Latest posts by Paul Schnackenburg (see all)
- Office 365 Secure Score – Securing Exchange Online - Thu, Aug 3 2017
- Office 365 Secure Score - Reporting and monitoring - Tue, Aug 1 2017
- Office 365 Secure Score - MFA for users and auditing - Mon, Jul 31 2017
Many (larger) companies either have already adopted or are adopting System Center—primarily Configuration Manager, Operations Manager, and Virtual Machine Manager. Less love has been shared for Data Protection Manager (DPM), partly because until recently it’s only been focused on backing up Microsoft’s workloads (VMware support is now coming) and partly because most large businesses already have an enterprise backup product in place.
On the other end of the scale, Microsoft has been pushing Azure Backup for small/medium businesses. Although Azure recently increased the retention periods considerably, the backup agent has suffered from numerous limitations—essentially just backing up Windows file servers and not supporting bare metal restores. Microsoft Azure Backup Server (MABS) is going to change this.
Microsoft Azure Backup Server ^
MABS will run on Windows Server 2008 R2 SP1, 2012, and 2012 R2, either physically or virtually. You cannot install it on the same machine as DPM or the DPM agent, nor on a machine that is running the “old” Microsoft Azure backup agent.
You can use the server to back up from the disks of the protected workloads to the disks on the server, commonly called D2D. You can also do a secondary backup to the Azure cloud, D2D2C, or go directly to Azure with D2C.
MABS checking installed prerequisites
The MABS server must be domain joined and have .NET 3.51 installed. The installer will add .NET 4 during the installation if it’s not present. If you’re not on Windows Server 2012 R2, you’ll also need the Windows Management Framework 4 installed.
You’ll need separate disks for backup storage. The recommendation is 1.5x the size of the data you’re going to protect.
Setting up Microsoft Azure Backup Server ^
First, download MABS. It is 3.2 GB so the download might take some time. Then, log in to the current Azure console and create a backup vault by clicking New – Data Services – Recovery Services – Backup Vault – Quick Create.
Once that’s done, you’ll be taken to the quick start page where you can download the vault credentials file. Before you register any servers with Azure for backup, make sure you decide on your storage model because you can’t change the setting after you register the MABS server.
The default is using Geo Redundant Storage (GRS) with three copies in one datacenter and three in another. That might be overkill for your scenario (and budget). Instead, you might opt for the Locally Redundant Storage (LRS), which keeps three copies in a single datacenter. Note that you can have several vaults with different settings for LRS/GRS that protect different workloads.
After you’ve configured the vault with either LRS or GRS and downloaded the vault credential file, run the MABS installer. It’ll check if the prerequisites are installed and then start by asking for the credential file so it can connect to Azure.
It’ll ask for a passphrase to encrypt the backups with. You can either specify your own or let the program generate one. Be mindful to save the passphrase/file in at least two secure locations because (just like with ordinary Azure backup), if you lose it, you will not be able to recover your data. Microsoft does NOT have a copy of the passphrase/file. Once this is done, SQL Server 2014 (part of MABS) will be installed (you can use your own SQL server instead), followed by the actual MABS product.
SQL installation for MABS
Be aware that there might be some time lag between the creation of the vault credential file and when the MAPS installer continues. During my test installation, I kept getting an error message that the MABS installer couldn’t connect to the Internet, but after an hour or so the same file worked fine.
Register MABS server with Azure and generate a passphrase
The official installation instructions can be found here.
Configuring data protection ^
After you start the MABS console, only the name of the application lets you know it’s not DPM. Otherwise, every screen that I found is identical to DPM and the configuration is indistinguishable. Head over to the Management tab to configure disks and agents. For speedy recovery in most scenarios, you’ll want to configure local physical or virtual disks for backup. When you present these disks to MABS for backup storage, they should be configured as dynamic disks and not formatted.
Management tab of the MABS console
Each server that you want to protect also needs the MABS agent installed. You can either push this out from the console or install it manually on the workload server from the MABS installation file and then register it with MABS. Note that this means you can also protect Windows VMs running on VMware or any other hypervisor.
After you have somewhere to store the data and an agent on the workloads you want to protect, it’s time to create one or more Protection Groups (PG). These are a common grouping of backup frequency, compression, and encryption settings. In essence, you want to use the PG to group data sources with the same protection needs.
Creating a protection group
You can protect either servers or clients in each PG. Pick the data sources on each server that you want to protect and select whether you only want short-term disk protection or online protection as well (note that you can choose NOT to back up to Azure). Pick how often to synchronize and how often to do an Express Full backup. MABS will figure out how much space to allocate initially depending on the size of your workloads; you can then select whether you want to do the initial backup now or at a scheduled time over the wire. You can also do an offline backup and ship it to the MABS server if you’re on the wrong side of a WAN link. After your PG is created, your workloads start being protected according to the settings you’ve defined.
Allocating storage space to a protection group
MABS limitations ^
So what’s the difference between DPM and MABS? DPM offers tape protection, which is not available in MABS. With DPM, you can also protect one data center’s DPM installation with a secondary DPM server in another datacenter (and vice versa), which MABS doesn’t offer.
You can also manage many DPM servers in a single, central console in Operations Manager. Finally, DPM can act as a conduit for Azure Site Recovery services with Hyper-V replica, whereas MABS only does backup.
But apart from these “on-premises,” “big business backup” features, MABS is the real deal. There’s even full DPM PowerShell support for automation.
So, having paid nothing for the MABS license (compared to an arm and a leg for System Center with DPM), what’s the catch? Well, the catch is that, even if you only back up your workloads to local disk without using Azure at all, you still pay a monthly fee per protected workload.
This is actually the new pricing model as of April 2015 for all Azure backup, not just MABS. Each instance up to 50 GB of data costs $5 per month; instances between 50 and 500 GB are $10, and larger ones are $10 for each 500 GB. From my understanding of reading the FAQ, if you back up a workload to the cloud as well (D2D2C), you pay for another protected instance (one on premises and one in the cloud), doubling the above rates. If you are backing up to Azure, you will also pay for the LRS or GRS storage used in the vault.
I really like DPM. It’s a solid backup solution for Microsoft workloads, and I’ve run it in production at one of my clients. I’m happy to see that it is available to more people in the form of the “free” MABS. Just do your math on the expected costs, both for the amount of local disk storage you may need and the Azure costs, to ensure that it will deliver the right solution for your data protection needs.