With so many Microsoft Azure solutions available, it’s possible that one solution might have gone by unnoticed: Windows Azure Backup. As its name suggests, Windows Azure Backup allows Windows to make backups to Azure. No surprises there. However, what might surprise you is what’s going on under the hood. Before I discuss how Windows Azure Backup works, though, I’ll give you a high-level look at when you can use it and what you need to do so.

A High-Level Look

Windows Azure Backup lets you back up files in one of two scenarios:

  • You can back up files from a standalone server.
  • You can back up members of Microsoft System Center Data Protection Manager (DPM) protection groups. For this scenario, only DPM 2012 SP1 and DPM 2012 R2 can be used in conjunction with Windows Azure Backup.

If you want to make backups to Azure, here’s what you’re going to need:

  • An Azure account or subscription
  • A certificate
  • A passphrase
  • The Windows Azure Backup agent

Let’s take a closer look at these necessary components.

Azure Account or Subscription

You can create an Azure account on the Windows Azure website. Although I don’t know how long the offer will last, at the time of this writing, you can sign up for a free trial account. With a trial account, you can do some basic testing to see what solutions are right for you.

If you’re already a service administrator as part of a larger account, you’ll need to have Recovery Services added to your subscription. However, if you’re creating your own account, you can add it on your own. For more information about the difference between an Azure account and an Azure subscription, see the Manage Accounts, Subscriptions, and Administrative Roles web page.

After you have your subscription in order, you need to create a backup vault. The vault is simply a storage construct used to hold your backups. You can put all your backups in a single vault or create multiple vaults to organize your backups.


A certificate is used to grant access to the vault. The certificate must be uploaded to the vault. In addition, any server that you’re going to back up to the vault will need to import this certificate.

You can use any valid SSL certificate issued by a Certification Authority (CA) trusted by Microsoft, whose root certificates are distributed through the Microsoft Root Certificate Program. The certificate must meet the following requirements:

  • It must be an x.509 v3 certificate.
  • There must be a .cer format file that contains the public key to upload to the vault.
  • The key length should be at least 2048 bits.
  • The certificate must have a valid ClientAuthentication extended key usage (EKU).
  • The certificate should have a validity period that doesn’t exceed three years.
  • The certificate should reside in the Personal certificate store of the local computer on which you plan to install the Windows Azure Backup agent.
  • The private key should be included during the installation of the certificate.

If you don’t have a CA-issued certificate, you can use the MakeCert.exe tool to manually create a self-signed certificate. The MakeCert.exe tool is part of the Windows SDK. After you download the Windows SDK, you’ll find MakeCert.exe in the Bin folder of the SDK’s installation path. The following command will create a certificate that meets all of Microsoft’s requirements:

Makecert.exe -r -pe -n “CN=AZUREBACKUP” -ss my
  -sr localmachine -eku -e 12/12/2015
  -len 2048 AZUREBACKUP.cer

You might want to alter the expiration date, which is currently listed as 12/12/2015. However, don’t set it to a date more than three years in the future.


The passphrase is used to encrypt the backups before they’re copied into the vault. Selecting and storing your passphrase is important, because it’s not shared with Microsoft. In other words, if you lose your passphrase, you won’t be able to restore from the backups in the vault.

Although it’s possible to use the same passphrase for all your servers, it would be akin to using the same password for every website you visit. Is it possible? Yes. Is it secure? No. It’s recommended that you use a different passphrase for each server that you’re backing up to Azure.

After you upload the certificate, keep the web interface to the vault open. You’ll need this interface again shortly. Although I mentioned the passphrase, I haven’t discussed how to set it yet. I’ll do that when I’m discussing the Windows Azure Backup agent installation.

Windows Azure Backup Agent

The Windows Azure Backup agent can be downloaded from the Windows Azure website. The link is visible when you select the backup vault. You’ll find that there are two flavors of this client:

Stepping through the installation is pretty standard. You’ll be prompted for a cache location. This needs to be a volume with free space equal to or greater than 10 percent of the data set you plan to back up. This is where the Windows Azure Backup agent will put the backup while it’s being compressed and encrypted, which occurs before it’s copied to the vault.

You’ll also be prompted for a passphrase. You can either create one or have the wizard generate it for you, as Figure 1 shows. Make sure you store your passphrase somewhere secure after you have entered it into the setup wizard.


Creating the Passphrase
Figure 1: Creating the Passphrase


When the agent installation is complete, you still need to register the server. This allows you to select the certificate you’ll use on that server and match it to the one you already uploaded to your backup vault.

For the standalone server scenario, you can register the server by running the Windows Azure Backup agent and selecting the Register Server option, as Figure 2 shows.


Registering a Standalone Server in the Windows Azure Backup Agent
Figure 2: Registering a Standalone Server in the Windows Azure Backup Agent


When DPM is in the picture, you can register the DPM server from within the DPM Administrator Console, as shown in Figure 3.


Registering a DPM Server in the DPM Administrator Console
Figure 3: Registering a DPM Server in the DPM Administrator Console


Both actions trigger the same registration wizard.

How Windows Azure Backup Works

So far, you’ve seen how to get Windows Azure Backup configured, but you need to know what it’s actually doing when you use it. Because there are two different scenarios in which to use Windows Azure Backup, let’s look at them individually.

Standalone server solution. As Figure 4 shows, the standalone server solution is straightforward. The Windows Azure Backup agent, which looks in appearance like Windows Server Backup, tells the Volume Shadow Copy Service (VSS) to create a snapshot of the data set to be backed up. For those of you unfamiliar with how VSS works under the hood, here’s what typically happens: When a snapshot is taken, the data is put into a consistent state, then frozen (i.e., all changes are blocked) until the snapshot is created. Because you want the data to be in a consistent state, writers will instruct VSS on how to handle their respective data sets. (Microsoft SQL Server has a writer, Microsoft Exchange has a writer, the registry has a writer, and so on.)


Understanding How the Standalone Server Solution Works
Figure 4: Understanding How the Standalone Server Solution Works


With Windows Azure Backup, VSS doesn’t use any writers. For example, Figure 5 shows the VSSAdmin command being run to list snapshot information while the Windows Azure Backup agent is running. As you can see, no writers are being used.


Running the VSSAdmin Command to Show That Writers Aren't Being Used
Figure 5: Running the VSSAdmin Command to Show That Writers Aren’t Being Used


Without a writer, data sets that need to be prepped for the freeze can’t be prepped. The downside to all of this is that any data that requires a special VSS writer can’t be backed up using Windows Azure Backup. This means no Exchange backups, no SQL Server backups, no system state backups—just offline data files. However, if you were looking forward to backing up SQL Server to your new vault, don’t despair. You can use the DPM solution to do so.

DPM solution. DPM can protect various servers by backing them up to protection groups. Typically, that’s the end of it. However, if you also install the Windows Azure Backup agent on the DPM server, you can use it to back up members of the protection groups to your vault, as Figure 6 shows.


Understanding How the DPM Solution Works
Figure 6: Understanding How the DPM Solution Works


After the Windows Azure Backup agent is installed, the online protection option will be available in DPM, as you can see in Figure 7. Once this option is enabled and configured, your DPM protection groups will be backed up to your vault, extending the protection of your data to the cloud.


Choosing the Online Protection Option in DPM
Figure 7: Choosing the Online Protection Option in DPM


In both the standalone server and DPM scenarios, the backup is created locally and encrypted using the passphrase that was supplied during the installation. Then the backup is copied to the appropriate vault, where it will remain, based on your retention policy.


The standalone server and DPM solutions have different retention maximums. In the standalone server scenario, backups can be retained in the vault for up to 30 days. This is configurable in the Windows Azure Backup agent’s scheduling wizard.

In the DPM scenario, the maximum backup retention period is 120 days. In addition, there’s a backup limit of either 120 backups or 850GB data size per protected data source. This can be configured in DPM’s protection group wizard.

You should be aware of some other limitations as well. Windows Azure Backup can’t be used when:

  • A non-NTFS volume is used
  • The drive type isn’t fixed
  • A volume is read-only
  • A volume is offline
  • A volume is on a network share

Quick and Easy Way to Perform Offsite Backups

Whether you’re looking to back up files directly to the cloud or you’re looking to strengthen the protection provided by DPM, Windows Azure Backup provides a quick and easy way to perform offsite backups. Just be aware that not all data sets can be protected by it. You can find additional tutorials and guides on the Recovery Services documentation web page.


Category: How to do; Servers; Ideas
Published: 2/20/2014 9:52