The following is tip #9 from "20 tips on protecting and recovering Exchange data in 20 minutes," excerpted from the book, "Mission Critical Microsoft Exchange 2003" (Digital Press, a division of Elsevier, Copyright 2004). For more information about this book and other computing titles, please click here. Return to the main page for more tips on this topic.
Traditional best practices for backup call for a combination of full and incremental or differential backups to ensure data recoverability. However, within the Exchange space, the de facto backup best practice is daily full backups with no incremental or differential backups. For the most part, this strategy has served Exchange administrators well. However, in the event that a particular backup tape media goes bad, there is a potential for data loss.
Let's look at this problem closer. Suppose you are performing daily full backups for your Exchange server. On Day 3 of the rotation, your Exchange database becomes corrupt and you must restore from backup. However, when you go to use the backup tape from Day 2, you discover that the media is damaged, rendering the backup unusable. In this scenario, you would be forced to go to the tape and backup set for Day 1. However, if you use this backup set, it contains a valid database and log files up to the point in time that the backup was performed on Day 1. On the subsequent day (Day 2), the full backup operations have truncated the log files residing on disk that occurred after Day 1. The consequences of this backup strategy provide for recovery of your Exchange data up to the point of backup on Day 1 (in the event that the Day 2 backup set is bad).
However, since subsequent full backups have been performed on Days 2 and 3 and log files have been truncated, there are gaps in the generational sequence required to recover to Day 3 using the Day 1 backup set (Day 2's backup is bad).
At this point, the Exchange administrator will find himself or herself in a position where he or she can recover to Day 1 and has some log files on disk that were created since the Day 2 backup. There are gaps in the sequence. For example, if the database and log files 001 and 002 were recovered from the Day 1 backup set, Day 2 stored the database and logs 003 and 004, and logs 005 and 006 are on disk on Day 3, the loss of the Day 2 backup set results in a gap in the generational sequence of two log files. (Logs 001, 002, 005, and 006 are available. Logs 003 and 004 are not available.) This means that recovery is only possible to the point of log file 002 since ESE will not allow recovery to proceed beyond the gap in the sequence.
The above scenario exposes a potential flaw in the daily full backup strategy that has become the de facto standard for Exchange Server disaster recovery. To work around this potential problem, we must look at two things.
First, we must address the issue of bad media. If frequent media failures are plaguing your disaster recovery efforts, it is important to take steps to address this issue outside of Exchange management and look at the causes and factors that are contributing to this problem. You may need to look to your hardware vendor or to your procedures and processes to find the cause of frequent media failures.
However, even with the most proactive approach, top-notch hardware and bulletproof best practices, media failures may still occur. If your SLAs dictate the up-to-the-minute recovery of Exchange data, you may need to consider enhancing your backup strategy to protect from media failures and other issues that would result in missing sequences of log file generations.
One approach to the problem of missing log file sequences as a result of missing or bad backup sets is to augment daily full backups with differential backups at the mid-point during the day. For example, if you perform a full backup at 12 a.m., you would perform a differential backup at 12 p.m. This would increase the number of log files available on your backup media and potentially lessen the possibility of missing log files in the event of a media failure.
However, there would be no guarantees. Another approach would be to perform a copy backup (a copy backup copies the databases and the log files, but does not truncate the log files) at 12 a.m. followed by an incremental backup at 12 p.m. This approach would preserve all log files during the copy backup and truncate the logs during the 12 p.m. incremental backup.
Alternately, the 12 p.m. incremental backup could be a dif¬ferential backup, which would not truncate the log files. With this alternative (copy + differential), however, the logs would never be truncated. It is up to the Exchange administrator to understand the implications of the type of backup and schedule chosen along with the potential hazard of bad or lost media. It is important that disaster recovery plans provide the right backup types and schedule to meet the established SLAs.
Get more "20 tips on protecting and recovering Exchange data in 20 minutes." Return to the main page.
About the author: Jerry Cochran is a contributing editor for Windows IT Pro and Exchange & Outlook Administrator and a group program manager for Microsoft. He is the author of Mission-Critical Microsoft Exchange 2000 (Digital Press).