 12 months = 24 recovery points
one point per year for 10 years = 10 recovery points
The total number of recovery points is 56.
NOTE
Azure Backup doesn't have a restriction on the number of recovery points.
Advanced configuration
By clicking Modify in the preceding screen, customers have further flexibility in specifying retention schedules.
Next Steps
For more information about Azure Backup, see:
Introduction to Azure Backup
Try Azure Backup
Azure Backup Server protection matrix
8/4/2017
This article lists the various servers and workloads that you can protect with Azure Backup Server. The following
matrix lists what can be protected with Azure Backup Server v1 and v2.
WORKLOAD | VERSION | AZURE BACKUP SERVER INSTALLATION | AZURE BACKUP SERVER V2 | AZURE BACKUP SERVER V1 | PROTECTION AND RECOVERY
Volumes must be at least 1 GB. DPM uses Volume Shadow Copy Service (VSS) to take the data snapshot and the snapshot only works if the volume is at least 1 GB.
Physical server
On-premises Hyper-V virtual machine
Azure virtual machine
Windows virtual machine in VMWare (protects workloads running in Windows virtual machine in VMWare)
Recover (all deployment scenarios): Mailbox, mailbox databases under a DAG
Recover (all deployment scenarios): Farm, database, web application, file or list item, SharePoint search, frontend web server
Note that protecting a SharePoint farm that's using the SQL Server 2012 AlwaysOn feature for the content databases isn't supported.
Recover: Entire virtual machine
Cluster support
Azure Backup Server can protect data in the following clustered applications:
File servers
SQL Server
Hyper-V - If you protect a Hyper-V cluster using scaled-out DPM protection, you can't add secondary
protection for the protected Hyper-V workloads.
If you run Hyper-V on Windows Server 2008 R2, make sure to install the update described in KB 975354. If
you run Hyper-V on Windows Server 2008 R2 in a cluster configuration, make sure you install SP2 and KB
971394.
Exchange Server - Azure Backup Server can protect non-shared disk clusters for supported Exchange Server
versions (cluster-continuous replication), and can also protect Exchange Server configured for local
continuous replication.
SQL Server - Azure Backup Server doesn't support backing up SQL Server databases hosted on cluster-
shared volumes (CSVs).
Azure Backup Server can protect cluster workloads that are located in the same domain as the DPM server, and in
a child or trusted domain. If you want to protect data sources in untrusted domains or workgroups, use NTLM or
certificate authentication for a single server, or certificate authentication only for a cluster.
Preparing to back up workloads using Azure Backup
Server
8/21/2017
This article explains how to prepare your environment to back up workloads using Azure Backup Server. With
Azure Backup Server, you can protect application workloads such as Hyper-V VMs, Microsoft SQL Server,
SharePoint Server, Microsoft Exchange, and Windows clients from a single console.
NOTE
Azure Backup Server can now protect VMware VMs and provides improved security capabilities. Install the product as
explained in the sections below; apply Update 1 and the latest Azure Backup Agent. To learn more about backing up
VMware servers with Azure Backup Server, see the article, Use Azure Backup Server to back up a VMware server. To learn
about security capabilities, refer to Azure backup security features documentation.
You can also protect Infrastructure as a Service (IaaS) workloads such as VMs in Azure.
NOTE
Azure has two deployment models for creating and working with resources: Resource Manager and classic. This article
provides the information and procedures for restoring VMs deployed using the Resource Manager model.
Azure Backup Server inherits much of the workload backup functionality from Data Protection Manager (DPM).
This article links to DPM documentation to explain some of the shared functionality. Though Azure Backup Server
shares much of the same functionality as DPM, Azure Backup Server does not back up to tape, nor does it
integrate with System Center.
Windows Server 2012 and latest SPs | 64 bit | Datacenter, Foundation, Standard
You can deduplicate the DPM storage using Windows Server Deduplication. Learn more about how DPM and
deduplication work together when deployed in Hyper-V VMs.
NOTE
Azure Backup Server is designed to run on a dedicated, single-purpose server. You cannot install Azure Backup Server on:
A computer running as a domain controller
A computer on which the Application Server role is installed
A computer that is a System Center Operations Manager management server
A computer on which Exchange Server is running
A computer that is a node of a cluster
Always join Azure Backup Server to a domain. If you plan to move the server to a different domain, it is
recommended that you join the server to the new domain before installing Azure Backup Server. Moving an
existing Azure Backup Server machine to a new domain after deployment is not supported.
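One way to check a candidate machine against the placement rules above before running setup, as an added example that is not part of the original article or Microsoft's code. The function names, the service names used to detect Operations Manager, Exchange and clustering, and the Application-Server feature name are assumptions used as heuristics; the 4 GB extraction and 5% scratch figures come from the installation steps in this article.

```powershell
# Added example: collect facts about the local host, then evaluate them against
# the article's placement rules. Function names are hypothetical; service and
# feature names are heuristics (assumptions), not an official detection method.
function Get-BackupServerHostFacts {
    param([string] $ExtractDrive = 'C', [string] $ScratchDrive = 'C')

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $feature = $null
    if (Get-Command -Name Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsFeature -Name 'Application-Server' -ErrorAction SilentlyContinue
    }
    $cluster = Get-Service -Name 'ClusSvc' -ErrorAction SilentlyContinue |
        Where-Object Status -eq 'Running'

    [pscustomobject]@{
        DomainRole      = [int]$cs.DomainRole          # 4 and 5 are domain controllers
        PartOfDomain    = [bool]$cs.PartOfDomain
        AppServerRole   = [bool]($feature -and $feature.Installed)
        ScomServices    = [bool](Get-Service -Name 'OMSDK', 'cshost' -ErrorAction SilentlyContinue)
        ExchangeService = [bool](Get-Service -Name 'MSExchange*' -ErrorAction SilentlyContinue)
        ClusterNode     = [bool]$cluster
        ExtractFreeGB   = [math]::Round((Get-PSDrive -Name $ExtractDrive).Free / 1GB, 1)
        ScratchFreeGB   = [math]::Round((Get-PSDrive -Name $ScratchDrive).Free / 1GB, 1)
    }
}

function Test-BackupServerHost {
    param(
        [Parameter(Mandatory)] $Facts,
        [double] $PlannedCloudBackupGB = 0   # data planned to be backed up to the cloud
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    if ($Facts.DomainRole -ge 4) { $findings.Add('Host is a domain controller.') }
    if (-not $Facts.PartOfDomain) { $findings.Add('Host is not joined to a domain; join it before installing.') }
    if ($Facts.AppServerRole)     { $findings.Add('Application Server role is installed.') }
    if ($Facts.ScomServices)      { $findings.Add('Operations Manager management server services found.') }
    if ($Facts.ExchangeService)   { $findings.Add('Exchange Server services found.') }
    if ($Facts.ClusterNode)       { $findings.Add('Cluster service is running; host appears to be a cluster node.') }

    # At least 4 GB of free space is required to extract the setup files.
    if ($Facts.ExtractFreeGB -lt 4) {
        $findings.Add("Only $($Facts.ExtractFreeGB) GB free for extraction; 4 GB required.")
    }
    # The scratch location must be at least 5% of the data backed up to the cloud.
    $scratchNeededGB = 0.05 * $PlannedCloudBackupGB
    if ($Facts.ScratchFreeGB -lt $scratchNeededGB) {
        $findings.Add("Scratch location has $($Facts.ScratchFreeGB) GB free; $scratchNeededGB GB needed.")
    }

    [pscustomobject]@{
        Supported = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Constructed sample facts: a domain controller with too little scratch space.
$constructed = [pscustomobject]@{
    DomainRole = 5; PartOfDomain = $true; AppServerRole = $false; ScomServices = $false
    ExchangeService = $false; ClusterNode = $false; ExtractFreeGB = 20.0; ScratchFreeGB = 60.0
}
Test-BackupServerHost -Facts $constructed -PlannedCloudBackupGB 2000

# On the real candidate host:
# Test-BackupServerHost -Facts (Get-BackupServerHostFacts) -PlannedCloudBackupGB 2000
```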
The Recovery Services vault blade opens, prompting you to provide a Name, Subscription, Resource
group, and Location.
4. For Name, enter a friendly name to identify the vault. The name needs to be unique for the Azure
subscription. Type a name that contains between 2 and 50 characters. It must start with a letter, and can
contain only letters, numbers, and hyphens.
5. Click Subscription to see the available list of subscriptions. If you are not sure which subscription to use, use
the default (or suggested) subscription. There are multiple choices only if your organizational account is
associated with multiple Azure subscriptions.
6. Click Resource group to see the available list of Resource groups, or click New to create a new Resource
group. For complete information on Resource groups, see Azure Resource Manager overview.
7. Click Location to select the geographic region for the vault.
8. Click Create. It can take a while for the Recovery Services vault to be created. Monitor the status notifications
in the upper right-hand area in the portal. Once your vault is created, it opens in the portal.
Set Storage Replication
The storage replication option allows you to choose between geo-redundant storage and locally redundant
storage. By default, your vault has geo-redundant storage. If this vault is your primary vault, leave the storage
option set to geo-redundant storage. Choose locally redundant storage if you want a cheaper option that isn't
quite as durable. Read more about geo-redundant and locally redundant storage options in the Azure Storage
replication overview.
To edit the storage replication setting:
1. Select your vault to open the vault dashboard and the Settings blade. If the Settings blade doesn't open, click
All settings in the vault dashboard.
2. On the Settings blade, click Backup Infrastructure > Backup Configuration to open the Backup
Configuration blade. On the Backup Configuration blade, choose the storage replication option for
your vault.
After choosing the storage option for your vault, you are ready to associate the VM with the vault. To
begin the association, you should discover and register the Azure virtual machines.
3. Software package
Downloading the software package
1. Sign in to the Azure portal.
2. If you already have a Recovery Services vault open, proceed to step 3. If you do not have a Recovery
Services vault open, but are in the Azure portal, on the Hub menu, click Browse.
In the list of resources, type Recovery Services.
As you begin typing, the list will filter based on your input. When you see Recovery Services
vaults, click it.
The list of Recovery Services vaults appears.
From the list of Recovery Services vaults, select a vault.
The selected vault dashboard opens.
3. The Settings blade opens up by default. If it is closed, click on Settings to open the settings blade.
5. In the Backup Goal blade, from the Where is your workload running menu, select On-premises.
From the What do you want to backup? drop-down menu, select the workloads you want to protect
using Azure Backup Server, and then click OK.
The Getting Started with backup wizard switches the Prepare infrastructure option to back up
workloads to Azure.
NOTE
If you only want to back up files and folders, we recommend using the Azure Backup agent and following the
guidance in the article, First look: back up files and folders. If you are going to protect more than files and folders,
or you are planning to expand the protection needs in the future, select those workloads.
6. In the Prepare infrastructure blade that opens, click the Download links for Install Azure Backup Server
and Download vault credentials. You use the vault credentials during registration of Azure Backup Server
to the recovery services vault. The links take you to the Download Center where the software package can
be downloaded.
7. Select all the files and click Next. Download all the files coming in from the Microsoft Azure Backup
download page, and place all the files in the same folder.
Since the download size of all the files together is > 3G, on a 10Mbps download link it may take up to 60
minutes for the download to complete.
Extracting the software package
After you've downloaded all the files, click MicrosoftAzureBackupInstaller.exe. This will start the Microsoft
Azure Backup Setup Wizard to extract the setup files to a location specified by you. Continue through the
wizard and click on the Extract button to begin the extraction process.
WARNING
At least 4GB of free space is required to extract the setup files.
Once the extraction process completes, check the box to launch the freshly extracted setup.exe to begin installing
Microsoft Azure Backup Server and click on the Finish button.
Installing the software package
1. Click Microsoft Azure Backup to launch the setup wizard.
2. On the Welcome screen click the Next button. This takes you to the Prerequisite Checks section. On this
screen, click Check to determine if the hardware and software prerequisites for Azure Backup Server have
been met. If all prerequisites are met successfully, you will see a message indicating that the machine
meets the requirements. Click on the Next button.
3. Microsoft Azure Backup Server requires SQL Server Standard, and the Azure Backup Server installation
package comes bundled with the appropriate SQL Server binaries needed. When starting with a new
Azure Backup Server installation, you should pick the option Install new Instance of SQL Server with
this Setup and click the Check and Install button. Once the prerequisites are successfully installed, click
Next.
If a failure occurs with a recommendation to restart the machine, do so and click Check Again.
NOTE
Azure Backup Server will not work with a remote SQL Server instance. The instance being used by Azure Backup
Server needs to be local.
4. Provide a location for the installation of Microsoft Azure Backup server files and click Next.
The scratch location is a requirement for backup to Azure. Ensure the scratch location is at least 5% of the
data planned to be backed up to the cloud. For disk protection, separate disks need to be configured once
the installation completes. For more information regarding storage pools, see Configure storage pools and
disk storage.
5. Provide a strong password for restricted local user accounts and click Next.
6. Select whether you want to use Microsoft Update to check for updates and click Next.
NOTE
We recommend having Windows Update redirect to Microsoft Update, which offers security and important updates
for Windows and other products like Microsoft Azure Backup Server.
7. Review the Summary of Settings and click Install.
8. The installation happens in phases. In the first phase the Microsoft Azure Recovery Services Agent is
installed on the server. The wizard also checks for Internet connectivity. If Internet connectivity is available,
you can proceed with installation. If not, you need to provide proxy details to connect to the Internet.
The next step is to configure the Microsoft Azure Recovery Services Agent. As a part of the configuration,
you will have to provide your vault credentials to register the machine to the recovery services vault. You
will also provide a passphrase to encrypt/decrypt the data sent between Azure and your premises. You can
automatically generate a passphrase or provide your own minimum 16-character passphrase. Continue
with the wizard until the agent has been configured.
9. Once registration of the Microsoft Azure Backup server successfully completes, the overall setup wizard
proceeds to the installation and configuration of SQL Server and the Azure Backup Server components.
Once the SQL Server component installation completes, the Azure Backup Server components are
installed.
When the installation step has completed, the product's desktop icons will have been created as well. Just
double-click the icon to launch the product.
Add backup storage
The first backup copy is kept on storage attached to the Azure Backup Server machine. For more information
about adding disks, see Configure storage pools and disk storage.
NOTE
You need to add backup storage even if you plan to send data to Azure. In the current architecture of Azure Backup
Server, the Azure Backup vault holds the second copy of the data while the local storage holds the first (and mandatory)
backup copy.
4. Network connectivity
Azure Backup Server requires connectivity to the Azure Backup service for the product to work successfully. To
validate whether the machine has the connectivity to Azure, use the Get-DPMCloudConnection cmdlet in the Azure
Backup Server PowerShell console. If the output of the cmdlet is TRUE then connectivity exists, else there is no
connectivity.
At the same time, the Azure subscription needs to be in a healthy state. To find out the state of your subscription
and to manage it, log in to the subscription portal.
Once you know the state of the Azure connectivity and of the Azure subscription, you can use the table below to
find out the impact on the backup/restore functionality offered.
CONNECTIVITY STATE | AZURE SUBSCRIPTION | BACK UP TO AZURE | BACK UP TO DISK | RESTORE FROM AZURE | RESTORE FROM DISK
Troubleshooting
If Microsoft Azure Backup server fails with errors during the setup phase (or backup or restore), refer to this error
codes document for more information. You can also refer to Azure Backup related FAQs.
Next steps
You can get detailed information about preparing your environment for DPM on the Microsoft TechNet site. It
also contains information about supported configurations on which Azure Backup Server can be deployed and
used.
You can use these articles to gain a deeper understanding of workload protection using Microsoft Azure Backup
server.
SQL Server backup
SharePoint server backup
Alternate server backup
Preparing to back up workloads using Azure Backup
Server
8/2/2017
This article is about preparing your environment to back up workloads using Azure Backup Server. With Azure
Backup Server, you can protect application workloads such as Hyper-V VMs, Microsoft SQL Server, SharePoint
Server, Microsoft Exchange and Windows clients from a single console.
WARNING
Azure Backup Server inherits the functionality of Data Protection Manager (DPM) for workload backup. You will find pointers
to DPM documentation for some of these capabilities. However, Azure Backup Server does not provide protection on tape or
integrate with System Center.
The first step towards getting the Azure Backup Server up and running is to have a Windows Server machine.
Azure | Azure IaaS virtual machine; A2 Standard: 2 cores, 3.5GB RAM | You can start with a simple gallery image of Windows Server 2012 R2 Datacenter. Protecting IaaS workloads using Azure Backup Server (DPM) has many nuances. Ensure that you read the article completely before deploying the machine.
NOTE
It is recommended that Azure Backup Server be installed on a machine with Windows Server 2012 R2 Datacenter. A lot of the
prerequisites are automatically covered with the latest version of the Windows operating system.
If you plan to join Azure Backup Server to a domain, it is recommended that you join the physical server or virtual
machine to the domain before installing the Azure Backup Server software. Moving an Azure Backup Server to a
new domain, after deployment, is not supported.
2. Backup vault
Whether you send backup data to Azure or keep it locally, the Azure Backup Server must be registered to a vault. If
you are a new Azure Backup user, and want to use Azure Backup Server, see the Azure portal version of this article -
Prepare to back up workloads using Azure Backup Server.
IMPORTANT
Starting March 2017, you can no longer use the classic portal to create Backup vaults. You can now upgrade your Backup
vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to a Recovery Services vault. Microsoft
encourages you to upgrade your Backup vaults to Recovery Services vaults.
After October 15, 2017, you can't use PowerShell to create Backup vaults. By November 1, 2017:
All remaining Backup vaults will be automatically upgraded to Recovery Services vaults.
You won't be able to access your backup data in the classic portal. Instead, use the Azure portal to access your backup
data in Recovery Services vaults.
3. Software package
3. Select all the files and click Next. Download all the files coming in from the Microsoft Azure Backup
download page, and place all the files in the same folder.
Since the download size of all the files together is > 3G, on a 10Mbps download link it may take up to 60
minutes for the download to complete.
Extracting the software package
After you've downloaded all the files, click MicrosoftAzureBackupInstaller.exe. This will start the Microsoft
Azure Backup Setup Wizard to extract the setup files to a location specified by you. Continue through the wizard
and click on the Extract button to begin the extraction process.
WARNING
At least 4GB of free space is required to extract the setup files.
Once the extraction process completes, check the box to launch the freshly extracted setup.exe to begin installing
Microsoft Azure Backup Server and click on the Finish button.
Installing the software package
1. Click Microsoft Azure Backup to launch the setup wizard.
2. On the Welcome screen click the Next button. This takes you to the Prerequisite Checks section. On this
screen, click on the Check button to determine if the hardware and software prerequisites for Azure Backup
Server have been met. If all of the prerequisites have been met successfully, you will see a message
indicating that the machine meets the requirements. Click on the Next button.
3. Microsoft Azure Backup Server requires SQL Server Standard, and the Azure Backup Server installation
package comes bundled with the appropriate SQL Server binaries needed. When starting with a new Azure
Backup Server installation, you should pick the option Install new Instance of SQL Server with this Setup
and click the Check and Install button. Once the prerequisites are successfully installed, click Next.
If a failure occurs with a recommendation to restart the machine, do so and click Check Again.
NOTE
Azure Backup Server will not work with a remote SQL Server instance. The instance being used by Azure Backup
Server needs to be local.
4. Provide a location for the installation of Microsoft Azure Backup server files and click Next.
The scratch location is a requirement for backup to Azure. Ensure the scratch location is at least 5% of the
data planned to be backed up to the cloud. For disk protection, separate disks need to be configured once
the installation completes. For more information regarding storage pools, see Configure storage pools and
disk storage.
5. Provide a strong password for restricted local user accounts and click Next.
6. Select whether you want to use Microsoft Update to check for updates and click Next.
NOTE
We recommend having Windows Update redirect to Microsoft Update, which offers security and important updates
for Windows and other products like Microsoft Azure Backup Server.
7. Review the Summary of Settings and click Install.
8. The installation happens in phases. In the first phase the Microsoft Azure Recovery Services Agent is
installed on the server. The wizard also checks for Internet connectivity. If Internet connectivity is available,
you can proceed with installation. If not, you need to provide proxy details to connect to the Internet.
The next step is to configure the Microsoft Azure Recovery Services Agent. As a part of the configuration,
you will have to provide your vault credentials to register the machine to the backup vault. You will also
provide a passphrase to encrypt/decrypt the data sent between Azure and your premises. You can
automatically generate a passphrase or provide your own minimum 16-character passphrase. Continue with
the wizard until the agent has been configured.
9. Once registration of the Microsoft Azure Backup server successfully completes, the overall setup wizard
proceeds to the installation and configuration of SQL Server and the Azure Backup Server components.
Once the SQL Server component installation completes, the Azure Backup Server components are installed.
When the installation step has completed, the product's desktop icons will have been created as well. Just double-
click the icon to launch the product.
Add backup storage
The first backup copy is kept on storage attached to the Azure Backup Server machine. For more information about
adding disks, see Configure storage pools and disk storage.
NOTE
You need to add backup storage even if you plan to send data to Azure. In the current architecture of Azure Backup Server,
the Azure Backup vault holds the second copy of the data while the local storage holds the first (and mandatory) backup
copy.
4. Network connectivity
Azure Backup Server requires connectivity to the Azure Backup service for the product to work successfully. To
validate whether the machine has the connectivity to Azure, use the Get-DPMCloudConnection cmdlet in the
Azure Backup Server PowerShell console. If the output of the cmdlet is TRUE then connectivity exists, else
there is no connectivity.
At the same time, the Azure subscription needs to be in a healthy state. To find out the state of your subscription
and to manage it, log in to the subscription portal.
Once you know the state of the Azure connectivity and of the Azure subscription, you can use the table below to
find out the impact on the backup/restore functionality offered.
CONNECTIVITY STATE | AZURE SUBSCRIPTION | BACKUP TO AZURE | BACKUP TO DISK | RESTORE FROM AZURE | RESTORE FROM DISK
Troubleshooting
If Microsoft Azure Backup server fails with errors during the setup phase (or backup or restore), refer to this error
codes document for more information. You can also refer to the Azure Backup related FAQs.
Next steps
You can get detailed information about preparing your environment for DPM on the Microsoft TechNet site. It also
contains information about supported configurations on which Azure Backup Server can be deployed and used.
You can use these articles to gain a deeper understanding of workload protection using Microsoft Azure Backup
server.
SQL Server backup
SharePoint server backup
Alternate server backup
Add storage to Azure Backup Server v2
6/27/2017
Azure Backup Server v2 comes with System Center 2016 Data Protection Manager Modern Backup Storage.
Modern Backup Storage offers storage savings of 50 percent, backups that are three times faster, and more
efficient storage. It also offers workload-aware storage.
NOTE
To use Modern Backup Storage, you must run Backup Server v2 on Windows Server 2016. If you run Backup Server v2 on an
earlier version of Windows Server, Azure Backup Server can't take advantage of Modern Backup Storage. Instead, it protects
workloads as it does with Backup Server v1. For more information, see the Backup Server version protection matrix.
3. Select the storage pool, and then select Add Physical Disk.
4. Select the physical disk, and then select Extend Virtual Disk.
The following screenshot shows the Update-DPMDiskStorage cmdlet in the PowerShell window.
The changes you make by using PowerShell are reflected in the Backup Server Administrator Console.
Next steps
After you install Backup Server, learn how to prepare your server, or begin protecting a workload.
Prepare Backup Server workloads
Use Backup Server to back up a VMware server
Use Backup Server to back up SQL Server
Install Azure Backup Server v2
8/4/2017
Azure Backup Server helps protect your virtual machines (VMs), workloads, files and folders, and more. Azure
Backup Server v2 builds on Azure Backup Server v1, and gives you new features that are not available in v1. For a
comparison of features between v1 and v2, see Azure Backup Server protection matrix.
The additional features in Backup Server v2 are an upgrade from Backup Server v1. However, Backup Server v1 is
not a prerequisite for installing Backup Server v2. If you want to upgrade from Backup Server v1 to Backup Server
v2, install Backup Server v2 on the Backup Server protection server. Your existing Backup Server settings remain
intact.
You can install Backup Server v2 on Windows Server 2012 R2 or Windows Server 2016. To take advantage of new
features like System Center 2016 Data Protection Manager Modern Backup Storage, you must install Backup Server
v2 on Windows Server 2016. Before you upgrade to or install Backup Server v2, read about the installation
prerequisites.
NOTE
Azure Backup Server has the same code base as System Center Data Protection Manager. Backup Server v1 is equivalent to
Data Protection Manager 2012 R2, and Backup Server v2 is equivalent to Data Protection Manager 2016. This article
occasionally references the Data Protection Manager documentation.
4. On the Welcome page, review the warnings, and then select Next.
5. The setup wizard performs prerequisite checks to make sure your environment can upgrade. On the
Prerequisite Checks page, select Check.
6. Your environment must pass the prerequisite checks. If your environment doesn't pass the checks, note the
issues and fix them. Then, select Check Again. After you pass the prerequisite checks, select Next.
7. On the SQL Settings page, select the relevant option for your SQL installation, and then select Check and
Install.
The checks might take a few minutes. When the checks are finished, select Next.
8. On the Installation Settings page, make any changes to the location where Backup Server is installed, or to
the Scratch Location. Select Next.
9. To finish the setup wizard, select Finish.
If you want to add a disk, the disk must belong to a protection group that has legacy storage. These disks can
only be used for these protection groups. If Backup Server doesn't have sources that have legacy protection,
the disk isn't listed.
For more information about adding disks, see Adding disks to increase legacy storage. You can't give a disk a
friendly name.
Assign workloads to volumes
In Backup Server, you specify which workloads are assigned to which volumes. For example, you can set expensive
volumes that support a high number of input/output operations per second (IOPS) to store only workloads that
require frequent, high-volume backups. An example is SQL Server with transaction logs.
Update-DPMDiskStorage
To update the properties of a volume in the storage pool in Backup Server, use the PowerShell cmdlet
Update-DPMDiskStorage.
Syntax:
Parameter Set: Volume
All changes that you make by using PowerShell are reflected in the UI.
5. On the Select Group Members page, in the Available members pane, the members with protection
agents are listed. For this example, select volumes D:\ and E:\ and add them to the Selected members pane.
Select Next.
6. On the Select Data Protection Method page, enter a Protection group name, select the protection
method, and then select Next. If you want short-term protection, you must select the Disk backup method.
7. On the Specify Short-Term Goals page, select the details for Retention range and Synchronization
frequency. Then, select Next. Optionally, to change the schedule for when recovery points are taken, select
Modify.
8. On the Review Disk Storage Allocation page, review details about the data sources you selected, their size,
and values for the space to be provisioned and the target storage volume.
Storage volumes are based on the workload volume allocation (set by using PowerShell) and the available
storage. You can change the storage volumes by selecting other volumes in the drop-down menu. If you
change the value for Target Storage, the value for Available disk storage dynamically changes to reflect
values under Free Space and Underprovisioned Space.
If the data sources grow as planned, the value for the Underprovisioned Space column in Available disk
storage reflects the amount of additional storage that's needed. Use this value to help plan your storage
needs for smooth backups. If the value is zero, there are no potential problems with storage in the
foreseeable future. If the value is a number other than zero, you do not have sufficient storage allocated
(based on your protection policy and the data size of your protected members).
To finish creating your protection group, complete the wizard.
3. Create a protection group that uses Modern Backup Storage. Include the unprotected data sources.
NOTE
The Agent Updates column indicates when a protection agent update is available for each protected computer. In
the Actions pane, the Update action is available only when a protected computer is selected and updates are
available.
3. To install updated protection agents on the selected computers, in the Actions pane, select Update.
Update a protection agent on a client computer that is not connected
1. In the Backup Server Administrator Console, select Management > Agents.
2. In the display pane, select the client computers for which you want to update the protection agent.
NOTE
The Agent Updates column indicates when a protection agent update is available for each protected computer. In
the Actions pane, the Update action is not available when a protected computer is selected unless updates are
available.
[OPTIONS]
UserName=administrator
CompanyName=<Microsoft Corporation>
SQLMachineName=localhost
SQLInstanceName=<SQL instance name>
SQLMachineUserName=administrator
SQLMachinePassword=<admin password>
SQLMachineDomainName=<machine domain>
ReportingMachineName=localhost
ReportingInstanceName=<reporting instance name>
SqlAccountPassword=<admin password>
ReportingMachineUserName=<username>
ReportingMachinePassword=<reporting admin password>
ReportingMachineDomainName=<domain>
VaultCredentialFilePath=<vault credential full path and complete name>
SecurityPassphrase=<passphrase>
PassphraseSaveLocation=<passphrase save location>
UseExistingSQL=<1/0 use or do not use existing SQL>
3. Save the file. Then, at an elevated command prompt on the installation server, enter this command:
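The options file above holds the SQL, reporting, and vault passphrase values in clear text, so it is worth checking and locking down before setup reads it. The following PowerShell is an added example, not part of the original article and not the setup command itself; the file path is an assumed location, and the 16-character minimum is the one stated for the agent passphrase earlier on this page.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): validate and lock down the
# unattended-setup options file before the installer is run.

# Assumption: where the options file was saved (hypothetical path).
$answerFile = 'C:\Temp\MABSSetup.ini'

function Read-OptionsFile {
    param([Parameter(Mandatory)][string]$Path)
    # Parse "Key=Value" lines; the [OPTIONS] header and blank lines are ignored.
    $opts = [ordered]@{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*([^=\[\s]+)\s*=\s*(.*)$') {
            $opts[$Matches[1]] = $Matches[2].Trim()
        }
    }
    $opts
}

function Test-OptionsFile {
    param([Parameter(Mandatory)]$Options)
    $problems = @()
    # Keys from the options file on this page that carry secrets.
    $secretKeys = 'SQLMachinePassword', 'SqlAccountPassword',
                  'ReportingMachinePassword', 'SecurityPassphrase'
    foreach ($key in $secretKeys) {
        $value = $Options[$key]
        if ([string]::IsNullOrEmpty($value) -or $value -match '^<.*>$') {
            $problems += "$key is empty or still a <placeholder>."
        }
    }
    $passphrase = $Options['SecurityPassphrase']
    if ($passphrase -and $passphrase -notmatch '^<.*>$' -and $passphrase.Length -lt 16) {
        $problems += 'SecurityPassphrase is shorter than the 16-character minimum.'
    }
    $problems
}

function Protect-OptionsFile {
    param([Parameter(Mandatory)][string]$Path)
    # Replace the DACL: no inheritance, full control only for
    # BUILTIN\Administrators (S-1-5-32-544) and LocalSystem (S-1-5-18).
    $acl = New-Object System.Security.AccessControl.FileSecurity
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($sid in 'S-1-5-32-544', 'S-1-5-18') {
        $identity = New-Object System.Security.Principal.SecurityIdentifier $sid
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$options  = Read-OptionsFile -Path $answerFile
$problems = @(Test-OptionsFile -Options $options)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Fix the options file before running setup.'
}

Protect-OptionsFile -Path $answerFile
# Show the resulting ACL so the restriction can be confirmed by eye.
(Get-Acl -LiteralPath $answerFile).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# Once setup has finished, remove the file so the secrets do not stay on disk:
#   Remove-Item -LiteralPath $answerFile -Force
```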
Next steps
After you install Backup Server, learn how to prepare your server, or begin protecting a workload.
Prepare Backup Server workloads
Use Backup Server to back up a VMware server
Use Backup Server to back up SQL Server
Add Modern Backup Storage to Backup Server
Back up a VMware server to Azure
7/24/2017
This article explains how to configure Azure Backup Server to help protect VMware server workloads. This article
assumes you already have Azure Backup Server installed. If you don't have Azure Backup Server installed, see
Prepare to back up workloads using Azure Backup Server.
Azure Backup Server can back up, or help protect, VMware vCenter Server versions 6.5, 6.0, and 5.5.
To fix this issue, and create a secure connection, download the trusted root CA certificates.
1. In the browser on Azure Backup Server, enter the URL to the vSphere Web Client. The vSphere Web Client
login page appears.
At the bottom of the information for administrators and developers, locate the Download trusted root CA
certificates link.
If you don't see the vSphere Web Client login page, check your browser's proxy settings.
2. Click Download trusted root CA certificates.
The vCenter Server downloads a file to your local computer. The file is named download.
Depending on your browser, you receive a message that asks whether to open or save the file.
3. Save the file to a location on Azure Backup Server. When you save the file, add the .zip file name extension.
The file is a .zip file that contains the information about the certificates. With the .zip extension, you can use
the extraction tools.
4. Right-click download.zip, and then select Extract All to extract the contents.
The .zip file extracts its contents to a folder named certs. Two types of files appear in the certs folder. The
root certificate file has an extension that begins with a numbered sequence like .0 and .1.
The CRL file has an extension that begins with a sequence like .r0 or .r1. The CRL file is associated with a
certificate.
5. In the certs folder, right-click the root certificate file, and then click Rename.
Change the root certificate's extension to .crt. When you're asked if you're sure you want to change the
extension, click Yes or OK. Otherwise, you change the file's intended function. The icon for the file changes
to an icon that represents a root certificate.
6. Right-click the root certificate and from the pop-up menu, select Install Certificate.
The Certificate Import Wizard dialog box appears.
7. In the Certificate Import Wizard dialog box, select Local Machine as the destination for the certificate,
and then click Next to continue.
If you're asked if you want to allow changes to the computer, click Yes or OK, to all the changes.
8. On the Certificate Store page, select Place all certificates in the following store, and then click Browse
to choose the certificate store.
The Select Certificate Store dialog box appears.
9. Select Trusted Root Certification Authorities as the destination folder for the certificates, and then click
OK.
The Trusted Root Certification Authorities folder is confirmed as the certificate store. Click Next.
10. On the Completing the Certificate Import Wizard page, verify that the certificate is in the desired folder,
and then click Finish.
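Anything placed in the Local Machine Trusted Root store is trusted by every process on the server, so it helps to inspect the extracted files before importing them. The following PowerShell is an added example, not part of the original article: it performs steps 5 through 10 from the command line after checking each root certificate. The extraction path and the expected thumbprint are assumptions; the thumbprint is a placeholder to be replaced with the value confirmed by the vCenter administrator.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): vet the vCenter root
# certificates extracted from download.zip, then import the confirmed one.

# Assumption: folder that download.zip was extracted to (hypothetical path).
$certDir = 'C:\Temp\download\certs'
# Assumption: SHA-1 thumbprint of the vCenter root CA, obtained out of band.
# Placeholder value; replace it before running.
$expectedThumbprint = '<THUMBPRINT-FROM-VCENTER-ADMIN>'

function Get-RootCertCandidate {
    param([Parameter(Mandatory)][string]$Path)
    # Root certificate files end in .0, .1, ...; CRL files (.r0, .r1) are skipped.
    Get-ChildItem -Path $Path -File |
        Where-Object { $_.Extension -match '^\.\d+$' } |
        ForEach-Object {
            $file = $_
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList $file.FullName
            $basic = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
            }
            $now = Get-Date
            [pscustomobject]@{
                File       = $file.FullName
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                IsCA       = [bool]($basic -and $basic.CertificateAuthority)
                InValidity = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            }
        }
}

# Accept thumbprints written with spaces or colons.
$wanted = ($expectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($wanted.Length -ne 40) {
    throw 'Set $expectedThumbprint to the 40-hex-digit SHA-1 thumbprint first.'
}

$candidates = @(Get-RootCertCandidate -Path $certDir)
$candidates |
    Format-Table Subject, Thumbprint, NotAfter, SelfSigned, IsCA, InValidity -AutoSize

foreach ($c in $candidates) {
    if ($c.Thumbprint -ne $wanted) {
        Write-Warning "Not importing $($c.File): thumbprint does not match."
        continue
    }
    if (-not ($c.SelfSigned -and $c.IsCA -and $c.InValidity)) {
        Write-Warning "Not importing $($c.File): not a currently valid self-signed CA certificate."
        continue
    }
    # Step 5: give the file a .crt extension (a copy keeps the original intact).
    $crt = [System.IO.Path]::ChangeExtension($c.File, '.crt')
    Copy-Item -LiteralPath $c.File -Destination $crt -Force
    # Steps 6-10: import into Local Machine > Trusted Root Certification Authorities.
    Import-Certificate -FilePath $crt -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    if (Test-Path "Cert:\LocalMachine\Root\$($c.Thumbprint)") {
        Write-Output "Imported $($c.Subject) [$($c.Thumbprint)]"
    }
}
```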
2. Save the file to your Azure Backup Server computer. For the file name, use DisableSecureAuthentication.reg.
3. Double-click the file to activate the registry entry.
2. In Administration select Roles, and then in the Roles panel click the add role icon (the + symbol).
The Create Role dialog box appears.
3. In the Create Role dialog box, in the Role name box, enter BackupAdminRole. The role name can be
whatever you like, but it should be recognizable for the role's purpose.
4. Select the privileges for the appropriate version of vCenter, and then click OK. The following table identifies
the required privileges for vCenter 6.0 and vCenter 5.5.
When you select the privileges, click the icon next to the parent label to expand the parent and view the
child privileges. To select the VirtualMachine privileges, you need to go several levels into the parent-child
hierarchy. You don't need to select all child privileges within a parent privilege.
After you click OK, the new role appears in the list on the Roles panel.
PRIVILEGES FOR VCENTER 6.0 | PRIVILEGES FOR VCENTER 5.5
Datastore.AllocateSpace | Datastore.AllocateSpace
Global.ManageCustomFields | Global.ManageCustomerFields
Global.SetCustomFields |
Host.Local.CreateVM | Network.Assign
Network.Assign |
Resource.AssignVMToPool |
VirtualMachine.Config.AddNewDisk | VirtualMachine.Config.AddNewDisk
VirtualMachine.Config.AdvanceConfig | VirtualMachine.Config.AdvancedConfig
VirtualMachine.Config.ChangeTracking | VirtualMachine.Config.ChangeTracking
VirtualMachine.Config.HostUSBDevice |
VirtualMachine.Config.QueryUnownedFiles |
VirtualMachine.Config.SwapPlacement | VirtualMachine.Config.SwapPlacement
VirtualMachine.Interact.PowerOff | VirtualMachine.Interact.PowerOff
VirtualMachine.Inventory.Create | VirtualMachine.Inventory.Create
VirtualMachine.Provisioning.DiskRandomAccess |
VirtualMachine.Provisioning.DiskRandomRead | VirtualMachine.Provisioning.DiskRandomRead
VirtualMachine.State.CreateSnapshot | VirtualMachine.State.CreateSnapshot
VirtualMachine.State.RemoveSnapshot | VirtualMachine.State.RemoveSnapshot
Click OK to add the selected users to the Add Permission dialog box.
7. Now that you've identified the user, assign the user to the role. In Assigned Role, from the drop-down list,
select BackupAdminRole, and then click OK.
On the Manage tab in the Global Permissions panel, the new user account and the associated role appear
in the list.
If you can't find the icon on the desktop, open Azure Backup Server from the list of installed apps. The Azure
Backup Server app is named Microsoft Azure Backup.
2. In the Azure Backup Server console, click Management, click Production Servers, and then on the tool
ribbon, click Manage VMware.
The Manage Credentials dialog box appears.
3. In the Manage Credentials dialog box, click Add to open the Add Credential dialog box.
4. In the Add Credential dialog box, enter a name and a description for the new credential. Then specify the
username and password. The name, Contoso Vcenter credential, is used to identify the credential in the next
procedure. Use the same username and password that is used for the vCenter Server. If the vCenter Server
and Azure Backup Server are not in the same domain, in User name, specify the domain.
Click Add to add the new credential to Azure Backup Server. The new credential appears in the list in the
Manage Credentials dialog box.
5. To close the Manage Credentials dialog box, click the X in the upper-right corner.
4. In SSL Port, enter the port that is used to communicate with the VMware server. Use port 443, which is the
default port, unless you know that a different port is required.
5. In Specify Credential, select the credential that you created earlier.
6. Click Add to add the VMware server to the list of Added VMware Servers, and then click Next to move to
the next page in the wizard.
7. In the Summary page, click Add to add the specified VMware server to Azure Backup Server.
The VMware server backup is an agentless backup, and the new server is added immediately. The Finish
page shows you the results.
To add multiple instances of vCenter Server to Azure Backup Server, repeat the previous steps in this
section.
After you add the vCenter Server to Azure Backup Server, the next step is to create a protection group. The
protection group specifies the various details for short or long-term retention, and it is where you define and
apply the backup policy. The backup policy is the schedule for when backups occur, and what is backed up.
6. On the Review Disk Allocation page, review and if necessary, modify the disk space for the VMs. The
recommended disk allocations are based on the retention range that is specified in the Specify Short-
Term Goals page, the type of workload, and the size of the protected data (identified in step 3).
Data size: Size of the data in the protection group.
Disk space: The recommended amount of disk space for the protection group. If you want to modify
this setting, you should allocate total space that is slightly larger than the amount that you estimate each
data source grows.
Colocate data: If you turn on colocation, multiple data sources in the protection group can map to a single
replica and recovery point volume. Colocation isn't supported for all workloads.
Automatically grow: If you turn on this setting, if data in the protected group outgrows the initial
allocation, System Center Data Protection Manager tries to increase the disk size by 25 percent.
Storage pool details: Shows the status of the storage pool, including total and remaining disk size.
When you are satisfied with the space allocation, click Next.
7. On the Choose Replica Creation Method page, specify how you want to generate the initial copy, or
replica, of the protected data on Azure Backup Server.
The default is Automatically over the network and Now. If you use the default, we recommend that you
specify an off-peak time. Choose Later and specify a day and time.
For large amounts of data or less-than-optimal network conditions, consider replicating the data offline by
using removable media.
After you have made your choices, click Next.
8. On the Consistency Check Options page, select how and when to automate the consistency checks. You
can run consistency checks when replica data becomes inconsistent, or on a set schedule.
If you don't want to configure automatic consistency checks, you can run a manual check. In the protection
area of the Azure Backup Server console, right-click the protection group and then select Perform
Consistency Check.
Click Next to move to the next page.
9. On the Specify Online Protection Data page, select one or more data sources that you want to protect.
You can select the members individually, or click Select All to choose all members. After you choose the
members, click Next.
10. On the Specify Online Backup Schedule page, specify the schedule to generate recovery points from the
disk backup. After the recovery point is generated, it is transferred to the Recovery Services vault in Azure.
When you are satisfied with the online backup schedule, click Next.
11. On the Specify Online Retention Policy page, indicate how long you want to retain the backup data in
Azure. After the policy is defined, click Next.
There is no time limit for how long you can keep data in Azure. When you store recovery point data in
Azure, the only limit is that you cannot have more than 9999 recovery points per protected instance. In this
example, the protected instance is the VMware server.
12. On the Summary page, review the details for your protection group members and settings, and then click
Create Group.
Next steps
If you use Azure Backup Server to protect VMware workloads, you may be interested in using Azure Backup Server
to help protect a Microsoft Exchange server, a Microsoft SharePoint farm, or a SQL Server database.
For information on problems with registering the agent, configuring the protection group, or backing up jobs, see
Troubleshoot Azure Backup Server.
Back up an Exchange server to Azure Backup with
Azure Backup Server
6/27/2017
This article describes how to configure Microsoft Azure Backup Server (MABS) to back up a Microsoft Exchange
server to Azure.
Prerequisites
Before you continue, make sure that Azure Backup Server is installed and prepared.
NOTE
If you are protecting Exchange 2013, check the Exchange 2013 prerequisites.
8. Click Next.
9. Select the database for Copy Backup, and then click Next.
NOTE
If you do not select Full backup for at least one DAG copy of a database, logs will not be truncated.
10. Configure the goals for Short-Term backup, and then click Next.
11. Review the available disk space, and then click Next.
12. Select the time at which the MAB Server will create the initial replication, and then click Next.
13. Select the consistency check options, and then click Next.
14. Choose the database that you want to back up to Azure, and then click Next. For example:
15. Define the schedule for Azure Backup, and then click Next. For example:
NOTE
Online recovery points are based on express full recovery points. Therefore, you must schedule the online
recovery point after the time that's specified for the express full recovery point.
16. Configure the retention policy for Azure Backup, and then click Next.
17. Choose an online replication option and click Next.
If you have a large database, it could take a long time for the initial backup to be created over the network.
To avoid this issue, you can create an offline backup.
Next steps
Azure Backup FAQ
Back up a SharePoint farm to Azure
6/27/2017
You back up a SharePoint farm to Microsoft Azure by using Microsoft Azure Backup Server (MABS) in much the
same way that you back up other data sources. Azure Backup provides flexibility in the backup schedule to create
daily, weekly, monthly, or yearly backup points and gives you retention policy options for various backup points. It
also provides the capability to store local disk copies for quick recovery-time objectives (RTO) and to store copies to
Azure for economical, long-term retention.
NOTE
You'll need to rerun ConfigureSharePoint.exe whenever there's a change in the SharePoint farm administrator credentials.
3. On the Select Group Members screen, select the check box for the SharePoint server you want to protect
and click Next.
NOTE
With the protection agent installed, you can see the server in the wizard. MABS also shows its structure. Because you
ran ConfigureSharePoint.exe, MABS communicates with the SharePoint VSS Writer service and its corresponding SQL
Server databases and recognizes the SharePoint farm structure, the associated content databases, and any
corresponding items.
4. On the Select Data Protection Method page, enter the name of the Protection Group, and select your
preferred protection methods. Click Next.
NOTE
The disk protection method helps to meet short recovery-time objectives.
5. On the Specify Short-Term Goals page, select your preferred Retention range and identify when you
want backups to occur.
NOTE
Because recovery is most often required for data that's less than five days old, we selected a retention range of five
days on disk and ensured that the backup happens during non-production hours, for this example.
6. Review the storage pool disk space allocated for the protection group, and then click Next.
7. For every protection group, MABS allocates disk space to store and manage replicas. At this point, MABS
must create a copy of the selected data. Select how and when you want the replica created, and then click
Next.
NOTE
To make sure that network traffic is not affected, select a time outside production hours.
8. MABS ensures data integrity by performing consistency checks on the replica. There are two available
options. You can define a schedule to run consistency checks, or DPM can run consistency checks
automatically on the replica whenever it becomes inconsistent. Select your preferred option, and then click
Next.
9. On the Specify Online Protection Data page, select the SharePoint farm that you want to protect, and
then click Next.
10. On the Specify Online Backup Schedule page, select your preferred schedule, and then click Next.
NOTE
MABS provides a maximum of two daily backups to Azure from the latest disk backup point available at that time. Azure
Backup can also control the amount of WAN bandwidth that can be used for backups in peak and off-peak hours by
using Azure Backup Network Throttling.
11. Depending on the backup schedule that you selected, on the Specify Online Retention Policy page, select
the retention policy for daily, weekly, monthly, and yearly backup points.
NOTE
MABS uses a grandfather-father-son retention scheme in which a different retention policy can be chosen for
different backup points.
12. Similar to disk, an initial reference point replica needs to be created in Azure. Select your preferred option to
create an initial backup copy to Azure, and then click Next.
13. Review your selected settings on the Summary page, and then click Create Group. You will see a success
message after the protection group has been created.
Restore a SharePoint item from disk by using MABS
In the following example, the Recovering SharePoint item has been accidentally deleted and needs to be recovered.
1. Open the DPM Administrator Console. All SharePoint farms that are protected by DPM are shown in the
Protection tab.
2. To begin to recover the item, select the Recovery tab.
3. You can search SharePoint for Recovering SharePoint item by using a wildcard-based search within a
recovery point range.
4. Select the appropriate recovery point from the search results, right-click the item, and then select Recover.
5. You can also browse through various recovery points and select a database or item to recover. Select Date >
Recovery time, and then select the correct Database > SharePoint farm > Recovery point > Item.
6. Right-click the item, and then select Recover to open the Recovery Wizard. Click Next.
7. Select the type of recovery that you want to perform, and then click Next.
NOTE
The selection of Recover to original in the example recovers the item to the original SharePoint site.
9. Provide a staging SQL Server instance location to recover the database temporarily, and provide a staging
file share on MABS and the server that's running SharePoint to recover the item.
MABS attaches the content database that is hosting the SharePoint item to the temporary SQL Server
instance. From the content database, it recovers the item and puts it on the staging file location on MABS.
The recovered item that's on the staging location now needs to be exported to the staging location on the
SharePoint farm.
10. Select Specify recovery options, and apply security settings to the SharePoint farm or apply the security
settings of the recovery point. Click Next.
NOTE
You can choose to throttle the network bandwidth usage. This minimizes impact to the production server during
production hours.
11. Review the summary information, and then click Recover to begin recovery of the file.
12. Now select the Monitoring tab in the MABS Administrator Console to view the Status of the recovery.
NOTE
The file is now restored. You can refresh the SharePoint site to check the restored file.
Restore a SharePoint database from Azure by using DPM
1. To recover a SharePoint content database, browse through various recovery points (as shown previously),
and select the recovery point that you want to restore.
2. Double-click the SharePoint recovery point to show the available SharePoint catalog information.
NOTE
Because the SharePoint farm is protected for long-term retention in Azure, no catalog information (metadata) is
available on MABS. As a result, whenever a point-in-time SharePoint content database needs to be recovered, you
need to catalog the SharePoint farm again.
3. Click Re-catalog.
4. Click the SharePoint object shown in the MABS Recovery tab to get the content database structure. Right-
click the item, and then click Recover.
5. At this point, follow the recovery steps earlier in this article to recover a SharePoint content database from disk.
FAQs
Q: Can I recover a SharePoint item to the original location if SharePoint is configured by using SQL AlwaysOn (with
protection on disk)?
A: Yes, the item can be recovered to the original SharePoint site.
Q: Can I recover a SharePoint database to the original location if SharePoint is configured by using SQL AlwaysOn?
A: Because SharePoint databases are configured in SQL AlwaysOn, they cannot be modified unless the availability
group is removed. As a result, MABS cannot restore a database to the original location. You can recover a SQL
Server database to another SQL Server instance.
Next steps
Learn more about MABS Protection of SharePoint - see Video Series - DPM Protection of SharePoint
Back up SQL Server to Azure With Azure Backup
Server
6/27/2017
This article leads you through the configuration steps for backup of SQL Server databases using Microsoft Azure
Backup Server (MABS).
The management of SQL Server database backup to Azure and recovery from Azure involves three steps:
1. Create a backup policy to protect SQL Server databases to Azure.
2. Create on-demand backup copies to Azure.
3. Recover the database from Azure.
3. MABS shows the start screen with the guidance on creating a Protection Group. Click Next.
4. Select Servers.
5. Expand the SQL Server machine where the databases to be backed up are present. MABS shows various
data sources that can be backed up from that server. Expand the All SQL Shares and select the databases
(in this case we selected ReportServer$MSDPM2012 and ReportServer$MSDPM2012TempDB) to be
backed up. Click Next.
6. Provide a name for the protection group and select the I want online Protection checkbox.
7. In the Specify Short-Term Goals screen, include the necessary inputs to create backup points to disk.
Here we see that Retention range is set to 5 days, and Synchronization frequency is set to once every 15
minutes, which is the frequency at which backup is taken. Express Full Backup is set to 8:00 P.M.
NOTE
At 8:00 PM (according to the screen input) a backup point is created every day by transferring the data that has
been modified from the previous day's 8:00 PM backup point. This process is called Express Full Backup. While the
transaction logs are synchronized every 15 minutes, if there is a need to recover the database at 9:00 PM then the
point is created by replaying the logs from the last express full backup point (8:00 PM in this case).
8. Click Next.
MABS shows the overall storage space available and the potential disk space utilization.
By default, MABS creates one volume per data source (SQL Server database) which is used for the initial
backup copy. Using this approach, the Logical Disk Manager (LDM) limits MABS protection to 300 data
sources (SQL Server databases). To work around this limitation, select the Co-locate data in DPM Storage
Pool option. If you use this option, MABS uses a single volume for multiple data sources, which allows
MABS to protect up to 2000 SQL databases.
If Automatically grow the volumes option is selected, MABS can account for the increased backup
volume as the production data grows. If Automatically grow the volumes option is not selected, MABS
limits the backup storage used to the data sources in the protection group.
9. Administrators are given the choice of transferring this initial backup manually (off network) to avoid
bandwidth congestion or over the network. They can also configure the time at which the initial transfer can
happen. Click Next.
The initial backup copy requires transfer of the entire data source (SQL Server database) from production
server (SQL Server machine) to MABS. This data might be large, and transferring the data over the network
could exceed bandwidth. For this reason, administrators can choose to transfer the initial backup: Manually
(using removable media) to avoid bandwidth congestion, or Automatically over the network (at a
specified time).
Once the initial backup is complete, the rest of the backups are incremental backups on the initial backup
copy. Incremental backups tend to be small and are easily transferred across the network.
10. Choose when you want the consistency check to run and click Next.
MABS can perform a consistency check to check the integrity of the backup point. It calculates the checksum
of the backup file on the production server (SQL Server machine in this scenario) and the backed-up data
for that file at MABS. In the case of a conflict, it is assumed that the backed-up file at MABS is corrupt. MABS
rectifies the backed-up data by sending the blocks corresponding to the checksum mismatch. As the
consistency check is a performance-intensive operation, administrators have the option of scheduling the
consistency check or running it automatically.
11. To specify online protection of the data sources, select the databases to be protected to Azure and click
Next.
12. Administrators can choose backup schedules and retention policies that suit their organization policies.
In this example, backups are taken once a day at 12:00 PM and 8 PM (bottom part of the screen)
NOTE
It's a good practice to have a few short-term recovery points on disk, for quick recovery. These recovery points are
used for "operational recovery". Azure serves as a good offsite location with higher SLAs and guaranteed availability.
Best Practice: Make sure that Azure Backups are scheduled after the completion of local disk backups
using DPM. This enables the latest disk backup to be copied to Azure.
13. Choose the retention policy schedule. The details on how the retention policy works are provided in the Use
Azure Backup to replace your tape infrastructure article.
In this example:
Backups are taken once a day at 12:00 PM and 8 PM (bottom part of the screen) and are retained for 180
days.
The backup on Saturday at 12:00 P.M. is retained for 104 weeks
The backup on Last Saturday at 12:00 P.M. is retained for 60 months
The backup on Last Saturday of March at 12:00 P.M. is retained for 10 years
14. Click Next and select the appropriate option for transferring the initial backup copy to Azure. You can
choose Automatically over the network or Offline Backup.
Automatically over the network transfers the backup data to Azure as per the schedule chosen for
backup.
How Offline Backup works is explained at Offline Backup workflow in Azure Backup.
Choose the relevant transfer mechanism to send the initial backup copy to Azure and click Next.
15. Once you review the policy details in the Summary screen, click on the Create group button to complete
the workflow. You can click the Close button and monitor the job progress in Monitoring workspace.
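The block-level comparison described in step 10, as an added Python sketch (not MABS code): it checksums both copies block by block, treats the production copy as authoritative, and resends only the blocks that differ. The page does not state the block size or checksum algorithm MABS uses, so the 4-byte blocks, SHA-256, the function names and the byte strings are assumptions and constructed sample data.

```python
import hashlib

BLOCK_SIZE = 4  # assumption: tiny blocks keep the constructed sample readable


def block_checksums(data, block_size=BLOCK_SIZE):
    """Checksum every fixed-size block (the last block may be shorter)."""
    return [
        hashlib.sha256(data[off:off + block_size]).digest()
        for off in range(0, len(data), block_size)
    ]


def find_mismatched_blocks(source, replica, block_size=BLOCK_SIZE):
    """Indexes of blocks whose checksums differ or that exist on one side only."""
    src = block_checksums(source, block_size)
    rep = block_checksums(replica, block_size)
    return [
        i for i in range(max(len(src), len(rep)))
        if i >= len(src) or i >= len(rep) or src[i] != rep[i]
    ]


def repair_replica(source, replica, block_size=BLOCK_SIZE):
    """Resend only the mismatched blocks from the production copy.

    Returns (repaired_replica, mismatched_block_indexes, bytes_resent).
    """
    bad = find_mismatched_blocks(source, replica, block_size)
    fixed = bytearray(replica)
    del fixed[len(source):]                        # drop data the source no longer has
    fixed.extend(bytes(len(source) - len(fixed)))  # make room for blocks the replica lacks
    resent = 0
    for i in bad:
        start = i * block_size
        block = source[start:start + block_size]
        fixed[start:start + len(block)] = block
        resent += len(block)
    return bytes(fixed), bad, resent


def constructed_demo():
    """Run the check on constructed data: two corrupt blocks and a missing tail."""
    source = b"AAAABBBBCCCCDDDDEE"   # constructed production data (18 bytes)
    replica = b"AAAABxBBCCCCDDzD"    # constructed replica held by the backup server
    fixed, bad, resent = repair_replica(source, replica)
    return {
        "bad_blocks": bad,
        "bytes_resent": resent,
        "full_copy_bytes": len(source),
        "repaired": fixed == source,
    }


if __name__ == "__main__":
    print(constructed_demo())
```

The demo resends 10 of 18 bytes, which is why a consistency check costs CPU and I/O for checksumming but far less network transfer than a fresh initial copy.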
On-demand backup of a SQL Server database
While the previous steps created a backup policy, a recovery point is created only when the first backup occurs.
Rather than waiting for the scheduler to kick in, the steps below trigger the creation of a recovery point manually.
1. Wait until the protection group status shows OK for the database before creating the recovery point.
4. You can view the job progress in the Monitoring workspace where you'll find an in progress job like the
one depicted in the next figure.
3. DPM shows the details of the recovery point. Click Next. To overwrite the database, select the recovery type
Recover to original instance of SQL Server. Click Next.
In this example, DPM allows recovery of the database to another SQL Server instance or to a standalone
network folder.
4. In the Specify Recovery options screen, you can select the recovery options like Network bandwidth usage
throttling to throttle the bandwidth used by recovery. Click Next.
5. In the Summary screen, you see all the recovery configurations provided so far. Click Recover.
The Recovery status shows the database being recovered. You can click Close to close the wizard and view
the progress in the Monitoring workspace.
Azure Backup Server backs up system state and provides bare-metal recovery (BMR) protection.
System state backup: Backs up operating system files, so you can recover when a computer starts, but system
files and the registry are lost. A system state backup includes:
Domain member: Boot files, COM+ class registration database, registry
Domain controller: Windows Server Active Directory (NTDS), boot files, COM+ class registration database,
registry, system volume (SYSVOL)
Computer that runs cluster services: Cluster server metadata
Computer that runs certificate services: Certificate data
Bare-metal backup: Backs up operating system files and all data on critical volumes (except user data). By
definition, a BMR backup includes a system state backup. It provides protection when a computer won't start and
you have to recover everything.
The following table summarizes what you can back up and recover. For detailed information about app versions
that can be protected with system state and BMR, see What does Azure Backup Server back up?.
BACKUP | ISSUE | RECOVER FROM AZURE BACKUP SERVER BACKUP | RECOVER FROM SYSTEM STATE BACKUP | BMR
BMR backup
For BMR (including a system state backup), the backup job is saved directly to a share on the Backup Server
computer. It is not saved to a folder on the protected server.
Backup Server calls Windows Server Backup and shares out the replica volume for that BMR backup. In this case, it
doesn't tell Windows Server Backup to use the drive with the most free space. Instead, it uses the share that was
created for the job.
When the backup is finished, the file is transferred to the Backup Server computer. Logs are stored in
C:\Windows\Logs\WindowsServerBackup.
Use the version identifier to start the system state restore. At the command prompt, enter:
wbadmin start systemstaterecovery -version:<versionidentifier> -backuptarget:<servername\sharename>
Confirm that you want to start the recovery. You can see the process in the Command Prompt window. A
restore log is created. After the restore, restart the server.
Recover data from Azure Backup Server
8/21/2017
You can use Azure Backup Server to recover the data you've backed up to a Recovery Services vault. The process for
doing so is integrated into the Azure Backup Server management console, and is similar to the recovery workflow
for other Azure Backup components.
NOTE
This article is applicable for System Center Data Protection Manager 2012 R2 with UR7 or later, combined with the latest
Azure Backup agent.
2. Download new vault credentials from the vault associated with the Azure Backup Server where the data
is being recovered, choose the Azure Backup Server from the list of Azure Backup Servers registered with the
Recovery Services vault, and provide the encryption passphrase associated with the server whose data is
being recovered.
NOTE
Only Azure Backup Servers associated with the same registration vault can recover each other's data.
Once the External Azure Backup Server is successfully added, you can browse the data of the external server
and the local Azure Backup Server from the Recovery tab.
3. Browse the available list of production servers protected by the external Azure Backup Server and select the
appropriate data source.
4. Select the month and year from the Recovery points drop down, select the required Recovery date for
when the recovery point was created, and select the Recovery time.
A list of files and folders appears in the bottom pane, which can be browsed and recovered to any location.
7. Select Recover to an alternate location. Browse to the correct location for the recovery.
8. Choose the option related to create copy, Skip, or Overwrite.
Create copy - creates a copy of the file if there is a name collision.
Skip - if there is a name collision, does not recover the file which leaves the original file.
Overwrite - if there is a name collision, overwrites the existing copy of the file.
Choose the appropriate option to Restore security. You can apply the security settings of the
destination computer where the data is being recovered or the security settings that were applicable
to product at the time the recovery point was created.
Identify whether a Notification is sent, once the recovery successfully completes.
9. The Summary screen lists the options chosen so far. Once you click Recover, the data is recovered to the
appropriate on-premises location.
NOTE
The recovery job can be monitored in the Monitoring tab of the Azure Backup Server.
10. You can click Clear External DPM on the Recovery tab of the DPM server to remove the view of the
external DPM server.
1. Error message: This server is not registered to the vault specified by the vault credential.
Cause: This error appears when the vault credential file selected does not belong to the Recovery Services vault
associated with Azure Backup Server on which the recovery is attempted.
Resolution: Download the vault credential file from the Recovery Services vault to which the Azure Backup Server is
registered.
2. Error message: Either the recoverable data is not available or the selected server is not a DPM server.
Cause: There are no other Azure Backup Servers registered to the Recovery Services vault, or the servers have not
yet uploaded the metadata, or the selected server is not an Azure Backup Server (aka Windows Server or Windows
Client).
Resolution: If there are other Azure Backup Servers registered to the Recovery Services vault, ensure that the latest
Azure Backup agent is installed. If there are other Azure Backup Servers registered to the Recovery Services vault,
wait for a day after installation to start the recovery process. The nightly job will upload the metadata for all the
protected backups to cloud. The data will be available for recovery.
Next steps:
Azure Backup FAQ
Prepare your environment to back up Resource
Manager-deployed virtual machines
10/17/2017
This article provides the steps for preparing your environment to back up a Resource Manager-deployed virtual
machine (VM). The steps shown in the procedures use the Azure portal.
The Azure Backup service has two types of vaults (Backup vaults and Recovery Services vaults) for protecting your
VMs. A Backup vault protects VMs deployed using the Classic deployment model. A Recovery Services vault
protects both Classic-deployed and Resource Manager-deployed VMs. You must use a Recovery Services vault
to protect a Resource Manager-deployed VM.
NOTE
Azure has two deployment models for creating and working with resources: Resource Manager and Classic. See Prepare
your environment to back up Azure virtual machines for details on working with Classic deployment model VMs.
Before you can protect or back up a Resource Manager-deployed virtual machine (VM), make sure these
prerequisites exist:
Create a recovery services vault (or identify an existing recovery services vault) in the same location as your
VM.
Select a scenario, define the backup policy, and define items to protect.
Check the installation of VM Agent on virtual machine.
Check network connectivity
For Linux VMs, if you want to customize your backup environment for application-consistent backups,
follow the steps to configure pre-snapshot and post-snapshot scripts.
If you know these conditions already exist in your environment then proceed to the Back up your VMs article. If
you need to set up, or check, any of these prerequisites, this article leads you through the steps to prepare that
prerequisite.
The Recovery Services vault blade opens, prompting you to provide a Name, Subscription, Resource
group, and Location.
4. For Name, enter a friendly name to identify the vault. The name needs to be unique for the Azure subscription.
Type a name that contains between 2 and 50 characters. It must start with a letter, and can contain only letters,
numbers, and hyphens.
5. Click Subscription to see the available list of subscriptions. If you are not sure which subscription to use, use
the default (or suggested) subscription. There will be multiple choices only if your organizational account is
associated with multiple Azure subscriptions.
6. Click Resource group to see the available list of Resource groups, or click New to create a new Resource
group. For complete information on Resource groups, see Azure Resource Manager overview
7. Click Location to select the geographic region for the vault. The vault must be in the same region as the
virtual machines that you want to protect.
IMPORTANT
If you are unsure of the location in which your VM exists, close out of the vault creation dialog, and go to the list of
Virtual Machines in the portal. If you have virtual machines in multiple regions, you will need to create a Recovery
Services vault in each region. Create the vault in the first location before going to the next location. There is no need
to specify storage accounts to store the backup data--the Recovery Services vault and the Azure Backup service
handle this automatically.
8. Click Create. It can take a while for the Recovery Services vault to be created. Monitor the status
notifications in the upper right-hand area in the portal. Once your vault is created, it appears in the list of
Recovery Services vaults. If you don't see your vault, click Refresh to
Now that you've created your vault, learn how to set the storage replication.
2. On the Settings blade, use the vertical slider to scroll down to the Manage section. Click Backup
Infrastructure to open its blade. In the General section click Backup Configuration to open its blade. On
the Backup Configuration blade, choose the storage replication option for your vault. By default, your
vault has geo-redundant storage. If you change the Storage replication type, click Save.
If you are using Azure as a primary backup storage endpoint, continue using geo-redundant storage. If you
are using Azure as a non-primary backup storage endpoint, then choose locally redundant storage. Read
more about geo-redundant and locally redundant storage options in the Azure Storage replication
overview. After choosing the storage option for your vault, you are ready to associate the VM with the vault.
To begin the association, you should discover and register the Azure virtual machines.
From the list of Recovery Services vaults, select a vault to open its dashboard.
The Settings blade and the vault dashboard for the chosen vault open.
2. On the vault dashboard menu click Backup to open the Backup blade.
3. On the Backup Goal blade, set Where is your workload running to Azure and What do you want to
backup to Virtual machine, then click OK.
This registers the VM extension with the vault. The Backup Goal blade closes and the Backup policy blade
opens.
4. On the Backup policy blade, select the backup policy you want to apply to the vault.
The details of the default policy are listed under the drop-down menu. If you want to create a new policy,
select Create New from the drop-down menu. For instructions on defining a backup policy, see Defining a
backup policy. Click OK to associate the backup policy with the vault.
The Backup policy blade closes and the Select virtual machines blade opens.
5. In the Select virtual machines blade, choose the virtual machines to associate with the specified policy
and click OK.
The selected virtual machine is validated. If you do not see the virtual machines that you expected to see,
check that they exist in the same Azure location as the Recovery Services vault and are not already
protected in another vault. The location of the Recovery Services vault is shown on the vault dashboard.
6. Now that you have defined all settings for the vault, in the Backup blade click Enable Backup. This deploys
the policy to the vault and the VMs. This does not create the initial recovery point for the virtual machine.
After successfully enabling the backup, your backup policy will execute on schedule. If you would like to generate
an on-demand backup job to back up the virtual machines now, see Triggering the Backup job.
If you have problems registering the virtual machine, see the following information on installing the VM Agent
and on Network connectivity. You probably don't need the following information if you are protecting virtual
machines created in Azure. However if you migrated your virtual machines into Azure, then be sure you have
properly installed the VM agent and that your virtual machine can communicate with the virtual network.
Installing the VM Agent
Windows VMs: Download and install the agent MSI. You will need Administrator privileges to complete the
installation.
Linux VMs: Install the latest Linux agent. You will need Administrator privileges to complete the installation. We
recommend installing the agent from your distribution repository. We do not recommend installing the Linux VM
agent directly from GitHub.
Updating the VM Agent
Windows VMs: Updating the VM Agent is as simple as reinstalling the VM Agent binaries. Ensure that no backup
operation is running while the VM agent is being updated.
Linux VMs: Follow the instructions on updating the Linux VM Agent. We recommend updating the agent from your
distribution repository. We do not recommend updating the Linux VM agent directly from GitHub. Ensure that no
backup operation is running while the VM Agent is being updated.
Backup extension
Once the VM Agent is installed on the virtual machine, the Azure Backup service installs the backup extension to
the VM Agent. The Azure Backup service seamlessly upgrades and patches the backup extension.
The backup extension is installed by the Backup service whether or not the VM is running. A running VM provides
the greatest chance of getting an application-consistent recovery point. However, the Azure Backup service
continues to back up the VM even if it is turned off, and the extension could not be installed. This is known as
Offline VM. In this case, the recovery point will be crash consistent.
Network connectivity
In order to manage the VM snapshots, the backup extension needs connectivity to the Azure public IP addresses.
Without the right Internet connectivity, the virtual machine's HTTP requests time out and the backup operation
fails. If your deployment has access restrictions in place (through a network security group (NSG), for example),
then choose one of these options for providing a clear path for backup traffic:
Whitelist the Azure datacenter IP ranges - see the article for instructions on how to whitelist the IP addresses.
Deploy an HTTP proxy server for routing traffic.
When deciding which option to use, the trade-offs are between manageability, granular control, and cost.
Option: HTTP proxy
Advantages: Granular control in the proxy over the storage URLs allowed. Single point of Internet access to VMs.
Not subject to Azure IP address changes.
Disadvantages: Additional costs for running a VM with the proxy software.
WARNING
Storage tags are available only in specific regions and are in preview. For the list of regions, refer to Service tags for Storage.
NOTE
There is no recommendation for the proxy software that should be used. Ensure that you pick a proxy that is compatible
with the configuration steps below.
The example image below shows the three configuration steps necessary to use an HTTP proxy:
App VM routes all HTTP traffic bound for the public Internet through Proxy VM.
Proxy VM allows incoming traffic from VMs in the virtual network.
The Network Security Group (NSG) named NSF-lockdown needs a security rule allowing outbound Internet
traffic from Proxy VM.
To use an HTTP proxy to communicate with the public Internet, follow these steps:
Step 1. Configure outgoing network connections
For Windows machines
This will set up the proxy server configuration for the Local System Account.
1. Download PsExec
2. Run the following command from an elevated prompt:
NOTE
If you observe "(407) Proxy Authentication Required" in the proxy server log, check that your authentication is set up correctly.
For Linux machines
HttpProxy.Host=<proxy IP>
HttpProxy.Port=<proxy port>
2. In the Windows Firewall dialog, right-click Inbound Rules and click New Rule....
3. In the New Inbound Rule Wizard, choose the Custom option for the Rule Type and click Next.
4. On the page to select the Program, choose All Programs and click Next.
5. On the Protocol and Ports page, enter the following information and click Next:
for Protocol type choose TCP
for Local port choose Specific Ports, in the field below specify the <Proxy Port> that has been
configured.
for Remote port select All Ports
For the rest of the wizard, click all the way to the end and give this rule a name.
Step 3. Add an exception rule to the NSG:
In an Azure PowerShell command prompt, enter the following command:
The following command adds an exception to the NSG. This exception allows TCP traffic from any port on 10.0.0.5
to any Internet address on port 80 (HTTP) or 443 (HTTPS). If you require a specific port in the public Internet, be
sure to add that port to the -DestinationPortRange as well.
These steps use specific names and values for this example. Please use the names and values for your deployment
when entering, or cutting and pasting details into your code.
Now that you know you have network connectivity, you are ready to back up your VM. See Back up Resource
Manager-deployed VMs.
Questions?
If you have questions, or if there is any feature that you would like to see included, send us feedback.
Next steps
Now that you have prepared your environment for backing up your VM, your next logical step is to create a
backup. The planning article provides more detailed information about backing up VMs.
Back up virtual machines
Plan your VM backup infrastructure
Manage virtual machine backups
Application-consistent backup of Azure Linux VMs
(preview)
6/27/2017
This article talks about the Linux pre-script and post-script framework, and how it can be used to take application-
consistent backups of Azure Linux VMs.
NOTE
The pre-script and post-script framework is supported only for Azure Resource Manager-deployed Linux virtual machines.
Scripts for application consistency are not supported for Service Manager-deployed virtual machines or Windows virtual
machines.
Troubleshooting
Make sure you add appropriate logging while writing your pre-script and post-script, and review your script logs to
fix any script issues. If you still have problems running scripts, refer to the following table for more information.
ERROR: Pre-ScriptExecutionFailed
ERROR MESSAGE: The pre-script returned an error, so backup might not be application-consistent.
RECOMMENDED ACTION: Look at the failure logs for your script to fix the issue.
ERROR: Post-ScriptExecutionFailed
ERROR MESSAGE: The post-script returned an error that might impact application state.
RECOMMENDED ACTION: Look at the failure logs for your script to fix the issue and check the application state.
ERROR: Pre-ScriptNotFound
ERROR MESSAGE: The pre-script was not found at the location that's specified in the
VMSnapshotScriptPluginConfig.json config file.
RECOMMENDED ACTION: Make sure that pre-script is present at the path that's specified in the config file to ensure
application-consistent backup.
ERROR: Post-ScriptNotFound
ERROR MESSAGE: The post-script wasn't found at the location that's specified in the
VMSnapshotScriptPluginConfig.json config file.
RECOMMENDED ACTION: Make sure that post-script is present at the path that's specified in the config file to ensure
application-consistent backup.
ERROR: IncorrectPluginhostFile
ERROR MESSAGE: The Pluginhost file, which comes with the VmSnapshotLinux extension, is corrupted, so pre-script
and post-script cannot run and the backup won't be application-consistent.
RECOMMENDED ACTION: Uninstall the VmSnapshotLinux extension, and it will automatically be reinstalled with the
next backup to fix the problem.
ERROR: InsufficientPermissionforPre-Script
ERROR MESSAGE: For running scripts, "root" user should be the owner of the file and the file should have 700
permissions (that is, only "owner" should have read, write, and execute permissions).
RECOMMENDED ACTION: Make sure root user is the owner of the script file and that only "owner" has read, write
and execute permissions.
ERROR: InsufficientPermissionforPost-Script
ERROR MESSAGE: For running scripts, root user should be the owner of the file and the file should have 700
permissions (that is, only "owner" should have read, write, and execute permissions).
RECOMMENDED ACTION: Make sure root user is the owner of the script file and that only "owner" has read, write
and execute permissions.
ERROR: Pre-ScriptTimeout
ERROR MESSAGE: The execution of the application-consistent backup pre-script timed out.
RECOMMENDED ACTION: Check the script and increase the timeout in the VMSnapshotScriptPluginConfig.json file
that's located at /etc/azure.
ERROR: Post-ScriptTimeout
ERROR MESSAGE: The execution of the application-consistent backup post-script timed out.
RECOMMENDED ACTION: Check the script and increase the timeout in the VMSnapshotScriptPluginConfig.json file
that's located at /etc/azure.
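A pre-flight check for the not-found and permission rows of the table above, as an added Python example (not part of the VmSnapshotLinux extension): it reports the same error names before a backup does, and it matters because the scripts run as root, so a script that another user can write is a privilege-escalation path. The function names, the treatment of a non-regular file as "not found" and the temporary sample scripts are assumptions and constructed data.

```python
import os
import stat
import tempfile

REQUIRED_MODE = 0o700  # from the table: only the owner may read, write and execute


def audit_snapshot_script(path, kind, expected_uid=0):
    """Check one pre- or post-script against the table's requirements.

    kind is "Pre" or "Post". Returns (error_name, detail); error_name is None
    when the file exists, is owned by expected_uid (root, uid 0, by default)
    and has mode 700 exactly.
    """
    try:
        st = os.stat(path)
    except (FileNotFoundError, NotADirectoryError):
        return f"{kind}-ScriptNotFound", f"{path} does not exist"
    if not stat.S_ISREG(st.st_mode):
        # Assumption: a directory or device at the configured path counts as missing.
        return f"{kind}-ScriptNotFound", f"{path} is not a regular file"

    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"owner uid is {st.st_uid}, expected {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)  # includes setuid/setgid/sticky bits
    if mode != REQUIRED_MODE:
        problems.append(f"mode is {mode:o}, expected {REQUIRED_MODE:o}")
    if problems:
        return f"InsufficientPermissionfor{kind}-Script", "; ".join(problems)
    return None, "ok"


def constructed_demo():
    """Audit throwaway sample scripts, using the current user in place of root."""
    uid = os.getuid()  # stand-in for uid 0 so the demo runs unprivileged
    with tempfile.TemporaryDirectory() as workdir:
        pre = os.path.join(workdir, "pre-script.sh")
        post = os.path.join(workdir, "post-script.sh")
        for path, mode in ((pre, 0o700), (post, 0o755)):
            with open(path, "w") as handle:
                handle.write("#!/bin/sh\nexit 0\n")
            os.chmod(path, mode)
        missing = os.path.join(workdir, "gone.sh")
        return {
            "pre": audit_snapshot_script(pre, "Pre", uid)[0],
            "post": audit_snapshot_script(post, "Post", uid)[0],
            "missing": audit_snapshot_script(missing, "Pre", uid)[0],
            "wrong_owner": audit_snapshot_script(pre, "Pre", uid + 1)[0],
        }


if __name__ == "__main__":
    for name, result in constructed_demo().items():
        print(name, result)
```

On a real VM, call audit_snapshot_script with the script paths from your own config file and leave expected_uid at its default of 0.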
Next steps
Configure VM backup to a Recovery Services vault
Prepare your environment to back up Azure virtual
machines
10/2/2017
Before you can back up an Azure virtual machine (VM), there are three conditions that must exist.
You need to create a backup vault or identify an existing backup vault in the same region as your VM.
Establish network connectivity between the Azure public Internet addresses and the Azure storage endpoints.
Install the VM agent on the VM.
If you know these conditions already exist in your environment then proceed to the Back up your VMs article.
Otherwise, read on, this article will lead you through the steps to prepare your environment to back up an Azure
VM.
Backing up virtual machines with more than 16 data disks is not supported.
Backing up virtual machines with a reserved IP address and no defined endpoint is not supported.
Backup data doesn't include network mounted drives attached to VM.
Replacing an existing virtual machine during restore is not supported. First delete the existing virtual machine
and any associated disks, and then restore the data from backup.
Cross-region backup and restore is not supported.
Backing up virtual machines by using the Azure Backup service is supported in all public regions of Azure (see
the checklist of supported regions). If the region that you are looking for is unsupported today, it will not
appear in the dropdown list during vault creation.
Backing up virtual machines by using the Azure Backup service is supported only for select operating system
versions:
Restoring a domain controller (DC) VM that is part of a multi-DC configuration is supported only through
PowerShell. Read more about restoring a multi-DC domain controller.
Restoring virtual machines that have the following special network configurations is supported only through
PowerShell. VMs that you create by using the restore workflow in the UI will not have these network
configurations after the restore operation is complete. To learn more, see Restoring VMs with special network
configurations.
Virtual machines under load balancer configuration (internal and external)
Virtual machines with multiple reserved IP addresses
Virtual machines with multiple network adapters
IMPORTANT
Starting March 2017, you can no longer use the classic portal to create Backup vaults. Existing Backup vaults are still
supported, and it is possible to use Azure PowerShell to create Backup vaults. However, Microsoft recommends you create
Recovery Services vaults for all deployments because future enhancements apply to Recovery Services vaults, only.
This image shows the relationships between the various Azure Backup entities:
Network connectivity
In order to manage the VM snapshots, the backup extension needs connectivity to the Azure public IP addresses.
Without the right Internet connectivity, the virtual machine's HTTP requests time out and the backup operation
fails. If your deployment has access restrictions in place (through a network security group (NSG), for example),
then choose one of these options for providing a clear path for backup traffic:
Whitelist the Azure datacenter IP ranges - see the article for instructions on how to whitelist the IP addresses.
Deploy an HTTP proxy server for routing traffic.
When deciding which option to use, the trade-offs are between manageability, granular control, and cost.
Option: HTTP proxy
Advantages: Granular control in the proxy over the storage URLs allowed. To set up granular control in the proxy,
the https://*.blob.core.windows.net/* URL pattern needs to be whitelisted. To whitelist only the storage account
used by the VM, the https://<storageAccount>.blob.core.windows.net/* URL pattern needs to be whitelisted. Single
point of Internet access to VMs. Not subject to Azure IP address changes.
Disadvantages: Additional costs for running a VM with the proxy software.
NOTE
There is no recommendation for the proxy software that should be used. Ensure that you pick a proxy that has outbound
stickiness and which is compatible with the configuration steps below. Make sure third-party software does not modify the
proxy settings.
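One way to enforce the two URL patterns from the table in a proxy allowlist, as an added Python example (not taken from any proxy product): it parses each URL and compares the real host, so look-alike hosts that merely contain blob.core.windows.net are rejected. The function names, reading the * as a single account label of 3 to 24 lowercase letters and digits, and the sample URLs are assumptions and constructed values.

```python
import re
from urllib.parse import urlsplit

BLOB_SUFFIX = ".blob.core.windows.net"
# Assumption: the wildcard stands for one storage account name
# (3-24 lowercase letters and digits), not for arbitrary sub-domains.
ACCOUNT_RE = re.compile(r"[a-z0-9]{3,24}")


def is_allowed_backup_url(url, allowed_accounts=None):
    """True if url matches https://<account>.blob.core.windows.net/*.

    With allowed_accounts=None any account is accepted (the broad pattern);
    pass a set of account names to allow only the VM's own storage accounts.
    """
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or port not in (None, 443):
        return False
    host = parts.hostname or ""      # lower-cased, without userinfo or port
    if not host.endswith(BLOB_SUFFIX):
        return False
    account = host[:-len(BLOB_SUFFIX)]
    if not ACCOUNT_RE.fullmatch(account):
        return False
    return allowed_accounts is None or account in allowed_accounts


# Constructed sample requests, as a proxy might see them.
SAMPLE_URLS = [
    "https://contosobackup01.blob.core.windows.net/vhds/disk0.vhd",
    "https://otheraccount.blob.core.windows.net/vhds/disk0.vhd",
    "http://contosobackup01.blob.core.windows.net/vhds/disk0.vhd",
    "https://contosobackup01.blob.core.windows.net.example.com/x",
    "https://contosobackup01.blob.core.windows.net@example.com/x",
    "https://a.b.blob.core.windows.net/x",
]


def check_constructed_samples(pinned=frozenset({"contosobackup01"})):
    """Return (broad_pattern_result, pinned_account_result) for each sample URL."""
    return [
        (is_allowed_backup_url(u), is_allowed_backup_url(u, pinned))
        for u in SAMPLE_URLS
    ]


if __name__ == "__main__":
    for url, verdict in zip(SAMPLE_URLS, check_constructed_samples()):
        print(verdict, url)
```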
The example image below shows the three configuration steps necessary to use an HTTP proxy:
App VM routes all HTTP traffic bound for the public Internet through Proxy VM.
Proxy VM allows incoming traffic from VMs in the virtual network.
The Network Security Group (NSG) named NSF-lockdown needs a security rule allowing outbound Internet
traffic from Proxy VM.
To use an HTTP proxy to communicate with the public Internet, follow these steps:
Step 1. Configure outgoing network connections
For Windows machines
This will set up the proxy server configuration for the Local System Account.
1. Download PsExec
2. Run the following command from an elevated prompt:
NOTE
If you observe "(407) Proxy Authentication Required" in the proxy server log, check that your authentication is set up correctly.
For Linux machines
HttpProxy.Host=<proxy IP>
HttpProxy.Port=<proxy port>
3. In the New Inbound Rule Wizard, choose the Custom option for the Rule Type and click Next.
4. On the page to select the Program, choose All Programs and click Next.
5. On the Protocol and Ports page, enter the following information and click Next:
Ensure that you replace the names in the example with the details appropriate to your deployment.
VM agent
Before you can back up the Azure virtual machine, you should ensure that the Azure VM agent is correctly installed
on the virtual machine. Since the VM agent is an optional component at the time that the virtual machine is
created, ensure that the check box for the VM agent is selected before the virtual machine is provisioned.
Manual installation and update
The VM agent is already present in VMs that are created from the Azure gallery. However, virtual machines that
are migrated from on-premises datacenters would not have the VM agent installed. For such VMs, the VM agent
needs to be installed explicitly.
Installing the VM Agent
Windows VMs: Download and install the agent MSI. You will need Administrator privileges to complete the
installation. Update the VM property to indicate that the agent is installed.
Linux VMs: Install the latest Linux agent. You will need Administrator privileges to complete the installation. We
recommend installing the agent from your distribution repository. We do not recommend installing the Linux VM
agent directly from GitHub.
Updating the VM Agent
Windows VMs: Updating the VM Agent is as simple as reinstalling the VM Agent binaries. Ensure that no backup
operation is running while the VM agent is being updated.
Linux VMs: Follow the instructions on updating the Linux VM Agent. We recommend updating the agent from your
distribution repository. We do not recommend updating the Linux VM agent directly from GitHub. Ensure that no
backup operation is running while the VM Agent is being updated.
Questions?
If you have questions, or if there is any feature that you would like to see included, send us feedback.
Next steps
Now that you have prepared your environment for backing up your VM, your next logical step is to create a
backup. The planning article provides more detailed information about backing up VMs.
Back up virtual machines
Plan your VM backup infrastructure
Manage virtual machine backups
Plan your VM backup infrastructure in Azure
8/21/2017 12 min to read
This article provides performance and resource suggestions to help you plan your VM backup infrastructure. It
also defines key aspects of the Backup service; these aspects can be critical in determining your architecture,
capacity planning, and scheduling. If you've prepared your environment, planning is the next step before you
begin to back up VMs. If you need more information about Azure virtual machines, see the Virtual Machines
documentation.
When the data transfer is complete, the snapshot is removed and a recovery point is created.
NOTE
1. During the backup process, Azure Backup doesn't include the temporary disk attached to the virtual machine. For more
information, see the blog on temporary storage.
2. Since Azure Backup takes a storage-level snapshot and transfers that snapshot to vault, do not change the storage
account keys until the backup job finishes.
3. For premium VMs, we copy the snapshot to storage account. This is to make sure that Azure Backup service gets
sufficient IOPS for transferring data to vault. This additional copy of storage is charged as per the VM allocated size.
Data consistency
Backing up and restoring business critical data is complicated by the fact that business critical data must be backed
up while the applications that produce the data are running. To address this, Azure Backup supports
application-consistent backups for both Windows and Linux VMs.
Windows VM
Azure Backup takes VSS full backups on Windows VMs (read more about VSS full backup). To enable VSS copy
backups, the following registry key needs to be set on the VM.
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\BCDRAGENT]
"USEVSSCOPYBACKUP"="TRUE"
Linux VMs
Azure Backup provides a scripting framework. To ensure application consistency when backing up Linux VMs,
create custom pre-scripts and post-scripts that control the backup workflow and environment. Azure Backup
invokes the pre-script before taking the VM snapshot and invokes the post-script once the VM snapshot job
completes. For more details, see application consistent VM backups using pre-script and post-script.
NOTE
Azure Backup only invokes the customer-written pre- and post-scripts. If the pre-script and post-scripts execute
successfully, Azure Backup marks the recovery point as application consistent. However, the customer is ultimately
responsible for the application consistency when using custom scripts.
This table explains the types of consistency and the conditions that they occur under during Azure VM backup and
restore procedures.
CONSISTENCY: File-system consistency
VSS-BASED: Yes - for Windows-based computers
EXPLANATION AND DETAILS: There are two scenarios where the recovery point can be file-system consistent:
Backups of Linux VMs in Azure, without pre-script/post-script or if pre-script/post-script failed.
VSS failure during backup for Windows VMs in Azure.
In both these cases, the best that can be done is to ensure that:
1. The VM boots up.
2. There is no corruption.
3. There is no data loss.
Applications need to implement their own "fix-up" mechanism on the restored data.
Capacity planning
Putting the previous factors together, you need to plan for the storage account usage needs. Download the VM
backup capacity planning Excel spreadsheet to see the impact of your disk and backup schedule choices.
Backup throughput
For each disk being backed up, Azure Backup reads the blocks on the disk and stores only the changed data
(incremental backup). The following table shows the average Backup service throughput values. Using the
following data, you can estimate the amount of time needed to back up a disk of a given size.
Best practices
We suggest following these practices while configuring backups for virtual machines:
Don't schedule more than 10 classic VMs from the same cloud service to back up at the same time. If you want
to back up multiple VMs from same cloud service, stagger the backup start times by an hour.
Do not schedule more than 40 VMs to back up at the same time.
Schedule VM backups during non-peak hours. This way the Backup service uses IOPS for transferring data
from the customer storage account to the vault.
Make sure that a policy is applied on VMs spread across different storage accounts. We suggest no more than
20 total disks from a single storage account be protected by the same backup schedule. If you have greater
than 20 disks in a storage account, spread those VMs across multiple policies to get the required IOPS during
the transfer phase of the backup process.
Do not restore a VM running on Premium storage to the same storage account. If the restore operation process
coincides with the backup operation, it reduces the available IOPS for backup.
For Premium VM backup, ensure that the storage account that hosts premium disks has at least 50% free space for
staging the snapshot for a successful backup.
Make sure that the Python version on Linux VMs enabled for backup is 2.7.
Data encryption
Azure Backup does not encrypt data as a part of the backup process. However, you can encrypt data within the VM
and back up the protected data seamlessly (read more about backup of encrypted data).
The actual size of the virtual machine in this case is 17 GB + 30 GB + 0 GB = 47 GB. This Protected Instance size
(47 GB) becomes the basis for the monthly bill. As the amount of data in the virtual machine grows, the Protected
Instance size used for billing changes accordingly.
Billing does not start until the first successful backup completes. At this point, the billing for both Storage and
Protected Instances begins. Billing continues as long as there is any backup data stored in a vault for the virtual
machine. If you stop protection on the virtual machine, but virtual machine backup data exists in a vault, billing
continues.
Billing for a specified virtual machine stops only if the protection is stopped and all backup data is deleted. When
protection stops and there are no active backup jobs, the size of the last successful VM backup becomes the
Protected Instance size used for the monthly bill.
Next steps
Back up virtual machines
Manage virtual machine backup
Restore virtual machines
Troubleshoot VM backup issues
Back up Azure virtual machines to a Recovery
Services vault
8/16/2017 2 min to read
This article details how to back up Azure VMs (both Resource Manager-deployed and Classic-deployed) to a
Recovery Services vault. Most of the work for backing up VMs is the preparation. Before you can back up or
protect a VM, you must complete the prerequisites to prepare your environment for protecting your VMs. Once
you have completed the prerequisites, then you can initiate the backup operation to take snapshots of your VM.
The Azure Backup service has two types of vaults - the Backup vault and the Recovery Services vault. The Backup
vault came first. Then the Recovery Services vault came along to support the expanded Resource Manager
deployments. Microsoft recommends using Resource Manager deployments unless you specifically require a
Classic deployment.
NOTE
Backup vaults cannot protect Resource Manager-deployed solutions. However, you can use a Recovery Services vault to
protect classically-deployed servers and VMs.
For more information, see the articles on planning your VM backup infrastructure in Azure and Azure virtual
machines.
Unless your initial backup is due to begin soon, it is recommended that you run Back up Now. The following
procedure starts from the vault dashboard. This procedure serves for running the initial backup job after you have
completed all prerequisites. If the initial backup job has already been run, this procedure is not available. The
associated backup policy determines the next backup job.
To run the initial backup job:
1. On the vault dashboard, click the number under Backup Items, or click the Backup Items tile.
The Backup Items blade opens.
3. On the Backup Items list, click the ellipses ... to open the Context menu.
Deployment notifications let you know the backup job has been triggered, and that you can monitor the
progress of the job on the Backup jobs page. Depending on the size of your VM, creating the initial backup
may take a while.
6. To view or track the status of the initial backup, on the vault dashboard, on the Backup Jobs tile click In
progress.
The Backup Jobs blade opens.
In the Backup jobs blade, you can see the status of all jobs. Check if the backup job for your VM is still in
progress, or if it has finished. When a backup job is finished, the status is Completed.
NOTE
As a part of the backup operation, the Azure Backup service issues a command to the backup extension in each VM
to flush all writes and take a consistent snapshot.
Troubleshooting errors
If you run into issues while backing up your virtual machine, see the VM troubleshooting article for help.
Next steps
Now that you have protected your VM, see the following articles to learn about VM management tasks, and how to
restore VMs.
Manage and monitor your virtual machines
Restore virtual machines
Back up and restore encrypted virtual machines with
Azure Backup
10/13/2017 5 min to read
This article talks about the steps to back up and restore virtual machines (VMs) by using Azure Backup. It also
provides details about supported scenarios, prerequisites, and troubleshooting steps for error cases.
Supported scenarios
Backup and restore of encrypted VMs is supported only for VMs that use the Azure Resource Manager
deployment model. It's not supported for VMs that use the classic deployment model.
Backup and restore of encrypted VMs is supported for both Windows and Linux VMs that use Azure Disk
Encryption. Disk Encryption uses the industry standard BitLocker feature of Windows and the dm-crypt
feature of Linux to provide encryption of disks.
The following table shows supported scenarios for BitLocker encryption key (BEK)-only and key encryption
key (KEK)-encrypted VMs:
Prerequisites
The VM was encrypted by using Azure Disk Encryption.
A Recovery Services vault was created and storage replication was set by following the steps in Prepare your
environment for backup.
Backup was given permissions to access a key vault containing keys and secrets for encrypted VMs.
Backup-encrypted VM
Use the following steps to set a backup goal, define a policy, configure items, and trigger a backup.
Configure backup
1. If you already have a Recovery Services vault open, proceed to the next step. If you don't have a Recovery
Services vault open but you're in the Azure portal, on the Hub menu, select Browse.
a. In the list of resources, type Recovery Services.
b. As you begin typing, the list filters based on your input. When you see Recovery Services vaults, select it.
c. The list of Recovery Services vaults appears. Select a vault from the list.
The selected vault dashboard opens.
2. From the list of items that appears under the vault, select Backup to start backing up the encrypted VM.
5. Under Choose backup policy, select the backup policy you want to apply to the vault. Then select OK.
The details of the default policy are listed. If you want to create a policy, select Create New from the drop-
down list. After you select OK, the backup policy is associated with the vault.
6. Choose the encrypted VMs to associate with the specified policy, and select OK.
7. This page shows a message about key vaults associated to the encrypted VMs you selected. Backup requires
read-only access to the keys and secrets in the key vault. It uses these permissions to back up the keys and
secrets, along with the associated VMs. You must provide permissions to the backup service to access the key
vault for backups to work. You can provide these permissions by following the steps mentioned in the
following section.
Now that you have defined all settings for the vault, select Enable Backup at the bottom of the page.
Enable Backup deploys the policy to the vault and the VMs.
8. The next phase in preparation is installing the VM Agent or making sure the VM Agent is installed. To do
so, follow the steps in Prepare your environment for backup.
Trigger a backup job
Follow the steps in Backup Azure VMs to a Recovery Services vault to trigger a backup job.
Continue backups of already backed-up VMs with encryption enabled
If you have VMs already being backed up in a Recovery Services vault that are enabled for encryption later, you
must give permissions to Backup to access the key vault for backups to continue. You can provide these
permissions by following the steps in the following section. Or you can follow the PowerShell steps in the "Enable
backup" section of the PowerShell documentation.
6. Under Configure from template (optional), select Azure Backup. The required permissions are prefilled
for Key permissions and Secret permissions. If your VM is encrypted by using BEK only, permissions only
for secrets are required, so you must remove the selection for Key permissions.
7. Select OK. Notice that Backup Management Service gets added in Access policies.
8. Select Save to give the required permissions to Backup.
After permissions are successfully provided, you can proceed with enabling backup for encrypted VMs.
Restore an encrypted VM
To restore an encrypted VM, first restore disks by following the steps in the "Restore backed-up disks" section in
Choose a VM restore configuration. After that, you can use one of the following options:
Follow the PowerShell steps in Create a VM from restored disks to create a full VM from restored disks.
Or, use templates to customize a restored VM to create VMs from restored disks. Templates can be used only for
recovery points created after April 26, 2017.
Troubleshooting errors
OPERATION: Restore
ERROR DETAILS: You can't restore this encrypted VM because the key vault associated with this VM doesn't exist.
RESOLUTION: Create a key vault by using Get started with Azure Key Vault. See Restore a key vault key and a secret by using Azure Backup to restore a key and a secret if they aren't present.
OPERATION: Restore
ERROR DETAILS: You can't restore this encrypted VM because the key and the secret associated with this VM don't exist.
RESOLUTION: See Restore a key vault key and a secret by using Azure Backup to restore a key and a secret if they aren't present.
OPERATION: Restore
ERROR DETAILS: Backup doesn't have the authorization to access resources in your subscription.
RESOLUTION: As mentioned previously, restore disks first by following the steps in the "Restore backed-up disks" section in Choose a VM restore configuration. After that, use PowerShell to create a VM from restored disks.
Back up Azure virtual machines (classic portal)
8/2/2017 6 min to read
This article provides the procedures for backing up a Classic-deployed Azure virtual machine (VM) to a Backup
vault. There are a few tasks you need to take care of before you can back up an Azure virtual machine. If you
haven't already done so, complete the prerequisites to prepare your environment for backing up your VMs.
For additional information, see the articles on planning your VM backup infrastructure in Azure and Azure virtual
machines.
NOTE
Azure has two deployment models for creating and working with resources: Resource Manager and Classic. A Backup vault
can only protect Classic-deployed VMs. You cannot protect Resource Manager-deployed VMs with a Backup vault. See
Back up VMs to Recovery Services vault for details on working with Recovery Services vaults.
NOTE
Backing up virtual machines is a local process. You cannot back up virtual machines in one region to a backup vault in
another region. So, you must create a backup vault in each Azure region, where there are VMs that will be backed up.
IMPORTANT
Starting March 2017, you can no longer use the classic portal to create Backup vaults. You can now upgrade your Backup
vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to a Recovery Services vault. Microsoft
encourages you to upgrade your Backup vaults to Recovery Services vaults.
After October 15, 2017, you can't use PowerShell to create Backup vaults. By November 1, 2017:
All remaining Backup vaults will be automatically upgraded to Recovery Services vaults.
You won't be able to access your backup data in the classic portal. Instead, use the Azure portal to access your backup
data in Recovery Services vaults.
The notification changes when the process is complete. If the discovery process did not find the virtual
machines, first ensure the VMs exist. If the VMs exist, ensure the VMs are in the same region as the backup
vault. If the VMs exist and are in the same region, ensure the VMs are not already registered to a backup
vault. If a VM is assigned to a backup vault it is not available to be assigned to other backup vaults.
Once you have discovered the new items, go to Step 2 and register your VMs.
The virtual machine also appears in the list of registered items, along with the status of the registration
operation.
When the operation completes, the status changes to reflect the registered state.
TIP
You can protect multiple virtual machines at one time.
4. Choose a backup schedule to back up the virtual machines that you've selected. You can pick from an
existing set of policies or define a new one.
Each backup policy can have multiple virtual machines associated with it. However, the virtual machine can
only be associated with one policy at any given point in time.
NOTE
A backup policy includes a retention scheme for the scheduled backups. If you select an existing backup policy, you
cannot modify the retention options in the next step.
Initial backup
Once the virtual machine is protected with a policy, it shows up under the Protected Items tab with the status of
Protected - (pending initial backup). By default, the first scheduled backup is the initial backup.
To trigger the initial backup immediately after configuring protection:
1. At the bottom of the Protected Items page, click Backup Now.
The Azure Backup service creates a backup job for the initial backup operation.
2. Click the Jobs tab to view the list of jobs.
NOTE
During the backup operation, the Azure Backup service issues a command to the backup extension in each virtual machine
to flush all write jobs and take a consistent snapshot.
When the initial backup finishes, the status of the virtual machine in the Protected Items tab is Protected.
Troubleshooting errors
If you run into issues while backing up your virtual machine, look at the VM troubleshooting article for help.
Next steps
Manage and monitor your virtual machines
Restore virtual machines
Manage Azure virtual machine backups
6/27/2017 9 min to read
This article provides guidance on managing VM backups, and explains the backup alerts information available in
the portal dashboard. The guidance in this article applies to using VMs with Recovery Services vaults. This article
does not cover the creation of virtual machines, nor does it explain how to protect virtual machines. For a primer
on protecting Azure Resource Manager-deployed VMs in Azure with a Recovery Services vault, see First look:
Back up VMs to a Recovery Services vault.
TIP
If you have multiple dashboards and blades open, use the dark-blue slider at the bottom of the window to slide the Azure
dashboard back and forth.
TIP
If you pin a vault to the Azure Dashboard, that vault is immediately accessible when you open the Azure portal. To
pin a vault to the dashboard, in the vault list, right-click the vault, and select Pin to dashboard.
3. From the list of vaults, select the vault to open its dashboard. When you select the vault, the vault
dashboard and the Settings blade open. In the following image, the Contoso-vault dashboard is
highlighted.
Open a vault item dashboard
In the previous procedure you opened the vault dashboard. To open the vault item dashboard:
1. In the vault dashboard, on the Backup Items tile, click Azure Virtual Machines.
The Backup Items blade lists the last backup job for each item. In this example, there is one virtual
machine, demovm-markgal, protected by this vault.
TIP
For ease of access, you can pin a vault item to the Azure Dashboard. To pin a vault item, in the vault item list,
right-click the item and select Pin to dashboard.
2. In the Backup Items blade, click the item to open the vault item dashboard.
If you choose a Weekly interval, use the highlighted controls to select the day(s) of the week, and
the time of day to take the snapshot. In the day menu, select one or multiple days. In the hour
menu, select one hour. To change the hour, de-select the selected hour, and select the new hour.
3. By default, all Retention Range options are selected. Uncheck any retention range limit you do not want
to use. Then, specify the interval(s) to use.
Monthly and Yearly retention ranges allow you to specify the snapshots based on a weekly or daily
increment.
NOTE
When protecting a VM, a backup job runs once a day. The time when the backup runs is the same for each
retention range.
4. After setting all options for the policy, at the top of the blade click Save.
The new policy is immediately applied to the vault.
NOTE
While managing backup policies, make sure to follow the best practices for optimal backup performance.
NOTE
The retention range for an on-demand backup is the retention value specified for the Daily backup point in the policy. If no
Daily backup point is selected, then the weekly backup point is used.
The portal makes sure that you want to start an on-demand backup job. Click Yes to start the backup job.
The backup job creates a recovery point. The retention range of the recovery point is the same as retention
range specified in the policy associated with the virtual machine. To track the progress for the job, in the
vault dashboard, click the Backup Jobs tile.
2. On the Stop Backup blade, choose whether to retain or delete the backup data. The information box
provides details about your choice.
3. If you chose to retain the backup data, skip to step 4. If you chose to delete backup data, confirm that you
want to stop the backup jobs and delete the recovery points - type the name of the item.
If you aren't sure of the item name, hover over the exclamation mark to view the name. Also, the name of
the item is under Stop Backup at the top of the blade.
4. Optionally provide a Reason or Comment.
5. To stop the backup job for the current item, click
A notification message lets you know the backup jobs have been stopped.
NOTE
When re-protecting the virtual machine, you can choose a different policy than the policy with which virtual
machine was protected initially.
2. Follow the steps in Manage backup policies to assign the policy for the virtual machine.
Once the backup policy is applied to the virtual machine, you see the following message.
If you aren't sure of the item name, hover over the exclamation mark to view the name. Also, the name of
the item is under Delete Backup Data at the top of the blade.
3. Optionally provide a Reason or Comment.
4. To delete the backup data for the current item, click
A notification message lets you know the backup data has been deleted.
Next steps
For information on re-creating a virtual machine from a recovery point, check out Restore Azure VMs. If you need
information on protecting your virtual machines, see First look: Back up VMs to a Recovery Services vault. For
information on monitoring events, see Monitor alerts for Azure virtual machine backups.
Monitor alerts for Azure virtual machine backups
8/10/2017 8 min to read
Alerts are responses from the service that an event threshold has been met or surpassed. Knowing when problems
start can be critical to keeping business costs down. Alerts typically do not occur on a schedule, and so it is helpful
to know as soon as possible after alerts occur. For example, when a backup or restore job fails, an alert occurs
within five minutes of the failure. In the vault dashboard, the Backup Alerts tile displays Critical and Warning-level
events. In the Backup Alerts settings, you can view all events. But what do you do if an alert occurs when you are
working on a separate issue? If you don't know when the alert happens, it could be a minor inconvenience, or it
could compromise data. To make sure the correct people are aware of an alert when it occurs, configure the
service to send alert notifications via email. For details on setting up email notifications, see Configure notifications.
To open the Backup Alerts blade from the Alerts and Events blade:
4. To view detailed information about a particular alert, from the list of events, click the alert to open its Details
blade.
To customize the attributes displayed in the list, see View additional event attributes
Configure notifications
You can configure the service to send email notifications for the alerts that occurred over the past hour, or when
particular types of events occur.
To set up email notifications for alerts
1. On the Backup Alerts menu, click Configure notifications
Warning None
Informational None
Are there situations where email isn't sent even if notifications are configured?
There are situations where an alert is not sent, even though the notifications have been properly configured. In the
following situations email notifications are not sent to avoid alert noise:
If notifications are configured to Hourly Digest, and an alert is raised and resolved within the hour.
The job is canceled.
A backup job is triggered and then fails, and another backup job is in progress.
A scheduled backup job for a Resource Manager-enabled VM starts, but the VM no longer exists.
The Events blade opens to the operational events filtered just for the current vault.
The blade shows the list of Critical, Error, Warning, and Informational events that occurred in the past week.
The time span is a default value set in the Filter. The Events blade also shows a bar chart tracking when the
events occurred. If you don't want to see the bar chart, in the Events menu, click Hide chart to toggle off the
chart. The default view of Events shows Operation, Level, Status, Resource, and Time information. For
information about exposing additional Event attributes, see the section expanding Event information.
2. For additional information on an operational event, in the Operation column, click an operational event to
open its blade. The blade contains detailed information about the events. Events are grouped by their
correlation ID and a list of the events that occurred in the Time span.
3. To view detailed information about a particular event, from the list of events, click the event to open its
Details blade.
The Event-level information is as detailed as the information gets. If you prefer seeing this much information
about each event, and would like to add this much detail to the Events blade, see the section expanding
Event information.
The Events blade opens to the operational events filtered just for the current vault.
2. On the Events menu, click Filter to open that blade.
3. On the Filter blade, adjust the Level, Time span, and Caller filters. The other filters are not available since
they were set to provide the current information for the Recovery Services vault.
You can specify the Level of event: Critical, Error, Warning, or Informational. You can choose any
combination of event Levels, but you must have at least one Level selected. Toggle the Level on or off. The
Time span filter allows you to specify the length of time for capturing events. If you use a custom Time
span, you can set the start and end times.
4. Once you are ready to query the operations logs using your filter, click Update. The results display in the
Events blade.
View additional event attributes
Using the Columns button, you can enable additional event attributes to appear in the list on the Events blade. The
default list of events displays information for Operation, Level, Status, Resource, and Time. To enable additional
attributes:
1. On the Events blade, click Columns.
Resource: URL that identifies the resource; also known as the resource ID
Time: Time, measured from the current time, when the event occurred
Caller: Who or what called or triggered the event; can be the system, or a user
ResourceId : You can get ResourceId from the Audit logs. The ResourceId is a URL provided in the Resource
column of the Operation logs.
OperationName : OperationName is in the format
"Microsoft.RecoveryServices/recoveryServicesVault/EventName" where EventName can be:
Register
Unregister
ConfigureProtection
Backup
Restore
StopProtection
DeleteBackupData
CreateProtectionPolicy
DeleteProtectionPolicy
UpdateProtectionPolicy
Status : Supported values are Started, Succeeded, or Failed.
ResourceGroup : This is the Resource Group to which the resource belongs. You can add the Resource Group
column to the generated logs. Resource Group is one of the available types of event information.
Name : Name of the Alert Rule.
CustomEmail : Specify the custom email address to which you want to send an alert notification.
SendToServiceOwners : This option sends alert notifications to all administrators and co-administrators of the
subscription. It can be used in the New-AzureRmAlertRuleEmail cmdlet.
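The OperationName and Status fields described above can also drive an audit check for operations that reduce recoverability. The following is an added example, not code from the original article: the record layout (dict keys), the choice of which operations count as destructive, the severity labels, the one-hour window and the sample records are all assumptions of this example.

```python
from datetime import datetime, timedelta

# OperationName prefix and event names as listed on this page
# (the prefix is compared case-insensitively).
OP = "Microsoft.RecoveryServices/recoveryServicesVault/"
KNOWN_EVENTS = {
    "Register", "Unregister", "ConfigureProtection", "Backup", "Restore",
    "StopProtection", "DeleteBackupData", "CreateProtectionPolicy",
    "DeleteProtectionPolicy", "UpdateProtectionPolicy",
}
# Assumption of this example: operations that reduce the ability to recover.
DESTRUCTIVE = {"StopProtection", "DeleteBackupData",
               "DeleteProtectionPolicy", "Unregister"}


def event_name(operation_name):
    """Return the EventName part, or None if this is not a known vault operation."""
    if not operation_name.lower().startswith(OP.lower()):
        return None
    name = operation_name[len(OP):]
    return name if name in KNOWN_EVENTS else None


def triage(records, window=timedelta(hours=1)):
    """Return findings for destructive vault operations, oldest first.

    Failed attempts are reported as "warning", succeeded ones as "high".
    A succeeded DeleteBackupData that follows a succeeded StopProtection on
    the same resource within `window` is escalated to "critical".
    "Started" records are skipped so each operation is reported once.
    """
    findings = []
    last_stop = {}  # ResourceId -> time of the last succeeded StopProtection
    parsed = [(datetime.fromisoformat(r["Time"]), r) for r in records]
    for when, rec in sorted(parsed, key=lambda p: p[0]):
        name = event_name(rec["OperationName"])
        if name not in DESTRUCTIVE or rec["Status"] not in ("Succeeded", "Failed"):
            continue
        resource = rec["ResourceId"]
        if rec["Status"] == "Failed":
            severity = "warning"
        else:
            severity = "high"
            if name == "StopProtection":
                last_stop[resource] = when
            elif name == "DeleteBackupData":
                stopped = last_stop.get(resource)
                if stopped is not None and when - stopped <= window:
                    severity = "critical"
        findings.append({"severity": severity, "event": name,
                         "resource": resource, "caller": rec["Caller"],
                         "time": rec["Time"]})
    return findings


def _rec(op, status, resource, caller, time):
    return {"OperationName": op, "Status": status, "ResourceId": resource,
            "Caller": caller, "Time": time}


# Constructed sample records (not real log data; resource IDs are placeholders).
VM1, VM2, POL = "constructed-id/vm1", "constructed-id/vm2", "constructed-id/policy1"
SAMPLE_RECORDS = [
    _rec(OP + "Backup", "Succeeded", VM1, "system", "2017-08-10T01:00:00"),
    _rec(OP + "StopProtection", "Started", VM1, "user@example.com", "2017-08-10T02:14:00"),
    _rec(OP + "StopProtection", "Succeeded", VM1, "user@example.com", "2017-08-10T02:15:00"),
    _rec(OP + "DeleteBackupData", "Succeeded", VM1, "user@example.com", "2017-08-10T02:40:00"),
    _rec(OP + "DeleteProtectionPolicy", "Failed", POL, "user@example.com", "2017-08-10T03:00:00"),
    _rec("Microsoft.Compute/virtualMachines/write", "Succeeded", VM2, "system", "2017-08-10T03:05:00"),
    _rec(OP + "DeleteBackupData", "Succeeded", VM2, "admin@example.com", "2017-08-10T09:00:00"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding["severity"], finding["event"], finding["resource"],
              finding["caller"], finding["time"])
```
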
Limitations on Alerts
Event-based alerts are subject to the following limitations:
1. Alerts are triggered on all virtual machines in the Recovery Services vault. You cannot customize the alert for a
subset of virtual machines in a Recovery Services vault.
2. This feature is in Preview. Learn more
3. Alerts are sent from "alerts-noreply@mail.windowsazure.com". Currently you can't modify the email sender.
Next steps
Event logs enable great post-mortem and audit support for the backup operations. The following operations are
logged:
Register
Unregister
Configure protection
Backup (Both scheduled as well as on-demand backup)
Restore
Stop protection
Delete backup data
Add policy
Delete policy
Update policy
Cancel job
For a broad explanation of events, operations, and audit logs across the Azure services, see the article, View events
and audit logs.
For information on re-creating a virtual machine from a recovery point, check out Restore Azure VMs. If you need
information on protecting your virtual machines, see First look: Back up VMs to a Recovery Services vault. Learn
about the management tasks for VM backups in the article, Manage Azure virtual machine backups.
Manage common Azure Backup jobs and trigger
alerts in the classic portal
8/10/2017 8 min to read
This article provides information about common management and monitoring tasks for Classic-model virtual
machines protected in Azure.
NOTE
Azure has two deployment models for creating and working with resources: Resource Manager and Classic. See Prepare your
environment to back up Azure virtual machines for details on working with Classic deployment model VMs.
IMPORTANT
Starting March 2017, you can no longer use the classic portal to create Backup vaults.
You can now upgrade your Backup vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to a
Recovery Services vault. Microsoft encourages you to upgrade your Backup vaults to Recovery Services vaults.
After October 15, 2017, you can't use PowerShell to create Backup vaults. By November 1, 2017:
All remaining Backup vaults will be automatically upgraded to Recovery Services vaults.
You won't be able to access your backup data in the classic portal. Instead, use the Azure portal to access your backup
data in Recovery Services vaults.
The Backup Policies tab shows you the existing policy. You can modify as needed. If you need to create a
new policy click Create on the Policies page. Note that if you want to remove a policy it shouldn't have any
virtual machines associated with it.
4. You can get more information about actions or status for a virtual machine on the Jobs page. Click a job in
the list to get more details, or filter jobs for a specific virtual machine.
2. Select the virtual machine on which you want to take an on-demand backup and click on Backup Now
button at the bottom of the page.
This creates a backup job on the selected virtual machine. The retention range of the recovery point created
through this job is the same as that specified in the policy associated with the virtual machine.
NOTE
To view the policy associated with a virtual machine, drill down into the virtual machine in the Protected Items page and
go to the backup policy tab.
3. Once the job is created, you can click on View job button in the toast bar to see the corresponding job in the
jobs page.
4. After successful completion of the job, a recovery point will be created which you can use to restore the virtual
machine. This will also increment the recovery point column value by 1 in Protected Items page.
3. By default, Azure Backup doesn't delete the backup data associated with the virtual machine.
Please select a reason for stopping the backup. While this is optional, providing a reason will help Azure
Backup to work on the feedback and prioritize the customer scenarios.
4. Click the Submit button to submit the Stop protection job. Click View Job to see the corresponding
job in the Jobs page.
If you have not selected Delete associated backup data option during Stop Protection wizard, then post
job completion, protection status changes to Protection Stopped. The data remains with Azure Backup
until it is explicitly deleted. You can always delete the data by selecting the virtual machine in the Protected
Items page and clicking Delete.
If you have selected the Delete associated backup data option, the virtual machine won't be part of the
Protected Items page.
NOTE
When re-protecting the virtual machine, you can choose a different policy than the policy with which virtual machine was
protected initially.
A toast notification will appear at the bottom of the screen requesting confirmation. Click YES to continue.
2. Select the virtual machine. The virtual machine will be in Protection Stopped state.
3. Click the DELETE button at the bottom of the page.
4. In the Delete backup data wizard, select a reason for deleting backup data (highly recommended) and click
Submit.
5. This will create a job to delete backup data of selected virtual machine. Click View job to see corresponding
job in Jobs page.
Once the job is completed, the entry corresponding to the virtual machine will be removed from Protected
items page.
Dashboard
On the Dashboard page you can review information about Azure virtual machines, their storage, and jobs
associated with them in the last 24 hours. You can view backup status and any associated backup errors.
NOTE
Values in the dashboard are refreshed once every 24 hours.
Auditing Operations
Azure backup provides review of the "operation logs" of backup operations triggered by the customer making it
easy to see exactly what management operations were performed on the backup vault. Operations logs enable
great post-mortem and audit support for the backup operations.
The following operations are logged in Operation logs:
Register
Unregister
Configure protection
Backup (both scheduled as well as on-demand backup through BackupNow)
Restore
Stop protection
Delete backup data
Add policy
Delete policy
Update policy
Cancel job
To view operation logs corresponding to a backup vault:
1. Navigate to Management services in Azure portal, and then click the Operation Logs tab.
2. In the filters, select Backup as Type and specify the backup vault name in service name and click on Submit.
3. In the operations logs, select any operation and click Details to see details corresponding to an operation.
The Details wizard contains information about the operation triggered, job Id, resource on which this
operation is triggered, and start time of the operation.
Alert notifications
You can get custom alert notifications for the jobs in portal. This is achieved by defining PowerShell-based alert
rules on operational logs events. We recommend using PowerShell version 1.3.0 or above.
To define a custom notification to alert for backup failures, a sample command will look like:
ResourceId: You can get this from the Operations Logs popup, as described in the section above. The ResourceUri in the
details popup window of an operation is the ResourceId to supply to this cmdlet.
OperationName: This is of the format "Microsoft.Backup/backupvault/<EventName>", where EventName is one of
Register, Unregister, ConfigureProtection, Backup, Restore, StopProtection, DeleteBackupData, CreateProtectionPolicy,
DeleteProtectionPolicy, UpdateProtectionPolicy.
Status: Supported values are Started, Succeeded, and Failed.
ResourceGroup: The resource group of the resource on which the operation is triggered. You can obtain this from the
ResourceId value: it is the value between /resourceGroups/ and /providers/ in the ResourceId.
Name: Name of the alert rule.
CustomEmail: Specify the custom email address to which you want to send the alert notification.
SendToServiceOwners: This option sends the alert notification to all administrators and co-administrators of the
subscription. It can be used in the New-AzureRmAlertRuleEmail cmdlet.
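The derivation in the parameter list above, as an added example that is not part of the original article: it validates the event name and status against the listed values, extracts the ResourceGroup from a ResourceId, and assembles the values for several rules, going beyond the single backup-failure case to the operations that stop protection or delete backup data. The function name, the rule names, and the ResourceId are constructed for illustration, and the code calls no Azure cmdlet.

```powershell
# Added example (not from the original article). Pure PowerShell, runs offline.

# Event names and status values exactly as listed in the article.
$BackupEventNames = @(
    'Register', 'Unregister', 'ConfigureProtection', 'Backup', 'Restore',
    'StopProtection', 'DeleteBackupData', 'CreateProtectionPolicy',
    'DeleteProtectionPolicy', 'UpdateProtectionPolicy'
)
$AlertStatuses = @('Started', 'Succeeded', 'Failed')

# Hypothetical helper: validates the inputs and derives the alert-rule values.
function Get-BackupAlertRuleValue {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)] [string] $ResourceId,
        [Parameter(Mandatory = $true)] [string] $EventName,
        [Parameter(Mandatory = $true)] [string] $Status
    )

    # Compare case-insensitively, then keep the article's spelling.
    $canonicalEvent = $BackupEventNames | Where-Object { $_ -eq $EventName }
    if (-not $canonicalEvent) {
        throw "Unknown event name '$EventName'. Expected one of: $($BackupEventNames -join ', ')"
    }

    $canonicalStatus = $AlertStatuses | Where-Object { $_ -eq $Status }
    if (-not $canonicalStatus) {
        throw "Unsupported status '$Status'. Expected one of: $($AlertStatuses -join ', ')"
    }

    # ResourceGroup is the value between /resourceGroups/ and /providers/.
    if ($ResourceId -notmatch '/resourceGroups/([^/]+)/providers/') {
        throw "No /resourceGroups/<name>/providers/ segment found in: $ResourceId"
    }
    $resourceGroup = $Matches[1]

    [pscustomobject]@{
        Name          = $Name
        ResourceId    = $ResourceId
        ResourceGroup = $resourceGroup
        OperationName = "Microsoft.Backup/backupvault/$canonicalEvent"
        Status        = $canonicalStatus
    }
}

# Constructed ResourceId for illustration only; in practice, copy the
# ResourceUri from an operation's Details popup in the Operation Logs tab.
$vaultResourceId = '/subscriptions/00000000-0000-0000-0000-000000000000' +
    '/resourceGroups/ExampleBackupRG/providers/Microsoft.Backup/BackupVault/ExampleVault'

# One entry per alert rule: a failed backup, plus the two operations that
# reduce protection (stopping protection and deleting backup data).
$wanted = @(
    @{ Name = 'backupFailed';      EventName = 'Backup';           Status = 'Failed' }
    @{ Name = 'protectionStopped'; EventName = 'StopProtection';   Status = 'Succeeded' }
    @{ Name = 'backupDataDeleted'; EventName = 'DeleteBackupData'; Status = 'Succeeded' }
)

$rules = foreach ($rule in $wanted) {
    Get-BackupAlertRuleValue -ResourceId $vaultResourceId @rule
}

$rules | Format-Table Name, ResourceGroup, OperationName, Status -AutoSize
```

Because alerts apply to every virtual machine in the vault, each of these rules fires for any protected item in that vault.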
Limitations on Alerts
Event-based alerts are subject to the following limitations:
1. Alerts are triggered on all virtual machines in the backup vault. You cannot customize it to get alerts for specific
set of virtual machines in a backup vault.
2. This feature is in Preview. Learn more
3. You will receive alerts from "alerts-noreply@mail.windowsazure.com". Currently you can't modify the email
sender.
Next steps
Restore Azure VMs
Recover files from Azure virtual machine backup
9/28/2017
Azure Backup provides the capability to restore Azure virtual machines (VMs) and disks from Azure VM backups,
also known as restore points. This article explains how to recover files and folders from an Azure VM backup.
Restoring files and folders is available only for Azure VMs deployed using the Resource Manager model and
protected to a Recovery services vault.
NOTE
File recovery from an encrypted VM backup is not supported.
4. From the Select recovery point drop-down menu, select the recovery point that contains the files you
want. By default, the latest recovery point is already selected.
5. To download the software used to copy files from the recovery point, click Download Executable (for
Windows Azure VM) or Download Script (for Linux Azure VM).
To run the executable or script as an administrator, it is suggested you save the download to your computer.
6. The executable or script is password protected, and requires a password. In the File Recovery menu, click
the copy button to load the password into memory.
7. From the download location (usually the Downloads folder), right-click the executable or script and run it
with Administrator credentials. When prompted, type the password or paste the password from memory,
and press Enter. Once the valid password is entered, the script connects to the recovery point.
If you run the script on a computer with restricted access, ensure there is access to:
download.microsoft.com
Azure endpoints used for Azure VM backups
outbound port 3260
For Linux, the script requires 'open-iscsi' and 'lshw' components to connect to the recovery point. If the
components do not exist on the computer where the script is run, the script asks for permission to install the
components. Provide consent to install the necessary components.
You can run the script on any machine that has the same (or compatible) operating system as the backed-up
VM. See the Compatible OS table for compatible operating systems. If the protected Azure virtual machine
uses Windows Storage Spaces (for Windows Azure VMs) or LVM/RAID Arrays (for Linux VMs), you can't run
the executable or script on the same virtual machine. Instead, run the executable or script on any other
machine with a compatible operating system.
Compatible OS
For Windows
The following table shows the compatibility between server and computer operating systems. When recovering
files, you can't restore files to a previous or future operating system version. For example, you can't restore a file
from a Windows Server 2016 VM to Windows Server 2012 or Windows 8 computer. You can restore files from a
VM to the same server operating system, or to the compatible client operating system.
LINUX OS VERSIONS
The script also requires Python and bash components to execute and connect securely to the recovery point.
COMPONENT VERSION
Identifying Volumes
For Windows
When you run the executable, the operating system mounts the new volumes and assigns drive letters. You can use
Windows Explorer or File Explorer to browse those drives. The drive letters assigned to the volumes may not be the
same letters as the original virtual machine, however, the volume name is preserved. For example, if the volume on
the original virtual machine was Data Disk (E:\), that volume can be attached on the local computer as Data
Disk ('Any letter':\). Browse through all volumes mentioned in the script output until you find your files/folder.
For Linux
In Linux, the volumes of the recovery point are mounted to the folder where the script is run. The attached disks,
volumes, and the corresponding mount paths are shown accordingly. These mount paths are visible to users
having root level access. Browse through the volumes mentioned in the script output.
Closing the connection
After identifying the files and copying them to a local storage location, remove (or unmount) the additional drives.
To unmount the drives, on the File Recovery menu in the Azure portal, click Unmount Disks.
Once the disks have been unmounted, you receive a message letting you know it was successful. It may take a few
minutes for the connection to refresh so that you can remove the disks.
In Linux, after the connection to the recovery point is severed, the OS doesn't remove the corresponding mount
paths automatically. The mount paths exist as "orphan" volumes and they are visible but throw an error when you
access/write the files. They can be manually removed. The script, when run, identifies any such volumes existing
from any previous recovery points and cleans them up upon consent.
Special configurations
Dynamic Disks
If the protected Azure VM has volumes with one or both of the following characteristics, you can't run the
executable script on the same VM.
Volumes that span multiple disks (spanned and striped volumes)
Fault-tolerant volumes (mirrored and RAID-5 volumes) on dynamic disks
Instead, run the executable script on any other computer with a compatible operating system.
Windows Storage Spaces
Windows Storage Spaces is a Windows technology that enables you to virtualize storage. With Windows Storage
Spaces you can group industry-standard disks into storage pools. Then you use the available space in those storage
pools to create virtual disks, called storage spaces.
If the protected Azure VM uses Windows Storage Spaces, you can't run the executable script on the same VM.
Instead, run the executable script on any other machine with a compatible operating system.
LVM/RAID Arrays
In Linux, Logical volume manager (LVM) and/or software RAID Arrays are used to manage logical volumes over
multiple disks. If the protected Linux VM uses LVM and/or RAID Arrays, you can't run the script on the same VM.
Instead, run the script on any other machine that has a compatible OS and supports the file system of the
protected VM.
The following script output displays the LVM and/or RAID Arrays disks and the volumes with the partition type.
To bring these partitions online, run the commands in the following sections.
For LVM Partitions
To list the volume group names under a physical volume.
To list all logical volumes, names, and their paths in a volume group.
$ lvdisplay <volume-group-name from the pvs commands results>
The relevant RAID disk is displayed as /dev/mdm/<RAID array name in the protected VM>
Use the mount command if the RAID disk has physical volumes.
If the RAID disk has another LVM configured in it, then use the preceding procedure for LVM partitions but use the
volume name in place of the RAID Disk name
Troubleshooting
If you have problems while recovering files from the virtual machines, check the following table for additional
information.
Error message / scenario: Exe output: Exception connecting to the target
Probable cause: Script is not able to access the recovery point.
Recommended action: Check whether the machine fulfills the previous access requirements.

Error message / scenario: Exe output: The target has already been logged in via an ISCSI session.
Probable cause: The script was already executed on the same machine and the drives have been attached.
Recommended action: The volumes of the recovery point have already been attached. They may NOT be mounted with the
same drive letters of the original VM. Browse through all the available volumes in the file explorer for your file.

Error message / scenario: Exe output: This script is invalid because the disks have been dismounted via
portal/exceeded the 12-hr limit. Download a new script from the portal.
Probable cause: The disks have been dismounted from the portal or the 12-hr limit exceeded.
Recommended action: This particular exe is now invalid and can't be run. If you want to access the files of that
recovery point-in-time, visit the portal for a new exe.

Error message / scenario: On the machine where the exe is run: The new volumes are not dismounted after the dismount
button is clicked
Probable cause: The ISCSI initiator on the machine is not responding/refreshing its connection to the target and
maintaining the cache.
Recommended action: Wait for some minutes after the dismount button is pressed. If the new volumes are still not
dismounted, please browse through all the volumes. This forces the initiator to refresh the connection and the volume
is dismounted with an error message that the disk is not available.

Error message / scenario: Exe output: Script is run successfully but "New volumes attached" is not displayed on the
script output
Probable cause: This is a transient error.
Recommended action: The volumes would have been already attached. Open Explorer to browse. If you are using the same
machine for running scripts every time, consider restarting the machine and the list should be displayed in the
subsequent exe runs.

Error message / scenario: Linux specific: Not able to view the desired volumes
Probable cause: The OS of the machine where the script is run may not recognize the underlying filesystem of the
protected VM.
Recommended action: Check whether the recovery point is crash consistent or file-consistent. If file consistent, run
the script on another machine whose OS recognizes the protected VM's filesystem.

Error message / scenario: Windows specific: Not able to view the desired volumes
Probable cause: The disks may have been attached but the volumes were not configured.
Recommended action: From the disk management screen, identify the additional disks related to the recovery point. If
any of these disks are in offline state try making them online by right-clicking on the disk and click 'Online'.
Use the Azure portal to restore virtual machines
10/6/2017
Protect your data by taking snapshots of your data at defined intervals. These snapshots are known as recovery
points, and they're stored in Recovery Services vaults. If it's necessary to repair or rebuild a virtual machine (VM),
you can restore the VM from any of the saved recovery points. When you restore a recovery point, you can:
Create a new VM, which is a point-in-time representation of your backed-up VM.
Restore disks, and use the template that comes with the process to customize the restored VM, or do an
individual file recovery.
This article explains how to restore a VM to a new VM or restore all backed-up disks. For individual file recovery,
see Recover files from an Azure VM backup.
NOTE
Azure has two deployment models for creating and working with resources: Azure Resource Manager and classic. This article
provides the information and procedures used to restore deployed VMs by using the Resource Manager model.
3. From the list, select the vault associated with the VM you want to restore. When you select the vault, its
dashboard opens.
4. In the vault dashboard, on the Backup Items tile, select Azure Virtual Machines.
The Backup Items blade opens and displays the list of Azure VMs.
5. From the list, select a VM to open the dashboard. The VM dashboard opens to the monitoring area, which
contains the Restore points tile.
By default, the dialog box displays all the restore points from the last 30 days. Use the Filter to alter the
time range of the restore points displayed. By default, restore points of all consistencies are displayed.
Modify the All restore points filter to select a specific restore point consistency. For more information
about each type of restoration point, see Data consistency.
Restore point consistency options:
Crash consistent restore points
Application consistent restore points
File-system consistent restore points
All restore points
8. Choose a restore point, and select OK.
The Restore blade shows that the restore point is set.
9. If you're not already there, go to the Restore blade. Ensure that a restore point is selected, and select
Restore configuration. The Restore configuration blade opens.
NOTE
If you restore a Resource Manager-deployed VM, you must identify a virtual network. A virtual network is
optional for a classic VM.
If you restore VMs with managed disks, make sure that the storage account selected has never been enabled for
Azure Storage Service Encryption in its lifetime.
Based on the storage type of the storage account selected (premium or standard), all disks restored will be
either premium or standard disks. We currently don't support a mixed mode of disks when restoring.
2. On the Restore configuration blade, select OK to finalize the restore configuration. On the Restore blade,
select Restore to trigger the restore operation.
Restore backed-up disks
To create a VM from backed-up disks with a configuration different from what the Restore configuration blade
offers, select Restore disks as the value for Restore Type. This choice asks for a storage account
where disks from backups are to be copied. When you choose a storage account, select an account that shares the
same location as the Recovery Services vault. Storage accounts that are zone redundant aren't supported. If there
are no storage accounts with the same location as the Recovery Services vault, you must create one before you
start the restore operation. The storage account's replication type is displayed in parentheses.
After the restore operation is finished, you can:
Use the template to customize the restored VM
Use the restored disks to attach to an existing VM
Create a new VM by using PowerShell from restored disks
On the Restore configuration blade, select OK to finalize the restore configuration. On the Restore blade, select
Restore to trigger the restore operation.
2. From the list, select the vault associated with the VM you restored. When you select the vault, its dashboard
opens.
3. In the vault dashboard on the Backup Jobs tile, select Azure virtual machines to display the jobs
associated with the vault.
The Backup jobs blade opens and displays the list of jobs.
NOTE
Templates are added as part of restore disks for recovery points taken after March 1, 2017. They're applicable for
nonmanaged disk VMs. Support for managed disk VMs is coming in upcoming releases.
To get the template that was generated as part of the restore disks option:
1. Go to the restore job details corresponding to the job.
2. On the Restore Job Details screen, select Deploy Template to initiate template deployment.
3. On the Deploy template blade for custom deployment, use template deployment to edit and deploy the
template or append more customizations by authoring a template before you deploy.
4. After you enter the required values, accept the Terms and Conditions and select Purchase.
Post-restore steps
If you use a cloud-init-based Linux distribution, such as Ubuntu, for security reasons, the password is blocked
post restore. Use the VMAccess extension on the restored VM to reset the password. We recommend using SSH
keys on these distributions to avoid resetting the password post restore.
Extensions present during the backup configuration are installed, but they won't be enabled. If you see an issue,
reinstall the extensions.
If the backed-up VM has static IP post restore, the restored VM has a dynamic IP to avoid conflict when you
create a restored VM. Learn more about how you can add a static IP to a restored VM.
A restored VM doesn't have an availability value set. We recommend using the restore disks option to add an
availability set when you create a VM from PowerShell or templates by using restored disks.
To fully re-create the VMs after restoring to disk, follow these steps:
1. Restore the disks from a Recovery Services vault by using PowerShell.
2. Create the VM configuration required for load balancer/multiple NIC/multiple reserved IP by using the
PowerShell cmdlets. Use it to create the VM with the configuration you want:
a. Create a VM in the cloud service with an internal load balancer.
b. Create a VM to connect to an internet-facing load balancer.
c. Create a VM with multiple NICs.
d. Create a VM with multiple reserved IPs.
Next steps
Now that you can restore your VMs, see the troubleshooting article for information on common errors with VMs.
Also, check out the article on managing tasks with your VMs.
Troubleshooting errors
Manage virtual machines
Back up and restore encrypted virtual machines with
Azure Backup
10/13/2017
This article talks about the steps to back up and restore virtual machines (VMs) by using Azure Backup. It also
provides details about supported scenarios, prerequisites, and troubleshooting steps for error cases.
Supported scenarios
Backup and restore of encrypted VMs is supported only for VMs that use the Azure Resource Manager
deployment model. It's not supported for VMs that use the classic deployment model.
Backup and restore of encrypted VMs is supported for both Windows and Linux VMs that use Azure Disk
Encryption. Disk Encryption uses the industry standard BitLocker feature of Windows and the dm-crypt
feature of Linux to provide encryption of disks.
The following table shows supported scenarios for BitLocker encryption key (BEK)-only and key encryption
key (KEK)-encrypted VMs:
Prerequisites
The VM was encrypted by using Azure Disk Encryption.
A Recovery Services vault was created and storage replication was set by following the steps in Prepare your
environment for backup.
Backup was given permissions to access a key vault containing keys and secrets for encrypted VMs.
Backup-encrypted VM
Use the following steps to set a backup goal, define a policy, configure items, and trigger a backup.
Configure backup
1. If you already have a Recovery Services vault open, proceed to the next step. If you don't have a Recovery
Services vault open but you're in the Azure portal, on the Hub menu, select Browse.
a. In the list of resources, type Recovery Services.
b. As you begin typing, the list filters based on your input. When you see Recovery Services vaults, select it.
c. The list of Recovery Services vaults appears. Select a vault from the list.
The selected vault dashboard opens.
2. From the list of items that appears under the vault, select Backup to start backing up the encrypted VM.
5. Under Choose backup policy, select the backup policy you want to apply to the vault. Then select OK.
The details of the default policy are listed. If you want to create a policy, select Create New from the drop-
down list. After you select OK, the backup policy is associated with the vault.
6. Choose the encrypted VMs to associate with the specified policy, and select OK.
7. This page shows a message about key vaults associated to the encrypted VMs you selected. Backup requires
read-only access to the keys and secrets in the key vault. It uses these permissions to back up the keys and
secrets, along with the associated VMs. You must provide permissions to the backup service to access the key
vault for backups to work. You can provide these permissions by following the steps mentioned in the
following section.
Now that you have defined all settings for the vault, select Enable Backup at the bottom of the page.
Enable Backup deploys the policy to the vault and the VMs.
8. The next phase in preparation is installing the VM Agent or making sure the VM Agent is installed. To do the
same, follow the steps in Prepare your environment for backup.
Trigger a backup job
Follow the steps in Backup Azure VMs to a Recovery Services vault to trigger a backup job.
Continue backups of already backed-up VMs with encryption enabled
If you have VMs already being backed up in a Recovery Services vault that are enabled for encryption later, you
must give permissions to Backup to access the key vault for backups to continue. You can provide these
permissions by following the steps in the following section. Or you can follow the PowerShell steps in the "Enable
backup" section of the PowerShell documentation.
6. Under Configure from template (optional), select Azure Backup. The required permissions are prefilled
for Key permissions and Secret permissions. If your VM is encrypted by using BEK only, permissions only
for secrets are required, so you must remove the selection for Key permissions.
7. Select OK. Notice that Backup Management Service gets added in Access policies.
8. Select Save to give the required permissions to Backup.
After permissions are successfully provided, you can proceed with enabling backup for encrypted VMs.
Restore an encrypted VM
To restore an encrypted VM, first restore disks by following the steps in the "Restore backed-up disks" section in
Choose a VM restore configuration. After that, you can use one of the following options:
Follow the PowerShell steps in Create a VM from restored disks to create a full VM from restored disks.
Or, use templates to customize a restored VM to create VMs from restored disks. Templates can be used only for
recovery points created after April 26, 2017.
Troubleshooting errors
Operation: Restore
Error details: You can't restore this encrypted VM because the key vault associated with this VM doesn't exist.
Resolution: Create a key vault by using Get started with Azure Key Vault. See Restore a key vault key and a secret by
using Azure Backup to restore a key and a secret if they aren't present.

Operation: Restore
Error details: You can't restore this encrypted VM because the key and the secret associated with this VM don't exist.
Resolution: See Restore a key vault key and a secret by using Azure Backup to restore a key and a secret if they
aren't present.

Operation: Restore
Error details: Backup doesn't have the authorization to access resources in your subscription.
Resolution: As mentioned previously, restore disks first by following the steps in the "Restore backed-up disks"
section in Choose a VM restore configuration. After that, use PowerShell to create a VM from restored disks.
Restore virtual machines in Azure
8/11/2017
Restore a virtual machine to a new VM from the backups stored in an Azure Backup vault with the following steps.
IMPORTANT
You can now upgrade your Backup vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to
a Recovery Services vault. Microsoft encourages you to upgrade your Backup vaults to Recovery Services vaults.
October 15, 2017, you will no longer be able to use PowerShell to create Backup vaults.
Starting November 1, 2017:
Any remaining Backup vaults will be automatically upgraded to Recovery Services vaults.
You won't be able to access your backup data in the classic portal. Instead, use the Azure portal to access your backup
data in Recovery Services vaults.
Restore workflow
Step 1: Choose an item to restore
1. Navigate to the Protected Items tab and select the virtual machine you want to restore to a new VM.
The Recovery Point column in the Protected Items page will tell you the number of recovery points for a
virtual machine. The Newest Recovery Point column tells you the time of the most recent backup from
which a virtual machine can be restored.
2. Click Restore to open the Restore an Item wizard.
Once you click a date in the calendar control, the recovery points available on that date will be shown in
recovery points table below. The Time column indicates the time at which the snapshot was taken. The
Type column displays the consistency of the recovery point. The table header shows the number of
recovery points available on that day in parentheses.
3. Select the recovery point from the Recovery Points table and click the Next arrow to go to the next screen.
Step 3: Specify a destination location
1. In the Select restore instance screen specify details of where to restore the virtual machine.
Specify the virtual machine name: In a given cloud service, the virtual machine name should be unique.
We don't support overwriting an existing VM.
Select a cloud service for the VM: This is mandatory for creating a VM. You can choose to either use
an existing cloud service or create a new cloud service.
Whatever cloud service name is picked should be globally unique. Typically, the cloud service name
gets associated with a public-facing URL in the form of [cloudservice].cloudapp.net. Azure will not
allow you to create a new cloud service if the name has already been used. If you choose to create a
new cloud service, it will be given the same name as the virtual machine in which case the VM
name picked should be unique enough to be applied to the associated cloud service.
We only display cloud services and virtual networks that are not associated with any affinity groups
in the restore instance details. Learn More.
2. Select a storage account for the VM: This is mandatory for creating the VM. You can select from existing
storage accounts in the same region as the Azure Backup vault. We don't support storage accounts that are
Zone redundant or of Premium storage type.
If there are no storage accounts with supported configuration, please create a storage account of supported
configuration prior to starting restore operation.
3. Select a Virtual Network: The virtual network (VNET) for the virtual machine should be selected at the time
of creating the VM. The restore UI shows all the VNETs within this subscription that can be used. It is not
mandatory to select a VNET for the restored VM; you will be able to connect to the restored virtual
machine over the internet even if the VNET is not applied.
If the cloud service selected is associated with a virtual network, then you cannot change the virtual
network.
4. Select a subnet: In case the VNET has subnets, by default the first subnet will be selected. Choose the
subnet of your choice from the dropdown options. For subnet details, go to Networks extension in the
portal home page, go to Virtual Networks and select the virtual network and drill down into Configure to
see subnet details.
5. Click the Submit icon in the wizard to submit the details and create a restore job.
If the job creation is successful, you will see a toast notification indicating that the job is created. You can get more
details by clicking the View Job button that will take you to Jobs tab.
Once the restore operation is finished, it will be marked as completed in Jobs tab.
After restoring the virtual machine you may need to re-install the extensions existing on the original VM and
modify the endpoints for the virtual machine in the Azure portal.
Post-Restore steps
If you are using a cloud-init based Linux distribution such as Ubuntu, for security reasons, password will be
blocked post restore. Please use VMAccess extension on the restored VM to reset the password. We recommend
using SSH keys on these distributions to avoid resetting password post restore.
TIP
Please use PowerShell based restore flow to recreate the special network configuration of VMs post restore.
Restoring from the UI:
While restoring from UI, always choose a new cloud service. Please note that since portal only takes
mandatory parameters during restore flow, VMs restored using UI will lose the special network configuration they
possess. In other words, restored VMs will be normal VMs without configuration of load balancer or multi NIC or
multiple reserved IP.
Restoring from PowerShell:
PowerShell has the ability to just restore the VM disks from backup and not create the virtual machine. This is
helpful when restoring virtual machines which require special network configurations mentioned above.
In order to fully recreate the virtual machine post restoring disks, follow these steps:
1. Restore the disks from backup vault using Azure Backup PowerShell
2. Create the VM config required for load balancer/multiple NIC/multiple reserved IP using the PowerShell
cmdlets and use it to create the VM of desired configuration.
Create VM in cloud service with Internal Load balancer
Create VM to connect to Internet facing load balancer
Create VM with multiple NICs
Create VM with multiple reserved IPs
Next steps
Troubleshooting errors
Manage virtual machines
Restore Key Vault key and secret for encrypted VMs
using Azure Backup
8/28/2017
This article talks about using Azure VM Backup to perform restore of encrypted Azure VMs, if your key and secret
do not exist in the key vault. These steps can also be used if you want to maintain a separate copy of key (Key
Encryption Key) and secret (BitLocker Encryption Key) for the restored VM.
Prerequisites
Backup encrypted VMs - Encrypted Azure VMs have been backed up using Azure Backup. Refer to the article
Manage backup and restore of Azure VMs using PowerShell for details about how to back up encrypted Azure
VMs.
Configure Azure Key Vault - Ensure that the key vault to which keys and secrets need to be restored is already
present. Refer to the article Get Started with Azure Key Vault for details about key vault management.
Restore disk - Ensure that you have triggered a restore job for restoring disks for the encrypted VM using
PowerShell steps. This is because this job generates a JSON file in your storage account containing keys and
secrets for the encrypted VM to be restored.
Set the Azure storage context and restore JSON configuration file containing key and secret details for encrypted
VM.
Restore key
Once the JSON file is generated in the destination path mentioned above, generate key blob file from the JSON
and feed it to restore key cmdlet to put the key (KEK) back in the key vault.
PS C:\> $keyDestination = 'C:\keyDetails.blob'
PS C:\> [io.file]::WriteAllBytes($keyDestination, [System.Convert]::FromBase64String($encryptionObject.OsDiskKeyAndSecretDetails.KeyBackupData))
PS C:\> Restore-AzureKeyVaultKey -VaultName '<target_key_vault_name>' -InputFile $keyDestination
Restore secret
Use the JSON file generated above to get secret name and value and feed it to set secret cmdlet to put the secret
(BEK) back in the key vault. Use these cmdlets if your VM is encrypted using BEK and KEK.
If your VM is encrypted using BEK only, generate secret blob file from the JSON and feed it to restore secret
cmdlet to put the secret (BEK) back in the key vault.
NOTE
1. Value for $secretname can be obtained by referring to the output of $encryptionObject.OsDiskKeyAndSecretDetails.SecretUrl and using text after secrets/, e.g. output secret URL is https://keyvaultname.vault.azure.net/secrets/B3284AAA-DAAA-4AAA-B393-60CAA848AAAA/xx000000xx0849999f3xx30000003163 and secret name is B3284AAA-DAAA-4AAA-B393-60CAA848AAAA
2. Value of the tag DiskEncryptionKeyFileName is same as secret name.
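The key-restore commands and the secret-name rule above, combined into one routine as an added example (not code from the original article): it decodes KeyBackupData into a temporary file that is deleted whether or not the restore succeeds, and derives the secret name from SecretUrl. The function names and the sample object are hypothetical; the property names, the Restore-AzureKeyVaultKey parameters and the DiskEncryptionKeyFileName tag are the ones used on this page.

```powershell
# Added example; not part of the original article.
# From the page: OsDiskKeyAndSecretDetails, KeyBackupData, SecretUrl,
# Restore-AzureKeyVaultKey -VaultName/-InputFile, DiskEncryptionKeyFileName.
# Hypothetical: Get-SecretReference, Restore-KekFromConfig and the sample object.

function Get-SecretReference {
    # Splits a Key Vault secret URL of the form
    #   https://<vault host>/secrets/<secret name>/<version>
    # The same rule applies to $rp1.KeyAndSecretDetails.SecretUrl in the legacy approach.
    param([Parameter(Mandatory)][string]$SecretUrl)

    $uri = $null
    if (-not [System.Uri]::TryCreate($SecretUrl, [System.UriKind]::Absolute, [ref]$uri)) {
        throw "Not an absolute URL: $SecretUrl"
    }
    if ($uri.Scheme -ne 'https') {
        throw "Secret URL must use https: $SecretUrl"
    }

    $parts = $uri.AbsolutePath.Trim('/').Split('/')
    if ($parts.Count -lt 2 -or $parts[0] -ne 'secrets' -or -not $parts[1]) {
        throw "No 'secrets/<name>' segment in: $SecretUrl"
    }

    [pscustomobject]@{
        VaultHost  = $uri.Host
        SecretName = $parts[1]
        Version    = if ($parts.Count -ge 3) { $parts[2] } else { $null }
    }
}

function Restore-KekFromConfig {
    # Writes the key backup to a per-user temp file, restores it, and always
    # removes the file so key material does not stay on disk.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]$EncryptionObject,
        [Parameter(Mandatory)][string]$VaultName
    )

    $details = $EncryptionObject.OsDiskKeyAndSecretDetails
    if (-not $details -or [string]::IsNullOrWhiteSpace($details.KeyBackupData)) {
        throw 'KeyBackupData is missing or empty in the restore configuration.'
    }

    # FromBase64String throws on malformed input, before anything is written.
    $bytes = [System.Convert]::FromBase64String($details.KeyBackupData)
    $blob  = Join-Path ([System.IO.Path]::GetTempPath()) ([System.IO.Path]::GetRandomFileName())
    $restored = $null
    try {
        [System.IO.File]::WriteAllBytes($blob, $bytes)
        if ($PSCmdlet.ShouldProcess($VaultName, 'Restore-AzureKeyVaultKey')) {
            $restored = Restore-AzureKeyVaultKey -VaultName $VaultName -InputFile $blob -ErrorAction Stop
        }
    }
    finally {
        # .NET delete is not affected by -WhatIf, unlike Remove-Item.
        [System.IO.File]::Delete($blob)
    }

    $ref = Get-SecretReference -SecretUrl $details.SecretUrl
    [pscustomobject]@{
        KeyBlobBytes = $bytes.Length
        BlobRemoved  = -not (Test-Path -LiteralPath $blob)
        RestoredKey  = $restored
        SecretName   = $ref.SecretName
        # Per the note above, this tag carries the same value as the secret name.
        Tags         = @{ DiskEncryptionKeyFileName = $ref.SecretName }
    }
}

# Constructed sample standing in for the parsed JSON file from the restore-disk job.
# The URL is the placeholder from the note above; the key bytes are not a real backup.
$sample = [pscustomobject]@{
    OsDiskKeyAndSecretDetails = [pscustomobject]@{
        SecretUrl     = 'https://keyvaultname.vault.azure.net/secrets/B3284AAA-DAAA-4AAA-B393-60CAA848AAAA/xx000000xx0849999f3xx30000003163'
        KeyBackupData = [System.Convert]::ToBase64String(
            [System.Text.Encoding]::ASCII.GetBytes('constructed bytes, not a real key backup'))
    }
} | ConvertTo-Json -Depth 3 | ConvertFrom-Json

# -WhatIf exercises decoding, temp-file handling and cleanup without contacting Azure.
Restore-KekFromConfig -EncryptionObject $sample -VaultName '<target_key_vault_name>' -WhatIf
```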
Legacy approach
The approach mentioned above works for all recovery points. However, the older approach of getting
key and secret information from the recovery point is valid for recovery points older than July 11, 2017 for
VMs encrypted using BEK and KEK. Once the restore disk job is complete for the encrypted VM using PowerShell steps,
ensure that $rp is populated with a valid value.
Restore key
Use the following cmdlets to get key (KEK) information from recovery point and feed it to restore key cmdlet to
put it back in the key vault.
PS C:\> $rp1 = Get-AzureRmRecoveryServicesBackupRecoveryPoint -RecoveryPointId $rp[0].RecoveryPointId -Item $backupItem -KeyFileDownloadLocation 'C:\Users\downloads'
PS C:\> Restore-AzureKeyVaultKey -VaultName '<target_key_vault_name>' -InputFile 'C:\Users\downloads'
Restore secret
Use the following cmdlets to get secret (BEK) information from recovery point and feed it to set secret cmdlet to
put it back in the key vault.
NOTE
1. Value for $secretname can be obtained by referring to the output of $rp1.KeyAndSecretDetails.SecretUrl and using text after secrets/, e.g. output secret URL is https://keyvaultname.vault.azure.net/secrets/B3284AAA-DAAA-4AAA-B393-60CAA848AAAA/xx000000xx0849999f3xx30000003163 and secret name is B3284AAA-DAAA-4AAA-B393-60CAA848AAAA
2. Value of the tag DiskEncryptionKeyFileName is same as secret name.
3. Value for DiskEncryptionKeyEncryptionKeyURL can be obtained from key vault after restoring the keys back and using Get-AzureKeyVaultKey cmdlet
Next steps
After restoring key and secret back to key vault, refer the article Manage backup and restore of Azure VMs using
PowerShell to create encrypted VMs from restored disk, key and secret.
Configure Azure Backup reports
10/3/2017
This article talks about steps to configure reports for Azure Backup using Recovery Services vault, and to access
these reports using Power BI. After performing these steps, you can directly go to Power BI to view all the reports,
customize and create reports.
Supported scenarios
1. Azure Backup reports are supported for Azure virtual machine backup and file/folder backup to cloud using
Azure Recovery Services Agent.
2. Reports for Azure SQL, DPM and Azure Backup Server are not supported at this time.
3. You can view reports across vaults and across subscriptions, if same storage account is configured for each of
the vaults. Storage account selected should be in the same region as recovery services vault.
4. The frequency of scheduled refresh for the reports is 24 hours in Power BI. You can also perform an ad-hoc
refresh of the reports in Power BI, in which case latest data in customer storage account is used for rendering
reports.
Prerequisites
1. Create an Azure storage account to configure it for reports. This storage account is used for storing reports
related data.
2. Create a Power BI account to view, customize, and create your own reports using Power BI portal.
3. Register the resource provider Microsoft.insights if not registered already, with the subscription of storage
account and also with the subscription of Recovery Services vault to enable reporting data to flow to the
storage account. To do so, go to Azure portal > Subscription > Resource providers and check
for this provider to register it.
3. On the Backup Reports blade, click Configure button. This opens the Azure Application Insights blade which
is used for pushing data to customer storage account.
4. Set the Status toggle button to On and select Archive to a Storage Account check box so that reporting
data can start flowing in to the storage account.
5. Click Storage Account picker and select the storage account from the list for storing reporting data and click
OK.
6. Select AzureBackupReport check box and also move the slider to select retention period for this reporting
data. Reporting data in the storage account is kept for the period selected using this slider.
7. Review all the changes and click Save button on top, as shown in the figure above. This action ensures that all
your changes are saved and storage account is now configured for storing reporting data.
NOTE
Once you configure reports by saving storage account, you should wait for 24 hours for initial data push to complete. You
should import Azure Backup content pack in Power BI only after that time. Refer to the FAQ section for further details.
4. Enter the storage account name configured in step 5 above and click Next button.
5. Enter the storage account key for this storage account. You can view and copy storage access keys by
navigating to your storage account in Azure portal.
6. Click Sign in button. After sign-in is successful, you get Importing data notification.
After some time, you get Success notification after the import is complete. It might take a little longer to
import the content pack if there is a lot of data in the storage account.
7. Once data is imported successfully, Azure Backup content pack is visible in Apps in the navigation pane.
The list now shows Azure Backup dashboard, reports, and dataset with a yellow star indicating newly
imported reports.
8. Click Azure Backup under Dashboards, which shows a set of pinned key reports.
9. To view the complete set of reports, click any report in the dashboard.
10. Click each tab in the reports to view reports in that area.
Power BI has a scheduled refresh once a day. You can perform a manual refresh of the data in Power BI for
the content pack.
3. How long can I retain the reports?
While configuring storage account, you can select retention period of reporting data in the storage account
(using step 6 in Configure storage account for reports section above). Besides that, you can Analyze reports
in excel and save them for a longer retention period, as per your needs.
4. Will I see all my data in reports after configuring the storage account?
All the data generated after "configuring storage account" will be pushed to the storage account and will
be available in reports. However, In Progress Jobs are not pushed for Reporting. Once the job completes
or fails, it is sent to reports.
5. If I have already configured the storage account to view reports, can I change the configuration to
use another storage account?
Yes, you can change the configuration to point to a different storage account. You should use the newly
configured storage account while connecting to Azure Backup content pack. Also, once a different storage
account is configured, new data would flow in this storage account. But older data (before changing the
configuration) would still remain in the older storage account.
6. Can I view reports across vaults and across subscriptions?
Yes, you can configure the same storage account across various vaults to view cross-vault reports. Also, you
can configure the same storage account for vaults across subscriptions. You can then use this storage
account while connecting to Azure Backup content pack in Power BI to view the reports. However, the
storage account selected should be in the same region as recovery services vault.
Troubleshooting errors
ERROR DETAILS: After setting up the storage account for Backup Reports, Storage Account still shows Not Configured.
RESOLUTION: If you configured storage account successfully, your reporting data will flow in despite this issue. To resolve this issue, go to Azure portal > More Services > Diagnostic settings > RS vault > Edit Setting. Delete the previously configured setting and create a new setting from the same blade. This time set the field Name to service. This should show the configured storage account.
ERROR DETAILS: After importing Azure Backup content pack in Power BI, the error 404- container is not found comes up.
RESOLUTION: As suggested in this document, you must wait for 24 hours after configuring reports in Recovery Services vault to see them correctly in Power BI. If you try to access the reports before 24 hours, you will get this error since complete data is not yet present to show valid reports.
Next steps
Now that you have configured the storage account and imported Azure Backup content pack, the next step is to
customize these reports and use reporting data model to create reports. Refer the following articles for more
details.
Using Azure Backup reporting data model
Filtering reports in Power BI
Creating reports in Power BI
Data model for Azure Backup reports
6/27/2017
This article describes the Power BI data model used for creating Azure Backup reports. Using this data model, you
can filter existing reports based on relevant fields and more importantly, create your own reports by using tables
and fields in the model.
Backup Item
This table provides basic fields and aggregations over various backup item-related fields.
Calendar
This table provides details about calendar-related fields.
Job
This table provides basic fields and aggregations over various job-related fields.
Policy
This table provides basic fields and aggregations over various policy-related fields.
Protected Server
This table provides basic fields and aggregations over various protected server-related fields.
Storage
This table provides basic fields and aggregations over various storage-related fields.
Time
This table provides details about time-related fields.
Vault
This table provides basic fields and aggregations over various vault-related fields.
Next steps
Once you review the data model for creating Azure Backup reports, refer the following articles for more details
about creating and viewing reports in Power BI.
Creating reports in Power BI
Filtering reports in Power BI
Log Analytics data model for Azure Backup data
7/25/2017
This article describes the data model used for pushing reporting data to Log Analytics. Using this data model, you
can create custom queries, dashboards, and utilize it in OMS.
BackupItem
This table provides details about backup item-related fields.
BackupItemAssociation
This table provides details about backup item associations with various entities.
Job
This table provides details about job-related fields.
Policy
This table provides details about policy-related fields.
PolicyAssociation
This table provides details about policy associations with various entities.
ProtectedServer
This table provides details about protected server-related fields.
ProtectedServerAssociation
This table provides details about protected server associations with other entities.
Storage
This table provides details about storage-related fields.
Vault
This table provides details about vault-related fields.
Next steps
Once you review the data model for creating Azure Backup reports, you can start creating dashboard in Log
Analytics and OMS.
Preparing to back up workloads to Azure with DPM
8/21/2017
This article provides an introduction to using Microsoft Azure Backup to protect your System Center Data
Protection Manager (DPM) servers and workloads. By reading it, you'll understand:
How Azure DPM server backup works
The prerequisites to achieve a smooth backup experience
The typical errors encountered and how to deal with them
Supported scenarios
NOTE
Azure has two deployment models for creating and working with resources: Resource Manager and classic. This article
provides the information and procedures for restoring VMs deployed using the Resource Manager model.
System Center DPM backs up file and application data. Data backed up to DPM can be stored on tape, on disk, or
backed up to Azure with Microsoft Azure Backup. DPM interacts with Azure Backup as follows:
DPM deployed as a physical server or on-premises virtual machine - If DPM is deployed as a physical
server or as an on-premises Hyper-V virtual machine you can back up data to a Recovery Services vault in
addition to disk and tape backup.
DPM deployed as an Azure virtual machine - From System Center 2012 R2 with Update 3, DPM can be
deployed as an Azure virtual machine. If DPM is deployed as an Azure virtual machine you can back up data to
Azure disks attached to the DPM Azure virtual machine, or you can offload the data storage by backing it up to
a Recovery Services vault.
Prerequisites
Prepare Azure Backup to back up DPM data as follows:
1. Create a Recovery Services vault - Create a vault in Azure portal.
2. Download vault credentials - Download the credentials which you use to register the DPM server to
Recovery Services vault.
3. Install the Azure Backup Agent - From Azure Backup, install the agent on each DPM server.
4. Register the server - Register the DPM server to Recovery Services vault.
1. Create a recovery services vault
To create a recovery services vault:
1. Sign in to the Azure portal.
2. On the Hub menu, click Browse and in the list of resources, type Recovery Services. As you begin typing,
the list will filter based on your input. Click Recovery Services vault.
The Recovery Services vault blade opens, prompting you to provide a Name, Subscription, Resource
group, and Location.
4. For Name, enter a friendly name to identify the vault. The name needs to be unique for the Azure subscription.
Type a name that contains between 2 and 50 characters. It must start with a letter, and can contain only letters,
numbers, and hyphens.
5. Click Subscription to see the available list of subscriptions. If you are not sure which subscription to use, use
the default (or suggested) subscription. There will be multiple choices only if your organizational account is
associated with multiple Azure subscriptions.
6. Click Resource group to see the available list of Resource groups, or click New to create a new Resource
group. For complete information on Resource groups, see Azure Resource Manager overview
7. Click Location to select the geographic region for the vault.
8. Click Create. It can take a while for the Recovery Services vault to be created. Monitor the status notifications
in the upper right-hand area in the portal. Once your vault is created, it opens in the portal.
Set Storage Replication
The storage replication option allows you to choose between geo-redundant storage and locally redundant
storage. By default, your vault has geo-redundant storage. Leave the option set to geo-redundant storage if this is
your primary backup. Choose locally redundant storage if you want a cheaper option that isn't quite as durable.
Read more about geo-redundant and locally redundant storage options in the Azure Storage replication
overview.
To edit the storage replication setting:
1. Select your vault to open the vault dashboard and the Settings blade. If the Settings blade doesn't open, click
All settings in the vault dashboard.
2. On the Settings blade, click Backup Infrastructure > Backup Configuration to open the Backup
Configuration blade. On the Backup Configuration blade, choose the storage replication option for
your vault.
After choosing the storage option for your vault, you are ready to associate the VM with the vault. To begin
the association, you should discover and register the Azure virtual machines.
2. Download vault credentials
The vault credentials file is a certificate generated by the portal for each backup vault. The portal then uploads the
public key to the Access Control Service (ACS). The private key of the certificate is made available to the user as
part of the workflow which is given as an input in the machine registration workflow. This authenticates the
machine to send backup data to an identified vault in the Azure Backup service.
The vault credential is used only during the registration workflow. It is the user's responsibility to ensure that the
vault credentials file is not compromised. If it falls into the hands of a rogue user, the vault credentials file can be
used to register other machines against the same vault. However, as the backup data is encrypted using a
passphrase which belongs to the customer, existing backup data cannot be compromised. To mitigate this
concern, vault credentials are set to expire in 48 hrs. You can download the vault credentials of a Recovery Services
vault any number of times, but only the latest vault credential file is applicable during the registration workflow.
The vault credential file is downloaded through a secure channel from the Azure portal. The Azure Backup service
is unaware of the private key of the certificate and the private key is not persisted in the portal or the service. Use
the following steps to download the vault credential file to a local machine.
1. Sign in to the Azure portal.
2. Open the Recovery Services vault to which you want to register the DPM machine.
3. Settings blade opens up by default. If it is closed, click on Settings on vault dashboard to open the settings
blade. In Settings blade, click on Properties.
4. On the Properties page, click Download under Backup Credentials. The portal generates the vault
credential file, which is made available for download.
The portal will generate a vault credential using a combination of the vault name and the current date. Click Save
to download the vault credentials to the local account's downloads folder, or select Save As from the Save menu
to specify a location for the vault credentials. It will take up to a minute for the file to be generated.
Note
Ensure that the vault credentials file is saved in a location which can be accessed from your machine. If it is
stored in a file share/SMB, check for the access permissions.
The vault credentials file is used only during the registration workflow.
The vault credentials file expires after 48hrs and can be downloaded from the portal.
3. Install Backup Agent
After creating the Azure Backup vault, an agent should be installed on each of your Windows machines (Windows
Server, Windows client, System Center Data Protection Manager server, or Azure Backup Server machine) that
enables back up of data and applications to Azure.
1. Open the Recovery Services vault to which you want to register the DPM machine.
2. Settings blade opens up by default. If it is closed, click on Settings to open the settings blade. In Settings
blade, click on Properties.
3. On the Settings page, click Download under Azure Backup Agent.
Once the agent is downloaded, double click MARSAgentInstaller.exe to launch the installation of the Azure
Backup agent. Choose the installation folder and scratch folder required for the agent. The cache location
specified must have free space which is at least 5% of the backup data.
4. If you use a proxy server to connect to the internet, in the Proxy configuration screen, enter the proxy server
details. If you use an authenticated proxy, enter the user name and password details in this screen.
5. The Azure Backup agent installs .NET Framework 4.5 and Windows PowerShell (if it's not available already) to
complete the installation.
6. Once the agent is installed, Close the window.
7. To Register the DPM Server to the vault, in the Management tab, Click on Online. Then, select Register. It
will open the Register Setup Wizard.
8. If you use a proxy server to connect to the internet, in the Proxy configuration screen, enter the proxy
server details. If you use an authenticated proxy, enter the user name and password details in this screen.
9. In the vault credentials screen, browse to and select the vault credentials file which was previously
downloaded.
The vault credentials file is valid only for 48 hrs (after it's downloaded from the portal). If you encounter
any error in this screen (for example, "Vault credentials file provided has expired"), log in to the Azure portal
and download the vault credentials file again.
Ensure that the vault credentials file is available in a location which can be accessed by the setup
application. If you encounter access related errors, copy the vault credentials file to a temporary location in
this machine and retry the operation.
If you encounter an invalid vault credential error (for example, "Invalid vault credentials provided") the file
is either corrupted or does not have the latest credentials associated with the recovery service. Retry the
operation after downloading a new vault credential file from the portal. This error is typically seen if the
user clicks on the Download vault credential option in the Azure portal in quick succession. In this case,
only the second vault credential file is valid.
10. To control the usage of network bandwidth during work, and non-work hours, in the Throttling Setting
screen, you can set the bandwidth usage limits and define the work and non-work hours.
11. In the Recovery Folder Setting screen, browse for the folder where the files downloaded from Azure will
be temporarily staged.
12. In the Encryption setting screen, you can either generate a passphrase or provide a passphrase
(minimum of 16 characters). Remember to save the passphrase in a secure location.
WARNING
If the passphrase is lost or forgotten, Microsoft cannot help in recovering the backup data. The end user owns the
encryption passphrase and Microsoft does not have visibility into the passphrase used by the end user. Please save
the file in a secure location as it is required during a recovery operation.
13. Once you click the Register button, the machine is registered successfully to the vault and you are now ready
to start backing up to Microsoft Azure.
14. When using Data Protection Manager, you can modify the settings specified during the registration workflow
by clicking the Configure option by selecting Online under the Management Tab.
NOTE
From System Center 2012 DPM with SP1 onwards, you can back up workloads protected by DPM to Azure using
Microsoft Azure Backup.
Preparing to back up workloads to Azure with DPM
8/2/2017
This article provides an introduction to using Microsoft Azure Backup to protect your System Center Data
Protection Manager (DPM) servers and workloads. By reading it, you'll understand:
How Azure DPM server backup works
The prerequisites to achieve a smooth backup experience
The typical errors encountered and how to deal with them
Supported scenarios
System Center DPM backs up file and application data. Data backed up to DPM can be stored on tape, on disk, or
backed up to Azure with Microsoft Azure Backup. DPM interacts with Azure Backup as follows:
DPM deployed as a physical server or on-premises virtual machine - If DPM is deployed as a physical
server or as an on-premises Hyper-V virtual machine you can back up data to an Azure Backup vault in addition
to disk and tape backup.
DPM deployed as an Azure virtual machine - From System Center 2012 R2 with Update 3, DPM can be
deployed as an Azure virtual machine. If DPM is deployed as an Azure virtual machine you can back up data to
Azure disks attached to the DPM Azure virtual machine, or you can offload the data storage by backing it up to
an Azure Backup vault.
NOTE
For Linux virtual machines, only file-consistent backup is possible.
Prerequisites
Prepare Azure Backup to back up DPM data as follows:
1. Create a Backup vault. If you haven't created a Backup vault in your subscription, see the Azure portal
version of this article - Prepare to back up workloads to Azure with DPM.
IMPORTANT
Starting March 2017, you can no longer use the classic portal to create Backup vaults. You can now upgrade your
Backup vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to a Recovery Services
vault. Microsoft encourages you to upgrade your Backup vaults to Recovery Services vaults.
After October 15, 2017, you can't use PowerShell to create Backup vaults. By November 1, 2017:
All remaining Backup vaults will be automatically upgraded to Recovery Services vaults.
You won't be able to access your backup data in the classic portal. Instead, use the Azure portal to access your
backup data in Recovery Services vaults.
2. Download vault credentials - In Azure Backup, upload the management certificate you created to the
vault.
3. Install the Azure Backup Agent and register the server - From Azure Backup, install the agent on each
DPM server and register the DPM server in the backup vault.
4. The portal will generate a vault credential using a combination of the vault name and the current date. Click
Save to download the vault credentials to the local account's downloads folder, or select Save As from the Save
menu to specify a location for the vault credentials.
Note
Ensure that the vault credentials file is saved in a location which can be accessed from your machine. If it is stored
in a file share/SMB, check for the access permissions.
The vault credentials file is used only during the registration workflow.
The vault credentials file expires after 48hrs and can be downloaded from the portal.
Refer to the Azure Backup FAQ for any questions on the workflow.
3. On the Quick Start page, click the For Windows Server or System Center Data Protection Manager or
Windows client option under Download Agent. Click Save to copy it to the local machine.
4. Once the agent is downloaded, double click MARSAgentInstaller.exe to launch the installation of the Azure Backup
agent. Choose the installation folder and scratch folder required for the agent. The cache location specified
must have free space which is at least 5% of the backup data.
5. If you use a proxy server to connect to the internet, in the Proxy configuration screen, enter the proxy server
details. If you use an authenticated proxy, enter the user name and password details in this screen.
6. The Azure Backup agent installs .NET Framework 4.5 and Windows PowerShell (if it's not available already) to
complete the installation.
7. Once the agent is installed, click the Proceed to Registration button to continue with the workflow.
8. In the vault credentials screen, browse to and select the vault credentials file which was previously
downloaded.
The vault credentials file is valid only for 48 hrs (after it's downloaded from the portal). If you encounter any
error in this screen (e.g. "Vault credentials file provided has expired"), log in to the Azure portal and
download the vault credentials file again.
Ensure that the vault credentials file is available in a location which can be accessed by the setup application.
If you encounter access related errors, copy the vault credentials file to a temporary location in this machine
and retry the operation.
If you encounter an invalid vault credential error (e.g. "Invalid vault credentials provided") the file is either
corrupted or does not have the latest credentials associated with the recovery service. Retry the operation
after downloading a new vault credential file from the portal. This error is typically seen if the user clicks on
the Download vault credential option in the Azure portal in quick succession. In this case, only the
second vault credential file is valid.
9. In the Encryption setting screen, you can either generate a passphrase or provide a passphrase (minimum
of 16 characters). Remember to save the passphrase in a secure location.
WARNING
If the passphrase is lost or forgotten, Microsoft cannot help in recovering the backup data. The end user owns the
encryption passphrase and Microsoft does not have visibility into the passphrase used by the end user. Please save
the file in a secure location as it is required during a recovery operation.
10. Once you click the Finish button, the machine is registered successfully to the vault and you are now ready to
start backing up to Microsoft Azure.
11. When using Microsoft Azure Backup standalone, you can modify the settings specified during the
registration workflow by clicking the Change Properties option in the Azure Backup MMC snap-in.
Alternatively, when using Data Protection Manager, you can modify the settings specified during the
registration workflow by clicking the Configure option by selecting Online under the Management Tab.
NOTE
From System Center 2012 DPM with SP1 onwards, you can back up workloads protected by DPM to Azure using
Microsoft Azure Backup.
Back up an Exchange server to Azure Backup with
System Center 2012 R2 DPM
9/27/2017
This article describes how to configure a System Center 2012 R2 Data Protection Manager (DPM) server to back up
a Microsoft Exchange server to Azure Backup.
Updates
To successfully register the DPM server with Azure Backup, you must install the latest update rollup for System
Center 2012 R2 DPM and the latest version of the Azure Backup Agent. Get the latest update rollup from the
Microsoft Catalog.
NOTE
For the examples in this article, version 2.0.8719.0 of the Azure Backup Agent is installed, and Update Rollup 6 is installed on
System Center 2012 R2 DPM.
Prerequisites
Before you continue, make sure that all the prerequisites for using Microsoft Azure Backup to protect workloads
have been met. These prerequisites include the following:
A backup vault on the Azure site has been created.
Agent and vault credentials have been downloaded to the DPM server.
The agent is installed on the DPM server.
The vault credentials were used to register the DPM server.
If you are protecting Exchange 2016, please upgrade to DPM 2012 R2 UR9 or later
8. Click Next.
9. Select the database for Copy Backup, and then click Next.
NOTE
If you do not select Full backup for at least one DAG copy of a database, logs will not be truncated.
10. Configure the goals for Short-Term backup, and then click Next.
11. Review the available disk space, and then click Next.
12. Select the time at which the DPM server will create the initial replication, and then click Next.
13. Select the consistency check options, and then click Next.
14. Choose the database that you want to back up to Azure, and then click Next.
15. Define the schedule for Azure Backup, and then click Next.
NOTE
Online recovery points are based on express full recovery points. Therefore, you must schedule the online
recovery point after the time that's specified for the express full recovery point.
16. Configure the retention policy for Azure Backup, and then click Next.
17. Choose an online replication option and click Next.
If you have a large database, it could take a long time for the initial backup to be created over the network.
To avoid this issue, you can create an offline backup.
Next steps
Azure Backup FAQ
Recover data from Azure Backup Server
8/21/2017
You can use Azure Backup Server to recover the data you've backed up to a Recovery Services vault. The process
for doing so is integrated into the Azure Backup Server management console, and is similar to the recovery
workflow for other Azure Backup components.
NOTE
This article is applicable for System Center Data Protection Manager 2012 R2 with UR7 or later, combined with the latest
Azure Backup agent.
2. Download new vault credentials from the vault associated with the Azure Backup Server where the data
is being recovered, choose the Azure Backup Server from the list of Azure Backup Servers registered with
the Recovery Services vault, and provide the encryption passphrase associated with the server whose
data is being recovered.
NOTE
Only Azure Backup Servers associated with the same registration vault can recover each other's data.
Once the External Azure Backup Server is successfully added, you can browse the data of the external
server and the local Azure Backup Server from the Recovery tab.
3. Browse the available list of production servers protected by the external Azure Backup Server and select the
appropriate data source.
4. Select the month and year from the Recovery points drop down, select the required Recovery date for
when the recovery point was created, and select the Recovery time.
A list of files and folders appears in the bottom pane, which can be browsed and recovered to any location.
7. Select Recover to an alternate location. Browse to the correct location for the recovery.
8. Choose Create copy, Skip, or Overwrite.
Create copy - creates a copy of the file if there is a name collision.
Skip - if there is a name collision, does not recover the file, which leaves the original file in place.
Overwrite - if there is a name collision, overwrites the existing copy of the file.
Choose the appropriate option to Restore security. You can apply the security settings of the
destination computer where the data is being recovered or the security settings that were applicable
to the product at the time the recovery point was created.
Identify whether a Notification is sent, once the recovery successfully completes.
9. The Summary screen lists the options chosen so far. Once you click Recover, the data is recovered to the
appropriate on-premises location.
NOTE
The recovery job can be monitored in the Monitoring tab of the Azure Backup Server.
10. You can click Clear External DPM on the Recovery tab of the DPM server to remove the view of the
external DPM server.
1. Error message: This server is not registered to the vault specified by the vault credential.
Cause: This error appears when the vault credential file selected does not belong to the Recovery Services
vault associated with Azure Backup Server on which the recovery is attempted.
Resolution: Download the vault credential file from the Recovery Services vault to which the Azure Backup
Server is registered.
2. Error message: Either the recoverable data is not available or the selected server is not a DPM server.
Cause: There are no other Azure Backup Servers registered to the Recovery Services vault, or the servers have
not yet uploaded the metadata, or the selected server is not an Azure Backup Server (aka Windows Server or
Windows Client).
Resolution: If there are other Azure Backup Servers registered to the Recovery Services vault, ensure that the
latest Azure Backup agent is installed. If there are other Azure Backup Servers registered to the Recovery
Services vault, wait for a day after installation to start the recovery process. The nightly job will upload
the metadata for all the protected backups to cloud. The data will be available for recovery.
Next steps:
Azure Backup FAQ
Back up SQL Server to Azure as a DPM workload
6/27/2017
This article leads you through the configuration steps for backup of SQL Server databases using Azure Backup.
To back up SQL Server databases to Azure, you need an Azure account. If you don't have an account, you can
create a free trial account in just a couple of minutes. For details, see Azure Free Trial.
The management of SQL Server database backup to Azure and recovery from Azure involves three steps:
1. Create a backup policy to protect SQL Server databases to Azure.
2. Create on-demand backup copies to Azure.
3. Recover the database from Azure.
3. DPM shows the start screen with the guidance on creating a Protection Group. Click Next.
4. Select Servers.
5. Expand the SQL Server machine where the databases to be backed up are present. DPM shows various data
sources that can be backed up from that server. Expand the All SQL Shares and select the databases (in this
case we selected ReportServer$MSDPM2012 and ReportServer$MSDPM2012TempDB) to be backed up.
Click Next.
6. Provide a name for the protection group and select the I want online Protection checkbox.
7. In the Specify Short-Term Goals screen, include the necessary inputs to create backup points to disk.
Here we see that Retention range is set to 5 days, Synchronization frequency is set to once every 15
minutes which is the frequency at which backup is taken. Express Full Backup is set to 8:00 P.M.
NOTE
At 8:00 PM (according to the screen input) a backup point is created every day by transferring the data that has
been modified from the previous day's 8:00 PM backup point. This process is called Express Full Backup. While the
transaction logs are synchronized every 15 minutes, if there is a need to recover the database at 9:00 PM then the
point is created by replaying the logs from the last express full backup point (8:00 PM in this case).
8. Click Next
DPM shows the overall storage space available and the potential disk space utilization.
By default, DPM creates one volume per data source (SQL Server database) which is used for the initial
backup copy. Using this approach, the Logical Disk Manager (LDM) limits DPM protection to 300 data
sources (SQL Server databases). To work around this limitation, select the Co-locate data in DPM Storage
Pool option. If you use this option, DPM uses a single volume for multiple data sources, which allows DPM
to protect up to 2000 SQL databases.
If Automatically grow the volumes option is selected, DPM can account for the increased backup volume
as the production data grows. If Automatically grow the volumes option is not selected, DPM limits the
backup storage used to the data sources in the protection group.
9. Administrators are given the choice of transferring this initial backup manually (off network) to avoid
bandwidth congestion or over the network. They can also configure the time at which the initial transfer can
happen. Click Next.
The initial backup copy requires transfer of the entire data source (SQL Server database) from production
server (SQL Server machine) to the DPM server. This data might be large, and transferring the data over the
network could exceed bandwidth. For this reason, administrators can choose to transfer the initial backup:
Manually (using removable media) to avoid bandwidth congestion, or Automatically over the network
(at a specified time).
Once the initial backup is complete, the rest of the backups are incremental backups on the initial backup
copy. Incremental backups tend to be small and are easily transferred across the network.
10. Choose when you want the consistency check to run and click Next.
DPM can perform a consistency check to check the integrity of the backup point. It calculates the checksum
of the backup file on the production server (SQL Server machine in this scenario) and the backed-up data
for that file at DPM. In the case of a conflict, it is assumed that the backed-up file at DPM is corrupt. DPM
rectifies the backed-up data by sending the blocks corresponding to the checksum mismatch. As the
consistency check is a performance-intensive operation, administrators have the option of scheduling the
consistency check or running it automatically.
11. To specify online protection of the datasources, select the databases to be protected to Azure and click Next.
12. Administrators can choose backup schedules and retention policies that suit their organization policies.
In this example, backups are taken once a day at 12:00 PM and 8 PM (bottom part of the screen)
NOTE
It's a good practice to have a few short-term recovery points on disk, for quick recovery. These recovery points are
used for "operational recovery". Azure serves as a good offsite location with higher SLAs and guaranteed availability.
Best Practice: Make sure that Azure Backups are scheduled after the completion of local disk backups using
DPM. This enables the latest disk backup to be copied to Azure.
13. Choose the retention policy schedule. The details on how the retention policy works are provided in the
article Use Azure Backup to replace your tape infrastructure.
In this example:
Backups are taken once a day at 12:00 PM and 8 PM (bottom part of the screen) and are retained for 180
days.
The backup on Saturday at 12:00 P.M. is retained for 104 weeks
The backup on Last Saturday at 12:00 P.M. is retained for 60 months
The backup on Last Saturday of March at 12:00 P.M. is retained for 10 years
14. Click Next and select the appropriate option for transferring the initial backup copy to Azure. You can
choose Automatically over the network or Offline Backup.
Automatically over the network transfers the backup data to Azure as per the schedule chosen for
backup.
How Offline Backup works is explained at Offline Backup workflow in Azure Backup.
Choose the relevant transfer mechanism to send the initial backup copy to Azure and click Next.
15. Once you review the policy details in the Summary screen, click on the Create group button to complete
the workflow. You can click the Close button and monitor the job progress in Monitoring workspace.
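The retention rules listed in step 13, worked through as an added example (not part of the original article): the function returns the rule that governs a recovery point and the date it expires. The function names and sample timestamps are constructed, and the example assumes that the weekly, monthly and yearly rules apply only to the 12:00 PM backup, that times are local, and that the longest matching rule decides.

```powershell
# Added example: expiry of a recovery point under the retention rules in step 13.
# Assumptions (not stated in the article): the weekly, monthly and yearly rules
# apply only to the 12:00 PM backup, times are local, and the longest matching
# rule decides how long a point is kept.

function Get-RecoveryPointExpiry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [datetime] $BackupTime
    )

    # Daily rule: every backup point is retained for 180 days.
    $tier   = 'Daily'
    $expiry = $BackupTime.AddDays(180)

    $isNoon     = ($BackupTime.Hour -eq 12 -and $BackupTime.Minute -eq 0)
    $isSaturday = ($BackupTime.DayOfWeek -eq [System.DayOfWeek]::Saturday)

    if ($isNoon -and $isSaturday) {
        # Weekly rule: the Saturday 12:00 PM backup is retained for 104 weeks.
        $tier   = 'Weekly'
        $expiry = $BackupTime.AddDays(7 * 104)

        # "Last Saturday": the Saturday one week later falls in the next month.
        if ($BackupTime.AddDays(7).Month -ne $BackupTime.Month) {
            # Monthly rule: retained for 60 months.
            $tier   = 'Monthly'
            $expiry = $BackupTime.AddMonths(60)

            if ($BackupTime.Month -eq 3) {
                # Yearly rule: last Saturday of March is retained for 10 years.
                $tier   = 'Yearly'
                $expiry = $BackupTime.AddYears(10)
            }
        }
    }

    [pscustomobject]@{ BackupTime = $BackupTime; Tier = $tier; ExpiresOn = $expiry }
}

# True while the recovery point should still exist on the given date.
function Test-RecoveryPointRetained {
    param(
        [Parameter(Mandatory = $true)] [datetime] $BackupTime,
        [Parameter(Mandatory = $true)] [datetime] $AsOf
    )
    (Get-RecoveryPointExpiry -BackupTime $BackupTime).ExpiresOn -gt $AsOf
}

# Constructed sample timestamps covering each rule.
$samples = @(
    [datetime]'2017-03-22T20:00:00',   # weekday, 8 PM backup
    [datetime]'2017-03-18T12:00:00',   # Saturday noon, not the last of the month
    [datetime]'2017-04-29T12:00:00',   # last Saturday of April, noon
    [datetime]'2017-03-25T12:00:00',   # last Saturday of March, noon
    [datetime]'2017-03-25T20:00:00'    # same Saturday, 8 PM backup
)
$samples | ForEach-Object { Get-RecoveryPointExpiry -BackupTime $_ } | Format-Table -AutoSize
```

Comparing these expiry dates with the recovery points actually listed for a data source shows whether the configured policy matches what the organization's retention requirement expects.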
On-demand backup of a SQL Server database
While the previous steps created a backup policy, a recovery point is created only when the first backup occurs.
Rather than waiting for the scheduler to kick in, the steps below trigger the creation of a recovery point manually.
1. Wait until the protection group status shows OK for the database before creating the recovery point.
4. You can view the job progress in the Monitoring workspace where you'll find an in progress job like the
one depicted in the next figure.
3. DPM shows the details of the recovery point. Click Next. To overwrite the database, select the recovery type
Recover to original instance of SQL Server. Click Next.
In this example, DPM allows recovery of the database to another SQL Server instance or to a standalone
network folder.
4. In the Specify Recovery options screen, you can select the recovery options like Network bandwidth usage
throttling to throttle the bandwidth used by recovery. Click Next.
5. In the Summary screen, you see all the recovery configurations provided so far. Click Recover.
The Recovery status shows the database being recovered. You can click Close to close the wizard and view
the progress in the Monitoring workspace.
You back up a SharePoint farm to Microsoft Azure by using System Center Data Protection Manager (DPM) in
much the same way that you back up other data sources. Azure Backup provides flexibility in the backup schedule
to create daily, weekly, monthly, or yearly backup points and gives you retention policy options for various backup
points. DPM provides the capability to store local disk copies for quick recovery-time objectives (RTO) and to store
copies to Azure for economical, long-term retention.
NOTE
You'll need to rerun ConfigureSharePoint.exe whenever there's a change in the SharePoint farm administrator credentials.
3. On the Select Group Members screen, select the check box for the SharePoint server you want to protect
and click Next.
NOTE
With the DPM agent installed, you can see the server in the wizard. DPM also shows its structure. Because you ran
ConfigureSharePoint.exe, DPM communicates with the SharePoint VSS Writer service and its corresponding SQL
Server databases and recognizes the SharePoint farm structure, the associated content databases, and any
corresponding items.
4. On the Select Data Protection Method page, enter the name of the Protection Group, and select your
preferred protection methods. Click Next.
NOTE
The disk protection method helps to meet short recovery-time objectives. Azure is an economical, long-term
protection target compared to tapes. For more information, see Use Azure Backup to replace your tape infrastructure
5. On the Specify Short-Term Goals page, select your preferred Retention range and identify when you
want backups to occur.
NOTE
Because recovery is most often required for data that's less than five days old, we selected a retention range of five
days on disk and ensured that the backup happens during non-production hours, for this example.
6. Review the storage pool disk space allocated for the protection group, and then click Next.
7. For every protection group, DPM allocates disk space to store and manage replicas. At this point, DPM must
create a copy of the selected data. Select how and when you want the replica created, and then click Next.
NOTE
To make sure that network traffic is not affected, select a time outside production hours.
8. DPM ensures data integrity by performing consistency checks on the replica. There are two available
options. You can define a schedule to run consistency checks, or DPM can run consistency checks
automatically on the replica whenever it becomes inconsistent. Select your preferred option, and then click
Next.
9. On the Specify Online Protection Data page, select the SharePoint farm that you want to protect, and
then click Next.
10. On the Specify Online Backup Schedule page, select your preferred schedule, and then click Next.
NOTE
DPM provides a maximum of two daily backups to Azure at different times. Azure Backup can also control the
amount of WAN bandwidth that can be used for backups in peak and off-peak hours by using Azure Backup
Network Throttling.
11. Depending on the backup schedule that you selected, on the Specify Online Retention Policy page, select
the retention policy for daily, weekly, monthly, and yearly backup points.
NOTE
DPM uses a grandfather-father-son retention scheme in which a different retention policy can be chosen for different
backup points.
12. Similar to disk, an initial reference point replica needs to be created in Azure. Select your preferred option to
create an initial backup copy to Azure, and then click Next.
13. Review your selected settings on the Summary page, and then click Create Group. You will see a success
message after the protection group has been created.
Restore a SharePoint item from disk by using DPM
In the following example, the Recovering SharePoint item has been accidentally deleted and needs to be recovered.
1. Open the DPM Administrator Console. All SharePoint farms that are protected by DPM are shown in the
Protection tab.
2. To begin to recover the item, select the Recovery tab.
3. You can search SharePoint for Recovering SharePoint item by using a wildcard-based search within a
recovery point range.
4. Select the appropriate recovery point from the search results, right-click the item, and then select Recover.
5. You can also browse through various recovery points and select a database or item to recover. Select Date
> Recovery time, and then select the correct Database > SharePoint farm > Recovery point > Item.
6. Right-click the item, and then select Recover to open the Recovery Wizard. Click Next.
7. Select the type of recovery that you want to perform, and then click Next.
NOTE
The selection of Recover to original in the example recovers the item to the original SharePoint site.
9. Provide a staging SQL Server instance location to recover the database temporarily, and provide a staging
file share on the DPM server and the server that's running SharePoint to recover the item.
DPM attaches the content database that is hosting the SharePoint item to the temporary SQL Server
instance. From the content database, the DPM server recovers the item and puts it on the staging file
location on the DPM server. The recovered item that's on the staging location of the DPM server now needs
to be exported to the staging location on the SharePoint farm.
10. Select Specify recovery options, and apply security settings to the SharePoint farm or apply the security
settings of the recovery point. Click Next.
NOTE
You can choose to throttle the network bandwidth usage. This minimizes impact to the production server during
production hours.
11. Review the summary information, and then click Recover to begin recovery of the file.
12. Now select the Monitoring tab in the DPM Administrator Console to view the Status of the recovery.
NOTE
The file is now restored. You can refresh the SharePoint site to check the restored file.
Restore a SharePoint database from Azure by using DPM
1. To recover a SharePoint content database, browse through various recovery points (as shown previously),
and select the recovery point that you want to restore.
2. Double-click the SharePoint recovery point to show the available SharePoint catalog information.
NOTE
Because the SharePoint farm is protected for long-term retention in Azure, no catalog information (metadata) is
available on the DPM server. As a result, whenever a point-in-time SharePoint content database needs to be
recovered, you need to catalog the SharePoint farm again.
3. Click Re-catalog.
4. Click the SharePoint object shown in the DPM Recovery tab to get the content database structure. Right-
click the item, and then click Recover.
5. At this point, follow the recovery steps earlier in this article to recover a SharePoint content database from disk.
FAQs
Q: Which versions of DPM support SQL Server 2014 and SQL 2012 (SP2)?
A: DPM 2012 R2 with Update Rollup 4 supports both.
Q: Can I recover a SharePoint item to the original location if SharePoint is configured by using SQL AlwaysOn (with
protection on disk)?
A: Yes, the item can be recovered to the original SharePoint site.
Q: Can I recover a SharePoint database to the original location if SharePoint is configured by using SQL AlwaysOn?
A: Because SharePoint databases are configured in SQL AlwaysOn, they cannot be modified unless the availability
group is removed. As a result, DPM cannot restore a database to the original location. You can recover a SQL
Server database to another SQL Server instance.
Next steps
Learn more about DPM Protection of SharePoint - see Video Series - DPM Protection of SharePoint
Review Release Notes for System Center 2012 - Data Protection Manager
Review Release Notes for Data Protection Manager in System Center 2012 SP1
Use AzureRM.RecoveryServices.Backup cmdlets to
back up virtual machines
10/13/2017
This article shows you how to use Azure PowerShell cmdlets to back up and recover an Azure virtual machine
(VM) from a Recovery Services vault. A Recovery Services vault is an Azure Resource Manager resource and is
used to protect data and assets in both Azure Backup and Azure Site Recovery services. You can use a Recovery
Services vault to protect Azure Service Manager-deployed VMs, and Azure Resource Manager-deployed VMs.
NOTE
Azure has two deployment models for creating and working with resources: Resource Manager and Classic. This article is for
use with VMs created using the Resource Manager model.
This article walks you through using PowerShell to protect a VM, and restore data from a recovery point.
Concepts
If you are not familiar with the Azure Backup service, for an overview of the service, check out What is Azure
Backup? Before you start, ensure that you cover the essentials about the prerequisites needed to work with Azure
Backup, and the limitations of the current VM backup solution.
To use PowerShell effectively, it is necessary to understand the hierarchy of objects and from where to start.
To view the AzureRm.RecoveryServices.Backup PowerShell cmdlet reference, see the Azure Backup - Recovery
Services Cmdlets in the Azure library.
2. The Recovery Services vault is a Resource Manager resource, so you need to place it within a resource
group. You can use an existing resource group, or create a resource group with the New-
AzureRmResourceGroup cmdlet. When creating a resource group, specify the name and location for the
resource group.
3. Use the New-AzureRmRecoveryServicesVault cmdlet to create the Recovery Services vault. Be sure to
specify the same location for the vault as was used for the resource group.
4. Specify the type of storage redundancy to use; you can use Locally Redundant Storage (LRS) or Geo
Redundant Storage (GRS). The following example shows the -BackupStorageRedundancy option for
testvault is set to GeoRedundant.
TIP
Many Azure Backup cmdlets require the Recovery Services vault object as an input. For this reason, it is convenient
to store the Backup Recovery Services vault object in a variable.
PS C:\> Get-AzureRmRecoveryServicesVault
Name : Contoso-vault
ID : /subscriptions/1234
Type : Microsoft.RecoveryServices/vaults
Location : WestUS
ResourceGroupName : Contoso-docs-rg
SubscriptionId : 1234-567f-8910-abc
Properties : Microsoft.Azure.Commands.RecoveryServices.ARSVaultProperties
NOTE
The timezone of the BackupTime field in PowerShell is UTC. However, when the backup time is shown in the Azure portal,
the time is adjusted to your local timezone.
A backup protection policy is associated with at least one retention policy. Retention policy defines how long a
recovery point is kept before it is deleted. Use Get-AzureRmRecoveryServicesBackupRetentionPolicyObject
to view the default retention policy. Similarly you can use Get-
AzureRmRecoveryServicesBackupSchedulePolicyObject to obtain the default schedule policy. The New-
AzureRmRecoveryServicesBackupProtectionPolicy cmdlet creates a PowerShell object that holds backup
policy information. The schedule and retention policy objects are used as inputs to the New-
AzureRmRecoveryServicesBackupProtectionPolicy cmdlet. The following example stores the schedule policy
and the retention policy in variables. The example uses those variables to define the parameters when creating a
protection policy, NewPolicy.
Enable protection
Once you have defined the backup protection policy, you still must enable the policy for an item. Use Enable-
AzureRmRecoveryServicesBackupProtection to enable protection. Enabling protection requires two objects -
the item and the policy. Once the policy has been associated with the vault, the backup workflow is triggered at
the time defined in the policy schedule.
The following example enables protection for the item, V2VM, using the policy, NewPolicy. To enable the
protection on non-encrypted Resource Manager VMs
To enable the protection on encrypted VMs (encrypted using BEK and KEK), you need to give the Azure Backup
service permission to read keys and secrets from key vault.
PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName "KeyVaultName" -ResourceGroupName "RGNameOfKeyVault" -PermissionsToKeys backup,get,list -PermissionsToSecrets get,list -ServicePrincipalName 262044b1-e2ce-469f-a196-69ab7ada62d3
PS C:\> $pol=Get-AzureRmRecoveryServicesBackupProtectionPolicy -Name "NewPolicy"
PS C:\> Enable-AzureRmRecoveryServicesBackupProtection -Policy $pol -Name "V2VM" -ResourceGroupName "RGName1"
To enable the protection on encrypted VMs (encrypted using BEK only), you need to give the Azure Backup service
permission to read secrets from key vault.
NOTE
If you are using the Azure Government cloud, then use the value ff281ffe-705c-4f53-9f37-a40e6f2c68f3 for the parameter
-ServicePrincipalName in Set-AzureRmKeyVaultAccessPolicy cmdlet.
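A least-privilege check for the access policy granted above, as an added example (not part of the original article): it compares the key and secret permissions held by the Azure Backup service principal with the sets this article grants for BEK and KEK encrypted VMs. Test-BackupKeyVaultPolicy, its parameters and the sample entries are hypothetical and constructed; the example assumes that on a live vault the entries come from the AccessPolicies property of the object returned by Get-AzureRmKeyVault, and that the object ID is looked up with Get-AzureRmADServicePrincipal.

```powershell
# Added example: least-privilege audit of the Key Vault access policy held by the
# Azure Backup service principal. Function name and sample data are hypothetical.

function Test-BackupKeyVaultPolicy {
    [CmdletBinding()]
    param(
        # Access-policy entries; each needs ObjectId, PermissionsToKeys, PermissionsToSecrets.
        [Parameter(Mandatory = $true)] [AllowEmptyCollection()] [object[]] $AccessPolicy,
        # Directory object ID of the Azure Backup service principal in this tenant.
        [Parameter(Mandatory = $true)] [string] $BackupObjectId,
        # Defaults are the sets the article grants for BEK and KEK encrypted VMs.
        [string[]] $ExpectedKeys    = @('backup', 'get', 'list'),
        [string[]] $ExpectedSecrets = @('get', 'list')
    )

    $entries = @($AccessPolicy | Where-Object { "$($_.ObjectId)" -eq $BackupObjectId })
    if ($entries.Count -eq 0) {
        # The service has no entry at all: backup of encrypted VMs cannot read the keys.
        return [pscustomobject]@{
            Status         = 'NoPolicy'
            MissingKeys    = $ExpectedKeys
            MissingSecrets = $ExpectedSecrets
            ExcessKeys     = @()
            ExcessSecrets  = @()
        }
    }

    # Flatten and de-duplicate what is granted; -notcontains compares case-insensitively.
    $keys    = @($entries | ForEach-Object { $_.PermissionsToKeys }    | Where-Object { $_ } | Sort-Object -Unique)
    $secrets = @($entries | ForEach-Object { $_.PermissionsToSecrets } | Where-Object { $_ } | Sort-Object -Unique)

    $missingKeys    = @($ExpectedKeys    | Where-Object { $keys    -notcontains $_ })
    $missingSecrets = @($ExpectedSecrets | Where-Object { $secrets -notcontains $_ })
    # Anything beyond the expected set, including a blanket 'all', is reported as excess.
    $excessKeys     = @($keys    | Where-Object { $ExpectedKeys    -notcontains $_ })
    $excessSecrets  = @($secrets | Where-Object { $ExpectedSecrets -notcontains $_ })

    $status = 'Ok'
    if (($missingKeys.Count + $missingSecrets.Count) -gt 0) { $status = 'Insufficient' }
    # Over-privilege takes precedence in the status; the Missing* fields still list gaps.
    if (($excessKeys.Count + $excessSecrets.Count) -gt 0)   { $status = 'OverPrivileged' }

    [pscustomobject]@{
        Status         = $status
        MissingKeys    = $missingKeys
        MissingSecrets = $missingSecrets
        ExcessKeys     = $excessKeys
        ExcessSecrets  = $excessSecrets
    }
}

# Constructed sample entries (placeholder object ID, not a real principal).
$backupId = '00000000-0000-0000-0000-0000000000aa'
$tight = @([pscustomobject]@{
    ObjectId = $backupId
    PermissionsToKeys = @('backup', 'get', 'list'); PermissionsToSecrets = @('get', 'list')
})
$loose = @([pscustomobject]@{
    ObjectId = $backupId
    PermissionsToKeys = @('Get', 'List', 'Backup', 'Delete'); PermissionsToSecrets = @('all')
})

Test-BackupKeyVaultPolicy -AccessPolicy $tight -BackupObjectId $backupId
Test-BackupKeyVaultPolicy -AccessPolicy $loose -BackupObjectId $backupId
Test-BackupKeyVaultPolicy -AccessPolicy @()    -BackupObjectId $backupId
```

For VMs encrypted with BEK only, pass the secret permissions you granted and an empty key set through -ExpectedSecrets and -ExpectedKeys.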
Trigger a backup
You can use Backup-AzureRmRecoveryServicesBackupItem to trigger a backup job. If it is the initial backup, it
is a full backup. Subsequent backups take an incremental copy. Be sure to use Set-
AzureRmRecoveryServicesVaultContext to set the vault context before triggering the backup job. The
following example assumes vault context was set.
Instead of polling these jobs for completion - which is unnecessary additional code - use the Wait-
AzureRmRecoveryServicesBackupJob cmdlet. This cmdlet pauses the execution until either the job completes
or the specified timeout value is reached.
Restore an Azure VM
There is a key difference between restoring a VM using the Azure portal and restoring a VM using PowerShell.
With PowerShell, the restore operation is complete once the disks and configuration information from the
recovery point are created.
NOTE
The restore operation does not create a virtual machine.
To create a virtual machine from disk, see the section, Create the VM from stored disks. The basic steps to restore
an Azure VM are:
Select the VM
Choose a recovery point
Restore the disks
Create the VM from stored disks
The following graphic shows the object hierarchy from the RecoveryServicesVault down to the
BackupRecoveryPoint.
To restore backup data, identify the backed-up item and the recovery point that holds the point-in-time data. Use
the Restore-AzureRmRecoveryServicesBackupItem cmdlet to restore data from the vault to the customer's
account.
Select the VM
To get the PowerShell object that identifies the right backup item, start from the container in the vault, and work
your way down the object hierarchy. To select the container that represents the VM, use the Get-
AzureRmRecoveryServicesBackupContainer cmdlet and pipe that to the Get-
AzureRmRecoveryServicesBackupItem cmdlet.
Use the Wait-AzureRmRecoveryServicesBackupJob cmdlet to wait for the Restore job to complete.
Once the Restore job has completed, use the Get-AzureRmRecoveryServicesBackupJobDetails cmdlet to get
the details of the restore operation. The JobDetails property has the information needed to rebuild the VM.
Once you restore the disks, go to the next section to create the VM.
NOTE
To create encrypted VMs from restored disks, your Azure role must have permission to perform the action,
Microsoft.KeyVault/vaults/deploy/action. If your role does not have this permission, create a custom role with this
action. For more information, see Custom Roles in Azure RBAC.
2. Set the Azure storage context and restore the JSON configuration file.
4. Attach the OS disk and data disks. Depending on the configuration of your VMs, refer to the relevant
section to view respective cmdlets:
Non-managed, non-encrypted VMs
Use the following sample for non-managed, non-encrypted VMs.
# Unmanaged (VHD) disks; the OS disk is attached with a disk encryption key only (-DiskEncryptionKeyUrl).
PS C:\> $dekUrl = "https://ContosoKeyVault.vault.azure.net:443/secrets/ContosoSecret007/xx000000xx0849999f3xx30000003163"
PS C:\> $keyVaultId = "/subscriptions/abcdedf007-4xyz-1a2b-0000-12a2b345675c/resourceGroups/ContosoRG108/providers/Microsoft.KeyVault/vaults/ContosoKeyVault"
PS C:\> Set-AzureRmVMOSDisk -VM $vm -Name "osdisk" -VhdUri $obj.'properties.storageProfile'.osDisk.vhd.uri -DiskEncryptionKeyUrl $dekUrl -DiskEncryptionKeyVaultId $keyVaultId -CreateOption "Attach" -Windows
PS C:\> $vm.StorageProfile.OsDisk.OsType = $obj.'properties.storageProfile'.osDisk.osType
PS C:\> foreach($dd in $obj.'properties.storageProfile'.dataDisks)
{
$vm = Add-AzureRmVMDataDisk -VM $vm -Name "datadisk1" -VhdUri $dd.vhd.Uri -DiskSizeInGB 127 -Lun $dd.Lun -CreateOption "Attach"
}
# Unmanaged (VHD) disks; the OS disk is attached with both a disk encryption key and a key encryption key (-KeyEncryptionKeyUrl).
PS C:\> $dekUrl = "https://ContosoKeyVault.vault.azure.net:443/secrets/ContosoSecret007/xx000000xx0849999f3xx30000003163"
PS C:\> $kekUrl = "https://ContosoKeyVault.vault.azure.net:443/keys/ContosoKey007/x9xxx00000x0000x9b9949999xx0x006"
PS C:\> $keyVaultId = "/subscriptions/abcdedf007-4xyz-1a2b-0000-12a2b345675c/resourceGroups/ContosoRG108/providers/Microsoft.KeyVault/vaults/ContosoKeyVault"
PS C:\> Set-AzureRmVMOSDisk -VM $vm -Name "osdisk" -VhdUri $obj.'properties.storageProfile'.osDisk.vhd.uri -DiskEncryptionKeyUrl $dekUrl -DiskEncryptionKeyVaultId $keyVaultId -KeyEncryptionKeyUrl $kekUrl -KeyEncryptionKeyVaultId $keyVaultId -CreateOption "Attach" -Windows
PS C:\> $vm.StorageProfile.OsDisk.OsType = $obj.'properties.storageProfile'.osDisk.osType
PS C:\> foreach($dd in $obj.'properties.storageProfile'.dataDisks)
{
$vm = Add-AzureRmVMDataDisk -VM $vm -Name "datadisk1" -VhdUri $dd.vhd.Uri -DiskSizeInGB 127 -Lun $dd.Lun -CreateOption "Attach"
}
PS C:\> $dekUrl =
"https://ContosoKeyVault.vault.azure.net:443/secrets/ContosoSecret007/xx000000xx0849999f3xx30000003163
"
PS C:\> $keyVaultId = "/subscriptions/abcdedf007-4xyz-1a2b-0000-
12a2b345675c/resourceGroups/ContosoRG108/providers/Microsoft.KeyVault/vaults/ContosoKeyVault"
PS C:\> $storageType = "StandardLRS"
PS C:\> $osDiskName = $vm.Name + "_osdisk"
PS C:\> $osVhdUri = $obj.'properties.storageProfile'.osDisk.vhd.uri
PS C:\> $diskConfig = New-AzureRmDiskConfig -AccountType $storageType -Location "West US" -CreateOption Import -SourceUri $osVhdUri
PS C:\> $osDisk = New-AzureRmDisk -DiskName $osDiskName -Disk $diskConfig -ResourceGroupName "test"
PS C:\> Set-AzureRmVMOSDisk -VM $vm -ManagedDiskId $osDisk.Id -DiskEncryptionKeyUrl $dekUrl -DiskEncryptionKeyVaultId $keyVaultId -CreateOption "Attach" -Windows
PS C:\> foreach($dd in $obj.'properties.storageProfile'.dataDisks)
{
$dataDiskName = $vm.Name + $dd.name ;
$dataVhdUri = $dd.vhd.uri ;
$dataDiskConfig = New-AzureRmDiskConfig -AccountType $storageType -Location "West US" -CreateOption Import -SourceUri $dataVhdUri ;
$dataDisk2 = New-AzureRmDisk -DiskName $dataDiskName -Disk $dataDiskConfig -ResourceGroupName "test" ;
Add-AzureRmVMDataDisk -VM $vm -Name $dataDiskName -ManagedDiskId $dataDisk2.Id -Lun $dd.Lun -CreateOption "Attach"
}
PS C:\> $nicName="p1234"
PS C:\> $pip = New-AzureRmPublicIpAddress -Name $nicName -ResourceGroupName "test" -Location "WestUS" -AllocationMethod Dynamic
PS C:\> $vnet = Get-AzureRmVirtualNetwork -Name "testvNET" -ResourceGroupName "test"
PS C:\> $nic = New-AzureRmNetworkInterface -Name $nicName -ResourceGroupName "test" -Location "WestUS" -SubnetId $vnet.Subnets[$subnetindex].Id -PublicIpAddressId $pip.Id
PS C:\> $vm=Add-AzureRmVMNetworkInterface -VM $vm -Id $nic.Id
Next steps
If you prefer to use PowerShell to engage with your Azure resources, see the PowerShell article, Deploy and
Manage Backup for Windows Server. If you manage DPM backups, see the article, Deploy and Manage Backup for
DPM. Both of these articles have a version for Resource Manager deployments and Classic deployments.
Use AzureRM.Backup cmdlets to back up virtual machines
8/2/2017 10 min to read
This article shows you how to use Azure PowerShell for backup and recovery of Azure VMs. Azure has two
different deployment models for creating and working with resources: Resource Manager and Classic. This article
covers using the Classic deployment model to back up data to a Backup vault. If you have not created a Backup
vault in your subscription, see the Resource Manager version of this article, Use AzureRM.RecoveryServices.Backup
cmdlets to back up virtual machines. Microsoft recommends that most new deployments use the Resource
Manager model.
IMPORTANT
You can now upgrade your Backup vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to a
Recovery Services vault. Microsoft encourages you to upgrade your Backup vaults to Recovery Services vaults.
After October 15, 2017, you can't use PowerShell to create Backup vaults. By November 1, 2017:
All remaining Backup vaults will be automatically upgraded to Recovery Services vaults.
You won't be able to access your backup data in the classic portal. Instead, use the Azure portal to access your backup
data in Recovery Services vaults.
Concepts
This article provides information specific to the PowerShell cmdlets used to back up virtual machines. For
introductory information about protecting Azure VMs, please see Plan your VM backup infrastructure in Azure.
NOTE
Before you start, read the prerequisites required to work with Azure Backup, and the limitations of the current VM backup
solution.
To use PowerShell effectively, take a moment to understand the hierarchy of objects and from where to start.
The two most important flows are enabling protection for a VM, and restoring data from a recovery point. The
focus of this article is to help you become adept at working with the PowerShell cmdlets to enable these two
scenarios.
The following setup and registration tasks can be automated with PowerShell:
Create a backup vault
Registering the VMs with the Azure Backup service
Create a backup vault
WARNING
For customers using Azure Backup for the first time, you need to register the Azure Backup provider to be used with your
subscription. This can be done by running the following command: Register-AzureRmResourceProvider -ProviderNamespace
"Microsoft.Backup"
You can create a new backup vault using the New-AzureRmBackupVault cmdlet. The backup vault is an ARM
resource, so you need to place it within a Resource Group. In an elevated Azure PowerShell console, run the
following commands:
You can get a list of all the backup vaults in a given subscription using the Get-AzureRmBackupVault cmdlet.
NOTE
It is convenient to store the backup vault object into a variable. The vault object is needed as an input for many Azure
Backup cmdlets.
A backup policy is associated with at least one retention policy. The retention policy defines how long a recovery
point is kept with Azure Backup. The New-AzureRmBackupRetentionPolicy cmdlet creates PowerShell objects
that hold retention policy information. These retention policy objects are used as inputs to the
New-AzureRmBackupProtectionPolicy cmdlet, or directly with the Enable-AzureRmBackupProtection cmdlet.
A backup policy defines when and how often the backup of an item is done. The
New-AzureRmBackupProtectionPolicy cmdlet creates a PowerShell object that holds backup policy information. The
backup policy is used as an input to the Enable-AzureRmBackupProtection cmdlet.
Enable protection
Enabling protection involves two objects - the Item and the Policy, and both need to belong to the same vault. Once
the policy has been associated with the item, the backup workflow will kick in at the defined schedule.
Initial backup
The backup schedule will take care of doing the full initial copy for the item and the incremental copy for the
subsequent backups. However, if you want to force the initial backup to happen at a certain time or even
immediately then use the Backup-AzureRmBackupItem cmdlet:
NOTE
The timezone of the StartTime and EndTime fields shown in PowerShell is UTC. However, when the similar information is
shown in the Azure portal, the timezone is aligned to your local system clock.
Instead of polling these jobs for completion - which is unnecessary, additional code - it is simpler to use the
Wait-AzureRmBackupJob cmdlet. When used in a script, the cmdlet will pause the execution until either the job
completes or the specified timeout value is reached.
Restore an Azure VM
In order to restore backup data, you need to identify the backed-up Item and the Recovery Point that holds the
point-in-time data. This information is supplied to the Restore-AzureRmBackupItem cmdlet to initiate a restore of
data from the vault to the customer's account.
Select the VM
To get the PowerShell object that identifies the right backup Item, you need to start from the Container in the vault,
and work your way down the object hierarchy. To select the container that represents the VM, use the
Get-AzureRmBackupContainer cmdlet and pipe that to the Get-AzureRmBackupItem cmdlet.
PS C:\> $backupitem = Get-AzureRmBackupContainer -Vault $backupvault -Type AzureVM -name "testvm" | Get-AzureRmBackupItem
The variable $rp is an array of recovery points for the selected backup item, sorted in reverse order of time - the
latest recovery point is at index 0. Use standard PowerShell array indexing to pick the recovery point. For example:
$rp[0] will select the latest recovery point.
Restoring disks
There is a key difference between the restore operations done through the Azure portal and through Azure
PowerShell. With PowerShell, the restore operation stops at restoring the disks and config information from the
recovery point. It does not create a virtual machine.
WARNING
The Restore-AzureRmBackupItem does not create a VM. It only restores the disks to the specified storage account. This is
not the same behavior you will experience in the Azure portal.
PS C:\> $restorejob = Restore-AzureRmBackupItem -StorageAccountName "DestAccount" -RecoveryPoint $rp[0]
PS C:\> $restorejob
You can get the details of the restore operation using the Get-AzureRmBackupJobDetails cmdlet once the
Restore job has completed. The ErrorDetails property will have the information needed to rebuild the VM.
Build the VM
Building the VM out of the restored disks can be done using the older Azure Service Management PowerShell
cmdlets, the new Azure Resource Manager templates, or even using the Azure portal. In a quick example, we will
show how to get there using the Azure Service Management cmdlets.
$properties = $details.Properties
$destination_path = "C:\Users\admin\Desktop\vmconfig.xml"
Get-AzureStorageBlobContent -Container $containerName -Blob $blobName -Destination $destination_path -Context $storageContext
For more information on how to build a VM from the restored disks, read about the following cmdlets:
Add-AzureDisk
New-AzureVMConfig
New-AzureVM
Code samples
1. Get the completion status of job sub-tasks
To track the completion status of individual sub-tasks, you can use the Get-AzureRmBackupJobDetails cmdlet:
Name Status
---- ------
Take Snapshot Completed
Transfer data to Backup vault InProgress
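param(
    [Parameter(Mandatory=$True,Position=1)]
    [string]$backupvaultname,
    [Parameter(Mandatory=$False,Position=2)]
    [int]$numberofdays = 7)
#Initialize variables
$DAILYBACKUPSTATS = @()
$backupvault = Get-AzureRmBackupVault -Name $backupvaultname
$enddate = ([datetime]::Today).AddDays(1)
$startdate = ([datetime]::Today)
#Walk back one day at a time and collect that day's jobs
for ($i = 1; $i -le $numberofdays; $i++)
{
    $DAILYBACKUPSTATS += Get-AzureRmBackupJob -Vault $backupvault -From $startdate -To $enddate
    $enddate = $enddate.AddDays(-1)
    $startdate = $startdate.AddDays(-1)
}
$DAILYBACKUPSTATS | Out-GridView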
If you want to add charting capabilities to this report output, learn from the TechNet blog post Charting with
PowerShell
Next steps
If you prefer using PowerShell to engage with your Azure resources, check out the PowerShell article for protecting
Windows Server, Deploy and Manage Backup for Windows Server. There is also a PowerShell article for managing
DPM backups, Deploy and Manage Backup for DPM. Both of these articles have a version for Resource Manager
deployments as well as Classic deployments.
Deploy and manage backup to Azure for Data Protection Manager (DPM) servers using PowerShell
9/29/2017 14 min to read
This article shows you how to use PowerShell to setup Azure Backup on a DPM server, and to manage backup and
recovery.
Before you can use PowerShell to manage backups from Data Protection Manager to Azure, you need to have the
right environment in PowerShell. At the start of the PowerShell session, ensure that you run the following
command to import the right modules and allow you to correctly reference the DPM cmdlets:
The following setup and registration tasks can be automated with PowerShell:
Create a Recovery Services vault
Installing the Azure Backup agent
Registering with the Azure Backup service
Networking settings
Encryption settings
2. The Recovery Services vault is an ARM resource, so you need to place it within a Resource Group. You can
use an existing resource group, or create a new one. When creating a new resource group, specify the name
and location for the resource group.
3. Use the New-AzureRmRecoveryServicesVault cmdlet to create a new vault. Be sure to specify the same
location for the vault as was used for the resource group.
4. Specify the type of storage redundancy to use; you can use Locally Redundant Storage (LRS) or Geo
Redundant Storage (GRS). The following example shows the -BackupStorageRedundancy option for
testVault is set to GeoRedundant.
TIP
Many Azure Backup cmdlets require the Recovery Services vault object as an input. For this reason, it is convenient
to store the Backup Recovery Services vault object in a variable.
PS C:\> Get-AzureRmRecoveryServicesVault
Name : Contoso-vault
ID : /subscriptions/1234
Type : Microsoft.RecoveryServices/vaults
Location : WestUS
ResourceGroupName : Contoso-docs-rg
SubscriptionId : 1234-567f-8910-abc
Properties : Microsoft.Azure.Commands.RecoveryServices.ARSVaultProperties
PS C:\> MARSAgentInstaller.exe /q
This installs the agent with all the default options. The installation takes a few minutes in the background. If you do
not specify the /nu option the Windows Update window opens at the end of the installation to check for any
updates.
The agent shows up in the list of installed programs. To see the list of installed programs, go to Control Panel >
Programs > Programs and Features.
Installation options
To see all the options available via the commandline, use the following command:
PS C:\> MARSAgentInstaller.exe /?
/q Quiet installation. Default: -
/p:"location" Path to the installation folder for the Azure Backup agent. Default: C:\Program Files\Microsoft Azure Recovery Services Agent
/s:"location" Path to the cache folder for the Azure Backup agent. Default: C:\Program Files\Microsoft Azure Recovery Services Agent\Scratch
On the DPM server, run the Start-OBRegistration cmdlet to register the machine with the vault.
All modifications are made to this local PowerShell object $setting and then the full object is committed to DPM
and Azure Backup to save them using the Set-DPMCloudSubscriptionSetting cmdlet. You need to use the Commit
flag to ensure that the changes are persisted. The settings will not be applied and used by Azure Backup unless
committed.
Networking
If the connectivity of the DPM machine to the Azure Backup service on the internet is through a proxy server, then
the proxy server settings should be provided for successful backups. This is done by using the -ProxyServer,
-ProxyPort, -ProxyUsername and -ProxyPassword parameters with the Set-DPMCloudSubscriptionSetting
cmdlet. In this example, there is no proxy server so we are explicitly clearing any proxy-related information.
Bandwidth usage can also be controlled with options of -WorkHourBandwidth and -NonWorkHourBandwidth for a
given set of days of the week. In this example, we are not setting any throttling.
PS C:\> Set-DPMCloudSubscriptionSetting -DPMServerName "TestingServer" -SubscriptionSetting $setting -NoThrottle
In the example above, the staging area will be set to C:\StagingArea in the PowerShell object $setting . Ensure
that the specified folder already exists, or else the final commit of the subscription settings will fail.
Encryption settings
The backup data sent to Azure Backup is encrypted to protect the confidentiality of the data. The encryption
passphrase is the "password" to decrypt the data at the time of restore. It is important to keep this information safe
and secure once it is set.
In the example below, the first command converts the string passphrase123456789 to a secure string and assigns
the secure string to the variable named $Passphrase. The second command sets the secure string in $Passphrase
as the password for encrypting backups.
IMPORTANT
Keep the passphrase information safe and secure once it is set. You will not be able to restore data from Azure without this
passphrase.
At this point, you should have made all the required changes to the $setting object. Remember to commit the
changes.
The above cmdlet will create a Protection Group named ProtectGroup01. An existing protection group can also be
modified later to add backup to the Azure cloud. However, to make any changes to the Protection Group - new or
existing - we need to get a handle on a modifiable object using the Get-DPMModifiableProtectionGroup cmdlet.
Now fetch the list of datasources on $server using the Get-DPMDatasource cmdlet. In this example we are
filtering for the volume D:\ that we want to configure for backup. This datasource is then added to the Protection
Group using the Add-DPMChildDatasource cmdlet. Remember to use the modifiable protection group object
$MPG to make the additions.
PS C:\> $DS = Get-Datasource -ProductionServer $server -Inquire | where { $_.Name -contains "D:\" }
Repeat this step as many times as required, until you have added all the chosen datasources to the protection
group. You can also start with just one datasource, and complete the workflow for creating the Protection Group,
and at a later point add more datasources to the Protection Group.
Selecting the data protection method
Once the datasources have been added to the Protection Group, the next step is to specify the protection method
using the Set-DPMProtectionType cmdlet. In this example, the Protection Group is set up for local disk and cloud
backup. You also need to specify the datasource that you want to protect to cloud using the
Add-DPMChildDatasource cmdlet with the -Online flag.
For backups going to Azure (DPM refers to them as Online backups) the retention ranges can be configured for
long term retention using a Grandfather-Father-Son scheme (GFS). That is, you can define a combined retention
policy involving daily, weekly, monthly and yearly retention policies. In this example, we create an array
representing the complex retention scheme that we want, and then configure the retention range using the
Set-DPMPolicyObjective cmdlet.
In the above example, $onlineSch is an array with four elements that contains the existing online protection
schedule for the Protection Group in the GFS scheme:
1. $onlineSch[0] contains the daily schedule
2. $onlineSch[1] contains the weekly schedule
3. $onlineSch[2] contains the monthly schedule
4. $onlineSch[3] contains the yearly schedule
So if you need to modify the weekly schedule, you need to refer to the $onlineSch[1] .
Initial backup
When backing up a datasource for the first time, DPM needs to create an initial replica, which is a full copy of the
datasource to be protected on the DPM replica volume. This activity can either be scheduled for a specific time, or can
be triggered manually, using the Set-DPMReplicaCreationMethod cmdlet with the parameter -NOW .
Next steps
For more information about DPM to Azure Backup see Introduction to DPM Backup
Deploy and manage backup to Azure for Data Protection Manager (DPM) servers using PowerShell
8/2/2017 14 min to read
This article explains how to use PowerShell to back up and recover DPM data from a backup vault. Microsoft
recommends using Recovery Services vaults for all new deployments. If you are a new Azure Backup user, use the
article, Deploy and manage Data Protection Manager data to Azure using PowerShell, so you store your data in a
Recovery Services vault.
IMPORTANT
You can now upgrade your Backup vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to a
Recovery Services vault. Microsoft encourages you to upgrade your Backup vaults to Recovery Services vaults. After October
15, 2017, you can't use PowerShell to create Backup vaults. By November 1, 2017:
All remaining Backup vaults will be automatically upgraded to Recovery Services vaults.
You won't be able to access your backup data in the classic portal. Instead, use the Azure portal to access your backup
data in Recovery Services vaults.
Before you can use PowerShell to manage backups from Data Protection Manager to Azure, you will need to have
the right environment in PowerShell. At the start of the PowerShell session, ensure that you run the following
command to import the right modules and allow you to correctly reference the DPM cmdlets:
The following setup and registration tasks can be automated with PowerShell:
Create a backup vault
Installing the Azure Backup agent
Registering with the Azure Backup service
Networking settings
Encryption settings
Create a backup vault
WARNING
For customers using Azure Backup for the first time, you need to register the Azure Backup provider to be used with your
subscription. This can be done by running the following command: Register-AzureProvider -ProviderNamespace
"Microsoft.Backup"
You can create a new backup vault using the New-AzureRMBackupVault commandlet. The backup vault is an
ARM resource, so you need to place it within a Resource Group. In an elevated Azure PowerShell console, run the
following commands:
You can get a list of all the backup vaults in a given subscription using the Get-AzureRMBackupVault
commandlet.
Installing the Azure Backup agent on a DPM Server
Before you install the Azure Backup agent, you need to have the installer downloaded and present on the Windows
Server. You can get the latest version of the installer from the Microsoft Download Center or from the backup
vault's Dashboard page. Save the installer to an easily accessible location like C:\Downloads\.
To install the agent, run the following command in an elevated PowerShell console on the DPM server:
PS C:\> MARSAgentInstaller.exe /q
This installs the agent with all the default options. The installation takes a few minutes in the background. If you do
not specify the /nu option the Windows Update window will open at the end of the installation to check for any
updates.
The agent will show in the list of installed programs. To see the list of installed programs, go to Control Panel >
Programs > Programs and Features.
Installation options
To see all the options available via the command-line, use the following command:
PS C:\> MARSAgentInstaller.exe /?
/q Quiet installation. Default: -
/p:"location" Path to the installation folder for the Azure Backup agent. Default: C:\Program Files\Microsoft Azure Recovery Services Agent
/s:"location" Path to the cache folder for the Azure Backup agent. Default: C:\Program Files\Microsoft Azure Recovery Services Agent\Scratch
Registering the machine with the vault is done using the Start-DPMCloudRegistration cmdlet:
This will register the DPM Server named TestingServer with Microsoft Azure Vault using the specified vault
credentials.
IMPORTANT
Do not use relative paths to specify the vault credentials file. You must provide an absolute path as an input to the cmdlet.
All modifications are made to this local PowerShell object $setting and then the full object is committed to DPM
and Azure Backup to save them using the Set-DPMCloudSubscriptionSetting cmdlet. You need to use the Commit
flag to ensure that the changes are persisted. The settings will not be applied and used by Azure Backup unless
committed.
Networking
If the connectivity of the DPM machine to the Azure Backup service on the internet is through a proxy server, then
the proxy server settings should be provided for backups to succeed. This is done by using the -ProxyServer,
-ProxyPort, -ProxyUsername and -ProxyPassword parameters with the Set-DPMCloudSubscriptionSetting
cmdlet. In this example, there is no proxy server so we are explicitly clearing any proxy-related information.
Bandwidth usage can also be controlled with options of -WorkHourBandwidth and -NonWorkHourBandwidth for a
given set of days of the week. In this example we are not setting any throttling.
In the example above, the staging area will be set to C:\StagingArea in the PowerShell object $setting . Ensure
that the specified folder already exists, or else the final commit of the subscription settings will fail.
Encryption settings
The backup data sent to Azure Backup is encrypted to protect the confidentiality of the data. The encryption
passphrase is the "password" to decrypt the data at the time of restore. It is important to keep this information safe
and secure once it is set.
In the example below, the first command converts the string passphrase123456789 to a secure string and assigns
the secure string to the variable named $Passphrase. The second command sets the secure string in $Passphrase
as the password for encrypting backups.
IMPORTANT
Keep the passphrase information safe and secure once it is set. You will not be able to restore data from Azure without this
passphrase.
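The settings workflow that both DPM articles on this page describe (staging area, proxy, throttling, passphrase, commit), as an added example that is not part of the original articles. It reads the passphrase from a prompt instead of embedding it in the script. TestingServer and C:\StagingArea are the values used in this article; the prompt text and the 16-character minimum check are assumptions about the environment.

```powershell
# Added example; assumes the DPM Management Shell on the DPM server.
$serverName  = "TestingServer"      # server name used in this article
$stagingArea = "C:\StagingArea"     # staging folder used in this article

# Work on a local copy of the subscription settings.
$setting = Get-DPMCloudSubscriptionSetting -DPMServerName $serverName

# The final commit fails if the staging folder is missing, so check first.
if (-not (Test-Path -Path $stagingArea -PathType Container)) {
    throw "Staging area $stagingArea does not exist; create it before continuing."
}
Set-DPMCloudSubscriptionSetting -DPMServerName $serverName -SubscriptionSetting $setting -StagingAreaPath $stagingArea

# No proxy and no throttling, as in this article's example.
Set-DPMCloudSubscriptionSetting -DPMServerName $serverName -SubscriptionSetting $setting -NoProxy
Set-DPMCloudSubscriptionSetting -DPMServerName $serverName -SubscriptionSetting $setting -NoThrottle

# Prompt for the passphrase so it never appears in the script or in source control.
$Passphrase = Read-Host -Prompt "Backup encryption passphrase" -AsSecureString
if ($Passphrase.Length -lt 16) {
    # Assumed minimum length for the Azure Backup agent passphrase.
    throw "Passphrase is shorter than 16 characters."
}
Set-DPMCloudSubscriptionSetting -DPMServerName $serverName -SubscriptionSetting $setting -EncryptionPassphrase $Passphrase

# Nothing above takes effect until the settings object is committed.
Set-DPMCloudSubscriptionSetting -DPMServerName $serverName -SubscriptionSetting $setting -Commit
```

Record the passphrase in a password manager or secrets vault before committing, since restores are impossible without it.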
At this point, you should have made all the required changes to the $setting object. Remember to commit the
changes.
The above cmdlet will create a Protection Group named ProtectGroup01. An existing protection group can also be
modified later to add backup to the Azure cloud. However, to make any changes to the Protection Group - new or
existing - we need to get a handle on a modifiable object using the Get-DPMModifiableProtectionGroup cmdlet.
Now fetch the list of datasources on $server using the Get-DPMDatasource cmdlet. In this example we are
filtering for the volume D:\ which we want to configure for backup. This datasource is then added to the Protection
Group using the Add-DPMChildDatasource cmdlet. Remember to use the modifiable protection group object $MPG
to make the additions.
PS C:\> $DS = Get-Datasource -ProductionServer $server -Inquire | where { $_.Name -contains "D:\" }
Repeat this step as many times as required, until you have added all the chosen datasources to the protection
group. You can also start with just one datasource, and complete the workflow for creating the Protection Group,
and at a later point add more datasources to the Protection Group.
Selecting the data protection method
Once the datasources have been added to the Protection Group, the next step is to specify the protection method
using the Set-DPMProtectionType cmdlet. In this example, the Protection Group will be set up for local disk and
cloud backup. You also need to specify the datasource that you want to protect to cloud using the
Add-DPMChildDatasource cmdlet with the -Online flag.
For backups going to Azure (DPM refers to these as Online backups) the retention ranges can be configured for
long term retention using a Grandfather-Father-Son scheme (GFS). That is, you can define a combined retention
policy involving daily, weekly, monthly and yearly retention policies. In this example, we create an array
representing the complex retention scheme that we want, and then configure the retention range using the
Set-DPMPolicyObjective cmdlet.
In the example above, $onlineSch is an array with four elements that contains the existing online protection
schedule for the Protection Group in the GFS scheme:
1. $onlineSch[0] will contain the daily schedule
2. $onlineSch[1] will contain the weekly schedule
3. $onlineSch[2] will contain the monthly schedule
4. $onlineSch[3] will contain the yearly schedule
So if you need to modify the weekly schedule, you need to refer to the $onlineSch[1] .
Initial backup
When backing up a datasource for the first time, DPM needs to create an initial replica which will create a copy of
the datasource to be protected on DPM replica volume. This activity can either be scheduled for a specific time, or
can be triggered manually, using the Set-DPMReplicaCreationMethod cmdlet with the parameter -NOW .
Next steps
For more information about Azure Backup for DPM see Introduction to DPM Backup
Deploy and manage backup to Azure for Windows Server/Windows Client using PowerShell
8/21/2017 17 min to read
This article shows you how to use PowerShell for setting up Azure Backup on Windows Server or a Windows
client, and managing backup and recovery.
This article focuses on the Azure Resource Manager (ARM) and the MS Online Backup PowerShell cmdlets that
enable you to use a Recovery Services vault in a resource group.
In October 2015, Azure PowerShell 1.0 was released. This release succeeded the 0.9.8 release and brought about
some significant changes, especially in the naming pattern of the cmdlets. 1.0 cmdlets follow the naming pattern
{verb}-AzureRm{noun}; whereas, the 0.9.8 names do not include Rm (for example, New-AzureRmResourceGroup
instead of New-AzureResourceGroup). When using Azure PowerShell 0.9.8, you must first enable the Resource
Manager mode by running the Switch-AzureMode AzureResourceManager command. This command is not
necessary in 1.0 or later.
If you want to use your scripts written for the 0.9.8 environment, in the 1.0 or later environment, you should
carefully update and test the scripts in a pre-production environment before using them in production to avoid
unexpected impact.
Download the latest PowerShell release (minimum version required is 1.0.0).
$PSVersionTable
Verify that the value of PSVersion is 3.0 or 4.0. If not, see Windows Management Framework 3.0 or Windows
Management Framework 4.0.
Set your Azure account and subscription
If you don't already have an Azure subscription, you can activate your MSDN subscriber benefits or sign up for a
free trial.
Open an Azure PowerShell command prompt and log on to Azure with this command.
Login-AzureRmAccount
If you have multiple Azure subscriptions, you can list your Azure subscriptions with this command.
Get-AzureRmSubscription
SubscriptionId : fd22919d-eaca-4f2b-841a-e4ac6770g92e
SubscriptionName : Visual Studio Ultimate with MSDN
Environment : AzureCloud
SupportedModes : AzureServiceManagement,AzureResourceManager
DefaultAccount : johndoe@contoso.com
Accounts : {johndoe@contoso.com}
IsDefault : True
IsCurrent : True
CurrentStorageAccountName :
TenantId : 32fa88b4-86f1-419f-93ab-2d7ce016dba7
You can set the current Azure subscription by running these commands at the Azure PowerShell command
prompt. Replace everything within the quotes, including the < and > characters, with the correct name.
For more information about Azure subscriptions and accounts, see How to: Connect to your subscription.
2. The Recovery Services vault is an ARM resource, so you need to place it within a Resource Group. You can
use an existing resource group, or create a new one. When creating a new resource group, specify the name
and location for the resource group.
3. Use the New-AzureRmRecoveryServicesVault cmdlet to create the new vault. Be sure to specify the
same location for the vault as was used for the resource group.
4. Specify the type of storage redundancy to use; you can use Locally Redundant Storage (LRS) or Geo
Redundant Storage (GRS). The following example shows the -BackupStorageRedundancy option for
testVault is set to GeoRedundant.
TIP
Many Azure Backup cmdlets require the Recovery Services vault object as an input. For this reason, it is convenient
to store the Backup Recovery Services vault object in a variable.
PS C:\> Get-AzureRmRecoveryServicesVault
Name : Contoso-vault
ID : /subscriptions/1234
Type : Microsoft.RecoveryServices/vaults
Location : WestUS
ResourceGroupName : Contoso-docs-rg
SubscriptionId : 1234-567f-8910-abc
Properties : Microsoft.Azure.Commands.RecoveryServices.ARSVaultProperties
To install the agent, run the following command in an elevated PowerShell console:
PS C:\> MARSAgentInstaller.exe /q
This installs the agent with all the default options. The installation takes a few minutes in the background. If you do
not specify the /nu option then the Windows Update window will open at the end of the installation to check for
any updates. Once installed, the agent will show in the list of installed programs.
To see the list of installed programs, go to Control Panel > Programs > Programs and Features.
Installation options
To see all the options available via the command-line, use the following command:
PS C:\> MARSAgentInstaller.exe /?
/q Quiet installation. Default: -
/p:"location" Path to the installation folder for the Azure Backup agent. Default: C:\Program Files\Microsoft Azure Recovery Services Agent
/s:"location" Path to the cache folder for the Azure Backup agent. Default: C:\Program Files\Microsoft Azure Recovery Services Agent\Scratch
On the Windows Server or Windows client machine, run the Start-OBRegistration cmdlet to register the machine
with the vault. This, and other cmdlets used for backup, are from the MSONLINE module, which the
MARSAgentInstaller added as part of the installation process.
The Agent installer does not update the $Env:PSModulePath variable. This means module auto-load fails. To
resolve this you can do the following:
Alternatively, you can manually load the module in your script as follows:
Once you load the Online Backup cmdlets, you register the vault credentials:
IMPORTANT
Do not use relative paths to specify the vault credentials file. You must provide an absolute path as an input to the cmdlet.
Networking settings
When the connectivity of the Windows machine to the internet is through a proxy server, the proxy settings can
also be provided to the agent. In this example, there is no proxy server, so we are explicitly clearing any proxy-
related information.
Bandwidth usage can also be controlled with the options of work hour bandwidth and non-work hour bandwidth for
a given set of days of the week.
Setting the proxy and bandwidth details is done using the Set-OBMachineSetting cmdlet:
PS C:\> Set-OBMachineSetting -NoProxy
Server properties updated successfully.
Encryption settings
The backup data sent to Azure Backup is encrypted to protect the confidentiality of the data. The encryption
passphrase is the "password" to decrypt the data at the time of restore.
IMPORTANT
Keep the passphrase information safe and secure once it is set. You will not be able to restore data from Azure without this
passphrase.
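The registration, proxy and passphrase steps above combined into one script, as an added example that is not part of the original article. The credentials file name and the module folder under the default installation path are assumptions; the passphrase is prompted for rather than written into the script.

```powershell
# Added example (not from the original article).
# Assumptions: default agent install folder; vault credentials saved under
# the hypothetical name C:\Downloads\test-vault.VaultCredentials.
$modulePath = 'C:\Program Files\Microsoft Azure Recovery Services Agent\bin\Modules\MSOnlineBackup'
$credsPath  = 'C:\Downloads\test-vault.VaultCredentials'

# The installer does not update $Env:PSModulePath, so load the module explicitly.
Import-Module -Name $modulePath -ErrorAction Stop

# Start-OBRegistration needs an absolute path: accept only drive-rooted or UNC paths.
if ($credsPath -notmatch '^(?:[A-Za-z]:\\|\\\\)') {
    throw "Vault credentials path must be absolute: $credsPath"
}
if (-not (Test-Path -LiteralPath $credsPath -PathType Leaf)) {
    throw "Vault credentials file not found: $credsPath"
}

Start-OBRegistration -VaultCredentials $credsPath -Confirm:$false

# No proxy server in this example, so clear any proxy-related settings.
Set-OBMachineSetting -NoProxy

# Prompt twice so a typo cannot lock the backups behind an unknown passphrase.
$first  = Read-Host -AsSecureString -Prompt 'Encryption passphrase'
$second = Read-Host -AsSecureString -Prompt 'Confirm passphrase'

# The agent rejects passphrases shorter than 16 characters; check before calling it.
if ($first.Length -lt 16) {
    throw 'Passphrase must be at least 16 characters long.'
}

# Compare the two entries; the plain text lives only in these two local variables.
$p1 = (New-Object System.Net.NetworkCredential('', $first)).Password
$p2 = (New-Object System.Net.NetworkCredential('', $second)).Password
$match = ($p1 -ceq $p2)
$p1 = $null
$p2 = $null
if (-not $match) {
    throw 'The two passphrase entries do not match.'
}

Set-OBMachineSetting -EncryptionPassphrase $first

# The credentials file is only needed for registration; do not leave it
# lying in a Downloads folder afterwards.
Remove-Item -LiteralPath $credsPath
```

Store the passphrase in a password manager or secrets vault that is not itself backed up only by this agent.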
At this time the policy is empty and other cmdlets are needed to define what items will be included or excluded,
when backups will run, and where the backups will be stored.
Configuring the backup schedule
The first of the 3 parts of a policy is the backup schedule, which is created using the New-OBSchedule cmdlet. The
backup schedule defines when backups need to be taken. When creating a schedule you need to specify 2 input
parameters:
Days of the week that the backup should run. You can run the backup job on just one day, or every day of the
week, or any combination in between.
Times of the day when the backup should run. You can define up to 3 different times of the day when the
backup will be triggered.
For instance, you could configure a backup policy that runs at 4PM every Saturday and Sunday.
The retention policy must be associated with the main policy using the cmdlet Set-OBRetentionPolicy:
BackupSchedule : 4:00 PM
Saturday, Sunday,
Every 1 week(s)
DsList :
PolicyName :
RetentionPolicy : Retention Days : 7
WeeklyLTRSchedule :
Weekly schedule is not set
MonthlyLTRSchedule :
Monthly schedule is not set
YearlyLTRSchedule :
Yearly schedule is not set
State : New
PolicyState : Valid
BackupSchedule : 4:00 PM
Saturday, Sunday,
Every 1 week(s)
DsList : {DataSource
DatasourceId:0
Name:C:\
FileSpec:FileSpec
FileSpec:C:\
IsExclude:False
IsRecursive:True
, DataSource
DatasourceId:0
Name:D:\
FileSpec:FileSpec
FileSpec:D:\
IsExclude:False
IsRecursive:True
}
PolicyName :
RetentionPolicy : Retention Days : 7
WeeklyLTRSchedule :
Weekly schedule is not set
MonthlyLTRSchedule :
Monthly schedule is not set
YearlyLTRSchedule :
Yearly schedule is not set
State : New
PolicyState : Valid
BackupSchedule : 4:00 PM
Saturday, Sunday,
Every 1 week(s)
DsList : {DataSource
DatasourceId:0
Name:C:\
FileSpec:FileSpec
FileSpec:C:\
IsExclude:False
IsRecursive:True
,FileSpec
FileSpec:C:\windows
IsExclude:True
IsRecursive:True
,FileSpec
FileSpec:C:\temp
IsExclude:True
IsRecursive:True
, DataSource
DatasourceId:0
Name:D:\
FileSpec:FileSpec
FileSpec:D:\
IsExclude:False
IsRecursive:True
}
PolicyName :
RetentionPolicy : Retention Days : 7
WeeklyLTRSchedule :
Weekly schedule is not set
MonthlyLTRSchedule :
Monthly schedule is not set
YearlyLTRSchedule :
Yearly schedule is not set
State : New
PolicyState : Valid
Committing the policy object is done using the Set-OBPolicy cmdlet. This will also ask for confirmation. To skip the
confirmation use the -Confirm:$false flag with the cmdlet.
PS C:\> Set-OBPolicy -Policy $newpolicy
Microsoft Azure Backup Do you want to save this backup policy ? [Y] Yes [A] Yes to All [N] No [L] No to All
[S] Suspend [?] Help (default is "Y"):
BackupSchedule : 4:00 PM Saturday, Sunday, Every 1 week(s)
DsList : {DataSource
DatasourceId:4508156004108672185
Name:C:\
FileSpec:FileSpec
FileSpec:C:\
IsExclude:False
IsRecursive:True,
FileSpec
FileSpec:C:\windows
IsExclude:True
IsRecursive:True,
FileSpec
FileSpec:C:\temp
IsExclude:True
IsRecursive:True,
DataSource
DatasourceId:4508156005178868542
Name:D:\
FileSpec:FileSpec
FileSpec:D:\
IsExclude:False
IsRecursive:True
}
PolicyName : c2eb6568-8a06-49f4-a20e-3019ae411bac
RetentionPolicy : Retention Days : 7
WeeklyLTRSchedule :
Weekly schedule is not set
MonthlyLTRSchedule :
Monthly schedule is not set
YearlyLTRSchedule :
Yearly schedule is not set
State : Existing
PolicyState : Valid
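The whole policy procedure (schedule, retention, inclusions and exclusions, commit) as one script that produces the state shown in the output above. This is an added example, not code from the original article; it assumes the agent's Online Backup cmdlets are already loaded, and the read-back check at the end is an addition.

```powershell
# Added example (not from the original article).
# Assumes the agent's Online Backup module is already imported.

# Start from an empty policy object.
$newpolicy = New-OBPolicy

# Part 1: schedule. 4 PM every Saturday and Sunday.
$sched = New-OBSchedule -DaysOfWeek Saturday, Sunday -TimesOfDay 16:00
Set-OBSchedule -Policy $newpolicy -Schedule $sched | Out-Null

# Part 2: retention. Keep recovery points for 7 days.
$retention = New-OBRetentionPolicy -RetentionDays 7
Set-OBRetentionPolicy -Policy $newpolicy -RetentionPolicy $retention | Out-Null

# Part 3: what to protect. Include both volumes, exclude two folders on C:.
$includePaths = @('C:\', 'D:\')
$excludePaths = @('C:\windows', 'C:\temp')

$inclusions = New-OBFileSpec -FileSpec $includePaths
$exclusions = New-OBFileSpec -FileSpec $excludePaths -Exclude
Add-OBFileSpec -Policy $newpolicy -FileSpec $inclusions | Out-Null
Add-OBFileSpec -Policy $newpolicy -FileSpec $exclusions | Out-Null

# Refuse to commit a policy the agent does not consider valid.
if ("$($newpolicy.PolicyState)" -ne 'Valid') {
    throw "Policy is in state '$($newpolicy.PolicyState)'; not committing."
}

# Commit without the interactive confirmation prompt.
Set-OBPolicy -Policy $newpolicy -Confirm:$false | Out-Null

# Read the committed policy back and confirm the exclusions are exactly the
# ones intended. An unexpected exclusion silently removes data from protection.
$committed = Get-OBPolicy
$actualExcludes = @($committed | Get-OBFileSpec |
    Where-Object { $_.IsExclude } |
    ForEach-Object { $_.FileSpec })

$unexpected = @($actualExcludes | Where-Object { $excludePaths -notcontains $_ })
$missing    = @($excludePaths  | Where-Object { $actualExcludes -notcontains $_ })

if ($unexpected.Count -gt 0 -or $missing.Count -gt 0) {
    throw "Exclusion mismatch. Unexpected: $($unexpected -join ', '); missing: $($missing -join ', ')"
}

$committed | Get-OBSchedule
```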
You can view the details of the existing backup policy using the Get-OBPolicy cmdlet. You can drill down further
using the Get-OBSchedule cmdlet for the backup schedule and the Get-OBRetentionPolicy cmdlet for the retention
policies.
PS C:\> Get-OBPolicy | Get-OBSchedule
SchedulePolicyName : 71944081-9950-4f7e-841d-32f0a0a1359a
ScheduleRunDays : {Saturday, Sunday}
ScheduleRunTimes : {16:00:00}
State : Existing
FileName : *
FilePath : \?\Volume{cdd41007-a22f-11e2-be6c-806e6f6e6963}\
FileSpec : C:\
IsExclude : False
IsRecursive : True
FileName : *
FilePath : \?\Volume{cdd41007-a22f-11e2-be6c-806e6f6e6963}\windows
FileSpec : C:\windows
IsExclude : True
IsRecursive : True
FileName : *
FilePath : \?\Volume{cdd41007-a22f-11e2-be6c-806e6f6e6963}\temp
FileSpec : C:\temp
IsExclude : True
IsRecursive : True
FriendlyName : D:\
RecoverySourceName : D:\
ServerName : myserver.microsoft.com
IsDir : False
ItemNameFriendly : D:\
ItemNameGuid : \?\Volume{b835d359-a1dd-11e2-be72-2016d8d89f0f}\
LocalMountPoint : D:\
MountPointName : D:\
Name : D:\
PointInTime : 17-Jun-15 6:31:31 AM
ServerName : myserver.microsoft.com
ItemSize :
ItemLastModifiedTime :
The object $rps is an array of backup points. The first element is the latest point and the Nth element is the oldest
point. To choose the latest point, we will use $rps[0].
Choosing an item to restore
To identify the exact file or folder to restore, recursively use the Get-OBRecoverableItem cmdlet. That way the
folder hierarchy can be browsed solely using the Get-OBRecoverableItem cmdlet.
In this example, if we want to restore the file finances.xls we can reference that using the object $filesFolders[1].
PS C:\> $filesFolders = Get-OBRecoverableItem $rps[0]
PS C:\> $filesFolders
IsDir : True
ItemNameFriendly : D:\MyData\
ItemNameGuid : \?\Volume{b835d359-a1dd-11e2-be72-2016d8d89f0f}\MyData\
LocalMountPoint : D:\
MountPointName : D:\
Name : MyData
PointInTime : 18-Jun-15 6:41:52 AM
ServerName : myserver.microsoft.com
ItemSize :
ItemLastModifiedTime : 15-Jun-15 8:49:29 AM
IsDir : False
ItemNameFriendly : D:\MyData\finances.xls
ItemNameGuid : \?\Volume{b835d359-a1dd-11e2-be72-2016d8d89f0f}\MyData\finances.xls
LocalMountPoint : D:\
MountPointName : D:\
Name : finances.xls
PointInTime : 18-Jun-15 6:41:52 AM
ServerName : myserver.microsoft.com
ItemSize : 96256
ItemLastModifiedTime : 21-Jun-14 6:43:02 AM
You can also search for items to restore using the Get-OBRecoverableItem cmdlet. In our example, to search for
finances.xls we could get a handle on the file by running this command:
Now trigger the restore process by using the Start-OBRecovery command on the selected $item from the output
of the Get-OBRecoverableItem cmdlet:
PS C:\> Start-OBRecovery -RecoverableItem $item -RecoveryOption $recover_option
Estimating size of backup items...
Estimating size of backup items...
Estimating size of backup items...
Estimating size of backup items...
Job completed.
The recovery operation completed successfully.
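The restore steps above as a single restore test that recovers finances.xls to a separate folder and checks the result, so the live copy is never overwritten. This is an added example, not code from the original article; the destination folder C:\RestoreTest is hypothetical and the final size comparison is an addition.

```powershell
# Added example (not from the original article).
# Assumes the agent's Online Backup module is already imported.
$volume   = 'D:\'
$location = 'D:\MyData'
$fileName = 'finances.xls'
$dest     = 'C:\RestoreTest'   # hypothetical alternate restore location

# Pick the backed-up volume by its friendly name.
$source = Get-OBRecoverableSource | Where-Object { $_.FriendlyName -eq $volume }
if (-not $source) {
    throw "No recoverable source found for $volume"
}

# Recovery points for that volume; element 0 is the latest.
$rps = @(Get-OBRecoverableItem -Source $source)
if ($rps.Count -eq 0) {
    throw "No recovery points exist for $volume"
}

# Search the latest point for the file instead of walking the folder tree.
$found = @(Get-OBRecoverableItem -RecoveryPoint $rps[0] -Location $location -SearchString $fileName)
if ($found.Count -ne 1) {
    throw "Expected exactly one match for $fileName, found $($found.Count)"
}
$item = $found[0]

# Restore beside the original, never over it: alternate folder, skip existing files.
New-Item -ItemType Directory -Path $dest -Force | Out-Null
$recover_option = New-OBRecoveryOption -DestinationPath $dest -OverwriteType Skip

Start-OBRecovery -RecoverableItem $item -RecoveryOption $recover_option

# Confirm that something was actually written and that its size matches the
# size recorded in the recovery point.
$restored = @(Get-ChildItem -Path $dest -Recurse -Filter $fileName -File)
if ($restored.Count -eq 0) {
    throw "Recovery reported success but $fileName was not found under $dest"
}
if ($item.ItemSize -and ($restored[0].Length -ne [int64]$item.ItemSize)) {
    throw "Size mismatch: restored $($restored[0].Length) bytes, expected $($item.ItemSize)"
}

"Restore test passed: $($restored[0].FullName) from point $($item.PointInTime)"
```

Running a test like this on a schedule also confirms that the stored encryption passphrase still decrypts the backups.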
PS C:\> .\MARSAgentInstaller.exe /d /q
Uninstalling the agent binaries from the machine has some consequences to consider:
It removes the file-filter from the machine, and tracking of changes is stopped.
All policy information is removed from the machine, but the policy information continues to be stored in the
service.
All backup schedules are removed, and no further backups are taken.
However, the data stored in Azure remains and is retained according to the retention policy you set up. Older points
are automatically aged out.
Remote management
All the management around the Azure Backup agent, policies, and data sources can be done remotely through
PowerShell. The machine that will be managed remotely needs to be prepared correctly.
By default, the WinRM service is configured for manual startup. The startup type must be set to Automatic and the
service should be started. To verify that the WinRM service is running, the value of the Status property should be
Running.
The machine can now be managed remotely - starting from the installation of the agent. For example, the
following script copies the agent to the remote machine and installs it.
PS C:\> $dloc = "\\REMOTESERVER01\c$\Windows\Temp"
PS C:\> $agent = "\\REMOTESERVER01\c$\Windows\Temp\MARSAgentInstaller.exe"
PS C:\> $args = "/q"
PS C:\> Copy-Item "C:\Downloads\MARSAgentInstaller.exe" -Destination $dloc -Force
Next steps
For more information about Azure Backup for Windows Server/Client see
Introduction to Azure Backup
Back up Windows Servers
Deploy and manage backup to Azure for Windows
Server/Windows Client using PowerShell
8/2/2017
This article explains how to use PowerShell to back up Windows Server or Windows workstation data to a backup
vault. Microsoft recommends using Recovery Services vaults for all new deployments. If you are a new Azure
Backup user and have not created a backup vault in your subscription, use the article, Deploy and manage Data
Protection Manager data to Azure using PowerShell so you store your data in a Recovery Services vault.
IMPORTANT
You can now upgrade your Backup vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to
a Recovery Services vault. Microsoft encourages you to upgrade your Backup vaults to Recovery Services vaults.
After October 15, 2017, you can't use PowerShell to create Backup vaults. By November 1, 2017:
All remaining Backup vaults will be automatically upgraded to Recovery Services vaults.
You won't be able to access your backup data in the classic portal. Instead, use the Azure portal to access your backup
data in Recovery Services vaults.
In October 2015, Azure PowerShell 1.0 was released. This release succeeded the 0.9.8 release and brought about
some significant changes, especially in the naming pattern of the cmdlets. 1.0 cmdlets follow the naming pattern
{verb}-AzureRm{noun}; whereas, the 0.9.8 names do not include Rm (for example, New-AzureRmResourceGroup
instead of New-AzureResourceGroup). When using Azure PowerShell 0.9.8, you must first enable the Resource
Manager mode by running the Switch-AzureMode AzureResourceManager command. This command is not
necessary in 1.0 or later.
If you want to use your scripts written for the 0.9.8 environment, in the 1.0 or later environment, you should
carefully test the scripts in a pre-production environment before using them in production to avoid unexpected
impact.
Download the latest PowerShell release (minimum version required: 1.0.0)
$PSVersionTable
You will receive the following type of information:
Name Value
---- -----
PSVersion 3.0
WSManStackVersion 3.0
SerializationVersion 1.1.0.1
CLRVersion 4.0.30319.18444
BuildVersion 6.2.9200.16481
PSCompatibleVersions {1.0, 2.0, 3.0}
PSRemotingProtocolVersion 2.2
Verify that the value of PSVersion is 3.0 or 4.0. If not, see Windows Management Framework 3.0 or Windows
Management Framework 4.0.
Set your Azure account and subscription
If you don't already have an Azure subscription, you can activate your MSDN subscriber benefits or sign up for a
free trial.
Open an Azure PowerShell command prompt and log on to Azure with this command.
Login-AzureRmAccount
If you have multiple Azure subscriptions, you can list your Azure subscriptions with this command.
Get-AzureRmSubscription
SubscriptionId : fd22919d-eaca-4f2b-841a-e4ac6770g92e
SubscriptionName : Visual Studio Ultimate with MSDN
Environment : AzureCloud
SupportedModes : AzureServiceManagement,AzureResourceManager
DefaultAccount : johndoe@contoso.com
Accounts : {johndoe@contoso.com}
IsDefault : True
IsCurrent : True
CurrentStorageAccountName :
TenantId : 32fa88b4-86f1-419f-93ab-2d7ce016dba7
You can set the current Azure subscription by running these commands at the Azure PowerShell command
prompt. Replace everything within the quotes, including the < and > characters, with the correct name.
For more information about Azure subscriptions and accounts, see How to: Connect to your subscription.
You can create a new backup vault using the New-AzureRMBackupVault cmdlet. The backup vault is an ARM
resource, so you need to place it within a Resource Group. In an elevated Azure PowerShell console, run the
following commands:
PS C:\> MARSAgentInstaller.exe /q
This installs the agent with all the default options. The installation takes a few minutes in the background. If you do
not specify the /nu option then the Windows Update window will open at the end of the installation to check for
any updates. Once installed, the agent will show in the list of installed programs.
To see the list of installed programs, go to Control Panel > Programs > Programs and Features.
Installation options
To see all the options available via the command-line, use the following command:
PS C:\> MARSAgentInstaller.exe /?
OPTION | DETAILS | DEFAULT
/q | Quiet installation | -
/p:"location" | Path to the installation folder for the Azure Backup agent. | C:\Program Files\Microsoft Azure Recovery Services Agent
/s:"location" | Path to the cache folder for the Azure Backup agent. | C:\Program Files\Microsoft Azure Recovery Services Agent\Scratch
Registering the machine with the vault is done using the Start-OBRegistration cmdlet:
CertThumbprint : 7a2ef2caa2e74b6ed1222a5e89288ddad438df2
SubscriptionID : ef4ab577-c2c0-43e4-af80-af49f485f3d1
ServiceResourceName : test-vault
Region : West US
Networking settings
When the connectivity of the Windows machine to the internet is through a proxy server, the proxy settings can
also be provided to the agent. In this example, there is no proxy server, so we are explicitly clearing any proxy-
related information.
Bandwidth usage can also be controlled with the options of work hour bandwidth and non-work hour bandwidth for
a given set of days of the week.
Setting the proxy and bandwidth details is done using the Set-OBMachineSetting cmdlet:
Encryption settings
The backup data sent to Azure Backup is encrypted to protect the confidentiality of the data. The encryption
passphrase is the "password" to decrypt the data at the time of restore.
IMPORTANT
Keep the passphrase information safe and secure once it is set. You will not be able to restore data from Azure without this
passphrase.
At this time the policy is empty and other cmdlets are needed to define what items will be included or excluded,
when backups will run, and where the backups will be stored.
Configuring the backup schedule
The first of the 3 parts of a policy is the backup schedule, which is created using the New-OBSchedule cmdlet. The
backup schedule defines when backups need to be taken. When creating a schedule you need to specify 2 input
parameters:
Days of the week that the backup should run. You can run the backup job on just one day, or every day of the
week, or any combination in between.
Times of the day when the backup should run. You can define up to 3 different times of the day when the
backup will be triggered.
For instance, you could configure a backup policy that runs at 4PM every Saturday and Sunday.
The backup schedule needs to be associated with a policy, and this can be achieved by using the Set-OBSchedule
cmdlet.
The retention policy must be associated with the main policy using the cmdlet Set-OBRetentionPolicy:
BackupSchedule : 4:00 PM
Saturday, Sunday,
Every 1 week(s)
DsList :
PolicyName :
RetentionPolicy : Retention Days : 7
WeeklyLTRSchedule :
Weekly schedule is not set
MonthlyLTRSchedule :
Monthly schedule is not set
YearlyLTRSchedule :
Yearly schedule is not set
State : New
PolicyState : Valid
BackupSchedule : 4:00 PM
Saturday, Sunday,
Every 1 week(s)
DsList : {DataSource
DatasourceId:0
Name:C:\
FileSpec:FileSpec
FileSpec:C:\
IsExclude:False
IsRecursive:True
, DataSource
DatasourceId:0
Name:D:\
FileSpec:FileSpec
FileSpec:D:\
IsExclude:False
IsRecursive:True
}
PolicyName :
RetentionPolicy : Retention Days : 7
WeeklyLTRSchedule :
Weekly schedule is not set
MonthlyLTRSchedule :
Monthly schedule is not set
YearlyLTRSchedule :
Yearly schedule is not set
State : New
PolicyState : Valid
BackupSchedule : 4:00 PM
Saturday, Sunday,
Every 1 week(s)
DsList : {DataSource
DatasourceId:0
Name:C:\
FileSpec:FileSpec
FileSpec:C:\
IsExclude:False
IsRecursive:True
IsRecursive:True
,FileSpec
FileSpec:C:\windows
IsExclude:True
IsRecursive:True
,FileSpec
FileSpec:C:\temp
IsExclude:True
IsRecursive:True
, DataSource
DatasourceId:0
Name:D:\
FileSpec:FileSpec
FileSpec:D:\
IsExclude:False
IsRecursive:True
}
PolicyName :
RetentionPolicy : Retention Days : 7
WeeklyLTRSchedule :
Weekly schedule is not set
MonthlyLTRSchedule :
Monthly schedule is not set
YearlyLTRSchedule :
Yearly schedule is not set
State : New
PolicyState : Valid
Committing the policy object is done using the Set-OBPolicy cmdlet. This will also ask for confirmation. To skip the
confirmation use the -Confirm:$false flag with the cmdlet.
PS C:\> Set-OBPolicy -Policy $newpolicy
Microsoft Azure Backup Do you want to save this backup policy ? [Y] Yes [A] Yes to All [N] No [L] No to All
[S] Suspend [?] Help (default is "Y"):
BackupSchedule : 4:00 PM Saturday, Sunday, Every 1 week(s)
DsList : {DataSource
DatasourceId:4508156004108672185
Name:C:\
FileSpec:FileSpec
FileSpec:C:\
IsExclude:False
IsRecursive:True,
FileSpec
FileSpec:C:\windows
IsExclude:True
IsRecursive:True,
FileSpec
FileSpec:C:\temp
IsExclude:True
IsRecursive:True,
DataSource
DatasourceId:4508156005178868542
Name:D:\
FileSpec:FileSpec
FileSpec:D:\
IsExclude:False
IsRecursive:True
}
PolicyName : c2eb6568-8a06-49f4-a20e-3019ae411bac
RetentionPolicy : Retention Days : 7
WeeklyLTRSchedule :
Weekly schedule is not set
MonthlyLTRSchedule :
Monthly schedule is not set
YearlyLTRSchedule :
Yearly schedule is not set
State : Existing
PolicyState : Valid
You can view the details of the existing backup policy using the Get-OBPolicy cmdlet. You can drill down further
using the Get-OBSchedule cmdlet for the backup schedule and the Get-OBRetentionPolicy cmdlet for the retention
policies.
PS C:\> Get-OBPolicy | Get-OBSchedule
SchedulePolicyName : 71944081-9950-4f7e-841d-32f0a0a1359a
ScheduleRunDays : {Saturday, Sunday}
ScheduleRunTimes : {16:00:00}
State : Existing
FileName : *
FilePath : \?\Volume{cdd41007-a22f-11e2-be6c-806e6f6e6963}\
FileSpec : C:\
IsExclude : False
IsRecursive : True
FileName : *
FilePath : \?\Volume{cdd41007-a22f-11e2-be6c-806e6f6e6963}\windows
FileSpec : C:\windows
IsExclude : True
IsRecursive : True
FileName : *
FilePath : \?\Volume{cdd41007-a22f-11e2-be6c-806e6f6e6963}\temp
FileSpec : C:\temp
IsExclude : True
IsRecursive : True
FriendlyName : D:\
RecoverySourceName : D:\
ServerName : myserver.microsoft.com
IsDir : False
ItemNameFriendly : D:\
ItemNameGuid : \?\Volume{b835d359-a1dd-11e2-be72-2016d8d89f0f}\
LocalMountPoint : D:\
MountPointName : D:\
Name : D:\
PointInTime : 17-Jun-15 6:31:31 AM
ServerName : myserver.microsoft.com
ItemSize :
ItemLastModifiedTime :
The object $rps is an array of backup points. The first element is the latest point and the Nth element is the oldest
point. To choose the latest point, we will use $rps[0].
Choosing an item to restore
To identify the exact file or folder to restore, recursively use the Get-OBRecoverableItem cmdlet. That way the
folder hierarchy can be browsed solely using the Get-OBRecoverableItem cmdlet.
In this example, if we want to restore the file finances.xls we can reference that using the object $filesFolders[1].
PS C:\> $filesFolders = Get-OBRecoverableItem $rps[0]
PS C:\> $filesFolders
IsDir : True
ItemNameFriendly : D:\MyData\
ItemNameGuid : \?\Volume{b835d359-a1dd-11e2-be72-2016d8d89f0f}\MyData\
LocalMountPoint : D:\
MountPointName : D:\
Name : MyData
PointInTime : 18-Jun-15 6:41:52 AM
ServerName : myserver.microsoft.com
ItemSize :
ItemLastModifiedTime : 15-Jun-15 8:49:29 AM
IsDir : False
ItemNameFriendly : D:\MyData\finances.xls
ItemNameGuid : \?\Volume{b835d359-a1dd-11e2-be72-2016d8d89f0f}\MyData\finances.xls
LocalMountPoint : D:\
MountPointName : D:\
Name : finances.xls
PointInTime : 18-Jun-15 6:41:52 AM
ServerName : myserver.microsoft.com
ItemSize : 96256
ItemLastModifiedTime : 21-Jun-14 6:43:02 AM
You can also search for items to restore using the Get-OBRecoverableItem cmdlet. In our example, to search for
finances.xls we could get a handle on the file by running this command:
Now trigger restore by using the Start-OBRecovery command on the selected $item from the output of the
Get-OBRecoverableItem cmdlet:
PS C:\> Start-OBRecovery -RecoverableItem $item -RecoveryOption $recover_option
Estimating size of backup items...
Estimating size of backup items...
Estimating size of backup items...
Estimating size of backup items...
Job completed.
The recovery operation completed successfully.
PS C:\> .\MARSAgentInstaller.exe /d /q
Uninstalling the agent binaries from the machine has some consequences to consider:
It removes the file-filter from the machine, and tracking of changes is stopped.
All policy information is removed from the machine, but the policy information continues to be stored in the
service.
All backup schedules are removed, and no further backups are taken.
However, the data stored in Azure remains and is retained according to the retention policy you set up. Older points
are automatically aged out.
Remote management
All the management around the Azure Backup agent, policies, and data sources can be done remotely through
PowerShell. The machine that will be managed remotely needs to be prepared correctly.
By default, the WinRM service is configured for manual startup. The startup type must be set to Automatic and the
service should be started. To verify that the WinRM service is running, the value of the Status property should be
Running.
The machine can now be managed remotely - starting from the installation of the agent. For example, the
following script copies the agent to the remote machine and installs it.
PS C:\> $dloc = "\\REMOTESERVER01\c$\Windows\Temp"
PS C:\> $agent = "\\REMOTESERVER01\c$\Windows\Temp\MARSAgentInstaller.exe"
PS C:\> $args = "/q"
PS C:\> Copy-Item "C:\Downloads\MARSAgentInstaller.exe" -Destination $dloc -Force
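A fuller version of the remote installation, as an added example that is not part of the original article: it checks the installer's Authenticode signature before copying, checks it again on the target before running it, and cleans up afterwards. The server name and paths are the ones used above; treating a non-zero exit code as failure is an assumption about the installer.

```powershell
# Added example (not from the original article).
$computer   = 'REMOTESERVER01'
$installer  = 'C:\Downloads\MARSAgentInstaller.exe'
$remoteDir  = "\\$computer\c$\Windows\Temp"
$remotePath = 'C:\Windows\Temp\MARSAgentInstaller.exe'   # same file, as seen from the target

# Only push a binary that carries a valid Microsoft signature.
$sig = Get-AuthenticodeSignature -FilePath $installer
if ($sig.Status -ne 'Valid') {
    throw "Installer signature status is '$($sig.Status)'; not deploying."
}
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# Fails with a clear error if WinRM on the target is not running or reachable.
Test-WSMan -ComputerName $computer -ErrorAction Stop | Out-Null

Copy-Item -LiteralPath $installer -Destination $remoteDir -Force

$session = New-PSSession -ComputerName $computer
try {
    $exitCode = Invoke-Command -Session $session -ErrorAction Stop -ScriptBlock {
        param($path, $installArgs)

        # Re-check on the target: the share is writable by other administrators,
        # so the file that runs must be verified where it runs.
        $remoteSig = Get-AuthenticodeSignature -FilePath $path
        if ($remoteSig.Status -ne 'Valid') {
            throw "Signature check failed on target: $($remoteSig.Status)"
        }

        $proc = Start-Process -FilePath $path -ArgumentList $installArgs -Wait -PassThru
        $proc.ExitCode
    } -ArgumentList $remotePath, '/q'

    # Assumption: the installer returns 0 on success.
    if ($exitCode -ne 0) {
        throw "MARSAgentInstaller.exe exited with code $exitCode on $computer"
    }
}
finally {
    # Do not leave the installer or an open session behind.
    Invoke-Command -Session $session -ScriptBlock {
        param($path)
        Remove-Item -LiteralPath $path -ErrorAction SilentlyContinue
    } -ArgumentList $remotePath
    Remove-PSSession -Session $session
}
```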
Next steps
For more information about Azure Backup for Windows Server/Client see
Introduction to Azure Backup
Back up Windows Servers
Back up a Windows Server or client to Azure using
the Resource Manager deployment model
8/21/2017
This article explains how to back up your Windows Server (or Windows client) files and folders to Azure with
Azure Backup using the Resource Manager deployment model.
The Azure Backup service has two types of vaults - the Backup vault and the Recovery Services vault. The Backup
vault came first. Then the Recovery Services vault came along to support the expanded Resource Manager
deployments. Microsoft recommends using Resource Manager deployments unless you specifically require a
Classic deployment.
NOTE
Backup vaults cannot protect Resource Manager-deployed solutions. However, you can use a Recovery Services vault to
protect classically-deployed servers and VMs.
Before you start
To back up a server or client to Azure, you need an Azure account. If you don't have one, you can create a free
account in just a couple of minutes.
The Recovery Services vault blade opens, prompting you to provide a Name, Subscription, Resource
group, and Location.
4. For Name, enter a friendly name to identify the vault. The name needs to be unique for the Azure
subscription. Type a name that contains between 2 and 50 characters. It must start with a letter, and can
contain only letters, numbers, and hyphens.
5. In the Subscription section, use the drop-down menu to choose the Azure subscription. If you use only
one subscription, that subscription appears and you can skip to the next step. If you are not sure which
subscription to use, use the default (or suggested) subscription. There are multiple choices only if your
organizational account is associated with multiple Azure subscriptions.
6. In the Resource group section:
select Create new if you want to create a new Resource group. Or
select Use existing and click the drop-down menu to see the available list of Resource groups.
For complete information on Resource groups, see the Azure Resource Manager overview.
7. Click Location to select the geographic region for the vault. This choice determines the geographic region
where your backup data is sent.
8. At the bottom of the Recovery Services vault blade, click Create.
It can take several minutes for the Recovery Services vault to be created. Monitor the status notifications in
the upper right-hand area of the portal. Once your vault is created, it appears in the list of Recovery
Services vaults. If after several minutes you don't see your vault, click Refresh.
Once you see your vault in the list of Recovery Services vaults, you are ready to set the storage
redundancy.
Set storage redundancy
When you first create a Recovery Services vault you determine how storage is replicated.
1. From the Recovery Services vaults blade, click the new vault.
When you select the vault, the Recovery Services vault blade narrows, and the Settings blade (which has
the name of the vault at the top) and the vault details blade open.
2. In the new vault's Settings blade, use the vertical slide to scroll down to the Manage section, and click
Backup Infrastructure.
The Backup Infrastructure blade opens.
3. In the Backup Infrastructure blade, click Backup Configuration to open the Backup Configuration
blade.
By default, your vault has geo-redundant storage. If you use Azure as a primary backup storage endpoint,
continue to use Geo-redundant. If you don't use Azure as a primary backup storage endpoint, then
choose Locally-redundant, which reduces the Azure storage costs. Read more about geo-redundant and
locally redundant storage options in this Storage redundancy overview.
Now that you've created a vault, prepare your infrastructure to back up files and folders by downloading and
installing the Microsoft Azure Recovery Services agent, downloading vault credentials, and then using those
credentials to register the agent with the vault.
2. From the Where is your workload running? drop-down menu, select On-premises.
You choose On-premises because your Windows Server or Windows computer is a physical machine that
is not in Azure.
3. From the What do you want to backup? menu, select Files and folders, and click OK.
After clicking OK, a checkmark appears next to Backup goal, and the Prepare infrastructure blade
opens.
4. On the Prepare infrastructure blade, click Download Agent for Windows Server or Windows Client.
If you are using Windows Server Essential, then choose to download the agent for Windows Server
Essential. A pop-up menu prompts you to run or save MARSAgentInstaller.exe.
You don't need to install the agent yet. You can install the agent after you have downloaded the vault
credentials.
6. On the Prepare infrastructure blade, click Download.
The vault credentials download to your Downloads folder. After the vault credentials finish downloading,
you see a pop-up asking if you want to open or save the credentials. Click Save. If you accidentally click
Open, let the dialog that attempts to open the vault credentials fail. You cannot open the vault credentials.
Proceed to the next step. The vault credentials are in the Downloads folder.
1. Locate and double-click the MARSagentinstaller.exe from the Downloads folder (or other saved
location).
The installer provides a series of messages as it extracts, installs, and registers the Recovery Services agent.
2. Complete the Microsoft Azure Recovery Services Agent Setup Wizard. To complete the wizard, you need
to:
Choose a location for the installation and cache folder.
Provide your proxy server info if you use a proxy server to connect to the internet.
Provide your user name and password details if you use an authenticated proxy.
Provide the downloaded vault credentials
Save the encryption passphrase in a secure location.
NOTE
If you lose or forget the passphrase, Microsoft cannot help recover the backup data. Save the file in a secure
location. It is required to restore a backup.
The agent is now installed and your machine is registered to the vault. You're ready to configure and schedule
your backup.
2. In the Backup agent's Actions pane, click Schedule Backup to launch the Schedule Backup Wizard.
3. On the Getting started page of the Schedule Backup Wizard, click Next.
4. On the Select Items to Backup page, click Add Items.
The Select Items dialog opens.
5. Select the files and folders that you want to protect, and then click OK.
6. In the Select Items to Backup page, click Next.
7. On the Specify Backup Schedule page, specify the backup schedule and click Next.
You can schedule daily (at a maximum rate of three times per day) or weekly backups.
NOTE
For more information about how to specify the backup schedule, see the article Use Azure Backup to replace your
tape infrastructure.
8. On the Select Retention Policy page, choose the specific retention policies for the backup copy and
click Next.
The retention policy specifies the duration for which the backup is stored. Rather than just specifying a flat
policy for all backup points, you can specify different retention policies based on when the backup occurs.
You can modify the daily, weekly, monthly, and yearly retention policies to meet your needs.
9. On the Choose Initial Backup Type page, choose the initial backup type. Leave the option Automatically
over the network selected, and then click Next.
You can back up automatically over the network, or you can back up offline. The remainder of this article
describes the process for backing up automatically. If you prefer to do an offline backup, review the article
Offline backup workflow in Azure Backup for additional information.
10. On the Confirmation page, review the information, and then click Finish.
11. After the wizard finishes creating the backup schedule, click Close.
Enable network throttling
The Microsoft Azure Backup agent provides network throttling. Throttling controls how network bandwidth is
used during data transfer. This control can be helpful if you need to back up data during work hours but do not
want the backup process to interfere with other Internet traffic. Throttling applies to backup and restore activities.
NOTE
Network throttling is not available on Windows Server 2008 R2 SP1, Windows Server 2008 SP2, or Windows 7 (with service
packs). The Azure Backup network throttling feature engages Quality of Service (QoS) on the local operating system.
Though Azure Backup can protect these operating systems, the version of QoS available on these platforms doesn't work
with Azure Backup network throttling. Network throttling can be used on all other supported operating systems.
2. On the Throttling tab, select the Enable internet bandwidth usage throttling for backup operations
check box.
3. After you have enabled throttling, specify the allowed bandwidth for backup data transfer during Work
hours and Non-work hours.
The bandwidth values begin at 512 kilobits per second (Kbps) and can go up to 1,023 megabytes per
second (MBps). You can also designate the start and finish for Work hours, and which days of the week
are considered work days. Hours outside of designated work hours are considered non-work hours.
4. Click OK.
To back up files and folders for the first time
1. In the backup agent, click Back Up Now to complete the initial seeding over the network.
2. On the Confirmation page, review the settings that the Back Up Now Wizard will use to back up the machine.
Then click Back Up.
3. Click Close to close the wizard. If you do this before the backup process finishes, the wizard continues to run
in the background.
After the initial backup is completed, the Job completed status appears in the Backup console.
Questions?
If you have questions, or if there is any feature that you would like to see included, send us feedback.
Next steps
For additional information about backing up VMs or other workloads, see:
Now that you've backed up your files and folders, you can manage your vaults and servers.
If you need to restore a backup, use this article to restore files to a Windows machine.
Back up Windows system state in Resource Manager
deployment
8/21/2017
This article explains how to back up your Windows Server system state to Azure. It's a tutorial intended to walk you
through the basics.
If you want to know more about Azure Backup, read this overview.
If you don't have an Azure subscription, create a free account that lets you access any Azure service.
If there are recovery services vaults in the subscription, the vaults are listed.
3. On the Recovery Services vaults menu, click Add.
The Recovery Services vault blade opens, prompting you to provide a Name, Subscription, Resource
group, and Location.
4. For Name, enter a friendly name to identify the vault. The name needs to be unique for the Azure
subscription. Type a name that contains between 2 and 50 characters. It must start with a letter, and can
contain only letters, numbers, and hyphens.
5. In the Subscription section, use the drop-down menu to choose the Azure subscription. If you use only one
subscription, that subscription appears and you can skip to the next step. If you are not sure which
subscription to use, use the default (or suggested) subscription. There are multiple choices only if your
organizational account is associated with multiple Azure subscriptions.
6. In the Resource group section:
Select Create new if you want to create a Resource group, or
select Use existing and click the drop-down menu to see the available list of Resource groups.
For complete information on Resource groups, see the Azure Resource Manager overview.
7. Click Location to select the geographic region for the vault. This choice determines the geographic region
where your backup data is sent.
8. At the bottom of the Recovery Services vault blade, click Create.
It can take several minutes for the Recovery Services vault to be created. Monitor the status notifications in
the upper right-hand area of the portal. Once your vault is created, it appears in the list of Recovery Services
vaults. If after several minutes you don't see your vault, click Refresh.
Once you see your vault in the list of Recovery Services vaults, you are ready to set the storage redundancy.
Set storage redundancy for the vault
When you create a Recovery Services vault, make sure storage redundancy is configured the way you want.
1. From the Recovery Services vaults blade, click the new vault.
When you select the vault, the Recovery Services vault blade narrows, and the Settings blade (which has
the name of the vault at the top) and the vault details blade open.
2. In the new vault's Settings blade, use the vertical slide to scroll down to the Manage section, and click Backup
Infrastructure. The Backup Infrastructure blade opens.
3. In the Backup Infrastructure blade, click Backup Configuration to open the Backup Configuration blade.
After clicking OK, a checkmark appears next to Backup goal, and the Prepare infrastructure blade opens.
4. On the Prepare infrastructure blade, click Download Agent for Windows Server or Windows Client.
If you are using Windows Server Essential, then choose to download the agent for Windows Server Essential.
A pop-up menu prompts you to run or save MARSAgentInstaller.exe.
You don't need to install the agent yet. You can install the agent after you have downloaded the vault
credentials.
6. On the Prepare infrastructure blade, click Download.
The vault credentials download to your Downloads folder. After the vault credentials finish downloading, you
see a pop-up asking if you want to open or save the credentials. Click Save. If you accidentally click Open, let
the dialog that attempts to open the vault credentials fail. You cannot open the vault credentials. Proceed to
the next step. The vault credentials are in the Downloads folder.
1. Locate and double-click MARSAgentInstaller.exe in the Downloads folder (or other saved location).
The installer provides a series of messages as it extracts, installs, and registers the Recovery Services agent.
2. Complete the Microsoft Azure Recovery Services Agent Setup Wizard. To complete the wizard, you need to:
Choose a location for the installation and cache folder.
Provide your proxy server info if you use a proxy server to connect to the internet.
Provide your user name and password details if you use an authenticated proxy.
Provide the downloaded vault credentials.
Save the encryption passphrase in a secure location.
NOTE
If you lose or forget the passphrase, Microsoft cannot help recover the backup data. Save the file in a secure
location. It is required to restore a backup.
The agent is now installed and your machine is registered to the vault. You're ready to configure and schedule your
backup.
PS C:\> regedit.exe
3. Add the following registry key with the specified DWord Value.
Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Azure Backup\Config\CloudBackupProvider
Registry key: TurnOffSSBFeature
Value: 2
4. Restart the Backup engine by executing the following command in an elevated command prompt.
PS C:\> Net start obengine
3. On the Getting started page of the Schedule Backup Wizard, click Next.
4. On the Select Items to Backup page, click Add Items.
5. Select System State and then click OK.
6. Click Next.
7. The System State Backup and Retention schedule is automatically set to back up every Sunday at 9:00 PM
local time, and the retention period is set to 60 days.
NOTE
System State backup and retention policy is automatically configured. If you back up Files and Folders in addition to
the Windows Server System State, specify only the Backup and Retention policy for file backups from the wizard.
8. On the Confirmation page, review the information, and then click Finish.
9. After the wizard finishes creating the backup schedule, click Close.
To back up Windows Server System State for the first time
1. Make sure there are no pending updates for Windows Server that require a reboot.
2. In the Recovery Services agent, click Back Up Now to complete the initial seeding over the network.
3. On the Confirmation page, review the settings that the Back Up Now Wizard will use to back up the machine.
Then click Back Up.
4. Click Close to close the wizard. If you close the wizard before the backup process finishes, the wizard
continues to run in the background.
5. If you back up Files and Folders on your server, in addition to the Windows Server System State, the Backup
Now wizard will only back up files. To perform an ad hoc System State backup, use the following
PowerShell command:
PS C:\> Start-OBSystemStateBackup
After the initial backup is completed, the Job completed status appears in the Backup console.
The Staging Path is case sensitive and must exactly match the casing of the path that exists on the server.
1. Once you change the Staging volume path, restart the Backup engine:
PS C:\> Net start obengine
2. To pick up the changed path, open the Microsoft Azure Recovery Services agent and trigger an ad hoc backup of
System State.
Why is the System State default retention set to 60 days?
The useful life of a system state backup is the same as the "tombstone lifetime" setting for the Windows Server
Active Directory role. The default value for the tombstone lifetime entry is 60 days. This value can be set on the
Directory Service (NTDS) config object.
How do I change the default Backup and Retention Policy for System State?
To change the default Backup and Retention Policy for System State:
1. Stop the Backup engine. Run the following command from an elevated command prompt.
SSBScheduleTime
Description: Used to configure the time of the backup. Default is 9PM local time.
Value: DWord: Format HHMM (Decimal), for example 2130 for 9:30PM local time.
SSBScheduleDays
Description: Used to configure the days when System State Backup must be performed at the specified time.
Individual digits specify days of the week. 0 represents Sunday, 1 is Monday, and so on. Default day for
backup is Sunday.
Value: DWord: days of the week to run backup (decimal), for example 1230 schedules backups on Monday,
Tuesday, Wednesday, and Sunday.
SSBRetentionDays
Description: Used to configure the days to retain backup. Default value is 60. Maximum allowed value is 180.
Value: DWord: Days to retain backup (decimal).
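The three registry values above are easy to get wrong (digit order for the days, decimal versus hexadecimal entry), so the following added PowerShell example, which is not Microsoft's code, builds the DWord values from a schedule and decodes them back for checking. The function names are hypothetical, the lower retention bound of 1 is an assumption, and nothing is read from or written to the registry.

```powershell
# Added example (not Microsoft's code). Function names are hypothetical.
# Computes and validates the decimal DWord values for SSBScheduleTime,
# SSBScheduleDays and SSBRetentionDays; it does not touch the registry.

function ConvertTo-SsbScheduleValue {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [System.DayOfWeek[]] $Days,
        [Parameter(Mandatory)] [ValidateRange(0, 23)] [int] $Hour,
        [Parameter(Mandatory)] [ValidateRange(0, 59)] [int] $Minute,
        # Upper bound 180 is from the page; the lower bound 1 is an assumption.
        [ValidateRange(1, 180)] [int] $RetentionDays = 60
    )

    # [System.DayOfWeek] numbers Sunday = 0, Monday = 1, ... Saturday = 6,
    # the same digit scheme the page describes.
    $digits = @($Days | ForEach-Object { [int]$_ } | Sort-Object -Unique)

    # The value is stored as an integer, so a leading 0 would be dropped.
    # Emit non-zero digits first and Sunday (0) last, as in the page's 1230.
    $ordered = @($digits | Where-Object { $_ -ne 0 }) + @($digits | Where-Object { $_ -eq 0 })

    [pscustomobject]@{
        SSBScheduleTime  = $Hour * 100 + $Minute
        SSBScheduleDays  = [int](-join $ordered)
        SSBRetentionDays = $RetentionDays
    }
}

function ConvertFrom-SsbScheduleValue {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [ValidateRange(0, 2359)] [int] $SSBScheduleTime,
        [Parameter(Mandatory)] [ValidateRange(0, 6543210)] [int] $SSBScheduleDays,
        [Parameter(Mandatory)] [ValidateRange(1, 180)] [int] $SSBRetentionDays
    )

    # Split HHMM; the range check above already caps the hour at 23.
    $hour   = [int][math]::Floor($SSBScheduleTime / 100)
    $minute = $SSBScheduleTime % 100
    if ($minute -gt 59) {
        throw "SSBScheduleTime $SSBScheduleTime is not a valid HHMM value."
    }

    # Each decimal digit is one day of the week.
    $days = foreach ($ch in $SSBScheduleDays.ToString().ToCharArray()) {
        $digit = [int][string]$ch
        if ($digit -gt 6) {
            throw "Digit $digit in SSBScheduleDays $SSBScheduleDays is not a day (0-6)."
        }
        [System.DayOfWeek]$digit
    }
    if (@($days | Sort-Object -Unique).Count -ne @($days).Count) {
        throw "SSBScheduleDays $SSBScheduleDays repeats a day digit."
    }

    [pscustomobject]@{
        Time          = '{0:D2}:{1:D2}' -f $hour, $minute
        Days          = @($days)
        RetentionDays = $SSBRetentionDays
    }
}

# Constructed input: the page's own examples (Mon, Tue, Wed, Sun at 9:30 PM).
$values = ConvertTo-SsbScheduleValue -Days Monday, Tuesday, Wednesday, Sunday -Hour 21 -Minute 30
$values

# Round-trip the values to confirm they decode to the intended schedule.
ConvertFrom-SsbScheduleValue -SSBScheduleTime $values.SSBScheduleTime `
    -SSBScheduleDays $values.SSBScheduleDays -SSBRetentionDays $values.SSBRetentionDays

# Constructed failure case: 2130 typed into regedit with Base left at
# Hexadecimal is stored as 0x2130, which is not a valid decimal HHMM value.
try {
    ConvertFrom-SsbScheduleValue -SSBScheduleTime 0x2130 -SSBScheduleDays 1230 -SSBRetentionDays 60
}
catch {
    "Rejected: $($_.Exception.Message)"
}
```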
Next steps
Get more details about backing up Windows machines.
Now that you've backed up your files and folders, you can manage your vaults and servers.
If you need to restore a backup, use this article to restore files to a Windows machine.
Restore files to a Windows server or Windows client
machine using Resource Manager deployment
model
8/16/2017 7 min to read
This article explains how to restore data from a backup vault. To restore data, you use the Recover Data wizard in
the Microsoft Azure Recovery Services (MARS) agent. When you restore data, it is possible to:
Restore data to the same machine from which the backups were taken.
Restore data to an alternate machine.
In January 2017, Microsoft released a Preview update to the MARS agent. Along with bug fixes, this update
enables Instant Restore, which allows you to mount a writeable recovery point snapshot as a recovery volume.
You can then explore the recovery volume and copy files to a local computer, thereby selectively restoring files.
NOTE
The January 2017 Azure Backup update is required if you want to use Instant Restore to restore data. Also, the backup data
must be protected in vaults in locales listed in the support article. Consult the January 2017 Azure Backup update for the
latest list of locales that support Instant Restore. Instant Restore is not currently available in all locales.
Instant Restore is available for use in Recovery Services vaults in the Azure portal and Backup vaults in the classic
portal. If you want to use Instant Restore, download the MARS update, and follow the procedures that mention
Instant Restore.
NOTE
Azure has two different deployment models for creating and working with resources: Resource Manager and classic. This
article covers using the Resource Manager deployment model, which Microsoft recommends for new deployments instead
of the classic deployment model.
4. On the Select Recovery Mode pane, choose Individual files and folders and then click Next.
5. On the Select Volume and Date pane, select the volume that contains the files and/or folders you want to
restore.
On the calendar, select a recovery point. You can restore from any recovery point in time. Dates in bold
indicate the availability of at least one recovery point. Once you select a date, if multiple recovery points are
available, choose the specific recovery point from the Time drop-down menu.
6. Once you have chosen the recovery point to restore, click Mount.
Azure Backup mounts the local recovery point, and uses it as a recovery volume.
7. On the Browse and Recover Files pane, click Browse to open Windows Explorer and find the files and
folders you want.
8. In Windows Explorer, copy the files and/or folders you want to restore and paste them to any location local
to the server or computer. You can open or stream the files directly from the recovery volume and verify
the correct versions are recovered.
9. When you are finished restoring the files and/or folders, on the Browse and Recover Files pane, click
Unmount. Then click Yes to confirm that you want to unmount the volume.
IMPORTANT
If you do not click Unmount, the Recovery Volume will remain mounted for 6 hours from the time when it was
mounted. However, the mount time is extended up to a maximum of 24 hours in case of an ongoing file-copy. No
backup operations will run while the volume is mounted. Any backup operation scheduled to run during the time
when the volume is mounted will run after the recovery volume is unmounted.
NOTE
Backups can't be restored to a target machine running an earlier version of the operating system. For example, a backup
taken from a Windows 7 computer can be restored on a Windows 8, or later, computer. A backup taken from a Windows 8
computer cannot be restored to a Windows 7 computer.
5. Provide the vault credential file that corresponds to the Sample vault, and click Next.
If the vault credential file is invalid (or expired), download a new vault credential file from the Sample vault
in the Azure portal. Once you provide a valid vault credential, the name of the corresponding Backup Vault
appears.
6. On the Select Backup Server pane, select the Source machine from the list of displayed machines and
provide the passphrase. Then click Next.
7. On the Select Recovery Mode pane, select Individual files and folders and click Next.
8. On the Select Volume and Date pane, select the volume that contains the files and/or folders you want to
restore.
On the calendar, select a recovery point. You can restore from any recovery point in time. Dates in bold
indicate the availability of at least one recovery point. Once you select a date, if multiple recovery points are
available, choose the specific recovery point from the Time drop-down menu.
9. Click Mount to locally mount the recovery point as a recovery volume on your Target machine.
10. On the Browse and Recover Files pane, click Browse to open Windows Explorer and find the files and
folders you want.
11. In Windows Explorer, copy the files and/or folders from the recovery volume and paste them to your
Target machine location. You can open or stream the files directly from the recovery volume and verify the
correct versions are recovered.
12. When you are finished restoring the files and/or folders, on the Browse and Recover Files pane, click
Unmount. Then click Yes to confirm that you want to unmount the volume.
IMPORTANT
If you do not click Unmount, the Recovery Volume will remain mounted for 6 hours from the time when it was
mounted. However, the mount time is extended up to a maximum of 24 hours in case of an ongoing file-copy. No
backup operations will run while the volume is mounted. Any backup operation scheduled to run during the time
when the volume is mounted will run after the recovery volume is unmounted.
Troubleshooting
If Azure Backup does not successfully mount the recovery volume within several minutes of clicking Mount, or
fails to mount the recovery volume with one or more errors, follow the steps below to begin recovering normally.
1. Cancel the ongoing mount process in case it has been running for several minutes.
2. Ensure that you are on the latest version of the Azure Backup agent. To find out the version information of
Azure Backup agent, click on About Microsoft Azure Recovery Services Agent on the Actions pane of
Microsoft Azure Backup console and ensure that the Version number is equal to or higher than the version
mentioned in this article. You can download the latest version from here.
3. Go to Device Manager -> Storage Controllers and ensure that you can locate Microsoft iSCSI Initiator.
If you can locate it, go directly to step 7 below.
4. If you cannot locate Microsoft iSCSI Initiator service as mentioned in step 3, check to see if you can find an
entry under Device Manager -> Storage Controllers called Unknown Device with Hardware ID
ROOT\ISCSIPRT.
5. Right click on Unknown Device and select Update Driver Software.
6. Update the driver by selecting the option to Search automatically for updated driver software.
When the update completes, Unknown Device should change to Microsoft iSCSI Initiator.
7. Go to Task Manager -> Services (Local) -> Microsoft iSCSI Initiator Service.
8. Restart the Microsoft iSCSI Initiator service: right-click the service and click Stop, then right-click it
again and click Start.
9. Retry recovering using Instant Restore.
If the recovery still fails, reboot your server/client. If a reboot is not desirable or the recovery still fails even after
rebooting the server, try recovering from an Alternate Machine, and contact Azure Support by going to Azure
Portal and submitting a support request.
Next steps
Now that you've recovered your files and folders, you can manage your backups.
Restore System State to Windows Server
8/18/2017 7 min to read
This article explains how to restore Windows Server System State backups from an Azure Recovery Services vault.
To restore System State, you must have a System State backup (created using the instructions in Back up System
State), and make sure you have installed the latest version of the Microsoft Azure Recovery Services (MARS) agent.
Recovering Windows Server System State data from an Azure Recovery Services vault is a two-step process:
1. Restore System State as files from Azure Backup. When restoring System State as files from Azure Backup,
you can either:
Restore System State to the same server where the backups were taken, or
Restore System State file to an alternate server.
2. Apply the restored System State files to a Windows Server.
3. On the Getting Started pane, to restore the data to the same server or computer, select This server
(<server name>) and click Next.
4. On the Select Recovery Mode pane, choose System State and then click Next.
5. On the calendar in Select Volume and Date pane, select a recovery point.
You can restore from any recovery point in time. Dates in bold indicate the availability of at least one
recovery point. Once you select a date, if multiple recovery points are available, choose the specific recovery
point from the Time drop-down menu.
6. Once you have chosen the recovery point to restore, click Next.
Azure Backup mounts the local recovery point, and uses it as a recovery volume.
7. On the next pane, specify the destination for the recovered System State files and click Browse to open
Windows Explorer and find the files and folders you want. The option, Create copies so that you have
both versions, creates copies of individual files in an existing System State file archive instead of creating
the copy of the entire System State archive.
8. Verify the details of recovery on the Confirmation pane and click Recover.
9. Copy the WindowsImageBackup directory in the Recovery destination to a non-critical volume of the server.
Usually, the Windows OS volume is the critical volume.
10. Once the recovery is successful, follow the steps in the section, Apply restored System State files to the
Windows Server, to complete the System State recovery process.
NOTE
Backups taken from one machine cannot be restored to a machine running an earlier version of the operating system. For
example, backups taken from a Windows Server 2016 machine can't be restored to Windows Server 2012 R2. However, the
inverse is possible. You can use backups from Windows Server 2012 R2 to restore Windows Server 2016.
5. Provide the vault credential file that corresponds to the Sample vault. If the vault credential file is invalid (or
expired), download a new vault credential file from the Sample vault in the Azure portal. Once the vault
credential file is provided, the Recovery Services vault associated with the vault credential file appears.
6. On the Select Backup Server pane, select the Source machine from the list of displayed machines.
7. On the Select Recovery Mode pane, choose System State and click Next.
8. On the Calendar in the Select Volume and Date pane, select a recovery point. You can restore from any
recovery point in time. Dates in bold indicate the availability of at least one recovery point. Once you select a
date, if multiple recovery points are available, choose the specific recovery point from the Time drop-down
menu.
9. Once you have chosen the recovery point to restore, click Next.
10. On the Select System State Recovery Mode pane, specify the destination where you want System State
files to be recovered, then click Next.
The option, Create copies so that you have both versions, creates copies of individual files in an existing
System State file archive instead of creating the copy of the entire System State archive.
11. Verify the details of recovery on the Confirmation pane, and click Recover.
12. Copy the WindowsImageBackup directory to a non-critical volume of the server (for example D:). Usually the
Windows OS volume is the critical volume.
13. To complete the recovery process, use the following section to apply the restored System State files on a
Windows Server.
2. After the reboot, open the Windows Server Backup snap-in. If you don't know where the snap-in was
installed, search the computer or server for Windows Server Backup.
The desktop app appears in the search results.
3. In the snap-in, select Local Backup.
4. On the Local Backup console, in the Actions Pane, click Recover to open the Recovery Wizard.
5. Select the option, A backup stored in another location, and click Next.
6. When specifying the location type, select Remote shared folder if your System State backup was recovered
to another server. If your System State was recovered locally, then select Local drives.
7. Enter the path to the WindowsImageBackup directory, or choose the local drive containing this directory (for
example, D:\WindowsImageBackup), recovered as part of the System State files recovery using Azure
Recovery Services Agent, and click Next.
8. Select the System State version that you want to restore, and click Next.
9. In the Select Recovery Type pane, select System State and click Next.
10. For the location of the System State Recovery, select Original Location, and click Next.
11. Review the confirmation details, verify the reboot settings, and click Recover to apply the restored System
State files.
6. Run the following command to get all volumes available in the backup.
Wbadmin get items -version:<copy version from above step> -backuptarget:<Backup volume>
7. The following command recovers all volumes that are part of the System State Backup. Note that this step
recovers only the critical volumes that are part of the System State. All non-System data is erased.
Next steps
Now that you've recovered your files and folders, you can manage your backups.
Monitor and manage Azure recovery services vaults
and servers for Windows machines
8/16/2017 8 min to read
In this article you'll find an overview of the backup monitor and management tasks available through the Azure
portal and the Microsoft Azure Backup agent. This article assumes you already have an Azure subscription and
have created at least one Recovery Services vault.
NOTE
Azure has two different deployment models for creating and working with resources: Resource Manager and classic. This
article covers using the Resource Manager deployment model, which Microsoft recommends for new deployments instead
of the classic deployment model.
3. You want to open a Recovery Services vault. In the dialog box, start typing Recovery Services. As you
begin typing, the list will filter based on your input. Click Recovery Services vaults to display the list of
Recovery Services vaults in your subscription.
The list of Recovery Services vaults opens.
4. From the list of vaults, select the name of the Recovery Services vault you want to open. The Recovery
Services vault dashboard blade opens.
Now that you have opened the Recovery Services vault, try any of the monitoring or management tasks.
Clicking the information in each of these tiles will open the associated blade where you manage related tasks.
From the top of the Dashboard:
Settings provides access to available backup tasks.
Backup - helps you back up new files and folders (or Azure VMs) to the Recovery Services vault.
Delete - If a recovery services vault is no longer being used, you can delete it to free up storage space. Delete is
only enabled after all protected servers have been deleted from the vault.
Informational None
Manage Backup alerts
Click the Backup Alerts tile to open the Backup Alerts blade and manage alerts.
If Per Alert is selected as the Notify frequency, no grouping or reduction in emails occurs. Every alert results in 1
notification. This is the default setting and the resolution email is also sent out immediately.
If Hourly Digest is selected as the Notify frequency, one email is sent to the user telling them that there are
unresolved new alerts generated in the last hour. A resolution email is sent out at the end of the hour.
Alerts can be sent for the following severity levels:
critical
warning
information
You inactivate the alert with the inactivate button in the job details blade. When you click inactivate, you can
provide resolution notes.
You choose the columns you want to appear as part of the alert with the Choose columns button.
NOTE
From the Settings blade, you manage backup alerts by selecting Monitoring and Reports > Alerts and Events >
Backup Alerts and then clicking Filter or Configure Notifications.
The Backup Items blade opens with the filter set to File-Folder where you see each specific backup item listed.
If you select a specific backup item from the list, you see the essential details for that item.
NOTE
From the Settings blade, you manage files and folders by selecting Protected Items > Backup Items and then selecting
File-Folders from the drop down menu.
Manage Backup jobs
Backup jobs for both on-premises (when the on-premises server is backing up to Azure) and Azure backups are
visible in the dashboard.
In the Backup section of the dashboard, the Backup job tile shows the number of jobs:
in progress
failed in the last 24 hours.
To manage your backup jobs, click the Backup Jobs tile, which opens the Backup Jobs blade.
You modify the information available in the Backup Jobs blade with the Choose columns button at the top of the
page.
Use the Filter button to select between Files and folders and Azure virtual machine backup.
If you don't see your backed up files and folders, click the Filter button at the top of the page and select Files and
folders from the Item Type menu.
NOTE
From the Settings blade, you manage backup jobs by selecting Monitoring and Reports > Jobs > Backup Jobs and
then selecting File-Folders from the drop down menu.
From the Actions available at the right of the backup agent console you perform the following management
tasks:
Register Server
Schedule Backup
Back Up now
Change Properties
NOTE
To Recover Data, see Restore files to a Windows server or Windows client machine.
2. In the Schedule Backup Wizard leave the Make changes to backup items or times option selected
and click Next.
3. If you want to add or change items, on the Select Items to Backup screen click Add Items.
You can also set Exclusion Settings from this page in the wizard. If you want to exclude files or file types
read the procedure for adding exclusion settings.
4. Select the files and folders you want to back up and click OK.
6. Select the Retention Policy for the backup copy and click Next.
Once you have enabled throttling, specify the allowed bandwidth for backup data transfer during Work
hours and Non-work hours.
The bandwidth values begin at 512 kilobytes per second (Kbps) and can go up to 1023 megabytes per
second (Mbps). You can also designate the start and finish for Work hours, and which days of the week
are considered Work days. The time outside of the designated Work hours is considered to be non-work
hours.
3. Click OK.
Next steps
Restore Windows Server or Windows Client from Azure
To learn more about Azure Backup, see Azure Backup Overview
Visit the Azure Backup Forum
Back up a Windows server or workstation to Azure
using the classic portal
8/11/2017 8 min to read
This article covers the procedures that you need to follow to prepare your environment and back up a Windows
server (or workstation) to Azure. It also covers considerations for deploying your backup solution. If you're
interested in trying Azure Backup for the first time, this article quickly walks you through the process.
Azure has two different deployment models for creating and working with resources: Resource Manager and
classic. This article covers using the classic deployment model. Microsoft recommends that most new deployments
use the Resource Manager model.
IMPORTANT
Starting March 2017, you can no longer use the classic portal to create Backup vaults.
You can now upgrade your Backup vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to a
Recovery Services vault. Microsoft encourages you to upgrade your Backup vaults to Recovery Services vaults.
October 15, 2017, you will no longer be able to use PowerShell to create Backup vaults.
Starting November 1, 2017:
Any remaining Backup vaults will be automatically upgraded to Recovery Services vaults.
You won't be able to access your backup data in the classic portal. Instead, use the Azure portal to access your backup
data in Recovery Services vaults.
NOTE
Make sure the vault credential file is saved in a location that can be accessed from your machine. If it is stored in a file
share or server message block, verify that you have the permissions to access it.
3. After the MARSAgentInstaller.exe file has downloaded, click Run (or double-click MARSAgentInstaller.exe
from the saved location).
4. Choose the installation folder and cache folder that are required for the agent, and then click Next. The cache
location you specify must have free space equal to at least 5 percent of the backup data.
5. You can continue to connect to the Internet through the default proxy settings. If you use a proxy server to
connect to the Internet, on the Proxy Configuration page, select the Use custom proxy settings check box, and
then enter the proxy server details. If you use an authenticated proxy, enter the user name and password details,
and then click Next.
6. Click Install to begin the agent installation. The Backup agent installs .NET Framework 4.5 and Windows
PowerShell (if it's not already installed) to complete the installation.
7. After the agent is installed, click Proceed to Registration to continue with the workflow.
8. On the Vault Identification page, browse to and select the vault credential file that you previously
downloaded.
The vault credential file is valid for only 48 hours after it's downloaded from the portal. If you encounter an
error on this page (such as Vault credentials file provided has expired), sign in to the portal and download
the vault credential file again.
Ensure that the vault credential file is available in a location that can be accessed by the setup application. If
you encounter access-related errors, copy the vault credential file to a temporary location on the same
machine and retry the operation.
If you encounter a vault credential error such as "Invalid vault credentials provided," the file is damaged or
does not have the latest credentials associated with the recovery service. Retry the operation after
downloading a new vault credential file from the portal. This error can also occur if a user clicks the
Download vault credential option several times in quick succession. In this case, only the last vault
credential file is valid.
9. On the Encryption Setting page, you can either generate a passphrase or provide a passphrase (with a minimum
of 16 characters). Remember to save the passphrase in a secure location.
10. Click Finish. The Register Server Wizard registers the server with Backup.
WARNING
If you lose or forget the passphrase, Microsoft cannot help you recover the backup data. You own the encryption
passphrase, and Microsoft does not have visibility into the passphrase that you use. Save the file in a secure location
because it will be required during a recovery operation.
11. After the encryption key is set, leave the Launch Microsoft Azure Recovery Services Agent check box
selected, and then click Close.
NOTE
For more information about how to specify the backup schedule, see the article Use Azure Backup to replace your
tape infrastructure.
8. On the Select Retention Policy page, select the Retention Policy for the backup copy.
The retention policy specifies the duration for which the backup will be stored. Rather than just specifying a
flat policy for all backup points, you can specify different retention policies based on when the backup
occurs. You can modify the daily, weekly, monthly, and yearly retention policies to meet your needs.
9. On the Choose Initial Backup Type page, choose the initial backup type. Leave the option Automatically
over the network selected, and then click Next.
You can back up automatically over the network, or you can back up offline. The remainder of this article
describes the process for backing up automatically. If you prefer to do an offline backup, review the article
Offline backup workflow in Azure Backup for additional information.
10. On the Confirmation page, review the information, and then click Finish.
11. After the wizard finishes creating the backup schedule, click Close.
Enable network throttling (optional)
The Backup agent provides network throttling. Throttling controls how network bandwidth is used during data
transfer. This control can be helpful if you need to back up data during work hours but do not want the backup
process to interfere with other Internet traffic. Throttling applies to backup and restore activities.
To enable network throttling
1. In the Backup agent, click Change Properties.
2. On the Throttling tab, select the Enable internet bandwidth usage throttling for backup operations
check box.
3. After you have enabled throttling, specify the allowed bandwidth for backup data transfer during Work
hours and Non-work hours.
The bandwidth values begin at 512 kilobits per second (Kbps) and can go up to 1,023 megabytes per second
(MBps). You can also designate the start and finish for Work hours, and which days of the week are
considered work days. Hours outside of designated work hours are considered non-work hours.
4. Click OK.
To back up now
1. In the Backup agent, click Back Up Now to complete the initial seeding over the network.
2. On the Confirmation page, review the settings that the Back Up Now Wizard will use to back up the machine.
Then click Back Up.
3. Click Close to close the wizard. If you do this before the backup process finishes, the wizard continues to run in
the background.
After the initial backup is completed, the Job completed status appears in the Backup console.
Next steps
Sign up for a free Azure account.
For additional information about backing up VMs or other workloads, see:
Back up IaaS VMs
Back up workloads to Azure with Microsoft Azure Backup Server
Back up workloads to Azure with DPM
Manage Azure Backup vaults and servers using the classic deployment model
8/21/2017 5 min to read
In this article you'll find an overview of the backup management tasks available through the Azure classic portal
and the Microsoft Azure Backup agent.
IMPORTANT
Azure has two different deployment models for creating and working with resources: Resource Manager and Classic. This
article covers using the Classic deployment model. Microsoft recommends that most new deployments use the Resource
Manager model.
IMPORTANT
You can now upgrade your Backup vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to a
Recovery Services vault. Microsoft encourages you to upgrade your Backup vaults to Recovery Services vaults.
After October 15, 2017, you can't use PowerShell to create Backup vaults. By November 1, 2017:
All remaining Backup vaults will be automatically upgraded to Recovery Services vaults.
You won't be able to access your backup data in the classic portal. Instead, use the Azure portal to access your backup
data in Recovery Services vaults.
By selecting the options at the top of the Quick Start page, you can see the available management tasks.
Dashboard
Select Dashboard to see the usage overview for the server. The usage overview includes:
The number of Windows Servers registered to cloud
The number of Azure virtual machines protected in cloud
The total storage consumed in Azure
The status of recent jobs
At the bottom of the Dashboard you can perform the following tasks:
Manage certificate - If a certificate was used to register the server, then use this to update the certificate. If you
are using vault credentials, do not use Manage certificate.
Delete - Deletes the current backup vault. If a backup vault is no longer being used, you can delete it to free up
storage space. Delete is only enabled after all registered servers have been deleted from the vault.
Registered items
Select Registered Items to view the names of the servers that are registered to this vault.
The Type filter defaults to Azure Virtual Machine. To view the names of the servers that are registered to this vault,
select Windows server from the drop-down menu.
From here you can perform the following tasks:
Allow Re-registration - When this option is selected for a server you can use the Registration Wizard in the
on-premises Microsoft Azure Backup agent to register the server with the backup vault a second time. You
might need to re-register due to an error in the certificate or if a server had to be rebuilt.
Delete - Deletes a server from the backup vault. All of the stored data associated with the server is deleted
immediately.
Protected items
Select Protected Items to view the items that have been backed up from the servers.
Configure
From the Configure tab you can select the appropriate storage redundancy option. The best time to select the
storage redundancy option is right after creating a vault and before any machines are registered to it.
WARNING
Once an item has been registered to the vault, the storage redundancy option is locked and cannot be modified.
From the Actions available at the right of the backup agent console you can perform the following management
tasks:
Register Server
Schedule Backup
Back Up Now
Change Properties
NOTE
To Recover Data, see Restore files to a Windows server or Windows client machine.
2. In the Schedule Backup Wizard leave the Make changes to backup items or times option selected and
click Next.
3. If you want to add or change items, on the Select Items to Backup screen click Add Items.
You can also set Exclusion Settings from this page in the wizard. If you want to exclude files or file types
read the procedure for adding exclusion settings.
4. Select the files and folders you want to back up and click Okay.
6. Select the Retention Policy for the backup copy and click Next.
3. Once you have enabled throttling, specify the allowed bandwidth for backup data transfer during Work
hours and Non-work hours.
The bandwidth values begin at 512 kilobytes per second (Kbps) and can go up to 1023 megabytes per
second (Mbps). You can also designate the start and finish for Work hours, and which days of the week are
considered Work days. The time outside of the designated Work hours is considered to be non-work hours.
4. Click OK.
Exclusion settings
1. Open the Microsoft Azure Backup agent (you can find it by searching your machine for Microsoft Azure
Backup).
This article explains how to recover data from a backup vault and restore it to a server or computer. Starting in
March 2017, you can no longer create backup vaults in the classic portal.
IMPORTANT
You can now upgrade your Backup vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to a
Recovery Services vault. Microsoft encourages you to upgrade your Backup vaults to Recovery Services vaults.
After October 15, 2017, you will no longer be able to use PowerShell to create Backup vaults.
Starting November 1, 2017:
Any remaining Backup vaults will be automatically upgraded to Recovery Services vaults.
You won't be able to access your backup data in the classic portal. Instead, use the Azure portal to access your backup
data in Recovery Services vaults.
To restore data, you use the Recover Data wizard in the Microsoft Azure Recovery Services (MARS) agent. When
you restore data, it is possible to:
Restore data to the same machine from which the backups were taken.
Restore data to an alternate machine.
In January 2017, Microsoft released a Preview update to the MARS agent. Along with bug fixes, this update enables
Instant Restore, which allows you to mount a writeable recovery point snapshot as a recovery volume. You can
then explore the recovery volume and copy files to a local computer, thereby selectively restoring files.
NOTE
The January 2017 Azure Backup update is required if you want to use Instant Restore to restore data. Also, the backup data
must be protected in vaults in locales listed in the support article. Consult the January 2017 Azure Backup update for the
latest list of locales that support Instant Restore. Instant Restore is not currently available in all locales.
Instant Restore is available for use in Recovery Services vaults in the Azure portal and Backup vaults in the classic
portal. If you want to use Instant Restore, download the MARS update, and follow the procedures that mention
Instant Restore.
4. On the Select Recovery Mode pane, choose Individual files and folders and then click Next.
5. On the Select Volume and Date pane, select the volume that contains the files and/or folders you want to
restore.
On the calendar, select a recovery point. You can restore from any recovery point in time. Dates in bold
indicate the availability of at least one recovery point. Once you select a date, if multiple recovery points are
available, choose the specific recovery point from the Time drop-down menu.
6. Once you have chosen the recovery point to restore, click Mount.
Azure Backup mounts the local recovery point, and uses it as a recovery volume.
7. On the Browse and Recover Files pane, click Browse to open Windows Explorer and find the files and
folders you want.
8. In Windows Explorer, copy the files and/or folders you want to restore and paste them to any location local
to the server or computer. You can open or stream the files directly from the recovery volume and verify the
correct versions are recovered.
9. When you are finished restoring the files and/or folders, on the Browse and Recover Files pane, click
Unmount. Then click Yes to confirm that you want to unmount the volume.
IMPORTANT
If you do not click Unmount, the Recovery Volume will remain mounted for six hours from the time when it was
mounted. No backup operations will run while the volume is mounted. Any backup operation scheduled to run
during the time when the volume is mounted will run after the recovery volume is unmounted.
3. Select the This server (yourmachinename) option to restore the backed up file on the same machine.
4. Choose to Browse for files or Search for files.
Leave the default option if you plan to restore one or more files whose path is known. If you are not sure
about the folder structure but would like to search for a file, pick the Search for files option. For the
purpose of this section, we will proceed with the default option.
5. Select the volume from which you wish to restore the file.
You can restore from any point in time. Dates which appear in bold in the calendar control indicate the
availability of a restore point. Once a date is selected, based on your backup schedule (and the success of a
backup operation), you can select a point in time from the Time drop-down menu.
6. Select the items to recover. You can multi-select folders/files you wish to restore.
You have an option of restoring to the original location (in which the file/folder would be overwritten) or
to another location in the same machine.
If the file/folder you wish to restore exists in the target location, you can create copies (two versions of
the same file), overwrite the files in the target location, or skip the recovery of the files which exist in the
target.
It is highly recommended that you leave the default option of restoring the ACLs on the files which are
being recovered.
8. Once these inputs are provided, click Next. The recovery workflow, which restores the files to this machine, will
begin.
NOTE
Backups taken from a machine cannot be restored on a machine which is running an earlier version of the operating system.
For example, backups taken from a Windows 7 machine can be restored on a machine running Windows 8 or later.
However, the reverse does not hold true.
7. Select either the Search for files or Browse for files option. For the purpose of this section, we will use the
Search for files option.
8. Select the volume and date in the next screen. Search for the folder/file name you want to restore.
11. Once the input is provided, click Recover, which triggers the restore of the backed up files to the destination
provided.
NOTE
Backups can't be restored to a target machine running an earlier version of the operating system. For example, a backup
taken from a Windows 7 computer can be restored on a Windows 8, or later, computer. A backup taken from a Windows 8
computer cannot be restored to a Windows 7 computer.
8. On the Select Volume and Date pane, select the volume that contains the files and/or folders you want to
restore.
On the calendar, select a recovery point. You can restore from any recovery point in time. Dates in bold
indicate the availability of at least one recovery point. Once you select a date, if multiple recovery points are
available, choose the specific recovery point from the Time drop-down menu.
9. Click Mount to locally mount the recovery point as a recovery volume on your Target machine.
10. On the Browse and Recover Files pane, click Browse to open Windows Explorer and find the files and
folders you want.
11. In Windows Explorer, copy the files and/or folders from the recovery volume and paste them to your Target
machine location. You can open or stream the files directly from the recovery volume and verify the correct
versions are recovered.
12. When you are finished restoring the files and/or folders, on the Browse and Recover Files pane, click
Unmount. Then click Yes to confirm that you want to unmount the volume.
IMPORTANT
If you do not click Unmount, the Recovery Volume will remain mounted for six hours from the time when it was
mounted. No backup operations will run while the volume is mounted. Any backup operation scheduled to run
during the time when the volume is mounted will run after the recovery volume is unmounted.
Next steps
Azure Backup FAQ
Visit the Azure Backup Forum.
Learn more
Azure Backup Overview
Backup Azure virtual machines
Back up Microsoft workloads
Recovery Services vaults overview
10/18/2017 3 min to read
This article describes the features of a Recovery Services vault. A Recovery Services vault is a storage entity in
Azure that houses data. The data is typically copies of data, or configuration information for virtual machines (VMs),
workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure
services such as IaaS VMs (Linux or Windows) and Azure SQL databases. Recovery Services vaults support System
Center DPM, Windows Server, Azure Backup Server, and more. Recovery Services vaults make it easy to organize
your backup data, while minimizing management overhead.
Within an Azure subscription, you can create up to 25 Recovery Services vaults.
If multiple servers are protected using the same Recovery Services vault, it may be more logical to look at the
Recovery Services vault. You can search for all Recovery Services vaults in the subscription, and choose one from
the list.
The following sections contain links to articles that explain how to use a Recovery Services vault in each type of
activity.
Back up data
Back up an Azure VM
Back up Windows Server or Windows workstation
Back up DPM workloads to Azure
Prepare to back up workloads using Azure Backup Server
Manage recovery points
Manage Azure VM backups
Managing files and folders
Restore data from the vault
Recover individual files from an Azure VM
Restore an Azure VM
Secure the vault
Securing cloud backup data in Recovery Services vaults
Next Steps
Use the following articles to:
Back up an IaaS VM
Back up an Azure Backup Server
Back up a Windows Server
Upgrade a Backup vault to a Recovery Services vault
10/4/2017 9 min to read
This article explains how to upgrade a Backup vault to a Recovery Services vault. The upgrade process doesn't
impact any running backup jobs, and no backup data is lost. The primary reasons to upgrade a Backup vault to a
Recovery Services vault:
All features of a Backup vault are retained in a Recovery Services vault.
Recovery Services vaults have more features than Backup vaults, including: better security, integrated
monitoring, faster restores and item-level restores.
Manage backup items from an improved, simplified portal.
New features only apply to Recovery Services vaults.
NOTE
Resource Group names have constraints. Be sure to follow the guidance; failure to do so could cause vault upgrades to
fail.
Azure US Government customers need to set the environment to AzureUSGovernment while running the script.
Azure China customers need to set the environment to AzureChinaCloud while running the script.
The following code snippet is an example of what your PowerShell command should look like:
You can also run the script without any parameters and you are asked to provide inputs for all required
parameters.
The PowerShell script prompts you to enter your credentials. Enter your credentials twice: once for the Service
Manager account, and a second time for the Resource Manager account.
Prerequisites checking
Once you have entered your Azure credentials, Azure checks that your environment meets the following
prerequisites:
Minimum agent version - Upgrading Backup vaults to Recovery Services vaults requires the MARS agent
to be at least version 2.0.9083.0. If you have items registered to a Backup vault with an agent earlier than
2.0.9083.0, the prerequisite check fails. If the prerequisite check fails, update the agent and try to upgrade the
vault again. You can download the latest version of the agent from
http://download.microsoft.com/download/F/4/B/F4B06356-150F-4DB0-8AD8-95B4DB4BBF7C/MARSAgentInstaller.exe.
On-going configuration jobs: If someone is configuring a job for a Backup vault set to be upgraded, or
registering an item, the prerequisite check fails. Complete the configuration, or finish registering the item,
and then start the vault upgrade process.
Storage-based billing model: Recovery Services vaults support the Instance-based billing model. If you
run the vault upgrade on a Backup vault that uses the Storage-based billing model, you are prompted to
upgrade your billing model along with the vault. Otherwise, you can update your billing model first, and then
run the vault upgrade.
Identify a Resource Group for the Recovery Services vault. To take advantage of the Resource Manager
deployment features, you must put a Recovery Services vault in a Resource Group. If you don't know which
Resource Group to use, provide a name and the upgrade process creates the Resource Group for you. The
upgrade process also associates the vault with the new Resource Group.
Once the upgrade process finishes checking the prerequisites, the process prompts you to start the vault
upgrade. After you confirm, the upgrade process typically takes around 15-20 minutes to complete, depending
on the size of your vault. If you have a large vault, upgrading can take up to 90 minutes.
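The minimum-agent-version prerequisite can be checked across servers before the upgrade is started. This added example is not the upgrade script's own check: Test-MarsAgentVersion is a hypothetical helper and the inventory is constructed sample data. It compares versions as [version] objects because a plain string comparison would rank 2.0.10001.0 below 2.0.9083.0.

```powershell
# Minimum MARS agent version this article gives for the vault upgrade.
$MinimumAgentVersion = [version]'2.0.9083.0'

function Test-MarsAgentVersion {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Server,

        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string]$AgentVersion,

        [version]$Minimum = $MinimumAgentVersion
    )

    $parsed = $null
    if (-not [version]::TryParse($AgentVersion, [ref]$parsed)) {
        # Missing or malformed version: report it instead of guessing, so the
        # server is checked by hand before the upgrade is started.
        $status = 'Unknown'
    }
    elseif ($parsed -lt $Minimum) {
        # Numeric, field-by-field comparison of major.minor.build.revision.
        $status = 'UpdateAgent'
    }
    else {
        $status = 'OK'
    }

    [pscustomobject]@{
        Server       = $Server
        AgentVersion = $AgentVersion
        Status       = $status
    }
}

# Constructed inventory: server names and versions are sample values.
$inventory = @(
    @{ Server = 'FS01'; AgentVersion = '2.0.9083.0' }   # exactly the minimum
    @{ Server = 'FS02'; AgentVersion = '2.0.8719.0' }   # older than the minimum
    @{ Server = 'FS03'; AgentVersion = '2.0.10001.0' }  # newer; a string compare gets this wrong
    @{ Server = 'FS04'; AgentVersion = '' }             # version not collected
)

$results = foreach ($item in $inventory) {
    Test-MarsAgentVersion -Server $item.Server -AgentVersion $item.AgentVersion
}
$results | Format-Table -AutoSize

# One agent below the minimum is enough to fail the prerequisite check.
$blocking = @($results | Where-Object { $_.Status -ne 'OK' })
if ($blocking.Count -gt 0) {
    Write-Warning ("{0} server(s) need attention before the vault upgrade: {1}" -f `
        $blocking.Count, (($blocking | ForEach-Object { $_.Server }) -join ', '))
}
```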
The second screen shows the help links available to help you get started using the Recovery Services vault.
Post-upgrade steps
Recovery Services vaults support specifying time zone information in a backup policy. After the vault is successfully
upgraded, go to Backup policies from the vault settings menu and update the time zone information for each of the
policies configured in the vault. This screen already shows the backup schedule time specified as per the local time
zone used when you created the policy.
Enhanced security
When a Backup vault is upgraded to a Recovery Services vault, the security settings for that vault are
automatically turned on. When the security settings are on, certain operations, such as deleting backups or
changing a passphrase, require an Azure Multi-Factor Authentication PIN. For more information on the
enhanced security, see the article Security features to protect hybrid backups.
When the enhanced security is turned on, data is retained up to 14 days after the recovery point information has
been deleted from the vault. Customers are billed for storage of this security data. Security data retention
applies to recovery points taken for the Azure Backup agent, Azure Backup Server, and System Center Data
Protection Manager.
Next steps
Use the following article to:
Back up an IaaS VM
Back up an Azure Backup Server
Back up a Windows Server.
Delete a Recovery Services vault
8/11/2017 9 min to read
The Azure Backup service has two types of vaults - the Backup vault and the Recovery Services vault. The Backup
vault came first. Then the Recovery Services vault came along to support the expanded Resource Manager
deployments. Because of the expanded capabilities and the information dependencies that must be stored in the
vault, deleting a Backup or Recovery Services vault can be confusing. This article explains how to delete the vaults in
the classic portal and the Azure portal.
NOTE
Backup vaults cannot protect Resource Manager-deployed solutions. However, you can use a Recovery Services vault to
protect classically deployed servers and VMs.
IMPORTANT
You can now upgrade your Backup vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to a
Recovery Services vault. Microsoft encourages you to upgrade your Backup vaults to Recovery Services vaults.
After October 15, 2017, you will no longer be able to use PowerShell to create Backup vaults.
Starting November 1, 2017:
Any remaining Backup vaults will be automatically upgraded to Recovery Services vaults.
You won't be able to access your backup data in the classic portal. Instead, use the Azure portal to access your backup
data in Recovery Services vaults.
In this article, we use the term, vault, to refer to the generic form of the Backup vault or Recovery Services vault. We
use the formal name, Backup vault, or Recovery Services vault, when it is necessary to distinguish between the
vaults.
The list of Recovery Services vaults is displayed. From the list, select the vault you want to delete.
2. In the vault view, look at the Essentials pane. To delete a vault, there cannot be any protected items. If you
see a number other than zero, under either Backup Items or Backup management servers, you must
remove those items before you can delete the vault.
VMs and Files/Folders are considered Backup Items, and are listed in the Backup Items area of the
Essentials pane. A DPM server is listed in the Backup Management Server area of the Essentials pane.
Replicated Items pertain to the Azure Site Recovery service.
3. To begin removing the protected items from the vault, find the items in the vault. In the vault dashboard click
Settings, and then click Backup items to open that blade.
The Backup Items blade has separate lists, based on the Item Type: Azure Virtual Machines or File-Folders
(see image). The default Item Type list shown is Azure Virtual Machines. To view the list of File-Folders items
in the vault, select File-Folders from the drop-down menu.
4. Before you can delete an item from the vault protecting a VM, you must stop the item's backup job and
delete the recovery point data. For each item in the vault, follow these steps:
a. On the Backup Items blade, right-click the item, and from the context menu, select Stop backup.
When there are no items in the list, scroll to the Essentials pane in the Backup vault blade. There shouldn't
be any Backup items, Backup management servers, or Replicated items listed. If items still appear in
the vault, return to step three and choose a different item type list.
5. When there are no more items in the vault toolbar, click Delete.
6. To verify that you want to delete the vault, click Yes.
The vault is deleted and the portal returns to the New service menu.
If there are Backup management servers registered to the vault, you can't delete the vault even if there is no
data in the vault. If you deleted the Backup management servers associated with the vault, but there are
servers listed in the Essentials pane, see Find the Backup management servers registered to the vault.
5. To verify that you want to delete the vault, click Yes.
The vault is deleted and the portal returns to the New service menu.
2. On the Production Servers blade, right-click on the server, and click Delete.
4. In the Stop protection of 'your vault' dialog, check Delete associated backup data and click .
Optionally, you can choose a reason for stopping protection, and provide a comment.
After deleting the items in the vault, the vault will be empty.
5. In the list of tabs, click Registered Items. The Type drop-down menu enables you to choose the type of
server registered to the vault. The type can be Windows Server or Azure Virtual Machine. In the following
example, select the virtual machine registered to the vault, and click Unregister.
If you want to delete the registration for a Windows Server, from the Type drop-down menu, select
Windows Server, click to refresh the screen, and then click Delete.
6. In the list of tabs, click Dashboard to open that tab. Verify there are no registered servers or Azure virtual
machines protected in the cloud. Also, verify there is no data in storage. Click Delete to delete the vault.
The Delete Backup vault confirmation screen opens. Select an option why you're deleting the vault, and click
.
The vault is deleted, and you return to the classic portal dashboard.
Find the Backup Management servers registered to the vault
If you have multiple servers registered to a vault, it can be difficult to remember them. To see the servers registered
to the vault, and delete them:
1. Open the vault dashboard.
2. In the Essentials pane, click Settings to open that blade.
5. To delete a server from the list, right-click the name of the server and then click Delete. The Delete blade
opens.
6. On the Delete blade, provide the name of the server. If it is a long name, you can copy and paste it from the list
of Backup Management Servers. Then click Delete.
Troubleshoot Azure virtual machine backup
10/9/2017 18 min to read
You can troubleshoot errors encountered while using Azure Backup with information listed in the table below.
Backup
Error: The specified Disk Configuration is not supported
Currently Azure Backup doesn't support disk sizes greater than 1023 GB.
If you have disks greater than 1 TB, attach new disks which are less than 1 TB.
Then, copy the data from the disks greater than 1 TB onto the newly created disk(s) of size less than 1 TB.
Ensure that all data has been copied, and remove the disks greater than 1 TB.
Initiate the backup.
Could not perform the operation as VM no longer exists. - This happens when the primary VM is deleted, but the backup
Stop protecting virtual machine without deleting backup data. policy continues looking for a VM to back up. To fix this error:
More details at http://go.microsoft.com/fwlink/? 1. Recreate the virtual machine with the same name and
LinkId=808124 same resource group name [cloud service name],
(OR)
2. Stop protecting virtual machine with or without
deleting the backup data. More details
Snapshot operation failed due to no network connectivity on This error is thrown when you deny the outbound internet
the virtual machine - Ensure that VM has network access. For connectivity on the virtual machine. Internet connectivity is
snapshot to succeed, either whitelist Azure datacenter IP required for VM snapshot extension to take a snapshot of
ranges or set up a proxy server for network access. For more underlying disks of the virtual machine. Learn more on how to
details, refer to http://go.microsoft.com/fwlink/? fix snapshot failures due to blocked network access.
LinkId=800034. If you are already using proxy server, make
sure that proxy server settings are configured correctly
VM agent is unable to communicate with the Azure Backup This error is thrown if there is a problem with the VM Agent
Service. - Ensure the VM has network connectivity and the or network access to the Azure infrastructure is blocked in
VM agent is latest and running. For more information, please some way. Learn more about debugging up VM snapshot
refer to http://go.microsoft.com/fwlink/?LinkId=800034 issues.
If the VM agent is not causing any issues, then restart the
VM. At times an incorrect VM state can cause issues, and
restarting the VM resets this "bad state".
VM is in Failed Provisioning State - Please restart the VM and This occurs when one of the extension failures leads VM state
make sure that the VM is in Running or Shut-down state for to be in failed provisioning state. Go to extensions list and see
backup if there is a failed extension, remove it and try restarting the
virtual machine. If all extensions are in running state, check if
VM agent service is running. If not, restart the VM agent
service.
VMSnapshot extension operation failed for managed disks - This error when Azure Backup service fails to trigger a
Please retry the backup operation. If the issue repeats, follow snapshot. Learn more about debugging VM snapshot issues.
the instructions at 'http://go.microsoft.com/fwlink/?
LinkId=800034'. If it fails further, please contact Microsoft
support
ERROR DETAILS WORKAROUND
Could not copy the snapshot of the virtual machine, due to In case of premium VMs, we copy the snapshot to storage
insufficient free space in the storage account - Ensure that account. This is to make sure that backup management traffic,
storage account has free space equivalent to the data present which works on snapshot, doesn't limit the number of IOPS
on the premium storage disks attached to the virtual machine available to the application using premium disks. Microsoft
recommends you allocate only 50% of the total storage
account space so the Azure Backup service can copy the
snapshot to storage account and transfer data from this
copied location in storage account to the vault.
Unable to perform the operation as the VM agent is not This error is thrown if there is a problem with the VM Agent
responsive or network access to the Azure infrastructure is blocked in
some way. For Windows VMs, check the VM agent service
status in services and whether the agent appears in programs
in control panel. Try removing the program from control
panel and re-installing the agent as mentioned below. After
re-installing the agent, trigger an adhoc backup to verify.
Error details: Recovery services extension operation failed. - Please make sure that latest virtual machine agent is present on the virtual machine and agent service is running. Please retry backup operation and if it fails, contact Microsoft support.
Workaround: This error is thrown when VM agent is out of date. Refer Updating the VM Agent section below to update the VM agent.

Error details: Virtual machine doesn't exist. - Please make sure that virtual machine exists or select a different virtual machine.
Workaround: This happens when the primary VM is deleted but the backup policy continues to look for a VM to perform backup. To fix this error:
1. Recreate the virtual machine with the same name and same resource group name [cloud service name],
(OR)
2. Stop protecting the virtual machine without deleting the backup data. More details

Error details: Command execution failed. - Another operation is currently in progress on this item. Please wait until the previous operation is completed, and then retry
Workaround: An existing backup on the VM is running, and a new job cannot be started while the existing job is running.

Error details: Copying VHDs from the backup vault timed out - Please retry the operation in a few minutes. If the problem persists, contact Microsoft Support.
Workaround: This happens if there is a transient error on storage side or if backup service is not getting sufficient IOPS from storage account hosting the VM in order to transfer data within timeout period to vault. Make sure that you followed Best practices while setting up backup. Try moving VM to a different storage account which is not loaded and retry backup.

Error details: Backup failed with an internal error - Please retry the operation in a few minutes. If the problem persists, contact Microsoft Support
Workaround: You can get this error for 2 reasons:
1. There is a transient issue in accessing the VM storage. Please check Azure Status to see if there is any on-going issue related to compute, storage, or networking in the region. Then retry the backup job once the issue is resolved.
2. The original VM has been deleted and therefore, the recovery point cannot be taken. To keep the backup data for a deleted VM, but remove the backup errors: Unprotect the VM and choose the option to keep the data. This action stops the scheduled backup job and the recurring error messages.

Error details: Failed to install the Azure Recovery Services extension on the selected item - The VM agent is a prerequisite for the Azure Recovery Services Extension. Install the Azure VM agent and restart the registration operation
Workaround:
1. Check if the VM agent has been installed correctly.
2. Ensure the flag on the VM config is set correctly.
Read more about installing the VM agent, and how to validate the VM agent installation.

Error details: Extension installation failed with the error "COM+ was unable to talk to the Microsoft Distributed Transaction Coordinator"
Workaround: This usually means that the COM+ service is not running. Contact Microsoft support for help on fixing this issue.

Error details: Snapshot operation failed with the VSS operation error "This drive is locked by BitLocker Drive Encryption. You must unlock this drive from the Control Panel."
Workaround: Turn off BitLocker for all drives on the VM and observe if the VSS issue is resolved

Error details: VM is not in a state that allows backups.
Workaround:
- Check if VM is in a transient state between Running and Shut down. If it is, wait for the VM state to be one of them and trigger backup again.
- If the VM is a Linux VM and uses [Security Enhanced Linux] kernel module, you need to exclude the Linux Agent path (/var/lib/waagent) from security policy to make sure backup extension gets installed.

Error details: Azure Virtual Machine Not Found.
Workaround: This happens when the primary VM is deleted but the backup policy continues to look for a VM to perform back up. To fix this error:
1. Recreate the virtual machine with the same name and same resource group name [cloud service name],
(OR)
2. Disable protection for this VM so the backup jobs will not be created.

Error details: Virtual machine agent is not present on the virtual machine - Please install any prerequisite and the VM agent, and then restart the operation.
Workaround: Read more about VM agent installation, and how to validate the VM agent installation.

Error details: Snapshot operation failed due to VSS Writers in bad state
Workaround: You need to restart VSS (Volume Shadow copy Service) writers that are in bad state. To achieve this, from an elevated command prompt, run vssadmin list writers. Output contains all VSS writers and their state. For every VSS writer whose state is not "[1] Stable", restart VSS writer by running following commands from an elevated command prompt:
    net stop serviceName
    net start serviceName

Error details: Snapshot operation failed due to a parsing failure of the configuration
Workaround: This happens due to changed permissions on the MachineKeys directory:
    %systemdrive%\programdata\microsoft\crypto\rsa\machinekeys
Please run below command and verify that permissions on MachineKeys directory are default-ones:
    icacls %systemdrive%\programdata\microsoft\crypto\rsa\machinekeys

Error details: Validation failed as virtual machine is encrypted with BEK alone. Backups can be enabled only for virtual machines encrypted with both BEK and KEK.
Workaround: Virtual machine should be encrypted using both BitLocker Encryption Key and Key Encryption Key. After that, backup should be enabled.

Error details: Azure Backup Service does not have sufficient permissions to Key Vault for Backup of Encrypted Virtual Machines.
Workaround: Backup service should be provided these permissions in PowerShell using steps mentioned in Enable Backup section of PowerShell documentation.

Error details: Installation of snapshot extension failed with error - COM+ was unable to talk to the Microsoft Distributed Transaction Coordinator
Workaround: Please try to start windows service "COM+ System Application" (from an elevated command prompt - net start COMSysApp).
If it fails while starting, please follow below steps:
1. Validate that the Logon account of service "Distributed Transaction Coordinator" is "Network Service". If it is not, please change it to "Network Service", restart this service and then try to start service "COM+ System Application".
2. If it still fails to start, uninstall/install service "Distributed Transaction Coordinator" by following below steps:
- Stop the MSDTC service
- Open a command prompt (cmd)
- Run command msdtc -uninstall
- Run command msdtc -install
- Start the MSDTC service
3. Start windows service "COM+ System Application" and after it is started, trigger backup from portal.

Error details: Snapshot operation failed due to COM+ error
Workaround: The recommended action is to restart windows service "COM+ System Application" (from an elevated command prompt - net start COMSysApp). If the issue persists, restart the VM. If restarting the VM doesn't help, try removing the VMSnapshot Extension and trigger the backup manually.

Error details: Failed to freeze one or more mount-points of the VM to take a file-system consistent snapshot
Workaround: Use the following steps:
1. Check the file-system state of all mounted devices using 'tune2fs' command.
   Eg: tune2fs -l /dev/sdb1 | grep "Filesystem state"
2. Unmount the devices for which filesystem state is not clean using 'umount' command
3. Run FileSystemConsistency Check on these devices using 'fsck' command
4. Mount the devices again and try backup.

Error details: Snapshot operation failed due to failure in creating secure network communication channel
Workaround:
1. Open Registry Editor by running regedit.exe in an elevated mode.
2. Identify all versions of .NetFramework present in system. They are present under the hierarchy of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"
3. For each .NetFramework present in registry key, add following key:
   "SchUseStrongCrypto"=dword:00000001

Error details: Cancellation is not supported for this job type - Please wait until the job completes.
Workaround: None

Error details: The job is not in a cancelable state - Please wait until the job completes.
OR
The selected job is not in a cancelable state - Please wait for the job to complete.
Workaround: In all likelihood, the job is almost completed. Please wait until the job is completed.

Error details: Cannot cancel the job because it is not in progress - Cancellation is only supported for jobs which are in progress. Please attempt cancel on an in progress job.
Workaround: This happens due to a transitory state. Wait for a minute and retry the cancel operation.

Error details: Failed to cancel the Job - Please wait till job finishes.
Workaround: None
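For the "failure in creating secure network communication channel" entry above, the following PowerShell audits SchUseStrongCrypto for each installed .NET Framework version and can set it where it is missing. It is an added example, not part of the original article; the .NETFramework subkey and the WOW6432Node (32-bit) view are the standard Windows locations and are assumptions here, since the page names only HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.

```powershell
# Added example (not from the original article): audit SchUseStrongCrypto for
# every installed .NET Framework version and optionally set it to 1.
# Assumption: version keys live under the .NETFramework subkey of
# HKLM\SOFTWARE\Microsoft, plus the WOW6432Node view used by 32-bit processes.

function Get-StrongCryptoStatus {
    [CmdletBinding()]
    param(
        [string[]]$Roots = @(
            'HKLM:\SOFTWARE\Microsoft\.NETFramework',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework'
        )
    )
    foreach ($root in $Roots) {
        # The WOW6432Node view does not exist on 32-bit Windows.
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # Version keys are named like v2.0.50727 or v4.0.30319; other
        # subkeys (policy, AssemblyFolders, ...) are skipped.
        Get-ChildItem -LiteralPath $root |
            Where-Object { $_.PSChildName -match '^v\d+\.\d+' } |
            ForEach-Object {
                $prop  = Get-ItemProperty -LiteralPath $_.PSPath -Name SchUseStrongCrypto -ErrorAction SilentlyContinue
                $value = if ($prop) { $prop.SchUseStrongCrypto } else { $null }
                [pscustomobject]@{
                    Key                = $_.Name
                    SchUseStrongCrypto = $value          # $null when the value is absent
                    Compliant          = ($value -eq 1)
                    PSPath             = $_.PSPath
                }
            }
    }
}

function Set-StrongCrypto {
    # Writes "SchUseStrongCrypto"=dword:00000001 to every non-compliant key.
    # Requires an elevated session; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    Get-StrongCryptoStatus | Where-Object { -not $_.Compliant } | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Key, 'Set SchUseStrongCrypto = 1 (DWORD)')) {
            New-ItemProperty -LiteralPath $_.PSPath -Name SchUseStrongCrypto `
                -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

# Report first; change nothing.
Get-StrongCryptoStatus | Format-Table Key, SchUseStrongCrypto, Compliant -AutoSize

# Set-StrongCrypto -WhatIf   # preview the keys that would be changed
# Set-StrongCrypto           # apply
```

Processes that are already running keep their previous setting until they restart, so retry the backup only after the affected services or the VM have been restarted.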
Restore
ERROR DETAILS WORKAROUND
Error details: Restore failed with Cloud Internal error
Workaround:
1. Cloud service to which you are trying to restore is configured with DNS settings. You can check:
    $deployment = Get-AzureDeployment -ServiceName "ServiceName" -Slot "Production"
    Get-AzureDns -DnsSettings $deployment.DnsSettings
   If there is Address configured, this means that DNS settings are configured.
2. Cloud service to which you are trying to restore is configured with ReservedIP and existing VMs in cloud service are in stopped state. You can check whether a cloud service has a reserved IP by using the following PowerShell cmdlets:
    $deployment = Get-AzureDeployment -ServiceName "servicename" -Slot "Production"
    $deployment.ReservedIPName
3. You are trying to restore a virtual machine with following special network configurations into the same cloud service.
- Virtual machines under load balancer configuration (Internal and external)
- Virtual machines with multiple Reserved IPs
- Virtual machines with multiple NICs
Please select a new cloud service in the UI or please refer to restore considerations for VMs with special network configurations.

Error details: The selected DNS name is already taken - Please specify a different DNS name and try again.
Workaround: The DNS name here refers to the cloud service name (usually ending with .cloudapp.net). This needs to be unique. If you encounter this error, you need to choose a different VM name during restore.

Error details: Backup vault and target storage account are in two different regions - Ensure that the storage account specified in restore operation is in the same Azure region as the backup vault.
Workaround: None

Error details: Type of Storage Account specified for restore operation is not online - Make sure that the storage account specified in restore operation is online
Workaround: This might happen because of a transient error in Azure Storage or due to an outage. Please choose another storage account.

Error details: Selected subnet does not exist - Please select a subnet which exists
Workaround: None

Error details: Backup Service does not have authorization to access resources in your subscription.
Workaround: To resolve this, first Restore Disks using steps mentioned in section Restore backed up disks in Choosing VM restore configuration. After that, use PowerShell steps mentioned in Create a VM from restored disks to create full VM from restored disks.
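For the "VSS Writers in bad state" entry in the backup error list above, the following PowerShell parses vssadmin list writers output and returns every writer whose state is not "[1] Stable". It is an added example, not part of the original article; the sample output is constructed, with placeholder GUIDs, and the parser assumes English-language vssadmin output.

```powershell
# Added example (not from the original article): find VSS writers whose state
# is not "[1] Stable" in the output of "vssadmin list writers".
# Assumption: English-language output; localized systems print other labels.

function ConvertFrom-VssWriterList {
    param([string[]]$Lines)

    $writer = $null
    foreach ($line in $Lines) {
        if ($line -match "^Writer name:\s*'(.+)'\s*$") {
            # A new writer block starts: emit the previous one first.
            if ($writer) { [pscustomobject]$writer }
            $writer = [ordered]@{
                Name      = $Matches[1]
                StateCode = $null
                State     = $null
                LastError = $null
            }
        }
        elseif ($writer -and $line -match '^\s+State:\s*\[(\d+)\]\s*(.+?)\s*$') {
            $writer.StateCode = [int]$Matches[1]
            $writer.State     = $Matches[2]
        }
        elseif ($writer -and $line -match '^\s+Last error:\s*(.+?)\s*$') {
            $writer.LastError = $Matches[1]
        }
    }
    # Emit the last block, which has no following "Writer name:" line.
    if ($writer) { [pscustomobject]$writer }
}

function Get-UnstableVssWriter {
    param([string[]]$Lines)
    # A writer with no parsed state is reported too: it needs a manual look.
    ConvertFrom-VssWriterList -Lines $Lines | Where-Object { $_.StateCode -ne 1 }
}

# Constructed sample output (GUIDs are placeholders), so the parser can be
# exercised without touching a live system.
$sample = @'
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

Writer name: 'Task Scheduler Writer'
   Writer Id: {00000000-0000-0000-0000-000000000001}
   Writer Instance Id: {00000000-0000-0000-0000-0000000000a1}
   State: [1] Stable
   Last error: No error

Writer name: 'System Writer'
   Writer Id: {00000000-0000-0000-0000-000000000002}
   Writer Instance Id: {00000000-0000-0000-0000-0000000000a2}
   State: [8] Failed
   Last error: Timed out

Writer name: 'WMI Writer'
   Writer Id: {00000000-0000-0000-0000-000000000003}
   Writer Instance Id: {00000000-0000-0000-0000-0000000000a3}
   State: [5] Waiting for completion
   Last error: No error
'@ -split "`r?`n"

Get-UnstableVssWriter -Lines $sample | Format-Table Name, StateCode, State, LastError -AutoSize

# On the VM itself, from an elevated prompt:
# Get-UnstableVssWriter -Lines (vssadmin list writers)
```

The page does not list which Windows service hosts each writer, so identify the service for every writer this reports before running net stop and net start against it.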
VM Agent
Setting up the VM Agent
Typically, the VM Agent is already present in VMs that are created from the Azure gallery. However, virtual
machines that are migrated from on-premises datacenters would not have the VM Agent installed. For such VMs,
the VM Agent needs to be installed explicitly.
For Windows VMs:
Download and install the agent MSI. You need Administrator privileges to complete the installation.
For Classic virtual machines, update the VM property to indicate that the agent is installed. This step is not
required for Resource Manager virtual machines.
For Linux VMs:
Install the latest agent from the distribution repository. We strongly recommend installing the agent only through the
distribution repository. For details on the package name, please refer to the Linux agent repository.
For Classic VMs, update the VM property to indicate that the agent is installed. This step is not required for
Resource Manager virtual machines.
Updating the VM Agent
For Windows VMs:
Updating the VM Agent is as simple as reinstalling the VM Agent binaries. However, you need to ensure that no
backup operation is running while the VM Agent is being updated.
For Linux VMs:
Follow the instructions on Updating Linux VM Agent. We strongly recommend updating the agent only through the
distribution repository. We do not recommend downloading the agent code directly from GitHub and updating
it. If the latest agent is not available for your distribution, please reach out to distribution support for instructions
on how to install the latest agent. You can check the latest Windows Azure Linux agent information in the GitHub
repository.
Validating VM Agent installation
How to check for the VM Agent version on Windows VMs:
1. Log on to the Azure virtual machine and navigate to the folder C:\WindowsAzure\Packages. You should find
the WaAppAgent.exe file present.
2. Right-click the file, go to Properties, and then select the Details tab. The Product Version field should be
2.6.1198.718 or higher
Networking
Like all extensions, the Backup extension needs access to the public internet to work. Not having access to the public
internet can manifest itself in various ways:
The extension installation can fail
The backup operations (like disk snapshot) can fail
Displaying the status of the backup operation can fail
The need for resolving public internet addresses has been articulated here. You need to check the DNS
configurations for the VNET and ensure that the Azure URIs can be resolved.
Once the name resolution is done correctly, access to the Azure IPs also needs to be provided. To unblock access
to the Azure infrastructure, follow one of these steps:
1. Whitelist the Azure datacenter IP ranges.
Get the list of Azure datacenter IPs to be whitelisted.
Unblock the IPs using the New-NetRoute cmdlet. Run this cmdlet within the Azure VM, in an elevated
PowerShell window (run as Administrator).
Add rules to the NSG (if you have one in place) to allow access to the IPs.
2. Create a path for HTTP traffic to flow
If you have some network restriction in place (a Network Security Group, for example), deploy an HTTP
proxy server to route the traffic. Steps to deploy an HTTP Proxy server can be found here.
Add rules to the NSG (if you have one in place) to allow access to the INTERNET from the HTTP Proxy.
NOTE
DHCP must be enabled inside the guest for IaaS VM Backup to work. If you need a static private IP, you should configure it
through the platform. The DHCP option inside the VM should be left enabled. View more information about Setting a Static
Internal Private IP.
Troubleshoot Azure virtual machine backup
6/27/2017 8 min to read
You can troubleshoot errors encountered while using Azure Backup with information listed in the table below.
Discovery
BACKUP OPERATION ERROR DETAILS WORKAROUND
Operation: Discovery
Error details: Failed to discover new items - Microsoft Azure Backup encountered an internal error. Wait for a few minutes and then try the operation again.
Workaround: Retry the discovery process after 15 minutes.
Register
BACKUP OPERATION ERROR DETAILS WORKAROUND
Operation: Register
Error details: Microsoft Azure Backup encountered an internal error - Wait for a few minutes and then try the operation again. If the issue persists, contact Microsoft Support.
Workaround: You can get this error due to one of the following unsupported configuration of VM on Premium LRS.
Premium storage VMs can be backed up using recovery services vault. Learn More

Operation: Register
Error details: Registration failed with Install Agent operation timeout
Workaround: Check if the OS version of the virtual machine is supported.

Operation: Register
Error details: Virtual machine agent is not present on the virtual machine - Please install the required pre-requisite, VM agent and restart the operation.
Workaround: Read more about VM agent installation, and how to validate the VM agent installation.
Backup
BACKUP OPERATION ERROR DETAILS WORKAROUND
Operation: Backup
Error details: Could not communicate with the VM agent for snapshot status. Snapshot VM sub task timed out. - Please see the troubleshooting guide on how to resolve this.
Workaround: This error is thrown if there is a problem with the VM Agent or network access to the Azure infrastructure is blocked in some way. Learn more about debugging up VM snapshot issues.
If the VM agent is not causing any issues, then restart the VM. At times an incorrect VM state can cause issues and restarting the VM resets this "bad state"

Operation: Backup
Error details: Backup failed with an internal error - Please retry the operation in a few minutes. If the problem persists, contact Microsoft Support
Workaround: Please check if there is a transient issue in accessing VM storage. Please check Azure Status to see if there is any on-going issue related to compute/storage/network in the region. Please retry the backup post issue is mitigated.

Operation: Backup
Error details: Could not perform the operation as VM no longer exists.
Workaround: Backup cannot be performed as the VM configured for backup has been deleted. Please stop further backups by going to Protected items view, select protected item and click on Stop Protection. You can retain data by selecting Retain Backup data option. You can later resume protection for this virtual machine by clicking on configure protection from Registered Items view

Operation: Backup
Error details: Failed to install the Azure Recovery Services extension on the selected item - VM Agent is a pre-requisite for Azure Recovery Services Extension. Please install the Azure VM agent and restart the registration operation
Workaround:
1. Check if the VM agent has been installed correctly.
2. Ensure that the flag on the VM config is set correctly.
Read more about VM agent installation, and how to validate the VM agent installation.

Operation: Backup
Error details: Command execution failed - Another operation is currently in progress on this item. Please wait until the previous operation is completed, and then retry
Workaround: An existing backup or restore job for the VM is running, and a new job cannot be started while the existing job is running.

Operation: Backup
Error details: Extension installation failed with the error "COM+ was unable to talk to the Microsoft Distributed Transaction Coordinator"
Workaround: This usually means that the COM+ service is not running. Contact Microsoft support for help on fixing this issue.

Operation: Backup
Error details: Snapshot operation failed with the VSS operation error "This drive is locked by BitLocker Drive Encryption. You must unlock this drive from Control Panel."
Workaround: Turn off BitLocker for all drives on the VM and observe if the VSS issue is resolved

Operation: Backup
Error details: Azure Virtual Machine Not Found.
Workaround: This happens when the primary VM is deleted but the backup policy continues to look for a VM to perform backup. To fix this error:
1. Recreate the virtual machine with the same name and same resource group name [cloud service name],
(OR)
2. Disable protection for this VM so that subsequent backups will not get triggered.

Operation: Backup
Error details: Virtual machine agent is not present on the virtual machine - Please install the required pre-requisite, VM agent and restart the operation.
Workaround: Read more about VM agent installation, and how to validate the VM agent installation.
Jobs
OPERATION ERROR DETAILS WORKAROUND
Operation: Cancel job
Error details: The job is not in a cancelable state - Please wait until the job completes.
OR
The selected job is not in a cancelable state - Please wait for the job to complete.
Workaround: In all likelihood, the job is almost completed; please wait until the job completes

Operation: Cancel job
Error details: Cannot cancel the job because it is not in progress - Cancellation is only supported for jobs which are in progress. Please attempt cancel on an in progress job.
Workaround: This happens due to a transitory state. Wait for a minute and retry the cancel operation
Restore
OPERATION ERROR DETAILS WORKAROUND
Operation: Restore
Error details: Restore failed with Cloud Internal error
Workaround:
1. Cloud service to which you are trying to restore is configured with DNS settings. You can check:
    $deployment = Get-AzureDeployment -ServiceName "ServiceName" -Slot "Production"
    Get-AzureDns -DnsSettings $deployment.DnsSettings
   If there is Address configured, this means that DNS settings are configured.
2. Cloud service to which you are trying to restore is configured with ReservedIP and existing VMs in cloud service are in stopped state. You can check whether a cloud service has a reserved IP by using the following PowerShell cmdlets:
    $deployment = Get-AzureDeployment -ServiceName "servicename" -Slot "Production"
    $deployment.ReservedIPName
3. You are trying to restore a virtual machine with following special network configurations into the same cloud service.
- Virtual machines under load balancer configuration (Internal and external)
- Virtual machines with multiple Reserved IPs
- Virtual machines with multiple NICs
Please select a new cloud service in the UI or please refer to restore considerations for VMs with special network configurations

Operation: Restore
Error details: The selected DNS name is already taken - Please specify a different DNS name and try again.
Workaround: The DNS name here refers to the cloud service name (usually ending with .cloudapp.net). This needs to be unique. If you encounter this error, you need to choose a different VM name during restore.

Operation: Restore
Error details: Type of Storage Account specified for restore operation is not online - Make sure that the storage account specified in restore operation is online
Workaround: This might happen because of a transient error in Azure Storage or due to an outage. Please choose another storage account.
Policy
OPERATION ERROR DETAILS WORKAROUND
VM Agent
Setting up the VM Agent
Typically, the VM Agent is already present in VMs that are created from the Azure gallery. However, virtual
machines that are migrated from on-premises datacenters would not have the VM Agent installed. For such VMs,
the VM Agent needs to be installed explicitly. Read more about installing the VM agent on an existing VM.
For Windows VMs:
Download and install the agent MSI. You will need Administrator privileges to complete the installation.
Update the VM property to indicate that the agent is installed.
For Linux VMs:
Install latest Linux agent from github.
Update the VM property to indicate that the agent is installed.
Updating the VM Agent
For Windows VMs:
Updating the VM Agent is as simple as reinstalling the VM Agent binaries. However, you need to ensure that no
backup operation is running while the VM Agent is being updated.
For Linux VMs:
Follow the instructions on Updating Linux VM Agent.
Validating VM Agent installation
How to check for the VM Agent version on Windows VMs:
1. Log on to the Azure virtual machine and navigate to the folder C:\WindowsAzure\Packages. You should find the
WaAppAgent.exe file present.
2. Right-click the file, go to Properties, and then select the Details tab. The Product Version field should be
2.6.1198.718 or higher
Troubleshoot Azure Backup failure: Issues with agent
and/or extension
9/27/2017 9 min to read
This article provides troubleshooting steps to help you resolve Backup failures related to problems in
communication with VM agent and extension.
If your Azure issue is not addressed in this article, visit the Azure forums on MSDN and the Stack Overflow. You can
post your issue in these forums, or post to @AzureSupport on Twitter. You also can submit an Azure support
request. To submit a support request, on the Azure support page, select Get support.
Backup failed with an internal error - Please retry the operation in a few
minutes
After you register and schedule a VM for the Azure Backup service, Backup initiates the job by communicating with
the VM backup extension to take a point-in-time snapshot. Any of the following conditions might prevent the
snapshot from being triggered, which in turn can lead to Backup failure. Follow below troubleshooting steps in the
given order and retry your operation.
Cause 1: The VM has no Internet access
Cause 2: The agent installed in the VM but unresponsive (for Windows VMs)
Cause 3: The agent installed in the VM is out of date (for Linux VMs)
Cause 4: The snapshot status cannot be retrieved or a snapshot cannot be taken
Cause 5: The backup extension fails to update or load
1. If you have network restrictions in place (for example, a network security group), deploy an HTTP proxy server
to route the traffic.
2. To allow access to the Internet from the HTTP proxy server, add rules to the network security group, if you have
one.
To learn how to set up an HTTP proxy for VM backups, see Prepare your environment to back up Azure virtual
machines.
In case you are using Managed Disks, you may need an additional port (8443) opening up on the firewalls.
The agent installed in the VM but unresponsive (for Windows VMs)
Solution
The VM Agent might have been corrupted or the service might have been stopped. Re-installing the VM agent
would help get the latest version and restart the communication.
1. Verify whether the Windows Guest Agent service is running in services (services.msc) of the virtual machine. Try
restarting the Windows Guest Agent service and initiate the backup.
2. If it is not visible in services, verify in Programs and Features whether the Windows Guest Agent service is installed.
3. If you are able to view it in Programs and Features, uninstall the Windows Guest Agent.
4. Download and install the latest version of the agent MSI. You need Administrator privileges to complete the
installation.
5. Then you should be able to view the Windows Guest Agent service in services.
6. Try running an on-demand/ad hoc backup by clicking "Backup Now" in the portal.
Also verify that your virtual machine has .NET 4.5 installed. It is required for the VM agent to
communicate with the service.
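The checks described above and under "Validating VM Agent installation" (agent file present, Product Version at least 2.6.1198.718, guest agent service running, .NET 4.5 installed) can be run in one pass from an elevated PowerShell session on the VM. This is an added example, not part of the original article; the service name WindowsAzureGuestAgent and the .NET release-key threshold 378389 are assumptions, since the page gives neither.

```powershell
# Added example (not from the original article): validate the Windows VM agent
# prerequisites the page lists before retrying a backup.
# Assumptions: the guest agent service is registered as WindowsAzureGuestAgent,
# and .NET 4.5 or later is detected by Release >= 378389 under NDP\v4\Full.

function Test-AzureVmAgent {
    [CmdletBinding()]
    param(
        [string]$AgentPath       = 'C:\WindowsAzure\Packages\WaAppAgent.exe',
        [version]$MinimumVersion = '2.6.1198.718',
        [string]$ServiceName     = 'WindowsAzureGuestAgent'
    )

    $result = [ordered]@{
        AgentFileFound  = $false
        ProductVersion  = $null
        VersionOk       = $false
        ServiceStatus   = 'NotInstalled'
        DotNet45OrLater = $false
        Ready           = $false
    }

    if (Test-Path -LiteralPath $AgentPath) {
        $result.AgentFileFound = $true
        $raw = (Get-Item -LiteralPath $AgentPath).VersionInfo.ProductVersion
        $result.ProductVersion = $raw

        # Compare as [version], not as strings: "2.10.0.0" sorts before
        # "2.6.1198.718" lexically but is the newer version.
        $parsed = $null
        $clean  = "$raw" -replace '[^\d.].*$', ''   # drop any textual suffix
        if ([version]::TryParse($clean, [ref]$parsed)) {
            $result.VersionOk = ($parsed -ge $MinimumVersion)
        }
    }

    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($svc) { $result.ServiceStatus = $svc.Status.ToString() }

    $ndp = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
        -Name Release -ErrorAction SilentlyContinue
    if ($ndp -and $ndp.Release -ge 378389) { $result.DotNet45OrLater = $true }

    $result.Ready = $result.VersionOk -and
                    ($result.ServiceStatus -eq 'Running') -and
                    $result.DotNet45OrLater

    [pscustomobject]$result
}

Test-AzureVmAgent | Format-List
```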
The agent installed in the VM is out of date (for Linux VMs)
Solution
Most agent-related or extension-related failures for Linux VMs are caused by issues that affect an outdated VM
agent. To troubleshoot this issue, follow these general guidelines:
1. Follow the instructions for updating the Linux VM agent.
NOTE
We strongly recommend that you update the agent only through a distribution repository. We do not recommend
downloading the agent code directly from GitHub and updating it. If the latest agent is unavailable for your
distribution, contact distribution support for instructions on how to install it. To check for the most recent agent, go
to the Windows Azure Linux agent page in the GitHub repository.
2. Make sure that the Azure agent is running on the VM by running the following command: ps -e
The VM has SQL Server backup configured.
    By default, the VM backup runs a VSS full backup on Windows VMs. On VMs that are running SQL Server-based servers and on which SQL Server backup is configured, snapshot execution delays may occur.
    [HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\BCDRAGENT]
    "USEVSSCOPYBACKUP"="TRUE"

The VM status is reported incorrectly because the VM is shut down in RDP.
    If you shut down the VM in Remote Desktop Protocol (RDP), check the portal to determine whether the VM status is correct. If it's not correct, shut down the VM in the portal by using the Shutdown option on the VM dashboard.

Many VMs from the same cloud service are configured to back up at the same time.
    It's a best practice to spread out the backup schedules for VMs from the same cloud service.

The VM is running at high CPU or memory usage.
    If the VM is running at high CPU usage (more than 90 percent) or high memory usage, the snapshot task is queued and delayed, and it eventually times out. In this situation, try an on-demand backup.

The VM cannot get the host/fabric address from DHCP.
    DHCP must be enabled inside the guest for the IaaS VM backup to work. If the VM cannot get the host/fabric address from DHCP response 245, it cannot download or run any extensions. If you need a static private IP, you should configure it through the platform. The DHCP option inside the VM should be left enabled. For more information, see Setting a Static Internal Private IP.

This article provides troubleshooting guidance to help you diagnose the cause of slow backup performance for files
and folders when you're using Azure Backup. When you use the Azure Backup agent to back up files, the backup
process might take longer than expected. This delay might be caused by one or more of the following:
There are performance bottlenecks on the computer that's being backed up.
Another process or antivirus software is interfering with the Azure Backup process.
The Backup agent is running on an Azure virtual machine (VM).
You're backing up a large number (millions) of files.
Before you start troubleshooting issues, we recommend that you download and install the latest Azure Backup
agent. We make frequent updates to the Backup agent to fix various issues, add features, and improve performance.
We also strongly recommend that you review the Azure Backup service FAQ to make sure you're not experiencing
any of the common configuration issues.
If your Azure issue is not addressed in this article, visit the Azure forums on MSDN and the Stack Overflow. You can
post your issue in these forums, or post to @AzureSupport on Twitter. You also can submit an Azure support
request. To submit a support request, on the Azure support page, select Get support.
COUNTER STATUS
Counter: Logical Disk(Physical Disk)--%Avg. Disk Sec Read or Write
Status:
    0.001 ms to 0.015 ms = Healthy
    0.015 ms to 0.025 ms = Warning or Monitor
    0.026 ms or longer = Critical or Out of Spec

Counter: Logical Disk(Physical Disk)--Current Disk Queue Length (for all instances)
Status:
    80 requests for more than 6 minutes

Counter: Memory--Pool Non Paged Bytes
Status:
    Less than 60% of pool consumed = Healthy
    61% to 80% of pool consumed = Warning or Monitor
    Greater than 80% pool consumed = Critical or Out of Spec
NOTE
If you determine that the infrastructure is the culprit, we recommend that you defragment the disks regularly for better
performance.
You can troubleshoot errors encountered while using Azure Backup Server with information listed in the following
table.
Installation issues
OPERATION ERROR DETAILS WORKAROUND
Operation: Installation
Error details: Setup could not update registry metadata. This update failure could lead to over usage of storage consumption. To avoid this please update the ReFS Trimming registry entry.
Workaround: Adjust the registry key, SYSTEM\CurrentControlSet\Control\FileSystem\RefsEnableInlineTrim. Set the value Dword to 1.

Operation: Installation
Error details: Setup could not update registry metadata. This update failure could lead to over usage of storage consumption. To avoid this please update the Volume SnapOptimization registry entry.
Workaround: Create the registry key, SOFTWARE\Microsoft Data Protection Manager\Configuration\VolSnapOptimization\WriteIds, with an empty string value.

Operation: Registering to a vault
Error details: Invalid vault credentials provided. The file is either corrupted or does not have the latest credentials associated with recovery service
Workaround: To fix this error:
1. Download the latest credentials file from the vault and try again
(OR)
2. If the above action didn't work, try downloading the credentials to a different local directory or create a new vault
(OR)
3. Try updating the date and time settings as stated in this blog
(OR)
4. Check whether c:\windows\temp has more than 65000 files. Move stale files to another location or delete the items in the Temp folder
(OR)
5. Check the status of certificates
   a. Open "Manage Computer Certificates" (in the Control Panel)
   b. Expand the "Personal" node and its child node "Certificates"
   c. Remove the certificate "Windows Azure Tools"
   d. Retry the registration in the Azure Backup client
(OR)
6. Check whether any Group policy is in place

Operation: Pushing agent(s) to protected servers
Error details: The agent operation failed because of a communication error with the DPM Agent Coordinator service on <ServerName>
Workaround: If the recommended action shown in the product doesn't work,
1. If you are attaching a computer from an untrusted domain, follow these steps
(OR)
2. If you are attaching a computer from a trusted domain, troubleshoot using the steps outlined in this blog
(OR)
3. Try disabling Antivirus as a troubleshooting step. If it resolves the issue, modify the Antivirus settings as suggested in this article

Operation: Pushing agent(s) to protected servers
Error details: The credentials specified for server are invalid
Workaround: If the recommended action shown in the product doesn't work, try to install the protection agent manually on the production server as specified in this article

Operation: Azure Backup Agent was unable to connect to the Azure Backup service
Error details: The Azure Backup Agent was unable to connect to the Azure Backup service. (ID: 100050)
Workaround: If the recommended action shown in the product doesn't work,
1. Run following command from elevated prompt,
    psexec -i -s "c:\Program Files\Internet Explorer\iexplore.exe"
   It will open internet explorer window.
2. Go to Tools -> Internet Options -> Connections -> LAN settings.
3. Verify proxy settings for System account. Set Proxy IP and port.
4. Close Internet Explorer.

Operation: Azure Backup Agent installation failed
Error details: The Microsoft Azure Recovery Services installation failed. All changes made by the Microsoft Azure Recovery Services installation to the system were rolled back. (ID: 4024)
Workaround: Manually install Azure Agent

Operation: Configuring Protection groups
Error details: DPM could not enumerate application component on protected computer (Protected computer Name)
Workaround: Click 'Refresh' on the configure protection group UI screen at the relevant datasource/component level

Operation: Configuring Protection groups
Error details: Unable to configure protection
Workaround: If the protected server is a SQL server, please check whether sysadmin role permissions have been provided to the system account (NTAuthority\System) on the protected computer as stated in this article

Operation: Configuring Protection groups
Error details: There is insufficient free space in the storage pool for this protection group
Workaround: The disks which are added to the storage pool should not contain a partition. Delete any existing volumes on the disks and then add it to the storage pool
Backup
Operation: Backup
Error details: An unexpected error occurred while the job was running, The device is not ready
Workaround: If the recommended action shown in the product doesn't work,
  1. Set the Shadow Copy Storage space to unlimited on the items in the protection group and run the consistency check
  (OR)
  2. Try deleting the existing protection group and create multiple new ones, one with each individual item in it

Operation: Backup
Error details: If you are backing up only System State, verify if there is enough free space on the protected computer to store the System State backup
Workaround:
  1. Verify that Windows Server Backup (WSB) is installed on the protected machine
  2. Verify that enough space is present on the protected computer for the system state: The easiest way to do this is to go to the protected computer, open WSB and click through the selections and select BMR. The UI will then tell you how much space is required for this. Open WSB -> Local backup -> Backup schedule -> Select Backup Configuration -> Full server (size is displayed). Use this size for verification.

Operation: Backup
Error details: Online recovery point creation failed
Workaround: If the error message says "Windows Azure Backup Agent was unable to create a snapshot of the selected volume", please try increasing the space in replica and recovery point volume.

Operation: Backup
Error details: Online recovery point creation failed
Workaround: If the error message says "The Windows Azure Backup Agent cannot connect to the OBEngine service", verify that the OBEngine exists in the list of running services on the computer. If the OBEngine service is not running, use the "net start OBEngine" command to start the OBEngine service.

Operation: Backup
Error details: Online recovery point creation failed
Workaround: If the error message says "The encryption passphrase for this server is not set. Please configure an encryption passphrase", try configuring an encryption passphrase. If it fails,
  1. Check whether the scratch location exists or not. The location mentioned in the registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Azure Backup\Config with name ScratchLocation should exist.
  2. If the scratch location exists, try re-registering using the old passphrase. Whenever you configure an encryption passphrase, please save it in a secure location

Operation: Backup
Error details: Backup failure for BMR
Workaround: If BMR size is huge, retry after moving some application files to OS drive

Operation: Backup
Error details: Error while accessing files/shared folders
Workaround: Try modifying the antivirus settings as suggested here

Operation: Backup
Error details: Online recovery point creation jobs for VMware VM fails. DPM encountered error from VMware while trying to get ChangeTracking information. ErrorCode - FileFaultFault (ID 33621)
Workaround:
  1. Reset the ctk on VMware for the affected VMs
  2. Check that Independent disk is not in place on VMware
  3. Stop protection for the affected VMs and re-protect with Refresh button
  4. Run a consistency check (CC) for the affected VMs
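
The two local checks named in the OBEngine and encryption passphrase rows above can be scripted. The following PowerShell is an added example, not part of the original article or Microsoft's tooling; the function names Test-OBEngine and Test-ScratchLocation are hypothetical, and the script assumes it is run from an elevated prompt on the Azure Backup Server.

```powershell
# Added example: verifies the OBEngine service and the ScratchLocation
# registry value described in the troubleshooting rows above.
# Function names are hypothetical; run from an elevated prompt.
$configKey = 'HKLM:\SOFTWARE\Microsoft\Windows Azure Backup\Config'

function Test-OBEngine {
    # Reports the OBEngine service state and starts it if it is not running.
    $svc = Get-Service -Name 'OBEngine' -ErrorAction SilentlyContinue
    if (-not $svc) { return 'NotInstalled' }
    if ($svc.Status -ne 'Running') {
        Start-Service -Name 'OBEngine'   # equivalent to: net start OBEngine
        $svc.Refresh()
    }
    return $svc.Status.ToString()
}

function Test-ScratchLocation {
    # Reads ScratchLocation from the registry and checks that the folder exists.
    $props = Get-ItemProperty -Path $configKey -Name 'ScratchLocation' -ErrorAction SilentlyContinue
    if (-not $props) { return 'RegistryValueMissing' }
    $path = $props.ScratchLocation
    if ([string]::IsNullOrWhiteSpace($path)) { return 'RegistryValueEmpty' }
    if (Test-Path -LiteralPath $path -PathType Container) { return "Exists: $path" }
    return "FolderMissing: $path"
}

# Summarize both checks in one object.
[pscustomobject]@{
    OBEngine        = Test-OBEngine
    ScratchLocation = Test-ScratchLocation
} | Format-List
```

A result of FolderMissing or RegistryValueMissing corresponds to step 1 of the passphrase workaround; if the folder exists, continue with step 2.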
Change Passphrase
OPERATION ERROR DETAILS WORKAROUND