Save to My DOJO
For any enterprise application that you deploy on your Windows Server infrastructure, if data integrity and consistency are important, then one of the first things you need to verify is whether it supports backups using the Volume Shadow Copy Service (VSS). Data consistency means that the information for the application or file is complete and not corrupted so that when it is restored from a backup, it works as expected. For example, if you restore a Hyper-V virtual machine (VM), you want to make sure that it is not corrupted and runs normally, or else the backup effectively worthless. Being able to take a backup of an application, rather than the entire disk, is also advantageous because it provides more flexibility when creating the backup, more granularity when restoring the application’s data, and it can save storage space.
This article will explain how VSS works with applications and some common tools used to manage the process.
Volume Shadow Copy Service (VSS) Components
The Volume Shadow Copy Service (VSS) is a set of Windows COM interfaces and commands that create complete backups while the target application continues to run. Since enterprise applications need to continually serve customers and are rarely taken offline, they need to be backed up while they are online and still generating data. This means that the data files are often large, remain open, and in an inconsistent state, while the data is constantly changing. VSS provides coordination between the running enterprise application (such as a Hyper-V VM), backup application (such as Altaro VM Backup), the storage management software (such as Windows Server), and the storage hardware. VSS is built into both Windows and Windows Server.
Volume Shadow Copy Service consists of the following components:
- VSS Service – The Windows Service which coordinates and communicates between the application and backup components.
- VSS Requester – This is the backup software that creates and manages the VSS copies. Windows Server Backup and System Center Data Protection Manager are commonly used in the Microsoft ecosystem, but almost every third-party backup solution for Windows also supports VSS, including Altaro VM Backup.
- VSS Provider – This is the component that creates and manages the shadow copies and can run in either the software on the operating system or in the hardware.
- VSS Writer – This application-specific component ensures that the data is consistent when it is backed up and is usually included with each enterprise application. As a best practice, make sure that your application includes a VSS writer as it typical with all Microsoft enterprise applications.
Due to the component/segmented feature nature of Windows, Windows Server includes the following 34 built-in VSS writers right out of the box:
- Active Directory Domain Services (NTDS) VSS Writer
- Active Directory Federation Services Writer
- Active Directory Lightweight Directory Services (LDS) VSS Writer
- Active Directory Rights Management Services (AD RMS) Writer
- Automated System Recovery (ASR) Writer
- Background Intelligent Transfer Service (BITS) Writer
- Certificate Authority Writer
- Cluster Service Writer
- Cluster Shared Volume (CSV) VSS Writer
- COM+ Class Registration Database Writer
- Data Deduplication Writer
- Distributed File System Replication (DFSR)
- Dynamic Host Configuration Protocol (DHCP) Writer
- File Replication Service (FRS)
- File Server Resource Manager (FSRM) Writer
- Hyper-V Writer
- IIS Configuration Writer
- IIS Metabase Writer
- Microsoft Message Queuing (MSMQ) Writer
- MSSearch Service Writer
- NPS VSS Writer
- Performance Counters Writer
- Registry Writer
- Remote Desktop Services (Terminal Services) Gateway VSS Writer
- Remote Desktop Services (Terminal Services) Licensing VSS Writer
- Shadow Copy Optimization Writer
- Sync Share Service Writer
- System Writer
- Task Scheduler Writer
- VSS Metadata Store Writer
- Windows Deployment Services (WDS) Writer
- Windows Internal Database (WID) Writer
- Windows Internet Name Service (WINS) Writer
- WMI Writer
As mentioned in the definition of VSS writer above, these writers allow the targeted applications/features to gracefully “pause” in such a way that allows the backup application to back up the associated configuration and data without bringing the application or service down. This could be a VM running on Hyper-V, an on-prem Exchange server, a SQL box, a domain controller running AD. Any constantly running service or application that you want to run backups against should have a supported VSS writer. Without a supported VSS writer for an application, the application will be backed up in whatever state it’s in at the time of backup.
For example, let’s say you have a MySQL Database. There currently is no supported VSS writer for MySQL. In this situation, let’s say you run a backup against it. All may seem fine on the surface, but there is a good chance that there were pending data writes in memory as the backup was happening. When you go to restore the database, the tables associated with that pending data will likely be wrong. Worst case, you could run into full-blown corruption of the MySQL database upon restoration, which is not a good time to be finding out about database corruption. The alternative in this situation, where you have no supported VSS Writer, is to use a scheduled task to gracefully stop the service in question prior to the backup and then start it again after the backup has been completed. This certainly isn’t an ideal scenario, but if you’re using an application with no supported VSS writer (they are few and far between anyway), your hands are somewhat tied.
Alternatively, if you run into this situation, it would be a good point in time to take a good hard look at the affected application and ask yourself if it can be replaced with something that has a supported VSS writer. In the long-term, a legacy application like this will not scale well for your organization and will continue to cause headache after headache.
System, Software, and Hardware Providers
Organizations can select from several options for the VSS provider, including the built-in system providers, a third-party software provider, or a hardware provider. The system provider comes with Windows Server as Windows Server Backup using the volsnap.sys driver and swprv.dll library. This provider is perfectly fine to use if you do not have any advanced backup utilities and only need basic functionality.
Third-party software-based providers have a richer feature set than the system provider and may have more backup options, such as defining the location where shadow copies are stored or the number of copies, and when restoring from backups, there may be options to restore specific files or items.
Hardware-based providers are recommended if they support VSS. By running the backup process from the hardware, it offloads the resource-intensive operation backup task from the server operating system so that more processing cycles can be consumed by the application.
How Volume Shadow Copy Service (VSS) Works
In terms of a textbook description, it’s hard to beat Microsoft’s exhaustive documentation on this well-established service. So I suggest you read that if you want an ultra-comprehensive look into the inner workers of VSS. That said, if you want a quick overview that will cover 90% of situations, then read on!
When a backup is created using VSS, a series of actions are triggered to coordinate the snapshot across the service, provider, requester, and writer.
- When a user creates a manual backup or a task triggers an automatic backup, the requester (backup application) asks VSS to prepare the system.
- The writer gathers metadata about the application and data that needs to be backed up, how the application will be restored, and provides a list of application components that can be individually backed up.
- Once the components are selected by the requester, the writer will prepare the data so it is in a consistent state and can be successfully restored. This will usually include completing open transactions, temporarily pausing any new write requests, and flushing any buffers or caches. Since the application is still running, it can still accept new read requests.
- Once the application’s data is effectively “frozen,” the VSS service tells the provider to create the shadow copy, which can last up to a maximum of 10 seconds.
- The backup is now complete.
NOTE: If the freeze takes longer than 60 seconds or the shadow copy commitment takes longer than 10 seconds, then the operation is aborted and will be retried later, ideally at a time when the application is processing less data so the operation can be completed faster.
Once the backup is complete or if the task has been aborted, then the application is unfrozen or “thawed.” First, the VSS service will release then flush all the paused file system write requests, and the application returns to its normal disk writing behavior. The VSS service then returns the file location back to the requestor so that it can be tracked and recovered in the event of a disaster.
Volume Shadow Copy (VSS) Tools
There are two free tools provided by Microsoft to help administrators manage their snapshots, VssAdminandDiskShadow. Additionally, there are several registry settings that can be configured.
VssAdmin is a tool used to manage shadow copies and includes commands to create a shadow copy, delete a shadow copy to reclaim storage space, list all registered VSS providers, list all registered VSS writers, and change the size of the storage area. However, this tool will only work with the built-in system provider, so if you are using a third-party provider, you would use that storage management utility.
DiskShadow is a VSS requester used to manage any software or hardware snapshots on Windows Server. It lets admins perform a variety of tasks for shadow copies, including listing all writers, providers, and shadow copies, setting file data and metadata, loading metadata, listing writers, adding volumes, creating a shadow copy, starting a full backup, ending a full backup, starting a restore, ending a restore, simulating a restore, deleting a shadow copy, importing a shadow copy, and managing volume drive letters.
There are three registry settings that admins may also want to change using the Regedit utility.VssAccessControl is a security setting that defines which users have access to the shadow copies. MaxShadowCopiesspecifies the maximum number of shared copies for shared folders, which can be stored on each volume of the computer. MinDiffAreaFileSize defines the initial size of the shadow copy storage area.
By using Volume Shadow Copy tools, you can ensure that your running applications can be backed up successfully with data consistency. For more information about the Volume Shadow Copy Service, check out Microsoft’s official documentation at https://docs.microsoft.com/en-us/windows/desktop/vss/volume-shadow-copy-service-portal.
Not a DOJO Member yet?
Join thousands of other IT pros and receive a weekly roundup email with the latest content & updates!