How to Configure Azure Backup Agent on Windows Server 2012 R2
The Microsoft Azure Backup Agent (also known as the MARS agent — Microsoft Azure Recovery Services) enables you to back up files, folders, and system state directly from Windows Server 2012 R2 to Microsoft Azure Recovery Services Vault, without requiring Azure virtual machines or Azure Site Recovery infrastructure. This cloud backup approach provides off-site, encrypted backup storage with configurable retention policies, bandwidth throttling to minimize production impact, and the ability to restore individual files or complete system state on demand. This guide covers creating an Azure Recovery Services Vault, downloading and installing the MARS agent, registering the server, configuring backup schedules and retention policies, and performing a test restore.
Prerequisites
- Windows Server 2012 R2 with PowerShell 4.0
- An active Microsoft Azure subscription
- Outbound internet access on TCP 443 (HTTPS) to *.backup.windowsazure.com
- At least .NET Framework 4.5.2 (included with WS2012 R2)
- The Azure PowerShell module installed for scripted vault creation
- At minimum 5% free disk space on the volumes being backed up (for VSS shadow copies)
Step 1: Create an Azure Recovery Services Vault
Install the Azure PowerShell module and create the Recovery Services Vault where backups will be stored:
# Install Azure PowerShell module (requires NuGet provider)
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Install-Module -Name Az -Repository PSGallery -Force -AllowClobber
# Connect to Azure
Connect-AzAccount
# Create a Resource Group and Recovery Services Vault
$Location = "East US"
$ResourceGroupName = "rg-backup-ws2012r2"
$VaultName = "rsv-ws2012r2-backup"
New-AzResourceGroup -Name $ResourceGroupName -Location $Location
New-AzRecoveryServicesVault -Name $VaultName -ResourceGroupName $ResourceGroupName -Location $Location
Write-Host "Recovery Services Vault created: $VaultName"Alternatively, create the vault through the Azure Portal: navigate to Azure Portal > Create a Resource > Backup and Site Recovery > Create, fill in the name and region, and click Review + Create.
Step 2: Download the MARS Agent Installer
In the Azure Portal, navigate to your Recovery Services Vault, click Backup under Getting Started, select On-premises as the workload location, and select Files and folders as the backup goal. Click Prepare Infrastructure, then download the Recovery Services Agent (MARS agent installer). Also download the Vault Credentials file — this is an encrypted certificate file that authenticates your server to the vault and is valid for only 48 hours after generation.
# Download MARS agent via PowerShell
Invoke-WebRequest -Uri "https://aka.ms/azurebackup_agent" -OutFile "C:TempMARSAgentInstaller.exe"Step 3: Install the MARS Agent
Run the MARS agent installer silently:
Start-Process -FilePath "C:TempMARSAgentInstaller.exe" -ArgumentList "/q /nu" -Wait -PassThru
Write-Host "MARS Agent installed"
# Verify installation
Get-Service "obengine" | Select-Object Name, Status, StartTypeThe installation creates the obengine service (Online Backup Engine) which handles all backup and restore operations.
Step 4: Register the Server with the Vault
Register this server with the Azure Recovery Services Vault using the vault credentials file downloaded in Step 2. This establishes the encrypted trust relationship between your server and the vault:
$MARSInstallDir = "C:Program FilesMicrosoft Azure Recovery Services Agent"
$AgentExe = "$MARSInstallDirbinAzureBackupSetup.exe"
# Register using the vault credentials file
Start-Process -FilePath $AgentExe -ArgumentList `
"RegisterServer",
"/VaultCredentials:`"C:TempVaultCredentials.VaultCredentials`"",
"/SecurityPin:`"YourSecurityPIN`"" `
-Wait -PassThruThe Security PIN is required for all critical operations (registration, passphrase change) and is obtained from the vault in the Azure Portal under Settings > Properties > Security PIN > Generate. Without it, registration will fail as a security protection against ransomware that might attempt to disable backup.
Step 5: Configure Backup Schedule and Retention via PowerShell
After registration, configure the backup policy using the MARS agent PowerShell cmdlets. These cmdlets are available after the agent is installed:
Import-Module "$MARSInstallDirbinMSOnlineBackup.psm1"
# Create a new backup policy
$Policy = New-OBPolicy
# Set the backup schedule (daily at 10PM and 2AM)
$Schedule = New-OBSchedule -DaysOfWeek Sunday,Monday,Tuesday,Wednesday,Thursday,Friday,Saturday -TimesOfDay 22:00,02:00
Set-OBSchedule -Policy $Policy -Schedule $Schedule
# Set retention policy (30 days daily, 8 weeks weekly, 12 months monthly)
$RetentionPolicy = New-OBRetentionPolicy -RetentionDays 30 -RetentionWeeklyPolicy -RetentionWeeks 8 -RetentionMonthlyPolicy -RetentionMonths 12
Set-OBRetentionPolicy -Policy $Policy -RetentionPolicy $RetentionPolicy
# Add files and folders to the backup scope
$Spec = New-OBFileSpec -FileSpec @("C:","D:Data") -Exclude @("C:WindowsTemp","C:Temp","*.tmp","*.log")
Add-OBFileSpec -Policy $Policy -FileSpec $Spec
# Set the encryption passphrase (store this in a secure vault - loss means permanent data loss)
$Passphrase = "YourSecureEncryptionPassphrase123!@#"
$SecurePass = ConvertTo-SecureString -String $Passphrase -AsPlainText -Force
Set-OBMachineSetting -EncryptionPassphrase $SecurePass
# Apply the policy
Set-OBPolicy -Policy $Policy -Confirm:$false
Write-Host "Backup policy configured and applied"Step 6: Configure Bandwidth Throttling
Limit backup bandwidth during business hours to prevent backup jobs from saturating production network links:
# Throttle to 512 Kbps during work hours, unlimited outside work hours
Set-OBMachineSetting -WorkDay Monday,Tuesday,Wednesday,Thursday,Friday `
-StartWorkHour 08:00 -EndWorkHour 18:00 `
-WorkHourBandwidth 512 -NonWorkHourBandwidth 0Step 7: Trigger a Manual Backup and Verify
# Start an immediate backup
$Policy = Get-OBPolicy
Start-OBBackup -Policy $Policy -Async
# Monitor backup status
$BackupJob = Get-OBJob -Previous 1
Write-Host "Job status: $($BackupJob.JobStatus)"
Write-Host "Job type : $($BackupJob.JobType)"
# Wait for completion
do {
Start-Sleep -Seconds 30
$BackupJob = Get-OBJob -Previous 1
Write-Host "Status: $($BackupJob.JobStatus) - $($BackupJob.HResult)"
} while ($BackupJob.JobStatus -in @("InProgress","NotStarted"))Step 8: Restore Files from Azure Backup
To restore files, mount the recovery point as a local drive and copy files from it:
# List available recovery points
$RecoveryPoints = Get-OBRecoverableItem -Source (Get-OBRecoverableSource)
# Select the most recent recovery point
$LatestRP = $RecoveryPoints | Sort-Object PointInTime -Descending | Select-Object -First 1
# Initiate recovery
$RecoverOptions = New-OBRecoverOptions -RestoreType Original -OverwriteType Overwrite
Start-OBRecovery -RecoverableItem $LatestRP -RecoverOptions $RecoverOptions -AsyncStep 9: Verify Agent Status
Get-Service obengine | Select-Object Name, Status
Get-OBPolicy | Format-List
Get-OBJob -Previous 5 | Select-Object JobId, JobType, JobStatus, StartTime, EndTime | Format-Table -AutoSizeSummary
The Microsoft Azure Backup (MARS) agent is now installed and configured on Windows Server 2012 R2, providing encrypted off-site backup of files, folders, and system state to Azure Recovery Services Vault. The configuration includes a twice-daily backup schedule with 30-day daily retention extending to 12 months for monthly recovery points, bandwidth throttling during business hours to protect production network performance, and encryption with a passphrase that ensures data remains private even from Microsoft. This Azure Backup configuration fulfills off-site backup requirements with minimal infrastructure overhead and pays only for the storage consumed.
