Introduction to Azure Backup for Windows Server 2019

Azure Backup is Microsoft’s cloud-native backup service that extends data protection to Windows Server 2019 without the need to manage your own offsite backup infrastructure. It stores backups in Azure Recovery Services Vaults, which provide geo-redundant storage by default. The service supports file-and-folder backups, system state backups, and full server (bare metal recovery) backups. Azure Backup uses incremental forever backup methodology after the initial full backup, which reduces bandwidth consumption and storage costs significantly. This guide walks through creating a Recovery Services Vault, installing the Microsoft Azure Recovery Services (MARS) agent on Windows Server 2019, and configuring automated backup policies.

Prerequisites and Planning

Before configuring Azure Backup, you need an active Azure subscription. Your Windows Server 2019 machine requires outbound internet access on TCP port 443 to reach Azure Backup endpoints. If you operate behind a proxy or firewall, you must whitelist the Azure Backup and Azure Storage service endpoints for your region. The MARS agent requires .NET Framework 4.5 or later, which is included with Windows Server 2019 by default.

Plan your Recovery Services Vault location carefully. Create the vault in the same Azure region as your primary workloads to minimize egress costs during restore operations. Choose Geo-Redundant Storage (GRS) for the vault replication setting to ensure backups survive a regional Azure outage, or Locally Redundant Storage (LRS) if cost is the primary concern.

Creating a Recovery Services Vault in Azure

Log into the Azure Portal at portal.azure.com. Navigate to Recovery Services Vaults and click Create. Fill in the subscription, resource group, vault name (for example, prod-backup-vault-eastus), and region. Click Review + Create, then Create. Once deployed, open the vault and navigate to Properties > Backup Configuration. Set the Storage Replication Type to Geo-redundant before registering any servers, as this setting cannot be changed after a backup item is registered.

Alternatively, create the vault using Azure CLI or Azure PowerShell. Using Azure PowerShell:

Connect-AzAccount

New-AzResourceGroup -Name "backup-rg" -Location "East US"

New-AzRecoveryServicesVault -ResourceGroupName "backup-rg" -Name "prod-backup-vault" -Location "East US"

Set-AzRecoveryServicesBackupProperty -Vault (Get-AzRecoveryServicesVault -Name "prod-backup-vault") -BackupStorageRedundancy GeoRedundant

Downloading and Installing the MARS Agent

The Microsoft Azure Recovery Services (MARS) agent is the software installed on Windows Server 2019 to communicate with Azure Backup. From the Azure Portal, open your Recovery Services Vault, click Backup, select On-premises as the workload location, and select Files and folders (and optionally System State) as the backup goal. Click Prepare Infrastructure to download the MARS agent installer (MARSAgentInstaller.exe) and generate vault credentials file (.VaultCredentials).

Transfer both files to the Windows Server 2019 machine. Run MARSAgentInstaller.exe as Administrator. Accept the installation path defaults unless you have a specific reason to change them. On the Proxy Configuration page, enter proxy settings if your server accesses the internet through a proxy. Complete the installation wizard. The agent does not require a server reboot.

Registering the Server with the Recovery Services Vault

After installation, the Microsoft Azure Backup agent console opens automatically. If it does not, launch it from the Start menu or by running C:Program FilesMicrosoft Azure Recovery Services Agentbinwabui.exe. In the console, click Register Server in the right-hand Actions pane.

In the registration wizard, browse to the .VaultCredentials file you downloaded from the Azure Portal. The wizard validates the credentials against Azure. Next, you are prompted to create a passphrase for encrypting backups. This passphrase is critically important — it is used to encrypt all backup data before it leaves your server. Store the passphrase in a secure password manager or offline location. Azure does not store this passphrase and cannot recover your data if it is lost. Click Register to complete server registration.

Configuring a Backup Policy

After registration, click Schedule Backup in the MARS agent console Actions pane. The Schedule Backup Wizard launches. On the Select Items to Backup page, click Add Items and select the files, folders, or volumes you want to protect. You can also select System State if you want Active Directory and system configuration included in the backup.

On the Specify Backup Schedule page, set the daily backup frequency (up to three times per day) and the time for each backup. On the Select Retention Policy page, configure retention for daily, weekly, monthly, and yearly recovery points. Azure Backup supports up to 9,999 recovery points per protected item. A typical policy might retain daily backups for 30 days, weekly for 12 weeks, and monthly for 12 months.

On the Choose Initial Backup Type page, select Automatically over the network for small datasets. For large initial backups (hundreds of gigabytes or more), use Azure Import/Export service (offline seeding) to ship an encrypted hard drive to an Azure datacenter, avoiding a massive initial upload over the internet.

Running the Initial Backup

After configuring the schedule, trigger the initial backup immediately to validate the configuration. In the MARS agent console, click Back Up Now in the Actions pane. Select through the wizard to confirm the items and retention, then click Back Up. Monitor the backup progress in the Jobs pane of the console. The initial backup transfers all selected data to Azure and can take several hours for large datasets depending on available upload bandwidth.

You can also trigger and monitor backups via PowerShell using the MARS agent module:

Start-OBBackup

To view the current backup policy configured on the server:

Get-OBPolicy | Get-OBSchedule
Get-OBPolicy | Get-OBRetentionPolicy

Monitoring Azure Backup Jobs

Backup job status is visible in the MARS agent console under the Jobs tab. From the Azure Portal, navigate to your Recovery Services Vault, then click Backup Jobs to see the history of all backup and restore operations for all registered servers. You can filter by time range and status (Completed, Failed, In Progress).

Configure alerts in the Azure Portal by navigating to your vault, then Backup Alerts. Enable email notifications for job failures and warnings so your operations team is alerted immediately when a backup fails. You can also integrate Azure Backup alerts with Azure Monitor action groups to route notifications to Teams, PagerDuty, or a ticketing system via webhook.

Restoring Files from Azure Backup

To restore files, open the MARS agent console and click Recover Data in the Actions pane. Select This Server to restore to the same machine, or Another Server to restore to a different machine (you will need the passphrase and vault credentials). Choose Browse for files on the next page to browse recovery points interactively. Select a recovery point date and time, then mount the volume snapshot. Windows Explorer opens, allowing you to browse and copy individual files and folders from the snapshot as if it were a local drive. Unmount the snapshot when done.

For command-line recovery using the OBRecovery cmdlets:

$rp = Get-OBRecoverableSource | Get-OBRecoverableItem -RecoveryPoint (Get-OBRecoverableSource | Get-OBRecoveryPoints | Select-Object -First 1)
Start-OBRecovery -RecoverableItem $rp -RecoveryOption (New-OBRecoveryOption -DestinationPath "C:Restore" -OverwriteType Overwrite)

Enabling System State Backup via MARS

System state backup via Azure Backup protects the Windows Registry, COM+ Class Registration Database, boot files, and on domain controllers, Active Directory and SYSVOL. To enable system state backup in the MARS agent, re-open Schedule Backup wizard and check the System State checkbox when selecting items. Note that the system state component creates a local staging copy under C:WindowsSystem32WindowsImageBackup before uploading to Azure, so ensure the system volume has adequate free space — typically 30 GB or more.

Cost Optimization Considerations

Azure Backup pricing is based on the number of protected instances and the storage consumed in the vault. To control costs, enable soft delete (enabled by default) only if required for compliance, as it retains deleted backup data for 14 extra days at cost. Use LRS replication for non-critical servers where GRS overhead is not justified. Review and trim retention policies annually to remove unnecessarily long retention periods. For servers with large datasets where full Azure Backup is cost-prohibitive, consider using Azure Backup only for system state and using Azure File Sync or robocopy to a secondary server for data redundancy.