Getting Started with Datto Backup for Microsoft Azure

Topic

This article describes an overview of Datto Backup for Microsoft Azure solution, system requirements, and how to pair a new protected system.

Environment

Datto Backup for Microsoft Azure

Description

System Requirements
Limitations
Pairing
Manual Backup
Pause Backups
Differential Merge Backup
Frequently Asked Questions

System requirements

OS	Datto Backup for Microsoft Azure supports Core, Essentials, Standard and Datacenter editions of the following operating systems: Windows 10/11 Multi-Senssion Windows Server 2012 R2 Windows Server 2016 Datacenter Windows Server 2019 Datacenter Windows Server 2022 Datacenter
Memory requirements	At least 4GB of RAM on the production system
Disk space requirements	Datto Backup for Microsoft Azure supports adding up to seven Protected Systems, with up to six TB of disk space (total storage capacity) between them VMs on per VM billing will instead be limited to 1 TB managed disk capacity per VM. Each protected volume must have 10% of the volume's total size available for the DattoCtrl or Datto.ctl file, The minimum size of this file will be 1GB. If 10% of the volume is more than 10 GB, the file's size will be 10 GB regardless of the size of the volume.
Network	Port 443 on the protected machine must be open outbound. Additionally, port 993, 80, or 587 on the protected machine must be open outbound. Only one of these three ports is necessary; the agent will try all three when attempting to connect to the cloud storage node. The Datto Endpoint Backup Agent's installer will attempt to create an outbound firewall exception for outbound traffic on ports 443, 993, 80, and 587 for the agent's executable (%SYSTEMDRIVE%\Program Files\Datto\Datto Cloud Continuity\DattoCloudContinuity.exe). The agent will use a TLS-based proprietary protocol for communication over the first port that it can reach. All protected machines must be able to resolve mothership.dtc.datto.com,agent-update.datto.com, dattolocal.net and valid-isrgrootx1.letsencrypt.org in the local DNS. See BCDR networking and bandwidth requirements for detailed network requirements and WAN uplink considerations.
Anti-virus exceptions	Create exceptions for Datto Cloud Continuity Service and the DattoProvider service: %SYSTEMDRIVE%\Program Files\Datto\Datto Cloud Continuity\DattoCloudContinuity.exe %SYSTEMDRIVE%\Program Files\Datto\Datto Cloud Continuity\DattoProvider.exe Allow the following file: %SYSTEMROOT%\system32\DattoCbt.sys
Other Requirements	The System PATH variable must have powershell included to allow pairing. See PowerShell isn't recognized as an internal or external command(external link) for more information Windows PowerShell version 3 or higher must be installed on the protected machine. The Microsoft Azure VM agent must be present for the push install to function. If you are migrating existing VMs into Azure from on-prem,the Azure VM agent may not properly install. See Microsoft's Azure Virtual Machine Agent overview (external link) for more information. For any error encountered during agent installation, check the Windows Event Logs for any corresponding events. Visual C++ runtime must be up-to-date and fully-installed. If Visual C++ 2015 runtime is not up to date or not installed properly, this could prevent an install. If you see errors related to the C++ runtime, reinstall the latest Visual C++ update. Before pairing, you should disable and remove all other backup software from the production machine. Depending on the software, you may need to completely uninstall it for backups to run correctly. When uninstalling other backup software, use a high-level program that eliminates all traces of the incompatible software, including registry keys, DLLs, and stray folders. These components can cause conflicts. The system must be able to reach the Azure Instance Metadata Service (IMDS).

Limitations

While there is now Multi-Session OS support, FSLogix profiles associated with these session hosts are NOT being backed up at this time.

Cloud virtualizations have limitations with AADDS (Azure Active Directory Domain Services )
System compression, also known as "Compact OS", is a Windows feature that allows rarely modified files to be compressed using the XPRESS or LZX compression formats and is NOT supported.
Datto Backup for Microsoft Azure does not currently support systems with REFS volumes present.
Backing up external/removable drives is unsupported. See Volume Level Backup Control for Datto Backup for Microsoft Azure for more information.
Backup of User Profile Disks used by the Remote Desktop Service is unsupported. Remote Desktop Service (external link). These volumes should be excluded from backups.
Backup and virtualization of of deduplicated volumes is untested and may produce inconsistent results, particularly with File Restores . Use an alternate restore method where the volume is mounted in Windows to avoid these scenarios.
If you are protecting any volumes on your machine using an anti-virus software that uses VSS to allow for rollback remediation or snapshotting in the event of a security / encryption breach (like SentinelOne, for example), this will need to disabled in order for the Windows agent to properly backup these volumes.

Pairing

In the Datto Partner Portal, click the Status tab, then select BCDR Status from the drop-down menu.
Find your Cloud SIRIS on the BCDR Status page. If the system detects unprotected Microsoft Azure VMs that it can add to the appliance, you will see a Protect a System icon. Click the icon to continue.
In the pop-up window, select any additional VMs to protect. The Microsoft Azure Region and Subscription information will be locked to the options previously selected for other Protected Systems during device registration.
Check the box to Reboot VMs after installation to trigger a reboot with the paired system and ensure snapshots will complete successfully after the Datto Agent software has been installed. Then, click the PROTECT SYSTEM button. Once you have made your selections, click PROTECT SYSTEM to finish the process.

The BCDR Status page will update to reflect the newly protected system. It's status will show as installing until the Datto Agent software finishes installing on the Azure VM. The system's first backup will begin shortly after installation completes.
When the device finishes installing, reboot the Microsoft Azure VM. Once the reboot completes, your protected Microsoft Azure VMs will display in the Protected System column, and backups will begin.

Manual Backup

Datto Backup for Microsoft Azure automatically runs a backup every hour on a 24/7 schedule. You can also manually initiate a backup from the BCDR Status page. Click the kebab icon on the far right of the protected system listing and choose Start Backup from the menu.

Pause Backups

In the same menu on the right of the protected system listing is the option to pause the backup for a set period of time. Once paused, the menu items will be replaced with the option to resume the backups.

Differential Merge Backup

Differential merge backups are a special type of backup that traverses the entire live backup dataset of the protected server, compares it to the protected system volumes, and backs up new changes.

It is not normally necessary to run differential merge backup, and they can take quite a bit longer than standard backups. Differential Merge backups are more resource intensive on the Cloud SIRIS, so it is best to avoid forcing these for multiple agents simultaneously. Manually initiating a differential merge can sometimes help resolve backup problems. They can be a good alternative to creating a new full backup as they offer the benefit of continuing the existing backup chain and require less space than a full backup. If it does not resolve the issue on the next backup, contact Datto Technical Support.

You can run a differential merge backup in the same way as the manual backup outlined above. Click the kebab icon on the far right of the protected system listing and choose Start Diff Merge from the menu.

Frequently Asked Questions

What Microsoft Azure-provided managed disk encryption solution does Datto Support?

Datto backups, file restores, instant virtualizations, image exports, and Microsoft Azure Restores are unencrypted.

Any files that are encrypted-at-rest within a given fileystem at the time of backup are restored in an encrypted-at-rest state.
For more information on Microsoft Azure Encryption and how it works with the Datto solution, refer to: new Article

	Need troubleshooting help? Open the Kaseya Helpdesk.
	Want to talk about it? Head on over to the Community!
	Have an idea for a new feature? Want to learn about upcoming enhancements? Visit the ideas forum!
	Provide feedback for the Documentation team.