Recovering data from a corrupted VMware guest

Recently I had a client whose previous support team had set them up with 2 servers running VMware, with one of them being duplicated to the other using Veeam. The one thing they failed to do was limit the growth of the VM partition to the available space of the drive, so guess what happened? Yep, the VM storage drive ran out of space and corrupted the heck out of the 2 disks attached to the only guest on it. Veeam then dutifully copied over the corrupted data.

By the time they called us, the machine was beyond recovery as a usable machine (did I mention this was their DC?), even after trying several snapshots. We freed up enough space to boot the guest and got a solid 45 minutes of check disk repair, then a notice that there was no available AD information and a notice that we needed to boot into recovery mode and restore that data. Too bad that was gone.

So now the client really just wants their data back and a new machine built, but how were we going to get into the drive hosted on a Unix machine with multiple snapshots? It turns out this ended up being easier than expected. There is a great bootable CD called SystemRescueCD, which I was able to upload to the storage partition on VMware, attach as a CD image to the corrupted guest, and boot from. Once booted, you can attach the drives using the mount command and the drive name. In our case it was sdb1, so:

mount -t ntfs /dev/sdb1 /mnt/windows -o ro

Once the drive is mounted you can copy the data off over the network just like normal, assuming the rescue CD was able to initialize your network card. I would recommend using a program like TeraCopy to do the copy rather than the normal Windows copy. Keep in mind this mounts the drive read-only, so any tools like TeraCopy need to be installed on the destination machine. You can mount the drive read/write, but this is not recommended, because any write to an already corrupted file system risks destroying data that is still recoverable.
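
An added example, not from the original post: shell helpers for the rescue environment that confirm the mount really is read-only, build a SHA-256 manifest of the volume while logging files that cannot be read (likely on a damaged disk), and check a finished copy against that manifest. The function names and file paths are hypothetical, GNU coreutils is assumed, and verify_copy assumes the destination is reachable as a directory from the rescue system.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper names), not part of the original post.

# is_readonly MOUNTPOINT [MOUNTS_FILE]
# Succeeds only if MOUNTPOINT is mounted with the "ro" option.
# If a mount point appears more than once, the last entry decides.
is_readonly() {
    local mp="${1%/}" table="${2:-/proc/mounts}"
    [ -n "$mp" ] || mp=/
    awk -v mp="$mp" '
        $2 == mp {
            found = 1; ro = 0
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
        }
        END { exit (found && ro) ? 0 : 1 }' "$table"
}

# write_manifest SRC_DIR MANIFEST ERRLOG
# Hashes every regular file under SRC_DIR with paths relative to SRC_DIR.
# A file that cannot be read is listed in ERRLOG instead of aborting the run.
# Prints the number of unreadable files.
write_manifest() {
    local src="$1" manifest="$2" errlog="$3"
    [ -d "$src" ] || return 2
    ( cd "$src" && find . -type f -exec sh -c '
          for f do
              sha256sum -- "$f" 2>/dev/null || printf "%s\n" "$f" >&3
          done' sh {} + ) > "$manifest" 3> "$errlog"
    sort -k 2 -o "$manifest" "$manifest"
    echo $(( $(wc -l < "$errlog") ))
}

# verify_copy DEST_DIR MANIFEST
# Succeeds only if every file in MANIFEST exists under DEST_DIR with the same hash.
verify_copy() {
    local dest="$1" manifest="$2"
    ( cd "$dest" && sha256sum -c --quiet ) < "$manifest"
}

# Typical use after the mount command above (paths are assumptions):
#   is_readonly /mnt/windows || echo "WARNING: volume is not read-only"
#   write_manifest /mnt/windows /tmp/manifest.sha256 /tmp/unreadable.txt
#   verify_copy /mnt/destination /tmp/manifest.sha256
```

Keep the manifest and the list of unreadable files off the damaged volume; the list tells the client exactly which files could not be recovered.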
