Functional Description Ntbackup
Like all Windows products starting with NT 3.51, Windows Server 2003 comes with a backup utility, Ntbackup, that is a stripped-down version of a commercial package called Backup Exec from Veritas Software, www.veritas.com. Data backups performed with earlier versions of Ntbackup can be restored using the Windows Server 2003 version because they use the same Microsoft Tape Format (MTF).
Ntbackup does not incorporate a tape handler. Tape handling is done by the Removable Storage Management (RSM) service. The RSM service can handle individual tape drives as well as robotic libraries. It also is responsible for handling CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, Zip, Jaz, Orb, and magneto-optical drives.
Unlike most other administrative tools in Windows Server 2003, Ntbackup is managed by an executable, not by an MMC console. This enables it to retain a command-line interface that can be used for scheduling backup jobs to run in the background.
Launch Ntbackup using START | ALL PROGRAMS | ACCESSORIES | SYSTEM TOOLS | BACKUP, or run Ntbackup.exe from a command prompt. The first time you run the program, it starts in a Wizard mode. I'm as much of a Harry Potter fan as the next guy, but when it comes to data recovery, I prefer to avoid wizards. There is an option in the launch window to shift to an Advanced view that does not use a wizard. All examples in this chapter use the Advanced view except for scheduling a backup, which requires the use of a wizard.
The Advanced view of Ntbackup uses a familiar tabbed control to show the features. Figure 21.1 shows an example of the Ntbackup window with the Backup tab selected.
Figure 21.1. Ntbackup window showing Backup tab.
The directory tree in the left pane of the Ntbackup window uses the standard Explorer namespace, rooted at Desktop and descending through My Computer, My Documents, and My Network Places. When selecting items to back up, you have the option of selecting an entire drive or individual folders or files. A blue checkmark indicates that you have selected an item. If you select an individual file, the folders above it get gray checkmarks indicating that the directory structure will be included in the backup.
You can back up network files either by selecting a mapped drive or by expanding the tree under My Network Places and selecting a share from the server's resource list. Ntbackup does not use agents on remote machines, so it cannot do anything on the remote side that a plain file copy cannot do: no open-file handling, no application-aware (database) backups, and no compression before the data crosses the wire.
The Backup Destination selected for a particular backup job can be a local tape drive or a file on a local or network drive. The target can be a removable media hard drive such as a Zip or Jaz drive or a DVD-RAM. It cannot be a CD-RW drive unless you use a third-party packet writing engine. If you use file-based backup, the target file can be in an NTFS or FAT/FAT32 volume.
Network backups using Ntbackup are limited to files you can reach using a network client redirector. On the local machine, Ntbackup reads locked system files through the backup privilege of the account that runs it. That does not help across a network client redirector: locked system files on a remote server cannot be backed up that way and require an agent running on that server.
A backup agent provides a client/server link between the server being backed up and the server running the backup. The agent runs in the security context of a user with Backup Operator privileges so it can access locked system files. The agent sends copies of the files to the backup server where they are put on tape. Some agents encrypt the data they send across the network; check the product's documentation rather than assume it.
When a file is created or modified, the file system sets the archive bit in the file's attributes. This tells a backup program that the file has changed since it was last backed up. Ntbackup supports five backup types, classified by whether they use the archive bit to select files and whether they clear it afterward.
To view the backup type options, launch Ntbackup in Advanced mode and select TOOLS | OPTIONS from the main menu. The Options window opens with the focus set to the Backup Type tab. Figure 21.2 shows an example. Here are the options to choose from:
Normal. This option backs up all the selected files and clears the archive bit on each one.
Copy. This option backs up all the selected files and does not clear the archive bit.
Differential. This option backs up only the selected files where the archive bit is set. It does not clear the archive bit.
Incremental. This option backs up only the selected files where the archive bit is set. It clears the archive bit.
Daily. This option does not use the archive bit. It backs up files with a Modified timestamp that falls on the day of the backup.
Figure 21.2. Backup Options window showing Backup Type tab.
The Copy option is primarily used for transferring files to another system and not for scheduled backups. Here are details about the other options along with criteria to use when choosing one over the other.
Running a normal backup every night makes restoration easy. All the files you need to restore a system to its most current configuration are right on one tape (or set of tapes). Normal backups take time, though, so you have to measure their usefulness against the size of your backup window.
Because differential backups only capture files with the archive bit set, they shorten the nightly backup considerably. As time goes by, though, a differential backup takes longer and longer because it does not reset the archive bit. For example, if File_A changed on Monday, each night's differential backup will include File_A.
Restoration from differential backups is a two-step process. First, you must restore the last normal backup; then, you restore the latest differential backup.
Differential backups simplify requests for individual file restores because you only need to go to one of two tapes, the last normal backup or the last differential backup, to find the file.
Be sure to design your tape rotations so that the normal and its associated differential tapes are stored together. It can be embarrassing to overlay the normal backup from one week with a differential backup from another week.
Incremental backups avoid the ever-increasing backup duration caused by differential backups because they reset the archive bit. In this way, any incremental backup only captures files that changed since the last incremental or normal backup.
The problem with incremental backups is that they make recovery much more complex. To restore a volume, you must first restore the last normal backup, then restore each of the incremental backups in sequence. If any tape in the chain fails to restore, every change captured on that tape is lost, and files that depend on one another can be left in inconsistent states.
Incremental backups also complicate individual file restores because you must search through several different tapes. If the user is a little fuzzy about the date when the file was lost, you have a chore in front of you.
Both differential and incremental backups rely on the archive bit. If you run other utilities that clear the archive bit (another backup or copy tool, or anyone who runs attrib -a), you may end up missing files in your nightly backups. A daily backup avoids this problem by reading the timestamp on the files rather than the archive bit.
The same caveats apply to daily backups that apply to incremental backups. You must keep them in order and apply them in order after first applying the last normal backup.
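To see the archive-bit rules above in action rather than on paper, here is a short PowerShell script. It is an added example, not part of the book and not Microsoft's code: it creates three files in a scratch folder under %TEMP%, then runs a mock pass of each backup type over them, selecting files the way Ntbackup does and clearing the archive bit only where Ntbackup would. The scratch path and the function names (Invoke-BackupPass, Test-ArchiveBit, Clear-ArchiveBit, Edit-File) are my own; it needs Windows PowerShell but nothing newer than version 2.0.

```powershell
# Added example (not from the book or from Microsoft): exercises Ntbackup's five
# backup types against the archive attribute on real files in a scratch folder,
# so you can see which files each type captures and which types reset the bit.
# The scratch path and the function names are assumptions. Windows PowerShell 2.0+.

$Scratch = Join-Path $env:TEMP 'ntbackup-archive-bit-demo'
$ARCHIVE = [int][IO.FileAttributes]::Archive    # 0x20 in the attribute mask

function Test-ArchiveBit([string]$Path) {
    ([int](Get-Item $Path).Attributes -band $ARCHIVE) -ne 0
}

function Clear-ArchiveBit([string]$Path) {
    $item = Get-Item $Path
    $item.Attributes = [IO.FileAttributes](([int]$item.Attributes) -band (-bnot $ARCHIVE))
}

# Writing to a file is what sets the archive bit; this stands in for a user edit.
function Edit-File([string]$Name) {
    Add-Content -Path (Join-Path $Scratch $Name) -Value "edited $(Get-Date -Format o)"
}

# One pass of the given backup type over the scratch folder. Prints the names it
# would write to tape and clears the archive bit only where Ntbackup does.
function Invoke-BackupPass([string]$Type) {
    $files = Get-ChildItem $Scratch | Where-Object { -not $_.PSIsContainer }
    $selected = switch ($Type) {
        'Normal'       { $files }                                                 # everything; bit cleared below
        'Copy'         { $files }                                                 # everything; bit untouched
        'Differential' { $files | Where-Object { Test-ArchiveBit $_.FullName } }  # bit set; bit untouched
        'Incremental'  { $files | Where-Object { Test-ArchiveBit $_.FullName } }  # bit set; bit cleared below
        'Daily'        { $files | Where-Object { $_.LastWriteTime.Date -eq (Get-Date).Date } }  # timestamp only
    }
    if ($Type -eq 'Normal' -or $Type -eq 'Incremental') {
        foreach ($f in @($selected)) { Clear-ArchiveBit $f.FullName }
    }
    $names = @($selected | ForEach-Object { $_.Name } | Sort-Object)
    "{0,-12} captures: {1}" -f $Type, ($names -join ', ')
}

# Scenario: a normal backup, then a few days of edits under each scheme.
Remove-Item $Scratch -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path $Scratch | Out-Null
'A.doc', 'B.xls', 'C.txt' | ForEach-Object { Edit-File $_ }

Invoke-BackupPass 'Normal'          # baseline; every archive bit is now clear
Edit-File 'A.doc'
Invoke-BackupPass 'Differential'    # picks up the edited file and leaves its bit set
Edit-File 'B.xls'
Invoke-BackupPass 'Differential'    # A comes along again: differential never resets the bit

Invoke-BackupPass 'Normal'          # new baseline
Edit-File 'A.doc'
Invoke-BackupPass 'Incremental'     # picks up A and clears its bit
Edit-File 'B.xls'
Invoke-BackupPass 'Incremental'     # only B: A was already reset by the previous pass

# A stray attrib -a between backups hides a change from both archive-bit schemes;
# only the timestamp-driven daily backup still sees the edit.
Edit-File 'C.txt'
attrib -A (Join-Path $Scratch 'C.txt')
Invoke-BackupPass 'Incremental'     # nothing: every bit has been cleared by something
Invoke-BackupPass 'Daily'           # all three, because all were written today
```

The last two passes are the point of the caveat above: the incremental job looks clean, yet the change to C.txt never reaches tape, and only the daily type, which ignores the bit, would have caught it.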
Ntbackup keeps a log of each backup and restore job. You can access the log from the Ntbackup menu by selecting TOOLS | REPORT. Logging is a critical element of a backup strategy. Without a log, you could be unaware of a problem that puts your data at risk. For example, if you back up files across the network, a problem with the network connection can cause the files to be skipped. Without checking the log regularly, you won't know this happened.
Backup logs are saved to the local profile of the user who runs the backup, which for a scheduled job is the account entered in Task Scheduler, not whoever happens to be logged on at the console. The path is \Documents and Settings\<logonID>\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\Data. This path is fixed. There is no Registry parameter that can be set to change it. Each backup job creates a new backup log. The logs are numbered sequentially and renumbered automatically after reaching 10, so the oldest log is overwritten.
The Backup Options window, accessed via TOOLS | OPTIONS, has a Backup Log tab that controls the type of log that is saved. Figure 21.3 shows an example. Ntbackup offers two levels of logging, Summary and Detailed (a third setting, None, turns logging off entirely and has no place on a production server):
Figure 21.3. Options window showing Backup log options.
Summary logs are the better choice for standard daily backups because you stand less of a chance of missing a problem buried in a long, detailed report. If you are troubleshooting a backup problem involving missed files, enable the Detailed option and scan the report for clues on why they were missed.
The Backup Options window has an Exclude Files tab. Figure 21.4 shows an example.
Figure 21.4. Options window showing Exclude Files. The Add New button can be used to exclude other file types.
The Files Excluded For All Users field lists file extensions and individual files that are deliberately left out of all backup jobs.
The default list of excluded files includes the paging file, temp files, the client-side cache for offline files, contents of the debug folder, the File Replication Service (FRS) database and any FRS cache folders on volumes containing replicated files (such as \Windows\Sysvol), the Windows registration files, the Distributed Transaction Coordinator log, and the local cryptographic certificate database.
Adding File Exclusions
You can add file classifications to the exclusion list and narrow the focus to individual folders. You can do this for all backup jobs or jobs run by the current user. Add a new exclusion as shown in Procedure 21.1.
Procedure 21.1 Adding File Types to the File Exclusion List
1. Click Add New under the All Users field or the Current User field. The Add Excluded Files window opens.
2. Select the class of file you want to exclude. Use the Applies To Path field to narrow the scope to a particular folder.
3. Click OK to save the selection and return to the Options window.
4. Click OK to save the setting and close the window.
Registering File Types for Exclusion
If you back up a volume across the network and you have a file type on the source machine that you want to exclude but it is not on the local extension list, you must register the file locally on the machine running Ntbackup. The easiest way to do this is shown in Procedure 21.2.
Procedure 21.2 Registering File Types for Backup Exclusions
1. Open the network drive in Explorer.
2. Right-click one of the files of the type you want to exclude and select OPEN WITH from the flyout menu.
3. Double-click the executable you want to associate with the file type. This closes the window and adds the application to the list in the Open With window.
4. Select the Always Use This Program to Open These Files option.
5. Click OK to save the change and make the association in the Registry.
Now that the file type is registered, you can exclude it using the steps mentioned earlier in Procedure 21.1.
General Backup Options
From the Ntbackup menu, select TOOLS | OPTIONS then select the General tab. Figure 21.5 shows an example. Most of the options are self-explanatory and are selected by default.
Figure 21.5. Backup Options window showing General options.
Compute Selection Information Before Backup and Restore delays the backup and restore long enough to calculate the total number of files and bytes. This calculation takes a while, sometimes a long while, and unless you need to check for sufficient storage capacity prior to initiating a backup or restore, you can deselect this option.
Use the Catalogs on the Media to Speed Up Building Restore Catalogs on Disk is a highly recommended option. In backup parlance, a catalog is an index of the files that were included in the backup and their locations. Ntbackup (and every other backup program) uses catalogs to determine where to place files and folders during a restore. Ordinarily, when you run Ntbackup, a copy of the catalog is saved to the local drive in the profile of the user who submits the job. For example, if the local Administrator submits a job, the catalog is stored under \Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\Catalog. The catalogs are assigned hexadecimal sequence numbers with a .v01 extension. An index file with an .sm extension defines the members of the catalog.
By putting a copy of the catalog on the tape, you can quickly recover it during a restore if your restoration server does not have a local copy of the catalog. Without the on-tape copy of the catalog, Ntbackup must scan the entire tape to build a catalog prior to performing a restore. This can take hours and hours, which can be a wrenching experience if the data is critically needed.
Verify Data After The Backup Completes adds an extra measure of assurance to your backup. After the backup has completed, Ntbackup reads each backed-up item from the media and compares it with the source file. Files that changed between the backup pass and the verification pass show up as verification errors, so expect some noise on busy volumes; a verification error on a file that did not change points at the media or the drive.
Back Up The Contents Of Mounted Drives is a default option. A mounted drive (a mounted volume, really) is an NTFS reparse point that redirects a process from a folder path into another file system, such as a second volume or a CD-ROM. If the target volume of the reparse point also has a drive letter that you are backing up, you back up the same data twice. There is no performance penalty for backing up via a mount point. If you have a mounted CD-ROM that you do not want to include in the backup, deselect this option.
Always Allow Use of Recognizable Media Without Prompting is the default option if you have never opened the Removable Storage Manager console. For the most part, if a tape drive is the only removable media that requires administrator intervention on a server, select this option. This lets Ntbackup communicate with RSM to obtain and manage tapes without the need for you to give any input. Without this option, each time you put a fresh tape in the drive, you'll be responsible for preparing it for the Backup pool.
Locked Files and the Volume Shadow Copy Service
Ntbackup runs with the backup privilege of the account that launches it (an Administrator or a Backup Operator), so it is able to back up system files such as the Registry and Active Directory and the other databases that support system operations such as DHCP, WINS, and so forth. But a privilege only bypasses access checks; it cannot override an exclusive lock placed on a file by a user process.
Applications like Word or Access that lock their files stymie just about any backup program. Locked files are getting to be more and more common as users connect from home using dial-in and VPNs. It can cause users discomfort to find out that they cannot restore a critical file because they've been working on it every night for the last week during your backups. Here is a short listing from an Ntbackup log that demonstrates this problem:
Active backup destination: 4mm DDS
Media name: "TestBackup"
Backup of "C: "
Backup set #1 on media #1
Backup description: "Test"
Media name: "TestMedia"
Backup Type: Normal
Backup started on 2/15/2002 at 3:35 AM.
Warning: Unable to open "C:\Test\LiveDocument.doc" - skipped.
Reason: The process cannot access the file because it is being used by another process.
Windows Server 2003 addresses this problem with the Volume Shadow Copy Service (VSS). The service takes a point-in-time snapshot of the volume, so Ntbackup can read a locked file from the snapshot rather than from the live file. Here is a listing that shows the Ntbackup log with shadow copies enabled:
Backup (via shadow copy) of "C: "
Backup set #1 on media #1
Backup description: "Test"
Media name: "TestMedia"
Backup Type: Normal
Backup started on 2/25/2002 at 3:39 AM.
Backup completed on 2/25/2002 at 3:39 AM.
Time: 4 seconds
The Volume Shadow Copy service, Vssvc.exe, only takes snapshots of NTFS volumes and keeps its shadow storage on an NTFS volume. The snapshot is copy-on-write, so the free space you need is governed by how much data changes on the volume while the backup runs, not by the size of any one locked file.
If a system lacks NTFS volumes, or those volumes lack free space, Ntbackup proceeds with standard locked file handling, which consists of 30 seconds of retries then the file is skipped.
You can elect to run Ntbackup without shadow copies. This avoids the snapshot overhead, and the shadow storage it consumes, on a volume that holds large, constantly changing files you do not want backed up anyway. The option is part of the Advanced backup selections. Figure 21.6 shows an example.
Figure 21.6. Advanced backup options showing the Volume Shadow Copy selection.
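Reading the log by hand is the weak link in the logging advice earlier in this section, so here is a PowerShell check that does it for you. It is an added example, not from the book or from Microsoft: Get-NtbackupSkippedFiles (my name) scans log lines for Ntbackup's "Unable to open ... - skipped." warning and pairs each with the Reason line that follows it, and Get-LatestNtbackupLog (also mine) finds the newest log in the fixed per-profile folder described earlier. The sample lines are constructed from the listing above, with a second, invented network failure added so there are two hits; it needs Windows PowerShell 2.0 or later.

```powershell
# Added example (not from the book or from Microsoft): report every file an
# Ntbackup job skipped, so a locked or unreachable file does not go unnoticed.
# Function names are assumptions; the log folder is the fixed per-profile path.

function Get-NtbackupSkippedFiles([string[]]$Lines) {
    $results = @()
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        # Ntbackup writes the warning on one line and the reason on the next one.
        if ($Lines[$i] -match '^Warning: Unable to open "(?<path>[^"]+)" - skipped\.') {
            $path   = $Matches['path']          # capture before the next -match overwrites $Matches
            $reason = ''
            if (($i + 1) -lt $Lines.Count -and $Lines[$i + 1] -match '^Reason: (.+)$') {
                $reason = $Matches[1]
            }
            $results += New-Object PSObject -Property @{ Path = $path; Reason = $reason }
        }
    }
    $results
}

# Newest backupNN.log for the account running this script. Scheduled jobs write
# under the scheduled account's profile, so run the check as that account.
function Get-LatestNtbackupLog {
    $dir = Join-Path ([Environment]::GetFolderPath('LocalApplicationData')) 'Microsoft\Windows NT\NTBackup\Data'
    Get-ChildItem $dir -Filter 'backup*.log' | Sort-Object LastWriteTime | Select-Object -Last 1
}

# Constructed sample modelled on the listing above; not a real log.
$sample = @(
    'Backup of "C: "',
    'Backup set #1 on media #1',
    'Backup Type: Normal',
    'Backup started on 2/15/2002 at 3:35 AM.',
    'Warning: Unable to open "C:\Test\LiveDocument.doc" - skipped.',
    'Reason: The process cannot access the file because it is being used by another process.',
    'Warning: Unable to open "\\FS1\Share\Budget.xls" - skipped.',
    'Reason: The network path was not found.',
    'Backup completed on 2/15/2002 at 3:41 AM.'
)
$skipped = @(Get-NtbackupSkippedFiles $sample)
$skipped | Format-Table Path, Reason -AutoSize

# Against the real log (Get-Content understands the Unicode logs Ntbackup writes),
# turn any skipped file into a failed scheduled task:
#   $log     = Get-LatestNtbackupLog
#   $skipped = @(Get-NtbackupSkippedFiles (Get-Content $log.FullName))
#   if ($skipped.Count -gt 0) { exit 1 }
```

Run the check as a second scheduled task a few minutes after the backup itself, under the same account, and alert on its exit code; a skipped file is only a warning to Ntbackup, but to you it is a file that will not be there when someone asks for it.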
System Restore on XP Desktops
The System Restore feature is available on Windows XP desktops, not on Windows Server 2003. It takes periodic snapshots of a system configuration that can be used for rollback. Snapshots are taken daily and whenever you install applications or make major changes to the system configuration. These snapshots are called restore points.
To take a manual snapshot or roll back to a previous restore point, access the System Restore features from the Help and Support Center (HSC). Look for the System Restore option on the HSC home page. Click the link to open a page for selecting either to create a restore point or to roll back to an existing restore point. If you choose to roll back, the system displays a window with a calendar that allows you to select a day and view the restore points that were saved for that day. Figure 21.7 shows a restore point taken prior to installing Microsoft Office XP.
Figure 21.7. System Restore page showing Restore Point calendar with details about an earlier restore point.
If you elect to roll back to an earlier restore point, only system executables that were modified in the interim are rolled back, not data files. This means users will not lose data as a result of a System Restore rollback, but they may lose critical links within their application. The further you reach back, the more likely you are to have a consistency problem.
Rollbacks do not affect encrypted files. You cannot decrypt a file simply by rolling back to a time when the file was in plain text.
When you place an account in the Backup Operators group, or otherwise assign the SeBackupPrivilege and SeRestorePrivilege user rights (Back up files and directories, Restore files and directories) to it, the account can read any file on the machine regardless of its security descriptor (encrypted files are read in their raw, still-encrypted form) and can write files back during a restore with whatever security descriptor it chooses, including none. In short, it's hard to imagine a more serious security breach than the frivolous granting of backup operator privileges.
A similar problem exists for third-party backup applications that use client-based backup agents. These agents run in the security context of an account with Backup Operator permissions. Because of their privileged nature, backup agent accounts are often used for other purposes. It is common to find virtually every administrator logged on with the backup account, which means a credential that can read every file on every server is typed on many workstations and sits in many logon sessions, ready to be harvested.
If you want to run the nightly Ntbackup jobs using an account other than the Administrator account, you can create a special account that is a member of the Backup Operators group then assign this account to the job via the Task Scheduler. Figure 21.8 shows an example. Access the Task Scheduler via the Control Panel.
Figure 21.8. Task Scheduler job properties showing alternative credentials entered in the Run as field.
Physical control of backup tapes is also important. It is common to find shops where unauthorized users aren't allowed within 100 yards of a production server, but backup tapes are routinely put in the custody of unbonded couriers and temporary contractors. You need secure off-site storage with a known and licensed chain of custody for the tapes. Bear in mind that Ntbackup writes to tape in the clear: anyone who obtains the tape and a copy of Ntbackup can restore it, and the owner restriction you can place on a tape is a flag honored by Windows, not encryption.
Finally, don't forget about the possibility of data loss due to theft. This is emphatically true for small businesses in strip malls and office parks with easy access from the street. It only takes a few seconds to toss a rock through a window and snatch a computer. Servers look impressive, so thieves often spend a few extra minutes looking for them. Don't multiply your loss by leaving your backup tapes where they can be scooped up, too.
Backing Up System State Files
In Windows Server 2003 and Windows 2000, Microsoft groups a large number of files under an umbrella term called System State. These files must be backed up and restored as a unit to maintain data and operational consistency. The System State files include the following:
Active Directory database, NTDS.DIT, and its associated log and checkpoint files in the \Windows\NTDS folder
Registry hives from the \Windows\System32\Config directory
COM+ class registration database
Files protected by the Windows File Protection service (This includes most of the files in \Windows and many of the Microsoft files in \Program Files.)
System files from the root of the boot drive: Ntdetect.com, Ntldr, Boot.ini, Bootsect.dos, and Ntbootdd.sys
Certification Authority database files (if the Certification Service is installed)
Contents of the \Windows\Sysvol folder, which contains group policies and scripts
IIS metabase (if IIS is installed)
Cluster database (if the Cluster service is installed)
You cannot use Ntbackup to back up System State files from another machine across the network. And don't make the mistake of thinking that doing a backup of the Admin$ share is the same as a System State backup. Many of the files are locked if you merely run Ntbackup across the network. If you want central backups of System State, you must either purchase a commercial backup package or schedule Ntbackup locally on each server to write its System State to a .bkf file on a central share (see "Backing Up to a File").
Backing Up to a File
One of the nicer features of Ntbackup is its capability to send a backup job to a file rather than to tape. This makes it possible to do quick backups of local desktops saved to removable media or network drives. File-based backups are also an essential component of encrypted file management. To move encrypted files from one machine to another, you must back them up to a file, transport the backup file, then restore the encrypted files inside at their new location. The restored files are still ciphertext: the user's EFS certificate and private key (or a recovery agent's) must be available on the destination machine before anyone can open them.
File-based backups have their downside. Any member of the local Backup Operators group can point Ntbackup at the entire hard drive and write it to a file on a server or on removable media, bypassing every NTFS permission on the way; the backup privilege, not the ACLs, decides what can be read. Consider a software restriction policy in group policy that limits who can run Ntbackup, and keep an eye on the membership of the Backup Operators group.
Automated System Recovery (ASR)
Restoring a failed operating system partition has always been a tedious affair. Ordinarily, you have to format the partition, reinstall the operating system, mount the backup tape, catalog the tape, and then run a full restore.
As the name implies, the Automated System Recovery (ASR) feature makes this process much simpler. An ASR backup takes a standard backup of the operating system partition then saves the catalog and other configuration information to a floppy. If you need to restore the operating system partition using ASR, all you need to do is boot to the Windows Server 2003 CD with the backup tape mounted in the tape drive, press F2 when prompted to select the ASR option, and watch the process take off. ASR installs the operating system from CD then mounts the tape and does the restore. Remember to take the floppy out of the drive after the initial text-based portion of the restore has completed, and then come back in an hour to have a server that is up and running, good as new.
To create an ASR backup, use the ASR Wizard in Ntbackup. The only option is to do an interactive backup. You cannot use Task Scheduler to schedule an ASR backup. The wizard consists of just one window that asks the target backup device and media label (or backup file and filename). The only other time the wizard prompts for input is to ask for a blank, formatted floppy on which to store the Setup Information Files (SIFs).
ASR retains the original partitioning, so it should not disturb data volumes that are on the same spindle as the operating system. If the boot drive is mirrored, you will need to break the mirror prior to running ASR.
One challenge that can come up when using ASR is loading third-party device drivers that are required for the initial setup phase. These are generally mass storage device drivers that you would press F6 to load during a normal interactive Setup. To load these additional drivers automatically, you must make a modification to the Asr.sif file that scripts ASR to include an [InstallFiles] section in the following format:
[Installfile-Key]=[System-Key],[Source-Media-Label],[Source-Device],[Source-File-Path],[Destination-File-Path],[Vendor-Name],[Flags]
Here is a guide to the components of the [InstallFiles] section. The double-quotes in some examples are part of the entry you would put in the Asr.sif file:
Installfile-Key and System-Key. Installfile-Key is a unique sequence number assigned to each entry. System-Key is the index entry under the [System] section that designates the operating system partition you are installing. Example: The first entry in the [InstallFiles] section with a reference to the first entry in the [System] section would be listed as 1=1.
Source-Media-Label. This is the label assigned to the floppy that contains the additional files. Example: If you want to load a SCSI driver from a floppy, give the floppy a label such as SCSIFiles. Then put an entry of "SCSIFiles" in the Asr.sif file. During ASR, you will be prompted to insert a disk with this label.
Source-Device. This entry defines the device path of the media holding the file. The path is specified in object namespace format, such as "\Device\Floppy0" or "\Device\CdRom0".
Source-File-Path. This is the source path and filename for the driver you are installing. If you need to install more than one file, you must make multiple entries under [InstallFiles]. Do not start the path string with a backslash. Example: "Scsidrvr.sys" is the path to the file at the root of the floppy.
Destination-File-Path. This is where you want the file to be copied. Do not start the string with a backslash. Example: "%systemroot%\System32\Drivers\Scsidrvr.sys".
Vendor-Name. This is the name of the vendor that created the driver. It is just used for a display string, so you can enter anything you want. Example: "Additional SCSI Driver".
Flags. These are flags that tell ASR how to prompt for the floppy. The options are listed in the next list. Example: "0x00000001".
Here is a list of the flags that can be used in the [InstallFiles] section:
Always prompt. This gives the installer a chance to insert the media right at the end of the file copy phase of Setup.
Prompt for required files. Same as 0x00000001 except ASR will not proceed without the file.
Overwrite the file if it already exists.
Prompt before overwriting a file that already exists.
With these settings in mind, here is an example entry that prompts the user for an additional SCSI driver:
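Assembling the component examples above into a single entry (an added illustration; the book's own listing is not reproduced here), the [InstallFiles] section for one SCSI driver on a floppy labeled SCSIFiles reads as follows. The quoting follows the examples above, including the quoted flags value, and the file and driver names are placeholders for your own.

```ini
[InstallFiles]
1=1,"SCSIFiles","\Device\Floppy0","Scsidrvr.sys","%systemroot%\System32\Drivers\Scsidrvr.sys","Additional SCSI Driver","0x00000001"
```

A second driver gets its own line with the next sequence number (2=1,...); the System-Key stays 1 as long as both files belong to the same operating system partition.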
The floppy configured by the ASR wizard contains two Setup Information Files, Asr.sif and Asrpnp.sif, along with a copy of the Setup.log file. Copies of these files are saved to tape as well, from the \Windows\Repair folder, so if the floppy is lost you can extract them from the tape and put them on a freshly formatted floppy.
Removable Storage Management
You should be able to manage all tape backup functions from within Ntbackup, but the tape handling is actually done by the Removable Storage Management (RSM) service.
RSM is managed with an MMC snap-in called Removable Storage. The snap-in is part of the Computer Management console (see Figure 21.9). A command-line utility, Rsm.exe, can be used instead of the snap-in to perform many functions such as mounting and dismounting media and allocating media to a specific service. The Help and Support Center contains the command syntax for the Rsm utility.
Figure 21.9. Computer Management console with Removable Storage snap-in expanded.
RSM handles all removable media in a system, from single-drive tape devices and CD-ROM players all the way up to 100-disk CD jukeboxes and robotic tape libraries. RSM assigns media to one of four kinds of media pools: three system pools, Free, Import, and Unrecognized, and application pools such as the Backup pool that Ntbackup uses for the tapes allocated to it. The system pools are as follows:
Free. This pool contains media that have been marked with a Free media label and are available for allocation.
Import. This pool contains tape media that were formatted using Microsoft Tape Format (MTF) and have a recognizable tape label but have not yet been allocated to a particular application pool. This includes backup tapes created by classic NT.
Unrecognized. This pool contains tape media that are blank or formatted in a foreign format.
The Removable Storage snap-in permits you to select users who can access particular devices and media. It does this using standard access control lists (ACL) exposed by a Security tab on the device properties. Figure 21.10 shows an example for a tape backup device.
Figure 21.10. Security properties for a tape device in the Removable Storage snap-in.
There are three sets of permissions that can be applied to a Removable Storage object:
Use. Permits a user to mount and dismount media loaded in the device.
Modify. Permits a user to create and delete media pools and to allocate and deallocate media to and from those pools.
Control. Permits a user to send commands to the library that control its physical operation.
Tape Names and Ntbackup
The Removable Storage service abstracts much of the tape handling from Ntbackup and other backup products. This is a good thing, because it frees the backup applications from the need to contain proprietary tape handling functions, but it can also be downright irritating because the backup program has no real control over the tapes themselves. All tape handling is done by the Removable Storage service.
One source of irritation caused by this marriage of Ntbackup and Removable Storage service is the way tape names are managed. Ntbackup has no way to know if the Removable Storage service has mounted a tape in a single drive unit or a big multi-tape, multi-headed robotic tape library. Because libraries need special handling, Ntbackup is forced to assume the existence of a robotic library. This means that each tape must have a definite name that Ntbackup can use when requesting a tape from the library. When Ntbackup overwrites a tape, it applies a name that it can use in case you need the tape for a restore.
This puts you into something of a loop when you configure backup tape rotations. Ntbackup looks for a particular tape name and it writes a tape name as part of an overwrite job. If you use the default media label of Media Created On <date>, you cannot easily configure a backup job to look for that date each day or each week.
Ordinarily, when you run Ntbackup as part of a scheduled job, you must specify the name of the target tape. This requirement prevents you from accidentally overwriting a tape in a tape library. If you have a single tape unit, you usually don't care too much about tape names. You want the backup job to run regardless of the tape that is in the drive.
There is an Ntbackup command-line switch, /UM (for Unmanaged), that tells Ntbackup to ignore the tape name and simply use whatever tape is mounted in the drive. Add the /UM switch to the command line of the job in Task Scheduler.
If you use the /UM switch, you must include the /P switch, for Pool, to specify the name of the media pool you want to use, for example "4mm DAT". You can get the pool name from the RSM console display.
This workaround is not appropriate if you have a robotic tape library. You do not want the library to randomly select a tape and overwrite it. Always use specific tape names when configuring backup jobs for an automated tape library.
When configuring tapes for a rotating system, you must establish a separate job for each day of the week with a tape label that matches the job. For example, for a weekly tape rotation, you can configure a Monday backup job that writes a media label of Monday to the tape. The job looks for a tape labeled Monday when it runs. If a tape labeled Friday is still in the drive when the Monday job runs, the backup fails.
To work a blank tape into this configuration, you must write the correct label to the tape. Microsoft should provide a utility for this, but it doesn't. You must do a little manual backup job to write the label. See the sidebar, "Unmanaged Backups," for a way to avoid the need for specific tape labels.
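Putting the scheduling advice, the System State limitation, and the /UM switch together, here is how I would set up unattended jobs on a single-drive server. This is an added example, not from the book or from Microsoft. It assumes a dedicated account CORP\svc-ntbackup that is a member of the local Backup Operators group (and nothing more) and has write access to \\FS1\Backups, a selection list C:\Backup\daily.bks saved with JOB | SAVE SELECTIONS in Ntbackup, and a media pool named 4mm DDS as shown in the Removable Storage snap-in; change all of these to match your server. The Ntbackup switches used are the ones in its command-line help (/j, /f, /p, /um, /m, /v, /l, /d, /r). Each job goes into a small .cmd wrapper so that the quoting in schtasks does not become a problem.

```powershell
# Added example (not from the book or from Microsoft): two unattended Ntbackup
# jobs under a dedicated Backup Operators account. Share, account, selection
# file, pool name and paths are assumptions. Run from an administrative
# Windows PowerShell 2.0+ prompt on the server being backed up.

$BackupDir = 'C:\Backup'
$Account   = 'CORP\svc-ntbackup'    # Backup Operators only; never an Administrator
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Job 1: nightly System State to a .bkf on a central share. System State cannot
# be taken across the network, but a local job may write its file to a remote
# share, which gives central collection without a commercial agent.
@'
@echo off
"%SystemRoot%\system32\ntbackup.exe" backup systemstate ^
  /j "System State" ^
  /f "\\FS1\Backups\%COMPUTERNAME%-state.bkf" ^
  /m normal /v:yes /l:s ^
  /d "System State %DATE%"
'@ | Set-Content -Path "$BackupDir\nightly-state.cmd" -Encoding Ascii

# Job 2: nightly data backup to whatever tape is in the single drive. /um makes
# Ntbackup ignore the media name and take the mounted tape; it requires /p with
# the pool name exactly as the Removable Storage snap-in shows it. /r:yes marks
# the tape as restorable only by its owner or an Administrator (a policy flag,
# not encryption). Never use /um with a robotic library.
@'
@echo off
"%SystemRoot%\system32\ntbackup.exe" backup "@C:\Backup\daily.bks" ^
  /j "Nightly Data" ^
  /p "4mm DDS" /um ^
  /m normal /v:yes /l:s /r:yes ^
  /d "Nightly data %DATE%"
'@ | Set-Content -Path "$BackupDir\nightly-data.cmd" -Encoding Ascii

# Register both with Task Scheduler under the dedicated account. /rp * prompts
# for the password instead of leaving it in the command history.
schtasks /create /tn 'Ntbackup - System State' /tr "$BackupDir\nightly-state.cmd" /sc daily /st 01:00 /ru $Account /rp *
schtasks /create /tn 'Ntbackup - Nightly Data'  /tr "$BackupDir\nightly-data.cmd"  /sc daily /st 02:00 /ru $Account /rp *
```

Because the jobs run as CORP\svc-ntbackup, their logs land in that account's profile under ...\Application Data\Microsoft\Windows NT\NTBackup\Data, not in yours; that is where to look the morning after, and it is the profile any automated log check has to read. For a weekly rotation on the same single drive, drop /um, label one tape per weekday as described above, and give each day's job its own wrapper with /t "Monday" and so on.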
Third-Party Backup Options
There are many players in the Windows backup game. Table 21.1 shows the names of the major vendors and their products. Their feature sets change constantly, so check their web sites for the latest updates.