
Table of Contents

Azure Backup Documentation


Overview
What is Azure Backup?
Quickstarts
Back up a VM - Portal
Back up a VM - PowerShell
Back up a VM - CLI
Tutorials
Back up Azure VMs at scale
Restore a disk
Restore individual files
Back up Windows Server
Restore files to Windows Server
Samples
Azure PowerShell
Concepts
FAQ
FAQ on Recovery Services vault
FAQ on Azure VM backup
FAQ on file-folder backup using Azure Backup agent
FAQ on auto-upgrade of backup vault
Role-Based Access Control
Security for hybrid backups
Configure offline-backup
Replace your tape library
How to
Azure Backup Server
Azure Backup Server protection matrix
Install or upgrade
Protect workloads
Recover data from Azure Backup Server
Azure VMs
Prepare the VM
Plan your environment
Back up VMs
Manage and monitor VMs
Restore data from VMs
Configure Azure Backup reports
Configure Azure Backup reports
Data model for Azure Backup reports
Log Analytics data model for Azure Backup
Data Protection Manager
Prepare DPM workloads in Azure portal
Prepare DPM workloads in classic portal
Use System Center DPM to back up Exchange server
Recover data to an alternate DPM server
Use DPM to back up SQL Server workloads
Use DPM to back up a SharePoint farm
Use Azure PowerShell
Azure VMs in Azure portal
Azure VMs in classic portal
DPM in Azure portal
DPM in classic portal
Windows Server in Azure portal
Windows Server in classic portal
Azure SQL Database
Configure long-term backup retention
View backups in a Recovery Services vault
Restore from long-term backup retention
Delete long-term Azure SQL backups
Windows Server
Back up Windows Server files and folders
Back up Windows Server files and folders
Back up Windows Server System State
Recover files from Azure to Windows Server
Restore Windows Server System State
Monitor and manage Recovery Services vaults
Back up and restore using the classic portal
Recovery Services vault
Overview of Recovery Services vaults
Upgrading a Backup vault to Recovery Services vault
Delete a Recovery Services vault
Troubleshoot
Azure VM backup problems in Azure portal
Azure VM backup problems in classic portal
Azure VM Backup fails: Could not communicate with the VM agent for snapshot
status - Snapshot VM sub task timed out
Slow backup of files and folders in Azure Backup
Troubleshoot Azure Backup Server
Reference
Azure PowerShell
.NET
Resources
Azure Roadmap
MSDN forum
Pricing
Pricing calculator
Service updates
Videos
Overview of the features in Azure Backup
10/9/2017 20 min to read

Azure Backup is the Azure-based service you can use to back up (or protect) and restore your data in the Microsoft
cloud. Azure Backup replaces your existing on-premises or off-site backup solution with a cloud-based solution
that is reliable, secure, and cost-competitive. Azure Backup offers multiple components that you download and
deploy on the appropriate computer, server, or in the cloud. The component, or agent, that you deploy depends on
what you want to protect. All Azure Backup components (no matter whether you're protecting data on-premises or
in the cloud) can be used to back up data to a Recovery Services vault in Azure. See the Azure Backup components
table (later in this article) for information about which component to use to protect specific data, applications, or
workloads.
Watch a video overview of Azure Backup

Why use Azure Backup?


Traditional backup solutions have evolved to treat the cloud as an endpoint, or static storage destination, similar to
disks or tape. While this approach is simple, it is limited and doesn't take full advantage of an underlying cloud
platform, which translates to an expensive, inefficient solution. Other solutions are expensive because you end up
paying for the wrong type of storage, or storage that you don't need. Other solutions are often inefficient because
they don't offer you the type or amount of storage you need, or administrative tasks require too much time. In
contrast, Azure Backup delivers these key benefits:
Automatic storage management - Hybrid environments often require heterogeneous storage - some on-
premises and some in the cloud. With Azure Backup, there is no cost for using on-premises storage devices. Azure
Backup automatically allocates and manages backup storage, and it uses a pay-as-you-use model. Pay-as-you-use
means that you only pay for the storage that you consume. For more information, see the Azure pricing article.
Unlimited scaling - Azure Backup uses the underlying power and unlimited scale of the Azure cloud to deliver
high-availability - with no maintenance or monitoring overhead. You can set up alerts to provide information
about events, but you don't need to worry about high-availability for your data in the cloud.
Multiple storage options - An aspect of high-availability is storage replication. Azure Backup offers two types of
replication: locally redundant storage and geo-redundant storage. Choose the backup storage option based on
need:
Locally redundant storage (LRS) replicates your data three times (it creates three copies of your data) in a
paired datacenter in the same region. LRS is a low-cost option for protecting your data from local hardware
failures.
Geo-redundant storage (GRS) replicates your data to a secondary region (hundreds of miles away from the
primary location of the source data). GRS costs more than LRS, but GRS provides a higher level of durability
for your data, even if there is a regional outage.
Unlimited data transfer - Azure Backup does not limit the amount of inbound or outbound data you transfer.
Azure Backup also does not charge for the data that is transferred. However, if you use the Azure Import/Export
service to import large amounts of data, there is a cost associated with inbound data. For more information about
this cost, see Offline-backup workflow in Azure Backup. Outbound data refers to data transferred from a Recovery
Services vault during a restore operation.
Data encryption - Data encryption allows for secure transmission and storage of your data in the public cloud.
You store the encryption passphrase locally, and it is never transmitted or stored in Azure. If it is necessary to
restore any of the data, only you have the encryption passphrase, or key.
Application-consistent backup - Whether backing up a file server, virtual machine, or SQL database, you need
to know that a recovery point has all required data to restore the backup copy. Azure Backup provides
application-consistent backups, which ensure that additional fixes are not needed to restore the data. Restoring
application-consistent data reduces the restoration time, allowing you to quickly return to a running state.
Long-term retention - Instead of switching backup copies from disk to tape and moving the tape to an off-site
location, you can use Azure for short-term and long-term retention. Azure doesn't limit the length of time data
remains in a Backup or Recovery Services vault. You can keep data in a vault for as long as you like. Azure Backup
has a limit of 9999 recovery points per protected instance. See the Backup and retention section in this article for
an explanation of how this limit may impact your backup needs.

Which Azure Backup components should I use?


If you aren't sure which Azure Backup component works for your needs, see the following table for information
about what you can protect with each component. The Azure portal provides a wizard, which is built into the
portal, to guide you through choosing the component to download and deploy. The wizard, which is part of the
Recovery Services vault creation, leads you through the steps for selecting a backup goal, and choosing the data or
application to protect.

COMPONENT: Azure Backup (MARS) agent
BENEFITS:
  Back up files and folders on physical or virtual Windows OS (VMs can be on-premises or in Azure)
  No separate backup server required.
LIMITS:
  Backup 3x per day
  Not application aware; file, folder, and volume-level restore only
  No support for Linux.
WHAT IS PROTECTED?: Files, Folders
WHERE ARE BACKUPS STORED?: Recovery Services vault

COMPONENT: System Center DPM
BENEFITS:
  Application-aware snapshots (VSS)
  Full flexibility for when to take backups
  Recovery granularity (all)
  Can use Recovery Services vault
  Linux support on Hyper-V and VMware VMs
  Back up and restore VMware VMs using DPM 2012 R2
LIMITS:
  Cannot back up Oracle workload.
WHAT IS PROTECTED?: Files, Folders, Volumes, VMs, Applications, Workloads
WHERE ARE BACKUPS STORED?: Recovery Services vault, Locally attached disk, Tape (on-premises only)

COMPONENT: Azure Backup Server
BENEFITS:
  App aware snapshots (VSS)
  Full flexibility for when to take backups
  Recovery granularity (all)
  Can use Recovery Services vault
  Linux support on Hyper-V and VMware VMs
  Back up and restore VMware VMs
  Does not require a System Center license
LIMITS:
  Cannot back up Oracle workload.
  Always requires live Azure subscription
  No support for tape backup
WHAT IS PROTECTED?: Files, Folders, Volumes, VMs, Applications, Workloads
WHERE ARE BACKUPS STORED?: Recovery Services vault, Locally attached disk

COMPONENT: Azure IaaS VM Backup
BENEFITS:
  Native backups for Windows/Linux
  No specific agent installation required
  Fabric-level backup with no backup infrastructure needed
LIMITS:
  Back up VMs once-a-day
  Restore VMs only at disk level
  Cannot back up on-premises
WHAT IS PROTECTED?: VMs, All disks (using PowerShell)
WHERE ARE BACKUPS STORED?: Recovery Services vault

What are the deployment scenarios for each component?


COMPONENT: Azure Backup (MARS) agent
CAN BE DEPLOYED IN AZURE?: Yes. The Azure Backup agent can be deployed on any Windows Server VM that runs in Azure.
CAN BE DEPLOYED ON-PREMISES?: Yes. The Backup agent can be deployed on any Windows Server VM or physical machine.
TARGET STORAGE SUPPORTED: Recovery Services vault

COMPONENT: System Center DPM
CAN BE DEPLOYED IN AZURE?: Yes. Learn more about how to protect workloads in Azure by using System Center DPM.
CAN BE DEPLOYED ON-PREMISES?: Yes. Learn more about how to protect workloads and VMs in your datacenter.
TARGET STORAGE SUPPORTED: Locally attached disk, Recovery Services vault, tape (on-premises only)

COMPONENT: Azure Backup Server
CAN BE DEPLOYED IN AZURE?: Yes. Learn more about how to protect workloads in Azure by using Azure Backup Server.
CAN BE DEPLOYED ON-PREMISES?: Yes. Learn more about how to protect workloads in Azure by using Azure Backup Server.
TARGET STORAGE SUPPORTED: Locally attached disk, Recovery Services vault

COMPONENT: Azure IaaS VM Backup
CAN BE DEPLOYED IN AZURE?: Yes. Part of Azure fabric. Specialized for backup of Azure infrastructure as a service (IaaS) virtual machines.
CAN BE DEPLOYED ON-PREMISES?: No. Use System Center DPM to back up virtual machines in your datacenter.
TARGET STORAGE SUPPORTED: Recovery Services vault

Which applications and workloads can be backed up?


The following table provides a matrix of the data and workloads that can be protected using Azure Backup. The
Azure Backup solution column has links to the deployment documentation for that solution.

DATA OR WORKLOAD: Files and folders
SOURCE ENVIRONMENT: Windows Server
AZURE BACKUP SOLUTION: Azure Backup agent, System Center DPM (+ the Azure Backup agent), Azure Backup Server (includes the Azure Backup agent)

DATA OR WORKLOAD: Files and folders
SOURCE ENVIRONMENT: Windows computer
AZURE BACKUP SOLUTION: Azure Backup agent, System Center DPM (+ the Azure Backup agent), Azure Backup Server (includes the Azure Backup agent)

DATA OR WORKLOAD: Hyper-V virtual machine (Windows)
SOURCE ENVIRONMENT: Windows Server
AZURE BACKUP SOLUTION: System Center DPM (+ the Azure Backup agent), Azure Backup Server (includes the Azure Backup agent)

DATA OR WORKLOAD: Hyper-V virtual machine (Linux)
SOURCE ENVIRONMENT: Windows Server
AZURE BACKUP SOLUTION: System Center DPM (+ the Azure Backup agent), Azure Backup Server (includes the Azure Backup agent)

DATA OR WORKLOAD: VMware virtual machine
SOURCE ENVIRONMENT: Windows Server
AZURE BACKUP SOLUTION: System Center DPM (+ the Azure Backup agent), Azure Backup Server (includes the Azure Backup agent)

DATA OR WORKLOAD: Microsoft SQL Server
SOURCE ENVIRONMENT: Windows Server
AZURE BACKUP SOLUTION: System Center DPM (+ the Azure Backup agent), Azure Backup Server (includes the Azure Backup agent)

DATA OR WORKLOAD: Microsoft SharePoint
SOURCE ENVIRONMENT: Windows Server
AZURE BACKUP SOLUTION: System Center DPM (+ the Azure Backup agent), Azure Backup Server (includes the Azure Backup agent)

DATA OR WORKLOAD: Microsoft Exchange
SOURCE ENVIRONMENT: Windows Server
AZURE BACKUP SOLUTION: System Center DPM (+ the Azure Backup agent), Azure Backup Server (includes the Azure Backup agent)

DATA OR WORKLOAD: Azure IaaS VMs (Windows)
SOURCE ENVIRONMENT: running in Azure
AZURE BACKUP SOLUTION: Azure Backup (VM extension)

DATA OR WORKLOAD: Azure IaaS VMs (Linux)
SOURCE ENVIRONMENT: running in Azure
AZURE BACKUP SOLUTION: Azure Backup (VM extension)

Linux support
The following table shows the Azure Backup components that have support for Linux.

COMPONENT: Azure Backup (MARS) agent
LINUX (AZURE ENDORSED) SUPPORT: No (Only Windows based agent)

COMPONENT: System Center DPM
LINUX (AZURE ENDORSED) SUPPORT:
  File-consistent backup of Linux Guest VMs on Hyper-V and VMware
  VM restore of Hyper-V and VMware Linux Guest VMs
  File-consistent backup not available for Azure VM

COMPONENT: Azure Backup Server
LINUX (AZURE ENDORSED) SUPPORT:
  File-consistent backup of Linux Guest VMs on Hyper-V and VMware
  VM restore of Hyper-V and VMware Linux Guest VMs
  File-consistent backup not available for Azure VM

COMPONENT: Azure IaaS VM Backup
LINUX (AZURE ENDORSED) SUPPORT:
  Application-consistent backup using pre-script and post-script framework
  Granular file recovery
  Restore all VM disks
  VM restore

Using Premium Storage VMs with Azure Backup


Azure Backup protects Premium Storage VMs. Azure Premium Storage is solid-state drive (SSD)-based storage
designed to support I/O-intensive workloads. Premium Storage is attractive for virtual machine (VM) workloads.
For more information about Premium Storage, see the article, Premium Storage: High-Performance Storage for
Azure Virtual Machine Workloads.
Back up Premium Storage VMs
While backing up Premium Storage VMs, the Backup service creates a temporary staging location, named
"AzureBackup-", in the Premium Storage account. The size of the staging location is equal to the size of the
recovery point snapshot. Be sure the Premium Storage account has adequate free space to accommodate the
temporary staging location. For more information, see the article, premium storage limitations. Once the backup
job finishes, the staging location is deleted. The price of storage used for the staging location is consistent with all
Premium storage pricing.

NOTE
Do not modify or edit the staging location.

Restore Premium Storage VMs


Premium Storage VMs can be restored to either Premium Storage or to normal storage. Restoring a Premium
Storage VM recovery point back to Premium Storage is the typical process of restoration. However, it can be cost
effective to restore a Premium Storage VM recovery point to standard storage. This type of restoration can be used
if you need a subset of files from the VM.

Using managed disk VMs with Azure Backup


Azure Backup protects managed disk VMs. Managed disks free you from managing storage accounts of virtual
machines and greatly simplify VM provisioning.
Back up managed disk VMs
Backing up VMs on managed disks is no different than backing up Resource Manager VMs. In the Azure portal,
you can configure the backup job directly from the Virtual Machine view or from the Recovery Services vault view.
You can back up VMs on managed disks through RestorePoint collections built on top of managed disks. Azure
Backup also supports backing up managed disk VMs encrypted using Azure Disk Encryption (ADE).
Restore managed disk VMs
Azure Backup allows you to restore a complete VM with managed disks, or restore managed disks to a storage
account. Azure manages the managed disks during the restore process. You (the customer) manage the storage
account created as part of the restore process. When restoring managed encrypted VMs, the VM's keys and secrets
should exist in the key vault prior to starting the restore operation.

What are the features of each Backup component?


The following sections provide tables that summarize the availability or support of various features in each Azure
Backup component. See the information following each table for additional support or details.
Storage
AZURE IAAS VM
FEATURE AZURE BACKUP AGENT SYSTEM CENTER DPM AZURE BACKUP SERVER BACKUP

Recovery Services
vault

Disk storage

Tape storage

Compression
(in Recovery Services
vault)

Incremental backup

Disk deduplication

The Recovery Services vault is the preferred storage target across all components. System Center DPM and Azure
Backup Server also provide the option to have a local disk copy. However, only System Center DPM provides the
option to write data to a tape storage device.
Compression
Backups are compressed to reduce the required storage space. The only component that does not use
compression is the VM extension. The VM extension copies all backup data from your storage account to the
Recovery Services vault in the same region. No compression is used when transferring the data. Transferring the
data without compression slightly inflates the storage used. However, storing the data without compression allows
for faster restoration, should you need that recovery point.
Disk Deduplication
You can take advantage of deduplication when you deploy System Center DPM or Azure Backup Server on a
Hyper-V virtual machine. Windows Server performs data deduplication (at the host level) on virtual hard disks
(VHDs) that are attached to the virtual machine as backup storage.

NOTE
Deduplication is not available in Azure for any Backup component. When System Center DPM and Backup Server are
deployed in Azure, the storage disks attached to the VM cannot be deduplicated.

Incremental backup explained


Every Azure Backup component supports incremental backup regardless of the target storage (disk, tape, Recovery
Services vault). Incremental backup ensures that backups are storage and time efficient, by transferring only those
changes made since the last backup.
Comparing Full, Differential and Incremental backup
Storage consumption, recovery time objective (RTO), and network consumption vary for each type of backup
method. To keep the backup total cost of ownership (TCO) down, you need to understand how to choose the best
backup solution. The following image compares Full Backup, Differential Backup, and Incremental Backup. In the
image, data source A is composed of 10 storage blocks A1-A10, which are backed up monthly. Blocks A2, A3, A4,
and A9 change in the first month, and block A5 changes in the next month.
With Full Backup, each backup copy contains the entire data source. Full backup consumes a large amount of
network bandwidth and storage, each time a backup copy is transferred.
Differential backup stores only the blocks that changed since the initial full backup, which results in a smaller
amount of network and storage consumption. Differential backups don't retain redundant copies of unchanged
data. However, because the data blocks that remain unchanged between subsequent backups are transferred and
stored, differential backups are inefficient. In the second month, changed blocks A2, A3, A4, and A9 are backed up.
In the third month, these same blocks are backed up again, along with changed block A5. The changed blocks
continue to be backed up until the next full backup happens.
Incremental Backup achieves high storage and network efficiency by storing only the blocks of data that
changed since the previous backup. With incremental backup, there is no need to take regular full backups. In the
example, after the full backup is taken for the first month, changed blocks A2, A3, A4, and A9 are marked as
changed and transferred for the second month. In the third month, only changed block A5 is marked and
transferred. Moving less data saves storage and network resources, which decreases TCO.
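The block comparison above, replayed as an added example (not part of the original Azure documentation): it simulates data source A with blocks A1-A10 and the two rounds of changes, and counts the blocks each method transfers. It goes beyond the figure by also rebuilding the data from the stored copies, which shows which backup copies each method must read at restore time. Block versions and all function names are constructed for illustration.

```python
# Constructed sample mirroring the page's scenario: blocks A1..A10, backed up monthly.
BLOCKS = [f"A{i}" for i in range(1, 11)]
# Blocks rewritten on the source before the second and third backups.
CHANGES = [{"A2", "A3", "A4", "A9"}, {"A5"}]
STRATEGIES = ("full", "differential", "incremental")


def run_backups(strategy, blocks=BLOCKS, changes=CHANGES):
    """Simulate the backup schedule.

    Returns (copies, states): copies[i] is the {block: version} dict that
    backup i transfers and stores; states[i] is the complete source content
    at the moment backup i was taken.
    """
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown strategy: {strategy}")
    source = {b: 0 for b in blocks}        # every block starts at version 0
    copies = [dict(source)]                # the first backup is always a full copy
    states = [dict(source)]
    changed_since_full = set()
    for changed in changes:
        for b in changed:
            source[b] += 1                 # the block is rewritten on the source
        changed_since_full |= changed
        if strategy == "full":
            selected = set(blocks)         # everything, every time
        elif strategy == "differential":
            selected = changed_since_full  # all changes since the initial full backup
        else:
            selected = changed             # only changes since the previous backup
        copies.append({b: source[b] for b in blocks if b in selected})
        states.append(dict(source))
    return copies, states


def restore(strategy, copies, index):
    """Rebuild the source as of backup `index`.

    Returns (data, copies_read), where copies_read lists the backup copies
    that had to be read, oldest first.
    """
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown strategy: {strategy}")
    if strategy == "full":
        needed = [index]                   # each copy is self-contained
    elif strategy == "differential":
        needed = [0] if index == 0 else [0, index]   # full + one differential
    else:
        needed = list(range(index + 1))    # full + every incremental in order
    data = {}
    for i in needed:
        data.update(copies[i])             # newer copies overwrite older blocks
    return data, needed


def blocks_transferred(copies):
    """Number of blocks moved over the network by each backup."""
    return [len(copy) for copy in copies]


if __name__ == "__main__":
    for strategy in STRATEGIES:
        copies, states = run_backups(strategy)
        data, needed = restore(strategy, copies, len(copies) - 1)
        assert data == states[-1]          # the restore reproduces the source
        print(f"{strategy:12} transferred={blocks_transferred(copies)} "
              f"copies read for latest restore={needed}")
```
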
Security
AZURE IAAS VM
FEATURE AZURE BACKUP AGENT SYSTEM CENTER DPM AZURE BACKUP SERVER BACKUP

Network security
(to Azure)

Data security
(in Azure)

Network security
All backup traffic from your servers to the Recovery Services vault is encrypted using Advanced Encryption
Standard 256. The backup data is sent over a secure HTTPS link. The backup data is also stored in the Recovery
Services vault in encrypted form. Only you, the Azure customer, have the passphrase to unlock this data. Microsoft
cannot decrypt the backup data at any point.
WARNING
Once you establish the Recovery Services vault, only you have access to the encryption key. Microsoft never maintains a
copy of your encryption key, and does not have access to the key. If the key is misplaced, Microsoft cannot recover the
backup data.

Data security
Backing up Azure VMs requires setting up encryption within the virtual machine. Use BitLocker on Windows virtual
machines and dm-crypt on Linux virtual machines. Azure Backup does not automatically encrypt backup data that
comes through this path.
Network
AZURE IAAS VM
FEATURE AZURE BACKUP AGENT SYSTEM CENTER DPM AZURE BACKUP SERVER BACKUP

Network compression
(to backup server)

Network compression
(to Recovery
Services vault)

Network protocol TCP TCP


(to backup server)

Network protocol HTTPS HTTPS HTTPS HTTPS


(to Recovery
Services vault)

The VM extension (on the IaaS VM) reads the data directly from the Azure storage account over the storage
network, so it is not necessary to compress this traffic.
If you use a System Center DPM server or Azure Backup Server as a secondary backup server, compress the data
going from the primary server to the backup server. Compressing data before backing it up to DPM or Azure
Backup Server saves bandwidth.
Network Throttling
The Azure Backup agent offers network throttling, which allows you to control how network bandwidth is used
during data transfer. Throttling can be helpful if you need to back up data during work hours but do not want the
backup process to interfere with other internet traffic. Throttling for data transfer applies to backup and restore
activities.

Backup and retention


Azure Backup has a limit of 9999 recovery points, also known as backup copies or snapshots, per protected
instance. A protected instance is a computer, server (physical or virtual), or workload configured to back up data to
Azure. For more information, see the section, What is a protected instance. An instance is protected once a backup
copy of data has been saved. The backup copy of data is the protection. If the source data was lost or became
corrupt, the backup copy could restore the source data. The following table shows the maximum backup frequency
for each component. Your backup policy configuration determines how quickly you consume the recovery points.
For example, if you create a recovery point each day, then you can retain recovery points for 27 years before you
run out. If you take a monthly recovery point, you can retain recovery points for 833 years before you run out. The
Backup service does not set an expiration time limit on a recovery point.

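Backup frequency (to Recovery Services vault)
  AZURE BACKUP AGENT: Three backups per day
  SYSTEM CENTER DPM: Two backups per day
  AZURE BACKUP SERVER: Two backups per day
  AZURE IAAS VM BACKUP: One backup per day

Backup frequency (to disk)
  AZURE BACKUP AGENT: Not applicable
  SYSTEM CENTER DPM: Every 15 minutes for SQL Server; every hour for other workloads
  AZURE BACKUP SERVER: Every 15 minutes for SQL Server; every hour for other workloads
  AZURE IAAS VM BACKUP: Not applicable

Retention options
  AZURE BACKUP AGENT: Daily, weekly, monthly, yearly
  SYSTEM CENTER DPM: Daily, weekly, monthly, yearly
  AZURE BACKUP SERVER: Daily, weekly, monthly, yearly
  AZURE IAAS VM BACKUP: Daily, weekly, monthly, yearly

Maximum recovery points per protected instance
  AZURE BACKUP AGENT: 9999
  SYSTEM CENTER DPM: 9999
  AZURE BACKUP SERVER: 9999
  AZURE IAAS VM BACKUP: 9999

Maximum retention period
  AZURE BACKUP AGENT: Depends on backup frequency
  SYSTEM CENTER DPM: Depends on backup frequency
  AZURE BACKUP SERVER: Depends on backup frequency
  AZURE IAAS VM BACKUP: Depends on backup frequency

Recovery points on local disk
  AZURE BACKUP AGENT: Not applicable
  SYSTEM CENTER DPM: 64 for File Servers, 448 for Application Servers
  AZURE BACKUP SERVER: 64 for File Servers, 448 for Application Servers
  AZURE IAAS VM BACKUP: Not applicable

Recovery points on tape
  AZURE BACKUP AGENT: Not applicable
  SYSTEM CENTER DPM: Unlimited
  AZURE BACKUP SERVER: Not applicable
  AZURE IAAS VM BACKUP: Not applicable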

What is a protected instance


A protected instance is a generic reference to a Windows computer, a server (physical or virtual), or SQL database
that has been configured to back up to Azure. An instance is protected once you configure a backup policy for the
computer, server, or database, and create a backup copy of the data. Subsequent copies of the backup data for that
protected instance (which are called recovery points), increase the amount of storage consumed. You can create up
to 9999 recovery points for a protected instance. If you delete a recovery point from storage, it does not count
against the 9999 recovery point total. Some common examples of protected instances are virtual machines,
application servers, databases, and personal computers running the Windows operating system. For example:
A virtual machine running the Hyper-V or Azure IaaS hypervisor fabric. The guest operating systems for the
virtual machine can be Windows Server or Linux.
An application server: The application server can be a physical or virtual machine running Windows Server and
workloads with data that needs to be backed up. Common workloads are Microsoft SQL Server, Microsoft
Exchange server, Microsoft SharePoint server, and the File Server role on Windows Server. To back up these
workloads you need System Center Data Protection Manager (DPM) or Azure Backup Server.
A personal computer, workstation, or laptop running the Windows operating system.

What is a Recovery Services vault?


A Recovery Services vault is an online storage entity in Azure used to hold data such as backup copies, recovery
points, and backup policies. You can use Recovery Services vaults to hold backup data for Azure services and on-
premises servers and workstations. Recovery Services vaults make it easy to organize your backup data, while
minimizing management overhead. You can create as many Recovery Services vaults as you like, within a
subscription.
Backup vaults, which are based on Azure Service Manager, were the first version of the vault. Recovery Services
vaults, which add the Azure Resource Manager model features, are the second version of the vault. See the
Recovery Services vault overview article for a full description of the feature differences. You can no longer
use the portal to create Backup vaults, but Backup vaults are still supported. You must use the Azure portal to
manage your Backup vaults.

IMPORTANT
You can now upgrade your Backup vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to a
Recovery Services vault. Microsoft encourages you to upgrade your Backup vaults to Recovery Services vaults.
After October 15, 2017, you will no longer be able to use PowerShell to create Backup vaults.
By November 1, 2017 any remaining Backup vaults will be automatically upgraded to Recovery Services vaults.

How does Azure Backup differ from Azure Site Recovery?


Azure Backup and Azure Site Recovery are related in that both services back up data and can restore that data.
However, these services serve different purposes in providing business continuity and disaster recovery in your
business. Use Azure Backup to protect and restore data at a more granular level. For example, if a presentation on
a laptop became corrupted, you would use Azure Backup to restore the presentation. If you wanted to replicate the
configuration and data on a VM across another datacenter, use Azure Site Recovery.
Azure Backup protects data on-premises and in the cloud. Azure Site Recovery coordinates virtual-machine and
physical-server replication, failover, and failback. Both services are important because your disaster recovery
solution needs to keep your data safe and recoverable (Backup) and keep your workloads available (Site Recovery)
when outages occur.
The following concepts can help you make important decisions around backup and disaster recovery.

CONCEPT: Recovery point objective (RPO)
DETAILS: The amount of acceptable data loss if a recovery needs to be done.
BACKUP: Backup solutions have wide variability in their acceptable RPO. Virtual machine backups usually have an
RPO of one day, while database backups have RPOs as low as 15 minutes.
DISASTER RECOVERY (DR): Disaster recovery solutions have low RPOs. The DR copy can be behind by a few
seconds or a few minutes.

CONCEPT: Recovery time objective (RTO)
DETAILS: The amount of time that it takes to complete a recovery or restore.
BACKUP: Because of the larger RPO, the amount of data that a backup solution needs to process is typically much
higher, which leads to longer RTOs. For example, it can take days to restore data from tapes, depending on the
time it takes to transport the tape from an off-site location.
DISASTER RECOVERY (DR): Disaster recovery solutions have smaller RTOs because they are more in sync with
the source. Fewer changes need to be processed.

CONCEPT: Retention
DETAILS: How long data needs to be stored
BACKUP: For scenarios that require operational recovery (data corruption, inadvertent file deletion, OS failure),
backup data is typically retained for 30 days or less. From a compliance standpoint, data might need to be stored
for months or even years. Backup data is ideally suited for archiving in such cases.
DISASTER RECOVERY (DR): Disaster recovery needs only operational recovery data, which typically takes a few
hours or up to a day. Because of the fine-grained data capture used in DR solutions, using DR data for
long-term retention is not recommended.

Next steps
Use one of the following tutorials for detailed, step-by-step instructions for protecting data on Windows Server, or
protecting a virtual machine (VM) in Azure:
Back up Files and Folders
Backup Azure Virtual Machines
For details about protecting other workloads, try one of these articles:
Back up your Windows Server
Back up application workloads
Backup Azure IaaS VMs
Back up a virtual machine in Azure
9/25/2017 3 min to read

Azure backups can be created through the Azure portal. This method provides a browser-based user interface to
create and configure Azure backups and all related resources. You can protect your data by taking backups at
regular intervals. Azure Backup creates recovery points that can be stored in geo-redundant recovery vaults. This
article details how to back up a virtual machine (VM) with the Azure portal.
This quick start enables backup on an existing Azure VM. If you need to create a VM, you can create a VM with the
Azure portal.

Log in to Azure
Log in to the Azure portal at http://portal.azure.com.

Select a VM to back up
Create a simple scheduled daily backup to a Recovery Services Vault.
1. In the menu on the left, select Virtual machines.
2. From the list, choose a VM to back up. If you used the sample VM quick start commands, the VM is named
myVM in the myResourceGroup resource group.
3. In the Settings section, choose Backup. The Enable backup window opens.

Enable backup on a VM
A Recovery Services vault is a logical container that stores the backup data for each protected resource, such as
Azure VMs. When the backup job for a protected resource runs, it creates a recovery point inside the Recovery
Services vault. You can then use one of these recovery points to restore data to a given point in time.
1. Select Create new and provide a name for the new vault, such as myRecoveryServicesVault.
2. If not already selected, choose Use existing, then select the resource group of your VM from the drop-
down menu.
By default, the vault is set for Geo-Redundant storage. To further protect your data, this storage redundancy
level ensures that your backup data is replicated to a secondary Azure region that is hundreds of miles away
from the primary region.
You create and use policies to define when a backup job runs and how long the recovery points are stored.
The default protection policy runs a backup job each day and retains recovery points for 30 days. You can
use these default policy values to quickly protect your VM.
3. To accept the default backup policy values, select Enable Backup.

Start a backup job


You can start a backup now rather than wait for the default policy to run the job at the scheduled time. This first
backup job creates a full recovery point. Each backup job after this initial backup creates incremental recovery
points. Incremental recovery points are storage and time-efficient, as they only transfer changes made since the
last backup.
1. On the Backup window for your VM, select Backup now.
2. To accept the backup retention policy of 30 days, leave the default Retain Backup Till date. To start the job,
select Backup.

Monitor the backup job


In the Backup window for your VM, the status of the backup and number of completed restore points are shown.
Once the VM backup job is complete, information on the Last backup time, Latest restore point, and Oldest
restore point is shown on the right-hand side of the Overview window.

Clean up deployment
When no longer needed, you can disable protection on the VM, remove the restore points and Recovery Services
vault, then delete the resource group and associated VM resources.
If you are going to continue on to a Backup tutorial that explains how to restore data for your VM, skip the steps in
this section and go to Next steps.
1. Select the Backup option for your VM.
2. Select ...More to show additional options, then choose Stop backup.
3. Select Delete Backup Data from the drop-down menu.
4. In the Type the name of the Backup item dialog, enter your VM name, such as myVM. Select Stop
Backup.
Once the VM backup has been stopped and recovery points removed, you can delete the resource group. If
you used an existing VM, you may wish to leave the resource group and VM in place.
5. In the menu on the left, select Resource groups.
6. From the list, choose your resource group. If you used the sample VM quick start commands, the resource
group is named myResourceGroup.
7. Select Delete resource group. To confirm, enter the resource group name, then select Delete.

Next steps
In this quick start, you created a Recovery Services vault, enabled protection on a VM, and created the initial
recovery point. To learn more about Azure Backup and Recovery Services, continue to the tutorials.
Back up multiple Azure VMs
Back up a virtual machine in Azure with PowerShell
9/25/2017 4 min to read

The Azure PowerShell module is used to create and manage Azure resources from the command line or in scripts.
You can protect your data by taking backups at regular intervals. Azure Backup creates recovery points that can be
stored in geo-redundant recovery vaults. This article details how to back up a virtual machine (VM) with the Azure
PowerShell module. You can also perform these steps with the Azure CLI or Azure portal.
This quick start enables backup on an existing Azure VM. If you need to create a VM, you can create a VM with
Azure PowerShell.
This quick start requires the Azure PowerShell module version 4.4 or later. Run Get-Module -ListAvailable AzureRM
to find the version. If you need to install or upgrade, see Install Azure PowerShell module.

Log in to Azure
Log in to your Azure subscription with the Login-AzureRmAccount command and follow the on-screen directions.

Login-AzureRmAccount

The first time you use Azure Backup, you must register the Azure Recovery Service provider in your subscription
with Register-AzureRmResourceProvider.

Register-AzureRmResourceProvider -ProviderNamespace "Microsoft.RecoveryServices"

Create a recovery services vault


A Recovery Services vault is a logical container that stores the backup data for each protected resource, such as
Azure VMs. When the backup job for a protected resource runs, it creates a recovery point inside the Recovery
Services vault. You can then use one of these recovery points to restore data to a given point in time.
Create a Recovery Services vault with New-AzureRmRecoveryServicesVault. Specify the same resource group and
location as the VM you wish to protect. If you used the sample script to create your VM, the resource group is
named myResourceGroup, the VM is named myVM, and the resources are in the WestEurope location.

New-AzureRmRecoveryServicesVault `
-ResourceGroupName "myResourceGroup" `
-Name "myRecoveryServicesVault" `
-Location "WestEurope"

By default, the vault is set for Geo-Redundant storage. To further protect your data, this storage redundancy level
ensures that your backup data is replicated to a secondary Azure region that is hundreds of miles away from the
primary region.
To use this vault with the remaining steps, set the vault context with Set-AzureRmRecoveryServicesVaultContext:

Get-AzureRmRecoveryServicesVault `
-Name "myRecoveryServicesVault" | Set-AzureRmRecoveryServicesVaultContext

Enable backup for an Azure VM
You create and use policies to define when a backup job runs and how long the recovery points are stored. The
default protection policy runs a backup job each day and retains recovery points for 30 days. You can use these
default policy values to quickly protect your VM. First, set the default policy with
Get-AzureRmRecoveryServicesBackupProtectionPolicy:

$policy = Get-AzureRmRecoveryServicesBackupProtectionPolicy -Name "DefaultPolicy"

To enable backup protection for a VM, use Enable-AzureRmRecoveryServicesBackupProtection. Specify the policy
to use, then the resource group and VM to protect:

Enable-AzureRmRecoveryServicesBackupProtection `
-ResourceGroupName "myResourceGroup" `
-Name "myVM" `
-Policy $policy

Start a backup job


To start a backup now rather than wait for the default policy to run the job at the scheduled time, use
Backup-AzureRmRecoveryServicesBackupItem. This first backup job creates a full recovery point. Each backup job after this
initial backup creates incremental recovery points. Incremental recovery points are storage and time-efficient, as
they only transfer changes made since the last backup.
In the following set of commands, you specify a container in the Recovery Services vault that holds your backup
data with Get-AzureRmRecoveryServicesBackupContainer. Each VM to back up is treated as an item. To start a
backup job, obtain information on your VM item with Get-AzureRmRecoveryServicesBackupItem.

$backupcontainer = Get-AzureRmRecoveryServicesBackupContainer `
-ContainerType "AzureVM" `
-FriendlyName "myVM"

$item = Get-AzureRmRecoveryServicesBackupItem `
-Container $backupcontainer `
-WorkloadType "AzureVM"

Backup-AzureRmRecoveryServicesBackupItem -Item $item

As this first backup job creates a full recovery point, the process can take up to 20 minutes.

Monitor the backup job


To monitor the status of backup jobs, use Get-AzureRmRecoveryservicesBackupJob:

Get-AzureRmRecoveryservicesBackupJob

The output is similar to the following example, which shows the backup job is InProgress:

WorkloadName  Operation        Status      StartTime             EndTime               JobID
------------  ---------        ------      ---------             -------               -----
myvm          Backup           InProgress  9/18/2017 9:38:02 PM                        9f9e8f14
myvm          ConfigureBackup  Completed   9/18/2017 9:33:18 PM  9/18/2017 9:33:51 PM  fe79c739

When the Status of the backup job reports Completed, your VM is protected with Recovery Services and has a full
recovery point stored.

Clean up deployment
When no longer needed, you can disable protection on the VM, remove the restore points and Recovery Services
vault, then delete the resource group and associated VM resources. If you used an existing VM, you can skip the
final Remove-AzureRmResourceGroup cmdlet to leave the resource group and VM in place.
If you are going to continue on to a Backup tutorial that explains how to restore data for your VM, skip the steps in
this section and go to Next steps.

Disable-AzureRmRecoveryServicesBackupProtection -Item $item -RemoveRecoveryPoints


$vault = Get-AzureRmRecoveryServicesVault -Name "myRecoveryServicesVault"
Remove-AzureRmRecoveryServicesVault -Vault $vault
Remove-AzureRmResourceGroup -Name "myResourceGroup"

Next steps
In this quick start, you created a Recovery Services vault, enabled protection on a VM, and created the initial
recovery point. To learn more about Azure Backup and Recovery Services, continue to the tutorials.
Back up multiple Azure VMs
Back up a virtual machine in Azure with the CLI
10/2/2017 4 min to read

The Azure CLI is used to create and manage Azure resources from the command line or in scripts. You can protect
your data by taking backups at regular intervals. Azure Backup creates recovery points that can be stored in geo-
redundant recovery vaults. This article details how to back up a virtual machine (VM) in Azure with the Azure CLI.
You can also perform these steps with Azure PowerShell or in the Azure portal.
This quick start enables backup on an existing Azure VM. If you need to create a VM, you can create a VM with the
Azure CLI.

Launch Azure Cloud Shell


The Azure Cloud Shell is a free Bash shell that you can run directly within the Azure portal. It has the Azure CLI
preinstalled and configured to use with your account. Click the Cloud Shell button on the menu in the upper-right
of the Azure portal.

The button launches an interactive shell that you can use to run the steps in this topic:

To install and use the CLI locally, you must run Azure CLI version 2.0.18 or later. To find the CLI version, run
az --version. If you need to install or upgrade, see Install Azure CLI 2.0.

Create a recovery services vault


A Recovery Services vault is a logical container that stores the backup data for each protected resource, such as
Azure VMs. When the backup job for a protected resource runs, it creates a recovery point inside the Recovery
Services vault. You can then use one of these recovery points to restore data to a given point in time.
Create a Recovery Services vault with az backup vault create. Specify the same resource group and location as the
VM you wish to protect. If you used the VM quickstart, then you created:
a resource group named myResourceGroup,
a VM named myVM,
resources in the eastus location.

az backup vault create --resource-group myResourceGroup \
--name myRecoveryServicesVault \
--location eastus

By default, the Recovery Services vault is set for Geo-Redundant storage. Geo-Redundant storage ensures your
backup data is replicated to a secondary Azure region that is hundreds of miles away from the primary region.

Enable backup for an Azure VM


Create a protection policy to define when a backup job runs and how long the recovery points are stored. The
default protection policy runs a backup job each day and retains recovery points for 30 days. You can use these
default policy values to quickly protect your VM. To enable backup protection for a VM, use az backup protection
enable-for-vm. Specify the resource group and VM to protect, then the policy to use:

az backup protection enable-for-vm \
--resource-group myResourceGroup \
--vault-name myRecoveryServicesVault \
--vm myVM \
--policy-name DefaultPolicy

Start a backup job


To start a backup now rather than wait for the default policy to run the job at the scheduled time, use az backup
protection backup-now. This first backup job creates a full recovery point. Each backup job after this initial backup
creates incremental recovery points. Incremental recovery points are storage and time-efficient, as they only
transfer changes made since the last backup.
The following parameters are used to back up the VM:
--container-name is the name of your VM
--item-name is the name of your VM
--retain-until value should be set to the last available date, in UTC time format (dd-mm-yyyy), that you wish
the recovery point to be available
The following example backs up the VM named myVM and sets the expiration of the recovery point to October 18,
2017:

az backup protection backup-now \
--resource-group myResourceGroup \
--vault-name myRecoveryServicesVault \
--container-name myVM \
--item-name myVM \
--retain-until 18-10-2017

Monitor the backup job


To monitor the status of backup jobs, use az backup job list:
az backup job list \
--resource-group myResourceGroup \
--vault-name myRecoveryServicesVault \
--output table

The output is similar to the following example, which shows the backup job is InProgress:

Name      Operation        Status      Item Name    Start Time UTC       Duration
--------  ---------------  ----------  -----------  -------------------  --------------
a0a8e5e6  Backup           InProgress  myvm         2017-09-19T03:09:21  0:00:48.718366
fe5d0414  ConfigureBackup  Completed   myvm         2017-09-19T03:03:57  0:00:31.191807

When the Status of the backup job reports Completed, your VM is protected with Recovery Services and has a full
recovery point stored.

Clean up deployment
When no longer needed, you can disable protection on the VM, remove the restore points and Recovery Services
vault, then delete the resource group and associated VM resources. If you used an existing VM, you can skip the
final az group delete command to leave the resource group and VM in place.
If you want to try a Backup tutorial that explains how to restore data for your VM, go to Next steps.

az backup protection disable \
--resource-group myResourceGroup \
--vault-name myRecoveryServicesVault \
--container-name myVM \
--item-name myVM \
--delete-backup-data true

az backup vault delete \
--resource-group myResourceGroup \
--name myRecoveryServicesVault

az group delete --name myResourceGroup

Next steps
In this quick start, you created a Recovery Services vault, enabled protection on a VM, and created the initial
recovery point. To learn more about Azure Backup and Recovery Services, continue to the tutorials.
Back up multiple Azure VMs
Use Azure portal to back up multiple virtual machines
9/25/2017 6 min to read

When you back up data in Azure, you store that data in an Azure resource called a Recovery Services vault. The
Recovery Services vault resource is available from the Settings menu of most Azure services. Having the Recovery
Services vault integrated into the Settings menu of most Azure services makes it very easy to back up data.
However, individually working with each database or virtual machine in your business is tedious. What if
you want to back up the data for all virtual machines in one department, or in one location? It is easy to back up
multiple virtual machines by creating a backup policy and applying that policy to the desired virtual machines. This
tutorial explains how to:
Create a Recovery Services vault
Define a backup policy
Apply the backup policy to protect multiple virtual machines
Trigger an on-demand backup job for the protected virtual machines

Log in to the Azure portal


Log in to the Azure portal.

Create a Recovery Services vault


The Recovery Services vault contains the backup data, and the backup policy applied to the protected virtual
machines. Backing up virtual machines is a local process. You cannot back up a virtual machine from one location
to a Recovery Services vault in another location. So, for each Azure location that has virtual machines to be backed
up, at least one Recovery Services vault must exist in that location.
1. On the left-hand menu, select More services and in the services list, type Recovery Services. As you type,
the list of resources filters. When you see Recovery Services vaults in the list, select it to open the Recovery
Services vaults menu.
2. In the Recovery Services vaults menu, click Add to open the Recovery Services vault menu.

3. In the Recovery Services vault menu:
Type myRecoveryServicesVault in Name.
The current subscription ID appears in Subscription. If you have additional subscriptions, you could
choose another subscription for the new vault.
For Resource group select Use existing and choose myResourceGroup. If myResourceGroup doesn't
exist, select Create new and type myResourceGroup.
From the Location drop-down menu, choose West Europe.
Click Create to create your Recovery Services vault.
A Recovery Services vault must be in the same location as the virtual machines being protected. If you have virtual
machines in multiple regions, create a Recovery Services vault in each region. This tutorial creates a Recovery
Services vault in West Europe because that is where myVM (the virtual machine created with the quickstart) was
created.
It can take several minutes for the Recovery Services vault to be created. Monitor the status notifications in the
upper right-hand area of the portal. Once your vault is created, it appears in the list of Recovery Services vaults.
When you create a Recovery Services vault, by default the vault has geo-redundant storage. To provide data
resiliency, geo-redundant storage replicates the data multiple times across two Azure regions.

Set backup policy to protect VMs


After creating the Recovery Services vault, the next step is to configure the vault for the type of data, and to set the
backup policy. Backup policy is the schedule for how often and when recovery points are taken. Policy also
includes the retention range for the recovery points. For this tutorial let's assume your business is a sports
complex with a hotel, stadium, and restaurants and concessions, and you are protecting the data on the virtual
machines. The following steps create a backup policy for the financial data.
1. From the list of Recovery Services vaults, select myRecoveryServicesVault to open its dashboard.

2. On the vault dashboard menu, click Backup to open the Backup menu.
3. On the Backup Goal menu, in the Where is your workload running drop-down menu, choose Azure.
From the What do you want to backup drop-down, choose Virtual machine, and click Backup.
These actions prepare the Recovery Services vault for interacting with a virtual machine. Recovery Services
vaults have a default policy that creates a restore point each day, and retains the restore points for 30 days.
4. To create a new policy, on the Backup policy menu, from the Choose backup policy drop-down menu,
select Create New.

5. In the Backup policy menu, for Policy Name type Finance. Enter the following changes for the Backup
policy:
For Backup frequency set the timezone for Central Time. Since the sports complex is in Texas, the
owner wants the timing to be local. Leave the backup frequency set to Daily at 3:30AM.
For Retention of daily backup point, set the period to 90 days.
For Retention of weekly backup point, use the Monday restore point and retain it for 52 weeks.
For Retention of monthly backup point, use the restore point from First Sunday of the month, and
retain it for 36 months.
Deselect the Retention of yearly backup point option. The leader of Finance doesn't want to keep
data longer than 36 months.
Click OK to create the backup policy.
After creating the backup policy, associate the policy with the virtual machines.
6. In the Select virtual machines dialog select myVM and click OK to deploy the backup policy to the virtual
machines.
All virtual machines that are in the same location, and are not already associated with a backup policy,
appear. myVMH1 and myVMR1 are selected to be associated with the Finance policy.
When the deployment completes, you receive a notification that deployment successfully completed.
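
The Finance policy above keeps different recovery points for very different lengths of time. The following shell function is an added example (not part of the original tutorial or of Azure Backup) that works out which rule governs a recovery point taken on a given date and when it would expire. It assumes retention is counted from the backup date and that a point matching several rules is kept for the longest one; the function name retention_expiry is hypothetical.

```shell
#!/bin/sh
# retention_expiry YYYY-MM-DD
# Prints "<rule> <expiry date>" for a recovery point taken on that date under
# the tutorial's Finance policy:
#   daily   -> 90 days
#   weekly  -> Monday point, 52 weeks
#   monthly -> first Sunday of the month, 36 months
#   yearly  -> not retained
# Assumption (not stated on the page): a point that matches several rules is
# kept for the longest one, and retention is counted from the backup date.
# Prints "invalid" and returns 1 for a malformed or impossible date.
retention_expiry() {
    awk -v date="$1" '
    function floordiv(a, b) { return (a - ((a % b) + b) % b) / b }

    # Days since 1970-01-01 for a Gregorian calendar date.
    function to_days(y, m, d,   era, yoe, doy) {
        if (m <= 2) y--
        era = floordiv(y, 400); yoe = y - era * 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
        return era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
    }

    # Inverse of to_days: day number back to YYYY-MM-DD.
    function from_days(z,   era, doe, yoe, doy, mp, y, m, d) {
        z += 719468
        era = floordiv(z, 146097); doe = z - era * 146097
        yoe = int((doe - int(doe / 1460) + int(doe / 36524) - int(doe / 146096)) / 365)
        doy = doe - (365 * yoe + int(yoe / 4) - int(yoe / 100))
        mp = int((5 * doy + 2) / 153)
        d = doy - int((153 * mp + 2) / 5) + 1
        m = (mp < 10) ? mp + 3 : mp - 9
        y = yoe + era * 400 + (m <= 2 ? 1 : 0)
        return sprintf("%04d-%02d-%02d", y, m, d)
    }

    BEGIN {
        if (date !~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/) { print "invalid"; exit 1 }
        split(date, p, "-"); y = p[1] + 0; m = p[2] + 0; d = p[3] + 0
        n = to_days(y, m, d)
        if (from_days(n) != date) { print "invalid"; exit 1 }   # e.g. 2017-02-30

        dow = (n + 4) % 7            # 0 = Sunday; 1970-01-01 was a Thursday

        rule = "daily"; expiry = n + 90
        if (dow == 1 && n + 52 * 7 > expiry) { rule = "weekly"; expiry = n + 52 * 7 }
        if (dow == 0 && d <= 7) {    # first Sunday of the month
            e = to_days(y + 3, m, d) # 36 months later, same day of the month
            if (e > expiry) { rule = "monthly"; expiry = e }
        }
        print rule, from_days(expiry)
    }'
}

# Example: retention_expiry 2017-10-01   -> monthly 2020-10-01
```

Only the Monday and first-Sunday points outlive the 90-day daily window, so a restore to an arbitrary weekday is possible only within the last 90 days.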

Initial backup
You have enabled backup for the Recovery Services vaults, but an initial backup has not been created. It is a
disaster recovery best practice to trigger the first backup, so that your data is protected.
To run an on-demand backup job:
1. On the vault dashboard, click 3 under Backup Items, to open the Backup Items menu.
The Backup Items menu opens.
2. On the Backup Items menu, click Azure Virtual Machine to open the list of virtual machines associated
with the vault.

The Backup Items list opens.

3. On the Backup Items list, click the ellipses ... to open the Context menu.
4. On the Context menu, select Backup now.

The Backup Now menu opens.


5. On the Backup Now menu, enter the last day to retain the recovery point, and click Backup.

Deployment notifications let you know the backup job has been triggered, and that you can monitor the
progress of the job on the Backup jobs page. Depending on the size of your virtual machine, creating the
initial backup may take a while.
When the initial backup job completes, you can see its status in the Backup job menu. The on-demand
backup job created the initial restore point for myVM. If you want to back up other virtual machines, repeat
these steps for each virtual machine.

Clean up resources
If you plan to continue on to work with subsequent tutorials, do not clean up the resources created in this tutorial.
If you do not plan to continue, use the following steps to delete all resources created by this tutorial in the Azure
portal.
1. On the myRecoveryServicesVault dashboard, click 3 under Backup Items, to open the Backup Items
menu.
2. On the Backup Items menu, click Azure Virtual Machine to open the list of virtual machines associated
with the vault.

The Backup Items list opens.


3. In the Backup Items menu, click the ellipsis to open the Context menu.
4. On the context menu, select Stop backup to open the Stop Backup menu.

5. In the Stop Backup menu, select the upper drop-down menu and choose Delete Backup Data.
6. In the Type the name of the Backup item dialog, type myVM.
7. Once the backup item is verified (a checkmark appears), the Stop backup button is enabled. Click Stop
Backup to stop the policy and delete the restore points.
8. In the myRecoveryServicesVault menu, click Delete.
Once the vault is deleted, you return to the list of Recovery Services vaults.

Next steps
In this tutorial you used the Azure portal to:
Create a Recovery Services vault
Set the vault to protect virtual machines
Create a custom backup and retention policy
Assign the policy to protect multiple virtual machines
Trigger an on-demand backup for virtual machines
Continue to the next tutorial to restore an Azure virtual machine from disk.
Restore VMs using CLI
Restore a disk and create a recovered VM in Azure
9/29/2017 5 min to read

Azure Backup creates recovery points that are stored in geo-redundant recovery vaults. When you restore from a
recovery point, you can restore the whole VM or individual files. This article explains how to restore a complete VM.
In this tutorial you learn how to:
List and select recovery points
Restore a disk from a recovery point
Create a VM from the restored disk

Launch Azure Cloud Shell


The Azure Cloud Shell is a free Bash shell that you can run directly within the Azure portal. It has the Azure CLI
preinstalled and configured to use with your account. Click the Cloud Shell button on the menu in the upper-right
of the Azure portal.

The button launches an interactive shell that you can use to run the steps in this topic:

If you choose to install and use the CLI locally, this tutorial requires that you are running the Azure CLI version
2.0.18 or later. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI 2.0.

Prerequisites
This tutorial requires a Linux VM that has been protected with Azure Backup. To simulate an accidental VM deletion
and recovery process, you create a VM from a disk in a recovery point. If you need a Linux VM that has been
protected with Azure Backup, see Back up a virtual machine in Azure with the CLI.

Backup overview
When Azure initiates a backup, the backup extension on the VM takes a point-in-time snapshot. The backup
extension is installed on the VM when the first backup is requested. Azure Backup can also take a snapshot of the
underlying storage if the VM is not running when the backup takes place.
By default, Azure Backup takes a file system consistent backup. Once Azure Backup takes the snapshot, the data is
transferred to the Recovery Services vault. To maximize efficiency, Azure Backup identifies and transfers only the
blocks of data that have changed since the previous backup.
When the data transfer is complete, the snapshot is removed and a recovery point is created.

List available recovery points


To restore a disk, you select a recovery point as the source for the recovery data. As the default policy creates a
recovery point each day and retains them for 30 days, you can keep a set of recovery points that allows you to
select a particular point in time for recovery.
To see a list of available recovery points, use az backup recoverypoint list. The recovery point name is used to
recover disks. In this tutorial, we want the most recent recovery point available. The --query [0].name parameter
selects the most recent recovery point name as follows:

az backup recoverypoint list \
--resource-group myResourceGroup \
--vault-name myRecoveryServicesVault \
--container-name myVM \
--item-name myVM \
--query '[0].name' \
--output tsv

Restore a VM disk
To restore your disk from the recovery point, you first create an Azure storage account. This storage account is
used to store the restored disk. In additional steps, the restored disk is used to create a VM.
1. To create a storage account, use az storage account create. The storage account name must be all lowercase,
and be globally unique. Replace mystorageaccount with your own unique name:

az storage account create \
--resource-group myResourceGroup \
--name mystorageaccount \
--sku Standard_LRS

2. Restore the disk from your recovery point with az backup restore restore-disks. Replace mystorageaccount
with the name of the storage account you created in the preceding command. Replace
myRecoveryPointName with the recovery point name you obtained in the output from the previous az
backup recoverypoint list command:

az backup restore restore-disks \
--resource-group myResourceGroup \
--vault-name myRecoveryServicesVault \
--container-name myVM \
--item-name myVM \
--storage-account mystorageaccount \
--rp-name myRecoveryPointName

Monitor the restore job


To monitor the status of the restore job, use az backup job list:

az backup job list \
--resource-group myResourceGroup \
--vault-name myRecoveryServicesVault \
--output table

The output is similar to the following example, which shows the restore job is InProgress:

Name      Operation        Status      Item Name    Start Time UTC       Duration
--------  ---------------  ----------  -----------  -------------------  --------------
7f2ad916  Restore          InProgress  myvm         2017-09-19T19:39:52  0:00:34.520850
a0a8e5e6  Backup           Completed   myvm         2017-09-19T03:09:21  0:15:26.155212
fe5d0414  ConfigureBackup  Completed   myvm         2017-09-19T03:03:57  0:00:31.191807

When the Status of the restore job reports Completed, the disk has been restored to the storage account.
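
The later steps only work once the job has finished, both here and for the backup job in the CLI quickstart. The following is an added example (not part of the original tutorial) of a shell check that reads the table printed by az backup job list --output table and reports the newest job for an operation and item, so a script can stop instead of continuing early. The function names and the sample table (built from the rows shown above) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the table layout printed by
# `az backup job list --output table`, using the rows shown in this tutorial.
sample_jobs() {
cat <<'EOF'
Name      Operation        Status      Item Name    Start Time UTC       Duration
--------  ---------------  ----------  -----------  -------------------  --------------
7f2ad916  Restore          InProgress  myvm         2017-09-19T19:39:52  0:00:34.520850
a0a8e5e6  Backup           Completed   myvm         2017-09-19T03:09:21  0:15:26.155212
fe5d0414  ConfigureBackup  Completed   myvm         2017-09-19T03:03:57  0:00:31.191807
EOF
}

# latest_job_status OPERATION ITEM
# Reads the job table on stdin and prints the Status of the newest job (by
# Start Time UTC) for that operation and item. The item name is compared
# case-insensitively because the table shows "myvm" for the VM named myVM.
# Prints "NotFound" when no row matches.
latest_job_status() {
    awk -v op="$1" -v item="$2" '
        # Skip the header row, the dashed rule and anything that is not a data row.
        $1 == "Name" || $1 ~ /^-+$/ || NF < 6 { next }
        # ISO 8601 timestamps sort correctly as plain text.
        $2 == op && tolower($4) == tolower(item) && ($5 "") > (newest "") {
            newest = $5
            status = $3
        }
        END { print (status == "" ? "NotFound" : status) }
    '
}

# job_gate OPERATION ITEM
# Exit status for use in scripts:
#   0 = newest matching job is Completed
#   1 = newest matching job is InProgress
#   2 = any other status, or no matching job
job_gate() {
    case "$(latest_job_status "$1" "$2")" in
        Completed)  return 0 ;;
        InProgress) return 1 ;;
        *)          return 2 ;;
    esac
}

# Usage against a real vault (same command as above, piped into the check):
#   az backup job list \
#     --resource-group myResourceGroup \
#     --vault-name myRecoveryServicesVault \
#     --output table | job_gate Restore myVM \
#     || { echo "restore not complete, stopping" >&2; exit 1; }
```

Treating every status other than Completed as a stop condition keeps a failed or missing job from being mistaken for a finished one.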

Convert the restored disk to a Managed Disk


The restore job creates an unmanaged disk. In order to create a VM from the disk, it must first be converted to a
managed disk.
1. Obtain the connection information for your storage account with az storage account show-connection-
string. Replace mystorageaccount with the name of your storage account as follows:

export AZURE_STORAGE_CONNECTION_STRING=$( az storage account show-connection-string \
--resource-group myResourceGroup \
--output tsv \
--name mystorageaccount )

2. Your unmanaged disk is secured in the storage account. The following commands get information about
your unmanaged disk and create a variable named uri that is used in the next step when you create the
Managed Disk.

container=$(az storage container list --query '[0].name' -o tsv)
blob=$(az storage blob list --container-name "$container" --query '[0].name' -o tsv)
uri=$(az storage blob url --container-name "$container" --name "$blob" -o tsv)

3. Now you can create a Managed Disk from your recovered disk with az disk create. The uri variable from the
preceding step is used as the source for your Managed Disk.

az disk create \
--resource-group myResourceGroup \
--name myRestoredDisk \
--source "$uri"

4. As you now have a Managed Disk from your restored disk, clean up the unmanaged disk and storage
account with az storage account delete. Replace mystorageaccount with the name of your storage account
as follows:

az storage account delete \
--resource-group myResourceGroup \
--name mystorageaccount

Create a VM from the restored disk
The final step is to create a VM from the Managed Disk.
1. Create a VM from your Managed Disk with az vm create as follows:

az vm create \
--resource-group myResourceGroup \
--name myRestoredVM \
--attach-os-disk myRestoredDisk \
--os-type linux

2. To confirm that your VM has been created from your recovered disk, list the VMs in your resource group
with az vm list as follows:

az vm list --resource-group myResourceGroup --output table

Next steps
In this tutorial, you restored a disk from a recovery point and then created a VM from the disk. You learned how to:
List and select recovery points
Restore a disk from a recovery point
Create a VM from the restored disk
Advance to the next tutorial to learn about restoring individual files from a recovery point.
Restore files to a virtual machine in Azure
Restore files to a virtual machine in Azure
9/29/2017 6 min to read

Azure Backup creates recovery points that are stored in geo-redundant recovery vaults. When you restore from a
recovery point, you can restore the whole VM or individual files. This article details how to restore individual files.
In this tutorial you learn how to:
List and select recovery points
Connect a recovery point to a VM
Restore files from a recovery point

Launch Azure Cloud Shell


The Azure Cloud Shell is a free Bash shell that you can run directly within the Azure portal. It has the Azure CLI
preinstalled and configured to use with your account. Click the Cloud Shell button on the menu in the upper-right
of the Azure portal.

The button launches an interactive shell that you can use to run the steps in this topic:

If you choose to install and use the CLI locally, this tutorial requires that you are running the Azure CLI version
2.0.18 or later. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI 2.0.

Prerequisites
This tutorial requires a Linux VM that has been protected with Azure Backup. To simulate an accidental file deletion
and recovery process, you delete a page from a web server. If you need a Linux VM that runs a webserver and has
been protected with Azure Backup, see Back up a virtual machine in Azure with the CLI.

Backup overview
When Azure initiates a backup, the backup extension on the VM takes a point-in-time snapshot. The backup
extension is installed on the VM when the first backup is requested. Azure Backup can also take a snapshot of the
underlying storage if the VM is not running when the backup takes place.
By default, Azure Backup takes a file system consistent backup. Once Azure Backup takes the snapshot, the data is
transferred to the Recovery Services vault. To maximize efficiency, Azure Backup identifies and transfers only the
blocks of data that have changed since the previous backup.
When the data transfer is complete, the snapshot is removed and a recovery point is created.

Delete a file from a VM


If you accidentally delete or make changes to a file, you can restore individual files from a recovery point. This
process allows you to browse the files backed up in a recovery point and restore only the files you need. In this
example, we delete a file from a web server to demonstrate the file-level recovery process.
1. To connect to your VM, obtain the IP address of your VM with az vm show:

az vm show --resource-group myResourceGroup --name myVM -d --query '[publicIps]' --output tsv

2. To confirm that your web site currently works, open a web browser to the public IP address of your VM.
Leave the web browser window open.

3. Connect to your VM with SSH. Replace publicIpAddress with the public IP address that you obtained in a
previous command:

ssh publicIpAddress

4. Delete the default page from the web server at /var/www/html/index.nginx-debian.html as follows:

sudo rm /var/www/html/index.nginx-debian.html

5. In your web browser, refresh the web page. The web site no longer loads the page, as shown in the
following example:
6. Close the SSH session to your VM as follows:

exit

Generate file recovery script


To restore your files, Azure Backup provides a script to run on your VM that connects your recovery point as a local
drive. You can browse this local drive, restore files to the VM itself, then disconnect the recovery point. Azure
Backup continues to back up your data based on the assigned policy for schedule and retention.
1. To list recovery points for your VM, use az backup recoverypoint list. In this example, we select the most
recent recovery point for the VM named myVM that is protected in myRecoveryServicesVault:

az backup recoverypoint list \
    --resource-group myResourceGroup \
    --vault-name myRecoveryServicesVault \
    --container-name myVM \
    --item-name myVM \
    --query "[0].name" \
    --output tsv

2. To obtain the script that connects, or mounts, the recovery point to your VM, use az backup restore files
mount-rp. The following example obtains the script for the VM named myVM that is protected in
myRecoveryServicesVault.
Replace myRecoveryPointName with the name of the recovery point that you obtained in the preceding
command:

az backup restore files mount-rp \
    --resource-group myResourceGroup \
    --vault-name myRecoveryServicesVault \
    --container-name myVM \
    --item-name myVM \
    --rp-name myRecoveryPointName

The script is downloaded and a password is displayed, as in the following example:

File downloaded: myVM_we_1571974050985163527.sh. Use password c068a041ce12465

3. To transfer the script to your VM, use Secure Copy (SCP). Provide the name of your downloaded script, and
replace publicIpAddress with the public IP address of your VM. Make sure you include the trailing : at the
end of the SCP command as follows:

scp myVM_we_1571974050985163527.sh 52.174.241.110:

Restore file to your VM


With the recovery script copied to your VM, you can now connect the recovery point and restore files.
1. Connect to your VM with SSH. Replace publicIpAddress with the public IP address of your VM as follows:

ssh publicIpAddress

2. To allow your script to run correctly, add execute permissions with chmod. Enter the name of your own
script:

chmod +x myVM_we_1571974050985163527.sh

3. To mount the recovery point, run the script. Enter the name of your own script:

./myVM_we_1571974050985163527.sh

As the script runs, you are prompted to enter a password to access the recovery point. Enter the password
shown in the output from the previous az backup restore files mount-rp command that generated the
recovery script.
The output from the script gives you the path for the recovery point. The following example output shows
that the recovery point is mounted at /home/azureuser/myVM-20170919213536/Volume1:

Microsoft Azure VM Backup - File Recovery


______________________________________________
Please enter the password as shown on the portal to securely connect to the recovery point. :
c068a041ce12465

Connecting to recovery point using ISCSI service...

Connection succeeded!

Please wait while we attach volumes of the recovery point to this machine...

************ Volumes of the recovery point and their mount paths on this machine ************

Sr.No. | Disk | Volume | MountPath

1) | /dev/sdc | /dev/sdc1 | /home/azureuser/myVM-20170919213536/Volume1

************ Open File Explorer to browse for files. ************

4. Use cp to copy the NGINX default web page from the mounted recovery point back to the original file
location. Replace the /home/azureuser/myVM-20170919213536/Volume1 mount point with your own
location:

sudo cp /home/azureuser/myVM-20170919213536/Volume1/var/www/html/index.nginx-debian.html /var/www/html/


5. In your web browser, refresh the web page. The web site now loads correctly again.

6. Close the SSH session to your VM as follows:

exit

7. Unmount the recovery point from your VM with az backup restore files unmount-rp. The following example
unmounts the recovery point from the VM named myVM in myRecoveryServicesVault.
Replace myRecoveryPointName with the name of your recovery point that you obtained in the previous
commands:

az backup restore files unmount-rp \
    --resource-group myResourceGroup \
    --vault-name myRecoveryServicesVault \
    --container-name myVM \
    --item-name myVM \
    --rp-name myRecoveryPointName
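The copy in step 4, as an added example that is not part of the tutorial or of the script Azure Backup generates: it reads the mount path from the recovery script's volume table and restores one file with its original mode, refusing symlinks and paths that resolve outside the recovery point. The function names (mount_paths_from_output, restore_verified, demo) and the scratch-directory rehearsal are assumptions made for this example.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, sample data is constructed.

# Read the recovery script's output on stdin and print the MountPath column
# of every volume row, for example "1) | /dev/sdc | /dev/sdc1 | /path".
mount_paths_from_output() {
    sed -n 's/^ *[0-9][0-9]*) *|[^|]*|[^|]*| *\(.*[^ ]\) *$/\1/p'
}

# restore_verified MOUNT_ROOT ABS_PATH [TARGET_ROOT]
# Copy ABS_PATH (the file's original absolute path) out of the recovery point
# mounted at MOUNT_ROOT and confirm the restored copy is byte-identical.
# TARGET_ROOT defaults to "/"; a scratch directory lets you rehearse first.
restore_verified() {
    rv_mount=$1; rv_path=$2; rv_target=${3:-/}

    # The original path is appended to both roots, so it must be absolute.
    case $rv_path in
        /*) ;;
        *) echo "path must be absolute: $rv_path" >&2; return 2 ;;
    esac

    # Canonicalise the mount root so the prefix check compares real paths.
    rv_root=$(cd "$rv_mount" 2>/dev/null && pwd -P) ||
        { echo "recovery point not mounted: $rv_mount" >&2; return 2; }

    rv_src=$rv_root$rv_path
    # Plain files only: a symlink stored in the backup may point anywhere.
    if [ -L "$rv_src" ] || [ ! -f "$rv_src" ]; then
        echo "not a regular file in recovery point: $rv_path" >&2; return 3
    fi
    # Reject ".." segments or symlinked directories that leave the mount.
    rv_srcdir=$(cd "$(dirname "$rv_src")" && pwd -P) || return 3
    case $rv_srcdir/ in
        "$rv_root"/*) ;;
        *) echo "path escapes recovery point: $rv_path" >&2; return 3 ;;
    esac

    rv_dest=${rv_target%/}$rv_path
    rv_tmp=$rv_dest.restore.$$
    [ -d "$(dirname "$rv_dest")" ] ||
        { echo "target directory missing for $rv_dest" >&2; return 4; }

    # -p keeps mode and timestamps, and the owner when run as root; a plain
    # "sudo cp" would leave the restored file owned by root.
    cp -p "$rv_src" "$rv_tmp" || return 5
    if ! cmp -s "$rv_src" "$rv_tmp"; then
        rm -f "$rv_tmp"; echo "copy differs from recovery point" >&2; return 5
    fi
    # Rename within the same directory so the live path changes in one step.
    mv -f "$rv_tmp" "$rv_dest" || { rm -f "$rv_tmp"; return 5; }
}

# Constructed sample: the volume table from the tutorial's example output.
SAMPLE_OUTPUT='Sr.No. | Disk | Volume | MountPath

1) | /dev/sdc | /dev/sdc1 | /home/azureuser/myVM-20170919213536/Volume1'

# Rehearsal against a scratch tree (constructed data, no Azure access needed).
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/Volume1/var/www/html" "$d/live/var/www/html"
    echo '<h1>Welcome to nginx!</h1>' \
        > "$d/Volume1/var/www/html/index.nginx-debian.html"
    restore_verified "$d/Volume1" /var/www/html/index.nginx-debian.html "$d/live"
    rc=$?
    [ "$rc" -eq 0 ] && echo "rehearsal restore verified"
    rm -rf "$d"
    return "$rc"
}

printf '%s\n' "$SAMPLE_OUTPUT" | mount_paths_from_output
demo
```

On the VM, call restore_verified as root with the mount path the recovery script printed and omit the third argument to write to the live file system.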

Next steps
In this tutorial, you connected a recovery point to a VM and restored files for a web server. You learned how to:
List and select recovery points
Connect a recovery point to a VM
Restore files from a recovery point
Advance to the next tutorial to learn about how to back up Windows Server to Azure.
Back up Windows Server to Azure
Back up Windows Server to Azure
9/25/2017

You can use Azure Backup to protect your Windows Server from corruptions, attacks, and disasters. Azure Backup
provides a lightweight tool known as the Microsoft Azure Recovery Services (MARS) agent. The MARS agent is
installed on the Windows Server to protect files and folders, and server configuration info via Windows Server
System State. This tutorial explains how you can use MARS Agent to back up your Windows Server to Azure. In this
tutorial you learn how to:
Download and set up the MARS Agent
Configure backup times and retention schedule for your server's backups
Perform an ad-hoc back up

Log in to Azure
Log in to the Azure portal at http://portal.azure.com.

Create a Recovery Services vault


Before you can back up Windows Server, you must create a place for the backups, or restore points, to be stored. A
Recovery Services vault is a container in Azure that stores the backups from your Windows Server. Follow the steps
below to create a Recovery Services vault in the Azure portal.
1. On the left-hand menu, select More services and in the services list, type Recovery Services. Click
Recovery Services vaults.
2. On the Recovery Services vaults menu, click Add.

3. In the Recovery Services vault menu,


Type myRecoveryServicesVault in Name.
The current subscription ID appears in Subscription.
For Resource group, select Use existing and choose myResourceGroup. If myResourceGroup doesn't
exist, select Create New and type myResourceGroup.
From the Location drop-down menu, choose West Europe.
Click Create to create your Recovery Services vault.
Once your vault is created, it appears in the list of Recovery Services vaults.

Download Recovery Services agent


The Microsoft Azure Recovery Services (MARS) agent creates an association between Windows Server and your
Recovery Services vault. The following procedure explains how to download the agent to your server.
1. From the list of Recovery Services vaults, select myRecoveryServicesVault to open its dashboard.
2. On the vault dashboard menu, click Backup.
3. On the Backup Goal menu:
For Where is your workload running?, select On-premises.
For What do you want to backup?, select Files and folders and System State.

4. Click Prepare Infrastructure to open the Prepare infrastructure menu.


5. On the Prepare infrastructure menu, click Download Agent for Windows Server or Windows Client to
download the MARSAgentInstaller.exe.
The installer opens a separate browser and downloads MARSAgentInstaller.exe.
6. Before you run the downloaded file, click the Download button on the Prepare infrastructure blade to
download and save the Vault Credentials file. This file is required for connecting the MARS Agent with the
Recovery Services Vault.

Install and register the agent


1. Locate and double-click the downloaded MARSAgentInstaller.exe.
2. The Microsoft Azure Recovery Services Agent Setup Wizard appears. As you go through the wizard,
provide the following information when prompted and click Register.
Location for the installation and cache folder.
Proxy server info if you use a proxy server to connect to the internet.
Your user name and password details if you use an authenticated proxy.
3. At the end of the wizard, click Proceed to Registration and provide the Vault Credentials file you
downloaded in the previous procedure.
4. When prompted, provide an encryption passphrase to encrypt backups from Windows Server. Save the
passphrase in a secure location as Microsoft cannot recover the passphrase if it is lost.
5. Click Finish.

Configure Backup and Retention


You use the Microsoft Azure Recovery Services agent to schedule when backups to Azure occur on Windows
Server. Execute the following steps on the server where you downloaded the agent.
1. Open the Microsoft Azure Recovery Services agent. You can find it by searching your machine for Microsoft
Azure Backup.
2. In the Recovery Services agent console, click Schedule Backup under the Actions Pane.

3. Click Next to navigate to the Select Items to Back up page.


4. Click Add Items and from the dialog box that opens select System State and files or folders that you want
to back up. Then click OK.
5. Click Next.
6. On the Specify Backup Schedule page, specify the times of the day, or week when backups need to be
triggered for files and folders. System State backup schedule is automatically configured.

7. On the Select Retention Policy page, select the Retention Policy for the backup copy for files and folders.
The retention period of System State backups is automatically set to 60 days.
8. On the Choose Initial Back up Type page, leave the option Automatically over the network selected, and
then click Next.
9. On the Confirmation page, review the information, and then click Finish.
10. After the wizard finishes creating the backup schedule, click Close.

Perform an ad-hoc back up


You have established the schedule when backup jobs run. However, you have not backed up the server. It is a
disaster recovery best practice to run an on-demand backup to ensure data resiliency for your server.
1. In the Microsoft Azure Recovery Services agent console, click Back Up Now.

2. On the Confirmation page, review the settings that the Back Up Now wizard uses to back up your server.
Then click Back Up.
3. Click Close to close the wizard. If you close the wizard before the back up process finishes, the wizard continues
to run in the background.
4. After the initial backup is completed, Job completed status appears in Jobs pane of the MARS agent console.

Next steps
In this tutorial you used the Azure portal to:
Create a Recovery Services vault
Download the Microsoft Azure Recovery Services agent
Install the agent
Configure backup for Windows Server
Perform an on-demand backup
Continue to the next tutorial to recover files from Azure to Windows Server
Restore files from Azure to Windows Server
Recover files from Azure to a Windows Server
9/25/2017

Azure Backup enables the recovery of individual items from backups of your Windows Server. Recovering
individual files is helpful if you must quickly restore files that are accidentally deleted. This tutorial covers how you
can use the Microsoft Azure Recovery Services (MARS) agent to recover items from backups you have
already performed in Azure. In this tutorial you learn how to:
Initiate recovery of individual items
Select a recovery point
Restore items from a recovery point
This tutorial assumes you have already performed the steps to Back up a Windows Server to Azure and have at
least one backup of your Windows Server files in Azure.

Initiate recovery of individual items


A helpful user interface wizard named Microsoft Azure Backup is installed with the Microsoft Azure Recovery
Services (MARS) agent. The Microsoft Azure Backup wizard works with the Microsoft Azure Recovery Services
(MARS) agent to retrieve backup data from recovery points stored in Azure. Use the Microsoft Azure Backup wizard
to identify the files or folders you want to restore to Windows Server.
1. Open the Microsoft Azure Backup snap-in. You can find it by searching your machine for Microsoft
Azure Backup.

2. In the wizard, click Recover Data in the Actions Pane of the agent console to start the Recover Data
wizard.

3. On the Getting Started page, select This server (server name) and click Next.
4. On the Select Recovery Mode page, select Individual files and folders and then click Next to begin the
recovery point selection process.
5. On the Select Volume and Date page, select the volume that contains the files or folders you want to
restore, and click Mount. Select a date, and select a time from the drop-down menu that corresponds to a
recovery point. Dates in bold indicate the availability of at least one recovery point on that day.

When you click Mount, Azure Backup makes the recovery point available as a disk. Browse and recover files
from the disk.

Restore items from a recovery point


1. Once the recovery volume is mounted, click Browse to open Windows Explorer and find the files and folders
you wish to recover.

You can open the files directly from the recovery volume and verify the files.
2. In Windows Explorer, copy the files and/or folders you want to restore and paste them to any desired
location on the server.

3. When you are finished restoring the files and/or folders, on the Browse and Recovery Files page of the
Recover Data wizard, click Unmount.

4. Click Yes to confirm that you want to unmount the volume.


Once the snapshot is unmounted, Job Completed appears in the Jobs pane in the agent console.

Next steps
This completes the tutorials on backing up and restoring Windows Server data to Azure. To learn more about Azure
Backup, see the PowerShell sample for backing up encrypted virtual machines.
Back up encrypted VM
Azure Backup PowerShell samples
9/25/2017

The following table links to PowerShell script samples that use Azure Backup to back up and restore data.

Back up virtual machines

Back up an encrypted virtual machine to Azure | Back up all data on the encrypted virtual machine.
Questions about the Azure Backup service
9/19/2017

This article has answers to common questions to help you quickly understand the Azure Backup components. In
some of the answers, there are links to the articles that have comprehensive information. You can also post
questions about the Azure Backup service in the discussion forum.

Recovery services vault


Is there any limit on the number of vaults that can be created in each Azure subscription?
Yes. As of September 2016, you can create 25 Recovery Services or backup vaults per subscription. You can
create up to 25 Recovery Services vaults, per supported region of Azure Backup, per subscription. If you need
additional vaults, create an additional subscription.
Are there limits on the number of servers/machines that can be registered against each vault?
Yes, you can register up to 50 machines per vault. For Azure IaaS virtual machines, the limit is 200 VMs per vault.
If you need to register more machines, create another vault.
If my organization has one vault, how can I isolate one server's data from another server when restoring data?
All servers that are registered to the same vault can recover the data backed up by other servers that use the
same passphrase. If you have servers whose backup data you want to isolate from other servers in your
organization, use a designated passphrase for those servers. For example, human resources servers could use one
encryption passphrase, accounting servers another, and storage servers a third.
Can I migrate my backup data or vault between subscriptions?
No. The vault is created at a subscription level and cannot be reassigned to another subscription once it's created.
Recovery Services vaults are Resource Manager based. Are Backup vaults (classic mode) still supported?
All existing Backup vaults in the classic portal continue to be supported. However, you can no longer use the
classic portal to deploy new Backup vaults. Microsoft recommends using Recovery Services vaults for all
deployments because future enhancements apply to Recovery Services vaults only. If you attempt to create a
Backup vault in the classic portal, you will be redirected to the Azure portal.
Can I migrate a Backup vault to a Recovery Services vault?
Yes, you can now upgrade your Backup vault to a Recovery Services vault. For details, refer to the article Upgrade a
Backup vault to a Recovery Services vault.
I backed up my classic VMs in a Backup vault. Can I migrate my VMs from classic mode to Resource Manager
mode and protect them in a Recovery Services vault?
Classic VM recovery points in a backup vault don't automatically migrate to a Recovery Services vault when you
move the VM from classic to Resource Manager mode. Follow these steps to transfer your VM backups:
1. In the Backup vault, go to the Protected Items tab and select the VM. Click Stop Protection. Leave Delete
associated backup data option unchecked.
2. Delete the backup/snapshot extension from the VM.
3. Migrate the virtual machine from classic mode to Resource Manager mode. Make sure the storage and
network information corresponding to the virtual machine is also migrated to Resource Manager mode.
4. Create a Recovery Services vault and configure backup on the migrated virtual machine using Backup action
on top of vault dashboard. For detailed information on backing up a VM to a Recovery Services vault, see the
article, Protect Azure VMs with a Recovery Services vault.

Azure Backup agent


A detailed list of questions is available in FAQ on Azure file-folder backup.

Azure VM backup
A detailed list of questions is available in FAQ on Azure VM backup.

Back up VMware servers


Can I back up VMware vCenter servers to Azure?
Yes. You can use Azure Backup Server to back up VMware vCenter and ESXi to Azure. For information on the
supported VMware version, see the article, Azure Backup Server protection matrix. For step-by-step instructions,
see Use Azure Backup Server to back up a VMware server.

Azure Backup Server and System Center Data Protection Manager


Can I use Azure Backup Server to create a Bare Metal Recovery (BMR) backup for a physical server?
Yes.
Can I register my DPM Server to multiple vaults?
No. A DPM or MABS server can be registered to only one vault.
Which version of System Center Data Protection Manager is supported?
We recommend that you install the latest Azure Backup agent on the latest update rollup (UR) for System Center
Data Protection Manager (DPM). As of August 2016, Update Rollup 11 is the latest update.
I have installed Azure Backup agent to protect my files and folders. Can I now install System Center DPM to
work with Azure Backup agent to protect on-premises application/VM workloads to Azure?
To use Azure Backup with System Center Data Protection Manager (DPM), install DPM first and then install Azure
Backup agent. Installing the Azure Backup components in this order ensures the Azure Backup agent works with
DPM. Installing the Azure Backup agent before installing DPM is not advised or supported.

How Azure Backup works


If I cancel a backup job once it has started, is the transferred backup data deleted?
No. All data transferred into the vault, before the backup job was canceled, stays in the vault. Azure Backup uses a
checkpoint mechanism to occasionally add checkpoints to the backup data during the backup. Because there are
checkpoints in the backup data, the next backup process can validate the integrity of the files. The next backup job
will be incremental to the data previously backed up. Incremental backups only transfer new or changed data,
which equates to better utilization of bandwidth.
If you cancel a backup job for an Azure VM, any transferred data is ignored. The next backup job transfers
incremental data from the last successful backup job.
Are there limits on when or how many times a backup job can be scheduled?
Yes. You can run backup jobs on Windows Server or Windows workstations up to three times/day. You can run
backup jobs on System Center DPM up to twice a day. You can run a backup job for IaaS VMs once a day. You can
use the scheduling policy for Windows Server or Windows workstation to specify daily or weekly schedules.
Using System Center DPM, you can specify daily, weekly, monthly, and yearly schedules.
Why is the size of the data transferred to the Recovery Services vault smaller than the data I backed up?
All the data that is backed up from Azure Backup Agent or SCDPM or Azure Backup Server is compressed and
encrypted before being transferred. Once the compression and encryption are applied, the data in the backup vault
is 30-40% smaller.

What can I back up


Which operating systems does Azure Backup support?
Azure Backup supports the following list of operating systems for backing up: files and folders, and workload
applications protected using Azure Backup Server and System Center Data Protection Manager (DPM).

OPERATING SYSTEM | PLATFORM | SKU
Windows 8 and latest SPs | 64 bit | Enterprise, Pro
Windows 7 and latest SPs | 64 bit | Ultimate, Enterprise, Professional, Home Premium, Home Basic, Starter
Windows 8.1 and latest SPs | 64 bit | Enterprise, Pro
Windows 10 | 64 bit | Enterprise, Pro, Home
Windows Server 2016 | 64 bit | Standard, Datacenter, Essentials
Windows Server 2012 R2 and latest SPs | 64 bit | Standard, Datacenter, Foundation
Windows Server 2012 and latest SPs | 64 bit | Datacenter, Foundation, Standard
Windows Storage Server 2016 and latest SPs | 64 bit | Standard, Workgroup
Windows Storage Server 2012 R2 and latest SPs | 64 bit | Standard, Workgroup
Windows Storage Server 2012 and latest SPs | 64 bit | Standard, Workgroup
Windows Server 2012 R2 and latest SPs | 64 bit | Essential
Windows Server 2008 R2 SP1 | 64 bit | Standard, Enterprise, Datacenter, Foundation
Windows Server 2008 SP2 | 64 bit | Standard, Enterprise, Datacenter, Foundation

For Azure VM backup:


Linux: Azure Backup supports a list of distributions that are endorsed by Azure except Core OS Linux. Other
Bring-Your-Own-Linux distributions also might work as long as the VM agent is available on the virtual
machine and support for Python exists.
Windows Server: Versions older than Windows Server 2008 R2 are not supported.
Is there a limit on the size of each data source being backed up?
There is no limit on the amount of data you can back up to a vault. Azure Backup restricts the maximum size for
the data source; however, these limits are large. As of August 2015, the maximum size for a data source for the
supported operating systems is:

S.NO | OPERATING SYSTEM | MAXIMUM SIZE OF DATA SOURCE
1 | Windows Server 2012 or later | 54,400 GB
2 | Windows 8 or later | 54,400 GB
3 | Windows Server 2008, Windows Server 2008 R2 | 1700 GB
4 | Windows 7 | 1700 GB

The following table explains how each data source size is determined.

DATASOURCE | DETAILS
Volume | The amount of data being backed up from single volume of a server or client machine
Hyper-V virtual machine | Sum of data of all the VHDs of the virtual machine being backed up
Microsoft SQL Server database | Size of single SQL database size being backed up
Microsoft SharePoint | Sum of the content and configuration databases within a SharePoint farm being backed up
Microsoft Exchange | Sum of all Exchange databases in an Exchange server being backed up
BMR/System State | Each individual copy of BMR or system state of the machine being backed up

For Azure VM backup, each VM can have up to 16 data disks with each data disk being of size 1023 GB or less.

Retention policy and recovery points


Is there a difference between the retention policy for DPM and Windows Server/client (that is, on Windows
Server without DPM)?
No, both DPM and Windows Server/client have daily, weekly, monthly, and yearly retention policies.
Can I configure my retention policies selectively i.e. configure weekly and daily but not yearly and monthly?
Yes, the Azure Backup retention structure allows you to have full flexibility in defining the retention policy as per
your requirements.
Can I schedule a backup at 6pm and specify retention policies at a different time?
No. Retention policies can only be applied on backup points. In the following image, the retention policy is
specified for backups taken at 12am and 6pm.
If a backup is retained for a long duration, does it take more time to recover an older data point?
No. The time to recover the oldest or the newest point is the same. Each recovery point behaves like a full point.
If each recovery point is like a full point, does it impact the total billable backup storage?
Typical long-term retention point products store backup data as full points. The full points are storage inefficient
but are easier and faster to restore. Incremental copies are storage efficient but require you to restore a chain of
data, which impacts your recovery time. Azure Backup storage architecture gives you the best of both worlds by
optimally storing data for fast restores and incurring low storage costs. This data storage approach ensures that
your ingress and egress bandwidth is used efficiently. Both the amount of data storage and the time needed to
recover the data are kept to a minimum. Learn more on how incremental backups are efficient.
Is there a limit on the number of recovery points that can be created?
You can create up to 9999 recovery points per protected instance. A protected instance is a computer, server
(physical or virtual), or workload configured to back up data to Azure. For more information, see the explanations
of Backup and retention, and What is a protected instance?
How many recoveries can I perform on the data that is backed up to Azure?
There is no limit on the number of recoveries from Azure Backup.
When restoring data, do I pay for the egress traffic from Azure?
No. Your recoveries are free and you are not charged for the egress traffic.

Azure Backup encryption


Is the data sent to Azure encrypted?
Yes. Data is encrypted on the on-premises server/client/SCDPM machine using AES256 and the data is sent over
a secure HTTPS link.
Is the backup data on Azure encrypted as well?
Yes. The data sent to Azure remains encrypted (at rest). Microsoft does not decrypt the backup data at any point.
When backing up an Azure VM, Azure Backup relies on encryption of the virtual machine. For example, if your VM
is encrypted using Azure Disk Encryption, or some other encryption technology, Azure Backup uses that
encryption to secure your data.
What is the minimum length of encryption key used to encrypt backup data?
The encryption key should be at least 16 characters when you are using Azure backup agent. For Azure VMs,
there is no limit to length of keys used by Azure KeyVault.
What happens if I misplace the encryption key? Can I recover the data (or) can Microsoft recover the data?
The key used to encrypt the backup data is present only on the customer premises. Microsoft does not maintain a
copy in Azure and does not have any access to the key. If the customer misplaces the key, Microsoft cannot
recover the backup data.
Questions about the Azure VM Backup service
10/18/2017

This article has answers to common questions to help you quickly understand the Azure VM Backup components.
In some of the answers, there are links to the articles that have comprehensive information. You can also post
questions about the Azure Backup service in the discussion forum.

Configure backup
Do Recovery Services vaults support classic VMs or Resource Manager based VMs?
Recovery Services vaults support both models. You can back up a classic VM (created in the Classic portal), or a
Resource Manager VM (created in the Azure portal) to a Recovery Services vault.
What configurations are not supported by Azure VM backup?
Go through Supported operating systems and Limitations of VM backup.
Why can't I see my VM in configure backup wizard?
In Configure backup wizard, Azure Backup only lists VMs that are:
Not already protected. You can verify the backup status of a VM by going to VM blade and checking Backup
status from Settings Menu. Learn more on how to Check backup status of a VM.
Belongs to same region as VM

Backup
Will on-demand backup job follow same retention schedule as scheduled backups?
No. You should specify the retention range for an on-demand backup job. By default, it is retained for 30 days
when triggered from portal.
I recently enabled Azure Disk Encryption on some VMs. Will my backups continue to work?
You need to give permissions for Azure Backup service to access Key Vault. You can provide these permissions in
PowerShell using steps mentioned in Enable Backup section of PowerShell documentation.
I migrated disks of a VM to managed disks. Will my backups continue to work?
Yes, backups work seamlessly and there is no need to reconfigure backup.
My VM is shut down. Will an on-demand or a scheduled backup work?
Yes. Even when a machine is shut down, backups work and the recovery point is marked as Crash consistent. For
more details, see the data consistency section in this article.

Restore
How do I decide between restoring disks versus full VM restore?
Think of Azure full VM restore as a quick create option. Restore VM option changes the names of disks, containers
used by those disks, public IP addresses and network interface names. The change is required to maintain the
uniqueness of resources created during VM creation. But it will not add the VM to availability set.
Use restore disks to:
Customize the VM that gets created from point in time configuration like changing the size
Add configurations, which are not present at the time of backup
Control the naming convention for resources getting created
Add VM to availability set
For any other configuration which can be achieved only by using PowerShell/a declarative template definition

Manage VM backups
What happens when I change a backup policy on VM(s)?
When a new policy is applied on VM(s), schedule and retention of the new policy is followed. If retention is
extended, existing recovery points are marked to keep them as per new policy. If retention is reduced, they are
marked for pruning in the next cleanup job and subsequently deleted.
Questions about the Azure Backup agent
8/16/2017

This article has answers to common questions to help you quickly understand the Azure Backup agent
components. In some of the answers, there are links to the articles that have comprehensive information. You can
also post questions about the Azure Backup service in the discussion forum.

Configure backup
Where can I download the latest Azure Backup agent?
You can download the latest agent for backing up Windows Server, System Center DPM, or Windows client, from
here. If you want to back up a virtual machine, use the VM Agent (which automatically installs the proper
extension). The VM Agent is already present on virtual machines created from the Azure gallery.
When configuring the Azure Backup agent, I am prompted to enter the vault credentials. Do vault credentials
expire?
Yes, the vault credentials expire after 48 hours. If the file expires, log in to the Azure portal and download the vault
credentials files from your vault.
What types of drives can I back up files and folders from?
You can't back up the following drives/volumes:
Removable Media: All backup item sources must report as fixed.
Read-only Volumes: The volume must be writable for the volume shadow copy service (VSS) to function.
Offline Volumes: The volume must be online for VSS to function.
Network share: The volume must be local to the server to be backed up using online backup.
Bitlocker-protected volumes: The volume must be unlocked before the backup can occur.
File System Identification: NTFS is the only file system supported.
What file and folder types can I back up from my server?
The following types are supported:
Encrypted
Compressed
Sparse
Compressed + Sparse
Hard Links: Not supported, skipped
Reparse Point: Not supported, skipped
Encrypted + Sparse: Not supported, skipped
Compressed Stream: Not supported, skipped
Sparse Stream: Not supported, skipped
Can I install the Azure Backup agent on an Azure VM already backed up by the Azure Backup service using the VM
extension?
Absolutely. Azure Backup provides VM-level backup for Azure VMs using the VM extension. To protect files and
folders on the guest Windows OS, install the Azure Backup agent on the guest Windows OS.
Can I install the Azure Backup agent on an Azure VM to back up files and folders present on temporary storage
provided by the Azure VM?
Yes. Install the Azure Backup agent on the guest Windows OS, and back up files and folders to temporary storage.
Backup jobs fail once temporary storage data is wiped out. Also, if the temporary storage data has been deleted,
you can only restore to non-volatile storage.
What's the minimum size requirement for the cache folder?
The size of the cache folder determines the amount of data that you are backing up. Your cache folder should be
5% of the space required for data storage.
How do I register my server to another datacenter?
Backup data is sent to the datacenter of the vault to which it is registered. The easiest way to change the datacenter
is to uninstall the agent, reinstall it, and register to a new vault that belongs to the desired datacenter.
Does the Azure Backup agent work on a server that uses Windows Server 2012 deduplication?
Yes. The agent service converts the deduplicated data to normal data when it prepares the backup operation. It then
optimizes the data for backup, encrypts the data, and then sends the encrypted data to the online backup service.

Backup
How do I change the cache location specified for the Azure Backup agent?
Use the following steps to change the cache location.
1. Stop the Backup engine by executing the following command in an elevated command prompt:
PS C:\> Net stop obengine

2. Do not move the files. Instead, copy the cache space folder to a different drive with sufficient space. The
original cache space can be removed after confirming the backups are working with the new cache space.
3. Update the following registry entries with the path to the new cache space folder.

REGISTRY PATH | REGISTRY KEY | VALUE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Azure Backup\Config | ScratchLocation | New cache folder location
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Azure Backup\Config\CloudBackupProvider | ScratchLocation | New cache folder location

4. Restart the Backup engine by executing the following command in an elevated command prompt:
PS C:\> Net start obengine

Once the backup creation is successfully completed in the new cache location, you can remove the original cache
folder.
Where can I put the cache folder for the Azure Backup Agent to work as expected?
The following locations for the cache folder are not recommended:
Network share or Removable Media: The cache folder must be local to the server that needs backing up using
online backup. Network locations or removable media like USB drives are not supported.
Offline Volumes: The cache folder must be online for expected backup using Azure Backup Agent.
Are there any attributes of the cache folder that are not supported?
The following attributes or their combinations are not supported for the cache folder:
Encrypted
De-duplicated
Compressed
Sparse
Reparse-Point
The cache folder and the metadata VHD do not have the necessary attributes for the Azure Backup agent.
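The four-step cache move above, combined with the location and attribute restrictions for the cache folder, scripted as an added example (not part of the original article). The -NewCache parameter is an assumed destination path, and the script assumes the first Config key currently holds the old cache path.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's script: relocate the Azure Backup agent cache.
param(
    # Assumed destination, for example 'E:\AzureBackupCache' (placeholder path).
    [Parameter(Mandatory = $true)] [string] $NewCache
)
$ErrorActionPreference = 'Stop'

# Both keys named in step 3 carry a ScratchLocation value.
$configKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Azure Backup\Config',
    'HKLM:\SOFTWARE\Microsoft\Windows Azure Backup\Config\CloudBackupProvider'
)
$oldCache = (Get-ItemProperty -Path $configKeys[0] -Name ScratchLocation).ScratchLocation

# The cache must be on a local, fixed, online NTFS volume (no share, no USB).
if ($NewCache -notmatch '^[A-Za-z]:\\') { throw "Use a local drive-letter path, not '$NewCache'." }
$drive = New-Object System.IO.DriveInfo ($NewCache.Substring(0, 2))
if (-not $drive.IsReady)           { throw "Volume $($drive.Name) is offline." }
if ($drive.DriveType -ne 'Fixed')  { throw "Volume $($drive.Name) is $($drive.DriveType), not a fixed disk." }
if ($drive.DriveFormat -ne 'NTFS') { throw "Volume $($drive.Name) is $($drive.DriveFormat), not NTFS." }

# A trailing backslash would break robocopy's argument quoting.
$oldCache = $oldCache.TrimEnd('\')
$NewCache = $NewCache.TrimEnd('\')

# Refuse to start if the copy cannot fit on the destination volume.
$needed = (Get-ChildItem -LiteralPath $oldCache -Recurse -Force -File |
           Measure-Object -Property Length -Sum).Sum
if ($drive.AvailableFreeSpace -lt $needed) {
    throw "Need $needed bytes on $($drive.Name), only $($drive.AvailableFreeSpace) free."
}

Stop-Service -Name obengine            # step 1 (same effect as: net stop obengine)
try {
    # Step 2: copy, do not move. The old folder stays as the fallback.
    robocopy $oldCache $NewCache /E /COPYALL /R:1 /W:1 /NP /NFL /NDL | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE." }

    # Attributes the article lists as unsupported for the cache folder.
    # (De-duplication is a volume feature, not a file attribute; check it separately.)
    $bad   = [System.IO.FileAttributes]'Encrypted, Compressed, SparseFile, ReparsePoint'
    $found = (Get-Item -LiteralPath $NewCache -Force).Attributes -band $bad
    if ($found) { throw "New cache folder has unsupported attributes: $found" }

    # Step 3: point both registry values at the new folder.
    foreach ($key in $configKeys) {
        Set-ItemProperty -Path $key -Name ScratchLocation -Value $NewCache
    }
}
finally {
    # Step 4. Runs even when a check failed, so the engine is never left stopped;
    # in that case the registry still points at the old, untouched cache.
    Start-Service -Name obengine
}

Write-Output "Cache moved from '$oldCache' to '$NewCache'. Remove the old folder only after a backup succeeds."
```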
Is there a way to adjust the amount of bandwidth used by the Backup service?
Yes, use the Change Properties option in the Backup Agent to adjust bandwidth. You can adjust the amount of
bandwidth and the times when you use that bandwidth. For step-by-step instructions, see Enable network
throttling.

Manage backups
What happens if I rename a Windows server that is backing up data to Azure?
When you rename a server, all currently configured backups are stopped. Register the new name of the server with
the Backup vault. When you register the new name with the vault, the first backup operation is a full backup. If you
need to recover data backed up to the vault with the old server name, use the Another server option in the
Recover Data wizard.
What is the maximum file path length that can be specified in Backup policy using Azure Backup agent?
Azure Backup agent relies on NTFS. The file path length is limited by the Windows API. If the files you
want to protect have a file-path length longer than what is allowed by the Windows API, back up the parent folder
or the disk drive.
What characters are allowed in file path of Azure Backup policy using Azure Backup agent?
Azure Backup agent relies on NTFS. It enables NTFS supported characters as part of file specification.
I receive the warning, "Azure Backups have not been configured for this server" even though I configured a
backup policy
This warning occurs when the backup schedule settings stored on the local server are not the same as the settings
stored in the backup vault. When either the server or the settings have been recovered to a known good state, the
backup schedules can lose synchronization. If you receive this warning, reconfigure the backup policy and then
Run Back Up Now to resynchronize the local server with Azure.
Backup vault upgraded to Recovery Services vault
10/5/2017 7 min to read

This article provides an overview of what Recovery Services vault provides, frequently asked questions about
upgrading existing Backup vault to Recovery Services vault, and post-upgrade steps. A Recovery Services vault is
the Azure Resource Manager equivalent of a Backup vault that houses your backup data. The data is typically copies
of data, or configuration information for virtual machines (VMs), workloads, servers, or workstations, whether on-
premises or in Azure.

What is a Recovery Services vault?


A Recovery Services vault is an online storage entity in Azure used to hold data such as backup copies, recovery
points, and backup policies. You can use Recovery Services vaults to hold backup data for various Azure services
such as IaaS VMs (Linux or Windows) and Azure SQL databases. Recovery Services vaults support System Center
DPM, Windows Server, Azure Backup Server, and more. Recovery Services vaults make it easy to organize your
backup data, while minimizing management overhead.

Comparing Recovery Services vaults and Backup vaults


Recovery Services vaults are based on the Azure Resource Manager model of Azure, whereas Backup vaults are
based on the Azure Service Manager model. When you upgrade a Backup vault to a Recovery Services vault, the
backup data remains intact during and after the upgrade process. Recovery Services vaults provide features not
available for Backup vaults, such as:
Enhanced capabilities to help secure backup data: With Recovery Services vaults, Azure Backup
provides security capabilities to protect cloud backups. These security features ensure that you can secure
your backups, and safely recover data from cloud backups even if production and backup servers are
compromised. Learn more
Central monitoring for your hybrid IT environment: With Recovery Services vaults, you can monitor not
only your Azure IaaS VMs but also your on-premises assets from a central portal. Learn more
Role-Based Access Control (RBAC): RBAC provides fine-grained access management control in Azure.
Azure provides various built-in roles, and Azure Backup has three built-in roles to manage recovery points.
Recovery Services vaults are compatible with RBAC, which restricts backup and restore access to the defined
set of user roles. Learn more
Protect all configurations of Azure Virtual Machines: Recovery Services vaults protect Resource
Manager-based VMs including Premium Disks, Managed Disks, and Encrypted VMs. Upgrading a Backup
vault to a Recovery Services vault gives you the opportunity to upgrade your Service Manager-based VMs to
Resource Manager-based VMs. While upgrading the vault, you can retain your Service Manager-based VM
recovery points and configure protection for the upgraded (Resource Manager-enabled) VMs. Learn more
Instant restore for IaaS VMs: Using Recovery Services vaults, you can restore files and folders from an IaaS
VM without restoring the entire VM, which enables faster restore times. Instant restore for IaaS VMs is
available for both Windows and Linux VMs. Learn more
NOTE
If you have items registered to a Backup vault with a MARS agent earlier than 2.0.9083.0, download the latest MARS agent
version to benefit from all the features of Recovery Services vault.

Managing your Recovery Services vaults


The following screens show a new Recovery Services vault, upgraded from Backup vault, in the Azure portal. The
upgraded vault will be present in a default Resource group named Default-RecoveryServices-ResourceGroup-geo.
Example: If your Backup vault was located in West US, it will be placed in a default resource group named
Default-RecoveryServices-ResourceGroup-westus.

NOTE
For CPS Standard customers, Resource group is not changed after the vault upgrade and remains the same as it was before
the upgrade.

The first screen shows the vault dashboard that displays key entities for the vault.

The second screen shows the help links available to help you get started using the Recovery Services vault.
Post-upgrade steps
Recovery Services vault supports specifying time zone information in backup policy. After the vault is successfully
upgraded, go to Backup policies from the vault settings menu and update the time zone information for each of the
policies configured in the vault. This screen already shows the backup schedule time specified as per the local time
zone used when you created the policy.

Enhanced security
When a Backup vault is upgraded to a Recovery Services vault, the security settings for that vault are automatically
turned on. When the security settings are on, certain operations such as deleting backups, or changing a
passphrase require an Azure Multi-Factor Authentication PIN. For more information on the enhanced security, see
the article Security features to protect hybrid backups. When the enhanced security is turned on, data is retained up
to 14 days after the recovery point information has been deleted from the vault. Customers are billed for storage of
this security data. Security data retention applies to recovery points taken for the Azure Backup agent, Azure Backup
Server, and System Center Data Protection Manager.

Gather data on your vault


Once you upgrade to a Recovery Services vault, configure reports for Azure Backup (for IaaS VMs and Microsoft
Azure Recovery Services agent), and use Power BI to access the reports. For additional information on gathering
data, see the article, Configure Azure Backup reports.

Frequently asked questions


Does the upgrade plan affect my ongoing backups?
No. Your ongoing backups continue uninterrupted during and after upgrade.
What does this upgrade mean for my existing tooling?
You must update your existing automation or tooling to the Resource Manager deployment model to ensure that it
continues to work after the upgrade. Consult the PowerShell cmdlets references for the Service Manager
deployment model and the Resource Manager deployment model.
Can I roll back after upgrade?
No. Rollback is not supported after the resources have been successfully upgraded.
Can I view my classic vault post upgrade?
No. You cannot view or manage your classic vault post upgrade. You will only be able to use the new Azure portal
for all management actions on the vault.
Why can't I see servers protected by MARS agent in my upgraded vault?
You need to install the latest MARS agent to see all the servers protected by MARS agent in your vault. You can
download the latest version of the agent from here.
I can't see Backup policy for the servers protected by MARS agent after the upgrade
The vault's backup policy might be out of date and therefore could not be synced to the upgraded vault. Please update
the policy to ensure you continue to see your policies in the upgraded vault. To update the policy, go to MARS
agent and update the configured backup policy.
Why can't I update my Backup policy after the upgrade?
This happens when you are on an old backup agent and select the minimum retention period to be less than the
allowed minimum value. When a Backup vault is upgraded to a Recovery Services vault, the security settings for
that vault are automatically turned on. To ensure that there are always a valid number of recovery points available,
there is some minimum retention period that needs to be maintained as per the security feature. For more details,
refer here. Also, update your Azure Backup agents to the latest version to benefit from the latest
features of Azure Backup.
I have updated my agent, but I still can't see any objects being synced even days after the upgrade
Please check if you have registered the same machine to multiple vaults. Ensure that you are looking at the same
vault to which the MARS Agent is registered. To find out which vault your MARS Agent is registered to, open the
Windows Registry and check the value for ServiceResourceName key under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Azure Backup\Config. The vault registered to that MARS
agent will appear there. If the ServiceResourceName key is not visible in your system, reach out to us with the value
of the ResourceId and MachineId keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Azure
Backup\Config and we will help you resolve the issue.
Why can't I see the jobs information for my resources after upgrade?
Monitoring for backups (MARS agent and IaaS) is a new feature that you get when you upgrade your Backup vault
to Recovery Services vault. The monitoring information takes up to 12 hours to sync with the service.
How do I report an issue?
If any portion of the vault upgrade fails, note the OperationId listed in the error. Microsoft Support will proactively
work to resolve the issue. You can reach out to Support or email us at rsvaultupgrade@service.microsoft.com with
your Subscription ID, vault name and OperationId. We will attempt to resolve the issue as quickly as possible. Do
not retry the operation unless explicitly instructed to do so by Microsoft.

Next steps
Use the following articles for:
Back up an IaaS VM
Back up an Azure Backup Server
Back up a Windows Server
Use Role-Based Access Control to manage Azure
Backup recovery points
10/4/2017 2 min to read

Azure Role-Based Access Control (RBAC) enables fine-grained access management for Azure. Using RBAC, you can
segregate duties within your team and grant only the amount of access to users that they need to perform their
jobs.

IMPORTANT
Roles provided by Azure Backup are limited to actions that can be performed in the Azure portal or with Recovery Services vault
PowerShell cmdlets. Actions performed in the Azure Backup agent client UI, the System Center Data Protection Manager UI, or the
Azure Backup Server UI are outside the control of these roles.

Azure Backup provides 3 built-in roles to control backup management operations. Learn more on Azure RBAC
built-in roles
Backup Contributor - This role has all permissions to create and manage backup except creating Recovery
Services vault and giving access to others. Imagine this role as admin of backup management who can do
every backup management operation.
Backup Operator - This role has permissions to everything a contributor does except removing backup and
managing backup policies. This role is equivalent to contributor except it can't perform destructive operations
such as stop backup with delete data or remove registration of on-premises resources.
Backup Reader - This role has permissions to view all backup management operations. Imagine this role to be a
monitoring person.
If you're looking to define your own roles for even more control, see how to build Custom roles in Azure RBAC.

Mapping Backup built-in roles to backup management actions


The following table captures the Backup management actions and corresponding minimum RBAC role required to
perform that operation.

MANAGEMENT OPERATION | MINIMUM RBAC ROLE REQUIRED
Create Recovery Services vault | Contributor on Resource group of vault
Enable backup of Azure VMs | Backup Operator on vault, Virtual machine contributor on VMs
On-demand backup of VM | Backup operator
Restore VM | Backup operator, Resource group contributor in which VM and Vnets are going to get deployed
Restore disks, individual files from VM backup | Backup operator, Virtual machine contributor on VMs
Create backup policy for Azure VM backup | Backup contributor
Modify backup policy of Azure VM backup | Backup contributor
Delete backup policy of Azure VM backup | Backup contributor
Stop backup (with retain data or delete data) on VM backup | Backup contributor
Register on-premises Windows Server/client/SCDPM or Azure Backup Server | Backup operator
Delete registered on-premises Windows Server/client/SCDPM or Azure Backup Server | Backup contributor
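The table puts every destructive operation (stop backup with delete data, delete a policy, delete a registration) at Backup Contributor, so a least-privilege review comes down to listing who holds that role or a broader one on a vault, including assignments inherited from a parent scope. The following is an added example, not part of the original article: the assignments are constructed sample data shaped like Get-AzureRmRoleAssignment output, the function name is hypothetical, and only built-in roles are considered.

```powershell
# Added example. Constructed sample data: names, IDs and scopes are placeholders.
$sub     = '/subscriptions/00000000-0000-0000-0000-000000000000'
$vaultId = "$sub/resourceGroups/rg-backup/providers/Microsoft.RecoveryServices/vaults/vault01"

$assignments = @(
    [pscustomobject]@{ DisplayName = 'backup-admins';  RoleDefinitionName = 'Backup Contributor'; Scope = $vaultId }
    [pscustomobject]@{ DisplayName = 'ops-oncall';     RoleDefinitionName = 'Backup Operator';    Scope = $vaultId }
    [pscustomobject]@{ DisplayName = 'noc-dashboard';  RoleDefinitionName = 'Backup Reader';      Scope = $vaultId }
    [pscustomobject]@{ DisplayName = 'platform-team';  RoleDefinitionName = 'Contributor';        Scope = $sub }
    # Resource group 'rg' is a different group from 'rg-backup'; must not match.
    [pscustomobject]@{ DisplayName = 'other-rg-admin'; RoleDefinitionName = 'Backup Contributor'; Scope = "$sub/resourceGroups/rg" }
)

function Get-BackupDestructiveAccess {
    # Hypothetical helper: returns principals able to delete backup data,
    # policies or registrations on the given vault.
    param(
        [Parameter(Mandatory = $true)] [object[]] $Assignment,
        [Parameter(Mandatory = $true)] [string]   $VaultId
    )
    # Backup Contributor is the minimum role for delete operations per the table.
    # Owner and Contributor are general built-in roles that include the same rights.
    $destructiveRoles = 'Backup Contributor', 'Contributor', 'Owner'

    foreach ($a in $Assignment) {
        if ($destructiveRoles -notcontains $a.RoleDefinitionName) { continue }

        $scope   = $a.Scope.TrimEnd('/')
        $atVault = $VaultId -eq $scope     # -eq on strings is case-insensitive
        # Inherited only when the scope is a true ancestor: compare with the
        # trailing '/' so '.../rg' does not match '.../rg-backup'.
        $inherited = $VaultId.StartsWith("$scope/", [System.StringComparison]::OrdinalIgnoreCase)

        if ($atVault -or $inherited) {
            [pscustomobject]@{
                Principal = $a.DisplayName
                Role      = $a.RoleDefinitionName
                Source    = if ($atVault) { 'vault' } else { "inherited from $scope" }
            }
        }
    }
}

Get-BackupDestructiveAccess -Assignment $assignments -VaultId $vaultId |
    Format-Table -AutoSize
```

Against a live subscription, the same function can be fed from Get-AzureRmRoleAssignment -Scope with the vault's resource ID; principals that only run or restore backups can then be moved down to Backup Operator.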

Next steps
Role Based Access Control: Get started with RBAC in the Azure portal.
Learn how to manage access with:
PowerShell
Azure CLI
REST API
Role-Based Access Control troubleshooting: Get suggestions for fixing common issues.
Security features to help protect hybrid backups that
use Azure Backup
8/22/2017 7 min to read

Concerns about security issues, like malware, ransomware, and intrusion, are increasing. These security issues can
be costly, in terms of both money and data. To guard against such attacks, Azure Backup now provides security
features to help protect hybrid backups. This article covers how to enable and use these features, by using an
Azure Recovery Services agent and Azure Backup Server. These features include:
Prevention. An additional layer of authentication is added whenever a critical operation like changing a
passphrase is performed. This validation is to ensure that such operations can be performed only by users who
have valid Azure credentials.
Alerting. An email notification is sent to the subscription admin whenever a critical operation like deleting
backup data is performed. This email ensures that the user is notified quickly about such actions.
Recovery. Deleted backup data is retained for an additional 14 days from the date of the deletion. This ensures
recoverability of the data within a given time period, so there is no data loss even if an attack happens. Also, a
greater number of minimum recovery points are maintained to guard against corrupt data.

NOTE
Security features should not be enabled if you are using infrastructure as a service (IaaS) VM backup. These features are not
yet available for IaaS VM backup, so enabling them will not have any impact. Security features should be enabled only if you
are using:
Azure Backup agent. Minimum agent version 2.0.9052. After you have enabled these features, you should upgrade to
this agent version to perform critical operations.
Azure Backup Server. Minimum Azure Backup agent version 2.0.9052 with Azure Backup Server update 1.
System Center Data Protection Manager. Minimum Azure Backup agent version 2.0.9052 with Data Protection
Manager 2012 R2 UR12 or Data Protection Manager 2016 UR2.

NOTE
These features are available only for Recovery Services vault. All the newly created Recovery Services vaults have these
features enabled by default. For existing Recovery Services vaults, users enable these features by using the steps mentioned
in the following section. After the features are enabled, they apply to all the Recovery Services agent computers, Azure
Backup Server instances, and Data Protection Manager servers registered with the vault. Enabling this setting is a one-time
action, and you cannot disable these features after enabling them.

Enable security features


If you are creating a Recovery Services vault, you can use all the security features. If you are working with an
existing vault, enable security features by following these steps:
1. Sign in to the Azure portal by using your Azure credentials.
2. Select Browse, and type Recovery Services.
The list of recovery services vaults appears. From this list, select a vault. The selected vault dashboard
opens.
3. From the list of items that appears under the vault, under Settings, click Properties.

4. Under Security Settings, click Update.


The update link opens the Security Settings blade, which provides a summary of the features and lets you
enable them.
5. From the drop-down list Have you configured Azure Multi-Factor Authentication?, select a value to
confirm if you have enabled Azure Multi-Factor Authentication. If it is enabled, you are asked to
authenticate from another device (for example, a mobile phone) while signing in to the Azure portal.
When you perform critical operations in Backup, you have to enter a security PIN, available on the Azure
portal. Enabling Azure Multi-Factor Authentication adds a layer of security. Only authorized users with valid
Azure credentials, and authenticated from a second device, can access the Azure portal.
6. To save security settings, select Enable and click Save. You can select Enable only after you select a value
from the Have you configured Azure Multi-Factor Authentication? list in the previous step.
Recover deleted backup data
Backup retains deleted backup data for an additional 14 days, and does not delete it immediately if the Stop
backup with delete backup data operation is performed. To restore this data in the 14-day period, take the
following steps, depending on what you are using:
For Azure Recovery Services agent users:
1. If the computer where backups were happening is still available, use Recover data to the same machine in
Azure Recovery Services, to recover from all the old recovery points.
2. If this computer is not available, use Recover to an alternate machine to use another Azure Recovery Services
computer to get this data.
For Azure Backup Server users:
1. If the server where backups were happening is still available, re-protect the deleted data sources, and use the
Recover Data feature to recover from all the old recovery points.
2. If this server is not available, use Recover data from another Azure Backup Server to use another Azure Backup
Server instance to get this data.
For Data Protection Manager users:
1. If the server where backups were happening is still available, re-protect the deleted data sources, and use the
Recover Data feature to recover from all the old recovery points.
2. If this server is not available, use Add External DPM to use another Data Protection Manager server to get this
data.

Prevent attacks
Checks have been added to make sure only valid users can perform various operations. These include adding an
extra layer of authentication, and maintaining a minimum retention range for recovery purposes.
Authentication to perform critical operations
As part of adding an extra layer of authentication for critical operations, you are prompted to enter a security PIN
when you perform Stop Protection with Delete data and Change Passphrase operations.
To receive this PIN:
1. Sign in to the Azure portal.
2. Browse to Recovery Services vault > Settings > Properties.
3. Under Security PIN, click Generate. This opens a blade that contains the PIN to be entered in the Azure
Recovery Services agent user interface. This PIN is valid for only five minutes, and a new PIN is generated
automatically after that period.
Maintain a minimum retention range
To ensure that there are always a valid number of recovery points available, the following checks have been
added:
For daily retention, a minimum of seven days of retention should be done.
For weekly retention, a minimum of four weeks of retention should be done.
For monthly retention, a minimum of three months of retention should be done.
For yearly retention, a minimum of one year of retention should be done.

Notifications for critical operations


Typically, when a critical operation is performed, the subscription admin is sent an email notification with details
about the operation. You can configure additional email recipients for these notifications by using the Azure
portal.
The security features mentioned in this article provide defense mechanisms against targeted attacks. More
importantly, if an attack happens, these features give you the ability to recover your data.

Troubleshooting errors
Operation: Policy change
Error details: The backup policy could not be modified. Error: The current operation failed due to an internal service error [0x29834]. Please retry the operation after sometime. If the issue persists, please contact Microsoft support.
Cause: This error occurs when security settings are enabled, you try to reduce the retention range below the minimum values specified above, and you are on an unsupported version (supported versions are specified in the first note of this article).
Recommended action: Set the retention period above the minimum retention period specified (seven days for daily, four weeks for weekly, three weeks for monthly, or one year for yearly) to proceed with policy-related updates. Optionally, the preferred approach is to update the backup agent, Azure Backup Server, and/or DPM UR to leverage all the security updates.

Operation: Change Passphrase
Error details: Security PIN entered is incorrect. (ID: 100130) Provide the correct Security PIN to complete this operation.
Cause: This error occurs when you enter an invalid or expired Security PIN while performing a critical operation (like change passphrase).
Recommended action: To complete the operation, you must enter a valid Security PIN. To get the PIN, log in to the Azure portal and navigate to Recovery Services vault > Settings > Properties > Generate Security PIN. Use this PIN to change the passphrase.

Operation: Change Passphrase
Error details: Operation failed. ID: 120002
Cause: This error occurs when security settings are enabled, you try to change the passphrase, and you are on an unsupported version (valid versions are specified in the first note of this article).
Recommended action: To change the passphrase, you must first update the backup agent to minimum version 2.0.9052, Azure Backup Server to minimum update 1, and/or DPM to minimum DPM 2012 R2 UR12 or DPM 2016 UR2 (download links below), then enter a valid Security PIN. To get the PIN, log in to the Azure portal and navigate to Recovery Services vault > Settings > Properties > Generate Security PIN. Use this PIN to change the passphrase.

Next steps
Get started with Azure Recovery Services vault to enable these features.
Download the latest Azure Recovery Services agent to help protect Windows computers and guard your
backup data against attacks.
Download the latest Azure Backup Server to help protect workloads and guard your backup data against
attacks.
Download UR12 for System Center 2012 R2 Data Protection Manager or download UR2 for System Center
2016 Data Protection Manager to help protect workloads and guard your backup data against attacks.
Offline-backup workflow in Azure Backup
8/21/2017 12 min to read

Azure Backup has several built-in efficiencies that save network and storage costs during the initial full backups of
data to Azure. Initial full backups typically transfer large amounts of data and require more network bandwidth
when compared to subsequent backups that transfer only the deltas/incrementals. Azure Backup compresses the
initial backups. Through the process of offline seeding, Azure Backup can use disks to upload the compressed
initial backup data offline to Azure.
The offline-seeding process of Azure Backup is tightly integrated with the Azure Import/Export service that enables
you to transfer data to Azure by using disks. If you have terabytes (TBs) of initial backup data that needs to be
transferred over a high-latency and low-bandwidth network, you can use the offline-seeding workflow to ship the
initial backup copy on one or more hard drives to an Azure datacenter. This article provides an overview of the
steps that complete this workflow.

Overview
With the offline-seeding capability of Azure Backup and Azure Import/Export, it is simple to upload the data offline
to Azure by using disks. Instead of transferring the initial full copy over the network, the backup data is written to a
staging location. After the copy to the staging location is completed by using the Azure Import/Export tool, this
data is written to one or more SATA drives, depending on the amount of data. These drives are eventually shipped
to the nearest Azure datacenter.
The August 2016 update of Azure Backup (and later) includes the Azure Disk Preparation tool, named
AzureOfflineBackupDiskPrep, that:
Helps you prepare your drives for Azure Import by using the Azure Import/Export tool.
Automatically creates an Azure Import job for the Azure Import/Export service on the Azure classic portal as
opposed to creating the same manually with older versions of Azure Backup.
After the upload of the backup data to Azure is finished, Azure Backup copies the backup data to the backup vault
and the incremental backups are scheduled.

NOTE
To use the Azure Disk Preparation tool, ensure that you have installed the August 2016 update of Azure Backup (or later),
and perform all the steps of the workflow with it. If you are using an older version of Azure Backup, you can prepare the
SATA drive by using the Azure Import/Export tool as detailed in later sections of this article.

Prerequisites
Familiarize yourself with the Azure Import/Export workflow.
Before initiating the workflow, ensure the following:
An Azure Backup vault has been created.
Vault credentials have been downloaded.
The Azure Backup agent has been installed on either Windows Server/Windows client or System Center
Data Protection Manager server, and the computer is registered with the Azure Backup vault.
Download the Azure Publish file settings on the computer from which you plan to back up your data.
Prepare a staging location, which might be a network share or additional drive on the computer. The staging
location is transient storage and is used temporarily during this workflow. Ensure that the staging location has
enough disk space to hold your initial copy. For example, if you are trying to back up a 500-GB file server,
ensure that the staging area is at least 500 GB. (A smaller amount is used due to compression.)
Make sure that you're using a supported drive. Only 2.5-inch SSD, or 2.5 or 3.5-inch SATA II/III internal hard
drives are supported for use with the Import/Export service. You can use hard drives up to 10 TB. Check the
Azure Import/Export service documentation for the latest set of drives that the service supports.
Enable BitLocker on the computer to which the SATA drive writer is connected.
Download the Azure Import/Export tool to the computer to which the SATA drive writer is connected. This step
is not required if you have downloaded and installed the August 2016 update of Azure Backup (or later).

Workflow
The information in this section helps you complete the offline-backup workflow so that your data can be delivered
to an Azure datacenter and uploaded to Azure Storage. If you have questions about the Import service or any
aspect of the process, see the Import service overview documentation referenced earlier.
Initiate offline backup
1. When you schedule a backup, you see the following screen (in Windows Server, Windows client, or System
Center Data Protection Manager).

Here's the corresponding screen in System Center Data Protection Manager:


The description of the inputs is as follows:
Staging Location: The temporary storage location to which the initial backup copy is written. This might
be on a network share or a local computer. If the copy computer and source computer are different, we
recommend that you specify the full network path of the staging location.
Azure Import Job Name: The unique name by which Azure Import service and Azure Backup track the
transfer of data sent on disks to Azure.
Azure Publish Settings: An XML file that contains information about your subscription profile. It also
contains secure credentials that are associated with your subscription. You can download the file.
Provide the local path to the publish settings file.
Azure Subscription ID: The Azure subscription ID for the subscription where you plan to initiate the
Azure Import job. If you have multiple Azure subscriptions, use the ID of the subscription that you want
to associate with the import job.
Azure Storage Account: The classic type storage account in the provided Azure subscription that will
be associated with the Azure Import job.
Azure Storage Container: The name of the destination storage blob in the Azure storage account
where this job's data is imported.

NOTE
If you have registered your server to an Azure Recovery Services vault from the Azure portal for your
backups and are not on a Cloud Solution Provider (CSP) subscription, you can still create a classic type
storage account from the Azure portal and use it for the offline-backup workflow.

Save all this information because you need to enter it again in following steps. Only the staging
location is required if you used the Azure Disk Preparation tool to prepare the disks.
2. Complete the workflow, and then select Back Up Now in the Azure Backup management console to initiate
the offline-backup copy. The initial backup is written to the staging area as part of this step.

To complete the corresponding workflow in System Center Data Protection Manager, right-click the
Protection Group, and then choose the Create recovery point option. You then choose the Online
Protection option.

After the operation finishes, the staging location is ready to be used for disk preparation.
Prepare a SATA drive and create an Azure Import job by using the Azure Disk Preparation tool
The Azure Disk Preparation tool is available in the installation directory of the Recovery Services agent (August 2016
update and later) in the following path.
\Microsoft Azure Recovery Services Agent\Utils\
1. Go to the directory, and copy the AzureOfflineBackupDiskPrep directory to a copy computer on which
the drives to be prepared are mounted. Ensure the following with regard to the copy computer:
The copy computer can access the staging location for the offline-seeding workflow by using the same
network path that was provided in the Initiate offline backup workflow.
BitLocker is enabled on the computer.
The computer can access the Azure portal.
If necessary, the copy computer can be the same as the source computer.
2. Open an elevated command prompt on the copy computer with the Azure Disk Preparation tool directory
as the current directory, and run the following command:
.\AzureOfflineBackupDiskPrep.exe s:<Staging Location Path> [p:<Path to PublishSettingsFile>]

PARAMETER | DESCRIPTION
s:<Staging Location Path> | Mandatory input that's used to provide the path to the staging location that you entered in the Initiate offline backup workflow.
p:<Path to PublishSettingsFile> | Optional input that's used to provide the path to the Azure Publish Settings file that you entered in the Initiate offline backup workflow.
NOTE
The <Path to PublishSettingsFile> value is mandatory when the copy computer and source computer are different.

When you run the command, the tool requests the selection of the Azure Import job that corresponds to the
drives that need to be prepared. If only a single import job is associated with the provided staging location,
you see a screen like the one that follows.

3. Enter the drive letter without the trailing colon for the mounted disk that you want to prepare for transfer to
Azure. Provide confirmation for the formatting of the drive when prompted.
The tool then begins to prepare the disk with the backup data. You may need to attach additional disks
when prompted by the tool in case the provided disk does not have sufficient space for the backup data.
At the end of successful execution of the tool, one or more disks that you provided are prepared for
shipping to Azure. In addition, an import job with the name you provided during the Initiate offline
backup workflow is created on the Azure classic portal. Finally, the tool displays the shipping address to the
Azure datacenter where the disks need to be shipped and the link to locate the import job on the Azure
classic portal.

4. Ship the disks to the address that the tool provided and keep the tracking number for future reference.
5. When you go to the link that the tool displayed, you see the Azure storage account that you specified in the
Initiate offline backup workflow. Here you can see the newly created import job on the
IMPORT/EXPORT tab of the storage account.
6. Click SHIPPING INFO at the bottom of the page to update your contact details as shown in the following
screen. Microsoft uses this info to ship your disks back to you after the import job is finished.

7. Enter the shipping details on the next screen. Provide the Delivery Carrier and Tracking Number details
that correspond to the disks that you shipped to the Azure datacenter.
Complete the workflow
After the import job finishes, initial backup data is available in your storage account. The Recovery Services agent
then copies the contents of the data from this account to the Backup vault or Recovery Services vault, whichever is
applicable. In the next scheduled backup time, the Azure Backup agent performs the incremental backup over the
initial backup copy.

NOTE
The following sections apply to users of earlier versions of Azure Backup who do not have access to the Azure Disk
Preparation tool.

Prepare a SATA drive


1. Download the Microsoft Azure Import/Export Tool to the copy computer. Ensure that the staging location is
accessible from the computer in which you plan to run the next set of commands. If necessary, the copy
computer can be the same as the source computer.
2. Unzip the WAImportExport.zip file. Run the WAImportExport tool that formats the SATA drive, writes the
backup data to the SATA drive, and encrypts it. Before you run the following command, ensure that
BitLocker is enabled on the computer.
.\WAImportExport.exe PrepImport /j:<JournalFile>.jrn /id:<SessionId> /sk:<StorageAccountKey> /BlobType:PageBlob /t:<TargetDriveLetter> /format /encrypt /srcdir:<staging location> /dstdir:<DestinationBlobVirtualDirectory>/

NOTE
If you have installed the August 2016 update of Azure Backup (or later), ensure that the staging location that you
entered is the same as the one on the Back Up Now screen and contains AIB and Base Blob files.

PARAMETER | DESCRIPTION
/j:<JournalFile> | The path to the journal file. Each drive must have exactly one journal file. The journal file must not be on the target drive. The journal file extension is .jrn and is created as part of running this command.
/id:<SessionId> | The session ID identifies a copy session. It is used to ensure accurate recovery of an interrupted copy session. Files that are copied in a copy session are stored in a directory named after the session ID on the target drive.
/sk:<StorageAccountKey> | The account key for the storage account to which the data is imported. The key needs to be the same as it was entered during backup policy/protection group creation.
/BlobType | The type of blob. This workflow succeeds only if PageBlob is specified. This is not the default option and should be mentioned in this command.
/t:<TargetDriveLetter> | The drive letter without the trailing colon of the target hard drive for the current copy session.
/format | The option to format the drive. Specify this parameter when the drive needs to be formatted; otherwise, omit it. Before the tool formats the drive, it prompts for a confirmation from the console. To suppress the confirmation, specify the /silentmode parameter.
/encrypt | The option to encrypt the drive. Specify this parameter when the drive has not yet been encrypted with BitLocker and needs to be encrypted by the tool. If the drive has already been encrypted with BitLocker, omit this parameter, specify the /bk parameter, and provide the existing BitLocker key. If you specify the /format parameter, you must also specify the /encrypt parameter.
/srcdir:<SourceDirectory> | The source directory that contains files to be copied to the target drive. Ensure that the specified directory name has a full rather than relative path.
/dstdir:<DestinationBlobVirtualDirectory> | The path to the destination virtual directory in your Azure storage account. Be sure to use valid container names when you specify the destination virtual directories or blobs. Keep in mind that container names must be lowercase. This container name should be the one that you entered during backup policy/protection group creation.

NOTE
A journal file is created in the WAImportExport folder that captures all the information about the workflow. You need this file
when you create an import job in the Azure portal.
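One way to check the PrepImport inputs against the constraints in the parameter table before the tool formats a drive, as an added example that is not part of the Azure documentation. The function names, parameter names and sample values are hypothetical, and the /bk:<key> form is an assumption, since the page names that switch without showing its syntax.

```powershell
# Added example: pre-flight checks for the PrepImport command line.
# Function and parameter names are hypothetical; the switches are the
# ones listed in the parameter table.
function New-PrepImportArgument {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $JournalFile,                 # /j
        [Parameter(Mandatory)] [string] $SessionId,                   # /id
        [Parameter(Mandatory)] [string] $StorageAccountKey,           # /sk
        [Parameter(Mandatory)] [string] $TargetDriveLetter,           # /t
        [Parameter(Mandatory)] [string] $StagingLocation,             # /srcdir
        [Parameter(Mandatory)] [string] $DestinationVirtualDirectory, # /dstdir
        [switch] $Format,
        [switch] $Encrypt,
        [string] $BitLockerKey                                        # /bk (assumed syntax)
    )

    # /t takes the drive letter without the trailing colon.
    if ($TargetDriveLetter -notmatch '^[A-Za-z]$') {
        throw "TargetDriveLetter must be a single letter without a colon, got '$TargetDriveLetter'."
    }

    # /j: the journal file has the .jrn extension and must not be on the target drive.
    if ([System.IO.Path]::GetExtension($JournalFile) -ne '.jrn') {
        throw 'JournalFile must have the .jrn extension.'
    }
    # Resolve against the PowerShell location; the file does not have to exist yet.
    $journalFull = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($JournalFile)
    $journalRoot = [System.IO.Path]::GetPathRoot($journalFull)
    if ($journalRoot -like "${TargetDriveLetter}:*") {
        throw "JournalFile '$journalFull' is on the target drive; keep it on another volume."
    }

    # /srcdir must be a full path (drive-rooted or UNC), not a relative one.
    if ($StagingLocation -notmatch '^(?:[A-Za-z]:\\|\\\\[^\\]+\\[^\\]+)') {
        throw "StagingLocation must be a full path, got '$StagingLocation'."
    }

    # /format requires /encrypt; an already-encrypted drive takes /bk instead of /encrypt.
    if ($Format -and -not $Encrypt) {
        throw '/format requires /encrypt.'
    }
    if ($Encrypt -and $BitLockerKey) {
        throw 'Use either -Encrypt or -BitLockerKey, not both.'
    }
    if (-not $Encrypt -and -not $BitLockerKey) {
        throw 'The tool is not encrypting the drive: supply the existing BitLocker key.'
    }

    # The container (first segment of /dstdir) must be lowercase.
    $dst = $DestinationVirtualDirectory.Trim('/')
    $container = ($dst -split '/')[0]
    if (-not $container -or $container -cne $container.ToLowerInvariant()) {
        throw "Container name '$container' must be lowercase."
    }

    $arguments = @(
        'PrepImport'
        "/j:$journalFull"
        "/id:$SessionId"
        "/sk:$StorageAccountKey"
        '/BlobType:PageBlob'   # not the default; the workflow succeeds only with PageBlob
        "/t:$TargetDriveLetter"
    )
    if ($Format) { $arguments += '/format' }
    if ($Encrypt) { $arguments += '/encrypt' } else { $arguments += "/bk:$BitLockerKey" }
    $arguments += "/srcdir:$StagingLocation"
    $arguments += "/dstdir:$dst/"
    return $arguments
}

function Get-RedactedArgument {
    param([Parameter(Mandatory)] [string[]] $Arguments)
    # Mask the storage account key and BitLocker key before the command is logged.
    $Arguments | ForEach-Object { $_ -replace '^(/(?:sk|bk):).+$', '$1<redacted>' }
}

# Constructed sample values; replace them with your own before running the tool.
$prepArgs = New-PrepImportArgument -JournalFile 'C:\WAImportExport\drive1.jrn' `
    -SessionId 'session1' -StorageAccountKey '<StorageAccountKey>' `
    -TargetDriveLetter 'F' -StagingLocation '\\fileserver\staging\seed' `
    -DestinationVirtualDirectory 'offlineseed' -Format -Encrypt

# Log the redacted form only; the real key stays in $prepArgs.
Write-Output ('WAImportExport.exe ' + ((Get-RedactedArgument $prepArgs) -join ' '))

# Run from the unzipped WAImportExport folder once the checks pass:
# & .\WAImportExport.exe @prepArgs
```

The storage account key and BitLocker key are still passed to the tool on its command line, so keep the session out of transcripts and shared command history.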
Create an import job in the Azure portal
1. Go to your storage account in the Azure classic portal, click Import/Export, and then Create Import Job in
the task pane.
2. In step 1 of the wizard, indicate that you have prepared your drive and that you have the drive journal file
available.
3. In step 2 of the wizard, provide contact information for the person who's responsible for this import job.
4. In step 3, upload the drive journal files that you obtained in the previous section.
5. In step 4, enter a descriptive name for the import job that you entered during backup policy/protection
group creation. The name that you enter may contain only lowercase letters, numbers, hyphens, and
underscores, must start with a letter, and cannot contain spaces. The name that you choose is used to track
your jobs while they are in progress and after they are completed.
6. Next, select your datacenter region from the list. The datacenter region indicates the datacenter and address
to which you must ship your package.
7. In step 5, select your return carrier from the list, and enter your carrier account number. Microsoft uses this
account to ship your drives back to you after your import job is completed.
8. Ship the disk and enter the tracking number to track the status of the shipment. After the disk arrives in the
datacenter, it is copied to the storage account, and the status is updated.

Complete the workflow


After the initial backup data is available in your storage account, the Microsoft Azure Recovery Services agent
copies the contents of the data from this account to the Backup vault or Recovery Services vault, whichever is
applicable. In the next scheduled backup time, the Azure Backup agent performs the incremental backup over the
initial backup copy.

Next steps
For any questions on the Azure Import/Export workflow, refer to Use the Microsoft Azure Import/Export service
to transfer data to Blob storage.
Refer to the offline-backup section of the Azure Backup FAQ for any questions about the workflow.
Move your long-term storage from tape to the
Azure cloud
6/27/2017

Azure Backup and System Center Data Protection Manager customers can:
Back up data in schedules which best suit the organizational needs.
Retain the backup data for longer periods
Make Azure a part of their long-term retention needs (instead of tape).
This article explains how customers can enable backup and retention policies. Customers who use tapes to address
their long-term-retention needs now have a powerful and viable alternative with the availability of this feature.
The feature is enabled in the latest release of Azure Backup (which is available here). System Center DPM
customers must update to, at least, DPM 2012 R2 UR5 before using DPM with the Azure Backup service.

What is the Backup Schedule?


The backup schedule indicates the frequency of the backup operation. For example, the settings in the following
screen indicate that backups are taken daily at 6pm and at midnight.

Customers can also schedule a weekly backup. For example, the settings in the following screen indicate that
backups are taken every alternate Sunday & Wednesday at 9:30AM and 1:00AM.
What is the Retention Policy?
The retention policy specifies the duration for which the backup must be stored. Rather than just specifying a flat
policy for all backup points, customers can specify different retention policies based on when the backup is taken.
For example, the backup point taken daily, which serves as an operational recovery point, is preserved for 90 days.
The backup point taken at the end of each quarter for audit purposes is preserved for a longer duration.

The total number of retention points specified in this policy is 90 (daily points) + 40 (one each quarter for 10
years) = 130.
Example: Putting both together

1. Daily retention policy: Backups taken daily are stored for seven days.
2. Weekly retention policy: Backups taken every day at midnight and 6PM Saturday are preserved for four
weeks
3. Monthly retention policy: Backups taken at midnight and 6pm on the last Saturday of each month are
preserved for 12 months
4. Yearly retention policy: Backups taken at midnight on the last Saturday of every March are preserved for 10
years
The total number of retention points (points from which a customer can restore data) in the preceding diagram
is computed as follows:
two points per day for seven days = 14 recovery points
two points per week for four weeks = 8 recovery points
two points per month for 12 months = 24 recovery points
one point per year for 10 years = 10 recovery points
The total number of recovery points is 56.

NOTE
Azure Backup doesn't have a restriction on the number of recovery points.

Advanced configuration
By clicking Modify in the preceding screen, customers have further flexibility in specifying retention schedules.
Next Steps
For more information about Azure Backup, see:
Introduction to Azure Backup
Try Azure Backup
Azure Backup Server protection matrix
8/4/2017

This article lists the various servers and workloads that you can protect with Azure Backup Server. The following
matrix lists what can be protected with Azure Backup Server v1 and v2.

Protection support matrix


WORKLOAD | VERSION | AZURE BACKUP SERVER INSTALLATION | AZURE BACKUP SERVER V2 | AZURE BACKUP SERVER V1 | PROTECTION AND RECOVERY
System Center VMM | VMM 2016, VMM 2012, SP1, R2 | Physical server; Hyper-V virtual machine | Y | Y | All deployment scenarios: Database
Client computers (64-bit and 32-bit) | Windows 10 | Physical server; Hyper-V virtual machine; VMware virtual machine | Y | Y | Files. Protected volumes must be NTFS. FAT and FAT32 aren't supported. Volumes must be at least 1 GB. DPM uses Volume Shadow Copy Service (VSS) to take the data snapshot and the snapshot only works if the volume is at least 1 GB.
Client computers (64-bit and 32-bit) | Windows 8.1 | Physical server; Hyper-V virtual machine | Y | Y | Files. Protected volumes must be NTFS. FAT and FAT32 aren't supported. Volumes must be at least 1 GB. DPM uses Volume Shadow Copy Service (VSS) to take the data snapshot and the snapshot only works if the volume is at least 1 GB.
Client computers (64-bit and 32-bit) | Windows 8.1 | Windows virtual machine in VMware (protects workloads running in Windows virtual machine in VMware) | Y | Y | Files. Protected volumes must be NTFS and at least 1 GB.
Client computers (64-bit and 32-bit) | Windows 8 | Physical server; On-premises Hyper-V virtual machine | Y | Y | Files. Protected volumes must be NTFS and at least 1 GB.
Client computers (64-bit and 32-bit) | Windows 8 | Windows virtual machine in VMware (protects workloads running in Windows virtual machine in VMware) | Y | Y | Files. Protected volumes must be NTFS and at least 1 GB.
Client computers (64-bit and 32-bit) | Windows 7 | Physical server; On-premises Hyper-V virtual machine | Y | Y | Files. Protected volumes must be NTFS and at least 1 GB.
Client computers (64-bit and 32-bit) | Windows 7 | Windows virtual machine in VMware (protects workloads running in Windows virtual machine in VMware) | Y | Y | Files. Protected volumes must be NTFS and at least 1 GB.
Client computers (64-bit and 32-bit) | Windows Vista with SP2 | Physical server; On-premises Hyper-V virtual machine | Y | Y | Files. Protected volumes must be NTFS and at least 1 GB.
Client computers (64-bit and 32-bit) | Windows Vista with SP1 | Physical server; On-premises Hyper-V virtual machine | Y | Y | Files. Protected volumes must be NTFS and at least 1 GB.
Client computers (64-bit and 32-bit) | Windows Vista | Physical server; On-premises Hyper-V virtual machine | Y | Y | Files. Protected volumes must be NTFS and at least 1 GB.
Client computers (64-bit and 32-bit) | Windows Vista | Physical server; On-premises Hyper-V virtual machine | Y | Y | Volume, share, folder, file, system state/bare metal, deduped volumes
Servers (32-bit and 64-bit) | Windows Server 2016 | Azure virtual machine (when workload is running as Azure virtual machine); Windows virtual machine in VMware (protects workloads running in Windows virtual machine in VMware); Physical server; On-premises Hyper-V virtual machine | Y (not Nano server) | N | Volume, share, folder, file, system state/bare metal, deduped volumes
Servers (32-bit and 64-bit) | Windows Server 2012 R2 - Datacenter and Standard | Azure virtual machine (when workload is running as Azure virtual machine) | Y | Y | Volume, share, folder, file. DPM must be running on at least Windows Server 2012 R2 to protect Windows Server 2012 deduped volumes.
Servers (32-bit and 64-bit) | Windows Server 2012 R2 - Datacenter and Standard | Windows virtual machine in VMware (protects workloads running in Windows virtual machine in VMware) | Y | Y | Volume, share, folder, file, system state/bare metal. DPM must be running on Windows Server 2012 or 2012 R2 to protect Windows Server 2012 deduped volumes.
Servers (32-bit and 64-bit) | Windows Server 2012/2012 with SP1 - Datacenter and Standard | Physical server; On-premises Hyper-V virtual machine | Y | Y | Volume, share, folder, file, system state/bare metal. DPM must be running on at least Windows Server 2012 R2 to protect Windows Server 2012 deduped volumes.
Servers (32-bit and 64-bit) | Windows Server 2012/2012 with SP1 - Datacenter and Standard | Azure virtual machine (when workload is running as Azure virtual machine) | Y | Y | Volume, share, folder, file. DPM must be running on at least Windows Server 2012 R2 to protect Windows Server 2012 deduped volumes.
Servers (32-bit and 64-bit) | Windows Server 2012/2012 with SP1 - Datacenter and Standard | Windows virtual machine in VMware (protects workloads running in Windows virtual machine in VMware) | Y | Y | Volume, share, folder, file, system state/bare metal. DPM must be running on at least Windows Server 2012 R2 to protect Windows Server 2012 deduped volumes.
Servers (32-bit and 64-bit) | Windows Server 2008 R2 SP1 - Standard and Enterprise | Physical server; On-premises Hyper-V virtual machine | Y | Y | Volume, share, folder, file, system state/bare metal
  Note for this row: You need to be running SP1 and install Windows Management Frame 4.0.
Servers (32-bit and 64-bit) | Windows Server 2008 R2 SP1 - Standard and Enterprise | Azure virtual machine (when workload is running as Azure virtual machine) | Y | Y | Volume, share, folder, file
  Note for this row: You need to be running SP1 and install Windows Management Frame 4.0.
Servers (32-bit and 64-bit) | Windows Server 2008 R2 SP1 - Standard and Enterprise | Windows virtual machine in VMware (protects workloads running in Windows virtual machine in VMware) | Y | Y | Volume, share, folder, file, system state/bare metal
  Note for this row: You need to be running SP1 and install Windows Management Frame 4.0.
Servers (32-bit and 64-bit) | Windows Server 2008 R2 | Physical server; On-premises Hyper-V virtual machine | Y | Y | Volume, share, folder, file, system state/bare metal
Servers (32-bit and 64-bit) | Windows Server 2008 R2 | Azure virtual machine (when workload is running as Azure virtual machine) | N | Y | Volume, share, folder, file
Servers (32-bit and 64-bit) | Windows Server 2008 R2 | Windows virtual machine in VMware (protects workloads running in Windows virtual machine in VMware) | N | Y | Volume, share, folder, file, system state/bare metal
Servers (32-bit and 64-bit) | Windows Server 2008 | Physical server; On-premises Hyper-V virtual machine | N | Y | Volume, share, folder, file, system state/bare metal
Servers (32-bit and 64-bit) | Windows Server 2008 | Windows virtual machine in VMware (protects workloads running in Windows virtual machine in VMware) | Y | Y | Volume, share, folder, file, system state/bare metal
Servers (32-bit and 64-bit) | Windows Storage Server 2008 | Physical server; On-premises Hyper-V virtual machine | Y | Y | Volume, share, folder, file, system state/bare metal
SQL Server | SQL Server 2016 | Physical server; On-premises Hyper-V virtual machine; Azure virtual machine; Windows virtual machine in VMware (protects workloads running in Windows virtual machine in VMware) | Y | N | All deployment scenarios: database
SQL Server | SQL Server 2014 | Azure virtual machine (when workload is running as Azure virtual machine) | Y | Y | All deployment scenarios: database
SQL Server | SQL Server 2014 | Windows virtual machine in VMware (protects workloads running in Windows virtual machine in VMware) | Y | Y | All deployment scenarios: database
SQL Server | SQL Server 2012 with SP2 | Physical server; On-premises Hyper-V virtual machine | Y | Y | All deployment scenarios: database
SQL Server | SQL Server 2012 with SP2 | Azure virtual machine (when workload is running as Azure virtual machine) | Y | Y | All deployment scenarios: database
SQL Server | SQL Server 2012 with SP2 | Windows virtual machine in VMware (protects workloads running in Windows virtual machine in VMware) | Y | Y | All deployment scenarios: database
SQL Server | SQL Server 2012, SQL Server 2012 with SP1 | Physical server; On-premises Hyper-V virtual machine | Y | Y | All deployment scenarios: database
SQL Server | SQL Server 2012, SQL Server 2012 with SP1 | Azure virtual machine (when workload is running as Azure virtual machine) | Y | Y | All deployment scenarios: database
SQL Server | SQL Server 2012, SQL Server 2012 with SP1 | Windows virtual machine in VMware (protects workloads running in Windows virtual machine in VMware) | Y | Y | All deployment scenarios: database
SQL Server | SQL Server 2008 R2 | Physical server; On-premises Hyper-V virtual machine | Y | Y | All deployment scenarios: database
SQL Server | SQL Server 2008 R2 | Azure virtual machine (when workload is running as Azure virtual machine) | Y | Y | All deployment scenarios: database
SQL Server | SQL Server 2008 R2 | Windows virtual machine in VMware (protects workloads running in Windows virtual machine in VMware) | Y | Y | All deployment scenarios: database
SQL Server | SQL Server 2008 | Physical server; On-premises Hyper-V virtual machine | Y | Y | All deployment scenarios: database
SQL Server | SQL Server 2008 | Azure virtual machine (when workload is running as Azure virtual machine) | Y | Y | All deployment scenarios: database
SQL Server | SQL Server 2008 | Windows virtual machine in VMware (protects workloads running in Windows virtual machine in VMware) | Y | Y | All deployment scenarios: database
Exchange | Exchange 2016 | Physical server; On-premises Hyper-V virtual machine | Y | Y | Protect (all deployment scenarios): Standalone Exchange server, database under a database availability group (DAG). Recover (all deployment scenarios): Mailbox, mailbox databases under a DAG
Exchange | Exchange 2016 | Windows virtual machine in VMware (protects workloads running in Windows virtual machine in VMware) | Y | Y | Protect (all deployment scenarios): Standalone Exchange server, database under a database availability group (DAG). Recover (all deployment scenarios): Mailbox, mailbox databases under a DAG
Exchange | Exchange 2013 | Physical server; On-premises Hyper-V virtual machine | Y | Y | Protect (all deployment scenarios): Standalone Exchange server, database under a database availability group (DAG). Recover (all deployment scenarios): Mailbox, mailbox databases under a DAG
Exchange | Exchange 2013 | Windows virtual machine in VMware (protects workloads running in Windows virtual machine in VMware) | Y | Y | Protect (all deployment scenarios): Standalone Exchange server, database under a database availability group (DAG). Recover (all deployment scenarios): Mailbox, mailbox databases under a DAG
Exchange | Exchange 2010 | Physical server; On-premises Hyper-V virtual machine | Y | Y | Protect (all deployment scenarios): Standalone Exchange server, database under a database availability group (DAG). Recover (all deployment scenarios): Mailbox, mailbox databases under a DAG
Exchange | Exchange 2010 | Windows virtual machine in VMware (protects workloads running in Windows virtual machine in VMware) | Y | Y | Protect (all deployment scenarios): Standalone Exchange server, database under a database availability group (DAG). Recover (all deployment scenarios): Mailbox, mailbox databases under a DAG
Exchange | Exchange 2007 | Physical server; On-premises Hyper-V virtual machine | Y | Y | Protect (all deployment scenarios): Storage group. Recover (all deployment scenarios): Storage group, database, mailbox
Exchange | Exchange 2007 | Windows virtual machine in VMware (protects workloads running in Windows virtual machine in VMware) | Y | Y | Protect (all deployment scenarios): Storage group. Recover (all deployment scenarios): Storage group, database, mailbox
SharePoint | SharePoint 2016 | Physical server; On-premises Hyper-V virtual machine; Azure virtual machine (when workload is running as Azure virtual machine); Windows virtual machine in VMware (protects workloads running in Windows virtual machine in VMware) | Y | N | Protect (all deployment scenarios): Farm, frontend web server content. Recover (all deployment scenarios): Farm, database, web application, file or list item, SharePoint search, frontend web server. Note that protecting a SharePoint farm that's using the SQL Server 2012 AlwaysOn feature for the content databases isn't supported.
SharePoint | SharePoint 2013 | Physical server; On-premises Hyper-V virtual machine | Y | Y | Protect (all deployment scenarios): Farm, frontend web server content. Recover (all deployment scenarios): Farm, database, web application, file or list item, SharePoint search, frontend web server. Note that protecting a SharePoint farm that's using the SQL Server 2012 AlwaysOn feature for the content databases isn't supported.
SharePoint | SharePoint 2013 | Azure virtual machine (when workload is running as Azure virtual machine) - DPM 2012 R2 Update Rollup 3 onwards | Y | Y | Protect (all deployment scenarios): Farm, SharePoint search, frontend web server content. Recover (all deployment scenarios): Farm, database, web application, file or list item, SharePoint search, frontend web server. Note that protecting a SharePoint farm that's using the SQL Server 2012 AlwaysOn feature for the content databases isn't supported.
SharePoint | SharePoint 2013 | Windows virtual machine in VMware (protects workloads running in Windows virtual machine in VMware) | Y | Y | Protect (all deployment scenarios): Farm, SharePoint search, frontend web server content. Recover (all deployment scenarios): Farm, database, web application, file or list item, SharePoint search, frontend web server. Note that protecting a SharePoint farm that's using the SQL Server 2012 AlwaysOn feature for the content databases isn't supported.
SharePoint | SharePoint 2010 | Physical server; On-premises Hyper-V virtual machine | Y | Y | Protect (all deployment scenarios): Farm, SharePoint search, frontend web server content. Recover (all deployment scenarios): Farm, database, web application, file or list item, SharePoint search, frontend web server
SharePoint | SharePoint 2010 | Azure virtual machine (when workload is running as Azure virtual machine) | Y | Y | Protect (all deployment scenarios): Farm, SharePoint search, frontend web server content. Recover (all deployment scenarios): Farm, database, web application, file or list item, SharePoint search, frontend web server
SharePoint | SharePoint 2010 | Windows virtual machine in VMware (protects workloads running in Windows virtual machine in VMware) | Y | Y | Protect (all deployment scenarios): Farm, SharePoint search, frontend web server content. Recover (all deployment scenarios): Farm, database, web application, file or list item, SharePoint search, frontend web server
SharePoint | SharePoint 2007 | Physical server; On-premises Hyper-V virtual machine | Y | Y | Protect (all deployment scenarios): Farm, SharePoint search, frontend web server content. Recover (all deployment scenarios): Farm, database, web application, file or list item, SharePoint search, frontend web server
SharePoint | SharePoint 2007 | Windows virtual machine in VMware (protects workloads running in Windows virtual machine in VMware) | Y | Y | Protect (all deployment scenarios): Farm, SharePoint search, frontend web server content. Recover (all deployment scenarios): Farm, database, web application, file or list item, SharePoint search, frontend web server
Hyper-V host - DPM protection agent on Hyper-V host server, cluster, or VM | Windows Server 2016 | Physical server; On-premises Hyper-V virtual machine | Y | N | Protect: Hyper-V computers, cluster shared volumes (CSVs). Recover: Virtual machine, item-level recovery of files and folder, volumes, virtual hard drives
Hyper-V host - DPM protection agent on Hyper-V host server, cluster, or VM | Windows Server 2012 R2 - Datacenter and Standard | Physical server; On-premises Hyper-V virtual machine | Y | Y | Protect: Hyper-V computers, cluster shared volumes (CSVs). Recover: Virtual machine, item-level recovery of files and folder, volumes, virtual hard drives
Hyper-V host - DPM protection agent on Hyper-V host server, cluster, or VM | Windows Server 2012 - Datacenter and Standard | Physical server; On-premises Hyper-V virtual machine | Y | Y | Protect: Hyper-V computers, cluster shared volumes (CSVs). Recover: Virtual machine, item-level recovery of files and folder, volumes, virtual hard drives
Hyper-V host - DPM protection agent on Hyper-V host server, cluster, or VM | Windows Server 2008 R2 SP1 - Enterprise and Standard | Physical server; On-premises Hyper-V virtual machine | Y | Y | Protect: Hyper-V computers, cluster shared volumes (CSVs). Recover: Virtual machine, item-level recovery of files and folder, volumes, virtual hard drives
Hyper-V host - DPM protection agent on Hyper-V host server, cluster, or VM | Windows Server 2008 | Physical server; On-premises Hyper-V virtual machine | N | N | Protect: Hyper-V computers, cluster shared volumes (CSVs). Recover: Virtual machine, item-level recovery of files and folder, volumes, virtual hard drives
AZURE BACKUP
SERVER AZURE BACKUP AZURE BACKUP PROTECTION AND
WORKLOAD VERSION INSTALLATION SERVER V2 SERVER V1 RECOVERY

VMware VMs VMware server On-premises Y Y (with UR1) VMware VMs on


5.5 or 6.0 or 6.5 Hyper-V virtual cluster-shared
machine volumes (CSVs),
NFS, and SAN
storage
Item-level
recovery of files
and folders
available only for
Windows
VMware vApps
not supported

Linux Linux running as On-premises Y Y Hyper-V must be


Hyper-V or Hyper-V virtual running on
VMware guest machine Windows Server
2012 R2 or
Windows Server
2016. Protect:
Entire virtual
machine

Recover: Entire
virtual machine

Cluster support
Azure Backup Server can protect data in the following clustered applications:
File servers
SQL Server
Hyper-V - If you protect a Hyper-V cluster using scaled-out DPM protection, you can't add secondary
protection for the protected Hyper-V workloads.
If you run Hyper-V on Windows Server 2008 R2, make sure to install the update described in KB 975354. If
you run Hyper-V on Windows Server 2008 R2 in a cluster configuration, make sure you install SP2 and KB
971394.
Exchange Server - Azure Backup Server can protect non-shared disk clusters for supported Exchange Server
versions (cluster-continuous replication), and can also protect Exchange Server configured for local
continuous replication.
SQL Server - Azure Backup Server doesn't support backing up SQL Server databases hosted on cluster-
shared volumes (CSVs).
Azure Backup Server can protect cluster workloads that are located in the same domain as the DPM server, and in
a child or trusted domain. If you want to protect data sources in untrusted domains or workgroups, use NTLM or
certificate authentication for a single server, or certificate authentication only for a cluster.
Preparing to back up workloads using Azure Backup Server
8/21/2017 12 min to read

This article explains how to prepare your environment to back up workloads using Azure Backup Server. With
Azure Backup Server, you can protect application workloads such as Hyper-V VMs, Microsoft SQL Server,
SharePoint Server, Microsoft Exchange, and Windows clients from a single console.

NOTE
Azure Backup Server can now protect VMware VMs and provides improved security capabilities. Install the product as
explained in the sections below; apply Update 1 and the latest Azure Backup Agent. To learn more about backing up
VMware servers with Azure Backup Server, see the article, Use Azure Backup Server to back up a VMware server. To learn
about security capabilities, refer to Azure backup security features documentation.

You can also protect Infrastructure as a Service (IaaS) workloads such as VMs in Azure.

NOTE
Azure has two deployment models for creating and working with resources: Resource Manager and classic. This article
provides the information and procedures for restoring VMs deployed using the Resource Manager model.

Azure Backup Server inherits much of the workload backup functionality from Data Protection Manager (DPM).
This article links to DPM documentation to explain some of the shared functionality. Though Azure Backup Server
shares much of the same functionality as DPM, it does not back up to tape, nor does it integrate with System
Center.

1. Choose an installation platform


The first step towards getting the Azure Backup Server up and running is to set up a Windows Server. Your server
can be in Azure or on-premises.
Using a server in Azure
When choosing a server for running Azure Backup Server, it is recommended you start with a gallery image of
Windows Server 2012 R2 Datacenter. The article, Create your first Windows virtual machine in the Azure portal,
provides a tutorial for getting started with the recommended virtual machine in Azure, even if you've never used
Azure before. The recommended minimum requirements for the server virtual machine (VM) are: A2
Standard with two cores and 3.5 GB RAM.
Protecting workloads with Azure Backup Server has many nuances. The article, Install DPM as an Azure virtual
machine, helps explain these nuances. Before deploying the machine, read this article completely.
Using an on-premises server
If you do not want to run the base server in Azure, you can run the server on a Hyper-V VM, a VMware VM, or a
physical host. The recommended minimum requirements for the server hardware are two cores and 4 GB RAM.
The supported operating systems are listed in the following table:
| OPERATING SYSTEM | PLATFORM | SKU |
|---|---|---|
| Windows Server 2012 R2 and latest SPs | 64 bit | Standard, Datacenter, Foundation |
| Windows Server 2012 and latest SPs | 64 bit | Datacenter, Foundation, Standard |
| Windows Storage Server 2012 R2 and latest SPs | 64 bit | Standard, Workgroup |
| Windows Storage Server 2012 and latest SPs | 64 bit | Standard, Workgroup |

You can deduplicate the DPM storage using Windows Server Deduplication. Learn more about how DPM and
deduplication work together when deployed in Hyper-V VMs.

NOTE
Azure Backup Server is designed to run on a dedicated, single-purpose server. You cannot install Azure Backup Server on:
A computer running as a domain controller
A computer on which the Application Server role is installed
A computer that is a System Center Operations Manager management server
A computer on which Exchange Server is running
A computer that is a node of a cluster

Always join Azure Backup Server to a domain. If you plan to move the server to a different domain, it is
recommended that you join the server to the new domain before installing Azure Backup Server. Moving an
existing Azure Backup Server machine to a new domain after deployment is not supported.
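
A pre-install check of the host requirements listed above, as an added example that is not part of the original documentation. The function name, its parameters, and the service-name heuristics for Exchange (MSExchange*) and clustering (ClusSvc) are assumptions; the Operations Manager restriction is not checked.

```powershell
# Added example (not from the Azure Backup documentation).
# Checks a Windows Server host against the requirements listed in this article.
# Test-BackupServerHost, -ExtractPath and -MinMemoryGB are hypothetical names.
function Test-BackupServerHost {
    [CmdletBinding()]
    param(
        # Local folder the installer will extract setup files to (article: at least 4 GB free).
        [string]$ExtractPath = $env:TEMP,
        # Article: 4 GB RAM on-premises; the recommended Azure A2 Standard size has 3.5 GB.
        [double]$MinMemoryGB = 4
    )

    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
    $cores = (Get-CimInstance -ClassName Win32_Processor |
              Measure-Object -Property NumberOfCores -Sum).Sum
    # TotalPhysicalMemory reports slightly less than the installed amount, so round it.
    $ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)

    # Free space on the local drive that holds the extraction folder.
    $fullPath = (Resolve-Path -LiteralPath $ExtractPath).ProviderPath
    $root     = [System.IO.Path]::GetPathRoot($fullPath)
    $drive    = New-Object -TypeName System.IO.DriveInfo -ArgumentList $root
    $freeGB   = [math]::Round($drive.AvailableFreeSpace / 1GB, 1)

    # Heuristics (assumptions) for roles the article says must not share the machine.
    $exchange = @(Get-Service -Name 'MSExchange*' -ErrorAction SilentlyContinue)
    $cluster  = Get-Service -Name 'ClusSvc' -ErrorAction SilentlyContinue
    $appRole  = Get-WindowsFeature -Name 'Application-Server' -ErrorAction SilentlyContinue

    # Emits one result object per requirement.
    $report = {
        param([string]$Check, [bool]$Passed, [string]$Detail)
        [pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail }
    }

    & $report '64-bit operating system' ([Environment]::Is64BitOperatingSystem) ''
    & $report 'At least two cores' ($cores -ge 2) "$cores core(s)"
    & $report "At least $MinMemoryGB GB RAM" ($ramGB -ge $MinMemoryGB) "$ramGB GB"
    & $report 'At least 4 GB free for extraction' ($freeGB -ge 4) "$freeGB GB free on $root"
    & $report 'Joined to a domain' $cs.PartOfDomain $cs.Domain
    # DomainRole 4 and 5 are backup and primary domain controllers.
    & $report 'Not a domain controller' ($cs.DomainRole -lt 4) "DomainRole $($cs.DomainRole)"
    & $report 'Application Server role not installed' (-not ($appRole -and $appRole.Installed)) ''
    & $report 'Exchange Server not running' ($exchange.Count -eq 0) "$($exchange.Count) MSExchange service(s)"
    & $report 'Not a cluster node' (-not ($cluster -and ($cluster.Status -eq 'Running'))) ''
}

# Show every result, then list only the requirements that are not met.
$results = @(Test-BackupServerHost)
$results | Format-Table -AutoSize | Out-Host
$results | Where-Object { -not $_.Passed }
```

Run it in an elevated PowerShell session on the Windows Server machine before starting the setup wizard; an empty final list means every checked requirement is met.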

2. Recovery Services vault


Whether you send backup data to Azure or keep it locally, the software needs to be connected to Azure. To be
more specific, the Azure Backup Server machine needs to be registered with a recovery services vault.
To create a recovery services vault:
1. Sign in to the Azure portal.
2. On the Hub menu, click Browse and in the list of resources, type Recovery Services. As you begin typing,
the list filters based on your input. Click Recovery Services vault.
The list of Recovery Services vaults is displayed.
3. On the Recovery Services vaults menu, click Add.

The Recovery Services vault blade opens, prompting you to provide a Name, Subscription, Resource
group, and Location.
4. For Name, enter a friendly name to identify the vault. The name needs to be unique for the Azure
subscription. Type a name that contains between 2 and 50 characters. It must start with a letter, and can
contain only letters, numbers, and hyphens.
5. Click Subscription to see the available list of subscriptions. If you are not sure which subscription to use, use
the default (or suggested) subscription. There are multiple choices only if your organizational account is
associated with multiple Azure subscriptions.
6. Click Resource group to see the available list of Resource groups, or click New to create a new Resource
group. For complete information on Resource groups, see Azure Resource Manager overview.
7. Click Location to select the geographic region for the vault.
8. Click Create. It can take a while for the Recovery Services vault to be created. Monitor the status notifications
in the upper right-hand area in the portal. Once your vault is created, it opens in the portal.
Set Storage Replication
The storage replication option allows you to choose between geo-redundant storage and locally redundant
storage. By default, your vault has geo-redundant storage. If this vault is your primary vault, leave the storage
option set to geo-redundant storage. Choose locally redundant storage if you want a cheaper option that isn't
quite as durable. Read more about geo-redundant and locally redundant storage options in the Azure Storage
replication overview.
To edit the storage replication setting:
1. Select your vault to open the vault dashboard and the Settings blade. If the Settings blade doesn't open, click
All settings in the vault dashboard.
2. On the Settings blade, click Backup Infrastructure > Backup Configuration to open the Backup
Configuration blade. On the Backup Configuration blade, choose the storage replication option for
your vault.
After choosing the storage option for your vault, you are ready to associate the VM with the vault. To
begin the association, you should discover and register the Azure virtual machines.

3. Software package
Downloading the software package
1. Sign in to the Azure portal.
2. If you already have a Recovery Services vault open, proceed to step 3. If you do not have a Recovery
Services vault open, but are in the Azure portal, on the Hub menu, click Browse.
In the list of resources, type Recovery Services.
As you begin typing, the list will filter based on your input. When you see Recovery Services
vaults, click it.
The list of Recovery Services vaults appears.
From the list of Recovery Services vaults, select a vault.
The selected vault dashboard opens.
3. The Settings blade opens up by default. If it is closed, click on Settings to open the settings blade.

4. Click Backup to open the Getting Started wizard.


In the Getting Started with backup blade that opens, Backup Goals will be auto-selected.

5. In the Backup Goal blade, from the Where is your workload running menu, select On-premises.
From the What do you want to backup? drop-down menu, select the workloads you want to protect
using Azure Backup Server, and then click OK.
The Getting Started with backup wizard switches the Prepare infrastructure option to back up
workloads to Azure.

NOTE
If you only want to back up files and folders, we recommend using the Azure Backup agent and following the
guidance in the article, First look: back up files and folders. If you are going to protect more than files and folders,
or you are planning to expand the protection needs in the future, select those workloads.

6. In the Prepare infrastructure blade that opens, click the Download links for Install Azure Backup Server
and Download vault credentials. You use the vault credentials during registration of Azure Backup Server
to the recovery services vault. The links take you to the Download Center where the software package can
be downloaded.
7. Select all the files and click Next. Download all the files coming in from the Microsoft Azure Backup
download page, and place all the files in the same folder.

Since the download size of all the files together is > 3G, on a 10Mbps download link it may take up to 60
minutes for the download to complete.
Extracting the software package
After you've downloaded all the files, click MicrosoftAzureBackupInstaller.exe. This will start the Microsoft
Azure Backup Setup Wizard to extract the setup files to a location specified by you. Continue through the
wizard and click on the Extract button to begin the extraction process.

WARNING
At least 4GB of free space is required to extract the setup files.
Once the extraction process completes, check the box to launch the freshly extracted setup.exe to begin installing
Microsoft Azure Backup Server, and click the Finish button.
Installing the software package
1. Click Microsoft Azure Backup to launch the setup wizard.

2. On the Welcome screen click the Next button. This takes you to the Prerequisite Checks section. On this
screen, click Check to determine if the hardware and software prerequisites for Azure Backup Server have
been met. If all prerequisites are met successfully, you will see a message indicating that the machine
meets the requirements. Click on the Next button.
3. Microsoft Azure Backup Server requires SQL Server Standard, and the Azure Backup Server installation
package comes bundled with the appropriate SQL Server binaries needed. When starting with a new
Azure Backup Server installation, you should pick the option Install new Instance of SQL Server with
this Setup and click the Check and Install button. Once the prerequisites are successfully installed, click
Next.
If a failure occurs with a recommendation to restart the machine, do so and click Check Again.

NOTE
Azure Backup Server will not work with a remote SQL Server instance. The instance being used by Azure Backup
Server needs to be local.

4. Provide a location for the installation of Microsoft Azure Backup server files and click Next.
The scratch location is a requirement for back up to Azure. Ensure the scratch location is at least 5% of the
data planned to be backed up to the cloud. For disk protection, separate disks need to be configured once
the installation completes. For more information regarding storage pools, see Configure storage pools and
disk storage.
5. Provide a strong password for restricted local user accounts and click Next.
6. Select whether you want to use Microsoft Update to check for updates and click Next.

NOTE
We recommend having Windows Update redirect to Microsoft Update, which offers security and important updates
for Windows and other products like Microsoft Azure Backup Server.
7. Review the Summary of Settings and click Install.

8. The installation happens in phases. In the first phase the Microsoft Azure Recovery Services Agent is
installed on the server. The wizard also checks for Internet connectivity. If Internet connectivity is available,
you can proceed with installation; if not, you need to provide proxy details to connect to the Internet.
The next step is to configure the Microsoft Azure Recovery Services Agent. As a part of the configuration,
you will have to provide your vault credentials to register the machine to the recovery services vault. You
will also provide a passphrase to encrypt/decrypt the data sent between Azure and your premises. You can
automatically generate a passphrase or provide your own minimum 16-character passphrase. Continue
with the wizard until the agent has been configured.

9. Once registration of the Microsoft Azure Backup server successfully completes, the overall setup wizard
proceeds to the installation and configuration of SQL Server and the Azure Backup Server components.
Once the SQL Server component installation completes, the Azure Backup Server components are
installed.
When the installation step has completed, the product's desktop icons will have been created as well. Just
double-click the icon to launch the product.
Add backup storage
The first backup copy is kept on storage attached to the Azure Backup Server machine. For more information
about adding disks, see Configure storage pools and disk storage.

NOTE
You need to add backup storage even if you plan to send data to Azure. In the current architecture of Azure Backup
Server, the Azure Backup vault holds the second copy of the data while the local storage holds the first (and mandatory)
backup copy.

4. Network connectivity
Azure Backup Server requires connectivity to the Azure Backup service for the product to work successfully. To
validate whether the machine has the connectivity to Azure, use the Get-DPMCloudConnection cmdlet in the Azure
Backup Server PowerShell console. If the output of the cmdlet is TRUE then connectivity exists, else there is no
connectivity.
At the same time, the Azure subscription needs to be in a healthy state. To find out the state of your subscription
and to manage it, log in to the subscription portal.
Once you know the state of the Azure connectivity and of the Azure subscription, you can use the table below to
find out the impact on the backup/restore functionality offered.
| CONNECTIVITY STATE | AZURE SUBSCRIPTION | BACK UP TO AZURE | BACK UP TO DISK | RESTORE FROM AZURE | RESTORE FROM DISK |
|---|---|---|---|---|---|
| Connected | Active | Allowed | Allowed | Allowed | Allowed |
| Connected | Expired | Stopped | Stopped | Allowed | Allowed |
| Connected | Deprovisioned | Stopped | Stopped | Stopped and Azure recovery points deleted | Stopped |
| Lost connectivity > 15 days | Active | Stopped | Stopped | Allowed | Allowed |
| Lost connectivity > 15 days | Expired | Stopped | Stopped | Allowed | Allowed |
| Lost connectivity > 15 days | Deprovisioned | Stopped | Stopped | Stopped and Azure recovery points deleted | Stopped |

Recovering from loss of connectivity


If you have a firewall or a proxy that is preventing access to Azure, you need to whitelist the following domain
addresses in the firewall/proxy profile:
www.msftncsi.com
*.Microsoft.com
*.WindowsAzure.com
*.microsoftonline.com
*.windows.net
Once connectivity to Azure has been restored to the Azure Backup Server machine, the operations that can be
performed are determined by the Azure subscription state. The table above has details about the operations
allowed once the machine is "Connected".
Handling subscription states
It is possible to take an Azure subscription from an Expired or Deprovisioned state to the Active state. However
this has some implications on the product behavior while the state is not Active:
A Deprovisioned subscription loses functionality for the period that it is deprovisioned. On turning Active, the
product functionality of backup/restore is revived. The backup data on the local disk also can be retrieved if it
was kept with a sufficiently large retention period. However, the backup data in Azure is irretrievably lost once
the subscription enters the Deprovisioned state.
An Expired subscription only loses functionality until it has been made Active again. Any backups
scheduled for the period that the subscription was Expired will not run.

Troubleshooting
If Microsoft Azure Backup server fails with errors during the setup phase (or backup or restore), refer to this error
codes document for more information. You can also refer to Azure Backup related FAQs.

Next steps
You can get detailed information about preparing your environment for DPM on the Microsoft TechNet site. It
also contains information about supported configurations on which Azure Backup Server can be deployed and
used.
You can use these articles to gain a deeper understanding of workload protection using Microsoft Azure Backup
server.
SQL Server backup
SharePoint server backup
Alternate server backup
Preparing to back up workloads using Azure Backup Server
8/2/2017 8 min to read

This article is about preparing your environment to back up workloads using Azure Backup Server. With Azure
Backup Server, you can protect application workloads such as Hyper-V VMs, Microsoft SQL Server, SharePoint
Server, Microsoft Exchange and Windows clients from a single console.

WARNING
Azure Backup Server inherits the functionality of Data Protection Manager (DPM) for workload backup. You will find pointers
to DPM documentation for some of these capabilities. However Azure Backup Server does not provide protection on tape or
integrate with System Center.

1. Windows Server machine

The first step towards getting the Azure Backup Server up and running is to have a Windows Server machine.

| LOCATION | MINIMUM REQUIREMENTS | ADDITIONAL INSTRUCTIONS |
|---|---|---|
| Azure | Azure IaaS virtual machine. A2 Standard: 2 cores, 3.5GB RAM | You can start with a simple gallery image of Windows Server 2012 R2 Datacenter. Protecting IaaS workloads using Azure Backup Server (DPM) has many nuances. Ensure that you read the article completely before deploying the machine. |
| On-premises | Hyper-V VM, VMware VM, or a physical host. 2 cores and 4GB RAM | You can deduplicate the DPM storage using Windows Server Deduplication. Learn more about how DPM and deduplication work together when deployed in Hyper-V VMs. |

NOTE
It is recommended that Azure Backup Server be installed on a machine with Windows Server 2012 R2 Datacenter. A lot of the
prerequisites are automatically covered with the latest version of the Windows operating system.

If you plan to join Azure Backup Server to a domain, it is recommended that you join the physical server or virtual
machine to the domain before installing the Azure Backup Server software. Moving an Azure Backup Server to a
new domain, after deployment, is not supported.

2. Backup vault
Whether you send backup data to Azure or keep it locally, the Azure Backup Server must be registered to a vault. If
you are a new Azure Backup user, and want to use Azure Backup Server, see the Azure portal version of this article -
Prepare to back up workloads using Azure Backup Server.

IMPORTANT
Starting March 2017, you can no longer use the classic portal to create Backup vaults. You can now upgrade your Backup
vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to a Recovery Services vault. Microsoft
encourages you to upgrade your Backup vaults to Recovery Services vaults.
After October 15, 2017, you can't use PowerShell to create Backup vaults. By November 1, 2017:
All remaining Backup vaults will be automatically upgraded to Recovery Services vaults.
You won't be able to access your backup data in the classic portal. Instead, use the Azure portal to access your backup
data in Recovery Services vaults.

3. Software package

Downloading the software package


Similar to vault credentials, you can download Microsoft Azure Backup for application workloads from the Quick
Start Page of the backup vault.
1. Click For Application Workloads (Disk to Disk to Cloud). This will take you to the Download Center page
from where the software package can be downloaded.
2. Click Download.

3. Select all the files and click Next. Download all the files coming in from the Microsoft Azure Backup
download page, and place all the files in the same folder.

Since the download size of all the files together is > 3G, on a 10Mbps download link it may take up to 60
minutes for the download to complete.
Extracting the software package
After you've downloaded all the files, click MicrosoftAzureBackupInstaller.exe. This will start the Microsoft
Azure Backup Setup Wizard to extract the setup files to a location specified by you. Continue through the wizard
and click on the Extract button to begin the extraction process.

WARNING
At least 4GB of free space is required to extract the setup files.
Once the extraction process completes, check the box to launch the freshly extracted setup.exe to begin installing
Microsoft Azure Backup Server, and click the Finish button.
Installing the software package
1. Click Microsoft Azure Backup to launch the setup wizard.

2. On the Welcome screen click the Next button. This takes you to the Prerequisite Checks section. On this
screen, click on the Check button to determine if the hardware and software prerequisites for Azure Backup
Server have been met. If all of the prerequisites have been met successfully, you will see a message
indicating that the machine meets the requirements. Click on the Next button.
3. Microsoft Azure Backup Server requires SQL Server Standard, and the Azure Backup Server installation
package comes bundled with the appropriate SQL Server binaries needed. When starting with a new Azure
Backup Server installation, you should pick the option Install new Instance of SQL Server with this Setup
and click the Check and Install button. Once the prerequisites are successfully installed, click Next.
If a failure occurs with a recommendation to restart the machine, do so and click Check Again.

NOTE
Azure Backup Server will not work with a remote SQL Server instance. The instance being used by Azure Backup
Server needs to be local.

4. Provide a location for the installation of Microsoft Azure Backup server files and click Next.
The scratch location is a requirement for back up to Azure. Ensure the scratch location is at least 5% of the
data planned to be backed up to the cloud. For disk protection, separate disks need to be configured once
the installation completes. For more information regarding storage pools, see Configure storage pools and
disk storage.
5. Provide a strong password for restricted local user accounts and click Next.
6. Select whether you want to use Microsoft Update to check for updates and click Next.

NOTE
We recommend having Windows Update redirect to Microsoft Update, which offers security and important updates
for Windows and other products like Microsoft Azure Backup Server.
7. Review the Summary of Settings and click Install.

8. The installation happens in phases. In the first phase the Microsoft Azure Recovery Services Agent is
installed on the server. The wizard also checks for Internet connectivity. If Internet connectivity is available,
you can proceed with installation; if not, you need to provide proxy details to connect to the Internet.
The next step is to configure the Microsoft Azure Recovery Services Agent. As a part of the configuration,
you will have to provide your vault credentials to register the machine to the backup vault. You will also
provide a passphrase to encrypt/decrypt the data sent between Azure and your premises. You can
automatically generate a passphrase or provide your own minimum 16-character passphrase. Continue with
the wizard until the agent has been configured.

9. Once registration of the Microsoft Azure Backup server successfully completes, the overall setup wizard
proceeds to the installation and configuration of SQL Server and the Azure Backup Server components.
Once the SQL Server component installation completes, the Azure Backup Server components are installed.
When the installation step has completed, the product's desktop icons will have been created as well. Just double-
click the icon to launch the product.
Add backup storage
The first backup copy is kept on storage attached to the Azure Backup Server machine. For more information about
adding disks, see Configure storage pools and disk storage.

NOTE
You need to add backup storage even if you plan to send data to Azure. In the current architecture of Azure Backup Server,
the Azure Backup vault holds the second copy of the data while the local storage holds the first (and mandatory) backup
copy.

4. Network connectivity

Azure Backup Server requires connectivity to the Azure Backup service for the product to work successfully. To
validate whether the machine has the connectivity to Azure, use the Get-DPMCloudConnection cmdlet in the
Azure Backup Server PowerShell console. If the output of the cmdlet is TRUE then connectivity exists, else
there is no connectivity.
At the same time, the Azure subscription needs to be in a healthy state. To find out the state of your subscription
and to manage it, log in to the subscription portal.
Once you know the state of the Azure connectivity and of the Azure subscription, you can use the table below to
find out the impact on the backup/restore functionality offered.
| CONNECTIVITY STATE | AZURE SUBSCRIPTION | BACKUP TO AZURE | BACKUP TO DISK | RESTORE FROM AZURE | RESTORE FROM DISK |
|---|---|---|---|---|---|
| Connected | Active | Allowed | Allowed | Allowed | Allowed |
| Connected | Expired | Stopped | Stopped | Allowed | Allowed |
| Connected | Deprovisioned | Stopped | Stopped | Stopped and Azure recovery points deleted | Stopped |
| Lost connectivity > 15 days | Active | Stopped | Stopped | Allowed | Allowed |
| Lost connectivity > 15 days | Expired | Stopped | Stopped | Allowed | Allowed |
| Lost connectivity > 15 days | Deprovisioned | Stopped | Stopped | Stopped and Azure recovery points deleted | Stopped |

Recovering from loss of connectivity


If you have a firewall or a proxy that is preventing access to Azure, you need to whitelist the following domain
addresses in the firewall/proxy profile:
www.msftncsi.com
*.Microsoft.com
*.WindowsAzure.com
*.microsoftonline.com
*.windows.net
Once connectivity to Azure has been restored to the Azure Backup Server machine, the operations that can be
performed are determined by the Azure subscription state. The table above has details about the operations
allowed once the machine is "Connected".
Handling subscription states
It is possible to take an Azure subscription from an Expired or Deprovisioned state to the Active state. However this
has some implications on the product behavior while the state is not Active:
A Deprovisioned subscription loses functionality for the period that it is deprovisioned. On turning Active, the
product functionality of backup/restore is revived. The backup data on the local disk also can be retrieved if it
was kept with a sufficiently large retention period. However, the backup data in Azure is irretrievably lost once
the subscription enters the Deprovisioned state.
An Expired subscription only loses functionality until it has been made Active again. Any backups scheduled
for the period that the subscription was Expired will not run.

Troubleshooting
If Microsoft Azure Backup server fails with errors during the setup phase (or backup or restore), refer to this error
codes document for more information. You can also refer to Azure Backup related FAQs.

Next steps
You can get detailed information about preparing your environment for DPM on the Microsoft TechNet site. It also
contains information about supported configurations on which Azure Backup Server can be deployed and used.
You can use these articles to gain a deeper understanding of workload protection using Microsoft Azure Backup
server.
SQL Server backup
SharePoint server backup
Alternate server backup
Add storage to Azure Backup Server v2
6/27/2017 3 min to read

Azure Backup Server v2 comes with System Center 2016 Data Protection Manager Modern Backup Storage.
Modern Backup Storage offers storage savings of 50 percent, backups that are three times faster, and more
efficient storage. It also offers workload-aware storage.

NOTE
To use Modern Backup Storage, you must run Backup Server v2 on Windows Server 2016. If you run Backup Server v2 on an
earlier version of Windows Server, Azure Backup Server can't take advantage of Modern Backup Storage. Instead, it protects
workloads as it does with Backup Server v1. For more information, see the Backup Server version protection matrix.

Volumes in Backup Server v2


Backup Server v2 accepts storage volumes. When you add a volume, Backup Server formats the volume to Resilient
File System (ReFS), which Modern Backup Storage requires. To add a volume, and to expand it later if you need to,
we suggest that you use this workflow:
1. Set up Backup Server v2 on a VM.
2. Create a volume on a virtual disk in a storage pool:
a. Add a disk to a storage pool and create a virtual disk with simple layout.
b. Add any additional disks, and extend the virtual disk.
c. Create volumes on the virtual disk.
3. Add the volumes to Backup Server.
4. Configure workload-aware storage.

Create a volume for Modern Backup Storage


Using Backup Server v2 with volumes as disk storage can help you maintain control over storage. A volume can be
a single disk. However, if you want to extend storage in the future, create a volume out of a disk created by using
storage spaces. This can help if you want to expand the volume for backup storage. This section offers best
practices for creating a volume with this setup.
1. In Server Manager, select File and Storage Services > Volumes > Storage Pools. Under PHYSICAL
DISKS, select New Storage Pool.
2. In the TASKS drop-down box, select New Virtual Disk.

3. Select the storage pool, and then select Add Physical Disk.
4. Select the physical disk, and then select Extend Virtual Disk.

5. Select the virtual disk, and then select New Volume.


6. In the Select the server and disk dialog, select the server and the new disk. Then, select Next.

Add volumes to Backup Server disk storage


To add a volume to Backup Server, in the Management pane, rescan the storage, and then select Add. A list of all
the volumes available to be added for Backup Server Storage appears. After available volumes are added to the list
of selected volumes, you can give them a friendly name to help you manage them. To format these volumes to
ReFS so Backup Server can use the benefits of Modern Backup Storage, select OK.
Set up workload-aware storage
With workload-aware storage, you can select the volumes that preferentially store certain kinds of workloads. For
example, you can set expensive volumes that support a high number of input/output operations per second (IOPS)
to store only the workloads that require frequent, high-volume backups. An example is SQL Server with transaction
logs. Other workloads that are backed up less frequently, like VMs, can be backed up to low-cost volumes.
Update-DPMDiskStorage
You can set up workload-aware storage by using the PowerShell cmdlet Update-DPMDiskStorage, which updates
the properties of a volume in the storage pool on a Data Protection Manager server.
Syntax:
Parameter Set: Volume

Update-DPMDiskStorage [-Volume] <Volume> [[-FriendlyName] <String> ] [[-DatasourceType] <VolumeTag[]> ] [-Confirm] [-WhatIf] [ <CommonParameters>]

The following screenshot shows the Update-DPMDiskStorage cmdlet in the PowerShell window.
The changes you make by using PowerShell are reflected in the Backup Server Administrator Console.

Next steps
After you install Backup Server, learn how to prepare your server, or begin protecting a workload.
Prepare Backup Server workloads
Use Backup Server to back up a VMware server
Use Backup Server to back up SQL Server
Install Azure Backup Server v2
8/4/2017 11 min to read

Azure Backup Server helps protect your virtual machines (VMs), workloads, files and folders, and more. Azure
Backup Server v2 builds on Azure Backup Server v1, and gives you new features that are not available in v1. For a
comparison of features between v1 and v2, see Azure Backup Server protection matrix.
The additional features in Backup Server v2 are an upgrade from Backup Server v1. However, Backup Server v1 is
not a prerequisite for installing Backup Server v2. If you want to upgrade from Backup Server v1 to Backup Server
v2, install Backup Server v2 on the Backup Server protection server. Your existing Backup Server settings remain
intact.
You can install Backup Server v2 on Windows Server 2012 R2 or Windows Server 2016. To take advantage of new
features like System Center 2016 Data Protection Manager Modern Backup Storage, you must install Backup Server
v2 on Windows Server 2016. Before you upgrade to or install Backup Server v2, read about the installation
prerequisites.

NOTE
Azure Backup Server has the same code base as System Center Data Protection Manager. Backup Server v1 is equivalent to
Data Protection Manager 2012 R2, and Backup Server v2 is equivalent to Data Protection Manager 2016. This article
occasionally references the Data Protection Manager documentation.

Upgrade Backup Server to v2


To upgrade from Backup Server v1 to Backup Server v2, make sure your installation has the required updates:
Update the protection agents on the protected servers.
Upgrade Windows Server 2012 R2 to Windows Server 2016.
Upgrade Azure Backup Server Remote Administrator on all production servers.
Ensure that backups are set to continue without restarting your production server.
Upgrade steps for Backup Server v2
1. In the Download Center, download the upgrade installer.
2. After you extract the setup wizard, make sure that Execute setup.exe is selected, and then select Finish.
3. In the Microsoft Azure Backup Server wizard, under Install, select Microsoft Azure Backup Server.

4. On the Welcome page, review the warnings, and then select Next.
5. The setup wizard performs prerequisite checks to make sure your environment can upgrade. On the
Prerequisite Checks page, select Check.

6. Your environment must pass the prerequisite checks. If your environment doesn't pass the checks, note the
issues and fix them. Then, select Check Again. After you pass the prerequisite checks, select Next.

7. On the SQL Settings page, select the relevant option for your SQL installation, and then select Check and
Install.
The checks might take a few minutes. When the checks are finished, select Next.

8. On the Installation Settings page, make any changes to the location where Backup Server is installed, or to
the Scratch Location. Select Next.
9. To finish the setup wizard, select Finish.

Add storage for Modern Backup Storage


To improve backup storage efficiency, Backup Server v2 adds support for volumes. Like Backup Server v1, Backup
Server v2 supports disks.
Add volumes and disks
If you run Backup Server v2 on Windows Server 2016, you can use volumes to store backup data. Volumes offer
storage savings and faster backups. Because volumes are new to Backup Server, you must add them.
When you add a volume to Backup Server, you can give the volume a friendly name. Click the Friendly Name
column of the volume you want to name. You can change the name later, if necessary. You also can use PowerShell
to add or change friendly names for volumes.
To add a volume in the Administrator Console:
1. In the Azure Backup Server Administrator Console, select Management > Disk Storage > Add.
This opens the Add Disk Storage wizard.
2. On the Add Disk Storage page, in the Available volumes box, select a volume, and then select Add.
3. In the Selected volumes box, enter a friendly name for the volume, and then select OK.

If you want to add a disk, the disk must belong to a protection group that has legacy storage. These disks can
only be used for these protection groups. If Backup Server doesn't have sources that have legacy protection,
the disk isn't listed.
For more information about adding disks, see Adding disks to increase legacy storage. You can't give a disk a
friendly name.
Assign workloads to volumes
In Backup Server, you specify which workloads are assigned to which volumes. For example, you can set expensive
volumes that support a high number of input/output operations per second (IOPS) to store only workloads that
require frequent, high-volume backups. An example is SQL Server with transaction logs.
Update-DPMDiskStorage
To update the properties of a volume in the storage pool in Backup Server, use the PowerShell cmdlet
Update-DPMDiskStorage.
Syntax:
Parameter Set: Volume

Update-DPMDiskStorage [-Volume] <Volume> [[-FriendlyName] <String> ] [[-DatasourceType] <VolumeTag[]> ] [-Confirm] [-WhatIf] [ <CommonParameters>]

All changes that you make by using PowerShell are reflected in the UI.

Protect data sources


To begin protecting data sources, create a protection group. The following steps highlight changes or additions to
the New Protection Group wizard.
To create a protection group:
1. In the Backup Server Administrator Console, select Protection.
2. On the tool ribbon, select New.
This opens the Create New Protection Group wizard.

3. On the Welcome page, select Next.


4. On the Select Protection Group Type page, select the type of protection group you want to create, and
then select Next.

5. On the Select Group Members page, in the Available members pane, the members with protection
agents are listed. For this example, select volumes D:\ and E:\ and add them to the Selected members pane.
Select Next.

6. On the Select Data Protection Method page, enter a Protection group name, select the protection
method, and then select Next. If you want short-term protection, you must select the Disk backup method.
7. On the Specify Short-Term Goals page, select the details for Retention range and Synchronization
frequency. Then, select Next. Optionally, to change the schedule for when recovery points are taken, select
Modify.

8. On the Review Disk Storage Allocation page, review details about the data sources you selected, their size,
and values for the space to be provisioned and the target storage volume.
Storage volumes are based on the workload volume allocation (set by using PowerShell) and the available
storage. You can change the storage volumes by selecting other volumes in the drop-down menu. If you
change the value for Target Storage, the value for Available disk storage dynamically changes to reflect
values under Free Space and Underprovisioned Space.
If the data sources grow as planned, the value for the Underprovisioned Space column in Available disk
storage reflects the amount of additional storage that's needed. Use this value to help plan your storage
needs for smooth backups. If the value is zero, there are no potential problems with storage in the
foreseeable future. If the value is a number other than zero, you do not have sufficient storage allocated
(based on your protection policy and the data size of your protected members).
To finish creating your protection group, complete the wizard.

Migrate legacy storage to Modern Backup Storage


After you upgrade to or install Backup Server v2 and upgrade the operating system to Windows Server 2016,
update your protection groups to use Modern Backup Storage. By default, protection groups are not changed. They
continue to function as they were initially set up.
Updating protection groups to use Modern Backup Storage is optional. To update the protection group, stop
protection of all data sources by using the retain data option. Then, add the data sources to a new protection group.
1. In the Administrator Console, select the Protection feature. In the Protection Group Member list, right-
click the member, and then select Stop protection of member.
2. In the Remove from Group dialog box, review the used disk space and the available free space for the
storage pool. The default is to leave the recovery points on the disk and allow them to expire per their
associated retention policy. Click OK.
If you want to immediately return the used disk space to the free storage pool, select the Delete replica on
disk check box to delete the backup data (and recovery points) associated with that member.

3. Create a protection group that uses Modern Backup Storage. Include the unprotected data sources.

Add disks to increase legacy storage


If you want to use legacy storage with Backup Server, you might need to add disks to increase legacy storage.
To add disk storage:
1. In the Administrator Console, select Management > Disk Storage > Add.
2. In the Add Disk Storage dialog, select Add disks.
3. In the list of available disks, select the disks you want to add, select Add, and then select OK.

Update the Data Protection Manager protection agent


Backup Server uses the System Center Data Protection Manager protection agent for updates. If you are upgrading
a protection agent that is not connected to the network, you cannot use the Data Protection Manager Administrator
Console to complete a connected agent upgrade. You must upgrade the protection agent in a nonactive domain
environment. Until the client computer is connected to the network, the Data Protection Manager Administrator
Console shows that the protection agent update is pending.
The following sections describe how to update protection agents for client computers that are connected and client
computers that are not connected.
Update a protection agent for a connected client computer
1. In the Backup Server Administrator Console, select Management > Agents.
2. In the display pane, select the client computers for which you want to update the protection agent.

NOTE
The Agent Updates column indicates when a protection agent update is available for each protected computer. In
the Actions pane, the Update action is available only when a protected computer is selected and updates are
available.

3. To install updated protection agents on the selected computers, in the Actions pane, select Update.
Update a protection agent on a client computer that is not connected
1. In the Backup Server Administrator Console, select Management > Agents.
2. In the display pane, select the client computers for which you want to update the protection agent.
NOTE
The Agent Updates column indicates when a protection agent update is available for each protected computer. In
the Actions pane, the Update action is not available when a protected computer is selected unless updates are
available.

3. To install updated protection agents on the selected computers, select Update.


4. For a client computer that is not connected to the network, until the computer is connected to the network,
the Agent Status column shows a status of Update Pending.
After a client computer is connected to the network, the Agent Updates column for the client computer
shows a status of Updating.
Move legacy protection groups from the old version and sync the new version with Azure
Once Azure Backup Server and the OS are both updated, you are ready to protect new data sources by using Modern
Backup Storage. However, data sources that are already protected continue to be protected in the legacy way, as they
were in Azure Backup Server. All new protection uses Modern Backup Storage.
The following steps migrate data sources from the legacy mode of protection to Modern Backup Storage.
Add the new volumes to the DPM storage pool, and assign friendly names and data source tags if desired.
For each data source that is in legacy mode, stop protection of the data source and select Retain Protected Data.
This allows recovery of old recovery points after migration.
Create a new protection group (PG), and select the data sources that are to be stored in the new format. DPM does a
replica copy from the legacy backup storage into the Modern Backup Storage volume locally. Note: This is seen as a
post-recovery operation job.
All new sync and recovery points are then stored in Modern Backup Storage. Old recovery points are pruned out as
they expire, which eventually frees up the disk space.
Once all the legacy volumes are deleted from the old storage, the disk can be removed from Azure Backup and the
system.
Take a backup of the Azure DPMDB.
Part 2
Important items:
The new server must have the same name as the original Azure Backup Server. You cannot change the name of the
new Azure Backup Server if you want to use the old storage pool and DPMDB to retain recovery points.
You must have a backup of the DPMDB, because it needs to be restored.
1. Shut down the original Azure Backup Server or take it off the wire.
2. Reset the machine account in Active Directory.
3. Install Windows Server 2016 on the new machine, and give it the same machine name as the original Azure Backup
Server.
4. Join the domain.
5. Install Azure Backup Server v2. (Move the DPM storage pool disks from the old server and import them.)
6. Restore the DPMDB taken from end of part 2.
7. Attach the storage from the original backup server to the new server.
8. From SQL, restore the DPMDB.
9. From an admin command line on the new server, cd to the Microsoft Azure Backup install location and bin folder.
Path example: C:\windows\system32>cd "c:\Program Files\Microsoft Azure Backup\DPM\DPM\bin\"
10. Run DPMSYNC -SYNC.
Note: If you have added new disks to the DPM storage pool instead of moving the old ones, run DPMSYNC
-Reallocatereplica.

New PowerShell cmdlets in v2


When you install Azure Backup Server v2, two new cmdlets are available:
Mount-DPMRecoveryPoint
Dismount-DPMRecoveryPoint
Next steps
Learn how to prepare your server or begin protecting a workload:
Prepare Backup Server workloads
Use Backup Server to back up a VMware server
Use Backup Server to back up SQL Server
Use Modern Backup Storage with Backup Server
Run an unattended installation of Azure Backup Server v2
6/27/2017 1 min to read

Learn how to run an unattended installation of Azure Backup Server v2.


These steps do not apply if you are installing Azure Backup Server v1.

Install Backup Server v2


1. On the server that hosts Azure Backup Server v2, create a text file. (You can create the file in Notepad or in
another text editor.) Save the file as MABSSetup.ini.
2. Paste the following code in the MABSSetup.ini file. Replace the text inside the brackets (< >) with values from
your environment. The following text is an example:

[OPTIONS]
UserName=administrator
CompanyName=<Microsoft Corporation>
SQLMachineName=localhost
SQLInstanceName=<SQL instance name>
SQLMachineUserName=administrator
SQLMachinePassword=<admin password>
SQLMachineDomainName=<machine domain>
ReportingMachineName=localhost
ReportingInstanceName=<reporting instance name>
SqlAccountPassword=<admin password>
ReportingMachineUserName=<username>
ReportingMachinePassword=<reporting admin password>
ReportingMachineDomainName=<domain>
VaultCredentialFilePath=<vault credential full path and complete name>
SecurityPassphrase=<passphrase>
PassphraseSaveLocation=<passphrase save location>
UseExistingSQL=<1/0 use or do not use existing SQL>

3. Save the file. Then, at an elevated command prompt on the installation server, enter this command:

start /wait <cdlayout path>/Setup.exe /i /f <.ini file path>/setup.ini /L <log path>/setup.log

You can use these flags for the installation:


/f: .ini file path
/l: Log path
/i: Installation path
/x: Uninstall path
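MABSSetup.ini carries the SQL, reporting, and vault passphrase values in clear text. The following added example (not part of the original article) fills them in at run time, writes the file with an ACL limited to Administrators and SYSTEM, and removes it when Setup.exe exits. It assumes a template copy of the file with the password and passphrase placeholders left unfilled; the function and parameter names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Function and parameter names
# are hypothetical; the Setup.exe flags are the ones listed in the article.

function New-RestrictedFile {
    param([Parameter(Mandatory)] [string] $Path)

    New-Item -ItemType File -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)      # stop inheriting, drop inherited ACEs
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    # S-1-5-32-544 = BUILTIN\Administrators, S-1-5-18 = Local System
    foreach ($sid in 'S-1-5-32-544', 'S-1-5-18') {
        $id   = [System.Security.Principal.SecurityIdentifier]::new($sid)
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Invoke-MabsUnattendedSetup {
    param(
        [Parameter(Mandatory)] [string] $SetupExe,      # <cdlayout path>\Setup.exe
        [Parameter(Mandatory)] [string] $TemplatePath,  # MABSSetup.ini with the secret values unfilled
        [Parameter(Mandatory)] [string] $AnswerFile,    # where the filled-in .ini is written
        [Parameter(Mandatory)] [string] $LogPath
    )
    # Keys from the article's MABSSetup.ini whose values are passwords or the passphrase.
    $secretKeys = 'SQLMachinePassword', 'SqlAccountPassword',
                  'ReportingMachinePassword', 'SecurityPassphrase'

    $filled = foreach ($line in Get-Content -Path $TemplatePath) {
        $key = ($line -split '=', 2)[0].Trim()
        if ($secretKeys -contains $key) {
            $secure = Read-Host -Prompt $key -AsSecureString
            '{0}={1}' -f $key, [System.Net.NetworkCredential]::new('', $secure).Password
        } else {
            $line
        }
    }

    # Restrict the ACL before any secret is written to the file.
    New-RestrictedFile -Path $AnswerFile
    try {
        Set-Content -Path $AnswerFile -Value $filled -Encoding Default
        $setup = Start-Process -FilePath $SetupExe -Wait -PassThru `
            -ArgumentList '/i', '/f', "`"$AnswerFile`"", '/L', "`"$LogPath`""
        $setup.ExitCode
    } finally {
        # The answer file is only needed while Setup.exe runs.
        Remove-Item -Path $AnswerFile -Force -ErrorAction SilentlyContinue
    }
}

# Example run (commented out so that loading the file changes nothing):
# Invoke-MabsUnattendedSetup -SetupExe 'D:\Setup.exe' -TemplatePath 'C:\Install\MABSSetup.template.ini' `
#     -AnswerFile 'C:\Install\MABSSetup.ini' -LogPath 'C:\Install\setup.log'
```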

Next steps
After you install Backup Server, learn how to prepare your server, or begin protecting a workload.
Prepare Backup Server workloads
Use Backup Server to back up a VMware server
Use Backup Server to back up SQL Server
Add Modern Backup Storage to Backup Server
Back up a VMware server to Azure
7/24/2017 13 min to read

This article explains how to configure Azure Backup Server to help protect VMware server workloads. This article
assumes you already have Azure Backup Server installed. If you don't have Azure Backup Server installed, see
Prepare to back up workloads using Azure Backup Server.
Azure Backup Server can back up, or help protect, VMware vCenter Server versions 6.5, 6.0, and 5.5.

Create a secure connection to the vCenter Server


By default, Azure Backup Server communicates with each vCenter Server via an HTTPS channel. To turn on the
secure communication, we recommend that you install the VMware Certificate Authority (CA) certificate on Azure
Backup Server. If you don't require secure communication, and would prefer to disable the HTTPS requirement,
see Disable secure communication protocol. To create a secure connection between Azure Backup Server and the
vCenter Server, import the trusted certificate on Azure Backup Server.
Typically, you use a browser on the Azure Backup Server machine to connect to the vCenter Server via the vSphere
Web Client. The first time you use the Azure Backup Server browser to connect to the vCenter Server, the
connection isn't secure. The following image shows the unsecured connection.

To fix this issue, and create a secure connection, download the trusted root CA certificates.
1. In the browser on Azure Backup Server, enter the URL to the vSphere Web Client. The vSphere Web Client
login page appears.

At the bottom of the information for administrators and developers, locate the Download trusted root CA
certificates link.
If you don't see the vSphere Web Client login page, check your browser's proxy settings.
2. Click Download trusted root CA certificates.
The vCenter Server downloads a file to your local computer. The file is named download.
Depending on your browser, you receive a message that asks whether to open or save the file.

3. Save the file to a location on Azure Backup Server. When you save the file, add the .zip file name extension.
The file is a .zip file that contains the information about the certificates. With the .zip extension, you can use
the extraction tools.
4. Right-click download.zip, and then select Extract All to extract the contents.
The .zip file extracts its contents to a folder named certs. Two types of files appear in the certs folder. The
root certificate file has an extension that begins with a numbered sequence like .0 and .1.
The CRL file has an extension that begins with a sequence like .r0 or .r1. The CRL file is associated with a
certificate.

5. In the certs folder, right-click the root certificate file, and then click Rename.
Change the root certificate's extension to .crt. When you're asked if you're sure you want to change the
extension, click Yes or OK. Otherwise, you change the file's intended function. The icon for the file changes
to an icon that represents a root certificate.
6. Right-click the root certificate and from the pop-up menu, select Install Certificate.
The Certificate Import Wizard dialog box appears.
7. In the Certificate Import Wizard dialog box, select Local Machine as the destination for the certificate,
and then click Next to continue.

If you're asked if you want to allow changes to the computer, click Yes or OK, to all the changes.
8. On the Certificate Store page, select Place all certificates in the following store, and then click Browse
to choose the certificate store.
The Select Certificate Store dialog box appears.

9. Select Trusted Root Certification Authorities as the destination folder for the certificates, and then click
OK.

The Trusted Root Certification Authorities folder is confirmed as the certificate store. Click Next.
10. On the Completing the Certificate Import Wizard page, verify that the certificate is in the desired folder,
and then click Finish.

A dialog box appears, confirming the successful certificate import.


11. Sign in to the vCenter Server to confirm that your connection is secure.
If the certificate import is not successful, and you cannot establish a secure connection, consult the VMware
vSphere documentation on obtaining server certificates.
If you have secure boundaries within your organization, and don't want to turn on the HTTPS protocol, use
the following procedure to disable the secure communications.
Disable secure communication protocol
If your organization doesn't require the HTTPS protocol, use the following steps to disable HTTPS. To disable the
default behavior, create a registry key that ignores the default behavior.
1. Copy and paste the following text into a .txt file.

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\VMWare]
"IgnoreCertificateValidation"=dword:00000001

2. Save the file to your Azure Backup Server computer. For the file name, use DisableSecureAuthentication.reg.
3. Double-click the file to activate the registry entry.
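The certificate import and the registry override described above, as an added PowerShell example that is not part of the original article. It installs the downloaded root certificate only if its thumbprint matches a value obtained separately from the vCenter administrator, tests whether the vCenter endpoint now validates, and reports whether IgnoreCertificateValidation is set on the Backup Server. Function names and the example paths are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Function names are hypothetical;
# the registry key and value name are the ones shown in the article.

function Install-VCenterRootCertificate {
    param(
        [Parameter(Mandatory)] [string] $CertsFolder,        # the extracted "certs" folder
        [Parameter(Mandatory)] [string] $ExpectedThumbprint  # obtained separately from the vCenter administrator
    )
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # Root certificates carry a numeric extension (.0, .1, ...); CRLs use .r0, .r1, ...
    $files = Get-ChildItem -Path $CertsFolder -File -Recurse |
        Where-Object { $_.Extension -match '^\.\d+$' }

    foreach ($file in $files) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file.FullName)
        if ($cert.Thumbprint -ne $expected) { continue }
        if ($cert.Subject -ne $cert.Issuer) { throw "$($file.Name) is not a self-signed root certificate." }
        if ($cert.NotAfter -lt (Get-Date))  { throw "$($file.Name) expired on $($cert.NotAfter)." }

        # Same destination as the wizard: Local Machine > Trusted Root Certification Authorities.
        $store = [System.Security.Cryptography.X509Certificates.X509Store]::new('Root', 'LocalMachine')
        $store.Open('ReadWrite')
        try { $store.Add($cert) } finally { $store.Close() }
        return $cert
    }
    throw "No certificate in $CertsFolder matches thumbprint $expected."
}

function Test-VCenterTlsTrust {
    param(
        [Parameter(Mandatory)] [string] $Server,   # name exactly as it will be entered in Backup Server
        [int] $Port = 443
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        try {
            # The default validation checks the chain against the machine trust
            # store and the certificate name against $Server; any failure throws.
            $protocols = [System.Security.Authentication.SslProtocols]'Tls, Tls11, Tls12'
            $ssl.AuthenticateAsClient($Server, $null, $protocols, $false)
            return $true
        } catch {
            Write-Warning "TLS validation failed for ${Server}: $($_.Exception.Message)"
            return $false
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $tcp.Dispose()
    }
}

function Get-VMwareCertValidationOverride {
    $key = 'HKLM:\SOFTWARE\Microsoft\Microsoft Data Protection Manager\VMWare'
    $value = (Get-ItemProperty -Path $key -Name IgnoreCertificateValidation `
        -ErrorAction SilentlyContinue).IgnoreCertificateValidation
    [pscustomobject]@{
        RegistryKey                 = $key
        IgnoreCertificateValidation = $value          # $null when the value is absent
        OverrideActive              = ($value -eq 1)
    }
}

# Example run (commented out so that loading the file changes nothing):
# Install-VCenterRootCertificate -CertsFolder 'C:\Temp\download\certs' -ExpectedThumbprint '<thumbprint>'
# Test-VCenterTlsTrust -Server 'vcenter.contoso.example'
# Get-VMwareCertValidationOverride
```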

Create a role and user account on the vCenter Server


On the vCenter Server, a role is a predefined set of privileges. A vCenter Server administrator creates the roles. To
assign permissions, the administrator pairs user accounts with a role. To establish the necessary user credentials
to back up the vCenter Server computer, create a role with specific privileges, and then associate the user account
with the role.
Azure Backup Server uses a username and password to authenticate with the vCenter Server. Azure Backup Server
uses these credentials as authentication for all backup operations.
To add a vCenter Server role and its privileges for a backup administrator:
1. Sign in to the vCenter Server, and then in the vCenter Server Navigator panel, click Administration.

2. In Administration select Roles, and then in the Roles panel click the add role icon (the + symbol).
The Create Role dialog box appears.

3. In the Create Role dialog box, in the Role name box, enter BackupAdminRole. The role name can be
whatever you like, but it should be recognizable for the role's purpose.
4. Select the privileges for the appropriate version of vCenter, and then click OK. The following table identifies
the required privileges for vCenter 6.0 and vCenter 5.5.
When you select the privileges, click the icon next to the parent label to expand the parent and view the
child privileges. To select the VirtualMachine privileges, you need to go several levels into the parent child
hierarchy. You don't need to select all child privileges within a parent privilege.

After you click OK, the new role appears in the list on the Roles panel.

PRIVILEGES FOR VCENTER 6.0 | PRIVILEGES FOR VCENTER 5.5
Datastore.AllocateSpace | Datastore.AllocateSpace
Global.ManageCustomFields | Global.ManageCustomerFields
Global.SetCustomFields |
Host.Local.CreateVM | Network.Assign
Network.Assign |
Resource.AssignVMToPool |
VirtualMachine.Config.AddNewDisk | VirtualMachine.Config.AddNewDisk
VirtualMachine.Config.AdvanceConfig | VirtualMachine.Config.AdvancedConfig
VirtualMachine.Config.ChangeTracking | VirtualMachine.Config.ChangeTracking
VirtualMachine.Config.HostUSBDevice |
VirtualMachine.Config.QueryUnownedFiles |
VirtualMachine.Config.SwapPlacement | VirtualMachine.Config.SwapPlacement
VirtualMachine.Interact.PowerOff | VirtualMachine.Interact.PowerOff
VirtualMachine.Inventory.Create | VirtualMachine.Inventory.Create
VirtualMachine.Provisioning.DiskRandomAccess |
VirtualMachine.Provisioning.DiskRandomRead | VirtualMachine.Provisioning.DiskRandomRead
VirtualMachine.State.CreateSnapshot | VirtualMachine.State.CreateSnapshot
VirtualMachine.State.RemoveSnapshot | VirtualMachine.State.RemoveSnapshot

Create a vCenter Server user account and permissions


After the role with privileges is set up, create a user account. The user account has a name and password, which
provides the credentials that are used for authentication.
1. To create a user account, in the vCenter Server Navigator panel, click Users and Groups.

The vCenter Users and Groups panel appears.


2. In the vCenter Users and Groups panel, select the Users tab, and then click the add users icon (the +
symbol).
The New User dialog box appears.
3. In the New User dialog box, add the user's information and then click OK. In this procedure, the username
is BackupAdmin.

The new user account appears in the list.


4. To associate the user account with the role, in the Navigator panel, click Global Permissions. In the
Global Permissions panel, select the Manage tab, and then click the add icon (the + symbol).

The Global Permissions Root - Add Permission dialog box appears.


5. In the Global Permission Root - Add Permission dialog box, click Add to choose the user or group.
The Select Users/Groups dialog box appears.
6. In the Select Users/Groups dialog box, choose BackupAdmin and then click Add.
In Users, the domain\username format is used for the user account. If you want to use a different domain,
choose it from the Domain list.

Click OK to add the selected users to the Add Permission dialog box.
7. Now that you've identified the user, assign the user to the role. In Assigned Role, from the drop-down list,
select BackupAdminRole, and then click OK.
On the Manage tab in the Global Permissions panel, the new user account and the associated role appear
in the list.

Establish vCenter Server credentials on Azure Backup Server


Before you add the VMware server to Azure Backup Server, install Update 1 for Azure Backup Server.
1. To open Azure Backup Server, double-click the icon on the Azure Backup Server desktop.

If you can't find the icon on the desktop, open Azure Backup Server from the list of installed apps. The Azure
Backup Server app is called Microsoft Azure Backup.
2. In the Azure Backup Server console, click Management, click Production Servers, and then on the tool
ribbon, click Manage VMware.
The Manage Credentials dialog box appears.

3. In the Manage Credentials dialog box, click Add to open the Add Credential dialog box.
4. In the Add Credential dialog box, enter a name and a description for the new credential. Then specify the
username and password. The name Contoso Vcenter credential is used to identify the credential in the next
procedure. Use the same username and password that is used for the vCenter Server. If the vCenter Server
and Azure Backup Server are not in the same domain, in User name, specify the domain.

Click Add to add the new credential to Azure Backup Server. The new credential appears in the list in the
Manage Credentials dialog box.
5. To close the Manage Credentials dialog box, click the X in the upper-right corner.

Add the vCenter Server to Azure Backup Server


Use the Production Server Addition Wizard to add the vCenter Server to Azure Backup Server.
To open Production Server Addition Wizard, complete the following procedure:
1. In the Azure Backup Server console, click Management, click Production Servers, and then click Add.

The Production Server Addition Wizard dialog box appears.


2. On the Select Production Server type page, select VMware Servers, and then click Next.
3. In Server Name/IP Address, specify the fully qualified domain name (FQDN) or IP address of the VMware
server. If all the ESXi servers are managed by the same vCenter, you can use the vCenter name.

4. In SSL Port, enter the port that is used to communicate with the VMware server. Use port 443, which is the
default port, unless you know that a different port is required.
5. In Specify Credential, select the credential that you created earlier.
6. Click Add to add the VMware server to the list of Added VMware Servers, and then click Next to move to
the next page in the wizard.

7. In the Summary page, click Add to add the specified VMware server to Azure Backup Server.

The VMware server backup is an agentless backup, and the new server is added immediately. The Finish
page shows you the results.
To add multiple instances of vCenter Server to Azure Backup Server, repeat the previous steps in this
section.
After you add the vCenter Server to Azure Backup Server, the next step is to create a protection group. The
protection group specifies the various details for short or long-term retention, and it is where you define and
apply the backup policy. The backup policy is the schedule for when backups occur, and what is backed up.

Configure a protection group


If you have not used System Center Data Protection Manager or Azure Backup Server before, see Plan for disk
backups to prepare your hardware environment. After you check that you have proper storage, use the Create
New Protection Group wizard to add VMware virtual machines.
1. In the Azure Backup Server console, click Protection, and in the tool ribbon, click New to open the Create
New Protection Group wizard.
The Create New Protection Group wizard dialog box appears.

Click Next to advance to the Select protection group type page.


2. On the Select Protection group type page, select Servers and then click Next. The Select group
members page appears.
3. On the Select group members page, the available members and the selected members appear. Select the
members that you want to protect, and then click Next.
When you select a member, if you select a folder that contains other folders or VMs, those folders and VMs
are also selected. The inclusion of the folders and VMs in the parent folder is called folder-level protection.
To remove a folder or VM, clear the check box.
If a VM, or a folder containing a VM, is already protected to Azure, you cannot select that VM again. That is,
after a VM is protected to Azure, it cannot be protected again, which prevents duplicate recovery points
from being created for one VM. If you want to see which Azure Backup Server instance already protects a
member, point to the member to see the name of the protecting server.
4. On the Select Data Protection Method page, enter a name for the protection group. Short-term
protection (to disk) and online protection are selected. If you want to use online protection (to Azure), you
must use short-term protection to disk. Click Next to proceed to the short-term protection range.
5. On the Specify Short-Term Goals page, for Retention Range, specify the number of days that you want
to retain recovery points that are stored to disk. If you want to change the time and days when recovery
points are taken, click Modify. The short-term recovery points are full backups. They are not incremental
backups. When you are satisfied with the short-term goals, click Next.

6. On the Review Disk Allocation page, review and if necessary, modify the disk space for the VMs. The
recommended disk allocations are based on the retention range that is specified in the Specify Short-
Term Goals page, the type of workload, and the size of the protected data (identified in step 3).
Data size: Size of the data in the protection group.
Disk space: The recommended amount of disk space for the protection group. If you want to modify
this setting, allocate total space that is slightly larger than the amount to which you estimate each
data source will grow.
Colocate data: If you turn on colocation, multiple data sources in the protection group can map to a single
replica and recovery point volume. Colocation isn't supported for all workloads.
Automatically grow: If you turn on this setting and data in the protected group outgrows the initial
allocation, System Center Data Protection Manager tries to increase the disk size by 25 percent.
Storage pool details: Shows the status of the storage pool, including total and remaining disk size.
When you are satisfied with the space allocation, click Next.
7. On the Choose Replica Creation Method page, specify how you want to generate the initial copy, or
replica, of the protected data on Azure Backup Server.
The default is Automatically over the network and Now. If you use the default, we recommend that you
specify an off-peak time. Choose Later and specify a day and time.
For large amounts of data or less-than-optimal network conditions, consider replicating the data offline by
using removable media.
After you have made your choices, click Next.

8. On the Consistency Check Options page, select how and when to automate the consistency checks. You
can run consistency checks when replica data becomes inconsistent, or on a set schedule.
If you don't want to configure automatic consistency checks, you can run a manual check. In the protection
area of the Azure Backup Server console, right-click the protection group and then select Perform
Consistency Check.
Click Next to move to the next page.
9. On the Specify Online Protection Data page, select one or more data sources that you want to protect.
You can select the members individually, or click Select All to choose all members. After you choose the
members, click Next.
10. On the Specify Online Backup Schedule page, specify the schedule to generate recovery points from the
disk backup. After the recovery point is generated, it is transferred to the Recovery Services vault in Azure.
When you are satisfied with the online backup schedule, click Next.

11. On the Specify Online Retention Policy page, indicate how long you want to retain the backup data in
Azure. After the policy is defined, click Next.

There is no time limit for how long you can keep data in Azure. When you store recovery point data in
Azure, the only limit is that you cannot have more than 9999 recovery points per protected instance. In this
example, the protected instance is the VMware server.
12. On the Summary page, review the details for your protection group members and settings, and then click
Create Group.

Next steps
If you use Azure Backup Server to protect VMware workloads, you may be interested in using Azure Backup Server
to help protect a Microsoft Exchange server, a Microsoft SharePoint farm, or a SQL Server database.
For information on problems with registering the agent, configuring the protection group, or backing up jobs, see
Troubleshoot Azure Backup Server.
Back up an Exchange server to Azure Backup with
Azure Backup Server
6/27/2017 3 min to read

This article describes how to configure Microsoft Azure Backup Server (MABS) to back up a Microsoft Exchange
server to Azure.

Prerequisites
Before you continue, make sure that Azure Backup Server is installed and prepared.

MABS protection agent


To install the MABS protection agent on the Exchange server, follow these steps:
1. Make sure that the firewalls are correctly configured. See Configure firewall exceptions for the agent.
2. Install the agent on the Exchange server by clicking Management > Agents > Install in MABS Administrator
Console. See Install the MABS protection agent for detailed steps.

Create a protection group for the Exchange server


1. In the MABS Administrator Console, click Protection, and then click New on the tool ribbon to open the Create
New Protection Group wizard.
2. On the Welcome screen of the wizard click Next.
3. On the Select protection group type screen, select Servers and click Next.
4. Select the Exchange server database that you want to protect and click Next.

NOTE
If you are protecting Exchange 2013, check the Exchange 2013 prerequisites.

In the following example, the Exchange 2010 database is selected.


5. Select the data protection method.
Name the protection group, and then select both of the following options:
I want short-term protection using Disk.
I want online protection.
6. Click Next.
7. Select the Run Eseutil to check data integrity option if you want to check the integrity of the Exchange
Server databases.
After you select this option, backup consistency checking will be run on MABS to avoid the I/O traffic that's
generated by running the eseutil command on the Exchange server.
NOTE
To use this option, you must copy the Ese.dll and Eseutil.exe files to the C:\Program Files\Microsoft Azure
Backup\DPM\DPM\bin directory on the MAB server. Otherwise, the following error is triggered:

8. Click Next.
9. Select the database for Copy Backup, and then click Next.

NOTE
If you do not select Full backup for at least one DAG copy of a database, logs will not be truncated.

10. Configure the goals for Short-Term backup, and then click Next.
11. Review the available disk space, and then click Next.
12. Select the time at which the MAB Server will create the initial replication, and then click Next.
13. Select the consistency check options, and then click Next.
14. Choose the database that you want to back up to Azure, and then click Next. For example:
15. Define the schedule for Azure Backup, and then click Next. For example:
NOTE
Online recovery points are based on express full recovery points. Therefore, you must schedule the online
recovery point after the time that's specified for the express full recovery point.

16. Configure the retention policy for Azure Backup, and then click Next.
17. Choose an online replication option and click Next.
If you have a large database, it could take a long time for the initial backup to be created over the network.
To avoid this issue, you can create an offline backup.

18. Confirm the settings, and then click Create Group.


19. Click Close.

Recover the Exchange database


1. To recover an Exchange database, click Recovery in the MABS Administrator Console.
2. Locate the Exchange database that you want to recover.
3. Select an online recovery point from the recovery time drop-down list.
4. Click Recover to start the Recovery Wizard.
For online recovery points, there are five recovery types:
Recover to original Exchange Server location: The data will be recovered to the original Exchange server.
Recover to another database on an Exchange Server: The data will be recovered to another database on
another Exchange server.
Recover to a Recovery Database: The data will be recovered to an Exchange Recovery Database (RDB).
Copy to a network folder: The data will be recovered to a network folder.
Copy to tape: If you have a tape library or a stand-alone tape drive attached and configured on MABS, the
recovery point will be copied to a free tape.

Next steps
Azure Backup FAQ
Back up a SharePoint farm to Azure
6/27/2017 9 min to read

You back up a SharePoint farm to Microsoft Azure by using Microsoft Azure Backup Server (MABS) in much the
same way that you back up other data sources. Azure Backup provides flexibility in the backup schedule to create
daily, weekly, monthly, or yearly backup points and gives you retention policy options for various backup points. It
also provides the capability to store local disk copies for quick recovery-time objectives (RTO) and to store copies to
Azure for economical, long-term retention.

SharePoint supported versions and related protection scenarios


Azure Backup for DPM supports the following scenarios:

| WORKLOAD | VERSION | SHAREPOINT DEPLOYMENT | PROTECTION AND RECOVERY |
|---|---|---|---|
| SharePoint | SharePoint 2013, SharePoint 2010, SharePoint 2007, SharePoint 3.0 | SharePoint deployed as a physical server or Hyper-V/VMware virtual machine; SQL AlwaysOn | Protect SharePoint Farm recovery options: Recovery farm, database, and file or list item from disk recovery points. Farm and database recovery from Azure recovery points. |

Before you start


There are a few things you need to confirm before you back up a SharePoint farm to Azure.
Prerequisites
Before you proceed, make sure that you have installed and prepared the Azure Backup Server to protect workloads.
Protection agent
The Protection agent must be installed on the server that's running SharePoint, the servers that are running SQL
Server, and all other servers that are part of the SharePoint farm. For more information about how to set up the
protection agent, see Setup Protection Agent. The one exception is that you install the agent only on a single web
front end (WFE) server. DPM needs the agent on one WFE server only to serve as the entry point for protection.
SharePoint farm
For every 10 million items in the farm, there must be at least 2 GB of space on the volume where the MABS folder
is located. This space is required for catalog generation. For MABS to recover specific items (site collections, sites,
lists, document libraries, folders, individual documents, and list items), catalog generation creates a list of the URLs
that are contained within each content database. You can view the list of URLs in the recoverable item pane in the
Recovery task area of MABS Administrator Console.
SQL Server
MABS runs as a LocalSystem account. To back up SQL Server databases, MABS needs sysadmin privileges on that
account for the server that's running SQL Server. Set NT AUTHORITY\SYSTEM to sysadmin on the server that's
running SQL Server before you back it up.
If the SharePoint farm has SQL Server databases that are configured with SQL Server aliases, install the SQL Server
client components on the front-end Web server that MABS will protect.
SharePoint Server
Performance depends on many factors, such as the size of the SharePoint farm. As general guidance, one MABS can
protect a 25 TB SharePoint farm.
What's not supported
MABS that protects a SharePoint farm does not protect search indexes or application service databases. You will
need to configure the protection of these databases separately.
MABS does not provide backup of SharePoint SQL Server databases that are hosted on scale-out file server
(SOFS) shares.

Configure SharePoint protection


Before you can use MABS to protect SharePoint, you must configure the SharePoint VSS Writer service (WSS
Writer service) by using ConfigureSharePoint.exe.
You can find ConfigureSharePoint.exe in the [MABS Installation Path]\bin folder on the front-end web server.
This tool provides the protection agent with the credentials for the SharePoint farm. You run it on a single WFE
server. If you have multiple WFE servers, select just one when you configure a protection group.
To configure the SharePoint VSS Writer service
1. On the WFE server, at a command prompt, go to [MABS installation location]\bin\
2. Enter ConfigureSharePoint -EnableSharePointProtection.
3. Enter the farm administrator credentials. This account should be a member of the local Administrator group on
the WFE server. If the farm administrator isn't a local admin, grant the following permissions on the WFE server:
Grant the WSS_Admin_WPG group full control to the DPM folder (%Program Files%\Microsoft Azure
Backup\DPM).
Grant the WSS_Admin_WPG group read access to the DPM Registry key
(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager).

NOTE
You'll need to rerun ConfigureSharePoint.exe whenever there's a change in the SharePoint farm administrator credentials.
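The two grants from step 3, scripted for the case where the farm administrator is not a local admin. This is an added example, not part of the original article; it assumes MABS is installed under the default Program Files location (adjust $dpmFolder otherwise) and that it runs in an elevated PowerShell session on the WFE server.

```powershell
#Requires -RunAsAdministrator
# Added example: grant WSS_Admin_WPG the two permissions listed in step 3,
# then read the ACLs back to confirm what was applied.
# The folder and registry key are the ones named in the article;
# the default install location is an assumption.
$group     = 'WSS_Admin_WPG'
$dpmFolder = Join-Path $env:ProgramFiles 'Microsoft Azure Backup\DPM'
$dpmRegKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft Data Protection Manager'

foreach ($path in $dpmFolder, $dpmRegKey) {
    if (-not (Test-Path -LiteralPath $path)) { throw "Not found: $path" }
}

# 1. Full control on the DPM folder, inherited by subfolders and files.
$folderAcl  = Get-Acl -LiteralPath $dpmFolder
$folderRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $group, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$folderAcl.AddAccessRule($folderRule)
Set-Acl -LiteralPath $dpmFolder -AclObject $folderAcl

# 2. Read access (not write) on the DPM registry key, inherited by subkeys.
$keyAcl  = Get-Acl -LiteralPath $dpmRegKey
$keyRule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList $group, 'ReadKey', 'ContainerInherit', 'None', 'Allow'
$keyAcl.AddAccessRule($keyRule)
Set-Acl -LiteralPath $dpmRegKey -AclObject $keyAcl

# 3. Read both ACLs back and list every entry that names the group, so the
#    result can be reviewed (and any broader pre-existing grant spotted).
foreach ($path in $dpmFolder, $dpmRegKey) {
    (Get-Acl -LiteralPath $path).Access |
        Where-Object { $_.IdentityReference -like "*\$group" } |
        Select-Object -Property @{ n = 'Path'; e = { $path } },
            IdentityReference, AccessControlType, IsInherited,
            @{ n = 'Rights'; e = {
                if ($_.FileSystemRights) { $_.FileSystemRights } else { $_.RegistryRights }
            } }
}
```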

Back up a SharePoint farm by using MABS


After you have configured MABS and the SharePoint farm as explained previously, SharePoint can be protected by
MABS.
To protect a SharePoint farm
1. From the Protection tab of the MABS Administrator Console, click New.
2. On the Select Protection Group Type page of the Create New Protection Group wizard, select Servers,
and then click Next.

3. On the Select Group Members screen, select the check box for the SharePoint server you want to protect
and click Next.
NOTE
With the protection agent installed, you can see the server in the wizard. MABS also shows its structure. Because you
ran ConfigureSharePoint.exe, MABS communicates with the SharePoint VSS Writer service and its corresponding SQL
Server databases and recognizes the SharePoint farm structure, the associated content databases, and any
corresponding items.

4. On the Select Data Protection Method page, enter the name of the Protection Group, and select your
preferred protection methods. Click Next.
NOTE
The disk protection method helps to meet short recovery-time objectives.

5. On the Specify Short-Term Goals page, select your preferred Retention range and identify when you
want backups to occur.

NOTE
Because recovery is most often required for data that's less than five days old, we selected a retention range of five
days on disk and ensured that the backup happens during non-production hours, for this example.

6. Review the storage pool disk space allocated for the protection group, and then click Next.
7. For every protection group, MABS allocates disk space to store and manage replicas. At this point, MABS
must create a copy of the selected data. Select how and when you want the replica created, and then click
Next.
NOTE
To make sure that network traffic is not affected, select a time outside production hours.

8. MABS ensures data integrity by performing consistency checks on the replica. There are two available
options. You can define a schedule to run consistency checks, or DPM can run consistency checks
automatically on the replica whenever it becomes inconsistent. Select your preferred option, and then click
Next.
9. On the Specify Online Protection Data page, select the SharePoint farm that you want to protect, and
then click Next.
10. On the Specify Online Backup Schedule page, select your preferred schedule, and then click Next.

NOTE
MABS provides a maximum of two daily backups to Azure from the then available latest disk backup point. Azure
Backup can also control the amount of WAN bandwidth that can be used for backups in peak and off-peak hours by
using Azure Backup Network Throttling.

11. Depending on the backup schedule that you selected, on the Specify Online Retention Policy page, select
the retention policy for daily, weekly, monthly, and yearly backup points.
NOTE
MABS uses a grandfather-father-son retention scheme in which a different retention policy can be chosen for
different backup points.

12. Similar to disk, an initial reference point replica needs to be created in Azure. Select your preferred option to
create an initial backup copy to Azure, and then click Next.
13. Review your selected settings on the Summary page, and then click Create Group. You will see a success
message after the protection group has been created.
Restore a SharePoint item from disk by using MABS
In the following example, the Recovering SharePoint item has been accidentally deleted and needs to be recovered.

1. Open the DPM Administrator Console. All SharePoint farms that are protected by DPM are shown in the
Protection tab.
2. To begin to recover the item, select the Recovery tab.

3. You can search SharePoint for Recovering SharePoint item by using a wildcard-based search within a
recovery point range.
4. Select the appropriate recovery point from the search results, right-click the item, and then select Recover.
5. You can also browse through various recovery points and select a database or item to recover. Select Date >
Recovery time, and then select the correct Database > SharePoint farm > Recovery point > Item.

6. Right-click the item, and then select Recover to open the Recovery Wizard. Click Next.
7. Select the type of recovery that you want to perform, and then click Next.
NOTE
The selection of Recover to original in the example recovers the item to the original SharePoint site.

8. Select the Recovery Process that you want to use.


Select Recover without using a recovery farm if the SharePoint farm has not changed and is the same
as the recovery point that is being restored.
Select Recover using a recovery farm if the SharePoint farm has changed since the recovery point
was created.

9. Provide a staging SQL Server instance location to recover the database temporarily, and provide a staging
file share on MABS and the server that's running SharePoint to recover the item.
MABS attaches the content database that is hosting the SharePoint item to the temporary SQL Server
instance. From the content database, it recovers the item and puts it on the staging file location on MABS.
The recovered item that's on the staging location now needs to be exported to the staging location on the
SharePoint farm.
10. Select Specify recovery options, and apply security settings to the SharePoint farm or apply the security
settings of the recovery point. Click Next.
NOTE
You can choose to throttle the network bandwidth usage. This minimizes impact to the production server during
production hours.

11. Review the summary information, and then click Recover to begin recovery of the file.
12. Now select the Monitoring tab in the MABS Administrator Console to view the Status of the recovery.

NOTE
The file is now restored. You can refresh the SharePoint site to check the restored file.
Restore a SharePoint database from Azure by using DPM
1. To recover a SharePoint content database, browse through various recovery points (as shown previously),
and select the recovery point that you want to restore.

2. Double-click the SharePoint recovery point to show the available SharePoint catalog information.

NOTE
Because the SharePoint farm is protected for long-term retention in Azure, no catalog information (metadata) is
available on MABS. As a result, whenever a point-in-time SharePoint content database needs to be recovered, you
need to catalog the SharePoint farm again.

3. Click Re-catalog.

The Cloud Recatalog status window opens.


After cataloging is finished, the status changes to Success. Click Close.

4. Click the SharePoint object shown in the MABS Recovery tab to get the content database structure. Right-
click the item, and then click Recover.
5. At this point, follow the recovery steps earlier in this article to recover a SharePoint content database from disk.

FAQs
Q: Can I recover a SharePoint item to the original location if SharePoint is configured by using SQL AlwaysOn (with
protection on disk)?
A: Yes, the item can be recovered to the original SharePoint site.
Q: Can I recover a SharePoint database to the original location if SharePoint is configured by using SQL AlwaysOn?
A: Because SharePoint databases are configured in SQL AlwaysOn, they cannot be modified unless the availability
group is removed. As a result, MABS cannot restore a database to the original location. You can recover a SQL
Server database to another SQL Server instance.

Next steps
Learn more about MABS Protection of SharePoint - see Video Series - DPM Protection of SharePoint
Back up SQL Server to Azure With Azure Backup
Server
6/27/2017 6 min to read

This article leads you through the configuration steps for backup of SQL Server databases using Microsoft Azure
Backup Server (MABS).
The management of SQL Server database backup to Azure and recovery from Azure involves three steps:
1. Create a backup policy to protect SQL Server databases to Azure.
2. Create on-demand backup copies to Azure.
3. Recover the database from Azure.

Before you start


Before you begin, ensure that you have installed and prepared the Azure Backup Server.

Create a backup policy to protect SQL Server databases to Azure


1. On the Azure Backup Server UI, click the Protection workspace.
2. On the tool ribbon, click New to create a new protection group.

3. MABS shows the start screen with the guidance on creating a Protection Group. Click Next.
4. Select Servers.
5. Expand the SQL Server machine where the databases to be backed up are present. MABS shows various
data sources that can be backed up from that server. Expand the All SQL Shares and select the databases
(in this case we selected ReportServer$MSDPM2012 and ReportServer$MSDPM2012TempDB) to be
backed up. Click Next.

6. Provide a name for the protection group and select the I want online Protection checkbox.
7. In the Specify Short-Term Goals screen, include the necessary inputs to create backup points to disk.
In this example, Retention range is set to 5 days and Synchronization frequency is set to once every 15
minutes, which is the frequency at which backups are taken. Express Full Backup is set to 8:00 P.M.
NOTE
At 8:00 PM (according to the screen input) a backup point is created every day by transferring the data that has
been modified from the previous day's 8:00 PM backup point. This process is called Express Full Backup. While the
transaction logs are synchronized every 15 minutes, if there is a need to recover the database at 9:00 PM then the
point is created by replaying the logs from the last express full backup point (8:00 PM in this case).

8. Click Next.
MABS shows the overall storage space available and the potential disk space utilization.
By default, MABS creates one volume per data source (SQL Server database) which is used for the initial
backup copy. Using this approach, the Logical Disk Manager (LDM) limits MABS protection to 300 data
sources (SQL Server databases). To work around this limitation, select the Co-locate data in DPM Storage
Pool option. If you use this option, MABS uses a single volume for multiple data sources, which allows
MABS to protect up to 2000 SQL databases.
If Automatically grow the volumes option is selected, MABS can account for the increased backup
volume as the production data grows. If Automatically grow the volumes option is not selected, MABS
limits the backup storage used to the data sources in the protection group.
9. Administrators are given the choice of transferring this initial backup manually (off network) to avoid
bandwidth congestion or over the network. They can also configure the time at which the initial transfer can
happen. Click Next.

The initial backup copy requires transfer of the entire data source (SQL Server database) from production
server (SQL Server machine) to MABS. This data might be large, and transferring the data over the network
could exceed bandwidth. For this reason, administrators can choose to transfer the initial backup: Manually
(using removable media) to avoid bandwidth congestion, or Automatically over the network (at a
specified time).
Once the initial backup is complete, the rest of the backups are incremental backups on the initial backup
copy. Incremental backups tend to be small and are easily transferred across the network.
10. Choose when you want the consistency check to run and click Next.

MABS can perform a consistency check to check the integrity of the backup point. It calculates the checksum
of the backup file on the production server (SQL Server machine in this scenario) and the backed-up data
for that file at MABS. In the case of a conflict, it is assumed that the backed-up file at MABS is corrupt. MABS
rectifies the backed-up data by sending the blocks corresponding to the checksum mismatch. As the
consistency check is a performance-intensive operation, administrators have the option of scheduling the
consistency check or running it automatically.
11. To specify online protection of the data sources, select the databases to be protected to Azure and click
Next.

12. Administrators can choose backup schedules and retention policies that suit their organization policies.
In this example, backups are taken once a day at 12:00 PM and 8 PM (bottom part of the screen).

NOTE
It's a good practice to have a few short-term recovery points on disk, for quick recovery. These recovery points are
used for "operational recovery". Azure serves as a good offsite location with higher SLAs and guaranteed availability.

Best Practice: Make sure that Azure Backups are scheduled after the completion of local disk backups
using DPM. This enables the latest disk backup to be copied to Azure.
13. Choose the retention policy schedule. The details on how the retention policy works are provided in the
article Use Azure Backup to replace your tape infrastructure.
In this example:
Backups are taken once a day at 12:00 PM and 8 PM (bottom part of the screen) and are retained for 180
days.
The backup on Saturday at 12:00 P.M. is retained for 104 weeks.
The backup on Last Saturday at 12:00 P.M. is retained for 60 months.
The backup on Last Saturday of March at 12:00 P.M. is retained for 10 years.
14. Click Next and select the appropriate option for transferring the initial backup copy to Azure. You can
choose Automatically over the network or Offline Backup.
Automatically over the network transfers the backup data to Azure as per the schedule chosen for
backup.
How Offline Backup works is explained at Offline Backup workflow in Azure Backup.
Choose the relevant transfer mechanism to send the initial backup copy to Azure and click Next.
15. Once you review the policy details in the Summary screen, click on the Create group button to complete
the workflow. You can click the Close button and monitor the job progress in Monitoring workspace.
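The retention policy from step 13, worked through for individual recovery points. This is an added example, not part of the original article; the function name and sample dates are constructed, and treating the longest matching tier as the effective retention is an assumption.

```powershell
# Added example: which retention tier keeps a recovery point, and until when.
# Retention values are the ones listed in step 13. Letting the longest
# matching tier win is an assumption of this sketch.
function Get-RetentionExpiry {
    param([Parameter(Mandatory = $true)][datetime]$BackupTime)

    # In the example policy only the 12:00 PM backup feeds the weekly,
    # monthly and yearly tiers; the 8 PM backup is kept as a daily point only.
    $isNoon     = $BackupTime.Hour -eq 12
    $isSaturday = $BackupTime.DayOfWeek -eq [System.DayOfWeek]::Saturday
    # A Saturday is the last one of its month when the following Saturday
    # falls in a different month.
    $isLastSat  = $isSaturday -and ($BackupTime.AddDays(7).Month -ne $BackupTime.Month)
    $isMarch    = $BackupTime.Month -eq 3

    $tiers = @(
        [pscustomobject]@{ Tier = 'Daily';   Applies = $true
                           Expires = $BackupTime.AddDays(180) }
        [pscustomobject]@{ Tier = 'Weekly';  Applies = ($isNoon -and $isSaturday)
                           Expires = $BackupTime.AddDays(104 * 7) }
        [pscustomobject]@{ Tier = 'Monthly'; Applies = ($isNoon -and $isLastSat)
                           Expires = $BackupTime.AddMonths(60) }
        [pscustomobject]@{ Tier = 'Yearly';  Applies = ($isNoon -and $isLastSat -and $isMarch)
                           Expires = $BackupTime.AddYears(10) }
    )

    $tiers | Where-Object { $_.Applies } |
        Sort-Object -Property Expires -Descending |
        Select-Object -First 1 -Property @{ n = 'BackupTime'; e = { $BackupTime } }, Tier, Expires
}

# Constructed sample dates (2017): 17 Mar is a Friday, 18 Mar a Saturday,
# 25 Mar the last Saturday of March, 29 Apr the last Saturday of April.
'2017-03-17 12:00', '2017-03-18 12:00', '2017-03-25 20:00',
'2017-04-29 12:00', '2017-03-25 12:00' |
    ForEach-Object { Get-RetentionExpiry -BackupTime ([datetime]$_) } |
    Format-Table -AutoSize

# Upper bound on recovery points held at steady state, to compare with the
# limit of 9999 recovery points per protected instance stated on this page.
# Points that match more than one tier are counted once per tier here.
$upperBound = (2 * 180) + 104 + 60 + 10
'{0} of 9999 recovery points (upper bound)' -f $upperBound
```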
On-demand backup of a SQL Server database
While the previous steps created a backup policy, a recovery point is created only when the first backup occurs.
Rather than waiting for the scheduler to kick in, the steps below trigger the creation of a recovery point manually.
1. Wait until the protection group status shows OK for the database before creating the recovery point.

2. Right-click on the database and select Create Recovery Point.


3. Choose Online Protection in the drop-down menu and click OK. This starts the creation of a recovery
point in Azure.

4. You can view the job progress in the Monitoring workspace where you'll find an in progress job like the
one depicted in the next figure.

Recover a SQL Server database from Azure


The following steps are required to recover a protected entity (SQL Server database) from Azure.
1. Open the DPM server Management Console. Navigate to Recovery workspace where you can see the
servers backed up by DPM. Browse the required database (in this case ReportServer$MSDPM2012). Select
a Recovery from time which ends with Online.

2. Right-click the database name and click Recover.

3. DPM shows the details of the recovery point. Click Next. To overwrite the database, select the recovery type
Recover to original instance of SQL Server. Click Next.
In this example, DPM allows recovery of the database to another SQL Server instance or to a standalone
network folder.
4. In the Specify Recovery options screen, you can select the recovery options like Network bandwidth usage
throttling to throttle the bandwidth used by recovery. Click Next.
5. In the Summary screen, you see all the recovery configurations provided so far. Click Recover.
The Recovery status shows the database being recovered. You can click Close to close the wizard and view
the progress in the Monitoring workspace.

Once the recovery is completed, the restored database is application consistent.


Next steps
Azure Backup FAQ
Back up system state and restore to bare metal with
Azure Backup Server
6/27/2017 15 min to read

Azure Backup Server backs up system state and provides bare-metal recovery (BMR) protection.
System state backup: Backs up operating system files, so you can recover when a computer starts, but system
files and the registry are lost. A system state backup includes:
Domain member: Boot files, COM+ class registration database, registry
Domain controller: Windows Server Active Directory (NTDS), boot files, COM+ class registration database,
registry, system volume (SYSVOL)
Computer that runs cluster services: Cluster server metadata
Computer that runs certificate services: Certificate data
Bare-metal backup: Backs up operating system files and all data on critical volumes (except user data). By
definition, a BMR backup includes a system state backup. It provides protection when a computer won't start and
you have to recover everything.
The following table summarizes what you can back up and recover. For detailed information about app versions
that can be protected with system state and BMR, see What does Azure Backup Server back up?.

| BACKUP | ISSUE | RECOVER FROM AZURE BACKUP SERVER BACKUP | RECOVER FROM SYSTEM STATE BACKUP | BMR |
|---|---|---|---|---|
| File data: Regular data backup; BMR/system state backup | Lost file data | Y | N | N |
| File data: Azure Backup Server backup of file data; BMR/system state backup | Lost or damaged operating system | N | Y | Y |
| File data: Azure Backup Server backup of file data; BMR/system state backup | Lost server (data volumes intact) | N | N | Y |
| File data: Azure Backup Server backup of file data; BMR/system state backup | Lost server (data volumes lost) | Y | No | Yes (BMR, followed by regular recovery of backed-up file data) |
| SharePoint data: Azure Backup Server backup of farm data; BMR/system state backup | Lost site, lists, list items, documents | Y | N | N |
| SharePoint data: Azure Backup Server backup of farm data; BMR/system state backup | Lost or damaged operating system | N | Y | Y |
| SharePoint data: Azure Backup Server backup of farm data; BMR/system state backup | Disaster recovery | N | N | N |
| Windows Server 2012 R2 Hyper-V: Azure Backup Server backup of Hyper-V host or guest; BMR/system state backup of host | Lost VM | Y | N | N |
| Hyper-V: Azure Backup Server backup of Hyper-V host or guest; BMR/system state backup of host | Lost or damaged operating system | N | Y | Y |
| Hyper-V: Azure Backup Server backup of Hyper-V host or guest; BMR/system state backup of host | Lost Hyper-V host (VMs intact) | N | N | Y |
| Hyper-V: Azure Backup Server backup of Hyper-V host or guest; BMR/system state backup of host | Lost Hyper-V host (VMs lost) | N | N | Y; BMR, followed by regular Azure Backup Server recovery |
| SQL Server/Exchange: Azure Backup Server app backup; BMR/system state backup | Lost app data | Y | N | N |
| SQL Server/Exchange: Azure Backup Server app backup; BMR/system state backup | Lost or damaged operating system | N | Y | Y |
| SQL Server/Exchange: Azure Backup Server app backup; BMR/system state backup | Lost server (database/transaction logs intact) | N | N | Y |
| SQL Server/Exchange: Azure Backup Server app backup; BMR/system state backup | Lost server (database/transaction logs lost) | N | N | Y; BMR recovery, followed by regular Azure Backup Server recovery |

How system state backup works


When a system state backup runs, Backup Server communicates with Windows Server Backup to request a backup
of the server's system state. By default, Backup Server and Windows Server Backup use the drive that has the most
available free space. Information about this drive is saved in the PSDataSourceConfig.xml file. This is the drive that
Windows Server Backup uses for backups.
You can customize the drive that Backup Server uses for the system state backup. On the protected server, go to
C:\Program Files\Microsoft Data Protection Manager\MABS\Datasources. Open the PSDataSourceConfig.xml file for
editing. Change the <FilesToProtect> value for the drive letter. Save and close the file. If there's a protection group
set to protect the system state of the computer, run a consistency check. If an alert is generated, select Modify
protection group in the alert, and then complete the wizard. Then, run another consistency check.
Note that if the protection server is in a cluster, it's possible that a cluster drive will be selected as the drive with the
most free space. If that drive ownership has been switched to another node and a system state backup runs, the
drive isn't available and the backup fails. In this scenario, modify PSDataSourceConfig.xml to point to a local drive.
Next, Windows Server Backup creates a folder called WindowsImageBackup in the root of the restore folder. As
Windows Server Backup creates the backup, all the data is placed in this folder. When the backup is finished, the file
is transferred to the Backup Server computer. Note the following information:
This folder and its contents are not cleaned up when the backup or transfer is finished. The best way to think of
this is that the space is being reserved for the next time a backup is finished.
The folder is created every time a backup is made. The time and date stamp reflect the time of your last system
state backup.

BMR backup
For BMR (including a system state backup), the backup job is saved directly to a share on the Backup Server
computer. It is not saved to a folder on the protected server.
Backup Server calls Windows Server Backup and shares out the replica volume for that BMR backup. In this case, it
doesn't tell Windows Server Backup to use the drive with the most free space. Instead, it uses the share that was
created for the job.
When the backup is finished, the file is transferred to the Backup Server computer. Logs are stored in
C:\Windows\Logs\WindowsServerBackup.

Prerequisites and limitations


BMR isn't supported for computers that run Windows Server 2003 or for computers that run a client
operating system.
You can't protect BMR and system state for the same computer in different protection groups.
A Backup Server computer can't protect itself for BMR.
Short-term protection to tape (disk-to-tape, or D2T) isn't supported for BMR. Long-term storage to tape
(disk-to-disk-to-tape, or D2D2T) is supported.
For BMR protection, Windows Server Backup must be installed on the protected computer.
For BMR protection, unlike for system state protection, Backup Server doesn't have any space requirements
on the protected computer. Windows Server Backup directly transfers backups to the Backup Server
computer. The backup transfer job doesn't appear in the Backup Server Jobs view.
Backup Server reserves 30 GB of space on the replica volume for BMR. You can change this on the Disk
Allocation page in the Modify Protection Group wizard or by using the Get-DatasourceDiskAllocation and
Set-DatasourceDiskAllocation PowerShell cmdlets. On the recovery point volume, BMR protection requires
about 6 GB for a retention of five days.
Note that you can't reduce the replica volume size to less than 15 GB.
Backup Server doesn't calculate the size of the BMR data source. It assumes 30 GB for all servers. Change
the value based on the size of BMR backups that you expect in your environment. The size of a BMR
backup can be roughly calculated as the sum of used space on all critical volumes. Critical volumes = boot
volume + system volume + volume hosting system state data, such as Active Directory.
If you change from system state protection to BMR protection, BMR protection requires less space on the
recovery point volume. However, the extra space on the volume is not reclaimed. You can manually shrink
the volume size on the Modify Disk Allocation page of the Modify Protection Group wizard or by using the
Get-DatasourceDiskAllocation and Set-DatasourceDiskAllocation PowerShell cmdlets.
If you change from system state protection to BMR protection, BMR protection requires more space on the
replica volume. The volume is automatically extended. If you want to change the default space allocations,
use the Modify-DiskAllocation PowerShell cmdlet.
If you change from BMR protection to system state protection, you need more space on the recovery point
volume. Backup Server might try to automatically increase the volume. If there is insufficient space in the
storage pool, an error occurs.
If you change from BMR protection to system state protection, you need space on the protected computer.
This is because system state protection first writes the replica to the local computer, and then transfers it to
the Backup Server computer.
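
One way to apply the sizing rule above (BMR size is roughly the used space on all critical volumes) on a protected server, as an added PowerShell example rather than code from the product documentation. The function name and the -SystemStateDrive parameter are hypothetical, the volume inventory at the end is constructed sample data, and the floor it reports is a starting point, not a Backup Server calculation.

```powershell
# Added example: estimate BMR backup size as the sum of used space on critical
# volumes, then compare it with the 30 GB that Backup Server assumes and the
# 15 GB lower limit for the replica volume (both figures come from the text).

function Get-BmrSizeEstimate {
    [CmdletBinding()]
    param(
        # Objects shaped like Win32_Volume (DriveLetter, BootVolume, SystemVolume,
        # Capacity, FreeSpace). Defaults to the fixed volumes of the local computer.
        [object[]]$Volume = (Get-CimInstance -ClassName Win32_Volume -Filter 'DriveType = 3'),

        # Hypothetical parameter: drive letters of volumes that host system state
        # data (for example, the Active Directory database) and are neither the
        # boot volume nor the system volume.
        [string[]]$SystemStateDrive = @()
    )

    $defaultGB = 30   # size Backup Server assumes for every BMR data source
    $minimumGB = 15   # the replica volume cannot be reduced below this size

    # Normalise 'd', 'D' and 'D:' to 'D:' so they compare with DriveLetter values.
    $extra = @($SystemStateDrive | ForEach-Object { $_.TrimEnd(':').ToUpperInvariant() + ':' })

    # Critical volumes = boot volume + system volume + volumes hosting system state data.
    $critical = @($Volume | Where-Object {
        $_.BootVolume -or $_.SystemVolume -or
        ($_.DriveLetter -and ($extra -contains $_.DriveLetter.ToUpperInvariant()))
    })

    if ($critical.Count -eq 0) {
        throw 'No boot, system, or system state volume found in the supplied volume list.'
    }

    $usedBytes = ($critical |
        ForEach-Object { $_.Capacity - $_.FreeSpace } |
        Measure-Object -Sum).Sum
    $usedGB = [math]::Round($usedBytes / 1GB, 1)

    $letters = $critical | ForEach-Object {
        if ($_.DriveLetter) { $_.DriveLetter } else { '(no letter)' }
    }

    [pscustomobject]@{
        CriticalVolumes          = $letters -join ', '
        EstimatedBmrGB           = $usedGB
        DefaultAssumedGB         = $defaultGB
        ExceedsDefault           = $usedGB -gt $defaultGB
        # Lower bound only: the estimate rounded up, never below the 15 GB limit.
        ReplicaAllocationFloorGB = [math]::Max($minimumGB, [math]::Ceiling($usedGB))
    }
}

# Constructed sample inventory (not real data): a system partition without a drive
# letter, the boot volume, a volume holding the Active Directory database, and an
# unrelated data volume that must not be counted.
$sample = @(
    [pscustomobject]@{ DriveLetter = $null; BootVolume = $false; SystemVolume = $true;  Capacity = 500MB; FreeSpace = 150MB }
    [pscustomobject]@{ DriveLetter = 'C:';  BootVolume = $true;  SystemVolume = $false; Capacity = 127GB; FreeSpace = 95GB }
    [pscustomobject]@{ DriveLetter = 'D:';  BootVolume = $false; SystemVolume = $false; Capacity = 200GB; FreeSpace = 190GB }
    [pscustomobject]@{ DriveLetter = 'E:';  BootVolume = $false; SystemVolume = $false; Capacity = 1TB;   FreeSpace = 400GB }
)

Get-BmrSizeEstimate -Volume $sample -SystemStateDrive 'd'
```

Run without -Volume on the protected computer to read its own volumes; when ExceedsDefault is true, the 30 GB default allocation is too small for that server.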

Before you begin


1. Deploy Azure Backup Server. Verify that Backup Server is correctly deployed. For more information, see:
System requirements for Azure Backup Server
Backup Server protection matrix
2. Set up storage. You can store backup data on disk, on tape, and in the cloud with Azure. For more
information, see Prepare data storage.
3. Set up the protection agent. Install the protection agent on the computer that you want to back up. For
more information, see Deploy the DPM protection agent.

Back up system state and bare metal


Set up a protection group as described in Deploy protection groups. Note that you can't protect BMR and system
state for the same computer in different groups. Also, when you select BMR, system state is automatically enabled.
1. To open the Create New Protection Group wizard in the Backup Server Administrator Console, select
Protection > Actions > Create Protection Group.
2. On the Select Protection Group Type page, select Servers, and then select Next.
3. On the Select Group Members page, expand the computer, and then select either BMR or system state.
Remember that you can't protect both BMR and system state for the same computer in different groups.
Also, when you select BMR, system state is automatically enabled. For more information, see Deploy
protection groups.
4. On the Select Data Protection Method page, select how you want to handle short-term and long-term
backup. Short-term backup is always to disk first, with the option of backing up from the disk to the Azure
cloud by using Azure Backup (short-term or long-term). An alternative to long-term backup to the cloud is to
set up long-term backup to a standalone tape device or tape library that's connected to Backup Server.
5. On the Select Short-Term Goals page, select how you want to back up to short-term storage on disk:
a. For Retention range, select how long you want to keep the data on disk.
b. For Synchronization frequency, select how often you want to run an incremental backup to disk. If you
don't want to set a backup interval, you can check the Just before a recovery point option. Backup
Server will run an express, full backup just before each recovery point is scheduled.
6. If you want to store data on tape for long-term storage, on the Specify Long-Term Goals page, select how
long you want to keep tape data (1-99 years).
a. For Frequency of backup, select how often backup to tape should run. The frequency is based on the
retention range you've selected:
When the retention range is 1-99 years, you can select backups to occur daily, weekly, biweekly,
monthly, quarterly, half-yearly, or yearly.
When the retention range is 1-11 months, you can select backups to occur daily, weekly, biweekly,
or monthly.
When the retention range is 1-4 weeks, you can select backups to occur daily or weekly.
b. On the Select Tape and Library Details page, select the tape and library to use, and whether data
should be compressed and encrypted.
7. On the Review Disk Allocation page, review the storage pool disk space that's allocated for the protection
group.
a. Total Data size is the size of the data you want to back up.
b. Disk space to be provisioned on Azure Backup Server is the space that Backup Server recommends
for the protection group. Backup Server chooses the ideal backup volume based on the settings. However,
you can edit the backup volume choices in Disk allocation details.
c. For workloads, in the drop-down menu, select the preferred storage. Your edits change the values for
Total Storage and Free Storage in the Available Disk Storage pane. Underprovisioned space is the
amount of storage that Backup Server suggests you add to the volume, to ensure smooth backups.
8. On the Choose Replica Creation Method page, select how you want to handle the initial full data
replication. If you choose to replicate over the network, we recommend that you choose an off-peak time. For
large amounts of data or for network conditions that are less than optimal, consider replicating the data
offline by using removable media.
9. On the Choose Consistency Check Options page, select how you want to automate consistency checks.
You can choose to run a check only when replica data becomes inconsistent, or on a schedule. If you don't
want to configure automatic consistency checking, you can run a manual check at any time. To run a manual
check, in the Protection area of the Backup Server Administrator Console, right-click the protection group,
and then select Perform Consistency Check.
10. If you've selected to back up to the cloud by using Azure Backup, on the Specify Online Protection Data
page, make sure that you select the workloads you want to back up to Azure.
11. On the Specify Online Backup Schedule page, select how often incremental backups to Azure will occur.
You can schedule backups to run every day, week, month, and year, and select the time and date at which
they should run. Backups can occur up to twice a day. Each time a backup runs, a data recovery point is
created in Azure from the copy of the backup data stored on the Backup Server disk.
12. On the Specify Online Retention Policy page, select how the recovery points that are created from the
daily, weekly, monthly, and yearly backups are retained in Azure.
13. On the Choose Online Replication page, select how the initial full replication of data occurs. You can
replicate over the network or do an offline backup (offline seeding). Offline backup uses the Azure Import
feature. For more information, see Offline backup workflow in Azure Backup.
14. On the Summary page, review your settings. After you select Create Group, initial replication of the data
occurs. When data replication finishes, on the Status page, the protection group status is OK. Backup then
takes place per the protection group settings.
Recover system state or BMR
You can recover BMR or system state to a network location. If you've backed up BMR, use Windows Recovery
Environment (WinRE) to start your system and connect it to the network. Then, use Windows Server Backup to
recover from the network location. If you've backed up system state, just use Windows Server Backup to recover
from the network location.
Restore BMR
Run recovery on the Backup Server computer:
1. In the Recovery pane, find the computer you want to recover, and then select Bare Metal Recovery.
2. Available recovery points are indicated in bold on the calendar. Select the date and time for the recovery
point that you want to use.
3. On the Select Recovery Type page, select Copy to a network folder.
4. On the Specify Destination page, select where you want to copy the data to. Remember that the selected
destination needs to have enough room. We recommend that you create a new folder.
5. On the Specify Recovery Options page, select the security settings to apply. Then, select whether you want
to use storage area network (SAN)-based hardware snapshots, for quicker recovery. (This is an option only if
you have a SAN with this functionality available, and the ability to create and split a clone to make it writable.
In addition, the protected computer and Backup Server computer must be connected to the same network.)
6. Set up notification options. On the Confirmation page, select Recover.
Set up the share location:
1. In the restore location, go to the folder that has the backup.
2. Share the folder that is one level above WindowsImageBackup so that the root of the shared folder is the
WindowsImageBackup folder. If you don't do this, restore won't find the backup. To connect by using
Windows Recovery Environment (WinRE), you need a share that you can access in WinRE with the correct IP
address and credentials.
Restore the system:
1. Start the computer on which you want to restore the image by using the Windows DVD for the system you
are restoring.
2. On the first page, verify language and locale settings. On the Install page, select Repair your computer.
3. On the System Recovery Options page, select Restore your computer using a system image that you
created earlier.
4. On the Select a system image backup page, select Select a system image > Advanced > Search for a
system image on the network. If a warning appears, select Yes. Go to the share path, enter the credentials,
and then select the recovery point. This scans for specific backups that are available in that recovery point.
Select the recovery point that you want to use.
5. On the Choose how to restore the backup page, select Format and repartition disks. On the next page,
verify settings.
6. To begin the restore, select Finish. A restart is required.
Restore system state
Run recovery in Backup Server:
1. In the Recovery pane, find the computer that you want to recover, and then select Bare Metal Recovery.
2. Available recovery points are indicated in bold on the calendar. Select the date and time for the recovery
point that you want to use.
3. On the Select Recovery Type page, select Copy to a network folder.
4. On the Specify Destination page, select where you want to copy the data. Remember that the selected
destination needs enough room. We recommend that you create a new folder.
5. On the Specify Recovery Options page, select the security settings to apply. Then, select whether you want
to use SAN-based hardware snapshots for quicker recovery. (This is an option only if you have a SAN with
this functionality and the ability to create and split a clone to make it writable. In addition, the protected
computer and Backup Server computer must be connected to the same network.)
6. Set up notification options. On the Confirmation page, select Recover.
Run Windows Server Backup:
1. Select Actions > Recover > This Server > Next.
2. Select Another Server, select the Specify Location Type page, and then select Remote shared folder.
Enter the path to the folder that contains the recovery point.
3. On the Select Recovery Type page, select System state.
4. On the Select Location for System State Recovery page, select Original Location.
5. On the Confirmation page, select Recover. After the restore, restart the server.
6. You also can run the system state restore at a command prompt. To do this, start Windows Server Backup on
the computer you want to recover. To get the version identifier, at a command prompt, enter:
wbadmin get versions -backuptarget:\\<servername>\<sharename>

Use the version identifier to start the system state restore. At the command prompt, enter:
wbadmin start systemstaterecovery -version:<versionidentifier> -backuptarget:\\<servername>\<sharename>

Confirm that you want to start the recovery. You can see the process in the Command Prompt window. A
restore log is created. After the restore, restart the server.
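
The command-prompt restore in step 6, as an added PowerShell example that is not part of the original documentation: it picks the newest listed version that can recover system state and builds the recovery command for review without running it. The function names are hypothetical, the wbadmin output and share name are constructed, and the field labels ("Backup time", "Version identifier", "Can recover") are assumed to match the English-language output of wbadmin get versions.

```powershell
# Added example: parse 'wbadmin get versions' output, choose a version that can
# recover system state, and build the recovery command. Nothing is executed.

function ConvertFrom-WbadminVersionList {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string[]]$Line
    )
    $records = @()
    $current = $null
    foreach ($text in $Line) {
        # Each field is "Label: value"; only the first colon separates the two.
        if ($text -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $label = $Matches[1]
            $value = $Matches[2].Trim()
            if ($label -eq 'Backup time') {
                # A "Backup time" line starts a new version record.
                if ($null -ne $current) { $records += [pscustomobject]$current }
                $current = [ordered]@{}
            }
            if ($null -ne $current) { $current[$label] = $value }
        }
    }
    if ($null -ne $current) { $records += [pscustomobject]$current }
    $records
}

function Select-SystemStateVersion {
    param([Parameter(Mandatory)][object[]]$Version)
    # The newest backup is not necessarily one that contains system state.
    $candidates = @($Version | Where-Object { $_.'Can recover' -match 'System State' })
    if ($candidates.Count -eq 0) { throw 'No listed version can recover system state.' }
    $candidates |
        Sort-Object -Property {
            [datetime]::ParseExact($_.'Version identifier', 'MM/dd/yyyy-HH:mm',
                [cultureinfo]::InvariantCulture)
        } |
        Select-Object -Last 1
}

function New-SystemStateRecoveryCommand {
    param(
        [Parameter(Mandatory)][string]$BackupTarget,
        [Parameter(Mandatory)][string]$VersionIdentifier
    )
    # Validate both values before they are placed on a command line.
    if ($BackupTarget -notmatch '^\\\\[^\\]+\\[^\\]+') {
        throw "Backup target '$BackupTarget' is not a \\server\share path."
    }
    if ($VersionIdentifier -notmatch '^\d{2}/\d{2}/\d{4}-\d{2}:\d{2}$') {
        throw "Version identifier '$VersionIdentifier' is not in MM/DD/YYYY-HH:MM form."
    }
    'wbadmin start systemstaterecovery -version:{0} -backuptarget:{1}' -f $VersionIdentifier, $BackupTarget
}

# Constructed sample output (not captured from a real server). On the computer being
# recovered, the lines would come from:
#   $lines = wbadmin get versions -backuptarget:\\<servername>\<sharename>
$sampleOutput = @'
wbadmin 1.0 - Backup command-line tool

Backup time: 8/18/2017 9:00 PM
Backup target: Network Share labeled \\restoresrv\sysstate
Version identifier: 08/19/2017-04:00
Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State

Backup time: 8/19/2017 9:00 PM
Backup target: Network Share labeled \\restoresrv\sysstate
Version identifier: 08/20/2017-04:00
Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State

Backup time: 8/20/2017 9:00 PM
Backup target: Network Share labeled \\restoresrv\sysstate
Version identifier: 08/21/2017-04:00
Can recover: Volume(s), File(s)
'@ -split "`r?`n"

$versions = ConvertFrom-WbadminVersionList -Line $sampleOutput
$chosen   = Select-SystemStateVersion -Version $versions
New-SystemStateRecoveryCommand -BackupTarget '\\restoresrv\sysstate' -VersionIdentifier $chosen.'Version identifier'
```

In the sample, the newest version cannot recover system state, so the second-newest identifier is the one placed in the command.
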
Recover data from Azure Backup Server
8/21/2017

You can use Azure Backup Server to recover the data you've backed up to a Recovery Services vault. The process for
doing so is integrated into the Azure Backup Server management console, and is similar to the recovery workflow
for other Azure Backup components.

NOTE
This article is applicable for System Center Data Protection Manager 2012 R2 with UR7 or later, combined with the latest
Azure Backup agent.

To recover data from an Azure Backup Server:


1. From the Recovery tab of the Azure Backup Server management console, click 'Add External DPM' (at the top
left of the screen).

2. Download new vault credentials from the vault associated with the Azure Backup Server where the data
is being recovered, choose the Azure Backup Server from the list of Azure Backup Servers registered with the
Recovery Services vault, and provide the encryption passphrase associated with the server whose data is
being recovered.
NOTE
Only Azure Backup Servers associated with the same registration vault can recover each other's data.

Once the External Azure Backup Server is successfully added, you can browse the data of the external server
and the local Azure Backup Server from the Recovery tab.
3. Browse the available list of production servers protected by the external Azure Backup Server and select the
appropriate data source.

4. Select the month and year from the Recovery points drop down, select the required Recovery date for
when the recovery point was created, and select the Recovery time.
A list of files and folders appears in the bottom pane, which can be browsed and recovered to any location.

5. Right click the appropriate item and click Recover.


6. Review the Recover Selection. Verify the date and time of the backup copy being recovered, as well as the
source from which the backup copy was created. If the selection is incorrect, click Cancel to navigate back to
recovery tab to select appropriate recovery point. If the selection is correct, click Next.

7. Select Recover to an alternate location. Browse to the correct location for the recovery.
8. Choose one of the following options: Create copy, Skip, or Overwrite.
Create copy - creates a copy of the file if there is a name collision.
Skip - if there is a name collision, does not recover the file, which leaves the original file in place.
Overwrite - if there is a name collision, overwrites the existing copy of the file.
Choose the appropriate option to Restore security. You can apply the security settings of the
destination computer where the data is being recovered or the security settings that were applicable
to the product at the time the recovery point was created.
Identify whether a Notification is sent once the recovery successfully completes.
9. The Summary screen lists the options chosen so far. Once you click Recover, the data is recovered to the
appropriate on-premises location.
NOTE
The recovery job can be monitored in the Monitoring tab of the Azure Backup Server.

10. You can click Clear External DPM on the Recovery tab of the DPM server to remove the view of the
external DPM server.

Troubleshooting Error Messages


| NO. | ERROR MESSAGE | TROUBLESHOOTING STEPS |
| --- | --- | --- |
| 1. | This server is not registered to the vault specified by the vault credential. | Cause: This error appears when the vault credential file selected does not belong to the Recovery Services vault associated with Azure Backup Server on which the recovery is attempted. Resolution: Download the vault credential file from the Recovery Services vault to which the Azure Backup Server is registered. |
| 2. | Either the recoverable data is not available or the selected server is not a DPM server. | Cause: There are no other Azure Backup Servers registered to the Recovery Services vault, or the servers have not yet uploaded the metadata, or the selected server is not an Azure Backup Server (aka Windows Server or Windows Client). Resolution: If there are other Azure Backup Servers registered to the Recovery Services vault, ensure that the latest Azure Backup agent is installed. If there are other Azure Backup Servers registered to the Recovery Services vault, wait for a day after installation to start the recovery process. The nightly job will upload the metadata for all the protected backups to cloud. The data will be available for recovery. |
| 3. | No other DPM server is registered to this vault. | Cause: There are no other Azure Backup Servers that are registered to the vault from which the recovery is being attempted. Resolution: If there are other Azure Backup Servers registered to the Recovery Services vault, ensure that the latest Azure Backup agent is installed. If there are other Azure Backup Servers registered to the Recovery Services vault, wait for a day after installation to start the recovery process. The nightly job uploads the metadata for all protected backups to cloud. The data will be available for recovery. |
| 4. | The encryption passphrase provided does not match with passphrase associated with the following server: | Cause: The encryption passphrase used in the process of encrypting the data from the Azure Backup Servers data that is being recovered does not match the encryption passphrase provided. The agent is unable to decrypt the data. Hence the recovery fails. Resolution: Please provide the exact same encryption passphrase associated with the Azure Backup Server whose data is being recovered. |

Frequently asked questions


Why can't I add an external DPM server after installing UR7 and latest Azure Backup agent?
For the DPM servers with data sources that are protected to the cloud (by using an update rollup earlier than
Update Rollup 7), you must wait at least one day after installing the UR7 and latest Azure Backup agent, to start
Add External DPM server. The one-day time period is needed to upload the metadata of the DPM protection
groups to Azure. Protection group metadata is uploaded the first time through a nightly job.
What is the minimum version of the Microsoft Azure Recovery Services agent needed?
The minimum version of the Microsoft Azure Recovery Services agent, or Azure Backup agent, required to enable
this feature is 2.0.8719.0. To view the agent's version: open Control Panel > All Control Panel items > Programs and
features > Microsoft Azure Recovery Services Agent. If the version is less than 2.0.8719.0, download and install the
latest Azure Backup agent.

Next steps:
Azure Backup FAQ
Prepare your environment to back up Resource
Manager-deployed virtual machines
10/17/2017

This article provides the steps for preparing your environment to back up a Resource Manager-deployed virtual
machine (VM). The steps shown in the procedures use the Azure portal.
The Azure Backup service has two types of vaults (Backup vaults and Recovery Services vaults) for protecting your
VMs. A Backup vault protects VMs deployed using the Classic deployment model. A Recovery Services vault
protects both Classic-deployed and Resource Manager-deployed VMs. You must use a Recovery Services vault
to protect a Resource Manager-deployed VM.

NOTE
Azure has two deployment models for creating and working with resources: Resource Manager and Classic. See Prepare
your environment to back up Azure virtual machines for details on working with Classic deployment model VMs.

Before you can protect or back up a Resource Manager-deployed virtual machine (VM), make sure these
prerequisites exist:
Create a recovery services vault (or identify an existing recovery services vault) in the same location as your
VM.
Select a scenario, define the backup policy, and define items to protect.
Check the installation of VM Agent on virtual machine.
Check network connectivity.
For Linux VMs, if you want to customize your backup environment for application-consistent backups,
follow the steps to configure pre-snapshot and post-snapshot scripts.
If you know these conditions already exist in your environment then proceed to the Back up your VMs article. If
you need to set up, or check, any of these prerequisites, this article leads you through the steps to prepare that
prerequisite.

Supported operating system for backup


Linux: Azure Backup supports a list of distributions that are endorsed by Azure except Core OS Linux. Other
Bring-Your-Own-Linux distributions also might work as long as the VM agent is available on the virtual
machine and support for Python exists. However, we do not endorse those distributions for backup.
Windows Server: Versions older than Windows Server 2008 R2 are not supported.

Limitations when backing up and restoring a VM


Before you prepare your environment, please understand the limitations.
Backing up virtual machines with more than 16 data disks is not supported.
Backing up virtual machines with data disk sizes greater than 1023GB is not supported.
Backing up virtual machines with a reserved IP address and no defined endpoint is not supported.
Backup of VMs encrypted using just BEK is not supported. Backup of Linux VMs encrypted using LUKS
encryption is not supported.
Backup of VMs containing Cluster Shared Volumes (CSV) or Scale-Out File Server configuration is not
recommended, because they require involving all VMs included in the cluster configuration during the snapshot task.
Azure Backup doesn't support multi-VM consistency.
Backup data doesn't include network mounted drives attached to VM.
Replacing an existing virtual machine during restore is not supported. If you attempt to restore the VM when
the VM exists, the restore operation fails.
Cross-region backup and restore are not supported.
You can back up virtual machines in all public regions of Azure (see the checklist of supported regions). If the
region that you are looking for is unsupported today, it will not appear in the dropdown list during vault
creation.
Restoring a domain controller (DC) VM that is part of a multi-DC configuration is supported only through
PowerShell. Read more about restoring a multi-DC domain controller.
Restoring virtual machines that have the following special network configurations is supported only through
PowerShell. VMs created using the restore workflow in the UI will not have these network configurations after
the restore operation is complete. To learn more, see Restoring VMs with special network configurations.
Virtual machines under load balancer configuration (internal and external)
Virtual machines with multiple reserved IP addresses
Virtual machines with multiple network adapters

Create a recovery services vault for a VM


A recovery services vault is an entity that stores the backups and recovery points that have been created over time.
The recovery services vault also contains the backup policies associated with the protected virtual machines.
To create a recovery services vault:
1. Sign in to the Azure portal.
2. On the Hub menu, click Browse and in the list of resources, type Recovery Services. As you begin typing,
the list will filter based on your input. Click Recovery Services vault.
The list of Recovery Services vaults is displayed.
3. On the Recovery Services vaults menu, click Add.

The Recovery Services vault blade opens, prompting you to provide a Name, Subscription, Resource
group, and Location.

4. For Name, enter a friendly name to identify the vault. The name needs to be unique for the Azure subscription.
Type a name that contains between 2 and 50 characters. It must start with a letter, and can contain only letters,
numbers, and hyphens.
5. Click Subscription to see the available list of subscriptions. If you are not sure which subscription to use, use
the default (or suggested) subscription. There will be multiple choices only if your organizational account is
associated with multiple Azure subscriptions.
6. Click Resource group to see the available list of Resource groups, or click New to create a new Resource
group. For complete information on Resource groups, see Azure Resource Manager overview.
7. Click Location to select the geographic region for the vault. The vault must be in the same region as the
virtual machines that you want to protect.

IMPORTANT
If you are unsure of the location in which your VM exists, close out of the vault creation dialog, and go to the list of
Virtual Machines in the portal. If you have virtual machines in multiple regions, you will need to create a Recovery
Services vault in each region. Create the vault in the first location before going to the next location. There is no need
to specify storage accounts to store the backup data--the Recovery Services vault and the Azure Backup service
handle this automatically.

8. Click Create. It can take a while for the Recovery Services vault to be created. Monitor the status
notifications in the upper right-hand area in the portal. Once your vault is created, it appears in the list of
Recovery Services vaults. If you don't see your vault, click Refresh to
Now that you've created your vault, learn how to set the storage replication.

Set Storage Replication


The storage replication option allows you to choose between geo-redundant storage and locally redundant
storage. By default, your vault has geo-redundant storage. Leave the option set to geo-redundant storage if this is
your primary backup. Choose locally redundant storage if you want a cheaper option that isn't quite as durable.
To edit the storage replication setting:
1. On the Recovery Services vaults blade, select your vault. When you click your vault, the Settings blade
(which has the name of the vault at the top) and the vault details blade open.

2. On the Settings blade, use the vertical slider to scroll down to the Manage section. Click Backup
Infrastructure to open its blade. In the General section click Backup Configuration to open its blade. On
the Backup Configuration blade, choose the storage replication option for your vault. By default, your
vault has geo-redundant storage. If you change the Storage replication type, click Save.

If you are using Azure as a primary backup storage endpoint, continue using geo-redundant storage. If you
are using Azure as a non-primary backup storage endpoint, then choose locally redundant storage. Read
more about geo-redundant and locally redundant storage options in the Azure Storage replication
overview. After choosing the storage option for your vault, you are ready to associate the VM with the vault.
To begin the association, you should discover and register the Azure virtual machines.

Select a backup goal, set policy and define items to protect


Before registering a VM with a vault, run the discovery process to ensure that any new virtual machines that have
been added to the subscription are identified. The process queries Azure for the list of virtual machines in the
subscription, along with additional information like the cloud service name and the region. In the Azure portal,
scenario refers to what you are going to put into the recovery services vault. Policy is the schedule for how often
and when recovery points are taken. Policy also includes the retention range for the recovery points.
1. If you already have a Recovery Services vault open, proceed to step 2. If you do not have a Recovery
Services vault open, then open the Azure portal and on the Hub menu, click More services.
In the list of resources, type Recovery Services.
As you begin typing, the list will filter based on your input. When you see Recovery Services
vaults, click it.
The list of Recovery Services vaults appears. If there are no vaults in your subscription, this list will
be empty.

From the list of Recovery Services vaults, select a vault to open its dashboard.
The Settings blade and the vault dashboard for the chosen vault open.
2. On the vault dashboard menu click Backup to open the Backup blade.

The Backup and Backup Goal blades open.

3. On the Backup Goal blade, set Where is your workload running to Azure and What do you want to
backup to Virtual machine, then click OK.
This registers the VM extension with the vault. The Backup Goal blade closes and the Backup policy blade
opens.
4. On the Backup policy blade, select the backup policy you want to apply to the vault.

The details of the default policy are listed under the drop-down menu. If you want to create a new policy,
select Create New from the drop-down menu. For instructions on defining a backup policy, see Defining a
backup policy. Click OK to associate the backup policy with the vault.
The Backup policy blade closes and the Select virtual machines blade opens.
5. In the Select virtual machines blade, choose the virtual machines to associate with the specified policy
and click OK.
The selected virtual machine is validated. If you do not see the virtual machines that you expected to see,
check that they exist in the same Azure location as the Recovery Services vault and are not already
protected in another vault. The location of the Recovery Services vault is shown on the vault dashboard.
6. Now that you have defined all settings for the vault, in the Backup blade click Enable Backup. This deploys
the policy to the vault and the VMs. This does not create the initial recovery point for the virtual machine.

After successfully enabling the backup, your backup policy will execute on schedule. If you would like to generate
an on-demand backup job to back up the virtual machines now, see Triggering the Backup job.
If you have problems registering the virtual machine, see the following information on installing the VM Agent
and on Network connectivity. You probably don't need the following information if you are protecting virtual
machines created in Azure. However if you migrated your virtual machines into Azure, then be sure you have
properly installed the VM agent and that your virtual machine can communicate with the virtual network.

Install the VM Agent on the virtual machine


The Azure VM Agent must be installed on the Azure virtual machine for the Backup extension to work. If your VM
was created from the Azure gallery, then the VM Agent is already present on the virtual machine. This information
is provided for the situations where you are not using a VM created from the Azure gallery - for example you
migrated a VM from an on-premises datacenter. In such a case, the VM Agent needs to be installed in order to
protect the virtual machine. Learn about the VM Agent.
If you have problems backing up the Azure VM, check that the Azure VM Agent is correctly installed on the virtual
machine (see the table below). The following table provides additional information about the VM Agent for
Windows and Linux VMs.

OPERATION: Installing the VM Agent
WINDOWS: Download and install the agent MSI. You will need Administrator privileges to complete the installation.
LINUX: Install the latest Linux agent. You will need Administrator privileges to complete the installation. We recommend installing agent from your distribution repository. We do not recommend installing Linux VM agent directly from GitHub.

OPERATION: Updating the VM Agent
WINDOWS: Updating the VM Agent is as simple as reinstalling the VM Agent binaries. Ensure that no backup operation is running while the VM agent is being updated.
LINUX: Follow the instructions on updating the Linux VM Agent. We recommend updating agent from your distribution repository. We do not recommend updating Linux VM agent directly from GitHub. Ensure that no backup operation is running while the VM Agent is being updated.

OPERATION: Validating the VM Agent installation
WINDOWS: Navigate to the C:\WindowsAzure\Packages folder in the Azure VM. You should find the WaAppAgent.exe file present. Right-click the file, go to Properties, and then select the Details tab. The Product Version field should be 2.6.1198.718 or higher.
LINUX: N/A

Backup extension
Once the VM Agent is installed on the virtual machine, the Azure Backup service installs the backup extension to
the VM Agent. The Azure Backup service seamlessly upgrades and patches the backup extension.
The backup extension is installed by the Backup service whether or not the VM is running. A running VM provides
the greatest chance of getting an application-consistent recovery point. However, the Azure Backup service
continues to back up the VM even if it is turned off, and the extension could not be installed. This is known as
Offline VM. In this case, the recovery point will be crash consistent.

Network connectivity
In order to manage the VM snapshots, the backup extension needs connectivity to the Azure public IP addresses.
Without the right Internet connectivity, the virtual machine's HTTP requests time out and the backup operation
fails. If your deployment has access restrictions in place (through a network security group (NSG), for example),
then choose one of these options for providing a clear path for backup traffic:
Whitelist the Azure datacenter IP ranges - see the article for instructions on how to whitelist the IP addresses.
Deploy an HTTP proxy server for routing traffic.
When deciding which option to use, the trade-offs are between manageability, granular control, and cost.

OPTION: Whitelist IP ranges
ADVANTAGES: No additional costs. For opening access in an NSG, use the Set-AzureNetworkSecurityRule cmdlet.
DISADVANTAGES: Complex to manage as the impacted IP ranges change over time. Provides access to the whole of Azure, and not just Storage.

OPTION: HTTP proxy
ADVANTAGES: Granular control in the proxy over the storage URLs allowed. Single point of Internet access to VMs. Not subject to Azure IP address changes.
DISADVANTAGES: Additional costs for running a VM with the proxy software.

Whitelist the Azure datacenter IP ranges


To whitelist the Azure datacenter IP ranges, please see the Azure website for details on the IP ranges, and
instructions.
You can use Service Tags to allow connections to storage in a specific region. Make sure that the rule that
allows access to the storage account has a higher priority than the rule that blocks Internet access.

WARNING
Storage tags are available only in specific regions and are in preview. For the list of regions, refer to Service tags for Storage.

Using an HTTP proxy for VM backups


When backing up a VM, the backup extension on the VM sends the snapshot management commands to Azure
Storage using an HTTPS API. Route the backup extension traffic through the HTTP proxy since it is the only
component configured for access to the public Internet.

NOTE
There is no recommendation for the proxy software that should be used. Ensure that you pick a proxy that is compatible
with the configuration steps below.

The example image below shows the three configuration steps necessary to use an HTTP proxy:
App VM routes all HTTP traffic bound for the public Internet through Proxy VM.
Proxy VM allows incoming traffic from VMs in the virtual network.
The Network Security Group (NSG) named NSG-lockdown needs a security rule allowing outbound Internet
traffic from Proxy VM.
To use an HTTP proxy to communicate with the public Internet, follow these steps:
Step 1. Configure outgoing network connections
For Windows machines

This sets up the proxy server configuration for the Local System account.
1. Download PsExec
2. Run the following command from an elevated prompt:

psexec -i -s "c:\Program Files\Internet Explorer\iexplore.exe"

This opens an Internet Explorer window.


3. Go to Tools -> Internet Options -> Connections -> LAN settings.
4. Verify proxy settings for System account. Set Proxy IP and port.
5. Close Internet Explorer.
This will set up a machine-wide proxy configuration, and will be used for any outgoing HTTP/HTTPS traffic.
If you have set up a proxy server on a current user account (not a Local System account), use the following script to
apply the settings to the Local System account:

# Copy the current user's proxy settings to the Local System account (SID S-1-5-18).
$user   = "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
$system = "Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

$obj = Get-ItemProperty -Path "$user\Connections"
Set-ItemProperty -Path "$system\Connections" -Name DefaultConnectionSettings -Value $obj.DefaultConnectionSettings
Set-ItemProperty -Path "$system\Connections" -Name SavedLegacySettings -Value $obj.SavedLegacySettings

$obj = Get-ItemProperty -Path $user
Set-ItemProperty -Path $system -Name ProxyEnable -Value $obj.ProxyEnable
Set-ItemProperty -Path $system -Name ProxyServer -Value $obj.ProxyServer

NOTE
If you observe "(407) Proxy Authentication Required" in the proxy server log, check that your authentication is set up correctly.

For Linux machines

Add the following line to the /etc/environment file:

http_proxy=http://<proxy IP>:<proxy port>


Add the following lines to the /etc/waagent.conf file:

HttpProxy.Host=<proxy IP>
HttpProxy.Port=<proxy port>

Step 2. Allow incoming connections on the proxy server:


1. On the proxy server, open Windows Firewall. The easiest way to access the firewall is to search for
Windows Firewall with Advanced Security.

2. In the Windows Firewall dialog, right-click Inbound Rules and click New Rule....

3. In the New Inbound Rule Wizard, choose the Custom option for the Rule Type and click Next.
4. On the page to select the Program, choose All Programs and click Next.
5. On the Protocol and Ports page, enter the following information and click Next:
for Protocol type choose TCP
for Local port choose Specific Ports, in the field below specify the <Proxy Port> that has been
configured.
for Remote port select All Ports
For the rest of the wizard, click all the way to the end and give this rule a name.
Step 3. Add an exception rule to the NSG:
In an Azure PowerShell command prompt, enter the following command:
The following command adds an exception to the NSG. This exception allows TCP traffic from any port on 10.0.0.5
to any Internet address on port 80 (HTTP) or 443 (HTTPS). If you require a specific port in the public Internet, be
sure to add that port to the -DestinationPortRange as well.

# "80-443" is a port range: the rule allows every destination port from 80 through 443.
Get-AzureNetworkSecurityGroup -Name "NSG-lockdown" |
    Set-AzureNetworkSecurityRule -Name "allow-proxy" -Action Allow -Protocol TCP -Type Outbound -Priority 200 `
        -SourceAddressPrefix "10.0.0.5/32" -SourcePortRange "*" -DestinationAddressPrefix Internet `
        -DestinationPortRange "80-443"

These steps use specific names and values for this example. Please use the names and values for your deployment
when entering, or cutting and pasting details into your code.
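How the exception rule above interacts with a lockdown rule, as an added example that is not part of the original article: a simplified model of NSG evaluation, in which the matching rule with the lowest priority number wins. The deny-internet rule, its priority values, the 10.0.0.0/16 virtual network range, the App VM address 10.0.0.4 and the destination 203.0.113.10 are assumptions made for illustration.

```python
import ipaddress

# Assumed address space of the virtual network; the article only gives 10.0.0.5.
VNET = ipaddress.ip_network("10.0.0.0/16")

# The exception rule from the article's command.
ALLOW_PROXY = {
    "name": "allow-proxy", "priority": 200, "action": "Allow", "protocol": "TCP",
    "source": "10.0.0.5/32", "source_ports": "*",
    "destination": "Internet", "dest_ports": "80-443",
}
# Constructed lockdown rule: the article implies one exists but does not show it.
DENY_INTERNET = {
    "name": "deny-internet", "priority": 300, "action": "Deny", "protocol": "*",
    "source": "*", "source_ports": "*",
    "destination": "Internet", "dest_ports": "*",
}


def port_matches(spec, port):
    """Match "*", a single port ("443") or an inclusive range ("80-443")."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def address_matches(prefix, address):
    """Match "*", the Internet tag, or a CIDR prefix against one address."""
    ip = ipaddress.ip_address(address)
    if prefix == "*":
        return True
    if prefix == "Internet":
        # Simplification: treat everything outside the assumed VNet as Internet.
        return ip not in VNET
    return ip in ipaddress.ip_network(prefix)


def evaluate_outbound(rules, src, dst, dst_port, protocol="TCP", src_port=50000):
    """Return (action, rule name) of the first match, lowest priority number first."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if (rule["protocol"] in ("*", protocol)
                and address_matches(rule["source"], src)
                and port_matches(rule["source_ports"], src_port)
                and address_matches(rule["destination"], dst)
                and port_matches(rule["dest_ports"], dst_port)):
            return rule["action"], rule["name"]
    return None, None  # Azure's built-in default rules are not modelled here.


def demo():
    rules = [DENY_INTERNET, ALLOW_PROXY]
    internet_host = "203.0.113.10"  # constructed destination address
    results = {
        "proxy_https": evaluate_outbound(rules, "10.0.0.5", internet_host, 443),
        "app_vm_https": evaluate_outbound(rules, "10.0.0.4", internet_host, 443),
        "proxy_port_135": evaluate_outbound(rules, "10.0.0.5", internet_host, 135),
        "proxy_port_8080": evaluate_outbound(rules, "10.0.0.5", internet_host, 8080),
    }
    # Same rules, but the deny rule now has the lower number, so it is matched first.
    shadowed = [dict(DENY_INTERNET, priority=100), ALLOW_PROXY]
    results["proxy_https_shadowed"] = evaluate_outbound(
        shadowed, "10.0.0.5", internet_host, 443)
    return results


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:22} {verdict}")
```

The proxy_port_135 result shows that "80-443" covers every port in between, not only 80 and 443, and proxy_https_shadowed shows the allow rule losing to a deny rule with a lower priority number.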
Now that you know you have network connectivity, you are ready to back up your VM. See Back up Resource
Manager-deployed VMs.

Questions?
If you have questions, or if there is any feature that you would like to see included, send us feedback.

Next steps
Now that you have prepared your environment for backing up your VM, your next logical step is to create a
backup. The planning article provides more detailed information about backing up VMs.
Back up virtual machines
Plan your VM backup infrastructure
Manage virtual machine backups
Application-consistent backup of Azure Linux VMs (preview)
6/27/2017

This article talks about the Linux pre-script and post-script framework, and how it can be used to take application-
consistent backups of Azure Linux VMs.

NOTE
The pre-script and post-script framework is supported only for Azure Resource Manager-deployed Linux virtual machines.
Scripts for application consistency are not supported for Service Manager-deployed virtual machines or Windows virtual
machines.

How the framework works


The framework provides an option to run custom pre-scripts and post-scripts while you're taking VM snapshots.
Pre-scripts are run just before you take the VM snapshot, and post-scripts are run immediately after you take the
VM snapshot. This gives you the flexibility to control your application and environment while you're taking VM
snapshots.
In this scenario, it's important to ensure application-consistent VM backup. The pre-script can invoke application-
native APIs to quiesce the IOs and flush in-memory content to the disk. This ensures that the snapshot is
application-consistent (that is, that the application comes up when the VM is booted post-restore). Post-script can
be used to thaw the IOs. It does this by using application-native APIs so that the application can resume normal
operations post-VM snapshot.

Steps to configure pre-script and post-script


1. Sign in as the root user to the Linux VM that you want to back up.
2. Download VMSnapshotScriptPluginConfig.json from GitHub, and then copy it to the /etc/azure folder
on all the VMs that you're going to back up. Create the /etc/azure directory if it doesn't exist already.
3. Copy the pre-script and post-script for your application on all the VMs that you plan to back up. You can
copy the scripts to any location on the VM. Be sure to update the full path of the script files in the
VMSnapshotScriptPluginConfig.json file.
4. Ensure the following permissions for these files:
VMSnapshotScriptPluginConfig.json: Permission 600. For example, only root user should have
read and write permissions to this file, and no user should have execute permissions.
Pre-script file: Permission 700. For example, only root user should have read, write, and
execute permissions to this file.
Post-script file: Permission 700. For example, only root user should have read, write, and execute
permissions to this file.
IMPORTANT
The framework gives users a lot of power. It's important that it's secure and that only root user has access to critical
JSON and script files. If the previous requirements aren't met, the script doesn't run. This results in file system/crash
consistent backup.

5. Configure VMSnapshotScriptPluginConfig.json as described here:


pluginName: Leave this field as is or your scripts might not work as expected.
preScriptLocation: Provide the full path of the pre-script on the VM that's going to be backed up.
postScriptLocation: Provide the full path of the post-script on the VM that's going to be backed up.
preScriptParams: Provide the optional parameters that need to be passed to the pre-script. All
parameters should be in quotes, and should be comma-separated if there are multiple parameters.
postScriptParams: Provide the optional parameters that need to be passed to the post-script. All
parameters should be in quotes, and should be comma-separated if there are multiple parameters.
preScriptNoOfRetries: Set the number of times the pre-script should be retried if there is any error
before terminating. Zero means only one try and no retry if there is a failure.
postScriptNoOfRetries: Set the number of times the post-script should be retried if there is any
error before terminating. Zero means only one try and no retry if there is a failure.
timeoutInSeconds: Specify individual timeouts for the pre-script and the post-script.
continueBackupOnFailure: Set this value to true if you want Azure Backup to fall back to a file
system consistent/crash consistent backup if pre-script or post-script fails. Setting this to false fails
the backup in case of script failure (except when you have single-disk VM that falls back to crash-
consistent backup regardless of this setting).
fsFreezeEnabled: Specify whether Linux fsfreeze should be called while you're taking the VM
snapshot to ensure file system consistency. We recommend keeping this setting set to true unless
your application has a dependency on disabling fsfreeze.
6. The script framework is now configured. If the VM backup is already configured, the next backup invokes the
scripts and triggers application-consistent backup. If the VM backup is not configured, configure it by using
Back up Azure virtual machines to Recovery Services vaults.
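A pre-flight check for steps 2 through 5, as an added example that is not part of the original article or of the Azure Backup extension: it validates the config file and both scripts and reports findings under the error names listed under Troubleshooting. It assumes the JSON file is a flat object holding the fields listed in step 5, that both scripts are configured, and that modes must equal 600 and 700 exactly; the ConfigFilePermissions label, the sample file names and the pluginName placeholder are constructed.

```python
import json
import os
import stat
import tempfile

# Field names come from the article; a flat JSON object holding them is assumed.
REQUIRED_KEYS = {
    "pluginName": str, "preScriptLocation": str, "postScriptLocation": str,
    "preScriptParams": list, "postScriptParams": list,
    "preScriptNoOfRetries": int, "postScriptNoOfRetries": int,
    "timeoutInSeconds": int, "continueBackupOnFailure": bool, "fsFreezeEnabled": bool,
}


def _owner_and_mode_ok(path, mode, owner_uid):
    st = os.stat(path)
    return stat.S_IMODE(st.st_mode) == mode and st.st_uid == owner_uid


def check_plugin_config(config_path, owner_uid=0):
    """Return (error_name, detail) findings; an empty list means every check passed."""
    try:
        with open(config_path, encoding="utf-8") as fh:
            cfg = json.load(fh)
    except (OSError, ValueError) as exc:  # unreadable file or invalid JSON
        return [("IncorrectJSONConfigFile", str(exc))]
    if not isinstance(cfg, dict):
        return [("IncorrectJSONConfigFile", "top level is not a JSON object")]

    findings = []
    # The article names no error for the config file's own mode; this label is ours.
    if not _owner_and_mode_ok(config_path, 0o600, owner_uid):
        findings.append(("ConfigFilePermissions", "expected root owner and mode 600"))

    bad = []
    for key, kind in REQUIRED_KEYS.items():
        value = cfg.get(key)
        # bool is a subclass of int in Python, so True/False must not pass as a count.
        if not isinstance(value, kind) or (kind is int and isinstance(value, bool)):
            bad.append(f"{key}: missing or not {kind.__name__}")
    if not bad:
        for key in ("preScriptNoOfRetries", "postScriptNoOfRetries"):
            if cfg[key] < 0:
                bad.append(f"{key}: must be zero or more")
        if cfg["timeoutInSeconds"] <= 0:
            bad.append("timeoutInSeconds: must be positive")
        for key in ("preScriptParams", "postScriptParams"):
            if not all(isinstance(p, str) for p in cfg[key]):
                bad.append(f"{key}: every parameter must be a quoted string")
    if bad:
        return findings + [("IncorrectJSONConfigFile", detail) for detail in bad]

    for label in ("Pre", "Post"):
        path = cfg[f"{label.lower()}ScriptLocation"]
        if not os.path.isabs(path):
            findings.append(("IncorrectJSONConfigFile", f"{path!r} is not a full path"))
        elif not os.path.isfile(path):
            findings.append((f"{label}-ScriptNotFound", path))
        elif not _owner_and_mode_ok(path, 0o700, owner_uid):
            findings.append((f"InsufficientPermissionfor{label}-Script", path))
    return findings


def build_sample(directory, pre_mode=0o700):
    """Constructed sample: a config file plus two stub scripts inside `directory`."""
    paths = {}
    for label, mode in (("pre", pre_mode), ("post", 0o700)):
        paths[label] = os.path.join(directory, f"{label}-script.sh")
        with open(paths[label], "w", encoding="utf-8") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(paths[label], mode)
    cfg = {
        "pluginName": "<value from the downloaded file>",  # placeholder
        "preScriptLocation": paths["pre"], "postScriptLocation": paths["post"],
        "preScriptParams": [], "postScriptParams": [],
        "preScriptNoOfRetries": 0, "postScriptNoOfRetries": 0,
        "timeoutInSeconds": 30, "continueBackupOnFailure": True, "fsFreezeEnabled": True,
    }
    config_path = os.path.join(directory, "VMSnapshotScriptPluginConfig.json")
    with open(config_path, "w", encoding="utf-8") as fh:
        json.dump(cfg, fh, indent=2)
    os.chmod(config_path, 0o600)
    return config_path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        uid = os.getuid()  # on a real VM, keep the default owner_uid=0 (root)
        print(check_plugin_config(build_sample(tmp), owner_uid=uid))
        print(check_plugin_config(build_sample(tmp, pre_mode=0o755), owner_uid=uid))
```

On a VM, run it as root against /etc/azure/VMSnapshotScriptPluginConfig.json with the default owner_uid of 0.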

Troubleshooting
Make sure you add appropriate logging while writing your pre-script and post-script, and review your script logs to
fix any script issues. If you still have problems running scripts, refer to the following table for more information.

ERROR: Pre-ScriptExecutionFailed
ERROR MESSAGE: The pre-script returned an error, so backup might not be application-consistent.
RECOMMENDED ACTION: Look at the failure logs for your script to fix the issue.

ERROR: Post-ScriptExecutionFailed
ERROR MESSAGE: The post-script returned an error that might impact application state.
RECOMMENDED ACTION: Look at the failure logs for your script to fix the issue and check the application state.

ERROR: Pre-ScriptNotFound
ERROR MESSAGE: The pre-script was not found at the location that's specified in the VMSnapshotScriptPluginConfig.json config file.
RECOMMENDED ACTION: Make sure that pre-script is present at the path that's specified in the config file to ensure application-consistent backup.

ERROR: Post-ScriptNotFound
ERROR MESSAGE: The post-script wasn't found at the location that's specified in the VMSnapshotScriptPluginConfig.json config file.
RECOMMENDED ACTION: Make sure that post-script is present at the path that's specified in the config file to ensure application-consistent backup.

ERROR: IncorrectPluginhostFile
ERROR MESSAGE: The Pluginhost file, which comes with the VmSnapshotLinux extension, is corrupted, so pre-script and post-script cannot run and the backup won't be application-consistent.
RECOMMENDED ACTION: Uninstall the VmSnapshotLinux extension, and it will automatically be reinstalled with the next backup to fix the problem.

ERROR: IncorrectJSONConfigFile
ERROR MESSAGE: The VMSnapshotScriptPluginConfig.json file is incorrect, so pre-script and post-script cannot run and the backup won't be application-consistent.
RECOMMENDED ACTION: Download the copy from GitHub and configure it again.

ERROR: InsufficientPermissionforPre-Script
ERROR MESSAGE: For running scripts, "root" user should be the owner of the file and the file should have 700 permissions (that is, only "owner" should have read, write, and execute permissions).
RECOMMENDED ACTION: Make sure root user is the owner of the script file and that only "owner" has read, write and execute permissions.

ERROR: InsufficientPermissionforPost-Script
ERROR MESSAGE: For running scripts, root user should be the owner of the file and the file should have 700 permissions (that is, only "owner" should have read, write, and execute permissions).
RECOMMENDED ACTION: Make sure root user is the owner of the script file and that only "owner" has read, write and execute permissions.

ERROR: Pre-ScriptTimeout
ERROR MESSAGE: The execution of the application-consistent backup pre-script timed-out.
RECOMMENDED ACTION: Check the script and increase the timeout in the VMSnapshotScriptPluginConfig.json file that's located at /etc/azure.

ERROR: Post-ScriptTimeout
ERROR MESSAGE: The execution of the application-consistent backup post-script timed out.
RECOMMENDED ACTION: Check the script and increase the timeout in the VMSnapshotScriptPluginConfig.json file that's located at /etc/azure.

Next steps
Configure VM backup to a Recovery Services vault
Prepare your environment to back up Azure virtual machines
10/2/2017

Before you can back up an Azure virtual machine (VM), there are three conditions that must exist.
You need to create a backup vault or identify an existing backup vault in the same region as your VM.
Establish network connectivity between the Azure public Internet addresses and the Azure storage endpoints.
Install the VM agent on the VM.
If you know these conditions already exist in your environment then proceed to the Back up your VMs article.
Otherwise, read on, this article will lead you through the steps to prepare your environment to back up an Azure
VM.

Supported operating system for backup


Linux: Azure Backup supports a list of distributions that are endorsed by Azure except Core OS Linux. Other
Bring-Your-Own-Linux distributions also might work as long as the VM agent is available on the virtual
machine and support for Python exists. However, we do not endorse those distributions for backup.
Windows Server: Versions older than Windows Server 2008 R2 are not supported.

Limitations when backing up and restoring a VM


NOTE
Azure has two deployment models for creating and working with resources: Resource Manager and classic. The following list
provides the limitations when deploying in the classic model.

Backing up virtual machines with more than 16 data disks is not supported.
Backing up virtual machines with a reserved IP address and no defined endpoint is not supported.
Backup data doesn't include network mounted drives attached to VM.
Replacing an existing virtual machine during restore is not supported. First delete the existing virtual machine
and any associated disks, and then restore the data from backup.
Cross-region backup and restore is not supported.
Backing up virtual machines by using the Azure Backup service is supported in all public regions of Azure (see
the checklist of supported regions). If the region that you are looking for is unsupported today, it will not
appear in the dropdown list during vault creation.
Backing up virtual machines by using the Azure Backup service is supported only for select operating system
versions:
Restoring a domain controller (DC) VM that is part of a multi-DC configuration is supported only through
PowerShell. Read more about restoring a multi-DC domain controller.
Restoring virtual machines that have the following special network configurations is supported only through
PowerShell. VMs that you create by using the restore workflow in the UI will not have these network
configurations after the restore operation is complete. To learn more, see Restoring VMs with special network
configurations.
Virtual machines under load balancer configuration (internal and external)
Virtual machines with multiple reserved IP addresses
Virtual machines with multiple network adapters

Create a backup vault for a VM


A backup vault is an entity that stores all the backups and recovery points that have been created over time. The
backup vault also contains the backup policies that will be applied to the virtual machines being backed up.

IMPORTANT
Starting March 2017, you can no longer use the classic portal to create Backup vaults. Existing Backup vaults are still
supported, and it is possible to use Azure PowerShell to create Backup vaults. However, Microsoft recommends you create
Recovery Services vaults for all deployments because future enhancements apply to Recovery Services vaults, only.

This image shows the relationships between the various Azure Backup entities:

Network connectivity
In order to manage the VM snapshots, the backup extension needs connectivity to the Azure public IP addresses.
Without the right Internet connectivity, the virtual machine's HTTP requests time out and the backup operation
fails. If your deployment has access restrictions in place (through a network security group (NSG), for example),
then choose one of these options for providing a clear path for backup traffic:
Whitelist the Azure datacenter IP ranges - see the article for instructions on how to whitelist the IP addresses.
Deploy an HTTP proxy server for routing traffic.
When deciding which option to use, the trade-offs are between manageability, granular control, and cost.

OPTION: Whitelist IP ranges
ADVANTAGES: No additional costs. For opening access in an NSG, use the Set-AzureNetworkSecurityRule cmdlet.
DISADVANTAGES: Complex to manage as the impacted IP ranges change over time. Provides access to the whole of Azure, and not just Storage.

OPTION: HTTP proxy
ADVANTAGES: Granular control in the proxy over the storage URLs allowed. To set up granular control in the proxy, the https://*.blob.core.windows.net/* URL pattern needs to be whitelisted. To whitelist only the storage account used by the VM, the https://<storageAccount>.blob.core.windows.net/* URL pattern needs to be whitelisted. Single point of Internet access to VMs. Not subject to Azure IP address changes.
DISADVANTAGES: Additional costs for running a VM with the proxy software.

Whitelist the Azure datacenter IP ranges


To whitelist the Azure datacenter IP ranges, please see the Azure website for details on the IP ranges, and
instructions.
Using an HTTP proxy for VM backups
When backing up a VM, the backup extension on the VM sends the snapshot management commands to Azure
Storage using an HTTPS API. Route the backup extension traffic through the HTTP proxy since it is the only
component configured for access to the public Internet.

NOTE
There is no recommendation for the proxy software that should be used. Ensure that you pick a proxy that has outbound
stickiness and which is compatible with the configuration steps below. Make sure third-party software does not modify the
proxy settings.

The example image below shows the three configuration steps necessary to use an HTTP proxy:
App VM routes all HTTP traffic bound for the public Internet through Proxy VM.
Proxy VM allows incoming traffic from VMs in the virtual network.
The Network Security Group (NSG) named NSG-lockdown needs a security rule allowing outbound Internet
traffic from Proxy VM.

To use an HTTP proxy to communicate with the public Internet, follow these steps:
Step 1. Configure outgoing network connections
For Windows machines

This sets up the proxy server configuration for the Local System account.
1. Download PsExec
2. Run the following command from an elevated prompt:

psexec -i -s "c:\Program Files\Internet Explorer\iexplore.exe"

This opens an Internet Explorer window.


3. Go to Tools -> Internet Options -> Connections -> LAN settings.
4. Verify proxy settings for System account. Set Proxy IP and port.
5. Close Internet Explorer.
This will set up a machine-wide proxy configuration, and will be used for any outgoing HTTP/HTTPS traffic.
If you have set up a proxy server on a current user account (not a Local System account), use the following script to
apply the settings to the Local System account:

# Copy the current user's proxy settings to the Local System account (SID S-1-5-18).
$user   = "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
$system = "Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

$obj = Get-ItemProperty -Path "$user\Connections"
Set-ItemProperty -Path "$system\Connections" -Name DefaultConnectionSettings -Value $obj.DefaultConnectionSettings
Set-ItemProperty -Path "$system\Connections" -Name SavedLegacySettings -Value $obj.SavedLegacySettings

$obj = Get-ItemProperty -Path $user
Set-ItemProperty -Path $system -Name ProxyEnable -Value $obj.ProxyEnable
Set-ItemProperty -Path $system -Name ProxyServer -Value $obj.ProxyServer

NOTE
If you observe "(407) Proxy Authentication Required" in the proxy server log, check that your authentication is set up correctly.

For Linux machines

Add the following line to the /etc/environment file:

http_proxy=http://<proxy IP>:<proxy port>

Add the following lines to the /etc/waagent.conf file:

HttpProxy.Host=<proxy IP>
HttpProxy.Port=<proxy port>

Step 2. Allow incoming connections on the proxy server:


1. On the proxy server, open Windows Firewall. The easiest way to access the firewall is to search for Windows
Firewall with Advanced Security.
2. In the Windows Firewall dialog, right-click Inbound Rules and click New Rule....

3. In the New Inbound Rule Wizard, choose the Custom option for the Rule Type and click Next.
4. On the page to select the Program, choose All Programs and click Next.
5. On the Protocol and Ports page, enter the following information and click Next:

for Protocol type choose TCP


for Local port choose Specific Ports, in the field below specify the <Proxy Port> that has been
configured.
for Remote port select All Ports
For the rest of the wizard, click all the way to the end and give this rule a name.
Step 3. Add an exception rule to the NSG:
In an Azure PowerShell command prompt, enter the following command:
The following command adds an exception to the NSG. This exception allows TCP traffic from any port on 10.0.0.5
to any Internet address on port 80 (HTTP) or 443 (HTTPS). If you require a specific port in the public Internet, be
sure to add that port to the -DestinationPortRange as well.

# "80-443" is a port range: the rule allows every destination port from 80 through 443.
Get-AzureNetworkSecurityGroup -Name "NSG-lockdown" |
    Set-AzureNetworkSecurityRule -Name "allow-proxy" -Action Allow -Protocol TCP -Type Outbound -Priority 200 `
        -SourceAddressPrefix "10.0.0.5/32" -SourcePortRange "*" -DestinationAddressPrefix Internet `
        -DestinationPortRange "80-443"

Ensure that you replace the names in the example with the details appropriate to your deployment.

VM agent
Before you can back up the Azure virtual machine, you should ensure that the Azure VM agent is correctly installed
on the virtual machine. Since the VM agent is an optional component at the time that the virtual machine is
created, ensure that the check box for the VM agent is selected before the virtual machine is provisioned.
Manual installation and update
The VM agent is already present in VMs that are created from the Azure gallery. However, virtual machines that
are migrated from on-premises datacenters would not have the VM agent installed. For such VMs, the VM agent
needs to be installed explicitly.

OPERATION: Installing the VM Agent
WINDOWS: Download and install the agent MSI. You will need Administrator privileges to complete the installation. Update the VM property to indicate that the agent is installed.
LINUX: Install the latest Linux agent. You will need Administrator privileges to complete the installation. We recommend installing agent from your distribution repository. We do not recommend installing Linux VM agent directly from GitHub.

OPERATION: Updating the VM Agent
WINDOWS: Updating the VM Agent is as simple as reinstalling the VM Agent binaries. Ensure that no backup operation is running while the VM agent is being updated.
LINUX: Follow the instructions on updating the Linux VM Agent. We recommend updating agent from your distribution repository. We do not recommend updating Linux VM agent directly from GitHub. Ensure that no backup operation is running while the VM Agent is being updated.

OPERATION: Validating the VM Agent installation
WINDOWS: Navigate to the C:\WindowsAzure\Packages folder in the Azure VM. You should find the WaAppAgent.exe file present. Right-click the file, go to Properties, and then select the Details tab. The Product Version field should be 2.6.1198.718 or higher.
LINUX: N/A

Learn about the VM agent and how to install it.


Backup extension
To back up the virtual machine, the Azure Backup service installs an extension to the VM agent. The Azure Backup
service seamlessly upgrades and patches the backup extension without additional user intervention.
The backup extension is installed if the VM is running. A running VM also provides the greatest chance of getting
an application-consistent recovery point. However, the Azure Backup service will continue to back up the VM--
even if it is turned off, and the extension could not be installed (aka Offline VM). In this case, the recovery point will
be crash consistent as discussed above.

Questions?
If you have questions, or if there is any feature that you would like to see included, send us feedback.

Next steps
Now that you have prepared your environment for backing up your VM, your next logical step is to create a
backup. The planning article provides more detailed information about backing up VMs.
Back up virtual machines
Plan your VM backup infrastructure
Manage virtual machine backups
Plan your VM backup infrastructure in Azure
8/21/2017

This article provides performance and resource suggestions to help you plan your VM backup infrastructure. It
also defines key aspects of the Backup service; these aspects can be critical in determining your architecture,
capacity planning, and scheduling. If you've prepared your environment, planning is the next step before you
begin to back up VMs. If you need more information about Azure virtual machines, see the Virtual Machines
documentation.

How does Azure back up virtual machines?


When the Azure Backup service initiates a backup job at the scheduled time, it triggers the backup extension to
take a point-in-time snapshot. The Azure Backup service uses the VMSnapshot extension in Windows, and the
VMSnapshotLinux extension in Linux. The extension is installed during the first VM backup. To install the extension,
the VM must be running. If the VM is not running, the Backup service takes a snapshot of the underlying storage
(since no application writes occur while the VM is stopped).
When taking a snapshot of Windows VMs, the Backup service coordinates with the Volume Shadow Copy Service
(VSS) to get a consistent snapshot of the virtual machine's disks. If you're backing up Linux VMs, you can write
your own custom scripts to ensure consistency when taking a VM snapshot. Details on invoking these scripts are
provided later in this article.
Once the Azure Backup service takes the snapshot, the data is transferred to the vault. To maximize efficiency, the
service identifies and transfers only the blocks of data that have changed since the previous backup.

When the data transfer is complete, the snapshot is removed and a recovery point is created.

NOTE
1. During the backup process, Azure Backup doesn't include the temporary disk attached to the virtual machine. For more
information, see the blog on temporary storage.
2. Since Azure Backup takes a storage-level snapshot and transfers that snapshot to the vault, do not change the storage
account keys until the backup job finishes.
3. For premium VMs, we copy the snapshot to the storage account. This is to make sure that the Azure Backup service gets
sufficient IOPS for transferring data to the vault. This additional copy of storage is charged as per the VM allocated size.
Data consistency
Backing up and restoring business-critical data is complicated by the fact that the data must be backed up while the
applications that produce it are running. To address this, Azure Backup supports application-consistent backups for
both Windows and Linux VMs.
Windows VM
Azure Backup takes VSS full backups on Windows VMs (read more about VSS full backup). To enable VSS copy
backups, the following registry key needs to be set on the VM.

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\BCDRAGENT]
"USEVSSCOPYBACKUP"="TRUE"

Linux VMs
Azure Backup provides a scripting framework. To ensure application consistency when backing up Linux VMs,
create custom pre-scripts and post-scripts that control the backup workflow and environment. Azure Backup
invokes the pre-script before taking the VM snapshot and invokes the post-script once the VM snapshot job
completes. For more details, see application consistent VM backups using pre-script and post-script.

NOTE
Azure Backup only invokes the customer-written pre- and post-scripts. If the pre-script and post-scripts execute
successfully, Azure Backup marks the recovery point as application consistent. However, the customer is ultimately
responsible for the application consistency when using custom scripts.

This table explains the types of consistency and the conditions that they occur under during Azure VM backup and
restore procedures.

| CONSISTENCY | VSS-BASED | EXPLANATION AND DETAILS |
|---|---|---|
| Application consistency | Yes for Windows | Application consistency is ideal for workloads as it ensures that: 1. The VM boots up. 2. There is no corruption. 3. There is no data loss. 4. The data is consistent to the application that uses the data, by involving the application at the time of backup--using VSS or pre/post script. Windows VMs: Most Microsoft workloads have VSS writers that do workload-specific actions related to data consistency. For example, Microsoft SQL Server has a VSS writer that ensures that the writes to the transaction log file and the database are done correctly. For Azure Windows VM backups, to create an application-consistent recovery point, the backup extension must invoke the VSS workflow and complete it before taking the VM snapshot. For the Azure VM snapshot to be accurate, the VSS writers of all Azure VM applications must complete as well. (Learn the basics of VSS and dive deep into the details of how it works). Linux VMs: Customers can execute custom pre-script and post-script to ensure application consistency. |
| File-system consistency | Yes - for Windows-based computers | There are two scenarios where the recovery point can be file-system consistent: (a) backups of Linux VMs in Azure, without pre-script/post-script or if pre-script/post-script failed; (b) VSS failure during backup for Windows VMs in Azure. In both these cases, the best that can be done is to ensure that: 1. The VM boots up. 2. There is no corruption. 3. There is no data loss. Applications need to implement their own "fix-up" mechanism on the restored data. |
| Crash consistency | No | This situation is equivalent to a virtual machine experiencing a "crash" (through either a soft or hard reset). Crash consistency typically happens when the Azure virtual machine is shut down at the time of backup. A crash-consistent recovery point provides no guarantees around the consistency of the data on the storage medium--either from the perspective of the operating system or the application. Only the data that already exists on the disk at the time of backup is captured and backed up. While there are no guarantees, usually, the operating system boots, followed by disk-checking procedure, like chkdsk, to fix any corruption errors. Any in-memory data or writes that have not been transferred to the disk are lost. The application typically follows with its own verification mechanism in case data rollback needs to be done. As an example, if the transaction log has entries that are not present in the database, then the database software does a rollback until the data is consistent. When data is spread across multiple virtual disks (like spanned volumes), a crash-consistent recovery point provides no guarantees for the correctness of the data. |

Performance and resource utilization


Like backup software that is deployed on-premises, you should plan for capacity and resource utilization needs
when backing up VMs in Azure. The Azure Storage limits define how to structure VM deployments to get
maximum performance with minimum impact to running workloads.
Pay attention to the following Azure Storage limits when planning backup performance:
Max egress per storage account
Total request rate per storage account
Storage account limits
Backup data copied from a storage account adds to the input/output operations per second (IOPS) and egress (or
throughput) metrics of the storage account. At the same time, virtual machines are also consuming IOPS and
throughput. The goal is to ensure Backup and virtual machine traffic don't exceed your storage account limits.
Number of disks
The backup process tries to complete a backup job as quickly as possible. In doing so, it consumes as many
resources as it can. However, all I/O operations are limited by the Target Throughput for Single Blob, which has a
limit of 60 MB per second. In an attempt to maximize its speed, the backup process tries to back up each of the
VM's disks in parallel. If a VM has four disks, the service attempts to back up all four disks in parallel. The number
of disks being backed up is the most important factor in determining storage account backup traffic.
Backup schedule
An additional factor that impacts performance is the backup schedule. If you configure the policies so all VMs are
backed up at the same time, you have scheduled a traffic jam. The backup process attempts to back up all disks in
parallel. To reduce the backup traffic from a storage account, back up different VMs at different times of the day,
with no overlap.

Capacity planning
Putting the previous factors together, you need to plan for the storage account usage needs. Download the VM
backup capacity planning Excel spreadsheet to see the impact of your disk and backup schedule choices.
Backup throughput
For each disk being backed up, Azure Backup reads the blocks on the disk and stores only the changed data
(incremental backup). The following table shows the average Backup service throughput values. Using the
following data, you can estimate the amount of time needed to back up a disk of a given size.

| BACKUP OPERATION | BEST-CASE THROUGHPUT |
|---|---|
| Initial backup | 160 Mbps |
| Incremental backup (DR) | 640 Mbps. Throughput drops significantly if the changed data (that needs to be backed up) is dispersed across the disk. |

Total VM backup time


While most of the backup time is spent reading and copying data, other operations contribute to the total time
needed to back up a VM:
- Time needed to install or update the backup extension.
- Snapshot time, which is the time taken to trigger a snapshot. Snapshots are triggered close to the scheduled
  backup time.
- Queue wait time. Since the Backup service is processing backups from multiple customers, copying backup
  data from snapshot to the backup or Recovery Services vault might not start immediately. In times of peak
  load, the wait can stretch up to eight hours due to the number of backups being processed. However, the total
  VM backup time is less than 24 hours for daily backup policies.
- Data transfer time, which is the time needed for the Backup service to compute the incremental changes from
  the previous backup and transfer those changes to vault storage.
Why am I observing longer (>12 hours) backup time?
Backup consists of two phases: taking snapshots and transferring the snapshots to the vault. The Backup service
optimizes for storage. When transferring the snapshot data to a vault, the service only transfers incremental
changes from the previous snapshot. To determine the incremental changes, the service computes the checksum
of the blocks. If a block is changed, the block is identified as a block to be sent to the vault. Then the service drills
further into each of the identified blocks, looking for opportunities to minimize the data to transfer. After
evaluating all changed blocks, the service coalesces the changes and sends them to the vault. In some legacy
applications, small, fragmented writes are not optimal for storage. If the snapshot contains many small,
fragmented writes, the service spends additional time processing the data written by the applications. The
recommended application write block from Azure, for applications running inside the VM, is a minimum of 8 KB. If
your application uses a block of less than 8 KB, backup performance is affected. For help with tuning your
application to improve backup performance, see Tuning applications for optimal performance with Azure storage.
Though the article on backup performance uses Premium storage examples, the guidance is applicable for
Standard storage disks.

Total restore time


A restore operation consists of two main subtasks: copying data back from the vault to the chosen customer
storage account, and creating the virtual machine. Copying data back from the vault depends on where the
backups are stored internally in Azure, and where the customer storage account is stored. Time taken to copy data
depends upon:
- Queue wait time - Since the service processes restore jobs from multiple customers at the same time, restore
  requests are put in a queue.
- Data copy time - Data is copied from the vault to the customer storage account. Restore time depends on the IOPS
  and throughput that the Azure Backup service gets on the selected customer storage account. To reduce the copying
  time during the restore process, select a storage account not loaded with other application writes and reads.

Best practices
We suggest following these practices while configuring backups for virtual machines:
- Don't schedule more than 10 classic VMs from the same cloud service to back up at the same time. If you want
  to back up multiple VMs from the same cloud service, stagger the backup start times by an hour.
- Do not schedule more than 40 VMs to back up at the same time.
- Schedule VM backups during non-peak hours. This way the Backup service uses IOPS for transferring data
  from the customer storage account to the vault.
- Make sure that a policy is applied on VMs spread across different storage accounts. We suggest no more than
  20 total disks from a single storage account be protected by the same backup schedule. If you have greater
  than 20 disks in a storage account, spread those VMs across multiple policies to get the required IOPS during
  the transfer phase of the backup process.
- Do not restore a VM running on Premium storage to the same storage account. If the restore operation process
  coincides with the backup operation, it reduces the available IOPS for backup.
- For Premium VM backup, ensure that the storage account that hosts premium disks has at least 50% free space for
  staging the snapshot for a successful backup.
- Make sure that the Python version on Linux VMs enabled for backup is 2.7.
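
The scheduling limits above and the best-case throughput figures from the Backup throughput table can be checked against a planned inventory before policies are applied. The following is an added example, not part of the original documentation; the VM record layout, the policy and storage account names and the inventory itself are constructed, "at the same time" is taken to mean an identical policy start time, and 1 GB is taken as 8,000 megabits.

```python
from collections import defaultdict
from dataclasses import dataclass

# Limits quoted from the planning guidance in this article.
MAX_VMS_PER_START = 40          # VMs starting a backup at the same time
MAX_CLASSIC_PER_SERVICE = 10    # classic VMs per cloud service at the same time
MAX_DISKS_PER_ACCOUNT = 20      # disks per storage account under one schedule
INITIAL_MBPS, INCREMENTAL_MBPS = 160, 640   # best-case throughput (megabits/s)


@dataclass(frozen=True)
class VM:
    name: str
    policy: str            # backup policy (schedule) name
    start: str             # policy start time, "HH:MM"
    storage_account: str
    disks: int
    classic: bool = False
    cloud_service: str = ""


def check_schedule(vms):
    """Return (rule, scope, count) for every limit the planned schedule exceeds."""
    per_start = defaultdict(int)
    per_service = defaultdict(int)
    per_account = defaultdict(int)
    for vm in vms:
        per_start[vm.start] += 1
        per_account[(vm.storage_account, vm.policy)] += vm.disks
        if vm.classic:
            per_service[(vm.cloud_service, vm.start)] += 1
    findings = []
    for start, n in sorted(per_start.items()):
        if n > MAX_VMS_PER_START:
            findings.append(("too-many-vms", start, n))
    for (svc, start), n in sorted(per_service.items()):
        if n > MAX_CLASSIC_PER_SERVICE:
            findings.append(("too-many-classic-vms", f"{svc}@{start}", n))
    for (acct, policy), n in sorted(per_account.items()):
        if n > MAX_DISKS_PER_ACCOUNT:
            findings.append(("too-many-disks", f"{acct}/{policy}", n))
    return findings


def stagger_classic(vms, first_hour):
    """Propose start times: batches of 10 classic VMs per cloud service, one hour apart."""
    seen = defaultdict(int)
    plan = {}
    classic = sorted((v for v in vms if v.classic),
                     key=lambda v: (v.cloud_service, v.name))
    for vm in classic:
        batch = seen[vm.cloud_service] // MAX_CLASSIC_PER_SERVICE
        seen[vm.cloud_service] += 1
        plan[vm.name] = f"{(first_hour + batch) % 24:02d}:00"
    return plan


def estimate_hours(data_gb, mbps):
    """Best-case transfer time in hours. ASSUMPTION: 1 GB = 8,000 megabits."""
    return data_gb * 8000 / mbps / 3600


# Constructed inventory: 12 classic VMs in one cloud service, 6 four-disk VMs
# sharing one storage account and policy, and one small VM elsewhere.
INVENTORY = (
    [VM(f"web{i:02d}", "classic-nightly", "01:00", "stclassic", 1, True, "svc-a")
     for i in range(12)]
    + [VM(f"sql{i}", "nightly", "02:00", "stdata1", 4) for i in range(6)]
    + [VM("app1", "nightly", "02:00", "stdata2", 2)]
)

if __name__ == "__main__":
    for finding in check_schedule(INVENTORY):
        print(finding)
    print(stagger_classic(INVENTORY, first_hour=1))
    print(f"100 GB initial backup: {estimate_hours(100, INITIAL_MBPS):.2f} h best case")
```

The estimate covers data transfer only; queue wait, snapshot and extension-install time described under Total VM backup time come on top of it.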

Data encryption
Azure Backup does not encrypt data as a part of the backup process. However, you can encrypt data within the VM
and back up the protected data seamlessly (read more about backup of encrypted data).

Calculating the cost of protected instances


Azure virtual machines that are backed up through Azure Backup are subject to Azure Backup pricing. The
Protected Instances calculation is based on the actual size of the virtual machine, which is the sum of all the data in
the virtual machine--excluding the resource disk.
Pricing for backing up VMs is not based on the maximum supported size for each data disk attached to the virtual
machine. Pricing is based on the actual data stored in the data disk. Similarly, the backup storage bill is based on
the amount of data that is stored in Azure Backup, which is the sum of the actual data in each recovery point.
For example, take an A2 Standard-sized virtual machine that has two additional data disks with a maximum size of
1 TB each. The following table gives the actual data stored on each of these disks:
| DISK TYPE | MAX SIZE | ACTUAL DATA PRESENT |
|---|---|---|
| Operating system disk | 1023 GB | 17 GB |
| Local disk / Resource disk | 135 GB | 5 GB (not included for backup) |
| Data disk 1 | 1023 GB | 30 GB |
| Data disk 2 | 1023 GB | 0 GB |

The actual size of the virtual machine in this case is 17 GB + 30 GB + 0 GB = 47 GB. This Protected Instance size
(47 GB) becomes the basis for the monthly bill. As the amount of data in the virtual machine grows, the Protected
Instance size used for billing changes accordingly.
Billing does not start until the first successful backup completes. At this point, the billing for both Storage and
Protected Instances begins. Billing continues as long as there is any backup data stored in a vault for the virtual
machine. If you stop protection on the virtual machine, but virtual machine backup data exists in a vault, billing
continues.
Billing for a specified virtual machine stops only if the protection is stopped and all backup data is deleted. When
protection stops and there are no active backup jobs, the size of the last successful VM backup becomes the
Protected Instance size used for the monthly bill.

Questions?
If you have questions, or if there is any feature that you would like to see included, send us feedback.

Next steps
Back up virtual machines
Manage virtual machine backup
Restore virtual machines
Troubleshoot VM backup issues
Back up Azure virtual machines to a Recovery
Services vault
8/16/2017

This article details how to back up Azure VMs (both Resource Manager-deployed and Classic-deployed) to a
Recovery Services vault. Most of the work for backing up VMs is the preparation. Before you can back up or
protect a VM, you must complete the prerequisites to prepare your environment for protecting your VMs. Once
you have completed the prerequisites, then you can initiate the backup operation to take snapshots of your VM.
The Azure Backup service has two types of vaults - the Backup vault and the Recovery Services vault. The Backup
vault came first. Then the Recovery Services vault came along to support the expanded Resource Manager
deployments. Microsoft recommends using Resource Manager deployments unless you specifically require a
Classic deployment.

| DEPLOYMENT | PORTAL | VAULT |
|---|---|---|
| Classic | Classic | Backup |
| Resource Manager | Azure | Recovery Services |

NOTE
Backup vaults cannot protect Resource Manager-deployed solutions. However, you can use a Recovery Services vault to
protect classically-deployed servers and VMs.

For more information, see the articles on planning your VM backup infrastructure in Azure and Azure virtual
machines.

Triggering the backup job


The backup policy associated with the Recovery Services vault defines how often and when the backup operation
runs. By default, the first scheduled backup is the initial backup. Until the initial backup occurs, the Last Backup
Status on the Backup Jobs blade shows as Warning (initial backup pending).

Unless your initial backup is due to begin soon, it is recommended that you run Back up Now. The following
procedure starts from the vault dashboard. This procedure serves for running the initial backup job after you have
completed all prerequisites. If the initial backup job has already been run, this procedure is not available. The
associated backup policy determines the next backup job.
To run the initial backup job:
1. On the vault dashboard, click the number under Backup Items, or click the Backup Items tile.
The Backup Items blade opens.

2. On the Backup Items blade, select the item.


The Backup Items list opens.

3. On the Backup Items list, click the ellipses ... to open the Context menu.

The Context menu appears.

4. On the Context menu, click Backup now.

The Backup Now blade opens.


5. On the Backup Now blade, click the calendar icon, use the calendar control to select the last day this
recovery point is retained, and click Backup.

Deployment notifications let you know the backup job has been triggered, and that you can monitor the
progress of the job on the Backup jobs page. Depending on the size of your VM, creating the initial backup
may take a while.
6. To view or track the status of the initial backup, on the vault dashboard, on the Backup Jobs tile click In
progress.
The Backup Jobs blade opens.

In the Backup jobs blade, you can see the status of all jobs. Check if the backup job for your VM is still in
progress, or if it has finished. When a backup job is finished, the status is Completed.

NOTE
As a part of the backup operation, the Azure Backup service issues a command to the backup extension in each VM
to flush all writes and take a consistent snapshot.

Troubleshooting errors
If you run into issues while backing up your virtual machine, see the VM troubleshooting article for help.

Next steps
Now that you have protected your VM, see the following articles to learn about VM management tasks, and how to
restore VMs.
Manage and monitor your virtual machines
Restore virtual machines
Back up and restore encrypted virtual machines with
Azure Backup
10/13/2017

This article talks about the steps to back up and restore virtual machines (VMs) by using Azure Backup. It also
provides details about supported scenarios, prerequisites, and troubleshooting steps for error cases.

Supported scenarios
- Backup and restore of encrypted VMs is supported only for VMs that use the Azure Resource Manager
  deployment model. It's not supported for VMs that use the classic deployment model.
- Backup and restore of encrypted VMs is supported for both Windows and Linux VMs that use Azure Disk
  Encryption. Disk Encryption uses the industry standard BitLocker feature of Windows and the dm-crypt
  feature of Linux to provide encryption of disks.
- The following table shows supported scenarios for BitLocker encryption key (BEK)-only and key encryption
  key (KEK)-encrypted VMs:

| | BEK + KEK VMS | BEK-ONLY VMS |
|---|---|---|
| Nonmanaged VMs | Yes | Yes |
| Managed VMs | Yes | Yes |

Prerequisites
- The VM was encrypted by using Azure Disk Encryption.
- A Recovery Services vault was created and storage replication was set by following the steps in Prepare your
  environment for backup.
- Backup was given permissions to access a key vault containing keys and secrets for encrypted VMs.

Back up an encrypted VM
Use the following steps to set a backup goal, define a policy, configure items, and trigger a backup.
Configure backup
1. If you already have a Recovery Services vault open, proceed to the next step. If you don't have a Recovery
Services vault open but you're in the Azure portal, on the Hub menu, select Browse.
a. In the list of resources, type Recovery Services.
b. As you begin typing, the list filters based on your input. When you see Recovery Services vaults, select it.
c. The list of Recovery Services vaults appears. Select a vault from the list.
The selected vault dashboard opens.
2. From the list of items that appears under the vault, select Backup to start backing up the encrypted VM.

3. On the Backup tile, select Backup goal.


4. Under Where is your workload running?, select Azure. Under What do you want to backup?, select
Virtual machine. Then select OK.

5. Under Choose backup policy, select the backup policy you want to apply to the vault. Then select OK.
The details of the default policy are listed. If you want to create a policy, select Create New from the drop-
down list. After you select OK, the backup policy is associated with the vault.
6. Choose the encrypted VMs to associate with the specified policy, and select OK.

7. This page shows a message about key vaults associated with the encrypted VMs you selected. Backup requires
read-only access to the keys and secrets in the key vault. It uses these permissions to back up the keys and
secrets, along with the associated VMs. You must provide permissions to the backup service to access the key
vault for backups to work. You can provide these permissions by following the steps mentioned in the
following section.
Now that you have defined all settings for the vault, select Enable Backup at the bottom of the page.
Enable Backup deploys the policy to the vault and the VMs.
8. The next phase in preparation is installing the VM Agent or making sure the VM Agent is installed. To do
so, follow the steps in Prepare your environment for backup.
Trigger a backup job
Follow the steps in Backup Azure VMs to a Recovery Services vault to trigger a backup job.
Continue backups of already backed-up VMs with encryption enabled
If you have VMs already being backed up in a Recovery Services vault that are enabled for encryption later, you
must give permissions to Backup to access the key vault for backups to continue. You can provide these
permissions by following the steps in the following section. Or you can follow the PowerShell steps in the "Enable
backup" section of the PowerShell documentation.

Provide permissions to Backup


Use the following steps to provide relevant permissions to Backup to access the key vault and perform backup of
encrypted VMs.
1. Select More services, and search for Key vaults.
2. From the list of key vaults, select the key vault associated with the encrypted VM that needs to be backed up.

3. Select Access policies, and then select Add new.


4. Select Select principal, and then type Backup Management Service in the search box.
5. Select Backup Management Service, and then select Select.

6. Under Configure from template (optional), select Azure Backup. The required permissions are prefilled
for Key permissions and Secret permissions. If your VM is encrypted by using BEK only, permissions only
for secrets are required, so you must remove the selection for Key permissions.
7. Select OK. Notice that Backup Management Service gets added in Access policies.
8. Select Save to give the required permissions to Backup.

After permissions are successfully provided, you can proceed with enabling backup for encrypted VMs.
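
The access granted in these steps can be audited for least privilege: read-only permissions for the Backup Management Service, and no key permissions at all when the VM is BEK-only. The following check is an added example, not part of the original documentation; it assumes access policies exported as a list of {"objectId": ..., "permissions": {"keys": [...], "secrets": [...]}} records, models read-only access as get, list and backup, and uses constructed placeholder object IDs and vault contents.

```python
# ASSUMPTION: the "read-only access" Backup needs is modelled as get, list, backup.
# Adjust to the permissions the Azure Backup template prefills in your portal.
READ_ONLY = frozenset({"get", "list", "backup"})

# Constructed placeholder object IDs, not real service principals.
BACKUP_SVC = "00000000-0000-0000-0000-0000000000b1"
ADMIN_USER = "00000000-0000-0000-0000-0000000000a1"


def _granted(policies, kind):
    """Union of lower-cased permissions of one kind across the given policies."""
    perms = set()
    for policy in policies:
        perms |= {p.lower() for p in (policy.get("permissions", {}).get(kind) or [])}
    return perms


def audit_backup_access(access_policies, backup_object_id, bek_only):
    """Compare what the Backup principal holds with what the article says it needs.

    Returns a sorted-by-kind list of "missing:<kind>:<perm>" and
    "excess:<kind>:<perm>" findings, or ["no-access-policy"] when the
    principal has no entry (the cause of the "insufficient permissions"
    backup error in the troubleshooting table).
    """
    mine = [p for p in access_policies
            if p.get("objectId", "").lower() == backup_object_id.lower()]
    if not mine:
        return ["no-access-policy"]
    needed = {"secrets": READ_ONLY}
    if not bek_only:                      # BEK + KEK VMs also need key access
        needed["keys"] = READ_ONLY
    kinds = {k for p in mine for k in p.get("permissions", {})} | set(needed)
    findings = []
    for kind in sorted(kinds):
        granted = _granted(mine, kind)
        wanted = needed.get(kind, frozenset())
        findings += [f"missing:{kind}:{p}" for p in sorted(wanted - granted)]
        findings += [f"excess:{kind}:{p}" for p in sorted(granted - wanted)]
    return findings


# Constructed sample vaults.
_ADMIN = {"objectId": ADMIN_USER,
          "permissions": {"keys": ["get", "list", "delete"],
                          "secrets": ["get", "list", "set", "delete"]}}
VAULTS = {
    "kek-ok": [_ADMIN, {"objectId": BACKUP_SVC,
                        "permissions": {"keys": ["Get", "List", "Backup"],
                                        "secrets": ["Get", "List", "Backup"]}}],
    "over-granted": [{"objectId": BACKUP_SVC,
                      "permissions": {"keys": ["get", "list", "backup"],
                                      "secrets": ["get", "list", "backup", "delete"]}}],
    "partial": [{"objectId": BACKUP_SVC, "permissions": {"secrets": ["get"]}}],
    "none": [_ADMIN],
}

if __name__ == "__main__":
    for name, policies in VAULTS.items():
        for bek_only in (False, True):
            print(name, "bek_only" if bek_only else "bek+kek",
                  audit_backup_access(policies, BACKUP_SVC, bek_only))
```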

Restore an encrypted VM
To restore an encrypted VM, first restore disks by following the steps in the "Restore backed-up disks" section in
Choose a VM restore configuration. After that, you can use one of the following options:
Follow the PowerShell steps in Create a VM from restored disks to create a full VM from restored disks.
Or, use templates to customize a restored VM to create VMs from restored disks. Templates can be used only for
recovery points created after April 26, 2017.

Troubleshooting errors
| OPERATION | ERROR DETAILS | RESOLUTION |
|---|---|---|
| Backup | Backup doesn't have sufficient permissions to the key vault for backup of encrypted VMs. | Backup should be provided these permissions by following the steps in the previous section. Or you can follow the PowerShell steps in the "Enable protection" section of the PowerShell documentation at Use AzureRM.RecoveryServices.Backup cmdlets to back up virtual machines. |
| Restore | You can't restore this encrypted VM because the key vault associated with this VM doesn't exist. | Create a key vault by using Get started with Azure Key Vault. See Restore a key vault key and a secret by using Azure Backup to restore a key and a secret if they aren't present. |
| Restore | You can't restore this encrypted VM because the key and the secret associated with this VM don't exist. | See Restore a key vault key and a secret by using Azure Backup to restore a key and a secret if they aren't present. |
| Restore | Backup doesn't have the authorization to access resources in your subscription. | As mentioned previously, restore disks first by following the steps in the "Restore backed-up disks" section in Choose a VM restore configuration. After that, use PowerShell to create a VM from restored disks. |
Back up Azure virtual machines (classic portal)
8/2/2017

This article provides the procedures for backing up a Classic-deployed Azure virtual machine (VM) to a Backup
vault. There are a few tasks you need to take care of before you can back up an Azure virtual machine. If you
haven't already done so, complete the prerequisites to prepare your environment for backing up your VMs.
For additional information, see the articles on planning your VM backup infrastructure in Azure and Azure virtual
machines.

NOTE
Azure has two deployment models for creating and working with resources: Resource Manager and Classic. A Backup vault
can only protect Classic-deployed VMs. You cannot protect Resource Manager-deployed VMs with a Backup vault. See
Back up VMs to Recovery Services vault for details on working with Recovery Services vaults.

Backing up Azure virtual machines involves three key steps:

NOTE
Backing up virtual machines is a local process. You cannot back up virtual machines in one region to a backup vault in
another region. So, you must create a backup vault in each Azure region, where there are VMs that will be backed up.

IMPORTANT
Starting March 2017, you can no longer use the classic portal to create Backup vaults. You can now upgrade your Backup
vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to a Recovery Services vault. Microsoft
encourages you to upgrade your Backup vaults to Recovery Services vaults.
After October 15, 2017, you can't use PowerShell to create Backup vaults. By November 1, 2017:
All remaining Backup vaults will be automatically upgraded to Recovery Services vaults.
You won't be able to access your backup data in the classic portal. Instead, use the Azure portal to access your backup
data in Recovery Services vaults.

Step 1 - Discover Azure virtual machines


To ensure any new virtual machines (VMs) added to the subscription are identified before registering, run the
discovery process. The process queries Azure for the list of virtual machines in the subscription, along with
additional information like the cloud service name and the region.
1. Sign in to the Classic portal
2. In the list of Azure services, click Recovery Services to open the list of Backup and Site Recovery vaults.

3. In the list of Backup vaults, select the vault to back up a VM.


If this is a new vault the portal opens to the Quick Start page.
If the vault has previously been configured, the portal opens to the most recently used menu.
4. From the vault menu (at the top of the page), click Registered Items.

5. From the Type menu, select Azure Virtual Machine.

6. Click DISCOVER at the bottom of the page.


The discovery process may take a few minutes while the virtual machines are being tabulated. There is a
notification at the bottom of the screen that lets you know that the process is running.

The notification changes when the process is complete. If the discovery process did not find the virtual
machines, first ensure the VMs exist. If the VMs exist, ensure the VMs are in the same region as the backup
vault. If the VMs exist and are in the same region, ensure the VMs are not already registered to a backup
vault. If a VM is assigned to a backup vault it is not available to be assigned to other backup vaults.

Once you have discovered the new items, go to Step 2 and register your VMs.

Step 2 - Register Azure virtual machines


You register an Azure virtual machine to associate it with the Azure Backup service. This is typically a one-time
activity.
1. Navigate to the backup vault under Recovery Services in the Azure portal, and then click Registered Items.
2. Select Azure Virtual Machine from the drop-down menu.

3. Click REGISTER at the bottom of the page.


4. In the Register Items shortcut menu, select the virtual machines that you want to register. If there are two
or more virtual machines with the same name, use the cloud service to distinguish between them.
TIP
Multiple virtual machines can be registered at one time.

A job is created for each virtual machine that you've selected.


5. Click View Job in the notification to go to the Jobs page.

The virtual machine also appears in the list of registered items, along with the status of the registration
operation.

When the operation completes, the status changes to reflect the registered state.

Step 3 - Protect Azure virtual machines


Now you can set up a backup and retention policy for the virtual machine. Multiple virtual machines can be
protected by using a single protect action.
Azure Backup vaults created after May 2015 come with a default policy built into the vault. This default policy
comes with a default retention of 30 days and a once-daily backup schedule.
1. Navigate to the backup vault under Recovery Services in the Azure portal, and then click Registered Items.
2. Select Azure Virtual Machine from the drop-down menu.

3. Click PROTECT at the bottom of the page.


The Protect Items wizard appears. The wizard only lists virtual machines that are registered and not
protected. Select the virtual machines that you want to protect.
If there are two or more virtual machines with the same name, use the cloud service to distinguish
between the virtual machines.

TIP
You can protect multiple virtual machines at one time.
4. Choose a backup schedule to back up the virtual machines that you've selected. You can pick from an
existing set of policies or define a new one.
Each backup policy can have multiple virtual machines associated with it. However, the virtual machine can
only be associated with one policy at any given point in time.

NOTE
A backup policy includes a retention scheme for the scheduled backups. If you select an existing backup policy, you
cannot modify the retention options in the next step.

5. Choose a retention range to associate with the backups.


Retention policy specifies the length of time for storing a backup. You can specify different retention
policies based on when the backup is taken. For example, a backup point taken daily (which serves as an
operational recovery point) might be preserved for 90 days. In comparison, a backup point taken at the
end of each quarter (for audit purposes) may need to be preserved for many months or years.

In this example image:


Daily retention policy: Backups taken daily are stored for 30 days.
Weekly retention policy: Backups taken every week on Sunday are preserved for 104 weeks.
Monthly retention policy: Backups taken on the last Sunday of each month are preserved for 120
months.
Yearly retention policy: Backups taken on the first Sunday of every January are preserved for 99
years.
A job is created to configure the protection policy and associate the virtual machines to that policy
for each virtual machine that you've selected.
6. To view the list of Configure Protection jobs, from the vaults menu, click Jobs and select Configure
Protection from the Operation filter.

Initial backup
Once the virtual machine is protected with a policy, it shows up under the Protected Items tab with the status of
Protected - (pending initial backup). By default, the first scheduled backup is the initial backup.
To trigger the initial backup immediately after configuring protection:
1. At the bottom of the Protected Items page, click Backup Now.
The Azure Backup service creates a backup job for the initial backup operation.
2. Click the Jobs tab to view the list of jobs.

NOTE
During the backup operation, the Azure Backup service issues a command to the backup extension in each virtual machine
to flush all write jobs and take a consistent snapshot.

When the initial backup finishes, the status of the virtual machine in the Protected Items tab is Protected.

Viewing backup status and details


Once protected, the virtual machine count also increases in the Dashboard page summary. The Dashboard
page also shows the number of jobs from the last 24 hours that were successful, have failed, and are in progress.
On the Jobs page, use the Status, Operation, or From and To menus to filter the jobs.
Values in the dashboard are refreshed once every 24 hours.

Troubleshooting errors
If you run into issues while backing up your virtual machine, look at the VM troubleshooting article for help.

Next steps
Manage and monitor your virtual machines
Restore virtual machines
Manage Azure virtual machine backups
6/27/2017 9 min to read

This article provides guidance on managing VM backups, and explains the backup alerts information available in
the portal dashboard. The guidance in this article applies to using VMs with Recovery Services vaults. This article
does not cover the creation of virtual machines, nor does it explain how to protect virtual machines. For a primer
on protecting Azure Resource Manager-deployed VMs in Azure with a Recovery Services vault, see First look:
Back up VMs to a Recovery Services vault.

Manage vaults and protected virtual machines


In the Azure portal, the Recovery Services vault dashboard provides access to information about the vault
including:
the most recent backup snapshot, which is also the latest restore point
the backup policy
total size of all backup snapshots
number of virtual machines that are protected with the vault
Many management tasks with a virtual machine backup begin with opening the vault in the dashboard. However,
because vaults can be used to protect multiple items (or multiple VMs), to view details about a particular VM,
open the vault item dashboard. The following procedure shows you how to open the vault dashboard and then
continue to the vault item dashboard. There are "tips" in both procedures that point out how to add the vault and
vault item to the Azure dashboard by using the Pin to dashboard command. Pin to dashboard is a way of
creating a shortcut to the vault or item. You can also execute common commands from the shortcut.

TIP
If you have multiple dashboards and blades open, use the dark-blue slider at the bottom of the window to slide the Azure
dashboard back and forth.

Open a Recovery Services vault in the dashboard:


1. Sign in to the Azure portal.
2. On the Hub menu, click Browse and in the list of resources, type Recovery Services. As you begin typing,
the list filters based on your input. Click Recovery Services vault.

The list of Recovery Services vaults is displayed.

TIP
If you pin a vault to the Azure Dashboard, that vault is immediately accessible when you open the Azure portal. To
pin a vault to the dashboard, in the vault list, right-click the vault, and select Pin to dashboard.

3. From the list of vaults, select the vault to open its dashboard. When you select the vault, the vault
dashboard and the Settings blade open. In the following image, the Contoso-vault dashboard is
highlighted.
Open a vault item dashboard
In the previous procedure you opened the vault dashboard. To open the vault item dashboard:
1. In the vault dashboard, on the Backup Items tile, click Azure Virtual Machines.

The Backup Items blade lists the last backup job for each item. In this example, there is one virtual
machine, demovm-markgal, protected by this vault.
TIP
For ease of access, you can pin a vault item to the Azure Dashboard. To pin a vault item, in the vault item list,
right-click the item and select Pin to dashboard.

2. In the Backup Items blade, click the item to open the vault item dashboard.

The vault item dashboard and its Settings blade open.


From the vault item dashboard, you can accomplish many key management tasks, such as:
change policies or create a new backup policy
view restore points, and see their consistency state
on-demand backup of a virtual machine
stop protecting virtual machines
resume protection of a virtual machine
delete backup data (or recovery points)
restore backup disks
For the following procedures, the starting point is the vault item dashboard.

Manage backup policies


1. On the vault item dashboard, click All Settings to open the Settings blade.

2. On the Settings blade, click Backup policy to open that blade.


On the blade, the backup frequency and retention range details are shown.
3. From the Choose backup policy menu:
To change policies, select a different policy and click Save. The new policy is immediately applied to the
vault.
To create a policy, select Create New.

For instructions on creating a backup policy, see Defining a backup policy.

Defining a backup policy


A backup policy defines a matrix of when the data snapshots are taken, and how long those snapshots are
retained. When defining a policy for backing up a VM, you can trigger a backup job once a day. When you create
a new policy, it is applied to the vault. The backup policy interface looks like this:
To create a policy:
1. Enter a name for the Policy name.
2. Snapshots of your data can be taken at Daily or Weekly intervals. Use the Backup Frequency drop-down
menu to choose whether data snapshots are taken Daily or Weekly.
If you choose a Daily interval, use the highlighted control to select the time of the day for the
snapshot. To change the hour, de-select the hour, and select the new hour.

If you choose a Weekly interval, use the highlighted controls to select the day(s) of the week, and
the time of day to take the snapshot. In the day menu, select one or multiple days. In the hour
menu, select one hour. To change the hour, de-select the selected hour, and select the new hour.

3. By default, all Retention Range options are selected. Uncheck any retention range limit you do not want
to use. Then, specify the interval(s) to use.
Monthly and Yearly retention ranges allow you to specify the snapshots based on a weekly or daily
increment.
NOTE
When protecting a VM, a backup job runs once a day. The time when the backup runs is the same for each
retention range.

4. After setting all options for the policy, at the top of the blade click Save.
The new policy is immediately applied to the vault.

NOTE
While managing backup policies, make sure to follow the best practices for optimal backup performance

On-demand backup of a virtual machine


You can take an on-demand backup of a virtual machine once it is configured for protection. If the initial backup
is pending, on-demand backup creates a full copy of the virtual machine in the Recovery Services vault. If the
initial backup is completed, an on-demand backup will only send changes from the previous snapshot, to the
Recovery Services vault. That is, subsequent backups are always incremental.

NOTE
The retention range for an on-demand backup is the retention value specified for the Daily backup point in the policy. If no
Daily backup point is selected, then the weekly backup point is used.

To trigger an on-demand backup of a virtual machine:


On the vault item dashboard, click Backup now.

The portal makes sure that you want to start an on-demand backup job. Click Yes to start the backup job.

The backup job creates a recovery point. The retention range of the recovery point is the same as retention
range specified in the policy associated with the virtual machine. To track the progress for the job, in the
vault dashboard, click the Backup Jobs tile.

Stop protecting virtual machines


If you choose to stop protecting a virtual machine, you are asked if you want to retain the recovery points. There
are two ways to stop protecting virtual machines:
stop all future backup jobs and delete all recovery points, or
stop all future backup jobs but leave the recovery points
There is a cost associated with leaving the recovery points in storage. However, the benefit of leaving the
recovery points is you can restore the virtual machine later, if desired. For information about the cost of leaving
the recovery points, see the pricing details. If you choose to delete all recovery points, you cannot restore the
virtual machine.
To stop protection for a virtual machine:
1. On the vault item dashboard, click Stop backup.

The Stop Backup blade opens.

2. On the Stop Backup blade, choose whether to retain or delete the backup data. The information box
provides details about your choice.

3. If you chose to retain the backup data, skip to step 4. If you chose to delete backup data, confirm that you
want to stop the backup jobs and delete the recovery points - type the name of the item.

If you aren't sure of the item name, hover over the exclamation mark to view the name. Also, the name of
the item is under Stop Backup at the top of the blade.
4. Optionally provide a Reason or Comment.
5. To stop the backup job for the current item, click
A notification message lets you know the backup jobs have been stopped.

Resume protection of a virtual machine


If the Retain Backup Data option was chosen when protection for the virtual machine was stopped, then it is
possible to resume protection. If the Delete Backup Data option was chosen, then protection for the virtual
machine cannot resume.
To resume protection for the virtual machine
1. On the vault item dashboard, click Resume backup.

The Backup Policy blade opens.

NOTE
When re-protecting the virtual machine, you can choose a different policy than the policy with which virtual
machine was protected initially.

2. Follow the steps in Manage backup policies to assign the policy for the virtual machine.
Once the backup policy is applied to the virtual machine, you see the following message.

Delete Backup data


You can delete the backup data associated with a virtual machine during the Stop backup job, or anytime after
the backup job has completed. It may even be beneficial to wait days or weeks before deleting the recovery
points. Unlike restoring recovery points, when deleting backup data, you cannot choose specific recovery points
to delete. If you choose to delete your backup data, you delete all recovery points associated with the item.
The following procedure assumes the Backup job for the virtual machine has been stopped or disabled. Once the
Backup job is disabled, the Resume backup and Delete backup options are available in the vault item
dashboard.

To delete backup data on a virtual machine with the Backup disabled:


1. On the vault item dashboard, click Delete backup.

The Delete Backup Data blade opens.


2. Type the name of the item to confirm you want to delete the recovery points.

If you aren't sure of the item name, hover over the exclamation mark to view the name. Also, the name of
the item is under Delete Backup Data at the top of the blade.
3. Optionally provide a Reason or Comment.
4. To delete the backup data for the current item, click
A notification message lets you know the backup data has been deleted.

Next steps
For information on re-creating a virtual machine from a recovery point, check out Restore Azure VMs. If you need
information on protecting your virtual machines, see First look: Back up VMs to a Recovery Services vault. For
information on monitoring events, see Monitor alerts for Azure virtual machine backups.
Monitor alerts for Azure virtual machine backups
8/10/2017 8 min to read

Alerts are responses from the service that an event threshold has been met or surpassed. Knowing when problems
start can be critical to keeping business costs down. Alerts typically do not occur on a schedule, and so it is helpful
to know as soon as possible after alerts occur. For example, when a backup or restore job fails, an alert occurs
within five minutes of the failure. In the vault dashboard, the Backup Alerts tile displays Critical and Warning-level
events. In the Backup Alerts settings, you can view all events. But what do you do if an alert occurs when you are
working on a separate issue? If you don't know when the alert happens, it could be a minor inconvenience, or it
could compromise data. To make sure the correct people are aware of an alert when it occurs, configure the
service to send alert notifications via email. For details on setting up email notifications, see Configure notifications.

How do I find information about the alerts?


To view information about the event that threw an alert, you must open the Backup Alerts blade. There are two
ways to open the Backup Alerts blade: either from the Backup Alerts tile in the vault dashboard, or from the Alerts
and Events blade.
To open the Backup Alerts blade from Backup Alerts tile:
On the Backup Alerts tile on the vault dashboard, click Critical or Warning to view the operational events
for that severity level.

To open the Backup Alerts blade from the Alerts and Events blade:

1. From the vault dashboard, click All Settings.


2. On the Settings blade, click Alerts and Events.
3. On the Alerts and Events blade, click Backup Alerts.
The Backup Alerts blade opens and displays the filtered alerts.

4. To view detailed information about a particular alert, from the list of events, click the alert to open its Details
blade.
To customize the attributes displayed in the list, see View additional event attributes.

Configure notifications
You can configure the service to send email notifications for the alerts that occurred over the past hour, or when
particular types of events occur.
To set up email notifications for alerts
1. On the Backup Alerts menu, click Configure notifications.

The Configure notifications blade opens.


2. On the Configure notifications blade, for Email notifications, click On.
The Recipients and Severity dialogs have a star next to them because that information is required. Provide at
least one email address, and select at least one Severity.
3. In the Recipients (Email) dialog, type the email addresses of the people who should receive the notifications.
Use the format: username@domainname.com. Separate multiple email addresses with a semicolon (;).
4. In the Notify area, choose Per Alert to send notification when the specified alert occurs, or Hourly Digest to
send a summary for the past hour.
5. In the Severity dialog, choose one or more levels that you want to trigger email notification.
6. Click Save.
What alert types are available for Azure IaaS VM backup?
ALERT LEVEL      ALERTS SENT
Critical         Backup failure, recovery failure
Warning          None
Informational    None

Are there situations where email isn't sent even if notifications are configured?
There are situations where an alert is not sent, even though the notifications have been properly configured. In the
following situations email notifications are not sent to avoid alert noise:
If notifications are configured to Hourly Digest, and an alert is raised and resolved within the hour.
The job is canceled.
A backup job is triggered and then fails, and another backup job is in progress.
A scheduled backup job for a Resource Manager-enabled VM starts, but the VM no longer exists.

Customize your view of events


The Audit logs setting comes with a pre-defined set of filters and columns showing operational event information.
You can customize the view so that when the Events blade opens, it shows you the information you want.
1. In the vault dashboard, browse to and click Audit Logs to open the Events blade.

The Events blade opens to the operational events filtered just for the current vault.
The blade shows the list of Critical, Error, Warning, and Informational events that occurred in the past week.
The time span is a default value set in the Filter. The Events blade also shows a bar chart tracking when the
events occurred. If you don't want to see the bar chart, in the Events menu, click Hide chart to toggle off the
chart. The default view of Events shows Operation, Level, Status, Resource, and Time information. For
information about exposing additional Event attributes, see the section expanding Event information.
2. For additional information on an operational event, in the Operation column, click an operational event to
open its blade. The blade contains detailed information about the events. Events are grouped by their
correlation ID and a list of the events that occurred in the Time span.
3. To view detailed information about a particular event, from the list of events, click the event to open its
Details blade.

The Event-level information is as detailed as the information gets. If you prefer seeing this much information
about each event, and would like to add this much detail to the Events blade, see the section expanding
Event information.

Customize the event filter


Use the Filter to adjust or choose the information that appears in a particular blade. To filter the event information:
1. In the vault dashboard, browse to and click Audit Logs to open the Events blade.

The Events blade opens to the operational events filtered just for the current vault.
2. On the Events menu, click Filter to open that blade.

3. On the Filter blade, adjust the Level, Time span, and Caller filters. The other filters are not available since
they were set to provide the current information for the Recovery Services vault.
You can specify the Level of event: Critical, Error, Warning, or Informational. You can choose any
combination of event Levels, but you must have at least one Level selected. Toggle the Level on or off. The
Time span filter allows you to specify the length of time for capturing events. If you use a custom Time
span, you can set the start and end times.
4. Once you are ready to query the operations logs using your filter, click Update. The results display in the
Events blade.
View additional event attributes
Using the Columns button, you can enable additional event attributes to appear in the list on the Events blade. The
default list of events displays information for Operation, Level, Status, Resource, and Time. To enable additional
attributes:
1. On the Events blade, click Columns.

The Choose columns blade opens.


2. To select the attribute, click the checkbox. The attribute checkbox toggles on and off.
3. Click Reset to reset the list of attributes in the Events blade. After adding or removing attributes from the list,
use Reset to view the new list of Event attributes.
4. Click Update to update the data in the Event attributes. The following table provides information about each
attribute.

COLUMN NAME      DESCRIPTION
Operation        The name of the operation
Level            The level of the operation, values can be: Informational, Warning, Error, or Critical
Status           Descriptive state of the operation
Resource         URL that identifies the resource; also known as the resource ID
Time             Time, measured from the current time, when the event occurred
Caller           Who or what called or triggered the event; can be the system, or a user
Timestamp        The time when the event was triggered
Resource Group   The associated resource group
Resource Type    The internal resource type used by Resource Manager
Subscription ID  The associated subscription ID
Category         Category of the event
Correlation ID   Common ID for related events

Use PowerShell to customize alerts


You can get custom alert notifications for the jobs in the portal. To get these notifications, define
PowerShell-based alert rules on the operational logs events. Use PowerShell version 1.3.0 or later.
To define a custom notification to alert for backup failures, use a command like the following script:

PS C:\> $actionEmail = New-AzureRmAlertRuleEmail -CustomEmail contoso@microsoft.com


# Alert whenever a Backup operation on the vault reports the status Failed.
PS C:\> Add-AzureRmLogAlertRule -Name backupFailedAlert -Location "East US" `
    -ResourceGroup RecoveryServices-DP2RCXUGWS3MLJF4LKPI3A3OMJ2DI4SRJK6HIJH22HFIHZVVELRQ-East-US `
    -OperationName Microsoft.RecoveryServices/recoveryServicesVault/Backup `
    -Status Failed `
    -TargetResourceId /subscriptions/86eeac34-eth9a-4de3-84db-7a27d121967e/resourceGroups/RecoveryServices-DP2RCXUGWS3MLJF4LKPI3A3OMJ2DI4SRJK6HIJH22HFIHZVVELRQ-East-US/providers/Microsoft.RecoveryServices/vaults/trinadhVault `
    -Actions $actionEmail

ResourceId : You can get ResourceId from the Audit logs. The ResourceId is a URL provided in the Resource
column of the Operation logs.
OperationName : OperationName is in the format
"Microsoft.RecoveryServices/recoveryServicesVault/EventName" where EventName can be:
Register
Unregister
ConfigureProtection
Backup
Restore
StopProtection
DeleteBackupData
CreateProtectionPolicy
DeleteProtectionPolicy
UpdateProtectionPolicy
Status : Supported values are Started, Succeeded, or Failed.
ResourceGroup : This is the Resource Group to which the resource belongs. You can add the Resource Group
column to the generated logs. Resource Group is one of the available types of event information.
Name : Name of the Alert Rule.
CustomEmail : Specify the custom email address to which you want to send an alert notification.
SendToServiceOwners : This option sends alert notifications to all administrators and co-administrators of the
subscription. It can be used in the New-AzureRmAlertRuleEmail cmdlet.
Limitations on Alerts
Event-based alerts are subject to the following limitations:
1. Alerts are triggered on all virtual machines in the Recovery Services vault. You cannot customize the alert for a
subset of virtual machines in a Recovery Services vault.
2. This feature is in Preview. Learn more
3. Alerts are sent from "alerts-noreply@mail.windowsazure.com". Currently you can't modify the email sender.

Next steps
Event logs enable great post-mortem and audit support for the backup operations. The following operations are
logged:
Register
Unregister
Configure protection
Backup (Both scheduled as well as on-demand backup)
Restore
Stop protection
Delete backup data
Add policy
Delete policy
Update policy
Cancel job
For a broad explanation of events, operations, and audit logs across the Azure services, see the article, View events
and audit logs.
For information on re-creating a virtual machine from a recovery point, check out Restore Azure VMs. If you need
information on protecting your virtual machines, see First look: Back up VMs to a Recovery Services vault. Learn
about the management tasks for VM backups in the article, Manage Azure virtual machine backups.
Manage common Azure Backup jobs and trigger
alerts in the classic portal
8/10/2017 8 min to read

This article provides information about common management and monitoring tasks for Classic-model virtual
machines protected in Azure.

NOTE
Azure has two deployment models for creating and working with resources: Resource Manager and Classic. See Prepare your
environment to back up Azure virtual machines for details on working with Classic deployment model VMs.

IMPORTANT
Starting March 2017, you can no longer use the classic portal to create Backup vaults.
You can now upgrade your Backup vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to a
Recovery Services vault. Microsoft encourages you to upgrade your Backup vaults to Recovery Services vaults.
After October 15, 2017, you can't use PowerShell to create Backup vaults. By November 1, 2017:
All remaining Backup vaults will be automatically upgraded to Recovery Services vaults.
You won't be able to access your backup data in the classic portal. Instead, use the Azure portal to access your backup
data in Recovery Services vaults.

Manage protected virtual machines


To manage protected virtual machines:
1. To view and manage backup settings for a virtual machine click the Protected Items tab.
2. Click on the name of a protected item to see the Backup Details tab, which shows you information about
the last backup.
3. To view and manage backup policy settings for a virtual machine click the Policies tab.

The Backup Policies tab shows you the existing policy. You can modify as needed. If you need to create a
new policy click Create on the Policies page. Note that if you want to remove a policy it shouldn't have any
virtual machines associated with it.
4. You can get more information about actions or status for a virtual machine on the Jobs page. Click a job in
the list to get more details, or filter jobs for a specific virtual machine.

On-demand backup of a virtual machine


You can take an on-demand backup of a virtual machine once it is configured for protection. If the initial backup is
pending for the virtual machine, an on-demand backup creates a full copy of the virtual machine in the Azure Backup
vault. If the first backup is completed, an on-demand backup sends only the changes from the previous backup to the
Azure Backup vault; that is, it is always incremental.
NOTE
Retention range of an on-demand backup is set to retention value specified for Daily retention in backup policy
corresponding to the VM.

To take an on-demand backup of a virtual machine:


1. Navigate to the Protected Items page and select Azure Virtual Machine as Type (if not already selected)
and click the Select button.

2. Select the virtual machine on which you want to take an on-demand backup and click the Backup Now
button at the bottom of the page.

This creates a backup job on the selected virtual machine. The retention range of the recovery point created
through this job is the same as that specified in the policy associated with the virtual machine.

NOTE
To view the policy associated with a virtual machine, drill down into the virtual machine in the Protected Items page
and go to the backup policy tab.

3. Once the job is created, you can click the View job button in the toast bar to see the corresponding job in the
jobs page.

4. After successful completion of the job, a recovery point is created, which you can use to restore the virtual
machine. This also increments the recovery point column value by 1 in the Protected Items page.

Stop protecting virtual machines


You can choose to stop the future backups of a virtual machine with the following options:
Retain backup data associated with virtual machine in Azure Backup vault
Delete backup data associated with virtual machine
If you have selected to retain backup data associated with virtual machine, you can use the backup data to restore
the virtual machine. For pricing details for such virtual machines, click here.
To Stop protection for a virtual machine:
1. Navigate to Protected Items page and select Azure virtual machine as the filter type (if not already
selected) and click on Select button.
2. Select the virtual machine and click on Stop Protection at the bottom of the page.

3. By default, Azure Backup doesn't delete the backup data associated with the virtual machine.

If you want to delete backup data, select the check box.

Please select a reason for stopping the backup. While this is optional, providing a reason will help Azure
Backup to work on the feedback and prioritize the customer scenarios.
4. Click the Submit button to submit the Stop protection job. Click View Job to see the corresponding
job in the Jobs page.

If you did not select the Delete associated backup data option in the Stop Protection wizard, then after the
job completes, the protection status changes to Protection Stopped. The data remains with Azure Backup
until it is explicitly deleted. You can always delete the data by selecting the virtual machine in the Protected
Items page and clicking Delete.

If you selected the Delete associated backup data option, the virtual machine won't be part of the
Protected Items page.

Re-protect Virtual machine


If you did not select the Delete associated backup data option in Stop Protection, you can re-protect the
virtual machine by following steps similar to those for backing up registered virtual machines. Once protected, this
virtual machine has the backup data retained prior to stop protection and the recovery points created after re-protect.
After re-protect, the virtual machine's protection status changes to Protected if there are recovery points
prior to Stop Protection.

NOTE
When re-protecting the virtual machine, you can choose a different policy than the policy with which virtual machine was
protected initially.

Unregister virtual machines


If you want to remove the virtual machine from the backup vault:
1. Click on the UNREGISTER button at the bottom of the page.

A toast notification will appear at the bottom of the screen requesting confirmation. Click YES to continue.

Delete Backup data


You can delete the backup data associated with a virtual machine, either:
During Stop Protection Job
After a stop protection job is completed on a virtual machine
To delete backup data on a virtual machine, which is in the Protection Stopped state post successful completion of a
Stop Backup job:
1. Navigate to the Protected Items page and select Azure Virtual Machine as type and click the Select
button.

2. Select the virtual machine. The virtual machine will be in Protection Stopped state.
3. Click the DELETE button at the bottom of the page.

4. In the Delete backup data wizard, select a reason for deleting backup data (highly recommended) and click
Submit.

5. This will create a job to delete backup data of selected virtual machine. Click View job to see corresponding
job in Jobs page.

Once the job is completed, the entry corresponding to the virtual machine will be removed from Protected
items page.

Dashboard
On the Dashboard page you can review information about Azure virtual machines, their storage, and jobs
associated with them in the last 24 hours. You can view backup status and any associated backup errors.
NOTE
Values in the dashboard are refreshed once every 24 hours.

Auditing Operations
Azure backup provides review of the "operation logs" of backup operations triggered by the customer making it
easy to see exactly what management operations were performed on the backup vault. Operations logs enable
great post-mortem and audit support for the backup operations.
The following operations are logged in Operation logs:
Register
Unregister
Configure protection
Backup (both scheduled as well as on-demand backup through BackupNow)
Restore
Stop protection
Delete backup data
Add policy
Delete policy
Update policy
Cancel job
To view operation logs corresponding to a backup vault:
1. Navigate to Management services in Azure portal, and then click the Operation Logs tab.
2. In the filters, select Backup as Type and specify the backup vault name in service name and click on Submit.

3. In the operations logs, select any operation and click Details to see details corresponding to an operation.
The Details wizard contains information about the operation triggered, job Id, resource on which this
operation is triggered, and start time of the operation.
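The operation logs described above, like the audit logs of a Recovery Services vault described earlier on this page, can be reviewed for succeeded operations that reduce protection, such as a StopProtection followed shortly by DeleteBackupData. The following is an added example, not Microsoft's code: the record field names (timestamp, operationName, status, caller, resourceId), the REDUCES_PROTECTION set, the 24-hour window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# EventName values the page lists for the OperationName parameter.
EVENT_NAMES = {
    "Register", "Unregister", "ConfigureProtection", "Backup", "Restore",
    "StopProtection", "DeleteBackupData", "CreateProtectionPolicy",
    "DeleteProtectionPolicy", "UpdateProtectionPolicy",
}
# Assumption made for this example, not a classification from the page:
# operations that leave a vault with less protection than before.
REDUCES_PROTECTION = {
    "Unregister", "StopProtection", "DeleteBackupData", "DeleteProtectionPolicy",
}


def event_name(operation_name):
    """'Microsoft.RecoveryServices/recoveryServicesVault/Backup' -> 'Backup'."""
    name = operation_name.rsplit("/", 1)[-1]
    if name not in EVENT_NAMES:
        raise ValueError("unknown backup operation: " + operation_name)
    return name


def resource_group(resource_id):
    """The value between /resourceGroups/ and /providers/ in a ResourceId."""
    marker = "/resourcegroups/"
    lowered = resource_id.lower()
    start = lowered.find(marker)
    end = lowered.find("/providers/", start)
    if start < 0 or end < 0:
        raise ValueError("ResourceId has no resource group: " + resource_id)
    return resource_id[start + len(marker):end]


def triage(events, window=timedelta(hours=24)):
    """Return one finding per succeeded operation that reduces protection.

    A DeleteBackupData that follows a StopProtection on the same resource
    within `window` is rated 'high'; every other finding is 'review'.
    """
    findings = []
    stopped_at = {}  # resource id -> time of the last StopProtection
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["timestamp"]))
    for ev in ordered:
        name = event_name(ev["operationName"])
        if name not in REDUCES_PROTECTION or ev["status"] != "Succeeded":
            continue
        when = datetime.fromisoformat(ev["timestamp"])
        resource = ev["resourceId"].lower()
        severity = "review"
        if name == "StopProtection":
            stopped_at[resource] = when
        elif name == "DeleteBackupData":
            stop = stopped_at.get(resource)
            if stop is not None and when - stop <= window:
                severity = "high"
        findings.append({
            "time": ev["timestamp"],
            "operation": name,
            "severity": severity,
            "caller": ev["caller"],
            "resource_group": resource_group(ev["resourceId"]),
            "vault": ev["resourceId"].rsplit("/", 1)[-1],
        })
    return findings


def make_event(timestamp, operation_name, status, caller, resource_id):
    """Build one record; the field names are assumptions, not an Azure schema."""
    return {"timestamp": timestamp, "operationName": operation_name,
            "status": status, "caller": caller, "resourceId": resource_id}


# Constructed sample data: placeholder subscription, vaults and callers.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RS_VAULT = (SUB + "/resourceGroups/example-rg/providers/"
            "Microsoft.RecoveryServices/vaults/example-vault")
CLASSIC_VAULT = (SUB + "/resourceGroups/classic-rg/providers/"
                 "Microsoft.Backup/BackupVault/old-vault")
RS = "Microsoft.RecoveryServices/recoveryServicesVault/"
CLASSIC = "Microsoft.Backup/backupVault/"
SAMPLE_EVENTS = [
    make_event("2017-08-10T11:30:00", CLASSIC + "Unregister", "Succeeded", "ops@example.com", CLASSIC_VAULT),
    make_event("2017-08-10T02:00:00", RS + "Backup", "Succeeded", "system", RS_VAULT),
    make_event("2017-08-10T09:00:00", RS + "StopProtection", "Succeeded", "admin@example.com", RS_VAULT),
    make_event("2017-08-10T09:04:00", RS + "DeleteBackupData", "Started", "admin@example.com", RS_VAULT),
    make_event("2017-08-10T09:05:00", RS + "DeleteBackupData", "Succeeded", "admin@example.com", RS_VAULT),
    make_event("2017-08-10T09:10:00", RS + "DeleteProtectionPolicy", "Failed", "admin@example.com", RS_VAULT),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```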

Alert notifications
You can get custom alert notifications for the jobs in portal. This is achieved by defining PowerShell-based alert
rules on operational logs events. We recommend using PowerShell version 1.3.0 or above.
To define a custom notification to alert for backup failures, a sample command will look like:

PS C:\> $actionEmail = New-AzureRmAlertRuleEmail -CustomEmail contoso@microsoft.com


# Alert whenever a Backup operation on the backup vault reports the status Failed.
PS C:\> Add-AzureRmLogAlertRule -Name backupFailedAlert -Location "East US" `
    -ResourceGroup RecoveryServices-DP2RCXUGWS3MLJF4LKPI3A3OMJ2DI4SRJK6HIJH22HFIHZVVELRQ-East-US `
    -OperationName Microsoft.Backup/backupVault/Backup `
    -Status Failed `
    -TargetResourceId /subscriptions/86eeac34-eth9a-4de3-84db-7a27d121967e/resourceGroups/RecoveryServices-DP2RCXUGWS3MLJF4LKPI3A3OMJ2DI4SRJK6HIJH22HFIHZVVELRQ-East-US/providers/microsoft.backupbvtd2/BackupVault/trinadhVault `
    -Actions $actionEmail

ResourceId: You can get this from the Operation Logs pop-up described in the preceding section. The ResourceUri
shown in the details pop-up window of an operation is the ResourceId to supply to this cmdlet.
OperationName: This has the format "Microsoft.Backup/backupvault/<EventName>", where EventName is one of
Register, Unregister, ConfigureProtection, Backup, Restore, StopProtection, DeleteBackupData,
CreateProtectionPolicy, DeleteProtectionPolicy, UpdateProtectionPolicy.
Status: Supported values are Started, Succeeded, and Failed.
ResourceGroup: The resource group of the resource on which the operation is triggered. You can obtain it from
the ResourceId value: it is the value between /resourceGroups/ and /providers/.
Name: Name of the alert rule.
CustomEmail: The custom email address to which you want to send the alert notification.
SendToServiceOwners: This option sends the alert notification to all administrators and co-administrators of the
subscription. It can be used in the New-AzureRmAlertRuleEmail cmdlet.
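The parameter rules above, as an added PowerShell example (not part of the original article and not Microsoft's code): it derives ResourceGroup from a ResourceId, checks event and status names against the lists on this page, and builds one alert rule per operation, including the deletion-type operations that matter most for auditing. The function names, the vault ID, and the email address are hypothetical placeholders.

```powershell
# Added example. Event names, status values and the OperationName prefix come from
# this page; function names and all sample values are hypothetical.

$ValidEvents = 'Register','Unregister','ConfigureProtection','Backup','Restore',
               'StopProtection','DeleteBackupData','CreateProtectionPolicy',
               'DeleteProtectionPolicy','UpdateProtectionPolicy'
$ValidStatus = 'Started','Succeeded','Failed'

function Get-ResourceGroupFromResourceId {
    param([Parameter(Mandatory)][string]$ResourceId)
    # The resource group is the segment between /resourceGroups/ and /providers/.
    if ($ResourceId -match '/resourceGroups/([^/]+)/providers/') {
        return $Matches[1]
    }
    throw "ResourceId has no /resourceGroups/<name>/providers/ segment: $ResourceId"
}

function New-BackupAlertRuleSpec {
    param(
        [Parameter(Mandatory)][string]$ResourceId,
        [Parameter(Mandatory)][string]$Location,
        [Parameter(Mandatory)][string[]]$EventName,
        [Parameter(Mandatory)][string]$Status
    )
    if ($ValidStatus -notcontains $Status) { throw "Unsupported status: $Status" }
    $rg = Get-ResourceGroupFromResourceId -ResourceId $ResourceId
    foreach ($evt in $EventName) {
        if ($ValidEvents -notcontains $evt) { throw "Unknown event name: $evt" }
        # One hashtable per rule, shaped for splatting into Add-AzureRmLogAlertRule.
        @{
            Name             = "backup-$evt-$Status"
            Location         = $Location
            ResourceGroup    = $rg
            OperationName    = "Microsoft.Backup/backupVault/$evt"
            Status           = $Status
            TargetResourceId = $ResourceId
        }
    }
}

# Constructed sample ResourceId (placeholder subscription, group and vault).
$vaultId = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/' +
           'ExampleBackupRG/providers/Microsoft.Backup/BackupVault/exampleVault'

# Failed backups, plus successful operations that remove protection or backup data.
$specs  = @(New-BackupAlertRuleSpec -ResourceId $vaultId -Location 'East US' `
              -EventName 'Backup' -Status 'Failed')
$specs += New-BackupAlertRuleSpec -ResourceId $vaultId -Location 'East US' `
              -EventName 'StopProtection','DeleteBackupData','DeleteProtectionPolicy' `
              -Status 'Succeeded'

# Show what would be created.
$specs | ForEach-Object { '{0,-40} {1}' -f $_.Name, $_.OperationName }

# Set to $true after signing in (Login-AzureRmAccount) to create the rules.
$Apply = $false
if ($Apply) {
    $actionEmail = New-AzureRmAlertRuleEmail -CustomEmail 'backup-alerts@example.com'
    foreach ($spec in $specs) {
        Add-AzureRmLogAlertRule @spec -Actions $actionEmail
    }
}
```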
Limitations on Alerts
Event-based alerts are subject to the following limitations:
1. Alerts are triggered on all virtual machines in the backup vault. You cannot customize them to get alerts for a
specific set of virtual machines in a backup vault.
2. This feature is in Preview. Learn more
3. You will receive alerts from "alerts-noreply@mail.windowsazure.com". Currently you can't modify the email
sender.

Next steps
Restore Azure VMs
Recover files from Azure virtual machine backup
9/28/2017

Azure Backup provides the capability to restore Azure virtual machines (VMs) and disks from Azure VM backups,
also known as restore points. This article explains how to recover files and folders from an Azure VM backup.
Restoring files and folders is available only for Azure VMs deployed using the Resource Manager model and
protected to a Recovery services vault.

NOTE
File recovery from an encrypted VM backup is not supported.

Mount the volume and copy files


To restore files or folders from the restore point, go to the virtual machine and choose the restore point.
1. Sign into the Azure portal and in the left-hand menu, click Virtual machines. From the list of virtual
machines, select the virtual machine to open that virtual machine's dashboard.
2. In the virtual machine's menu, click Backup to open the Backup dashboard.
3. In the Backup dashboard menu, click File Recovery to open its menu.

4. From the Select recovery point drop-down menu, select the recovery point that contains the files you
want. By default, the latest recovery point is already selected.
5. To download the software used to copy files from the recovery point, click Download Executable (for
Windows Azure VM) or Download Script (for Linux Azure VM).

Azure downloads the executable or script to the local computer.

To run the executable or script as an administrator, it is suggested you save the download to your computer.
6. The executable or script is password protected, and requires a password. In the File Recovery menu, click
the copy button to load the password into memory.

7. From the download location (usually the Downloads folder), right-click the executable or script and run it
with Administrator credentials. When prompted, type the password or paste the password from memory,
and press Enter. Once the valid password is entered, the script connects to the recovery point.

If you run the script on a computer with restricted access, ensure there is access to:
download.microsoft.com
Azure endpoints used for Azure VM backups
outbound port 3260
For Linux, the script requires 'open-iscsi' and 'lshw' components to connect to the recovery point. If the
components do not exist on the computer where the script is run, the script asks for permission to install the
components. Provide consent to install the necessary components.
You can run the script on any machine that has the same (or compatible) operating system as the backed-up
VM. See the Compatible OS table for compatible operating systems. If the protected Azure virtual machine
uses Windows Storage Spaces (for Windows Azure VMs) or LVM/RAID Arrays (for Linux VMs), you can't run
the executable or script on the same virtual machine. Instead, run the executable or script on any other
machine with a compatible operating system.
Compatible OS
For Windows
The following table shows the compatibility between server and computer operating systems. When recovering
files, you can't restore files to a previous or future operating system version. For example, you can't restore a file
from a Windows Server 2016 VM to Windows Server 2012 or Windows 8 computer. You can restore files from a
VM to the same server operating system, or to the compatible client operating system.

| SERVER OS | COMPATIBLE CLIENT OS |
| --- | --- |
| Windows Server 2016 | Windows 10 |
| Windows Server 2012 R2 | Windows 8.1 |
| Windows Server 2012 | Windows 8 |
| Windows Server 2008 R2 | Windows 7 |


For Linux
In Linux, the OS of the computer used to restore files must support the file system of the protected virtual machine.
When selecting a computer to run the script, ensure the computer has a compatible OS, and uses one of the
versions identified in the following table:

| LINUX OS | VERSIONS |
| --- | --- |
| Ubuntu | 12.04 and above |
| CentOS | 6.5 and above |
| RHEL | 6.7 and above |
| Debian | 7 and above |
| Oracle Linux | 6.4 and above |

The script also requires Python and bash components to execute and connect securely to the recovery point.

| COMPONENT | VERSION |
| --- | --- |
| bash | 4 and above |
| python | 2.6.6 and above |

Identifying Volumes
For Windows
When you run the executable, the operating system mounts the new volumes and assigns drive letters. You can use
Windows Explorer or File Explorer to browse those drives. The drive letters assigned to the volumes may not be the
same letters as on the original virtual machine; however, the volume name is preserved. For example, if the volume
on the original virtual machine was Data Disk (E:\), that volume can be attached on the local computer as Data
Disk ('Any letter':\). Browse through all volumes mentioned in the script output until you find your files/folder.

For Linux
In Linux, the volumes of the recovery point are mounted to the folder where the script is run. The attached disks,
volumes, and the corresponding mount paths are shown accordingly. These mount paths are visible to users
having root level access. Browse through the volumes mentioned in the script output.
Closing the connection
After identifying the files and copying them to a local storage location, remove (or unmount) the additional drives.
To unmount the drives, on the File Recovery menu in the Azure portal, click Unmount Disks.

Once the disks have been unmounted, you receive a message letting you know it was successful. It may take a few
minutes for the connection to refresh so that you can remove the disks.
In Linux, after the connection to the recovery point is severed, the OS doesn't remove the corresponding mount
paths automatically. The mount paths exist as "orphan" volumes and they are visible but throw an error when you
access/write the files. They can be manually removed. The script, when run, identifies any such volumes existing
from any previous recovery points and cleans them up upon consent.

Special configurations
Dynamic Disks
If the protected Azure VM has volumes with one or both of the following characteristics, you can't run the
executable script on the same VM.
Volumes that span multiple disks (spanned and striped volumes)
Fault-tolerant volumes (mirrored and RAID-5 volumes) on dynamic disks
Instead, run the executable script on any other computer with a compatible operating system.
Windows Storage Spaces
Windows Storage Spaces is a Windows technology that enables you to virtualize storage. With Windows Storage
Spaces you can group industry-standard disks into storage pools. Then you use the available space in those storage
pools to create virtual disks, called storage spaces.
If the protected Azure VM uses Windows Storage Spaces, you can't run the executable script on the same VM.
Instead, run the executable script on any other machine with a compatible operating system.
LVM/RAID Arrays
In Linux, Logical volume manager (LVM) and/or software RAID Arrays are used to manage logical volumes over
multiple disks. If the protected Linux VM uses LVM and/or RAID Arrays, you can't run the script on the same VM.
Instead run the script on any other machine with a compatible OS and which supports the file system of the
protected VM.
The following script output displays the LVM and/or RAID Arrays disks and the volumes with the partition type.

To bring these partitions online, run the commands in the following sections.
For LVM Partitions
To list the volume group names under a physical volume:

$ pvs <volume name as shown above in the script output>

To list all logical volumes, names, and their paths in a volume group:

$ lvdisplay <volume-group-name from the pvs commands results>

To mount the logical volumes to the path of your choice:

$ mount <LV path> </mountpath>

For RAID Arrays


The following command displays details about all RAID disks.

$ mdadm --detail --scan

The relevant RAID disk is displayed as /dev/mdm/<RAID array name in the protected VM>

Use the mount command if the RAID disk has physical volumes.

$ mount [RAID Disk Path] [/mountpath]

If the RAID disk has another LVM configured in it, then use the preceding procedure for LVM partitions but use the
volume name in place of the RAID Disk name.

Troubleshooting
If you have problems while recovering files from the virtual machines, check the following table for additional
information.

| ERROR MESSAGE / SCENARIO | PROBABLE CAUSE | RECOMMENDED ACTION |
| --- | --- | --- |
| Exe output: Exception connecting to the target | Script is not able to access the recovery point | Check whether the machine fulfills the previous access requirements. |
| Exe output: The target has already been logged in via an ISCSI session. | The script was already executed on the same machine and the drives have been attached | The volumes of the recovery point have already been attached. They may NOT be mounted with the same drive letters of the original VM. Browse through all the available volumes in the file explorer for your file. |
| Exe output: This script is invalid because the disks have been dismounted via portal/exceeded the 12-hr limit. Download a new script from the portal. | The disks have been dismounted from the portal or the 12-hr limit exceeded | This particular exe is now invalid and can't be run. If you want to access the files of that recovery point-in-time, visit the portal for a new exe. |
| On the machine where the exe is run: The new volumes are not dismounted after the dismount button is clicked | The ISCSI initiator on the machine is not responding/refreshing its connection to the target and maintaining the cache | Wait a few minutes after the dismount button is pressed. If the new volumes are still not dismounted, browse through all the volumes. This forces the initiator to refresh the connection, and the volume is dismounted with an error message that the disk is not available. |
| Exe output: Script is run successfully but "New volumes attached" is not displayed on the script output | This is a transient error | The volumes would have been already attached. Open Explorer to browse. If you are using the same machine for running scripts every time, consider restarting the machine and the list should be displayed in the subsequent exe runs. |
| Linux specific: Not able to view the desired volumes | The OS of the machine where the script is run may not recognize the underlying filesystem of the protected VM | Check whether the recovery point is crash consistent or file-consistent. If file consistent, run the script on another machine whose OS recognizes the protected VM's filesystem. |
| Windows specific: Not able to view the desired volumes | The disks may have been attached but the volumes were not configured | From the disk management screen, identify the additional disks related to the recovery point. If any of these disks are in offline state, try bringing them online by right-clicking the disk and clicking 'Online'. |
Use the Azure portal to restore virtual machines
10/6/2017

Protect your data by taking snapshots of your data at defined intervals. These snapshots are known as recovery
points, and they're stored in Recovery Services vaults. If it's necessary to repair or rebuild a virtual machine (VM),
you can restore the VM from any of the saved recovery points. When you restore a recovery point, you can:
Create a new VM, which is a point-in-time representation of your backed-up VM.
Restore disks, and use the template that comes with the process to customize the restored VM, or do an
individual file recovery.
This article explains how to restore a VM to a new VM or restore all backed-up disks. For individual file recovery,
see Recover files from an Azure VM backup.

NOTE
Azure has two deployment models for creating and working with resources: Azure Resource Manager and classic. This article
provides the information and procedures used to restore deployed VMs by using the Resource Manager model.

Restoring a VM or all disks from VM backup involves two steps:


Select a restore point for restore.
Select the restore type, create a new VM or restore disks, and specify the required parameters.

Select a restore point for restore


1. Sign in to the Azure portal.
2. On the Azure menu, select Browse. In the list of services, type Recovery Services. The list of services
adjusts to what you type. When you see Recovery Services vaults, select it.
The list of vaults in the subscription is displayed.

3. From the list, select the vault associated with the VM you want to restore. When you select the vault, its
dashboard opens.
4. In the vault dashboard, on the Backup Items tile, select Azure Virtual Machines.

The Backup Items blade opens and displays the list of Azure VMs.
5. From the list, select a VM to open the dashboard. The VM dashboard opens to the monitoring area, which
contains the Restore points tile.

6. On the VM dashboard menu, select Restore.

The Restore blade opens.


7. On the Restore blade, select Restore point. The Select restore point blade opens.

By default, the dialog box displays all the restore points from the last 30 days. Use the Filter to alter the
time range of the restore points displayed. By default, restore points of all consistencies are displayed.
Modify the All restore points filter to select a specific restore point consistency. For more information
about each type of restoration point, see Data consistency.
Restore point consistency options:
Crash consistent restore points
Application consistent restore points
File-system consistent restore points
All restore points
8. Choose a restore point, and select OK.
The Restore blade shows that the restore point is set.
9. If you're not already there, go to the Restore blade. Ensure that a restore point is selected, and select
Restore configuration. The Restore configuration blade opens.

Choose a VM restore configuration


After you select the restore point, choose a VM restore configuration. To configure the restored VM, you can use
the Azure portal or PowerShell.
1. If you're not already there, go to the Restore blade. Ensure that a restore point is selected, and select
Restore configuration. The Restore configuration blade opens.
2. On the Restore configuration blade, you have two choices:
Create virtual machine
Restore disks
The portal provides a Quick Create option for a restored VM. To customize the VM configuration or the names of
the resources created as part of the Create virtual machine choice, use PowerShell or the portal to restore
backed-up disks. Use PowerShell commands to attach them to your choice of VM configuration. Or you can use the
template that comes with restored disks to customize the restored VM. For information on how to restore a VM that
has multiple NICs or is under a load balancer, see Restore a VM with special network configurations. If your
Windows VM uses HUB licensing, restore disks and use PowerShell/Template as specified in this article to create the
VM. Make sure that you specify the License Type as "Windows_Server" while you create the VM to get HUB benefits
on the restored VM.

Create a new VM from a restore point


1. If you're not already there, select a restore point before you begin to create a new VM from a restore point.
After you select a restore point, on the Restore configuration blade, enter or select values for each of the
following fields:
a. Restore Type. Create a virtual machine.
b. Virtual machine name. Provide a name for the VM. The name must be unique to the resource group
(for an Azure Resource Manager-deployed VM) or cloud service (for a classic VM). You can't replace the VM
if it already exists in the subscription.
c. Resource group. Use an existing resource group or create a new one. If you're restoring a classic VM, use
this field to specify the name of a new cloud service. If you're creating a new resource group/cloud service,
the name must be globally unique. Typically, the cloud service name is associated with a public-facing URL:
for example, [cloudservice].cloudapp.net. If you attempt to use a name for the cloud resource group/cloud
service already in use, Azure assigns the resource group/cloud service the same name as the VM. Azure
displays resource groups/cloud services and VMs not associated with any affinity groups. For more
information, see How to migrate from affinity groups to a regional virtual network.
d. Virtual network. Select the virtual network when you create the VM. The field provides all virtual
networks associated with the subscription. The resource group of the VM is displayed in parentheses.
e. Subnet. If the virtual network has subnets, the first subnet is selected by default. If there are additional
subnets, select the subnet you want.
f. Storage Account. This menu lists the storage accounts in the same location as the Recovery Services
vault. Storage accounts that are zone redundant aren't supported. If there are no storage accounts with the
same location as the Recovery Services vault, you must create one before you start the restore operation.
The storage account's replication type is displayed in parentheses.

NOTE
If you restore a Resource Manager-deployed VM, you must identify a virtual network. A virtual network is
optional for a classic VM.
If you restore VMs with managed disks, make sure that the storage account selected has never been enabled for
Azure Storage Service Encryption at any point in its lifetime.
Based on the storage type of the storage account selected (premium or standard), all disks restored will be
either premium or standard disks. We currently don't support a mixed mode of disks when restoring.

2. On the Restore configuration blade, select OK to finalize the restore configuration. On the Restore blade,
select Restore to trigger the restore operation.
Restore backed-up disks
To customize the VM you create from backed-up disks beyond the options available in the Restore
configuration blade, select Restore disks as the value for Restore Type. This choice asks for a storage account
where disks from backups are to be copied. When you choose a storage account, select an account that shares the
same location as the Recovery Services vault. Storage accounts that are zone redundant aren't supported. If there
are no storage accounts with the same location as the Recovery Services vault, you must create one before you
start the restore operation. The storage account's replication type is displayed in parentheses.
After the restore operation is finished, you can:
Use the template to customize the restored VM
Use the restored disks to attach to an existing VM
Create a new VM by using PowerShell from restored disks
On the Restore configuration blade, select OK to finalize the restore configuration. On the Restore blade, select
Restore to trigger the restore operation.

Track the restore operation


After you trigger the restore operation, the backup service creates a job for tracking the restore operation. The
backup service also creates and temporarily displays the notification in the Notifications area of the portal. If you
don't see the notification, select the Notifications symbol to view your notifications.
To view the operation while it's processing, or to view it when it's finished, open the Backup jobs list.
1. On the Azure menu, select Browse, and in the list of services, type Recovery Services. The list of services
adjusts to what you type. When you see Recovery Services vaults, select it.

The list of vaults in the subscription is displayed.

2. From the list, select the vault associated with the VM you restored. When you select the vault, its dashboard
opens.
3. In the vault dashboard on the Backup Jobs tile, select Azure virtual machines to display the jobs
associated with the vault.
The Backup jobs blade opens and displays the list of jobs.

Use templates to customize a restored VM


After the restore disks operation is finished, use the template that was generated as part of the restore operation to
create a new VM with a configuration different from the backup configuration. You also can use it to customize
names of resources that were created during the process of creating a new VM from a restore point.

NOTE
Templates are added as part of restore disks for recovery points taken after March 1, 2017. They're applicable for
nonmanaged disk VMs. Support for managed disk VMs is coming in upcoming releases.

To get the template that was generated as part of the restore disks option:
1. Go to the restore job details corresponding to the job.
2. On the Restore Job Details screen, select Deploy Template to initiate template deployment.
3. On the Deploy template blade for custom deployment, use template deployment to edit and deploy the
template or append more customizations by authoring a template before you deploy.

4. After you enter the required values, accept the Terms and Conditions and select Purchase.

Post-restore steps
If you use a cloud-init-based Linux distribution, such as Ubuntu, for security reasons, the password is blocked
post restore. Use the VMAccess extension on the restored VM to reset the password. We recommend using SSH
keys on these distributions to avoid resetting the password post restore.
Extensions present during the backup configuration are installed, but they won't be enabled. If you see an issue,
reinstall the extensions.
If the backed-up VM has a static IP, the restored VM has a dynamic IP post restore to avoid a conflict when you
create a restored VM. Learn more about how you can add a static IP to a restored VM.
A restored VM doesn't have an availability set assigned. We recommend using the restore disks option to add an
availability set when you create a VM from PowerShell or templates by using restored disks.

Backup for restored VMs


If you restored a VM to the same resource group with the same name as the originally backed-up VM, backup
continues on the VM post restore. If you restored the VM to a different resource group or you specified a different
name for the restored VM, the VM is treated as if it's a new VM. You need to set up backup for the restored VM.

Restore a VM during an Azure datacenter disaster


Azure Backup allows restoring backed-up VMs to the paired datacenter in case the primary datacenter where VMs
are running experiences a disaster and you configured the backup vault to be geo-redundant. During such
scenarios, select a storage account, which is present in a paired datacenter. The rest of the restore process remains
the same. Backup uses the compute service from the paired geo to create the restored VM. For more information,
see Azure datacenter resiliency.

Restore domain controller VMs


Backup of domain controller (DC) VMs is a supported scenario with Backup. However, you must be careful during
the restore process. The correct restore process depends on the structure of the domain. In the simplest case, you
have a single DC in a single domain. More commonly for production loads, you have a single domain with multiple
DCs, perhaps with some DCs on-premises. Finally, you might have a forest with multiple domains.
From an Active Directory perspective, the Azure VM is like any other VM on a modern supported hypervisor. The
major difference with on-premises hypervisors is that there's no VM console available in Azure. A console is
required for certain scenarios, such as recovering by using a bare-metal recovery (BMR)-type backup. However,
VM restore from the backup vault is a full replacement for BMR. Directory Services Restore Mode (DSRM) is also
available, so all Active Directory recovery scenarios are viable. For more information, see Backup and restore
considerations for virtualized domain controllers and Planning for Active Directory forest recovery.
Single DC in a single domain
The VM can be restored (like any other VM) from the Azure portal or by using PowerShell.
Multiple DCs in a single domain
When other DCs of the same domain can be reached over the network, the DC can be restored like any VM. If it's
the last remaining DC in the domain, or a recovery in an isolated network is performed, a forest recovery
procedure must be followed.
Multiple domains in one forest
When other DCs of the same domain can be reached over the network, the DC can be restored like any VM. In all
other cases, we recommend a forest recovery.

Restore VMs with special network configurations


It's possible to back up and restore VMs with the following special network configurations. However, these
configurations require some special consideration while going through the restore process:
VMs under load balancers (internal and external)
VMs with multiple reserved IPs
VMs with multiple NICs
IMPORTANT
When you create the special network configuration for VMs, you must use PowerShell to create VMs from the restored
disks.

To fully re-create the VMs after restoring to disk, follow these steps:
1. Restore the disks from a Recovery Services vault by using PowerShell.
2. Create the VM configuration required for load balancer/multiple NIC/multiple reserved IP by using the
PowerShell cmdlets. Use it to create the VM with the configuration you want:
a. Create a VM in the cloud service with an internal load balancer.
b. Create a VM to connect to an internet-facing load balancer.
c. Create a VM with multiple NICs.
d. Create a VM with multiple reserved IPs.

Next steps
Now that you can restore your VMs, see the troubleshooting article for information on common errors with VMs.
Also, check out the article on managing tasks with your VMs.
Troubleshooting errors
Manage virtual machines
Back up and restore encrypted virtual machines with
Azure Backup
10/13/2017

This article talks about the steps to back up and restore virtual machines (VMs) by using Azure Backup. It also
provides details about supported scenarios, prerequisites, and troubleshooting steps for error cases.

Supported scenarios
Backup and restore of encrypted VMs is supported only for VMs that use the Azure Resource Manager
deployment model. It's not supported for VMs that use the classic deployment model.
Backup and restore of encrypted VMs is supported for both Windows and Linux VMs that use Azure Disk
Encryption. Disk Encryption uses the industry standard BitLocker feature of Windows and the dm-crypt
feature of Linux to provide encryption of disks.
The following table shows supported scenarios for BitLocker encryption key (BEK)-only and key encryption
key (KEK)-encrypted VMs:

|  | BEK + KEK VMS | BEK-ONLY VMS |
| --- | --- | --- |
| Nonmanaged VMs | Yes | Yes |
| Managed VMs | Yes | Yes |

Prerequisites
The VM was encrypted by using Azure Disk Encryption.
A Recovery Services vault was created and storage replication was set by following the steps in Prepare your
environment for backup.
Backup was given permissions to access a key vault containing keys and secrets for encrypted VMs.

Backup-encrypted VM
Use the following steps to set a backup goal, define a policy, configure items, and trigger a backup.
Configure backup
1. If you already have a Recovery Services vault open, proceed to the next step. If you don't have a Recovery
Services vault open but you're in the Azure portal, on the Hub menu, select Browse.
a. In the list of resources, type Recovery Services.
b. As you begin typing, the list filters based on your input. When you see Recovery Services vaults, select it.
c. The list of Recovery Services vaults appears. Select a vault from the list.
The selected vault dashboard opens.
2. From the list of items that appears under the vault, select Backup to start backing up the encrypted VM.

3. On the Backup tile, select Backup goal.


4. Under Where is your workload running?, select Azure. Under What do you want to backup?, select
Virtual machine. Then select OK.

5. Under Choose backup policy, select the backup policy you want to apply to the vault. Then select OK.
The details of the default policy are listed. If you want to create a policy, select Create New from the drop-
down list. After you select OK, the backup policy is associated with the vault.
6. Choose the encrypted VMs to associate with the specified policy, and select OK.

7. This page shows a message about key vaults associated to the encrypted VMs you selected. Backup requires
read-only access to the keys and secrets in the key vault. It uses these permissions to back up the keys and
secrets, along with the associated VMs. You must provide permissions to the backup service to access the key
vault for backups to work. You can provide these permissions by following the steps mentioned in the
following section.
Now that you have defined all settings for the vault, select Enable Backup at the bottom of the page.
Enable Backup deploys the policy to the vault and the VMs.
8. The next phase in preparation is installing the VM Agent or making sure the VM Agent is installed. To do
so, follow the steps in Prepare your environment for backup.
Trigger a backup job
Follow the steps in Backup Azure VMs to a Recovery Services vault to trigger a backup job.
Continue backups of already backed-up VMs with encryption enabled
If you have VMs already being backed up in a Recovery Services vault that are enabled for encryption later, you
must give permissions to Backup to access the key vault for backups to continue. You can provide these
permissions by following the steps in the following section. Or you can follow the PowerShell steps in the "Enable
backup" section of the PowerShell documentation.

Provide permissions to Backup


Use the following steps to provide relevant permissions to Backup to access the key vault and perform backup of
encrypted VMs.
1. Select More services, and search for Key vaults.
2. From the list of key vaults, select the key vault associated with the encrypted VM that needs to be backed up.

3. Select Access policies, and then select Add new.


4. Select Select principal, and then type Backup Management Service in the search box.
5. Select Backup Management Service, and then select Select.

6. Under Configure from template (optional), select Azure Backup. The required permissions are prefilled
for Key permissions and Secret permissions. If your VM is encrypted by using BEK only, permissions only
for secrets are required, so you must remove the selection for Key permissions.
7. Select OK. Notice that Backup Management Service gets added in Access policies.
8. Select Save to give the required permissions to Backup.

After permissions are successfully provided, you can proceed with enabling backup for encrypted VMs.
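One way to verify the result of the steps above, as an added PowerShell example (not part of the original article and not Microsoft's code): it checks that Backup Management Service has an access policy, that a BEK-only VM carries no key permissions, and that nothing beyond read-only access was granted. The function name, the sample policy objects, and the set of permission names treated as read-only are assumptions; the property names are those of the access-policy objects returned by Get-AzureRmKeyVault.

```powershell
# Added example: least-privilege check of a key vault access policy for Azure Backup.
# Assumption: "read-only" access is taken to mean these permission names.
$ReadOnlyPermissions = 'get','list','backup'

function Test-BackupKeyVaultPolicy {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$AccessPolicies,
        [switch]$BekOnly   # the VM is encrypted with BEK only (no KEK)
    )
    # Find the entry added in steps 4 and 5 above.
    $policy = $AccessPolicies |
        Where-Object { $_.DisplayName -like 'Backup Management Service*' } |
        Select-Object -First 1
    if (-not $policy) {
        'No access policy for Backup Management Service: backup of encrypted VMs will fail.'
        return
    }
    $keys    = @($policy.PermissionsToKeys    | Where-Object { $_ })
    $secrets = @($policy.PermissionsToSecrets | Where-Object { $_ })

    if ($secrets.Count -eq 0) { 'Secret permissions are missing.' }
    if ($BekOnly -and $keys.Count -gt 0) {
        "BEK-only VM: key permissions are not required, remove: $($keys -join ', ')"
    }
    if (-not $BekOnly -and $keys.Count -eq 0) {
        'KEK-encrypted VM: key permissions are missing.'
    }
    # Anything outside the read-only set is more than Backup needs.
    (@($keys) + @($secrets)) | Select-Object -Unique |
        Where-Object { $ReadOnlyPermissions -notcontains $_ } |
        ForEach-Object { "Permission beyond read-only access: $_" }
}

# Constructed sample policies (not taken from a real vault).
$samplePolicies = @(
    [pscustomobject]@{
        DisplayName          = 'Backup Management Service (application id placeholder)'
        PermissionsToKeys    = @('get','list','backup')
        PermissionsToSecrets = @('get','list','backup','delete')
    },
    [pscustomobject]@{
        DisplayName          = 'ops-admin@example.com'
        PermissionsToKeys    = @('all')
        PermissionsToSecrets = @('all')
    }
)

$findings = @(Test-BackupKeyVaultPolicy -AccessPolicies $samplePolicies -BekOnly)
if ($findings.Count -eq 0) { 'Policy matches the requirements.' } else { $findings }

# Against a real vault (requires the AzureRM module and a signed-in session):
# $vault = Get-AzureRmKeyVault -VaultName '<key-vault-name>'
# Test-BackupKeyVaultPolicy -AccessPolicies $vault.AccessPolicies -BekOnly
```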

Restore an encrypted VM
To restore an encrypted VM, first restore disks by following the steps in the "Restore backed-up disks" section in
Choose a VM restore configuration. After that, you can use one of the following options:
Follow the PowerShell steps in Create a VM from restored disks to create a full VM from restored disks.
Or, use templates to customize a restored VM to create VMs from restored disks. Templates can be used only for
recovery points created after April 26, 2017.

Troubleshooting errors
| OPERATION | ERROR DETAILS | RESOLUTION |
| --- | --- | --- |
| Backup | Backup doesn't have sufficient permissions to the key vault for backup of encrypted VMs. | Backup should be provided these permissions by following the steps in the previous section. Or you can follow the PowerShell steps in the "Enable protection" section of the PowerShell documentation at Use AzureRM.RecoveryServices.Backup cmdlets to back up virtual machines. |
| Restore | You can't restore this encrypted VM because the key vault associated with this VM doesn't exist. | Create a key vault by using Get started with Azure Key Vault. See Restore a key vault key and a secret by using Azure Backup to restore a key and a secret if they aren't present. |
| Restore | You can't restore this encrypted VM because the key and the secret associated with this VM don't exist. | See Restore a key vault key and a secret by using Azure Backup to restore a key and a secret if they aren't present. |
| Restore | Backup doesn't have the authorization to access resources in your subscription. | As mentioned previously, restore disks first by following the steps in the "Restore backed-up disks" section in Choose a VM restore configuration. After that, use PowerShell to create a VM from restored disks. |

Restore virtual machines in Azure
8/11/2017

Restore a virtual machine to a new VM from the backups stored in an Azure Backup vault with the following steps.

IMPORTANT
You can now upgrade your Backup vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to
a Recovery Services vault. Microsoft encourages you to upgrade your Backup vaults to Recovery Services vaults.
Starting October 15, 2017, you will no longer be able to use PowerShell to create Backup vaults.
Starting November 1, 2017:
Any remaining Backup vaults will be automatically upgraded to Recovery Services vaults.
You won't be able to access your backup data in the classic portal. Instead, use the Azure portal to access your backup
data in Recovery Services vaults.

Restore workflow
Step 1: Choose an item to restore
1. Navigate to the Protected Items tab and select the virtual machine you want to restore to a new VM.

The Recovery Point column in the Protected Items page will tell you the number of recovery points for a
virtual machine. The Newest Recovery Point column tells you the time of the most recent backup from
which a virtual machine can be restored.
2. Click Restore to open the Restore an Item wizard.

Step 2: Pick a recovery point


1. In the Select a recovery point screen, you can restore from the newest recovery point or from a previous
point in time. The default option selected when the wizard opens is Newest Recovery Point.
2. To pick an earlier point in time, choose the Select Date option in the dropdown and select a date in the
calendar control by clicking the calendar icon. In the control, all dates that have recovery points are
filled with a light gray shade and are selectable.

Once you click a date in the calendar control, the recovery points available on that date will be shown in
recovery points table below. The Time column indicates the time at which the snapshot was taken. The
Type column displays the consistency of the recovery point. The table header shows the number of
recovery points available on that day in parentheses.

3. Select the recovery point from the Recovery Points table and click the Next arrow to go to the next screen.
Step 3: Specify a destination location
1. In the Select restore instance screen specify details of where to restore the virtual machine.
Specify the virtual machine name: In a given cloud service, the virtual machine name should be unique.
We don't support overwriting an existing VM.
Select a cloud service for the VM: This is mandatory for creating a VM. You can choose to either use
an existing cloud service or create a new cloud service.
Whatever cloud service name is picked should be globally unique. Typically, the cloud service name
gets associated with a public-facing URL in the form of [cloudservice].cloudapp.net. Azure will not
allow you to create a new cloud service if the name has already been used. If you choose to create a
new cloud service, it will be given the same name as the virtual machine in which case the VM
name picked should be unique enough to be applied to the associated cloud service.
We only display cloud services and virtual networks that are not associated with any affinity groups
in the restore instance details. Learn More.
2. Select a storage account for the VM: This is mandatory for creating the VM. You can select from existing
storage accounts in the same region as the Azure Backup vault. We don't support storage accounts that are
Zone redundant or of Premium storage type.
If there are no storage accounts with a supported configuration, create a storage account with a supported
configuration before starting the restore operation.

3. Select a Virtual Network: The virtual network (VNET) for the virtual machine should be selected at the time
of creating the VM. The restore UI shows all the VNETs within this subscription that can be used. It is not
mandatory to select a VNET for the restored VM. You will be able to connect to the restored virtual
machine over the internet even if the VNET is not applied.
If the cloud service selected is associated with a virtual network, then you cannot change the virtual
network.

4. Select a subnet: In case the VNET has subnets, by default the first subnet will be selected. Choose the
subnet of your choice from the dropdown options. For subnet details, go to Networks extension in the
portal home page, go to Virtual Networks and select the virtual network and drill down into Configure to
see subnet details.
5. Click the Submit icon in the wizard to submit the details and create a restore job.

Track the Restore operation


Once you have entered all the information into the restore wizard and submitted it, Azure Backup will try to
create a job to track the restore operation.

If the job creation is successful, you will see a toast notification indicating that the job is created. You can get more
details by clicking the View Job button that will take you to Jobs tab.

Once the restore operation is finished, it will be marked as completed in Jobs tab.

After restoring the virtual machine you may need to re-install the extensions existing on the original VM and
modify the endpoints for the virtual machine in the Azure portal.

Post-Restore steps
If you are using a cloud-init based Linux distribution such as Ubuntu, the password will be blocked post restore
for security reasons. Use the VMAccess extension on the restored VM to reset the password. We recommend
using SSH keys on these distributions to avoid resetting the password post restore.

Backup for Restored VMs


If you have restored the VM to the same cloud service with the same name as the originally backed-up VM, backup
will continue on the VM post restore. If you have either restored the VM to a different cloud service or specified
a different name for the restored VM, it is treated as a new VM and you need to set up backup for the restored VM.

Restoring a VM during Azure DataCenter Disaster


Azure Backup allows restoring backed-up VMs to the paired data center in case the primary data center where the
VMs are running experiences a disaster and you configured the Backup vault to be geo-redundant. In such
scenarios, you need to select a storage account that is present in the paired data center; the rest of the restore
process remains the same. Azure Backup uses the Compute service from the paired geo to create the restored virtual
machine. Learn more about Azure Data center resiliency.

Restoring Domain Controller VMs


Backup of Domain Controller (DC) virtual machines is a supported scenario with Azure Backup. However, care
must be taken during the restore process. The correct restore process depends on the structure of the domain. In
the simplest case you have a single DC in a single domain. More commonly for production loads, you will have a
single domain with multiple DCs, perhaps with some DCs on premises. Finally, you may have a forest with
multiple domains.
From an Active Directory perspective the Azure VM is like any other VM on a modern supported hypervisor. The
major difference with on-premises hypervisors is that there is no VM console available in Azure. A console is
required for certain scenarios such as recovering using a Bare Metal Recovery (BMR) type backup. However, VM
restore from the backup vault is a full replacement for BMR. Active Directory Restore Mode (DSRM) is also
available, so all Active Directory recovery scenarios are viable. For more background information, please check
Backup and Restore considerations for virtualized Domain Controllers and Planning for Active Directory Forest
Recovery.
Single DC in a single domain
The VM can be restored (like any other VM) from the Azure portal or using PowerShell.
Multiple DCs in a single domain
When other DCs of the same domain can be reached over the network, the DC can be restored like any VM. If it is
the last remaining DC in the domain, or a recovery in an isolated network is performed, a forest recovery
procedure must be followed.
Multiple domains in one forest
When other DCs of the same domain can be reached over the network, the DC can be restored like any VM.
However, in all other cases a forest recovery is recommended.

Restoring VMs with special network configurations


Azure Backup supports backup for the following special network configurations of virtual machines.
VMs under load balancer (internal and external)
VMs with multiple reserved IPs
VMs with multiple NICs
These configurations require the following considerations when restoring them.

TIP
Please use PowerShell based restore flow to recreate the special network configuration of VMs post restore.
Restoring from the UI:
While restoring from the UI, always choose a new cloud service. Because the portal only takes
mandatory parameters during the restore flow, VMs restored using the UI will lose the special network configuration
they possess. In other words, restored VMs will be normal VMs without the load balancer, multi-NIC, or
multiple reserved IP configuration.
Restoring from PowerShell:
PowerShell has the ability to just restore the VM disks from backup and not create the virtual machine. This is
helpful when restoring virtual machines which require special network configurations mentioned above.
In order to fully recreate the virtual machine post restoring disks, follow these steps:
1. Restore the disks from backup vault using Azure Backup PowerShell
2. Create the VM config required for load balancer/multiple NIC/multiple reserved IP using the PowerShell
cmdlets and use it to create the VM of desired configuration.
Create VM in cloud service with Internal Load balancer
Create VM to connect to Internet facing load balancer
Create VM with multiple NICs
Create VM with multiple reserved IPs

Next steps
Troubleshooting errors
Manage virtual machines
Restore Key Vault key and secret for encrypted VMs using Azure Backup
8/28/2017

This article talks about using Azure VM Backup to perform restore of encrypted Azure VMs, if your key and secret
do not exist in the key vault. These steps can also be used if you want to maintain a separate copy of key (Key
Encryption Key) and secret (BitLocker Encryption Key) for the restored VM.

Prerequisites
Backup encrypted VMs - Encrypted Azure VMs have been backed up using Azure Backup. Refer to the article
Manage backup and restore of Azure VMs using PowerShell for details about how to back up encrypted Azure
VMs.
Configure Azure Key Vault - Ensure that the key vault to which keys and secrets need to be restored is already
present. Refer to the article Get Started with Azure Key Vault for details about key vault management.
Restore disk - Ensure that you have triggered a restore job for restoring disks for the encrypted VM using
PowerShell steps. This is because this job generates a JSON file in your storage account containing keys and
secrets for the encrypted VM to be restored.

Get key and secret from Azure Backup


NOTE
Once disk has been restored for the encrypted VM, ensure that:
1. $details is populated with restore disk job details, as mentioned in PowerShell steps in Restore the Disks section
2. VM should be created from restored disks only after key and secret is restored to key vault.

Query the restored disk properties for the job details.

PS C:\> $properties = $details.properties
PS C:\> $storageAccountName = $properties["Target Storage Account Name"]
PS C:\> $containerName = $properties["Config Blob Container Name"]
PS C:\> $encryptedBlobName = $properties["Encryption Info Blob Name"]

Set the Azure storage context and restore JSON configuration file containing key and secret details for encrypted
VM.

PS C:\> Set-AzureRmCurrentStorageAccount -Name $storageaccountname -ResourceGroupName '<rg-name>'
PS C:\> $destination_path = 'C:\vmencryption_config.json'
PS C:\> Get-AzureStorageBlobContent -Blob $encryptedBlobName -Container $containerName -Destination $destination_path
PS C:\> $encryptionObject = Get-Content -Path $destination_path | ConvertFrom-Json

Restore key
Once the JSON file is generated in the destination path mentioned above, generate key blob file from the JSON
and feed it to restore key cmdlet to put the key (KEK) back in the key vault.

PS C:\> $keyDestination = 'C:\keyDetails.blob'
PS C:\> [io.file]::WriteAllBytes($keyDestination, [System.Convert]::FromBase64String($encryptionObject.OsDiskKeyAndSecretDetails.KeyBackupData))
PS C:\> Restore-AzureKeyVaultKey -VaultName '<target_key_vault_name>' -InputFile $keyDestination

Restore secret
Use the JSON file generated above to get secret name and value and feed it to set secret cmdlet to put the secret
(BEK) back in the key vault. Use these cmdlets if your VM is encrypted using BEK and KEK.

PS C:\> $secretdata = $encryptionObject.OsDiskKeyAndSecretDetails.SecretData
PS C:\> $Secret = ConvertTo-SecureString -String $secretdata -AsPlainText -Force
PS C:\> $secretname = 'B3284AAA-DAAA-4AAA-B393-60CAA848AAAA'
PS C:\> $Tags = @{'DiskEncryptionKeyEncryptionAlgorithm' = 'RSA-OAEP';'DiskEncryptionKeyFileName' = 'B3284AAA-DAAA-4AAA-B393-60CAA848AAAA.BEK';'DiskEncryptionKeyEncryptionKeyURL' = $encryptionObject.OsDiskKeyAndSecretDetails.KeyUrl;'MachineName' = 'vm-name'}
PS C:\> Set-AzureKeyVaultSecret -VaultName '<target_key_vault_name>' -Name $secretname -SecretValue $Secret -ContentType 'Wrapped BEK' -Tags $Tags

If your VM is encrypted using BEK only, generate secret blob file from the JSON and feed it to restore secret
cmdlet to put the secret (BEK) back in the key vault.

PS C:\> $secretDestination = 'C:\secret.blob'
PS C:\> [io.file]::WriteAllBytes($secretDestination, [System.Convert]::FromBase64String($encryptionObject.OsDiskKeyAndSecretDetails.KeyVaultSecretBackupData))
PS C:\> Restore-AzureKeyVaultSecret -VaultName '<target_key_vault_name>' -InputFile $secretDestination -Verbose

NOTE
1. Value for $secretname can be obtained by referring to the output of
$encryptionObject.OsDiskKeyAndSecretDetails.SecretUrl and using the text after secrets/. For example, if the output secret URL is
https://keyvaultname.vault.azure.net/secrets/B3284AAA-DAAA-4AAA-B393-60CAA848AAAA/xx000000xx0849999f3xx30000003163
the secret name is B3284AAA-DAAA-4AAA-B393-60CAA848AAAA.
2. Value of the tag DiskEncryptionKeyFileName is same as secret name.
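
The restore-key and restore-secret steps above, combined in one added example (not part of the original article): it derives $secretname and the tags from the JSON instead of typing them by hand, and stages the key blob in a temporary file that is deleted after use. The helper names (Get-SecretNameFromUrl, New-BekSecretParameters, Invoke-WithKeyBlobFile) and the sample JSON values are constructed for illustration; the Azure cmdlet calls are left as comments so the block runs offline.

```powershell
# Constructed sample of the restored encryption JSON; values are placeholders, not real key material.
$sampleJson = @'
{
  "OsDiskKeyAndSecretDetails": {
    "KeyBackupData": "Q09OU1RSVUNURUQtS0VLLUJBQ0tVUA==",
    "KeyUrl": "https://keyvaultname.vault.azure.net/keys/KeyName/84daaac999949999030bf99aaa5a9f9",
    "SecretUrl": "https://keyvaultname.vault.azure.net/secrets/B3284AAA-DAAA-4AAA-B393-60CAA848AAAA/xx000000xx0849999f3xx30000003163",
    "SecretData": "CONSTRUCTED-WRAPPED-BEK"
  }
}
'@

# Hypothetical helper: return the text after "secrets/" in a secret URL.
function Get-SecretNameFromUrl {
    param([Parameter(Mandatory)][string]$SecretUrl)

    $uri = $null
    $isAbsolute = [System.Uri]::TryCreate($SecretUrl, [System.UriKind]::Absolute, [ref]$uri)
    if (-not $isAbsolute -or $uri.Scheme -ne 'https') {
        throw "Not an https URL: $SecretUrl"
    }
    # Path looks like /secrets/<name>/<version>
    $segments = $uri.AbsolutePath.Trim('/').Split('/')
    if ($segments.Count -lt 2 -or $segments[0] -ne 'secrets' -or
        [string]::IsNullOrWhiteSpace($segments[1])) {
        throw "Not a key vault secret URL: $SecretUrl"
    }
    return $segments[1]
}

# Hypothetical helper: build the Set-AzureKeyVaultSecret arguments for a BEK and KEK encrypted VM.
function New-BekSecretParameters {
    param(
        [Parameter(Mandatory)]$EncryptionObject,
        [Parameter(Mandatory)][string]$TargetVaultName,
        [Parameter(Mandatory)][string]$MachineName
    )
    $osDisk = $EncryptionObject.OsDiskKeyAndSecretDetails
    foreach ($field in 'SecretUrl', 'KeyUrl', 'SecretData') {
        if ([string]::IsNullOrWhiteSpace($osDisk.$field)) {
            throw "Encryption JSON is missing OsDiskKeyAndSecretDetails.$field"
        }
    }
    $name = Get-SecretNameFromUrl -SecretUrl $osDisk.SecretUrl
    return @{
        VaultName   = $TargetVaultName
        Name        = $name
        SecretValue = ConvertTo-SecureString -String $osDisk.SecretData -AsPlainText -Force
        ContentType = 'Wrapped BEK'
        Tags        = @{
            DiskEncryptionKeyEncryptionAlgorithm = 'RSA-OAEP'
            DiskEncryptionKeyFileName            = "$name.BEK"   # secret name plus .BEK, as in the command above
            DiskEncryptionKeyEncryptionKeyURL    = $osDisk.KeyUrl
            MachineName                          = $MachineName
        }
    }
}

# Hypothetical helper: write the decoded blob to a per-user temp file, run the action, always delete the file.
function Invoke-WithKeyBlobFile {
    param(
        [Parameter(Mandatory)][string]$Base64Data,
        [Parameter(Mandatory)][scriptblock]$Action
    )
    $bytes = [System.Convert]::FromBase64String($Base64Data)   # throws on malformed data
    $path  = [System.IO.Path]::GetTempFileName()
    try {
        [System.IO.File]::WriteAllBytes($path, $bytes)
        & $Action $path
    }
    finally {
        Remove-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    }
}

$encryptionObject = $sampleJson | ConvertFrom-Json

# Key (KEK): the blob file exists only for the duration of the restore call.
Invoke-WithKeyBlobFile -Base64Data $encryptionObject.OsDiskKeyAndSecretDetails.KeyBackupData -Action {
    param($file)
    # Against a real vault: Restore-AzureKeyVaultKey -VaultName '<target_key_vault_name>' -InputFile $file
    "Key blob staged at $file ($((Get-Item -LiteralPath $file).Length) bytes)"
}

# Secret (BEK): name and tags come from the JSON, not from hand-typed literals.
$secretParams = New-BekSecretParameters -EncryptionObject $encryptionObject `
    -TargetVaultName '<target_key_vault_name>' -MachineName 'vm-name'
$secretParams.Name
$secretParams.Tags
# Against a real vault: Set-AzureKeyVaultSecret @secretParams
```

Once both restores succeed, also delete the downloaded C:\vmencryption_config.json, which holds the same key and secret data.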

Create virtual machine from restored disk


If you have backed up an encrypted VM using Azure VM Backup, the PowerShell cmdlets mentioned above help you
restore the key and secret back to the key vault. After restoring them, refer to the article Manage backup and
restore of Azure VMs using PowerShell to create encrypted VMs from the restored disk, key, and secret.

Legacy approach
The approach mentioned above would work for all the recovery points. However, the older approach of getting
key and secret information from recovery point, would be valid for recovery points older than July 11, 2017 for
VMs encrypted using BEK and KEK. Once restore disk job is complete for encrypted VM using PowerShell steps,
ensure that $rp is populated with a valid value.
Restore key
Use the following cmdlets to get key (KEK) information from recovery point and feed it to restore key cmdlet to
put it back in the key vault.

PS C:\> $rp1 = Get-AzureRmRecoveryServicesBackupRecoveryPoint -RecoveryPointId $rp[0].RecoveryPointId -Item $backupItem -KeyFileDownloadLocation 'C:\Users\downloads'
PS C:\> Restore-AzureKeyVaultKey -VaultName '<target_key_vault_name>' -InputFile 'C:\Users\downloads'

Restore secret
Use the following cmdlets to get secret (BEK) information from recovery point and feed it to set secret cmdlet to
put it back in the key vault.

PS C:\> $secretname = 'B3284AAA-DAAA-4AAA-B393-60CAA848AAAA'
PS C:\> $secretdata = $rp1.KeyAndSecretDetails.SecretData
PS C:\> $Secret = ConvertTo-SecureString -String $secretdata -AsPlainText -Force
PS C:\> $Tags = @{'DiskEncryptionKeyEncryptionAlgorithm' = 'RSA-OAEP';'DiskEncryptionKeyFileName' = 'B3284AAA-DAAA-4AAA-B393-60CAA848AAAA.BEK';'DiskEncryptionKeyEncryptionKeyURL' = 'https://mykeyvault.vault.azure.net:443/keys/KeyName/84daaac999949999030bf99aaa5a9f9';'MachineName' = 'vm-name'}
PS C:\> Set-AzureKeyVaultSecret -VaultName '<target_key_vault_name>' -Name $secretname -SecretValue $Secret -Tags $Tags -ContentType 'Wrapped BEK'

NOTE
1. Value for $secretname can be obtained by referring to the output of $rp1.KeyAndSecretDetails.SecretUrl and using the text
after secrets/. For example, if the output secret URL is
https://keyvaultname.vault.azure.net/secrets/B3284AAA-DAAA-4AAA-B393-60CAA848AAAA/xx000000xx0849999f3xx30000003163
the secret name is B3284AAA-DAAA-4AAA-B393-60CAA848AAAA.
2. Value of the tag DiskEncryptionKeyFileName is same as secret name.
3. Value for DiskEncryptionKeyEncryptionKeyURL can be obtained from the key vault after restoring the keys back and using
the Get-AzureKeyVaultKey cmdlet.

Next steps
After restoring the key and secret back to the key vault, refer to the article Manage backup and restore of Azure VMs
using PowerShell to create encrypted VMs from the restored disk, key, and secret.
Configure Azure Backup reports
10/3/2017

This article talks about steps to configure reports for Azure Backup using Recovery Services vault, and to access
these reports using Power BI. After performing these steps, you can directly go to Power BI to view all the reports,
customize and create reports.

Supported scenarios
1. Azure Backup reports are supported for Azure virtual machine backup and file/folder backup to cloud using
Azure Recovery Services Agent.
2. Reports for Azure SQL, DPM and Azure Backup Server are not supported at this time.
3. You can view reports across vaults and across subscriptions, if same storage account is configured for each of
the vaults. Storage account selected should be in the same region as recovery services vault.
4. The frequency of scheduled refresh for the reports is 24 hours in Power BI. You can also perform an ad-hoc
refresh of the reports in Power BI, in which case latest data in customer storage account is used for rendering
reports.

Prerequisites
1. Create an Azure storage account to configure it for reports. This storage account is used for storing reports
related data.
2. Create a Power BI account to view, customize, and create your own reports using Power BI portal.
3. Register the resource provider Microsoft.insights if not registered already, with the subscription of storage
account and also with the subscription of Recovery Services vault to enable reporting data to flow to the
storage account. To do the same, you must go to Azure portal > Subscription > Resource providers and check
for this provider to register it.

Configure storage account for reports


Use the following steps to configure the storage account for recovery services vault using Azure portal. This is a
one-time configuration and once storage account is configured, you can go to Power BI directly to view content
pack and leverage reports.
1. If you already have a Recovery Services vault open, proceed to next step. If you do not have a Recovery
Services vault open, but are in the Azure portal, on the Hub menu, click Browse.
In the list of resources, type Recovery Services.
As you begin typing, the list filters based on your input. When you see Recovery Services vaults,
click it.
The list of Recovery Services vaults appears. From the list of Recovery Services vaults, select a vault.
The selected vault dashboard opens.
2. From the list of items that appears under vault, click Backup Reports under Monitoring and Reports section
to configure the storage account for reports.

3. On the Backup Reports blade, click Configure button. This opens the Azure Application Insights blade which
is used for pushing data to customer storage account.
4. Set the Status toggle button to On and select Archive to a Storage Account check box so that reporting
data can start flowing in to the storage account.

5. Click Storage Account picker and select the storage account from the list for storing reporting data and click
OK.
6. Select AzureBackupReport check box and also move the slider to select retention period for this reporting
data. Reporting data in the storage account is kept for the period selected using this slider.

7. Review all the changes and click Save button on top, as shown in the figure above. This action ensures that all
your changes are saved and storage account is now configured for storing reporting data.

NOTE
Once you configure reports by saving the storage account, you should wait for 24 hours for the initial data push to
complete. You should import the Azure Backup content pack in Power BI only after that time. Refer to the FAQ section
for further details.

View reports in Power BI


After configuring storage account for reports using recovery services vault, it takes around 24 hours for reporting
data to start flowing in. After 24 hours of setting up storage account, use the following steps to view reports in
Power BI:
1. Sign in to Power BI.
2. Click Get Data and click Get under Services in Content Pack Library. Use steps mentioned in Power BI
documentation to access content pack.

3. Type Azure Backup in Search bar and click Get it now.

4. Enter the storage account name configured in step 5 above and click Next button.
5. Enter the storage account key for this storage account. You can view and copy storage access keys by
navigating to your storage account in Azure portal.

6. Click Sign in button. After sign-in is successful, you get Importing data notification.
After some time, you get Success notification after the import is complete. It might take little longer to
import the content pack, if there is a lot of data in the storage account.

7. Once data is imported successfully, Azure Backup content pack is visible in Apps in the navigation pane.
The list now shows Azure Backup dashboard, reports, and dataset with a yellow star indicating newly
imported reports.

8. Click Azure Backup under Dashboards, which shows a set of pinned key reports.
9. To view the complete set of reports, click any report in the dashboard.

10. Click each tab in the reports to view reports in that area.

Frequently asked questions


1. How do I check if reporting data has started flowing in to storage account?
You can go to the storage account configured and select containers. If the container has an entry for
insights-logs-azurebackupreport, it indicates that reporting data has started flowing in.
2. What is the frequency of data push to storage account and Azure Backup content pack in Power
BI?
For Day 0 users, it would take around 24 hours to push data to storage account. Once this initial push is
complete, data is refreshed with the following frequency.
Data related to Jobs, Alerts, Backup Items, Vaults, Protected Servers and Policies is pushed to
customer storage account as and when it is logged.
Data related to Storage is pushed to customer storage account every 24 hours.

Power BI has a scheduled refresh once a day. You can perform a manual refresh of the data in Power BI for
the content pack.
3. How long can I retain the reports?
While configuring the storage account, you can select the retention period of reporting data in the storage account
(using step 6 in the Configure storage account for reports section above). Besides that, you can analyze reports
in Excel and save them for a longer retention period, as per your needs.
4. Will I see all my data in reports after configuring the storage account?
All the data generated after "configuring storage account" will be pushed to the storage account and will
be available in reports. However, In Progress Jobs are not pushed for Reporting. Once the job completes
or fails, it is sent to reports.
5. If I have already configured the storage account to view reports, can I change the configuration to
use another storage account?
Yes, you can change the configuration to point to a different storage account. You should use the newly
configured storage account while connecting to Azure Backup content pack. Also, once a different storage
account is configured, new data would flow in this storage account. But older data (before changing the
configuration) would still remain in the older storage account.
6. Can I view reports across vaults and across subscriptions?
Yes, you can configure the same storage account across various vaults to view cross-vault reports. Also, you
can configure the same storage account for vaults across subscriptions. You can then use this storage
account while connecting to Azure Backup content pack in Power BI to view the reports. However, the
storage account selected should be in the same region as recovery services vault.

Troubleshooting errors
| ERROR DETAILS | RESOLUTION |
| --- | --- |
| After setting up the storage account for Backup Reports, Storage Account still shows Not Configured. | If you configured storage account successfully, your reporting data will flow in despite this issue. To resolve this issue, go to Azure portal > More Services > Diagnostic settings > RS vault > Edit Setting. Delete the previously configured setting and create a new setting from the same blade. This time set the field Name to service. This should show the configured storage account. |
| After importing Azure Backup content pack in Power BI, the error 404- container is not found comes up. | As suggested in this document, you must wait for 24 hours after configuring reports in Recovery Services vault to see them correctly in Power BI. If you try to access the reports before 24 hours, you will get this error since complete data is not yet present to show valid reports. |

Next steps
Now that you have configured the storage account and imported Azure Backup content pack, the next step is to
customize these reports and use reporting data model to create reports. Refer the following articles for more
details.
Using Azure Backup reporting data model
Filtering reports in Power BI
Creating reports in Power BI
Data model for Azure Backup reports
6/27/2017

This article describes the Power BI data model used for creating Azure Backup reports. Using this data model, you
can filter existing reports based on relevant fields and more importantly, create your own reports by using tables
and fields in the model.

Creating new reports in Power BI


Power BI provides customization features using which you can create reports using the data model.

Using Azure Backup data model


You can use the following fields provided as part of the data model to create reports and customize existing
reports.
Alert
This table provides basic fields and aggregations over various alert related fields.

| FIELD | DATA TYPE | DESCRIPTION |
| --- | --- | --- |
| #AlertsCreatedInPeriod | Whole Number | Number of alerts created in selected time period |
| %ActiveAlertsCreatedInPeriod | Percentage | Percentage of active alerts in selected time period |
| %CriticalAlertsCreatedInPeriod | Percentage | Percentage of critical alerts in selected time period |
| AlertOccurenceDate | Date | Date when alert was created |
| AlertSeverity | Text | Severity of the alert, for example, Critical |
| AlertStatus | Text | Status of the alert, for example, Active |
| AlertType | Text | Type of the generated alert, for example, Backup |
| AlertUniqueId | Text | Unique Id of the generated alert |
| AsOnDateTime | Date/Time | Latest refresh time for the selected row |
| AvgResolutionTimeInMinsForAlertsCreatedInPeriod | Decimal Number | Average time (in minutes) to resolve alert for selected time period |
| EntityState | Text | Current state of the alert object, for example, Active, Deleted |

Backup Item
This table provides basic fields and aggregations over various backup item-related fields.

| FIELD | DATA TYPE | DESCRIPTION |
| --- | --- | --- |
| #BackupItems | Whole Number | Number of backup items |
| #UnprotectedBackupItems | Whole Number | Number of backup items stopped for protection or configured for backups but backups not started |
| AsOnDateTime | Date/Time | Latest refresh time for the selected row |
| BackupItemFriendlyName | Text | Friendly name of backup item |
| BackupItemId | Text | Id of backup item |
| BackupItemName | Text | Name of backup item |
| BackupItemType | Text | Type of backup item, for example, VM, FileFolder |
| EntityState | Text | Current state of the backup item object, for example, Active, Deleted |
| LastBackupDateTime | Date/Time | Time of last backup for selected backup item |
| LastBackupState | Text | State of last backup for selected backup item, for example, Successful, Failed |
| LastSuccessfulBackupDateTime | Date/Time | Time of last successful backup for selected backup item |
| ProtectionState | Text | Current protection state of the backup item, for example, Protected, ProtectionStopped |

Calendar
This table provides details about calendar-related fields.

| FIELD | DATA TYPE | DESCRIPTION |
| --- | --- | --- |
| Date | Date | Date selected for filtering data |
| DateKey | Text | Unique key for each date item |
| DayDiff | Decimal Number | Difference in day for filtering data, for example, 0 indicates current day's data, -1 indicates previous one day's data, 0 and -1 indicate data for current and previous day |
| Month | Text | Month of the year selected for filtering data, month begins on first day and ends on 31st day |
| MonthDate | Date | Date in the month when month ends, selected for filtering data |
| MonthDiff | Decimal Number | Difference in month for filtering data, for example, 0 indicates current month's data, -1 indicates previous month's data, 0 and -1 indicate data for current and previous month |
| Week | Text | Week selected for filtering data, week begins on Sunday and ends on Saturday |
| WeekDate | Date | Date in the week when week ends, selected for filtering data |
| WeekDiff | Decimal Number | Difference in week for filtering data, for example, 0 indicates current week's data, -1 indicates previous week's data, 0 and -1 indicate data for current and previous week |
| Year | Text | Calendar year selected for filtering data |
| YearDate | Date | Date in the year when year ends, selected for filtering data |

Job
This table provides basic fields and aggregations over various job-related fields.

| FIELD | DATA TYPE | DESCRIPTION |
| --- | --- | --- |
| #JobsCreatedInPeriod | Whole Number | Number of jobs created in the selected time period |
| %FailuresForJobsCreatedInPeriod | Percentage | Percentage overall job failures in the selected time period |
| 80thPercentileDataTransferredInMBForBackupJobsCreatedInPeriod | Decimal Number | 80th percentile value of data transferred in MB for backup jobs created in the selected time period |
| AsOnDateTime | Date/Time | Latest refresh time for the selected row |
| AvgBackupDurationInMinsForJobsCreatedInPeriod | Decimal Number | Average time in minutes for completed backup jobs created in selected time period |
| AvgRestoreDurationInMinsForJobsCreatedInPeriod | Decimal Number | Average time in minutes for completed restore jobs created in selected time period |
| BackupStorageDestination | Text | Destination of backup storage, for example, Cloud, Disk |
| EntityState | Text | Current state of the job object, for example, Active, Deleted |
| JobFailureCode | Text | Failure Code string because of which job failure happened |
| JobOperation | Text | Operation for which job is run, for example, Backup, Restore, Configure Backup |
| JobStartDate | Date | Date when job started running |
| JobStartTime | Time | Time when job started running |
| JobStatus | Text | Status of the finished job, for example, Completed, Failed |
| JobUniqueId | Text | Unique Id to identify the job |

Policy
This table provides basic fields and aggregations over various policy-related fields.

FIELD | DATA TYPE | DESCRIPTION
#Policies | Whole Number | Number of backup policies that exist in the system
#PoliciesInUse | Whole Number | Number of policies currently being used for configuring backups
AsOnDateTime | Date/Time | Latest refresh time for the selected row
BackupDaysOfTheWeek | Text | Days of the week when backups have been scheduled
BackupFrequency | Text | Frequency with which backups are run, for example, daily, weekly
BackupTimes | Text | Date and time when backups are scheduled
DailyRetentionDuration | Whole Number | Total retention duration in days for configured backups
DailyRetentionTimes | Text | Date and time when daily retention was configured
EntityState | Text | Current state of the policy object, for example, Active, Deleted
MonthlyRetentionDaysOfTheMonth | Text | Dates of the month selected for monthly retention
MonthlyRetentionDaysOfTheWeek | Text | Days of the week selected for monthly retention
MonthlyRetentionDuration | Decimal Number | Total retention duration in months for configured backups
MonthlyRetentionFormat | Text | Type of configuration for monthly retention, for example, daily for day based, weekly for week based
MonthlyRetentionTimes | Text | Date and time when monthly retention is configured
MonthlyRetentionWeeksOfTheMonth | Text | Weeks of the month when monthly retention is configured, for example, First, Last etc.
PolicyName | Text | Name of the policy defined
PolicyUniqueId | Text | Unique Id to identify the policy
RetentionType | Text | Type of retention policy, for example, Daily, Weekly, Monthly, Yearly
WeeklyRetentionDaysOfTheWeek | Text | Days of the week selected for weekly retention
WeeklyRetentionDuration | Decimal Number | Total weekly retention duration in weeks for configured backups
WeeklyRetentionTimes | Text | Date and time when weekly retention is configured
YearlyRetentionDaysOfTheMonth | Text | Dates of the month selected for yearly retention
YearlyRetentionDaysOfTheWeek | Text | Days of the week selected for yearly retention
YearlyRetentionDuration | Decimal Number | Total retention duration in years for configured backups
YearlyRetentionFormat | Text | Type of configuration for yearly retention, for example, daily for day based, weekly for week based
YearlyRetentionMonthsOfTheYear | Text | Months of the year selected for yearly retention
YearlyRetentionTimes | Text | Date and time when yearly retention is configured
YearlyRetentionWeeksOfTheMonth | Text | Weeks of the month when yearly retention is configured, for example, First, Last etc.

Protected Server
This table provides basic fields and aggregations over various protected server-related fields.

FIELD | DATA TYPE | DESCRIPTION
#ProtectedServers | Whole Number | Number of protected servers
AsOnDateTime | Date/Time | Latest refresh time for the selected row
AzureBackupAgentOSType | Text | OS Type of Azure Backup Agent
AzureBackupAgentOSVersion | Text | OS Version of Azure Backup Agent
AzureBackupAgentUpdateDate | Text | Date when Agent Backup Agent was updated
AzureBackupAgentVersion | Text | Version number of Agent Backup Version
BackupManagementType | Text | Provider type for performing backup, for example, IaaSVM, FileFolder
EntityState | Text | Current state of the protected server object, for example, Active, Deleted
ProtectedServerFriendlyName | Text | Friendly name of protected server
ProtectedServerName | Text | Name of protected server
ProtectedServerType | Text | Type of protected server backed up, for example, IaaSVMContainer
ProtectedServerName | Text | Name of protected server to which backup item belongs
RegisteredContainerId | Text | Id of container registered for backup

Storage
This table provides basic fields and aggregations over various storage-related fields.

FIELD | DATA TYPE | DESCRIPTION
#ProtectedInstances | Decimal Number | Number of protected instances used for calculating frontend storage in billing, calculated based on latest value in selected time
AsOnDateTime | Date/Time | Latest refresh time for the selected row
CloudStorageInMB | Decimal Number | Cloud backup storage used by backups, calculated based on latest value in selected time
EntityState | Text | Current state of the object, for example, Active, Deleted
LastUpdatedDate | Date | Date when selected row was last updated

Time
This table provides details about time-related fields.

FIELD | DATA TYPE | DESCRIPTION
Hour | Time | Hour of the day, for example, 1:00:00 PM
HourNumber | Decimal Number | Hour number in the day, for example, 13.00
Minute | Decimal Number | Minute of the hour
PeriodOfTheDay | Text | Time period slot in the day, for example, 12-3 AM
Time | Time | Time of the day, for example, 12:00:01 AM
TimeKey | Text | Key value to represent time

Vault
This table provides basic fields and aggregations over various vault-related fields.

FIELD | DATA TYPE | DESCRIPTION
#Vaults | Whole Number | Number of vaults
AsOnDateTime | Date/Time | Latest refresh time for the selected row
AzureDataCenter | Text | Data center where vault is located
EntityState | Text | Current state of the vault object, for example, Active, Deleted
StorageReplicationType | Text | Type of storage replication for the vault, for example, GeoRedundant
SubscriptionId | Text | Subscription Id of the customer selected for generating reports
VaultName | Text | Name of the vault
VaultTags | Text | Tags associated to the vault

Next steps
After you review the data model for creating Azure Backup reports, refer to the following articles for more details
about creating and viewing reports in Power BI.
Creating reports in Power BI
Filtering reports in Power BI
Log Analytics data model for Azure Backup data
7/25/2017 14 min to read

This article describes the data model used for pushing reporting data to Log Analytics. Using this data model, you
can create custom queries and dashboards, and use the data in OMS.

Using Azure Backup data model


You can use the following fields provided as part of the data model to create visuals, custom queries, and
dashboards as per your requirements.
Alert
This table provides details about alert related fields.

FIELD | DATA TYPE | DESCRIPTION
AlertUniqueId_s | Text | Unique Id of the generated alert
AlertType_s | Text | Type of the generated alert, for example, Backup
AlertStatus_s | Text | Status of the alert, for example, Active
AlertOccurenceDateTime_s | Date/Time | Date and time when alert was created
AlertSeverity_s | Text | Severity of the alert, for example, Critical
EventName_s | Text | This field represents name of this event, it is always AzureBackupCentralReport
BackupItemUniqueId_s | Text | Unique Id of the backup item to which this alert belongs to
SchemaVersion_s | Text | This field denotes current version of the schema, it is V1
State_s | Text | Current state of the alert object, for example, Active, Deleted
BackupManagementType_s | Text | Provider type for performing backup, for example, IaaSVM, FileFolder to which this alert belongs to
OperationName | Text | This field represents name of the current operation - Alert
Category | Text | This field represents category of diagnostics data pushed to Log Analytics, it is AzureBackupReport
Resource | Text | This is the resource for which data is being collected, it shows Recovery Services vault name
ProtectedServerUniqueId_s | Text | Unique Id of the protected to which this alert belongs to
VaultUniqueId_s | Text | Unique Id of the protected to which this alert belongs to
SourceSystem | Text | Source system of the current data - Azure
ResourceId | Text | This field represents resource id for which data is being collected, it shows Recovery Services vault resource id
SubscriptionId | Text | This field represents subscription id of the resource (RS vault) for which data is being collected
ResourceGroup | Text | This field represents resource group of the resource (RS vault) for which data is being collected
ResourceProvider | Text | This field represents the resource provider for which data is being collected - Microsoft.RecoveryServices
ResourceType | Text | This field represents type of the resource for which data is being collected - Vaults

BackupItem
This table provides details about backup item-related fields.

FIELD | DATA TYPE | DESCRIPTION
EventName_s | Text | This field represents name of this event, it is always AzureBackupCentralReport
BackupItemUniqueId_s | Text | Unique Id of the backup item
BackupItemId_s | Text | Id of backup item
BackupItemName_s | Text | Name of backup item
BackupItemFriendlyName_s | Text | Friendly name of backup item
BackupItemType_s | Text | Type of backup item, for example, VM, FileFolder
ProtectedServerName_s | Text | Name of protected server to which backup item belongs to
ProtectionState_s | Text | Current protection state of the backup item, for example, Protected, ProtectionStopped
SchemaVersion_s | Text | This field denotes current version of the schema, it is V1
State_s | Text | Current state of the backup item object, for example, Active, Deleted
BackupManagementType_s | Text | Provider type for performing backup, for example, IaaSVM, FileFolder to which this backup item belongs to
OperationName | Text | This field represents name of the current operation - BackupItem
Category | Text | This field represents category of diagnostics data pushed to Log Analytics, it is AzureBackupReport
Resource | Text | This is the resource for which data is being collected, it shows Recovery Services vault name
SourceSystem | Text | Source system of the current data - Azure
ResourceId | Text | This field represents resource id for which data is being collected, it shows Recovery Services vault resource id
SubscriptionId | Text | This field represents subscription id of the resource (RS vault) for which data is being collected
ResourceGroup | Text | This field represents resource group of the resource (RS vault) for which data is being collected
ResourceProvider | Text | This field represents the resource provider for which data is being collected - Microsoft.RecoveryServices
ResourceType | Text | This field represents type of the resource for which data is being collected - Vaults

BackupItemAssociation
This table provides details about backup item associations with various entities.
FIELD | DATA TYPE | DESCRIPTION
EventName_s | Text | This field represents name of this event, it is always AzureBackupCentralReport
BackupItemUniqueId_s | Text | Unique Id of the backup item
SchemaVersion_s | Text | This field denotes current version of the schema, it is V1
State_s | Text | Current state of the backup item association object, for example, Active, Deleted
BackupManagementType_s | Text | Provider type for performing backup, for example, IaaSVM, FileFolder to which this backup item belongs to
OperationName | Text | This field represents name of the current operation - BackupItemAssociation
Category | Text | This field represents category of diagnostics data pushed to Log Analytics, it is AzureBackupReport
Resource | Text | This is the resource for which data is being collected, it shows Recovery Services vault name
PolicyUniqueId_g | Text | Unique Id to identify the policy, which backup item is associated to
ProtectedServerUniqueId_s | Text | Unique Id of the protected server to which this backup item belongs to
VaultUniqueId_s | Text | Unique Id of the vault to which this backup item belongs to
SourceSystem | Text | Source system of the current data - Azure
ResourceId | Text | This field represents resource id for which data is being collected, it shows Recovery Services vault resource id
SubscriptionId | Text | This field represents subscription id of the resource (RS vault) for which data is being collected
ResourceGroup | Text | This field represents resource group of the resource (RS vault) for which data is being collected
ResourceProvider | Text | This field represents the resource provider for which data is being collected - Microsoft.RecoveryServices
ResourceType | Text | This field represents type of the resource for which data is being collected - Vaults

Job
This table provides details about job-related fields.

FIELD | DATA TYPE | DESCRIPTION
EventName_s | Text | This field represents name of this event, it is always AzureBackupCentralReport
BackupItemUniqueId_s | Text | Unique Id of the backup item to which this job belongs to
SchemaVersion_s | Text | This field denotes current version of the schema, it is V1
State_s | Text | Current state of the job object, for example, Active, Deleted
BackupManagementType_s | Text | Provider type for performing backup, for example, IaaSVM, FileFolder to which this job belongs to
OperationName | Text | This field represents name of the current operation - Job
Category | Text | This field represents category of diagnostics data pushed to Log Analytics, it is AzureBackupReport
Resource | Text | This is the resource for which data is being collected, it shows Recovery Services vault name
ProtectedServerUniqueId_s | Text | Unique Id of the protected to which this job belongs to
VaultUniqueId_s | Text | Unique Id of the protected to which this job belongs to
JobOperation_s | Text | Operation for which job is run, for example, Backup, Restore, Configure Backup
JobStatus_s | Text | Status of the finished job, for example, Completed, Failed
JobFailureCode_s | Text | Failure Code string because of which job failure happened
JobStartDateTime_s | Date/Time | Date and time when job started running
BackupStorageDestination_s | Text | Destination of backup storage, for example, Cloud, Disk
JobDurationInSecs_s | Number | Total job duration in seconds
DataTransferredInMB_s | Number | Data transferred in MB for this job
JobUniqueId_g | Text | Unique Id to identify the job
SourceSystem | Text | Source system of the current data - Azure
ResourceId | Text | This field represents resource id for which data is being collected, it shows Recovery Services vault resource id
SubscriptionId | Text | This field represents subscription id of the resource (RS vault) for which data is being collected
ResourceGroup | Text | This field represents resource group of the resource (RS vault) for which data is being collected
ResourceProvider | Text | This field represents the resource provider for which data is being collected - Microsoft.RecoveryServices
ResourceType | Text | This field represents type of the resource for which data is being collected - Vaults

Policy
This table provides details about policy-related fields.

FIELD | DATA TYPE | DESCRIPTION
EventName_s | Text | This field represents name of this event, it is always AzureBackupCentralReport
SchemaVersion_s | Text | This field denotes current version of the schema, it is V1
State_s | Text | Current state of the policy object, for example, Active, Deleted
BackupManagementType_s | Text | Provider type for performing backup, for example, IaaSVM, FileFolder to which this policy belongs to
OperationName | Text | This field represents name of the current operation - Policy
Category | Text | This field represents category of diagnostics data pushed to Log Analytics, it is AzureBackupReport
Resource | Text | This is the resource for which data is being collected, it shows Recovery Services vault name
PolicyUniqueId_g | Text | Unique Id to identify the policy
PolicyName_s | Text | Name of the policy defined
BackupFrequency_s | Text | Frequency with which backups are run, for example, daily, weekly
BackupTimes_s | Text | Date and time when backups are scheduled
BackupDaysOfTheWeek_s | Text | Days of the week when backups have been scheduled
RetentionDuration_s | Whole Number | Retention duration for configured backups
DailyRetentionDuration_s | Whole Number | Total retention duration in days for configured backups
DailyRetentionTimes_s | Text | Date and time when daily retention was configured
WeeklyRetentionDuration_s | Decimal Number | Total weekly retention duration in weeks for configured backups
WeeklyRetentionTimes_s | Text | Date and time when weekly retention is configured
WeeklyRetentionDaysOfTheWeek_s | Text | Days of the week selected for weekly retention
MonthlyRetentionDuration_s | Decimal Number | Total retention duration in months for configured backups
MonthlyRetentionTimes_s | Text | Date and time when monthly retention is configured
MonthlyRetentionFormat_s | Text | Type of configuration for monthly retention, for example, daily for day based, weekly for week based
MonthlyRetentionDaysOfTheWeek_s | Text | Days of the week selected for monthly retention
MonthlyRetentionWeeksOfTheMonth_s | Text | Weeks of the month when monthly retention is configured, for example, First, Last etc.
YearlyRetentionDuration_s | Decimal Number | Total retention duration in years for configured backups
YearlyRetentionTimes_s | Text | Date and time when yearly retention is configured
YearlyRetentionMonthsOfTheYear_s | Text | Months of the year selected for yearly retention
YearlyRetentionFormat_s | Text | Type of configuration for yearly retention, for example, daily for day based, weekly for week based
YearlyRetentionDaysOfTheMonth_s | Text | Dates of the month selected for yearly retention
SourceSystem | Text | Source system of the current data - Azure
ResourceId | Text | This field represents resource id for which data is being collected, it shows Recovery Services vault resource id
SubscriptionId | Text | This field represents subscription id of the resource (RS vault) for which data is being collected
ResourceGroup | Text | This field represents resource group of the resource (RS vault) for which data is being collected
ResourceProvider | Text | This field represents the resource provider for which data is being collected - Microsoft.RecoveryServices
ResourceType | Text | This field represents type of the resource for which data is being collected - Vaults

PolicyAssociation
This table provides details about policy associations with various entities.
FIELD | DATA TYPE | DESCRIPTION
EventName_s | Text | This field represents name of this event, it is always AzureBackupCentralReport
SchemaVersion_s | Text | This field denotes current version of the schema, it is V1
State_s | Text | Current state of the policy object, for example, Active, Deleted
BackupManagementType_s | Text | Provider type for performing backup, for example, IaaSVM, FileFolder to which this policy belongs to
OperationName | Text | This field represents name of the current operation - PolicyAssociation
Category | Text | This field represents category of diagnostics data pushed to Log Analytics, it is AzureBackupReport
Resource | Text | This is the resource for which data is being collected, it shows Recovery Services vault name
PolicyUniqueId_g | Text | Unique Id to identify the policy
VaultUniqueId_s | Text | Unique Id of the vault to which this policy belongs to
SourceSystem | Text | Source system of the current data - Azure
ResourceId | Text | This field represents resource id for which data is being collected, it shows Recovery Services vault resource id
SubscriptionId | Text | This field represents subscription id of the resource (RS vault) for which data is being collected
ResourceGroup | Text | This field represents resource group of the resource (RS vault) for which data is being collected
ResourceProvider | Text | This field represents the resource provider for which data is being collected - Microsoft.RecoveryServices
ResourceType | Text | This field represents type of the resource for which data is being collected - Vaults

ProtectedServer
This table provides details about protected server-related fields.
FIELD | DATA TYPE | DESCRIPTION
EventName_s | Text | This field represents name of this event, it is always AzureBackupCentralReport
ProtectedServerName_s | Text | Name of protected server
SchemaVersion_s | Text | This field denotes current version of the schema, it is V1
State_s | Text | Current state of the protected server object, for example, Active, Deleted
BackupManagementType_s | Text | Provider type for performing backup, for example, IaaSVM, FileFolder to which this protected server belongs to
OperationName | Text | This field represents name of the current operation - ProtectedServer
Category | Text | This field represents category of diagnostics data pushed to Log Analytics, it is AzureBackupReport
Resource | Text | This is the resource for which data is being collected, it shows Recovery Services vault name
ProtectedServerUniqueId_s | Text | Unique Id of the protected server
RegisteredContainerId_s | Text | Id of container registered for backup
ProtectedServerType_s | Text | Type of protected server backed up, for example, Windows
ProtectedServerFriendlyName_s | Text | Friendly name of protected server
AzureBackupAgentVersion_s | Text | Version number of Agent Backup Version
SourceSystem | Text | Source system of the current data - Azure
ResourceId | Text | This field represents resource id for which data is being collected, it shows Recovery Services vault resource id
SubscriptionId | Text | This field represents subscription id of the resource (RS vault) for which data is being collected
ResourceGroup | Text | This field represents resource group of the resource (RS vault) for which data is being collected
ResourceProvider | Text | This field represents the resource provider for which data is being collected - Microsoft.RecoveryServices
ResourceType | Text | This field represents type of the resource for which data is being collected - Vaults

ProtectedServerAssociation
This table provides details about protected server associations with other entities.

FIELD | DATA TYPE | DESCRIPTION
EventName_s | Text | This field represents name of this event, it is always AzureBackupCentralReport
SchemaVersion_s | Text | This field denotes current version of the schema, it is V1
State_s | Text | Current state of the protected server association object, for example, Active, Deleted
BackupManagementType_s | Text | Provider type for performing backup, for example, IaaSVM, FileFolder to which this protected server belongs to
OperationName | Text | This field represents name of the current operation - ProtectedServerAssociation
Category | Text | This field represents category of diagnostics data pushed to Log Analytics, it is AzureBackupReport
Resource | Text | This is the resource for which data is being collected, it shows Recovery Services vault name
ProtectedServerUniqueId_s | Text | Unique Id of the protected server
VaultUniqueId_s | Text | Unique Id of the vault to which this protected server belongs to
SourceSystem | Text | Source system of the current data - Azure
ResourceId | Text | This field represents resource id for which data is being collected, it shows Recovery Services vault resource id
SubscriptionId | Text | This field represents subscription id of the resource (RS vault) for which data is being collected
ResourceGroup | Text | This field represents resource group of the resource (RS vault) for which data is being collected
ResourceProvider | Text | This field represents the resource provider for which data is being collected - Microsoft.RecoveryServices
ResourceType | Text | This field represents type of the resource for which data is being collected - Vaults

Storage
This table provides details about storage-related fields.

FIELD | DATA TYPE | DESCRIPTION
CloudStorageInBytes_s | Decimal Number | Cloud backup storage used by backups, calculated based on latest value
ProtectedInstances_s | Decimal Number | Number of protected instances used for calculating frontend storage in billing, calculated based on latest value
EventName_s | Text | This field represents name of this event, it is always AzureBackupCentralReport
SchemaVersion_s | Text | This field denotes current version of the schema, it is V1
State_s | Text | Current state of the storage object, for example, Active, Deleted
BackupManagementType_s | Text | Provider type for performing backup, for example, IaaSVM, FileFolder to which this storage belongs to
OperationName | Text | This field represents name of the current operation - Storage
Category | Text | This field represents category of diagnostics data pushed to Log Analytics, it is AzureBackupReport
Resource | Text | This is the resource for which data is being collected, it shows Recovery Services vault name
ProtectedServerUniqueId_s | Text | Unique Id of the protected server for which storage is calculated
VaultUniqueId_s | Text | Unique Id of the vault for which storage is calculated
SourceSystem | Text | Source system of the current data - Azure
ResourceId | Text | This field represents resource id for which data is being collected, it shows Recovery Services vault resource id
SubscriptionId | Text | This field represents subscription id of the resource (RS vault) for which data is being collected
ResourceGroup | Text | This field represents resource group of the resource (RS vault) for which data is being collected
ResourceProvider | Text | This field represents the resource provider for which data is being collected - Microsoft.RecoveryServices
ResourceType | Text | This field represents type of the resource for which data is being collected - Vaults

Vault
This table provides details about vault-related fields.

FIELD | DATA TYPE | DESCRIPTION
EventName_s | Text | This field represents name of this event, it is always AzureBackupCentralReport
SchemaVersion_s | Text | This field denotes current version of the schema, it is V1
State_s | Text | Current state of the vault object, for example, Active, Deleted
OperationName | Text | This field represents name of the current operation - Vault
Category | Text | This field represents category of diagnostics data pushed to Log Analytics, it is AzureBackupReport
Resource | Text | This is the resource for which data is being collected, it shows Recovery Services vault name
VaultUniqueId_s | Text | Unique Id of the vault
VaultName_s | Text | Name of the vault
AzureDataCenter_s | Text | Data center where vault is located
StorageReplicationType_s | Text | Type of storage replication for the vault, for example, GeoRedundant
SourceSystem | Text | Source system of the current data - Azure
ResourceId | Text | This field represents resource id for which data is being collected, it shows Recovery Services vault resource id
SubscriptionId | Text | This field represents subscription id of the resource (RS vault) for which data is being collected
ResourceGroup | Text | This field represents resource group of the resource (RS vault) for which data is being collected
ResourceProvider | Text | This field represents the resource provider for which data is being collected - Microsoft.RecoveryServices
ResourceType | Text | This field represents type of the resource for which data is being collected - Vaults
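
Added example (not part of the original article or of any Microsoft tooling): a Python triage over exported Azure Backup report records that uses the Job and BackupItem fields listed above to surface protection gaps, repeated backup failures and restore jobs. The ids, names, timestamps and failure code in the sample are constructed; it assumes one BackupItem record per item and that `_s` fields arrive as strings.

```python
"""Triage Azure Backup report records exported from Log Analytics (added example)."""
from collections import defaultdict


def _rec(operation, **fields):
    """Build one constructed record carrying the common fields from the tables."""
    base = {"Category": "AzureBackupReport", "SchemaVersion_s": "V1",
            "OperationName": operation, "Resource": "vault-a"}
    base.update(fields)
    return base


def _job(job_id, item, op, status, start, mb="0", code=""):
    return _rec("Job", JobUniqueId_g=job_id, BackupItemUniqueId_s=item,
                JobOperation_s=op, JobStatus_s=status, JobStartDateTime_s=start,
                DataTransferredInMB_s=mb, JobFailureCode_s=code)


# Constructed sample data, not real telemetry. Ids, names, timestamps and the
# failure code are made up; state and operation values are the page's examples.
SAMPLE_RECORDS = [
    _rec("BackupItem", BackupItemUniqueId_s="item-1",
         BackupItemFriendlyName_s="sql-vm-01",
         ProtectionState_s="Protected", State_s="Active"),
    _rec("BackupItem", BackupItemUniqueId_s="item-2",
         BackupItemFriendlyName_s="file-srv-02",
         ProtectionState_s="ProtectionStopped", State_s="Active"),
    _job("job-1", "item-1", "Backup", "Completed", "2017-07-19 01:00:00", "512"),
    _job("job-2", "item-2", "Backup", "Failed", "2017-07-19 01:30:00",
         code="ExampleFailureCode"),
    _job("job-2", "item-2", "Backup", "Failed", "2017-07-19 01:30:00",
         code="ExampleFailureCode"),  # same job delivered twice
    _job("job-3", "item-2", "Backup", "Failed", "2017-07-20 01:30:00",
         code="ExampleFailureCode"),
    _job("job-4", "item-2", "Backup", "Completed", "2017-07-21 01:30:00", "100"),
    _job("job-5", "item-1", "Restore", "Completed", "2017-07-20 02:00:00", "2048"),
    # Records the triage must ignore: other category, unknown schema version.
    {"Category": "OtherCategory", "OperationName": "Job", "JobOperation_s": "Restore"},
    dict(_job("job-6", "item-1", "Backup", "Failed", "2017-07-21 03:00:00"),
         SchemaVersion_s="V2"),
]


def report_records(records, operation):
    """Yield V1 AzureBackupReport records for one OperationName."""
    for r in records:
        if (r.get("Category") == "AzureBackupReport"
                and r.get("SchemaVersion_s") == "V1"
                and r.get("OperationName") == operation):
            yield r


def unprotected_items(records):
    """Backup items that are not in the Protected state or whose object is Deleted."""
    flagged = set()
    for r in report_records(records, "BackupItem"):
        if r.get("ProtectionState_s") != "Protected" or r.get("State_s") == "Deleted":
            flagged.add((r.get("BackupItemUniqueId_s", ""),
                         r.get("BackupItemFriendlyName_s", ""),
                         r.get("ProtectionState_s", "")))
    return sorted(flagged)


def failed_backup_summary(records, min_failures=2):
    """Per backup item: total and failed Backup jobs plus the failure codes seen."""
    jobs = {}
    for r in report_records(records, "Job"):
        if r.get("JobOperation_s") == "Backup" and r.get("JobUniqueId_g"):
            jobs[r["JobUniqueId_g"]] = r  # a job reported twice counts once
    stats = defaultdict(lambda: {"total": 0, "failed": 0, "codes": set()})
    for r in jobs.values():
        s = stats[r.get("BackupItemUniqueId_s", "unknown")]
        s["total"] += 1
        if r.get("JobStatus_s") == "Failed":
            s["failed"] += 1
            s["codes"].add(r.get("JobFailureCode_s") or "unknown")
    return {item: {"total": s["total"], "failed": s["failed"],
                   "codes": sorted(s["codes"])}
            for item, s in stats.items() if s["failed"] >= min_failures}


def restore_jobs(records):
    """Restore jobs as (start, backup item, MB transferred) for change-record review."""
    found = []
    for r in report_records(records, "Job"):
        if r.get("JobOperation_s") != "Restore":
            continue
        try:
            mb = float(r.get("DataTransferredInMB_s") or 0)
        except ValueError:
            mb = 0.0  # value arrived as non-numeric text
        found.append((r.get("JobStartDateTime_s", ""),
                      r.get("BackupItemUniqueId_s", ""), mb))
    return sorted(found)


if __name__ == "__main__":
    print("Unprotected items:", unprotected_items(SAMPLE_RECORDS))
    print("Repeated backup failures:", failed_backup_summary(SAMPLE_RECORDS))
    print("Restore jobs:", restore_jobs(SAMPLE_RECORDS))
```
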

Next steps
After you review the data model for creating Azure Backup reports, you can start creating dashboards in Log
Analytics and OMS.
Preparing to back up workloads to Azure with DPM
8/21/2017 11 min to read

This article provides an introduction to using Microsoft Azure Backup to protect your System Center Data
Protection Manager (DPM) servers and workloads. By reading it, you'll understand:
- How Azure DPM server backup works
- The prerequisites to achieve a smooth backup experience
- The typical errors encountered and how to deal with them
- Supported scenarios

NOTE
Azure has two deployment models for creating and working with resources: Resource Manager and classic. This article
provides the information and procedures for restoring VMs deployed using the Resource Manager model.

System Center DPM backs up file and application data. Data backed up to DPM can be stored on tape, on disk, or
backed up to Azure with Microsoft Azure Backup. DPM interacts with Azure Backup as follows:
- DPM deployed as a physical server or on-premises virtual machine: If DPM is deployed as a physical
server or as an on-premises Hyper-V virtual machine, you can back up data to a Recovery Services vault in
addition to disk and tape backup.
- DPM deployed as an Azure virtual machine: From System Center 2012 R2 with Update 3, DPM can be
deployed as an Azure virtual machine. If DPM is deployed as an Azure virtual machine, you can back up data to
Azure disks attached to the DPM Azure virtual machine, or you can offload the data storage by backing it up to
a Recovery Services vault.

Why backup from DPM to Azure?


The business benefits of using Azure Backup for backing up DPM servers include:
- For on-premises DPM deployment, you can use Azure as an alternative to long-term deployment to tape.
- For DPM deployments in Azure, Azure Backup allows you to offload storage from the Azure disk, allowing you
to scale up by storing older data in Recovery Services vault and new data on disk.

Prerequisites
Prepare Azure Backup to back up DPM data as follows:
1. Create a Recovery Services vault: Create a vault in Azure portal.
2. Download vault credentials: Download the credentials which you use to register the DPM server to
Recovery Services vault.
3. Install the Azure Backup Agent: From Azure Backup, install the agent on each DPM server.
4. Register the server: Register the DPM server to Recovery Services vault.
1. Create a recovery services vault
To create a recovery services vault:
1. Sign in to the Azure portal.
2. On the Hub menu, click Browse and in the list of resources, type Recovery Services. As you begin typing,
the list will filter based on your input. Click Recovery Services vault.

The list of Recovery Services vaults is displayed.


3. On the Recovery Services vaults menu, click Add.

The Recovery Services vault blade opens, prompting you to provide a Name, Subscription, Resource
group, and Location.
4. For Name, enter a friendly name to identify the vault. The name needs to be unique for the Azure subscription.
Type a name that contains between 2 and 50 characters. It must start with a letter, and can contain only letters,
numbers, and hyphens.
5. Click Subscription to see the available list of subscriptions. If you are not sure which subscription to use, use
the default (or suggested) subscription. There will be multiple choices only if your organizational account is
associated with multiple Azure subscriptions.
6. Click Resource group to see the available list of Resource groups, or click New to create a new Resource
group. For complete information on Resource groups, see Azure Resource Manager overview.
7. Click Location to select the geographic region for the vault.
8. Click Create. It can take a while for the Recovery Services vault to be created. Monitor the status notifications
in the upper right-hand area in the portal. Once your vault is created, it opens in the portal.
Set Storage Replication
The storage replication option allows you to choose between geo-redundant storage and locally redundant
storage. By default, your vault has geo-redundant storage. Leave the option set to geo-redundant storage if this is
your primary backup. Choose locally redundant storage if you want a cheaper option that isn't quite as durable.
Read more about geo-redundant and locally redundant storage options in the Azure Storage replication
overview.
To edit the storage replication setting:
1. Select your vault to open the vault dashboard and the Settings blade. If the Settings blade doesn't open, click
All settings in the vault dashboard.
2. On the Settings blade, click Backup Infrastructure > Backup Configuration to open the Backup
Configuration blade. On the Backup Configuration blade, choose the storage replication option for
your vault.
After choosing the storage option for your vault, you are ready to associate the VM with the vault. To begin
the association, you should discover and register the Azure virtual machines.
2. Download vault credentials
The vault credentials file is a certificate generated by the portal for each backup vault. The portal then uploads the
public key to the Access Control Service (ACS). The private key of the certificate is made available to the user as
part of the workflow which is given as an input in the machine registration workflow. This authenticates the
machine to send backup data to an identified vault in the Azure Backup service.
The vault credential is used only during the registration workflow. It is the user's responsibility to ensure that the
vault credentials file is not compromised. If it falls into the hands of a rogue user, the vault credentials file can be
used to register other machines against the same vault. However, as the backup data is encrypted using a
passphrase which belongs to the customer, existing backup data cannot be compromised. To mitigate this
concern, vault credentials are set to expire in 48 hours. You can download the vault credentials of a Recovery Services
vault any number of times, but only the latest vault credential file is applicable during the registration workflow.
The vault credential file is downloaded through a secure channel from the Azure portal. The Azure Backup service
is unaware of the private key of the certificate and the private key is not persisted in the portal or the service. Use
the following steps to download the vault credential file to a local machine.
1. Sign in to the Azure portal.
2. Open the Recovery Services vault to which you want to register the DPM machine.
3. The Settings blade opens by default. If it is closed, click Settings on the vault dashboard to open the Settings
blade. In the Settings blade, click Properties.
4. On the Properties page, click Download under Backup Credentials. The portal generates the vault
credential file, which is made available for download.
The portal will generate a vault credential using a combination of the vault name and the current date. Click Save
to download the vault credentials to the local account's downloads folder, or select Save As from the Save menu
to specify a location for the vault credentials. It will take up to a minute for the file to be generated.
Note
Ensure that the vault credentials file is saved in a location which can be accessed from your machine. If it is
stored in a file share/SMB, check for the access permissions.
The vault credentials file is used only during the registration workflow.
The vault credentials file expires after 48 hours and can be downloaded from the portal.
3. Install Backup Agent
After creating the Azure Backup vault, an agent should be installed on each of your Windows machines (Windows
Server, Windows client, System Center Data Protection Manager server, or Azure Backup Server machine) that
enables back up of data and applications to Azure.
1. Open the Recovery Services vault to which you want to register the DPM machine.
2. The Settings blade opens by default. If it is closed, click Settings to open the Settings blade. In the Settings
blade, click Properties.
3. On the Settings page, click Download under Azure Backup Agent.
Once the agent is downloaded, double click MARSAgentInstaller.exe to launch the installation of the Azure
Backup agent. Choose the installation folder and scratch folder required for the agent. The cache location
specified must have free space which is at least 5% of the backup data.
4. If you use a proxy server to connect to the internet, in the Proxy configuration screen, enter the proxy server
details. If you use an authenticated proxy, enter the user name and password details in this screen.
5. The Azure Backup agent installs .NET Framework 4.5 and Windows PowerShell (if it's not available already) to
complete the installation.
6. Once the agent is installed, Close the window.
7. To register the DPM server to the vault, in the Management tab, click Online. Then, select Register. It
will open the Register Setup Wizard.
8. If you use a proxy server to connect to the internet, in the Proxy configuration screen, enter the proxy
server details. If you use an authenticated proxy, enter the user name and password details in this screen.

9. In the vault credentials screen, browse to and select the vault credentials file which was previously
downloaded.
The vault credentials file is valid only for 48 hours (after it's downloaded from the portal). If you encounter
any error in this screen (for example, "Vault credentials file provided has expired"), log in to the Azure portal
and download the vault credentials file again.
Ensure that the vault credentials file is available in a location which can be accessed by the setup
application. If you encounter access related errors, copy the vault credentials file to a temporary location on
this machine and retry the operation.
If you encounter an invalid vault credential error (for example, "Invalid vault credentials provided"), the file
is either corrupted or does not have the latest credentials associated with the recovery service. Retry the
operation after downloading a new vault credential file from the portal. This error is typically seen if the
user clicks the Download vault credential option in the Azure portal in quick succession. In this case,
only the second vault credential file is valid.
10. To control the usage of network bandwidth during work, and non-work hours, in the Throttling Setting
screen, you can set the bandwidth usage limits and define the work and non-work hours.
11. In the Recovery Folder Setting screen, browse for the folder where the files downloaded from Azure will
be temporarily staged.
12. In the Encryption setting screen, you can either generate a passphrase or provide a passphrase
(minimum of 16 characters). Remember to save the passphrase in a secure location.
WARNING
If the passphrase is lost or forgotten, Microsoft cannot help in recovering the backup data. The end user owns the
encryption passphrase and Microsoft does not have visibility into the passphrase used by the end user. Please save
the file in a secure location as it is required during a recovery operation.

13. Once you click the Register button, the machine is registered successfully to the vault and you are now ready
to start backing up to Microsoft Azure.
14. When using Data Protection Manager, you can modify the settings specified during the registration workflow
by clicking the Configure option by selecting Online under the Management Tab.

Requirements (and limitations)


DPM can be running as a physical server or a Hyper-V virtual machine installed on System Center 2012 SP1 or
System Center 2012 R2. It can also be running as an Azure virtual machine running on System Center 2012
R2 with at least DPM 2012 R2 Update Rollup 3 or a Windows virtual machine in VMWare running on System
Center 2012 R2 with at least Update Rollup 5.
If you're running DPM with System Center 2012 SP1, you should install Update Rollup 2 for System Center
Data Protection Manager SP1. This is required before you can install the Azure Backup Agent.
The DPM server should have Windows PowerShell and .NET Framework 4.5 installed.
DPM can back up most workloads to Azure Backup. For a full list of what's supported, see the Azure Backup
support items below.
Data stored in Azure Backup can't be recovered with the copy to tape option.
You'll need an Azure account with the Azure Backup feature enabled. If you don't have an account, you can
create a free trial account in just a couple of minutes. Read about Azure Backup pricing.
Using Azure Backup requires the Azure Backup Agent to be installed on the servers you want to back up. Each
server must have at least 5 % of the size of the data that is being backed up, available as local free storage. For
example, backing up 100 GB of data requires a minimum of 5 GB of free space in the scratch location.
Data will be stored in the Azure vault storage. There's no limit to the amount of data you can back up to an
Azure Backup vault but the size of a data source (for example a virtual machine or database) shouldn't exceed
54400 GB.
These file types are supported for back up to Azure:
Encrypted (Full backups only)
Compressed (Incremental backups supported)
Sparse (Incremental backups supported)
Compressed and sparse (Treated as Sparse)
And these are unsupported:
Servers on case-sensitive file systems aren't supported.
Hard links (Skipped)
Reparse points (Skipped)
Encrypted and compressed (Skipped)
Encrypted and sparse (Skipped)
Compressed stream
Sparse stream

NOTE
From System Center 2012 DPM with SP1 onwards, you can back up workloads protected by DPM to Azure using
Microsoft Azure Backup.
Preparing to back up workloads to Azure with DPM
8/2/2017 10 min to read

This article provides an introduction to using Microsoft Azure Backup to protect your System Center Data
Protection Manager (DPM) servers and workloads. By reading it, you'll understand:
How Azure DPM server backup works
The prerequisites to achieve a smooth backup experience
The typical errors encountered and how to deal with them
Supported scenarios
System Center DPM backs up file and application data. Data backed up to DPM can be stored on tape, on disk, or
backed up to Azure with Microsoft Azure Backup. DPM interacts with Azure Backup as follows:
DPM deployed as a physical server or on-premises virtual machine: If DPM is deployed as a physical
server or as an on-premises Hyper-V virtual machine, you can back up data to an Azure Backup vault in addition
to disk and tape backup.
DPM deployed as an Azure virtual machine: From System Center 2012 R2 with Update 3, DPM can be
deployed as an Azure virtual machine. If DPM is deployed as an Azure virtual machine, you can back up data to
Azure disks attached to the DPM Azure virtual machine, or you can offload the data storage by backing it up to
an Azure Backup vault.

Why backup your DPM servers?


The business benefits of using Azure Backup for backing up DPM servers include:
For on-premises DPM deployment, you can use Azure backup as an alternative to long-term deployment to
tape.
For DPM deployments in Azure, Azure Backup allows you to offload storage from the Azure disk, allowing you
to scale up by storing older data in Azure Backup and new data on disk.

How does DPM server backup work?


To back up a virtual machine, first a point-in-time snapshot of the data is needed. The Azure Backup service
initiates the backup job at the scheduled time, and triggers the backup extension to take a snapshot. The backup
extension coordinates with the in-guest VSS service to achieve consistency, and invokes the blob snapshot API of
the Azure Storage service once consistency has been reached. This is done to get a consistent snapshot of the disks
of the virtual machine, without having to shut it down.
After the snapshot has been taken, the data is transferred by the Azure Backup service to the backup vault. The
service takes care of identifying and transferring only the blocks that have changed from the last backup making
the backups storage and network efficient. When the data transfer is completed, the snapshot is removed and a
recovery point is created. This recovery point can be seen in the Azure classic portal.

NOTE
For Linux virtual machines, only file-consistent backup is possible.

Prerequisites
Prepare Azure Backup to back up DPM data as follows:
1. Create a Backup vault. If you haven't created a Backup vault in your subscription, see the Azure portal
version of this article - Prepare to back up workloads to Azure with DPM.

IMPORTANT
Starting March 2017, you can no longer use the classic portal to create Backup vaults. You can now upgrade your
Backup vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to a Recovery Services
vault. Microsoft encourages you to upgrade your Backup vaults to Recovery Services vaults.
After October 15, 2017, you can't use PowerShell to create Backup vaults. By November 1, 2017:
All remaining Backup vaults will be automatically upgraded to Recovery Services vaults.
You won't be able to access your backup data in the classic portal. Instead, use the Azure portal to access your
backup data in Recovery Services vaults.

2. Download vault credentials: In Azure Backup, upload the management certificate you created to the
vault.
3. Install the Azure Backup Agent and register the server: From Azure Backup, install the agent on each
DPM server and register the DPM server in the backup vault.

Using vault credentials to authenticate with the Azure Backup service


The on-premises server (Windows client or Windows Server or Data Protection Manager server) needs to be
authenticated with a backup vault before it can back up data to Azure. The authentication is achieved using vault
credentials. The concept of vault credentials is similar to the concept of a publish settings file which is used in
Azure PowerShell.
What is the vault credential file?
The vault credentials file is a certificate generated by the portal for each backup vault. The portal then uploads the
public key to the Access Control Service (ACS). The private key of the certificate is made available to the user as
part of the workflow which is given as an input in the machine registration workflow. This authenticates the
machine to send backup data to an identified vault in the Azure Backup service.
The vault credential is used only during the registration workflow. It is the user's responsibility to ensure that the
vault credentials file is not compromised. If it falls into the hands of a rogue user, the vault credentials file can be
used to register other machines against the same vault. However, as the backup data is encrypted using a
passphrase which belongs to the customer, existing backup data cannot be compromised. To mitigate this concern,
vault credentials are set to expire in 48 hours. You can download the vault credentials of a backup vault any number
of times, but only the latest vault credential file is applicable during the registration workflow.
Download the vault credential file
The vault credential file is downloaded through a secure channel from the Azure portal. The Azure Backup service
is unaware of the private key of the certificate and the private key is not persisted in the portal or the service. Use
the following steps to download the vault credential file to a local machine.
1. Sign in to the Management Portal.
2. Click on Recovery Services in the left navigation pane and select the backup vault which you have created.
Click on the cloud icon to get to the Quick Start view of the backup vault.
3. On the Quick Start page, click Download vault credentials. The portal generates the vault credential file,
which is made available for download.

4. The portal will generate a vault credential using a combination of the vault name and the current date. Click
Save to download the vault credentials to the local account's downloads folder, or select Save As from the Save
menu to specify a location for the vault credentials.
Note
Ensure that the vault credentials file is saved in a location which can be accessed from your machine. If it is stored
in a file share/SMB, check for the access permissions.
The vault credentials file is used only during the registration workflow.
The vault credentials file expires after 48 hours and can be downloaded from the portal.
Refer to the Azure Backup FAQ for any questions on the workflow.
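
The rules described above and in the Azure portal version of this article (48-hour expiry, only the latest download is valid, and the file must not be readable by others) can be checked before registration. The following PowerShell function is an added example, not part of the original documentation; the function name, the .VaultCredentials extension filter, and the use of the file creation time as the download time are assumptions.

```powershell
# Added example: audit downloaded vault credentials files before registration.
# Assumptions (not from the article): files use the .VaultCredentials extension
# and CreationTimeUtc approximates the time the file was downloaded.

function Test-VaultCredentialFile {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string] $Path,                          # folder holding the downloads
        [int]    $MaxAgeHours = 48,              # expiry stated in the article
        [string] $Filter = '*.VaultCredentials'  # assumed file extension
    )

    # Well-known SIDs of broad groups that should not be able to read the file.
    $broadSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-7'      = 'Anonymous Logon'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

    # Newest first: only the most recently generated file is accepted.
    $files = @(Get-ChildItem -LiteralPath $Path -Filter $Filter -File |
               Sort-Object -Property CreationTimeUtc -Descending)
    if ($files.Count -eq 0) {
        Write-Warning "No files matching '$Filter' found in '$Path'."
        return
    }

    $now = [DateTime]::UtcNow
    for ($i = 0; $i -lt $files.Count; $i++) {
        $file     = $files[$i]
        $ageHours = [math]::Round(($now - $file.CreationTimeUtc).TotalHours, 1)

        # Collect Allow rules (explicit and inherited) that let a broad group
        # read the file contents.
        $acl   = Get-Acl -LiteralPath $file.FullName
        $rules = $acl.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])
        $broadReaders = @(
            @(foreach ($rule in $rules) {
                $sid = $rule.IdentityReference.Value
                if ($rule.AccessControlType -eq 'Allow' -and
                    $broadSids.ContainsKey($sid) -and
                    (([int]$rule.FileSystemRights -band $readData) -ne 0)) {
                    $broadSids[$sid]
                }
            }) | Select-Object -Unique
        )

        [pscustomobject]@{
            File         = $file.Name
            AgeHours     = $ageHours
            IsLatest     = ($i -eq 0)
            Expired      = ($ageHours -ge $MaxAgeHours)
            BroadReaders = ($broadReaders -join ', ')
            # Usable only if it is the newest download and still inside the window.
            Usable       = (($i -eq 0) -and ($ageHours -lt $MaxAgeHours))
        }
    }
}

# Example call against the local account's downloads folder:
# Test-VaultCredentialFile -Path (Join-Path $env:USERPROFILE 'Downloads') |
#     Format-Table -AutoSize
```

Rows with Usable set to False are superseded or expired files; a non-empty BroadReaders column means the file or its parent folder grants read access to a broad group.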

Download, install, and register the Azure Backup agent


After creating the Azure Backup vault, an agent should be installed on each of your Windows machines (Windows
Server, Windows client, System Center Data Protection Manager server, or Azure Backup Server machine) that
enables back up of data and applications to Azure.
1. Sign in to the Management Portal.
2. Click Recovery Services, then select the backup vault that you want to register with a server. The Quick
Start page for that backup vault appears.

3. On the Quick Start page, click the For Windows Server or System Center Data Protection Manager or
Windows client option under Download Agent. Click Save to copy it to the local machine.

4. Once the agent is downloaded, double click MARSAgentInstaller.exe to launch the installation of the Azure Backup
agent. Choose the installation folder and scratch folder required for the agent. The cache location specified
must have free space which is at least 5% of the backup data.
5. If you use a proxy server to connect to the internet, in the Proxy configuration screen, enter the proxy server
details. If you use an authenticated proxy, enter the user name and password details in this screen.
6. The Azure Backup agent installs .NET Framework 4.5 and Windows PowerShell (if it's not available already) to
complete the installation.
7. Once the agent is installed, click the Proceed to Registration button to continue with the workflow.
8. In the vault credentials screen, browse to and select the vault credentials file which was previously
downloaded.

The vault credentials file is valid only for 48 hours (after it's downloaded from the portal). If you encounter any
error in this screen (e.g., "Vault credentials file provided has expired"), log in to the Azure portal and
download the vault credentials file again.
Ensure that the vault credentials file is available in a location which can be accessed by the setup application.
If you encounter access related errors, copy the vault credentials file to a temporary location on this machine
and retry the operation.
If you encounter an invalid vault credential error (e.g., "Invalid vault credentials provided"), the file is either
corrupted or does not have the latest credentials associated with the recovery service. Retry the operation
after downloading a new vault credential file from the portal. This error is typically seen if the user clicks
the Download vault credential option in the Azure portal in quick succession. In this case, only the
second vault credential file is valid.
9. In the Encryption setting screen, you can either generate a passphrase or provide a passphrase (minimum
of 16 characters). Remember to save the passphrase in a secure location.

WARNING
If the passphrase is lost or forgotten, Microsoft cannot help in recovering the backup data. The end user owns the
encryption passphrase and Microsoft does not have visibility into the passphrase used by the end user. Please save
the file in a secure location as it is required during a recovery operation.

10. Once you click the Finish button, the machine is registered successfully to the vault and you are now ready to
start backing up to Microsoft Azure.
11. When using Microsoft Azure Backup standalone you can modify the settings specified during the
registration workflow by clicking on the Change Properties option in the Azure Backup mmc snap in.
Alternatively, when using Data Protection Manager, you can modify the settings specified during the
registration workflow by clicking the Configure option by selecting Online under the Management Tab.

Requirements (and limitations)


DPM can be running as a physical server or a Hyper-V virtual machine installed on System Center 2012 SP1 or
System Center 2012 R2. It can also be running as an Azure virtual machine running on System Center 2012 R2
with at least DPM 2012 R2 Update Rollup 3 or a Windows virtual machine in VMWare running on System
Center 2012 R2 with at least Update Rollup 5.
If you're running DPM with System Center 2012 SP1, you should install Update Rollup 2 for System Center
Data Protection Manager SP1. This is required before you can install the Azure Backup Agent.
The DPM server should have Windows PowerShell and .NET Framework 4.5 installed.
DPM can back up most workloads to Azure Backup. For a full list of what's supported, see the Azure Backup
support items below.
Data stored in Azure Backup can't be recovered with the copy to tape option.
You'll need an Azure account with the Azure Backup feature enabled. If you don't have an account, you can
create a free trial account in just a couple of minutes. Read about Azure Backup pricing.
Using Azure Backup requires the Azure Backup Agent to be installed on the servers you want to back up. Each
server must have at least 10% of the size of the data that is being backed up, available as local free storage. For
example, backing up 100 GB of data requires a minimum of 10 GB of free space in the scratch location. While
the minimum is 10%, 15% of free local storage space to be used for the cache location is recommended.
Data will be stored in the Azure vault storage. There's no limit to the amount of data you can back up to an
Azure Backup vault but the size of a data source (for example a virtual machine or database) shouldn't exceed
54,400 GB.
These file types are supported for back up to Azure:
Encrypted (Full backups only)
Compressed (Incremental backups supported)
Sparse (Incremental backups supported)
Compressed and sparse (Treated as Sparse)
And these are unsupported:
Servers on case-sensitive file systems aren't supported.
Hard links (Skipped)
Reparse points (Skipped)
Encrypted and compressed (Skipped)
Encrypted and sparse (Skipped)
Compressed stream
Sparse stream

NOTE
From System Center 2012 DPM with SP1 onwards, you can back up workloads protected by DPM to Azure using
Microsoft Azure Backup.
Back up an Exchange server to Azure Backup with
System Center 2012 R2 DPM
9/27/2017 3 min to read

This article describes how to configure a System Center 2012 R2 Data Protection Manager (DPM) server to back up
a Microsoft Exchange server to Azure Backup.

Updates
To successfully register the DPM server with Azure Backup, you must install the latest update rollup for System
Center 2012 R2 DPM and the latest version of the Azure Backup Agent. Get the latest update rollup from the
Microsoft Catalog.

NOTE
For the examples in this article, version 2.0.8719.0 of the Azure Backup Agent is installed, and Update Rollup 6 is installed on
System Center 2012 R2 DPM.

Prerequisites
Before you continue, make sure that all the prerequisites for using Microsoft Azure Backup to protect workloads
have been met. These prerequisites include the following:
A backup vault on the Azure site has been created.
Agent and vault credentials have been downloaded to the DPM server.
The agent is installed on the DPM server.
The vault credentials were used to register the DPM server.
If you are protecting Exchange 2016, please upgrade to DPM 2012 R2 UR9 or later.

DPM protection agent


To install the DPM protection agent on the Exchange server, follow these steps:
1. Make sure that the firewalls are correctly configured. See Configure firewall exceptions for the agent.
2. Install the agent on the Exchange server by clicking Management > Agents > Install in DPM Administrator
Console. See Install the DPM protection agent for detailed steps.

Create a protection group for the Exchange server


1. In the DPM Administrator Console, click Protection, and then click New on the tool ribbon to open the Create
New Protection Group wizard.
2. On the Welcome screen of the wizard click Next.
3. On the Select protection group type screen, select Servers and click Next.
4. Select the Exchange server database that you want to protect and click Next.
NOTE
If you are protecting Exchange 2013, check the Exchange 2013 prerequisites.

In the following example, the Exchange 2010 database is selected.

5. Select the data protection method.


Name the protection group, and then select both of the following options:
I want short-term protection using Disk.
I want online protection.
6. Click Next.
7. Select the Run Eseutil to check data integrity option if you want to check the integrity of the Exchange
Server databases.
After you select this option, backup consistency checking will be run on the DPM server to avoid the I/O
traffic that's generated by running the eseutil command on the Exchange server.
NOTE
To use this option, you must copy the Ese.dll and Eseutil.exe files to the C:\Program Files\Microsoft System Center
2012 R2\DPM\DPM\bin directory on the DPM server. Otherwise, the following error is triggered:

8. Click Next.
9. Select the database for Copy Backup, and then click Next.

NOTE
If you do not select Full backup for at least one DAG copy of a database, logs will not be truncated.

10. Configure the goals for Short-Term backup, and then click Next.
11. Review the available disk space, and then click Next.
12. Select the time at which the DPM server will create the initial replication, and then click Next.
13. Select the consistency check options, and then click Next.
14. Choose the database that you want to back up to Azure, and then click Next. For example:
15. Define the schedule for Azure Backup, and then click Next. For example:
NOTE
Online recovery points are based on express full recovery points. Therefore, you must schedule the online
recovery point after the time that's specified for the express full recovery point.

16. Configure the retention policy for Azure Backup, and then click Next.
17. Choose an online replication option and click Next.
If you have a large database, it could take a long time for the initial backup to be created over the network.
To avoid this issue, you can create an offline backup.

18. Confirm the settings, and then click Create Group.


19. Click Close.

Recover the Exchange database


1. To recover an Exchange database, click Recovery in the DPM Administrator Console.
2. Locate the Exchange database that you want to recover.
3. Select an online recovery point from the recovery time drop-down list.
4. Click Recover to start the Recovery Wizard.
For online recovery points, there are five recovery types:
Recover to original Exchange Server location: The data will be recovered to the original Exchange server.
Recover to another database on an Exchange Server: The data will be recovered to another database on
another Exchange server.
Recover to a Recovery Database: The data will be recovered to an Exchange Recovery Database (RDB).
Copy to a network folder: The data will be recovered to a network folder.
Copy to tape: If you have a tape library or a stand-alone tape drive attached and configured on the DPM
server, the recovery point will be copied to a free tape.

Next steps
Azure Backup FAQ
Recover data from Azure Backup Server
8/21/2017 5 min to read

You can use Azure Backup Server to recover the data you've backed up to a Recovery Services vault. The process
for doing so is integrated into the Azure Backup Server management console, and is similar to the recovery
workflow for other Azure Backup components.

NOTE
This article is applicable for System Center Data Protection Manager 2012 R2 with UR7 or later, combined with the latest
Azure Backup agent.

To recover data from an Azure Backup Server:


1. From the Recovery tab of the Azure Backup Server management console, click 'Add External DPM' (at the
top left of the screen).

2. Download new vault credentials from the vault associated with the Azure Backup Server where the data
is being recovered, choose the Azure Backup Server from the list of Azure Backup Servers registered with
the Recovery Services vault, and provide the encryption passphrase associated with the server whose
data is being recovered.
NOTE
Only Azure Backup Servers associated with the same registration vault can recover each other's data.

Once the External Azure Backup Server is successfully added, you can browse the data of the external
server and the local Azure Backup Server from the Recovery tab.
3. Browse the available list of production servers protected by the external Azure Backup Server and select the
appropriate data source.

4. Select the month and year from the Recovery points drop down, select the required Recovery date for
when the recovery point was created, and select the Recovery time.
A list of files and folders appears in the bottom pane, which can be browsed and recovered to any location.

5. Right click the appropriate item and click Recover.


6. Review the Recover Selection. Verify the date and time of the backup copy being recovered, as well as the
source from which the backup copy was created. If the selection is incorrect, click Cancel to navigate back
to recovery tab to select appropriate recovery point. If the selection is correct, click Next.

7. Select Recover to an alternate location. Browse to the correct location for the recovery.
8. Choose the option related to create copy, Skip, or Overwrite.
Create copy - creates a copy of the file if there is a name collision.
Skip - if there is a name collision, does not recover the file which leaves the original file.
Overwrite - if there is a name collision, overwrites the existing copy of the file.
Choose the appropriate option to Restore security. You can apply the security settings of the
destination computer where the data is being recovered or the security settings that were applicable
to the product at the time the recovery point was created.
Identify whether a Notification is sent, once the recovery successfully completes.
9. The Summary screen lists the options chosen so far. Once you click Recover, the data is recovered to the
appropriate on-premises location.
NOTE
The recovery job can be monitored in the Monitoring tab of the Azure Backup Server.

10. You can click Clear External DPM on the Recovery tab of the DPM server to remove the view of the
external DPM server.

Troubleshooting Error Messages


NO. / ERROR MESSAGE / TROUBLESHOOTING STEPS

1. Error message: This server is not registered to the vault specified by the vault credential.
Cause: This error appears when the vault credential file selected does not belong to the Recovery Services vault
associated with Azure Backup Server on which the recovery is attempted.
Resolution: Download the vault credential file from the Recovery Services vault to which the Azure Backup Server
is registered.

2. Error message: Either the recoverable data is not available or the selected server is not a DPM server.
Cause: There are no other Azure Backup Servers registered to the Recovery Services vault, or the servers have not
yet uploaded the metadata, or the selected server is not an Azure Backup Server (aka Windows Server or Windows
Client).
Resolution: If there are other Azure Backup Servers registered to the Recovery Services vault, ensure that the
latest Azure Backup agent is installed.
If there are other Azure Backup Servers registered to the Recovery Services vault, wait for a day after installation
to start the recovery process. The nightly job will upload the metadata for all the protected backups to cloud. The
data will be available for recovery.

3. Error message: No other DPM server is registered to this vault.
Cause: There are no other Azure Backup Servers that are registered to the vault from which the recovery is being
attempted.
Resolution: If there are other Azure Backup Servers registered to the Recovery Services vault, ensure that the
latest Azure Backup agent is installed.
If there are other Azure Backup Servers registered to the Recovery Services vault, wait for a day after installation
to start the recovery process. The nightly job uploads the metadata for all protected backups to cloud. The data
will be available for recovery.

4. Error message: The encryption passphrase provided does not match with passphrase associated with the
following server:
Cause: The encryption passphrase used in the process of encrypting the data from the Azure Backup Server's data
that is being recovered does not match the encryption passphrase provided. The agent is unable to decrypt the
data. Hence the recovery fails.
Resolution: Please provide the exact same encryption passphrase associated with the Azure Backup Server whose
data is being recovered.

Frequently asked questions


Why can't I add an external DPM server after installing UR7 and latest Azure Backup agent?
For the DPM servers with data sources that are protected to the cloud (by using an update rollup earlier than
Update Rollup 7), you must wait at least one day after installing the UR7 and latest Azure Backup agent, to start
Add External DPM server. The one-day time period is needed to upload the metadata of the DPM protection
groups to Azure. Protection group metadata is uploaded the first time through a nightly job.
What is the minimum version of the Microsoft Azure Recovery Services agent needed?
The minimum version of the Microsoft Azure Recovery Services agent, or Azure Backup agent, required to enable
this feature is 2.0.8719.0. To view the agent's version: open Control Panel > All Control Panel items > Programs
and features > Microsoft Azure Recovery Services Agent. If the version is less than 2.0.8719.0, download and
install the latest Azure Backup agent.

Next steps:
Azure Backup FAQ
Back up SQL Server to Azure as a DPM workload
6/27/2017

This article leads you through the configuration steps for backup of SQL Server databases using Azure Backup.
To back up SQL Server databases to Azure, you need an Azure account. If you don't have an account, you can
create a free trial account in just a couple of minutes. For details, see Azure Free Trial.
The management of SQL Server database backup to Azure and recovery from Azure involves three steps:
1. Create a backup policy to protect SQL Server databases to Azure.
2. Create on-demand backup copies to Azure.
3. Recover the database from Azure.

Before you start


Before you begin, ensure that all the prerequisites for using Microsoft Azure Backup to protect workloads have
been met. The prerequisites cover tasks such as: creating a backup vault, downloading vault credentials, installing
the Azure Backup Agent, and registering the server with the vault.

Create a backup policy to protect SQL Server databases to Azure


1. On the DPM server, click the Protection workspace.
2. On the tool ribbon, click New to create a new protection group.

3. DPM shows the start screen with the guidance on creating a Protection Group. Click Next.
4. Select Servers.
5. Expand the SQL Server machine where the databases to be backed up are present. DPM shows various data
sources that can be backed up from that server. Expand the All SQL Shares and select the databases (in this
case we selected ReportServer$MSDPM2012 and ReportServer$MSDPM2012TempDB) to be backed up.
Click Next.

6. Provide a name for the protection group and select the I want online Protection checkbox.
7. In the Specify Short-Term Goals screen, include the necessary inputs to create backup points to disk.
Here we see that Retention range is set to 5 days, Synchronization frequency is set to once every 15
minutes which is the frequency at which backup is taken. Express Full Backup is set to 8:00 P.M.
NOTE
At 8:00 PM (according to the screen input) a backup point is created every day by transferring the data that has
been modified from the previous day's 8:00 PM backup point. This process is called Express Full Backup. While the
transaction logs are synchronized every 15 minutes, if there is a need to recover the database at 9:00 PM then the
point is created by replaying the logs from the last express full backup point (8pm in this case).

8. Click Next
DPM shows the overall storage space available and the potential disk space utilization.
By default, DPM creates one volume per data source (SQL Server database) which is used for the initial
backup copy. Using this approach, the Logical Disk Manager (LDM) limits DPM protection to 300 data
sources (SQL Server databases). To work around this limitation, select the Co-locate data in DPM Storage
Pool option. If you use this option, DPM uses a single volume for multiple data sources, which allows DPM
to protect up to 2000 SQL databases.
If Automatically grow the volumes option is selected, DPM can account for the increased backup volume
as the production data grows. If Automatically grow the volumes option is not selected, DPM limits the
backup storage used to the data sources in the protection group.
9. Administrators are given the choice of transferring this initial backup manually (off network) to avoid
bandwidth congestion or over the network. They can also configure the time at which the initial transfer can
happen. Click Next.

The initial backup copy requires transfer of the entire data source (SQL Server database) from production
server (SQL Server machine) to the DPM server. This data might be large, and transferring the data over the
network could exceed bandwidth. For this reason, administrators can choose to transfer the initial backup:
Manually (using removable media) to avoid bandwidth congestion, or Automatically over the network
(at a specified time).
Once the initial backup is complete, the rest of the backups are incremental backups on the initial backup
copy. Incremental backups tend to be small and are easily transferred across the network.
10. Choose when you want the consistency check to run and click Next.

DPM can perform a consistency check to check the integrity of the backup point. It calculates the checksum
of the backup file on the production server (SQL Server machine in this scenario) and the backed-up data
for that file at DPM. In the case of a conflict, it is assumed that the backed-up file at DPM is corrupt. DPM
rectifies the backed-up data by sending the blocks corresponding to the checksum mismatch. As the
consistency check is a performance-intensive operation, administrators have the option of scheduling the
consistency check or running it automatically.
11. To specify online protection of the datasources, select the databases to be protected to Azure and click Next.

12. Administrators can choose backup schedules and retention policies that suit their organization policies.
In this example, backups are taken once a day at 12:00 PM and 8 PM (bottom part of the screen)

NOTE
It's a good practice to have a few short-term recovery points on disk, for quick recovery. These recovery points are
used for "operational recovery". Azure serves as a good offsite location with higher SLAs and guaranteed availability.

Best Practice: Make sure that Azure Backups are scheduled after the completion of local disk backups using
DPM. This enables the latest disk backup to be copied to Azure.
13. Choose the retention policy schedule. The details on how the retention policy works are provided in the
Use Azure Backup to replace your tape infrastructure article.
In this example:
Backups are taken once a day at 12:00 PM and 8 PM (bottom part of the screen) and are retained for 180
days.
The backup on Saturday at 12:00 P.M. is retained for 104 weeks
The backup on Last Saturday at 12:00 P.M. is retained for 60 months
The backup on Last Saturday of March at 12:00 P.M. is retained for 10 years
14. Click Next and select the appropriate option for transferring the initial backup copy to Azure. You can
choose Automatically over the network or Offline Backup.
Automatically over the network transfers the backup data to Azure as per the schedule chosen for
backup.
How Offline Backup works is explained at Offline Backup workflow in Azure Backup.
Choose the relevant transfer mechanism to send the initial backup copy to Azure and click Next.
15. Once you review the policy details in the Summary screen, click on the Create group button to complete
the workflow. You can click the Close button and monitor the job progress in Monitoring workspace.
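The retention tiers from step 13, worked through for a few backup times. This is an added example, not part of the original article or of DPM; the function name, the sample dates, and the rule that a recovery point matching several tiers is kept for the longest one are assumptions.

```powershell
# Added example: classify a recovery point against the retention policy in step 13
# and compute when it expires. Names and sample dates are constructed.
# Assumption: a point that matches several tiers is kept for the longest one.
function Get-RetentionExpiry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [datetime]$BackupTime,

        # Date on which you want to know whether the point can still be restored.
        [datetime]$AsOf = (Get-Date)
    )
    process {
        $isNoon     = $BackupTime.Hour -eq 12 -and $BackupTime.Minute -eq 0
        $isSaturday = $BackupTime.DayOfWeek -eq [DayOfWeek]::Saturday
        # A Saturday is the last one of its month when the next Saturday
        # falls in a different month.
        $isLastSat  = $isSaturday -and ($BackupTime.AddDays(7).Month -ne $BackupTime.Month)

        # Every point starts in the daily tier (180 days).
        $tier   = 'Daily'
        $expiry = $BackupTime.AddDays(180)

        # Saturday 12:00 PM: 104 weeks.
        if ($isNoon -and $isSaturday) {
            $tier   = 'Weekly'
            $expiry = $BackupTime.AddDays(7 * 104)
        }
        # Last Saturday of the month, 12:00 PM: 60 months.
        if ($isNoon -and $isLastSat) {
            $tier   = 'Monthly'
            $expiry = $BackupTime.AddMonths(60)
        }
        # Last Saturday of March, 12:00 PM: 10 years.
        if ($isNoon -and $isLastSat -and $BackupTime.Month -eq 3) {
            $tier   = 'Yearly'
            $expiry = $BackupTime.AddYears(10)
        }

        [pscustomobject]@{
            BackupTime = $BackupTime
            Tier       = $tier
            Expires    = $expiry
            Available  = $AsOf -lt $expiry
        }
    }
}

# Constructed sample backup times (not taken from a real vault).
$samples = @(
    [datetime]'2017-03-22T12:00:00'   # Wednesday noon
    [datetime]'2017-03-18T12:00:00'   # Saturday noon, not the last of the month
    [datetime]'2017-03-25T20:00:00'   # last Saturday of March, 8 PM backup
    [datetime]'2017-04-29T12:00:00'   # last Saturday of April, noon
    [datetime]'2017-03-25T12:00:00'   # last Saturday of March, noon
)

$samples |
    Get-RetentionExpiry -AsOf ([datetime]'2019-01-01') |
    Format-Table -AutoSize
```

Only the 12:00 PM backup qualifies for the longer tiers; the 8 PM backup on the same Saturday stays in the 180-day tier.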
On-demand backup of a SQL Server database
While the previous steps created a backup policy, a recovery point is created only when the first backup occurs.
Rather than waiting for the scheduler to kick in, the steps below trigger the creation of a recovery point manually.
1. Wait until the protection group status shows OK for the database before creating the recovery point.

2. Right-click on the database and select Create Recovery Point.


3. Choose Online Protection in the drop-down menu and click OK. This starts the creation of a recovery
point in Azure.

4. You can view the job progress in the Monitoring workspace, where you'll find an in-progress job like the
one depicted in the next figure.

Recover a SQL Server database from Azure


The following steps are required to recover a protected entity (SQL Server database) from Azure.
1. Open the DPM server Management Console. Navigate to Recovery workspace where you can see the
servers backed up by DPM. Browse the required database (in this case ReportServer$MSDPM2012). Select a
Recovery from time which ends with Online.

2. Right-click the database name and click Recover.

3. DPM shows the details of the recovery point. Click Next. To overwrite the database, select the recovery type
Recover to original instance of SQL Server. Click Next.
In this example, DPM allows recovery of the database to another SQL Server instance or to a standalone
network folder.
4. In the Specify Recovery options screen, you can select the recovery options like Network bandwidth usage
throttling to throttle the bandwidth used by recovery. Click Next.
5. In the Summary screen, you see all the recovery configurations provided so far. Click Recover.
The Recovery status shows the database being recovered. You can click Close to close the wizard and view
the progress in the Monitoring workspace.

Once the recovery is completed, the restored database is application consistent.


Next Steps:
Azure Backup FAQ
Back up a SharePoint farm to Azure
6/27/2017

You back up a SharePoint farm to Microsoft Azure by using System Center Data Protection Manager (DPM) in
much the same way that you back up other data sources. Azure Backup provides flexibility in the backup schedule
to create daily, weekly, monthly, or yearly backup points and gives you retention policy options for various backup
points. DPM provides the capability to store local disk copies for quick recovery-time objectives (RTO) and to store
copies to Azure for economical, long-term retention.

SharePoint supported versions and related protection scenarios


Azure Backup for DPM supports the following scenarios:

WORKLOAD: SharePoint
VERSION: SharePoint 2013, SharePoint 2010, SharePoint 2007, SharePoint 3.0
SHAREPOINT DEPLOYMENT: SharePoint deployed as a physical server or Hyper-V/VMware virtual machine. SQL
AlwaysOn.
DPM DEPLOYMENT TYPE: Physical server or on-premises Hyper-V virtual machine
DPM - SYSTEM CENTER 2012 R2: Supports backup to Azure from Update Rollup 5
PROTECTION AND RECOVERY: Protect SharePoint Farm recovery options: Recovery farm, database, and file or
list item from disk recovery points. Farm and database recovery from Azure recovery points.

Before you start


There are a few things you need to confirm before you back up a SharePoint farm to Azure.
Prerequisites
Before you proceed, make sure that you have met all the prerequisites for using Microsoft Azure Backup to protect
workloads. Some tasks for prerequisites include: create a backup vault, download vault credentials, install Azure
Backup Agent, and register DPM/Azure Backup Server with the vault.
DPM agent
The DPM agent must be installed on the server that's running SharePoint, the servers that are running SQL Server,
and all other servers that are part of the SharePoint farm. For more information about how to set up the protection
agent, see Setup Protection Agent. The one exception is that you install the agent only on a single web front end
(WFE) server. DPM needs the agent on one WFE server only to serve as the entry point for protection.
SharePoint farm
For every 10 million items in the farm, there must be at least 2 GB of space on the volume where the DPM folder is
located. This space is required for catalog generation. For DPM to recover specific items (site collections, sites, lists,
document libraries, folders, individual documents, and list items), catalog generation creates a list of the URLs that
are contained within each content database. You can view the list of URLs in the recoverable item pane in the
Recovery task area of DPM Administrator Console.
SQL Server
DPM runs as a LocalSystem account. To back up SQL Server databases, DPM needs sysadmin privileges on that
account for the server that's running SQL Server. Set NT AUTHORITY\SYSTEM to sysadmin on the server that's
running SQL Server before you back it up.
If the SharePoint farm has SQL Server databases that are configured with SQL Server aliases, install the SQL Server
client components on the front-end Web server that DPM will protect.
SharePoint Server
While performance depends on many factors such as size of SharePoint farm, as general guidance one DPM server
can protect a 25 TB SharePoint farm.
DPM Update Rollup 5
To begin protection of a SharePoint farm to Azure, you need to install DPM Update Rollup 5 or later. Update Rollup
5 provides the ability to protect a SharePoint farm to Azure if the farm is configured by using SQL AlwaysOn. For
more information, see the blog post that introduces DPM Update Rollup 5
What's not supported
DPM that protects a SharePoint farm does not protect search indexes or application service databases. You will
need to configure the protection of these databases separately.
DPM does not provide backup of SharePoint SQL Server databases that are hosted on scale-out file server
(SOFS) shares.

Configure SharePoint protection


Before you can use DPM to protect SharePoint, you must configure the SharePoint VSS Writer service (WSS Writer
service) by using ConfigureSharePoint.exe.
You can find ConfigureSharePoint.exe in the [DPM Installation Path]\bin folder on the front-end web server. This
tool provides the protection agent with the credentials for the SharePoint farm. You run it on a single WFE server. If
you have multiple WFE servers, select just one when you configure a protection group.
To configure the SharePoint VSS Writer service
1. On the WFE server, at a command prompt, go to [DPM installation location]\bin\
2. Enter ConfigureSharePoint -EnableSharePointProtection.
3. Enter the farm administrator credentials. This account should be a member of the local Administrator group on
the WFE server. If the farm administrator isn't a local admin, grant the following permissions on the WFE server:
Grant the WSS_Admin_WPG group full control to the DPM folder (%Program Files%\Microsoft Data
Protection Manager\DPM).
Grant the WSS_Admin_WPG group read access to the DPM Registry key
(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager).

NOTE
You'll need to rerun ConfigureSharePoint.exe whenever there's a change in the SharePoint farm administrator credentials.
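One way to apply and then audit the two WSS_Admin_WPG permissions from step 3, as an added example that is not part of the original article or a Microsoft script. The function names, the use of $env:ProgramFiles for the folder the article writes as %Program Files%, and the inheritance flags are assumptions.

```powershell
# Added example: grant the permissions from step 3 and verify the result.
# Run in an elevated PowerShell session on the WFE server.
$group     = 'WSS_Admin_WPG'
# Assumption: the DPM folder is under the default Program Files location.
$dpmFolder = Join-Path $env:ProgramFiles 'Microsoft Data Protection Manager\DPM'
$dpmKey    = 'HKLM:\SOFTWARE\Microsoft\Microsoft Data Protection Manager'

function Grant-DpmSharePointAccess {
    # Folder: full control, inherited by subfolders and files (assumed inheritance).
    $folderAcl  = Get-Acl -Path $dpmFolder
    $folderRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $group, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $folderAcl.AddAccessRule($folderRule)
    Set-Acl -Path $dpmFolder -AclObject $folderAcl

    # Registry key: read access only, inherited by subkeys (assumed inheritance).
    $keyAcl  = Get-Acl -Path $dpmKey
    $keyRule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $group, 'ReadKey', 'ContainerInherit', 'None', 'Allow')
    $keyAcl.AddAccessRule($keyRule)
    Set-Acl -Path $dpmKey -AclObject $keyAcl
}

function Test-DpmSharePointAccess {
    $fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $readKey     = [int][System.Security.AccessControl.RegistryRights]::ReadKey

    # Collect the Allow entries that name the group (local groups appear as MACHINE\Name).
    $folderAces = @((Get-Acl -Path $dpmFolder).Access | Where-Object {
        $_.IdentityReference.Value -like "*\$group" -and $_.AccessControlType -eq 'Allow' })
    $keyAces = @((Get-Acl -Path $dpmKey).Access | Where-Object {
        $_.IdentityReference.Value -like "*\$group" -and $_.AccessControlType -eq 'Allow' })

    # Combine the rights granted across all matching entries.
    $folderRights = 0
    foreach ($ace in $folderAces) { $folderRights = $folderRights -bor [int]$ace.FileSystemRights }
    $keyRights = 0
    foreach ($ace in $keyAces) { $keyRights = $keyRights -bor [int]$ace.RegistryRights }

    [pscustomobject]@{
        FolderFullControl   = ($folderRights -band $fullControl) -eq $fullControl
        KeyReadAccess       = ($keyRights -band $readKey) -eq $readKey
        # Anything listed here is more than the read access the article asks for.
        KeyRightsBeyondRead = [System.Security.AccessControl.RegistryRights]($keyRights -band (-bnot $readKey))
    }
}

Grant-DpmSharePointAccess
Test-DpmSharePointAccess | Format-List
```

A non-zero KeyRightsBeyondRead means the group holds more than read access on the DPM registry key, which is worth reviewing before you run ConfigureSharePoint.exe.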

Back up a SharePoint farm by using DPM


After you have configured DPM and the SharePoint farm as explained previously, SharePoint can be protected by
DPM.
To protect a SharePoint farm
1. From the Protection tab of the DPM Administrator Console, click New.
2. On the Select Protection Group Type page of the Create New Protection Group wizard, select Servers,
and then click Next.

3. On the Select Group Members screen, select the check box for the SharePoint server you want to protect
and click Next.
NOTE
With the DPM agent installed, you can see the server in the wizard. DPM also shows its structure. Because you ran
ConfigureSharePoint.exe, DPM communicates with the SharePoint VSS Writer service and its corresponding SQL
Server databases and recognizes the SharePoint farm structure, the associated content databases, and any
corresponding items.

4. On the Select Data Protection Method page, enter the name of the Protection Group, and select your
preferred protection methods. Click Next.
NOTE
The disk protection method helps to meet short recovery-time objectives. Azure is an economical, long-term
protection target compared to tapes. For more information, see Use Azure Backup to replace your tape infrastructure

5. On the Specify Short-Term Goals page, select your preferred Retention range and identify when you
want backups to occur.

NOTE
Because recovery is most often required for data that's less than five days old, we selected a retention range of five
days on disk and ensured that the backup happens during non-production hours, for this example.

6. Review the storage pool disk space allocated for the protection group, and then click Next.
7. For every protection group, DPM allocates disk space to store and manage replicas. At this point, DPM must
create a copy of the selected data. Select how and when you want the replica created, and then click Next.
NOTE
To make sure that network traffic is not affected, select a time outside production hours.

8. DPM ensures data integrity by performing consistency checks on the replica. There are two available
options. You can define a schedule to run consistency checks, or DPM can run consistency checks
automatically on the replica whenever it becomes inconsistent. Select your preferred option, and then click
Next.
9. On the Specify Online Protection Data page, select the SharePoint farm that you want to protect, and
then click Next.
10. On the Specify Online Backup Schedule page, select your preferred schedule, and then click Next.

NOTE
DPM provides a maximum of two daily backups to Azure at different times. Azure Backup can also control the
amount of WAN bandwidth that can be used for backups in peak and off-peak hours by using Azure Backup
Network Throttling.

11. Depending on the backup schedule that you selected, on the Specify Online Retention Policy page, select
the retention policy for daily, weekly, monthly, and yearly backup points.
NOTE
DPM uses a grandfather-father-son retention scheme in which a different retention policy can be chosen for different
backup points.

12. Similar to disk, an initial reference point replica needs to be created in Azure. Select your preferred option to
create an initial backup copy to Azure, and then click Next.
13. Review your selected settings on the Summary page, and then click Create Group. You will see a success
message after the protection group has been created.
Restore a SharePoint item from disk by using DPM
In the following example, the Recovering SharePoint item has been accidentally deleted and needs to be recovered.

1. Open the DPM Administrator Console. All SharePoint farms that are protected by DPM are shown in the
Protection tab.
2. To begin to recover the item, select the Recovery tab.

3. You can search SharePoint for Recovering SharePoint item by using a wildcard-based search within a
recovery point range.
4. Select the appropriate recovery point from the search results, right-click the item, and then select Recover.
5. You can also browse through various recovery points and select a database or item to recover. Select Date
> Recovery time, and then select the correct Database > SharePoint farm > Recovery point > Item.

6. Right-click the item, and then select Recover to open the Recovery Wizard. Click Next.
7. Select the type of recovery that you want to perform, and then click Next.
NOTE
The selection of Recover to original in the example recovers the item to the original SharePoint site.

8. Select the Recovery Process that you want to use.


Select Recover without using a recovery farm if the SharePoint farm has not changed and is the
same as the recovery point that is being restored.
Select Recover using a recovery farm if the SharePoint farm has changed since the recovery point
was created.

9. Provide a staging SQL Server instance location to recover the database temporarily, and provide a staging
file share on the DPM server and the server that's running SharePoint to recover the item.
DPM attaches the content database that is hosting the SharePoint item to the temporary SQL Server
instance. From the content database, the DPM server recovers the item and puts it on the staging file
location on the DPM server. The recovered item that's on the staging location of the DPM server now needs
to be exported to the staging location on the SharePoint farm.
10. Select Specify recovery options, and apply security settings to the SharePoint farm or apply the security
settings of the recovery point. Click Next.
NOTE
You can choose to throttle the network bandwidth usage. This minimizes impact to the production server during
production hours.

11. Review the summary information, and then click Recover to begin recovery of the file.
12. Now select the Monitoring tab in the DPM Administrator Console to view the Status of the recovery.

NOTE
The file is now restored. You can refresh the SharePoint site to check the restored file.
Restore a SharePoint database from Azure by using DPM
1. To recover a SharePoint content database, browse through various recovery points (as shown previously),
and select the recovery point that you want to restore.

2. Double-click the SharePoint recovery point to show the available SharePoint catalog information.

NOTE
Because the SharePoint farm is protected for long-term retention in Azure, no catalog information (metadata) is
available on the DPM server. As a result, whenever a point-in-time SharePoint content database needs to be
recovered, you need to catalog the SharePoint farm again.

3. Click Re-catalog.

The Cloud Recatalog status window opens.


After cataloging is finished, the status changes to Success. Click Close.

4. Click the SharePoint object shown in the DPM Recovery tab to get the content database structure. Right-
click the item, and then click Recover.
5. At this point, follow the recovery steps earlier in this article to recover a SharePoint content database from disk.

FAQs
Q: Which versions of DPM support SQL Server 2014 and SQL 2012 (SP2)?
A: DPM 2012 R2 with Update Rollup 4 supports both.
Q: Can I recover a SharePoint item to the original location if SharePoint is configured by using SQL AlwaysOn (with
protection on disk)?
A: Yes, the item can be recovered to the original SharePoint site.
Q: Can I recover a SharePoint database to the original location if SharePoint is configured by using SQL AlwaysOn?
A: Because SharePoint databases are configured in SQL AlwaysOn, they cannot be modified unless the availability
group is removed. As a result, DPM cannot restore a database to the original location. You can recover a SQL
Server database to another SQL Server instance.

Next steps
Learn more about DPM Protection of SharePoint - see Video Series - DPM Protection of SharePoint
Review Release Notes for System Center 2012 - Data Protection Manager
Review Release Notes for Data Protection Manager in System Center 2012 SP1
Use AzureRM.RecoveryServices.Backup cmdlets to
back up virtual machines
10/13/2017

This article shows you how to use Azure PowerShell cmdlets to back up and recover an Azure virtual machine
(VM) from a Recovery Services vault. A Recovery Services vault is an Azure Resource Manager resource and is
used to protect data and assets in both Azure Backup and Azure Site Recovery services. You can use a Recovery
Services vault to protect Azure Service Manager-deployed VMs, and Azure Resource Manager-deployed VMs.

NOTE
Azure has two deployment models for creating and working with resources: Resource Manager and Classic. This article is for
use with VMs created using the Resource Manager model.

This article walks you through using PowerShell to protect a VM, and restore data from a recovery point.

Concepts
If you are not familiar with the Azure Backup service, for an overview of the service, check out What is Azure
Backup? Before you start, ensure that you cover the essentials about the prerequisites needed to work with Azure
Backup, and the limitations of the current VM backup solution.
To use PowerShell effectively, it is necessary to understand the hierarchy of objects and from where to start.

To view the AzureRm.RecoveryServices.Backup PowerShell cmdlet reference, see the Azure Backup - Recovery
Services Cmdlets in the Azure library.

Setup and Registration


To begin:
1. Download the latest version of PowerShell (the minimum version required is: 1.4.0)
2. Find the Azure Backup PowerShell cmdlets available by typing the following command:
PS C:\> Get-Command *azurermrecoveryservices*

CommandType Name Version Source
----------- ---- ------- ------
Cmdlet Backup-AzureRmRecoveryServicesBackupItem 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Disable-AzureRmRecoveryServicesBackupProtection 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Enable-AzureRmRecoveryServicesBackupProtection 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Get-AzureRmRecoveryServicesBackupContainer 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Get-AzureRmRecoveryServicesBackupItem 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Get-AzureRmRecoveryServicesBackupJob 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Get-AzureRmRecoveryServicesBackupJobDetails 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Get-AzureRmRecoveryServicesBackupManagementServer 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Get-AzureRmRecoveryServicesBackupProperties 1.4.0 AzureRM.RecoveryServices
Cmdlet Get-AzureRmRecoveryServicesBackupProtectionPolicy 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Get-AzureRMRecoveryServicesBackupRecoveryPoint 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Get-AzureRmRecoveryServicesBackupRetentionPolic... 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Get-AzureRmRecoveryServicesBackupSchedulePolicy... 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Get-AzureRmRecoveryServicesVault 1.4.0 AzureRM.RecoveryServices
Cmdlet Get-AzureRmRecoveryServicesVaultSettingsFile 1.4.0 AzureRM.RecoveryServices
Cmdlet New-AzureRmRecoveryServicesBackupProtectionPolicy 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet New-AzureRmRecoveryServicesVault 1.4.0 AzureRM.RecoveryServices
Cmdlet Remove-AzureRmRecoveryServicesProtectionPolicy 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Remove-AzureRmRecoveryServicesVault 1.4.0 AzureRM.RecoveryServices
Cmdlet Restore-AzureRMRecoveryServicesBackupItem 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Set-AzureRmRecoveryServicesBackupProperties 1.4.0 AzureRM.RecoveryServices
Cmdlet Set-AzureRmRecoveryServicesBackupProtectionPolicy 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Set-AzureRmRecoveryServicesVaultContext 1.4.0 AzureRM.RecoveryServices
Cmdlet Stop-AzureRmRecoveryServicesBackupJob 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Unregister-AzureRmRecoveryServicesBackupContainer 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Unregister-AzureRmRecoveryServicesBackupManagem... 1.4.0 AzureRM.RecoveryServices.Backup
Cmdlet Wait-AzureRmRecoveryServicesBackupJob 1.4.0 AzureRM.RecoveryServices.Backup

The following tasks can be automated with PowerShell:


Create a Recovery Services vault
Back up Azure VMs
Trigger a backup job
Monitor a backup job
Restore an Azure VM

Create a recovery services vault


The following steps lead you through creating a Recovery Services vault. A Recovery Services vault is different
than a Backup vault.
1. If you are using Azure Backup for the first time, you must use the Register-AzureRmResourceProvider
cmdlet to register the Azure Recovery Service provider with your subscription.

PS C:\> Register-AzureRmResourceProvider -ProviderNamespace "Microsoft.RecoveryServices"

2. The Recovery Services vault is a Resource Manager resource, so you need to place it within a resource
group. You can use an existing resource group, or create a resource group with the
New-AzureRmResourceGroup cmdlet. When creating a resource group, specify the name and location for the
resource group.

PS C:\> New-AzureRmResourceGroup -Name "test-rg" -Location "West US"

3. Use the New-AzureRmRecoveryServicesVault cmdlet to create the Recovery Services vault. Be sure to
specify the same location for the vault as was used for the resource group.

PS C:\> New-AzureRmRecoveryServicesVault -Name "testvault" -ResourceGroupName "test-rg" -Location "West US"

4. Specify the type of storage redundancy to use; you can use Locally Redundant Storage (LRS) or Geo
Redundant Storage (GRS). The following example shows the -BackupStorageRedundancy option for
testvault is set to GeoRedundant.

PS C:\> $vault1 = Get-AzureRmRecoveryServicesVault -Name "testvault"
PS C:\> Set-AzureRmRecoveryServicesBackupProperties -Vault $vault1 -BackupStorageRedundancy GeoRedundant

TIP
Many Azure Backup cmdlets require the Recovery Services vault object as an input. For this reason, it is convenient
to store the Backup Recovery Services vault object in a variable.

View the vaults in a subscription


Use Get-AzureRmRecoveryServicesVault to view the list of all vaults in the current subscription. You can use
this command to check that a new vault was created, or to see the available vaults in the subscription.
Run the command, Get-AzureRmRecoveryServicesVault, to view all vaults in the subscription. The following
example shows the information displayed for each vault.

PS C:\> Get-AzureRmRecoveryServicesVault
Name : Contoso-vault
ID : /subscriptions/1234
Type : Microsoft.RecoveryServices/vaults
Location : WestUS
ResourceGroupName : Contoso-docs-rg
SubscriptionId : 1234-567f-8910-abc
Properties : Microsoft.Azure.Commands.RecoveryServices.ARSVaultProperties

Back up Azure VMs


Use a Recovery Services vault to protect your virtual machines. Before you apply the protection, set the vault
context (the type of data protected in the vault), and verify the protection policy. The protection policy is the
schedule when the backup jobs run, and how long each backup snapshot is retained.
Set vault context
Before enabling protection on a VM, use Set-AzureRmRecoveryServicesVaultContext to set the vault context.
Once the vault context is set, it applies to all subsequent cmdlets. The following example sets the vault context for
the vault, testvault.

PS C:\> Get-AzureRmRecoveryServicesVault -Name "testvault" | Set-AzureRmRecoveryServicesVaultContext

Create a protection policy


When you create a Recovery Services vault, it comes with default protection and retention policies. The default
protection policy triggers a backup job each day at a specified time. The default retention policy retains the daily
recovery point for 30 days. You can use the default policy to quickly protect your VM and edit the policy later with
different details.
Use Get-AzureRmRecoveryServicesBackupProtectionPolicy to view the protection policies in the vault. You
can use this cmdlet to get a specific policy, or to view the policies associated with a workload type. The following
example gets policies for workload type, AzureVM.

PS C:\> Get-AzureRmRecoveryServicesBackupProtectionPolicy -WorkloadType "AzureVM"


Name WorkloadType BackupManagementType BackupTime DaysOfWeek
---- ------------ -------------------- ---------- ----------
DefaultPolicy AzureVM AzureVM 4/14/2016 5:00:00 PM

NOTE
The timezone of the BackupTime field in PowerShell is UTC. However, when the backup time is shown in the Azure portal,
the time is adjusted to your local timezone.

A backup protection policy is associated with at least one retention policy. Retention policy defines how long a
recovery point is kept before it is deleted. Use Get-AzureRmRecoveryServicesBackupRetentionPolicyObject
to view the default retention policy. Similarly you can use
Get-AzureRmRecoveryServicesBackupSchedulePolicyObject to obtain the default schedule policy. The
New-AzureRmRecoveryServicesBackupProtectionPolicy cmdlet creates a PowerShell object that holds backup
policy information. The schedule and retention policy objects are used as inputs to the
New-AzureRmRecoveryServicesBackupProtectionPolicy cmdlet. The following example stores the schedule policy
and the retention policy in variables. The example uses those variables to define the parameters when creating a
protection policy, NewPolicy.

PS C:\> $schPol = Get-AzureRmRecoveryServicesBackupSchedulePolicyObject -WorkloadType "AzureVM"


PS C:\> $retPol = Get-AzureRmRecoveryServicesBackupRetentionPolicyObject -WorkloadType "AzureVM"
PS C:\> New-AzureRmRecoveryServicesBackupProtectionPolicy -Name "NewPolicy" -WorkloadType "AzureVM" -RetentionPolicy $retPol -SchedulePolicy $schPol
Name WorkloadType BackupManagementType BackupTime DaysOfWeek
---- ------------ -------------------- ---------- ----------
NewPolicy AzureVM AzureVM 4/24/2016 1:30:00 AM

Enable protection
Once you have defined the backup protection policy, you still must enable the policy for an item. Use
Enable-AzureRmRecoveryServicesBackupProtection to enable protection. Enabling protection requires two
objects - the item and the policy. Once the policy has been associated with the vault, the backup workflow is
triggered at the time defined in the policy schedule.
The following example enables protection for the item, V2VM, using the policy, NewPolicy. To enable the
protection on non-encrypted Resource Manager VMs:

PS C:\> $pol=Get-AzureRmRecoveryServicesBackupProtectionPolicy -Name "NewPolicy"


PS C:\> Enable-AzureRmRecoveryServicesBackupProtection -Policy $pol -Name "V2VM" -ResourceGroupName "RGName1"

To enable the protection on encrypted VMs (encrypted using BEK and KEK), you need to give the Azure Backup
service permission to read keys and secrets from key vault.
PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName "KeyVaultName" -ResourceGroupName "RGNameOfKeyVault" -PermissionsToKeys backup,get,list -PermissionsToSecrets get,list -ServicePrincipalName 262044b1-e2ce-469f-a196-69ab7ada62d3
PS C:\> $pol=Get-AzureRmRecoveryServicesBackupProtectionPolicy -Name "NewPolicy"
PS C:\> Enable-AzureRmRecoveryServicesBackupProtection -Policy $pol -Name "V2VM" -ResourceGroupName "RGName1"

To enable the protection on encrypted VMs (encrypted using BEK only), you need to give the Azure Backup service
permission to read secrets from key vault.

PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName "KeyVaultName" -ResourceGroupName "RGNameOfKeyVault" -PermissionsToSecrets backup,get,list -ServicePrincipalName 262044b1-e2ce-469f-a196-69ab7ada62d3
PS C:\> $pol=Get-AzureRmRecoveryServicesBackupProtectionPolicy -Name "NewPolicy"
PS C:\> Enable-AzureRmRecoveryServicesBackupProtection -Policy $pol -Name "V2VM" -ResourceGroupName "RGName1"

NOTE
If you are using the Azure Government cloud, then use the value ff281ffe-705c-4f53-9f37-a40e6f2c68f3 for the parameter
-ServicePrincipalName in Set-AzureRmKeyVaultAccessPolicy cmdlet.
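
The access policies above give the Azure Backup service standing read access to disk-encryption keys and secrets, so it is worth checking that the entry holds exactly the permissions listed and nothing more. The following is an added example, not part of the original article or Microsoft's code: the function names and the sample policy entry are hypothetical, and the entry is assumed to have the PermissionsToKeys and PermissionsToSecrets properties that Key Vault access-policy objects expose.

```powershell
# Added example, not Microsoft's code. The expected sets are the permissions granted by
# the Set-AzureRmKeyVaultAccessPolicy commands in this section.
$ExpectedBackupPermissions = @{
    BekAndKek = @{ KeyPerms = @('backup', 'get', 'list'); SecretPerms = @('get', 'list') }
    BekOnly   = @{ KeyPerms = @();                        SecretPerms = @('backup', 'get', 'list') }
}

# Case-insensitive set comparison: what is missing and what is granted beyond the expected set.
function Compare-PermissionSet {
    param([string[]]$Granted, [string[]]$Expected)
    $g = @($Granted  | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() })
    $e = @($Expected | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() })
    [pscustomobject]@{
        Missing = @($e | Where-Object { $g -notcontains $_ })
        Excess  = @($g | Where-Object { $e -notcontains $_ })
    }
}

# Hypothetical helper: audits one access-policy entry against the set this article grants.
function Test-BackupKeyVaultPolicy {
    param(
        [Parameter(Mandatory = $true)] $AccessPolicy,
        [Parameter(Mandatory = $true)] [ValidateSet('BekOnly', 'BekAndKek')] [string]$EncryptionMode
    )
    $expected = $ExpectedBackupPermissions[$EncryptionMode]
    $keys     = Compare-PermissionSet -Granted $AccessPolicy.PermissionsToKeys    -Expected $expected.KeyPerms
    $secrets  = Compare-PermissionSet -Granted $AccessPolicy.PermissionsToSecrets -Expected $expected.SecretPerms
    $deviations = $keys.Missing.Count + $keys.Excess.Count + $secrets.Missing.Count + $secrets.Excess.Count
    [pscustomobject]@{
        EncryptionMode = $EncryptionMode
        MissingKeys    = $keys.Missing      # backup of the encrypted VM will fail without these
        ExcessKeys     = $keys.Excess       # more than the service needs; candidates for removal
        MissingSecrets = $secrets.Missing
        ExcessSecrets  = $secrets.Excess
        Compliant      = ($deviations -eq 0)
    }
}

# Constructed sample entry. Assumption: on a live subscription the entry would be taken from
# (Get-AzureRmKeyVault -VaultName "KeyVaultName").AccessPolicies, filtered to the object ID
# of the Backup service principal.
$samplePolicy = [pscustomobject]@{
    DisplayName          = 'Backup service (constructed sample entry)'
    PermissionsToKeys    = @('Backup', 'Get', 'List', 'Delete')
    PermissionsToSecrets = @('Get')
}

Test-BackupKeyVaultPolicy -AccessPolicy $samplePolicy -EncryptionMode BekAndKek | Format-List
```

For the sample entry, the report flags an excess key permission and a missing secret permission, so Compliant is False.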

For classic VMs

PS C:\> $pol=Get-AzureRmRecoveryServicesBackupProtectionPolicy -Name "NewPolicy"


PS C:\> Enable-AzureRmRecoveryServicesBackupProtection -Policy $pol -Name "V1VM" -ServiceName "ServiceName1"

Modify a protection policy


To modify the protection policy, use Set-AzureRmRecoveryServicesBackupProtectionPolicy to modify the
SchedulePolicy or RetentionPolicy objects.
The following example changes the recovery point retention to 365 days.

PS C:\> $retPol = Get-AzureRmRecoveryServicesBackupRetentionPolicyObject -WorkloadType "AzureVM"


PS C:\> $retPol.DailySchedule.DurationCountInDays = 365
PS C:\> $pol= Get-AzureRmRecoveryServicesBackupProtectionPolicy -Name "NewPolicy"
PS C:\> Set-AzureRmRecoveryServicesBackupProtectionPolicy -Policy $pol -RetentionPolicy $RetPol

Trigger a backup
You can use Backup-AzureRmRecoveryServicesBackupItem to trigger a backup job. If it is the initial backup, it
is a full backup. Subsequent backups take an incremental copy. Be sure to use
Set-AzureRmRecoveryServicesVaultContext to set the vault context before triggering the backup job. The
following example assumes vault context was set.

PS C:\> $namedContainer = Get-AzureRmRecoveryServicesBackupContainer -ContainerType "AzureVM" -Status "Registered" -FriendlyName "V2VM"
PS C:\> $item = Get-AzureRmRecoveryServicesBackupItem -Container $namedContainer -WorkloadType "AzureVM"
PS C:\> $job = Backup-AzureRmRecoveryServicesBackupItem -Item $item
WorkloadName     Operation     Status         StartTime                 EndTime     JobID
------------     ---------     ------         ---------                 -------     ----------
V2VM             Backup        InProgress     4/23/2016 5:00:30 PM                  cf4b3ef5-2fac-4c8e-a215-d2eba4124f27

NOTE
The timezone of the StartTime and EndTime fields in PowerShell is UTC. However, when the time is shown in the Azure
portal, the time is adjusted to your local timezone.

Monitoring a backup job


You can monitor long-running operations, such as backup jobs, without using the Azure portal. To get the status
of an in-progress job, use the Get-AzureRmRecoveryservicesBackupJob cmdlet. This cmdlet gets the backup
jobs for a specific vault, and that vault is specified in the vault context. The following example gets the status of an
in-progress job as an array, and stores the status in the $joblist variable.

PS C:\> $joblist = Get-AzureRmRecoveryservicesBackupJob -Status "InProgress"
PS C:\> $joblist[0]
WorkloadName     Operation     Status         StartTime                 EndTime     JobID
------------     ---------     ------         ---------                 -------     ----------
V2VM             Backup        InProgress     4/23/2016 5:00:30 PM                  cf4b3ef5-2fac-4c8e-a215-d2eba4124f27

Instead of polling these jobs for completion - which is unnecessary additional code - use the
Wait-AzureRmRecoveryServicesBackupJob cmdlet. This cmdlet pauses the execution until either the job completes
or the specified timeout value is reached.

PS C:\> Wait-AzureRmRecoveryServicesBackupJob -Job $joblist[0] -Timeout 43200

Restore an Azure VM
There is a key difference between restoring a VM using the Azure portal and restoring a VM using PowerShell.
With PowerShell, the restore operation is complete once the disks and configuration information from the
recovery point are created.

NOTE
The restore operation does not create a virtual machine.

To create a virtual machine from disk, see the section, Create a VM from restored disks. The basic steps to restore
an Azure VM are:
Select the VM
Choose a recovery point
Restore the disks
Create a VM from restored disks
The following graphic shows the object hierarchy from the RecoveryServicesVault down to the
BackupRecoveryPoint.
To restore backup data, identify the backed-up item and the recovery point that holds the point-in-time data. Use
the Restore-AzureRmRecoveryServicesBackupItem cmdlet to restore data from the vault to the customer's
account.
Select the VM
To get the PowerShell object that identifies the right backup item, start from the container in the vault, and work
your way down the object hierarchy. To select the container that represents the VM, use the
Get-AzureRmRecoveryServicesBackupContainer cmdlet and pipe that to the
Get-AzureRmRecoveryServicesBackupItem cmdlet.

PS C:\> $namedContainer = Get-AzureRmRecoveryServicesBackupContainer -ContainerType "AzureVM" -Status "Registered" -FriendlyName "V2VM"
PS C:\> $backupitem = Get-AzureRmRecoveryServicesBackupItem -Container $namedContainer -WorkloadType "AzureVM"

Choose a recovery point


Use the Get-AzureRmRecoveryServicesBackupRecoveryPoint cmdlet to list all recovery points for the backup
item. Then choose the recovery point to restore. If you are unsure which recovery point to use, it is a good practice
to choose the most recent RecoveryPointType = AppConsistent point in the list.
In the following script, the variable, $rp, is an array of recovery points for the selected backup item, from the past
seven days. The array is sorted in reverse order of time with the latest recovery point at index 0. Use standard
PowerShell array indexing to pick the recovery point. In the example, $rp[0] selects the latest recovery point.

PS C:\> $startDate = (Get-Date).AddDays(-7)


PS C:\> $endDate = Get-Date
PS C:\> $rp = Get-AzureRmRecoveryServicesBackupRecoveryPoint -Item $backupitem -StartDate $startdate.ToUniversalTime() -EndDate $enddate.ToUniversalTime()
PS C:\> $rp[0]
RecoveryPointAdditionalInfo :
SourceVMStorageType : NormalStorage
Name : 15260861925810
ItemName : VM;iaasvmcontainer;RGName1;V2VM
RecoveryPointId : /subscriptions/XX/resourceGroups/RGName1/providers/Microsoft.RecoveryServices/vaults/testvault/backupFabrics/Azure/protectionContainers/IaasVMContainer;iaasvmcontainer;RGName1;V2VM/protectedItems/VM;iaasvmcontainer;RGName1;V2VM/recoveryPoints/15260861925810
RecoveryPointType : AppConsistent
RecoveryPointTime : 4/23/2016 5:02:04 PM
WorkloadType : AzureVM
ContainerName : IaasVMContainer;iaasvmcontainer;RGName1;V2VM
ContainerType : AzureVM
BackupManagementType : AzureVM

Restore the disks


Use the Restore-AzureRmRecoveryServicesBackupItem cmdlet to restore a backup item's data and
configuration to a recovery point. Once you have identified a recovery point, use it as the value for the
-RecoveryPoint parameter. In the previous sample code, $rp[0] was the recovery point to use. In the following
sample code, $rp[0] is the recovery point to use for restoring the disk.
To restore the disks and configuration information:
PS C:\> $restorejob = Restore-AzureRmRecoveryServicesBackupItem -RecoveryPoint $rp[0] -StorageAccountName "DestAccount" -StorageAccountResourceGroupName "DestRG"
PS C:\> $restorejob
WorkloadName     Operation     Status         StartTime                 EndTime     JobID
------------     ---------     ------         ---------                 -------     ----------
V2VM             Restore       InProgress     4/23/2016 5:00:30 PM                  cf4b3ef5-2fac-4c8e-a215-d2eba4124f27

Use the Wait-AzureRmRecoveryServicesBackupJob cmdlet to wait for the Restore job to complete.

PS C:\> Wait-AzureRmRecoveryServicesBackupJob -Job $restorejob -Timeout 43200

Once the Restore job has completed, use the Get-AzureRmRecoveryServicesBackupJobDetails cmdlet to get
the details of the restore operation. The JobDetails property has the information needed to rebuild the VM.

PS C:\> $restorejob = Get-AzureRmRecoveryServicesBackupJob -Job $restorejob


PS C:\> $details = Get-AzureRmRecoveryServicesBackupJobDetails -Job $restorejob

Once you restore the disks, go to the next section to create the VM.

Create a VM from restored disks


After you have restored the disks, use these steps to create and configure the virtual machine from disk.

NOTE
To create encrypted VMs from restored disks, your Azure role must have permission to perform the action,
Microsoft.KeyVault/vaults/deploy/action. If your role does not have this permission, create a custom role with this
action. For more information, see Custom Roles in Azure RBAC.

1. Query the restored disk properties for the job details.

PS C:\> $properties = $details.properties


PS C:\> $storageAccountName = $properties["Target Storage Account Name"]
PS C:\> $containerName = $properties["Config Blob Container Name"]
PS C:\> $blobName = $properties["Config Blob Name"]

2. Set the Azure storage context and restore the JSON configuration file.

PS C:\> Set-AzureRmCurrentStorageAccount -Name $storageaccountname -ResourceGroupName "testvault"


PS C:\> $destination_path = "C:\vmconfig.json"
PS C:\> Get-AzureStorageBlobContent -Container $containerName -Blob $blobName -Destination $destination_path
PS C:\> $obj = ((Get-Content -Path $destination_path -Raw -Encoding Unicode)).TrimEnd([char]0x00) | ConvertFrom-Json

3. Use the JSON configuration file to create the VM configuration.

PS C:\> $vm = New-AzureRmVMConfig -VMSize $obj.'properties.hardwareProfile'.vmSize -VMName "testrestore"

4. Attach the OS disk and data disks. Depending on the configuration of your VMs, refer to the relevant
section to view respective cmdlets:
Non-managed, non-encrypted VMs
Use the following sample for non-managed, non-encrypted VMs.

PS C:\> Set-AzureRmVMOSDisk -VM $vm -Name "osdisk" -VhdUri $obj.'properties.StorageProfile'.osDisk.vhd.Uri -CreateOption "Attach"
PS C:\> $vm.StorageProfile.OsDisk.OsType = $obj.'properties.StorageProfile'.OsDisk.OsType
PS C:\> foreach($dd in $obj.'properties.StorageProfile'.DataDisks)
{
    $vm = Add-AzureRmVMDataDisk -VM $vm -Name "datadisk1" -VhdUri $dd.vhd.Uri -DiskSizeInGB 127 -Lun $dd.Lun -CreateOption "Attach"
}

Non-managed, encrypted VMs (BEK only)


For non-managed, encrypted VMs (encrypted using BEK only), you need to restore the secret to the key
vault before you can attach disks. For more information, please see the article, Restore an encrypted virtual
machine from an Azure Backup recovery point. The following sample shows how to attach OS and data
disks for encrypted VMs.

PS C:\> $dekUrl = "https://ContosoKeyVault.vault.azure.net:443/secrets/ContosoSecret007/xx000000xx0849999f3xx30000003163"
PS C:\> $keyVaultId = "/subscriptions/abcdedf007-4xyz-1a2b-0000-12a2b345675c/resourceGroups/ContosoRG108/providers/Microsoft.KeyVault/vaults/ContosoKeyVault"
PS C:\> Set-AzureRmVMOSDisk -VM $vm -Name "osdisk" -VhdUri $obj.'properties.storageProfile'.osDisk.vhd.uri -DiskEncryptionKeyUrl $dekUrl -DiskEncryptionKeyVaultId $keyVaultId -CreateOption "Attach" -Windows
PS C:\> $vm.StorageProfile.OsDisk.OsType = $obj.'properties.storageProfile'.osDisk.osType
PS C:\> foreach($dd in $obj.'properties.storageProfile'.dataDisks)
{
    $vm = Add-AzureRmVMDataDisk -VM $vm -Name "datadisk1" -VhdUri $dd.vhd.Uri -DiskSizeInGB 127 -Lun $dd.Lun -CreateOption "Attach"
}

Non-managed, encrypted VMs (BEK and KEK)


For non-managed, encrypted VMs (encrypted using BEK and KEK), you need to restore the key and secret
to the key vault before you can attach disks. For more information, please see the article, Restore an
encrypted virtual machine from an Azure Backup recovery point. The following sample shows how to
attach OS and data disks for encrypted VMs.

PS C:\> $dekUrl = "https://ContosoKeyVault.vault.azure.net:443/secrets/ContosoSecret007/xx000000xx0849999f3xx30000003163"
PS C:\> $kekUrl = "https://ContosoKeyVault.vault.azure.net:443/keys/ContosoKey007/x9xxx00000x0000x9b9949999xx0x006"
PS C:\> $keyVaultId = "/subscriptions/abcdedf007-4xyz-1a2b-0000-12a2b345675c/resourceGroups/ContosoRG108/providers/Microsoft.KeyVault/vaults/ContosoKeyVault"
PS C:\> Set-AzureRmVMOSDisk -VM $vm -Name "osdisk" -VhdUri $obj.'properties.storageProfile'.osDisk.vhd.uri -DiskEncryptionKeyUrl $dekUrl -DiskEncryptionKeyVaultId $keyVaultId -KeyEncryptionKeyUrl $kekUrl -KeyEncryptionKeyVaultId $keyVaultId -CreateOption "Attach" -Windows
PS C:\> $vm.StorageProfile.OsDisk.OsType = $obj.'properties.storageProfile'.osDisk.osType
PS C:\> foreach($dd in $obj.'properties.storageProfile'.dataDisks)
{
    $vm = Add-AzureRmVMDataDisk -VM $vm -Name "datadisk1" -VhdUri $dd.vhd.Uri -DiskSizeInGB 127 -Lun $dd.Lun -CreateOption "Attach"
}

Managed, non-encrypted VMs


For managed non-encrypted VMs, you'll need to create managed disks from blob storage, and then attach
the disks. For in-depth information, see the article, Attach a data disk to a Windows VM using PowerShell.
The following sample code shows how to attach the data disks for managed non-encrypted VMs.

PS C:\> $storageType = "StandardLRS"
PS C:\> $osDiskName = $vm.Name + "_osdisk"
PS C:\> $osVhdUri = $obj.'properties.storageProfile'.osDisk.vhd.uri
PS C:\> $diskConfig = New-AzureRmDiskConfig -AccountType $storageType -Location "West US" -CreateOption Import -SourceUri $osVhdUri
PS C:\> $osDisk = New-AzureRmDisk -DiskName $osDiskName -Disk $diskConfig -ResourceGroupName "test"
PS C:\> Set-AzureRmVMOSDisk -VM $vm -ManagedDiskId $osDisk.Id -CreateOption "Attach" -Windows
PS C:\> foreach($dd in $obj.'properties.storageProfile'.dataDisks)
{
    $dataDiskName = $vm.Name + $dd.name
    $dataVhdUri = $dd.vhd.uri
    $dataDiskConfig = New-AzureRmDiskConfig -AccountType $storageType -Location "West US" -CreateOption Import -SourceUri $dataVhdUri
    $dataDisk2 = New-AzureRmDisk -DiskName $dataDiskName -Disk $dataDiskConfig -ResourceGroupName "test"
    Add-AzureRmVMDataDisk -VM $vm -Name $dataDiskName -ManagedDiskId $dataDisk2.Id -Lun $dd.Lun -CreateOption "Attach"
}

Managed, encrypted VMs (BEK only)


For managed encrypted VMs (encrypted using BEK only), you'll need to create managed disks from blob
storage, and then attach the disks. For in-depth information, see the article, Attach a data disk to a
Windows VM using PowerShell. The following sample code shows how to attach the data disks for
managed encrypted VMs.

PS C:\> $dekUrl = "https://ContosoKeyVault.vault.azure.net:443/secrets/ContosoSecret007/xx000000xx0849999f3xx30000003163"
PS C:\> $keyVaultId = "/subscriptions/abcdedf007-4xyz-1a2b-0000-12a2b345675c/resourceGroups/ContosoRG108/providers/Microsoft.KeyVault/vaults/ContosoKeyVault"
PS C:\> $storageType = "StandardLRS"
PS C:\> $osDiskName = $vm.Name + "_osdisk"
PS C:\> $osVhdUri = $obj.'properties.storageProfile'.osDisk.vhd.uri
PS C:\> $diskConfig = New-AzureRmDiskConfig -AccountType $storageType -Location "West US" -CreateOption Import -SourceUri $osVhdUri
PS C:\> $osDisk = New-AzureRmDisk -DiskName $osDiskName -Disk $diskConfig -ResourceGroupName "test"
PS C:\> Set-AzureRmVMOSDisk -VM $vm -ManagedDiskId $osDisk.Id -DiskEncryptionKeyUrl $dekUrl -DiskEncryptionKeyVaultId $keyVaultId -CreateOption "Attach" -Windows
PS C:\> foreach($dd in $obj.'properties.storageProfile'.dataDisks)
{
    $dataDiskName = $vm.Name + $dd.name
    $dataVhdUri = $dd.vhd.uri
    $dataDiskConfig = New-AzureRmDiskConfig -AccountType $storageType -Location "West US" -CreateOption Import -SourceUri $dataVhdUri
    $dataDisk2 = New-AzureRmDisk -DiskName $dataDiskName -Disk $dataDiskConfig -ResourceGroupName "test"
    Add-AzureRmVMDataDisk -VM $vm -Name $dataDiskName -ManagedDiskId $dataDisk2.Id -Lun $dd.Lun -CreateOption "Attach"
}

Managed, encrypted VMs (BEK and KEK)


For managed encrypted VMs (encrypted using BEK and KEK), you'll need to create managed disks from
blob storage, and then attach the disks. For in-depth information, see the article, Attach a data disk to a
Windows VM using PowerShell. The following sample code shows how to attach the data disks for
managed encrypted VMs.
PS C:\> $dekUrl = "https://ContosoKeyVault.vault.azure.net:443/secrets/ContosoSecret007/xx000000xx0849999f3xx30000003163"
PS C:\> $kekUrl = "https://ContosoKeyVault.vault.azure.net:443/keys/ContosoKey007/x9xxx00000x0000x9b9949999xx0x006"
PS C:\> $keyVaultId = "/subscriptions/abcdedf007-4xyz-1a2b-0000-12a2b345675c/resourceGroups/ContosoRG108/providers/Microsoft.KeyVault/vaults/ContosoKeyVault"
PS C:\> $storageType = "StandardLRS"
PS C:\> $osDiskName = $vm.Name + "_osdisk"
PS C:\> $osVhdUri = $obj.'properties.storageProfile'.osDisk.vhd.uri
PS C:\> $diskConfig = New-AzureRmDiskConfig -AccountType $storageType -Location "West US" -CreateOption Import -SourceUri $osVhdUri
PS C:\> $osDisk = New-AzureRmDisk -DiskName $osDiskName -Disk $diskConfig -ResourceGroupName "test"
PS C:\> Set-AzureRmVMOSDisk -VM $vm -ManagedDiskId $osDisk.Id -DiskEncryptionKeyUrl $dekUrl -DiskEncryptionKeyVaultId $keyVaultId -KeyEncryptionKeyUrl $kekUrl -KeyEncryptionKeyVaultId $keyVaultId -CreateOption "Attach" -Windows
PS C:\> foreach($dd in $obj.'properties.storageProfile'.dataDisks)
{
    $dataDiskName = $vm.Name + $dd.name
    $dataVhdUri = $dd.vhd.uri
    $dataDiskConfig = New-AzureRmDiskConfig -AccountType $storageType -Location "West US" -CreateOption Import -SourceUri $dataVhdUri
    $dataDisk2 = New-AzureRmDisk -DiskName $dataDiskName -Disk $dataDiskConfig -ResourceGroupName "test"
    Add-AzureRmVMDataDisk -VM $vm -Name $dataDiskName -ManagedDiskId $dataDisk2.Id -Lun $dd.Lun -CreateOption "Attach"
}

5. Set the Network settings.

PS C:\> $nicName="p1234"
PS C:\> $pip = New-AzureRmPublicIpAddress -Name $nicName -ResourceGroupName "test" -Location "WestUS" -AllocationMethod Dynamic
PS C:\> $vnet = Get-AzureRmVirtualNetwork -Name "testvNET" -ResourceGroupName "test"
PS C:\> $subnetindex = 0   # index into $vnet.Subnets; set it to the subnet the NIC should join
PS C:\> $nic = New-AzureRmNetworkInterface -Name $nicName -ResourceGroupName "test" -Location "WestUS" -SubnetId $vnet.Subnets[$subnetindex].Id -PublicIpAddressId $pip.Id
PS C:\> $vm=Add-AzureRmVMNetworkInterface -VM $vm -Id $nic.Id

6. Create the virtual machine.

PS C:\> New-AzureRmVM -ResourceGroupName "test" -Location "WestUS" -VM $vm

Next steps
If you prefer to use PowerShell to engage with your Azure resources, see the PowerShell article, Deploy and
Manage Backup for Windows Server. If you manage DPM backups, see the article, Deploy and Manage Backup for
DPM. Both of these articles have a version for Resource Manager deployments and Classic deployments.
Use AzureRM.Backup cmdlets to back up virtual machines
8/2/2017

This article shows you how to use Azure PowerShell for backup and recovery of Azure VMs. Azure has two
different deployment models for creating and working with resources: Resource Manager and Classic. This article
covers using the Classic deployment model to back up data to a Backup vault. If you have not created a Backup
vault in your subscription, see the Resource Manager version of this article, Use AzureRM.RecoveryServices.Backup
cmdlets to back up virtual machines. Microsoft recommends that most new deployments use the Resource
Manager model.

IMPORTANT
You can now upgrade your Backup vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to a
Recovery Services vault. Microsoft encourages you to upgrade your Backup vaults to Recovery Services vaults.
After October 15, 2017, you can't use PowerShell to create Backup vaults. By November 1, 2017:
All remaining Backup vaults will be automatically upgraded to Recovery Services vaults.
You won't be able to access your backup data in the classic portal. Instead, use the Azure portal to access your backup
data in Recovery Services vaults.

Concepts
This article provides information specific to the PowerShell cmdlets used to back up virtual machines. For
introductory information about protecting Azure VMs, please see Plan your VM backup infrastructure in Azure.

NOTE
Before you start, read the prerequisites required to work with Azure Backup, and the limitations of the current VM backup
solution.

To use PowerShell effectively, take a moment to understand the hierarchy of objects and from where to start.
The two most important flows are enabling protection for a VM, and restoring data from a recovery point. The
focus of this article is to help you become adept at working with the PowerShell cmdlets to enable these two
scenarios.

Setup and Registration


To begin:
1. Download the latest PowerShell (minimum version required: 1.0.0)
2. Find the Azure Backup PowerShell cmdlets available by typing the following command:

PS C:\> Get-Command *azurermbackup*

CommandType Name Version Source
----------- ---- ------- ------
Cmdlet Backup-AzureRmBackupItem 1.0.1 AzureRM.Backup
Cmdlet Disable-AzureRmBackupProtection 1.0.1 AzureRM.Backup
Cmdlet Enable-AzureRmBackupContainerReregistration 1.0.1 AzureRM.Backup
Cmdlet Enable-AzureRmBackupProtection 1.0.1 AzureRM.Backup
Cmdlet Get-AzureRmBackupContainer 1.0.1 AzureRM.Backup
Cmdlet Get-AzureRmBackupItem 1.0.1 AzureRM.Backup
Cmdlet Get-AzureRmBackupJob 1.0.1 AzureRM.Backup
Cmdlet Get-AzureRmBackupJobDetails 1.0.1 AzureRM.Backup
Cmdlet Get-AzureRmBackupProtectionPolicy 1.0.1 AzureRM.Backup
Cmdlet Get-AzureRmBackupRecoveryPoint 1.0.1 AzureRM.Backup
Cmdlet Get-AzureRmBackupVault 1.0.1 AzureRM.Backup
Cmdlet Get-AzureRmBackupVaultCredentials 1.0.1 AzureRM.Backup
Cmdlet New-AzureRmBackupProtectionPolicy 1.0.1 AzureRM.Backup
Cmdlet New-AzureRmBackupRetentionPolicyObject 1.0.1 AzureRM.Backup
Cmdlet New-AzureRmBackupVault 1.0.1 AzureRM.Backup
Cmdlet Register-AzureRmBackupContainer 1.0.1 AzureRM.Backup
Cmdlet Remove-AzureRmBackupProtectionPolicy 1.0.1 AzureRM.Backup
Cmdlet Remove-AzureRmBackupVault 1.0.1 AzureRM.Backup
Cmdlet Restore-AzureRmBackupItem 1.0.1 AzureRM.Backup
Cmdlet Set-AzureRmBackupProtectionPolicy 1.0.1 AzureRM.Backup
Cmdlet Set-AzureRmBackupVault 1.0.1 AzureRM.Backup
Cmdlet Stop-AzureRmBackupJob 1.0.1 AzureRM.Backup
Cmdlet Unregister-AzureRmBackupContainer 1.0.1 AzureRM.Backup
Cmdlet Wait-AzureRmBackupJob 1.0.1 AzureRM.Backup

The following setup and registration tasks can be automated with PowerShell:
Create a backup vault
Registering the VMs with the Azure Backup service
Create a backup vault

WARNING
For customers using Azure Backup for the first time, you need to register the Azure Backup provider to be used with your
subscription. This can be done by running the following command: Register-AzureRmResourceProvider -ProviderNamespace
"Microsoft.Backup"

You can create a new backup vault using the New-AzureRmBackupVault cmdlet. The backup vault is an ARM
resource, so you need to place it within a Resource Group. In an elevated Azure PowerShell console, run the
following commands:

PS C:\> New-AzureRmResourceGroup -Name "test-rg" -Location "West US"
PS C:\> $backupvault = New-AzureRmBackupVault -ResourceGroupName "test-rg" -Name "test-vault" -Region "West US" -Storage GeoRedundant

You can get a list of all the backup vaults in a given subscription using the Get-AzureRmBackupVault cmdlet.

NOTE
It is convenient to store the backup vault object into a variable. The vault object is needed as an input for many Azure
Backup cmdlets.

Registering the VMs


The first step towards configuring backup with Azure Backup is to register your machine or VM with an Azure
Backup vault. The Register-AzureRmBackupContainer cmdlet takes the input information of an Azure IaaS
virtual machine and registers it with the specified vault. The register operation associates the Azure virtual machine
with the backup vault and tracks the VM through the backup lifecycle.
Registering your VM with the Azure Backup service creates a top-level container object. A container typically
contains multiple items that can be backed up, but in the case of VMs there will be only one backup item for the
container.

PS C:\> $registerjob = Register-AzureRmBackupContainer -Vault $backupvault -Name "testvm" -ServiceName "testvm"

Backup Azure VMs


Create a protection policy
It is not mandatory to create a new protection policy to start backup of your VMs. The vault comes with a 'Default
Policy' that can be used to quickly enable protection, and then edited later with the right details. You can get a list
of the policies available in the vault by using the Get-AzureRmBackupProtectionPolicy cmdlet:

PS C:\> Get-AzureRmBackupProtectionPolicy -Vault $backupvault

Name              Type        ScheduleType     BackupTime
----              ----        ------------     ----------
DefaultPolicy     AzureVM     Daily            26-Aug-15 12:30:00 AM

NOTE
The timezone of the BackupTime field in PowerShell is UTC. However, when the backup time is shown in the Azure portal, the
timezone is aligned to your local system along with the UTC offset.

A backup policy is associated with at least one retention policy. The retention policy defines how long a recovery
point is kept with Azure Backup. The New-AzureRmBackupRetentionPolicyObject cmdlet creates PowerShell objects
that hold retention policy information. These retention policy objects are used as inputs to the
New-AzureRmBackupProtectionPolicy cmdlet, or directly with the Enable-AzureRmBackupProtection cmdlet.
A backup policy defines when and how often the backup of an item is done. The
New-AzureRmBackupProtectionPolicy cmdlet creates a PowerShell object that holds backup policy information. The
backup policy is used as an input to the Enable-AzureRmBackupProtection cmdlet.

PS C:\> $Daily = New-AzureRmBackupRetentionPolicyObject -DailyRetention -Retention 30


PS C:\> $newpolicy = New-AzureRmBackupProtectionPolicy -Name DailyBackup01 -Type AzureVM -Daily -BackupTime ([datetime]"3:30 PM") -RetentionPolicy $Daily -Vault $backupvault

Name              Type        ScheduleType     BackupTime
----              ----        ------------     ----------
DailyBackup01     AzureVM     Daily            01-Sep-15 3:30:00 PM

Enable protection
Enabling protection involves two objects - the Item and the Policy, and both need to belong to the same vault. Once
the policy has been associated with the item, the backup workflow will kick in at the defined schedule.

PS C:\> Get-AzureRmBackupContainer -Type AzureVM -Status Registered -Vault $backupvault | Get-AzureRmBackupItem | Enable-AzureRmBackupProtection -Policy $newpolicy

Initial backup
The backup schedule will take care of doing the full initial copy for the item and the incremental copy for the
subsequent backups. However, if you want to force the initial backup to happen at a certain time or even
immediately then use the Backup-AzureRmBackupItem cmdlet:

PS C:\> $container = Get-AzureRmBackupContainer -Vault $backupvault -Type AzureVM -Name "testvm"


PS C:\> $backupjob = Get-AzureRmBackupItem -Container $container | Backup-AzureRmBackupItem
PS C:\> $backupjob

WorkloadName     Operation     Status         StartTime                 EndTime
------------     ---------     ------         ---------                 -------
testvm           Backup        InProgress     01-Sep-15 12:24:01 PM     01-Jan-01 12:00:00 AM

NOTE
The timezone of the StartTime and EndTime fields shown in PowerShell is UTC. However, when the similar information is
shown in the Azure portal, the timezone is aligned to your local system clock.

Monitoring a backup job


Most long-running operations in Azure Backup are modelled as a job. This makes it easy to track progress without
having to keep the Azure portal open at all times.
To get the latest status of an in-progress job, use the Get-AzureRmBackupJob cmdlet.
PS C:\> $joblist = Get-AzureRmBackupJob -Vault $backupvault -Status InProgress
PS C:\> $joblist[0]

WorkloadName     Operation     Status         StartTime                 EndTime
------------     ---------     ------         ---------                 -------
testvm           Backup        InProgress     01-Sep-15 12:24:01 PM     01-Jan-01 12:00:00 AM

Instead of polling these jobs for completion - which is unnecessary, additional code - it is simpler to use the
Wait-AzureRmBackupJob cmdlet. When used in a script, the cmdlet will pause the execution until either the job
completes or the specified timeout value is reached.

PS C:\> Wait-AzureRmBackupJob -Job $joblist[0] -Timeout 43200

Restore an Azure VM
In order to restore backup data, you need to identify the backed-up Item and the Recovery Point that holds the
point-in-time data. This information is supplied to the Restore-AzureRmBackupItem cmdlet to initiate a restore of
data from the vault to the customer's account.
Select the VM
To get the PowerShell object that identifies the right backup Item, you need to start from the Container in the vault,
and work your way down the object hierarchy. To select the container that represents the VM, use the
Get-AzureRmBackupContainer cmdlet and pipe that to the Get-AzureRmBackupItem cmdlet.

PS C:\> $backupitem = Get-AzureRmBackupContainer -Vault $backupvault -Type AzureVM -name "testvm" | Get-AzureRmBackupItem

Choose a recovery point


You can now list all the recovery points for the backup item using the Get-AzureRmBackupRecoveryPoint
cmdlet, and choose the recovery point to restore. Typically users pick the most recent AppConsistent point in the
list.

PS C:\> $rp = Get-AzureRmBackupRecoveryPoint -Item $backupitem


PS C:\> $rp

RecoveryPointId     RecoveryPointType     RecoveryPointTime         ContainerName
---------------     -----------------     -----------------         -------------
15273496567119      AppConsistent         01-Sep-15 12:27:38 PM     iaasvmcontainer;testvm;testv...

The variable $rp is an array of recovery points for the selected backup item, sorted in reverse order of time - the
latest recovery point is at index 0. Use standard PowerShell array indexing to pick the recovery point. For example:
$rp[0] will select the latest recovery point.
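
Both this section and the Resource Manager section earlier recommend the most recent AppConsistent recovery point, yet $rp[0] is simply the newest point of any type. The following is an added example, not part of the original article: the function name is hypothetical, the sample recovery points are constructed, and it assumes only the RecoveryPointType and RecoveryPointTime properties shown in the outputs above.

```powershell
# Added example, not Microsoft's code: pick the newest recovery point of the preferred
# consistency type, and fall back to the newest point of any type with a warning.
function Select-RestoreRecoveryPoint {
    param(
        [object[]]$RecoveryPoint,
        [string]$PreferredType = 'AppConsistent'
    )

    $points = @($RecoveryPoint | Where-Object { $_ })
    if ($points.Count -eq 0) {
        throw 'No recovery points were returned for the backup item.'
    }

    # Do not rely on the order the cmdlet returned; sort explicitly, newest first.
    $newestFirst = @($points | Sort-Object -Property RecoveryPointTime -Descending)

    $preferred = $newestFirst |
        Where-Object { $_.RecoveryPointType -eq $PreferredType } |
        Select-Object -First 1
    if ($preferred) {
        return $preferred
    }

    $fallback = $newestFirst[0]
    Write-Warning ("No {0} recovery point found; falling back to {1} point from {2:u}." -f `
        $PreferredType, $fallback.RecoveryPointType, $fallback.RecoveryPointTime)
    return $fallback
}

# Constructed sample data standing in for the array in $rp. The newest point is not
# application-consistent, so $rp[0] and the selected point differ.
$sampleRp = @(
    [pscustomobject]@{ RecoveryPointId = 'sample-003'; RecoveryPointType = 'CrashConsistent'
                       RecoveryPointTime = [datetime]'2016-04-23 17:02:04' }
    [pscustomobject]@{ RecoveryPointId = 'sample-002'; RecoveryPointType = 'AppConsistent'
                       RecoveryPointTime = [datetime]'2016-04-22 17:01:37' }
    [pscustomobject]@{ RecoveryPointId = 'sample-001'; RecoveryPointType = 'AppConsistent'
                       RecoveryPointTime = [datetime]'2016-04-21 17:00:52' }
)

$chosen = Select-RestoreRecoveryPoint -RecoveryPoint $sampleRp
$chosen | Format-List RecoveryPointId, RecoveryPointType, RecoveryPointTime
```

With real data, pass the array held in $rp and give the returned object to the -RecoveryPoint parameter of the restore cmdlet in place of $rp[0].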

Restoring disks
There is a key difference between the restore operations done through the Azure portal and through Azure
PowerShell. With PowerShell, the restore operation stops at restoring the disks and config information from the
recovery point. It does not create a virtual machine.

WARNING
The Restore-AzureRmBackupItem cmdlet does not create a VM. It only restores the disks to the specified storage account. This is
not the same behavior you will experience in the Azure portal.

PS C:\> $restorejob = Restore-AzureRmBackupItem -StorageAccountName "DestAccount" -RecoveryPoint $rp[0]
PS C:\> $restorejob

WorkloadName    Operation    Status        StartTime               EndTime
------------    ---------    ------        ---------               -------
testvm          Restore      InProgress    01-Sep-15 1:14:01 PM    01-Jan-01 12:00:00 AM

You can get the details of the restore operation using the Get-AzureRmBackupJobDetails cmdlet once the
Restore job has completed. The ErrorDetails property will have the information needed to rebuild the VM.

PS C:\> $restorejob = Get-AzureRmBackupJob -Job $restorejob


PS C:\> $details = Get-AzureRmBackupJobDetails -Job $restorejob
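
The selection and restore steps above, combined into one script as an added example (not part of the original article). It picks the newest AppConsistent recovery point explicitly instead of relying on $rp[0], and fails loudly if the restore does not finish. Assumptions: $backupvault is already set, RecoveryPointTime is a DateTime, and a successful job reports the status "Completed".

```powershell
# Added example, not from the original article.
# Assumes $backupvault holds the vault object; "testvm" and "DestAccount" are the article's sample names.
$backupitem = Get-AzureRmBackupContainer -Vault $backupvault -Type AzureVM -Name "testvm" |
    Get-AzureRmBackupItem

# Wrap in @() so a single recovery point still behaves like an array
$rp = @(Get-AzureRmBackupRecoveryPoint -Item $backupitem)
if ($rp.Count -eq 0) {
    throw "No recovery points found for the selected backup item."
}

# Prefer the newest AppConsistent point; sort explicitly rather than trusting list order
# (assumption: RecoveryPointTime is a DateTime, so the sort is chronological)
$chosen = $rp |
    Where-Object { $_.RecoveryPointType -eq 'AppConsistent' } |
    Sort-Object -Property RecoveryPointTime -Descending |
    Select-Object -First 1

if (-not $chosen) {
    Write-Warning "No AppConsistent recovery point found; using the latest point of any type."
    $chosen = $rp | Sort-Object -Property RecoveryPointTime -Descending | Select-Object -First 1
}

Write-Output ("Restoring recovery point {0} ({1}, {2})" -f `
    $chosen.RecoveryPointId, $chosen.RecoveryPointType, $chosen.RecoveryPointTime)

# Restores disks and config only; no VM is created
$restorejob = Restore-AzureRmBackupItem -StorageAccountName "DestAccount" -RecoveryPoint $chosen

# Block until the job finishes or the timeout used earlier in the article is reached
Wait-AzureRmBackupJob -Job $restorejob -Timeout 43200 | Out-Null

# Refresh the job object and stop if the restore did not complete
# (assumption: a successful job reports the status "Completed")
$restorejob = Get-AzureRmBackupJob -Job $restorejob
if ($restorejob.Status -ne 'Completed') {
    throw "Restore job for $($restorejob.WorkloadName) ended with status '$($restorejob.Status)'."
}

# The job details carry the storage account and config blob names needed to rebuild the VM
$details = Get-AzureRmBackupJobDetails -Job $restorejob
$details.Properties
```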

Build the VM
Building the VM out of the restored disks can be done using the older Azure Service Management PowerShell
cmdlets, the new Azure Resource Manager templates, or even using the Azure portal. In a quick example, we will
show how to get there using the Azure Service Management cmdlets.

# The restore job details describe where the disks and the VM configuration were restored
$properties = $details.Properties

$storageAccountName = $properties["Target Storage Account Name"]
$containerName = $properties["Config Blob Container Name"]
$blobName = $properties["Config Blob Name"]

# Build a storage context for the target storage account
$keys = Get-AzureStorageKey -StorageAccountName $storageAccountName
$storageAccountKey = $keys.Primary
$storageContext = New-AzureStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccountKey

# Download the VM configuration blob to a local file
$destination_path = "C:\Users\admin\Desktop\vmconfig.xml"
Get-AzureStorageBlobContent -Container $containerName -Blob $blobName -Destination $destination_path -Context $storageContext

# Parse the configuration, trimming trailing NUL characters from the file content
$obj = [xml](((Get-Content -Path $destination_path -Encoding UniCode)).TrimEnd([char]0x00))
$pvr = $obj.PersistentVMRole
$os = $pvr.OSVirtualHardDisk
$dds = $pvr.DataVirtualHardDisks

# Register the restored OS disk and create the VM configuration around it
$osDisk = Add-AzureDisk -MediaLocation $os.MediaLink -OS $os.OS -DiskName "panbhaosdisk"
$vm = New-AzureVMConfig -Name $pvr.RoleName -InstanceSize $pvr.RoleSize -DiskName $osDisk.DiskName

# Register and attach each restored data disk, if there are any
if ($null -ne $dds)
{
    foreach ($d in $dds.DataVirtualHardDisk)
    {
        # Default to LUN 0 when the configuration does not specify one
        $lun = 0
        if ($null -ne $d.Lun)
        {
            $lun = $d.Lun
        }
        $name = "panbhadataDisk" + $lun
        Add-AzureDisk -DiskName $name -MediaLocation $d.MediaLink
        $vm | Add-AzureDataDisk -Import -DiskName $name -LUN $lun
    }
}

# Create the VM from the assembled configuration
New-AzureVM -ServiceName "panbhasample" -Location "SouthEast Asia" -VM $vm

For more information on how to build a VM from the restored disks, read about the following cmdlets:
Add-AzureDisk
New-AzureVMConfig
New-AzureVM

Code samples
1. Get the completion status of job sub-tasks
To track the completion status of individual sub-tasks, you can use the Get-AzureRmBackupJobDetails cmdlet:

PS C:\> $details = Get-AzureRmBackupJobDetails -JobId $backupjob.InstanceId -Vault $backupvault


PS C:\> $details.SubTasks

Name Status
---- ------
Take Snapshot Completed
Transfer data to Backup vault InProgress

2. Create a daily/weekly report of backup jobs


Administrators typically want to know what backup jobs ran in the last 24 hours and the status of those backup jobs.
Additionally, the amount of data transferred gives administrators a way to estimate their monthly data usage. The
script below pulls the raw data from the Azure Backup service and displays the information in the PowerShell
console.

param(
    [Parameter(Mandatory=$True,Position=1)]
    [string]$backupvaultname,

    [Parameter(Mandatory=$False,Position=2)]
    [int]$numberofdays = 7)

#Initialize variables
$DAILYBACKUPSTATS = @()
$backupvault = Get-AzureRmBackupVault -Name $backupvaultname
$enddate = ([datetime]::Today).AddDays(1)
$startdate = ([datetime]::Today)

for( $i = 1; $i -le $numberofdays; $i++ )
{
    # We query one day at a time because pulling 7 days of data might be too much
    $dailyjoblist = Get-AzureRmBackupJob -Vault $backupvault -From $startdate -To $enddate -Type AzureVM -Operation Backup
    Write-Progress -Activity "Getting job information for the last $numberofdays days" -Status "Day -$i" -PercentComplete ([int]([decimal]$i*100/$numberofdays))

    foreach( $job in $dailyjoblist )
    {
        #Extract the information for the reports
        $newstatsobj = New-Object System.Object
        $newstatsobj | Add-Member -Type NoteProperty -Name Date -Value $startdate
        $newstatsobj | Add-Member -Type NoteProperty -Name VMName -Value $job.WorkloadName
        $newstatsobj | Add-Member -Type NoteProperty -Name Duration -Value $job.Duration
        $newstatsobj | Add-Member -Type NoteProperty -Name Status -Value $job.Status

        # The backup size is only available from the job details
        $details = Get-AzureRmBackupJobDetails -Job $job
        $newstatsobj | Add-Member -Type NoteProperty -Name BackupSize -Value $details.Properties["Backup Size"]
        $DAILYBACKUPSTATS += $newstatsobj
    }

    # Move the one-day query window back by a day
    $enddate = $enddate.AddDays(-1)
    $startdate = $startdate.AddDays(-1)
}

$DAILYBACKUPSTATS | Out-GridView

If you want to add charting capabilities to this report output, learn from the TechNet blog post Charting with
PowerShell.

Next steps
If you prefer using PowerShell to engage with your Azure resources, check out the PowerShell article for protecting
Windows Server, Deploy and Manage Backup for Windows Server. There is also a PowerShell article for managing
DPM backups, Deploy and Manage Backup for DPM. Both of these articles have a version for Resource Manager
deployments as well as Classic deployments.
Deploy and manage backup to Azure for Data
Protection Manager (DPM) servers using PowerShell
9/29/2017 14 min to read

This article shows you how to use PowerShell to set up Azure Backup on a DPM server, and to manage backup and
recovery.

Setting up the PowerShell environment


IMPORTANT
Before you work with Azure resources, get familiar with the deployment models: Resource Manager, and classic.

Before you can use PowerShell to manage backups from Data Protection Manager to Azure, you need to have the
right environment in PowerShell. At the start of the PowerShell session, ensure that you run the following
command to import the right modules and allow you to correctly reference the DPM cmdlets:

PS C:\> & "C:\Program Files\Microsoft System Center 2012 R2\DPM\DPM\bin\DpmCliInitScript.ps1"

Welcome to the DPM Management Shell!

Full list of cmdlets: Get-Command
Only DPM cmdlets: Get-DPMCommand
Get general help: help
Get help for a cmdlet: help <cmdlet-name> or <cmdlet-name> -?
Get definition of a cmdlet: Get-Command <cmdlet-name> -Syntax
Sample DPM scripts: Get-DPMSampleScript

Setup and Registration


To begin:
1. Download the latest PowerShell (minimum version required is 1.0.0).
2. Enable the Azure Backup commandlets by switching to AzureResourceManager mode by using the
Switch-AzureMode commandlet:

PS C:\> Switch-AzureMode AzureResourceManager

The following setup and registration tasks can be automated with PowerShell:
Create a Recovery Services vault
Installing the Azure Backup agent
Registering with the Azure Backup service
Networking settings
Encryption settings

Create a recovery services vault


The following steps lead you through creating a Recovery Services vault. A Recovery Services vault is different
than a Backup vault.
1. If you are using Azure Backup for the first time, you must use the Register-AzureRMResourceProvider
cmdlet to register the Azure Recovery Service provider with your subscription.

PS C:\> Register-AzureRmResourceProvider -ProviderNamespace "Microsoft.RecoveryServices"

2. The Recovery Services vault is an ARM resource, so you need to place it within a Resource Group. You can
use an existing resource group, or create a new one. When creating a new resource group, specify the name
and location for the resource group.

PS C:\> New-AzureRmResourceGroup -Name "test-rg" -Location "West US"

3. Use the New-AzureRmRecoveryServicesVault cmdlet to create a new vault. Be sure to specify the same
location for the vault as was used for the resource group.

PS C:\> New-AzureRmRecoveryServicesVault -Name "testvault" -ResourceGroupName "test-rg" -Location "West US"

4. Specify the type of storage redundancy to use; you can use Locally Redundant Storage (LRS) or Geo
Redundant Storage (GRS). The following example shows the -BackupStorageRedundancy option for
testVault is set to GeoRedundant.

TIP
Many Azure Backup cmdlets require the Recovery Services vault object as an input. For this reason, it is convenient
to store the Backup Recovery Services vault object in a variable.

PS C:\> $vault1 = Get-AzureRmRecoveryServicesVault -Name "testVault"
PS C:\> Set-AzureRmRecoveryServicesBackupProperties -vault $vault1 -BackupStorageRedundancy GeoRedundant

View the vaults in a subscription


Use Get-AzureRmRecoveryServicesVault to view the list of all vaults in the current subscription. You can use
this command to check that a new vault was created, or to see what vaults are available in the subscription.
Run the command, Get-AzureRmRecoveryServicesVault, and all vaults in the subscription are listed.

PS C:\> Get-AzureRmRecoveryServicesVault
Name : Contoso-vault
ID : /subscriptions/1234
Type : Microsoft.RecoveryServices/vaults
Location : WestUS
ResourceGroupName : Contoso-docs-rg
SubscriptionId : 1234-567f-8910-abc
Properties : Microsoft.Azure.Commands.RecoveryServices.ARSVaultProperties

Installing the Azure Backup agent on a DPM Server


Before you install the Azure Backup agent, you need to have the installer downloaded and present on the Windows
Server. You can get the latest version of the installer from the Microsoft Download Center or from the Recovery
Services vault's Dashboard page. Save the installer to an easily accessible location like C:\Downloads\.
To install the agent, run the following command in an elevated PowerShell console on the DPM server:

PS C:\> MARSAgentInstaller.exe /q

This installs the agent with all the default options. The installation takes a few minutes in the background. If you do
not specify the /nu option the Windows Update window opens at the end of the installation to check for any
updates.
The agent shows up in the list of installed programs. To see the list of installed programs, go to Control Panel >
Programs > Programs and Features.

Installation options
To see all the options available via the command line, use the following command:

PS C:\> MARSAgentInstaller.exe /?

The available options include:

OPTION           DETAILS                                                       DEFAULT
/q               Quiet installation                                            -
/p:"location"    Path to the installation folder for the Azure Backup agent.   C:\Program Files\Microsoft Azure Recovery Services Agent
/s:"location"    Path to the cache folder for the Azure Backup agent.          C:\Program Files\Microsoft Azure Recovery Services Agent\Scratch
/m               Opt-in to Microsoft Update                                    -
/nu              Do not Check for updates after installation is complete       -
/d               Uninstalls Microsoft Azure Recovery Services Agent            -
/ph              Proxy Host Address                                            -
/po              Proxy Host Port Number                                        -
/pu              Proxy Host UserName                                           -
/pw              Proxy Password                                                -

Registering DPM to a Recovery Services Vault


After you create the Recovery Services vault, download the latest agent and the vault credentials and store them in a
convenient location like C:\Downloads.

PS C:\> $credspath = "C:\downloads"


PS C:\> $credsfilename = Get-AzureRmRecoveryServicesVaultSettingsFile -Backup -Vault $vault1 -Path $credspath
PS C:\> $credsfilename
C:\downloads\testvault\_Sun Apr 10 2016.VaultCredentials

On the DPM server, run the Start-OBRegistration cmdlet to register the machine with the vault.

PS C:\> $cred = $credspath + $credsfilename


PS C:\> Start-OBRegistration -VaultCredentials $cred -Confirm:$false
CertThumbprint :7a2ef2caa2e74b6ed1222a5e89288ddad438df2
SubscriptionID : ef4ab577-c2c0-43e4-af80-af49f485f3d1
ServiceResourceName: testvault
Region :West US
Machine registration succeeded.

Initial configuration settings


Once the DPM Server is registered with the Recovery Services vault, it starts with default subscription settings.
These subscription settings include Networking, Encryption and the Staging area. To change subscription settings
you need to first get a handle on the existing (default) settings using the Get-DPMCloudSubscriptionSetting
cmdlet:

$setting = Get-DPMCloudSubscriptionSetting -DPMServerName "TestingServer"

All modifications are made to this local PowerShell object $setting and then the full object is committed to DPM
and Azure Backup to save them using the Set-DPMCloudSubscriptionSetting cmdlet. You need to use the Commit
flag to ensure that the changes are persisted. The settings will not be applied and used by Azure Backup unless
committed.

PS C:\> Set-DPMCloudSubscriptionSetting -DPMServerName "TestingServer" -SubscriptionSetting $setting -Commit

Networking
If the connectivity of the DPM machine to the Azure Backup service on the internet is through a proxy server, then
the proxy server settings should be provided for successful backups. This is done by using the -ProxyServer,
-ProxyPort, -ProxyUsername and -ProxyPassword parameters with the Set-DPMCloudSubscriptionSetting
cmdlet. In this example, there is no proxy server so we are explicitly clearing any proxy-related information.

PS C:\> Set-DPMCloudSubscriptionSetting -DPMServerName "TestingServer" -SubscriptionSetting $setting -NoProxy

Bandwidth usage can also be controlled with options of -WorkHourBandwidth and -NonWorkHourBandwidth for a
given set of days of the week. In this example, we are not setting any throttling.

PS C:\> Set-DPMCloudSubscriptionSetting -DPMServerName "TestingServer" -SubscriptionSetting $setting -NoThrottle

Configuring the staging Area


The Azure Backup agent running on the DPM server needs temporary storage for data restored from the cloud
(local staging area). Configure the staging area using the Set-DPMCloudSubscriptionSetting cmdlet and the
-StagingAreaPath parameter.

PS C:\> Set-DPMCloudSubscriptionSetting -DPMServerName "TestingServer" -SubscriptionSetting $setting -StagingAreaPath "C:\StagingArea"

In the example above, the staging area will be set to C:\StagingArea in the PowerShell object $setting . Ensure
that the specified folder already exists, or else the final commit of the subscription settings will fail.
Encryption settings
The backup data sent to Azure Backup is encrypted to protect the confidentiality of the data. The encryption
passphrase is the "password" to decrypt the data at the time of restore. It is important to keep this information safe
and secure once it is set.
In the example below, the first command converts the string passphrase123456789 to a secure string and assigns
the secure string to the variable named $Passphrase. The second command sets the secure string in $Passphrase
as the password for encrypting backups.

PS C:\> $Passphrase = ConvertTo-SecureString -string "passphrase123456789" -AsPlainText -Force

PS C:\> Set-DPMCloudSubscriptionSetting -DPMServerName "TestingServer" -SubscriptionSetting $setting -EncryptionPassphrase $Passphrase

IMPORTANT
Keep the passphrase information safe and secure once it is set. You will not be able to restore data from Azure without this
passphrase.

At this point, you should have made all the required changes to the $setting object. Remember to commit the
changes.

PS C:\> Set-DPMCloudSubscriptionSetting -DPMServerName "TestingServer" -SubscriptionSetting $setting -Commit
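
The staging-area and encryption steps above, as an added example (not part of the original article) that avoids a literal passphrase in the script or command history by prompting for it, and checks that the staging folder exists before the commit. The Test-SecureStringEqual helper and the 16-character minimum are assumptions introduced for this example; the server name and staging path are the article's sample values.

```powershell
# Added example, not from the original article.
$dpmServer   = "TestingServer"     # sample name used in the article
$stagingPath = "C:\StagingArea"    # sample path used in the article
$minLength   = 16                  # assumed local policy value, not taken from the article

# Hypothetical helper: compares two SecureStrings and wipes the temporary unmanaged copies
function Test-SecureStringEqual {
    param(
        [Parameter(Mandatory = $true)][System.Security.SecureString]$First,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Second
    )
    $p1 = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($First)
    $p2 = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Second)
    try {
        $s1 = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($p1)
        $s2 = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($p2)
        return [string]::Equals($s1, $s2, [System.StringComparison]::Ordinal)
    }
    finally {
        # Zero and free the unmanaged buffers whether or not the comparison succeeded
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($p1)
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($p2)
    }
}

# The final commit fails if the staging folder is missing, so check before changing anything
if (-not (Test-Path -LiteralPath $stagingPath -PathType Container)) {
    throw "Staging folder '$stagingPath' does not exist. Create it before committing the settings."
}

# Prompt for the passphrase so it never appears in the script, the transcript or the history
$Passphrase = Read-Host -Prompt "Encryption passphrase" -AsSecureString
if ($Passphrase.Length -lt $minLength) {
    throw "Passphrase is shorter than $minLength characters."
}

# Ask twice: a mistyped passphrase would make the backups unrecoverable
$again = Read-Host -Prompt "Re-enter encryption passphrase" -AsSecureString
if (-not (Test-SecureStringEqual -First $Passphrase -Second $again)) {
    throw "The two passphrase entries do not match."
}

# Apply the changes to the local settings object, then commit once at the end
$setting = Get-DPMCloudSubscriptionSetting -DPMServerName $dpmServer
Set-DPMCloudSubscriptionSetting -DPMServerName $dpmServer -SubscriptionSetting $setting -StagingAreaPath $stagingPath
Set-DPMCloudSubscriptionSetting -DPMServerName $dpmServer -SubscriptionSetting $setting -EncryptionPassphrase $Passphrase
Set-DPMCloudSubscriptionSetting -DPMServerName $dpmServer -SubscriptionSetting $setting -Commit
```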

Protect data to Azure Backup


In this section, you will add a production server to DPM and then protect the data to local DPM storage and then to
Azure Backup. In the examples, we will demonstrate how to back up files and folders. The logic can easily be
extended to back up any DPM-supported data source. All your DPM backups are governed by a Protection Group
(PG) with four parts:
1. Group members is a list of all the protectable objects (also known as Datasources in DPM) that you want to
protect in the same protection group. For example, you may want to protect production VMs in one protection
group and SQL Server databases in another protection group as they may have different backup requirements.
Before you can back up any datasource on a production server you need to make sure the DPM Agent is
installed on the server and is managed by DPM. Follow the steps for installing the DPM Agent and linking it to
the appropriate DPM Server.
2. Data protection method specifies the target backup locations - tape, disk, and cloud. In our example we will
protect data to the local disk and to the cloud.
3. A backup schedule that specifies when backups need to be taken and how often the data should be
synchronized between the DPM Server and the production server.
4. A retention schedule that specifies how long to retain the recovery points in Azure.
Creating a protection group
Start by creating a new Protection Group using the New-DPMProtectionGroup cmdlet.

PS C:\> $PG = New-DPMProtectionGroup -DPMServerName "TestingServer" -Name "ProtectGroup01"

The above cmdlet will create a Protection Group named ProtectGroup01. An existing protection group can also be
modified later to add backup to the Azure cloud. However, to make any changes to the Protection Group - new or
existing - we need to get a handle on a modifiable object using the Get-DPMModifiableProtectionGroup cmdlet.

PS C:\> $MPG = Get-ModifiableProtectionGroup $PG

Adding group members to the Protection Group


Each DPM Agent knows the list of datasources on the server that it is installed on. To add a datasource to the
Protection Group, the DPM Agent needs to first send a list of the datasources back to the DPM server. One or more
datasources are then selected and added to the Protection Group. The PowerShell steps needed to achieve this are:
1. Fetch a list of all servers managed by DPM through the DPM Agent.
2. Choose a specific server.
3. Fetch a list of all datasources on the server.
4. Choose one or more datasources and add them to the Protection Group
The list of servers on which the DPM Agent is installed and is being managed by the DPM Server is acquired with
the Get-DPMProductionServer cmdlet. In this example we will filter and only configure the production server (PS) named
productionserver01 for backup.

PS C:\> $server = Get-ProductionServer -DPMServerName "TestingServer" | where {($_.servername) -contains "productionserver01"}

Now fetch the list of datasources on $server using the Get-DPMDatasource cmdlet. In this example we are
filtering for the volume D:\ that we want to configure for backup. This datasource is then added to the Protection
Group using the Add-DPMChildDatasource cmdlet. Remember to use the modifiable protection group object
$MPG to make the additions.

PS C:\> $DS = Get-Datasource -ProductionServer $server -Inquire | where { $_.Name -contains "D:\" }

PS C:\> Add-DPMChildDatasource -ProtectionGroup $MPG -ChildDatasource $DS

Repeat this step as many times as required, until you have added all the chosen datasources to the protection
group. You can also start with just one datasource, and complete the workflow for creating the Protection Group,
and at a later point add more datasources to the Protection Group.
Selecting the data protection method
Once the datasources have been added to the Protection Group, the next step is to specify the protection method
using the Set-DPMProtectionType cmdlet. In this example, the Protection Group is set up for local disk and cloud
backup. You also need to specify the datasource that you want to protect to cloud using the
Add-DPMChildDatasource cmdlet with the -Online flag.

PS C:\> Set-DPMProtectionType -ProtectionGroup $MPG -ShortTerm Disk -LongTerm Online
PS C:\> Add-DPMChildDatasource -ProtectionGroup $MPG -ChildDatasource $DS -Online

Setting the retention range


Set the retention for the backup points using the Set-DPMPolicyObjective cmdlet. While it might seem odd to set
the retention before the backup schedule has been defined, using the Set-DPMPolicyObjective cmdlet
automatically sets a default backup schedule that can then be modified. It is always possible to set the backup
schedule first and the retention policy after.
In the example below, the cmdlet sets the retention parameters for disk backups. This will retain backups for 10
days, and sync data every 6 hours between the production server and the DPM server. The
SynchronizationFrequencyMinutes doesn't define how often a backup point is created, but how often data is copied
to the DPM server. This setting prevents backups from becoming too large.

PS C:\> Set-DPMPolicyObjective -ProtectionGroup $MPG -RetentionRangeInDays 10 -SynchronizationFrequencyMinutes 360

For backups going to Azure (DPM refers to them as Online backups) the retention ranges can be configured for
long term retention using a Grandfather-Father-Son scheme (GFS). That is, you can define a combined retention
policy involving daily, weekly, monthly and yearly retention policies. In this example, we create an array
representing the complex retention scheme that we want, and then configure the retention range using the
Set-DPMPolicyObjective cmdlet.

PS C:\> $RRlist = @()
PS C:\> $RRList += (New-Object -TypeName Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.OMCommon.RetentionRange -ArgumentList 180, Days)
PS C:\> $RRList += (New-Object -TypeName Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.OMCommon.RetentionRange -ArgumentList 104, Weeks)
PS C:\> $RRList += (New-Object -TypeName Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.OMCommon.RetentionRange -ArgumentList 60, Month)
PS C:\> $RRList += (New-Object -TypeName Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.OMCommon.RetentionRange -ArgumentList 10, Years)
PS C:\> Set-DPMPolicyObjective -ProtectionGroup $MPG -OnlineRetentionRangeList $RRlist

Set the backup schedule


DPM sets a default backup schedule automatically if you specify the protection objective using the
Set-DPMPolicyObjective cmdlet. To change the default schedules, use the Get-DPMPolicySchedule cmdlet followed
by the Set-DPMPolicySchedule cmdlet.

PS C:\> $onlineSch = Get-DPMPolicySchedule -ProtectionGroup $mpg -LongTerm Online
PS C:\> Set-DPMPolicySchedule -ProtectionGroup $MPG -Schedule $onlineSch[0] -TimesOfDay 02:00
PS C:\> Set-DPMPolicySchedule -ProtectionGroup $MPG -Schedule $onlineSch[1] -TimesOfDay 02:00 -DaysOfWeek Sa,Su -Interval 1
PS C:\> Set-DPMPolicySchedule -ProtectionGroup $MPG -Schedule $onlineSch[2] -TimesOfDay 02:00 -RelativeIntervals First,Third -DaysOfWeek Sa
PS C:\> Set-DPMPolicySchedule -ProtectionGroup $MPG -Schedule $onlineSch[3] -TimesOfDay 02:00 -DaysOfMonth 2,5,8,9 -Months Jan,Jul
PS C:\> Set-DPMProtectionGroup -ProtectionGroup $MPG

In the above example, $onlineSch is an array with four elements that contains the existing online protection
schedule for the Protection Group in the GFS scheme:
1. $onlineSch[0] contains the daily schedule
2. $onlineSch[1] contains the weekly schedule
3. $onlineSch[2] contains the monthly schedule
4. $onlineSch[3] contains the yearly schedule

So if you need to modify the weekly schedule, you need to refer to $onlineSch[1].
Initial backup
When backing up a datasource for the first time, DPM needs to create an initial replica, which is a full copy of the
datasource to be protected, on the DPM replica volume. This activity can either be scheduled for a specific time, or can
be triggered manually, using the Set-DPMReplicaCreationMethod cmdlet with the parameter -NOW.

PS C:\> Set-DPMReplicaCreationMethod -ProtectionGroup $MPG -NOW

Changing the size of DPM Replica & recovery point volume


You can also change the size of DPM Replica volume and Shadow Copy volume using the
Set-DPMDatasourceDiskAllocation cmdlet as in the following example:

Get-DatasourceDiskAllocation -Datasource $DS
Set-DatasourceDiskAllocation -Datasource $DS -ProtectionGroup $MPG -manual -ReplicaArea (2gb) -ShadowCopyArea (2gb)
Committing the changes to the Protection Group
Finally, the changes need to be committed before DPM can take the backup per the new Protection Group
configuration. This can be achieved using the Set-DPMProtectionGroup cmdlet.

PS C:\> Set-DPMProtectionGroup -ProtectionGroup $MPG

View the backup points


You can use the Get-DPMRecoveryPoint cmdlet to get a list of all recovery points for a datasource. In this example,
we will:
fetch all the PGs on the DPM server and store them in an array $PG
get the datasources corresponding to the $PG[0]
get all the recovery points for a datasource.

PS C:\> $PG = Get-DPMProtectionGroup -DPMServerName "TestingServer"
PS C:\> $DS = Get-DPMDatasource -ProtectionGroup $PG[0]
PS C:\> $RecoveryPoints = Get-DPMRecoverypoint -Datasource $DS[0] -Online

Restore data protected on Azure


Restoring data is a combination of a RecoverableItem object and a RecoveryOption object. In the previous section,
we got a list of the backup points for a datasource.
In the example below, we demonstrate how to restore a Hyper-V virtual machine from Azure Backup by combining
backup points with the target for recovery. This example includes:
Creating a recovery option using the New-DPMRecoveryOption cmdlet.
Fetching the array of backup points using the Get-DPMRecoveryPoint cmdlet.
Choosing a backup point to restore from.

PS C:\> $RecoveryOption = New-DPMRecoveryOption -HyperVDatasource -TargetServer "HVDCenter02" -RecoveryLocation AlternateHyperVServer -RecoveryType Recover -TargetLocation C:\VMRecovery

PS C:\> $PG = Get-DPMProtectionGroup -DPMServerName "TestingServer"
PS C:\> $DS = Get-DPMDatasource -ProtectionGroup $PG[0]
PS C:\> $RecoveryPoints = Get-DPMRecoverypoint -Datasource $DS[0] -Online

PS C:\> Restore-DPMRecoverableItem -RecoverableItem $RecoveryPoints[0] -RecoveryOption $RecoveryOption

The commands can easily be extended for any datasource type.

Next steps
For more information about DPM to Azure Backup, see Introduction to DPM Backup.
Deploy and manage backup to Azure for Data
Protection Manager (DPM) servers using PowerShell
8/2/2017 14 min to read

This article explains how to use PowerShell to back up and recover DPM data from a backup vault. Microsoft
recommends using Recovery Services vaults for all new deployments. If you are a new Azure Backup user, use the
article, Deploy and manage Data Protection Manager data to Azure using PowerShell, so you store your data in a
Recovery Services vault.

IMPORTANT
You can now upgrade your Backup vaults to Recovery Services vaults. For details, see the article Upgrade a Backup vault to a
Recovery Services vault. Microsoft encourages you to upgrade your Backup vaults to Recovery Services vaults. After October
15, 2017, you can't use PowerShell to create Backup vaults. By November 1, 2017:
All remaining Backup vaults will be automatically upgraded to Recovery Services vaults.
You won't be able to access your backup data in the classic portal. Instead, use the Azure portal to access your backup
data in Recovery Services vaults.

Setting up the PowerShell environment


IMPORTANT
Before you work with Azure resources, get familiar with the deployment models: Resource Manager, and classic.

Before you can use PowerShell to manage backups from Data Protection Manager to Azure, you will need to have
the right environment in PowerShell. At the start of the PowerShell session, ensure that you run the following
command to import the right modules and allow you to correctly reference the DPM cmdlets:

PS C:\> & "C:\Program Files\Microsoft System Center 2012 R2\DPM\DPM\bin\DpmCliInitScript.ps1"

Welcome to the DPM Management Shell!

Full list of cmdlets: Get-Command
Only DPM cmdlets: Get-DPMCommand
Get general help: help
Get help for a cmdlet: help <cmdlet-name> or <cmdlet-name> -?
Get definition of a cmdlet: Get-Command <cmdlet-name> -Syntax
Sample DPM scripts: Get-DPMSampleScript

Setup and Registration


To begin:
1. Download the latest PowerShell (minimum version required is 1.0.0).
2. Enable the Azure Backup commandlets by switching to AzureResourceManager mode by using the
Switch-AzureMode commandlet:
PS C:\> Switch-AzureMode AzureResourceManager

The following setup and registration tasks can be automated with PowerShell:
Create a backup vault
Installing the Azure Backup agent
Registering with the Azure Backup service
Networking settings
Encryption settings
Create a backup vault

WARNING
For customers using Azure Backup for the first time, you need to register the Azure Backup provider to be used with your
subscription. This can be done by running the following command: Register-AzureProvider -ProviderNamespace
"Microsoft.Backup"

You can create a new backup vault using the New-AzureRMBackupVault commandlet. The backup vault is an
ARM resource, so you need to place it within a Resource Group. In an elevated Azure PowerShell console, run the
following commands:

PS C:\> New-AzureResourceGroup -Name "test-rg" -Region "West US"
PS C:\> $backupvault = New-AzureRMBackupVault -ResourceGroupName "test-rg" -Name "test-vault" -Region "West US" -Storage GRS

You can get a list of all the backup vaults in a given subscription using the Get-AzureRMBackupVault
commandlet.
Installing the Azure Backup agent on a DPM Server
Before you install the Azure Backup agent, you need to have the installer downloaded and present on the Windows
Server. You can get the latest version of the installer from the Microsoft Download Center or from the backup
vault's Dashboard page. Save the installer to an easily accessible location like C:\Downloads\.
To install the agent, run the following command in an elevated PowerShell console on the DPM server:

PS C:\> MARSAgentInstaller.exe /q

This installs the agent with all the default options. The installation takes a few minutes in the background. If you do
not specify the /nu option the Windows Update window will open at the end of the installation to check for any
updates.
The agent will show in the list of installed programs. To see the list of installed programs, go to Control Panel >
Programs > Programs and Features.
Installation options
To see all the options available via the command-line, use the following command:

PS C:\> MARSAgentInstaller.exe /?

The available options include:

OPTION           DETAILS                                                       DEFAULT
/q               Quiet installation                                            -
/p:"location"    Path to the installation folder for the Azure Backup agent.   C:\Program Files\Microsoft Azure Recovery Services Agent
/s:"location"    Path to the cache folder for the Azure Backup agent.          C:\Program Files\Microsoft Azure Recovery Services Agent\Scratch
/m               Opt-in to Microsoft Update                                    -
/nu              Do not Check for updates after installation is complete       -
/d               Uninstalls Microsoft Azure Recovery Services Agent            -
/ph              Proxy Host Address                                            -
/po              Proxy Host Port Number                                        -
/pu              Proxy Host UserName                                           -
/pw              Proxy Password                                                -

Registering with the Azure Backup service


Before you can register with the Azure Backup service, you need to ensure that the prerequisites are met. You
must:
Have a valid Azure subscription
Have a backup vault
To download the vault credentials, run the Get-AzureBackupVaultCredentials commandlet in an Azure
PowerShell console and store it in a convenient location like C:\Downloads\.
PS C:\> $credspath = "C:\"
PS C:\> $credsfilename = Get-AzureRMBackupVaultCredentials -Vault $backupvault -TargetLocation $credspath
PS C:\> $credsfilename
f5303a0b-fae4-4cdb-b44d-0e4c032dde26_backuprg_backuprn_2015-08-11--06-22-35.VaultCredentials

Registering the machine with the vault is done using the Start-DPMCloudRegistration cmdlet:

PS C:\> $cred = $credspath + $credsfilename


PS C:\> Start-DPMCloudRegistration -DPMServerName "TestingServer" -VaultCredentialsFilePath $cred

This will register the DPM Server named TestingServer with Microsoft Azure Vault using the specified vault
credentials.

IMPORTANT
Do not use relative paths to specify the vault credentials file. You must provide an absolute path as an input to the cmdlet.

Initial configuration settings


Once the DPM Server is registered with the Azure Backup vault, it will start with default subscription settings.
These subscription settings include Networking, Encryption and the Staging area. To begin changing the
subscription settings you need to first get a handle on the existing (default) settings using the
Get-DPMCloudSubscriptionSetting cmdlet:

$setting = Get-DPMCloudSubscriptionSetting -DPMServerName "TestingServer"

All modifications are made to this local PowerShell object $setting and then the full object is committed to DPM
and Azure Backup to save them using the Set-DPMCloudSubscriptionSetting cmdlet. You need to use the Commit
flag to ensure that the changes are persisted. The settings will not be applied and used by Azure Backup unless
committed.

PS C:\> Set-DPMCloudSubscriptionSetting -DPMServerName "TestingServer" -SubscriptionSetting $setting -Commit

Networking
If the DPM machine connects to the Azure Backup service on the internet through a proxy server, then
the proxy server settings must be provided for backups to succeed. This is done by using the -ProxyServer,
-ProxyPort, -ProxyUsername and -ProxyPassword parameters with the Set-DPMCloudSubscriptionSetting
cmdlet. In this example, there is no proxy server so we are explicitly clearing any proxy-related information.

PS C:\> Set-DPMCloudSubscriptionSetting -DPMServerName "TestingServer" -SubscriptionSetting $setting -NoProxy

Bandwidth usage can also be controlled with options of -WorkHourBandwidth and -NonWorkHourBandwidth for a
given set of days of the week. In this example we are not setting any throttling.

PS C:\> Set-DPMCloudSubscriptionSetting -DPMServerName "TestingServer" -SubscriptionSetting $setting -NoThrottle

Configuring the staging area


The Azure Backup agent running on the DPM server needs temporary storage for data restored from the cloud
(local staging area). Configure the staging area using the Set-DPMCloudSubscriptionSetting cmdlet and the
-StagingAreaPath parameter.

PS C:\> Set-DPMCloudSubscriptionSetting -DPMServerName "TestingServer" -SubscriptionSetting $setting -StagingAreaPath "C:\StagingArea"

In the example above, the staging area will be set to C:\StagingArea in the PowerShell object $setting. Ensure
that the specified folder already exists, or else the final commit of the subscription settings will fail.

Encryption settings
The backup data sent to Azure Backup is encrypted to protect the confidentiality of the data. The encryption
passphrase is the "password" to decrypt the data at the time of restore. It is important to keep this information safe
and secure once it is set.
In the example below, the first command converts the string passphrase123456789 to a secure string and assigns
the secure string to the variable named $Passphrase. The second command sets the secure string in $Passphrase
as the password for encrypting backups.

PS C:\> $Passphrase = ConvertTo-SecureString -string "passphrase123456789" -AsPlainText -Force

PS C:\> Set-DPMCloudSubscriptionSetting -DPMServerName "TestingServer" -SubscriptionSetting $setting -EncryptionPassphrase $Passphrase

IMPORTANT
Keep the passphrase information safe and secure once it is set. You will not be able to restore data from Azure without this
passphrase.

At this point, you should have made all the required changes to the $setting object. Remember to commit the
changes.

PS C:\> Set-DPMCloudSubscriptionSetting -DPMServerName "TestingServer" -SubscriptionSetting $setting -Commit
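
The staging-area and passphrase steps above, as an added example that is not part of the original documentation: it checks that the staging folder exists before anything is committed, and prompts for the passphrase instead of embedding it in the script. The function name Read-ConfirmedPassphrase and the 16-character minimum are assumptions; the server name and path are the page's sample values.

```powershell
# Added example. Server name and staging path are the sample values used on this page.
$dpmServer   = "TestingServer"
$stagingPath = "C:\StagingArea"
$minLength   = 16   # assumption: local policy value, not stated on this page

# Hypothetical helper: prompt twice so a typo cannot become the only key to the backups.
function Read-ConfirmedPassphrase {
    param([int]$MinLength)

    $first  = Read-Host -Prompt "Encryption passphrase" -AsSecureString
    $second = Read-Host -Prompt "Confirm passphrase" -AsSecureString

    # Decrypt in memory only for the comparison; the plain text never appears
    # in the script file, the command line, or the PowerShell history.
    $a = (New-Object System.Net.NetworkCredential("", $first)).Password
    $b = (New-Object System.Net.NetworkCredential("", $second)).Password

    if ($a -cne $b)               { throw "Passphrases do not match." }
    if ($a.Length -lt $MinLength) { throw "Passphrase is shorter than $MinLength characters." }

    return $first
}

# The final commit fails when the staging folder is missing, so check first
# and stop before any setting is changed.
if (-not (Test-Path -LiteralPath $stagingPath -PathType Container)) {
    throw "Staging folder '$stagingPath' does not exist. Create it before committing."
}

$passphrase = Read-ConfirmedPassphrase -MinLength $minLength

# Same cmdlets and parameters as the steps above: modify the local object, then commit.
$setting = Get-DPMCloudSubscriptionSetting -DPMServerName $dpmServer
Set-DPMCloudSubscriptionSetting -DPMServerName $dpmServer -SubscriptionSetting $setting -StagingAreaPath $stagingPath
Set-DPMCloudSubscriptionSetting -DPMServerName $dpmServer -SubscriptionSetting $setting -EncryptionPassphrase $passphrase
Set-DPMCloudSubscriptionSetting -DPMServerName $dpmServer -SubscriptionSetting $setting -Commit
```

Because data cannot be restored from Azure without the passphrase, record it in a password manager or other secured store at the moment it is set.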

Protect data to Azure Backup


In this section, you will add a production server to DPM and then protect the data to local DPM storage and then to
Azure Backup. In the examples we will demonstrate how to back up files and folders. The logic can easily be
extended to back up any DPM-supported data source. All your DPM backups are governed by a Protection Group
(PG) with four parts:
1. Group members is a list of all the protectable objects (also known as Datasources in DPM) that you want to
protect in the same protection group. For example, you may want to protect production VMs in one protection
group and SQL Server databases in another protection group as they may have different backup requirements.
Before you can back up any datasource on a production server you need to make sure the DPM Agent is
installed on the server and is managed by DPM. Follow the steps for installing the DPM Agent and linking it to
the appropriate DPM Server.
2. Data protection method specifies the target backup locations - tape, disk, and cloud. In our example we will
protect data to the local disk and to the cloud.
3. A backup schedule that specifies when backups need to be taken and how often the data should be
synchronized between the DPM Server and the production server.
4. A retention schedule that specifies how long to retain the recovery points in Azure.
Creating a protection group
Start by creating a new Protection Group using the New-DPMProtectionGroup cmdlet.

PS C:\> $PG = New-DPMProtectionGroup -DPMServerName "TestingServer" -Name "ProtectGroup01"

The above cmdlet will create a Protection Group named ProtectGroup01. An existing protection group can also be
modified later to add backup to the Azure cloud. However, to make any changes to the Protection Group - new or
existing - we need to get a handle on a modifiable object using the Get-DPMModifiableProtectionGroup cmdlet.

PS C:\> $MPG = Get-DPMModifiableProtectionGroup $PG

Adding group members to the Protection Group


Each DPM Agent knows the list of datasources on the server that it is installed on. To add a datasource to the
Protection Group, the DPM Agent needs to first send a list of the datasources back to the DPM server. One or more
datasources are then selected and added to the Protection Group. The PowerShell steps needed to achieve this
are:
1. Fetch a list of all servers managed by DPM through the DPM Agent.
2. Choose a specific server.
3. Fetch a list of all datasources on the server.
4. Choose one or more datasources and add them to the Protection Group.

The list of servers on which the DPM Agent is installed and is being managed by the DPM Server is acquired with
the Get-DPMProductionServer cmdlet. In this example we will filter and only configure the production server (PS)
named productionserver01 for backup.

PS C:\> $server = Get-DPMProductionServer -DPMServerName "TestingServer" | where {($_.servername) -contains "productionserver01"}

Now fetch the list of datasources on $server using the Get-DPMDatasource cmdlet. In this example we are
filtering for the volume D:\ which we want to configure for backup. This datasource is then added to the Protection
Group using the Add-DPMChildDatasource cmdlet. Remember to use the modifiable protection group object $MPG
to make the additions.

PS C:\> $DS = Get-DPMDatasource -ProductionServer $server -Inquire | where { $_.Name -contains "D:\" }

PS C:\> Add-DPMChildDatasource -ProtectionGroup $MPG -ChildDatasource $DS

Repeat this step as many times as required, until you have added all the chosen datasources to the protection
group. You can also start with just one datasource, and complete the workflow for creating the Protection Group,
and at a later point add more datasources to the Protection Group.
Selecting the data protection method
Once the datasources have been added to the Protection Group, the next step is to specify the protection method
using the Set-DPMProtectionType cmdlet. In this example, the Protection Group will be set up for local disk and
cloud backup. You also need to specify the datasource that you want to protect to cloud using the
Add-DPMChildDatasource cmdlet with the -Online flag.

PS C:\> Set-DPMProtectionType -ProtectionGroup $MPG -ShortTerm Disk -LongTerm Online
PS C:\> Add-DPMChildDatasource -ProtectionGroup $MPG -ChildDatasource $DS -Online

Setting the retention range


Set the retention for the backup points using the Set-DPMPolicyObjective cmdlet. While it might seem odd to set
the retention before the backup schedule has been defined, using the Set-DPMPolicyObjective cmdlet
automatically sets a default backup schedule that can then be modified. It is always possible to set the backup
schedule first and the retention policy after.
In the example below, the cmdlet sets the retention parameters for disk backups. This will retain backups for 10
days, and sync data every 6 hours between the production server and the DPM server. The
SynchronizationFrequencyMinutes doesn't define how often a backup point is created, but how often data is copied
to the DPM server; this prevents backups from becoming too large.

PS C:\> Set-DPMPolicyObjective -ProtectionGroup $MPG -RetentionRangeInDays 10 -SynchronizationFrequencyMinutes 360

For backups going to Azure (DPM refers to these as Online backups) the retention ranges can be configured for
long term retention using a Grandfather-Father-Son scheme (GFS). That is, you can define a combined retention
policy involving daily, weekly, monthly and yearly retention policies. In this example, we create an array
representing the complex retention scheme that we want, and then configure the retention range using the
Set-DPMPolicyObjective cmdlet.

PS C:\> $RRlist = @()
PS C:\> $RRList += (New-Object -TypeName Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.OMCommon.RetentionRange -ArgumentList 180, Days)
PS C:\> $RRList += (New-Object -TypeName Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.OMCommon.RetentionRange -ArgumentList 104, Weeks)
PS C:\> $RRList += (New-Object -TypeName Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.OMCommon.RetentionRange -ArgumentList 60, Month)
PS C:\> $RRList += (New-Object -TypeName Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.OMCommon.RetentionRange -ArgumentList 10, Years)
PS C:\> Set-DPMPolicyObjective -ProtectionGroup $MPG -OnlineRetentionRangeList $RRlist

Set the backup schedule


DPM sets a default backup schedule automatically if you specify the protection objective using the
Set-DPMPolicyObjective cmdlet. To change the default schedules, use the Get-DPMPolicySchedule cmdlet followed
by the Set-DPMPolicySchedule cmdlet.

PS C:\> $onlineSch = Get-DPMPolicySchedule -ProtectionGroup $mpg -LongTerm Online
PS C:\> Set-DPMPolicySchedule -ProtectionGroup $MPG -Schedule $onlineSch[0] -TimesOfDay 02:00
PS C:\> Set-DPMPolicySchedule -ProtectionGroup $MPG -Schedule $onlineSch[1] -TimesOfDay 02:00 -DaysOfWeek Sa,Su -Interval 1
PS C:\> Set-DPMPolicySchedule -ProtectionGroup $MPG -Schedule $onlineSch[2] -TimesOfDay 02:00 -RelativeIntervals First,Third -DaysOfWeek Sa
PS C:\> Set-DPMPolicySchedule -ProtectionGroup $MPG -Schedule $onlineSch[3] -TimesOfDay 02:00 -DaysOfMonth 2,5,8,9 -Months Jan,Jul
PS C:\> Set-DPMProtectionGroup -ProtectionGroup $MPG

In the example above, $onlineSch is an array with four elements that contains the existing online protection
schedule for the Protection Group in the GFS scheme:
1. $onlineSch[0] will contain the daily schedule
2. $onlineSch[1] will contain the weekly schedule
3. $onlineSch[2] will contain the monthly schedule
4. $onlineSch[3] will contain the yearly schedule

So if you need to modify the weekly schedule, you need to refer to $onlineSch[1].
Initial backup
When backing up a datasource for the first time, DPM needs to create an initial replica, which is a copy of
the datasource to be protected on the DPM replica volume. This activity can either be scheduled for a specific time, or
can be triggered manually, using the Set-DPMReplicaCreationMethod cmdlet with the parameter -NOW.

PS C:\> Set-DPMReplicaCr