Chapter 9

Protecting Client Data

CommVault Concepts & Design Strategies: https://www.createspace.com/3726838

A client is defined as any production source requiring protection. A server with any Simpana® iDataAgent installed in it is considered a client and will appear in the client tree in the CommCell console. NDMP devices that are being protected will also appear as clients in the GUI though no agents will be installed on the NDMP device.

CommVault® software provides a wide variety of protection methods for protecting physical and virtual environments. It is important to note that when agents are installed on either a physical or virtual server they will be considered clients and will be configured and managed in the same manner. Virtual environments can also be protected using the Virtual Server Agent (VSA) which will be covered in the next chapter.

Client Tree

The Client Tree Structure defines a hierarchy for arranging various components of a client. This hierarchy will remain consistent throughout all clients which results in simplified administration of a CommCell environment.

Diagram illustrating the client tree structure. All clients will have at least one iDataAgent. Clients can be associated with a client computer group. Depending on the agent installed instances can be configured. The data set will be based on the type of agent being used (backup, archive, replication). Within the data set subclients can be defined to manage content.

Components of the client tree

Client Computer group

Client computer groups allow the grouping of multiple clients within the group. Clients can be members of multiple groups. Client computer groups are useful for the following:

Standardizing reports and alerts. By configuring reports and alerts to client groups, whenever a client is added or removed from the group it will be reflected in the report or alert next time it runs.

Grouping machines by function or location. In large CommCell environments it is easier to navigate clients by grouping them together by function or location.

User Group Security. User group security can be defined at the client group level. Any user group associated with the client group will have granted capabilities for all clients within the group.

Pushing firewall configurations. Firewall configurations can be set in the properties of the client computer group as well as associated with selected client groups. All clients within the group will have firewall configurations pushed from the client group.

Bandwidth throttling. Throttling can be configured in the properties of the client group. The throttling is configured for the group and settings will take effect for each client within the group. Throttling can be configured for various days of the week and time periods within each day.

Schedule Policies. Schedule policies can be created and assigned to client groups. It's important to note that when scheduling client groups with schedule policies it is not recommended to configure the schedule policy to back up all agents at the same time. Set different schedules for different agents and stagger the schedules.

Client

Any server configured with an iDataAgent within the CommCell environment will show up as a client.

iDataAgent

For each file system and application that CommVault supports, an iDataAgent is used to protect the required data. Each iDataAgent is specifically designed to interact with the file or application using APIs or scripts to properly protect and manage the data. Depending on the iDataAgent used different options will be available.

Note: In this book the terms iDataAgent and Agent are used interchangeably.

Instance

For some agents multiple instances of the application can be run on a client. For database applications that support multiple instances, each instance can be separately defined. For the Virtual Server Agent each instance can be configured to interface with VMware®, Hyper-V®, or Xen® server.

Data Set

The term Data Set refers to backup, archive or replication sets. Depending on what agent is being configured the corresponding data set will appear in the client tree. By default each agent or instance will have a default data set. This set represents ALL data the agent or instance is responsible to protect. For some agents, additional data sets can be created. Each additional data set created will also represent all the data the agent is responsible for. This means using multiple data sets can result in multiple backups of the agent data. This configuration is not recommended under normal circumstances. There are special use cases where creating additional data sets may be desired.

Subclient

The subclient is where the actual content managed within the data set is defined. For most backup data sets (backup sets) a default subclient will appear. For backup data sets the default subclient will be enabled with auto-detection capabilities. This means it will protect all data within the backup set unless the data is filtered out or explicitly defined in a separate custom subclient.

Custom subclients can also be defined, explicitly defining content that will be exclusive to the custom subclient. Once data is defined in the custom subclient it will automatically be excluded from the default subclient. This means data is mutually exclusive to the subclient where it's defined. Contents within a data set can only be protected once.

Client Properties

Client Side Deduplication

This tab allows you to enable Client Side Deduplication for the Client. If the storage policy is configured to use Client Side Deduplication, the policy setting will take precedence. If the policy is not configured for Client Side Deduplication, then the Perform client side Deduplication option can be checked to enable it for the Client.

An optional Client Side Disk Cache can be used to hold a local cache of block signatures. Each subclient will maintain its own cache and the cache will only contain signatures of blocks the subclient has protected. This option is only recommended when backing up data over slow WAN links.

Variable Content Alignment can be enabled for large data files, such as database dump files, to improve deduplication ratios. Ratios may improve marginally and additional overhead will be required to align the blocks for proper signature generation. If you are not achieving the dedupe ratios you expect this may be an option to experiment with. For typical file data, since Simpana deduplication will automatically align blocks with the start of each file, this option is not required.

Encryption

Inline encryption can be used to encrypt data during primary protection operations. The encryption can take place on the Client or on the Media Agent. Encryption is enabled at the Client level and then applied at the Subclient level. This provides the flexibility of defining data which requires encryption in separate Subclients from data that does not require encryption.

Once encryption is enabled on the Client the algorithm and key length that will be used can be set. The option to use a Media Password, which will store keys on media, or not to use the password, which will require CommCell Console access to recover data, can be set.

An additional level of protection called Pass-Phrase can also be configured. Where the Media Password is set at the CommCell or storage policy level, the Pass-Phrase is set at the Client level. Each Client server can have a unique Pass-Phrase for data recovery. An optional restore access setting With a Pass-Phrase can be set which will require administrators recovering data through the CommCell Console to enter the Pass-Phrase for recovery.

Note: In the event that the Media Password is not known, contact CommVault support which can assist in recovering the password. If the Pass-Phrase is not known, data CANNOT be recovered through any means using Simpana software or tools.

Network Throttling

Much of this book focuses on increasing the speed at which data is moved. The Network Throttling settings allow you to throttle back the network bandwidth CommVault will consume. These settings can be defined for Clients or Client Computer Groups and different throttling rules can be set for different days of the week and different times of day.

iDataAgents

iDataAgents provide the intelligence to interface with the file system or application being protected. CommVault uses capabilities inherent in the file system or application to protect data. This means that the capabilities or limitations in CommVault's ability to protect the data are based on the system's capabilities. Through APIs or scripting, which can be automatically generated by the Simpana software, the iDataAgent will communicate with the file system or application. This allows the data to be in the proper state to be protected prior to running data protection operations. Enabling VSS prior to a Windows file system backup or quiescing a database prior to backup are examples of using the iDataAgent to properly protect required data.

File System iDataAgents

Simpana software provides file system iDataAgent protection for most operating systems. Depending on the operating system, specific capabilities can be used to protect data. Check with CommVault's online documentation for operating system specific configuration options.

The following diagram shows a file system iDataAgent with a data set, a default subclient and a custom subclient.

Application iDataAgents

Database iDataAgent

The Simpana product suite supports all major database applications. Features are specific to the database application and use available API or scripting mechanisms native to the application.

Mailbox iDataAgent

For Microsoft Exchange and Lotus Notes Domino, granular backup and recovery iDataAgents can be used to protect objects within the database. This provides a simplified and quick recovery method for objects that does not require a database restore.

Document iDataAgents

For SharePoint environments document repositories can be protected for granular level recovery operations.

Archive iDataAgent

Archive iDataAgents work by moving infrequently accessed data to one or more tiers in the CommVault protected environment. This reduces production storage requirements and makes backup and recovery operations faster.

Archive iDataAgent support:

File system
Exchange messages
Domino mailbox
Network attached storage (NAS)
SharePoint documents

Compliance Archive iDataAgent

In Microsoft Exchange environments journal mailboxes can be used to intercept and preserve all messages going through the Exchange server. The journal mailboxes can be protected by CommVault and preserved for compliance and eDiscovery purposes.

Image Level iDataAgents

The Image Level iDataAgent conducts backup jobs by copying data blocks from the source volume as opposed to copying objects. This provides a faster operation by sequentially copying all data blocks and then indexing objects that have been protected. The Image Level iDataAgent is useful for protecting large volumes of data with a high number of objects such as a volume containing millions of small files.

NAS NDMP iDataAgents

The NDMP iDataAgent can be used to protect data on a NAS filer. A NAS iDataAgent is installed on a Media Agent proxy server to back up CIFS or NFS shares from the NAS filer to the proxy. This provides granular backup and recovery using full, incremental, differential and synthetic full operations.

Desktop Laptop Backup

The Desktop Laptop Option (DLO) is used to protect end user workstations by incorporating source side deduplication with backup jobs to protect changed data blocks. This method provides a low impact to the end user and production network. Backup data can be restored by the administrator or by the end user through the use of the end user search web interface.

SnapProtect™ Technology

SnapProtect™ technology provides the ability to integrate with hardware based snapshot technologies or the Simpana Continuous Data Replicator to snap and back up source volumes. The SnapProtect feature is explained in detail in the SnapProtect chapter.

Subclients

Subclients are used to define the actual content for protection. Depending on the iDataAgent, various subclient options will be available. It is important to note that server content defined at the subclient level is directed to storage through a storage policy, not the server itself. This means that different data from the same server can be directed to different storage and have different retention and copies created to manage the data. This is quite different than many legacy backup products that direct server data in its entirety to storage, providing no granular management of the data.

The Default Subclient

By default most iDataAgents will have a Default Subclient. During the initial installation of the agent software an option to associate agent data with a storage policy is provided. This determines the storage policy that will manage the Default Subclient data. All subclients must be associated with a storage policy to protect the data.

The default subclient acts as a catch all for all data managed within a data set. This means the default subclient will automatically detect and protect all data the agent is responsible to protect. When custom subclients are defined any data managed by the custom subclient will automatically be excluded from the default subclient. This is the concept of mutual exclusiveness of contents within a data set. Data is mutually exclusive to the subclient in which it is defined and data cannot be defined in multiple subclients within the data set. The concept of Simpana software is to Copy Once and Reuse Extensively (CORE). In other words, protect the data to the storage policy and use secondary copies to create additional copies of data. There are situations where protecting data from the source location multiple times may be required. To accomplish this you can create additional data sets.

Modifying Contents of the Default Subclient

The content of the default subclient is represented by a slash (backslash for Windows based agents and forward slash for Linux/Unix based clients). It is strongly NOT recommended to modify the contents of the default subclient. Modifying this content will disable the auto detect functionality of the default subclient. If this is done any future content required for protection must be explicitly added to the subclient contents.

Default Subclients without AutoDetect

Some iDataAgents will either not define a default subclient or will not use auto-detection within the default subclient. This is because protection strategies for certain agents should NOT include all data. For these agents all data must be explicitly added. Some of these agents can have auto-detection enabled and specific rules for auto-detection can be defined. For more information refer to CommVault online documentation.

Creating Custom Subclients

Custom subclients can be defined to manage specific data. There are many reasons for using custom subclients and they are based on the following primary reasons:

Improve protection performance
Special retention requirements
Specific data handling

To create a custom subclient select the data set, right click and then All Tasks, New Subclient. For MS-SQL select the backup set, right click, New Subclient and then select a subclient for database or file/file group.

Improving Performance

Using multiple subclients can improve performance by multi-streaming protection operations. Each subclient will contain its own stream or set of streams for moving data to protected storage. Some iDataAgents may not support multi-streaming of subclient data. For these agents using multiple subclients would be the method to multi-stream operations.

Another performance improvement method is to use multiple subclients in a stagger schedule pattern to distribute the protection load over a period of time. Full and incremental backups can be staggered throughout the week or even month. For example: Create seven subclients, each for a different day of the week. Schedule a full for a subclient and then incremental backups. For the next subclient schedule the full for the next day and then incremental jobs. Repeat this for all seven subclients.

Strategies for improving protection performance will be discussed throughout this book.

Special Retention Requirements

It is quite common in modern data centers to have different retention requirements for data on the same server. The server may require a two week retention for disaster recovery purposes, home folder data may need to be kept for 90 days, and a finance share may be required to be kept for seven years.

Special Data Handling

Subclients provide specific configuration options which can be used to ensure data is properly protected. If content requires specific methods for proper protection it is recommended to define the data in its own subclient and set configuration options appropriately. The following list gives several examples:

Open File handling – Using VSS or Simpana QSnap open files can be properly protected during normal protection jobs. For Windows 2003 or later VSS is recommended. For non-Windows clients QSnap can be used to protect open files. It is important to note that when open file handlers initialize they create a Copy-on-Write cache. During the protection job the cache will be used to record changed blocks. If there are too many block updates or not enough cache space the operation can fail. It is strongly recommended to use open file handling only for volumes that require it. It is NOT recommended to use open file handling on system drives or drives containing application databases.

Application data quiescing – For applications that CommVault does not have iDataAgents for, the data can be backed up with a File System iDataAgent. To ensure application consistent backups of data, the application needs to quiesce the data. This can be accomplished by using Pre/Post process scripts that can be inserted into the subclient. Generate scripts to quiesce and unquiesce the application for pre scan and post backup operations.

Data filtering – Filters can be set in the Global Filter applet in Control Panel and assigned to all subclients. In specific cases additional filters may need to be added or exclusions may need to be added. In this case define a separate subclient and configure the filters appropriately.

Note: For a complete list of subclient settings and use cases refer to the chapter Creating & Configuring Subclients.

Defining Subclient Content

Depending on the file system or application different methods will be used to define content for protection. The following list explains the basic methods for defining content for different agents:

File System – Data can be defined using drives, folders, files, UNC paths or file wildcards.

  o File Type Wildcards can be used to define specific file types such as *:\*\*.DOC which will protect any files with the DOC extension in any drive and any folder.

  o Folder Wildcards can be used to define content based on the first character of a folder. For example you can use [A-M]* as content to a subclient to protect all folders starting with the letters A through M. This is useful for backing up very large folder structures when multiple subclients and stagger scheduling may be needed to meet operation windows.

  o UNC paths can be added for protection in the add path text box in the Content tab. When the path is added an impersonate user dialog box will appear. Add a user account with proper permissions to protect the network path.

File system data that will not be protected in subclients

  o A and B drives (unless explicitly mapped by a subclient).

  o Optical drives.

  o Mapped network drives.

System State – For Windows systems system state data can be defined as content. By default it will be included as part of the Default Subclient. If needed a separate subclient can be defined for system state data. This will allow the system state to be protected and retained separately from other content.

Database data – Databases can be defined as content at the database level. This allows different databases to be backed up and retained in separate subclient containers. Different application databases such as MS-SQL and Oracle will have additional content options. Check with CommVault online documentation for more information on application specific capabilities.

Mailboxes – Mailboxes can be protected using the mailbox backup, mailbox archive, or the compliance archive agents. Mailbox data can be defined as content in a number of ways. The method used to assist in defining subclient content is defined in the data set for the agent.

  o Storage Group Affinity – This will allow mailboxes to be grouped and defined in separate subclients based on which Exchange storage group they belong to.

  o Active Directory Group – This will allow mailboxes to be grouped and defined in separate subclients based on Active Directory group membership. This can be useful when defining mailbox backup policies for specific user groups such as Managers or Executives.

  o Content based on regular expressions – This will allow mailboxes to be assigned to subclients based on the name of the mailbox. This can be used in conjunction with the folder wildcard concept discussed in the file system content bullet point. In this case you could use [A-M]* as content to a subclient to protect all mailboxes starting with the letters A through M. A mailbox level subclient cannot be multi-streamed. Dividing mailboxes into different subclients using wildcards can be used to multi-stream backups by executing simultaneous subclient backup jobs.

VSA backups – Defining subclient contents when using the Virtual Server Agent is done by associating VMs with a subclient. Discovery options are configured in the backup set of the VSA instance. Depending on the discovery option selected different options will appear in the subclient contents and Auto Discovery tabs. The VSA agent is discussed in more detail in the Protecting Virtual Environments chapter.
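
The following sketch is an added example, not CommVault code and not part of the original chapter. It models the rules described in this chapter (custom subclient content is excluded from the catch-all default subclient, filters remove data from protection, and encryption is enabled on the Client and applied per Subclient) to report sensitive paths that would be backed up unencrypted or not at all. The client, subclient names, paths, the fnmatch-based wildcard matching and the choice to treat overlapping custom content as an error are all assumptions.

```python
"""Added example: model of subclient content resolution and encryption
coverage. Matching rules are a simplified assumption, not CommVault's own."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Subclient:
    name: str
    content: list            # wildcard patterns; empty list = default (catch-all)
    encrypt: bool = False    # encryption applied at the subclient level
    filters: list = field(default_factory=list)  # patterns excluded from backup


@dataclass
class Client:
    name: str
    encryption_enabled: bool  # encryption enabled at the client level
    subclients: list


def _match(path, pattern):
    # Windows paths are case-insensitive; fnmatch treats "\" literally
    # and lets "*" span folder separators.
    return fnmatchcase(path.upper(), pattern.upper())


def resolve(client, path):
    """Return the subclient that protects `path`, or None if filtered out.
    Raises ValueError when two custom subclients claim the same path."""
    custom = [s for s in client.subclients if s.content]
    owners = [s for s in custom if any(_match(path, p) for p in s.content)]
    if len(owners) > 1:
        raise ValueError(f"{path} defined in multiple subclients: "
                         f"{[s.name for s in owners]}")
    if owners:
        owner = owners[0]
    else:  # nothing claimed it, so it falls through to the default subclient
        defaults = [s for s in client.subclients if not s.content]
        owner = defaults[0] if defaults else None
    if owner and any(_match(path, p) for p in owner.filters):
        return None
    return owner


def is_encrypted(client, subclient):
    # Both switches are needed: enabled on the client, applied on the subclient.
    return client.encryption_enabled and subclient.encrypt


def audit(client, sensitive_paths):
    """List (path, reason) findings for sensitive data that would be
    unprotected or written to storage without inline encryption."""
    findings = []
    for path in sensitive_paths:
        owner = resolve(client, path)
        if owner is None:
            findings.append((path, "not protected"))
        elif not is_encrypted(client, owner):
            findings.append((path, f"unencrypted in subclient '{owner.name}'"))
    return findings


# Constructed sample configuration (hypothetical names and paths).
FILESRV = Client("filesrv01", encryption_enabled=True, subclients=[
    Subclient("default", content=[], filters=[r"*\*.TMP"]),
    Subclient("finance", content=[r"D:\Finance\*"], encrypt=True),
    Subclient("home_A-M", content=[r"E:\Home\[A-M]*"]),
    Subclient("docs", content=[r"*:\*\*.DOC"]),
])

SENSITIVE = [
    r"D:\Finance\2019\ledger.xlsx",   # finance subclient, encrypted
    r"E:\Home\alice\payroll.csv",     # home_A-M, encryption not applied
    r"E:\Home\zed\contract.pdf",      # falls through to default
    r"D:\HR\cache\review.tmp",        # default, but filtered out
]

if __name__ == "__main__":
    for path, reason in audit(FILESRV, SENSITIVE):
        print(f"{path}: {reason}")
```

A path such as D:\Finance\2019\budget.doc matches both the finance and docs patterns in this sample, so resolve() raises instead of guessing which subclient owns it.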

Turbo Agent (One Pass Agent)

A new feature in Simpana v9 SP4 is the ability to perform backup and archive jobs in a single operation. An archive job using a standard file system archive agent is actually a backup operation that will protect all files that meet archive requirements. After the files are backed up a stubbing operation will run, converting the files into stubs. The concept behind the Turbo Agent is that since a backup and an archive work the same way, running both operations concurrently lets the overall protection process complete faster.

To enable a file system backup for backup and archive, in the File System iDataAgent select the Enable for Archiving option. This will add a Rules tab for all subclients defined within the agent. Use this tab to define archiving rules for the subclient data. When a data protection job runs all data defined in the subclient will be backed up. At the conclusion of the backup, any objects that meet the defined archiving rules will then be stubbed.

Currently the Turbo Agent is only supported when backing up to disk. This will also require synthetic or DASH Full backups to be run. This is required to properly prune files from the job based on the appropriate retention rules. See the Retention chapter for more information on Turbo Agent retention.

Subclient Policies

Subclient policies can be used as a template tool to create custom subclients and assign them to multiple backup sets at the same time.

Considerations for using subclient policies:

Subclient policies can only be used with file system iDataAgents.

No custom subclients can exist within the backup set prior to associating with a subclient policy.

Subclient policies can be associated with the default or custom backup sets.

Wildcards can be used to define the path to the content. Example: the documents folder is on the C:\ or D:\ drive for different backup sets. Content for the subclient policy can be defined as *:\documents.
