In Trend Micro Worry-Free Business Security 6.0 and higher, Trend have implemented new technology that reduces the size of pattern files distributed to the client machines. This combined with other architecture changes means that there is quite a lot of disk activity and change at certain times during the day. The disk activity is really a reorganisation of the pattern files and the database itself and is not actually an increase in the amount of data being stored. In itself this is not a problem because a backup taken once a day with your favourite backup program will only record the differences between that point in time and the last backup which is fairly small. However if you backup more often than that you might run into a problem with having very large incremental backups. This article talks about why that happens and shows how to avoid it.
Any image based backup software such as SBS 2008/SBS2011 inbuilt backup, or third party backup programs such as StorageCraft ShadowProtect have the ability to backup very fast and multiple times a day – as much as every 15 minutes in the case of ShadowProtect. This is great from a disaster recovery perspective as it allows you to minimise the data lost due to a system failure to a very small time window. The way these work is to take a base image one time only and then take some form of incremental backup from that point forward. Windows / SBS Backup automatically consolidates these into it’s backup file which is a VHD. ShadowProtect takes these as incrementals and then ImageManager consolidates these based on various settings.
Now if we look at one of the features of StorageCraft ImageManager called replication – this replication feature allows the incremental images to be sent over a LAN/WAN to another server or via FTP to a remote server. This is a cool feature because it means as soon as an incremental image is created, it can be shipped offsite quickly and efficiently. This however relies on the incrementals being able to be small enough that they can be pushed out quickly to the remote location. Factors such as limited internet bandwidth really come into play here.
Ok – let’s tie this all together now to see the ramifications.
We have Image based backup software that can snapshot the changes made in the last 15 minutes – if there is a program such as WFBS that makes large amounts of disk change in that 15 minutes then the incremental image will be quite a bit larger than normal. It can be that you will get a few Gigabytes of changes in a short period of time. These incrementals are fundamental to restoring the server to that specific point in time and therefore we can’t do anything about them per se.
It’s worthwhile noting that programs such as disk defragmentation utilities can also cause large amounts of disk change in short period of time. Such programs should only be run outside of hours and periodically to minimise the change and therefore backup sizes. There may well be other programs like this that I’ve not specifically called out – be aware of them if you see things like the large incremental backups and investigate to find out the root cause of the problem.
So how do we get around this problem so that we can have the ability to minimise our backup sizes and give us the power to replicate our incrementals quickly? It’s actually quite simple. The solution is to NOT backup these sections of the system every 15 minutes. Now you can’t do that specifically, so what is really needed is for you to create a partition for Utility programs such as this and install those programs to that partition. You can backup the rest of your server every 15minutes if that is what you want, but with this partition, simply back it up once a day. You will find that the REAL amount of data change from the start of the day to the end of the day may only be a few hundred MB at most which can easily be replicated outside of business hours. Now – the inbuilt SBS backup can’t do this – only third party programs such as ShadowProtect or Acronis can have multiple backup jobs scheduled.
Given you now have a utility partition, you might want to think about moving other such programs or databases to it – things that are not updated frequently include WSUS – it typically will synchronise once a day and hand out patches during the day. In a disaster recovery scenario, it typically won’t be an issue to restore the main server from say 4pm today and the utilities partition from 10pm last night.
In my testing, I need to highlight that the problems of large incrementals are not unique to ShadowProtect – when running Trend WFBS on my server with the SBS backup, and 30 minute backup intervals, I observed large incrementals as well – they are just hidden inside the backup itself so it’s not as obvious. The same happened when I ran a defragmentation on my disk drive using SBS backup as well. The moral to that is that it’s very easy to blame one product for another products “working by design”.
I hope this helps you understand the issue and ways to work around it.