Product Reviews

Ooops! Recovering Deleted Files: Volume Snapshots vs. Undelete 4.0

Microsoft Volume Shadow Copy Services and Undelete 4.0 are a potent one-two punch.

There are few things that take up as much system administrator time as restoring files that users accidentally deleted or otherwise misplaced. There are also few situations as frustrating as working on a document all day, only to have a system error wipe out the entire thing at the last minute.

Anyone who has suffered through these situations well knows that backups are lifesavers, but backups should not be the only answer. In fact, there are ways to provide a first line of defense in document and file protection.
One of the easiest is good file management habits: Save often and always, turn on the auto save feature if your office automation tool includes one, delete files through the Windows Explorer so that they will go first to the Recycle Bin, only empty the Recycle Bin when you have to, and so on. But even then, there are no Recycle Bins on network file shares — not until now, that is.

That's because Windows Server 2003 includes the Volume Shadow Copy Service. VSS is fast and easy to implement — and it has an immediate, positive impact on administrative workloads. That's because of the way the shadow copy service works with shared folders. The VSS service automatically takes a "snapshot" of the files located in any shared folder where the service has been enabled. These snapshots include an image of the contents of the folder at a given point in time. Depending on the space you make available to it (each VSS snapshot is 100MB in size), you could have up to 64 different snapshots of a disk volume. Because Microsoft has made a client component of VSS — the Previous Versions client (see Figure 1) — available along with the VSS, end users themselves can access these snapshots.

Volume Shadow Copy Service
Figure 1. Users can now restore their own files from shadow copies. All they need is to access the properties of the file or folder they want to restore and click on the Previous Versions tab. This tab lists all available shadow copies. Users only need to locate the version they need and either restore it directly or view it to determine if it is the right one. The Previous Versions client must be deployed on workstations and mobile systems before this functionality can be made available to users.

This means that once implemented and the client deployed, users can pretty much recover any lost file by themselves, in the privacy of their own desk, without having to bother anyone and without the embarrassment of having to tell someone they've lost a file once again. The shadow copy service is designed to assist in the process of recovering previous versions of files without having to resort to backups. In this way, VSS is very much like a server "undelete."

By default, Windows Server 2003 creates shadow copies twice a day; at 7:00 a.m. and 12 noon. This schedule can be changed if it doesn't meet your requirements.

Shadow copies do not replace proper backups; they provide a first line of defense, that's all. Nevertheless, this feature is a boon to system administrators because it really does take work off your hands and it's easy to implement. Once your file server is ready, enable shadow copies (through disk properties). Set the copies to be stored on a drive that is separate from the file storage drive and deploy the Previous Versions client — the TWCLI32.MSI can be found in %systemroot%\system32\clients\twclient. Finally, educate your users and evaluate if the shadow copy schedule you set is right for your environment.

Undelete for Servers
If shadow copies aren't enough, you can install Executive Software's Undelete 4.0 on your file server, which replaces the Recycle Bin with an enhanced Recovery Bin (see Figure 2).

Figure 2. Using Undelete Server Edition, administrators can restore files deleted on server shares. Undelete automatically traps all file deletions and stores them in the disk's Recovery Bin. Users do not see server Recovery Bins unless they have a local version of Undelete Professional installed.

You can configure servers to use a single Recovery Bin for all drives or use one bin per drive. The latter will reduce disk input and output operations and improve the protection of your servers. In addition to the Recovery Bin, Undelete includes Undelete from Disk and Emergency Undelete. The first lets you search a disk drive for items that have been emptied from the Recovery Bin for possible recovery. The second lets you boot from the Undelete CD to possibly let you recover data that has been erased from a hard disk. In many cases, Emergency Undelete has more chances of working than Undelete from Disk since it does not perform any operations on the disk you are attempting to recover data from.

The installation of Undelete Server Edition is straightforward. Simply pop in the CD and select Install from the auto run screen. A few minutes and one reboot later, your Recycle Bin will have been replaced by a Recovery Bin. Undelete works by installing an I/O filter that traps all deletions from disk at the moment of deletion. Instead of deleting a file, it renames it and stores it in the Recovery Bin folder. By default, the Recovery Bin is set to take up to 20 percent of each disk drive for which it is activated. When the bin is full, it will automatically begin to replace older versions of its contents.

To recover a file, simply open the Recovery Bin, locate the file to restore and right-click on it to select restore. This operation must be performed by an administrator on the server, unless you have selected to use Undelete's Push Install feature to deploy Undelete Professional to all your workstations. This will not only give users access to server Recovery Bins, but also protect files stored on their local systems. Beware though! Since Undelete stores all deleted files in the same location, this may give curious users access to files they would not normally see.

The major difference between Undelete and the Volume Shadow Copy Service is time. Undelete catches all deletions as they occur, giving you real time protection. VSS takes a snapshot in time of the contents of a disk. This means that if a snapshot was taken an hour ago and you delete a file you were working on for the last fifty minutes, there will be nothing to recover. On the other hand, Undelete only protects files that have been deleted whereas VSS protects everything on the server. If you need to restore a version of a file that is five days old, but was never deleted, VSS will provide it whereas Undelete will never have had a copy in the first place.


Volume Shadow Copy for IT Professionals:

Our recommendation: At the very least, provide a first line of defense by migrating all your Windows file servers to Windows Server 2003 and enabling VSS. Distribute the Previous Versions client to all systems. In fact, make it part of your standard operating environment and base-system build. Follow VSS best practices — found in Windows Server Help — to identify the best schedule for your environment. Educate your users on file recovery. And, if constant recovery of lost files is really important to you, install Undelete Server Edition. This will provide double protection for your user's data. If you want complete protection and peace of mind, deploy Undelete Professional to all your systems. This will enable your users to be completely self-sufficient.

About the Author

Danielle Ruest and Nelson Ruest, both Microsoft MVPs, are IT professionals focused on technologies futures. They are authors of multiple books, including "Microsoft Windows Server 2008: The Complete Reference" (McGraw-Hill Osborne Media, 2008), which focuses on building virtual workloads with Microsoft's new OS.


comments powered by Disqus

Subscribe on YouTube