Windows Server 2012 R2 provides separate processes for system state and full server recovery and the recovery of individual volumes and files and folders. You can use the Recovery Wizard in Windows Server Backup to recover nonsystem volumes and files and folders from a backup. Before you begin, you should be sure that the computer you are recovering files to is running Windows Server 2012 R2. If you want to recover individual files and folders, you should be sure that at least one backup exists on an internal or external disk or in a remote shared folder. You cannot recover files and folders from backups saved to DVDs or removable media.
With this in mind, you can recover nonsystem volumes, files and folders, or application data by following these steps:
1. Start Windows Server Backup. In the Actions pane or on the Action menu, tap or click Recover to start the Recovery Wizard.
2. On the Getting Started page, specify whether you will recover data from the local computer or from another location, and then tap or click Next.
3. If you are recovering data from another location, specify whether the backup you want to restore is on a local drive or in a remote shared folder, tap or click Next, and then specify location-specific settings. When you are recovering from a local drive, on the Select Backup Location page, select the location of the backup from the drop-down list. When you are recovering from a remote shared folder, on the Specify Remote Folder page, enter the path to the folder that contains the backup. In the remote folder, the backup should be stored at \\BackupServer\WindowsImageBackup\ComputerName.
4. If you are recovering from another location, on the Select Server page, select which server’s data you would like to recover. Tap or click Next.
5. On the Select Backup Date page, select the date and time of the backup you want to restore by using the calendar and the time list. Backups are available for dates shown in bold. Tap or click Next.
6. On the Select Recovery Type page, do one of the following:
■ To restore individual files and folders, tap or click Files And Folders, and then tap or click Next. On the Select Items To Recover page, under Available Items, tap or click the plus sign (+) to expand the list until the folder you want is visible. Tap or click a folder to display the contents of the folder in the adjacent pane, tap or click each item you want to restore, and then tap or click Next.
■ To restore noncritical, nonoperating system volumes, tap or click Volumes, and then tap or click Next. On the Select Volumes page, you’ll find a list of source and destination volumes. Select the check boxes associated with the source volumes you want to recover, and then select the location to which you want to recover the volumes by using the Destination Volume lists. Tap or click Next. If prompted to confirm the recovery operation, tap or click Yes. Skip steps 7 and 8.
■ To restore application data, tap or click Applications, and then tap or click Next. On the Select Application page, under Applications, tap or click the application you want to recover. If the backup you are using is the most recent, you might encounter a check box labeled Do Not Perform A Roll-Forward Recovery Of The Application Databases. Select this check box if you want to prevent Windows Server Backup from rolling forward the application database that is currently on your server. Tap or click Next. Because any data on the destination volume will be lost when you perform the recovery, make sure that the destination volume is empty or does not contain information you will need later.
7. Next, you can specify whether you want to restore data to its original location (nonsystem files only) or an alternate location. For an alternate location, enter the path to the restore location or tap or click Browse to select it. With applications, you can copy application data to an alternate location. You cannot, however, recover applications to a different location or computer.
8. For file and folder recovery, choose a recovery technique to apply when files and folders already exist in the recovery location. You can create copies so that you have both versions of the file or folder, overwrite existing files with recovered files, or skip duplicate files and folders to preserve existing files. You also can restore the original security permissions to files and folders being recovered.
9. On the Confirmation page, review the details, and then tap or click Recover to restore the specified items.
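The same file-and-folder recovery can be run from an elevated PowerShell prompt with the wbadmin command-line tool. The following is an added example, not a procedure from this chapter; the share, computer name, and folder paths are hypothetical placeholders, and the version parsing assumes English-language wbadmin output.

```powershell
# Added example: file/folder recovery from a remote backup with wbadmin.
# All four values below are hypothetical placeholders; replace them.
$BackupTarget = '\\BackupServer\Backups'   # share that holds WindowsImageBackup\<ComputerName>
$Machine      = 'FILESERVER01'             # computer whose backup is being restored
$Item         = 'D:\Data\Finance'          # folder to recover from the backup
$RestoreTo    = 'E:\Restore\Finance'       # alternate location (wizard step 7)

# Wizard steps 3-5: list the backups available for that computer.
$listing = & wbadmin.exe get versions "-backupTarget:$BackupTarget" "-machine:$Machine"
if ($LASTEXITCODE -ne 0) { throw "wbadmin get versions failed with exit code $LASTEXITCODE" }

# Version identifiers look like MM/DD/YYYY-HH:MM. Matching on the label
# "Version identifier:" assumes English-language output.
$culture  = [Globalization.CultureInfo]::InvariantCulture
$versions = $listing |
    Select-String -Pattern 'Version identifier:\s*(\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Sort-Object { [datetime]::ParseExact($_, 'MM/dd/yyyy-HH:mm', $culture) }
if (-not $versions) { throw "No backups found for $Machine on $BackupTarget" }
$version = @($versions)[-1]                # most recent backup
Write-Host "Recovering from backup version $version"

# Wizard steps 6-8: item type, destination, and handling of existing files.
# -overwrite accepts Overwrite, CreateCopy, or Skip. Original ACLs are restored
# unless -notRestoreAcl is added. -quiet is omitted so wbadmin asks for
# confirmation, which corresponds to the wizard's Confirmation page.
$recoverArgs = @(
    'start', 'recovery',
    "-version:$version",
    '-itemType:File',
    "-items:$Item",
    '-recursive',
    "-backupTarget:$BackupTarget",
    "-machine:$Machine",
    "-recoveryTarget:$RestoreTo",
    '-overwrite:CreateCopy'
)
& wbadmin.exe @recoverArgs
if ($LASTEXITCODE -ne 0) { throw "wbadmin start recovery failed with exit code $LASTEXITCODE" }
```

Restoring to an alternate location with CreateCopy leaves the current files untouched, so the recovered data can be compared with what is on disk before anything is replaced.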
Managing encryption recovery policy
If you’re an administrator for an organization that uses the Encrypting File System (EFS), your disaster-recovery planning must include additional procedures and preparations. You need to consider how to handle issues related to personal encryption certificates, EFS recovery agents, and EFS recovery policy. These issues are discussed in the sections that follow.
Understanding encryption certificates and recovery policy
File encryption is supported on a per-folder or per-file basis. Any file placed in a folder marked for encryption is automatically encrypted. Files in encrypted format can be read only by the person who encrypted the file. Before other users can read an encrypted file, the user must decrypt the file.
Every file that’s encrypted has a unique encryption key. This means that encrypted files can be copied, moved, and renamed just like any other file, and in most cases these actions don’t affect the encryption of the data. The user who encrypted the file always has access to the file if the user’s private key is available in the user’s profile on the computer or the user has credential roaming with Digital Identification Management Service (DIMS). For this user, the encryption and decryption process is handled automatically and is transparent.
EFS is the process that handles encryption and decryption. The default setup for EFS makes it possible for users to encrypt files without needing special permission. Files are encrypted by using a public/private key pair that EFS generates automatically on a per-user basis. By default, Windows uses the Advanced Encryption Standard (AES) algorithm for encrypting files with EFS. Internet Information Services 7 and later can use an AES provider for encrypting passwords by default.
Encryption certificates are stored as part of the data in user profiles. If a user works with multiple computers and wants to use encryption, an administrator needs to configure a roaming profile for that user. A roaming profile ensures that the user’s profile data and public-key certificates are accessible from other computers. Without this, users won’t be able to access their encrypted files on another computer.
TIP An alternative to a roaming profile is to copy the user’s encryption certificate to the computers the user uses. You can do this by using the certificate backup and restore process discussed in “Backing up and restoring encrypted data and certificates” later in this chapter. Just back up the certificate on the user’s original computer, and then restore the certificate on each of the other computers the user logs on to.
EFS has a built-in data-recovery system to guard against data loss. This recovery system ensures that encrypted data can be recovered if a user’s public-key certificate is lost or deleted. The most common scenario in which this occurs is when a user leaves the company and the associated user account is deleted. Although a manager might have been able to log on to the user’s account, check files, and save important files to other folders, encrypted files will be accessible afterward only if the encryption is removed by the manager acting as the user who encrypted the files or if, while logged on as the user, the manager moves the files to a FAT or FAT32 volume (where encryption isn’t supported).
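Before a departing user’s account is deleted, it helps to know which of that user’s files are encrypted and whether a recovery certificate is attached to each one. The following PowerShell inventory is an added example, not part of this chapter; the folder and report paths are hypothetical, and the check for missing recovery certificates assumes English-language cipher output.

```powershell
# Added example: inventory EFS-encrypted files under a folder so they can be
# decrypted or made recoverable before the owning account is deleted.
$Root   = 'D:\Users\departing.user'      # hypothetical folder to audit
$Report = 'C:\Temp\efs-inventory.csv'    # hypothetical report path

# NTFS marks EFS-protected files with the Encrypted attribute.
$encrypted = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }

$rows = foreach ($file in $encrypted) {
    # cipher /c lists the users who can decrypt the file and any
    # recovery certificates stored with it.
    $detail = (& cipher.exe /c $file.FullName 2>&1 | Out-String).Trim()
    [pscustomobject]@{
        Path           = $file.FullName
        LastWriteTime  = $file.LastWriteTime
        # Assumption: wording of English-language cipher output.
        NoRecoveryCert = $detail -match 'No recovery certificate found'
        CipherDetail   = $detail
    }
}

if ($rows) {
    $rows | Export-Csv -LiteralPath $Report -NoTypeInformation
    Write-Host "$(@($rows).Count) encrypted file(s) recorded in $Report"
    # Files listed here become unreadable if the user's private key is lost.
    $rows | Where-Object { $_.NoRecoveryCert } | Select-Object Path, LastWriteTime
} else {
    Write-Host "No EFS-encrypted files found under $Root"
}
```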