Backup and restoration of Administration Server settings

Backup of the settings of Administration Server and its database is performed through the backup task and klbackup utility. A backup copy includes all the main settings and objects pertaining to the Administration Server, such as certificates, primary keys for encryption of drives on managed devices, keys for various licenses, structure of administration groups with all of its contents, tasks, policies, etc. With a backup copy you can recover the operation of an Administration Server as soon as possible, spending from a dozen minutes to a couple of hours on this.

If no backup copy is available, a failure may lead to an irrevocable loss of certificates and all Administration Server settings. This will necessitate reconfiguring Kaspersky Security Center from scratch, and performing initial deployment of Network Agent on the organization's network again. All primary keys for encryption of drives on managed devices will also be lost, risking irrevocable loss of encrypted data on devices with Kaspersky Endpoint Security. Therefore, do not neglect regular backups of Administration Server using the standard backup task.

The Quick Start Wizard creates the backup task for Administration Server settings and sets it to run daily, at 4:00 AM. Backup copies are saved by default in the folder %ALLUSERSPROFILE%\Application Data\KasperskySC.

If an instance of Microsoft SQL Server installed on another device is used as the DBMS, you must modify the backup task by specifying a UNC path, which is available for write by both the Administration Server service and the SQL Server service, as the folder to store backup copies. This requirement, which is not obvious, derives from a special feature of backup in the Microsoft SQL Server DBMS.

If a local instance of Microsoft SQL Server is used as the DBMS, we also recommend to save backup copies on a dedicated medium in order to secure them against damage together with Administration Server.

Because a backup copy contains important data, the backup task and klbackup utility provide for password protection of backup copies. By default, the backup task is created with a blank password. You must set a password in the properties of the backup task. Neglecting this requirement causes a situation where all keys of Administration Server certificates, keys for licenses, and primary keys for encryption of drives on managed devices remain unencrypted.

In addition to the regular backup, you must also create a backup copy prior to every significant change, including installation of Administration Server upgrades and patches.

If you use Microsoft SQL Server as the DBMS, you can minimize the size of backup copies. To do this, enable the Compress backup option in the SQL Server settings.

Restoration from a backup copy is performed with the utility klbackup on an operable instance of Administration Server that has just been installed and has the same version (or later) for which the backup copy was created.

The instance of Administration Server on which the restoration is to be performed, must use a DBMS of the same type (for example, the same SQL Server or MariaDB) and the same or later version. The version of Administration Server can be the same (with an identical or later patch), or later.

This section describes standard scenarios for restoring settings and objects of Administration Server.

Using a file system snapshot to reduce the backup duration

In Kaspersky Security Center 13.1, the idle time of Administration Server during backup has been reduced as compared to earlier versions. Moreover, the Use file system snapshot for data backup feature has been added to the task settings. This feature provides additional idle reduction by using the klbackup utility, which creates a shadow copy of the disk during backup (this takes a few seconds) and simultaneously copies the database (this takes a few minutes at longest). When klbackup creates a shadow copy of the disk and a copy of the database, the utility makes the Administration Server connectible again.

You can use the file system snapshotting feature only if these two conditions are met:

• The Administration Server shared folder and the %ALLUSERSPROFILE%\KasperskyLab folder are located on the same logical disk and are local in reference to the Administration Server.
• The %ALLUSERSPROFILE%\KasperskyLab folder does not contain any symbolic links that have been created manually.

Do not use the feature if either of these conditions cannot be met. In this case, the application would return an error message in response to any attempt to create a file system snapshot.

To use the feature, you must have an account that has been granted the permission to create snapshots of the logical disk storing the %ALLUSERSPROFILE% folder. Note that the Administration Server service account has no such permission.

To use the file system snapshotting feature in order to reduce the backup duration:

1. In the Tasks section, select the backup task.
2. In the context menu, select Properties.
3. In the task properties window that opens, select the Settings section.
4. Select the Use file system snapshot for data backup check box.
5. In the User name and Password fields, enter the name and password of an account that has the permission to create snapshots of the logical disk storing the %ALLUSERSPROFILE% folder.
6. Click Apply.

At any further startup of the backup task, the klbackup utility will create file system snapshots thus reducing the Administration Server idle time during the task run.

A device with Administration Server is inoperable

If a device with Administration Server is inoperable due to a failure, you are recommended to perform the following actions:

• The new Administration Server must be assigned the same address: NetBIOS name, FQDN, or static IP (depending on which of them was set when Network Agents were deployed).
• Install Administration Server, using a DBMS of the same type, of the same (or later) version. You can install the same version of Server with the same (or later) patch, or a later version. After installation, do not perform the initial setup through the Wizard.
• In the Start menu, run the klbackup utility and perform restoration.

The settings of Administration Server or the database are corrupted

If Administration Server is inoperable due to corrupted settings or database (e.g., after a power surge), you are recommended to use the following restoration scenario:

1. Scan the file system on the damaged device.
2. Uninstall the inoperable version of Administration Server.
3. Reinstall Administration Server, using a DBMS of the same type and of the same (or later) version. You can install the same version of Server with the same (or later) patch, or a later version. After installation, do not perform the initial setup through the Wizard.
4. In the Start menu, run the utility klbackup and perform restoration.

It is prohibited to restore Administration Server in any way other than through the klbackup utility.

Any attempts to restore Administration Server through third-party software will inevitably lead to desynchronization of data on nodes of the distributed application Kaspersky Security Center and, consequently, to improper functioning of the application.