Monday, November 08, 2004

SBS Backup Event Logs

I see all too often posts in the newsgroups and Yahoo groups about SBS Backup failing with Event log ID 5634. This is not a surprise, Event ID 5634 means that backup failed.

Let me take a step back here and tell you how the reporting mechanism works.
A program called bkprunner.exe will launch via Task Scheduler and drop event 5632 into the event log, thus marking the start of the backup process. At this point bkprunner.exe will read a bunch of registry settings to figure out what to do. Using the registry, bkprunner will call NTBackup.exe with the correct parameter set according to the registry settings.

NTBackup performs the actual backup. Bkprunner.exe will simply just wait for NTBackup to finish it's task.

Hours later, NTBackup happily exits and bkprunner comes alive. At this point, bkprunner will look for any NTBackup errors scattered around the system, if it finds one, it logs Event ID 5634 as an error, if it doesn't find one, it logs 5633 as a successful backup, then reports the result to the admin console passing along the NTBackup log file.

So, what does this mean? "SBS Backup failed with Event ID 5634" does not mean anything other than it failed. The best way to find out WHY your backup failed, is to actually read the NTBackup log file from the Backup snap-in.

Don't forget that there is a tone of information in the Backing up and Restoring whitepaper. Also, if you're stuck, you should check out the Troubleshooting Backup & Restore online.