Transcription

Disaster&Recovery&of&File&Servers&&&July&2015&

aster&Recovery&of&File&Servers&June&2015& 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.Notices&&This document is provided for informational purposes only. It represents AWS’scurrent product offerings and practices as of the date of issue of this document,which are subject to change without notice. Customers are responsible formaking their own independent assessment of the information in this documentand any use of AWS’s products or services, each of which is provided “as is”without warranty of any kind, whether express or implied. This document doesnot create any warranties, representations, contractual commitments, conditionsor assurances from AWS, its affiliates, suppliers or licensors. The responsibilitiesand liabilities of AWS to its customers are controlled by AWS agreements, andthis document is not part of, nor does it modify, any agreement between AWSand its customers.Page&2&of&22&&

Page&3&of&22&Abstract4!Introduction4!Planning the Deployment5!Identify the Requirements5!Distributed File System tion8!Step 1: Connect Corporate Networks8!Step 2: Extend Directory Services9!Step 3: Provision a Windows File Server10!Step 4: Establish Replication Using DFSR12!Step 5: Implement a DFS Namespace15!Step 6: Configure Backups16!Step 7: Test cument Revisions19!Appendix A: IAM Policy for Amazon EBS Snapshots20!Appendix B: SSM Configuration Document21!&

Businesses of all sizes maintain file server infrastructure for storage and sharingof corporate documents. Although many businesses have recovery plans in place,they are often rarely tested or rely on traditional backup solutions that may notalways meet the recovery time objectives (RTO) or recovery point objectives(RTO), particularly for large file servers.This paper describes a step-by-step approach to implementing a proven and costeffective disaster recovery solution for Windows-based file servers that canminimize data loss and provide fast, automatic recovery of file services runningon the AWS cloud.Introduction&Businesses are using the AWS cloud to enable faster recovery of their critical ITsystems without incurring the expense or operational overhead of a secondphysical site.AWS offers a highly flexible platform, where resources like corporate file serverscan be provisioned on demand, on a pay-as-you-go basis, and scaled to meet theneeds of businesses over time.For businesses that do not have a disaster recovery strategy in place or havefound disaster recovery to be cost-prohibitive, AWS is a cost-effective, simple,and flexible solution.For business that already have disaster recovery facilities and strategies in place,AWS can lower your costs; improve recovery time through scripting, automationand managed service offerings; and, by providing access to more than ten AWSregions, add geographic redundancy for your systems and data.Page&4&of&22&&

the&Deployment&This section describes requirements, dependencies, and design and Here are some things to consider before you start the implementation: & RPO and RTO – This architecture implements asynchronous or nearreal-time data replication and fast failover (generally 90 seconds) usingMicrosoft DFS Namespaces. If you require zero data loss or instantfailover, then you may need to consider other options. & Data staging – The size of your file server data, your available networkbandwidth, and your timeframe will determine whether you need to eitherstage (pre-seed) most of the data on physical media and ship it to AWSusing AWS Import/Export or stage the data across the network using acopy operation. 1You can use the formula below to guide you:o& Where,&&c& &estimated&convergence&time&(hours),&&a& &total&data&size&(GB),&&b& 60%&efficiency&ED FG 0.6&80003600If convergence time is greater than three days, then you may want toconsider using AWS Import/Export to ship your data on physical harddrive ibuted File System Replication (DFSR) is a Microsoft multi-master filereplication engine designed to keep files synchronized across servers. DFSR usesPage&5&of&22&&

aster&Recovery&of&File&Servers&June&2015&RPC to communicate; it implements Remote Differential Compression (RDC) toefficiently update files over limited bandwidth networks.A DFS namespace provides a virtual or abstracted view of files and folders hostedon multiple servers for improving availability and performance.Both DFSR and DFS Namespaces will be used in this paper.Microsoft Windows Server 2012 R2 introduces two major feature enhancementsto DFSR: & Database cloning to improve initial sync performance. & Cross-file RDC to improve WAN data transfer performance.Dependencies&In addition to the following technical requirements, you should also have someexperience with Windows PowerShell, AWS Identity and Access Management(IAM), Amazon Elastic Compute Cloud (Amazon EC2), and Amazon VirtualPrivate Cloud (Amazon VPC).Technical&Requirements& & File servers running Windows Server 2012 R2. & An Active Directory domain with at least one domain controller. & Active Directory schema updated to Windows Server 2008 R2 or later.Note&If your file servers are running Windows Server 2008 R2, you can do asimple in-place upgrade to Windows Server 2012 R2.Limitations&DFS Replication has been tested to support volumes up to 100 TB and 70 millionfiles 2.Amazon Elastic Block Store (Amazon EBS) supports up to 16 TB volumes. If yourdataset is larger than 16 TB, then you can either partition the data into individualvolumes (recommended) or create one contiguous volume using a software-basedPage&6&of&22&&

aster&Recovery&of&File&Servers&June&2015&RAID stripe across several Amazon EBS volumes. If you choose the secondoption, Amazon EBS snapshots should not be used for backups.Page&7&of&22&&

ation&The following diagram shows the proposed architecture:&This section describes the implementation steps. You will start by establishingnetwork and directory services connectivity; then launch and configure a fileserver instance; then configure the file server instance for DFSR; and then finallyset up a DFS namespace for automatic failover.Step&1:&Connect&Corporate&Networks&&&AWS provides two options for seamlessly, reliably, and securely extending youron-premises, private networking environments into the cloud. & Site-to-site VPN: encrypted VPN tunnels across the Internet. & AWS Direct Connect: private connectivity over a fixed or leased line.For an outline of the concepts and implementation requirements for each, see theAWS VPC Connectivity Options 3 white paper.Page&8&of&22&&

aster&Recovery&of&File&Servers&June&2015&VPC subnet network ACLs and on-premises firewalls must be configured toenable communication between the on-premises servers (including ActiveDirectory and file servers) and AWS instances. The following ports must 5535&Step&2:&Extend&Directory&Services&&This step is optional, but recommended.AWS Directory Service is a fully managed domain controller-compatible service.You can use the AD Connector feature in AWS Directory Service to simply,securely, and easily enable administrative single sign-on (SSO) to the AWSManagement Console and automatically join an Amazon EC2 for Windowsinstance to your on-premises Active Directory Domain Services (AD DS)environment. & Set up the AWS Directory Service AD Connector 4 feature.Note AD Connector does not replicate any of your directory data. Instead, it actsas a proxy to directory requests such as authentications, domain joins, anddirectory lookups to your on-premises directory. AD Connector cannot be used asa disaster recovery solution for Active Directory environments.Page&9&of&22&&

aster&Recovery&of&File&Servers&June&2015&If you are unable to use the AWS Directory Service, or if you would like to haveyour Active Directory domain replicated and available on AWS for disasterrecovery purposes, see the Implement Active Directory Domain Services in theAWS Cloud 5 white paper.Step&3:&Provision&a&Windows&File&Server&In this step, you will use IAM, Amazon EC2, and Amazon EC2 Simple SystemsManager (SSM) to configure your Windows file server instance.1.& Follow the steps in the Amazon EC2 User Guide 6 to create an IAM roleand associate a trust policy with the role. Use the AmazonEC2RoleForSSMtemplate.2.& Select a region and launch a new Amazon EC2 instance for your file server.a.& For Instance type, see the following ume&3&IOPS&/&GB&30&IOPS&/&GB&(3,000&Burst& &1TB)&&b.& For Domain Join Directory, choose your directory, or skip thisstep.c.& For IAM Role, choose the role you created in step 1.d.& For Network and Subnet, specify your VPC and subnet.Page&10&of&22&&

aster&Recovery&of&File&Servers&June&2015&e.& For Advanced Details – User Data, copy and paste thefollowing code to install the File Services role onto the instance andenable deduplication. powershell # Install Roles and FeaturesAdd-WindowsFeature File-Services –IncludeManagementToolsAdd-WindowsFeature Fs-Dfs-Namespace, Fs-Dfs-Replication,Rsat-Dfs-Mgmt-Con, Fs-Data-Deduplication# Enable De-duplicationGet-Volume Where-Object { .DriveLetter –ne “ 0” –And .DriveLetter –ne “C” } Enable-DedupVolume /powershell f.& For EBS Storage, using the preceding table for reference, createan additional Amazon EBS volume. For more information, see theLimitations section of this white paper.g.& For EBS Encryption, choose enabled. (Recommended)h.& Security Group Settings: Configure the following ports forinbound 89&3389&&5985&49152T65535&49152T65535&Note For SSM to function and to join the domain, the instance must haveInternet access.Page&11&of&22&&

aster&Recovery&of&File&Servers&June&2015&3.& Wait approximately 10 minutes for the instance to be launched andconfigured. Remote Desktop Protocol (RDP) access will be blocked untilconfiguration is complete.4.& Log in to the instance and confirm:a.& The instance is joined to your Active Directory domain.b.& The Windows File Services and DFS features have been installed.c.& Data volumes have been mounted and formatted.d.& Deduplication has been configured.5.& On the EC2Config Service Settings dialog box, select the AmazonCloudWatch Logs integration check box.Next, set up basic Window event log and performance counter monitoring usingCloudWatch logs and Amazon EC2 SSM.6.& In the AWS Management Console, open CloudWatch and create a newCloudWatch log group. You will use this log group later.7.& Follow the steps in Sending Performance Counters to CloudWatch andLogs to CloudWatch Logs 7.a.& For a sample Amazon EC2 SSM configuration document, seeAppendix B.Step&4:&Establish&Replication&Using&DFSR&Now you will use Windows PowerShell to create a DFSR group on the primaryfile server.Before you begin, be sure you have values for each of the properties in thefollowing table because they will be used in the scripts Folder&Name& Folder &Logical&folder&name&CorporateShare* SourceHost &Host&name&&FS1*File&Server&Destination& DestHost &Host&name&FS2*Content&Path&(Source)& ContentPath urce&Page&12&of&22&&

on&Example&June&2015&Database&Clone&Path&(Source)& ClonePath ne&Database&Clone&Drive&(Source)& CloneDrive &Volume&where&database&will&reside&(above)&&D:& DestContentPath &media&\\FS2\D WS&Import/Export)& DestClonePath ver&or&physical&media&\\FS2\D Path&(Destination)&SMB&Share& ShareName Import/Export)&DFS&Root&Name& DFSRootName &DFS&Share&Name&E.g.&Corporate&DFS&Share&Name& DFSShareName &DFS&Share&Name&E.g.&Corporate& DCHostName ler&Host&1.& Log in to the primary file server.2.& Create and configure the replication group.New-DfsReplicationGroup -GroupName “RG1"New-DfsReplicatedFolder -GroupName “RG1" -FolderName Folder Add-DfsrMember -GroupName "RG1" -ComputerName SourceHost Set-DfsrMembership -GroupName "RG1" -FolderName Folder -ContentPath ContentPath -ComputerName SourceHost -PrimaryMember TrueUpdate-DfsrConfigurationFromAD –ComputerName SourceHost 3.& Wait for DFS Replication event ID 4112, which confirms that the serviceinitialized the replicated folder.Get-WinEvent “Dfs replication” -MaxEvents 10 flPage&13&of&22&&

aster&Recovery&of&File&Servers&June&2015&Use DFSR database cloning to speed up the initial sync process.4.& Clone and export the DFSR database.New-Item -Path " ClonePath " -Type DirectoryExport-DfsrClone -Volume CloneDrive -Path " ClonePath "5.& Wait for DFS Replication event ID 2402, which indicates the exportprocess was completed successfully.6.& Now copy the files either directly across the network to the secondaryserver, or to a physical media device to be used by AWS Import/Export.Robocopy.exe “ ContentPath " “ DestContentPath " /E /B /COPYALL/R:6 /W:5 /MT:64 /XD DfsrPrivate /TEE /LOG :preseed.logRobocopy.exe “ ClonePath ” “ DestClonePath ” /B7.& If you are staging (pre-seeding) the files to physical media, follow the stepsin the AWS Import/Export Developer Guide 8 to ship the physical mediaand import data into an Amazon EBS snapshot.8.& (Optional) Verify the integrity of the data. Use the PowerShell GetDfsrFileHash command to compare the signatures on a sample of fileson each server.Now that the data has been staged on AWS, you will import the DFSR databaseand establish DFSR connections between the primary and secondary servers sothat any remaining files can be synchronized.9.& Log in to the secondary server running on AWS.10.&Import the DFSR database.Import-DfsrClone -Volume D: -Path " DestClonePath "Page&14&of&22&&

aster&Recovery&of&File&Servers&June&2015&11.&Check CloudWatch logs for event ID 2404 in the DFS Replication log. Thisindicates the clone was imported successfully.12.&Establish the connection between the primary and secondary servers.Add-DfsrMember -GroupName "RG1" -ComputerName " DestHost " SetDfsrMembership -FolderName “ Folder " ContentPath " DestContentPath "Add-DfsrConnection -GroupName "RG1" SourceComputerName " SourceHost " DestinationComputerName “ DestHost "Update-DfsrConfigurationFromAD SourceHost , DestHost New-SmbShare -Name ShareName -Path DestContentPath 13.&Monitor replication progress.# Unreplicated changes count(Get-DfsrBacklog -GroupName "RG1" -FolderName " Folder " SourceComputerName " SourceHost " -DestinationComputerName" DestHost " -Verbose 4 &1).Message.Split(':')[2]# Detailed reportGet-DfsrState –ComputerName “ DestHost ” Format-Table filename,updatestate,inbound,source* -auto -wrapStep&5:&Implement&a&DFS&Namespace&In this section, you will create a domain-based DFS namespace.1.& Create a share for the new DFS root on each domain controller, if required.New-Item -Path \\ DCHost\c \DFSRoots\ DFSRootName -typedirectory -ForceNew-SmbShare -Name DFSRootName -Path C:\DFSRoots\ DFSRootName -ReadAccess everyone -CimSession DCHost Page&15&of&22&&

aster&Recovery&of&File&Servers&June&2015&2.& Create the DFS namespace on the domain controllers. (Repeat for eachdomain controller.)New-DfsnRoot -TargetPath “\\ DCHost \ DFSRootName " -TypeDomainV2 -Path “\\corp.local\ DFSRootName ”3.& Finally, set the folder targets for the namespace, ensuring that the AWSfile server instance is set to the lowest priority class so that it is activatedonly if the primary file server fails.New-DfsnFolderTarget -Path“\\ Domain \ DFSRootName \ DFSShareName " -TargetPath"\\ SourceHost \ ShareName " -ReferralPriorityClass GlobalHighNew-DfsnFolderTarget -Path“\\ Domain \ DFSRootName \ DFSShareName " -TargetPath“\\ DestHost \ ShareName " -ReferralPriorityClass GlobalLowNote When you use PowerShell to manually create DFS folder targets, the DFSmanagement console will not update the replication group publication status orthe Folder Targets tab. If you would like these items to appear, then after youhave completed step 2, open the DFS console, publish the replication group toyour namespace, and set the referral ordering through the GUI.Step&6:&Configure&Backups&Point-in-time volume-based Amazon EBS snapshots can be used to quicklyrecover from Amazon EBS volume failures, data corruption, and the accidental ormalicious erasure of data.1.* Update the existing IAM role to include the appropriate permissions tocreate snapshots. For an example IAM policy, see Appendix A.2.& Use Task Manager or a similar tool to create a scheduled task that executesthe following PowerShell script. This script will automate the creation ofAmazon EBS snapshots for the instance on which it is running.Page&16&of&22&&

aster&Recovery&of&File&Servers&June&2015&The script will tag both the instance and the snapshots with metadata, suchas the original device name, owner, and backup time and date.# .NOTE Script excludes the boot volume# .NOTE Set the default region first, Set-DefaultAWSRegion awsregion myInstanceID ) volumes (Get-EC2Volume).Attachment where { .InstanceId -eq myInstanceID –and .Device –ne '/dev/sda1'} Select VolumeId, Deviceforeach ( volume in volumes){ dt (Get-Date).DateTime snapshot New-EC2Snapshot volume.VolumeId -Description ("[" myInstanceID "] backup at " dt)New-EC2Tag -Resource myInstanceID -Tag @{ Key "last-backup"; Value dt}New-EC2Tag -Resource snapshot.snapshotId -Tag @( @{ Key "backupdatetime"; Value dt }, @{ Key "owner"; Value myInstanceID}, @{ Key "fromdevice"; Value volume.Device})}Note Restoring snapshots of DFS replicated folders can cause DFS databasecorruption. To avoid this, create a new Amazon EBS volume from the snapshot,attach it to the instance, and then selectively copy the required files.For more information, see this Microsoft Support Article. 9Step&7:&Test&Failover/Failback&&&Now that your servers are configured, DFSR is functioning, and the namespace isactive, perform some basic failover testing.1.& Log in to a Windows client.2.& Create the following PowerShell script and save it as a .ps1 file. Thescript continuously performs a directory listing of your DFS share.while ( true) {Page&17&of&22&&

aster&Recovery&of&File&Servers&June&2015&ls \\ Domain \ DFSRootName \ DFSShareName select -last 3 format-table (Get-Date).DateTime, FullNamesleep 1}3.& Run the script.4.& Shut down the primary file server.5.& Observe the timing in the script to ensure the client successfullyreconnects and the directory listings continue (typically around 90seconds).6.& Test failback by turning on the primary server and shutting down thesecondary server running on AWS.&Alternatives&&Amazon WorkDocs 10 is an alternative to traditional workgroup or corporate fileservers. This fully managed, secure enterprise storage and sharing serviceprovides strong administrative controls and feedback capabilities to improve userproductivity. You can securely access files stored in Amazon WorkDocs frommobile and desktop devices using integrated single sign-on (SSO) to your existingActive Directory domain.Conclusion&File server disaster recovery environments can be built and run on AWS usingfamiliar tools like Microsoft DFS Replication. This paper has outlined the stepsand best practices for deploying a DFS-based solution while leveraging serviceslike AWS Directory Service and Amazon CloudWatch to simplify administrationand operations.Companies of all sizes can benefit from AWS security, automation, global datacenter footprint, and low cost of operating disaster recovery environments.Page&18&of&22&&

Revisions&June 2015 – Initial revision.Page&19&of&22&&

A:&IAM&Policy&for&Amazon&EBS&Snapshots&Here is an example IAM policy for Amazon EBS snapshots.{"Version": "2012-10-17","Statement": [{"Sid": "Stmt1426256275000","Effect": "Allow","Action": ource": ["*"]}]}Page&20&of&22&&

B:&SSM&Configuration&Document&&This snippet sample sends DFS Replication event logs and performance countersto CloudWatch Logs and CloudWatch, respectively. Replace NAME and UUID with your DFS replicated folder name and UUID.{"EngineConfiguration": {"PollInterval": "00:00:15","Components": [ {"Id": EC2.Windows.CloudWatch","Parameters": {"LogName": "DFS Replication","Levels": "7"}},{"Id": ","Parameters": {"CategoryName": "DFS Replicated Folders","CounterName": "Total Files Received","InstanceName": " NAME -{ UUID }","MetricName": "DFS-Files-Received","Unit": "Count","DimensionName": "","DimensionValue": ""}},], &Page&21&of&22&&

aster&Recovery&of&File&Servers&June&2015&Notes&DFS Replication: Frequently Asked Questions icrosoft.com/en-US/library/cc773238.aspx#BKMK 0073https://media.amazonwebservices.com/AWS Amazon VPC Connectivity rvice/latest/adminguide/setting menting Active Directory Domain Services in the AWS age&22&of&22&http://aws.amazon.com/workdocs/&

ter&Recovery&of&File&Servers& June&2015& Page&10&of&22& & If you are unable to use the AWS Directory Service, or if you would like to have your Active Directory domain replicated and available on AWS for disaster recovery purposes, see the Implement Active Directory Domain Services in the