Invenio IT

30-Something Best Practices for the Datto SIRIS

Dale Shulmistra

Data Protection Specialist @ Invenio IT

So, you’ve decided to deploy one of the best data backup technologies on the market. Better make sure you do it properly! We’ve put together these best practices for the Datto SIRIS 5 to ensure that your business gets the highest level of protection possible. From deployment to daily backups, here’s how to get the most out of your Datto.

What are the best practices for sizing a Datto SIRIS?

First, you’ll need to select the ideal size BDR appliance for your business. The SIRIS 5 comes in a wide range of sizes, storage capacities and drive types (i.e. all-Flash SSD or hybrid). Here are some things to consider.

1) Map out your protected machines. Consider how many machines (and what kind) will be protected. Are they individual workstations? Production servers? Terminal servers? Keep in mind that each type will likely require its own backup schedule (see recommendations for each type below).

2) Use the 2-3x multiplier rule. At minimum, your Datto appliance should be 2-3 times the total protected space of the machines being protected. This is known as the 2-3x Multiplier Rule. You can determine each machine’s total protected size by calculating the currently utilized space on the appliance, and then adding a small buffer for potential growth in the future.

3) Reserve at least 30% free space. You’ll need roughly 30% free space on the backed-up drive to ensure optimal backups. The absolute bare minimum is 20%, but you may encounter errors at that level. If so, try increasing the percentage of free space. Also, keep in mind that ample storage is needed for virtualizing backups, since a new image-based backup will be created while the previous backup is virtualized. If you don’t apply the 2-3x Multiplier Rule correctly, your device could fill up very quickly.

4) Consider hardware resource requirements. Beyond storage capacity, you need to be sure your Datto appliance is built with enough resources to power local virtualizations. The backup device’s specs should be in line with the machines being backed up. Consider the CPUs and RAM your servers have. Use that to determine what kind of computing power you’ll need in your SIRIS. If the server goes down and you need to virtualize your business-critical applications, then you need to be sure your BDR can handle it without lag or crashes. (Check SIRIS specs here.)

What are the best practices for Datto SIRIS installation and security? 

Properly configuring your Datto is critical to maintaining security and creating an iron-clad backup process. Here are some best practices for the Datto SIRIS 5 (many of which also apply to other Datto devices):

1) No inbound Internet. You should never allow inbound access from the Internet to the appliance. The device should be deployed on a secure LAN with only outbound access permitted. 

2) Check disk health before installing agents. Before installing a Datto agent, make sure the target machine is in good health. We recommend running a virus scan, disk defrag and a disk health check.

3) Remove all other backup software. Confirm that no other data backup software is installed on the target server, prior to installing the Datto agent.

4) Restrict outbound communications. Outbound communications from your SIRIS should be restricted to only the networks identified by Datto. Datto has a complete list of permitted networks, ports and firewall settings that you should follow closely here.

5) Enable HTTPS for Web UI. When logging into the Web UI, it’s a good idea to have your login data and session info encrypted. HTTPS ensures this data is protected as it traverses the LAN. You can enable it in the device GUI by going to: Configure > Device Settings > Enable HTTPS.

6) Deploy encrypted agents. By using agent-level encryption, you ensure that backup data written to the ZFS filesystem (and replicated in the cloud) is encrypted at rest, using a unique key that can be generated only with a passphrase held by the administrator.

7) Enable relay forced login. This is another important security protocol that will require all users to enter their login credentials when navigating from Datto’s Partner Portal to the Device UI via the Datto Relay remote web system. You can enable this in: Configure > Device Settings > Datto Relay Forced Login.

8) Limit access to the appliance’s GUI. Only authorized users should be able to manage your Datto SIRIS or access the GUI. An additional way to implement this safeguard is to restrict access at the network level. Datto recommends limiting access to the SIRIS’s management GUI to trusted networks only.
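The network rules in items 1, 4 and 8 can be checked mechanically against a firewall policy. The following is an added example, not Datto or Invenio IT code: the rule format, addresses, GUI ports and the vendor network (an RFC 5737 documentation range standing in for Datto's published list) are all assumptions.

```python
import ipaddress as ip

# All addresses below are constructed for illustration.
RFC1918 = [ip.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TRUSTED_MGMT = [ip.ip_network("10.0.99.0/24")]   # assumed admin network
# Placeholder from the RFC 5737 documentation range, NOT Datto's real list.
VENDOR_NETS = [ip.ip_network("198.51.100.0/24")]
GUI_PORTS = {80, 443}                            # assumed Web UI ports

# Constructed policy for the appliance: (name, direction, peer, port, action).
# Direction is relative to the appliance; port None means "any port".
RULES = [
    ("wan-to-backup",    "in",  "0.0.0.0/0",       443,  "allow"),
    ("lan-to-gui",       "in",  "10.0.0.0/16",     443,  "allow"),
    ("admin-to-gui",     "in",  "10.0.99.0/24",    443,  "allow"),
    ("wan-default",      "in",  "0.0.0.0/0",       None, "deny"),
    ("backup-to-vendor", "out", "198.51.100.0/24", 443,  "allow"),
    ("backup-to-any",    "out", "0.0.0.0/0",       None, "allow"),
]

def within(net, allowed):
    """True if net lies entirely inside one of the allowed networks."""
    return any(net.subnet_of(a) for a in allowed)

def audit(rules):
    """Return (rule name, finding) pairs for allow rules that break the guidance."""
    findings = []
    for name, direction, peer, port, action in rules:
        if action != "allow":
            continue
        net = ip.ip_network(peer)
        if direction == "in":
            # Item 1: nothing outside the private LAN may reach the appliance.
            if not within(net, RFC1918):
                findings.append((name, "inbound from non-LAN source"))
            # Item 8: the GUI is reachable from trusted networks only.
            reaches_gui = port is None or port in GUI_PORTS
            if reaches_gui and not within(net, TRUSTED_MGMT):
                findings.append((name, "GUI reachable from untrusted network"))
        elif not within(net, VENDOR_NETS):
            # Item 4: outbound traffic only to the vendor's listed networks.
            findings.append((name, "outbound beyond vendor networks"))
    return findings

if __name__ == "__main__":
    for rule, finding in audit(RULES):
        print(f"{rule}: {finding}")
```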

What are the best practices for Datto SIRIS deployment and configuration?

Do you have enough network bandwidth for your SIRIS to operate as designed? Is your network configured properly? Here’s what you need for a successful deployment:

1) Gigabit network connection required. All SIRIS 5 devices must be connected to protected machines via gigabit network connections. A 100 Mbps network won’t cut it for transferring large datasets between the protected machines and the Datto appliance. Your SIRIS will not function without a gigabit connection.

2) 50-Mbps dedicated uplink for backups over VPN tunnel. Datto strongly advises that your SIRIS and all protected machines be on the same LAN. If you absolutely must use a WAN to protect certain machines, you will need a minimum of 50-Mbps dedicated uplink for every terabyte of protected data.

3) 1 Mbps (125 KBps) Internet uplink per TB of protected data. Ensure that your protected data is reliably synced to the Datto cloud by having an adequate connection between the SIRIS and the Internet. Datto recommends at least 1 Mbps (125 KBps) uplink per terabyte of protected data stored locally on the Datto device.

4) Configure your firewall appropriately. All ICMP packets must be allowed through your firewall. If the firewall allows you to filter application-specific traffic, set the application profile to “all” or “any.” If your configuration requires you to allow specific ports and IP addresses, follow the instructions here.

5) Free up system resources. Again, your protected machines must have the computing resources to perform backup processes optimally. During installation of the Datto Windows Agent, and during backups, there must be at least 1GB of RAM that remains free.
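The sizing rules (2-3x multiplier, 30% free space) and the deployment rules above (1 Mbps per TB to the Internet, 50 Mbps per TB over WAN, 1 GB free RAM) can be combined into one pre-deployment check. This is an added example, not Datto or Invenio IT code: the inventory is constructed and the 10% growth buffer is an assumption, since the article only says "a small buffer".

```python
GROWTH = 0.10  # assumed growth buffer; the page only says "a small buffer"

# Constructed inventory:
# (name, used TB, volume size TB, free RAM GB, reached over WAN?)
MACHINES = [
    ("exch01",    1.2, 2.0, 4.0, False),
    ("sql01",     1.5, 2.0, 2.0, False),
    ("file01",    3.0, 3.5, 0.5, False),
    ("branch-ts", 0.5, 1.0, 2.0, True),
]

def preflight(machines, appliance_tb, internet_mbps, wan_mbps):
    """Return (subject, finding) pairs for every rule of thumb that is missed."""
    out = []
    protected = sum(used for _, used, _, _, _ in machines) * (1 + GROWTH)
    wan_tb = sum(used for _, used, _, _, wan in machines if wan) * (1 + GROWTH)
    if appliance_tb < 2 * protected:       # lower bound of the 2-3x rule
        out.append(("appliance", "capacity below 2x protected size"))
    if internet_mbps < 1 * protected:      # 1 Mbps per protected TB
        out.append(("internet", "uplink below 1 Mbps per TB"))
    if wan_mbps < 50 * wan_tb:             # 50 Mbps per TB protected over WAN
        out.append(("wan", "uplink below 50 Mbps per TB"))
    for name, used, size, ram_gb, _ in machines:
        free = (size - used) / size        # free fraction of the backed-up drive
        if free < 0.20:
            out.append((name, "free space below 20% minimum"))
        elif free < 0.30:
            out.append((name, "free space below 30% recommendation"))
        if ram_gb < 1.0:
            out.append((name, "less than 1 GB RAM free"))
    return out

if __name__ == "__main__":
    for subject, finding in preflight(MACHINES, 12, 5, 20):
        print(f"{subject}: {finding}")
```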

What are the best practices for Datto SIRIS backups and testing?

Once you’re ready to back up your data, you need to be sure you’re doing it wisely. Here are some things to keep in mind:

1) Schedule your backups appropriately. Every company should have its own timetables for backing up data, based on the needs of the business and the objectives outlined within your business continuity plan. While the SIRIS 5 can perform backups as often as every five minutes, that schedule will not be necessary for every business. Here’s a general rule of thumb for how often to back up various types of machines, as suggested by Datto:

  • Exchange & production servers: every hour
  • Terminal servers: Daily
  • Domain controllers: 2-3 times per week

2) Test everything regularly. An administrator should be testing the SIRIS on a regular basis for backup integrity and overall system reliability. Here are some general timetables for testing various components and functionality:

  • Device audit: Daily or every 2 days – This is located under the Devices tab in the Partner Portal. Use the audit to check when last backups were taken, whether they were successful, and the status of screenshots.
  • Local web Interface: Every 3-5 days – Use the interface to delve into further detail on the status of backups and screenshots, at least once a week.
  • File restores: Every week – We recommend mounting a recent recovery point once a week, and then browsing the restore via the web interface. Find a file that has been modified very recently and double-check the modified dates and timestamps to ensure they are within expected parameters.
  • Local virtualization: Every month – After disconnecting from the network, spin up the VMs and log in to the machine. Test essential services and check for critical files. Verify that applications are functional. Also, try logging in as a different user to ensure that accounts are working properly.
  • Offsite virtualization: 2 times a year – Same as above; make sure the virtual environment (especially business-critical apps) is running smoothly and that backed-up files are available.
  • Offsite DR testing: Once a year – Separate from backup virtualization, Datto recommends performing a full off-site disaster recovery test annually. This can include, but is not limited to, offsite bootability tests, a performance/functionality test, file restore tests, network tests and VPN tests.

3) Make use of automatic system alerts. The Datto SIRIS 5 offers a range of automatic email alerts that can be sent to one or more administrators. These are a simple and efficient way to track what’s going on with your SIRIS and whether your scheduled backups are successful. In the web interface, go to: Protect tab > Configure Agent Settings > Reporting & Alerting > Set Email Notifications. Here, you can designate the email address to receive a variety of alerts: Success/Failure Backup Screenshots, Weekly Backup Reports, Backup Warnings, Critical Errors and Log Digests.

Be sure to also utilize the device alerts within the Partner Portal, which can notify you about hardware failure, device sync problems, low disk space, large amounts of data being deleted and other issues.

4) Back up only what’s necessary. Before you start the first backup, exclude any volumes that do not need to be backed up. (You can do this within the Advanced Options tab.) Consider, for example, any external drives that are connected to the protected machine but don’t need to be backed up. Those drives will be backed up automatically unless you exclude them.

5) Use caution when backing up laptops. Datto suggests caution when backing up laptops with the Datto Windows Agent. There are many variables involved with the mobile nature of laptops that can result in unreliable backups. Often, it is recommended that laptop users save their data to protected servers instead.

6) Set a realistic retention policy. By default, local backups are retained on the device for 3 months, with additional variations for intra-daily, weekly and monthly backups. Set realistic expectations for how far back you will need to go to perform a full-system backup. Remember: the longer you retain backups, the more space you’ll need.
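The weekly file-restore test in item 2 (find a recently modified file and confirm its timestamp is within expected parameters) can be scripted against a mounted recovery point. This is an added example, not Datto or Invenio IT code: the mount path, the 24-hour window and the sample files are assumptions, and the demo builds a constructed directory tree instead of a real restore.

```python
import os
import tempfile
import time

def newest_file(root):
    """Return (mtime, path) of the most recently modified file under root."""
    best = None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mtime = os.stat(path).st_mtime
            if best is None or mtime > best[0]:
                best = (mtime, path)
    return best

def check_restore(root, snapshot_ts, max_gap_s=24 * 3600):
    """Compare the newest file in a mounted restore with the recovery point time."""
    best = newest_file(root)
    if best is None:
        return "FAIL: restore is empty"
    mtime, _path = best
    if mtime > snapshot_ts:      # wrong recovery point mounted, or clock skew
        return "FAIL: file newer than recovery point"
    if snapshot_ts - mtime > max_gap_s:
        return "FAIL: newest file is stale"
    return "OK"

def touch(path, mtime):
    """Create an empty file and set its access and modification time."""
    open(path, "w").close()
    os.utime(path, (mtime, mtime))

def demo():
    """Run the check on a constructed tree standing in for a mounted restore."""
    snap, hour, results = time.time(), 3600, {}
    with tempfile.TemporaryDirectory() as root:
        results["empty"] = check_restore(root, snap)
        touch(os.path.join(root, "old.docx"), snap - 72 * hour)
        results["stale"] = check_restore(root, snap)
        recent = os.path.join(root, "today.txt")
        touch(recent, snap - 2 * hour)
        results["fresh"] = check_restore(root, snap)
        touch(recent, snap + hour)
        results["future"] = check_restore(root, snap)
    return results

if __name__ == "__main__":
    print(demo())
```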

What are the best practices for Datto SIRIS restores and recovery?

The best practices for restoring data from the Datto SIRIS depend on the unique circumstances of the recovery. The Datto SIRIS offers several recovery methods to fit the demands of each data-loss event. The following guidance outlines which method to use in each situation.

1) Use File/Folder Restore for minimal data loss. Do you know what data has been lost? Is it fewer than 5 files or folders? If so, then the quickest and easiest method to recover that data is usually the File/Folder Restore tool. You can do this via the on-site SIRIS or the cloud. Simply select the protected machine and the recovery point you want to restore.

2) Permissions required? Use Direct Restore. When permissions are required for the handful of files/folders you need to recover, then you’ll likely want to use Datto’s Direct Restore Utility. This tool lets you mount volume restores via iSCSI from any recovery point on the Datto appliance. Used in conjunction with Windows Robocopy, you can restore files touched by Windows deduplication or Windows file encryption, and retain file permissions when you transfer the data back to a Windows desktop.

3) Use Rapid Rollback for large unwanted changes. When you need to recover more than 5 files/folders (and the protected machine is booting), then Rapid Rollback is usually the way to go. This tool effectively lets you undo widespread file changes, such as those caused by a ransomware infection or a failed software update. It identifies the files that changed on a production machine since the last backup and restores only those files – so you don’t have to reimage the entire machine.

4) Use Bare Metal Restore when protected machines aren’t booting. Is the protected server dead? For instances in which you need to restore a lot of data from a system that is not booting, you will most likely need to do a Bare Metal Restore (BMR). Datto makes this process easy and in fact recommends virtualizing a recovery point first (to get back to business instantly and identify any potential issues with that recovery point) and then using that recovery point to perform the BMR. This will usually involve using a USB stick to restore the protected system on other hardware.

5) For virtual servers, upload to hypervisor. The Datto SIRIS makes it easy to restore virtual servers by exporting the recovery point to vSphere Hypervisor (via VMDK) or Microsoft Hyper-V (via VHD). You can also use the ESXi Upload option, which will upload a restore point to a connected ESXi host via VMware Converter. The ESXi Upload is ideal if you want to use the ESXi host for computing power and as a datastore.

6) Virtualize for instant access to protected systems. Datto’s backup virtualization allows you to instantly boot a backup as a virtual machine. This is vital in scenarios where you need immediate access to protected files, applications and operating systems while the full recovery is underway. The Datto SIRIS lets you perform this virtualization locally, off-site or via a combination of both (known as hybrid virtualization). Local virtualization is ideal for optimal performance, while cloud virtualization is a dependable failsafe if on-site infrastructure is inaccessible.

7) Deleted cloud snapshot? Use Cloud Deletion Defense. What happens when an agent (and all its associated snapshots) is deleted from the cloud, whether by accident or malicious intent? Datto has a safeguard for this known as Cloud Deletion Defense. While it is not technically a tool in the GUI, it is a failsafe that lets you undo the deletion by contacting Datto Technical Support.

Frequently Asked Questions about Datto Best Practices

If you couldn’t find the specific recommendations you were looking for above, don’t lose hope. Below are a few commonly asked questions about best practices for the Datto SIRIS, followed by contact information for us at Invenio IT, where our experts can help you with your specific situation.

1. What is the best way to free up local storage space on Datto?

The best way to free up local space on your Datto device is to remove recovery points that are already backed up to the cloud or no longer needed. Start by pausing backups within the device’s web interface. Then, on the Protect tab, select Manage Recovery Points to remove unneeded backups.

Also, consider changing the local retention setting. Under the Protect tab, select Configure Agent Settings. Under the Basic section, click Local Backup and Retention Policy, and adjust the retention settings as needed to reduce the number of recovery points stored locally.

2. What is the best way to back up Windows 10 with Datto?

The best way to back up Windows 10 is with Datto’s Cloud Continuity for PCs. This is a software-only backup solution that backs up an entire Windows-based PC to the Datto Cloud without the need for additional hardware.

While Windows 10 has its own backup capabilities through the system image tool, this option is limited and requires using detachable storage. Datto’s Cloud Continuity for PCs provides more robust protection for Windows machines, as well as more seamless transfer of protected files and easier recovery. If you need to back up an entire network, consisting of multiple Windows 10 machines that primarily save data on a server, then consider using Datto SIRIS or ALTO.

3. How do I enable secondary replication on the Datto SIRIS?

Enable secondary replication on the Datto SIRIS by navigating to the Configure tab in the device’s GUI. Under Device Settings, click to enable Secondary Replication. When enabled, the Datto SIRIS will replicate all backups from the primary data center to a secondary data center.

Secondary Replication ensures that backups are still available in the event of unintended deletion of backup data at the primary data center. Data replicated to the secondary site remain available for 90 days after deletion from the primary site.

Want more best practices for the Datto SIRIS 5?

Let our experts guide you. Call Invenio IT at (646) 395-1170, email success@invenioIT.com or request a free demo of the Datto SIRIS today.
