This post will discuss what the recent GA of system state protection by Azure Backup means for you and will show you how you can add system state to your MARS agent backup policy.
I keep saying it and the Azure Backup keep keeps proving it. Microsoft Azure loves feedback and that feedback shapes the products and services that the cloud provider offers. Time after time, this team acts on feedback gathered via through different channels:
- Direct meetings with customers
- Conversations with people in the market
- The official feedback form
A top request that I (and the Azure Backup team) kept hearing was “we need system state backup”. This request was from those who were considering using the MARS agent method of Azure Backup, which is an agent that backs up directly to the cloud. This is intended today for smaller customers with one or two servers or maybe some PCs that need to be backed up.
Note that Microsoft Azure Backup Server (MABS) already had the ability to protect system state. This feature request was specifically for the MARS agent where an on-premises backup server is not required.
It took a while but System State protection did make it to preview earlier this year. Recently, Microsoft made the feature addition generally available and fully supported.
System State Protection
For some types of servers that fall into the workload type covered by MARS, a system state backup is important. Imagine you have a small business or branch office with a file server, and that machine has a failure of some kind. At that time, you are relying on your backup to restore operations of your business. Without system state backup, you can restore your files and folders but all the metadata of the shares is gone. There will be a long period where you will have to reconfigure shares and permissions. With system state protection, the configuration of the file server can be restored too and the server can quickly be brought back into service.
Microsoft’s value proposition on system state backup is as follows:
- Added protection: It’s not enough to protect the files and folders of a server. Often, the configuration of a service is complex and could take hours or days to manually recreate. Now you can protect Active Directory on domain controllers, the IIS Metabase on Windows web servers, and the file shares of file servers, and not just the files and folders.
- Cost effective: System State is typically under 50GB in size, according to Microsoft. In Azure Backup pricing, the system state of a server counts as an instance, and at under 50GB, that would be a $5 (RRP) charge per month. The cost of storage is based on how many GB’s of general storage Block Blobs are consumed and that starts at $0.024 per GB (RRP East US region) per month. So the cost of system state backup is going to be very small.
- Security: The system state of a domain controller contains some very sensitive data. Azure Backup uses a “trust no one” (TNO) approach to security. The MARS agent encrypts all backup data before it leaves the server. That means, in the case of a domain controller, nothing leaves that domain controller in an unencrypted state. The key for accessing that data is owned by you and Microsoft never has it. In fact, if you lose the key, Microsoft cannot give it to you. So, keep that key safe!
- Free Restores: A common myth about Azure Backup is that you have to pay to restore data. The truth is that restores are free of any charges. Azure Backup actually folded the cost of restores and storage transactions into the cost of the service, so you can sit there and restore all day long without picking up any charges.
Protecting System State
The process of backing up System State using the MARS agent is pretty simple. First you will need to:
- Create a recovery services vault in the Azure Portal
- Download, install, and register the MARS agent.
- Optionally configure bandwidth throttling for work and non-work hours in the Microsoft Azure Backup console.
To add protection for the system state, you can modify an existing backup schedule in the Microsoft Azure Backup console. Otherwise, if it’s a new installation of MARS, you can create a new backup schedule as follows.
- Launch the Microsoft Azure Backup console.
- Click Schedule Backup in Actions on the right-hand side of the console.
- Click Next to skip Getting Started.
- Click Add Items.
- Select System State, along with any other files/folders.
- Complete the Schedule Backup Wizard.
Restoring System State
It’s great that the system state is protected but when things go crash-bang-wallop, how do you do a restore? The restore is a multi-step process:
- Use the Microsoft Azure Backup console to restore the system state from the Azure recovery services vault. The system state will be recovered as a collection of files.
- Launch Windows Server Backup and restore the system state from those files.
Note that domain controllers are special, so there’s a unique process to follow when restoring the system state.