Constructing a solid backup plan with Microsoft Azure Backup

Microsoft Azure Backup makes quick work of big backups for a pint-size price.

12 backup
Credit: flickr/ DRs Kulturarvsprojekt

Backup and recovery: Ah, IT's very own sewer service. You manage huge libraries of tapes, babysit backup reports, and test recoveries both weekly and at random. And yet, with all of that, do you ever feel confident in your organization's backup scheme? Are you ever totally satisfied with how backups are performed?

Well, the cloud has come to the rescue again with a surprisingly good solution, at least for shops that use a lot of Windows, Exchange, SharePoint and SQL Server. It's the Microsoft Azure Backup Service.

But I won't bury the lede: The Azure Backup Service is a fast, efficient and very cost-effective way to bring an additional layer of disaster recovery protection to your organization. It brings the best of the cloud -- when you as the IT person can simply say, "Handle this for me and don't bother me with the details of storage, blobs, geographical redundancy, ordering new tapes, running out of quota, and anything else" -- without it costing an arm and a leg or giving up some required level of functionality.

All you have to do once the service is set up is glance at the status reports and do regular test restores, which you should be doing anyway as part of your existing backup regimen. You don't have to worry about arrays filling up, ordering tapes, media wear or the licensing cost of backup software.

Here, I'll explain how to build a robust backup system using free software and an Azure subscription -- a system that gets you local, disk-based backups as a first layer of protection and an essentially unlimited amount of offsite storage, all handled in an automated way that you can indeed control. Let's dive in.

Azure Backup Service

Let's tackle the cloud part of this equation first. Essentially, the Azure Backup Service works by using agents on either physical machines or virtual machines to stream backup images to a "vault," which is basically a big section of cloud storage in Azure. (At this point, the service appears to be limited to Hyper-V and VMware virtual machines and VMs from the Azure cloud service itself, but it's easy to see a future in which other hypervisors are supported as well.)

These backup images are handled by the Azure Backup Agent -- which can be installed in any Windows Server virtual machine regardless of whether it lives on-premises or in Azure -- and can grab folders and files as you would expect. But they can also take application-consistent backups of Exchange, SQL Server and SharePoint workloads.

"Application-consistent" means that instead of just a block-by-block backup of these applications, the Azure Backup agent will use shadow copies, log streaming or whatever other technology might be necessary to take a high-integrity backup of an actual application at any given time. So when you restore, you're basically live: No required mailbox database mounts are needed, no log replays are necessary, nor is there any other sort of pre-restore restore work.

The vault, where your backups actually live, is more than just a backup destination or target like you would consider a disk or a tape -- instead, think of it more like a flexible cloud component. It automatically expands itself as needed, and it bills and charges you only for what you use on the storage side. (Inbound data transfers are free, as are outbound restores.)

Also, the vault scales and makes itself available automatically in a very resilient way, encrypts your backups both in transit over the wire and at rest in the Azure data centers, and can replicate itself out to another, geographically distinct data center to provide further disaster recovery. (Think of that last feature as the ultimate in offsite backups; if a disaster strikes two different Azure sites, you probably have more pressing issues to worry about than your backups.)

This solution is really intended to replace any other backup product or service you have, but a careful and considerate approach would probably call for duplicate backups for a while until you are satisfied with the functionality and integrity of the Azure service as opposed to your current solution.

Azure Backup can back up machines running the following operating systems:

  • Windows 7 Starter, Home Basic, Home Premium, Professional, Ultimate and Enterprise, including the latest service pack
  • Windows 8 Pro and Enterprise, including the latest service pack
  • Windows 8.1 Pro and Enterprise, including the latest service pack
  • Windows 10 Home, Pro and Enterprise, including the latest service pack
  • Windows Server 2012 R2 Standard, Datacenter and Foundation, including the latest service pack
  • Windows Server 2012 Datacenter, Foundation and Standard, including the latest service pack
  • Windows Storage Server 2012 R2 Standard and Workgroup, including the latest service pack
  • Windows Storage Server 2012 Standard and Workgroup, including the latest service pack
  • Windows Server 2012 R2 Essentials, including the latest service pack
  • Windows Server 2008 R2 Standard, Enterprise, Datacenter and Foundation, all at Service Pack 1
  • Windows Server 2008 Standard, Enterprise, Datacenter and Foundation, all at Service Pack 2

Note that all of those operating systems must be the 64-bit editions; any available 32-bit editions of those versions of Windows aren't supported.

You can stick with just this cloud backup option: You can simply deploy the agents on each machine you want to protect and then let the cloud manage all of it. But that wouldn't give you on-premises backups, too, and adding the Microsoft Azure Backup Server brings a lot of functionality to the mix -- at absolutely no cost to you.

The Microsoft Azure Backup Server software

A central piece of the on-premises Azure Backup story, the free Microsoft Azure Backup Server (MABS), is basically System Center Data Protection Manager with the System Center ties broken and the backup-to-tape functionality removed. It lives in a machine in your infrastructure with a bunch of storage attached and basically acts as a local backup "vault" for quick on-premises backup and restore.

But it is linked up to Azure, of course, so that your point-in-time backups are replicated up to the Azure cloud vault for further redundancy and offsite protection. The storage attached to the server on which MABS runs is the first layer of your backups, and the online Azure service will be the second layer of your backups.

You can literally have this running in about an hour, maybe less. Basically, you put together a machine with some storage directly attached -- any kind of RAID is fine, or no RAID, whatever your preference -- and a dual-core processor with 4GB of RAM.

You can't use USB disks, however, so find yourself a chassis with some drive bays and install those disks locally. Three or four SATA drives at 1TB would be less than $500.

Once the hardware is put together, then install Windows Server 2012 R2 on it (you can install on an earlier release, but you will do a lot of prerequisite installing). Join it to your domain.

Next up, create your Azure vault. While the software is free, the Azure vault acts as sort of an activation or licensing mechanism, and the Azure Backup Server software will "phone home" to it to register with the Azure backup vault. It is easy to create this vault: Sign in to, go to New, Data Services, Recovery Services, Backup Vault, Quick Create, and then fill in a friendly name, a geographic region that's close to you, and the right Azure subscription to which the charges for the vault should accrue. Then click Create Vault, and have yourself a cup of coffee or two.

This took 15 minutes to complete for me; your time may vary.

Then click on your created vault and on the first page, under Option 1, "Install Microsoft Azure Backup Agent and register your server," choose the first option, called "For Application Workloads (Disk to Disk to Cloud)." This will redirect you to a download page; select all of the files, which will total just over 3GB, and then download them. Have a whole pot of coffee for that download, unless you are blessed with a tremendously fast Internet connection.

Why is that download so big? Well, you are basically downloading a System Center product along with a bundled version of the full SQL Server product that is restricted to use only with Microsoft Azure Backup Server; that's a lot of code, and it's free to boot.

Once the download is complete, double-click the executable file and run through the setup wizard. It is fairly self explanatory; you will check for prerequisites, fill in some default SQL Server settings, choose a location for the program files, scratch files and database files, create two new accounts to run SQL Server and generate reports, and enable the Microsoft Update service.

Then the actual installation commences.

First, the Azure Recovery Services agent is laid down and then you are prompted to configure it. To configure the agent, you will need to provide the credentials for your Azure backup vault as well as a passphrase that can be used to encrypt and decrypt the data that goes over the Internet up into the Azure service.

You and you alone have this passphrase; Microsoft doesn't ever get a copy of this key, which means that not even Microsoft can decrypt the backups in their service. If you lose the key, you will not be able to restore your backups and no one in Azure support can help you.

Once this information is entered, the agent will register with Azure.

Next, SQL Server and the rest of the binaries for the Azure Backup Server product are both installed. Then, the setup is complete.

Now, you need to deploy the agents on the machines you want to back up. These agents will talk to the Microsoft Azure Backup Server machine and store their backups there.

These agents are different from the Azure Recovery Service agents I described in the previous section; these are basically Data Protection Manager agents that direct backups to the MABS server. The MABS server is then responsible for sending that data up to the cloud at intervals you select.

After that, use the Microsoft Azure Backup Console to configure the protection groups for your machines and their applications and to enable the Azure online backup part of the equation. Here's how:

  1. Use the Management tab to set up the disks and agents. MABS will find unprotected computers and offer to install the agents on them.
  2. Make sure MABS can see your disks; they will be listed on the management tab as well. Make sure the disks are visible, but not formatted. They should also be configured as dynamic disks.
  3. Then, configure protection groups. In the Create New Protection Group wizard, MABS will present a list of protected computers as well as the resources associated with those computers (files, folders, SQL databases, Exchange and the like). Select those computers, and elect to back up both locally for short-term disk protection and online to make those backups replicate to your Azure vault.

Then, as they say, Bob's your uncle. Everything should just start working at that point.

The last word

The combination of the Azure Backup Service and Microsoft Azure Backup Server software means that the days of complex backups are very numbered. While it would be nice to have support for USB disks in the server itself, and it might be better for smaller businesses to have a slightly lighter-weight on-premises solution, you can hardly argue with getting an enterprise-class backup product for free and offsite storage for pennies per gigabyte.

Take a look at these solutions and challenge yourself: Are you doing backups better than MABS would let you do backups?

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon