Cloud protection with Windows Azure Backup
Sky Blue
Microsoft is continuing to offer new features – both for installable ("on premise") software and for services that run in the Azure cloud. A recent example of a new cloud feature is Windows Azure Backup [1], which gives users the ability to back up in the cloud. The Windows Azure service latches on to the internal data backup feature in Windows Server 2012/2012 R2 and lets you create a custom schedule for data backups to the cloud. Windows Azure can run in parallel with existing backups or as a complete data backup solution. Data is encrypted in the cloud and, of course, during transmission, to stay safe from prying eyes.
With Windows Azure, you can even back up entire virtual servers, including their configurations, in the cloud. The service is compatible with the new Windows Server 2012 R2, even in the Essentials edition, as well as with older products, like Windows Server 2008 R2. Billing is based on the compressed files that are stored in the cloud during a billing period of one month [2].
Getting Started
To use or test Windows Azure Backup, you need a free Windows Azure account. Windows Azure is integrated into Windows backup after installing the client software and can be enabled and configured separately from a local backup. In contrast to SkyDrive and others, Windows Azure is for backing up data only, not for sharing data.
Additionally, you need an agent that can save the data online in Windows Azure; you will find this on the Azure portal [3]. The familiar Windows backup interface is used for backing up and restoring. You can also control the process in Windows PowerShell; a separate module exists for this.
Windows Azure supports incremental backups, in which case it only transfers the changed blocks. Data is encrypted by the agent and also stored encrypted in Windows Azure. After completing a backup, Azure automatically checks the integrity of the data. You can use a policy to set an automatic expiration date for older backups.
The service particularly makes sense when using Windows Server 2012 R2 Essentials or the Essentials environment server role in other editions of Windows Server 2012 R2. To set up and use the service, wizards are available in the Windows Server 2012 R2 Essentials Dashboard. You can also manage backups in Windows Azure via System Center Data Protection Manager. Companies can use this to back up some data locally and other data in the cloud. The agent is proxy-capable, which can simplify the process of connecting to the Internet.
To set up the backup on a server, first install Windows Server Backup. This is done in Server Manager from Manage | Add Roles and Features. Install the Windows Server Backup feature. In Windows Server 2012 R2 Essentials, the feature is installed by default.
Configuration in the Dashboard
If you are using Windows Server 2012 R2 Essentials, log in to Windows Azure via the Dashboard. On the home screen in the Dashboard, select Add-Ins and then Integrate with Windows Azure Online Backup. On the right-hand side, log in to Windows Azure. You can use this approach for logging in or register for a trial version on the Windows Azure Backup home page. After creating an account, you can download the client for integrating Windows Azure in the dashboard. Separate agents are available for integration with DPM and Windows Server Backup.
If you want to set up Windows Azure Backup in other editions of Windows Server 2008 or Windows Server 2012/2012 R2, you first need to press the plus sign at the bottom of the screen on the Windows Azure portal. Then, set up a vault in New\Data Services\Restore Services\Backup Vault, in which Windows Azure Backup can store its data (Figure 1). The data stored in this vault is encrypted.
Once you have a vault, you will see a new link on the Windows Azure Management Portal, Recovery Services; this takes you to your vault. Click the link to manage a certificate for backups, retrieve setup information, and download the Agent for integrating local servers. Authentication between agents and Windows Azure is certificate based.
You need to export the certificate as a .cer file to the server with which you will be backing up data in Windows Azure. To do so, launch the local certificate management console, certlm.msc, on the server and right-click the certificate after the install. Then, select All Tasks | Export to export the certificate to a .cer file. You do not need to export the private key. You then import this file into your vault via the Dashboard. When the server connects to Windows Azure, the certificate is recognized and the server integrated. In other words, Windows Azure Backup and the server that you are backing up need the same certificate, regardless of whether you buy a certificate or use an internal certificate.
For testing purposes, you can also create a self-signed certificate. To do this, use the makecert.exe tool from the Windows SDK 8/8.1 [4]. You will find makecert.exe in the C:\Program Files (x86)\Windows Kits\8.0\bin\x64 directory. You can create a certificate like this:
makecert.exe -r -pe -n CN=<Servername> -ss my -sr localmachine -eku 1.3.6.1.5.5.7.3.2 -len 2048 -e 01/01/2016 <Certificate>
Then, install the certificate you created on the server, export it, and upload the exported .cer file to Windows Azure Backup – just like any other certificate (Figure 2).
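Before uploading, it is worth checking that the certificate in the local machine store actually matches what the makecert call above requests (client authentication EKU, 2048-bit key, valid dates) and that only the public part leaves the server. The following PowerShell script is an added example, not part of the original article; the subject name and output path are assumptions, and it assumes an RSA certificate such as the one makecert creates.

```powershell
# Added example: pre-upload check and public-only export of the vault certificate.
# $Subject and $OutFile are hypothetical defaults; adjust them for your server.
param(
    [string]$Subject = "CN=$env:COMPUTERNAME",
    [string]$OutFile = "$env:TEMP\azure-backup-vault.cer"
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU passed to makecert with -eku
$MinKeyBits    = 2048                  # key length passed to makecert with -len

function Test-VaultCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()
    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) {
        $problems += "outside validity period ($($Cert.NotBefore) to $($Cert.NotAfter))"
    }
    if ($Cert.PublicKey.Key.KeySize -lt $MinKeyBits) {
        $problems += "key is $($Cert.PublicKey.Key.KeySize) bits, expected at least $MinKeyBits"
    }
    # Collect the EKU OIDs from the certificate's extended key usage extension.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $oids = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    if ($oids -notcontains $ClientAuthOid) {
        $problems += "client authentication EKU $ClientAuthOid missing"
    }
    # The server authenticates with this certificate, so its private key must be local.
    if (-not $Cert.HasPrivateKey) {
        $problems += 'no private key in the local store'
    }
    return $problems
}

$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject }
if (-not $candidates) { throw "No certificate with subject '$Subject' in LocalMachine\My" }

foreach ($cert in $candidates) {
    $problems = Test-VaultCertificate -Cert $cert
    if ($problems) {
        Write-Warning "$($cert.Thumbprint): $($problems -join '; ')"
        continue
    }
    # -Type CERT writes only the public certificate; the private key stays on the server.
    Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null
    Write-Output "Exported $($cert.Thumbprint) to $OutFile"
    break
}
```

Run it in an elevated PowerShell session on the server; the resulting .cer file is the one to upload to the vault.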
Backup Agent
The servers with the data you will be backing up to the cloud need an agent; you will find one on the Management Portal in Windows Azure. You do not need to enter any more data to install the agent on the server that you want to back up. The wizard supports Windows Server 2008 R2 SP1 and Windows Server 2012/2012 R2, as well as Windows Server 2012 R2 Essentials and System Center Data Protection Manager 2012 SP1/2012 R2.
Windows Server 2012/2012 R2 Essentials has its own agent. You can set it up after installing the agent using Windows Server Backup or the separate link. You can also script the agent installation at the command line with various options:
/q – Install without feedback
/l – Installation directory (e.g., /l:"D:\Online-Agent")
/d – Uninstall
After launching Windows Server Backup, you must register the server as a backup source with Windows Azure. In the following sections, you will learn how to do that. You can remove registered servers from Azure again on the Windows Azure Management Portal. This has the advantage that you can then use the license for a different server.
You can register and license multiple servers for one backup ID. All servers can be centrally managed, for example, to restore data from different servers at different locations. Restoration is also wizard-based with a graphical user interface.
Once you have Windows Server Backup and the agent installed, you will find two new icons on the start page of Windows Server 2012/2012 R2: one for the graphical interface and the other for the Windows Azure Backup Shell; this is the PowerShell module for online backups. You will also find the graphical interface in the normal management interface of Windows Server 2012/2012 R2 Backup (wbadmin.msc). You can also enter the commands for online backup in a normal PowerShell session.
In PowerShell, you can view the available commandlets with get-command *ob*. Alternatively, use the command get-command -module MSOnlineBackup (Figure 3). You do not need to load any more modules, because PowerShell in Windows Server 2012 and 2012 R2 loads them automatically when a commandlet is called.