Understanding how to back up and restore the Exchange data on your servers is critically important. If you don't ensure that your public and private information stores, and Exchange's configuration data are backed up on a regular basis, you could end up losing business-critical datawhich can lead to some very uncomfortable conversations, at best. Unfortunately, too many administrators wait until disaster strikes to hone their backup and recovery skills. The time to understand the mechanics of backing up and restoring your servers is before you have a major failure that necessitates reloading your data from backup. Often, the most important thing to do when faced with disaster recovery is to relax, and think the situation through clearly before beginning. Ensure that you have all of the media you will need for software installation (including third-party products, like Exchange-aware anti-virus software), and that you understand the task you are undertaking. There is no shame in calling Microsoft Product Support Services (PSS) for help; the cost of the call is easily offset by the confidence you will gain and improved speed with which you'll be able to get the restore process completed. The basics of disaster recovery for Exchange really haven't changed through the various releases of the product; the main difference between Exchange 2000 and 2003 and older versions of the product is that Exchange no longer hosts its own directoryActive Directory (AD) holds almost all Exchange-related configuration data, and being AD savvy and understanding Exchange's dependency upon AD counts for a lot when you're faced with restoring an entire Exchange server from scratch. We described some of the inner workings of Exchange's Extensible Storage Engine (ESE) database engine in the Introduction in Chapter 6. From a backup and recovery perspective, there are several important consequences of the way ESE works; you have to understand these to make appropriate choices about your backup and recovery procedures. The key items about ESE's architecture to remember are that:
Online, Offline, and Point-in-Time BackupsSince the EDB and STM files are kept open by the database engine, it's reasonable to ask how they can be backed up. One way is to dismount the databases you want to back up, or the storage groups to which they belong, then copy or back up the files. This approach is called an offline backup . You can perform these backups either by stopping the Exchange information store service (which dismounts all databases on the server) or by dismounting individual storage groups. Of course, during the time that these databases are dismounted, users won't be able to access their mailboxes. Restoring these backups can be tricky (as described in MS KB 296788, Offline Backup and Restoration Procedures for Exchange), so we normally don't recommend them as a part of your backup/restore processes. The exception is when you're making a major change to the server, like installing low-level software (say, a virus scanner or a Windows service pack). In that case, you should probably plan on making a complete offline backup right before you make the change, just in case the change breaks something and you need to back out. As a better alternative to offline backups, Microsoft provides an API for performing Exchange online backups. Backup programs that use this API are said to be Exchange-aware; by using the API they can read pages from the Exchange database files while the files are open. This permits you to back up databases while users continue to send and receive messages; you can restore individual databases without affecting users whose mailboxes are in other storage groups on the same server. The API also permits a compliant backup program to simultaneously back up or restore one database from each active storage group; this allows you to parallelize backups or restores by using one tape drive or disk volume for each storage group and backing up or restoring to all of them at once. The online backup API is mature, thoroughly tested, and able to handle a variety of edge cases properly, such as when new transactions come in while the current generation is being backed up, and when two generations' worth of transactions occur during backup. Some vendors (notably EMC, HP, and VERITAS) offer snapshot backups that freeze a point-in-time copy of the data in an Exchange database. Without delving into the differences between specific products, all of these products are supported by Microsoft only as offline backups. That doesn't mean that you can't use them, it just means that these solutions aren't directly supported by Microsoft. MS KB 311898 (XADM: Hot Split Snapshot Backups of Exchange) provides a brief overview of snapshot and hot split backups, and has this to say:
For Exchange Server 2003 running on Windows 2003, there's an alternative method of making point-in-time copies; the Windows Volume Shadow Copy Service, or VSS. VSS is a system service that ties together applications, backup, or utility programs, and hardware to provide a safe method for creating point-in-time copies. With VSS, here's what happens:
As we write this, there are still very few vendors outside of Microsoft that are shipping stable VSS-aware products. However, most major backup vendors (including VERITAS, Computer Associates, and CommVault) support VSS, as do many SAN hardware vendors. At the time of this writing, VSS implementations for Exchange have not been widely produced. Until this technology becomes more mature, and more vendors provide solutions based on VSS, we're sticking with full, online backups for our Exchange servers. Backup Types: Full, Incremental, and DifferentialEarlier in this section, we mentioned that transaction logs must periodically be purged. Assuming you don't have circular logging enabled, you shouldn't do this manually; the supported way of purging the logs is to back up the log files themselves. When you perform an online backup with a program that supports the Exchange backup API, the log files may or may not be purged, depending on the type of backup you've specified. Understanding the backup types is thus critical to knowing how to ensure that the log files are backed up. (Before reading the remainder of this section, you may find it useful to revisit the Introduction in Chapter 6 on how incoming transactions are logged.) Full backups are the easiest type of backup to understand. When you perform a full online backup on an Exchange database, the database is backed up in its entirety, but the logs remain untouched. When you perform a full backup of a storage group, all of the databases are backed up, and the log files are truncatedtheir transactions are committed, and the transaction log files are removed from the disk. To restore a full backup, all you need is the full backup itselfif you restore your Monday full backup, you only need the Monday tape to roll back to that point in time. Incremental backups capture only pages within the database that have changed since the most recent full backup; they do this by backing up (and then removing) all log files generated since that backup. This tends to make these backups small and fast, but the consequence is that you can't do a complete restoration using only incremental backupsyou must first restore the full backup, and then restore each incremental backup that you have, in the correct order. Let's say you adopt the common approach of taking a full backup weekly (say, on Sunday) and incrementals daily. If you want to restore to the system state on Wednesday, you need the Sunday full backup and the Monday, Tuesday, and Wednesday incrementals. If you don't have the Tuesday tapes, you will only be able to restore the Monday state; you can't play back transaction logs that were generated after a missing or corrupt earlier generation. Differential backups are a hybrid of full and incremental backups. They accumulate all transactions since the last full backup, but they don't purge the log files when the backup is completed. If you combine a weekly full backup with daily differentials, each differential will be larger than the preceding day's backup, but you only need a particular day's differential plus the full. In the Sunday scenario described earlier, to restore to Wednesday's state, you'd need the Sunday full backup and the Wednesday differential. What backup type should you use? It depends on how much time you can afford to take for backup and restore operations, and the capacity of your storage media and devices. For example, if your backup hardware requires 12 hours to make a full backup of your current databases, but only two hours for an incremental backup (on average, of course), you'd probably find that a weekly full, combined with daily incrementals, would give you adequate protection. However, you must factor in restore times. Let's say your goal is to restore a failed database within four hours. That means that, within a four-hour window, you need to locate all the needed backup media, start the backup, wait while the backed-up data are retrieved from tape or disk, and then wait while the logs are played back and the database is mounted. The largest portion of time will be spent reading the data from tape. If you can restore 10 GB per hour, then you can restore a maximum of between 20 and 30 GB during your four-hour window. You might be able to cut that time by splitting larger databases into smaller ones, redistributing mailboxes between servers, or using different backup hardware. |