Set up disaster recovery to Azure for on-premises physical servers

The Azure Site Recovery service contributes to your disaster recovery strategy by managing and orchestrating replication, failover, and failback of on-premises machines, and Azure virtual machines (VMs).

This tutorial shows how to set up disaster recovery of on-premises physical Windows and Linux servers to Azure. In this tutorial, you learn how to:

  • Set up Azure and on-premises prerequisites
  • Create a Recovery Services vault for Site Recovery
  • Set up the source and target replication environments
  • Create a replication policy
  • Enable replication for a server


To complete this tutorial:

  • Make sure you understand the architecture and components for this scenario.
  • Review the support requirements for all components.
  • Make sure that the servers you want to replicate comply with Azure VM requirements.
  • Prepare Azure. You need an Azure subscription, an Azure virtual network, and a storage account.
  • Prepare an account for automatic installation of the Mobility service on each server you want to replicate.

Before you begin, note that:

  • After failover to Azure, physical servers can't be failed back to on-premises physical machines. You can only fail back to VMware VMs.
  • This tutorial sets up physical server disaster recovery to Azure with the simplest settings. If you want to learn about other options, read through our How To guides:

Set up an Azure account

Get a Microsoft Azure account.

Verify Azure account permissions

Make sure your Azure account has permissions for replication of VMs to Azure.

Set up an Azure network

Set up an Azure network.

  • Azure VMs are placed in this network when they're created after failover.
  • The network should be in the same region as the Recovery Services vault.

Set up an Azure storage account

Set up an Azure storage account.

  • Site Recovery replicates on-premises machines to Azure storage. Azure VMs are created from the storage after failover occurs.
  • The storage account must be in the same region as the Recovery Services vault.

Prepare an account for Mobility service installation

The Mobility service must be installed on each server you want to replicate. Site Recovery installs this service automatically when you enable replication for the server. For automatic installation, you need a root/admin account that Site Recovery can use to access the server.

  • You can use a domain or local account for Windows VMs.
  • For Windows VMs, if you're not using a domain account, disable Remote User Access control on the local machine. To do this, in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, add the DWORD entry LocalAccountTokenFilterPolicy, with a value of 1.
  • To add the registry entry to disable the setting from a CLI, type: REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1.
  • For Linux, the account should be root on the source Linux server.
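
A way to apply the registry change above so that it can be rolled back, as an added example that is not part of the original tutorial: it records the entry's prior state before setting it to 1 and restores that state on request. The function names and the state-file path are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: not part of the original tutorial.
# LocalAccountTokenFilterPolicy = 1 turns off remote UAC token filtering, so
# local administrator accounts receive a full admin token over the network.
$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Name = 'LocalAccountTokenFilterPolicy'
# Hypothetical location for the saved prior state; change to suit.
$StateFile = Join-Path $env:ProgramData 'asr-latfp-prior.json'

function Get-TokenFilterPolicy {
    # Returns the current DWORD value, or $null when the entry is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Enable-PushInstallAccess {
    # Save the prior state once, then apply the value the tutorial requires.
    if (-not (Test-Path $StateFile)) {
        @{ Prior = Get-TokenFilterPolicy; Saved = (Get-Date).ToString('o') } |
            ConvertTo-Json | Set-Content -Path $StateFile -Encoding UTF8
    }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
}

function Restore-TokenFilterPolicy {
    # Put the entry back exactly as it was before Enable-PushInstallAccess ran.
    if (-not (Test-Path $StateFile)) { throw "No saved state at $StateFile" }
    $prior = (Get-Content -Path $StateFile -Raw | ConvertFrom-Json).Prior
    if ($null -eq $prior) {
        Remove-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    } else {
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value ([int]$prior) -Force | Out-Null
    }
    Remove-Item -Path $StateFile
}

# Usage (elevated session): Enable-PushInstallAccess, and later Restore-TokenFilterPolicy
```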

Create a vault

  1. Sign in to the Azure portal > Recovery Services.

  2. Click Create a resource > Monitoring + Management > Backup and Site Recovery.

  3. In Name, specify a friendly name to identify the vault. If you have more than one subscription, select the appropriate one.

  4. Create a resource group, or select an existing one. Specify an Azure region.

  5. To quickly access the vault from the dashboard, click Pin to dashboard > Create.

    Screenshot of the Recovery Services vault creation options.

    The new vault will appear on the Dashboard > All resources, and on the main Recovery Services vaults page.

Select a protection goal

Select what to replicate, and where to replicate it to.

  1. Click Recovery Services vaults > vault.
  2. In the Resource Menu, click Site Recovery > Prepare Infrastructure > Protection goal.
  3. In Protection goal, select To Azure > Not virtualized/Other.

Set up the source environment

Set up the configuration server, register it in the vault, and discover VMs.

  1. Click Site Recovery > Prepare Infrastructure.

  2. Ensure that you have done your deployment planning and run the deployment planner to estimate various requirements. Click Next.

  3. Select if your machines are virtual or physical in the Are your machines virtualized? option.

  4. If you don’t have a configuration server, click +Configuration server.

  5. If you’re enabling protection for virtual machines, then download the Configuration server virtual machine template.

  6. If you’re enabling protection for physical machines, then download the Site Recovery Unified Setup installation file. You will also need to download the vault registration key. You need it when you run Unified Setup. The key is valid for five days after you generate it.

    Screenshot showing the options to download the installation file and registration key.

Register the configuration server in the vault

Do the following before you start:

Verify time accuracy

On the configuration server machine, make sure that the system clock is synchronized with a time server. The two times should match. If the clock is 15 minutes ahead or behind, setup might fail.

Verify connectivity

Make sure the machine can access these URLs based on your environment:

Name Commercial URL Government URL Description
Azure Active Directory Used for access control and identity management by using Azure Active Directory.
Backup * * Used for replication data transfer and coordination.
Replication * * Used for replication management operations and coordination.
Storage * * Used for access to the storage account that stores replicated data.
Telemetry (optional) Used for telemetry.
Time synchronization Used to check time synchronization between system and global time in all deployments.

IP address-based firewall rules should allow communication to all of the Azure URLs that are listed above over the HTTPS port (443). To simplify and limit the IP ranges, we recommend URL filtering instead.

  • Commercial IPs - Allow the Azure Datacenter IP Ranges, and the HTTPS (443) port. Allow IP address ranges for the Azure region of your subscription to support the AAD, Backup, Replication, and Storage URLs.
  • Government IPs - Allow the Azure Government Datacenter IP Ranges, and the HTTPS (443) port for all USGov Regions (Virginia, Texas, Arizona, and Iowa) to support AAD, Backup, Replication, and Storage URLs.
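
The two checks above, as an added PowerShell example (not part of the original tutorial) to run on the configuration server before Unified Setup: it measures the clock offset with w32tm against a time server you name and tests TCP 443 to each host you pass in. The function names are hypothetical, and the host list is a parameter because the concrete URLs depend on your environment.

```powershell
# Added example: not part of the original tutorial.
function Get-ClockOffsetSeconds {
    param([Parameter(Mandatory)][string]$TimeServer)
    # Assumes English-format w32tm output; a sample line looks like
    # "12:00:00, +00.0123456s" (constructed). Needs outbound UDP 123.
    $out = & w32tm.exe /stripchart "/computer:$TimeServer" /samples:1 /dataonly 2>&1
    foreach ($line in $out) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$') {
            return [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
    }
    return $null   # no sample obtained (NTP blocked, name not resolved, ...)
}

function Test-ConfigServerPreflight {
    param(
        [Parameter(Mandatory)][string]$TimeServer,
        # Host names from the URL list for your cloud; wildcard entries must be
        # replaced with the concrete names your vault and storage account use.
        [Parameter(Mandatory)][string[]]$Endpoints,
        [int]$MaxSkewMinutes = 15   # threshold stated in the tutorial
    )
    $offset = Get-ClockOffsetSeconds -TimeServer $TimeServer
    [pscustomobject]@{
        Check  = "Clock offset vs $TimeServer"
        Detail = if ($null -eq $offset) { 'no NTP sample' } else { "$offset s" }
        Pass   = ($null -ne $offset) -and ([math]::Abs($offset) -lt $MaxSkewMinutes * 60)
    }
    foreach ($h in $Endpoints) {
        # Direct TCP connect to the HTTPS port; a failed connect yields $false.
        $ok = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = "HTTPS to $h"; Detail = 'TCP 443'; Pass = [bool]$ok }
    }
}

# Usage: Test-ConfigServerPreflight -TimeServer <time-server> -Endpoints <host1>,<host2> | Format-Table
```

The TCP test connects directly, so it does not reflect reachability when the Provider is configured to reach Azure through a proxy.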

Run setup

Run Unified Setup as a Local Administrator, to install the configuration server. The process server and the master target server are also installed by default on the configuration server.

  1. Run the Unified Setup installation file.

  2. In Before You Begin, select Install the configuration server and process server.

    Screenshot of the Before You Begin screen in Unified Setup.

  3. In Third Party Software License, click I Accept to download and install MySQL.

    Screenshot of the Third Party Software License screen in Unified Setup.

  4. In Registration, select the registration key you downloaded from the vault.

    Screenshot of the Registration screen in Unified Setup.

  5. In Internet Settings, specify how the Provider running on the configuration server connects to Azure Site Recovery over the Internet. Make sure you've allowed the required URLs.

    • If you want to connect with the proxy that's currently set up on the machine, select Connect to Azure Site Recovery using a proxy server.
    • If you want the Provider to connect directly, select Connect directly to Azure Site Recovery without a proxy server.
    • If the existing proxy requires authentication, or if you want to use a custom proxy for the Provider connection, select Connect with custom proxy settings, and specify the address, port, and credentials.

    Screenshot of the Internet Settings screen in Unified Setup.

  6. In Prerequisites Check, Setup runs a check to make sure that installation can run. If a warning appears about the Global time sync check, verify that the time on the system clock (Date and Time settings) is the same as the time zone.

    Screenshot of the Prerequisites Check screen in Unified Setup.

  7. In MySQL Configuration, create credentials for logging on to the MySQL server instance that is installed.

    Screenshot of the MySQL Configuration screen in Unified Setup.

  8. In Environment Details, select No if you're replicating Azure Stack VMs or physical servers.

  9. In Install Location, select where you want to install the binaries and store the cache. The drive you select must have at least 5 GB of disk space available, but we recommend a cache drive with at least 600 GB of free space.

    Screenshot of the Install Location screen in Unified Setup.

  10. In Network Selection, first select the NIC that the in-built process server uses for discovery and push installation of mobility service on source machines, and then select the NIC that Configuration Server uses for connectivity with Azure. Port 9443 is the default port used for sending and receiving replication traffic, but you can modify this port number to suit your environment's requirements. In addition to the port 9443, we also open port 443, which is used by a web server to orchestrate replication operations. Do not use port 443 for sending or receiving replication traffic.

    Screenshot of the Network Selection screen in Unified Setup.

  11. In Summary, review the information and click Install. When installation finishes, a passphrase is generated. You will need this when you enable replication, so copy it and keep it in a secure location.

    Screenshot of the Summary screen in Unified Setup.

After registration finishes, the server is displayed on the Settings > Servers blade in the vault.

Set up the target environment

Select and verify target resources.

  1. Click Prepare infrastructure > Target, and select the Azure subscription you want to use.

  2. Specify the target deployment model.

  3. Site Recovery checks that you have one or more compatible Azure storage accounts and networks.

    Screenshot of the options for setting up the target environment.

Create a replication policy

  1. To create a new replication policy, click Site Recovery infrastructure > Replication Policies > +Replication Policy.

  2. In Create replication policy, specify a policy name.

  3. In RPO threshold, specify the recovery point objective (RPO) limit. This value specifies how often data recovery points are created. An alert is generated if continuous replication exceeds this limit.

  4. In Recovery point retention, specify how long (in days) the retention window is for each recovery point. Replicated VMs can be recovered to any point in a window. Up to 15 days retention is supported.

  5. In App-consistent snapshot frequency, specify how often (in hours) recovery points containing application-consistent snapshots will be created. Click OK to create the policy.

    Screenshot of the options for creating a replication policy.

By default, a matching policy is automatically created for failback. For example, if the replication policy is rep-policy then a failback policy rep-policy-failback is created. This policy isn't used until you initiate a failback from Azure.

Enable replication

Enable replication for each server.

  • Site Recovery will install the Mobility service when replication is enabled.
  • When you enable replication for a server, it can take 15 minutes or longer for changes to take effect, and appear in the portal.

  1. Click Replicate application > Source.
  2. In Source, select the configuration server.
  3. In Machine type, select Physical machines.
  4. Select the process server (the configuration server). Then click OK.
  5. In Target, select the subscription and the resource group in which you want to create the Azure VMs after failover. Choose the deployment model that you want to use in Azure (classic or resource management).
  6. Select the Azure storage account you want to use for replicating data.
  7. Select the Azure network and subnet to which Azure VMs will connect, when they're created after failover.
  8. Select Configure now for selected machines, to apply the network setting to all machines you select for protection. Select Configure later to select the Azure network per machine.
  9. In Physical Machines, click +Physical machine. Specify the name and IP address. Select the operating system of the machine you want to replicate. It takes a few minutes for the servers to be discovered and listed.
  10. In Properties > Configure properties, select the account that will be used by the process server to automatically install the Mobility service on the machine.
  11. In Replication settings > Configure replication settings, verify that the correct replication policy is selected.
  12. Click Enable Replication. You can track progress of the Enable Protection job in Settings > Jobs > Site Recovery Jobs. After the Finalize Protection job runs, the machine is ready for failover.

To monitor servers you add, you can check the last discovered time for them in Configuration Servers > Last Contact At. To add machines without waiting for a scheduled discovery time, highlight the configuration server (don’t click it), and click Refresh.

Next steps

Run a disaster recovery drill.