Chapter 10. Implementing Backup and Restore

Chapter 9 provided the foundation to help you prepare your backup and restore strategy. This chapter guides you through that process.

Creating an Effective Backup Strategy

On many production servers, the backup and restore strategy is to perform only periodic (such as weekly) full database backups with transaction log backups between the full database backups (with a frequency of, say, every two hours). Some companies add occasional differential database backups (for example, nightly except on the day when full backups occur). The basic strategy of performing full database backups and transaction log backups is adequate to minimize data loss.

However, if you want to achieve high availability, you can minimize downtime by restoring a differential database backup instead of all of the logs over the same period. Restoring a differential backup is significantly faster because it contains the extents holding the completed results of all modifications made since the last full backup, so those changes do not have to be replayed from the log. In some cases, however, the size of the differential backup might approach the size of a full backup. If this is your scenario, then you are better off performing a full database backup so that you have less to restore (just the full backup and the appropriate transaction logs). Regardless of whether you add differential database backups to your strategy, you must use a full backup as the starting point for a restore.
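As a hedged sketch, the restore sequence for a full-plus-differential strategy might look like the following Transact-SQL. The database name (Sales) and backup file paths are illustrative assumptions, not names from this chapter.

```sql
-- Restore the most recent full database backup, leaving the
-- database nonoperational so more backups can be applied.
RESTORE DATABASE Sales
    FROM DISK = 'E:\Backups\Sales_Full.bak'
    WITH NORECOVERY

-- Restore the most recent differential; it contains all extents
-- changed since the full backup, so the intervening log backups
-- do not need to be applied.
RESTORE DATABASE Sales
    FROM DISK = 'E:\Backups\Sales_Diff.bak'
    WITH NORECOVERY

-- Apply each transaction log backup taken after the differential.
RESTORE LOG Sales
    FROM DISK = 'E:\Backups\Sales_Log_01.trn'
    WITH NORECOVERY

-- Recover the database when the last log backup is applied.
RESTORE LOG Sales
    FROM DISK = 'E:\Backups\Sales_Log_02.trn'
    WITH RECOVERY
```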

If you have a very large database (VLDB), which is usually measured in hundreds of gigabytes or even terabytes, you must consider how long your VLDB takes to back up. More important, you also have to consider the time it will take to restore the database. Are these times acceptable based on your business requirements?

Tip

Always use recovery-oriented planning when determining your backup strategy, no matter what size your databases are. Do not base your strategy on how long your backups take to run; base it on how long it will take to recover from a data-loss event. Unless your strategy uses storage-assisted backups such as split-mirror, a restore that incorporates a full database backup as part of the strategy is likely to take a long time, possibly multiple hours or even days depending on the size of your database. Even if a time span of hours or days of downtime is acceptable (if so, chances are this book is meaningless to you), how much data can you afford to lose? What is your site redundancy strategy? Do you use log shipping or copy all your log backups to a secondary site?

Microsoft SQL Server temporarily prevents certain operations, such as a transaction log backup, while a full database backup or a differential database backup is running. You could encounter a significant amount of data loss if a site failure occurred during the full or differential database backup. This scenario might sound unlikely, but when your full database backup time is measured in hours, your work-loss exposure and risk of data loss increase dramatically. If your database backup takes eight hours to perform, your secondary site could be as much as eight hours behind at the time of a failure. This situation could result in eight hours of data loss if the backup was not complete or had not been copied to the secondary location. Losing eight hours of data is unacceptable in most cases.

What if you could allow transaction log backups to occur while you were performing a different type of backup? Then it would be possible to continue to send transaction log backups to the secondary site even while your large backups are occurring. You might choose not to perform a full database backup regularly if you back up transaction logs on a frequent basis. (Every minute or two is a common frequency for minimizing data loss. However, you are limited by the speed of your systems as well as your workload if you try to perform transaction log backups that frequently; it might not be possible.) By using a file/filegroup backup strategy, you can completely avoid performing a full database backup, and log backups will never be paused. This strategy allows a secondary site to always be as close as possible to the primary site and minimizes the potential data loss.

Some basic backup and restore strategies have few restrictions. A full database backup has no real restrictions; it can be performed anytime. However, the more advanced file and filegroup backup strategies have some basic requirements you need to understand. Primarily, you must perform transaction log backups, a crucial component of restore, on a regular basis. When you perform transaction log backups, you minimize the risk of data loss and take advantage of features such as decreased total downtime in the event of isolated failure by using file/filegroup strategies. To be able to perform transaction log backups, first you must set the database recovery model to either Full or Bulk-Logged. If you set the recovery model to Simple, you cannot back up the transaction log, and you will not be able to use the file/filegroup backup strategy.
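Setting the recovery model is a one-line statement. This sketch assumes a hypothetical database named Sales:

```sql
-- Required before transaction log backups are possible.
ALTER DATABASE Sales SET RECOVERY FULL

-- Alternatively, to reduce log volume during bulk operations
-- (at the cost of point-in-time recovery during those operations):
-- ALTER DATABASE Sales SET RECOVERY BULK_LOGGED

-- Verify the current setting.
SELECT DATABASEPROPERTYEX('Sales', 'Recovery')
```

If the result is SIMPLE, transaction log backups cannot be performed and the file/filegroup strategy is unavailable.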

Important

Transaction log backups are required for recovery if you use a file/filegroup backup strategy.

One optional configuration decision is to place your database objects strategically within the database when you create them. In most databases, and especially in a VLDB, your data will likely vary in the way it is used. For example, some data will be predominantly read-only and some will be predominantly read/write. In some tables, new rows might be read/write to accommodate frequent inserts, whereas old rows (historical data used mainly for analysis) would be read-only. For other tables, the distribution might vary based on corporate policy. For example, if price changes to products in a catalog are infrequent, price information would be predominantly read-only until price increases were periodically propagated as changes to the database.

After reviewing the overall use of your data, you can determine table use and strategically place read-only tables (or tables with isolated or batch modifications) in their own filegroup and read/write tables in another. You then not only save time during a restore, but you also save money and time during backups. Although the read-only portion of your database might be large, it does not need to be backed up as often as the read/write portion.

Note

There are two important factors to be aware of:

  1. Even though a filegroup is read-only, you still have to restore all the log files until the end of the transaction log backup files. See the topic "How to restore files and filegroups (Transact-SQL)" in SQL Server Books Online.

  2. You can back up all the filegroups, immediately followed by a transaction log backup, and get the equivalent of a full database backup. In this case, you have all the data in one backup set and will need only to restore log backups after that point. The strategy of using file backups to allow for continuous, frequent log backups is therefore not as cumbersome as it might seem. You restore the main data backup, then all the log backups taken while the data backup was in progress. However, be aware that the first log backup to restore after the data backup might have been taken before the data backup started.

Additionally, partitioning your larger tables to split read activity from write activity can improve maintenance performance. Operations such as rebuilding an index take less time on physically smaller tables. For example, consider a typical sales table that holds the online sales information for a large company. Sales for the current month are read and write (which requires frequent index maintenance). In contrast, sales from the previous month or quarter are read-only because they are now used only for analysis, meaning maintenance occurs only once a month when the data is moved to the read-only portion of the database.

For tables with different usages, consider using separate filegroups for each type of data. For example, creating four separate filegroups—one for read-only data, one for read/write data, one for text and image data, and one for extremely large tables—can help when you are determining your backup strategies. Not only will you reduce maintenance times for each of the smaller tables (in other words, data partitions), but you will also add numerous backup and, especially, restore strategy options that can reduce downtime and backup costs.
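A sketch of that four-filegroup layout follows. All filegroup names, logical file names, paths, and sizes here are illustrative assumptions:

```sql
-- Add the filegroups described above to a hypothetical Sales database.
ALTER DATABASE Sales ADD FILEGROUP ReadOnlyFG
ALTER DATABASE Sales ADD FILEGROUP ReadWriteFG
ALTER DATABASE Sales ADD FILEGROUP BlobFG
ALTER DATABASE Sales ADD FILEGROUP LargeTableFG

-- Each filegroup needs at least one file before it can hold data.
ALTER DATABASE Sales ADD FILE
    (NAME = SalesReadOnly1,
     FILENAME = 'F:\Data\SalesReadOnly1.ndf',
     SIZE = 10GB)
TO FILEGROUP ReadOnlyFG

-- Place a table on a specific filegroup at creation time.
CREATE TABLE dbo.SalesHistory
    (OrderID int NOT NULL,
     OrderDate datetime NOT NULL)
ON ReadOnlyFG
```

Tables can also be moved to a filegroup later by rebuilding their clustered index on that filegroup, which is why testing this layout before production (as the Important note below advises) matters.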

Important

Do not partition databases into multiple files or filegroups in a production environment without first testing to see if you will actually benefit from implementing files and filegroups. Although there are good arguments for moving things into their own files and filegroups, as noted earlier, doing this can ultimately add to your administrative overhead and, in turn, maintenance. The maintenance might run more quickly in some cases, but you might have more tasks to perform and more objects and tasks to manage. Ultimately, you will be making some trade-off. You want to create an entire SQL Server solution—including a backup and restore strategy—that you can maintain and perform day in and day out.

Finally, remember to back up all of your operating system files, application files, registry entries, and so on. In most cases, it is faster to restore the base state of your servers than it is to install again from scratch from CDs or DVDs. Although a database administrator (DBA) is not usually responsible for backing up these files, a DBA must coordinate with those people who are responsible for doing this to ensure that their systems are fully protected.

Backup Retention

Before you can devise a backup strategy, take into account your company’s archival scheme, if one exists. An archival strategy is also known as a retention period for your backup files. A retention period involves the following:

  • How long you will keep a backup, whether it is a SQL Server database, the operating system, or any other application data. The amount of time a file is retained is usually dictated by a corporate policy, but is also governed by cost, space, and other logistics.

  • How long you will keep media active in the backup mix, otherwise known as rotation. Using the same tape repeatedly is not the proper strategy because you are just overwriting your backups onto the same tape or disk without being able to go back to an older backup should that backup process fail. Media also fails, which is another reason for rotation. Do not let your media be a huge point of failure. Along with rotating your media, label each tape or disk with the contents and backup date so you are not playing the "Guess the Proper Backup Tape" game in a potential disaster recovery or restore situation.

  • The location of backup storage. Whether it is on tape or disk, the media the backups are stored on takes up physical room. Do you store the media on site or off site? If your corporate disaster recovery strategy states that you must be able to go back a week, it might make sense to keep a week (or even two) on site, but anything older than that should be stored in a secure, climate-controlled off-site facility. You are also at risk if a damaged datacenter housed not only your systems, but your complete corporate archive of backup tapes as well. Remember that backup tapes take up physical storage space and have a cost associated with them, so you might not be able to keep every backup since the inception of your company. Many companies implement an archival and rotation schedule of somewhere between 30 and 90 days, unless they are regulated by an external auditing agency or specific industry rules (for example, financial companies) and are mandated to retain large amounts of archived backups.

  • Off-site location access. If you store your backups at an off-site location, you need to have physical access to the location at all hours, so choose your storage facility wisely.

On the CD

Use the file SQL_DB_Backup_Info.xls to record your backup strategy. It has two main tabs that you can copy and modify. One is for an entire instance of SQL Server so you can record the databases, and one is per application. This strategy allows you to have two views to understand the scope of your backup strategy better.

Devising a Backup Strategy to Create an Optimal Recovery Strategy

The most effective backup approach combines two strategies: one strategy is based on full database backups (the full database–based backup strategy), and the other is based on file/filegroup backups (the file-based backup strategy). Both strategies can use differential backups, but all strategies involve the use of transaction log backups.

The Full Database–Based Backup Strategy

This strategy is the most common one. It is generally based on backup types that have been available since the introduction of SQL Server, yet if the environment is right it might also use one of the newer backup types to improve recovery time. This strategy is easier to administer than the file-based backup strategy and offers up-to-the-minute recovery and point-in-time recovery. You can change between the Full and Bulk-Logged recovery models without breaking the continuity of the log. Remember also to review the recommended practices for batch processing, because following them significantly reduces the work-loss exposure created while the Bulk-Logged recovery model is in use.

The typical strategy consists of automated backups of these types:

  • Full database backups

  • Differential database backups

  • Transaction log backups

Their frequency is dictated by your database but usually follows something like this:

  • Full database backups weekly (although less frequent full backups are an option, as these might be quite large and expensive to manage).

  • Differential database backups nightly (except on the night of the full database backup).

  • Transaction log backups: consistent and automated, plus two special cases. The frequency dictates the potential work-loss exposure in terms of minutes as well as the transaction log size. The smaller the interval, the smaller the log will be, although this is, of course, dependent on database activity.

    • Automated. Hourly, every 30 minutes, every 5 minutes, every 1 minute, and so on.

    • Special Case 1 (Proactive). When the transaction log "percent log used" reaches a higher than normal level, back it up proactively before it fills up.

    • Special Case 2 (Reactive). When the transaction log fills up, back it up.
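A proactive job along the lines of Special Case 1 might check the log's percent used with DBCC SQLPERF and back the log up when a threshold is crossed. The database name, threshold, and backup file name below are illustrative assumptions:

```sql
-- Capture the output of DBCC SQLPERF(LOGSPACE) into a temp table.
-- The columns are, in order: database name, log size (MB),
-- log space used (%), and status.
CREATE TABLE #logspace
    (DatabaseName    sysname,
     LogSizeMB       float,
     LogSpaceUsedPct float,
     Status          int)

INSERT INTO #logspace
    EXEC ('DBCC SQLPERF(LOGSPACE)')

-- Back up the log proactively if it is more than 70 percent full.
IF EXISTS (SELECT *
           FROM #logspace
           WHERE DatabaseName = 'Sales'
             AND LogSpaceUsedPct > 70)
BEGIN
    BACKUP LOG Sales
        TO DISK = 'E:\Backups\Sales_Log_Proactive.trn'
END

DROP TABLE #logspace
```

Scheduled as a frequent SQL Server Agent job, a check like this covers the proactive case; the reactive case (Special Case 2) is simply the same BACKUP LOG statement run when the log has already filled.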

Consider the following example using full and transaction log backups as well as differentials, because performing full database backups weekly leads to a large number of hourly transaction log backups. In a week, if you performed a transaction log backup every hour, you would have nearly 170 transaction log backups (24 × 7 = 168, but because you perform one full backup, no transaction log backups occur during that process).

Restoring all of these transaction logs from transaction log backups takes time and is cumbersome. You want a streamlined process, not one in which you need to write close to 170 Transact-SQL statements. So although applying all of the operations in the transaction logs takes significantly less time than the original modifications took (again, no computations, no functions, just data is applied, but for every log row), it could still take a lot of time. Instead of having to rebuild a version of a database by reapplying changes row by row, you can get to a specific point in time much more quickly by using a differential backup.

In this scenario full database backups are represented as F1 and F2, differential database backups are represented as D1, D2, D3, and D4, and 20 transaction log backups are shown as l1 through l20. At point in time x you decide to recover the database.

Note

In this example, only automated backups are used to describe recovery. When disaster recovery using backups is discussed, you will learn how (and when) to access a final backup, which includes the changes since the database was taken offline. In this case a 28th backup would be necessary. This backup is called the tail of the transaction log and it provides up-to-the-minute recovery. This part of your recovery process is the most important, and the procedure has not yet been discussed. However, all of the sample scripts include the code for backing up the 28th backup—backing up the tail of the log.
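Backing up the tail of the log in SQL Server 2000 generally uses the NO_TRUNCATE option, which allows the log to be backed up even when the database's data files are damaged. The database and file names here are illustrative:

```sql
-- Back up the tail of the transaction log after a failure.
-- NO_TRUNCATE permits the backup even if the data files are
-- inaccessible; the log file itself must still be intact.
BACKUP LOG Sales
    TO DISK = 'E:\Backups\Sales_Log_Tail.trn'
    WITH NO_TRUNCATE
```

This tail backup is restored last, as the final log backup in the recovery sequence, to achieve up-to-the-minute recovery.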

F1 l1 l2 l3 D1 l4 l5 l6 D2 l7 l8 l9 D3 l10 l11 l12 F2 l13 l14 l15 D1 l16 l17 l18 D2 l19 l20 x

This example shows a total of 27 backups. With this backup strategy, you have multiple potential recovery paths and more efficient recovery. The most optimal recovery path is to use the last full database backup, the last differential backup after that full database backup, and then all of the transaction log backups taken after the differential backup, which restores the database up to the minute when that is possible.

F2

D2 l19 l20

This strategy is optimal because you can recover all of the activity that occurred between the full database backup at F2 and the differential backup at D2 with only a single restore. This restore is a copy of how the pages looked at the point in time when the differential backup was made, and it includes all changes since the full backup. Remember, each differential database backup includes all changes since the last full backup. Each differential could get larger and larger, so you will still want to periodically perform a full database backup. However, differentials offer the ability to perform a potentially smaller backup (maybe a fraction of the entire database) more frequently and not burden the system by performing full database backups. But what if the last differential backup was bad? Do you have any other options? You could use the differential backup prior to that as shown here:

F2

D1 l16 l17 l18

l19 l20

If that differential backup were bad as well, then you could use only the transaction logs and still recover:

F2 l13 l14 l15

l16 l17 l18

l19 l20

If the last full database backup were bad, you have other options. If the backup at F2 is bad, go back to F1. However, when you go back to a previous full database backup, you must remember that the only differentials you can apply are those based on that version of the full database backup. For the full database backup performed at F1, you can apply any differentials performed after that full backup (and not after another) and before the next full database backup (F2 in this case). If F1 were required for the restore, then the most optimal restore sequence starting with F1 would be the following:

F1

D3 l10 l11 l12

l13 l14 l15

l16 l17 l18

l19 l20

You could then repeat the same process described previously and return to an earlier differential if the differential database backup D3 were bad. A complete list of all of your remaining options follows:

F1

 

D2 l7 l8 l9

l10 l11 l12

l13 l14 l15

l16 l17 l18

l19 l20

F1

D1 l4 l5 l6

l7 l8 l9

l10 l11 l12

l13 l14 l15

l16 l17 l18

l19 l20

F1 l1 l2 l3

l4 l5 l6

l7 l8 l9

l10 l11 l12

l13 l14 l15

l16 l17 l18

l19 l20

In fact, even if this full database backup at F1 were bad, you could return to the previous full database backup, assuming you kept it, and still roll forward to the last transaction log backup. Or you could return to the previous full database backup—or the one before that, or the one before that—as long as you have the entire sequence of log backups to apply.
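The recovery paths above translate directly into a chain of RESTORE statements. A hedged sketch of the optimal path (F2, then D2, then logs l19 and l20, then the tail of the log) follows, with all file names assumed:

```sql
-- Optimal path: last full, last differential, then remaining logs.
RESTORE DATABASE Sales FROM DISK = 'E:\Backups\Sales_F2.bak'   WITH NORECOVERY
RESTORE DATABASE Sales FROM DISK = 'E:\Backups\Sales_D2.dif'   WITH NORECOVERY
RESTORE LOG      Sales FROM DISK = 'E:\Backups\Sales_l19.trn'  WITH NORECOVERY
RESTORE LOG      Sales FROM DISK = 'E:\Backups\Sales_l20.trn'  WITH NORECOVERY

-- Finally apply the tail-of-log backup and recover the database.
RESTORE LOG      Sales FROM DISK = 'E:\Backups\Sales_tail.trn' WITH RECOVERY
```

If D2 were bad, you would substitute D1 and add the l16 through l18 log restores before l19, exactly as the fallback sequences above show.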

Tip

Never truncate the transaction log; it breaks the log backup sequence.

Case Study: A Differential Rotation Schedule and Cost Analysis

As part of an overall cost-savings analysis, a company determines that by implementing a differential backup strategy, its backup needs can be covered completely while the company saves money at the same time. Because transaction log backups are critical, the company decides that transaction log backups should be performed to disk. Additionally, it augments the backup strategy with a log shipping site at a remote location. The current full database backup strategy costs $44,380 annually. The breakdown of the costs associated with it is as follows:

  • Tape costs. Each Linear Tape-Open (LTO) tape costs $70, and each full database backup requires 3 LTO tapes. Full database backups are performed daily, requiring 21 LTO tapes per week. Tapes are reused every 12 weeks (allowing the company to keep each month of history and then reuse after roughly 3 months). Proactively, tapes are cycled out after 24 weeks, allowing an archive off site of roughly 6 months. The total cost per year is $35,280. (All price quotations in this book are in U.S. dollars.)

  • Labor costs. A typical operator who is paid $50 an hour takes half an hour a day to locate, mount, dismount, label, and file each backup. Each week this process requires a total of 3.5 hours, and this specific task takes a total of 182 hours per year. The total labor cost per year is $9,100.

However, the database is over 1 terabyte (TB) and only 2 percent of the data changes daily. If 1 TB of data can fit on 3 tapes, several database differential backups can easily fit on the same tapes. In fact, numerous differentials can even fit on a single tape. The first day the backup will be 20 GB (the total backup space needed is 20 GB); the second day it will be 40 GB (if appended, the total backup space needed is 60 GB); the third day it will be 60 GB (again, if appended, the total backup space needed is 120 GB); the fourth day it will be 80 GB (if appended, the total backup space needed is 200 GB); and so on.

Effectively, you could fit an entire week’s worth of differential database backups on one set of tapes; however, the decision is made to rotate tapes after three differential database backups and store them on only a single tape (instead of using a stripe set). This strategy yields a significant savings in both tape media and operational costs for a total of $10,350 annually. The breakdown of the costs associated with it is as follows:

  • Tape costs. Instead of performing full database backups daily, a full database backup is performed once per week and still requires 3 LTO tapes. Differential database backups are performed six nights per week; however, only three differential database backups are stored on each backup set. Because the size is expected to be less than 120 GB, only a single tape is used to store the differential database backups. The archiving process does not change, but instead of requiring 21 LTO tapes per week, this process requires only 5. The rotational practices are the same. The total cost per year is $8,400.

  • Labor costs. A typical operator who is paid $50 per hour takes half an hour to locate, mount, dismount, label, and file the weekly full database backup, plus time for the differential tapes. Each week, this new process requires a total of 45 minutes. A total of 39 hours per year is spent on this specific task. The total labor cost per year is $1,950.

The total saving from using differential backups is $34,030 ($44,380 – $10,350); the differential strategy saves more than 75 percent of the cost of the full database strategy. Additionally, because the differential backs up only a maximum of 12 percent of the database (2 percent per day over the six days until the next full database backup), this type of backup affects the production workload significantly less than the full database backup. Furthermore, transaction log backups are paused for a far shorter period of time, keeping the log shipping secondary more up to date.

Note

This example shows the cost savings of using different backup strategies. Not all databases can benefit in this way. Carefully weigh your needs and resources against your required recovery times and database type.

The File-Based Backup Strategy

This strategy was first possible in Microsoft SQL Server 7.0, but limitations in SQL Server 7.0 made it less robust than the implementation in SQL Server 2000. The most significant difference is that in SQL Server 7.0, files could not be backed up individually if they were part of a filegroup or if there were data dependencies with other filegroups; if they were, SQL Server required that all related files or filegroups be backed up at the same time. In SQL Server 2000, you can back up any file or filegroup at any time, with the only restriction being that your database must be in the Full or Bulk-Logged recovery model (which all production databases should be running in anyway).

The typical strategy consists of automated backups of these types:

  • Full file/filegroup backups

  • Differential file/filegroup backups

  • Transaction log backups

Note

Many applications that tend to get very large are usually vendor-neutral. As such, they do not usually support database-proprietary extensions such as filegroups, even though filegroups are transparent to the application. So before you start breaking up the database, make sure your software vendor will support you if you implement this file structure.

In the file-based backup strategy, you can completely customize the frequency and granularity of the backups, which is a huge benefit for a VLDB in which different portions of the data have different uses. You should customize the granularity based on the way the data is distributed within the database (such as targeting specific types of data to specific locations within a database). Moreover, you should determine the frequency of each backup based on the type of data that is stored there.

Determining which type of user data should go into your filegroups requires some strategizing. As a simple start, the Primary filegroup should contain only the system tables, and you need only one transaction log file. As discussed earlier, you need only one transaction log file because frequent log backups minimize the space required to hold the changes, and you do not gain performance by having more than one transaction log. For example, if your transaction log is backed up every minute, the transaction log needs to be only large enough to hold one minute's worth of log entries.

Note

Long-running transactions might require a larger log. Make sure you have tested the sizing of your transaction log against all of the types of activities that must occur within your database.

You should store user-defined data in nonprimary filegroups. In general, you should rarely split individual tables and their indexes into separate filegroups. However, you might consider this approach if you have a single large table that you want to place directly into a filegroup for better scan performance and more backup options. Remember, do not implement it without testing properly.

Tip

You cannot restore filegroup backups to another location without restoring the entire database. However, if you are using a full database backup, you can restore filegroups by using the WITH PARTIAL option on a restore. This approach is beneficial when recovering from user error. When recovering from hardware failure, and recovering in place, restoring a filegroup from a filegroup backup is faster than restoring from a full database backup. For more information, see the topic "Partial Database Restore Operations" in SQL Server Books Online.
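A partial restore from a full database backup might look like the following sketch. The database, filegroup, logical file names, and paths are all assumptions for illustration:

```sql
-- Restore the primary filegroup plus one user filegroup from a
-- full database backup into an alternate database, for example
-- to recover a table damaged by user error. WITH PARTIAL always
-- restores the primary filegroup; the named filegroup is added.
RESTORE DATABASE SalesPartial
    FILEGROUP = 'ReadWriteFG'
    FROM DISK = 'E:\Backups\Sales_Full.bak'
    WITH PARTIAL,
         MOVE 'Sales_Data'      TO 'G:\Restore\SalesPartial.mdf',
         MOVE 'SalesReadWrite1' TO 'G:\Restore\SalesRW1.ndf',
         MOVE 'Sales_Log'       TO 'G:\Restore\SalesPartial.ldf'
```

The MOVE clauses relocate the files so the partial copy can coexist with the production database on the same server.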

Here are a few recommendations for filegroup usage:

  • Read-only tables. A great benefit if the VLDB has a large portion of read-only data. For this portion of the database, you can significantly decrease the frequency of full filegroup backups and then only perform occasional filegroup differential backups. If the recovery plan includes only recovering the damaged file or filegroup and not an entire database, frequent file differential backups will minimize the cost of rolling the database forward.

  • Read-write tables. Can often make up the smaller percentage in VLDBs, yet still be critical to the database. The read-write tables need more frequent backups, yet they are only a minor fraction of the total size of the database. By placing them in their own filegroups, you can then set the frequency of backup of that filegroup.

  • Text or image data. Often in VLDBs, binary large objects (BLOBs) can take up a large amount of read-only space. As with read-only tables, you can benefit greatly by backing these up less frequently if everything in the filegroup is read-only, or by using differentials if little changes.

  • Large tables. The benefits here come mainly from having better control over the frequency of large-table backups. If you choose to put a table into its own filegroup, file-based backups help only in letting you choose a different granularity of backup; for example, you might back up less frequently because there are so few modifications. Unfortunately, you cannot perform a partial database restore from file and filegroup backups unless you are restoring because of hardware failure or file corruption. When an isolated failure occurs, SQL Server allows the recovery to include only the affected part of the database, in place.

    Once the file or filegroup has been restored, transaction log backups can be used to bring that file up to the point in time when the database became suspect. If you are trying to recover from an accidentally dropped table and return a part of the database to an earlier point in time, then this approach has no benefits. However, you can restore the entire database to an alternate location and then choose a more manual recovery process to bring an earlier version of the table into the database.

In fact, the file-based backup strategy provides some key benefits because it is so flexible, yet it is also complex in design, administration, and recovery. The most important part is making sure you back up every file at some point. You must achieve a complete backup set similar to what the full database backup provides (all data files must have been backed up) so that you can recreate the database structure completely, if necessary (for example, if you need to recover the database from the ground up). You can create this backup set (from which you can build the database framework, if needed) by either backing up the files individually, backing up the filegroups individually, or backing up some combination of the two—as long as all files are backed up at some point.
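A rotation that covers every filegroup over the week might be sketched as follows. The filegroup names, file names, and schedule are illustrative assumptions; the key point is that log backups are never paused by the filegroup backups:

```sql
-- Monday night: back up the read/write filegroup.
BACKUP DATABASE Sales
    FILEGROUP = 'ReadWriteFG'
    TO DISK = 'E:\Backups\Sales_ReadWriteFG.bak'

-- Later in the week: the read-only and BLOB filegroups.
BACKUP DATABASE Sales
    FILEGROUP = 'ReadOnlyFG'
    TO DISK = 'E:\Backups\Sales_ReadOnlyFG.bak'

BACKUP DATABASE Sales
    FILEGROUP = 'BlobFG'
    TO DISK = 'E:\Backups\Sales_BlobFG.bak'

-- Frequent log backups continue throughout, even while the
-- filegroup backups above are running.
BACKUP LOG Sales
    TO DISK = 'E:\Backups\Sales_Log.trn'
```

Once every filegroup has been backed up at least once and the log chain is intact, the complete backup set described above exists, even though no single full database backup was ever taken.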

What Both Strategies Do Well

Both strategies use differential backups as well as transaction log backups, which provides some significant benefits, such as the following:

  • Up-to-the-minute recovery. If the log is accessible and no Bulk-Logged operations have occurred since the last log backup, you will be able to back up the tail of the transaction log.

  • Built-in redundancy. If a full backup (file/filegroup or database) is damaged because of inaccessible media or for some other reason, you can use the previous full (file/filegroup or database) backup. Similarly, if a differential (file/filegroup or database) backup is damaged because of inaccessible media or for some other reason, you can use the previous differential (file/filegroup or database) backup.

The Pros and Cons of the Full Database–Based Backup Strategy

Although this strategy is the most common, you must be aware of its pros and cons. Better to know now your potential for downtime, data loss, or both during planning rather than at the time of a disaster!

The pros include the following:

  • Administration is simple.

  • When you combine it with other strategies (such as log shipping), this strategy is especially good at achieving minimal downtime and data loss in the event of a failure.

  • You can perform partial restores of the database to another location (which can be helpful in some recovery strategies).

The cons include the following:

  • Log backups are paused during the full backup (which can affect some of the other strategies, such as log shipping).

  • Log backups are paused during the differential backup. (Although this process should take less time than the full database backup, it can also affect other strategies.)

  • Significant data loss could occur if a disaster were to strike during a long-running full backup.

  • Full database backups can be quite large, and repetitively backing up predominantly read-only data is a waste of time and resources (disk or tape).

The Pros and Cons of the File-Based Backup Strategy

Although this strategy is not widely used, you should consider it if you have a VLDB. The strategy requires design techniques that focus on the physical placement of objects to use it to best effect. However, any database with multiple files can apply some of its basic principles. This strategy is best for situations in which log shipping is used and recovery is being optimized for hardware failure. If protection against human error is the main reason for choosing this strategy, you must be aware of the restrictions!

The pros include the following:

  • You can back up portions of the database on a more granular level and at different intervals.

  • You can perform log backups without delay or interruption to other dependent technologies (such as log shipping).

  • You can restore a portion of the database more quickly in the event of an isolated hardware failure.

The cons include the following:

  • Administration is complex.

  • You cannot perform partial restores of the database to another location. Only the full database–based backup strategy allows you to perform partial database restores from full database backups. The database must use a structural design that supports files and filegroups; then on restore, the full database backup must be read to find the file/filegroup that is being restored. However, using a log shipping secondary that has a load delay can resolve this problem, especially in a VLDB where loading the database—even partially—can be extremely time-consuming. This recovery option can be important in disasters involving human error.

Implementing Your Backup Strategy

To create an effective strategy, you must consider numerous issues. For example, how are you going to execute your backup? To what storage medium are you going to back up your databases? Where are you going to store your backups? More important, will you be able to find the necessary backups during a restore? Now that you think you have a strategy, it is time to work through backup options, syntax, recommendations, and requirements.

Options for Performing a Backup

There are several ways to create backups: Transact-SQL syntax executed in real time within SQL Server Query Analyzer; Transact-SQL syntax automated through SQL Server Agent jobs and alerts; the Database Maintenance Plan Wizard; SQL-DMO; or any custom application or third-party tool through which you can access SQL Server. Although all are acceptable options, there are some basic recommendations for each option’s usage.

There are numerous options related to how backups are written to backup devices. Backups can be performed to a new device (a new file or tape) for each backup, or a backup device can be used multiple times, either by appending subsequent backups (keeping different backups on the same device) or by overwriting the backups on the same device (keeping only the most recent backup). Many utilities that help to create automated backups use a new file for each backup. In this case, the filenames for the backups are typically created using the date and timestamp of when the backup was performed. For example, when you use the Database Maintenance Plan Wizard to create full database backups or transaction log backups, the filename has the following format:

dbname_backuptype_YYYYMMDDHHMM.bak

Although this naming convention is helpful for finding backups by filename, it does not necessarily scale well. In fact, using the Database Maintenance Plan Wizard for small databases is acceptable, but for larger and more complex configurations where a variety of backup types are desired, it is likely you will create your backup strategy a bit more manually.

Typically, administrators automate backups to disk throughout the day and then have some type of nightly backup operation that picks up all of the backup files at the operating system level and backs them up to tape. The main reason for this is speed: it is usually faster to back up and restore files from disk than from tape because you avoid the slow mechanical process of positioning and rewinding the tape. Transaction log backups are commonly automated using SQL Server Agent jobs that run at fixed points in time.
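As a sketch, the command a SQL Server Agent job step might run for such a fixed-interval log backup looks like the following (the Inventory database name, the path, and the timestamped filename are assumptions for illustration):

```sql
-- Hypothetical job step: back up the transaction log to a
-- date/time-stamped file on disk (names are illustrative only).
BACKUP LOG [Inventory]
TO DISK = 'D:\SQLBackups\Inventory_tlog_200301151400.bak'
WITH NAME = N'Inventory Log Backup'
```

A job scheduled to run this every two hours implements the log backup frequency discussed earlier in the chapter.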

Creating a Backup Device

When you perform a backup, there are two ways you can specify the destination. You can either physically reference the output device (tape or disk) at the time of the backup, or you can make a logical reference to it by creating a backup device. Making a logical reference to the location by creating a backup device eliminates later problems with backup scripts. By abstracting the name from your scripts, you can update the hardware or devices and just update the logical definition.

For example, by backing up to a device with the logical name Tape-Backup, you do not rely on the physical tape unit staying the same. If the underlying tape units change from \\.\Tape0 to \\.\Tape12, only the logical definition needs to be updated, not all of the individual backup scripts and jobs. The same is true for backups directly to a hard disk. If a drive starts to become full and you decide to place backups on a new drive, you can change the device without changing all of your backup scripts. During the restore process you need only the backups themselves; you can restore them from any location, even if that is not the location to which you backed up the database.

You can create backup devices by using the sp_addumpdevice system stored procedure or using SQL Server Enterprise Manager. (Expand Management, right-click Backup, and select New Backup Device.) When you use the sp_addumpdevice stored procedure, remember that no paths or filenames are verified for access or even existence. This point is important because verification does not occur until you later attempt to back up to the device, which is when you would see errors causing the backup to fail. Make sure all of your paths and filenames are verified at the time of creation, and if the device is an over-the-network backup, also verify that the path has the appropriate permissions.
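For example, creating a disk backup device might look like the following (the logical name and path are illustrative assumptions; sp_addumpdevice will accept them even if the path does not exist, so verify the path yourself):

```sql
-- Create a logical backup device that points to a physical file.
-- Note: sp_addumpdevice does NOT verify that this path exists.
EXEC sp_addumpdevice 'disk', 'InventoryBackup1',
    'D:\SQLBackups\InventoryBackup1.bak'
```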

When using a network device with a Universal Naming Convention (UNC) name (\\servername\sharename\pathname\filename.ext), SQL Server must have the appropriate permissions to use the device. If you execute a backup command through Transact-SQL syntax (for example, in SQL Server Query Analyzer), the command is executed by the underlying MSSQLServer service. If you execute a backup as part of a job, the backup is performed by the SQLServerAgent service. You must verify that the domain accounts under which these two services are started have the appropriate write permissions to create and write files to the UNC device.

You can view the list of existing backup devices by using the sp_helpdevice system procedure or by reviewing the list in SQL Server Enterprise Manager under Management, Backup. When you perform a backup, you specify the device (or devices) to which the backup should be performed, and SQL Server writes to the location as defined by the device. A simple example of using a backup device follows:

BACKUP DATABASE DatabaseName TO DeviceName

Caution

When you use Transact-SQL or SQL Server Enterprise Manager to remove a backup device, the default behavior is to leave the files intact and not delete them. This approach has advantages and disadvantages. It is advantageous if you truly want to remove only the logical reference to the device. In fact, you can immediately create a new logical device name (for example, with a new name) that points to the same file if you want. Creating backup devices does not affect the physical file.

The disadvantage is that you will leave a (potentially large) backup file on disk. If you want to delete the file when you drop the device, you must specify the DELFILE option.
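For example, dropping the device and deleting its file in one step might look like this (using the hypothetical device name from earlier):

```sql
-- Drop the logical device AND delete the underlying physical file.
-- Without the DELFILE argument, the file is left on disk.
EXEC sp_dropdevice 'InventoryBackup1', 'DELFILE'
```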

Special Backup Device: NUL

In addition to creating permanent or temporary devices, there is an output device called NUL. NUL is an operating system "device" that acknowledges a write operation without actually writing the data anywhere.

Note

This is not a typo; the device is spelled NUL, not NULL.

NUL is used in special cases to test the read side of the backup process; however, the backup is not saved. Instead, the backup is processed as if it were a regular backup, but the write portion of the backup is never actually performed. There are a few interesting uses for this device:

  • Testing backup size

  • Testing backup scripts

  • Testing the impact of a backup on your disk subsystem and throughput

You use the NUL device in code the same way you use any physically defined backup device. The following full database backup command uses the NUL device to test the size and impact of the backup:

BACKUP DATABASE Inventory TO DISK = 'NUL'
go

The result will be similar to the following:

Processed 17888 pages for database 'Inventory', file 'InventoryData' on file 1.
Processed 1 pages for database 'Inventory', file 'InventoryLog' on file 1.
BACKUP DATABASE successfully processed 17889 pages in 5.872 seconds (24.955 MB/sec).

From this output, you can determine the size of your backup. SQL Server does not need to back up every page of the database; instead, it needs to back up only allocated extents. The size of a backup is therefore the size of the database minus the free space. How large is that? In the previous example, a full database backup was performed to the NUL device. The backup showed that a total of 17,889 pages were processed. At 8 KB per page (17,889 × 8,192 bytes), the backup size would be about 146.5 MB. This information is helpful to know if you need to estimate storage because of space restrictions or if you are backing up to disk to copy the backup device(s) to CD or DVD.

As an alternative, you could use the sp_spaceused system procedure or run a system table query that returns the same number sp_spaceused produces. Of the two, the system table query is easier to add to programmatic scripts, batches, and so on. To get an estimate of the space used by a database, use the following query:

SELECT sum(reserved)*8/1024 -- Estimate in MB
FROM sysindexes
WHERE indid IN (0, 1, 255)

Unfortunately, both sp_spaceused and this system table query might not always be as accurate as you need them to be. To get a more accurate value, you can run sp_spaceused with @updateusage = 'true', which gathers the information by scanning the entire database; however, this scan can place quite a burden on the system.
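A sketch of the more accurate (and more expensive) call follows; because it rescans the database, consider running it during off-hours:

```sql
-- Recalculate space usage by scanning the database, then report it.
-- This scan can be a burden on a large, busy system.
EXEC sp_spaceused @updateusage = 'true'
```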

Finally, there are some technical notes to be aware of when using the NUL device. Performing a backup to NUL will indicate that the backup strategy has begun—even though nothing exists from which you could recover. This situation requires you to manage the transaction log if you are not already doing so. You must always perform another real full database backup after backing up to the NUL device because you will need a proper full database backup from which you could recover. Differential database backups performed after a backup to the NUL device cannot be applied to a previous full database backup; in fact, only the transaction log backups are useful. Performing any full database backup—even with the NUL device—resets the differential bitmap. Because this backup to NUL performs exactly the same steps as a regular full database backup without the actual capture, you should use this option only in test or development scenarios when you are truly looking to evaluate the performance impact of the read side of backup on your disk subsystem.

Important

Transaction log backups to NUL will break the log sequence chain.

Parallel Striped Backup

To improve performance, you can use multiple backup devices in parallel to create a striped backup set. The biggest benefit of creating a striped set is that you can back up to as many as 64 independent devices at a time. If you have two drives to which you would like to store backups, then you might be able to cut the backup time in half (depending on system configuration). Realize, however, that the benefits of parallel striped backup are really only achieved when the devices are different physical devices. Backing up to multiple backup devices on the same physical disk is probably not beneficial at all unless you need the files to be of a certain size. For example, you might back up to three files on one physical disk to ensure that the three files are small enough to individually burn to a certain media type, such as a 680-MB CD-R. You can then later restore directly from the CDs. If you had backed up to one large file and then split it across multiple CDs, you would need to put the file back together on disk before commencing with the restore process.

Note

Backing up to multiple files on a device does not give you any performance improvements. You will actually have worse performance than if you were backing up to one file on that device.

Additionally, if you have multiple devices that you would like to act as one, consider creating a RAID 0 array and then using that as your backup location. A parallel striped backup has the same characteristics as a RAID 0 array: there is zero redundancy, only performance gains, because to successfully restore from a parallel striped backup, you must have all devices at the time of the restore. Tape devices do not all have to be present simultaneously, but you still need all of the tapes to perform your restore; each media family is processed before another one can be used. Handling media families that span multiple tapes is not an easy task.

When you back up in parallel to multiple devices on hard drives (for example, three devices), approximately one-third of the database is placed on each of the three devices. For tape, an algorithm is used in which a faster tape can consume more of the data. If one device or file is not accessible at the time of recovery, the remaining devices are essentially useless.

The following example shows a full database backup of the Inventory database to three devices: InventoryBackup1, InventoryBackup2, and InventoryBackup3.

BACKUP DATABASE [Inventory]
TO [InventoryBackup1], [InventoryBackup2], [InventoryBackup3]

If the file or tape on which InventoryBackup2 resides were to become damaged, then the complete backup would be unusable. You cannot recover any data from the two remaining devices (InventoryBackup1 and InventoryBackup3) without also having the data from InventoryBackup2.

When creating a parallel striped backup, you must have good naming conventions. If recovery were necessary, you would want to be able to find all components of your backups as quickly as possible. In fact, in addition to naming the individual backup devices, you can name the media set. Creating a media set name makes finding backups a lot easier because each device shows the media set name and description. Without the name and description, the only identifier you will have is a globally unique identifier (GUID) that SQL Server places into the backup device’s header at the time of media set creation (which is a good secondary check, but it is harder to read and harder to work with). Therefore, you should always use a media set name and description, and you must set them with the very first backup. When performing the first backup (or later if you want to break up a media set or change the use of a device), you can add the FORMAT option to define the device’s use.

Caution

If any information is currently on the devices, it will be overwritten and useless. Use the FORMAT option only when necessary.

Using the same example as before, the syntax changes to the following when you add a media set name and description:

BACKUP DATABASE [Inventory]
TO [InventoryBackup1], [InventoryBackup2], [InventoryBackup3]
WITH FORMAT, MEDIANAME = N'InventoryStripeSet',
MEDIADESCRIPTION = N'3 Devices = InventoryBackup1-3'

If you decide to use parallel striped backup to disk devices, you must make sure that each independent device has enough space to handle the appropriate portion of the database. Remember that the files in filegroups do not always fill evenly. If one of the devices runs out of space, the backup will terminate.

Multifile Backups

After you have created a backup device or backup devices in a media set, you might want to save multiple backups to the same device(s). In fact, if you use the syntax to back up to a device without specifying any options other than the database and the devices to which you would like to back up, SQL Server automatically appends the new backup to the backup device. This has both advantages and disadvantages. If you back up the same database to a backup device three times over the course of a week, for example, and then you need to restore your last backup, you would probably do this:

On Monday, you execute the following:

BACKUP DATABASE [Inventory]
TO [InventoryBackup1], [InventoryBackup2], [InventoryBackup3]

On Wednesday, you execute the following:

BACKUP DATABASE [Inventory]
TO [InventoryBackup1], [InventoryBackup2], [InventoryBackup3]

On Friday, you execute the following:

BACKUP DATABASE [Inventory]
TO [InventoryBackup1], [InventoryBackup2], [InventoryBackup3]

The following Monday, you decide you want to restore the Inventory database to its state at the Friday backup, so you execute the following:

RESTORE DATABASE [Inventory]
FROM [InventoryBackup1], [InventoryBackup2], [InventoryBackup3]

And you restore Monday’s backup, not Friday’s. This mistake is one of the most common user errors when using multifile backups. To restore the appropriate backup, you must specify the backup based on position within the multifile backup device(s). To see the list of backups performed to a backup device(s), you can use the RESTORE HEADERONLY command, which has the following syntax:

RESTORE HEADERONLY FROM [InventoryBackup1]

This lists all of the backups (in this case, three rows) that have been performed to this device or these devices. You need to specify only one device because SQL Server can access the header from any of the devices of a parallel striped media set. After you list the header, you can use the position column to determine which backup must be restored. In this case the position is 3, so the restore command would use the following:

RESTORE DATABASE [Inventory]
FROM [InventoryBackup1], [InventoryBackup2], [InventoryBackup3]
WITH FILE = 3

If you would like to overwrite the contents of backup devices while backing up, you can do so by using the INIT option instead of appending. Because appending (NOINIT) is the default, you must specify when you want to overwrite. INIT only works when you are overwriting a media set with exactly the same format (which means the same number of backup devices) and when the backup set does not have a required retention period. If you want to break up a media set, which is changing the number of backup devices, you must use WITH FORMAT. If the backup set has a required retention period and you want to INIT the devices before the retention period has been met, you can tell SQL Server to SKIP the backup device headers.
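For example, overwriting the existing backups on the same three-device media set instead of appending looks like this:

```sql
-- Overwrite the media set's contents rather than appending.
-- NOINIT (append) is the default, so INIT must be explicit.
BACKUP DATABASE [Inventory]
TO [InventoryBackup1], [InventoryBackup2], [InventoryBackup3]
WITH INIT
```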

Useful Backup Options

Although many backup options are offered, not all are available for each individual backup method (for example, the password options are not available through SQL Server Enterprise Manager). For more details, spend some time testing and working with your own server. The options are as follows:

Defining a media set

Use the following:

[[,] FORMAT | NOFORMAT]
[[,] MEDIADESCRIPTION = {'text' | @text_variable}]
[[,] MEDIANAME = {media_name | @media_name_variable}]
[[,] MEDIAPASSWORD = {mediapassword | @mediapassword_variable}]

FORMAT implies INIT and SKIP. FORMAT can be used to break up a striped media set; however, use caution, because FORMAT renders all of the media set's devices unusable. Every media set should have a descriptive name as well as a description that details the number and names of the devices that make up the media set. If a media set password is used, it must be supplied for every restore. Good naming conventions can save time and minimize errors in disaster recovery.

Defining an individual backup

Use the following:

[[,] NAME = {backup_set_name | @backup_set_name_var}]
[[,] DESCRIPTION = {'text' | @text_variable}]
[[,] PASSWORD = {password | @password_variable}]

Every backup should have a name and a description. If you have issues with the physical security of your backups or backup media, consider using a password. This password is for the individual backup, not the media set. Good naming conventions can save time and minimize errors in disaster recovery.
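A sketch of an individual backup that sets these options (the name and description text are illustrative):

```sql
-- Name and describe this individual backup set on an existing device.
BACKUP DATABASE [Inventory]
TO [InventoryBackup1]
WITH NAME = N'Inventory Full Backup',
DESCRIPTION = N'Nightly full database backup of Inventory'
```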

Manipulating the media or backup device

Use the following:

[[,] INIT | NOINIT]
[[,] NOSKIP | SKIP]
[[,] EXPIREDATE = {date | @date_var}
| RETAINDAYS = {days | @days_var}]
[[,] STATS [= percentage]]

INIT initializes backup devices only when they are in the correct structure. INIT does not allow the backup to proceed if the backup device was previously used in a media set and has not been reformatted; you must use FORMAT to break up the media set. NOINIT is the default, meaning that every backup is automatically appended to the backup devices. EXPIREDATE and RETAINDAYS set the backup retention period. EXPIREDATE is the date after which a backup to the same device can use INIT without error. RETAINDAYS is similar, except the retention period is set as the number of days that must pass before the backup can be overwritten with INIT. Neither option invalidates the backup or prevents it from being restored once the time has expired. These options are effectively retention settings, not expiration dates.

Important

All bets are off and all expiration options are discarded if FORMAT is used or if SKIP is used. If you use FORMAT, it implies the use of SKIP.

The STATS option defines when progress messages are returned from a backup. Using WITH STATS when performing backups manually, as well as when automating backups, provides a mechanism to see the progress of a backup.
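For example, a backup that protects itself from being overwritten by INIT for a week and reports its progress at every 10 percent looks like this (the values are illustrative):

```sql
-- RETAINDAYS = 7 prevents INIT from overwriting this backup for 7 days.
-- STATS = 10 returns a progress message at each 10 percent completed.
BACKUP DATABASE [Inventory]
TO [InventoryBackup1]
WITH RETAINDAYS = 7, STATS = 10
```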

Working with tape devices

Use the following:

[[,] NOREWIND | REWIND]
[[,] NOUNLOAD | UNLOAD]
[[,] RESTART]

NOREWIND is important if you plan to perform automated multifile backups to tape, although it is not essential. Specifying NOREWIND allows SQL Server to leave the tape heads in position to perform (and append) the next tape backup where the previous one left off, saving time when backing up to (or restoring from) tape. NOREWIND implies NOUNLOAD; however, if only NOUNLOAD is specified, the tape still rewinds. This can be useful if you want to back up and then immediately restore. Finally, if a power failure were to occur during the backup, you could use RESTART to resume the backup at the point at which it failed.
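A sketch of an appended tape backup using these options (the tape device path is an assumption for illustration):

```sql
-- Append to the tape and leave the heads positioned for the next backup.
-- NOREWIND keeps the tape device locked until it is released.
BACKUP DATABASE [Inventory]
TO TAPE = '\\.\Tape0'
WITH NOINIT, NOREWIND
```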

Important

NOREWIND holds the tape device locked, so other applications cannot use it.

Third-Party Backup and Restore Tools and SQL Server

Some third-party hardware and tools, such as enterprise backup software or storage area network (SAN) devices, can back up your file systems and databases as well. This might simplify management in an organization because all backup-related work is standardized, so you do not have to learn the syntax of each product you run. However, it is still helpful to know the syntax, because it is essentially what is issued behind the scenes by whatever technology you employ.

Nevertheless, you must understand that a "normal" backup tool cannot simply back up an active SQL Server database file. SQL Server must be accessed properly so that when the software starts a backup, SQL Server believes and responds as if a native backup is occurring. Otherwise, you might damage your databases, ending up with an inconsistent set of database files on restore. To enable SQL Server to believe a native backup is happening, device drivers and software must use the SQL Server Virtual Device Interface (VDI) API. Check with your preferred software or hardware vendor prior to implementing or purchasing a solution to ensure that it not only works properly with your servers running SQL Server instances, but also supports the VDI. Similarly, if your system administrators already use a program for performing backups and now want to use it to back up your live SQL Server databases, verify that it is capable of doing so.

If you intend to use a third-party program that does not support the SQL Server VDI, one of the best options to integrate it into your SQL Server backup strategy is to have a SQL Server Agent job back up the database to a specified disk, and then have the program back up the SQL Server–generated file. Other variations on this theme obviously exist, but this example illustrates that you can leverage your existing backup solution even if it cannot back up your SQL Server databases directly. If the program does support the VDI, you might want to use it to manage your entire backup strategy. Mixing SQL Server Agent jobs or manual backups might interfere with your packaged solution. You should choose one strategy and stick to it.

More Info

For information on the SQL Server 2000 VDI, go to http://www.microsoft.com/sql/downloads/virtualbackup.asp.

Storage Assisted Backups

Your storage vendor might provide technologies that greatly enhance your ability to back up and restore large amounts of data quickly, especially in a SAN environment. SQL Server 2000 supports these technologies through extensions to the VDI previously mentioned. Relative to SQL Server, a storage assisted backup is usually referred to as a split-mirror backup.

Note

Although SQL Server 2000 supports these hardware-based backups through the VDI, the technology itself is not built into SQL Server. Check with your storage vendor to see whether any storage assisted backup options are available to you.

Split-Mirror Basics, Pros, and Cons

A split mirror is pretty much what it sounds like: You take one of your RAID mirrors and "separate" it from the others. You can combine a storage assisted backup with conventional database backups to accomplish rolling your database forward to the point of failure or to an arbitrary point in time—or both. Like any other type of database backup, the history is stored in msdb if the application writes backup history there. The utility provided by the storage or backup vendor might automatically determine the files that comprise the database and determine which volumes to capture. In other cases, you might have to supply a list of volumes to the utility.

In terms of usage, a split-mirror backup is applicable to media-failure scenarios as well as application-error or user-error scenarios. From a high availability perspective, split-mirror backups are beneficial because the process is usually measured in seconds, and not minutes, hours, or even days. Imagine trying to back up a petabyte of information using another method—on any database platform for that matter—in a matter of seconds. The same principle is applicable on a restore; what you gain in speed might be worth the additional cost of the solution.

Another good use of a split-mirror backup is to initialize a log shipping secondary. If you have a large database, again, you need to weigh the risks and rewards. But if you need to initialize a 1-TB database as your base database for log shipping, virtually no other method can perform the task more quickly; with any form of a "normal" restore, no matter how much you tweak disk I/O and such, you are at some point still trying to restore 1 TB of data. Along the same lines, if you need to initialize a test or development database from your large production VLDB, as with the log shipping secondary, there are very few ways to restore such a large database easily.

Pros Split-mirror backups can virtually eliminate the time it takes to accomplish the backup itself as well as the data copy phase of a restore, which is the most time-consuming aspect. The exact benefits depend on the vendor’s implementation. If the production disks are reconciled with the clone in the background, the restore itself is almost instantaneous. So from both a SQL Server and high availability standpoint, this is probably the biggest advantage. The database needs only to be rolled forward to the target time and recovered. It is then available for updates while the disks are reconciled in the background. And because backups are performed on a separate mirror that is already in sync at the time of the split, you get the benefit of no I/O hit for reading the data and then writing to a file. Therefore, you reduce the impact of the entire backup process on a live production system.

Cons Ultimately, the biggest drawback of implementing a split-mirror solution is the cost. These solutions are usually out of the price range of most small and midsized companies, and even some large companies. The biggest cost is obviously the number of disks. If your disk solution already has, say, 48 disks, with two stripes of 24, you need to add another 24 for a total of 72. Assuming for the sake of this example that each disk costs US$1,000 because of its large capacity and high speed, that is US$72,000 in just physical disks alone. Then you need to consider the enclosures, the racks to house them, all cabling, proper cooling, and so on—you get the idea.

Furthermore, you need to ensure that your staff is properly trained in the use of split mirrors. Unlike a normal SQL Server backup in which you are dumping a file to a disk or tape, this is a specialized solution. Even if you have the money, do not implement a backup solution that you cannot manage.

Unlike a normal backup to disk, split mirrors really have no concept of versioning. Once you split the mirror, and then remirror, that backup you made by doing the original split is gone unless you backed it up to tape or disk elsewhere. You will therefore need to manage your backups more carefully if nothing else is employed. Other caveats specific to each process are outlined next.

Using a Split Mirror for Database Backups If you employ split mirrors, a backup is accomplished by physically splitting one mirror away from the others at the disk level. This mirror contains a copy of the data at the time of the split. This mirror can be referred to by different names depending on the storage vendor. Some names are clone, snapshot, or business-continuance volume (BCV). The mirror, together with the small amount of descriptive data created by SQL Server, is the backup.

The benefit of splitting one mirror off is that it is a fast operation. SQL Server briefly stops all writes to the database while the split is initiated and completed so that you will not have torn pages in your database. This process should usually be measured in seconds and is vendor-dependent in terms of timings and implementation. The availability of the database should not be affected except for the brief stop to ensure consistency. If you have a VLDB, a split mirror might be the only way to achieve some of your service level agreements (SLAs) if you cannot use a traditional backup and restore scenario that is outlined in this chapter.

Important

Use a minimum of a three-way mirror to ensure that your production disk subsystem will still be highly available. Using only two mirrors leaves you exposed if you encounter a disk failure. Work with your storage vendor to ensure that your configuration is optimal for both SQL Server and the hardware level for using an advanced technology such as a split mirror.

Remirroring the Disk Stripe To use the disk stripe that was split, you must remirror it with the active disk mirrors to update it. During the remirroring process, the stripe data is copied from the active mirror(s) at a low level to synchronize it; the process is not handled by SQL Server. Your database is completely available for use during this process. However, especially on large databases, your other mirrors will be active, so you might see some sort of performance impact on your database because the stripe remirroring will be reading from the other disk stripes. Some storage vendors can perform the reconciliation by copying only what has changed, and others will synchronize everything. Many will allow you to prioritize the remirroring against being able to run your daily workload on the same set of disks.

Warning

If you are employing a split mirror in conjunction with SQL Server 2000 failover clustering, when the remirroring process occurs, you must guarantee that the disk signatures will not be altered. If they are altered, you can damage your cluster. Talk to your hardware vendor, because this mistake could be painfully expensive.

Also, do not confuse a split mirror with a geographically dispersed cluster. Geographically dispersed cluster solutions employ a special form of mirroring technology to ensure that the SANs in each location are kept in sync and are used for different purposes.

Using a Split Mirror to Restore Databases Performing a restore with a split mirror is similar to a remirror, but the data copy flows the other way: the mirror is the master, and the production volumes are synchronized with it. As part of the restore, the backup utility gives SQL Server the proper description of the backup being restored, as well as the appropriate restore options, such as NORECOVERY. After the mirror image is restored, the database can be rolled forward using conventional differential, file-differential, or transaction log backups, or any combination of the three.

Ideally, the data is presented to SQL Server immediately, and the reconciliation occurs in the background. In this case, the restore occurs in a matter of seconds, and the database can be recovered and made available immediately. This functionality is the primary benefit of implementing a split mirror.

Planning Considerations for Split Mirroring When you want to implement a split-mirror backup solution for SQL Server, consider the following:

  • A backup can be restored only once. Restoring a split-mirror backup converts that backup into a database; after that, the backup no longer exists. If you need to retain a backup, you either need another mirror or you need to back up the split mirror to a medium such as tape before restoring it in SQL Server.

  • The time it takes to complete remirroring limits the frequency of backups. Remirroring can take significant time for large databases, even if done incrementally. Although the database is available, this time limits the frequency of your database or file backups. As with conventional backups, this limitation increases the amount of rollforward required after a failure.

  • Performance of your databases might be affected by the remirroring process for the obvious reasons already stated. You must account for this in your planning, and you should work with your storage vendor to understand the impact on your systems so you have realistic expectations.

  • Once you remirror, you no longer have a backup of your database. Consequently, you must somehow maintain some sort of backup solution to account for this. Two options available to you are backing up the mirror to another medium before remirroring (which might take some time, but it will not leave you exposed) or adding an additional mirror that will be split off right before the other is remirrored (which gives you two mirrors that you can roll in and out, and you are still protected as long as you have at least two active mirrors).

  • On one volume, do not store data and log files from different databases. If you do, you will not be able to back up or restore the databases independently. Restoring one database will corrupt the other, which means your mirror to database ratio is 1:1.

Windows Server 2003 Volume Shadow Copy Service and SQL Server 2000

A new feature of Windows Server 2003 is the Volume Shadow Copy Service (VSS), which provides volume-oriented, snapshot-based backups. Windows Server 2003 also ships with the SQLWriter, the back-end VSS component that interacts with SQL Server. Under Windows, the writer is displayed as MSDEWriter, which you can verify by executing a VSSADMIN LIST WRITERS command in a command window.

SQLWriter is a VDI-based application that utilizes the VDI’s BACKUP WITH SNAPSHOT support. Because of the SQLWriter, you can use VSS with SQL Server 2000 to perform full backups. All recovery models are supported, and restoring WITH NORECOVERY allows you to roll the database forward. Differential, transaction log, and file backups are not supported with VSS. However, full database backups made with VSS can be combined with any other native backup strategy (such as transaction log backups, a third-party tool, and so on) to handle the rolling forward after the VSS backup is restored to your instance.

Important

For user databases, you can restore them to a live SQL Server instance, but for system databases (master, model, and msdb), you have to stop SQL Server to restore the VSS backup. VSS is fully supported in a server cluster.

Note

Due to the timing of the release of Windows Server 2003 and the writing of this book, there is not a lot of information available on implementing VSS with SQL Server 2000. Check http://www.microsoft.com for updated information.

Executing the Full Database–Based Backup Strategy Using Transact-SQL

You can execute backups in many ways, but ultimately it all boils down to the syntax of the command being executed. Whether you use SQL Server Enterprise Manager to set up the backup or type it in yourself, it is just a command. This brief section shows examples of how to use the syntax to create your backup.

On the CD

There is a script included, Full_Database_Based_ Backup_Strategy.sql, which is an example of a full database backup and restore and is detailed in this section.

Executing a Full Database Backup

When using the full database–based backup strategy, you always use a full backup to create the recovery set. This backup will be the first one used during the restore. To create a full database backup, you use the BACKUP DATABASE command with the appropriate options. In the following example, a full database backup is performed to three devices in parallel. The backup set will have a defined media set name and description, a password to protect the media set, and a password to protect this specific backup; the backup is performed to tape devices that are left unrewound so that the next backup can immediately append. Additionally, this backup set is protected from being overwritten for seven days (RETAINDAYS), and the backup returns its status every 10 percent backed up. The syntax for this command is:

BACKUP DATABASE [Inventory]
TO [InventoryBackup1], [InventoryBackup2], [InventoryBackup3] WITH FORMAT,
MEDIANAME = N'InventoryStripeSet',
MEDIADESCRIPTION = N'3 Devices = InventoryBackup1-3',
MEDIAPASSWORD = N'InventoryStripeSetPassword',
RETAINDAYS = 7,
NAME = N'InventoryBackup',
DESCRIPTION = N'Full Database Backup of Inventory',
PASSWORD = N'InventoryBackupFullDBPassword',
NOREWIND, STATS = 10

Executing a Transaction Log Backup

Transaction log backups are the most important type of backup to perform: they are critical to maintaining an optimal transaction log size and they enable the full spectrum of recovery options. Transaction log backups—like all others—should be automated. In fact, to make a system highly available, you will automate all of these backups to run at a consistent and frequent interval, with transaction log backups being the most frequent. In the upcoming section "Simplifying and Automating Backups," you will automate three different situations that trigger a transaction log backup to occur.

To create the transaction log backup, you use a very similar command (BACKUP LOG) with many of the same options as BACKUP DATABASE. To back up to the same three devices that the full database backup used, you must submit the media set password; it is required for all commands that access this media set. Without the password you will receive the error "Access is denied due to a password failure." To create an individual backup password for the transaction log backup, to leave the tape ready for another backup, and to return stats showing the status of the transaction log backup, use the command listed next.

Note

Using a password is not mandatory. In the big picture, although it will secure the backup in SQL Server, it only prevents access by SQL Server tools. A disk-based backup is more exposed than one on tape.

BACKUP LOG [Inventory]
TO [InventoryBackup1], [InventoryBackup2], [InventoryBackup3] WITH NOINIT,
MEDIAPASSWORD = N'InventoryStripeSetPassword',
NAME = N'InventoryTLogBackup',
DESCRIPTION = N'Transaction Log Backup of Inventory',
PASSWORD = N'InventoryBackupTlogPassword',
NOREWIND, STATS = 10

Executing a Differential Database Backup

Executing a differential database backup is exactly the same as executing a full database backup, except that only the extents that have changed are backed up. You use the same command with one additional clause: WITH DIFFERENTIAL. Following the same command as the full database backup (removing the media set definition parameters because they are necessary only on the first backup)—including STATS for progress and this time telling SQL Server to rewind and unload the tape (UNLOAD implies rewind)—use the following syntax:

BACKUP DATABASE [Inventory]
TO [InventoryBackup1], [InventoryBackup2], [InventoryBackup3]
WITH DIFFERENTIAL, NOINIT,
MEDIAPASSWORD = N'InventoryStripeSetPassword',
NAME = N'InventoryDiffBackup',
DESCRIPTION = N'Differential Database Backup of Inventory',
PASSWORD = N'InventoryBackupDiffPassword',
UNLOAD, STATS = 10
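For reference, the matching restore sequence follows the same pattern. The sketch below is illustrative rather than taken from the book's script: the WITH FILE positions depend on how many backups are on the media set, and only the device names and passwords come from the examples above.

```sql
-- Restore the full database backup first; NORECOVERY leaves the
-- database ready to accept further restores.
RESTORE DATABASE [Inventory]
FROM [InventoryBackup1], [InventoryBackup2], [InventoryBackup3]
WITH FILE = 1,
MEDIAPASSWORD = N'InventoryStripeSetPassword',
PASSWORD = N'InventoryBackupFullDBPassword',
NORECOVERY, STATS = 10

-- Restore the most recent differential (position 3 is hypothetical).
RESTORE DATABASE [Inventory]
FROM [InventoryBackup1], [InventoryBackup2], [InventoryBackup3]
WITH FILE = 3,
MEDIAPASSWORD = N'InventoryStripeSetPassword',
PASSWORD = N'InventoryBackupDiffPassword',
NORECOVERY, STATS = 10

-- Restore each transaction log backup taken after the differential,
-- recovering the database with the last one.
RESTORE LOG [Inventory]
FROM [InventoryBackup1], [InventoryBackup2], [InventoryBackup3]
WITH FILE = 4,
MEDIAPASSWORD = N'InventoryStripeSetPassword',
PASSWORD = N'InventoryBackupTlogPassword',
RECOVERY, STATS = 10
```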

Executing the File-Based Backup Strategy Using Transact-SQL

The commands for executing the file-based backup strategy are exactly the same for all parameters immediately after the TO portion of the BACKUP command, including the device list, media set information, tape option, password protection, and retention options. The file-based strategy differs before the TO clause. To perform file-based and filegroup-based backups, specify the database you are backing up with the BACKUP DATABASE command. Before you state the devices, you must specifically state the subset of the database you want based on the file (or files), the filegroup (or filegroups), or both.

When using the file-based backup strategy, you must create a complete set of all files by backing each file up individually, or by backing up groups of files as defined by your database’s filegroups. During the restore process, you always start with the file or filegroup backups and then roll forward using other backup types. To create file or filegroup backups, you must use the BACKUP DATABASE command and specify the files, filegroups, or both that you want backed up in this backup set.

On the CD

To create the FileBasedBackupDB sample database and all the backups shown in the case study diagram in Figure 10-1, run the File_Based_Backup_Strategy.sql script, which you will find on the CD that accompanies this book. You can execute this script in its entirety, but you should work your way through the script slowly, reviewing the syntax to fully understand the backup strategy. For best understanding, review the syntax descriptions in this section prior to execution.

Figure 10-1. File-based backups offering significant flexibility.

The example uses seven database files: a primary file (.mdf), three nonprimary data files in a filegroup named RWFG (used for read-write data), two files in a filegroup named ROFG (used for read-only data), and one transaction log file. After creating the FileBasedBackupDB database, the script modifies data between each of the backups. Figure 10-1 shows the backup types from left to right in this sequence (each number in the list corresponds to a number along the timeline).

  1. Full file backup of the primary file

  2. Transaction log backup

  3. Full filegroup backup of the RWFG filegroup

  4. Transaction log backup

  5. Full filegroup backup of the ROFG filegroup

  6. Transaction log backup

  7. Differential filegroup backup of the RWFG filegroup

  8. Transaction log backup

  9. Full file backup of the primary file

  10. Transaction log backup

  11. Differential filegroup backup of the RWFG filegroup

  12. Transaction log backup

Using the example shown in File_Based_Backup_Strategy.sql, the first backup is a file backup of the primary file named FileBasedBackupDBPrimary. Because all of the options for tape backup, media set names, descriptions, and passwords are the same as before, the syntax is kept to a minimum. The syntax for the file backup at point in time 1 is as follows:

BACKUP DATABASE [FileBasedBackupDB]
FILE = N'FileBasedBackupDBPrimary'
TO [FileBasedBackupDev]
WITH NAME = N'FileBasedBackupDB Backup',
DESCRIPTION = N'File = FileBasedBackupDBPrimary', INIT

Transaction log backups are an integral part of the file and filegroup strategy because they ensure transactional integrity of a backup when it is restored. Transaction log backups can use the same device or devices as the database backups when necessary. In the script, a transaction log backup occurs at every even position: 2, 4, 6, 8, 10, and 12. Each transaction log backup uses the exact same syntax:

BACKUP LOG [FileBasedBackupDB]
TO [FileBasedBackupDev]
WITH NAME = N'FileBasedBackupDB Backup',
DESCRIPTION = N'Transaction Log', NOINIT

The next backup type, shown in position 3, is a filegroup backup. The RWFG filegroup backup is performed with the following syntax:

BACKUP DATABASE [FileBasedBackupDB]
FILEGROUP = N'RWFG'
TO [FileBasedBackupDev]
WITH NAME = N'FileBasedBackupDB Backup',
DESCRIPTION = N'FileGroup = RWFG', NOINIT

In the backup shown in position 5, the ROFG filegroup is backed up with the following syntax:

BACKUP DATABASE [FileBasedBackupDB]
FILEGROUP = N'ROFG'
TO [FileBasedBackupDev]
WITH NAME = N'FileBasedBackupDB Backup',
DESCRIPTION = N'FileGroup = ROFG', NOINIT

In the backup at positions 7 and 11, a filegroup differential is chosen for the RWFG. To perform a differential backup, the syntax is exactly the same as a file or filegroup backup, with the addition of the WITH DIFFERENTIAL clause. The syntax for the RWFG filegroup differential backup is as follows:

BACKUP DATABASE [FileBasedBackupDB]
FILEGROUP = N'RWFG'
TO [FileBasedBackupDev] WITH DIFFERENTIAL, NOINIT,
NAME = N'FileBasedBackupDB Backup',
DESCRIPTION = N'FileGroup DIFFERENTIAL = RWFG'

The syntax for the file-based strategy is just as straightforward as the syntax for backing up databases using the full database–based strategy. The complexities with this strategy are not in the backup, but instead in the recovery process.

Caution

You must perform significant testing so that all possible recovery paths are implemented properly. If even one file is missing, the database cannot be recovered from backups.
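One such recovery path can be sketched as follows. This is an illustrative outline only; the WITH FILE positions are hypothetical and must come from RESTORE HEADERONLY against your own device.

```sql
-- Restore the most recent backup of each file or filegroup
-- (repeat for the RWFG and ROFG filegroup backups)...
RESTORE DATABASE [FileBasedBackupDB]
FILE = N'FileBasedBackupDBPrimary'
FROM [FileBasedBackupDev]
WITH FILE = 1, NORECOVERY

-- ...then roll forward with every subsequent transaction log
-- backup, recovering the database with the last one.
RESTORE LOG [FileBasedBackupDB]
FROM [FileBasedBackupDev]
WITH FILE = 2, NORECOVERY

RESTORE LOG [FileBasedBackupDB]
FROM [FileBasedBackupDev]
WITH FILE = 12, RECOVERY
```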

Simplifying and Automating Backups

The Transact-SQL syntax is not overly complex once you get a feel for it. However, creating a backup plan is hardly about syntax. To create an optimal strategy, you must have a recovery-oriented plan that is well tested and well defined—and most important—automated. Backups should never be handled manually because they will be more prone to human error or might even be forgotten. To ensure optimal recovery, implement a consistent and automated plan to handle backups. One of the easiest ways to perform this task is by creating automated jobs using the SQL Server Agent.

For each backup type you choose, you should implement a job to automate that backup type at the necessary frequency. As a simple first step, you can use SQL Server Enterprise Manager to help you create an automated backup schedule for your full database backup. To create a full database backup that runs weekly, right-click your database, select All Tasks, and then select Backup Database. Select all of the options you want, as if you were actually going to perform the backup. Before you click OK, however, select the Schedule check box, as shown in Figure 10-2.

Figure 10-2. The SQL Server Backup - Inventory dialog box to simplify creating a scheduled backup.

You can set the schedule now by clicking the ellipses (...) button, or you can set it later, after the job is created. As long as the Schedule check box is selected, clicking OK does not perform the backup; instead, SQL Server creates a job with the chosen schedule. Once the job is created, you can add additional steps, such as sending e-mail regarding the completion or failure of the backup, and modify additional properties of your backup.
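Behind the scenes, this dialog box simply creates a SQL Server Agent job in the msdb database. If you prefer to script the job instead, a sketch of the equivalent Transact-SQL looks like the following; the job name, step command, and schedule values here are illustrative assumptions, not output from the dialog box.

```sql
USE msdb
GO
EXEC sp_add_job @job_name = N'Inventory Full Backup'
EXEC sp_add_jobstep @job_name = N'Inventory Full Backup',
    @step_name = N'Back up Inventory',
    @subsystem = N'TSQL',
    @command = N'BACKUP DATABASE [Inventory] TO [InventoryBackup1] WITH NOINIT'
-- freq_type 8 = weekly; freq_interval 1 = Sunday; start time is HHMMSS (1:00 A.M.).
EXEC sp_add_jobschedule @job_name = N'Inventory Full Backup',
    @name = N'Weekly full backup',
    @freq_type = 8,
    @freq_interval = 1,
    @freq_recurrence_factor = 1,
    @active_start_time = 10000
-- Target the job at the local server so SQL Server Agent will run it.
EXEC sp_add_jobserver @job_name = N'Inventory Full Backup'
GO
```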

To demonstrate the simplicity of setting up jobs using the SQL Server Enterprise Manager backup user interface, the following example creates a backup of the transaction log that will be automated to run every 10 minutes. The time interval you choose depends on several criteria:

  • Database activity. If the database is predominantly read activity, the transaction log does not need to be backed up as frequently.

  • Data loss potential. If all activity needs to be captured to minimize the likelihood of data loss if a failure occurs, more frequent log backups should be performed. Especially when you have a secondary site, the frequency of your log backups determines the maximum amount of data loss you could incur if you had a site failure.

  • Transaction log size. To keep the transaction log size to a minimum, increase the frequency of backups.

Because it is a time-based backup, some transaction log backups will be larger (such as those made during working hours) and some will be smaller (such as those made during off hours when less work is being performed). To check the percentage of the log currently used, run the DBCC SQLPERF(LOGSPACE) command. This command shows you percentages used and free for all transaction logs on your SQL Server instance:

DBCC SQLPERF(LOGSPACE)
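DBCC SQLPERF(LOGSPACE) returns one row per database. The output has the following shape (the values shown here are purely illustrative):

```
Database Name    Log Size (MB)  Log Space Used (%)  Status
---------------  -------------  ------------------  ------
Inventory        500.0          62.5                0
```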

To automate the transaction log backup for the Inventory database, as shown in the previous examples, right-click your database, choose All Tasks, and select Backup Database. On the General Tab (shown in Figure 10-2), enter a name, description, and all of the backup properties.

Once you have set the options, click ... (ellipses) to set the schedule for the transaction log backups. The Edit Schedule dialog box opens, as shown in Figure 10-3.

Figure 10-3. The Edit Schedule dialog box to define backup frequency.

Once the schedule has a name, select Recurring. On this tab, shown in Figure 10-4, you can set the exact frequency of your backups. Once you create the job, you can create multiple schedules for the execution of the job: for example, weekly full backups, the second Wednesday of every month, or the first or second weekend day of the month. Make sure you investigate all of the possibilities in these dialog boxes. The smallest granularity is 1 minute.

Figure 10-4. The Edit Recurring Job Schedule dialog box to provide numerous scheduling possibilities.

Once you have set all of the options, click OK to create the scheduled job. Review the job and its properties; there you can modify settings that the backup dialog box does not expose (for example, you cannot set the media set name or password within that dialog box). All jobs are executed by SQL Server Agent, which should be set to Auto-start. In SQL Server Enterprise Manager, expand Management, expand SQL Server Agent, click Jobs, and then double-click the Inventory Transaction Log Backup job. Here, you can set properties for completion notifications (whether successful or failed) by using SQL Mail—using e-mail, e-mail-based paging, or the NET SEND command. You can add additional steps to the backup job, and you can build complex jobs that include custom external executables or other applications.

For the job in this example, the execution occurs only at the scheduled time. With something fairly frequent, you might think that everything is covered. Unfortunately, some transaction-log-related events could occur that could cause you downtime, for example, if a long-running transaction occurred and filled the log. When the transaction log fills, all activity is stopped. Luckily, this problem is relatively simple to fix: back up the transaction log to free up some space. In this case, you want the transaction log backup job to execute at an unscheduled time, on the log full error (error 9002 – "The log file for database dbname is full. Back up the transaction log for the database to free up some log space.").

This process might seem complex, yet it is extremely easy using an alert. In addition to supporting regularly scheduled jobs, the SQL Server Agent also has alerts. An alert is a reaction to an event that has occurred in SQL Server. Errors of a higher severity—those written to the Windows Event Viewer’s Application Log—are errors on which you can define an alert. In fact, you can even create your own user-defined errors that are logged.

To set up the alert to perform a transaction log backup when the Inventory database’s transaction log is full, use SQL Server Enterprise Manager. Expand Management, select SQL Server Agent, select Alerts, right-click Alerts, and select New Alert. In the New Alert Properties dialog box shown in Figure 10-5, type the name of the alert and select the kind of event that should trigger it—error 9002. Also, be sure to select the database in which this error should be triggered. (Yes, you must set up an alert for each of your production databases.)

Figure 10-5. The New Alert Properties dialog box to trigger transaction log backups when the transaction log is full.

The Response tab of the New Alert Properties dialog box is important for two reasons: here, you set the job to execute as the response, and you define the delay between responses. Setting the delay between responses appropriately is the most important option. When an error occurs, SQL Server must have time to see the error and respond to it. SQL Server reacts quickly to the error being raised, yet the response might take minutes to run. If a transaction log backup takes roughly 4.5 minutes to execute, setting the delay between responses to 4 minutes and 30 seconds minimizes the number of times this alert is fired. SQL Server fires another alert only if another log full message is issued after the 4 minutes and 30 seconds have passed.
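If you prefer to script the alert rather than use the dialog box, the sp_add_alert system stored procedure in msdb accepts the same settings. In this sketch the alert and job names are illustrative; @delay_between_responses is specified in seconds.

```sql
USE msdb
GO
EXEC sp_add_alert @name = N'Inventory Log Full',
    @message_id = 9002,
    @severity = 0,
    @database_name = N'Inventory',
    @delay_between_responses = 270,  -- 4 minutes 30 seconds
    @job_name = N'Inventory Transaction Log Backup'
GO
```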

What if you think your system is well automated, but when the log fills, you have downtime? You can set a transaction log backup to occur just before the log fills, preventing the transactions from failing. Not only can you create alerts to react to SQL Server errors, you can also create alerts to react to performance monitor counters, such as Percent Log Used. In the next example, you create the same response, but the setup for the alert is a bit different. Again, right-click Alerts under the SQL Server Agent node of the Management folder in SQL Server Enterprise Manager and select New Alert. In the New Alert Properties dialog box, shown in Figure 10-6, change the default type from SQL Server Event Alert to SQL Server Performance Condition Alert. The options to define the alert change, allowing you to set the exact conditions under which the response should be triggered.

Figure 10-6. The New Alert Properties dialog box set to trigger transaction log backups when the transaction log is 85 percent full.
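A performance condition alert can also be scripted with sp_add_alert, using the @performance_condition parameter in the form 'object|counter|instance|comparator|value'. The alert and job names below are illustrative.

```sql
USE msdb
GO
EXEC sp_add_alert @name = N'Inventory Log 85 Percent Full',
    @performance_condition = N'SQLServer:Databases|Percent Log Used|Inventory|>|85',
    @delay_between_responses = 270,
    @job_name = N'Inventory Transaction Log Backup'
GO
```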

After you create this job and define the two alerts, this database is less likely to go down because of log full errors. Make sure you monitor long-running transactions and get a sense of what could potentially cause the log to fill. The end result is that the Inventory Transaction Log Backup Properties dialog box (Figure 10-7) shows three schedules: the recurring job schedule, the SQL Server event alert, and the SQL Server performance condition.

Figure 10-7. Inventory Transaction Log Backup schedules.

Creating a Production SQL Server Agent Backup Job

Creating a production SQL Server Agent backup job is deceptively simple.

On the CD

A diagram with the flow of an automated SQL Server Agent job that runs a full database backup nightly can be found in Agent_Backup_Job.pdf.

The specific details for each of the seven steps found in the Visio diagram are provided here.

Note

Please note that you can use your preferred method for alerts, such as SQL Server’s built-in alerts, but using operating system shell commands or other tools might present a security risk to your environment. This example shows other tools to demonstrate how you can integrate them into your SQL Server workflow.

  1. Disable the Transaction Log Backup. Because full database backups pause transaction log backups, the first step within this automated job disables the transaction log backup that normally runs every 10 minutes. You do not need to disable the job, but doing so avoids the errors the transaction log backup job would otherwise generate by not succeeding. As soon as the full database backup completes, the transaction log backup job will be re-enabled. From the msdb database, the transaction log backup is disabled using the sp_update_job system stored procedure:

    sp_update_job @job_name= N'Transaction Log Backup...', @enabled= 0
  2. Execute a full database backup. This backup uses three LTO tapes for backing up this VLDB in parallel. The syntax of the command is:

    BACKUP DATABASE Inventory
    
    TO LTO1, LTO2, LTO3
    
    WITH FORMAT, UNLOAD, STATS = 2

    Step 2 uses the Advanced tab to determine the next step (see Figure 10-8). If there is success, then go to Step 3. If there is a failure, then go to Step 4. Additionally, the output of the backup stats will be directed to a file using the Output File box to generate information that is used as part of the backup status e-mail.

    Figure 10-8. SQL Server Agent job step detail.

  3. On success, e-mail operations that all is OK—additionally, page the on-call support person to let him or her know the backup completed successfully. For this job a custom SMTP-based e-mail application is used to e-mail the text of the backup output. The operating system command executed is:

    d:\batch\jobs\common\SMTP.exe "operations_email"
    "LTO backup complete"
    "Please check file: \\server\d$\mssql\reports\backup.txt"

    If the mail was sent OK, go to Step 5; otherwise run Step 4.

  4. On failure, e-mail operations that the backup failed and needs immediate attention. The on-call support staff is also paged to let them know a failure occurred.

    d:\batch\jobs\common\SMTP.exe "alert"
    "URGENT: backup failed"
    "Please call operations & check file: \\server\d$\mssql\reports\backup.txt"
  5. Page the on-call analyst and let him or her know that the backup succeeded. The command also used a special application created for their paging application:

    d:\batch\jobs\common\cpage.exe oncall "LTO Backup Completed"
  6. Page the on-call analyst and let him or her know that the backup failed:

    d:\batch\jobs\common\cpage.exe oncall "LTO backup failed!"
  7. Either way, re-enable the transaction log backup. From the msdb database, the transaction log backup is re-enabled using the sp_update_job system stored procedure:

    sp_update_job @job_name= N'Transaction Log Backup...', @enabled= 1

The details of the steps as seen in the SQL Server Agent are shown in Figure 10-9.

Figure 10-9. SQL Server Agent backup job.

Checking the Completion of a Backup

When a backup job is run by SQL Server Agent, it is hard to see how far along the job is, because there is no graphical progress indicator. However, if you use the STATS option with the BACKUP command, you can see the percentage completed by running the DBCC OUTPUTBUFFER command against the session performing the backup. The percentage complete is shown in the right-hand column of the output.

To see the percentage completed you must first know the system process ID (SPID) of the backup process. To get the SPID of the backup use the following query:

SELECT DISTINCT(spid)
FROM master.dbo.sysprocesses (nolock)
WHERE cmd LIKE 'BACKUP%'

Output:

spid
------
742

Next, use the DBCC OUTPUTBUFFER command with the backup process’ SPID:

DBCC OUTPUTBUFFER(742)

When reviewing the output, the far right column shows the character values for the hexadecimal output. This is where you can see the last percentage returned by the job. The following is an example output showing that the backup is at 3 percent:

Output Buffer
-------------------------------------------------------------------------------
00000000 04 00 00 5d 02 e6 03 00 79 01 00 00 00 ab 44 00 ...].μ..y....½D.
00000010 8b 0c 00 00 01 00 14 00 33 00 20 00 70 00 65 00 ï.......3. .p.e.
00000020 72 00 63 00 65 00 6e 00 74 00 20 00 62 00 61 00 r.c.e.n.t. .b.a.
00000030 63 00 6b 00 65 00 64 00 20 00 75 00 70 00 2e 00 c.k.e.d. .u.p...

Verifying Backups

Once you have performed your backups, and likely automated them, it is critical that you periodically verify that your process and strategy are producing the backups you expect. These verification procedures do not guarantee that a restore will be successful, but they do guarantee that you have the backups you are expecting to have.

Warning

There is only one way to truly test your backup strategy—perform periodic and complete restore testing on a test system.

In the interim, there are four ways you can verify your backups:

  • Using RESTORE LABELONLY. To view information about the backup media set and the retention period, use RESTORE LABELONLY. If you have used good naming conventions, you should easily be able to see whether devices belong to the same media set. Otherwise, you will need to review the MediaFamilyID, which is a GUID, to make sure you have all devices in the parallel striped backup. To see the device label use:

    RESTORE LABELONLY FROM BackupDevice
  • Using RESTORE HEADERONLY. To view information about the backups that exist on a multifile backup, use the RESTORE HEADERONLY command. This command works against a single device—even when the device is part of a parallel striped media set. If the device is part of a media set, all devices in that media set will return exactly the same information. This command lists numerous pieces of useful information, and the most useful are the BackupType and the Position columns as shown in Table 10-1.

    Table 10-1. Example Output

    BackupName         BackupType  Position  BackupSize  BackupStartDate
    -----------------  ----------  --------  ----------  -----------------------
    FileBasedBackupDB  1           1         1843200     2003-03-16 22:00:00.000
    FileBasedBackupDB  2           2         1195008     2003-03-16 22:10:00.000
    FileBasedBackupDB  2           3         1712128     2003-03-16 22:20:00.000
    FileBasedBackupDB  5           4         2243584     2003-03-16 22:30:00.000
    FileBasedBackupDB  2           5         139264      2003-03-16 22:40:00.000
    FileBasedBackupDB  2           6         2246656     2003-03-16 22:50:00.000
    FileBasedBackupDB  5           7         2243584     2003-03-16 23:00:00.000
    FileBasedBackupDB  2           8         1843200     2003-03-16 23:10:00.000
    FileBasedBackupDB  2           9         2178048     2003-03-16 23:20:00.000
    FileBasedBackupDB  2           10        3284992     2003-03-16 23:30:00.000
    FileBasedBackupDB  2           11        2245632     2003-03-16 23:40:00.000

    The BackupType column can have one of the following values:

    • 1 = Full Database Backup

    • 2 = Transaction Log Backup

    • 4 = File or Filegroup Backup

    • 5 = Database Differential Backup

    • 6 = File or Filegroup Differential Backup

    The Position column refers to the number of backups performed against this device (or media set). During a restore, this is the most important column to understand for multifile backups. If the wrong restore is performed, this could lead to additional downtime and frustration. The syntax to view the header information is:

    RESTORE HEADERONLY FROM BackupDevice
  • Using RESTORE FILELISTONLY. To view the files affected by each backup, use the RESTORE FILELISTONLY command. This is most useful when you have received a backup device from someone and you are unsure of the exact name, path, and size of the files required by the database. Because a database’s structure cannot be changed during a restore, knowing the complete file list can save you time. By reviewing this information, you will be able to determine how you can restore the database and what the exact location of the files must be. If any of the paths are not available because database devices are damaged, the restore command can use WITH MOVE during the restore to place the database files on new drives. The syntax to view the file list from a backup is:

    RESTORE FILELISTONLY FROM BackupDevice WITH FILE = 6

    Note

    You must state the correct position of the backup on a multifile backup; otherwise, you will return the file list for the first backup (FILE = 1).

    When you restore a database, be sure the correct underlying directory paths exist before you start. The following is an example of the output:

    LogicalName PhysicalName             Type FileGroupName Size  MaxSize
    ---------------------------------------------------------------------
    CreditData  F:\data\CreditData.MDF   D    PRIMARY  69795840 104857600
    CreditLog   H:\log\CreditLog.LDF     L    NULL     47185920  52428800

    By reviewing the PhysicalName and Size columns, you can determine whether you have the proper location available and enough space to perform the restore.

  • Using RESTORE VERIFYONLY. To verify that the backup device files are complete (if part of a parallel striped backup) and readable, use RESTORE VERIFYONLY. This does not guarantee a future successful restore, but it is very easy to perform and always a good idea. The syntax for verifying the backup device or media set requires that all devices (if a parallel striped backup) be supplied. To verify that your backup is readable, use:

    RESTORE VERIFYONLY
    FROM BackupDevice1, BackupDevice2, BackupDevice3

Implementing an Effective Backup Strategy: In Summary

Here’s a summary of what you must do to implement an effective backup strategy:

  1. Determine the acceptable amount of downtime, if any.

  2. Determine the acceptable amount of data loss, if any.

  3. Determine the priority of other operations such as bulk operations and log shipping.

  4. Determine your recovery model—static or changing for batch operations.

  5. Design your database using filegroups, if necessary.

  6. Consider various strategies, determining which pros and cons are appropriate to your database environment.

  7. Perform scenario-based studies based on the risks you have assessed to see if your strategy works.

  8. Implement it in a test environment.

  9. Test it.

To really put the backup strategy to the test, you need to determine whether you can recover to the point in time of the failure, with little to no data loss, within your defined downtime interval. In the next section you will get a better understanding of how to react quickly and effectively to help minimize the overall downtime you will suffer from each type of failure.
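The schedule at the heart of such a strategy can be sketched in Transact-SQL. This is only a sketch of the weekly pattern described earlier in this chapter; the database and device names are hypothetical, and in practice each statement would run as a scheduled SQL Server Agent job:

```sql
-- Sunday, 10 P.M.: full database backup (the starting point for any restore)
BACKUP DATABASE [Inventory] TO [InventoryFullDev] WITH INIT, STATS = 10

-- Monday through Saturday, 10 P.M.: differential database backup
BACKUP DATABASE [Inventory] TO [InventoryDiffDev] WITH DIFFERENTIAL, NOINIT

-- Every two hours during the day: transaction log backup
BACKUP LOG [Inventory] TO [InventoryLogDev] WITH NOINIT
```

Step 9 of the summary then amounts to periodically restoring this chain on a test server and timing the result against your downtime requirement.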

Database Recovery

The first step in recovering any database is determining precisely what has been damaged. In the event of a hardware failure, it is likely the database is marked as suspect. In the event of human errors (such as dropping a table), the database might still be accessible. What do you do? Your first step should be to access the disaster recovery plan and follow it meticulously, but for this section, only the actual process is addressed. You have all of the background and you know the technology, but to really create the best strategy, you must start thinking in terms of recovery time. To create a recovery-oriented strategy for a highly available system, you must remember speed is of the utmost importance. To make the recovery process as fast as possible you must be able to execute your recovery strategy with precision. This recovery strategy should be well documented and well tested; in fact, it should be scripted or automated in some other way if at all possible.

Recovery strategies will differ for user error versus hardware-related disasters. However, there are similarities in the strategies. Whenever a disaster occurs, your first question should be whether you can access the tail of the transaction log. In the event of any failure, the tail of the transaction log should be your primary concern. Before you start verifying backups and before you start recovery, always check to see if the tail of the transaction log is accessible. If the tail of the transaction log is accessible, then up-to-the-minute recovery is possible. Up-to-the-minute recovery ensures that all committed transactions up to the time of the failure can be recovered (if desired). This backup might not be used (or desired) because of the type of error. If the disaster is based on some form of human error, then you might end up returning to an earlier version of the database altogether, disregarding the tail of the transaction log.

Accessing the tail of the transaction log depends on two factors: physical access to the files and the recovery model. The tail of the transaction log is accessible if the physical devices on which the transaction log resides are accessible and the files are not corrupt. Additionally, the tail is only accessible if the database is using the Full recovery model, or the Bulk-Logged recovery model provided no bulk-logged operation has been performed since the last transaction log backup. Once you have determined that the tail of the log is accessible, back up the transaction log and add it to your complete set of backups. Once you have backed up the tail of the transaction log, you can begin recovering your database.

Tip

Are you sure hardware failure is responsible for your problem? Whenever a database is marked suspect but no signs of damaged disks are visible (such as System Log messages in Event Viewer pointing to a disk failure), try resetting the status of the database. This simple trick is worth the few minutes it takes, especially if it works. It requires that you stop and restart SQL Server, but sometimes a database is improperly marked suspect, and resetting its status (using sp_resetstatus) and then restarting SQL Server might be all you have to do to recover. If the database is still marked suspect after restarting SQL Server, perhaps only a file is corrupt. This marks the beginning of your restore.

Do not perform this procedure if you are not sure what you are doing. You would be better off seeking the help of a support professional, if necessary, than potentially damaging your installation further.
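As a sketch, the reset described in the tip looks like the following; the database name is hypothetical, and the procedure requires sysadmin rights plus a stop and restart of SQL Server afterward:

```sql
-- Attempt to clear an improperly set suspect flag
EXEC sp_resetstatus 'Inventory'

-- After restarting SQL Server, check whether the database came back online
SELECT DATABASEPROPERTYEX('Inventory', 'Status')
```

If the status query still reports the database as suspect, proceed with your restore plan rather than repeating the reset.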

The next step is to back up the tail of the log. To back up the tail of the log, SQL Server requires special syntax. Everything about the transaction log backup is the same—the devices to which you plan to back up, the options you want to specify, and so on—with one notable exception. To back up the tail of the transaction log, you must specify the NO_TRUNCATE clause. This can just be added to the end of the BACKUP LOG command. For example, to back up the tail of the transaction log for the Inventory database using the same devices, media set password, and options presented earlier in "Executing the Full Database–Based Backup Strategy Using Transact-SQL," the syntax only changes slightly:

BACKUP LOG [Inventory]
TO [InventoryBackup1], [InventoryBackup2], [InventoryBackup3]
WITH NOINIT,
    MEDIAPASSWORD = N'InventoryStripeSetPassword',
    NAME = N'InventoryTLogBackup',
    DESCRIPTION = N'Transaction Log Backup of Inventory',
    PASSWORD = N'InventoryBackupTAILPassword',
    NOREWIND, STATS = 10,
    NO_TRUNCATE

Once you have backed up the tail of the log, you can investigate further what type of damage has occurred and what the logical course of action is. If the damage is due to user error, the next step is to determine whether users should still be allowed in the database; if not, restrict database access to database owners only. Next, investigate the extent of the damage: rows, tables, files, filegroups, entire databases, and so on. Each will potentially have a different recovery path. Then, regardless of the type of failure, determine where you are going to perform the restore: in place, on the same server, or to a different server. Each option has different requirements that should be well thought out. Begin to verify your backups, ensuring that you have a complete set based on the strategy you have chosen. Additionally, you should be thinking about (and have documented already) contingencies. Finally, start your restore.
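If you decide users should be kept out while you investigate, access can be restricted in a single statement. This is a sketch with a hypothetical database name:

```sql
-- Limit access to members of db_owner, dbcreator, and sysadmin,
-- rolling back any open user transactions immediately
ALTER DATABASE Inventory SET RESTRICTED_USER WITH ROLLBACK IMMEDIATE
```

The ROLLBACK IMMEDIATE clause disconnects current users at once; if in-flight work should be allowed to finish, ROLLBACK AFTER with a delay is the gentler alternative.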

What is the actual process of recovery? How does a database recover? What are some of the critical options to understand when recovering a database? What are the phases of restore and recovery? Can they be altered, sped up, or skipped? After answers to all of these questions are understood, numerous recovery scenarios are covered to help you create the best recovery plan for your environment.

Phases of Recovery

When a database backup is used to recover a database, there are actually four phases each backup can go through: the file creation or initialization phase, the copy media phase, the redo phase, and finally the undo phase.

File Creation

The file creation phase is performed only when the file or files of the database being restored do not already exist in the appropriate size and location. The location can be changed during restore (RESTORE WITH MOVE), but the size cannot. If the database was defined with a total data size of 10 GB, yet the backup yielded only a 300 MB full database backup because the database does not currently hold much data, it does not matter: the database created during the restore must completely resemble the database structure as it was backed up, so the full 10 GB of files is created. The structure of all files and filegroups cannot be changed during restore. If you are restoring in place, or if only a subset of files is damaged, be sure not to drop the database; if the files are already there, you save time during the restore. Because speed is the key to recovery in high availability, this is the first step to improving restore performance. Even if the database is suspect and one or more of the files are damaged, you can still restore that database in place, replacing only the files that are damaged (specifying their new location using RESTORE WITH MOVE).

Media Copy

The second phase that a restore goes through is the media copy phase. During this phase, only faster hardware can help. SQL Server reads the pages from the backup, determines each page's location (from the page header), and writes the pages to their appropriate location on disk. Even if the pages are logically inconsistent (see "How Do Full Database Backups Work?" in Chapter 9), this phase does not care; its sole purpose is to copy from the backup medium as fast as possible.

Again, focusing on speed, there are a few options. If you performed your backup to a parallel striped media set then your restore is also performed in parallel. If your database files being recovered are on faster RAID arrays, this can improve the copy phase (that is, striped mirror or mirrored stripes are faster than RAID 5; however, you will need to know how your hardware behaves, including things like the write cache, and so on).

Finally, maybe you can restore less. In the case of isolated corruption for a database that uses multiple files or filegroups, you can restore just the files or filegroups that are damaged.

Tip

When a database has isolated failures, you can restore the files or filegroups by restoring from a full database backup or a file or filegroup backup. However, when restoring files from a file or filegroup backup, the restore can take substantially less time as the backup is smaller and only contains the necessary data.

Redo and Undo

The two final phases a backup goes through during restore relate to the transactions that must be applied. This occurs in almost every type of backup with the exception of file/filegroup restores (the transaction log is not backed up during these backups). Because all other backups include some portion of the transaction log or are solely transaction log backups, the restore must use the transaction log to recover what is not already in the database. To do this there are two phases of log analysis: redo and undo.

During the redo phase, SQL Server reviews the log to apply any transactions not already in the database. Because some of the transactions might not have committed by the time the backup completed the final phase, undo must be performed. However, the undo phase is actually determined by the RESTORE command’s recovery completion state. If more backups are to be restored, then there is no reason to undo. Undo is only performed for the final restore, which is the restore that is meant to bring the database online for users. Determining when to recover the database is based on the recovery completion state specified during the restore.

Recovery Completion States

When each backup is restored, a recovery completion state must be defined. The recovery completion state defines the state in which the database will be after that particular backup is restored. More specifically, because each backup is an image of the database as it looked when the backup completed, SQL Server must determine the fate of the transactions that were pending when the backup completed. Each option accomplishes something different, for different purposes. The recovery completion states are RECOVERY, NORECOVERY, and STANDBY.

RECOVERY

The RECOVERY completion state indicates that all four phases of the restore should be performed, including undo. When the undo phase is performed with the RECOVERY completion state, no additional backups can be applied. The RECOVERY option should not be specified on any backup except the very last one. However, RECOVERY is the default when no recovery completion state is specified. If a database is recovered too early (meaning that you still have backups to apply) then you will need to restart the restore sequence with the first backup. The opposite is not true. If you accidentally use NORECOVERY on the very last backup, you can still recover the database easily and quickly. To recover the database without restoring any backups use this syntax:

RESTORE DATABASE DatabaseName WITH RECOVERY

Important

Never use the RECOVERY option unless you are absolutely certain that you have no other backups to restore. Recovering a database too early will cause a significant delay while you go through your restore process again.

NORECOVERY

The NORECOVERY completion state is not the default for SQL Server, but in practice you should be using it almost all the time. When a series of backups must be restored, each backup should be restored with NORECOVERY. This option tells SQL Server that the undo phase can be skipped because the next step will be to perform another restore. While the database is in this state, no one, including system administrators, can access it; the database is left nonoperational but able to restore additional backups. It is always safer to err on the side of NORECOVERY: perform every restore with NORECOVERY, and when you are absolutely certain that you have just applied the very last transaction log (usually the tail of the transaction log), recover the database using the RECOVERY option.
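A minimal restore sequence illustrating this habit might look like the following sketch; the database, device, and file positions are hypothetical:

```sql
-- Every restore in the chain uses NORECOVERY...
RESTORE DATABASE Inventory FROM InventoryFullDev WITH NORECOVERY
RESTORE LOG Inventory FROM InventoryLogDev WITH FILE = 1, NORECOVERY
RESTORE LOG Inventory FROM InventoryLogDev WITH FILE = 2, NORECOVERY

-- ...and only when you are certain nothing else remains to be applied
-- do you bring the database online
RESTORE DATABASE Inventory WITH RECOVERY
```

If you stop one log short by mistake, nothing is lost: the database is still waiting for restores, and you can apply the missing log before recovering.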

STANDBY

The STANDBY recovery completion state is a special combination of the two. With this recovery completion state specified, SQL Server performs undo yet keeps the transactional information that was undone in a file that can be used when the next log is applied. If another transaction log is to be applied you might wonder how this differs from NORECOVERY. In fact, it even sounds as though it has more overhead in saving the information so that you can just re-apply it when the next backup is restored. If all you are planning to do is immediately apply another restore, then you are right; this is more overhead. However, the STANDBY recovery completion state offers the ability to use the database for read activity in between the restores. This allows you to verify the state of the data between restores. This is extremely useful if you are trying to determine when data became damaged. Additionally, this allows you to create a secondary copy of the database that can be used for read activity until the next restore must be performed. Log shipping allows this option for recovery; however, when backups are restored, users cannot be using the database.
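A sketch of a STANDBY restore follows; the undo file path and all names are hypothetical:

```sql
-- Undo is performed, but the undone work is saved to an undo file
-- so the next transaction log backup can still be applied
RESTORE LOG Inventory FROM InventoryLogDev
WITH FILE = 3, STANDBY = 'E:\Undo\Inventory_undo.dat'

-- Between restores the database is readable (read-only), for example:
-- SELECT COUNT(*) FROM Inventory.dbo.Orders
```

Inspecting the data between each log restore in this way is how you pinpoint the last log backup taken before data became damaged.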

More Info

For more information on log shipping and the use of NORECOVERY and STANDBY, see Chapter 7.

Useful RESTORE Options

In learning about parallel striped backup and multifile backup, we covered numerous options. Now that these backups have been performed, how do you read from them appropriately so that you optimally restore the correct backups? Additionally, what happens if you performed a parallel striped backup to six tape devices and one of the tape devices stopped working? Can you restore the six tapes from five devices?

  • Accessing a media set. If a media set password was specified, all backups accessing this media set must supply the correct password. Without the password, the media set is useless. This precaution secures your backups, but remember, someone needs to know the password in a disaster recovery scenario.

    [[,] MEDIAPASSWORD = {mediapassword | @mediapassword_variable}]
  • Accessing an individual backup. As with the media set password, any backup that has a password defined needs to have the password specified to access the individual backup. Even if you know the backup password you will not be able to access it without the media set password.

    [[,] PASSWORD = {password | @password_variable}]
  • Reading the media or backup device. When backups are performed, the default SQL Server 2000 behavior is to append backups to the existing media set or to a device. If you want, you can specify WITH INIT to overwrite the backup device. However, if you choose multifile backup, multiple backups will reside on the same backup device. When restoring from multifile backups, you must always be sure to restore the correct backup based on its position on the backup device. If you do not specify the exact backup to restore by position, you will restore the first backup performed to the media set or device. This backup will always be the oldest one and possibly not the backup you want. To examine the list of all backups on a device (even when part of a media set), use the RESTORE HEADERONLY command. To restore a specific backup, you must specify FILE = # on the restore command. The pound sign (#) corresponds to the Position column shown in the header information of the multifile backup set.

    [[,] FILE [= FileByPosition]]

    Important

    Always verify the backups that exist on your media set before you restore. Look specifically at the header information and each backup’s position number before restoring. Make sure you are familiar with the backup type, date, version, and so on. For more information, see the section "Verifying Backups" earlier in this chapter.

  • Restore statistics. The STATS option defines when progress messages will be returned from a restore. Using WITH STATS when performing restores helps you determine the status of the restore. More important, though, you should have a rough estimate of how long the restore usually takes.

    [[,] STATS [= percentage]]
  • Tape-only options. NOREWIND is important if you have multiple backups to restore from the same tape. You can use RESTART if a power failure occurs during the restore: instead of restarting from the beginning, execute the RESTORE with RESTART and SQL Server resumes the restore where it left off. Finally, with tape devices, unlike disk devices, SQL Server allows you to restore from fewer devices than you backed up to. However, all backups must be restored before the database becomes accessible. With tape devices, simply specify the devices you have and continue to restore until all tapes have been restored.

    [[,] NOREWIND | REWIND]
    
    [[,] NOUNLOAD | UNLOAD]
    
    [[,] RESTART]
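Putting several of these options together, a restore from a password-protected, parallel striped media set might look like the following sketch; all device names, passwords, and the backup position are hypothetical:

```sql
-- Inspect the backups on the media set first; note each Position value
RESTORE HEADERONLY FROM InventoryBackup1
WITH MEDIAPASSWORD = N'InventoryStripeSetPassword'

-- Restore the backup at position 4, supplying both passwords
RESTORE DATABASE Inventory
FROM InventoryBackup1, InventoryBackup2, InventoryBackup3
WITH FILE = 4,
    MEDIAPASSWORD = N'InventoryStripeSetPassword',
    PASSWORD = N'InventoryBackupPassword',
    STATS = 10, NORECOVERY
```

Checking the header output before the restore is what protects you from restoring the wrong position on a multifile device.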

Disaster Recovery with Backup and Restore

Database recovery can occur in one of many ways and often depends on the type of damage sustained. When a database has become corrupt due to hardware failure, the problem is ironically easier to handle because there are fewer options. This is not to say that the problem is less severe at all. When a database is suspect or corrupt, then either no users can get into the database and all activity has ceased, or users are receiving data errors and the database is rendered corrupt. Because the damage is localized, it is most likely you will recover in place after the damaged devices have been replaced. Optionally, you might recover almost immediately if you have other devices to which the damaged files can be moved during the restore. Regardless, the recovery options are well defined.

Conversely, if the damage has occurred due to human error, the database is likely still accessible. Should it be? How soon after the damage occurred did you find out about it? How are you going to begin your recovery? Are you going to recover the whole database to an earlier point in time, or are you going to recover the database to an alternate location and manually merge the data back into the production database? Managing a disaster after human error is the more difficult problem from which to recover.

Recovering from Hardware Failure: In Place and Up to the Minute

To perform database recovery in place (that is, replacing the existing, damaged database), you need to make sure that there is a place for all files required by the database. To see the list of files for a database, use RESTORE FILELISTONLY; this tells you the number and location of all files in the database. If drives are damaged and no other drive has enough space for the files, the database cannot be restored until the damaged devices are replaced. If devices are damaged but other drives have plenty of space, the restore can "move" the files from their damaged location to a new location during the restore.
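For example, if the F: drive is lost but another drive has sufficient space, the relocation can be sketched as follows; the database name, logical file names, and target paths are hypothetical:

```sql
-- Check which files the backup expects, and their sizes
RESTORE FILELISTONLY FROM CreditBackupDev

-- Relocate both files to the surviving drive during the restore
RESTORE DATABASE CreditDB FROM CreditBackupDev
WITH MOVE 'CreditData' TO 'G:\data\CreditData.MDF',
    MOVE 'CreditLog' TO 'G:\log\CreditLog.LDF',
    NORECOVERY
```

The MOVE clauses match the LogicalName column of the FILELISTONLY output; the Size column tells you whether the target drive actually has room before you start.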

Recovering In Place and Up to the Minute with Full Database–Based Backup Strategy

If you are running with the full database–based backup strategy, the recovery process is straightforward. The process consists of these steps:

  • Back up the "tail" of the transaction log.

  • Repair the damaged devices or locate another acceptable device to which the files can be restored.

  • Verify your backups.

  • Restore the most recent full database backup.

  • Restore the last differential database backup (if you are using differentials).

  • Restore the transaction log backups—including the tail.

  • Recover the database (optionally you could recover the database on the last transaction log backup restored).

The following example describes a database corruption situation, and then explains how to recover. In this example, multifile backups are performed to a single device.

First the background:

  • Your database is using the Full recovery model.

  • The DBA makes:

    • A full backup every Sunday night at 10 P.M.

    • Differential backups Monday through Saturday at 10 P.M.

    • Transaction log backups every 15 minutes during the day. They are multifile to one log backup device on disk.

  • You get a page from operations saying that an error of severity 24 has occurred and users are unable to access certain data. Reviewing the error log, you see the following:

    2003-01-24 23:00:26.54 spid618 Error: 823, Severity: 24, State: 2
    2003-01-24 23:00:26.54 spid618 I/O error (bad page ID) detected
    during read at offset 0x000009f407c000 in file
    'F:\mssql\DATA\DATA3.NDF'.
  • You run a DBCC CHECKDB that shows that there are allocation errors. Further investigation shows that the SAN firmware is not the latest revision.

  • You decide you need to restore the database to the last clean state at about 11 P.M.

Now for the recovery plan:

  1. If necessary, update your firmware to the current supported revision level.

    Warning

    Make sure that this revision, especially if on a cluster, is supported for your solution. Applying firmware for the sake of updating it can lead to more problems than it can solve. Only perform this if necessary.

  2. Reformat the disk and verify that there are no errors.

  3. The Sunday night full database backup needs to be restored with the NORECOVERY option. The syntax for this command is:

    RESTORE DATABASE Payroll
    FROM PayrollFullBackupDevice WITH NORECOVERY
  4. The Friday night differential backup from 10 P.M. needs to be restored with the NORECOVERY option.

    RESTORE DATABASE Payroll
    FROM PayrollDifferentialBackupDevice
    WITH FILE=5, NORECOVERY
  5. All transaction logs from 10 P.M. to 11 P.M. need to be restored with the NORECOVERY option.

    RESTORE LOG Payroll
    FROM PayrollLogBackupDevice WITH FILE=88, NORECOVERY

    RESTORE LOG Payroll
    FROM PayrollLogBackupDevice WITH FILE=89, NORECOVERY

    RESTORE LOG Payroll
    FROM PayrollLogBackupDevice WITH FILE=90, NORECOVERY

    RESTORE LOG Payroll
    FROM PayrollLogBackupDevice WITH FILE=91, NORECOVERY
  6. For the last transaction log, recover the database using the RECOVERY syntax.

    RESTORE LOG Payroll
    FROM PayrollLogBackupDevice WITH FILE=92, RECOVERY

Note

The DBA only has to restore the transaction logs taken after the last differential because the differential contains the cumulative set of all changes since the last full backup. Thus, the DBA does not have to apply the transaction logs from before the differential.

Although this scenario provides a simple mechanism for restoring a database up to the time of the failure, it requires the entire database to be restored. If your database was designed using multiple files and filegroups, you can restore the damaged files or filegroups more efficiently from a full database backup using the same syntax shown in the file-based recovery scenario.

Recovering In Place and Up to the Minute with the File-Based Backup Strategy

If you are running with the file-based backup strategy, the recovery process is more complex but is likely to be faster in the case of an isolated hardware failure. With the full database–based backup strategy, the easiest option is to recover the entire database and roll forward using other backups; the restore of the full database backup could take a significant amount of time. If you have a database designed using multiple files and filegroups, you can restore only the damaged files. Better yet, if you have chosen to back up the individual files and filegroups, the recovery process is more granular as well. In place, you can restore only the damaged files and filegroups, restore the differentials for the files and filegroups restored, and then (and only then) apply the correct sequence of transaction log backups to get up to the minute. Of this entire process, finding the correct sequence of transaction log backups to apply is the most challenging stage. Above all, it requires an understanding of how to read backup history information from backup devices or, preferably, from the msdb backup history tables.

Using the database backups from the file-based backup case study earlier in this chapter (in the section "Executing the File-Based Backup Strategy Using Transact-SQL"), what happens if there is a disk failure affecting the file C:\Program Files\Microsoft SQL Server\MSSQL\Data\FileBasedBackupDBRWFile2.NDF? If this file is not accessible, SQL Server marks the database as suspect, as shown in Figure 10-10.

FileBasedBackupDB: A suspect database.

Figure 10-10. FileBasedBackupDB: A suspect database.

The entire database is inaccessible, so how can you determine the exact cause of error? Review the SQL Server error log, which can be found as a text file in the LOG directory. Additionally, you can find these messages in the Application Log of Event Viewer. Or, if SQL Server Enterprise Manager is accessible, you can obtain the graphical version of the error log. In the error log, you should be able to find a data file error for the damaged file, as shown in Figure 10-11.

FileBasedBackupDB: Data file error.

Figure 10-11. FileBasedBackupDB: Data file error.

By double-clicking on the error you can see even more details, as shown in Figure 10-12.

FileBasedBackupDB: Specific file error.

Figure 10-12. FileBasedBackupDB: Specific file error.

At this point, you know exactly what is damaged. You have file- and filegroup-based backups, so the recovery process can be performed with just the damaged files. The recovery process always begins with a backup of the tail of the transaction log. In this case, you execute:

BACKUP LOG [FileBasedBackupDB]
TO [FileBasedBackupDev]
WITH NAME = 'FileBasedBackupDB Backup',
    DESCRIPTION = 'FINAL Transaction Log (Tail up-to-minute)',
    NOINIT, NO_TRUNCATE

On the CD

To perform the recovery as described, first create the File_Based_Backup_DB sample database and all the backups shown in the earlier case study diagram. All of this setup can be found in the File_Based_Backup_Strategy.sql script on the companion CD. The recovery process beginning with the backup of the tail of the transaction log can be found in the File_Based_Backup_Strategy-Restore_InPlace_UpToTheMinute_Isolated_Corruption.sql script. Review the syntax descriptions from this section prior to execution for best understanding.

Once the tail of the transaction log is backed up you have the set of backups shown in Figure 10-13.

File corruption of RWFile2 between points in time 12 and 13.

Figure 10-13. File corruption of RWFile2 between points in time 12 and 13.

Because only RWFile2 is damaged, only that file needs to be recovered. To recover this file you need to first find the last "full" version of this file backed up. At point in time 3, the entire filegroup was backed up. This is your starting point for this restore. Beginning with the filegroup backup at position 3, you can restore just this damaged file using:

RESTORE DATABASE FileBasedBackupDB
FILE = 'FileBasedBackupDBRWFile2'
FROM [FileBasedBackupDev]
WITH FILE = 3, NORECOVERY

To roll this file forward, use the last differential backup for this file, which was performed at point in time 11. The syntax for restoring just this file from the differential is exactly the same, except that you point SQL Server to the correct differential backup. To restore the differential at position 11 use:

RESTORE DATABASE FileBasedBackupDB
FILE = 'FileBasedBackupDBRWFile2'
FROM [FileBasedBackupDev]
WITH FILE = 11, NORECOVERY

Finally, transaction logs need to be applied. This is the most challenging part of recovering from file and filegroup backups. Because transaction log backups can occur while file or filegroup backups are in progress, multiple transaction log backups could "overlap" with a file- or filegroup-based backup. To restore the correct transaction logs you must determine the minimum effective log sequence number (LSN); in other words, you must find the earliest point that needs to be restored. In this case, because it was an isolated failure, only one file is affected. The last restore was for point in time 11. Review the backup history with the following query:

SELECT Backup_Start_Date, [Name], [Description],
    First_LSN, Last_LSN, Backup_Finish_Date
FROM msdb.dbo.backupset AS s
    JOIN msdb.dbo.backupmediafamily AS m
        ON s.media_set_id = m.media_set_id
WHERE database_name = 'FileBasedBackupDB'
ORDER BY 1 ASC

The First_LSN and Last_LSN values returned for all of the backups (the backup number refers to the backup as shown in the case study) are shown in Table 10-2.

Table 10-2. Output Returned for All of the Backups

Backup    First_LSN             Last_LSN
1         13000000163000001     13000000163300001
2         13000000163000001     14000000057900001
3         14000000267300001     14000000268200001
4         14000000057900001     15000000159400001
5         16000000049400001     16000000050100001
6         15000000159400001     19000000112100001
7         19000000319000002     19000000319200001
8         19000000112100001     20000000210000001
9         21000000098500001     21000000098700001
10        20000000210000001     21000000304900001
11        22000000192900002     22000000193100001
12        21000000304900001     24000000030800001
13        24000000030800001     26000000141800001

Reviewing the First_LSN column for backup set number 11, you can see that the minimum LSN is 22000000192900002. To determine the appropriate transaction log to restore, you must find the first transaction log backup that includes this LSN: the one whose First_LSN is less than or equal to 22000000192900002 and whose Last_LSN is greater than or equal to it. Restrict the query to transaction log backups by adding AND type = 'L'. If you add these conditions to the WHERE clause of the SELECT statement shown earlier, you can determine the proper transaction log to restore. Below is an example:

WHERE database_name = 'FileBasedBackupDB'
    AND type = 'L'
    AND First_LSN <= 22000000192900002
    AND Last_LSN >= 22000000192900002
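Putting the pieces together, the complete lookup might look like the following sketch, which simply combines the SELECT statement shown earlier with this WHERE clause (the LSN literal comes from backup set 11 in Table 10-2):

```sql
-- Find the transaction log backup that contains the minimum effective LSN
SELECT Backup_Start_Date, [Name], [Description],
    First_LSN, Last_LSN, Backup_Finish_Date
FROM msdb.dbo.backupset AS s
    JOIN msdb.dbo.backupmediafamily AS m
        ON s.media_set_id = m.media_set_id
WHERE database_name = 'FileBasedBackupDB'
    AND type = 'L'
    AND First_LSN <= 22000000192900002
    AND Last_LSN >= 22000000192900002
ORDER BY Backup_Start_Date ASC
```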

Once the query is executed, it becomes clear that the backup to restore is the one at position 12 (in this case the first log to apply happens to be the backup taken after the last differential; although this is likely, it is not guaranteed). The good news is that if you accidentally restore a transaction log that is too early (for example, the transaction log backup at position 10), SQL Server generates this error message:

Server: Msg 4326, Level 16, State 1, Line 16

The log in this backup set terminates at LSN 21000000305600001, which is too
early to apply to the database. A more recent log backup that includes LSN
22000000193600002 can be restored.

Server: Msg 3013, Level 16, State 1, Line 16

RESTORE LOG is terminating abnormally.

Along the same lines, if you restore a transaction log that is too late, SQL Server gives a comparable message:

Server: Msg 4305, Level 16, State 1, Line 1

The log in this backup set begins at LSN 24000000031500001, which is too late to
apply to the database. An earlier log backup that includes LSN 22000000193600002
can be restored.

Server: Msg 3013, Level 16, State 1, Line 1

RESTORE LOG is terminating abnormally.

Restoring the log backup at position 12 using NORECOVERY leaves the database ready to accept further log restores. To restore the last set of transaction logs and recover the database, you complete the restore with the last two transaction log restores:

RESTORE LOG FileBasedBackupDB
FROM [FileBasedBackupDev]
WITH FILE = 12, NORECOVERY

RESTORE LOG FileBasedBackupDB
FROM [FileBasedBackupDev]
WITH FILE = 13, RECOVERY

Once the database is restored with RECOVERY then no additional restores can be performed. Additionally, users are allowed back into the database.
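Taken together, the recovery for this isolated file corruption can be sketched end to end as follows. This simply sequences the statements shown above; run each step only after the previous one succeeds:

```sql
-- 1. Back up the tail of the transaction log
BACKUP LOG [FileBasedBackupDB]
TO [FileBasedBackupDev]
WITH NAME = 'FileBasedBackupDB Backup',
    DESCRIPTION = 'FINAL Transaction Log (Tail up-to-minute)',
    NOINIT, NO_TRUNCATE

-- 2. Restore the damaged file from the filegroup backup (position 3)
RESTORE DATABASE FileBasedBackupDB
FILE = 'FileBasedBackupDBRWFile2'
FROM [FileBasedBackupDev]
WITH FILE = 3, NORECOVERY

-- 3. Roll the file forward with its last differential (position 11)
RESTORE DATABASE FileBasedBackupDB
FILE = 'FileBasedBackupDBRWFile2'
FROM [FileBasedBackupDev]
WITH FILE = 11, NORECOVERY

-- 4. Apply the remaining transaction logs, recovering on the last one
RESTORE LOG FileBasedBackupDB
FROM [FileBasedBackupDev]
WITH FILE = 12, NORECOVERY

RESTORE LOG FileBasedBackupDB
FROM [FileBasedBackupDev]
WITH FILE = 13, RECOVERY
```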

Additional Recovery Examples

The following examples assume that you are restoring to the same database you backed up from, or that you have also restored the master database before starting the restore. The reason for this is that database users and server logins will not be in sync if you restore to a different server than the one on which the users were created.

For more information on synchronizing users, see the topic "Transferring Logins, Users, and Other Objects Between Instances" in Chapter 14.
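As a quick check after such a restore, SQL Server 2000's sp_change_users_login procedure can report and repair orphaned database users; the sketch below assumes the restored database is the current database, and the user and login names in the second call are hypothetical:

```sql
-- Report database users whose server login no longer matches
EXEC sp_change_users_login 'Report'

-- Re-link one orphaned user to the server login of the same name
EXEC sp_change_users_login 'Update_One', 'SomeUser', 'SomeUser'
```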

Point-In-Time Recovery

There are times when it is not necessary to recover a complete log. In fact, you might not want to, because the complete transaction log has information in it that you do not want applied to the database. A good example is someone who forgot to provide a WHERE clause on a DELETE statement and wiped out a critical table.

If you know what time the person deleted the rows from the table, you can recover all the way up to the moment before it happened. SQL Server provides this functionality using the STOPAT syntax. In the following situation, this part of RESTORE is explored:

  • Your database is using the Full recovery model.

  • The DBA makes a full backup every day of his development database at 11 A.M.

  • The DBA makes transaction log backups every 15 minutes during the day. They are multifile to one log backup device on disk.

  • A developer was testing some code before lunch at 11:50 A.M., but forgot to fully qualify the DELETE statement with a WHERE clause to restrict the rows deleted. When the code is run, the production payroll table is affected.

  • You were paged at 12:15 P.M. when the development team realized the error and let the contact know that the table needed to be recovered and about what time it occurred.

Recovery Plan

Follow the steps in this order:

  1. The full database backup needs to be restored with the NORECOVERY option.

  2. All transaction logs up to 11:45 A.M. need to be restored with the NORECOVERY option.

  3. For the last transaction log, you need to use the STOPAT and RECOVERY syntax. This tells SQL Server to stop at the moment before the table was deleted and recover the database so users can log in.

  4. The database can now be opened for users.

The following is the script for this scenario:

-- restore the full backup made at 11AM
restore database dev_db from full_backup with norecovery
go

-- restore the 11:15AM log backup
restore log dev_db from log_backup with file=1, norecovery
go

-- restore the 11:30AM log backup
restore log dev_db from log_backup with file=2, norecovery
go

-- restore the 11:45AM log backup
restore log dev_db from log_backup with file=3, norecovery
go

-- restore the noon backup, but STOP recovery at 11:49AM, just before
-- the table was deleted at 11:50AM
restore log dev_db from log_backup with file=4, recovery,
    STOPAT = 'Jan 28, 2003 11:49:00.000 AM'
go
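To confirm where the restore stopped, you can query the restore history that SQL Server records in msdb. This is a sketch: it assumes the msdb.dbo.restorehistory schema with its stop_at column, and dev_db is the database from the scenario above:

```sql
-- Most recent restores of dev_db, with the STOPAT point if one was used
SELECT destination_database_name, restore_date,
    restore_type, stop_at
FROM msdb.dbo.restorehistory
WHERE destination_database_name = 'dev_db'
ORDER BY restore_date DESC
```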

Moving Data on a RESTORE

There are times when you are restoring a database that you need to move the data to a new location. Common examples of this include the following:

  • Someone gives you a database from a different system that has different disk drive mappings or directory paths. An example of this is that you need to refresh a test database from a copy of production.

  • For performance reasons you need to move the data files among the disk drives. For example, you built a new SAN and want to take advantage of the new LUN slicing the hardware engineers configured for you.

  • If you rebuild disk drives or want to move data files around for better performance, you can restore the database to the new disks.

SQL Server provides the MOVE syntax for this purpose. You need to know the logical names of the files you are going to move. To get this information, run the command RESTORE FILELISTONLY against the backup. This lists the logical names. After that, you only need to do a restore and provide the new target locations.

In the following example, a production database is to be restored to a test server from an LTO array. The database has 12 data files and one log file (for brevity, only the first three data files and the log are shown in the MOVE list). Due to the size of the database, you want to monitor the progress, so you have added the STATS syntax to show the percentage complete.

-- Examine the logical and physical locations on the backup
restore filelistonly from LTO1, LTO2, LTO3, LTO4
go

-- First, create the new directories on the file system so we can
-- RESTORE to them.

-- Now, restore the database as you normally would, except
-- specify to SQL Server the new locations for the data devices
restore database test_db
from LTO1, LTO2, LTO3, LTO4
with
move 'data1' to 'H:\mssql\DATA\DATA1.MDF',
move 'data2' to 'I:\mssql\DATA\DATA2.NDF',
move 'data3' to 'J:\mssql\DATA\DATA3.NDF',
move 'log1' to 'U:\mssql\LOG\LOG1.LDF',
recovery, stats=1
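After the restore completes, you can verify that the files landed in their new locations by querying the sysfiles table in the restored database. A sketch, using test_db from the example above:

```sql
use test_db
go

-- logical name and current physical location of each file
select name, filename
from sysfiles
```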

Collected Wisdom and Good Ideas for Backup and Restore

The following list is an accumulation of experience that is not documented in any one place but belongs together in a proper review of backups and restores.

  • Make sure that you label each tape appropriately with information such as what is on it, date and time, and so on.

  • Tapes go bad. They are a mechanical device and also magnetically sensitive. Both are causes of failure. Plan for this. Buy extra tapes and be aware of the possible contingencies within your chosen backup strategy.

  • Try to avoid putting too much data on a tape. SQL Server allows you to append multiple backups on a tape as space permits. The problem is if all your backups are on one tape and that tape goes bad, you lose all your backups. Spread your risk. Use multiple rotations.

  • Cycle your tapes appropriately. Do not keep backing up databases to the same tapes repeatedly. This wears down the tape media, and you might become confused about what is actually on the tape.

  • Store your tapes properly. Label them. Keep them in their cases. Recovery time is extended if you do not know what is on each tape.

  • Consider multiple copies of your backups and rotate one copy to an off-site location. For a small shop, this can mean keeping a copy in a bank safe deposit box. For a large shop, there are sites that specialize in off-site data storage. Remember, a bank safe deposit box is only open during banking hours—a dedicated off-site provider is open 24/7. Additionally, make sure all critical parties are on the list to retrieve the tapes. Just like anything, you get what you pay for.

  • Many companies have rotations that go into permanent off-site storage due to government regulations. However, in 10 years, will the tape media that you have off-site be restorable? Technology changes very fast. That QIC40 tape from 1992 is pretty useless today if you do not have a QIC40 tape drive and the accompanying software. Plan for this. This is where backing up to disk and then to tape is better.

    Tip

    SQL Server will not always support restoring backups from one version of SQL Server to another (such as restoring SQL Server 6.5 backups to a SQL Server 2000 instance), so if you need to keep backups for some time, you might want to consider periodically restoring them, upgrading the database to the newer version, and then backing it up.

  • If you have to restore at a remote location, make sure that location has the same tape drives you do. If you have LTO technology, but the remote site has DLT, you needlessly waste time. This needs to be planned for.

  • Know what versions of software you are running. Older versions of SQL Server can be incompatible with current ones. The physical characteristics of SQL Server storage changed from SQL Server 6.5 to SQL Server 7.0. Have xp_msver, @@version, and SQLDIAG information stored with your backups.

  • Have copies of your binaries stored off site as well, including the operating system, SQL Server, and the associated license keys.

  • At a minimum, make regular backups of the master and msdb databases in addition to your user databases.

  • Backups do not validate the data they are backing up. Run DBCC CHECKDB as part of a regular maintenance plan. Remember, you can back up corruption.

    Tip

    You might want to restore the backup and perform DBCC CHECKDB on it to bolster your confidence in your backup strategy and the backups themselves.

  • Automate as much of your backup strategy as possible. Manual intervention is a frequent source of problems. Use the SQL Server Agent and possibly the Database Maintenance Plan Wizard to simplify automation if it is appropriate.

  • Review the backup logs. This sounds obvious, but many people just change the tapes without bothering to see if the backup even ran. For example, a backup might have aborted due to a faulty tape drive.

  • You are only as safe as the last good backup you restored. Tapes can and do go bad. No one can guarantee the quality of a backup until it has been restored. As such, restore from your backups frequently to test their validity and the process you have in place for recovery. Tape vendors generally specify how long their products will hold information. Written specifications often indicate many years. However, do not rely on the published media life numbers. The more use, the more wear on the tape.
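The last two points can be combined into a periodic verification routine: restore the most recent backup to a scratch database and run DBCC CHECKDB against it. A sketch follows; the database, logical file, and path names are hypothetical, and you would substitute your own:

```sql
-- Restore the latest full backup to a scratch database for verification
RESTORE DATABASE VerifyDB
FROM DISK = 'D:\Backups\ProdDB_Full.bak'
WITH MOVE 'ProdDB_Data' TO 'D:\Verify\VerifyDB.mdf',
    MOVE 'ProdDB_Log' TO 'D:\Verify\VerifyDB.ldf',
    RECOVERY

-- Check the restored copy for corruption
DBCC CHECKDB ('VerifyDB')
```

Running this on a schedule tests both the media and the recovery process itself, which is the point of the exercise.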

Backing Up the Operating System

The bulk of this chapter has detailed how to back up and restore your SQL Server databases. However, for a complete backup and restore plan, which directly impacts your disaster recovery plan, you also need to back up Windows. In many cases, restoring backups is easier than rebuilding the system from scratch. With Windows, you have different backup options available to you, which are listed here:

  • An Automated System Recovery (ASR) backup, which includes cluster configuration, registry entries, boot files, system files (in other words, DLLs), and so on. This data is known as System State data.

    Tip

    To perform an Authoritative RESTORE, a System State backup is required. In a cluster, if you perform an ASR on one node, you should perform a Non-Authoritative RESTORE on the other cluster nodes. A Windows 2000 ASR restores the cluster configuration to %SystemRoot%\Cluster\Cluster_backup, which still needs to be fed into the registry using the command-line tool CLUSREST.

  • A Local Backup, which contains all files and binaries for the individual server that the backup is executed on.

To back up your operating system and its associated files, you can use a third-party tool or you can use the built-in tool that ships with all versions of Microsoft Windows 2000 and Microsoft Windows Server 2003: Backup. To access the Backup tool, use the Start menu and go to the Accessories folder under System Tools. You can also launch Windows Backup by running Ntbackup.exe from a command prompt, optionally with command-line switches. It is flexible enough to meet the needs of your company. Figure 10-14 displays the main Backup window.

Windows Backup.

Figure 10-14. Windows Backup.

Important

If you are going to use a third-party backup tool, make sure it supports what you need it to, especially features like ASR backups.

You should back up your systems prior to and after making any changes (such as applying service packs or hotfixes), and periodically in between. As long as the snapshot of your system is accurate, you do not need to back up all system files every night. Unless you are using the server as a file server (which you should not be), the only files that change regularly are probably the SQL Server backup files, and you should have a process to back those files up after they are generated.

Tip

Do not try to back up the active database files for SQL Server with a normal backup tool such as Backup. As mentioned earlier in the section "Third-Party Backup and Restore Tools and SQL Server," the backup program must support the SQL Server VDI. You can use the backup program to back up SQL Server backup files generated and placed on the file system.

Using Backup

Backup is a fairly straightforward utility to use. This section provides a basic overview of how it works.

Creating a Backup

To create a backup using the Backup tool, follow these steps:

  1. Click the Backup tab, which is where you will create your backups that you can subsequently schedule. You can choose to back up whatever folders and files you want, including System State data, or you could just back up only System State data. Figure 10-15 shows an example of checking only System State.

    Selecting System State.

    Figure 10-15. Selecting System State.

  2. At the bottom of the Backup tab, enter the name and location of the backup file. By default, a backup using Backup has the .bkf extension. Click Start Backup.

  3. The Backup Job Information dialog displays as shown in Figure 10-16. Here you can schedule the backup, choose other relevant options (such as appending or overwriting the existing data), and so on.

    Backup job information.

    Figure 10-16. Backup job information.

    If you click Advanced, you will see the Advanced Backup Options dialog box, as shown in Figure 10-17. The most important information here is the backup type; it tells the program which type of backup to perform. Click OK to close this dialog box, and then click Start Backup in the Backup Job Information dialog box to back up your choices.

    The Advanced Backup Options dialog box.

    Figure 10-17. The Advanced Backup Options dialog box.

  4. When finished, you should see a dialog box similar to the one in Figure 10-18. Click Close.

    Completed backup.

    Figure 10-18. Completed backup.

Tip

Alternatively, you can use the Backup Wizard (Advanced) or Automated System Recovery Wizard on the Welcome tab to help you generate the proper backups.

Restoring a Backup

To restore a backup using the Backup tool, follow these steps:

  1. Select the Restore And Manage Media tab in the Backup tool.

  2. In the left pane, select the backup you want to restore as shown in Figure 10-19.

    Restore And Manage Media tab.

    Figure 10-19. Restore And Manage Media tab.

  3. At the bottom of the tab, select the location to which you want to restore the files, and click Start Restore.

  4. In the Confirm Restore dialog box shown in Figure 10-20, you can click OK to start, or if you want to modify advanced options prior to starting, click Advanced, and the dialog box shown in Figure 10-21 is displayed.

    Confirm Restore dialog box.

    Figure 10-20. Confirm Restore dialog box.

    Advanced Restore Options dialog box.

    Figure 10-21. Advanced Restore Options dialog box.

  5. When finished, you should see a dialog box similar to the one in Figure 10-22. Click Close.

    Completed restore.

    Figure 10-22. Completed restore.

Tip

Alternatively, you can use the Restore Wizard (Advanced) on the Welcome tab to assist you in the restore process.

Backing Up and Restoring Clustered Environments

As you might have already guessed, backing up a server cluster is not exactly the same as backing up and restoring a stand-alone server. You have other dependencies, namely the cluster database and the registry settings for clustering.

More Info

For more information on the objects listed in this section, consult Chapter 5.

Backing Up a Standard Server Cluster

In terms of backing up the necessary components to perform an eventual restore, you need to understand how backup programs interact with clustering. If you choose to only back up the system state data (as seen in Figure 10-15), only the quorum disk and the system state data will be backed up—nothing else. A backup that contains this information has the following:

  • Mscs\Chkxxxx.tmp. These are the cluster database snapshot files.

    Tip

    If there is more than one of these files, you might have had problems on your cluster, and you should investigate before backing up a potentially corrupt configuration.

  • Mscs\Quolog.log. The cluster quorum log file.

  • Mscs\<GUID of resource>\*.cpt. The registry checkpoint files for the resource (identified by GUID).

  • Mscs\<GUID of resource>\*.cpr. The crypto checkpoint files for the resource (identified by GUID).

  • Mscs\Clusbackup.dat. A read-only, hidden file that is 0 bytes in size; it is the backup completion marker file.

Important

When you elect to back up the system state data, the local node's cluster registry hive, also known as clusdb (Mscs\Chkxxxx.tmp is a binary copy of clusdb), is not backed up because the quorum, which is the master, is backed up. Because the file is open and locked, you might see errors such as "Completed with Skipped Files," and on examining the NTBackup log, both Clusdb and Clusdb.log will show as having failed to be backed up. You can ignore these errors because the Mscs folder on the quorum drive has been backed up.

Important

Back up the system state data only on the node that owns the quorum; otherwise you will encounter errors. Also, you need to back up the quorum’s system state data only once because it will take care of the entire cluster. Do not move the quorum resource to each node when backing up system state data.

After you have backed up the system state data, you should back up each individual node’s files, software, and system state data. Remember that each node of the server cluster that does not own the quorum drive in a standard server cluster will not back up anything on the quorum drive.

Note

If you understand the technology behind a server cluster, you might conclude that you hardly ever need a backup because there are always at least three copies of the cluster configuration at any given time. However, for fully cluster-aware applications such as SQL Server, checkpoints are important, and you might want to use tools specifically designed for this and other purposes such as CLUSTOOL and CLUSDIAG. At the time of the launch of Windows Server 2003, CLUSDIAG was only available for that version, but will be released for Windows 2000 at a later date.

Third-Party Backup Software and SQL Server 2000 Failover Clustering

Ensure that when you evaluate enterprise-class third-party backup software, it works properly in a cluster and is truly cluster-aware. As discussed in Chapter 6, you do not want resources to depend on any SQL Server resources that do not need to be there. Some third-party backup packages technically "work" in a cluster; however, to be able to operate, they add their own resources into your SQL Server virtual server’s resource group and make them dependencies of the disks with the data and log files. This is otherwise known as a generic application in a server cluster.

Warning

If you must implement backup software that is not fully cluster-aware on your cluster and it must have dependencies placed on SQL Server resources, you must check that the Do Not Affect The Group option is selected on the Properties tab of the added third-party generic resources. After configuring this option, if that resource fails, it will not take your SQL Server disks offline, which would in turn take your SQL Server instance offline and cause a failover that you did not want. Some third-party programs also do not contain any logic to handle clustered situations and simply restart all of that day's backup jobs from scratch after a failover. Because you do not want to restart all backup jobs, you might also want to disable the Restart option on the Properties tab in addition to selecting Do Not Affect The Group.

Summary

The message is simple: you cannot talk about high availability without talking about backup and restore. You do not have a backup until you have done a restore. Simple principles are often overlooked and undervalued. You cannot have a highly available environment without serious risk assessment, and some risks, including some of the most challenging to recover from, can be addressed only through a solid backup and recovery plan. This chapter discussed backup types, effective recovery strategies, and the benefits and complexities of each, as well as how best to perform each type of backup. To ensure an efficient recovery, you must understand the environment settings and database structures that are most conducive to the availability you are trying to achieve. For each backup type you must understand the downtime potential as well as the costs and the effects on active users, in terms of both performance and log activity. After thorough testing, you should have a solid strategy that minimizes downtime as well as data loss.
