Data Backup
Content
Backup, Archiving and
Disaster Recovery
Access Control System
SIPORT Enterprise R1
The Security Solution for
Life Science Environments
Building Technologies
42359_Siport_BU_en.indd 1
s
14.1.2008 8:08:53 Uhr
42359_Siport_BU_en.indd 2
14.1.2008 8:08:56 Uhr
Table of Contents
1 Abbreviations and Synonyms
5
2 System Environment
6
2.1
2.2
2.3
2.3.1
2.3.2
2.3.3
Backup Software
Image Software
Backup Hardware
Backup Drives
Tape Technologies
Hard Disk Drives
3 Backup Procedures
3.1
3.2
3.3
3.4
3.5
3.6
3.7
3.8
3.9
3.10
3.11
3.12
3.13
3.14
Backup Responsibilities / Logs
Creating Images
SQL Database Backup
Backup Master Database
Backup Model Database
Backup msdb Database
Backup SiportNTAcc Database
Backup SiportNTAcc Transaction Log
Backup SiportNTAcc_Hist Database
SIPORT Kernel Database Backup
Save Backup on Tapes
Backup Time Schedule
Media Rotation
Tape Drive Cleaning Procedure
4 Restore Procedures
4.1
4.2
4.3
Validating Tape Drive Contents
Restore Procedure SIPORT Server (Disaster Recovery)
Restore Procedure SIPORT Databases
7
7
7
7
7
8
9
9
9
10
11
12
13
14
15
16
17
19
19
20
21
21
21
21
23
3
42359_Siport_BU_en.indd 3
14.1.2008 8:08:56 Uhr
List of illustrations
Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13
Fig. 14
Fig. 15
Fig. 16
Fig. 17
Fig. 18
Fig. 19
Fig. 20
Fig. 21
Fig. 22
Fig. 23
Fig. 24
Fig. 25
Fig. 26
Fig. 27
Fig. 28
Fig. 29
Fig. 30
Fig. 31
Fig. 32
Fig. 33
Fig. 34
Fig. 35
Fig. 36
Fig. 37
Fig. 38
System environment 1
System environment 2
Hard disk as a backup volume
Hard disk RAID 1 + 0
Backup Workflow
Backup Jobs
Backup Master Database
Backup Job general Master Database
Backup Job steps Master Database
Backup Job schedules Master Database
Backup Model Database
Backup Job general Model Database
Backup Job steps Model Database
Backup Job schedules Model Database
Backup msdb Database
Backup Job general msdb Database
Backup Job steps msdb Database
Backup Job schedules msdb Database
Backup SiportNTAcc Database
Backup Job general SiportNTAcc Database
Backup Job steps SiportNTAcc Database
Backup Job schedules SiportNTAcc Database
Backup SiportNTAcc transaction log
Backup Job general SiportNTAcc transaction log
Backup Job steps SiportNTAcc transaction log
Backup Job schedules SiportNTAcc transaction log
Backup SiportNTAcc_Hist Database
Backup Job general SiportNTAcc_Hist Database
Backup Job steps SiportNTAcc_Hist Database
Backup Job schedules SiportNTAcc_Hist Database
Backup jobs
Backup Job general SIPORT Kernel Database
Backup Job steps SIPORT Kernel Database
Backup Job SIPORT schedules Kernel Database
Backup Command EXOS386D
Backup time schedule
Restore Procedure Server
Restore Procedure Database
6
6
8
8
9
10
11
11
11
11
12
12
12
12
13
13
13
13
14
14
14
14
15
15
15
15
16
16
16
16
17
17
17
17
18
19
22
23
4
42359_Siport_BU_en.indd 4
14.1.2008 8:09:03 Uhr
Introduction
This document describes the backup and
archiving of data on a SIPORT Enterprise
system used within a pharmaceutical
environment.
This includes the system components:
1
■ SIPORT Enterprise R1
■ WINDOWS 2003 R2 Server
■ Hardware (Server, Clients, Backup
media etc.)
■ Software Backup Tools
Abbreviations and Synonyms
FDA
21 CFR, Partxxx
U.S. Food and Drug Administration
Good automated manufacturing practice, 4th edition.
GMP guide to validate automation systems.
21 Code of Federal Regulations, Partxxx
GMP
Good Manufacturing Practice
ISPE
International Society for Pharmaceutical Engineering
GxP
Good x Practice
GAMP4
x stands for:
Manufacturing
Laboratory
Engineering
Installation
NAS
CIxx
Network Attached Storage
Applies to plants or partial plants not requiring validation, which can
therefore be planned, installed and commissioned like a normal plant.
Computer Identifier x
WIN2003
Windows 2003 Server operating system
WINXP
Windows XP operating system
Non GxP
LTO
Line-Tape-Open
IT
Information Technology
HD System volume (operating system)
HD Data volume (contains data)
HD Backup volume
HD
Hard disk volume
SAN
Storage Array Network
SES SOL TEC
Security Systems Solution Technology Center in Karlsruhe (Germany)
SID
Security Identifier
5
42359_Siport_BU_en.indd 5
14.1.2008 8:09:09 Uhr
2
System Environment
The described backup procedure is based
on the following topology. It shows a
high-end scenario using a Microsoft
Server Cluster with two nodes working
in fail-over mode. For external storage,
two SAN are used connected to the
Server Cluster with redundant Fiber
Channel Switches. SIPORT will run on the
Microsoft Windows Server 2003 R2
Enterprise Edition cluster with full functionality, even during fail-over from one
node to the other. A client computer
system will only see one virtual server
and transmit all access data, history and
configuration updates to the virtual
Server.
Client 1
Client 2
Client …
Client … Client n-1 Client n
LAN WAN
Node B
Node A
Backup
Server
Fiber
Channel
Switch
(SAN)
Fiber
Channel
Switch
(SAN)
In the given example, the possible downtime for the system is minimized.
Backup
Tape
Drive
Storage
Controler and
Storage
Storage
Controler and
Storage
SAN A
SAN B
Building A
Fig. 1
Client 1
Client 2
Client …
Building B
System environment 1
Client … Client n-1 Client n
LAN WAN
If the redundancy is not needed, the
scenario can be abstracted to a standalone server using the local hard drives
to store the data. All functions such as
SIPORT Server, Backup Server, etc. can
be integrated on this single server. This
two nodes fail-over Cluster can be seen
as one virtual Server, so there is nearly
no difference to the backup strategy.
Server
Backup
Tape Drive
Fig. 2
System environment 2
6
42359_Siport_BU_en.indd 6
14.1.2008 8:09:10 Uhr
2.1 Backup Software
2.3.1 Backup Drives
2.3.2 Tape Technologies
Currently you will find two suitable software products on the market fulfilling
our requirements. They are:
When considering backup media, you
can use CDs, DVDs, Blue-Ray discs, NAS,
hard disks and tape drives.
All of these media are able to store the
information offline and in separated
places.
With regards to the typical amount of
data to be backed-up, CDs and DVDs are
not suitable, as media have to be
exchanged during the backup process.
The first decision you have to make is
the selection of the right tape technology.
This can be a nightmare, because comparing the different tape technologies is
like asking the question: “Is Linux better
than WINDOWS?”
The decision is relatively easy if we look
at the amount of data which each tape
technology can store as well the speed
of copying data to the medium.
■
■
CA Brightstor ArcServe
Veritas BackupExec (Symantec)
Both software products have similar
functionalities. The decision which
product should be used, depends on
the hardware of your server, too.
2.2 Image Software
Tape technologies comparison
In the case of a disaster, the image of
the whole server guarantees a 100%
recovery of the data and configuration.
There are several software solutions
available for making an image of a
server, the most usual ones are:
The following table compares the performance and capacity of the various tape
technologies.
■
■
Symantec Ghost
Acronis True Image
The functionalities and complexity of
these products are nearly the same.
2.3 Backup Hardware
The backup can be realized with
different media. To find the right one
is not always easy, because some
preconditions have to be fulfilled:
■
■
■
■
■
■
Capacity of the media
Amount of data to be backed up
Speed of the media
Availability of media
Availability of spare parts
Accessibility
The most important of these are capacity
and speed.
Technology
DAT 24 (DDS-3)
Release
Year
1996
Tape capacity Tape speed
Tape capacity
uncompressed uncompressed compressed
12 GB
1 MB/s
24 GB
DAT 40 (DDS-4)
1999
20 GB
3 MB/s
40 GB
DAT 72 (DDS-5)
2003
36 GB
3 MB/s
72 GB
DLT 8000
1999
40 GB
6 MB/s
SDLT 320
2002
160 GB
16 MB/s
DLT VS80
2001
40 GB
3 MB/s
LTO-1
2000
100 GB
20 MB/s
200 GB
LTO-2
2002
200 GB
40 MB/s
400 GB
LTO-3
2005
400 GB
80 MB/s
800 GB
LTO-4
End 2007
800 GB
120 MB/s
1,6 TB
LTO-5 *
Tba.
1,6 TB
180 MB/s
3,2 TB
The comparison shows the impressive
enhancement of tape technologies.
In the next table we shall see how long it
would take to back up 100GB and
500GB.
We are not using any compression, and
we have the full server performance for
the backup.
* The LTO-5 is planned. The information
is not final.
7
42359_Siport_BU_en.indd 7
14.1.2008 8:09:10 Uhr
Technology
100 GB
No. of tapes
500 GB
Duration *
No. of tapes
Duration *
DAT 24 (DDS-3)
9
28 hours
42
142 hours
DAT 40 (DDS-4)
5
9 hours
25
47 hours
DAT 72 (DDS-5)
3
9 hours
14
47 hours
DLT 8000
3
5 hours
13
24 hours
SDLT 320
1
2 hours
4
9 hours
DLT VS80
3
9 hours
4
47 hours
LTO-1
1
1,4 hours
5
7 hours
LTO-2
1
0,7 hours
3
3,5 hours
LTO-3
1
0,35 hours
2
1,75 hours
LTO-4
1
0,24 hours
1
1,2 hours
* The question is whether the server is able to serve the required speed to the tape
drive.
2.3.3 Hard Disk Drives
The hard disk can be used for backup
storage to speed up the backup time.
As offline storage, this is not the best
solution, because you have to install it,
or you have to mount or dismount the
disk.
To make the backup on different hard
disks you have to install an additional
HD, or you need hot-plug HDs which can
easily be exchanged. However, hot-plug
HDs should be exchanged only in the
event of a fault.
The used HD must have enough space to
store all backup data.
If one HD is not sufficient to store all
the data, more HDs have to be installed.
Then a RAID 1 + 0 or a RAID 0 only can
be built.
RAID 1 + 0 is the combination of RAID 0
(stripping) and RAID 1 (mirroring)
With RAID 0, we enhance the capacity
of the HDs, and with the RAID 1 we have
the security and reliability of the system.
RAID 1 + 0 has a higher performance
compared to other RAID levels like RAID
5. RAID 5 is much slower in writing data
to the HDs than RAID 1 + 0.
RAID 1 + 0 can lose one HD per RAID 1
and the system will still work.
However, the capacity of the RAID 1 +
0 is unsatisfactory, because 50% of the
total HD capacity is lost.
RAID 1
Server
Fig. 3
Server
RAID 1
RAID 1
RAID 1
Single HD
HD Pool with
hot plug HD's
Hard disk as a backup volume
Example to Fig. 4:
RAID 1 (1) = 300GB
RAID 1 (2) = 300GB
RAID 1 (3) = 300GB
-------------900GB / 2 = 450GB
gross capacity
Server
RAID 1
RAID 1
RAID 1
(1)
Even if you make the backup on a HD
or on a HD RAID, you must store the
backups in another physical location, or
on the server.
In the “worst case” you could lose all
data as result of hardware crash, fire,
flood, etc.
RAID 1
(2)
RAID 0
RAID 1
(3)
Fig. 4
Hard disk RAID 1 + 0
The strategy must include the facility for
external storage. Another possibility is
to store the backups on a separate server
on the network.
This solution is more reliable, but it also
needs a reliable network installation.
8
42359_Siport_BU_en.indd 8
14.1.2008 8:09:10 Uhr
3
Backup Procedures
3.1 Backup Responsibilities /
Logs
The operator / backup administrator is
responsible for all the backups, backup
verification and tape changing. All
performed actions are recorded in a
backup log.
The backup log is a manual, paper-based
log, and will show the inserted tape and
contains the successfully verified backups. Any remarks, e.g. tape replacements, will also be noted, along with the
physical location of off-site tapes.
Backup logs will be archived for a period
of 24 months.
3.2 Creating Images
Creating an image is done for all computers after the final configuration, and
forms the basis for a disaster recovery.
The image of a computer includes all
software, configuration, and files, and is
a 1:1 copy of the whole hard disk.
The image must be repeated if any
static files have changed on the system.
The bootable CD establishes a network
connection to the backup server. Thus,
the image is made directly via the network and stored on the backup server.
An MD5 checksum file is stored together
with the image in the image folder.
This MD5 checksum file is used to check,
whether the data is correct, and to
ensure that nothing was corrupted
during the copying of the image file.
The image must be updated after any of
the following:
■ Installing new programs on the
computer
■ Installing a patch on the computer
■ Installing a hotfix on the computer
■ Installing a service pack on the
computer
■ Changing the configuration of the
computer or programs
■ Before and after change of hardware
■ In any case which could have an
influence on the integrity of the
installation
The workflow below shows how we
create an image.
All images are saved with the backup
software on a tape and removed from
the backup server.
Create an image
Close all programs and
switch off the computer
Boot the computer in
WINDOWS
safe mode
Create an MD5 check
sum file for the folder;
Siemens
Shut down
the computer and boot
from the boot CD
Start the image program
and create an image.
Copy the data via
network directly to the
backup server
image file stored on the
backup server
Fig. 5
Backup Workflow
9
42359_Siport_BU_en.indd 9
14.1.2008 8:09:11 Uhr
3.3 SQL Database Backup
The SQL databases are located on the
SAN. For the Database backup, the
Microsoft SQL Server Agent is used,
which has defined jobs, listed below:
Full backup of the:
■ Master database
■ Model database
■ msdb database
■ SiportNTAcc database
■ SIPORTNTAcc_Hist database
and backup of the SiportNTAcc cc database transaction log.
Fig. 6
Backup Jobs
The full backup of the master, model and
msdb database from the Microsoft SQL
server 2005 are scheduled once a day.
The transaction log is not backed up,
because there are not normally many
changes to be made and the databases
are in „simple recovery mode“. With
each backup the corresponding files
in the backup folder of the SAN are
overwritten.
The full backup of the SiportNtAcc database is also done daily. With each backup
the existing file in the backup folder of
the SAN is overwritten. The backup of
the transaction log of the SiportNTAcc
database is scheduled for a cyclic run
hourly, starting 00:15 am. The transaction log backups are appended to the
last full backup of the SiportNTAcc database.
The full backup of the SiportNtAcc_Hist
database is done daily. With each backup
the existing file in the backup folder of
the SAN is overwritten. The transaction
log is not backed up because the database is in “simple recovery model”.
All backups are written to the MSSQL\
backup folder located on the SAN. This
folder will be saved with the backup
software on a tape. The procedure is
described in a following section.
10
42359_Siport_BU_en.indd 10
14.1.2008 8:09:11 Uhr
3.4 Backup Master Database
The full backup of this database is done
daily at 20:00. Because the database is in
simple mode there are no transaction
logs to save. The backup overwrites the
existing backup file. If a problem occurs
and the backup fails, a log entry is
created in the SIPORT Error logbook.
Start
Backup
Master Database
NO
Fig. 8
Backup Job general Master Database
Fig. 9
Backup Job steps Master Database
Fig. 10
Backup Job schedules Master Database
Succeed
YES
Report
backup failure
End
Fig. 7
Backup Master Database
The backup is written to the MSSQL\
backup folder located on the SAN. This
folder will be saved with the backup software on a tape. The procedure is described in a following section.
11
42359_Siport_BU_en.indd 11
14.1.2008 8:09:11 Uhr
3.5 Backup Model Database
The full backup of this database is done
daily at 20:05. Because the database is in
simple mode there are no transaction
logs to save. The backup overwrites the
existing backup file. If a problem occurs
and the backup fails, a log entry is created in the SIPORT Error logbook.
Start
Backup
Model Database
NO
Fig. 12
Backup Job general Model Database
Fig. 13
Backup Job steps Model Database
Fig. 14
Backup Job schedules Model Database
Succeed
YES
Report
backup failure
End
Fig. 11
Backup Model Database
The backup is written to the MSSQL\
backup folder located on the SAN. This
folder will be saved with the Backup
software on a tape. The procedure is
described in a following section.
12
42359_Siport_BU_en.indd 12
14.1.2008 8:09:13 Uhr
3.6 Backup msdb Database
The full backup of this database is done
daily at 20:10. Because the database is in
simple mode there are no transaction
logs to save. The backup overwrites the
existing backup file. If a problem occurs
and the backup fails, a log entry is created in the SIPORT Error logbook.
Start
Backup
msdb atabase
NO
Fig. 16
Backup Job general msdb Database
Fig. 17
Backup Job steps msdb Database
Fig. 18
Backup Job schedules msdb Database
Succeed
YES
Report
backup failure
End
Fig. 15
Backup msdb Database
The backup is written to the MSSQL\
backup folder located on the SAN. This
folder will be saved with the Backup
software on a tape. The procedure is
described in a following section.
13
42359_Siport_BU_en.indd 13
14.1.2008 8:09:14 Uhr
3.7 Backup SiportNTAcc
Database
The full backup of this database is done
daily at 05:45. Prior to the backup, an
integrity check and an attempt to shrink
the database file size are done. The
backup overwrites the existing backup
file. If a problem occurs and the backup
fails, a log entry is created in the SIPORT
Error logbook.
Start
Check Database
Fig. 20
Backup Job general SiportNTAcc Database
Fig. 21
Backup Job steps SiportNTAcc Database
Fig. 22
Backup Job schedules SiportNTAcc Database
NO
Succeed
YES
Shrink Database
NO
Succeed
YES
Backup
SiportNTAcc
Database
NO
Succeed
Report
backup failure
YES
End
Fig. 19
Backup SiportNTAcc Database
The backup is written to the MSSQL\
backup folder located on the SAN. This
folder will be saved with the Backup
software on a tape. The procedure is
described in a following section.
14
42359_Siport_BU_en.indd 14
14.1.2008 8:09:16 Uhr
3.8 Backup SiportNTAcc
Transaction Log
The transaction log backups are done
hourly starting at 00:15. The backups are
appended to the last full backup. If a
problem occurs and the backup fails, a
log entry is created in the SIPORT Error
logbook.
Start
Backup
SiportNT
transaction log
NO
Fig. 24
Backup Job general SiportNTAcc transaction log
Fig. 25
Backup Job steps SiportNTAcc transaction log
Fig. 26
Backup Job schedules SiportNTAcc transaction log
Succeed
YES
Report
backup failure
End
Fig. 23
Backup SiportNTAcc transaction log
The backup is written to the MSSQL\
backup folder located on the SAN. This
folder will be saved with the Backup
software on a tape. The procedure is
described in a following section.
15
42359_Siport_BU_en.indd 15
14.1.2008 8:09:17 Uhr
3.9 Backup SiportNTAcc_
Hist Database
The full backup of this database is done
daily at 02:45. Because the database is in
simple mode there are no transaction
logs to save. Prior to the backup, an integrity check and an attempt to shrink the
database file size are done. The backup
overwrites the existing backup file. If a
problem occurs and the backup fails, a
log entry is created in the SIPORT Error
logbook.
Start
Check
SipotNTAcc_Hist
Database
Fig. 28
Backup Job general SiportNTAcc_Hist Database
Fig. 29
Backup Job steps SiportNTAcc_Hist Database
Fig. 30
Backup Job schedules SiportNTAcc_Hist Database
NO
Succeed
YES
Shrink Database
NO
Succeed
YES
Backup
SiportNTAcc_Hist
Database
NO
Succeed
Report
backup failure
YES
End
Fig. 27
Backup SiportNTAcc_Hist Database
The backup is written to the MSSQL\
backup folder located on the SAN. This
folder will be saved with the Backup
software on a tape. The procedure is
described in a following section.
16
42359_Siport_BU_en.indd 16
14.1.2008 8:09:19 Uhr
3.10 SIPORT Kernel Database
Backup
The SIPORT Kernel database consists
of single files located in the EXOS386D
folder on the SAN. Because these files
are locked by the SIPORT Kernel, they
can not be saved directly.
The backup of SIPORT Kernel database
is initiated by the SQL Server Agent.
Therefore a job Siport_Kernel_Backup is
created on the SQL Server. The backup is
executed at three hour intervals between
00:30 and 21:30.
The backup is written to the MSSQL\
backup folder located on the SAN. This
folder will be saved with the Backup
software on a tape. The procedure is
described in a following section.
Fig. 31
Fig. 32
Backup Job general SIPORT Kernel Database
Fig. 33
Backup Job steps SIPORT Kernel Database
Fig. 34
Backup Job SIPORT schedules Kernel Database
Backup jobs
The batch program copies all database
files from the original EXOS386D to
an EXOS386D_sav folder to avoid the
locked file problem. In this EXOS386D_sav
folder. The single files are compressed
into an archive file using the program
Info-ZIP. With this batch the last 7 backups are kept and the oldest is replaced,
resulting in a total of 8 backup files.
17
42359_Siport_BU_en.indd 17
14.1.2008 8:09:20 Uhr
The following shows an example of the backup.cmd:
Fig. 35
Backup Command EXOS386D
All backups are written to the EXOS386D_sav folder located on the SAN. This folder
will be saved with the Backup software on a tape. The procedure is described in a
following section.
18
42359_Siport_BU_en.indd 18
14.1.2008 8:09:22 Uhr
3.11 Save Backup on Tapes
3.12 Backup Time Schedule
The backups on the local hard drives are
fast to create and allow quick access in
case of a needed recovery. To ensure
that the backups are also available in
case of a disaster recovery, and also to
increase the covered back-up period, it
is very important to store all backups to
external media. This media is for example
a FibreCAT TX24 drive with LTO-3 tapes.
The LTO-3 tape allows 400GB of uncompressed data and 800GB of compressed
data to be stored on a single tape. Since
the daily backups to be saved do not
exceed this storage capacity, it is enough
to use one tape per day. The tape drive is
equipped with 2 cartridges of 12 slots for
tapes. For the backups, 11 slots are used.
We need 6 slots for the daily backup
tapes from Saturday to Thursday, 3 slots
for the weekly backup tapes, one slot for
the monthly backup tape, and one slot
for the cleaning tape. For redundancy,
the second cartridge is also used and
equipped with 10 tapes. On these
additional tapes the daily backups are
mirrored. The media rotation is described
in a following section.
To store the backups on the tape drive
and to perform the tape change, Backup
software installed on the Backup Server
is used. The Backup Server establishes a
connection to a shared folder from the
cluster’s active node, giving access to all
the backup files. The streaming to tape is
activated twice; for the tape in the first
cartridge, and for the tape used as a
mirror in the second cartridge.
The files streamed to tape are:
1
2
3
4
5
6
MASTERDmp.bak
MODELDmp.bak
MSDBDmp.bak
Siportntacc_dmp.bak
Siportntacc_hist_dmp.bak
backup_001.zip
Fig. 36
Backup time schedule
19
42359_Siport_BU_en.indd 19
14.1.2008 8:09:27 Uhr
3.13 Media Rotation
For the media rotation the GFS (Grandfather, Father, Son) method is used
being the most popular tape rotation
algorithm. With this method, 21 tapes
are needed per year using one cartridge.
10 tapes are stored in the tape changer
cartridge at the same time. The backups
from Saturday to Thursday are each
stored on a single tape. The backups on
Fridays are stored on 4 tapes, depending
on the week of the month. The backups
of the first three weeks, and also the last
Friday of the month, are each stored on a
single tape. The backup tape of the last
Friday in the month is removed from the
tape changer, stored in a secured place
and replaced by a new tape. Once a year,
the tapes used for the backups from
Saturday to Thursday and for the first
three weeks in a month are replaced by
new ones.
With the option of using the second cartridge for mirroring the backups, a total
of 42 tapes is needed per year.
This method ensures the permanent
availability of backups from the last 7
days, from the Fridays up to three weeks
prior and from the last Fridays in a
month up to 12 months back.
This method also ensures that a single
tape is not used more than 47 times.
The following table shows the use of
the tapes in one cartridge, the second
cartridge is used in the same way. The
grey cells indicate show when a
tape change has to be performed.
Week
Saturday
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
1
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week1 T7
2
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week2 T8
3
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week3 T9
Month1 T10
4
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
5
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week1 T7
6
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week2 T8
7
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week3 T9
8
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Month2 T11
9
10
11
Sat T1
Sat T1
Sat T1
Sun T2
Sun T2
Sun T2
Mon T3
Mon T3
Mon T3
Tue T4
Tue T4
Tue T4
Wed T5
Wed T5
Wed T5
Thu T6
Thu T6
Thu T6
Week1 T7
Week2 T8
Week3 T9
Month3 T12
12
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
13
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week1 T7
14
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week2 T8
15
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week3 T9
16
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Month4 T13
17
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week1 T7
18
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week2 T8
19
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week3 T9
20
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Month5 T14
21
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week1 T7
22
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week2 T8
23
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week3 T9
24
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Month6 T15
25
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week1 T7
26
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week2 T8
27
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week3 T9
28
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Month7 T16
29
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week1 T7
30
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week2 T8
31
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week3 T9
32
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Month8 T17
33
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week1 T7
34
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week2 T8
35
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week3 T9
36
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Month9 T18
37
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week1 T7
38
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week2 T8
39
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week3 T9
40
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Month10 T19
41
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week1 T7
42
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week2 T8
43
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week3 T9
44
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Month11 T20
45
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week1 T7
46
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week2 T8
47
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week3 T9
48
Sat T22
Sun T23
Mon T24
Tue T25
Wed T26
Thu T27
Month12 T21
49
Sat T22
Sun T23
Mon T24
Tue T25
Wed T26
Thu T27
Week1 T28
50
Sat T22
Sun T23
Mon T24
Tue T25
Wed T26
Thu T27
Week2 T29
51
Sat T22
Sun T23
Mon T24
Tue T25
Wed T26
Thu T27
Week3 T30
20
42359_Siport_BU_en.indd 20
14.1.2008 8:09:32 Uhr
3.14 Tape Drive Cleaning
Procedure
The Autoclean option of the FibreCAT
TX24 enables the library to automatically
perform tape drive cleaning without
operator intervention. When Autoclean
is enabled, the library monitors the
cleaning requirements of the tape drive.
When a tape drive indicates it needs
cleaning, the library loads the cleaning
cartridge into the tape drive. After the
cleaning cycle is completed, the tape
4
drive unloads and ejects the cleaning
cartridge, and the library resumes
operation. The cleaning cartridge must
be installed in the lowest cell available
in the library.
The cleaning option of the backup
application has to be turned OFF. The
cleaning cartridge has to be replaced
each 6 months.
Restore Procedure
4.1 Validating Tape Drive
Content
4.2 Restore Procedure SIPORT
Server (Disaster Recovery)
The daily backups stored on the tapes
are validated regularly twice weekly with
Backup software by loading the tape to
the tape drive and checking whether if
the expected content is shown by the
program. By restoring one of the ZIP
archives to a folder at the backup server
and testing the zip-file integrity with the
command line option ‘zip –T <archive
name>’ it is ensured that the files on the
tape can be used for restoring purposes.
A variety of factors can result in a server
being restored: hardware crash, failure
of installation software which blocks the
machine, a virus, corrupted files, incompatible updates, service packs, hot fixes
etc.
The created images of the servers have
to be validated by the MD5 checksum
which is located together with the image
on the tape.
Because the SIPORT SERVER is a Microsoft Server Cluster which has to be
equipped with an external storage
system, the databases are not stored
locally on the server. Therefore recovery
is done by re-establishing the operating
system and application functionality. It is
assumed that the databases on the SAN
are still in good condition.
With the images that were made before
and during the ongoing operation, the
whole server can be restored. The
appropriate image has to be restored to
the backup server.
The image creation program has to be
booted from the CD to restore from the
image. The program connects to the
backup server via the network to access
the image file, and recreates the local
hard drive of the server. After restoration,
the server is restarted in Windows save
mode to ensure a minimum number of
running programs. The MD5 checksum
check is performed and stored to the
Siemens folder. If the check is ok, the
integrity of the image is granted.
The Security Identifier (an alphanumeric
character string commonly known as
SID) is a unique name assigned by a Windows Domain controller during the logon process. It is used to identify an
object such as a user or a computer or a
group of users in a network of
2000/2003 systems. The SID changes
regularly every 21 days. If the SID is
older than 21 days, the authority check
will fail, because the SID has become
invalid. In such a case, the server has to
be removed from the Domain Active
Directory and re-assigned to the domain,
the server will get a new SID.
21
42359_Siport_BU_en.indd 21
14.1.2008 8:09:32 Uhr
If the functionality check of the cluster node shows no problems, the cluster
resources are online, and the attached clients can connect, the restore is done.
Restoring a Server
Close all programs and
switch off the server
Start the server via
boot CD
Start the image tool and
restore the whole
image
Start the server in
WINDOWS safe mode
and check the
MD5 check sum
Make a test on another
server to ensure the
integrity and conduct
a risk analysis
MD5
check sum ok?
False
True
Is the SID
older than
21 days?
Delete server from the
active directory at the
WINDOWS Domain
Controller to get
a new SID
True
False
Start the server
Start the server
Remove server from the
Domain and restart the
server
Join the server to the
domain and restart the
server
Check connection
and software
Server is restored
Fig. 37
Restore Procedure Server
22
42359_Siport_BU_en.indd 22
14.1.2008 8:09:32 Uhr
4.3 Restore Procedure SIPORT
Databases
If one of the databases on the SAN gets
corrupted, or data is lost by any accident
like application problems or human
failure, it is necessary to restore the data
as close as possible in a status as prior to
the error occurrence.
The SIPORT Server functionality is not
available when restoring SIPORT databases, except for the SiportNTAcc_Hist
database containing only archived data.
The connected workstations are not
allowed to (and cannot) make changes in
the system. Therefore all SIPORT services
and the SQL Server Agent have to be terminated. The SIPORT Kernel has to be
stopped manually.
The database backups have to be retrieved from the tape, and placed in the
backup folder on the SAN.
The restoring of the needed databases of
the Microsoft SQL Server is covered by
the SQL Server Books Online installed on
the SIPORT Server. The described procedures apply to the master, model, and
msdb Database.
The SiportNTAcc_Hist database keeping
the archived logs of the SACS is in simple
mode i.e. no transactions are logged to
the database. This effects the restoration
so that only the last good backup has to
be restored. There is no additional action
to perform; the not yet included logs are
automatically taken over from the
SiportNTAcc database by the archive
creating procedure.
The SiportNTAcc database transaction
log is backed-up hourly and appended to
the last full backup. This allows the
operator to go back in one-hour-steps to
the time before the problem occurred.
The full backup and all transaction log
backups up to the time when the problem occurred are restored with the SQL
Server Management Studio. The exact
procedure is also covered in the Server
Books Online installed on the SIPORT
SERVER.
By replacing the SiportNTAcc Database it
also becomes necessary to restore the
SIPORT Kernel Database as close as
possible to the time when the problem
occurred. The appropriate backup can be
opened by the Windows Explorer and the
included database files are copied to the
EXOS386D folder on the SIPORT Server.
Restoring a Database
Terminate the services
and close all programs
Restore the backups
from tape to disk
Start SQL Server
Management Studio
Restore the full backup
and necessary
transaction logs
Is restore of
SiportNTAcc
False
True
Extract the SIPORT
Kernel databases from
zip archive to the
EXOS386D folder
Start the services
Database is restored
Fig. 38
Restore Procedure Database
23
42359_Siport_BU_en.indd 23
14.1.2008 8:09:32 Uhr
Siemens Switzerland Ltd
Building Technologies Group
International Headquarters
Gubelstrasse 22
CH-6301 Zug
Tel. +41 41 724 24 24
Fax +41 41 724 35 22
Siemens Building Technologies
Security Systems
SES SOL TeC
Siemensallee 84
D-76187 Karlsruhe
Tel. +49-721-595-3103
Fax +49-721-595-8191
The information in this document contains general descriptions of technical options available,
which do not always have to be present in individual cases. The required features should therefore
be specified in each individual case at the time of closing the contract.
Subject to change • Order no. 0-92104-en •
© Siemens Switzerland Ltd • Printed in Switzerland • xxxxx Ni/Ah
www.siemens.com/buildingtechnologies-pharma
42359_Siport_BU_en.indd 24
14.1.2008 8:09:33 Uhr
Disaster Recovery
Access Control System
SIPORT Enterprise R1
The Security Solution for
Life Science Environments
Building Technologies
42359_Siport_BU_en.indd 1
s
14.1.2008 8:08:53 Uhr
42359_Siport_BU_en.indd 2
14.1.2008 8:08:56 Uhr
Table of Contents
1 Abbreviations and Synonyms
5
2 System Environment
6
2.1
2.2
2.3
2.3.1
2.3.2
2.3.3
Backup Software
Image Software
Backup Hardware
Backup Drives
Tape Technologies
Hard Disk Drives
3 Backup Procedures
3.1
3.2
3.3
3.4
3.5
3.6
3.7
3.8
3.9
3.10
3.11
3.12
3.13
3.14
Backup Responsibilities / Logs
Creating Images
SQL Database Backup
Backup Master Database
Backup Model Database
Backup msdb Database
Backup SiportNTAcc Database
Backup SiportNTAcc Transaction Log
Backup SiportNTAcc_Hist Database
SIPORT Kernel Database Backup
Save Backup on Tapes
Backup Time Schedule
Media Rotation
Tape Drive Cleaning Procedure
4 Restore Procedures
4.1
4.2
4.3
Validating Tape Drive Contents
Restore Procedure SIPORT Server (Disaster Recovery)
Restore Procedure SIPORT Databases
7
7
7
7
7
8
9
9
9
10
11
12
13
14
15
16
17
19
19
20
21
21
21
21
23
3
42359_Siport_BU_en.indd 3
14.1.2008 8:08:56 Uhr
List of illustrations
Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13
Fig. 14
Fig. 15
Fig. 16
Fig. 17
Fig. 18
Fig. 19
Fig. 20
Fig. 21
Fig. 22
Fig. 23
Fig. 24
Fig. 25
Fig. 26
Fig. 27
Fig. 28
Fig. 29
Fig. 30
Fig. 31
Fig. 32
Fig. 33
Fig. 34
Fig. 35
Fig. 36
Fig. 37
Fig. 38
System environment 1
System environment 2
Hard disk as a backup volume
Hard disk RAID 1 + 0
Backup Workflow
Backup Jobs
Backup Master Database
Backup Job general Master Database
Backup Job steps Master Database
Backup Job schedules Master Database
Backup Model Database
Backup Job general Model Database
Backup Job steps Model Database
Backup Job schedules Model Database
Backup msdb Database
Backup Job general msdb Database
Backup Job steps msdb Database
Backup Job schedules msdb Database
Backup SiportNTAcc Database
Backup Job general SiportNTAcc Database
Backup Job steps SiportNTAcc Database
Backup Job schedules SiportNTAcc Database
Backup SiportNTAcc transaction log
Backup Job general SiportNTAcc transaction log
Backup Job steps SiportNTAcc transaction log
Backup Job schedules SiportNTAcc transaction log
Backup SiportNTAcc_Hist Database
Backup Job general SiportNTAcc_Hist Database
Backup Job steps SiportNTAcc_Hist Database
Backup Job schedules SiportNTAcc_Hist Database
Backup jobs
Backup Job general SIPORT Kernel Database
Backup Job steps SIPORT Kernel Database
Backup Job SIPORT schedules Kernel Database
Backup Command EXOS386D
Backup time schedule
Restore Procedure Server
Restore Procedure Database
6
6
8
8
9
10
11
11
11
11
12
12
12
12
13
13
13
13
14
14
14
14
15
15
15
15
16
16
16
16
17
17
17
17
18
19
22
23
4
42359_Siport_BU_en.indd 4
14.1.2008 8:09:03 Uhr
Introduction
This document describes the backup and
archiving of data on a SIPORT Enterprise
system used within a pharmaceutical
environment.
This includes the system components:
1
■ SIPORT Enterprise R1
■ WINDOWS 2003 R2 Server
■ Hardware (Server, Clients, Backup
media etc.)
■ Software Backup Tools
Abbreviations and Synonyms
FDA
21 CFR, Partxxx
U.S. Food and Drug Administration
Good automated manufacturing practice, 4th edition.
GMP guide to validate automation systems.
21 Code of Federal Regulations, Partxxx
GMP
Good Manufacturing Practice
ISPE
International Society for Pharmaceutical Engineering
GxP
Good x Practice
GAMP4
x stands for:
Manufacturing
Laboratory
Engineering
Installation
NAS
CIxx
Network Attached Storage
Applies to plants or partial plants not requiring validation, which can
therefore be planned, installed and commissioned like a normal plant.
Computer Identifier x
WIN2003
Windows 2003 Server operating system
WINXP
Windows XP operating system
Non GxP
LTO
Line-Tape-Open
IT
Information Technology
HD System volume (operating system)
HD Data volume (contains data)
HD Backup volume
HD
Hard disk volume
SAN
Storage Array Network
SES SOL TEC
Security Systems Solution Technology Center in Karlsruhe (Germany)
SID
Security Identifier
5
42359_Siport_BU_en.indd 5
14.1.2008 8:09:09 Uhr
2
System Environment
The described backup procedure is based
on the following topology. It shows a
high-end scenario using a Microsoft
Server Cluster with two nodes working
in fail-over mode. For external storage,
two SAN are used connected to the
Server Cluster with redundant Fiber
Channel Switches. SIPORT will run on the
Microsoft Windows Server 2003 R2
Enterprise Edition cluster with full functionality, even during fail-over from one
node to the other. A client computer
system will only see one virtual server
and transmit all access data, history and
configuration updates to the virtual
Server.
Client 1
Client 2
Client …
Client … Client n-1 Client n
LAN WAN
Node B
Node A
Backup
Server
Fiber
Channel
Switch
(SAN)
Fiber
Channel
Switch
(SAN)
In the given example, the possible downtime for the system is minimized.
Backup
Tape
Drive
Storage
Controler and
Storage
Storage
Controler and
Storage
SAN A
SAN B
Building A
Fig. 1
Client 1
Client 2
Client …
Building B
System environment 1
Client … Client n-1 Client n
LAN WAN
If the redundancy is not needed, the
scenario can be abstracted to a standalone server using the local hard drives
to store the data. All functions such as
SIPORT Server, Backup Server, etc. can
be integrated on this single server. This
two nodes fail-over Cluster can be seen
as one virtual Server, so there is nearly
no difference to the backup strategy.
Server
Backup
Tape Drive
Fig. 2
System environment 2
6
42359_Siport_BU_en.indd 6
14.1.2008 8:09:10 Uhr
2.1 Backup Software
2.3.1 Backup Drives
2.3.2 Tape Technologies
Currently you will find two suitable software products on the market fulfilling
our requirements. They are:
When considering backup media, you
can use CDs, DVDs, Blue-Ray discs, NAS,
hard disks and tape drives.
All of these media are able to store the
information offline and in separated
places.
With regards to the typical amount of
data to be backed-up, CDs and DVDs are
not suitable, as media have to be
exchanged during the backup process.
The first decision you have to make is
the selection of the right tape technology.
This can be a nightmare, because comparing the different tape technologies is
like asking the question: “Is Linux better
than WINDOWS?”
The decision is relatively easy if we look
at the amount of data which each tape
technology can store as well the speed
of copying data to the medium.
■
■
CA Brightstor ArcServe
Veritas BackupExec (Symantec)
Both software products have similar
functionalities. The decision which
product should be used, depends on
the hardware of your server, too.
2.2 Image Software
Tape technologies comparison
In the case of a disaster, the image of
the whole server guarantees a 100%
recovery of the data and configuration.
There are several software solutions
available for making an image of a
server, the most usual ones are:
The following table compares the performance and capacity of the various tape
technologies.
■
■
Symantec Ghost
Acronis True Image
The functionalities and complexity of
these products are nearly the same.
2.3 Backup Hardware
The backup can be realized with
different media. To find the right one
is not always easy, because some
preconditions have to be fulfilled:
■
■
■
■
■
■
Capacity of the media
Amount of data to be backed up
Speed of the media
Availability of media
Availability of spare parts
Accessibility
The most important of these are capacity
and speed.
Technology
DAT 24 (DDS-3)
Release
Year
1996
Tape capacity Tape speed
Tape capacity
uncompressed uncompressed compressed
12 GB
1 MB/s
24 GB
DAT 40 (DDS-4)
1999
20 GB
3 MB/s
40 GB
DAT 72 (DDS-5)
2003
36 GB
3 MB/s
72 GB
DLT 8000
1999
40 GB
6 MB/s
SDLT 320
2002
160 GB
16 MB/s
DLT VS80
2001
40 GB
3 MB/s
LTO-1
2000
100 GB
20 MB/s
200 GB
LTO-2
2002
200 GB
40 MB/s
400 GB
LTO-3
2005
400 GB
80 MB/s
800 GB
LTO-4
End 2007
800 GB
120 MB/s
1,6 TB
LTO-5 *
Tba.
1,6 TB
180 MB/s
3,2 TB
The comparison shows the impressive
enhancement of tape technologies.
In the next table we shall see how long it
would take to back up 100GB and
500GB.
We are not using any compression, and
we have the full server performance for
the backup.
* The LTO-5 is planned. The information
is not final.
7
42359_Siport_BU_en.indd 7
14.1.2008 8:09:10 Uhr
Technology
100 GB
No. of tapes
500 GB
Duration *
No. of tapes
Duration *
DAT 24 (DDS-3)
9
28 hours
42
142 hours
DAT 40 (DDS-4)
5
9 hours
25
47 hours
DAT 72 (DDS-5)
3
9 hours
14
47 hours
DLT 8000
3
5 hours
13
24 hours
SDLT 320
1
2 hours
4
9 hours
DLT VS80
3
9 hours
4
47 hours
LTO-1
1
1,4 hours
5
7 hours
LTO-2
1
0,7 hours
3
3,5 hours
LTO-3
1
0,35 hours
2
1,75 hours
LTO-4
1
0,24 hours
1
1,2 hours
* The question is whether the server is able to serve the required speed to the tape
drive.
2.3.3 Hard Disk Drives
The hard disk can be used for backup
storage to speed up the backup time.
As offline storage, this is not the best
solution, because you have to install it,
or you have to mount or dismount the
disk.
To make the backup on different hard
disks you have to install an additional
HD, or you need hot-plug HDs which can
easily be exchanged. However, hot-plug
HDs should be exchanged only in the
event of a fault.
The used HD must have enough space to
store all backup data.
If one HD is not sufficient to store all
the data, more HDs have to be installed.
Then a RAID 1 + 0 or a RAID 0 only can
be built.
RAID 1 + 0 is the combination of RAID 0
(stripping) and RAID 1 (mirroring)
With RAID 0, we enhance the capacity
of the HDs, and with the RAID 1 we have
the security and reliability of the system.
RAID 1 + 0 has a higher performance
compared to other RAID levels like RAID
5. RAID 5 is much slower in writing data
to the HDs than RAID 1 + 0.
RAID 1 + 0 can lose one HD per RAID 1
and the system will still work.
However, the capacity of the RAID 1 +
0 is unsatisfactory, because 50% of the
total HD capacity is lost.
RAID 1
Server
Fig. 3
Server
RAID 1
RAID 1
RAID 1
Single HD
HD Pool with
hot plug HD's
Hard disk as a backup volume
Example to Fig. 4:
RAID 1 (1) = 300GB
RAID 1 (2) = 300GB
RAID 1 (3) = 300GB
-------------900GB / 2 = 450GB
gross capacity
Server
RAID 1
RAID 1
RAID 1
(1)
Even if you make the backup on a HD
or on a HD RAID, you must store the
backups in another physical location, or
on the server.
In the “worst case” you could lose all
data as result of hardware crash, fire,
flood, etc.
RAID 1
(2)
RAID 0
RAID 1
(3)
Fig. 4
Hard disk RAID 1 + 0
The strategy must include the facility for
external storage. Another possibility is
to store the backups on a separate server
on the network.
This solution is more reliable, but it also
needs a reliable network installation.
8
42359_Siport_BU_en.indd 8
14.1.2008 8:09:10 Uhr
3
Backup Procedures
3.1 Backup Responsibilities /
Logs
The operator / backup administrator is
responsible for all the backups, backup
verification and tape changing. All
performed actions are recorded in a
backup log.
The backup log is a manual, paper-based
log, and will show the inserted tape and
contains the successfully verified backups. Any remarks, e.g. tape replacements, will also be noted, along with the
physical location of off-site tapes.
Backup logs will be archived for a period
of 24 months.
3.2 Creating Images
Creating an image is done for all computers after the final configuration, and
forms the basis for a disaster recovery.
The image of a computer includes all
software, configuration, and files, and is
a 1:1 copy of the whole hard disk.
The image must be repeated if any
static files have changed on the system.
The bootable CD establishes a network
connection to the backup server. Thus,
the image is made directly via the network and stored on the backup server.
An MD5 checksum file is stored together
with the image in the image folder.
This MD5 checksum file is used to check,
whether the data is correct, and to
ensure that nothing was corrupted
during the copying of the image file.
The image must be updated after any of
the following:
■ Installing new programs on the
computer
■ Installing a patch on the computer
■ Installing a hotfix on the computer
■ Installing a service pack on the
computer
■ Changing the configuration of the
computer or programs
■ Before and after change of hardware
■ In any case which could have an
influence on the integrity of the
installation
The workflow below shows how we
create an image.
All images are saved with the backup
software on a tape and removed from
the backup server.
Create an image
Close all programs and
switch off the computer
Boot the computer in
WINDOWS
safe mode
Create an MD5 check
sum file for the folder;
Siemens
Shut down
the computer and boot
from the boot CD
Start the image program
and create an image.
Copy the data via
network directly to the
backup server
image file stored on the
backup server
Fig. 5
Backup Workflow
9
42359_Siport_BU_en.indd 9
14.1.2008 8:09:11 Uhr
3.3 SQL Database Backup
The SQL databases are located on the
SAN. For the Database backup, the
Microsoft SQL Server Agent is used,
which has defined jobs, listed below:
Full backup of the:
■ Master database
■ Model database
■ msdb database
■ SiportNTAcc database
■ SIPORTNTAcc_Hist database
and backup of the SiportNTAcc cc database transaction log.
Fig. 6
Backup Jobs
The full backup of the master, model and
msdb database from the Microsoft SQL
server 2005 are scheduled once a day.
The transaction log is not backed up,
because there are not normally many
changes to be made and the databases
are in „simple recovery mode“. With
each backup the corresponding files
in the backup folder of the SAN are
overwritten.
The full backup of the SiportNtAcc database is also done daily. With each backup
the existing file in the backup folder of
the SAN is overwritten. The backup of
the transaction log of the SiportNTAcc
database is scheduled for a cyclic run
hourly, starting 00:15 am. The transaction log backups are appended to the
last full backup of the SiportNTAcc database.
The full backup of the SiportNtAcc_Hist
database is done daily. With each backup
the existing file in the backup folder of
the SAN is overwritten. The transaction
log is not backed up because the database is in “simple recovery model”.
All backups are written to the MSSQL\
backup folder located on the SAN. This
folder will be saved with the backup
software on a tape. The procedure is
described in a following section.
10
42359_Siport_BU_en.indd 10
14.1.2008 8:09:11 Uhr
3.4 Backup Master Database
The full backup of this database is done
daily at 20:00. Because the database is in
simple mode there are no transaction
logs to save. The backup overwrites the
existing backup file. If a problem occurs
and the backup fails, a log entry is
created in the SIPORT Error logbook.
Start
Backup
Master Database
NO
Fig. 8
Backup Job general Master Database
Fig. 9
Backup Job steps Master Database
Fig. 10
Backup Job schedules Master Database
Succeed
YES
Report
backup failure
End
Fig. 7
Backup Master Database
The backup is written to the MSSQL\
backup folder located on the SAN. This
folder will be saved with the backup software on a tape. The procedure is described in a following section.
11
42359_Siport_BU_en.indd 11
14.1.2008 8:09:11 Uhr
3.5 Backup Model Database
The full backup of this database is done
daily at 20:05. Because the database is in
simple mode there are no transaction
logs to save. The backup overwrites the
existing backup file. If a problem occurs
and the backup fails, a log entry is created in the SIPORT Error logbook.
Start
Backup
Model Database
NO
Fig. 12
Backup Job general Model Database
Fig. 13
Backup Job steps Model Database
Fig. 14
Backup Job schedules Model Database
Succeed
YES
Report
backup failure
End
Fig. 11
Backup Model Database
The backup is written to the MSSQL\
backup folder located on the SAN. This
folder will be saved with the Backup
software on a tape. The procedure is
described in a following section.
12
42359_Siport_BU_en.indd 12
14.1.2008 8:09:13 Uhr
3.6 Backup msdb Database
The full backup of this database is done
daily at 20:10. Because the database is in
simple mode there are no transaction
logs to save. The backup overwrites the
existing backup file. If a problem occurs
and the backup fails, a log entry is created in the SIPORT Error logbook.
Start
Backup
msdb atabase
NO
Fig. 16
Backup Job general msdb Database
Fig. 17
Backup Job steps msdb Database
Fig. 18
Backup Job schedules msdb Database
Succeed
YES
Report
backup failure
End
Fig. 15
Backup msdb Database
The backup is written to the MSSQL\
backup folder located on the SAN. This
folder will be saved with the Backup
software on a tape. The procedure is
described in a following section.
13
42359_Siport_BU_en.indd 13
14.1.2008 8:09:14 Uhr
3.7 Backup SiportNTAcc
Database
The full backup of this database is done
daily at 05:45. Prior to the backup, an
integrity check and an attempt to shrink
the database file size are done. The
backup overwrites the existing backup
file. If a problem occurs and the backup
fails, a log entry is created in the SIPORT
Error logbook.
Start
Check Database
Fig. 20
Backup Job general SiportNTAcc Database
Fig. 21
Backup Job steps SiportNTAcc Database
Fig. 22
Backup Job schedules SiportNTAcc Database
NO
Succeed
YES
Shrink Database
NO
Succeed
YES
Backup
SiportNTAcc
Database
NO
Succeed
Report
backup failure
YES
End
Fig. 19
Backup SiportNTAcc Database
The backup is written to the MSSQL\
backup folder located on the SAN. This
folder will be saved with the Backup
software on a tape. The procedure is
described in a following section.
14
42359_Siport_BU_en.indd 14
14.1.2008 8:09:16 Uhr
3.8 Backup SiportNTAcc
Transaction Log
The transaction log backups are done
hourly starting at 00:15. The backups are
appended to the last full backup. If a
problem occurs and the backup fails, a
log entry is created in the SIPORT Error
logbook.
Start
Backup
SiportNT
transaction log
NO
Fig. 24
Backup Job general SiportNTAcc transaction log
Fig. 25
Backup Job steps SiportNTAcc transaction log
Fig. 26
Backup Job schedules SiportNTAcc transaction log
Succeed
YES
Report
backup failure
End
Fig. 23
Backup SiportNTAcc transaction log
The backup is written to the MSSQL\
backup folder located on the SAN. This
folder will be saved with the Backup
software on a tape. The procedure is
described in a following section.
15
42359_Siport_BU_en.indd 15
14.1.2008 8:09:17 Uhr
3.9 Backup SiportNTAcc_
Hist Database
The full backup of this database is done
daily at 02:45. Because the database is in
simple mode there are no transaction
logs to save. Prior to the backup, an integrity check and an attempt to shrink the
database file size are done. The backup
overwrites the existing backup file. If a
problem occurs and the backup fails, a
log entry is created in the SIPORT Error
logbook.
Start
Check
SipotNTAcc_Hist
Database
Fig. 28
Backup Job general SiportNTAcc_Hist Database
Fig. 29
Backup Job steps SiportNTAcc_Hist Database
Fig. 30
Backup Job schedules SiportNTAcc_Hist Database
NO
Succeed
YES
Shrink Database
NO
Succeed
YES
Backup
SiportNTAcc_Hist
Database
NO
Succeed
Report
backup failure
YES
End
Fig. 27
Backup SiportNTAcc_Hist Database
The backup is written to the MSSQL\
backup folder located on the SAN. This
folder will be saved with the Backup
software on a tape. The procedure is
described in a following section.
16
42359_Siport_BU_en.indd 16
14.1.2008 8:09:19 Uhr
3.10 SIPORT Kernel Database
Backup
The SIPORT Kernel database consists
of single files located in the EXOS386D
folder on the SAN. Because these files
are locked by the SIPORT Kernel, they
can not be saved directly.
The backup of SIPORT Kernel database
is initiated by the SQL Server Agent.
Therefore a job Siport_Kernel_Backup is
created on the SQL Server. The backup is
executed at three hour intervals between
00:30 and 21:30.
The backup is written to the MSSQL\
backup folder located on the SAN. This
folder will be saved with the Backup
software on a tape. The procedure is
described in a following section.
Fig. 31
Fig. 32
Backup Job general SIPORT Kernel Database
Fig. 33
Backup Job steps SIPORT Kernel Database
Fig. 34
Backup Job SIPORT schedules Kernel Database
Backup jobs
The batch program copies all database
files from the original EXOS386D to
an EXOS386D_sav folder to avoid the
locked file problem. In this EXOS386D_sav
folder. The single files are compressed
into an archive file using the program
Info-ZIP. With this batch the last 7 backups are kept and the oldest is replaced,
resulting in a total of 8 backup files.
17
42359_Siport_BU_en.indd 17
14.1.2008 8:09:20 Uhr
The following shows an example of the backup.cmd:
Fig. 35
Backup Command EXOS386D
All backups are written to the EXOS386D_sav folder located on the SAN. This folder
will be saved with the Backup software on a tape. The procedure is described in a
following section.
18
42359_Siport_BU_en.indd 18
14.1.2008 8:09:22 Uhr
3.11 Save Backup on Tapes
3.12 Backup Time Schedule
The backups on the local hard drives are
fast to create and allow quick access in
case of a needed recovery. To ensure
that the backups are also available in
case of a disaster recovery, and also to
increase the covered back-up period, it
is very important to store all backups to
external media. This media is for example
a FibreCAT TX24 drive with LTO-3 tapes.
The LTO-3 tape allows 400GB of uncompressed data and 800GB of compressed
data to be stored on a single tape. Since
the daily backups to be saved do not
exceed this storage capacity, it is enough
to use one tape per day. The tape drive is
equipped with 2 cartridges of 12 slots for
tapes. For the backups, 11 slots are used.
We need 6 slots for the daily backup
tapes from Saturday to Thursday, 3 slots
for the weekly backup tapes, one slot for
the monthly backup tape, and one slot
for the cleaning tape. For redundancy,
the second cartridge is also used and
equipped with 10 tapes. On these
additional tapes the daily backups are
mirrored. The media rotation is described
in a following section.
To store the backups on the tape drive
and to perform the tape change, Backup
software installed on the Backup Server
is used. The Backup Server establishes a
connection to a shared folder from the
cluster’s active node, giving access to all
the backup files. The streaming to tape is
activated twice; for the tape in the first
cartridge, and for the tape used as a
mirror in the second cartridge.
The files streamed to tape are:
1
2
3
4
5
6
MASTERDmp.bak
MODELDmp.bak
MSDBDmp.bak
Siportntacc_dmp.bak
Siportntacc_hist_dmp.bak
backup_001.zip
Fig. 36
Backup time schedule
19
42359_Siport_BU_en.indd 19
14.1.2008 8:09:27 Uhr
3.13 Media Rotation
For the media rotation the GFS (Grandfather, Father, Son) method is used
being the most popular tape rotation
algorithm. With this method, 21 tapes
are needed per year using one cartridge.
10 tapes are stored in the tape changer
cartridge at the same time. The backups
from Saturday to Thursday are each
stored on a single tape. The backups on
Fridays are stored on 4 tapes, depending
on the week of the month. The backups
of the first three weeks, and also the last
Friday of the month, are each stored on a
single tape. The backup tape of the last
Friday in the month is removed from the
tape changer, stored in a secured place
and replaced by a new tape. Once a year,
the tapes used for the backups from
Saturday to Thursday and for the first
three weeks in a month are replaced by
new ones.
With the option of using the second cartridge for mirroring the backups, a total
of 42 tapes is needed per year.
This method ensures the permanent
availability of backups from the last 7
days, from the Fridays up to three weeks
prior and from the last Fridays in a
month up to 12 months back.
This method also ensures that a single
tape is not used more than 47 times.
The following table shows the use of
the tapes in one cartridge, the second
cartridge is used in the same way. The
grey cells indicate show when a
tape change has to be performed.
Week
Saturday
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
1
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week1 T7
2
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week2 T8
3
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week3 T9
Month1 T10
4
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
5
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week1 T7
6
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week2 T8
7
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week3 T9
8
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Month2 T11
9
10
11
Sat T1
Sat T1
Sat T1
Sun T2
Sun T2
Sun T2
Mon T3
Mon T3
Mon T3
Tue T4
Tue T4
Tue T4
Wed T5
Wed T5
Wed T5
Thu T6
Thu T6
Thu T6
Week1 T7
Week2 T8
Week3 T9
Month3 T12
12
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
13
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week1 T7
14
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week2 T8
15
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week3 T9
16
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Month4 T13
17
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week1 T7
18
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week2 T8
19
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week3 T9
20
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Month5 T14
21
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week1 T7
22
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week2 T8
23
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week3 T9
24
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Month6 T15
25
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week1 T7
26
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week2 T8
27
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week3 T9
28
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Month7 T16
29
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week1 T7
30
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week2 T8
31
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week3 T9
32
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Month8 T17
33
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week1 T7
34
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week2 T8
35
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week3 T9
36
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Month9 T18
37
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week1 T7
38
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week2 T8
39
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week3 T9
40
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Month10 T19
41
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week1 T7
42
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week2 T8
43
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week3 T9
44
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Month11 T20
45
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week1 T7
46
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week2 T8
47
Sat T1
Sun T2
Mon T3
Tue T4
Wed T5
Thu T6
Week3 T9
48
Sat T22
Sun T23
Mon T24
Tue T25
Wed T26
Thu T27
Month12 T21
49
Sat T22
Sun T23
Mon T24
Tue T25
Wed T26
Thu T27
Week1 T28
50
Sat T22
Sun T23
Mon T24
Tue T25
Wed T26
Thu T27
Week2 T29
51
Sat T22
Sun T23
Mon T24
Tue T25
Wed T26
Thu T27
Week3 T30
20
42359_Siport_BU_en.indd 20
14.1.2008 8:09:32 Uhr
3.14 Tape Drive Cleaning
Procedure
The Autoclean option of the FibreCAT
TX24 enables the library to automatically
perform tape drive cleaning without
operator intervention. When Autoclean
is enabled, the library monitors the
cleaning requirements of the tape drive.
When a tape drive indicates it needs
cleaning, the library loads the cleaning
cartridge into the tape drive. After the
cleaning cycle is completed, the tape
4
drive unloads and ejects the cleaning
cartridge, and the library resumes
operation. The cleaning cartridge must
be installed in the lowest cell available
in the library.
The cleaning option of the backup
application has to be turned OFF. The
cleaning cartridge has to be replaced
each 6 months.
Restore Procedure
4.1 Validating Tape Drive
Content
4.2 Restore Procedure SIPORT
Server (Disaster Recovery)
The daily backups stored on the tapes
are validated regularly twice weekly with
Backup software by loading the tape to
the tape drive and checking whether if
the expected content is shown by the
program. By restoring one of the ZIP
archives to a folder at the backup server
and testing the zip-file integrity with the
command line option ‘zip –T <archive
name>’ it is ensured that the files on the
tape can be used for restoring purposes.
A variety of factors can result in a server
being restored: hardware crash, failure
of installation software which blocks the
machine, a virus, corrupted files, incompatible updates, service packs, hot fixes
etc.
The created images of the servers have
to be validated by the MD5 checksum
which is located together with the image
on the tape.
Because the SIPORT SERVER is a Microsoft Server Cluster which has to be
equipped with an external storage
system, the databases are not stored
locally on the server. Therefore recovery
is done by re-establishing the operating
system and application functionality. It is
assumed that the databases on the SAN
are still in good condition.
With the images that were made before
and during the ongoing operation, the
whole server can be restored. The
appropriate image has to be restored to
the backup server.
The image creation program has to be
booted from the CD to restore from the
image. The program connects to the
backup server via the network to access
the image file, and recreates the local
hard drive of the server. After restoration,
the server is restarted in Windows save
mode to ensure a minimum number of
running programs. The MD5 checksum
check is performed and stored to the
Siemens folder. If the check is ok, the
integrity of the image is granted.
The Security Identifier (an alphanumeric
character string commonly known as
SID) is a unique name assigned by a Windows Domain controller during the logon process. It is used to identify an
object such as a user or a computer or a
group of users in a network of
2000/2003 systems. The SID changes
regularly every 21 days. If the SID is
older than 21 days, the authority check
will fail, because the SID has become
invalid. In such a case, the server has to
be removed from the Domain Active
Directory and re-assigned to the domain,
the server will get a new SID.
21
42359_Siport_BU_en.indd 21
14.1.2008 8:09:32 Uhr
If the functionality check of the cluster node shows no problems, the cluster
resources are online, and the attached clients can connect, the restore is done.
Restoring a Server
Close all programs and
switch off the server
Start the server via
boot CD
Start the image tool and
restore the whole
image
Start the server in
WINDOWS safe mode
and check the
MD5 check sum
Make a test on another
server to ensure the
integrity and conduct
a risk analysis
MD5
check sum ok?
False
True
Is the SID
older than
21 days?
Delete server from the
active directory at the
WINDOWS Domain
Controller to get
a new SID
True
False
Start the server
Start the server
Remove server from the
Domain and restart the
server
Join the server to the
domain and restart the
server
Check connection
and software
Server is restored
Fig. 37
Restore Procedure Server
22
42359_Siport_BU_en.indd 22
14.1.2008 8:09:32 Uhr
4.3 Restore Procedure SIPORT
Databases
If one of the databases on the SAN gets
corrupted, or data is lost by any accident
like application problems or human
failure, it is necessary to restore the data
as close as possible in a status as prior to
the error occurrence.
The SIPORT Server functionality is not
available when restoring SIPORT databases, except for the SiportNTAcc_Hist
database containing only archived data.
The connected workstations are not
allowed to (and cannot) make changes in
the system. Therefore all SIPORT services
and the SQL Server Agent have to be terminated. The SIPORT Kernel has to be
stopped manually.
The database backups have to be retrieved from the tape, and placed in the
backup folder on the SAN.
The restoring of the needed databases of
the Microsoft SQL Server is covered by
the SQL Server Books Online installed on
the SIPORT Server. The described procedures apply to the master, model, and
msdb Database.
The SiportNTAcc_Hist database keeping
the archived logs of the SACS is in simple
mode i.e. no transactions are logged to
the database. This effects the restoration
so that only the last good backup has to
be restored. There is no additional action
to perform; the not yet included logs are
automatically taken over from the
SiportNTAcc database by the archive
creating procedure.
The SiportNTAcc database transaction
log is backed-up hourly and appended to
the last full backup. This allows the
operator to go back in one-hour-steps to
the time before the problem occurred.
The full backup and all transaction log
backups up to the time when the problem occurred are restored with the SQL
Server Management Studio. The exact
procedure is also covered in the Server
Books Online installed on the SIPORT
SERVER.
By replacing the SiportNTAcc Database it
also becomes necessary to restore the
SIPORT Kernel Database as close as
possible to the time when the problem
occurred. The appropriate backup can be
opened by the Windows Explorer and the
included database files are copied to the
EXOS386D folder on the SIPORT Server.
Restoring a Database
Terminate the services
and close all programs
Restore the backups
from tape to disk
Start SQL Server
Management Studio
Restore the full backup
and necessary
transaction logs
Is restore of
SiportNTAcc
False
True
Extract the SIPORT
Kernel databases from
zip archive to the
EXOS386D folder
Start the services
Database is restored
Fig. 38
Restore Procedure Database
23
42359_Siport_BU_en.indd 23
14.1.2008 8:09:32 Uhr
Siemens Switzerland Ltd
Building Technologies Group
International Headquarters
Gubelstrasse 22
CH-6301 Zug
Tel. +41 41 724 24 24
Fax +41 41 724 35 22
Siemens Building Technologies
Security Systems
SES SOL TeC
Siemensallee 84
D-76187 Karlsruhe
Tel. +49-721-595-3103
Fax +49-721-595-8191
The information in this document contains general descriptions of technical options available,
which do not always have to be present in individual cases. The required features should therefore
be specified in each individual case at the time of closing the contract.
Subject to change • Order no. 0-92104-en •
© Siemens Switzerland Ltd • Printed in Switzerland • xxxxx Ni/Ah
www.siemens.com/buildingtechnologies-pharma
42359_Siport_BU_en.indd 24
14.1.2008 8:09:33 Uhr
