If your company has a computing policy that’s at all responsible,
you backup your data on a regular basis. That’s just common sense.
But a little-known feature of Microsoft’s Group Policy Objects (GPOs)
may be making it harder for you to have a sensible backup program.
Allow me to explain.
Three Basic Types of Backups
Corporate backup procedures come in an infinite variety, but the
following three types are among the most well-known:
• Full backup.
A complete copy of all files is made. The backup software clears or resets
the “archive bit” that each file carries. If a file is modified at some point
after a backup, the operating system turns the file’s archive bit back on.
This allows backup programs to select those files that have recently changed.
• Incremental backup.
Since full backups can be very time-consuming, incremental backups can be
scheduled. These copy only new and modified files: those that have the archive
bit set “on.” Software that performs an incremental backup then clears the
archive bit, so the next incremental won’t copy files unnecessarily.
If you performed a full backup on a Sunday night, and incremental backups
on Monday and Tuesday nights, a disk failure on Wednesday morning would
require you to run a restore operation from the Sunday, Monday, and
Tuesday night backup media.
• Differential backup.
Because restoring from multiple backup media can be time-consuming,
some companies use differential backups. These copy files that have
the archive bit set “on,” but do not clear the archive bit.
Every time a differential is made, it copies every file that have been
modified since the last full backup. A disk failure on a Wednesday
morning, to use the example above, would require you to run a restore
operation only from Sunday’s full backup and Tuesday’s differential.
The Problem with Microsoft’s Group Policy Objects
Group Policy Objects are used by administrators of Windows 2000 Server and
Windows Server 2003 domains. GPOs are very helpful in setting rules that
users and specific computers on a network must follow.
Unfortunately, using GPOs has the negative side-effect of setting the archive
bit on all files and folders within the affected server’s organizational
unit (OU). This makes so-called incremental and differential backups copy
far more files than they should. You can demonstrate this yourself on a Windows
server, via a procedure suggested by reader Gary Busby:
• New folder.
Create a folder on a server in a Windows 2000 or 2003 domain.
• New file.
Create a new text file in this folder or, better yet, copy into the
folder a text file that was last modified weeks ago.
• Clear the archive bit.
In the file’s Advanced Properties, uncheck the box marked
“File is ready for archiving,” if it is checked. This should make the
file appear to be unmodified. It therefore would not take up time and space
in an incremental or differential backup.
• New GPO.
Create a Group Policy Object on the OU that houses the server.
• New policy.
Create a computer file-system security policy for the folder
you created above. Grant “full control” to any selected group or user you wish, using
the same Access Control List (ACL) rights as the folder and file you created.
• Update policies.
Refresh the policies on the server, using the command secedit
(on Windows 2000 Server) or gpupdate (on Windows Server 2003)
— or simply wait until the policies are updated automatically,
which usually occurs on Windows servers several times a day.
Now examine the Advanced Properties of the file you created.
Its archive bit has been set — as though it had been modified.
With thousands of files involved, your incremental or differential backups
might take just as long and be just as large as a full backup.
There isn’t a patch for this kind of behavior yet. You can, however, try to work around the “feature” if your backup software permits a type known as Daily. Using this setting,
the backup software copies all files that were modified on a certain
date. Daily backups ignore the archive bit and leave it unchanged. If this is
the alternative you choose, you’re compelled to create, in effect, an
incremental backup once a day.
Of course, if you currently don’t backup your network on a frequent basis,
being forced to make a backup once a day might be an improvement!