20-Something Best Practices for the Datto SIRIS 3
So, you’ve decided to deploy one of the best data backup technologies on the market. Better make sure you do it properly! We’ve put together these best practices for the Datto SIRIS 3 to ensure that your business gets the highest level of protection possible. From deployment to daily backups, here’s how to get the most out of your Datto.
SIZING UP YOUR DATTO
First, you’ll need to select the ideal size BDR appliance for your business. The SIRIS 3 comes in a wide range of sizes, storage capacities and drive types (i.e. all-Flash SSD or hybrid). Here are some things to consider.
1) Map out your protected machines. Consider how many machines (and what kind) will be protected. Are they individual workstations? Production servers? Terminal servers? Keep in mind that each type will likely require its own backup schedule (see recommendations for each type below).
2) Use the 2-3x multiplier rule. At minimum, your Datto appliance should be 2-3 times the total protected space of the machines being protected, a guideline known as the 2-3x Multiplier Rule. You can determine each machine’s total protected size by calculating the currently utilized space on the appliance and then adding a small buffer for potential growth in the future.
3) Reserve at least 30% free space. You’ll need roughly 30% free space on the backed-up drive to ensure optimal backups. The absolute bare minimum is 20%, but you may encounter errors at that level. If so, try increasing the percentage of free space. Also, keep in mind that ample storage is needed for virtualizing backups, since a new image-based backup will be created while the previous backup is virtualized. If you don’t apply the 2-3x Multiplier Rule correctly, your device could fill up very quickly.
4) Consider hardware resource requirements. Beyond storage capacity, you need to be sure your Datto appliance is built with enough resources to power local virtualizations. The backup device’s specs should be in line with the machines being backed up. Consider the CPUs and RAM your servers have. Use that to determine what kind of computing power you’ll need in your SIRIS. If the server goes down and you need to virtualize your business-critical applications, then you need to be sure your BDR can handle it without lag or crashes. (Check SIRIS specs here.)
PRE-INSTALLATION & SECURITY PROTOCOLS
Properly configuring your Datto is critical to maintaining security and creating an iron-clad backup process. Here are some best practices for the Datto SIRIS 3 (many of which also apply to other Datto devices):
1) No inbound Internet. You should never allow inbound access from the Internet to the appliance. The device should be deployed on a secure LAN with only outbound access permitted.
2) Check disk health before installing agents. Before installing a Datto agent, make sure the target machine is in good health. We recommend running a virus scan, disk defrag, and a disk health check.
3) Remove all other backup software. Confirm that no other data backup software is installed on the target server, prior to installing the Datto agent.
4) Restrict outbound communications. Outbound communications from your SIRIS should be restricted to only the networks identified by Datto. Datto has a complete list of permitted networks, ports and firewall settings that you should follow closely here.
5) Enable HTTPS for Web UI. When logging into the Web UI, it’s a good idea to have your login data and session info encrypted. HTTPS ensures this data is protected as it traverses the LAN. You can enable it in the device GUI by going to: Configure > Device Settings > Enable HTTPS.
6) Deploy encrypted agents. By using agent-level encryption, you ensure that backup data written to the ZFS filesystem (and replicated in the cloud) is encrypted at rest, using a unique key that can be generated only with a passphrase held by the administrator.
7) Enable relay forced login. This is another important security protocol. It requires all users to enter their login credentials when navigating from Datto’s Partner Portal to the Device UI via the Datto Relay remote web system. You can enable this in: Configure > Device Settings > Datto Relay Forced Login.
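One way to check items 1 and 4 against an exported firewall rule set, as an added example that is not Datto's code or part of the original article. The rule format, the appliance address and the permitted networks are constructed placeholders (documentation ranges); substitute the list Datto publishes.

```python
import ipaddress

# Assumptions (constructed for illustration): appliance address, LAN range,
# and a stand-in for the vendor-published outbound allow-list.
APPLIANCE = ipaddress.ip_address("192.168.10.50")
LAN = ipaddress.ip_network("192.168.10.0/24")
PERMITTED_OUTBOUND = [ipaddress.ip_network(n)
                      for n in ("198.51.100.0/24", "203.0.113.0/28")]

# Constructed sample rules: (direction, action, source, destination)
SAMPLE_RULES = [
    ("in",  "allow", "192.168.10.0/24",  "192.168.10.50/32"),  # LAN to appliance
    ("in",  "allow", "0.0.0.0/0",        "192.168.10.50/32"),  # Internet to appliance
    ("out", "allow", "192.168.10.50/32", "198.51.100.0/24"),   # permitted network
    ("out", "allow", "192.168.10.50/32", "0.0.0.0/0"),         # unrestricted egress
    ("out", "deny",  "192.168.10.50/32", "0.0.0.0/0"),
]

def audit_rules(rules):
    """Return (rule_index, finding) for allow rules that break item 1 or item 4.

    Each allow rule is judged on its own; first-match ordering is not modelled.
    """
    findings = []
    for i, (direction, action, src, dst) in enumerate(rules):
        if action != "allow":
            continue
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        # Item 1: nothing outside the LAN may reach the appliance.
        if direction == "in" and APPLIANCE in dst_net and not src_net.subnet_of(LAN):
            findings.append((i, "inbound access to appliance from outside the LAN"))
        # Item 4: appliance egress must stay inside the LAN or the permitted list.
        if direction == "out" and APPLIANCE in src_net:
            allowed = dst_net.subnet_of(LAN) or any(
                dst_net.subnet_of(p) for p in PERMITTED_OUTBOUND)
            if not allowed:
                findings.append((i, "outbound destination not on the permitted list"))
    return findings

if __name__ == "__main__":
    for index, finding in audit_rules(SAMPLE_RULES):
        print(f"rule {index}: {finding}")
```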
DEPLOYMENT & CONFIGURATION
Do you have enough network bandwidth for your SIRIS to operate as designed? Is your network configured properly? Here’s what you need for a successful deployment:
1) Gigabit network connection required. All SIRIS 3 devices must be connected to protected machines via gigabit network connections. A 100 Mbps network won’t cut it for transferring large datasets between the protected machines and the Datto appliance. Your SIRIS will not function without a gigabit connection.
2) 50-Mbps dedicated uplink for backups over VPN tunnel. Datto strongly advises that your SIRIS and all protected machines be on the same LAN. If you absolutely must use a WAN to protect certain machines, you will need a minimum of 50-Mbps dedicated uplink for every terabyte of protected data.
3) 1 Mbps (125 KBps) Internet uplink per TB of protected data. Ensure that your protected data is reliably synced to the Datto cloud by having an adequate connection between the SIRIS and the Internet. Datto recommends at least 1 Mbps (125 KBps) uplink per terabyte of protected data stored locally on the Datto device.
4) Configure your firewall appropriately. All ICMP packets must be allowed through your firewall. If the firewall allows you to filter application-specific traffic, set the application profile to “all” or “any.” If your configuration requires you to allow specific ports and IP addresses, follow the instructions here.
5) Free up system resources. Again, your protected machines must have the computing resources to perform backup processes optimally. During installation of the Datto Windows Agent, and during backups, there must be at least 1GB of RAM that remains free.
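A pre-deployment check that applies the sizing rules from the first section and the network and resource requirements above to a machine inventory. This is an added example, not Datto's tooling or part of the original article; the Machine record, the finding codes and the sample inventory are constructed, and the 50 Mbps per TB rule is applied to WAN-connected machines as an assumption.

```python
from dataclasses import dataclass

@dataclass
class Machine:              # hypothetical inventory record, not a Datto format
    name: str
    used_tb: float          # currently utilized space to protect
    free_pct: float         # free space on the backed-up drive, in percent
    free_ram_gb: float      # RAM that stays free during backups
    link_mbps: int          # link speed between machine and appliance
    over_wan: bool = False  # protected across a VPN/WAN instead of the LAN

def preflight(machines, appliance_tb, internet_mbps, wan_mbps=0.0):
    """Return (subject, code) findings for the thresholds quoted in the article."""
    out = []
    total = sum(m.used_tb for m in machines)
    if appliance_tb < 2 * total:                 # 2-3x multiplier rule
        out.append(("appliance", "BELOW_2X_MULTIPLIER"))
    if internet_mbps < 1.0 * total:              # 1 Mbps per TB to the cloud
        out.append(("internet-uplink", "BELOW_1MBPS_PER_TB"))
    # 50 Mbps per TB, applied here to data on WAN-connected machines (assumption)
    wan_tb = sum(m.used_tb for m in machines if m.over_wan)
    if wan_tb and wan_mbps < 50 * wan_tb:
        out.append(("wan-uplink", "BELOW_50MBPS_PER_TB"))
    for m in machines:
        if m.free_pct < 20:                      # bare minimum
            out.append((m.name, "FREE_SPACE_BELOW_MINIMUM"))
        elif m.free_pct < 30:                    # recommended level
            out.append((m.name, "FREE_SPACE_BELOW_RECOMMENDED"))
        if m.free_ram_gb < 1:                    # 1 GB must remain free
            out.append((m.name, "LESS_THAN_1GB_FREE_RAM"))
        if not m.over_wan and m.link_mbps < 1000:
            out.append((m.name, "NOT_GIGABIT"))
    return out

# Constructed sample inventory
SAMPLE = [
    Machine("exchange01", 1.5, 35, 4.0, 1000),
    Machine("ts01", 0.8, 24, 0.5, 1000),
    Machine("branch-fs", 0.5, 15, 2.0, 100, over_wan=True),
]

if __name__ == "__main__":
    for subject, code in preflight(SAMPLE, appliance_tb=4, internet_mbps=5, wan_mbps=20):
        print(subject, code)
```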
BACKUP PROCEDURES & TESTING
Once you’re ready to back up your data, you need to be sure you’re doing it wisely. Here are some things to keep in mind:
1) Schedule your backups appropriately. Every company should have its own timetables for backing up data, based on the needs of the business and the objectives outlined within your business continuity plan. While the SIRIS 3 can perform backups as often as every five minutes, that schedule will not be necessary for every business. Here’s a general rule of thumb for how often to back up various types of machines, as suggested by Datto:
- Exchange & production servers: every hour
- Terminal servers: Daily
- Domain controllers: 2-3 times per week
2) Test everything regularly. An administrator should be testing the SIRIS on a regular basis for backup integrity and overall system reliability. Here are some general timetables for testing various components and functionality:
- Device audit: Daily or every 2 days – This is located under Devices tab in the Partner Portal. Use the audit to check when last backups were taken, whether they were successful, and the status of screenshots.
- Local web interface: Every 3-5 days – Use the interface to delve into further detail on the status of backups and screenshots, at least once a week.
- File restores: Every month – We recommend mounting a recent recovery point once a month, and then browsing the restore via the web interface. Find a file that has been modified very recently and double-check the modified dates and timestamps to ensure they are within expected parameters.
- Local virtualization: Every quarter – After disconnecting from the network, spin up the VMs and log in to the machine. Test essential services and check for critical files. Verify that applications are functional. Also, try logging in as a different user to ensure that accounts are working properly.
- Offsite virtualization: 2 times a year – Same as above; make sure the virtual environment (especially business-critical apps) is running smoothly and that backed-up files are available.
3) Make use of automatic system alerts. The Datto SIRIS 3 offers a range of automatic email alerts that can be sent to one or more administrators. These are a simple and efficient way to track what’s going on with your SIRIS and whether your scheduled backups are successful. In the web interface, go to: Protect tab > Configure Agent Settings > Reporting & Alerting > Set Email Notifications. Here, you can designate the email address to receive a variety of alerts: Success/Failure Backup Screenshots, Weekly Backup Reports, Backup Warnings, Critical Errors and Log Digests.
Be sure to also utilize the device alerts within the Partner Portal, which can notify you about hardware failure, device sync problems, low disk space, large amounts of data being deleted and other issues.
4) Back up only what’s necessary. Before you start the first backup, exclude any volumes that do not need to be backed up. (You can do this within the Advanced Options tab.) Consider, for example, any external drives that are connected to the protected machine but don’t need to be backed up. Those drives will be backed up automatically unless you exclude them.
5) Use caution when backing up laptops. Datto suggests caution when backing up laptops with the Datto Windows Agent. There are many variables involved with the mobile nature of laptops that can result in unreliable backups. Often, it is recommended that laptop users save their data to protected servers instead.
6) Set a realistic retention policy. By default, local backups are retained on the device for 3 months, with additional variations for intra-daily, weekly and monthly backups. Set realistic expectations for how far back you will need to go to perform a full-system backup. Remember: the longer you retain backups, the more space you’ll need.