Chapter 11
Developing, deploying, and managing data recovery

The first and foremost responsibility of a data professional is to ensure that a database can be recovered in the event of a disaster.

You don’t design a backup strategy. You design a restore strategy. You need to allow for potential downtime and loss of data, within acceptable limits. These are defined by the business requirements for getting an environment back up and running after a disaster.

Technical solutions such as high availability (HA) and disaster recovery (DR) are available in Microsoft SQL Server to support these requirements, which are ultimately governed by the organization itself. In other words, business requirements define the approach that you will take in your organization to plan for and survive a disaster. Remember that this is only a small but important part of a larger business continuity plan.

This chapter does not provide any guidance on recovering from a corrupt database. Microsoft recommends restoring from a last known good database backup if you experience corruption. That being said, our objective is that by the end of the next two chapters, you will understand how to achieve close to zero data loss with minimal downtime.

You can read more about data corruption in Chapter 13.

The governance of these requirements is outlined in a Service-Level Agreement (SLA), which explains the Recovery Point Objective (RPO) and Recovery Time Objective (RTO) from the organization’s perspective, as it relates to business continuity. The SLA might also include the consequences and penalties (financial or otherwise) if you do not meet the timelines.

The SLA is a business document, not a technical one, because the RPO and RTO are business requirements. Although you will use technical solutions to satisfy these requirements, it is important to keep in mind that your recovery strategy should be the best fit for the organization’s business needs.

For more information about achieving HA, read Chapter 12.

Disaster strikes in your office, just as you are about to head home for the weekend. The electricity goes out for the entire city block, and the uninterruptible power supply (UPS) under your desk fails because in all the confusion, you knocked over a half-finished can of soda onto it, which blew out the battery.

As the smell of burned electronics wafts up to your nostrils, you begin to panic. You haven’t rehearsed this scenario, because no one ever thought the UPS would be moved upstairs after the basement was flooded last spring, let alone end up with soda poured over it.

Your transaction log backups run every 15 minutes because that’s what the RPO stipulates, and you have a batch script in the Windows Task Scheduler that copies your files remotely, so your logs should have been copied safely off-premises. Well…that is, you’re pretty sure the log backups were copied correctly, right?

Except that you get a sinking feeling in the pit of your stomach as you remember a warning you saw among your email this morning, while a colleague was on the phone to you, and your finger had slipped on the mouse and accidentally deleted the notification instead of moving it. Plus, you have that annoying muscle-memory habit of emptying deleted items whenever you see them.

Your smartphone rings. It’s the boss, who is away this week at a conference and wants to check the sales figures for a report the board is putting together for an important meeting this evening. Your phone squawks because it has 2% battery remaining. Your laptop has some charge, but not much because you were planning on charging it when you arrived home.

You crack open your laptop to check whether you can somehow undelete your mail. Oh, right, your internet is down.

And then your phone dies while your boss, who coincidentally doesn’t care about power failures because the company spent hundreds of dollars on that UPS under your desk, is asking you when the reports will be available again and wants you to just get it done.

You could charge the phone off the laptop and use the tethered cellular connection to log into the DR site. But the signal in this area is weak, so you need to move to the window on the other side of the office. As you stand up, the laptop decides that it’s time to install operating system updates because it’s now after 5 PM.

After an agonizing few minutes, your phone finally starts. Meanwhile your laptop has cancelled the updates because there’s no internet access. You connect to your off-premises datacenter through a Remote Desktop session. It takes three attempts because you had forgotten that RDP to this server works only with the administrator user account.

The SQL Server instance has its own service account, so you need to download and use psexec to run SQL Server Management Studio as the service account in interactive mode, after changing a registry entry to allow that user to use interactive login. You check the backup folder, and thankfully the latest log file is from 4:30 PM. Great. That means the 4:45 PM backup didn’t copy over. Oh, it’s because the drive is full. That must have been what the email warning was about.

After clearing out some files that another colleague had put on the drive temporarily, you need to write the script you’ve been meaning to write to restore the database because you didn’t have time to set up log shipping.

You export the backup directory listing to a text file and begin looking for the latest full backup, differential backup, and transaction log backup files. But now you’ve seen that the last differential backup doesn’t make sense, because the size is all wrong.

You remember that one of your developers had made a full backup of the production database this week on Monday evening, didn’t use the COPY_ONLY option, and you don’t have access to that file. The latest differential file is useless. You need to start from Sunday’s full backup file and then use Monday afternoon’s differential backup and all transaction log files since then. That’s more than 400 files to restore.

Eventually, with a bit of luck and text manipulation, you begin running the restore script. One particular log file takes a very long time, and in your panicked state you wonder whether it has somehow become stuck. After a minute or two of clicking around, you realize SQL Server had to grow the transaction log of the restored database because it was replaying that annoying index rebuild script that failed on Tuesday morning and needed to roll back.

Finally, at 6:33 PM, your off-premises database is up and running with the latest database backups up to and including the one from 4:30 PM. Just then, the lights come on in the office, because the power failure that affected the downtown area where your office is has been resolved. Now you need to do a full DBCC CHECKDB of the production server as soon as it starts, which always takes forever because the server is five years old and was installed with ECC RAM, which will push you out of the two-hour RTO that you and your boss agreed to, so you stick with the failover plan.

You update the connection settings in the application to point to the off-premises datacenter just as your phone dies once more, but at least the office again has power to charge everything. You send the boss an email to say the reports should be working. The cellular data bill is coming out of your boss’s next trip, you tell yourself as you pack up to go home.

As you walk to the bus stop, it occurs to you that the files you cleared out to free up drive space probably included the full database backup from Monday night, and that you might have saved some time by checking them first.

The RPO should answer the question: “How much data are you prepared to lose?” You need to consider whether your backups are being done correctly, regularly, and copied off-premises securely and in a timely manner. The RPO is usually measured in seconds or minutes. In other words, this is the acceptable amount of time elapsed between the last known good backup, and the moment of the point of failure.

In this hellish scenario that we just laid out, the organization decided that losing 15 minutes of data was acceptable, but ultimately 27 minutes was lost. This is because the drive on the DR server was full, and the most recent backup did not copy over.

To satisfy a 15-minute window, the transaction log backups would need to be taken more frequently, as would the off-premises copy.

If the organization requires “zero data loss,” the budget will need to significantly increase to ensure that whatever unplanned event happens, SQL Server’s memory and transaction log remains online and that all backups are working and being securely copied off-premises as soon as possible.

In our disaster scenario, the RTO was two hours. Our intrepid but woefully unprepared and accident-prone DBA barely made it. A number of factors acted against the plan (if it could be called a plan).

For an organization to require zero downtime, the budget is exponentially increased. This is where a combination of HA and DR technologies combine to support the requirements.

The run book is a business continuity document. It covers the steps necessary for someone (including yourself) to bring the databases and supporting services back online after a disaster. In an eventuality in which you or your team members become incapacitated, the document should be accessible and understandable to someone who doesn’t have intimate knowledge of the environment.

From our example scenario, issues like the Remote Desktop Protocol (RDP) user account not being able to log in to SQL Server Management Studio, getting psexec downloaded, knowing to skip an out-of-band differential backup, and so on would not be immediately obvious to many people. Even the most experienced DBA in a panic will struggle with thinking clearly.

The level of detail in a run book is defined by the complexity of the systems that need recovery and the time available to bring them back again. Your organization might be satisfied with a simple Microsoft Excel spreadsheet containing configurations for a few business-critical systems. Or, it might be something more in-depth, updated regularly, and stored in a version control system (which itself should be backed up properly).

The rest of this chapter describes how SQL Server provides backup and restore features to help you come up with a recovery strategy that is most appropriate to your environment, so that when your organization wants to produce business continuity documentation, you have sufficient knowledge to guide an appropriate and achievable technical response.

Most important, you need to be able to rehearse a DR plan. The run book won’t be perfect, and rehearsing scenarios will help you to produce better documentation so that when disaster strikes, even the most panicked individual will be able to figure things out.

• Full recovery model. Allows a full point-in-time recovery. Full, differential, and transaction log backups can be taken. All transactions are fully logged.

• Bulk-logged recovery model. Reduces the amount of transaction log used for certain bulk operations. Can allow a point-in-time recovery if no bulk-logged operations are in that portion of the transaction log backup. Full, differential, and transaction log backups can be taken.

• Simple recovery model. No transactions are logged. Full and differential backups can be taken.

  ---

  NOTE

  These are called recovery models. If you see the term “recovery mode,” it is incorrect.

  ---

You can change the recovery model of a database in SQL Server Management Studio in Object Explorer, or by using the following Transact-SQL (T-SQL) statement (and choosing the appropriate option in the square brackets):

Click here to view code image

ALTER DATABASE <dbname> SET RECOVERY [ FULL | BULK_LOGGED | SIMPLE ];

Before diving into each recovery model in more detail, let’s take a look at point-in-time restores, and how those are affected by the log backup chain.

The most common form of disaster is human error, like accidentally leaving out a WHERE clause during an UPDATE statement.

No matter the cause, your reactions should be the same: stop all work on the database in question, find out what happened in a nondestructive way, take a tail-log backup if possible or necessary, and recover to the moment before disaster struck.

Keep in mind that a highly available database (using availability groups or database mirroring, for example) is not immune to disasters, especially if these disasters are replicated to downstream database instances.

Point-in-time recovery requires transaction logs that cover the full span of time from the most recent full backup to the time of the incident.

You can see an example of how to restore to a point in time in the section “Restoring a database to a point in time” later in this chapter.

Databases in the full recovery model can be restored to a point in time because transactions are fully logged in that recovery model.

As Figure 11-1 illustrates, a backup chain starts with a full backup, which contains the most recent LSN of the active portion of the transaction log at the time that backup finished. You can then use a combination of the most recent differential backup (which must be based on that same full backup) and any additional transaction log backups to produce a point-in-time recovery. If you do not have a differential backup or the point in time you want to restore to is before the end of the differential backup, you must use transaction log backups. Either option will work as long as the LSNs required in the sequence are contained in each of those backups.

A new database is in the full recovery model by default because it is derived from the model database, which itself is in the full recovery model by default. However, the database will not behave like it is in the full recovery model until the first time a full backup is taken, which is what initializes the backup chain.

Until you run that first full backup on a database in the full or bulk-logged recovery model, the new database is “pseudo-simple,” behaving as though it is in the simple recovery model. Active portions of the log are cleared whenever a database checkpoint is issued, and the transaction log remains at a reasonably stable size, unless a long-running transaction causes it to grow.

For less-experienced data professionals, the sudden and seemingly uncontrolled growth of the transaction log, after the first full backup, can take them by surprise.

We recommend that you configure appropriate maintenance plans (including transaction log backups and monitoring) at the time you create a new database.

You can read more about designing an appropriate backup schedule in the section “Creating backups” later in this chapter. For more on maintenance plans, read Chapter 14.

In this recovery model, after the first full backup takes place (which initializes the backup chain), the virtual log files in the transaction log remain active and are not cleared until a transaction log backup writes these log records to a log backup. Only then will the log be truncated (cleared).

Assuming that you implement a process to ensure that these backups are securely copied off-premises as soon as the backups are completed, and that you regularly test these backups, you can easily restore your database in the event of a disaster. Provided the right circumstances are in play, you might even be able to take a tail-log backup to achieve zero data loss, if that data has been committed and made durable.

You can read more about durability, including delayed durability, in Chapter 2.

It is usually not possible to restore a database in the bulk-logged recovery model to a point in time, but there is a way to get mostly-point-in-time recovery. This allows a more flexible recovery strategy than the simple recovery model (more on this in the next section), without generating large transaction logs for bulk operations.

Suppose that you want to use the bulk-logged recovery model to perform minimally logged operations, without breaking the log backup chain. Your database must be in the full recovery model before the bulk-logged operation is performed. First, you must take a transaction log backup, and then switch to the bulk-logged recovery model. After the bulk-logged operation is complete, you must immediately switch back to the full recovery model, and then back up the log again. This ensures that the backup chain remains unbroken and allows point-in-time recovery to any point before or after the bulk-logged operation.

For more details, read the TechNet article “Operations That Can Be Minimally Logged,” which is available at https://technet.microsoft.com/library/ms191244.aspx.

Databases in the simple recovery model can make use of full and differential backups. This recovery model is better suited to development databases, databases that change infrequently, and databases that can be rebuilt from other sources.

With tape backup now deprecated, media sets with multiple devices are less useful. When backing up to a disk, network, or URL, we recommend limiting backup operations to one file at a time. Nevertheless, a backup will always comprise at least one media set.

To read more about mirrored backup media sets, go to https://docs.microsoft.com/sql/relational-databases/backup-restore/mirrored-backup-media-sets-sql-server.

You could reuse an existing backup set by adding new backups for a database to the end of that media. This grows the media by appending the backup to the end of it. However, we do not recommend this practice, because the integrity of previous backups relies on the consistency of that media. An errant INIT option in the backup command could even accidentally overwrite existing backups in the backup set.

Regardless of the type of backup, the process will always include the active portion of the transaction log, including relevant LSNs, which ensures full transactional consistency when the backup is restored.

As we discussed earlier in the chapter, you can back up a SQL Server database using three main ways, full, differential, and transaction log, to produce the most efficient recovery strategy. A full database backup is the minimum type required to recover a database. Transaction log backups are incremental backups, based on a full backup, that allow point-in-time restores. Differential backups can reduce the amount of time required to restore a database to a point in time, also based on a full backup.

In Enterprise edition, especially for VLDBs, you can take file-level and filegroup-level backups to allow a more controlled procedure when restoring.

You can read more about the files that make up a SQL Server database in Chapter 3.

Every backup contains a header and a payload. The header describes the backup device, what type of backup it is, backup start and stop information (including LSN information), and information about the database files. The payload is the content of the data and/or transaction log files belonging to that backup. If Transparent Data Encryption (TDE) or Backup Encryption was turned on, the payload is encrypted.

You can read more about TDE in Chapter 7.

You can read more about the active portion of the transaction log in Chapter 3.

When a full backup runs with the default settings, a reserved data page known as the differential bitmap is cleared (see the upcoming section “Differential backups”). Any differential backups that are taken on the database after that will be based off that full backup.

You can perform full backups on databases in all recovery models, and you can compress them. Since SQL Server 2016, you can also compress databases that were encrypted with TDE.

You can perform a full backup to a backup disk target with a minimal amount of T-SQL code. For example, a WideWorldImporters database on a default instance with a machine called SERVER can be backed up by using the following code:

Click here to view code image

BACKUP DATABASE WideWorldImporters
TO DISK = N'C:SQLDataBackupSERVER_
WideWorldImporters_FULL_20170918_210912.BAK';
GO

In other words, only differential backups are affected by the COPY_ONLY option. Transaction log backups, and thus the backup chain, are not affected.

In this type of backup, the active portion of the transaction log is backed up. Transaction log backups apply only to databases in the full and bulk-logged recovery models. Databases in the full recovery model can be restored to a point in time, and databases in the bulk-logged recovery model can be restored to a point in time as long as the transaction log does not contain bulk-logged operations.

After you have disconnected any other users from the database, you can switch it to single-user mode and perform a manual log backup on the active portion of the log. This creates a log backup that can be used at the very end of the backup chain to guarantee zero data loss.

You can read more about tail-log backups at https://docs.microsoft.com/sql/relational-databases/backup-restore/back-up-the-transaction-log-when-the-database-is-damaged-sql-server.

In many cases, a differential backup is much smaller than a full backup, which allows for a more flexible backup schedule. You can run a full backup less frequently, and have differential backups running more regularly, taking up less space than the full backup would have taken.

Think back to Chapter 3 in which we looked at extents. As a reminder, an extent is a 64-KB segment in the data file, comprising a group of eight physically contiguous 8-KB data pages.

After a full backup completes (i.e., the default full backup without the copy-only option), the differential bitmap is cleared. All subsequent changes in the database, at the extent level, are recorded in the differential bitmap.

When the differential backup runs, it looks at the differential bitmap and backs up only the extents that have been modified since the full backup, along with the active portion of the transaction log.

This is quite different to a transaction log backup, which records every change in the database even if it’s to the same tables over and over again.

Thus, a differential backup is not the same thing as an incremental backup. If you want to restore a database using a differential backup, you need only the full backup file plus the most recent differential backup file.

Even though you cannot restore a database to a point in time (or LSN) that occurs within the differential backup itself, it can vastly reduce the number of transaction log files required to effect those same changes.

Differential backups apply to databases in the full, bulk-logged and simple recovery models.

You can read more about differential backups at https://docs.microsoft.com/sql/relational-databases/backup-restore/differential-backups-sql-server.

After you switch back to the full recovery model, you can restart the log backup chain without having to perform a full database backup by taking a differential backup. As long as you make use of this or a more recent differential backup in a later recovery, along with the accompanying transaction log backups, the backup chain has been repaired.

You can read more considerations regarding switching between recovery models at https://msdn.microsoft.com/library/ms178052.aspx.

Partial backups contain the primary filegroup, any read-write filegroups, and one or more optional read-only filegroups.

To read more about partial backups, go to https://docs.microsoft.com/sql/relational-databases/backup-restore/partial-backups-sql-server.

Unfortunately, it does increase the complexity due to increased administration of the additional file backups over and above the full, differential, and transaction log backups. This overhead extends to recovery script maintenance.

To read more about file backups, visit https://docs.microsoft.com/sql/relational-databases/backup-restore/full-file-backups-sql-server.

As noted in Chapter 3, you can also compress backups, which is recommended in almost all cases, unless the database makes use of page or row compression, or the database is encrypted with TDE.

To learn more about security and encryption, read Chapter 7.

Remember that the storage requirements for a memory-optimized table can be much larger than its usage in memory, which will affect the size of your backups.

To learn more about how to back up memory-optimized files, go to https://docs.microsoft.com/sql/relational-databases/in-memory-oltp/backing-up-a-database-with-memory-optimized-tables.

Other options also exist, including file-snapshot backups for database files that are already stored in Azure (see Chapter 3), or turning on Managed Backups (also covered in Chapter 3). Although these options are convenient, there is no substitute for a native SQL Server backup.

You can read more about maintenance plans in Chapter 13.

SQL Server Agent is an excellent resource for automating backups, and many third-party solutions make use of it too (as does the Maintenance Plan Wizard).

• A full backup reads the entire database, including the data file(s) and the active portion of the transaction log.

• A differential backup reads extents that have changed in the data file(s) since the last full (non-copy-only) backup as well as the active portion of the log.

• A transaction log backup reads only the active portion of the log.

• A partial backup reads an individual file or filegroup as well as the active portion of the log.

The buffer pool (see Chapter 2) is not used for database backups. The backup buffer is a portion of memory outside of the buffer pool, big enough to read pages from the data file and write those page to the backup file. The backup buffer is usually between 16 MB and 32 MB in size. Be aware that memory pressure can reduce the backup and restore buffer sizes, causing backups and restores to take longer.

You can change this behavior either by a trace flag (TF3023), in the SQL Server Management Studio properties of a backup, or in any T-SQL script you create to perform backups. We recommend that you turn on backup checksum where possible.

Without backup checksum turned on, no validation is performed on data pages or log blocks. This means that any logical corruption will also be backed up without showing any of the errors you might see with a DBCC CHECKDB operation. This is to allow for scenarios in which you can back up a corrupt database before attempting to fix the corruption.

To read more about recovering from corruption, see Chapter 13.

With backup checksum turned on, a checksum is calculated over the entire backup file. Additionally, the page checksum on every 8-KB data page (for both page verification types of checksum or torn-page detection), and log block checksum from the active portion of the log, will be validated.

The backup checksum can significantly increase the time for a backup to run, but adds some peace of mind, short of running a recommended DBCC CHECKDB on a restored database. Backup compression can offset this additional overhead.

There are two ways to verify a backup, and you can probably guess that the best way is to restore it and perform a full consistency check on the restored database by using DBCC CHECKDB.

The other, slightly quicker method, is to use RESTORE VERIFYONLY. If you backed up your database using the checksum option (which is on by default on compressed backups), the restore will verify the backup checksum as well as the data page and log block checksums as it reads through the backup media.

The convenience with RESTORE VERIFYONLY is that you do not need to allocate drive space to restore the data and log files, because the restore will read directly from the backup itself.

However, a DBCC CHECKDB is the only way to know that a database is free of corruption.

If you plan to make use of differential and/or transaction log backups, you must use the NORECOVERY keyword for all but one of the backups.

You restore a database in the simple recovery model by using a full backup to begin, plus the most recent differential backup based on the full backup if one is available.

You can restore a database in the bulk-logged recovery model by using a full backup, along with a most recent differential backup based on that full backup if available. Should you want to restore to a specific point in time for a bulk-logged database, this might be possible if no bulk-logged operations exist in the transaction log backups you use.

You can restore a database in the full recovery model to a point in time using a full backup, plus any transaction log backups that form part of the backup chain. You can use a more recent differential backup (based off that full backup) to bypass a number of those transaction log backups, where appropriate.

Each transaction log backup is replayed against the restoring database, using the NORECOVERY option, as though those transactions are happening in real time. Each file is restored in sequential order up to the required point in time or until the last transaction log backup is reached, whichever comes first.

After the entire chain has been restored (indicated by the WITH RECOVERY option), only then does the recovery kick in (which was covered in some detail in Chapter 3). All transactions that are committed will be rolled forward, and any in-flight transactions will be rolled back.

Some examples of restoring a database are included in the section that follows.

To see the progress of the restore, you can set the statistics to display to the output window. The default is to write progress for every 5% complete. No statistics will be output until the files have been created on the file system first.

Click here to view code image

RESTORE DATABASE WideWorldImporters
FROM DISK = N'C:SQLDataBackupSERVER_
WideWorldImporters_FULL_20170918_210912.BAK'

WITH

MOVE N'WideWorldImporters' TO N'C:SQLDataWWI.mdf',

MOVE N'WideWorldImporters_log' TO N'C:SQLDataWWI.ldf',
STATS = 5,

RECOVERY;

GO

The RECOVERY option (the default) at the end brings the database online immediately after the full backup has been restored. This prevents any further backups from being applied. If you want to restore a differential backup after this full backup, you will need to use the NORECOVERY option and bring the database online only after restoring the differential backup (see the next example).

For this scenario, we recommend creating your own automated scripts. For example, after every transaction log backup, you can use the information in the msdb database to build a script to restore the entire database to that point in time and then save the script in the same folder as the backup file(s).

To see an example by Steve Stedman, go to http://stevestedman.com/2017/10/building-sql-restore-script-backup-runs/.

You restore a database by using the RESTORE command. Full and differential restores use the RESTORE DATABASE option by convention. You can also restore transaction logs by using the RESTORE DATABASE option, but you might prefer to use RESTORE LOG, instead, for clarity:

Click here to view code image

-- First, restore the full backup
RESTORE DATABASE WideWorldImporters
FROM DISK = N'C:SQLDataBackupSERVER_
WideWorldImporters_FULL_20170918_210912.BAK'
WITH
MOVE N'WideWorldImporters' TO N'C:SQLDataWWI.mdf',
MOVE N'WideWorldImporters_log' TO N'C:SQLDataWWI.ldf',
STATS = 5,
NORECOVERY;
GO
-- Second, restore the most recent differential backup
RESTORE DATABASE WideWorldImporters
FROM DISK = N'C:SQLDataBackupSERVER_
WideWorldImporters_DIFF_20170926_120100.BAK'
WITH STATS = 5,
NORECOVERY;
GO
-- Finally, restore all transaction log backups after the differential
RESTORE LOG WideWorldImporters
FROM DISK = N'C:SQLDataBackupSERVER_
WideWorldImporters_LOG_20170926_121500.BAK'
WITH STATS = 5,
NORECOVERY;
GO
RESTORE LOG WideWorldImporters
FROM DISK = N'C:SQLDataBackupSERVER_
WideWorldImporters_LOG_20170926_123000.BAK'
WITH STATS = 5,
NORECOVERY;
GO
-- Bring the database online
RESTORE LOG WideWorldImporters WITH RECOVERY;
GO

Remember that you can use the WITH RECOVERY option in the final transaction log file restore, and exclude the final statement in the previous example.

The RECOVERY option instructs SQL Server to run recovery on the database, which might include an upgrade step if the new instance has a newer version of SQL Server on it. When recovery is complete, the database is brought online.

You can even restore to a specific mark in the transaction log backup, which you specify at transaction creation time by explicitly naming a transaction, though this is less common.

To see more about marking transactions, go to https://docs.microsoft.com/sql/t-sql/statements/restore-statements-transact-sql.

A point-in-time restore works only when restoring transaction log backups, not full or differential backups.

The process is the same as in the previous example, except for the final transaction log file, for which the point in time is specified by using the STOPAT or STOPBEFOREMARK options. Let’s look at each option:

• STOPAT. A timestamp. You will need to know this value from the time an unexpected event occurred, or from exploring the transaction log.

• STOPBEFOREMARK (also STOPATMARK). A log sequence number or transaction name. You will need to know the LSN value from exploring the active portion of the transaction log (see the Inside OUT for sys.fn_dblog in the section “Recovery to a point in time” previously in this chapter).

Assuming that you have followed the same sequence as shown in the previous example, the final transaction log restore might look like this:

Click here to view code image

-- Restore point in time using timestamp
RESTORE LOG WideWorldImporters
FROM DISK = N'C:SQLDataBackupSERVER_
WideWorldImporters_LOG_20170926_123000.BAK'
WITH STOPAT = 'Sep 26, 2017 12:28 AM',
STATS = 5,
RECOVERY;
GO
-- Or restore point in time using LSN
-- Assume that this LSN is where the bad thing happened
RESTORE LOG WideWorldImporters
FROM DISK = N'C:SQLDataBackupSERVER_
WideWorldImporters_LOG_20170926_123000.BAK'
WITH STOPBEFOREMARK = 'lsn:0x0000029f:00300212:0002',
STATS = 5,
RECOVERY;
GO

To read more about database recovery, including syntax and examples, visit https://docs.microsoft.com/sql/t-sql/statements/restore-statements-transact-sql.

Partial recovery is useful for bringing a database online as quickly as possible to allow the organization to continue working. You can then restore any secondary filegroups later, during a planned maintenance window.

Piecemeal restores begin with what is known as the partial-restore sequence. In this sequence, the primary filegroup is restored and recovered first. If the database is under the simple recovery model, all read/write filegroups are then restored.

To learn more about the SQL Server recovery process, read Chapter 3.

While this is taking place, the database is offline until restore and recovery is complete. Any unrestored files or filegroups remain offline, but you can bring them online later by restoring them.

Regardless of the database’s recovery model, the RESTORE command must include the PARTIAL option when doing a piecemeal restore, but only at the beginning of the sequence. Because transactions might span more than just the recovered filegroups, these transactions can become deferred, meaning that any transactions that needs to roll back cannot do so while a filegroup is offline. The transactions are deferred until the filegroup can be brought online again, and any data involved in that deferred transaction is locked in the meantime.

To read more about deferred transactions, go to https://docs.microsoft.com/sql/relational-databases/backup-restore/deferred-transactions-sql-server.

Point-in-time restore is provided under the following conditions:

• The first RESTORE DATABASE command must include the PARTIAL option.

• For a point-in-time restore against read/write filegroups, you need an unbroken log backup chain, and you must specify the time in the restore statement.

To see more about piecemeal restores, including code examples, visit https://docs.microsoft.com/sql/relational-databases/backup-restore/piecemeal-restores-sql-server.

The word “strategy” means that there is a long-term goal. Your recovery strategy will need to adapt to your environmental changes. A run book is a living document; it requires incremental improvements as you test it.

We also discuss recovery strategies around hybrid environments, and briefly discuss Azure SQL Database.

• A UPS was in the wrong place, with no redundant backup

• The internet connection did not have a redundant backup

• There was no run book to guide the accident-prone DBA

• The security on the DR server does not follow recommended best practices

• The off-premises backups were failing

In your run book, ensure that your backup generators and UPS collection can run all necessary equipment for long enough to keep emergency lights on, laptops charging, network equipment live, and the servers running, so that your DBA can log in to the SQL Server instance long enough to run a tail-log backup if necessary.

It might sound like a small detail, but you should even have a list of diesel suppliers in your run book, especially if your generators need to keep running for several hours.

Clean power is also important. Generators cause power fluctuations, which can damage sensitive electronic equipment. Although a power conditioner should be installed with your generator, you need to make sure that it works correctly.

Security of the off-premises location for backups is critical, and no one should have access to that unless they are required to do a recovery.

Automate your backups. Use maintenance plans (see Chapter 13), and make use of established third-party backup tools such as Ola Hallengren’s Maintenance Solution (available from http://ola.hallengren.com) or MinionWare Backup (available from http://www.minionware.net).

Verify that you have a process to check that your backups are taking place. Test that process often. For example, if SQL Server Agent is crashing, none of your notifications might ever fire. Test the backups, as well, by having a machine that restores backups continuously and running DBCC CHECKDB where possible. If you can afford it, have log shipping configured so that all backups are restored as soon as they come into off-premises storage. Ensure that the backup files are being securely copied off-premises as soon as they can.

Run random spot-checks of your backups, as well, by picking a date and time in the backup history and restoring the backup. Aside from testing the databases themselves, this is a good rehearsal for when something goes wrong. Remember to run DBCC CHECKDB on any database you restore.

You might find as databases grow that the SLA becomes out of date and that the RTO is no longer achievable. Running these tests will alert you to this situation long before it becomes a problem and will allow you to tweak how you perform backups in the future.

For example, you might discover that it is much quicker to spin up an Azure virtual machine with SQL Server, and restore the business-critical databases that are stored in Azure Blob Storage, than having to struggle with VPN connections and failed hardware on-premises at another datacenter.

If you must use a remote desktop connection to access a server, protect it by using a VPN. Also, check that you have already downloaded additional tools (like psexec in the example) and documented how to use them.

Keep all passwords and keys (symmetric and asymmetric) in a password manager as well as printed and stored in a secure location with the run book where practical. Make sure that all digital certificates are backed up securely.

The cadence is up to your organization, but a full DR scenario should be tested at least once or twice a year. Any changes you need to make to the run book should be made immediately. If the recovery fails, make notes of how it failed and what you did to resolve the failure. All of this information is extremely valuable.

With cloud services, don’t keep all of your data in one region. Make use of geo-replication, so that if or when one region becomes unavailable, you still have business continuity.

It can be prudent to make use of virtualization technologies that allow for virtual machine snapshots and file system snapshots to ensure that your virtual servers are backed up regularly. You can augment these with appropriate native SQL Server backups that are tested properly.

When designing a recovery strategy for a hybrid environment, pick a DR site that is central, but geo-replicated.

If you are already making use of Azure Storage for your backups, this reduces the network bandwidth and latency issues if you can restore your organization’s databases to Azure virtual machines or databases in Azure SQL Database.

Remember that after failing over to a DR site, you will need to fail back to your on-premises site when it is up and running again.

It’s always good to remember that the backup chain can survive migrations and upgrades. Keep your databases in the full recovery model, and take regular full and transaction log backups (and differential backups where appropriate). Make sure these backups are copied securely off-premises on a regular basis to a central location accessible from each node of your hybrid environment. Test your backups and your recovery strategy regularly, and write it down.

You are now prepared to handle almost any disaster recovery scenario.

• Database replacement. You can replace an existing database using a database backup. This requires that you verify the service tier and performance level of the restored database. To replace your existing database, rename the old one and restore the new one to the old name.

• Database recovery. If you need to recover data from a previous point in time, you can restore your database backup with a different database name and then copy the data you need using T-SQL scripts you write yourself.

• Deleted database. If you deleted a database and you are still within the recovery window, you can restore that deleted database to the time just before it was deleted.

The geo-restore feature can restore a full and differential backup to any server in the Azure region from a geo-redundant backup. However, databases on the basic performance tier can take up to 12 hours to geo-restore. This Estimated Recovery Time should be a consideration in your RTO.

To read more about recovering a database in Azure SQL Database, including associated costs, refer to Chapter 5, or visit https://docs.microsoft.com/azure/sql-database/sql-database-recovery-using-backups.