Practical backup strategies for MSP and enterprise environments. Focus on reliability, recoverability, and business continuity.

The 3-2-1 Backup Rule

3 Copies of Data

  • Production data
  • Local backup
  • Offsite backup

2 Different Media Types

  • On-premises (disk, NAS, tape)
  • Cloud storage

1 Copy Offsite

  • Cloud backup
  • Remote datacenter
  • Tape rotation offsite

Modern Addition: 3-2-1-1-0

  • 3 copies
  • 2 different media
  • 1 offsite
  • 1 offline/immutable (ransomware protection)
  • 0 errors (verify backups regularly)

Backup Types

Full Backup

What: Complete copy of all data

Pros:

  • Simple restore (only need one backup set)
  • No dependency on previous backups

Cons:

  • Longest backup time
  • Most storage space required

Schedule: Weekly or monthly

Incremental Backup

What: Only files changed since last backup (full or incremental)

Pros:

  • Fast backup
  • Minimal storage

Cons:

  • Slower restore (need full + all incrementals)
  • More complex

Schedule: Daily between fulls

Differential Backup

What: All files changed since last full backup

Pros:

  • Faster restore than incremental (need only full + last differential)
  • Still reasonably fast backups

Cons:

  • Larger than incremental
  • Gets bigger each day until next full

Schedule: Daily between fulls

Example Strategy

Lang: text
Sunday: Full
Monday: Incremental (since Sunday)
Tuesday: Incremental (since Monday)
Wednesday: Incremental (since Tuesday)
Thursday: Incremental (since Wednesday)
Friday: Incremental (since Thursday)
Saturday: Incremental (since Friday)

Restore Friday: Need Sunday full + Mon-Fri incrementals

Alternative with Differential:

Lang: text
Sunday: Full
Monday-Saturday: Differential (each since Sunday)

Restore Friday: Need only Sunday full + Friday differential
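
The two schedules above behave very differently when one set in the week is bad. The following added example (not part of the original guide) resolves the restore chain from a constructed backup catalog and shows the latest point that is still recoverable when Wednesday's set fails verification; the record fields and the `restore_chain` helper are assumptions made for illustration.

```python
from datetime import date

def mk(day, kind, parent=None, ok=True):
    """Constructed catalog entry for November 2024; `parent` is the set it builds on."""
    return {"day": date(2024, 11, day), "kind": kind, "ok": ok,
            "parent": date(2024, 11, parent) if parent else None}

# Constructed sample: Sunday 3 Nov full, Mon-Fri follow-ups, and Wednesday's
# set (6 Nov) failed verification in both schedules.
INCREMENTAL = [mk(3, "full")] + [
    mk(d, "incremental", parent=d - 1, ok=(d != 6)) for d in range(4, 9)]
DIFFERENTIAL = [mk(3, "full")] + [
    mk(d, "differential", parent=3, ok=(d != 6)) for d in range(4, 9)]

def restore_chain(catalog, target):
    """Return (restore_point, [days of the sets to apply, oldest first]).

    Walks parent links from the newest backup on or before `target` back to a
    full. If any set in that chain is missing or failed verification, the next
    older restore point is tried, so the result may be earlier than `target`.
    """
    by_day = {b["day"]: b for b in catalog}
    for start in sorted((d for d in by_day if d <= target), reverse=True):
        chain, cur = [], by_day[start]
        while cur is not None and cur["ok"]:
            chain.append(cur["day"])
            if cur["kind"] == "full":
                return start, chain[::-1]
            cur = by_day.get(cur["parent"])  # None when the parent set is gone
    raise LookupError("no restorable chain on or before target")

if __name__ == "__main__":
    friday = date(2024, 11, 8)
    # Incremental: the bad Wednesday set strands Thursday and Friday.
    print("incremental :", restore_chain(INCREMENTAL, friday))
    # Differential: Friday depends only on the Sunday full.
    print("differential:", restore_chain(DIFFERENTIAL, friday))
```

With the incremental schedule the best achievable restore point is Tuesday, while the differential schedule still restores Friday from two sets.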

What to Back Up

Servers

Domain Controllers

Lang: text
Critical:
- System State (AD database, SYSVOL)
- C:\ drive (OS and system files)

Schedule: Daily
Retention: 30 days minimum

File Servers

Lang: text
Critical:
- All data volumes
- Share permissions (captured in system state)
- DFS replication databases

Schedule: Daily
Retention: Based on recovery point objective

Database Servers

Lang: text
Critical:
- Database files (application-aware backup)
- Transaction logs
- Configuration files

Schedule:
- Full: Weekly
- Transaction log: Every 15-60 minutes
- Differential: Daily

Retention: Depends on compliance requirements

Email Servers (Exchange)

Lang: text
Critical:
- Mailbox databases
- Transaction logs
- Exchange configuration

Schedule:
- Database: Daily
- Logs: Hourly (or continuous)

Retention: 30+ days

Application Servers

Lang: text
Critical:
- Application data
- Configuration files
- Databases
- IIS config (if applicable)

Schedule: Daily
Retention: Based on RPO

Workstations

Approach 1: Folder Redirection + Roaming Profiles

  • User data stored on file server
  • File server backed up
  • Workstation backup optional

Approach 2: Cloud Sync

  • OneDrive, Google Drive, Dropbox
  • Data automatically backed up to cloud
  • Workstation backup minimal

Approach 3: Endpoint Backup

  • Backup critical folders only
  • Document folders, desktop, etc.
  • Image-based backup for special users

Recommendation: Combination

  • Folder redirection for most users
  • Cloud backup for executives/mobile users
  • Image backup for specialized workstations

Backup Retention

Standard Retention Policy

Lang: text
Daily backups: 7 days
Weekly backups: 4 weeks
Monthly backups: 12 months
Yearly backups: 7 years (compliance dependent)

GFS (Grandfather-Father-Son)

Lang: text
Son (Daily): Keep 1 week
Father (Weekly): Keep 1 month (4 weeks)
Grandfather (Monthly): Keep 1 year (12 months)

Optionally:
Great-Grandfather (Yearly): Keep 7+ years

Example Schedule:

  • Monday-Saturday: Daily (Son) - Keep 7 days
  • Sunday: Weekly (Father) - Keep 4 weeks
  • Last Sunday of month: Monthly (Grandfather) - Keep 12 months
  • Last Sunday of December: Yearly - Keep indefinitely
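
The example schedule above can be turned into a pruning decision. This added sketch (not from the original guide) classifies each backup date into a GFS tier and splits a constructed year of daily backups into keep and delete lists; treating 4 weeks as 28 days and 12 months as 365 days is an assumption, as are the function names.

```python
from datetime import date, timedelta

# Retention per tier in days, from the example schedule; None = keep indefinitely.
# Assumption: 4 weeks = 28 days, 12 months = 365 days.
KEEP_DAYS = {"son": 7, "father": 28, "grandfather": 365, "yearly": None}

def gfs_tier(day):
    """Classify a backup date using the example schedule."""
    if day.weekday() != 6:                       # Monday-Saturday
        return "son"
    is_last_sunday = (day + timedelta(days=7)).month != day.month
    if not is_last_sunday:
        return "father"
    return "yearly" if day.month == 12 else "grandfather"

def prune(backup_days, today):
    """Split backup dates into (keep, delete) lists under the GFS policy."""
    keep, delete = [], []
    for day in sorted(backup_days):
        limit = KEEP_DAYS[gfs_tier(day)]
        expired = limit is not None and (today - day).days >= limit
        (delete if expired else keep).append(day)
    return keep, delete

# Constructed sample: one backup per day from 2023-11-01 to 2024-11-10.
SAMPLE = [date(2023, 11, 1) + timedelta(days=i) for i in range(376)]

if __name__ == "__main__":
    keep, delete = prune(SAMPLE, today=date(2024, 11, 10))
    for day in keep:
        print(day, day.strftime("%a"), gfs_tier(day))
    # Deletion is destructive: review the list before acting on it.
    print(f"{len(delete)} restore points would be deleted")
```

Review the delete list before acting on it, since pruning is the one backup operation that cannot be undone.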

Compliance-Based Retention

  • HIPAA: 6 years minimum
  • SOX: 7 years for financial records
  • GDPR: Varies by data type
  • PCI DSS: 1 year minimum, 3 months immediately available

Check Your Requirements:

  • Industry regulations
  • Legal hold requirements
  • Company policy
  • Contractual obligations

Backup Windows

Scheduling Considerations

After-Hours Preferred

Lang: text
Start: 10 PM
Expected completion: 6 AM
Impact window: 8 hours

Workday Impact:

  • Slower file access during backup
  • Network utilization
  • Server performance impact

Best Practices:

  • Schedule during lowest activity period
  • Avoid business-critical hours
  • Account for backup duration trends
  • Allow buffer time before business hours

Backup Duration

Monitor Trends:

Lang: text
If backup duration is growing:
- Week 1: 4 hours
- Week 2: 4.5 hours
- Week 3: 5 hours
- Week 4: 5.5 hours

Action: Investigate data growth, adjust schedule

Too Long:

  • Change backup type (incremental vs differential)
  • Upgrade network
  • Add backup proxies/agents
  • Compress data
  • Deduplicate
  • Exclude non-critical data

Backup Technologies

Disk-Based Backup

Pros:

  • Fast backup and restore
  • Easy management
  • Incremental forever
  • Deduplication
  • Ransomware recovery (snapshots)

Cons:

  • More expensive than tape
  • Still vulnerable to local disaster
  • Ransomware can encrypt backups

Solutions:

  • Veeam Backup & Replication
  • Acronis Cyber Backup
  • Commvault
  • Veritas Backup Exec
  • Unitrends
  • Datto SIRIS

Cloud Backup

Pros:

  • Offsite by default
  • Scalable storage
  • No hardware to maintain
  • Geographic redundancy
  • Accessible anywhere

Cons:

  • Ongoing costs
  • Restore time (bandwidth)
  • Initial seed may require shipping
  • Dependency on internet

Solutions:

  • Backblaze B2
  • Wasabi
  • AWS S3 / Glacier
  • Azure Backup
  • Datto Cloud
  • Veeam Cloud Connect
  • Acronis Cloud

Tape Backup

Pros:

  • Low cost per GB
  • Long-term archival
  • True air-gap (ransomware protection)
  • Proven technology

Cons:

  • Slow restore
  • Manual rotation required
  • Tape drive maintenance
  • Less common now

Use Cases:

  • Long-term archival
  • Compliance (7+ year retention)
  • Air-gap requirement
  • Cost-sensitive large datasets

Hybrid Approach

Recommended: Combination

Lang: text
Primary: Disk-based backup (fast restore)
Secondary: Cloud backup (offsite)
Tertiary: Tape (long-term, air-gap)

Example:
- Daily to local disk (Veeam)
- Copy to cloud (after local completes)
- Monthly to tape (compliance)

Application-Aware Backups

SQL Server

VSS-Based Backup:

Lang: powershell
# Proper SQL backup truncates logs
# Image backup without app-awareness leaves logs growing

# Veeam/Acronis: Enable application-aware processing
# Check: Transaction Log Backup option

Native SQL Backup:

Lang: sql
-- Full backup
BACKUP DATABASE [DatabaseName]
TO DISK = 'D:\Backups\DatabaseName_Full.bak'
WITH INIT, COMPRESSION;

-- Differential
BACKUP DATABASE [DatabaseName]
TO DISK = 'D:\Backups\DatabaseName_Diff.bak'
WITH DIFFERENTIAL, INIT, COMPRESSION;

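-- Transaction log
-- Write each run to a uniquely named file: WITH INIT overwrites the target,
-- and a restore needs every log backup in sequence.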
BACKUP LOG [DatabaseName]
TO DISK = 'D:\Backups\DatabaseName_Log.trn'
WITH INIT, COMPRESSION;

Best Practice: Combine both

  • Image-based backup of entire VM (disaster recovery)
  • Native SQL backups (granular recovery, log shipping)

Exchange Server

Application-Aware:

  • Truncates transaction logs
  • Allows granular mailbox recovery
  • Maintains database integrity

Image-Only (Bad):

  • Transaction logs grow continuously
  • No granular recovery
  • Database may be in inconsistent state

Solutions:

  • Veeam Backup for Microsoft 365
  • Altaro Office 365 Backup
  • Native Exchange backup API

Active Directory

System State Backup:

Lang: powershell
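# Using Windows Server Backup
# -backupTarget takes a volume (drive letter), not a folder path;
# the backup is written under WindowsImageBackup on that volume
wbadmin start systemstatebackup -backupTarget:D: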

# Backup should be on every DC
# Retention: 180 days minimum (tombstone lifetime)

What’s Included:

  • AD database (ntds.dit)
  • SYSVOL
  • Registry
  • System files
  • Boot files

VMware/Hyper-V

Agent-Based vs Agentless:

Agentless (Preferred):

  • Backup at hypervisor level
  • No agent in each VM
  • Uses VSS for application consistency
  • Changed block tracking (faster incrementals)

Agent-Based:

  • Agent in each VM
  • More granular control
  • Required for physical servers

Testing Restores

Why Test

Backup without tested restore is not a backup

Statistics:

  • 34% of companies never test backups
  • 77% of companies have had restore failures
  • Average restore test success rate: 86%

Your goal: 100% confidence

What to Test

Monthly:

Lang: text
- [ ] Random file restore
- [ ] Complete folder restore
- [ ] Mailbox item recovery
- [ ] Database recovery to test server

Quarterly:

Lang: text
- [ ] Full server restore to test environment
- [ ] Bare metal restore to dissimilar hardware
- [ ] Disaster recovery scenario

Annually:

Lang: text
- [ ] Full DR exercise (entire infrastructure)
- [ ] Restore from offsite location
- [ ] Restore from tape (if applicable)
- [ ] Third-party verification

Testing Procedure

File Restore Test:

Lang: text
1. Select random date from retention
2. Choose random file
3. Attempt restore
4. Verify file integrity
5. Document time to restore
6. Document any issues

Server Restore Test:

Lang: text
1. Select production server
2. Restore to isolated network/test environment
3. Verify services start
4. Test application functionality
5. Document restore duration
6. Document any issues encountered

DR Scenario Test:

Lang: text
1. Simulate total facility loss
2. Restore critical infrastructure:
   - Domain controllers
   - File servers
   - Email
   - Line of business apps
3. Verify inter-dependencies
4. Test user access
5. Document RTO (Recovery Time Objective)
6. Update DR documentation

Ransomware Protection

Immutable Backups

What: Backups that cannot be modified or deleted

Methods:

  • Object lock (S3, Wasabi)
  • Write Once Read Many (WORM) storage
  • Air-gapped backups
  • Offline backups (tape, rotated disk)

Configuration Example (Veeam):

Lang: text
1. Create backup job
2. Copy job to hardened repository
3. Enable immutability:
   - Period: 14-30 days
   - Cannot be deleted or modified
4. Store credentials separately

Separate Credentials

Bad: Backup admin = Domain admin

  • Result: Ransomware can access backups

Good: Separate account

  • Different username/password
  • Not domain admin
  • Stored in password manager
  • Used only for backup recovery

3-2-1-1-0 Implementation

Lang: text
3 Copies:
- Production
- Local backup (Veeam to NAS)
- Cloud backup (AWS S3)

2 Media:
- Disk (NAS)
- Cloud (S3)

1 Offsite:
- Cloud backup

1 Offline/Immutable:
- S3 with object lock enabled
- 30-day immutability period

0 Errors:
- Monthly restore tests
- Automated backup verification
- Email reports reviewed daily

Backup Monitoring

What to Monitor

Daily Checks:

Lang: text
- [ ] Backup job completion status
- [ ] Failed jobs (investigate immediately)
- [ ] Warnings (investigate within 24 hours)
- [ ] Backup duration trends
- [ ] Storage capacity

Weekly Checks:

Lang: text
- [ ] Restore test results
- [ ] Backup size trends
- [ ] Deduplication ratio
- [ ] Cloud upload completion
- [ ] Tape rotation status (if applicable)

Monthly Checks:

Lang: text
- [ ] Full restore test
- [ ] Capacity planning
- [ ] Retention policy compliance
- [ ] Offsite storage verification

Alerting

Critical Alerts (Immediate):

  • Backup job failed
  • No successful backup in 24 hours
  • Backup storage capacity <10%
  • Immutable backup tampering detected

Warning Alerts (Next business day):

  • Backup completed with warnings
  • Backup duration increased >20%
  • Restore test failed
  • Backup size increased significantly

Information (Log only):

  • Backup completed successfully
  • Restore test passed
  • Retention cleanup completed
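
The alert tiers above map directly onto a check over job history. This added example (not from the original guide) classifies a constructed set of job records; the field names, the reading of "capacity <10%" as free space remaining, and counting a run that completed with warnings as a completed backup are assumptions.

```python
from datetime import datetime, timedelta

NOW = datetime(2024, 11, 5, 7, 0)

def job(system, status, hours_ago, minutes, baseline):
    """Constructed job record; `baseline` is the usual duration in minutes."""
    return {"system": system, "status": status, "minutes": minutes,
            "baseline": baseline, "ended": NOW - timedelta(hours=hours_ago)}

# Constructed sample history.
JOBS = [
    job("DC01", "success", 8, 45, 44),
    job("FILE01", "warning", 7, 20, 20),
    job("SQL01", "success", 6, 50, 35),     # 43% slower than usual
    job("APP01", "success", 30, 30, 30),    # last night's run never started
    job("EXCH01", "failed", 5, 3, 60),
]

def classify(jobs, now, repo_free_pct):
    """Return (severity, system, reason) tuples following the tiers above."""
    alerts = []
    if repo_free_pct < 10:
        alerts.append(("critical", "repository", f"free capacity {repo_free_pct}%"))
    for system in sorted({j["system"] for j in jobs}):
        runs = sorted((j for j in jobs if j["system"] == system),
                      key=lambda j: j["ended"])
        last = runs[-1]
        good = [j for j in runs if j["status"] != "failed"]
        if last["status"] == "failed":
            alerts.append(("critical", system, "last job failed"))
        # Catches jobs that silently stopped running, not only ones that failed.
        if not good or now - good[-1]["ended"] > timedelta(hours=24):
            alerts.append(("critical", system, "no successful backup in 24 hours"))
        if last["status"] == "warning":
            alerts.append(("warning", system, "completed with warnings"))
        if last["status"] != "failed" and last["minutes"] > 1.2 * last["baseline"]:
            alerts.append(("warning", system, "duration increased >20%"))
    return alerts

if __name__ == "__main__":
    for severity, system, reason in classify(JOBS, NOW, repo_free_pct=58):
        print(f"{severity.upper():8} {system:10} {reason}")
```

APP01 raises a critical alert even though none of its jobs failed, which is the case a report listing only failed jobs would miss.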

Automated Reporting

Daily Email:

Lang: text
Subject: Backup Status - $(Get-Date -Format "yyyy-MM-dd")

SUMMARY:
- Jobs completed: 15/15
- Jobs with warnings: 0
- Jobs failed: 0

DETAILS:
✓ DC01 - Full - 45 minutes - 250 GB
✓ FILE01 - Incremental - 20 minutes - 50 GB
✓ SQL01 - Diff - 35 minutes - 120 GB
...

CAPACITY:
- Backup repository: 4.2 TB / 10 TB (42%)
- Cloud storage: 2.1 TB

ACTIONS REQUIRED:
None

Backup Documentation

Disaster Recovery Plan

Document Should Include:

Lang: text
1. Emergency contacts
2. Backup infrastructure details
3. Recovery procedures by scenario
4. Critical system restore order
5. RTO/RPO for each system
6. Testing schedule and results
7. Vendor contact information
8. Backup credentials location

Recovery Procedures

For Each System:

Lang: text
System: FILE01 - File Server

RPO: 24 hours (daily backup)
RTO: 4 hours

Restore Procedure:
1. Boot from Veeam recovery media
2. Select backup: FILE01-Daily-[Most Recent]
3. Choose restore to original location
4. Estimated time: 2 hours
5. Verify shares accessible
6. Test DFS replication
7. Notify users when complete

Dependencies:
- Domain controller must be online
- Network infrastructure operational
- DNS functioning

Critical shares:
- \\FILE01\Users (Redirected folders)
- \\FILE01\Shared (Department data)
- \\FILE01\Home (Home directories)

Change Log

Track Changes:

Lang: text
Date: 2024-11-05
Change: Extended retention from 30 to 90 days
Reason: New compliance requirement
Approved by: IT Director
Impact: Increased storage utilization

Backup Checklist

Initial Setup:

  • Identify all systems requiring backup
  • Define RPO/RTO for each system
  • Choose backup solution
  • Configure backup jobs
  • Set up offsite/cloud replication
  • Enable immutability/air-gap
  • Configure monitoring and alerts
  • Document procedures
  • Test restores
  • Train staff

Daily:

  • Review backup reports
  • Investigate failures immediately
  • Check storage capacity
  • Verify cloud uploads

Weekly:

  • Perform random restore test
  • Review backup trends
  • Check tape rotation (if applicable)

Monthly:

  • Full server restore test
  • Review and update documentation
  • Capacity planning review
  • Audit backup coverage

Quarterly:

  • DR scenario test
  • Review retention policy
  • Audit backup credentials
  • Review costs and optimization

Annually:

  • Full DR exercise
  • Third-party audit
  • Update DR documentation
  • Review backup solution adequacy

Common Mistakes

No Offsite Copy

  • Fire/disaster destroys production AND backups
  • Always have offsite/cloud copy

Never Test Restores

  • Discover backups don’t work during emergency
  • Test monthly minimum

Backup = Domain Admin

  • Ransomware encrypts backups
  • Separate credentials, separate network

No Application Awareness

  • SQL logs grow forever
  • Exchange logs fill disk
  • Enable app-aware processing

Ignore Warnings

  • Warning today = failure tomorrow
  • Investigate all warnings

No Monitoring

  • Backup failing for weeks unnoticed
  • Daily email reports minimum

Same Credentials Everywhere

  • Compromise spreads to backups
  • Unique credentials for backup system

No Immutability

  • Ransomware deletes backups
  • Enable object lock / WORM

Costs and ROI

Budget Considerations

Backup Costs:

  • Software licensing
  • Storage hardware
  • Cloud storage (monthly)
  • Bandwidth (cloud uploads)
  • Staff time
  • Testing/DR exercises

Cost vs Risk:

Lang: text
Example:
- Backup solution: $10,000/year
- Downtime cost: $50,000/day
- Backup pays for itself after preventing 5 hours of downtime

ROI Calculation:

Lang: text
Average ransomware recovery cost: $1.85 million
Average downtime: 21 days

Your backup investment: $15,000/year

ROI if it prevents a single ransomware incident:
($1,850,000 - $15,000) / $15,000 = 12,233% ROI

Optimization

Reduce Costs:

  • Deduplication
  • Compression
  • Intelligent retention
  • Archive old data to cheaper storage
  • Exclude non-essential data
  • Optimize backup windows

Don’t Cut:

  • Offsite copies
  • Restore testing
  • Monitoring
  • Immutable storage