A disaster recovery scenario

Let’s paint a picture of a disaster recovery scenario. This scenario spirals out of control pretty fast, so buckle up.

Imagine it’s 4:57 p.m. on a beautiful, sunny Friday afternoon. Just as you are about to head home for the weekend, disaster strikes: The electricity goes out for the entire city block where your office is located, and the uninterruptible power supply (UPS) in the server room has been removed for repairs. You haven’t rehearsed this scenario, because no one ever thought the UPS would be removed for maintenance for an extended period.

Your transaction log backups run every 15 minutes, because that’s what the RPO stipulates. Also, you have a batch script in the Windows Task Scheduler that copies your files remotely, so your logs have been copied safely offsite. Or have they?

Suddenly you have a sinking feeling in the pit of your stomach about a warning you saw in your email this morning while you were on the phone with a colleague, which you accidentally deleted, and which, thanks to that annoying muscle-memory habit you have of emptying deleted items whenever you see them, is gone forever.

Your phone squawks to inform you it has 2 percent battery remaining. Your laptop has some charge, but not much, because you were planning to charge it when you got home. Still, you crack open your laptop to check whether you can somehow undelete that email. Oh, right, your Internet is down.

Your phone rings. It’s the vice president of marketing, who is away this week at a conference. He wants to check the sales figures for a report the board is putting together for an important meeting this evening. The pressure is on! As the VP—who, by the way, doesn’t care about power failures because the company spent thousands of dollars on that UPS—asks when he can access those figures, your phone dies.

You decide to charge your phone off the laptop. That way, you can also use the tethered cellular connection to log into the DR site. But the signal in this area is weak, so you must move to the window on the other side of the office. As you stand up to move, your laptop decides that it’s time to install operating system updates, because it’s now after 5 p.m. Eventually, though, the laptop cancels the updates, because there’s no Internet access.

You move to the new location, where the signal is stronger. After an agonizing few minutes, your phone finally starts. Finally! You connect to your offsite datacenter through a Remote Desktop Protocol (RDP) session. It takes three attempts, though, because you had forgotten that RDP to this server works only with the administrator user account.

The SQL Server instance has its own service account, so you must download and use psexec to run SQL Server Management Studio (SSMS) as that service account in interactive mode. First, though, you must change a registry entry to allow that user to use interactive login. You check the backup folder. The latest log file is from 4:30 p.m. Great.

That means the 4:45 p.m. backup didn’t copy over. Oh, it’s because the drive is full. That must have been what the email warning was about.

After clearing out some files that another colleague had put on the drive temporarily, you write the script you’ve been meaning to write to restore the database because you didn’t have time to set up log shipping.

You export the backup directory listing to a text file and begin looking for the latest full backup, differential backup, and transaction log backup files. But now you see that the last differential backup doesn’t make sense, because the size is all wrong.

You remember that one of your developers made a full backup of the production database on Monday evening, but didn’t use the COPY_ONLY option, and you don’t have access to that file. The latest differential file is useless. You must start from Sunday’s full backup file, and then use Monday afternoon’s differential backup and all transaction log files since then. That’s more than 400 files to restore.

Eventually, with a bit of luck and text manipulation, you begin running the restore script. One particular log file takes a very long time. In your panicked state, you wonder whether it has somehow become stuck. After a minute or two of clicking around, you realize SQL Server had to grow the transaction log of the restored database because it was replaying that annoying index rebuild script that failed on Tuesday morning and needed to roll back.

Finally, at 6:33 p.m., your offsite database is up and running with the latest database backups, up to and including the one from 4:30 p.m. Just then, the lights come back on in the office. The power failure that affected the block where your office is has been resolved.

You need to do a full DBCC CHECKDB of the production server as soon as it starts, but it takes hours because the server is five years old and was installed with ECC RAM (which is useful but causes longer bootup times). This will push you out of the two-hour RTO that you and your boss agreed to, so you go with a failover approach.

You update the connection settings in the application to point to the offsite datacenter. Just then, your phone dies once more, but at least the office has power to charge everything again. You send the VP an email to say the reports should be working. Your cellular data bill is coming out of the expenses for his trip, you tell yourself as you pack up to go home.

As you walk to the bus stop, it occurs to you that the files you cleared out to free up drive space probably included the full database backup created by the developer from Monday night, and that you might have saved some time by checking them first.

Define acceptable data loss: RPO

When disaster strikes, you might lose a single byte in a single row in a single 8-KB data page due to memory or drive corruption. How do you recover from that corruption? Worse, what happens if you lose an entire volume or drive, the storage array, or even the entire building?

The RPO should answer the question, “How much data are you prepared to lose?” The RPO is usually measured in seconds or minutes. Your job is to deliver a technical implementation that meets this objective, perhaps by ensuring there is less time between the last known good backup and the moment of the point of failure. To achieve this, you must consider whether your backups are being done correctly, regularly, and copied offsite securely and in a timely manner.

In the nightmarish scenario we just laid out, the organization decided that losing 15 minutes’ worth of data was acceptable, but ultimately data changes over 27 minutes were lost. This is because the drive on the server at the DR site was full, and the most recent backup did not copy over. To satisfy a 15-minute window, the transaction log backups would need to be created more frequently, as would the offsite copy. Ideally, backups are copied offsite immediately after they are taken.

If the organization requires zero data loss, the budget must significantly increase to ensure that whatever unplanned event occurs, SQL Server’s memory and transaction log remains online, and that all backups are working and being securely copied offsite as soon as possible.

Define acceptable downtime: RTO

Time is money. Every minute an organization is unable to work has a cost, and lost productivity adds up quickly. The RTO is the amount of time by which you need to have everything up and running again after a disaster. You might orchestrate a failover to your DR site in another building, or a manual failover using log shipping. The RTO is usually measured in hours.

In our disaster scenario, the RTO was two hours. Our intrepid but woefully unprepared and accident-prone DBA barely made it. A few factors acted against the plan (if it could be called a plan).

For an organization to require zero downtime, the budget is exponentially increased. This is where a combination of HA and DR technologies combine to support the requirements.

Establish and use a runbook

When panic sets in, you need a clear set of instructions to follow, just like our deer-in-the-headlights DBA in our fictional scenario. This set of instructions is called a runbook.

The runbook is one of many documents that make up a DR plan. It is part of the BCP. It covers the steps necessary for someone (including your future self) to bring the databases and supporting services back online after a disaster. In an eventuality in which you or your team members become incapacitated, the document should be accessible and understandable to another DBA who has appropriate access, but doesn’t have intimate knowledge of the environment.

From our example scenario, issues like the RDP user account not being able to log in to SSMS, downloading the requisite tools, knowing to skip an out-of-band differential backup, and so on would not be immediately obvious to many people. Even the most experienced DBA in a panic will struggle with thinking clearly.

The level of detail in a runbook is defined by the complexity of the systems that need recovery and the time available to bring them back again. Your organization might be satisfied with a simple Microsoft Excel spreadsheet containing configurations for a few business-critical systems. Or it might need something more in-depth, complete with screenshots, links to vendor documentation and downloads, and expected outcomes at each step. In either case, the runbook should be updated as the system changes and stored in a version control system (which itself should be backed up properly). It is not unreasonable to have a paper copy, too, as you may not have access to all drives in the case of multiple outages or if you have to walk someone else through the process over the phone in the remote DR location.

The rest of this chapter describes how SQL Server provides backup and restore features to help you develop a recovery strategy that is most appropriate for your environment, so that when your organization wants to produce a BCP, you have sufficient knowledge to guide an appropriate and achievable technical response.

Most important, you must be able to rehearse a DR plan. The runbook won’t be perfect, and rehearsing scenarios will help you produce better documentation. That way, when disaster does strike, even the most panicked individual will be able to figure things out. Many organizations schedule regular walk-throughs and practice scenarios for DR. Some even perform a failover from one datacenter to another each month to rehearse their failover automation. When it is important to your business, you must train for it like an athlete. Financial organizations might check backups daily, perform system checks monthly, conduct walk-throughs of the DR plan quarterly, and perform full system failover annually.

An overview of SQL Server recovery models

A key part of understanding backups and their ability to restore is grasping recovery models. In SQL Server, a database’s recovery model determines how the transaction log is maintained, which affects your options for backups and restores. SQL Server supports three recovery models:

• Full. With this model, transactions are logged and kept at least until the transaction log has been backed up. This model allows a full point-in-time recovery. In this model, full, transaction log, and differential can be created. (We talk more about these three types of backups shortly.) The transaction log must be regularly backed up to avoid continuous growth. All database changes are fully logged and can be replayed.

• Bulk-logged. This model reduces the amount of transaction log used for certain bulk operations. SQL Server only logs what the Database Engine needs to undo the bulk operation, but the bulk operation cannot be replayed. Non-bulk operations are logged and maintained as in the full recovery model. This model can allow a point-in-time recovery only if no bulk-logged operations are in that portion of the transaction log backup. Full, transaction log, and differential backups can be created. Here too, the transaction log must be backed up to avoid continuous growth.

• Simple. Transactions are logged only until they are committed to the data file(s) on disk. Only full and differential backups can be created.

These models provide a high level of control over the types of backups, and thus restore options, available to your databases. We talk more about each of these models in the subsections that follow.

You can change the recovery model of a database in SSMS in Object Explorer, or by using the following Transact-SQL (T-SQL) statement and choosing the appropriate option in the square brackets:

Click here to view code image

ALTER DATABASE <dbname> SET RECOVERY [ FULL | BULK_LOGGED | SIMPLE ];

Full backups

A full database backup is a transactionally consistent copy of the entire database. The payload of this type of backup includes every 8-KB data page in every database file in all filegroups, FILESTREAM and memory-optimized files, and the portion of the transaction log that is necessary to roll forward or roll back transactions that overlapped with the backup window.

• You can read more about the active portion of the transaction log in Chapter 3.

You can perform full backups on databases in all recovery models, and you can compress them. Since SQL Server 2016, you can also compress databases encrypted with TDE.

With a minimal amount of T-SQL code, you can perform a full backup to a backup disk target. For example, you can use the following code to back up the WideWorldImporters sample database on a default instance with a machine called SERVER to a local drive (the drive path must exist):

Click here to view code image

BACKUP DATABASE WideWorldImporters
TO DISK = N'C:SQLDataBackupSERVER_WWI_FULL_20221218_210912.BAK';
GO

Differential backups

A differential backup is a convenience feature to reduce the number of transaction log backups (and time) required to restore a database to a point in time. A differential backup is always based on the last full database backup that wasn’t taken with the COPY_ONLY option. Differential backups contain all changed extents, FILESTREAM files, and memory-optimized data files since the last full backup. They cannot be restored on their own. To restore a database using a differential backup, you need that differential backup’s base full backup.

In many cases, a differential backup is much smaller than a full backup. This allows for a more flexible backup schedule. You can take a full backup less frequently and take the differential backups more regularly, taking up less space than full backups would.

Think back to Chapter 3, where we looked at extents. As a reminder, an extent is a 64-KB segment in the data file comprising a group of eight physically contiguous 8-KB data pages. After a default full backup completes (without the copy-only option, which we cover later), the differential bitmap is cleared. All subsequent changes in the database, at the extent level, are recorded in the differential bitmap. When the differential backup runs, it looks at the differential bitmap and backs up only the extents that have been modified since the full backup, along with the active portion of the transaction log. This is quite different from a transaction log backup, which records every change in the database, even if the change is made repeatedly to the same rows in the same tables. Thus, a differential backup is not the same thing as an incremental backup.

Even though you cannot restore a database to a point in time (or LSN) that occurs within the differential backup itself, differential backups can vastly reduce the number of transaction log files required to effect those same changes.

Differential backups apply to databases in the full, bulk-logged, and simple recovery models.

• You can read more about differential backups at https://learn.microsoft.com/sql/relational-databases/backup-restore/differential-backups-sql-server.

The backup chain

A backup chain starts with a full backup, followed by a series of differential and/or transaction-log backups. You can combine these into a recovery sequence to restore a database to a particular point in time after the full backup or to the time of the latest backup, whichever is required. Databases in the full recovery model can be restored to a point in time because transactions are fully logged in that recovery model.

Figure 10-1 illustrates a backup chain that starts with a full backup, which contains the most recent LSN of the active portion of the transaction log at the time that backup finished, followed by multiple transaction log backups and differential backups based on that full backup.

You can use a combination of the most recent differential backup (which must be based on that same full backup) and any additional transaction log backups to produce a point-in-time recovery. If you do not have a differential backup, or if the point in time you want to restore to is before the end of the differential backup, you must use transaction log backups. Either option will work, provided the LSNs required in the sequence are contained in each of those backups.

Until you run the very first full backup on a database using the full or bulk-logged recovery model, the database is pseudo-simple—that is, it behaves as though it is in the simple recovery model. Active portions of the log are cleared whenever a database checkpoint is issued, and the transaction log remains at a reasonably stable size unless a large transaction causes it to grow. This may seem unexpected, but there’s no need to keep a transaction log that can’t be restored.

Remember: A database restore always begins with a full backup (piecemeal restores are an uncommon exception and discussed later in this chapter). Until there is a full backup, there’s no need for historic transactions to be kept. Conversely, once the first full backup is created, less-experienced DBAs can be taken by surprise by the sudden and seemingly uncontrolled growth of the transaction log.

We recommend that you configure appropriate maintenance plans (including transaction log backups and monitoring) immediately after you create a new database. It is also a good idea to continue taking log backups even while a full backup is in progress. These log backups will ensure the backup chain is preserved even if the full backup fails or is cancelled.

• You can read more about designing an appropriate backup schedule in the “Create and verify backups” section later in this chapter. For more on maintenance plans, read Chapter 9, “Automate SQL Server administration.”

File and filegroup backups

You can take a more granular approach by backing up individual data files and filegroups, which use the full or differential options, as well. These options are available in the SSMS user interface; alternatively, you can use the official documentation to create appropriate T-SQL statements.

Additional backup options and considerations

This section includes several options and special considerations for creating backups in SQL Server.

CREATE DATABASE WideWorldImporters_202211021045 ON
( NAME = WideWorldImporters, FILENAME =
'C:Program FilesMicrosoft SQL ServerMSSQL16.MSSQLSERVERMSSQLDataWideWorldImporters
_data_202211021045.ss' )
AS SNAPSHOT OF WideWorldImporters;

RESTORE DATABASE WideWorldImporters FROM
DATABASE_SNAPSHOT = ' WideWorldImporters_202211021045';

Back up to disk

SQL Server backups are most commonly stored directly on a local volume or network path, referred to as the backup disk. A backup disk contains one or more backup files, and each file contains one or more database backups.

A database backup might also be split across multiple files. To back up VLDBs in less time, striping the backup across multiple files can be a valuable strategy. Be careful, however, because you must have all files in the set to successfully restore.

Back up to URL

Since SQL Server 2012 (with Service Pack 1 and Cumulative Update 2), you can back up your SQL Server database directly to Azure Blob Storage. This is made possible by using an Azure Storage account URL as a destination.

SQL Server 2016 added the ability to back up to Azure block blobs. This is now the preferred blob type when backing up to Azure Storage. When striping a backup on up to 64 blobs, block blobs support much larger backups and enable higher throughput than page blobs.

To back up a database to a block blob, you must provide a token for a shared access signature (SAS) for a standard Azure Storage account. (Premium storage accounts are not supported.) You can create a SAS using the Azure portal, PowerShell, the Azure Storage Explorer application, or other means. Before creating the SAS, you should define a matching stored access policy for the blob container that will store the backup files. This policy allows the SAS to be changed or revoked.

A SAS token represents the SAS. It is a query string that contains several elements that refer to the SAS. When creating a SAS token, you must specify the permissions that will be allowed using the SAS token. Read, write, delete, and list permissions are minimally required. The SAS token you obtain will begin with a question mark (?), but that question mark must be removed before SQL Server can successfully use the SAS token. (Readers versed in web technologies will understand that the question mark is the beginning of a URL query string and not part of the content.)

The SAS token must be used to create a credential. The credential’s name is the URL to the Azure Storage container. After the credential is created, backing up the database to Azure Storage only requires specifying the TO URL clause, as illustrated in the upcoming sample.

The following sample creates a credential using a SAS token and backs up the SSIO2022 database to the SSIO2022 Azure Storage account. The sample uses the WITH FORMAT option to overwrite an existing backup at the same URL. Your use case may require you to keep historic backups, in which case you should probably generate the backup file name by including the date and time of the backup. If you keep historic backups, you must create a scheme to remove outdated backup files; the RETAINDAYS and EXPIREDATE options are not supported with the TO URL clause.

Click here to view code image

CREATE CREDENTIAL [https://ssio2022.blob.core.windows.net/onprembackup]
    WITH IDENTITY = 'SHARED ACCESS SIGNATURE',
    -- Remember to remove the leading ? from the token
    SECRET = 'sv=2022-03-28&ss=…';
BACKUP DATABASE SamplesTest
    TO URL = 'https://ssio2022.blob.core.windows.net/onprembackup/db.bak'
    -- WITH FORMAT to overwrite the existing file
    WITH FORMAT;

• Extensive guidance on backup to URL is available at https://learn.microsoft.com/sql/relational-databases/backup-restore/sql-server-backup-to-url.

For security reasons, the container holding your SQL Server database backups should be configured as Private. We recommend that you configure the storage account to require secure transfer, meaning only HTTPS connections are allowed. Secure transfer is required by default on all new Azure Storage accounts. You can further secure the SAS token by restricting the IP addresses that can connect to the Azure Storage service using the token. If you choose to do so, you must remember to obtain a new token and update the database credential when your organization’s outbound IP addresses change.

Backup and media sets

As noted, SQL Server backups are written to media types (devices)—namely tape, disk (which includes locally connected volumes, solid-state drives, and UNC network paths), and Azure Blob Storage. Each of these types has specific properties, including format and block size.

Media set

A media set is an ordered collection of a fixed type and number of devices (see Figure 10-2). For example, if you are using a backup disk, your media set will comprise a fixed number of one or more files.

A backup will always contain at least one media set. With tape backup now deprecated, media sets with multiple devices are less common. Other factors to consider:

• Backup window. The backup window might be too short to allow the backup to finish unless it’s striped across multiple files or URLs.

• Backup to URL. The recommended block blobs in Azure Storage can hold 200 GB per blob at most. If your backup is larger than 200 GB, you’ll need to use multiple block blobs. Better backup performance may also be achieved using multiple block blobs, assuming your Internet upload speed is sufficient. We should note that concerns surrounding the integrity of striped backups are less acute in Azure Storage because you can, and should, configure the storage account with automatic redundancy, if not geo-redundancy.

SQL Server Enterprise edition supports mirroring media sets. A mirrored media set writes another copy of the backup. This feature provides you with a redundant copy of your backup on the same type of media. When the mirrored media sets are appropriately segmented on different storage hardware, this redundant copy increases the reliability of the backup, because an error in one backup set might not affect the mirrored copy.

• To read more about mirrored backup media sets, see https://learn.microsoft.com/sql/relational-databases/backup-restore/mirrored-backup-media-sets-sql-server.

Back up to S3-compatible storage

New in SQL Server 2022 is Simple Storage Service (S3)–compatible object storage integration. This feature extends existing BACKUP TO URL and RESTORE FROM URL functionality to S3 URLs using a REST API. URLs pointing to S3-compatible resources are prefixed with s3:// to denote that the S3 API is being used.

• An introduction to the S3 protocol and how it is used at Microsoft can be found at https://learn.microsoft.com/sql/relational-databases/backup-restore/sql-server-backup-and-restore-with-s3-compatible-object-storage.

Create backups

You can design a backup solution to satisfy a recovery strategy by using all or a combination of the available backup types. This chapter already covered the backup types and code samples.

The buffer pool (see Chapter 2) is not used for database backups. The backup buffer is a portion of memory outside the buffer pool, big enough to read pages from the data file and write those pages to the backup file. The backup buffer is usually between 16 MB and 32 MB in size. Memory pressure can reduce the backup and restore buffer sizes, causing backups and restores to take longer.

Verify backups

After you create a backup, we highly recommend that you immediately verify that the backup was successful. Although rare, corruption is always possible. Most of the time, it is caused by the storage layer (including device drivers, network drivers, and filter drivers), but it can also occur in non-ECC RAM or as the result of a bug in SQL Server itself.

• See KB309422 for more information on which antivirus exclusions to add for SQL Server, available at http://support.microsoft.com/help/309422.

There are two ways to verify a backup. You can probably guess that the most complete way is to restore it and use DBCC CHECKDB to perform a full consistency check on the restored database.

The other, quicker method is to use RESTORE VERIFYONLY. If you backed up your database using the checksum option (which is enabled by default on compressed backups), the restore will verify the backup checksum as well as the data page and log block checksums as it reads through the backup media. The convenience with RESTORE VERIFYONLY is that you do not need to allocate drive space to restore the data and log files, because the restore will read directly from the backup itself.

Restore a database using a full backup

You can perform a database restore through SSMS, Azure Data Studio, or by using a T-SQL statement. In this example, only a full backup file is available to restore a database. The full backup comes from a different server, where the path of the original database is different, so the database’s files must be relocated (moved) on the new server with the MOVE option.

To see the progress of the restore, you can set the statistics to display to the output window with the STATS option. The default is to write progress for every 5 percent complete. No statistics will be output until the files have been created on the file system.

Click here to view code image

RESTORE DATABASE WideWorldImporters
FROM DISK = N'C:SQLDataBackupSERVER_WideWorldImporters_FULL_20220918_210912.BAK'
WITH MOVE N'WideWorldImporters' TO N'C:SQLDataWWI.mdf',
MOVE N'WideWorldImporters_log' TO N'C:SQLDataWWI.ldf',
STATS = 5,
RECOVERY;
GO

The RECOVERY option (the default) at the end brings the database online immediately after the full backup has been restored. This prevents any further backups from being applied. If you want to restore a differential backup after this full backup, you must use the NORECOVERY option. Later, bring the database online only after restoring subsequent differential or transaction log backups. This is covered in the next section.

Restore a database with differential and log backups

Restoring using full, differential, and transaction log backups is more complicated, but you can still perform it through SSMS’s graphical wizard, Azure Data Studio, or by using a series of T-SQL statements.

For this scenario, we recommend creating your own automated scripts. For example, after every transaction log backup, you can use the information in the msdb database to build a script to restore the entire database to that point in time and then save the script in the same folder as the backup file(s).

You restore a database by using the RESTORE command. Full and differential restores use the RESTORE DATABASE option by convention. You can also restore transaction logs by using the RESTORE DATABASE option, but you might prefer to use RESTORE LOG, instead, for clarity:

Click here to view code image

-- First, restore the full backup
RESTORE DATABASE WideWorldImporters
FROM DISK = N'C:SQLDataBackupSERVER_WideWorldImporters_FULL_20220918_210912.BAK'
WITH
MOVE N'WideWorldImporters' TO N'C:SQLDataWWI.mdf',
MOVE N'WideWorldImporters_log' TO N'C:SQLDataWWI.ldf',
NORECOVERY;
GO
-- Second, restore the most recent differential backup
RESTORE DATABASE WideWorldImporters
FROM DISK = N'C:SQLDataBackupSERVER_WideWorldImporters_DIFF_20220926_120100.BAK'
WITH NORECOVERY;
GO
-- Finally, restore all transaction log backups after the differential
RESTORE LOG WideWorldImporters
FROM DISK = N'C:SQLDataBackupSERVER_WideWorldImporters_LOG_20220926_121500.BAK'
WITH NORECOVERY;
GO
RESTORE LOG WideWorldImporters
FROM DISK = N'C:SQLDataBackupSERVER_WideWorldImporters_LOG_20220926_123000.BAK'
WITH NORECOVERY;
GO
-- Bring the database online
RESTORE LOG WideWorldImporters WITH RECOVERY;
GO

Remember: Specify WITH RECOVERY in the final transaction log file restore, or in a separate command as in the previous example.

The RECOVERY option instructs SQL Server to run recovery on the database, which might include an upgrade step if the new instance has a newer version of SQL Server on it. When recovery is complete, the database is brought online.

Restore a database to a point in time

If configured properly, it is possible to restore a database to the exact moment in time (or more precisely, to the exact LSN) before a disaster occurred. A point-in-time restore requires an LSN or timestamp (meaning any specific date and time value) to let the RESTORE command know when to stop restoring. You can even restore to a specific mark in the transaction log backup, which you specify at transaction-creation time by explicitly naming a transaction. This requires knowing in advance that this transaction might be the cause for a point-in-time restore, which is rarely the case in a disaster scenario.

• To see more about marking transactions, go to https://learn.microsoft.com/sql/t-sql/statements/restore-statements-transact-sql.

Depending on the cause of the disaster, you might want to investigate the current state of the database to determine the best recovery approach. You might need to close connections to the database and set the database to single user mode. In single user mode, you have time to find out what happened (without making modifications), take a tail-log backup when possible and necessary, and recover the database to the moment before disaster struck.

In some cases, you might opt to leave the database active but restore it to a new database and reload changes from the restored version. The feasibility of this depends on the database schema, the number of changes that have been made since the adverse event, and the RTO.

A point-in-time restore works only when restoring transaction log backups, not full or differential backups. The point in time must be after the full backup from which you begin the restore process. This fact may make it valuable to keep several full backups prior to the most recent one. Some errors, such as human error or database corruption, may not always be detected before a new full backup is taken.

The process is the same as in the previous example, except for the final transaction log file, for which the point in time is specified by using the STOPAT or STOPBEFOREMARK options. Let’s look at each option:

• STOPAT. A timestamp. You must know this value from the time an unexpected event occurred. If it’s unclear when the event occurred, you might need to explore the transaction log.

• STOPBEFOREMARK or STOPATMARK. A log sequence number or transaction name. You must know the LSN value from exploring the active portion of the transaction log (see the preceding Inside OUT).

Assuming you have followed the same sequence as shown in the previous example, the final transaction log restore might look like this:

Click here to view code image

-- Restore point in time using timestamp
RESTORE LOG WideWorldImporters
FROM DISK = N'C:SQLDataBackupSERVER_WideWorldImporters_LOG_20170926_123000.BAK'
WITH STOPAT = 'Sep 26, 2017 12:28 AM',
RECOVERY;
GO
-- Or restore point in time using LSN
-- Assume that this LSN is where the bad thing happened
RESTORE LOG WideWorldImporters
FROM DISK = N'C:SQLDataBackupSERVER_WideWorldImporters_LOG_20170926_123000.BAK'
WITH STOPBEFOREMARK = 'lsn:0x0000029f:00300212:0002',
RECOVERY;
GO

• To read more about database recovery, including syntax and examples, visit https://learn.microsoft.com/sql/t-sql/statements/restore-statements-transact-sql.

Restore a database piecemeal

Partial database backups deal with file and filegroup backups to ease the manageability of your VLDB. This is an advanced topic with much detail to be discovered in your environment.

Partial recovery is useful for bringing a database online as quickly as possible to allow the organization to continue working. You can then restore any secondary filegroups later, during a planned maintenance window.

Piecemeal restores begin with something called the partial-restore sequence. In this sequence, the primary filegroup is restored and recovered first. If the database is under the simple recovery model, all read/write filegroups are then restored.

• To learn more about the SQL Server recovery process, read Chapter 3.

While this is taking place, the database is offline until restore and recovery is complete. Any unrestored files or filegroups remain offline, but you can bring them online later by restoring them.

Regardless of the database’s recovery model, the RESTORE command must include the PARTIAL option when doing a piecemeal restore, but only at the beginning of the sequence. Because transactions might span more than just the recovered filegroups, these transactions can become deferred, meaning that any transaction that needs to roll back cannot do so while a filegroup is offline. The transactions are deferred until the filegroup can be brought online again, and any data involved in that deferred transaction is locked in the meantime.

A sample recovery strategy for our DR scenario

Several avoidable problems occurred in the fictional DR story at the beginning of the chapter:

• There was no redundant power system in place.

• There was no redundant Internet connection (outside of a personal cellular device).

• There was no runbook to guide the accident-prone DBA.

• The security on the DR server did not follow recommended best practices.

• Sending the backups offsite failed.

The following subsections discuss some key considerations for your recovery strategy beyond taking backups.

Recovery strategies for hybrid and cloud environments

Many organizations use a combination of on-premises infrastructure and services in remote locations, including Azure services, third-party datacenters, and other cloud vendors.