Azure Backup: Using Azure Backup Agent

Hi and welcome back folks. In my last post HERE, we had a bit of a walkthrough of Azure Backup, and hopefully learned some or all of the following:

  • A little bit about the Azure Recovery Services Vault and how to deploy one
  • What a Backup Policy is and how to create one
  • How to enable and disable the protection of an Azure VM

Now that we’ve covered the Azure VM stuff, let’s move on and have a look at backing up to/restoring from Azure using the “Microsoft Azure Recovery Services (MARS) agent”

Here’s a few links to what we’re covering in this post:

Overview of the MARS Agent

As part of the Azure Backup service, we’re able to protect our on-premises client machines and servers by using the Microsoft Azure Recovery Services agent, but let’s stick to calling it MARS for short.

There are a few caveats or “limits” to this though, so here they are:

  • You can configure backups to run 3 times per day for each protected client machine/server
  • These backups are not application aware, they are file, folder and volume-level only
  • There is currently no support for backing up Linux workloads using the agent

With that out the way, what can we do with the agent?

  • Well, as touched on above, the agent has the ability to protect files, folders and a servers system state.

NOTE:  Server system state support is available from Windows Server 2016 – Windows Server 2008 R2

  • Provides incremental backup support
  • Backups are encrypted (AES 256, sent over HTTPS) over the wire and at rest in Azure (more on this later)
  • Network compression when sending data to your Recovery Vault in Azure

OK, so let’s crack on and get some hands on time with this agent.

Backup Windows Server Files and Folders to Azure

From here, I’m assuming you have a VM or physical server available where you can install the MARS agent and initiate some backups/restores from.

For this example, I’m actually using my local client machine but will be using a server when we come to the “System State” backup later in the guide.

The first thing we’ll want to do is download the agent. The easiest place to get this from is your Recovery Services Vault (RSV) in the Azure Portal

  • Within your RSV blade, navigate to the “Backup” blade
  • Select where your workload is running, for our example, select “On-Premises”
  • Select what you want to backup, we’ll be testing “File and Folders” and “System State”, so select both of those

clip_image001

  • Now click “Prepare Infrastructure”
  • Select “Download Agent for Windows Server or Windows Client”

clip_image002

  • Click “Save” as we’ll be running the MARS agent installer in a few minutes

clip_image003

Now we need to download a copy of our Recovery Vault settings file. This will be used when we register our MARS agent with our vault later.

  • Place a tick in the box labelled “Already downloaded or using the latest Recovery Services Agent”
  • Now click “Download”

clip_image004

  • Select “Save” for now

clip_image005

The file we just downloaded is actually XML, and if opened looks something like this:

We don’t really need to know what it looks like I suppose, but I was curious and so assume some of you may be 🙂

clip_image006

Now let’s get the MARS agent installed

  • Run the MARSAgentInstaller.exe file you downloaded earlier
  • Skip the usual “Getting Started” screen
  • Accept the defaults for “Installation Folder” and “Cache Location” and click “Next”
    • You can modify these if you’d rather, just pay attention to the highlighted sections in the screenshot below

clip_image007

  • Enter custom proxy settings if required, or click “Next”

clip_image008

  • Confirm all prerequisites are showing as green (as below), if not, install required software and restart installer.
  • Now click “Install”

clip_image009

  • Now click “Proceed to Registration”

clip_image010

  • “Browse” to the Vault Settings file we download earlier. The windows should then update to show you your vault name, region and subscriptionId
  • Click “Next”

clip_image011

Now we need to enter a passphrase and save it so a file. This passphrase is NEVER sent to Azure and you’re responsible for keeping it safe. This passphrase also has a minimum character limit of 16. You can have the installer generate a passphrase for you, which will spit out a 36 character string in the form of GUID:

Like this: 3cca2bc4-eebb-4632-a66c-5cf58dfa6da9

  • If you’d rather not have the installer generate a passphrase for you, enter one manually and enter a location to save your passphrase file to
  • Click “Finish”

NOTE:  For “Enter a location to save the passphrase”, enter a directory that exists and do not include a filename as this is auto-generated.

clip_image012

  • Now click “Close”

clip_image013

Now let’s head back over to the Azure Portal and confirm everything looks correct.

  • Within the “Recovery Service Vault” blade, navigate to “Backup Infrastructure”, “Protected Servers” and “Azure Backup Agent” (check “Protected Server Count”)

clip_image014

  • You should now see your On-Premises server listed in this blade

clip_image015

Now let’s head back to our On-Premises server and configure a backup schedule.

  • Launch the “Microsoft Azure Backup” MMC

clip_image016

  • Select “Schedule Backup” from the “Actions” menu on the right

clip_image017

  • Skip the “Getting started” screen by clicking “Next”

clip_image018

  • Click “Add Items” and select the files and folders you want to backup. I’m backing up the contents of my “Downloads” for this demo
  • Click “Next”

clip_image019

  • Configure the “Backup Schedule” settings to meet your requirements and click “Next”

clip_image020

  • Configure the “Retention Policy” settings to meet your requirements and click “Next”

clip_image021

The backup agent gives you the ability to “seed” your backups which is referred to here as an “Offline Backup”. This would involve you backing up the data, placing it (encrypted) on removable media and sending it to Microsoft for import into a pre-configured Azure Storage Account. You can find more information on that process HERE

For the purposes of this guide though, we’ll be doing our backup over the network (encrypted over the internet).

  • Select “Automatically over the network” and click “Next”

clip_image022

  • Look over the “Confirmation” window and click “Finish”

clip_image023

  • You can view the progress of the schedule creation on the screen below.

NOTE:  While creating the backup schedule, the MMC seems to crash quite often (every time I tried it, on multiple machines actually). Just re-open the MMC as the job should have actually completed without issue.

clip_image024

So far, all we’ve done is to set up a backup schedule but let’s kick off a one-time backup to make sure everything will work as expected

  • Select “Back Up Now” from the “Actions” menu on the right

clip_image025

  • Review the “Confirmation” screen and click “Back Up”

clip_image026

  • Review the backup progress or take the opportunity to grab a coffee

Tasks it goes through:

  • Takes snapshot
  • Prepares storage
  • Generates metadata
  • Data transfer

clip_image027

You can close the above window at any point during the backup and view it in the main console

clip_image028

  • Back in the Azure Portal you can now see there is a “Backup item” against our “Protected Server”

clip_image029

Recover Files and Folders from Azure

Now that we’ve got a successful backup from our On-Premises machine, let’s kick of a recovery job.

Before kicking this off, I deleted one of the files I backed up from my local machine.

.\Downloads\MARSAgentInstaller.exe to be precise.

  • From within the “Microsoft Azure Backup” MMC, select “Recover Data” from “Actions” on the right

clip_image030

  • Select “This server” and click “Next”

clip_image031

  • Select “Individual files and folders” and click “Next”

clip_image032

  • Select the volume you backed up (pre-populated correctly if you only backed up a single volume)
  • Select a restore point and click “Mount” (We only have one to choose from here)

clip_image033

clip_image034

  • When complete, the recovery point will now be mounted as a volume on the local machine, in my case, the “D:” drive
  • Now click “Browse”

NOTE:  Read the section regarding the Recovery Volume availability

clip_image035

  • Below, we can see the mounted recovery volume in explorer

clip_image036

  • Now I’ll navigate to the file I deleted from my local machine before kicking off the restore.

clip_image037

  • I can now copy the file from the mounted drive to its original home…nice!
  • When finished with the backup volume, go back to Azure Backup and click “Unmount”

clip_image038

…and it’s gone.

clip_image039

Now before continuing, I wanted to do a little clean-up as this was on my local machine. First I uninstalled the MARS agent, then jumped over to the Azure Portal, where I deleted the “Protected Server” from the Recovery Services Vault

  • From the Recovery Services Vault blade, select “Backup Infrastructure”, “Protected Servers”, then the server you’re looking to remove.
  • Click “Delete”

clip_image040

  • To make sure you’re not deleting this server by accident, you’ll be asked to type its name (Or you can copy it from under the work “Delete” at the top of the blade 😛 )
  • If you’re feeling helpful, enter a reason for deleting this protected server with supporting comments
  • Now click “Delete”

clip_image041

NOTE:  You won’t see a running job for this in the notifications section but you will get a notification when the deletion completes

Backup Windows Server System State to Azure

For this next section you’ll need a VM or physical machine running one of the following Operating System versions:

OS Version
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Windows Server 2008 R2

I won’t run though the installation of the MARS agent again, as you can find that earlier in this post and the process here is identical.

So let’s crack on and create our backup schedule.

  • Select “Schedule Backup” from the “Actions” pane on the right

clip_image042

  • Skip the “Getting started” screen by clicking “Next”

clip_image043

  • Click “Add Items”, select “System State” from the menu, click “OK”, then “Next”

clip_image044

  • Select a schedule that suits your needs and click “Next”

clip_image045

  • Select a retention policy that suits your needs and select “Next”

clip_image046

  • You can review the details of your schedule before creating it by clicking “View Details” (intuitive, right?)
  • Now click “Finish”

clip_image047

…and error

clip_image048

This is because I wasn’t planning on using this VM as part of my demo when I spun it up and therefore deployed it with a small (32GB) disk, let’s increase that and try again.

clip_image049

Now although the error above points toward the schedule creation failing…it actually didn’t, even though there was a problem it still created, just errored to advise I had something to resolve first. Could it have handled that process a little more gracefully? Absolutely, but it’s MMC, at least it works 🙂

Now that we’ve got our schedule set, let’s kick off a one-time backup to test its all gonna work…which of course it will!

  • Select “Back Up Now” from the “Actions” pane on the right

clip_image025[1]

  • Select “System State” and click “Next”

clip_image050

  • Have a look over your settings and click “Back Up” when satisfied it’s correct

clip_image051

  • Here we can view the progress of our backup

clip_image052

NOTE:  Remember the above window can be closed at any time without affecting the back, we can follow the job progress in the main window

clip_image053

Let’s jump back over to the Azure Portal and confirm everything is looking healthy.

  • Within the Recovery Services Vault blade, select “Backup Infrastructure”, “Protected Servers” then “Azure Backup Agent”

clip_image054

  • Here we’ll see our server name, the status of the last backup and the latest recovery point
  • Click on the server to see additional information

clip_image055

Well that was pretty easy. Let’s see if we can do a recovery of the System State now.

Restore Windows Server System State

  • Select “Recover Data” from the “Actions” pane on the right

clip_image056

  • Select “This server” and click “Next”

clip_image057

  • Select “System State” and click “Next”

clip_image058

  • Select the Restore Point you want to use and click “Next” (We only have 1 to choose from there)

clip_image059

  • “Browse” to a location to save your System State files to, ideally put this on an additional data drive (not the C: drive like me, you’ll see I copy this to a data drive later) 🙂
  • Select “Overwrite the existing versions with recovered versions” and click “Next” (Doesn’t actually matter in this instance)

clip_image060

  • Review the recovery job details and click “Recover”

clip_image061

  • Once the recovery job has completed, click “Close”

clip_image062

Now as I mentioned above, I actually meant to restore the System State files to a data drive as I plan to restore it to the same server, let’s do that now.

  • Copy from my restore location

clip_image063

  • To my data drive on the same VM

clip_image064

Now, all we’ve actually done here is restore the System State files, we haven’t restored the System State to the server…so there’s more to do.

First we need to reboot the server into safe mode, in particular “Active Directory Repair” (dsrepair) mode

  • Launch an elevated PowerShell console and paste in the following:
bcdedit /set safeboot dsrepair
shutdown /r /t 0

The machine should now reboot into Safe Mode

clip_image065

Once the machine has rebooted, login and launch the “Windows Server Backup” MMC

NOTE:  Not the “Microsoft Azure Backup” MMC

clip_image066

  • Right-click on “Local Backup” and select “Recover”

clip_image067

Even though we’re doing a recovery from and to this same server, local drives other than “C:” are considered “Another Location”

  • Select “A backup stored on another location” and click “Next”

clip_image068

  • Select “Local drives” and click “Next”

clip_image069

  • For “Backup location”, select the local drive that holds the data we recovered above and click “Next”

clip_image070

  • Select the relevant server (should only see one here if you’re following the example) and click “Next”

clip_image071

  • Select a recovery point (again, we only have one) and click “Next”

clip_image072

  • Select “System State” and click “Next”

clip_image073

  • Select “Original location” and click “Next”

clip_image074

  • If you want the server to reboot itself immediately after the restore job has completed, tick the box as per the screenshot below
  • Now click “Recover”

clip_image075

  • You’ll be given one last chance to back out of the recovery…pffft, click “Yes” thereby throwing caution to the wind 😛

clip_image076

On the screen below you can monitor the process of the recovery job, broken down into recovery items

clip_image077

Once the job completed, the VM rebooted as expected. Upon logging in, you’ll be presented with the following:

clip_image078

Great! Our recovery completed successfully and the server is back up and running…but wait, it’s still in safe mode. Let’s sort that!

  • Launch an elevated “Command Prompt” and paste in the following:
bcdedit /deletevalue safeboot
shutdown /r /t 0

clip_image079

Restore completed successfully, safe mode flag removed, VM rebooted, all good.

Well that was a success, let’s move on and have a look at some PowerShell

Backup On-Premises to Azure using PowerShell

In this section we’re going to use PowerShell to back up a selection of files and folders to our Azure Recover Vault using the MARS agent. I’m assuming the server we’re working on here doesn’t already have the MARS agent install, so that I can go through the whole end to end process.

Prepare PowerShell Environment

The first thing we’ll want to do is prepare our PowerShell session.

The code below will install/import the required modules and prompt you to log into your Azure account (i.e. the account and subscription that hosts your vault)

  • Launch an elevated PowerShell ISE console and paste in the code below
  • If you have multiple subscriptions on under your Azure tenant, modify [0] as required under the Set-AzureRMContext command
# Check required modules are installed, then install and import as required
if (((Get-PSRepository -Name PSGallery).InstallationPolicy) -eq "Untrusted") {
    Write-Verbose -Message "Setting PowerShell Repository: 'PSGallery' to Trusted" -Verbose
    Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
}

if (!(Get-Module -ListAvailable -Name AzureRM)) {
        Write-Verbose -Message "Installing and or Importing PowerShell Module: 'AzureRM'" -Verbose
        Install-Module AzureRM -Confirm:$false
        Import-Module AzureRM
}
else {
    Write-Verbose -Message "AzureRM module already installed...importing" -Verbose
    Import-Module AzureRM
}

# Log into Azure Account and set subscription context (logs into the first subscription in the array, change [0] as required
Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId (Get-AzureRmSubscription)[0].SubscriptionId

Your output should look something like this:

clip_image080

Download and silently install the MARS agent

Now we’ll need to download and install the MARS agent.

The code below will create a directory at C:\Temp if it doesn’t exist, download the MARS agent and kick off a silent install.

# Check that C:\Temp directory exists and create if not
$TempDir = "C:\Temp"
if (!(Get-Item $TempDir -ErrorAction SilentlyContinue)) {
        New-Item -ItemType Directory -Path $TempDir
}

# Download and install the Microsoft Azure Recovery Services Agent (MARS)
$WebClient = New-Object System.Net.WebClient
$WebClient.DownloadFile('http://aka.ms/azurebackup_agent',"$TempDir\MARSAgentInstaller.exe")
& $TempDir\MARSAgentInstaller.exe /q
  • If you want to confirm the install was successful, check Add/Remove Programs in 60 seconds or so

clip_image081

Download Recovery Vault Settings File and Register On-Prem Server with Vault

The following code will download our Recovery Vault Settings file, import the MSOnlineBackup PowerShell module and register our On-Prem server with our vault.

# Download Recovery Vault credentials file
$ResourceGroupName = "Name of RG that contains your vault"
$RSVault = Get-AzureRmRecoveryServicesVault -ResourceGroupName $ResourceGroupName
$RSVSettingsFile = Get-AzureRmRecoveryServicesVaultSettingsFile -Backup -Vault $RSVault -Path $TempDir

# Add MSOnlineBackup PowerShell module path to the PSModulePAth environment variable and Import module
$env:PSModulePath += ';C:\Program Files\Microsoft Azure Recovery Services Agent\bin\Modules'
Import-Module MSOnlineBackup

# Regsiter On-Premises machine with Recovery Services Vault
Start-OBRegistration -VaultCredentials $RSVSettingsFile.FilePath -Confirm:$false

clip_image082

Set backup encryption passphrase

The following code will create an encryption passphrase using the New-Guid cmdlet and apply it to our client/server.

It’ll also create a file at C:\Temp\ABEncryptionPass.txt, make sure you keep a hold of this.

Instead of using the New-Guid cmdlet, you may want to manually specify your passphrase instead.

# Set backup encryption passphrase (make sure this is at least 16 characters)
# I've used the New-Guid cmdlet as its guaranteed to be random and 16 characters and works for this example
(New-Guid).Guid | Out-File -FilePath $TempDir\ABEncryptionPass.txt
$EncryptionPassPhrase = Get-Content C:\Temp\ABEncryptionPass.txt | ConvertTo-SecureString -AsPlainText -Force
Set-OBMachineSetting -EncryptionPassphrase $EncryptionPassPhrase

clip_image083

Create backup policy and configure schedule, retention etc.

The following code will create a backup policy and configure it’s schedule, retention settings and file/folder inclusions/exclusions

# Create blank backup policy and modify as required
$BackupPolicy = New-OBPolicy

# Create backup schedule (modify variables as required)
$DaysOfTheWeek = "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"
$TimesOfDay = "23:30"
$BackupSchedule = New-OBSchedule -DaysOfWeek $DaysOfTheWeek -TimesOfDay $TimesOfDay

# Associate schedule with the blank policy you created above
Set-OBSchedule -Policy $BackupPolicy -Schedule $BackupSchedule

# Configure Backup Retention and associate with our policy (modify variables as required)
$RetentionDays = "30"
$BackupRetentionPolicy = New-OBRetentionPolicy -RetentionDays $RetentionDays
Set-OBRetentionPolicy -Policy $BackupPolicy -RetentionPolicy $BackupRetentionPolicy

# Configure file and folder inclusion/exclusion policy (modify variables as required for your client machine/server)
$Inclusions = New-OBFileSpec -FileSpec @("C:\Temp")
$Exclusions = New-OBFileSpec -FileSpec @("C:\Temp\Dir3") -Exclude
Add-OBFileSpec -Policy $BackupPolicy -FileSpec $Inclusions, $Exclusions

# Commit new policy for use by Azure Backup
Set-OBPolicy -Policy $BackupPolicy -Confirm:$false

clip_image084

Kick off a one-time backup

Now let’s take a quick backup to test everything is set up correctly.

# Perform a one-off backup using everything we've done thus far
Get-OBPolicy | Start-OBBackup

clip_image085

Restore from Azure to On-Premises using PowerShell

So I want to recover a single file from my latest backup recovery point and I’ve decided on the following:

clip_image086

The code below does exactly that, but I’ll give a little description as it may not be immediately apparent how it works. You’ll find all the recovery code in one section at the end of the description.

This gets a list of the recoverable volumes (sources) from our backup, in this case, the “C:” drive

$RecoverySource = Get-OBRecoverableSource

This gets the available recovery point objects from our recovery source:

$RecoveryPoints = Get-OBRecoverableItem -Source $RecoverySource[0] # we only have a single volume in our recovery test, hence we use [0]

This is where we tell the recovery job where we’ll be restoring our backup data to:

$RecoveryDestinationPath = "E:\RecoveredFiles"
$RecoveryOption = New-OBRecoveryOption -DestinationPath $RecoveryDestinationPath

This is where we tell the recovery job exactly which file or folder we want to restore, and from which recovery point, in our case, we’re selecting the latest with [0]. As we’re restoring a file and not a directory, we need to set “IsDir” to $false, as it’s $true by default. Also, as we’re specifying the “Relative Path” to our file, don’t include the drive letter:

$RecoveryItem = New-OBRecoverableItem -OBRecoverableItem $RecoveryPoints[0] -RelativePath "Temp\Dir2\MARSAgentInstaller.exe" -IsDir $false

This last command actually initiates the restore job using all the information we gave it above:

Start-OBRecovery @($RecoveryItem) -RecoveryOption $RecoveryOption

A successful recovery should look like this:

clip_image087

We should also see our file restored in the folder we specified, in the following format:

$RecoveryDestinationPath \ VolumeLabel_vol (“C_vol” in this case) \ Restored directory structure (“Temp\Dir2\MARSAgentInstaller.exe” in this case)

Actually, let’s just look at a screenshot, that seems overly complex now that I’m reading it:

clip_image088

Here’s the code in one block for convenience 🙂

$RecoverySource = Get-OBRecoverableSource
$RecoveryPoints = Get-OBRecoverableItem -Source $RecoverySource[0] # [0] is the lastest recovery point
$RecoveryDestinationPath = "E:\RecoveredFiles"
$RecoveryOption = New-OBRecoveryOption -DestinationPath $RecoveryDestinationPath
$RecoveryItem = New-OBRecoverableItem -OBRecoverableItem $RecoveryPoints[0] -RelativePath "Temp\Dir2\MARSAgentInstaller.exe" -IsDir $false
Start-OBRecovery @($RecoveryItem) -RecoveryOption $RecoveryOption

Bonus Section

CLICKBAIT!

While tidying up my servers, and Azure subscription I decided it was worth including a section on removing existing backups from our server without unregistering the server from the Recovery Vault.

The following process will wipe the backup schedule and all recovery points:

  • Within the Azure Backup MMC, select “Schedule Backup” from the “Actions” pane on the right

clip_image001[4]

  • Select “Stop using all backup schedules and delete all of the stored backups” and click “Next”

clip_image002[4]

  • Review the information presented and click “Finish”

clip_image003[4]

To continue with the backup removal, we’re asked to enter a security PIN. This can be found within the “Properties” section on our Recovery Services Vault in the Azure Portal

  • From the Recovery Services Vault blade, select “Properties”
  • Select “Generate” under “Security PIN”

clip_image004[4]

  • You’ll be presented with a PIN, copy it to your clipboard

clip_image005[4]

NOTE:  These PIN numbers expire in pretty short order, so make sure you enter it quickly. It’s also the reason I’ve not obfuscated it in the screenshot 🙂

  • Jump back to your server and paste the PIN into the prompt in the Azure Backup MMC and click “OK”

clip_image006[4]

Worth noting that your backup data will be kept for 14 days at which point it will be permanently deleted.

clip_image007[4]

OK, and that’s it for this post. All going well, we should have learned a little bit about the MARS agent and how to use backup and restore our on-premises workloads.

See you in the next post…not sure what that will be yet 🙂

4 Replies to “Azure Backup: Using Azure Backup Agent”

  1. Great work David . I have a quick question for you. Have you run into the issue where some of the Azure backup protected servers will not report in the site recovery as being successful or failed. I have one server that reports as successful but the three others ones do not even though they are being backed up successfully.
    Regards

    1. Thanks Brady,

      I’ve not personally run into that issue, although I’ve not had the chance to do a great deal with site recovery as of yet. It’s on my roadmap though 🙂

    1. It can take some time yes, you should receive a pop-up in the notifications area when it deletes successfully.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.