First Defense-ISR 2.1
Roll back from OS mishaps in a snap.
by Danielle Ruest and Nelson Ruest
Posted June 10, 2004
By juxtaposing the words Immediate, System, and Recovery in the product name of Raxco Software's new First Defense-ISR (FD-ISR), the company sets a high expectation for system administrators. Does FD-ISR really deliver immediate system recovery, as its name promises? Under the right circumstances, the answer is yes.
Large and small IT shops struggle with system recovery constantly. Some use backups for system protection. Others use third-party software such as disk imaging tools to protect their entire system. Still others use a combination of both along with additional methods supported by the operating system.
Microsoft has come a long way in simplifying system restoration for both users and IT shops. Windows XP, for example, now includes the ability to create System Restore Points, which automatically capture the running state of a system before any major change. If anything goes wrong after the change, you can simply use the System Restore tool to revert to a previous restore point. Both Windows XP and Windows Server 2003 also include Automated System Recovery, a tool that creates a bootable floppy disk that can be used to directly connect to your backup device to restore a nonworking system. Although these tools simplify the restoration of a server or a workstation, they still require time to perform the restoration.
That's where FD-ISR comes in. It is designed to capture snapshots of the operating system—but not the data a system holds—and allow you to boot to a previous snapshot in the event of a mishap. That means it will save an image of your operating system automatically and store it in a secure location on your hard disk. You have the option of booting to the FD-ISR boot screen from which you can select a snapshot to boot into. When you do so, it launches your system with the information stored in the snapshot.
Several technologies work together to make FD-ISR work. The first is the snapshot capability. This begins when you install FD-ISR, since it considers the state of the operating system at installation as the first snapshot. Once installed, you use the Getting Started Wizard to create an additional snapshot. By default, this is called the second snapshot. Just follow the instructions (see Figure 1). This snapshot is a duplicate of your operating system (OS); therefore, if your OS takes up 2 GB on your disk, the snapshot will take up 2 GB as well.
Second, FD-ISR can take snapshots of the operating system while it is running because it includes a special open file manager that will automatically take a copy of files even if they are open. Without this capability, FD-ISR would only create partial copies of the OS—copies that would be less than useful.
Third, FD-ISR allows you to anchor your data files. Data anchoring refers to the exclusion of data files from both the snapshot and the snapshot reboot process. This means that when you exclude data files, the OS snapshot will be smaller in size. It also means that when you reboot into a snapshot, the files and folders you excluded will not be overwritten by the snapshot, letting you continue to work with a previous edition of the OS, but with current data files.
Fourth, it can use incremental copies when creating additional versions of a snapshot. This helps save disk space for snapshot storage. And fifth, in the event of a system breakdown, you can use FD-ISR's boot loader (or boot floppy if your master boot record is damaged) to boot into a safe snapshot (see Figure 2). These five features make up most of FD-ISR's capabilities.
For servers, FD-ISR can be run through the command line, which lets you script snapshot operations. Alas, no central management console is available. FD-ISR supports Windows 2000 and later, which leaves Windows 95, 98, Me, and NT machines out in the cold. In addition, it only works with NTFS drives; no version of FAT is supported.
FD-ISR controls the protected area of your disk through NTFS permissions. By setting deny access permissions on the special C:\$ISR folder that it creates, FD-ISR ensures that the only way to access the snapshots you take is through the FD-ISR application. For FD-ISR to work, both the boot and the system partitions must be on the same disk, and that disk can't be an NTFS dynamic volume; it must be a basic disk. Though FD-ISR supports the protection of servers, even clustered servers, these requirements do have an impact on its use. Most administrators build servers with multiple partitions: for example, C drive for the system, D drive for data, and E drive for transaction logs or other temporary data. Because the C drive only holds the system, administrators tend to make it smaller than the others, say between 4 and 6 GB. Administrators using FD-ISR to protect servers will have to reconsider this approach because the hidden FD-ISR folder is automatically created on the boot drive. If your OS takes up 2 GB and your C partition is only 4 GB in size, you will be dangerously close to a full system drive, something that can cause system failure by itself (see Figure 3). You may have to rebuild your server system partitions (because they can't be expanded easily) before running FD-ISR on your servers. This shouldn't be an issue for workstations because they tend to have only one partition.
FD-ISR is a fine tool for system protection, especially if you don't have any other protection method. However, it protects you only as long as you don't experience a complete drive failure, since all snapshots are stored locally on the system drive. If you want to use FD-ISR for server protection, you'll have to make sure you have some form of Redundant Array of Independent Disks (RAID) in place because drive failures are the most common hardware failure in IT.
FD-ISR can help protect against virus infections. It can easily replace the "Last Known Good Configuration" reboot option in Windows, and protect from bad driver installations and some hardware failures. Because it supports both snapshot update scheduling and incremental snapshots, it can easily capture images of your OS over time and let you return to them when required. In this way, it is much like a virtual machine with nonpersistent disks. You can take a snapshot, try new software on your system, and return to the snapshot when the test is done, reverting your system to a pristine state.
FD-ISR is useful for home PCs because few users have the skills to repair damaged systems. It provides protection for servers, but it means system administrators need to rethink the way they construct the system drive. It also means performing manual operations on each server (though this can be done through a remote desktop connection). Two great additions for server use would be remote storage of the snapshots and central administration. As for workstations, IT shops should already have technologies in place for the protection of user data and the rapid construction/reconstruction of PCs, so we can't see the workstation edition of FD-ISR deployed in large organizations. Be warned, though. Because FD-ISR operates from the system disk, you'll have to make sure you also have other means of protection.
Quick Facts
Raxco Software's First Defense-ISR 2.1
Web: www.raxco.com/products/fdisr/
Phone: 800-546-9728
Pricing: $44.95 per workstation; $349.95 per server; volume licensing is available
Quick Facts: By taking snapshots of the OS, First Defense-ISR simplifies and speeds system restoration on desktops and servers using Windows 2000 and later.
Pros: Allows you to boot from an earlier snapshot of your OS in the event of a mishap.
Cons: Doesn't protect against complete drive failure. Requires rebuilding of system partitions on most servers. No central management console.
About the Author
Danielle Ruest and Nelson Ruest (MCSE, MCT) are multiple book authors focusing on systems design, administration, and management. They run a consulting company that concentrates on IT infrastructure architecture and change and configuration management. You can reach them at .