Azure Recovery Services Vault Management – performing a vault swap

In this blog post I will address some of the questions we’re receiving from customers regarding Azure Backup and Recovery Services vaults. We will focus on one of the most common Azure Backup / Recovery Services Vault management scenarios, which is a ‘vault swap’ for a Data Protection Manager (DPM) server or Azure Backup Server (MABS)*.

* Since DPM and Azure Backup Server have the same functionality in regards to a ‘vault swap’, we’ll simply use the term DPM to reference both products in the rest of this article.

Azure Vault Basics

Let’s start with some baseline information regarding Azure Backup and Recovery Services vaults. First is the relationship of DPM server to vault. Options include:

  • One to One relationship (DPM1 : Vault1)
    • In this case each DPM server is registered to its own vault. This works fine but it can result in many different vaults to manage if you have multiple DPM servers and it could cause you to reach the limit of 25 vaults per subscription as mentioned in the Azure Backup FAQ.
  • Many to One relationship (DPM1,DPM2,DPM3 : Vault1) 
    • For this option, multiple DPM servers are registered to the same vault. This is the most common scenario and is limited only by the fairly substantial number of 50 servers per vault, which is also mentioned in the FAQ.
  • One to Many relationship (DPM1 : Vault1,Vault2)
    • For this option a single DPM server may be registered to multiple vaults. At one time or another, for various business reasons, a DPM server may have written to multiple vaults and it’s likely those old Recovery Points need to be retained. As a result, the DPM server preserves its registration to multiple vaults. Note that only one vault at a time can be actively registered to a DPM server for reading or writing data. In other words, a DPM server cannot have one active vault for backups and another active vault for restores. There is a supported method to actively write to one vault and restore from another but it requires a second DPM server:

NOTE: If a DPM server (DPMServer1) has an active registration to one vault for backups (NewVault) but the backup admin needs to restore data from a former vault (OldVault), then use the Add external vault process from DPMServer2.  Otherwise, re-registering OldVault as the active registered vault on DPMServer1 could allow DPM to write new backups into OldVault, which likely is not desirable – why else would the backup admin have changed from OldVault to NewVault?

If you do switch back and forth between vaults – perhaps one vault is activated for writing new data while another is temporarily activated for an emergency restore – then it may be difficult to track which vault is active.  You can find the active vault name at the following location in the DPM server’s registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Azure Backup\Config\ServiceResourceName.
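The registry location above can be checked across several DPM servers to catch one that was left registered to a former vault after an emergency restore. This is an added example, not part of the original post: the server and vault names are constructed placeholders, it assumes PowerShell remoting is enabled on the DPM servers, and it assumes ServiceResourceName is a value under the Config key.

```powershell
# Added example: audit which vault each DPM server is actively registered to.
# Server and vault names are constructed placeholders; replace with your own.
$expected = @{
    'DPMServer1' = 'NewVault'
    'DPMServer2' = 'NewVault'
}

# Assumption: ServiceResourceName is a value under the Config key named in the article.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows Azure Backup\Config'
$valueName = 'ServiceResourceName'

$results = foreach ($server in $expected.Keys) {
    try {
        # Read the active vault name from the remote server's registry.
        $active = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            param($Path, $Name)
            (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
        } -ArgumentList $keyPath, $valueName
        $status = if ($active -eq $expected[$server]) { 'OK' } else { 'MISMATCH' }
    }
    catch {
        # Unreachable server or missing value: report it instead of hiding it.
        $active = $null
        $status = "ERROR: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Server        = $server
        ExpectedVault = $expected[$server]
        ActiveVault   = $active
        Status        = $status
    }
}

$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or monitoring job alert on drift.
if ($results | Where-Object Status -ne 'OK') { exit 1 }
```

A MISMATCH row means new online recovery points on that server are going to a vault other than the intended one.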

Azure Vault Swap

There are a couple reasons why customers may be changing their DPM server from one Azure Vault to another:

  • New Azure Data Center offerings make better business sense for some customers
    In February 2017, the Azure Recovery Service was added to several new Azure Data Centers, including the Canada and UK paired Data Centers, as well as US West 2.  US West Central was added a couple weeks prior in January 2017.

With these new service locations available, we’re seeing some customers change the location of their Recovery Services vaults (Classic vaults do not apply to these locations).  The change could be due to reduced network latency if one of these new data centers is closer to the customer’s on-premises location.  Or the change could be due to geo-political requirements, such as a Canada or UK customer that formerly saved backup data out-of-country simply due to there being no in-country offerings.

  • Various other business reasons
    This really could be anything.  For whatever reason, let’s say a customer wants to place 2016 data in a vault called ‘2016’ and 2017 data in a vault called ‘2017’.  Or maybe they started writing data to a vault that was configured for GRS replication and later decided to change to a vault configured for LRS.  I’m sure there are other possibilities here as well.

Pre-requisite Details

For full transparency, let’s first address Azure Billing details because there are scenarios where this could increase your costs for Azure Backup.  A ‘vault swap’ can be performed with you keeping the data in the old vault so you have access to all your old Recovery points.  Or you may decide you don’t need the historical data and therefore you simply delete the old vault.  For those cases where the old vault and data are retained, you would be paying for the vault costs (instances and storage costs) to maintain the Recovery Points active in two vaults since the data would be saved in two separate vault locations (and we’re not talking about GRS here).  Saving two copies of your backup data may not be an issue if the data has a short retention: for example 2-4 weeks.  Increasing your Azure Backup costs for 2-4 weeks might not be cause for alarm.  Along the same lines, a small amount of data would also likely make this cost increase acceptable.

However, customers with longer (such as yearly) retention or a large amount of data may decide that the cost is not worth going through this process.  Or they may decide to delete the old data – assuming they have no SOX requirements, of course.

Process to change a DPM Server’s Vault

Changing a DPM server’s registered vault is a fairly easy process, the same as registering a new vault which is documented here.  Since the topic of this article is switching vaults, step #3 (installing the Azure Backup Agent) is most likely already done.  If you’re switching to an older vault, then step #1 (create the vault) is obviously already completed as well.  This would simply leave steps #2 & #4.

  1. Create a Recovery Services vault — Create a vault in Azure portal.
  2. Download vault credentials — Download the credentials which you use to register the DPM server to Recovery Services vault.
  3. Install the Azure Backup Agent — From Azure Backup, install the agent on each DPM server.
  4. Register the server — Register the DPM server to Recovery Services vault.

After changing a DPM server’s active registration to a new vault, the DPM UI won’t update automatically so you’ll need to close and re-open the UI.  Next, the DPM’s internal ‘online policy’ doesn’t automatically get refreshed so if no further action is taken, you may see online jobs fail with this error:

Type:        Online recovery point
Status:        Failed
Description:        An internal error prevented the modification of the backup policy. (ID 100010)

This error can be resolved by updating the online policy for each Protection Group.  To update the online policy, choose to Modify the Protection Group.  Click through the wizard steps to get to the “Specify Online Retention Policy” screen.  Increment one of the retention values, then click through the remaining wizard screens, and finally update the Protection Group.  Making this change to the online properties will refresh the local policy and resolve the error listed previously.  However, to keep your previous retention values, you’ll need to go through the same steps to Modify the Protection Group and change the value back to the original.

For example, I would first change the daily retention value from 3 days to 4 days and then continue through the wizard and update the Protection Group.  Next, I would go through the wizard a second time and change the daily retention value back to 3 days.  These steps can be automated using PowerShell if you have multiple Protection Groups to update.

Now that the DPM server’s vault has been changed and the online policy refreshed, your new backups will seamlessly be written to the newly registered vault.

Details for the Azure Backup Agent

The Azure Backup agent (MARS), which supports file & folder backups directly to Azure, has its own steps for vault registration but I did find one item of warning while attempting a vault swap.  When you perform the vault swap, the online policy seems to contain the list of selected folders.  Therefore, after registering to the new vault, my list of selected folders was gone.  Re-registering to the old vault brought them back but if you are planning to change to a new vault while using the MARS agent, make a note or take a screenshot of your selected folders so you can re-configure the backups just as they were before the vault changes were made.

  • Scott Gehrke, Microsoft Support