Process of recovering lost data files of Hyper-V virtual machines

Abstract: The data files of the virtual machines stored on the MD3200 storage were lost, so the entire Hyper-V service was paralyzed and the virtual machines could not be used. The fault environment is a Windows Server 2012 server with the Hyper-V virtual machine environment deployed in the system. The virtual hard disk files and configuration files are stored in DELL MD3200 storage hosted by a hosting center in Chaoyang District (Note: hard disks 600G*4, 4T*1).

Introduction:
The data files of the virtual machines in the MD3200 storage were lost, so the entire Hyper-V service was paralyzed and the virtual machines could not be used. The fault environment is a Windows Server 2012 server with the Hyper-V virtual machine environment deployed in the system. The virtual hard disk files and configuration files are stored in DELL MD3200 storage hosted by a hosting center in Chaoyang District (Note: hard disks 600G*4, 4T*1). The MD3200 storage is an array composed of four 600G hard disks, which store the data files of the virtual machines; a single 4T hard disk is used as a backup for the virtual machine data files.
Failure:
The entire Hyper-V service was paralyzed by the loss of the virtual machine data files in the MD3200 storage, and the virtual machines could not be used. Data detection was carried out as follows:
1. Perform a physical inspection of the MD3200 storage server: no physical failure is found in the storage, and all the hard disks involved are working normally.
2. Check the operating system: it runs normally and no faulty process is found, so data loss caused by an operating-system bug is ruled out.
3. Analyze the file system of the hard disk with lost data: it opens normally, shows none of the characteristics of virus damage, and anti-virus software detects no virus. Careful analysis of the file system shows that its metadata files were created on November 28, meaning the file system itself was created on November 28, which matches the time of the data loss. A failure of this kind usually indicates that the file system was deliberately rewritten, that is, the partition was formatted.
4. Check the system log: the system log from before and on November 28 has been cleared, while the audit log and service log have not. Normally this action is performed by a person. Formatting a partition is recorded only in the system log, which is consistent with the human sabotage described above.
5. Try to restore the system log: careful analysis of the underlying data on the hard disk shows that the system log entries that need to be recovered have been overwritten by newer log records and cannot be recovered.
6. Analyze all partitions in the operating system: only the file systems of two partitions in the MD3200 storage have been rewritten. Formatting two partitions normally requires two separate operations, so this targeted operation was most likely carried out by a person.

Solution
1. Backup user data
Since all the data is stored in the Dell MD3200 storage, only the data in the Dell MD3200 storage needs to be restored. Label all the hard disks in the Dell MD3200 storage with numbers, unplug them from the storage, and hand them over to the hardware department to check whether any hard disk is physically faulty. After confirming that there is no problem, make a full disk image of each hard disk, using a dedicated tool (WinHex) to mirror every sector of the hard disk to a backup hard disk.
Figure 1: Using professional tools to back up all hard disk data.

2. Reorganize the disk array
After mirroring, analyze the RAID 5 related information, such as the stripe size and stripe direction. Reorganize the hard disks according to this information, then analyze the data on each hard disk. The analysis found that the four 600G hard disks formed a RAID 5 array and the other 4T hard disk was used as a data backup. Careful analysis of the data structure on the four 600G hard disks allows this RAID array to be reconstructed.
Figure 2: Using professional tools to reorganize the RAID.

Figure 3: Using professional tools to open the hard disk array.

3. Scan old file index items
Careful analysis of the underlying data on the hard disk shows that many directory entries and file index items of the previous file system still remain on the disk. Careful checking confirms that the data pointed to by these file index items is the content of the files the user lost. However, because the whole hard disk is very large, searching for file index items manually is very slow, so a small program was written to extract file index items: it scans the entire hard disk for every surviving file index item and extracts the index items of all files.

4. Analyze the scanned file index items
A detailed analysis of all the scanned file index items shows that they are discontinuous, and most are aligned to 16K or 8K. Under normal circumstances the file index entries are continuous, with a fixed size of 1K, and each file index entry corresponds to one file or directory. The discontinuous and incomplete file index items scanned out belong to files that can no longer be indexed normally, so the scanned file index items must be processed further. Search the scanned file index items for ".VHD" and a ".VHD" file record can be found; then extract the continuous file index entries of that slice. Next, check whether the extracted file index entry contains a record pointing to the next file index entry or an H20 attribute. If it does, match the next file index entry according to the features in the file index entry; if not, skip this file index entry. With this method, most of the file index item fragments can be found. The missing fragments may be damaged, but they can be searched for on the data backup disk, so most of the file index items can be located.
Figure 4: Screenshot of a file index item.
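The scanning program of step 3 and the ".VHD" search of step 4, as an added example that is not the author's program: it carves NTFS file records (the 1K "FILE" records that the file index items are) from a raw image at every sector boundary, undoes the update-sequence fixup so that a record whose sector was overwritten later is skipped rather than misread, and reads the name from each resident $FILE_NAME attribute. The disk image, record numbers and file names are constructed test data; following the "H20 attribute" on to the next record is not implemented here.

```python
import struct
REC_SIZE = 1024        # NTFS file record size: the "fixed 1K" file index entries
ATTR_FILE_NAME = 0x30  # $FILE_NAME attribute type

def parse_record(rec):
    # Return (record number, [file names]) for one 1K record, else None.
    if rec[:4] != b"FILE": return None
    rec = bytearray(rec)
    # Undo the fixup: sector-end bytes hold the USN, the originals sit at usa_off
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    for i in range(1, usa_cnt):
        pos = i * 512 - 2
        if rec[pos:pos + 2] != rec[usa_off:usa_off + 2]:
            return None  # torn record: a sector was overwritten later, skip it
        rec[pos:pos + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    attr_off = struct.unpack_from("<H", rec, 0x14)[0]
    recno, names = struct.unpack_from("<I", rec, 0x2C)[0], []
    while attr_off + 0x18 <= len(rec):
        atype, alen, nonres = struct.unpack_from("<IIB", rec, attr_off)
        if atype == 0xFFFFFFFF or alen == 0:  # end-of-attributes marker
            break
        if atype == ATTR_FILE_NAME and nonres == 0:
            clen, coff = struct.unpack_from("<IH", rec, attr_off + 0x10)
            body = rec[attr_off + coff:attr_off + coff + clen]
            names.append(body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le"))
        attr_off += alen
    return recno, names
def carve_records(image):  # old records survive anywhere on disk: scan by sector
    offs = range(0, len(image) - REC_SIZE + 1, 512)
    return [(o,) + r for o in offs if (r := parse_record(image[o:o + REC_SIZE]))]
def find_vhd(image):  # the ".VHD" search from step 4
    return [(o, r, n) for o, r, ns in carve_records(image) for n in ns if n.lower().endswith(".vhd")]

def build_record(recno, name):  # constructed minimal record with one resident $FILE_NAME
    body = bytes(0x40) + bytes([len(name), 1]) + name.encode("utf-16-le")
    attr = struct.pack("<IIBBHHHIHH", ATTR_FILE_NAME, 0x18 + len(body), 0, 0,
                       0x18, 0, 0, len(body), 0x18, 0) + body
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                      0x40 + len(attr), REC_SIZE, 0, 1, 0, recno)
    rec = bytearray((hdr + b"\x01\x00" + bytes(6) + attr + b"\xff" * 4).ljust(REC_SIZE, b"\0"))
    rec[510:512] = rec[1022:1024] = b"\x01\x00"  # sector-end fixup values
    return bytes(rec)
def build_image():  # constructed 64 KB image: records at 8K/16K offsets, one torn
    img = bytearray(b"\xa5" * 65536)
    for off, recno, name in [(8192, 40, "VM01.vhd"), (16384, 41, "VM01.xml"),
                             (32768, 78, "VM03.vhd"), (49152, 77, "VM02.VHD")]:
        img[off:off + REC_SIZE] = build_record(recno, name)
    img[32768 + 1023] = 0x99  # overwrite the torn record's last sector
    return bytes(img)
```

Run against a real image, `find_vhd` would be fed the sector-level copy made in step 1; the record numbers it returns are what step 5 uses to splice the directory structure together.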

5. Form the file index items into a complete directory structure
Find all the file index items using the method above, then splice them into the complete directory item structure according to the number of each file index item. The following are some of the file index items found. Since some file index items are damaged, only most of them can be found, but these are enough to splice together the entire directory structure.
Figure 5: Fragments of the scanned file index items.

6. Repair the file system
Replace the directory structure in the existing file system with the reconstructed directory structure, then use professional tools to modify some of the check values. Then use professional tools to parse the directory structure and view the originally lost data.
Figures 6 and 7: The directory structure as parsed by professional tools.

To determine whether the data is correct, restore one of the latest VHD files, copy it to a server that supports attaching a VHD, and try attaching this VHD. It attaches successfully; then check whether the latest data in the VHD is complete. After all checks are complete, all the data is restored to a hard disk.
Figure 8: All the recovered virtual machine data files.

7. Verify all data
Build a Hyper-V environment on a test server and connect the recovered virtual machine files to this server. Then import the virtual machines to migrate the recovered data into the new Hyper-V environment, and let the customer verify that all virtual machines are complete.
Figures 9 and 10: The process of importing the virtual machines.

8. Migrate all data
After the customer verifies that all virtual machines are OK, copy all the data to the customer's server, then import the virtual machines into the customer's Hyper-V environment using the import method. The virtual machines need to be imported as shown in the figures below. After importing, no error is reported; all the virtual machines are started, and all start without problems.
Figures 11 to 13: Importing the virtual machines into the customer's Hyper-V environment.
