While this is a standalone article on the topic of the new Synology ActiveProtect Manager operating system, in case you have missed the hardware and installation part of the DP7400 backup appliance that this OS is driving, be sure to check out the review here.
Table of Content
: ActiveProtect Manager overview
- :: Backup servers
- :: Remote storage
- :: Hypervisors
: ActiveProtect Manager overview
So what is ActiveProtect? If anyone is familiar with Synology's DSM eco-system and more to the point, with their Active Backup apps (Business/M365/Google Workspace), as well as Snapshot Replication and VMM (Virtual Machine Manager), then using ActiveProtect will be very familiar.
View your entire backup infrastructure, including primary backups, backup copies, tiered data
ActiveProtect is a license-based single hybrid platform combining multiple DSM packages and their features and functionalities into one. Using a single dashboard, we will be able to configure, protect, monitor, and more, all of the endpoint devices be it local desktop devices, servers, virtual machines, or cloud tenants.
Some of the benefits of this all-in-one backup solution would be:
- Deploy your server in only 10 minutes
- Detect and restore corrupt data, verify backups, and test your disaster recovery strategy in a sandboxed environment with built-in VMs
- Secure your data with native immutability and isolate your data with air-gapped backups
- Leverage bare-metal or file-level restoration to restore data or perform P2V or V2V restoration to instantly recover data
- Scale your data with ease to meet changing business requirements
To be able to deliver all of these benefits to a business, Synology needed to make the whole experience as easy as possible and scalable for future deployments as well.
Speaking of future deployments, presently, APM can run on the following DataProtection devices:
While these appliances are targeted at businesses, for local implementations, they can be used with Synology's C2 cloud platform as its backup destination as well. Of course, a C2 Object Storage subscription will be needed regardless of the configuration and appliance in question.
ActiveProtect offers data protection of various systems and devices with both local and remote backups (to a distributed node), all configured and monitored through a single dashboard. Having the option to recover a server to a remote or local VM hypervisor, will allow for low RTO periods and quick recovery scenarios with minimum downtime.
One of the benefits of ActiveProtect as well as the BTRFS file systems under the hood is that we can take advantage of global, source-site, and cross-site deduplication. This means that duplicate data will be eliminated in a cross-platform or cross-device configuration, eliminating unnecessary transmissions, saving storage space, and thus shortening backup times overall.
To avoid a general overview of all the various elements of this new operating system, let's move into a more in-depth overview of its functionalities, and see just how well it performs in different scenarios.
: Protection plans
Staying on topic with a fast deployment of the DataProtection device such as DP7400, before starting any backup at all we will need to have a certain protection plan in place. Just as Active Backup for Business has several plans upon installation, so is true with ActiveProtect Manager.
Along with the main backup plan for endpoint devices such as PCs, Macs, and servers, we will also have a single backup plan for the M365-supported cloud tenant. Plans can be deleted, changed, and duplicated to give us a nice boost in creating a new one if we choose to do so, but on top of default and in general, plans that are created under APM, we will also see imported plans from other DP models as well as Synology NAS devices.
The APM has an option to incorporate and take control of the Active Backup for Business package on a Synology NAS, and with it, control over its protection plans as well. As can be seen in the image above, the K-2SO example plans are Synology NAS plans from its ABB package list. More on that integration later on.
A familiar grandfather-father-son retention set is available if we do need a specific set of rules on top of a strict schedule. Of course, we are in a position to alter the options per device type and also define a backup copy destination, be it C2 Object Storage or another Synology NAS/APM (more on this later).
The point of the plan is that it can be applied on the fly to any type of device or service that is supported via APM, and any changes will apply to both existing and future backup versions.
As expected we are unable to apply more than one protection plan per device, so again if there are any particular needs for a single or a group of devices, we can duplicate any plan, alter it, and apply it in a matter of moments.
One more thing that is also a nice addition to the plan details is the included workloads tab. It can show what device is currently using what exact plan.
While the same can be visible from the list of protected devices (see infrastructure management below) it is practical to know what end-point machines will take an immediate effect upon the changes made in that particular plan.
Another element that the plan section supports is archive plans. These are specific types of plans that can be applied to any device once it no longer needs active backup protection. So for example, an old server is being put out of commission and we no longer need an active protection of it, but we do want to keep the backups for a certain period.
With an option to keep or not to keep the very latest version of the backup, the archive plan will allow administrators to not worry about any old server and its backups occupying the appliance storage needlessly.
Once the plans are set, and as mentioned can be added or altered at any point, there is still some configuration to be done in terms of the DataProtection appliance and devices as well as platforms it can talk to, to provide a robust and versatile backup solution.
: Infrastructure management
By reading so far one might start to question when are we gonna back up something. True, once we have access to the APM, we can indeed back up right away. The default plans are there and can be altered later on, the DP device is up and running, so the only thing left to do is to install a client and start the backup.
But before we get into that, let's see how we can manage the DataProtection device via APM, as well as how can we connect it to another device in the network and cloud to get the best possible protection for our data we can.
The infrastructure management section is divided into four main sections: site management, backup servers, remote storage, and hypervisors. To be fair the site management and backup servers are linked in terms that the device under site management is also a main backup server. So by going into its details, we will immediately find ourselves inside the backup server section.
In any event, the site management section, as its name suggests, gives the user the option to configure general settings for a particular DataProtection server as well as configure its failover device for maximum uptime.
:: Backup servers
As said, any further details on the site's main device will launch us into the backup servers section.
Here we can see a general overview of all added and linked devices be it DataProtection ones or Synology NAS (virtual DSM is also an option!). A simple hover over the storage progress bar will also give a useful table of total, used, and unused storage space.
Unlike the DSM operating system, which has the dropdown menu in the upper right corner with reboot and shutdown settings, and a dedicated section in the control panel for updates, APM has all of these options as part of a single dropdown menu for each available backup server (not including connected Synology NAS devices).
Speaking of DSM-like user interface, the APM OS uses several interfaces. The main interface is called the management center, and it is the default one that is presented when we start working with APM. On top of that, there is also an appliance console.
Now those familiar with DSM will immediately recognize the "old" DSM desktop, but without all the functionalities that they are accustomed to.
The purpose of the appliance console is what one would expect. Any number of configurations can be done via the Control Panel and a limited Storage Manager. Anything from certificate management, users, connection to a domain or LDAP, regional options, UPS, and more.
This is a backup appliance and even though there is a DSM-like console, APM has no Package Center option to install additional Synology or 3rd party apps. The only other element that we can see from the image above is the recovery portal, but more on that later when we start to create backups and test restore options.
Moving back into the management center and getting more details on a particular backup server, we get access to information that only APM will be able to present. Storage trends, data transfer size, and data reduction, to name a few. Also, we will see general server information such as internal and external IP address, APM version, status, and more.
Interestingly enough, the bandwidth control options are also part of the management center and not the application console, so we might say that coming from a DSM environment, one might need some time to locate all the options that were previously part of the DSM Control Panel.
As mentioned already several times the ActiveProtect Manager while advertised as a new product is DSM Active Business suite combined into a new platform or OS if you will. Because of this, the integration with said packages is more than apparent but APM goes one step further into something that we have not seen so far with DSM.
By installing Active Backup for Business version 3.0 (currently not available yet), we will have the option to give control of a particular ABB instance over to the DP device running APM. This means that all templates, jobs, and tasks will be handled by APM, while the storage capacity of any backup jobs using NAS plans will be saved on the NAS, and not the DP unit. Moreover, the ABB templates will be visible inside the APM OS and available as plans that we can alter any way we want.
Dubbed apm-cms, this Docker project is handled by the Package Center with the installation of Active Backup for Business. The installation will configure it but binding and finishing the process on the APM will start the Docker stack.
While the process is automated it will take some time because the NAS has to run the whole docker-compose script in the backup including the download of all the images and configuration of the stack. So bear in mind that the ABB 3.0 installation will take some time to install because of this integration.
Joining a Synology NAS on one end and the DP appliance on the other will require us to fill in the correct information such as an FQDN value of the DP device and the connect key that it will generate. Once that is all done, the process will be complete and we can start using the Synology NAS as a backup server destination while controlling all the tasks and plans via APM.
-
PC, Mac, and physical server will continue using Active Backup for Business agent with accounts on Synology NAS for backup.
-
Bare-metal restoration in Active Backup for Business will continue to be performed via Active Backup for Business Recovery Wizard using an administrative account.
What this last remark means is that APM will not be able to handle tasks such as the Synology NAS backup process that ABB supports. This particular task will still be possible using the DSM ABB console.
So this means that even if we do have a DP appliance, a backup of any Synology DSM NAS that we want to keep as a bare metal backup, will still have to be handled by another NAS with ABB support. Will this change in the future version of APM it is hard to say, but at the moment, this is not an option.
The way the NAS will be utilized is by connecting the agent installed on the end-point device and selecting the plan that correlates to this particular connected NAS. More on installing the agent and running the tasks later on.
:: Remote Storage
Connecting other devices to the DP/APM setup might include Synology NAS or other DP models. When we talk about Synology NAS devices, we need to go through a process of preparing them by installing the ActiveProtect Vault package. Similar to the HyperBackup Vault app, the AP Vault will allow for communication and control of the NAS via the DP appliance, utilizing the NAS as one potential remote storage.
The purpose of remote storage targets (as opposed to the backup server section) is that these destinations can be utilized as additional backup destinations on top of the DP itself. This means that once the backup of a certain device has been completed, another backup can run (even on a schedule) to a preconfigured unit such as a Synology NAS, C2 Object Storage, or another S3-like bucket destination.
The same rules apply if we want to connect the DP device with Synology's C2 Object Storage.
As part of their C2 cloud platform Object Storage is a freemium service (up to 15GB free) that is S3 compatible. It means that we can connect it to various applications and services that know how to talk to S3 buckets. As a result, we get a cloud destination that is fully compatible with DP and APM and can serve as a destination for a secondary backup if local backup devices are not an option.
Once the destinations have been configured, we can use the existing or new protection plans to enable and configure backup copy options. The copy in a single plan can go either to a local device (another APM or NAS device) or toward a C2 bucket.
The schedule can be configured as well depending on whether we want to run the backup immediately after the device has been backed up onto the DP, or later at a specific time. It is worth noting that a backup copy if scheduled will be a daily task.
:: Hypervisors
One final element of the supported infrastructure features is APM's support of hypervisors. Before any excitement about potential Proxmox support starts, there is none. Just like with ABB, ActiveProtect does not (at the moment) support Proxmox in any way (KVM or LXC)
On the list of supported hypervisors are the usual suspects, VMWare and Microsoft with their ESXi/vCenter, and Hyper-V solutions. Due to recent events of Broadcom buying VMWare and shutting down ESXi as a product, we might hope that Synology will take this opportunity to finally support Proxmox as yet another hypervisor especially one that has been present for over 15 years.
The principal is identical to Active Backup for Business, and a simple wizard guides us through the connection process.
Once the connection has been established, all VMs will be visible and ready for backup (more on that later on).
From an infrastructure standpoint, we can say that APM unlike ABB goes a few steps further offering connectivity with remote storage destinations and devices, thus allowing for a more versatile and secure backup environment.
With a central management point controlling all the tasks, plans, devices, and jobs, ActiveProtect will for the most part be a single backup point for any administrator using this platform.
: User management
Managing such a feature-rich platform might require the need of multiple users and administrators. APM offers several options when we talk about user management.
The ActiveProtect solution lets us add users and grant them administrative permissions, such as backup, restoration, and server monitoring. With robust access control, we can collaborate with team members to protect workloads while ensuring security.
Apart from local user and group support, APM also supports domain and LDAP accounts, as well as four SSO protocols: OpenID Connect, SAML, CAS, and Synology SSO.
Regardless of the protocol and users being local or remote, ActiveProtect supports permission delegation. Similar to DSM's delegation for its local users, APM has three levels of partial delegations. Backup, restore, and monitoring.
The partial delegation access (as opposed to the full access) is divided into three permission tiers with the following actions.
Backup
- Can implement and cancel manual backups.
- Can view details about protected workloads.
- Can view backup activities.
Restore
- Can perform a bare-metal restore
- Can perform instant/full restore to hypervisors added in the site and built-in hypervisor.
- Can restore files and folders.
- Can download backup versions.
- Can view details about protected, archived, and unmanaged workloads.
- Can view restoration activities.
Monitoring
- Can view all features on AEM (except the Appliance Console and OOB)
It is worth mentioning that delegation can be applied to both individual users and groups alike.
So far, we have seen the overview of APM's features, and what it can do. Now, let's see how well it executes those tasks by configuring backup tasks for desktop devices, as well as servers and VMs.
: Workloads
Before continuing it needs to be said that not all features of the APM were available at the time of these tests. Considering the closed beta version of the system some elements might change in the future.
Saying this, what will be covered in this section is macOS, Linux, and Windows client backups, as well as VMs over ESXi, and finally data restoration.
:: Mac, PC, and server operations
The most obvious and most common backup endpoint will be a client device backup, be it either a Windows or macOS machine.
Adding a machine to the backup will start from the workload section, and as with ABB, we will need to install a compatible APM client to connect and communicate with the APM.
Unlike ABB, the APM will require also something called a connection key. This means we will not authenticate on the client side with a username and password, but rather with a defined connection key that will be bound to a particular protection plan.
During the client installation, actually, right upon completion, the wizard will ask us for the APM destination server address as well as the connection key. Once that is done and the communication has been confirmed, the client will pull down the protection plan and backup can start.
As expected the backup can be manually triggered or on a schedule set by the protection plan.
In terms of speed, DP7400 performed well. As we will see later on, depending on the OS in question as well as if the machine is virtual or physical (local or remote), the speed will vary.
While performing the initial Windows 11 machine backup (physical) the task took 10 minutes for the 23GB with an average speed of 40MB/s in LAN. On top of that, another Windows 11 (also physical) task, only this time remote (WAN), lasted 7 min for its 26GB with an average of 63,3MB/s speed.
The difference between just these two machines is about 11GB in deduplication data as the secondary machine was almost 37GB in size with a backup size of only 26GB, so it is good to see that APM handles compression and dedup well.
Opening a recovery portal for the machine will allow us to go over multiple versions over time and recover/download data that is needed. What needs to be said here, yet again, is that Synology has still not fixed the search function.
In case anyone is unfamiliar with this "issue", it is that the search itself does not search at all but rather filters the current location that is visible inside the portal. This is unfortunate as it makes locating a particular file much more difficult. While on the subject, the C2 Backup cloud service suffers from the same fate when backing up on-prem devices, but not in case we are searching for M365 backed-up data. A bit of an odd situation, but it is what it is. Hopefully, this will get unified and sorted down the line.
Full bare-metal recovery over WAN was about the same time, just under 10 minutes with an average speed of 47-50MB/s. Executing a full backup restore also means that the initial backup after restoration will be full as well.
So far Windows OS machines, both local and remote perform more or less the same in terms of backup and recovery speed. macOS on the other hand behaves a bit differently.
The usual install process is needed just like on the Windows OS, with several exceptions and additional steps. These steps are identical for most Synology or any other 3rd party apps because of the macOS protection mechanism (the Gatekeeper).
The rest of the wizard process is identical to the Windows OS. Once the backup started, several interesting things happened. First off, the speed was better than with the Windows machines but the overall time was longer. Why? Not sure, but it has something to do either with the macOS or APM on macOS.
As can be seen from the images, the process was completed with no issues at all, but unlike the Windows OS, macOS was backing up in increments with gaps between three to five minutes each. A total of 60GB of data was backed up in 28 minutes with an average speed of 40-70MB/s.
With this beta version of APM, the currently supported physical Linux OS are only "server" editions or backups of Linux-based VM-s. So far the client installation for both Windows and macOS has been done via installers, but with Linux, the installation is done via the command line (same as for the ABB agent).
fffffffffffffffe
error code2024-08-19 20:49:17,Error,Backup failed.
2024-08-19 20:49:17,Error,Error code [fffffffffffffffe]: Failed to take a snapshot of [/].
2024-08-19 20:49:17,Information,Taking a snapshot of [/]...
2024-08-19 20:49:17,Error,Error code [fffffffffffffffe]: Failed to take a snapshot of [/boot].
2024-08-19 20:49:17,Information,Taking a snapshot of [/boot]...
Similar to macOS there was an interesting moment performing backup and restore for the Ubuntu system (both physical and virtual) as well. The bare metal Ubuntu server backup with only 15.3GB of used space took five and a half minutes (5:28 min) with an average speed of about 25MB/s.
On the other hand, the same Ubuntu OS as a virtual machine but with 50GB in size took only five (5 minutes) to complete with an average speed of over 170MB/s. For comparison, the restore of that same VM against an ESXi host lasted about 15 minutes in total (speed of about 57MB/s).
I guess the general rule that applies to most Synology backup tools, is also valid with APM and DataProtection devices. Depending on the size, type of machine, and the backup mechanism under the hood, the backup speeds will vary.
:: VM operations
One final workload category remains and that's virtual machines. A popular category no doubt, and something that most businesses will mostly utilize with this new backup appliance.
Picking up where we left off earlier in the article, once DP has been connected to a compatible hypervisor, we will have the option to back up any number of VMs that have been detected.
With this common operation, anyone familiar with Active Backup for Business or even some alternative platforms will have no problems following through. The result is a full VM backup that can be then used to either access the data via the Recovery portal or in this particular case, do a full or instant VM restore.
While the recovery of the server in this example as said earlier took about 15 min, the instant restore will get the machine up and running in under 30 seconds. Of course, the restored machine will have limited performance until it has been completely migrated back to the hypervisor host.
Speaking of recovery, in case there is no need to restore the whole machine, the recovery portal for the VM's as well as macOS will offer the same experience as the one for the Windows OS devices.
:: Cloud tenants - M365 operations
Anyone working with any commercial cloud provider offering PaaS, SaaS, or any similar service will almost always be reminded that the content in the cloud is not backed up. One obvious example of this is Microsoft 365. As mentioned many times in the EULA, M365 offers some great tools, but by default, backup is not one of them.
This is where Active Backup for Business package comes in or in this case, ActiveProtect Manager.
APM as its final separate category lists Cloud Applications offering at the moment, multiple M365 tenant backups.
The process of connecting to the tenant is straightforward as it has been for some time on the ActiveBackup platform as well. There is no need to run separate Powershell scripts to generate the needed IDs and keys.
A short 4-step wizard will allow you to complete the registration with APM and immediately offer manual or automatic workload rules.
Again, same as ABB, APM will offer activation of the user self-service portal to allow non-admin users to restore their data. This will apply to the Exchange and OneDrive content.
One additional option when working with a M365 is the usage of archive plans. As a mandatory feature, those plans will determine the retention period for data that is no longer being actively backed up but kept as an archive.
M365 backup as a turn-key option that allows for the automatic addition of new items, sites, and users, will allow for peace of mind when we talk about a consistent backup policy.
With no account number limitations, APM could become a number-one backup platform for many small or large businesses. Without too much repeating, the M365 recovery options are again offered via the same APM recovery portal.
Those same similarities can also be found in Synology's C2 Backup for Business cloud platform, which allows backing up on-prem devices and M365 tenants alike.
: Conclusion
If you got to the end of this article, congratulations! For those that jumped to the end, here is the summary.
The new APM can be described as a standalone operating system, but to be honest, a very limiting one in terms of what OS usually stands for. Because of that, I would rather call it a "platform" than an OS considering it powers a specific hardware lineup.
As such, we can immediately see that Synology has decided to capitalize on one of its most popular (if not the most popular) DSM packages, the Active Backup for Business.
The ActiveProtect Manager is not just a simple rebrand of the said package but rather an upgrade in many aspects.
Combined with one massive hardware appliance, we now have a very competitive backup device that will for sure find its customers.
Deployment time, ease of use, and versatile backup options allow for many practical scenarios in which the DP device can be utilized. There is always room for improvement, and without a doubt, Synology will continue to develop this platform in the future.
The fate of the Active Backup for Business might also come into question, but time will tell just what the company has in store for it. Is this the beginning of a commercial version of the ABB service? Maybe, maybe not. One thing is for sure, and that is that APM will take the lead moving forward, but as we can see from the feature set, there is still room for ABB in this new setup.
APM is a familiar, yet new platform that will be appealing to both novice and experienced users, regardless of their Synology experience. Guided with the new Synology-only policy, we finally have an end-to-end device that both from a hardware and software side of things is 100% Synology.
This as a result will offer a stable, optimized, and focused backup platform that many have been waiting for. If the success of this platform goes according to plan, we can be certain that APM and DP models will shrink from rack models to desktop versions in the future.