G’day, and welcome back to UCMadScientist. Today we are continuing our adventures with my Synology DS920+ that was lovingly sent in for review a few months ago.
Okay, you got me. It’s not “Free”: you still need to buy the NAS itself, put drives in and power it. But there are no ongoing software costs, no license fees and no renewal fees to worry about. So essentially free in this day and age. Especially as you need somewhere to store the data anyway!
As I kinda alluded to in the previous article, my “backup” solution previously wasn’t exactly ideal. My Personal OneDrive, for example, was me just syncing the whole lot to my Storage Server.
- My Personal OneDrive was “Backed up” by just syncing it to my server
- This actually caused an issue when I got ransomwared
- My Business OneDrives weren’t backed up at all
- I didn’t back up my Teams or Sharepoint Sites
- Or my GitHub Repos
- And I didn’t differentiate between infrequently changing data (Archives) and frequently Changing data
- Whilst I was backing up endpoints and VMs
- I was backing up the VMs to the same machine
- The disks with backups on held other VMs, which meant they were always spinning
Thus today, I’m going to check out some of the free ways I can leverage my local storage to keep backups of my important data. Both Online and Offline.
My Personal OneDrive
Synology Cloud Sync
Like I mentioned before, my old backup solution wasn’t great. I was basically syncing a local copy of the live data as a “backup”. I know it’s not… But, “It will never happen to me… right?” WRONG.
I store a lot of data in my OneDrive, including all the photos from my phones, our family photo library, our personal documents and even my software library, chewing up around 700GB of my OneDrive storage (I might need to clean that one day).
So knowing that let’s take a look at the free OneDrive backup package on the Synology.
If we search the DSM package library, we can see Cloud Sync is a package that might suit our needs, so let’s install it and take a look.
Upon opening the package we are greeted with a ton of different cloud providers, OneDrive included, so let’s pick that and hit Next.
As soon as I click Next, I get an authentication pop-up for my OneDrive. As I’m already logged in using this browser session, I’ll just authenticate this on my phone and approve the app.
Then we are brought to the Sync Settings page.
A nice thing to see is that I can make this Sync one way only. So it will only download from OneDrive, not upload. Hopefully, preventing a repeat of last time.
A nice touch is the ability to exclude folders but still grab any new ones.
I don’t exactly need another copy of my Installation Media for Skype.
Now, I’ll just let that run for a while…
It would be nice if you could turn this pop up that comes up every 10 seconds during sync off but…
But, it’s not backup. Is it? Yet.
And there’s no way to sugar coat it. It’s still just a Sync. It’s not a Backup of my OneDrive. As it’s not a Point in Time system, it’s always “the latest” unless I use the Schedule to only let it sync once or twice a week.
Even then, I only have 1 copy of the data. So should my OneDrive get compromised just before a sync, my data is all gone (again).
We can address this by using Active Backup for Business to take backups of the Sync directory at regular intervals.
Synology Active Backup for Business
Same as before, we go to the Package Manager and install the Active Backup for Business package.
Unlike before, however, when we launch the application it needs to call home and grab a free license. Nothing too major to worry about. Hopefully, Synology doesn’t start charging for it in the future. I assume it’s only using it to stop people from selling it as a service.
The activation wizard was a super painless thing. Agree to terms and conditions, login and press activate.
Next we create a backup Job, navigate to File Server and click Add Server
In the Server Type select SMB Server (you could use Rsync too as the NAS supports that)
Then enter the details of the NAS itself as the Remote Server, clicking Apply and Yes when prompted.
I ended up needing to check the documentation as the blurb describing each of the backup modes wasn’t 100% clear.
The “Multi-Versioned” backup allows you to set up the traditional Grandfather-Father-Son backups.
It is important to note, however, that although Active Backup is marketed as offering Deduplication, this only applies to VMs, PCs, and Physical Servers. Not File Servers.
The manual isn’t very clear on this so I figured I’d point it out.
I ended up selecting the Multi-Versioned backup so I could keep multiple copies of the data using retention policies.
Point it to the folder on the NAS that’s hosting the OneDrive share and click Next.
Then we set the backup target. As I don’t have oodles of storage, and I have the ability to restore recent file versions from within OneDrive itself, I’ll only configure this to back up once a week.
On the next page, we can set retention policies, which we will set to keep the latest week for 1 week and the latest month for 1 month. Allowing at least 30 days of rollback.
Then we confirm and apply the settings.
After running the backup task, we can see I now have multiple Point in Time versions of my OneDrive. Sorted.
What about my Microsoft 365 Tenant?
Well, this was the main reason Synology opted to send me a unit for a review. To look at their Active Backup for Microsoft 365 product.
To get the most features and the best chance at backing up as much configuration as possible, I waited for the Beta version of the product to reach maturity before reviewing the latest release, 2.2.1-2324 at the time of writing.
Installing and setting up the package
Same as with all the other packages we have installed on the NAS so far, we simply head over to the Package Centre and Install the Active Backup for Microsoft 365 package and open it.
Same as with Active Backup for Business we need to let the NAS call home and acquire a license.
So after clicking Activate I’m taken to the Synology website again where, as last time, I’m greeted with a similar treatment as before. Agree to a EULA, sign in and Activate.
Registering the Azure AD App
We’re then greeted with a new backup wizard which by default lets you back up a new tenant. It’s nice to see the option here to relink data from an existing backup to a tenant so you don’t have to download everything again!
Active Backup for Microsoft 365 then asks you to run through a tutorial to set up an Azure AD app. It’s basically just downloading and running a PowerShell script on your local machine.
Taking a quick look in the ISE I don’t see anything nefarious going on here. In fact, the cool part is they actually credit their sources in the script and it’s signed! Nice.
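One way to check that signature before running the script, shown as an added example (not code from the original post or from Synology). The function name and the publisher pattern are assumptions; the page does not state the signer name, so `<expected publisher>` is a placeholder to fill in with a value you have confirmed yourself.

```powershell
function Test-DownloadedScriptSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: wildcard for the publisher you expect, confirmed out of band.
        [Parameter(Mandatory)] [string] $ExpectedSubjectPattern
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Valid = file hash matches the signed hash and the chain builds to a trusted root.
    # HashMismatch = edited after signing; NotSigned = no signature block at all.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Refusing '$Path': status $($sig.Status) - $($sig.StatusMessage)"
        return $false
    }

    # A valid signature only proves *someone* signed it; pin the signer as well.
    $cert = $sig.SignerCertificate
    if ($cert.Subject -notlike $ExpectedSubjectPattern) {
        Write-Warning "Refusing '$Path': unexpected signer '$($cert.Subject)'"
        return $false
    }

    # Without a timestamp countersignature the check starts failing once the
    # signing certificate expires, so note whether one is present.
    $timestamped = $null -ne $sig.TimeStamperCertificate

    # Record what was approved so the same file can be recognised later.
    [pscustomobject]@{
        Signer      = $cert.Subject
        Issuer      = $cert.Issuer
        Thumbprint  = $cert.Thumbprint
        Timestamped = $timestamped
        SHA256      = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    } | Format-List | Out-Host

    return $true
}

# '<expected publisher>' is a placeholder; the page does not state the signer name.
if (Test-DownloadedScriptSignature -Path .\AppGenerator.ps1 -ExpectedSubjectPattern '*O=<expected publisher>*') {
    Write-Host 'Signature and signer check passed; review the script, then run it.'
}
```

Editing the script after download, even to add a comment, changes the status to HashMismatch, so run the check on the exact file you intend to execute.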
Running the script in interactive mode automatically installs the AzureAD package via NuGet and then prompts for a password for the certificate. This is because the Azure App is using a cert generated on your machine which must be exported with the private key (which needs a password to do so).
So make sure you provide a secure password: this cert can be used to access your whole tenant (at an Exchange, Graph and SharePoint level… more on that later).
After that the script will get you to sign into your Azure AD Tenant via the usual AAD sign-in box. It’s nice to see this supports MFA as well.
Once that is done the script will output some details about the AAD app. As well as providing a link to a page in Azure detailing the app permissions.
We also need to grant admin permissions for the app whilst we are here, so click on Grant admin consent for orgname.
A note on Permissions, specifically for Teams
As you can see the app grants itself full access to both SharePoint and Exchange, but very limited access to Graph.
Whilst this is great from a security perspective, it also lacks important permissions needed to back up core Teams workloads such as calling and channel data, just a few of which you can find below.
This means that today it’s impossible for Active Backup for Microsoft 365 to back up the collaboration and calling aspects of Teams. Should that feature be added in the future you will need to update the permissions appropriately.
Back to the setup
Using the details from the AppGenerator.ps1 script we can fill in the rest of the setup wizard.
Using the details from the script, fill in the form and hit Next
Once that’s done, the app will verify it has all the permissions it needs and then prompt for the backup settings
Picking Users and Groups
On the first page, we set some basic info. But if we take a quick look under the edit button, you can see all the users and groups the app will back up.
Important: In my case, the app by default didn’t select to back up any of my Microsoft 365 Groups. I simply filtered down to M365 groups and selected them all before hitting OK.
On the next page, we have settings for New users and groups. The only change I made here was to back up users’ “My Site” feature, and then I clicked Next.
Backup Retention
As with any decent backup product we get to set how often and how long we keep the data. In this case I’m backing up daily and only keeping files for 30 days
We then review the backup settings and apply them
Finally I’m presented with the option to start running the backup now.
More waiting for my slow internet…
Caveats
A few things to note here. As you might know, I focus on Teams and UC a lot. In saying that, there is a lot of data that this product (and many others) doesn’t back up today for Teams specifically that we are used to backing up in Skype for Business deployments.
- Chat History in Teams (Available in Graph)
- User Policy Settings (PowerShell)
- Tenant calling settings (Dial plans, Voice Routes), Policies, Call logs. (PowerShell and Graph)
- Call Queue and Auto Attendant Settings (PowerShell)
- User and Meeting Room accounts (PowerShell)
There are some scripts out there that do this but are separate from the Active Backup Product as of right now.
Personal Computers
I’ve long been a fan of Veeam Endpoint protection. It’s an awesome free “gateway drug” into the Veeam ecosystem. Backup your local endpoints to a NAS/USB/SMB share for free and restore images/files as needed.
Our business also has a requirement for all data at rest to be encrypted. So we use Bitlocker encryption. Not much good if your backup solution then stores the images un-encrypted on your storage medium. Luckily Veeam supports that too.
If you have a Veeam Backup and Recovery installation, you can back up to your backup repository and do things like boot the backup image directly using an associated hypervisor. Allowing you to do things like connecting to that customer’s weird VPN solution when your SSD has died. (yep, has happened. ask me how I know) But I won’t go into that here.
Synology Active Backup apparently has similar functionality. But I’ve not tested it yet and it’s outside the scope of this article.
Final thoughts.
All in all this is a great bundled solution. If you are already looking at a NAS for storing backups or maybe had something backing up your onsite SBS solution. Why not just use this included package to do the backups of your cloud solution?
However, as it stands today it’s still not a full backup solution for Microsoft 365. But then again, considering how many services are delivered in M365 these days, I doubt many products are.
My understanding is however, like most things these days, that this product is still seeing active development. So here’s hoping in the future we can see even more Teams backup features as well.
Products like these will always need careful evaluation by any potential business looking to use them and speaking with each of their workload experts to ensure they meet their backup requirements!