Backup Windows Server 2012 R2 with Microsoft Azure Recovery Services

by [Published on 15 May 2014 / Last Updated on 15 May 2014]

A fundamental tenet of on-premises backups is to make sure they are stored off-site. After all, in the event of a disaster, it’s not really helpful if the backup media was destroyed because it was located in the same physical location where the disaster itself occurred.


Historically, on-premises backups have been performed using some type of physical media, such as data storage tapes. These tapes were then physically transported to an off-site storage facility. This method suffers from a few serious drawbacks, however. There is a period of time in which the backup tapes remain on site before being shipped off, which represents a potential risk if a disaster were to strike during this time. In addition, recovery time is much slower, as tapes must be recalled and transported to the disaster recovery location, which in many instances is located in a distant geographic location.

A better solution is to perform local backups and transport the data electronically to a public cloud provider like Microsoft Azure. Using the Azure Recovery Services feature you can create backup vaults to safely and reliably store backups of on-premises systems and restore the data to any physical location quickly and easily. Azure Recovery Services is a simple, cost effective, integrated offsite backup storage solution that can provide essential data protection to meet your disaster recovery needs.


Microsoft Azure Recovery Services use digital certificates to authenticate the server uploading data to a backup vault. The certificate must be valid (not expired), have a minimum key length of 2048 bits, include the Client Authentication Enhanced Key Usage (EKU), and should be located in the local computer certificate store on the server. The certificate must include a private key, and the validity period cannot exceed three years. This certificate will be exported, without the private key, and later uploaded to the Azure backup vault. You can use a certificate issued by any public Certificate Authority (CA), a local private Public Key Infrastructure (PKI), or a self-signed certificate. In this article I'll demonstrate Azure backup using a certificate issued by an internal PKI. This article assumes that you have obtained a computer certificate from your internal PKI, or one of the other supported methods. It is outside the scope of this article to cover the installation and configuration of PKI, or the process of obtaining a computer certificate either from PKI or a third-party CA.

Certificate Preparation

On the Windows Server 2012 R2 system you plan to backup to Azure, open a new Microsoft Management Console (MMC) and choose File, Add/Remove Snap-in. Select Certificates and click Add. Choose Computer Account, click Next, and then select the Local Computer and click Finish. Expand Personal and Certificates, and then right-click the computer certificate and choose All Tasks and Export. The Certificate Export Wizard will open. Click Next, and then choose not to export the private key. Click Next again and select DER encoded binary X.509 (.CER).

Image 1

Provide the name of the file and a location to save it and click Next and then Finish.

Configure Azure Recovery Services

In the Microsoft Azure management console, click Recovery Services and then click Create a New Vault. Click Backup Vault and then click Quick Create. Provide a name for the vault, specify a region, select a subscription to associate with the vault, and then click Create Vault.

Image 2


Once the vault has been created, highlight the vault, select the Dashboard, and then click Manage Certificate. Provide the certificate file exported previously.

Image 3

Next, click the Download Agent link and choose to download the agent for Windows Server and System Center - Data Protection Manager.

Image 4

Installing Azure Backup Agent

On the Windows Server 2012 R2 server you wish to protect, launch the Azure Backup agent installation. Accept the supplemental notice and wait for the Microsoft Visual C++ 2008 Redistributable to be installed. Both the Microsoft .NET Framework 4 and PowerShell must be installed. The Windows Identity Foundation will be installed by the agent.

Image 5

Provide the location of the Installation Folder and Cache Location, and choose to opt-in to Microsoft Update, if required. Once the installation is completed you are prompted to Check for newer updates.

Image 6

Note: If you chose to check for newer updates you may be prompted to install an update to the agent once the installation completes.


Configuring Azure Backup Agent

To configure the Azure Backup Agent, double-click the Windows Azure Backup shortcut on the desktop. In the Actions pane click Register Server. If your server is located behind a proxy server, supply the necessary information. Next, select the certificate to use authenticate to the Azure Backup Vault and choose the appropriate backup vault.

Image 7

Enter a passphrase that will be used to encrypt and decrypt backups from this server. Be sure to use a long, complex password. Optionally you can choose to generate a passphrase with the installation wizard. Enter a location to save the password file and store it in a secure location, and then click Register.

Image 8

Configure Backup Options and Schedule

To schedule a backup, click Schedule Backup in the Actions pane of the Windows Azure Backup management console. Click Add Items to select which folders to include in the backup. Optionally you can click Exclusion Settings to specify folders, files, and file types to be excluded from backup.

Image 9

Select an appropriate backup time that meets your requirements. Here I’ve chosen to back this server up every weekday beginning at 10:00PM. You can manage the passphrase for this server, as well as configure proxy settings and manage bandwidth policies by clicking Change Properties.

Image 10

Choose the number of days for which the backups will be retained. Azure will always keep the latest backup file. This setting applies to backup files that have been deleted, moved, renamed, or overwritten.

Image 11

Review the configuration settings and click Finish.

Image 12

Now that the Azure Backup Agent has been configured and scheduled, backups will proceed normally. If you need to kick off a backup immediately, click Backup Now in the Actions pane. After a backup has been completed successfully, if a restore should ever be required you can perform that by clicking on the Recover Data link in the Actions pane.


Microsoft Azure Recovery Services provides a quick, efficient, and cost-effective way to provide essential data protection and disaster recovery services by maintaining off-site backups of on-premises systems. In this article I used a simple scenario, backing up a single server to Azure, as a way to demonstrate the capabilities of Azure backup. While this is a rudimentary example, a more common scenario would likely involve backing up multiple systems to Azure. In that case, it is advisable to use a dedicated certificate, as opposed to use the computer certificate assigned to each individual server. Using a common certificate is much more manageable and scalable, and would allow for multiple servers to be registered to a common vault. In any case, it’s definitely worth having a look at Azure Recovery Services. Having quick and convenient access to archived system backups in the cloud could prove to be a lifesaver in the future.

See Also

The Author — Richard Hicks

Richard Hicks avatar

Richard M. Hicks (MCP, MCSE, MCTS, MCITP:EA, MCSA, MVP) is a network and information security expert specializing in Microsoft technologies. He is the founder and principal consultant of Richard M. Hicks Consulting and is focused on helping organizations large and small implement DirectAccess, VPN, and cloud networking solutions on Microsoft Platforms.


Featured Links