- Azure Sentinel—A real-world example - Tue, Oct 12 2021
- Deploying Windows Hello for Business - Wed, Aug 4 2021
- Azure Purview: Data governance for on-premises, multicloud, and SaaS data - Wed, Feb 17 2021
Many (larger) companies either have already adopted or are adopting System Center—primarily Configuration Manager, Operations Manager, and Virtual Machine Manager. Less love has been shared for Data Protection Manager (DPM), partly because until recently it’s only been focused on backing up Microsoft’s workloads (VMware support is now coming) and partly because most large businesses already have an enterprise backup product in place.
On the other end of the scale, Microsoft has been pushing Azure Backup for small/medium businesses. Although Azure recently increased the retention periods considerably, the backup agent has suffered from numerous limitations—essentially just backing up Windows file servers and not supporting bare metal restores. Microsoft Azure Backup Server (MABS) is going to change this.
Microsoft Azure Backup Server
MABS will run on Windows Server 2008 R2 SP1, 2012, and 2012 R2, either physically or virtually. You cannot install it on the same machine as DPM or the DPM agent, nor on a machine that is running the “old” Microsoft Azure backup agent.
You can use the server to back up from the disks of the protected workloads to the disks on the server, commonly called D2D. You can also do a secondary backup to the Azure cloud, D2D2C, or go directly to Azure with D2C.
MABS checking installed prerequisites
The MABS server must be domain joined and have .NET 3.51 installed. The installer will add .NET 4 during the installation if it’s not present. If you’re not on Windows Server 2012 R2, you’ll also need the Windows Management Framework 4 installed.
You’ll need separate disks for backup storage. The recommendation is 1.5x the size of the data you’re going to protect.
Setting up Microsoft Azure Backup Server
First, download MABS. It is 3.2 GB so the download might take some time. Then, log in to the current Azure console and create a backup vault by clicking New – Data Services – Recovery Services – Backup Vault – Quick Create.
Once that’s done, you’ll be taken to the quick start page where you can download the vault credentials file. Before you register any servers with Azure for backup, make sure you decide on your storage model because you can’t change the setting after you register the MABS server.
The default is using Geo Redundant Storage (GRS) with three copies in one datacenter and three in another. That might be overkill for your scenario (and budget). Instead, you might opt for the Locally Redundant Storage (LRS), which keeps three copies in a single datacenter. Note that you can have several vaults with different settings for LRS/GRS that protect different workloads.
After you’ve configured the vault with either LRS or GRS and downloaded the vault credential file, run the MABS installer. It’ll check if the prerequisites are installed and then start by asking for the credential file so it can connect to Azure.
It’ll ask for a passphrase to encrypt the backups with. You can either specify your own or let the program generate one. Be mindful to save the passphrase/file in at least two secure locations because (just like with ordinary Azure backup), if you lose it, you will not be able to recover your data. Microsoft does NOT have a copy of the passphrase/file. Once this is done, SQL Server 2014 (part of MABS) will be installed (you can use your own SQL server instead), followed by the actual MABS product.
SQL installation for MABS
Be aware that there might be some time lag between the creation of the vault credential file and when the MAPS installer continues. During my test installation, I kept getting an error message that the MABS installer couldn’t connect to the Internet, but after an hour or so the same file worked fine.
Register MABS server with Azure and generate a passphrase
The official installation instructions can be found here.
Configuring data protection
After you start the MABS console, only the name of the application lets you know it’s not DPM. Otherwise, every screen that I found is identical to DPM and the configuration is indistinguishable. Head over to the Management tab to configure disks and agents. For speedy recovery in most scenarios, you’ll want to configure local physical or virtual disks for backup. When you present these disks to MABS for backup storage, they should be configured as dynamic disks and not formatted.
Management tab of the MABS console
Each server that you want to protect also needs the MABS agent installed. You can either push this out from the console or install it manually on the workload server from the MABS installation file and then register it with MABS. Note that this means you can also protect Windows VMs running on VMware or any other hypervisor.
After you have somewhere to store the data and an agent on the workloads you want to protect, it’s time to create one or more Protection Groups (PG). These are a common grouping of backup frequency, compression, and encryption settings. In essence, you want to use the PG to group data sources with the same protection needs.
Creating a protection group
You can protect either servers or clients in each PG. Pick the data sources on each server that you want to protect and select whether you only want short-term disk protection or online protection as well (note that you can choose NOT to back up to Azure). Pick how often to synchronize and how often to do an Express Full backup. MABS will figure out how much space to allocate initially depending on the size of your workloads; you can then select whether you want to do the initial backup now or at a scheduled time over the wire. You can also do an offline backup and ship it to the MABS server if you’re on the wrong side of a WAN link. After your PG is created, your workloads start being protected according to the settings you’ve defined.
Allocating storage space to a protection group
MABS limitations
So what’s the difference between DPM and MABS? DPM offers tape protection, which is not available in MABS. With DPM, you can also protect one data center’s DPM installation with a secondary DPM server in another datacenter (and vice versa), which MABS doesn’t offer.
You can also manage many DPM servers in a single, central console in Operations Manager. Finally, DPM can act as a conduit for Azure Site Recovery services with Hyper-V replica, whereas MABS only does backup.
But apart from these “on-premises,” “big business backup” features, MABS is the real deal. There’s even full DPM PowerShell support for automation.
So, having paid nothing for the MABS license (compared to an arm and a leg for System Center with DPM), what’s the catch? Well, the catch is that, even if you only back up your workloads to local disk without using Azure at all, you still pay a monthly fee per protected workload.
This is actually the new pricing model as of April 2015 for all Azure backup, not just MABS. Each instance up to 50 GB of data costs $5 per month; instances between 50 and 500 GB are $10, and larger ones are $10 for each 500 GB. From my understanding of reading the FAQ, if you back up a workload to the cloud as well (D2D2C), you pay for another protected instance (one on premises and one in the cloud), doubling the above rates. If you are backing up to Azure, you will also pay for the LRS or GRS storage used in the vault.
Conclusion
I really like DPM. It’s a solid backup solution for Microsoft workloads, and I’ve run it in production at one of my clients. I’m happy to see that it is available to more people in the form of the “free” MABS. Just do your math on the expected costs, both for the amount of local disk storage you may need and the Azure costs, to ensure that it will deliver the right solution for your data protection needs.
Hi Stefan,
Glad you liked the article.
Yes, I would create a separate VM for MABS, with data disks attached to store the on-premises backups.
For the host you’ve got a few options. I would suggest the easiest option is to back it up using Windows Server backup to an external drive. That gives you easy recovery should the host fail. You can’t do bare metal recovery using Azure Backup, so you can’t point a install at Azure (but you can point it to a local Windows Server backup stored on external HDD).
Slightly tangential to your questions however, if you’re looking for disaster recovery, rather than backup (or in addition to), have a look at Azure Site Recovery. This replicates your VMs (both Hyper-V and VMware) and physical servers to Azure for DR.
Hope that helps,
Paul Schnackenburg
Thanks for your answer.
another question: again case is desaster.
Let’s say i restored the host somehow. not i want to restore the VMs backuped to azure.
Do i need to install MABS again before i can restore from azure or is there an easier way?
thanks again
Hi again Stefan,
Yes, in this scenario you’d need to restore the MABS server before you could restore any other data from Azure. I still suggest you look at Azure Site Recovery, if you were using that and your whole host failed (disaster) you could simply start your VMs in Azure.
And since we’re talking a single host – also take a look at Azure Backup. MABS is more for a larger environment, Azure Backup plugs into Windows Server Backup and lets you store backups in the cloud.
Hope that helps,
Paul Schnackenburg
Hi Paul,
Great article. Just not sure what you mean with this line:
Could you elaborate exactly what you mean?
Hi Rudi,
Azure Site Recovery (ASR) allows you to replicate VMs to Azure so that in the case of a site disaster (or simply a migration to the cloud), you can spin up these VMs in Azure. ASR can do this from stand alone Hyper-V, using just Hyper-V Replica, and from bare metal servers as well as VMWare ESX VMs. If you have System Center DPM / VMM on premises it can also be part of the ASR orchestration and handle larger environments.
MABS only backs up your data to the cloud and local disk. If you do a recovery of a VM you can recover to a Hyper-V host (or more recently VMware, since I wrote this article MABS now also supports backing up VMware VMs, just like full DPM) or put the VM files on a file share. But you can’t just recover a VM as an Azure IaaS VM, something you can do with ASR. This isn’t to say that you couldn’t do this manually but it’s not part of MABS.
Hope all that makes sense 🙂
Paul
Hi Paul,
Thanks very much for responding back, I just need to understand a little better what you mean.
With the above statement, are you saying that you could then restore an on prem VM (Hyper-v or VMWare), directly to an Azure IaaS VM? I did a quick Google search but cannot find any documentation that supports something like that. I guess I just have to understand what you mean when saying “If you have System Center DPM / VMM on premises it can also be part of the ASR orchestration” What that actually means.
Are you stating that you can restore directly to Azure IaaS? What physically does the above statement mean. I’m not understanding what functionality DPM is providing when it comes to virtual machine protection over what MABS can offer. I get that you can protect on the VM level on both Hyper-v and VMWare… IS the differentiating factor that DPM would restore the VM to VMM (first locally to a hyper-v host) and then you would move the vm over to Azure IaaS in one orchestration, where you would have to do this manually with MABS? (Restore to Hyper-v, then migrate up to IaaS?)
Hi again,
Sorry for managing to make this confusing. 🙂
To answer your follow up questions – Yes, with ASR (which is for Disaster Recovery more than backup), your VMs are stored in the cloud as VHD. If you have a disaster you can immediately spin them up as Azure IaaS VMs (which is when you start paying VM prices, when you’re just keeping the VHD files in sync, you only pay for storage and ASR). So ASR is for DR, essentially having Azure act as your recovery data center. DPM / MABS is for backup.
I also think I made it more confusing when I said that DPM is involved in orchestrating ASR, that’s actually VMM, not DPM. If you have VMM, it can talk directly to ASR and orchestrate the synching of lots of VMs from on-premises to Azure.
The difference between DPM and MABS for VM protection is that DPM supports site to site protection (one DPM server to another), tape backup and that you pay a different type of licensing for DPM versus MABS.
As for restoring, both MABS and DPM supports restoring to on-premises hosts or file shares and you would then have to upload the VMs to Azure if that’s where you want them to run, whereas with ASR, they’re already in Azure so it’s just a matter of spinning them up.
Hope that’s clearer.
/Paul
Hey Paul,
Yup that makes sense, thanks very much for clarifying 🙂
Advise on following set up:
Current:
– DPM used On-Premise (with enough licenses for more)
– All on-premise servers on Hyper-V hosts
We only want to backup our OnPremise VMs to Azure whats our best option DPM or MABS/MARS:
option 1 — Azure MARS/MABS option
a) Create MABS server in Azure VM (create two in avset? primary/secondary)
b) Will Install the Agent M.A.R.S agent to the HyperV Host only allow file/folder backup or can we install the MABS agent directly to ther Hyper Host?
c) Install MABS agent on each VM for granular SQL or Snapshot backups?
or
option 2 — DPM option
a) Deploy two DPM servers in Azure (in Azure avset primary/secondary)
b) Install MABS agent to all onpremise VMs (in hyperv) or again can we just install this agent to the HyperV directly for granular backups?
other than tape backups and a cnetral console to manager multiple DPM instances what do we lose by going MABS only. Appreciate if someone can help to clarify this, thanks
Hi Eilz,
Since you’re already using DPM on premises, your best option is to use DPM and backup to Azure. (You don’t mention which version of DPM you’re using but 2012 SP1 or 2012R2 will work fine). There’s no need to deploy DPM in VMs in the cloud. Simply use Azure as a storage target from within DPM. See here https://technet.microsoft.com/en-us/library/jj728752(v=sc.12).aspx and here https://blogs.technet.microsoft.com/dpm/2015/04/07/key-takeaways-dpm-protection-of-microsoft-workloads-to-azure/.
MABS / Azure Backup is really for people who don’t already have DPM. With your DPM already up and running you should stick with a single system.
Hope that helps,
Paul Schnackenburg
Hi,
Got a question related to this backup solution:
1. You do a local backup to disk using MBS….ok
2. Then you do a copy to Azure Cloud….. ok
3. Can you then restore directly to Azure infrastructure from the “Copy to Azure Cloud backups?
From reading this article, it appears that this allow for a storage location (DR) for the On-Premise backup but i do not see a restore option
directly to Azure cloud ?
Thank You
Ian Salgado
Hi Ian,
As far as I know you can’t. I found this in the documentation:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-alternate-dpm-server
And this:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-backup-faq
I suspect you’d have to restore the disk to on-premises and then upload it to Azure.
If you’re looking for the ability to migrate VMs / save them in the cloud Azure Site Recovery would be a better option.
/Paul Schnackenburg