Chapter 9
Protecting Client Data
CommVault Concepts & Design Strategies: https://www.createspace.com/3726838
A client is defined as any production source requiring protection. A server with any Simpana® iDataAgent
installed in it is considered a client and will appear in the client tree in the CommCell console. NDMP devices
that are being protected will also appear as clients in the GUI though no agents will be installed on the NDMP
device.
CommVault® software provides a wide variety of protection methods for protecting physical and virtual
environments. It is important to note that when agents are installed on either a physical or virtual server they will
be considered clients and will be configured and managed in the same manner. Virtual environments can also be
protected using the Virtual Server Agent (VSA) which will be covered in the next chapter.
Client Tree
The Client Tree Structure defines a hierarchy for arranging various components of a client. This hierarchy will
remain consistent throughout all clients which results in simplified administration of a CommCell environment.
Diagram illustrating the client tree structure. All clients will have at least one
iDataAgent. Clients can be associated with a client computer group. Depending on the
agent installed instances can be configured. The data set will be based on the type of
agent being used (backup, archive, replication). Within the data set subclients can be
defined to manage content.
Components of the client tree
Client Computer group
Client computer groups allow the grouping of multiple clients within the group. Clients can be members of
multiple groups. Client computer groups are useful for the following:
Standardizing reports and alerts. By configuring reports and alerts to client groups whenever a client
is added or removed from the group it will be reflected in the report or alert next time it runs.
Grouping machines by function or location. In large CommCell environments it is easier to navigate
clients by grouping them together by function or location.
User Group Security. User group security can be defined at the client group level. Any user group
associated with the client group will have granted capabilities for all clients within the group.
Pushing firewall configurations. Firewall configurations can be set in the properties of the client
computer group as well as associated with selected client groups. All clients within the group will have
firewall configurations pushed from the client group.
Bandwidth throttling. Throttling can be configured in the properties of the client group. The throttling
is configured for the group and settings will take effect for each client within the group. Throttling can
be configured for various days of the week and time periods within each day.
Schedule Policies. Schedule policies can be created and assigned to client groups. It's important to note
that when scheduling client groups with schedule policies it is not recommended to configure the
schedule policy to back up all agents at the same time. Set different schedules for different agents and
stagger the schedules.
Client
Any server configured with an iDataAgent within the CommCell environment will show up as a client.
iDataAgent
For each file system and application that CommVault supports, an iDataAgent is used to protect the required
data. Each iDataAgent is specifically designed to interact with the file or application using APIs or scripts to
properly protect and manage the data. Depending on the iDataAgent used different options will be available.
Note: In this book the terms iDataAgent and Agent are used interchangeably.
Instance
For some agents multiple instances of the application can be run on a client. For database applications that
support multiple instances, each instance can be separately defined. For the Virtual Server Agent each instance
can be configured to interface with VMware®, Hyper-V®, or Xen® server.
Data Set
The term Data Set refers to backup, archive or replication sets. Depending on what agent is being configured the
corresponding data set will appear in the client tree. By default each agent or instance will have a default data set.
This set represents ALL data the agent or instance is responsible to protect. For some agents, additional data sets
can be created. Each additional data set created will also represent all the data the agent is responsible for. This
means using multiple data sets can result in multiple backups of the agent data. This configuration is not
recommended under normal circumstances. There are special use cases where creating additional data sets may be
desired.
Subclient
The subclient is where the actual content managed within the data set is defined. For most backup data sets
(backup sets) a default subclient will appear. For backup data sets the default subclient will be enabled with auto-
detection capabilities. This means it will protect all data within the backup set unless the data is filtered out or
explicitly defined in a separate custom subclient.
Custom subclients can also be defined, explicitly defining content that will be exclusive to the custom subclient.
Once data is defined in the custom subclient it will automatically be excluded from the default subclient. This
means data is mutually exclusive to the subclient where it's defined. Contents within a data set can only be
protected once.
Client Properties
Client Side Deduplication
This tab allows you to enable Client Side Deduplication for the Client. If the storage policy is configured to use
Client Side Deduplication, the policy setting will take precedence. If the policy is not configured for Client Side
Deduplication, then the Perform client side Deduplication option can be checked to enable it for the Client.
An optional Client Side Disk Cache can be used to hold a local cache of block signatures. Each subclient will
maintain its own cache and the cache will only contain signatures of blocks the subclient has protected. This
option is only recommended when backing up data over slow WAN links.
Variable Content Alignment can be enabled for large data files, such as database dump files to improve
deduplication ratios. Ratios may improve marginally and additional overhead will be required to align the blocks
for proper signature generation. If you are not achieving the dedupe ratios you expect this may be an option to
experiment with. For typical file data, since Simpana deduplication will automatically align blocks with the start
of each file, this option is not required.
Encryption
Inline encryption can be used to encrypt data during primary protection operations. The encryption can take place
on the Client or on the Media Agent. Encryption is enabled at the Client level and then applied at the Subclient
level. This provides the flexibility of defining data which requires encryption in separate Subclients from data that
does not require encryption.
Once encryption is enabled on the Client, the algorithm and key length that will be used can be set. You can also
choose whether to use a Media Password, which will store keys on media, or not to use the password, which will
require CommCell Console access to recover data.
An additional level of protection called Pass-Phrase can also be configured. Where the Media Password is set at
the CommCell or storage policy level, the Pass-Phrase is set at the Client level. Each Client server can have a
unique Pass-Phrase for data recovery. An optional restore access setting, With a Pass-Phrase, can be set, which will
require administrators recovering data through the CommCell Console to enter the Pass-Phrase for recovery.
Note: In the event that the Media Password is not known, contact CommVault support, which can assist in
recovering the password. If the Pass-Phrase is not known, data CANNOT be recovered through any means using
Simpana software or tools.
Network Throttling
Much of this book focuses on increasing the speed at which data is moved. The Network Throttling settings allow
you to throttle back the network bandwidth CommVault will consume. These settings can be defined for Clients
or Client Computer Groups, and different throttling rules can be set for different days of the week and different
times of day.
iDataAgents
iDataAgents provide the intelligence to interface with the file system or application being protected. CommVault
uses capabilities inherent in the file system or application to protect data. This means that the capabilities or
limitations in CommVault's ability to protect the data are based on the system's capabilities. Through APIs or
scripting, which can be automatically generated by the Simpana software, the iDataAgent will communicate with
the file system or application. This allows the data to be in the proper state to be protected prior to running data
protection operations. Enabling VSS prior to a Windows file system backup or quiescing a database prior to
backup are examples of using the iDataAgent to properly protect required data.
File System iDataAgents
Simpana software provides file system iDataAgent protection for most operating systems. Depending on the
operating system, specific capabilities can be used to protect data. Check with CommVault's online
documentation for operating system specific configuration options.
The following diagram shows a file system iDataAgent with a data set, a default
subclient and a custom subclient.
Application iDataAgents
Database iDataAgent
The Simpana product suite supports all major database applications. Features are specific to the database
application and use available API or scripting mechanisms native to the application.
Mailbox iDataAgent
For Microsoft Exchange and Lotus Notes Domino, granular backup and recovery iDataAgents can be used to
protect objects within the database. This provides a simplified and quick recovery method for objects that does
not require a database restore.
Document iDataAgents
For SharePoint environments document repositories can be protected for granular level recovery operations.
Archive iDataAgent
Archive iDataAgents work by moving infrequently accessed data to one or more tiers in the CommVault
protected environment. This reduces production storage requirements and makes backup and recovery operations
faster.
Archive iDataAgent support:
File system
Exchange messages
Domino mailbox
Network attached storage (NAS)
SharePoint documents
Compliance Archive iDataAgent
In Microsoft Exchange environments journal mailboxes can be used to intercept and preserve all messages going
through the Exchange server. The journal mailboxes can be protected by CommVault and preserved for
compliance and eDiscovery purposes.
Image Level iDataAgents
The Image Level iDataAgent conducts backup jobs by copying data blocks from the source volume as opposed to
copying objects. This provides a faster operation by sequentially copying all data blocks and then indexing
objects that have been protected. The Image Level iDataAgent is useful for protecting large volumes of data with
a high number of objects such as a volume containing millions of small files.
NAS NDMP iDataAgents
NDMP iDataAgent can be used to protect data on a NAS filer. A NAS iDataAgent is installed on a Media Agent
proxy server to backup CIFS or NFS shares from the NAS filer to the proxy. This provides granular backup and
recovery using full, incremental, differential and synthetic full operations.
Desktop Laptop Backup
The Desktop Laptop Option (DLO) is used to protect end user workstations by incorporating source side
deduplication with backup jobs to protect change data blocks. This method provides a low impact to the end user
and production network. Backup data can be restored by the administrator or by the end user through the use of
the end user search web interface.
SnapProtect™ Technology
SnapProtect™ technology provides the ability to integrate with hardware based snapshot technologies or the
Simpana Continuous Data Replicator to snap and backup source volumes. The SnapProtect feature is explained in
detail in the SnapProtect chapter.
Subclients
Subclients are used to define the actual content for protection. Depending on the iDataAgent, various subclient
options will be available. It is important to note that server content defined at the subclient level is directed to
storage through a storage policy not the server itself. This means that different data from the same server can be
directed to different storage and have different retention and copies created to manage the data. This is quite
different than many legacy backup products that direct server data in its entirety to storage providing no granular
management of the data.
The Default Subclient
By default most iDataAgents will have a Default Subclient. During the initial installation of the agent software an
option to associate agent data with a storage policy is provided. This determines the storage policy that will
manage the Default Subclient data. All subclients must be associated with a storage policy to protect the data.
The default subclient acts as a catch all for all data managed within a data set. This means the default subclient
will automatically detect and protect all data the agent is responsible to protect. When custom subclients are
defined any data managed by the custom subclient will automatically be excluded from the default subclient. This
is the concept of mutual exclusiveness of contents within a data set. Data is mutually exclusive to the subclient in
which it is defined and data cannot be defined in multiple subclients within the data set. The concept of Simpana
software is to Copy Once and Reuse Extensively (CORE). In other words protect the data to the storage policy
and use secondary copies to create additional copies of data. There are situations where protecting data from the
source location multiple times may be required. To accomplish this you can create additional data sets.
Modifying Contents of the Default Subclient
The content of the default subclient is represented by a slash (backslash for Windows-based agents and forward
slash for Linux/Unix based clients). It is strongly NOT recommended to modify the contents of the default
subclient. Modifying this content will disable the auto detect functionality of the default subclient. If this is done
any future content required for protection must be explicitly added to the subclient contents.
Default Subclients without AutoDetect
Some iDataAgents will either not define a default subclient or will not use auto-detection within the default
subclient. This is because protection strategies for certain agents should NOT include all data. For these agents all
data must be explicitly added. Some of these agents can have auto-detection enabled and specific rules for auto-
detection can be defined. For more information refer to CommVault online documentation.
Creating Custom Subclients
Custom subclients can be defined to manage specific data. There are many reasons for using custom subclients
and they are based on the following primary reasons:
Improve protection performance
Special retention requirements
Specific data handling
To create a custom subclient select the data set, right click and then All Tasks, New Subclient. For MS-SQL select
the backup set, right click, New Subclient and then select a subclient for database or file/file group.
Improving Performance
Using multiple subclients can improve performance by multi-streaming protection operations. Each subclient will
contain its own stream or set of streams for moving data to protected storage. Some iDataAgents may not support
multi-streaming of subclient data. For these agents using multiple subclients would be the method to multi-stream
operations.
Another performance improvement method is to use multiple subclients in a stagger schedule pattern to distribute
the protection load over a period of time. Full and incremental backups can be staggered throughout the week or
even month. For example: Create seven subclients each for a different day of the week. Schedule a full for a
subclient and then incremental backups. For the next subclient schedule the full for the next day and then
incremental jobs. Repeat this for all seven subclients.
Strategies for improving protection performance will be discussed throughout this book.
Special Retention Requirements
It is quite common in modern data centers to have different retention requirements for data on the same server.
The server may require a two week retention for disaster recovery purposes, home folder data may need to be
kept for 90 days, and a finance share may be required to be kept for seven years.
Special Data Handling
Subclients provide specific configuration options which can be used to ensure data is properly protected. If
content requires specific methods for proper protection it is recommended to define the data in its own subclient
and set configuration options appropriately. The following lists several examples:
Open File handling – Using VSS or Simpana QSnap open files can be properly protected during normal
protection jobs. For Windows 2003 or later VSS is recommended. For non-Windows clients QSnap can
be used to protect open files. It is important to note that when open file handlers initialize they create a
Copy-on-Write cache. During the protection job the cache will be used to record changed blocks. If there
are too many block updates or not enough cache space the operation can fail. It is strongly recommended
to use open file handling only for volumes that require it. It is NOT recommended to use open files
handling on system drives or drives containing application databases.
Application data quiescing – For applications that CommVault does not have iDataAgents for, the data
can be backed up with a File System iDataAgent. To ensure application consistent backups of data, the
application needs to quiesce the data. This can be accomplished by using Pre/Post process scripts that
can be inserted into the subclient. Generate scripts to quiesce and unquiesce the application for pre scan
and post backup operations.
Data filtering – Filters can be set in the Global Filter applet in Control Panel and assigned to all
subclients. In specific cases additional filters may need to be added or exclusions may need to be added.
In this case define a separate subclient and configure the filters appropriately.
Note: For a complete list of subclient settings and use cases refer to the chapter Creating & Configuring
Subclients.
Defining Subclient Content
Depending on the file system or application different methods will be used to define content for protection. The
following list explains the basic methods for defining content for different agents:
File System – Data can be defined using drives, folders, files, UNC paths or file wildcards.
o File Type Wildcards can be used to define specific file types such as *:\*\*.DOC which will
protect any files with the DOC extension in any drive and any folder.
o Folder Wildcards can be used to define content based on the first character of a folder. For
example you can use [A-M]* as content to a subclient to protect all folders starting with the
letters A through M. This is useful for backing up very large folder structures when multiple
subclients and stagger scheduling may be needed to meet operation windows.
o UNC paths can be added for protection in the add path text box in the Content tab. When the
path is added an impersonate user dialog box will appear. Add a user account with proper
permissions to protect the network path.
File system data that will not be protected in subclients
o A and B drives (unless explicitly mapped by a subclient).
o Optical drives.
o Mapped network drives.
System State – For Windows systems system state data can be defined as content. By default it will be
included as part of the Default Subclient. If needed a separate subclient can be defined for system state
data. This will allow the system state to be protected and retained separately from other content.
Database data – Databases can be defined as content at the database level. This allows different
databases to be backed up and retained in separate subclient containers. Different application databases
such as MS-SQL and Oracle will have additional content options. Check with CommVault online
documentation for more information on application specific capabilities.
Mailboxes – Mailboxes can be protected using the mailbox backup, mailbox archive, or the compliance
archive agents. Mailbox data can be defined as content in a number of ways. The method used to assist
in defining subclient content is defined in the data set for the agent.
o Storage Group Affinity – This will allow mailboxes to be grouped and defined in separate
subclients based on which Exchange storage group they belong to.
o Active Directory Group – This will allow mailboxes to be grouped and defined in separate
subclients based on Active Directory group membership. This can be useful when defining
mailbox backup policies for specific user groups such as Managers or Executives.
o Content based on regular expressions – This will allow mailboxes to be assigned to
subclients based on the name of the mailbox. This can be used in conjunction with the folder
wildcard concept discussed in the file system content bullet point. In this case you could use
[A-M]* as content to a subclient to protect all mailboxes starting with the letters A through M. A
mailbox level subclient cannot be multi-streamed. Dividing mailboxes into different subclients
using wildcards can be used to multi-stream backups by executing simultaneous subclient
backup jobs.
VSA backups – Defining subclient contents when using the Virtual Server Agent is done by associating
VMs with a subclient. Discovery options are configured in the backup set of the VSA instance. Depending
on the discovery option selected different options will appear in the subclient contents and Auto
Discovery tabs. The VSA agent is discussed in more detail in the Protecting Virtual Environments
chapter.
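The content rules above (folder wildcards such as [A-M]*, file type wildcards such as *:\*\*.DOC, and the default subclient acting as a catch-all) can be checked offline before they are configured. The following Python sketch is an added example, not CommVault code or a Simpana API: the paths and subclient names are constructed, patterns are assumed to be anchored to a full path and matched with Python's fnmatch, and a path claimed by two custom subclients is only reported because this chapter does not say how the product resolves that.

```python
import fnmatch

DEFAULT = "default"


def matches(pattern: str, path: str) -> bool:
    # Windows paths compare case-insensitively; fnmatchcase keeps '\' literal.
    return fnmatch.fnmatchcase(path.upper(), pattern.upper())


def assign(paths, custom, default_content=None):
    """Map each path to the one subclient that owns it.

    custom          -- {subclient name: [content patterns]}
    default_content -- None models the untouched default subclient (auto-detect,
                       catch-all). A list models a default subclient whose
                       content was modified: only those patterns are covered.
    Returns (assignment, overlaps, unprotected).
    """
    assignment, overlaps, unprotected = {}, {}, []
    for path in paths:
        owners = [name for name, pats in custom.items()
                  if any(matches(p, path) for p in pats)]
        if len(owners) > 1:
            # Content may be defined in only one subclient per data set.
            overlaps[path] = owners
        elif owners:
            assignment.setdefault(owners[0], []).append(path)
        elif default_content is None or any(
                matches(p, path) for p in default_content):
            assignment.setdefault(DEFAULT, []).append(path)
        else:
            unprotected.append(path)
    return assignment, overlaps, unprotected


# Constructed sample data (hypothetical server layout and subclient names).
SAMPLE_PATHS = [
    r"D:\Home\alice\notes.txt",
    r"D:\Home\bob\plan.doc",
    r"D:\Home\nina\budget.xlsx",
    r"D:\Home\zed\cv.doc",
    r"D:\Home\_archive\old.zip",
    r"D:\Home\2019-scans\scan1.pdf",
    r"C:\Windows\system.ini",
]
CUSTOM = {
    "home_A-M": [r"D:\Home\[A-M]*"],
    "home_N-Z": [r"D:\Home\[N-Z]*"],
}

if __name__ == "__main__":
    scenarios = {
        "default subclient untouched": (CUSTOM, None),
        "default subclient content modified to C:\\*": (CUSTOM, [r"C:\*"]),
        "extra file type subclient added": (
            dict(CUSTOM, docs=[r"*:\*\*.DOC"]), None),
    }
    for title, (custom, default_content) in scenarios.items():
        assignment, overlaps, unprotected = assign(
            SAMPLE_PATHS, custom, default_content)
        print(f"== {title}")
        for name, owned in assignment.items():
            print(f"  {name}: {len(owned)} path(s)")
        for path, owners in overlaps.items():
            print(f"  OVERLAP {path} -> {owners}")
        for path in unprotected:
            print(f"  UNPROTECTED {path}")
```

In this model the folders starting with a digit or an underscore match neither letter range, so they are covered only while the default subclient still auto-detects content.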
Turbo Agent (One Pass Agent)
A new feature in Simpana v9 SP4 is the ability to perform backup and archive jobs in a single operation. An
archive job using a standard file system archive agent is actually a backup operation that will protect all files that
meet archive requirements. After the files are backed up a stubbing operation will run converting the files into
stubs. The idea behind the Turbo Agent is that, since a backup and an archive work the same way, running both
operations concurrently lets the overall protection process complete faster.
To enable a file system backup for backup and archive, in the File System iDataAgent select the Enable for
Archiving option. This will add a Rules tab for all subclients defined within the agent. Use this tab to define
archiving rules for the subclient data. When a data protection job runs all data defined in the subclient will be
backed up. At the conclusion of the backup, any objects that meet the defined archiving rules will then be
stubbed.
Currently the Turbo Agent is only supported when backing up to disk. This will also require synthetic or DASH
Full backups to be run. This is required to properly prune files from the job based on the appropriate retention
rules. See the Retention chapter for more information on Turbo Agent retention.
Subclient Policies
Subclient policies can be used as a template tool to create custom subclients and assign them to multiple backup sets
at the same time.
Considerations for using subclient policies:
Subclient policies can only be used with file system iDataAgents.
No custom subclients can exist within the backup set prior to associating with a subclient policy.
Subclient policies can be associated with the default or custom backup sets.
Wildcards can be used to define the path to the content. Example: the documents folder is on the C:\ or D:\ drive
for different backup sets. Content for the subclient policy can be defined as *:\documents.