TI9 and the Acronis Secure Zone

Discussion in 'Acronis True Image Product Line' started by Tabvla, Jun 21, 2006.

Thread Status:
Not open for further replies.
  1. Tabvla

    Tabvla Registered Member

    I am trying to understand the logic and practical implications of using the TI9 Acronis Secure Zone functionality.

    1. Reason for using the Acronis Secure Zone (ASZ)

    The only practical reasons that I can see to use the ASZ are to enable the Acronis Startup Recovery Manager and the Acronis Snap Restore. Is there any other reason to implement the ASZ?

    2. Benefits of using the Acronis Startup Recovery Manager (ASRM)

    What are the benefits of using the ASRM? Why not just boot from the TI9 CD? What functionality does the ASRM provide that is not provided when booting from the TI9 CD?

    3. Location of the ASZ

    Common sense dictates that the ASZ should always be located on a different disk to the system. Understandably this disk should be part of the local system and not a network drive. But must the ASZ be located on an Internal Disk or can it be located on an External USB drive? (The documentation isn't very clear about this, it just refers to a "local disk").

    4. The ASRM and the Master Boot Record (MBR)

    The ASRM must be activated before it can be used. When a user activates the ASRM it overwrites the MBR with Acronis proprietary code. Which MBR does it overwrite? The MBR on the System Disk or the MBR on the disk where the ASZ is located?

    5. Risks in using the ASRM

    Overwriting the MBR is a risky business. If this process goes wrong the disk may become unusable and might need to be reformatted. How does Acronis deal with such an eventuality?

    6. 3rd-party Boot Manager

    If the user has a 3rd-party Boot Manager installed on the System Disk (by default the Windows BootLoader will always be installed) then that Boot Manager (or the Windows BootLoader) will become inoperative because it will no longer recognise the MBR. Must the user now reinstall the Boot Manager? If the user installs or reinstalls a Boot Manager AFTER activating the ASRM the MBR will once again be overwritten with the proprietary code of the Boot Manager application. What happens now if the user boots using the ASRM? The MBR will now contain the code of the Boot Manager and not the Acronis code. Will the ASRM boot? If "yes" how is this possible and why does the ASRM overwrite the MBR in the first place. If "no" then what happens?

    7. ASZ on Disk_2

    Assume that on Disk_2 the user has several partitions containing data. The disk also has an additional partition containing the Acronis Secure Zone.

    Assume also that Disk_1 (the System Disk) fails. The user now boots using the ASRM. Where does the ASRM look for the MBR? It won't find it on Disk_1 because that disk has failed. Therefore logic dictates that the Acronis proprietary MBR must be located on the same disk as the ASZ - in this case Disk_2.

    Disk_2 would have initially not had an MBR because it was simply a data disk. When the user activated the ASRM the Acronis proprietary MBR was written to this disk. What are the implications for doing this? How high are the risks? What are the risks?

    8. System Disk Failure

    Assume that the System Disk fails. The user has an ASZ set up on Disk_2. The user removes the failed disk and replaces it with a new disk. The user now boots the system using the ASRM. How will the user reconstruct the failed System Disk to the new disk while ensuring that the new disk geometry matches the Partition Table that is contained within the system image?
     
  2. Xpilot

    Xpilot Registered Member

    I will not try to answer all your points but just to say why I find the secure zone the best place for storing my first line of defence backups. On a slave drive there is only a marginal increase in security using the zone but it has the great advantage of being self managing on the FIFO basis. So once one has decided on the size of the zone and set up a simple backup task schedule a user's involvement is no longer required. Backups happen automatically in the background and the zone will always have "n" images of the most recent backups in date and time order.
    I am not really concerned with the design logic behind the secure zone, though my understanding is that it was originally intended to be a place where images could be kept by users who only had one drive and no external media.
    I can see no merit in using the ASRM though I am sure some users find it helpful. The fact that it alters the MBR should be of no great concern as it is simple to put things back to where they were if one reads the manual and there are also recognised Windows methods available for those who don't bother.
     
  3. TheWeaz

    TheWeaz Registered Member

    1 - You only have 1 hard drive available.
    2 – Don’t have to search for the CD.
    3 – See response to #1.
    4 – AFAIK it’s the MBR from which the system boots.
    5 – Now backs up the MBR with partition images.
    6 – Never used one.
    7 – Again, see #1.
    8 – See above. :D
     
  4. bVolk

    bVolk Registered Member

    There are two more details that should be considered in my opinion.

    While the automatic deletion of image files following the FIFO rule may be convenient to some (scheduling) users, the Secure Zone prevents building an additional level of security by copying the occasional important image to another storage. Or managing the image files in any way, other than automatic FIFO.

    The activation of Startup Recovery Manager, besides modifying the MBR, takes away the option to boot into Windows Safe mode by means of F8.
     
  5. Acronis Support

    Acronis Support Acronis Support Staff

    Hello Tabvla,

    Thank you for choosing Acronis Disk Backup Software.

    Acronis Secure Zone is necessary for using Acronis Startup Recovery Manager and Acronis Snap Restore features.

    Acronis True Image bootable rescue CD includes the functionality of Acronis Startup Recovery Manager. However, if you do not want to use the bootable rescue media, you can just press F11 when you boot your computer and use Acronis True Image in rescue mode.

    We do not recommend creating the Acronis Secure Zone on an external drive. If you activate Acronis Startup Recovery Manager and then for some reason disconnect the drive Acronis Secure Zone resides on, your computer may boot with a long delay or not boot at all. You will need to either reconnect the drive with the Acronis Secure Zone or fix the master boot record (MBR). Please take a look at this FAQ article.

    Acronis Startup Recovery Manager overwrites the Master Boot Record on the System Disk.

    In this case, we recommend you to repair the MBR of the hard disk using one of the following methods:

    Windows 95/98/Me – boot from Startup Disk (floppy) and run "fdisk /mbr" command;
    Windows 2000/XP/2003 – boot from Installation CD into Recovery Console and run "fixmbr" command.

    Please note that it depends on the Boot Manager peculiarities. If you use Windows boot manager, Acronis Startup Recovery Manager does not affect it.

    If you use a Linux-based boot loader and you want to use Acronis Startup Recovery Manager, you should install the boot loader to the boot partition.

    We recommend you to use Acronis OS Selector which is the part of Acronis Disk Director Suite 10.0 if you want to have multiple operating systems (OSes) on one computer.

    If you activate Acronis Startup Recovery Manager on the computer where Acronis OS Selector is installed, Acronis OS Selector will function without any problems and recognize Acronis Startup Recovery Manager as the additional option.

    As I said above, Acronis Startup Recovery Manager overwrites the MBR on the System Disk (Disk 1). When you boot the computer using the F11 option, the MBR refers to Disk 2, where Acronis Secure Zone is located. If your Disk 1 has failed but the MBR is not corrupted, you will be able to load Acronis True Image. If your MBR is corrupted, we recommend you to use the bootable rescue media to restore the image.

    I'm afraid that if you remove the failed disk, you will not be able to boot the computer using Acronis Startup Recovery Manager. In this case, you need to use the bootable rescue media to boot the computer, restore the image to the new hard drive and activate Acronis Startup Recovery Manager once again if you want.

    You can find more information on how to use Acronis True Image 9.0 Home in the respective User's Guide.

    Thank you.
    --
    Tatyana Tsyngaeva
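
A way to check what activation (or a later "fixmbr") actually changed, as an added example that is not part of the original thread and not Acronis code: it splits a saved 512-byte MBR dump into loader code, disk signature and partition table using the standard MBR offsets, then compares two dumps region by region. The function names and the sample sector are this example's own constructions.

```python
import hashlib
import struct

BOOT_CODE = slice(0, 440)      # loader code: the part a boot manager or "fixmbr" rewrites
DISK_SIG = slice(440, 444)     # disk signature used by Windows NT-family systems
PART_TABLE = slice(446, 510)   # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"         # bytes 510-511 of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR sector into independently hashed regions."""
    if len(sector) != 512:
        raise ValueError("an MBR sector is exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for slot in range(4):
        entry = sector[446 + 16 * slot: 462 + 16 * slot]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:                      # type 0x00 marks an unused slot
            parts.append({"slot": slot, "active": entry[0] == 0x80,
                          "type": entry[4], "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[BOOT_CODE]).hexdigest(),
            "disk_signature": sector[DISK_SIG].hex(),
            "table_sha256": hashlib.sha256(sector[PART_TABLE]).hexdigest(),
            "partitions": parts}

def compare_mbr(baseline: bytes, current: bytes) -> dict:
    """Report which MBR regions differ between two sector dumps."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    return {"boot_code_changed": a["boot_code_sha256"] != b["boot_code_sha256"],
            "disk_signature_changed": a["disk_signature"] != b["disk_signature"],
            "partition_table_changed": a["table_sha256"] != b["table_sha256"]}

def build_sample_mbr(boot_fill: int) -> bytes:
    """Constructed test sector: filler 'boot code' plus one active NTFS partition."""
    sector = bytearray(512)
    sector[BOOT_CODE] = bytes([boot_fill]) * 440
    sector[DISK_SIG] = bytes.fromhex("01020304")          # constructed value
    # status=0x80 (active), type=0x07 (NTFS), start LBA 63, 1,000,000 sectors
    sector[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 63, 1_000_000)
    sector[510:512] = BOOT_SIG
    return bytes(sector)

if __name__ == "__main__":
    before = build_sample_mbr(0x90)   # stands in for a dump saved before activation
    after = build_sample_mbr(0xCC)    # same table, different loader code
    print(parse_mbr(before)["partitions"])
    print(compare_mbr(before, after))
```

A result with only `boot_code_changed` set is what a loader rewrite that leaves the partition table alone looks like; a changed partition table means the on-disk layout record was altered as well and the saved baseline dump is needed to put it back.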
     
  6. Tabvla

    Tabvla Registered Member

    Thanks to all who responded and particularly Tatyana of Acronis Support for a very detailed and informative reply.

    This thread contains some very relevant and important material and forms a good supplement to the appropriate section in the User Guide. Here is a summary of some of the important points to consider BEFORE implementing the Acronis Secure Zone (ASZ) and Acronis Startup Recovery Manager (ASRM).

    1. Points from Thread

    * Booting from the TI9 CD provides the same functionality as the ASRM but with one very big advantage - booting from the CD does not require any changes to be made to the Master Boot Record (MBR) and is therefore a preferred option in most situations.

    * If the System Disk fails due to an electrical or mechanical fault, or if the MBR on the System Disk is corrupted, the ASRM will not function even if the ASZ is on another disk. The user will still need to boot from the TI9 CD or some other bootable media.

    * A large number of PCs are purchased through Original Equipment Manufacturers (OEMs). The "Windows" CD supplied by an OEM with a PC is often proprietary to that specific OEM and usually contains only a subset of Windows functionality. Importantly, many OEM "Windows" CDs do not include the Recovery Console which means that if the MBR is corrupted the user cannot boot into Recovery Console and run "fixmbr".

    * Thanks to bVolk for pointing out that the ASZ and ASRM functionality removes the Windows Safe Mode F8 boot option. (Note for Acronis Support - this should be made clear in the User Guide). Safe Mode is possibly one of the least understood Windows utilities. Safe Mode is a very powerful tool that is absolutely indispensable in many critical situations. I would never recommend to a customer that they install any type of utility that removes the ability to boot into Safe Mode. In my view this alone eliminates the ASZ and ASRM as a viable option in most situations.

    * The ASRM will work with Acronis Disk Director and the Windows boot mechanism but may not work with other boot loaders.

    2. Summary

    If a system has more than one disk and has a CD drive then there is no benefit in setting up the Acronis Secure Zone and activating the Acronis System Recovery Manager.

    If a system has only one disk and no CD drive then the ASZ and ASRM provides functionality that may enable such a system to be booted in the event of a failure. However, whether such a system is bootable depends on the nature of the failure.

    3. Conclusion

    The ASZ and ASRM are not appropriate for most installations and should only be implemented in very special circumstances and then only if the benefits outweigh the risks.
     
  7. Xpilot

    Xpilot Registered Member

    Having ASZ on a slave drive is an excellent facility. Mine is used every day as the location of my backup images. These are created and managed automatically with no user intervention.

    I would not touch the ASRM with a Barge-Pole.

    Xpilot
     
  8. Tabvla

    Tabvla Registered Member

    Thanks Xpilot for your feedback. You seem to have found a good use for the ASZ, that possibly other users may find helpful. It may be of benefit to others if you detailed how you use the ASZ either in this thread or in a new thread.

    However, in terms of how Acronis intended the ASZ to be used, it is, in my view, functionality that is not appropriate for most installations. Acronis Support have stated that the ASZ should only be set up if the user intends to implement the Acronis Startup Recovery Manager and the Acronis Snap Restore. If the user has no intention of using this functionality then there is no purpose in setting up the ASZ.

    Another factor to take into account is that external disks are becoming increasingly popular for storing backups. Particularly the option of purchasing an inexpensive disk and locating it in an external housing is a very cost-effective option. Acronis Support recommend that the ASZ should not be located on an external disk, so this in itself is a limiting factor.
     
  9. shieber

    shieber Registered Member

    Rather than having to set up a special partition, or create post-command files to rename or delete backups to keep them in order and prevent excess accumulation, it would be really nice to be able to tell ATI to do that, to append a suffix serially to backups and when it gets to X, start over at 1, overwriting the existing file, if any.
     
  10. Mascot

    Mascot Registered Member

    Also worth mentioning is that on an ATI upgrade it corrupted my secure zone. Or rather the part of the secure zone that contains the recovery manager files (I assume the actual backup image was intact, though I don't know that for a fact). I got a "partition not bootable" or similar error message instead of the "Press F11 for recovery manager" prompt. Windows booted fine though, and once I went through the startup recovery activation wizard again the recovery manager was back in shape too.

    I must admit I actually perform a full backup to an external drive before I dare upgrade ATI. It's a great product when it works, but I do not trust anything in it apart from the core functionality of creating and restoring a full image. That includes its ability to upgrade itself without killing my entire machine.
     
  11. Xpilot

    Xpilot Registered Member

    OK,
    This is how I use the Secure Zone. It is set up on a slave drive that is mounted in my PC. It is large enough to hold ten whole main drive images. Images are created while Windows is running. The imaging process is started automatically by the Acronis Task schedule manager. I have chosen that the task is run daily. The main advantages of this way of using the secure zone are that the backups run automatically with no user input, they are managed on the FIFO basis and they are out of harm's way.
    I am aware that this is not the way that the SZ was designed to be used but as they say "So what" I think the way I have found is extremely useful.
    I used to follow the thinking that external disks were the way to go and till recently USB drives were part of my backup strategy as a second line of defence after the secure zone. But now I have found a better way!
    I will set out the main advantages:- It is no longer necessary to validate images. The process is much quicker than using external drives. DVDs stay next to the TV/Hi FI where they belong:)). The hardware costs are less than external drives. Restores are virtually instantaneous.

    The hardware change is to install a Caddy rack in the PC. This caddy drawer holds the main hard drive and another hard drive is kept ready in another Caddy drawer.
    The method of working is simplicity itself. After an automatic backup image has completed the computer is re-booted from the rescue CD having swapped the main drives over. A restore is then run and after it has completed re-boot and you are done.
    So one is left with a population of fully PROVEN backup images, a freshly restored hard drive in the computer and another up to date copy hard drive safe in its Caddy drawer. When a disaster strikes one just has to swap hard drives over and that is it job done.
    NB. At no time is the lengthy and sometimes difficult cloning process used. Imaging and restore can be much quicker and as no validation is needed even more time is saved.
    Now I am certain that the idea of doing a restore in advance was not in the mind of Acronis when they designed True Image but I have not let that stop me :-0
    I believe that this method of working using the best parts of TI and ignoring the rest is hard to beat.

    I apologise for repeating a lot of the content of a previous post of mine but I think the above detail explains my methodology more clearly.

    Xpilot
     