XCPng Backups Larger than Expected

I have several small transaction volume Windows servers running in XCPng with backup set to delta, regular snapshots, CBT, and 30-day full interval. Those servers are DC, DHCP, Print, Bell Scheduler (hardly ever changes), and a DVR (data disk excluded). My nightly backups are averaging 7-10GiB, and randomly some will be 40+. I see no correlation to Windows updates or the amount of traffic/users on the network during the day (i.e., we are a small school and the same things happen over the weekend when no one is there). I’ve tried ways to shrink the backup size with scheduled sdelete on free space and making sure I don’t have any excess logging turned on. Our most busy server is the Windows-based SIS system and oftentimes its backups are smaller than the others. None of the Linux-based systems seem to have this issue, averaging less than 500Mb per.

Bottom line: is there a good way to see what files are changing on each of the backups so I can figure out how to reduce their size?

Also, just for understanding, are the delta backups (non key) deltas since the key or deltas since the delta? I am not seeing a progressively larger delta each time so I assume it is delta since last delta.

Thanks,
John

I am not much of a Windows expert, but as I understand it even light workloads can trigger frequent writes to the NTFS MFT, USN journal, event logs, prefetch data, Defender signatures, and Windows Search indexing. Each of these causes block-level changes that CBT or delta backup systems see as new data, even if the file content itself hasn’t changed.

It could be the page file (pagefile.sys), which by default exists on C:. One way around this would be to place the page file on its own disk, disabling it on other disks, and exclude that disk from backups.

Thank you LTS_Tom and Moseph_V for the input. Had not thought about the pagefile; I just moved it to a NOBAK disk. The current pagefile auto had it set to 2G, so that may account for a good amount. I also now understand that block-level tracking will not produce a file necessarily.

Still feel like I am shooting in the dark. Is there a way to log (in the OS itself) block changes and what is triggering them?

I just tried ProcMon and filtered for writes; that is the closest thing to what I think I am looking for. There are a ton of files I didn’t expect to see constantly changing, but they were all small <50Mb log files, not that many of them, and definitely wouldn’t add up to my average backup size.

Tom, you have converted me to be a believer in Linux! Still daily driving Windows but slowly converting. Video suggestion: what does it take to move a small company from a Windows AD based system to open-source alternatives, still maintaining centralized user authentication and end user Windows integration etc.? I might volunteer my 20 staff and 100 students to be a case study :smiley:

A good way to centrally manage users is still a really weak spot in Linux and among the reasons Windows AD has remained entrenched in most businesses.
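
For the ProcMon write filter mentioned above, an added example (not code from any poster in this thread) that totals writes per process and file from a ProcMon CSV export and estimates how much block-level change they represent, since block tracking counts whole touched blocks rather than bytes written. Assumptions: the export uses ProcMon's usual column names and `Offset: …, Length: …` detail text, the 2 MiB block size is an illustrative parameter, and file offsets only approximate disk blocks.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample rows in the column layout of a ProcMon CSV export.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:00:01 AM","svchost.exe","1200","WriteFile","C:\Windows\System32\winevt\Logs\Security.evtx","SUCCESS","Offset: 0, Length: 4,096, Priority: Normal"
"1:00:02 AM","svchost.exe","1200","WriteFile","C:\Windows\System32\winevt\Logs\Security.evtx","SUCCESS","Offset: 0, Length: 4,096, Priority: Normal"
"1:00:03 AM","svchost.exe","1200","WriteFile","C:\Windows\System32\winevt\Logs\Security.evtx","SUCCESS","Offset: 4,194,304, Length: 4,096, Priority: Normal"
"1:00:04 AM","MsMpEng.exe","2300","WriteFile","C:\ProgramData\Example\definitions.bin","SUCCESS","Offset: 0, Length: 6,291,456, Priority: Normal"
"1:00:05 AM","MsMpEng.exe","2300","ReadFile","C:\ProgramData\Example\definitions.bin","SUCCESS","Offset: 0, Length: 4,096, Priority: Normal"
'''

DETAIL_RE = re.compile(r"Offset: ([\d,]+), Length: ([\d,]+)")

def summarize(csv_text, block=2 * 1024 * 1024):
    """Return (process, path, bytes_written, est_dirty_bytes), largest first.

    est_dirty_bytes counts each block-sized region of a file once, however
    often it is rewritten. `block` is an assumed tracking granularity.
    """
    stats = defaultdict(lambda: {"bytes": 0, "blocks": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "WriteFile" or row["Result"] != "SUCCESS":
            continue
        m = DETAIL_RE.search(row["Detail"])
        if not m:
            continue  # no parsable offset/length in this row
        offset, length = (int(g.replace(",", "")) for g in m.groups())
        if length == 0:
            continue
        entry = stats[(row["Process Name"], row["Path"])]
        entry["bytes"] += length
        first, last = offset // block, (offset + length - 1) // block
        entry["blocks"].update(range(first, last + 1))
    report = [(proc, path, e["bytes"], len(e["blocks"]) * block)
              for (proc, path), e in stats.items()]
    return sorted(report, key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    # For a real export: open(path, encoding="utf-8-sig", newline="").read()
    for proc, path, written, dirty in summarize(SAMPLE_CSV):
        print(f"{dirty / 2**20:8.1f} MiB dirty {written / 2**20:8.3f} MiB written  {proc}  {path}")
```

In the constructed sample, the event log writes only 12 KiB but touches two separate blocks, so its estimated dirty size is 4 MiB.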