Step-by-Step – Backing up a Windows 10 Client to Microsoft Azure

Backing up a Windows Client to Microsoft Azure Recovery Services Backup Vault

To back up files and data from your Windows Clients, Windows Server or System Center Data Protection Manager (SCDPM) to Azure, or when backing up IaaS VMs to Azure, you must create a backup vault in the geographic region where you want to store the data. In this step-by-step article, we are going to back up a Windows Client machine. Your machine can be Windows 7, Windows 8, Windows 8.1 or Windows 10. Make sure you have the latest service packs on your machine as well. Backups to a vault can be up to 1.7 Terabytes in size.

For more information on Microsoft Azure Recovery Services Backup Vault go to: https://azure.microsoft.com/en-us/services/backup

For FAQs on Microsoft Azure Backup go to: https://azure.microsoft.com/en-us/documentation/articles/backup-azure-backup-faq

Create a Backup Vault

1. Sign in to the Management Portal https://manage.windowsazure.com

2. Click New -> Data Services -> Recovery Services -> Backup Vault and choose Quick Create

  • For the Name parameter, enter a friendly name to identify the backup vault. This needs to be unique for each subscription.
  • For the Region parameter, select the geographic region for the backup vault. The choice determines the geo to which your backup data is sent. By choosing a geo close to your location, you can reduce the network latency when backing up to Azure.
  • Click Create Vault to complete the workflow. It can take a while for the backup vault to be created. To check the status, you can monitor the notifications at the bottom of the portal.

3. After the backup vault has been created, a message will tell you the vault has been successfully created and it will be listed in the resources for Recovery Services as Active.

Azure Backup - Storage Redundancy Options

The best time to identify your storage redundancy option is right after vault creation, and before any machines are registered to the vault. Once an item has been registered to the vault, the storage redundancy option is locked and cannot be modified.

Your business needs determine the storage redundancy of the Azure Backup backend storage. If you are using Azure as a primary backup storage endpoint (e.g. you are backing up to Azure from a Windows Server), you should consider picking the Geo-Redundant storage option (the default). This is seen under the Configure option of your Backup vault.

Geo-Redundant Storage (GRS)

GRS maintains six copies of your data. With GRS, your data is replicated three times within the primary region, and is also replicated three times in a secondary region hundreds of miles away from the primary region, providing the highest level of durability. In the event of a failure at the primary region, by storing data in GRS, Azure Backup ensures that your data is durable in two separate regions.

Locally Redundant Storage (LRS)

Locally redundant storage (LRS) maintains three copies of your data. LRS is replicated three times within a single facility in a single region. LRS protects your data from normal hardware failures, but not from the failure of an entire Azure facility.

If you are using Azure as a tertiary backup storage endpoint (for example, you are using SCDPM to have a local backup copy on-premises and using Azure for your long-term retention needs), you should consider choosing Locally Redundant Storage from the Configure option of your Backup vault. This brings down the cost of storing data in Azure, while providing a lower level of durability for your data that might be acceptable for tertiary copies.

Notes

· As of March 2015, customers do not have a programmatic (e.g. PowerShell) way of creating a backup vault.

· The storage redundancy should be selected right after vault creation, and before any machines are registered to the vault. Once an item has been registered to the vault, the storage redundancy option is locked and cannot be modified.

 

Download Vault Credentials

Using vault credentials to authenticate with the Azure Backup service

The on-premises server (Windows client or Windows Server or SCDPM server) needs to be authenticated with a backup vault before it can back up data to Azure. The authentication is achieved using “vault credentials”. The concept of vault credentials is similar to the concept of a “publish settings” file which is used in Azure PowerShell.

What is the vault credential file?

The vault credentials file is a certificate which is generated by the portal for each backup vault. The portal then uploads the public key to the Access Control Service (ACS). The private key of the certificate is made available to the user as part of the workflow and is given as an input in the machine registration workflow. This authenticates the machine to send backup data to an identified vault in the Azure Backup service.

The vault credential is used only during the registration workflow. It is the user’s responsibility to ensure that the vault credentials file is not compromised. If it falls into the hands of a rogue user, the vault credentials file can be used to register other machines against the same vault. However, as the backup data is encrypted using a passphrase which belongs to the customer, existing backup data cannot be compromised. To mitigate this concern, the vault credentials are set to expire in 48 hours. You can download the vault credentials of a backup vault any number of times, but only the latest vault credential file is applicable during the registration workflow.

Download the vault credential file

The vault credential file is downloaded through a secure channel from the Azure portal. The Azure Backup service is unaware of the private key of the certificate and the private key is not persisted in the portal or the service. Use the following steps to download the vault credential to a local machine.

1. Sign in to the Management Portal

2. Click Recovery Services in the left navigation pane and select the backup vault which you have created.

3. Click the cloud icon to get to the Quick Start view of the backup vault.

4. On the Quick Start page, click Download vault credentials. The portal generates the vault credential file which is made available for download.

5. The portal will generate a vault credential using a combination of the vault name and the current date. Click Save to download the vault credentials to the local account's downloads folder, or select Save As from the Save menu to specify a location for the vault credentials.

Notes

· As of March 2015, users do not have a programmatic (e.g. PowerShell) way of downloading vault credentials.

· Ensure that the vault credentials file is saved in a location which can be accessed from your machine. If it is stored on a file share (SMB), check the access permissions.

· The vault credentials file is used only during the registration workflow.

· The vault credentials file expires after 48 hours and can be downloaded again from the portal.

· Refer to the Azure Backup FAQ for any questions on the workflow.
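
The 48-hour lifetime and the access-permission note above can be checked before starting registration. The following PowerShell script is an added example, not part of the original article or of Microsoft's tooling; the file path parameter and the list of broad groups it flags are assumptions.

```powershell
# Added example: pre-registration check of a downloaded vault credentials file.
# The 48-hour lifetime comes from the article; the path and the set of
# "broad" principals below are assumptions for illustration.
param(
    [Parameter(Mandatory)] [string] $Path,   # hypothetical: wherever you saved the file
    [int] $MaxAgeHours = 48
)

$file = Get-Item -LiteralPath $Path -ErrorAction Stop

# Copying a file resets CreationTime but keeps LastWriteTime, so the earlier of
# the two is the closest local estimate of when the portal download happened.
$downloaded = @($file.CreationTimeUtc, $file.LastWriteTimeUtc) | Sort-Object | Select-Object -First 1
$ageHours   = ((Get-Date).ToUniversalTime() - $downloaded).TotalHours

# Well-known SIDs that should not be able to read a file holding a private key.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$readBits = [System.Security.AccessControl.FileSystemRights]::ReadData

$exposed = foreach ($rule in (Get-Acl -LiteralPath $file.FullName).Access) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    if (-not ($rule.FileSystemRights -band $readBits)) { continue }
    try   { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { continue }   # unresolvable account: nothing to compare against
    if ($broadSids.ContainsKey($sid)) { $broadSids[$sid] }
}

[pscustomobject]@{
    File            = $file.FullName
    AgeHours        = [math]::Round($ageHours, 1)
    Expired         = $ageHours -ge $MaxAgeHours
    ReadableByBroad = @($exposed | Sort-Object -Unique)
    OnUncPath       = $file.FullName.StartsWith('\\')   # UNC paths only; mapped drives are not detected
}
```

If `Expired` is true, download a fresh file from the portal; if `ReadableByBroad` is not empty, tighten the file or share permissions before use and delete the file once registration is complete.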

Registering your Windows Client machine

Download, install and register the Azure Backup agent

After creating the Azure Backup vault, an agent should be installed on each of your on-premises servers (Windows Server, Windows client or System Center Data Protection Manager server), which enables you to back up data and applications to Azure. This article covers the steps required to set up the Azure Backup agent on a Windows Server or Windows client machine.

1. Sign in to the Management Portal

2. Click Recovery Services, then select the backup vault that you want to register with a server. The Quick Start page for that backup vault appears.

3. On the Quick Start page, click For Windows Server or System Center Data Protection Manager or Windows client under Download Agent option. Click Save to copy it to the local machine.

4. Once the agent is downloaded, double click MARSAgentInstaller.exe to launch the installation of the Azure Backup agent.

5. Choose the installation folder and the cache folder required for the agent. The cache location specified must have free space which is at least 5% of the backup data.

6. If you use a proxy server to connect to the internet, in the Proxy configuration screen, enter the proxy server details. If you use an authenticated proxy, enter the user name and password details in this screen.

7. The Azure Backup agent installs .NET Framework 4.5 and Windows PowerShell (if they are not already available) to complete the installation.

8. Once the agent is installed, click the Proceed to Registration button to continue with the workflow.

9. In the vault credentials screen, browse to and select the vault credentials file which was previously downloaded.

NOTE:

The vault credentials file is valid only for 48 hours (after it’s downloaded from the portal). If you encounter any error in this screen (e.g. “Vault credentials file provided has expired”), log in to the Azure portal and download the vault credentials file again.

Ensure that the vault credentials file is available in a location which can be accessed by the setup application. If you encounter access related errors, copy the vault credentials file to a temporary location in this machine and retry the operation.

If you encounter an invalid vault credential error (e.g. “Invalid vault credentials provided. The file is either corrupted or does not have the latest credentials associated with the recovery service”), retry the operation after downloading a new vault credential file from the portal. This error is typically seen if the user clicks on the Download vault credential option in the Azure portal in quick succession. In this case, only the second vault credential file is valid.

10. In the Encryption setting screen, you can either generate a passphrase or provide a passphrase (minimum of 16 characters). Remember to save the passphrase in a secure location.

WARNING:

If the passphrase is lost or forgotten, Microsoft cannot help in recovering the backup data. The end user owns the encryption passphrase and Microsoft does not have any visibility into the passphrase which is used by the end user. Please save the file in a secure location as it would be required during a recovery operation.

11. Once you click the Finish button, the machine is registered successfully to the vault and you are now ready to start backing up to Microsoft Azure.

12. You can modify the settings specified during the registration workflow by clicking the Change Properties option in the Azure Backup MMC snap-in.

Backup and restore from a Windows server or Windows client machine

This lab covers the steps required to back up from a Windows server or a Windows client machine. It also covers the steps required to restore the backed up files on the same machine and the steps required to restore the backed up files on any other machine.

Scheduling and Backing Up files

1. Once the machine is registered, open Microsoft Azure Backup from the desktop.

2. Click on Schedule Backup

3. Select the items which you wish to back up. Azure Backup on a Windows Server/Windows Client (i.e. without System Center Data Protection Manager) enables you to protect files and folders. Create and pick a folder you want to back up. In this case we took the c:\recovery folder.

4. Specify the backup schedule and retention policy

5. Choose the method of sending the initial backup. Your choice of completing the initial seeding is dependent on the amount of data you wish to back up and your internet upload link speed. If you plan to back up gigabytes or terabytes of data over a high latency, low bandwidth connection, it is recommended that you complete the initial backup by shipping a disk to the nearest Azure data center. If you have a sufficient bandwidth connection, we recommend that you complete the initial backup over the network.

Backup Schedule is complete

6. Once the process completes, go back to the MMC snap-in and click Back up Now to complete the initial seeding over the network.

7. Once the initial seeding is completed, the Jobs view in the Azure Backup console indicates the status.

Recover data on the same machine

If you accidentally deleted a file and wish to restore the file/volume on the same machine (from which the backup is taken), the following steps will help you recover the data.

1. Click Recover Data to initiate the workflow.

2. Select the This server (yourmachinename) option, as you plan to restore the backed up file on the same machine.

3. You can choose to Browse for files or Search for files. Leave the default option if you plan to restore one or more files whose path is known. If you are not sure about the folder structure but would like to search for a file, pick the Search for files option. For the purpose of this section, we will proceed with the default option.

4. Select the volume from which you wish to restore the file.

5. The screen enables you to restore from any point in time. Dates which appear in bold in the calendar control indicate the availability of a restore point. Once a date is selected, based on your backup schedule (and the success of a backup operation), you can select a point in time from the Time drop down.

6. Select the items you wish to recover. You can multi-select folders/files which you wish to restore.

7. Specify the recovery parameters.

  • You have an option of restoring to the original location (in which case the file/folder would be overwritten) or to another location on the same machine.
  • If the file/folder which you wish to restore exists in the target location, you have the option to create copies (two versions of the same file), overwrite the files in the target location, or skip the recovery of the files which exist in the target.
  • It is highly recommended that you leave the default option of restoring the ACLs on the files which are being recovered.

8. Once these inputs are provided, the recovery workflow starts which restores the files to this machine.
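
After a recovery to another location, the restored files can be compared with the originals to confirm that content and explicitly assigned ACLs came back intact. This PowerShell script is an added example, not from the original article; the restore target path is a placeholder, Get-FileHash needs PowerShell 4.0 or later, and the comparison assumes the source files have not changed since the chosen restore point.

```powershell
# Added example: compare a folder restored to an alternate location with its source.
# C:\recovery is the folder the article backs up; the restore target is hypothetical.
param(
    [string] $Source   = 'C:\recovery',
    [string] $Restored = 'D:\restore-test\recovery'   # assumed alternate restore location
)

function Get-FileFingerprint([string] $Root) {
    $rootFull = (Get-Item -LiteralPath $Root -ErrorAction Stop).FullName.TrimEnd('\')
    $map = @{}   # relative path -> hash and explicit ACL (keys are case-insensitive)
    foreach ($f in Get-ChildItem -LiteralPath $rootFull -Recurse -File -Force) {
        # Explicit ACEs only: inherited ones depend on the parent folder and
        # legitimately differ when restoring to another location.
        $explicit = (Get-Acl -LiteralPath $f.FullName).Access |
            Where-Object { -not $_.IsInherited } |
            ForEach-Object { '{0}|{1}|{2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights } |
            Sort-Object
        $map[$f.FullName.Substring($rootFull.Length)] = [pscustomobject]@{
            Hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            Acl  = ($explicit -join ';')
        }
    }
    $map
}

$src = Get-FileFingerprint $Source
$dst = Get-FileFingerprint $Restored

$report = foreach ($rel in (@($src.Keys) + @($dst.Keys) | Sort-Object -Unique)) {
    $status = if (-not $dst.ContainsKey($rel))        { 'MissingInRestore' }
          elseif (-not $src.ContainsKey($rel))        { 'OnlyInRestore' }
          elseif ($src[$rel].Hash -ne $dst[$rel].Hash) { 'ContentDiffers' }
          elseif ($src[$rel].Acl  -ne $dst[$rel].Acl)  { 'AclDiffers' }
          else                                         { 'Match' }
    [pscustomobject]@{ Path = $rel; Status = $status }
}

# Only the discrepancies are of interest; no output means the restore matches.
$report | Where-Object Status -ne 'Match'
```

An `AclDiffers` row on a restore where the ACL option was left at its default is worth investigating before relying on the backup for access-controlled data.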

You can now see both the Backup and Recovery status.

If you go back into the Microsoft Azure Recovery Services Backup Vault you can see the Registered Items. Even though it is a backup of the client, it will say “Windows Server”.

You can also see the Protected Items, but not the individual files themselves, as the folders and files are stored in blob storage. You can only see the individual folders and files from the Azure Backup Agent on the physical machine.

This concludes “Backing up your files and folders with Microsoft Azure Recovery Services Backup Vault” for Windows Clients, Windows Servers and System Center Data Protection Manager.
