Here we’ll show you how to install the Windows Server Backup feature in Windows Server 2016 with PowerShell and then configure basic server backups.
We’ll also take a quick look at how the backup files are stored and see whether they are encrypted.
In order to perform simple backups and restores out of the box, Windows Server 2016 provides the Windows Server Backup feature. While this does work, it is fairly basic and lacks many useful features. If you have many critical servers to back up, I highly recommend that you look at something else, such as Microsoft’s Data Protection Manager (DPM) or a third-party backup solution from some other vendor.
An example of this is that when you back up over the network to an external share with Windows Server Backup, you can only store one restore point at a time. Any further backups will overwrite existing ones, which isn’t very useful if you actually need some sort of retention. The backups are also managed on a per-server basis, which makes them difficult to maintain and manage.
Install Windows Server Backup Feature
Before we can actually configure the backups, we must first install the Windows Server Backup feature. This can be done through the graphical user interface; however, it’s faster to simply use PowerShell.
First we’ll use the Get-WindowsFeature cmdlet to search for available features that contain the string ‘*Backup*’ in the Name field.
PS C:\> Get-WindowsFeature -Name *Backup*
As we can see, Windows-Server-Backup is available for install but not currently installed.
Next we use the Install-WindowsFeature cmdlet to install the Windows-Server-Backup feature.
Once complete, we should see that the installation has completed successfully. No reboot is required for this feature, so we can begin using it straight away.
Now that we have installed the Windows Server Backup feature, we can begin to configure our server backups. To begin, we’re going to open the Windows Server Backup console from the Tools menu in Server Manager.
From the wbadmin window that opens up, select “Local Backup” from the menu on the left. We will see that there is a warning noting that no backup has been configured for this computer, which is currently expected. We can either configure a backup schedule which will perform the backup as we define, or we can perform a once-off backup. Here we’ll set up a backup schedule by clicking “Backup Schedule” on the right.
This will open up a Getting Started window advising that we can use this wizard to configure a regular backup schedule for the full server, system state, selected files, folders or entire volumes – click Next to proceed.
On the next Select Backup Configuration window, we can choose to perform a full server backup, which is the recommended and default action, or we can optionally select custom to pick specific volumes or files that we want to back up rather than the full server. In this example we will be configuring a full server backup; however, you can change this to suit your requirements.
The next window allows us to specify the time the backup should run. We can set the backup to run once daily at a specified time, or we can optionally have it run multiple times per day by selecting the more than once a day option and adding the times the backup should run to the right side.
Next we will be asked to specify the destination of our backup data. The recommended option is to store the data on a separate disk that is attached to the server; however, we can also change this to back up to another volume or a network share. In this example I’ll be using a network share as I have one available. Note that this has a limitation: we will only be able to store one backup point at a time, as new backups will overwrite the existing one. This limitation does not exist when you back up to another disk or volume.
We will now specify the network location. Here I pick a file share that is available on the local network and click Next to continue. If you selected a disk or volume destination rather than network, you would instead be asked to pick that disk or volume here.
Finally we are presented with a confirmation screen which summarizes our options. Click the Finish button to accept this and complete the process, or otherwise go back and make any changes as needed. The summary notes that as we are performing a full backup, we will be able to perform bare metal recovery of the entire system, which is fairly powerful.
That’s it, the backup should automatically start at the time specified. We can manually initiate it by going back to the Windows Server Backup window and selecting “Backup Once”. From here we are given the option to create a once off backup based off of our scheduled backup, so all of the same settings will be used but we will be running the backup now rather than at the scheduled time.
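The same installation and full server schedule can be scripted with the WindowsServerBackup PowerShell module. This is an added example, not part of the original walk-through; the share path \\fileserver01\backups and the 21:00 start time are assumed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the Backup Schedule wizard walk-through.
# Assumed placeholders (not from the article): \\fileserver01\backups and 21:00.

# Install the feature only when it is missing; no reboot is needed afterwards.
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
}
Import-Module WindowsServerBackup

$policy = New-WBPolicy

# Wizard option "Full server": all volumes, system state and bare metal recovery.
Add-WBVolume -Policy $policy -Volume (Get-WBVolume -AllVolumes) | Out-Null
Add-WBSystemState -Policy $policy
Add-WBBareMetalRecovery -Policy $policy

# Network share destination. -NonInheritAcl stops the backup folder inheriting
# the share's ACL, so access is limited to the account supplied here.
$cred   = Get-Credential -Message 'Account with write access to the backup share'
$target = New-WBBackupTarget -NetworkPath '\\fileserver01\backups' `
                             -Credential $cred -NonInheritAcl
Add-WBBackupTarget -Policy $policy -Target $target | Out-Null

# Run once a day; pass several [datetime] values for more than once a day.
Set-WBSchedule -Policy $policy -Schedule ([datetime]'21:00') | Out-Null

# Save as the server's scheduled backup policy (replaces any existing one).
Set-WBPolicy -Policy $policy -Force

# Confirm what was saved.
Get-WBPolicy | Format-List Schedule, BackupTargets, VolumesToBackup, BMR, SystemState

# Equivalent of "Backup Once" using the scheduled settings:
# Start-WBBackup -Policy (Get-WBPolicy)
```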
Are Windows Server Backups Encrypted?
This is a common question that I’ve seen asked a few times, so I thought I’d take the opportunity to answer it here. No, by default backups in Windows Server 2016 (and previous versions for that matter) are not encrypted. We can confirm this by simply browsing to the location that we have specified to back up the data to and looking through it. Primarily a .vhdx file is created for the C:\ drive of the server, which we can easily mount through disk manager, assign a drive letter to and then browse through the files and folders.
To encrypt the backup files we could set up BitLocker on the disks where the backups are being stored; however, note that this only protects the data at rest. If the data can be accessed while the drive is available for the backup to work, it could also be read by any potential attacker during this time.
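One way to check how well a backup store is protected, as an added example that is not part of the original article: run it on the machine whose disk holds the backup data. It assumes the BitLocker and SmbShare modules are present; the mount point 'E:' and share name 'backups' are placeholders.

```powershell
# Added example: audit the volume (and optional SMB share) that stores backups.
function Test-BackupStoreProtection {
    param(
        [Parameter(Mandatory)][string]$MountPoint,  # assumed example: 'E:'
        [string]$ShareName                          # assumed example: 'backups'
    )
    $findings = @()

    # At-rest protection: is BitLocker actually protecting this volume?
    $blv = Get-BitLockerVolume -MountPoint $MountPoint
    if ($blv.ProtectionStatus -ne 'On') {
        $findings += "$MountPoint BitLocker protection is $($blv.ProtectionStatus): " +
                     'the .vhdx files can be mounted from the raw disk'
    }
    elseif ($blv.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "$MountPoint is $($blv.VolumeStatus) " +
                     "($($blv.EncryptionPercentage)% encrypted)"
    }

    # While the volume is unlocked for backups, share permissions and ACLs are
    # the only control, so flag broad Allow entries on the share.
    if ($ShareName) {
        $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
        foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
            if ($ace.AccessControlType -eq 'Allow' -and $ace.AccountName -in $broad) {
                $findings += "Share '$ShareName' allows $($ace.AccessRight) " +
                             "access to $($ace.AccountName)"
            }
        }
    }

    if (-not $findings) { $findings = @('No findings') }
    $findings
}

Test-BackupStoreProtection -MountPoint 'E:' -ShareName 'backups'
```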
We have shown you how to install the Windows Server Backup feature in Windows Server 2016 using PowerShell, and then configure a basic backup schedule to a network share.
We also then confirmed that the backup files are not encrypted, so additional steps should be taken to protect them.