
Solution for missing Hyper-V data files (with screenshots as proof)

2025-04-07 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

I. Overview of Hyper-V Virtualization failures

1. Virtual machine environment

The failed virtualization environment is an ESXI virtualization server. The hard disk files and configuration files of the virtual machines are kept on a DELL MD3200 storage unit at a server hosting company in Beijing (the storage consists of five 600G hard disks forming a RAID disk array). Four hard disks in the storage hold the data files of the virtual machines, and a single hard disk is used as a backup of the virtual machine data files.

2. Fault analysis of virtual machine

Physical inspection of the MD3200 storage server: it is found that there is no physical failure in the storage, and all the hard drives involved are working normally.

Check the operating system: it is working properly and no faulty process was found, so data loss caused by an operating system bug was ruled out.

Analyze the file system of the hard disk that lost data: it opens normally and does not show the characteristics of virus damage, and antivirus software detected no virus. Careful analysis of the file system shows that the creation time of its metafiles is April 24, which means the file system itself was created on April 24, coinciding with the time of the data loss. This usually indicates that the file system was rewritten by a person, that is, the partition was formatted.

Check the system log: the system log from before November 28 and from that same day has been emptied, but the audit log and the service log have not. An operation like this is generally carried out by a person. Moreover, formatting a partition is recorded only in the system log, which is consistent with the deliberate destruction described above.

Try to recover the system log: careful analysis of the underlying data on the hard disk shows that the system log records to be recovered have been overwritten on disk by new log records and cannot be recovered.

Analyze all partitions in the operating system: only the two partitions on the MD3200 storage had their file systems rewritten. Formatting two partitions generally requires two separate operations, so this targeted action should have been carried out by a person.

3. Summary of the common ways that lead to the failure

You can format the selected partition by right-clicking the partition and selecting the format button.

Enter the "cmd" command in the start menu "run" to enter command line mode, and then use the FORMAT command to format the specified partition.

Create a bat file, write formatting commands to the file, and then run the bat file to format the specified partition.

Because two separate file systems lost data, the above process may have been executed multiple times. It should have been caused by human operation.

II. Formulate a data recovery scheme for the virtual machines

1. Make a full backup of the hard drives that lost data to ensure the security of the data.

2. Analyze the data on each hard disk and reorganize the RAID array according to the structure found.

3. Analyze the reorganized array to see whether the original file index items and the corresponding data areas can be found.

4. Check whether the file index items found match the user data, and check whether the corresponding data areas are damaged.

5. Splice the scanned file index item fragments into a complete directory structure.

6. Using the spliced directory items, recover the corresponding data from the underlying disk and check whether the data is correct.

7. Check the data and restore all the data.

III. Implement the solution

1. Back up user data

Because all the data is in the Dell MD3200 storage, only the data in the Dell MD3200 storage needs to be recovered. Number all the hard drives, unplug them from the Dell MD3200 storage, and hand them to the hardware data recovery team to check whether any drive has a physical failure. Once testing shows no problem, make a full mirror of each hard disk, using the data recovery tool to mirror all the sectors of each hard disk to a backup hard disk.

[Figure: backing up all hard disk data with professional data recovery tools]

2. Reorganize the disk array

Analyze the data on each hard disk after mirroring and backing up all the hard drives. It is found that 4 600G hard drives make a RAID5, and another 600G hard disk is used as data backup. Through the detailed analysis of the hard disk structure, the relevant information of the RAID 5 disk array is obtained, such as stripe size, stripe direction and so on. Based on this information, the RAID can be reorganized.

[Figure: reassembling the RAID with professional tools]

[Figure: the hard disk array opened with professional tools]
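The reassembly step described above, as an added example that is not the recovery team's tool: it rebuilds a logical volume from RAID 5 member images for a given stripe size and direction, and lists stripe rows whose parity does not XOR to zero. The member data, the 64-byte stripe and the `left-symmetric` direction are constructed for illustration; the page does not state the array's actual parameters.

```python
from functools import reduce

def xor_blocks(blocks):
    """Bytewise XOR of equal-length blocks: the RAID 5 parity operation."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def row_layout(row, n, direction):
    """Return (parity_disk, data disks in logical order) for one stripe row."""
    parity = (n - 1 - row) % n                      # "left": parity walks from last disk to first
    if direction == "left-symmetric":               # data starts just after the parity disk
        return parity, [(parity + 1 + i) % n for i in range(n - 1)]
    if direction == "left-asymmetric":              # data runs disk 0..n-1, skipping parity
        return parity, [d for d in range(n) if d != parity]
    raise ValueError(f"unsupported direction: {direction}")

def reassemble(members, stripe_size, direction):
    """Rebuild the logical volume from member images; also list rows whose parity fails."""
    n, out, bad_rows = len(members), bytearray(), []
    for row in range(min(len(m) for m in members) // stripe_size):
        off = row * stripe_size
        chunks = [m[off:off + stripe_size] for m in members]
        if any(xor_blocks(chunks)):                 # data XOR parity must be all zero
            bad_rows.append(row)
        _, order = row_layout(row, n, direction)
        for d in order:
            out += chunks[d]
    return bytes(out), bad_rows

def build_members(data, n, stripe_size, direction):
    """Constructed test fixture: stripe `data` across n members with rotating parity."""
    members = [bytearray() for _ in range(n)]
    row_bytes = stripe_size * (n - 1)
    for row in range(len(data) // row_bytes):
        parts = [data[row * row_bytes + i * stripe_size:][:stripe_size] for i in range(n - 1)]
        parity, order = row_layout(row, n, direction)
        for d, part in zip(order, parts):
            members[d] += part
        members[parity] += xor_blocks(parts)
    return [bytes(m) for m in members]

if __name__ == "__main__":
    volume = bytes(range(256)) * 6                  # constructed 1536-byte "volume"
    disks = build_members(volume, 4, 64, "left-symmetric")
    rebuilt, bad = reassemble(disks, 64, "left-symmetric")
    print(rebuilt == volume, bad)
```

Parity only shows that the members are mutually consistent; it passes for any direction, so the geometry itself has to be confirmed from content, such as file system structures reading contiguously.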

3. Scan the old file index entries

Careful analysis of the underlying data of the hard disk shows that many directory entries and file index entries of the previous file system still exist on the disk. Careful checking confirms that the data these file index entries point to is the content of the files the user lost. However, because the whole hard disk is very large, searching for file index entries manually would be very slow, so a small program was written to extract file index entries: it scans the whole hard disk for all surviving file index entries and extracts the file index entries of all files.

4. Analyze and scan to the file index entry

Analysis of all the scanned file index items shows that they are discontinuous, and most of them are aligned at 14K or 6K. Under normal circumstances file index entries are contiguous and fixed in size, and each file index entry corresponds to one file or directory. Discontinuous, incomplete file index items cannot be used as they are to locate the contents of a file, so the scanned file index items need further processing. Search the scanned file index entries for ".VHD" to find a ".VHD" file record, then extract the contiguous file index items around it. Next, check whether an extracted file index entry has a record or H20 attribute that points to the next file index entry. If it does, match the next file index entry according to the characteristics recorded in the entry; if not, skip that file index entry. Most of the file index items can be found this way. Some file index entry fragments may have been destroyed, but the missing fragments can be found on the data backup disk, so most of the file index entries can be recovered.

[Figure: screenshot of a file index entry]
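A sketch of the kind of scanner described in steps 3 and 4, added here as an example and not the program the recovery team wrote. It assumes the file system is NTFS, that the "file index entries" are 1024-byte MFT `FILE` records, and that the "H20 attribute" is attribute type 0x20 (`$ATTRIBUTE_LIST`); the page states none of these explicitly, and the sample records are constructed.

```python
import struct

RECORD_SIZE = 1024                                   # assumed NTFS file record size
ATTR_LIST, FILE_NAME, END = 0x20, 0x30, 0xFFFFFFFF   # NTFS attribute type codes

def parse_record(rec):
    """Parse one candidate record; None unless it carries the FILE signature."""
    if len(rec) < RECORD_SIZE or rec[:4] != b"FILE":
        return None
    off, = struct.unpack_from("<H", rec, 0x14)       # offset of the first attribute
    number, = struct.unpack_from("<I", rec, 0x2C)    # record's own number (NTFS 3.1 header)
    info = {"number": number, "names": [], "attr_list": False}
    while off + 16 <= RECORD_SIZE:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END or alen < 16 or off + alen > RECORD_SIZE:
            break                                    # end marker or damaged attribute chain
        if atype == ATTR_LIST:
            info["attr_list"] = True                 # further attributes sit in other records
        elif atype == FILE_NAME and rec[off + 8] == 0:       # resident $FILE_NAME
            body = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            if body + 0x42 <= off + alen:
                raw = rec[body + 0x42: body + 0x42 + 2 * rec[body + 0x40]]
                info["names"].append(raw.decode("utf-16-le", "replace"))
        off += alen
    return info

def find_vhd_records(image, step=512):
    """Scan sector-aligned offsets; return (offset, info) for records naming a .vhd file."""
    hits = []
    for pos in range(0, len(image) - RECORD_SIZE + 1, step):
        info = parse_record(image[pos:pos + RECORD_SIZE])
        if info and any(n.lower().endswith(".vhd") for n in info["names"]):
            hits.append((pos, info))
    return hits

def make_record(number, name, attr_list=False):
    """Constructed sample record (not real disk data) for exercising the scanner."""
    rec, off, raw = bytearray(RECORD_SIZE), 0x38, name.encode("utf-16-le")
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 0x14, off)
    struct.pack_into("<I", rec, 0x2C, number)
    if attr_list:                                    # minimal 0x20 attribute header only
        struct.pack_into("<II", rec, off, ATTR_LIST, 0x20)
        off += 0x20
    alen = (0x18 + 0x42 + len(raw) + 7) & ~7         # header + $FILE_NAME body, 8-byte aligned
    struct.pack_into("<II8xIH", rec, off, FILE_NAME, alen, 0x42 + len(raw), 0x18)
    # body starts 0x18 after the attribute header: name length at +0x40, name at +0x42
    rec[off + 0x58: off + 0x5A + len(raw)] = bytes([len(raw) // 2, 1]) + raw
    struct.pack_into("<I", rec, off + alen, END)
    return bytes(rec)
```

Update-sequence fixups are not applied, so the last two bytes of each 512-byte sector inside a record are not restored; a name that straddles such a boundary would need that step first.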

5. Compose the file index items into a complete directory structure

Find all the file index entries using the method above, and splice them into the complete directory entry structure according to the numbers of the file index entries. Some of the file index entries found are shown below. Because some file index entries are corrupted, only most of them can be found, but these are enough to splice together the entire directory structure.

[Figure: a fragment of the scanned file index entries]

IV. Repair the file system

Replace the directory structure in the existing file system with the rebuilt directory structure, and then use the data recovery tool to modify some of the check values. After that, use the data recovery tool to interpret the directory structure, and the originally lost data becomes visible.

[Figure: the directory structure as interpreted by professional tools]

To determine whether the data is correct, recover one of the latest VHD files, copy it to a server that supports attaching VHDs, and try to attach it. The attachment succeeds; then check whether the latest data in the VHD is complete. After everything has been checked, restore all the data to a hard disk.

[Figure: all the recovered virtual machine data files]

V. Verify all data

Build the Hyper-V environment on a test server, connect the restored virtual machine files to the server, and migrate the recovered data to the new Hyper-V environment by importing the virtual machine. Finally, it is up to the customer to verify that all virtual machines are complete.

[Figure: the virtual machine import process]

VI. Migrate all data

After the customer verifies that all virtual machine data has been successfully restored, copy all data to the customer server. Then import the virtual machine into the customer's Hyper-V environment.
