A Closer Look at Windows Server Backup (and where did my backup files go?)

Well, I’ve been taking a closer look at backing up and restoring Windows Server in general since I have been practicing forest restore procedures. I initially did a simulation with Windows 2003 and wanted to perform a simulation with Windows 2008 as well. But, as I was preparing the backups for my domain controllers, I realized I wasn’t really all that familiar with how the new Windows Server Backup (WSB) utility actually works.

So, in this post I want to take a closer look at what actually happens when you take a backup and the differences between WSB in 2008 and 2008R2.

Types of Backups

One of the major changes from Ntbackup to WSB is that it does not do traditional full, differential, or incremental backups.

In the old days of Ntbackup, you may have scheduled a full backup on each Friday and then an incremental or differential backup for the rest of the week to reduce backup time and the amount of storage space used. While it is great to reduce the time and space needed for backups, the price was more complex restores. For example, you would have to restore a full backup plus any additional incremental or differential backups to recover to a certain point in time.

WSB eliminates the need for these traditional backups by using VSS to create shadow copies that you can use to restore previous versions of files. VSS is the underlying technology that makes WSB work and is what allows you to restore previous versions of files that have been backed up. I will talk more about shadow copies and how they are used with WSB in just a little bit.

File Format

One of the biggest changes you may notice with WSB is that it does not back up to a BKF file anymore. Instead, it stores backups in a virtual hard disk (VHD) file.

When you run a backup, a VHD is created for each source volume being backed up. If you were to mount these VHDs either using Disk Management in Windows 2008R2 or a tool like VHDMount for Windows 2008, you would see the exact layout and contents of the volume you backed up.

Of note, after each backup the destination only holds VHD files for the volumes backed up in that run. For example, say you back up your C: and E: drives. You will have two VHD files: one for the C: drive and another for the E: drive. But now let's say you run another backup, this time only for the E: drive. After performing this backup, you will see there is only one VHD file now. The previous VHD file for the C: drive has mysteriously disappeared and, on top of that, the drive will show you have a lot more free space (equivalent to the size of your missing VHD). Where did your backup go? Well, this is where those shadow copies come into play.

Shadow Copies Allow You to Restore to Previous Versions

After your backup is completely written to the VHD file, Windows will take a shadow copy of the volume you used to store your backups. These shadow copies hold the previous backups you performed and are what allow you to choose a previous version of a file or folder when using WSB to restore a backup.

Despite these backups being stored as shadow copies, you cannot access them from the “Previous Versions” tab of properties of the drive.

You can, however, view a listing of the shadow copies created on your machine and what volumes they belong to by running vssadmin list shadows.

Notice in the above output the “Shadow Copy ID” field. This is the ID of the shadow copy (duh) and is used by WSB to keep track of what shadow copy is associated with what backup. You can actually see this in Windows 2008R2 by using wbadmin get versions and looking at the “Snapshot ID” field.

So, this explains where your missing VHD files went. They are left as shadow copies on the volume you are backing up to. To confirm this, you can actually expose these shadow copies, assign them a drive letter, and work with them as if they were just a normal drive.

To expose a shadow copy and view its contents, you can use the Diskshadow utility. From inside Diskshadow, run the expose <shadowcopyID> <driveLetter> command. For example, expose {c7ed0406-d157-4bf5-af3c-29223db987a5} p: will expose the identified shadow copy and assign it the drive letter P:, which you can then access from Windows Explorer. If you look at it, you will see all the content, including any VHD files that were on the drive at the time this backup was taken. You can copy these VHD files to another location if need be, or you can mount them to view the contents of previous backups.
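The ID matching described above can be scripted. The following is an added example, not part of the original post: it pairs each "Snapshot ID" from wbadmin get versions with its "Shadow Copy ID" from vssadmin list shadows and prints the matching Diskshadow expose command. The sample output is constructed and trimmed, the function names are hypothetical, and every ID except the one quoted in the post is made up.

```powershell
# Constructed, trimmed sample of `vssadmin list shadows` output. Only the
# Shadow Copy ID is taken from the post; the other IDs are made up.
$vssText = @'
Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 9/1/2010 10:04:12 PM
      Shadow Copy ID: {c7ed0406-d157-4bf5-af3c-29223db987a5}
         Original Volume: (E:)\\?\Volume{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\
'@
# Constructed, trimmed sample of `wbadmin get versions` output on 2008R2.
$wbText = @'
Version identifier: 09/02/2010-05:00
Snapshot ID: {c7ed0406-d157-4bf5-af3c-29223db987a5}
Version identifier: 09/03/2010-05:00
Snapshot ID: {99999999-0000-0000-0000-000000000000}
'@

function Get-ShadowCopy([string]$Text) {
    # Pair each "Shadow Copy ID" with the "Original Volume" line after it.
    $id = $null
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match 'Shadow Copy ID:\s*(\{[0-9a-fA-F-]+\})') { $id = $Matches[1] }
        elseif ($id -and $line -match 'Original Volume:\s*\((\w:)\)') {
            New-Object PSObject -Property @{ ShadowCopyId = $id; Volume = $Matches[1] }
            $id = $null
        }
    }
}
function Get-BackupVersion([string]$Text) {
    # Pair each "Version identifier" with the "Snapshot ID" reported after it.
    $version = $null
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match 'Version identifier:\s*(\S+)') { $version = $Matches[1] }
        elseif ($version -and $line -match 'Snapshot ID:\s*(\{[0-9a-fA-F-]+\})') {
            New-Object PSObject -Property @{ Version = $version; SnapshotId = $Matches[1] }
            $version = $null
        }
    }
}

# Index shadow copies by ID, then look up every backup version's Snapshot ID.
$shadows = @{}
Get-ShadowCopy $vssText | ForEach-Object { $shadows[$_.ShadowCopyId.ToLower()] = $_.Volume }
Get-BackupVersion $wbText | ForEach-Object {
    $key = $_.SnapshotId.ToLower()
    if ($shadows.ContainsKey($key)) {
        # P: is an arbitrary free drive letter, as in the post's example.
        "{0}  stored on {1}  diskshadow> expose {2} p:" -f $_.Version, $shadows[$key], $_.SnapshotId
    } else {
        "{0}  Snapshot ID {1} not found in the vssadmin listing" -f $_.Version, $_.SnapshotId
    }
}
```

To run it against a live 2008R2 server, replace the two sample strings with (vssadmin list shadows | Out-String) and (wbadmin get versions | Out-String) from an elevated prompt.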

Some Notes and Caveats About Shadow Copies

It’s important to understand shadow copies are stored on the disk where your backups are stored (specifically in an area called the diff area).

Because these shadow copies are stored on the disk, when you run another backup to the same destination, WSB only needs to look at the blocks that have changed since the last backup and copy those to your destination device. This makes subsequent backups much faster.

If, however, you are performing a backup to a new disk, no shadows exist yet and WSB will have to perform a full backup.

Also, you may have heard by now that when you back up to a network share you can only keep the most recent copy on that share. Previous copies are overwritten and a full backup is performed. You only get the most recent copy because there are no shadow copies available.

System State Backups and Shadow Copies

In Windows 2008, system state backups were always full backups and shadow copies of the system state were not recorded.

To keep previous versions, each backup of the system state would create a new directory to store the VHD files. These directories would be located under \WindowsImageBackup\<computername>\SystemStateBackup and would use the naming convention “Backup YYYY-MM-DD <time of backup in UTC>”.

Windows 2008R2 uses shadow copies to store previous versions of the system state. This significantly speeds up the time it takes to complete subsequent backups as only changed blocks on the disk need to be recorded.

Additionally, you will find that system state backups in 2008R2 are not stored in a separate directory, but in the same path as any other backup (\WindowsImageBackup\<computername>\<Backup YYYY-MM-DD UTCTIME>).

Limitations of WSB in Windows 2008

  • Can only back up full volumes
  • Can’t select the system state in the GUI; must use wbadmin start systemstatebackup to perform a system state backup
  • Must use some form of scripting or batch file to schedule a system state backup
  • Cannot back up the system state to a network share
  • Scheduling backups requires the entire destination disk to be used exclusively for backups
  • Cannot schedule backups to a network share

Changes to WSB in Windows 2008R2

  • Can select individual files and folders to back up
  • Can select the system state for backup using the GUI
  • Can schedule system state backups easily with wbadmin enable backup and the -systemState switch
  • Can back up the system state to a network share
  • System state backups can be incremental
  • Do not have to dedicate an entire disk to scheduled backups
  • Can schedule backups to a network folder

For both 2008 and 2008R2, you cannot store a backup on the same volume you are backing up. However, there is a registry tweak that will allow you to back up the system state to the same volume, although that is not recommended. You can find more information about this at: http://support.microsoft.com/kb/944530

Additional Reading

How does Windows Server 2008 Backup work?

Backup Version and Space Management in Windows Server Backup

Windows Server Backup Automatic Disk Usage Management
