Oracle Database Backup And Recovery Information

Contents

Options
Backup Modes:
             Offline or Cold Backup
             Online or Hot Backup

Which files to backup
Archive Log Mode
NoArchivelog
Implement a Backup strategy
Guidelines for scheduling Routine backups
Implement Non-routine Backups
Performance
Procedures to enable Archiving Log Mode
Checking Backups for Curruption
Recovery Guidelines
Overview of database recovery
Performing Recovery
Recovery Details
Prevention, detection and repair Notes
Control files
Online redo logs
System tablespace
Rollback segment tablespace
Temp tablespace
Loss of application data file
Case 1: Loss of index data file
Case 2: Loss of application table datafiles
Read-only tablespaces
Archive logs

Backup Guidelines

Options

A quick review of Oracle backup and recovery options.
 

Backup Modes	Backup Types
	Logical	Physical	Offline	Online
Export	Y			Y
Cold		Y	Y
Hot		Y		Y

Online backups are performed while the database is still running, off-line backups are performed while the database is down. Logical backups can also be used for migrating between database versions and Oracle platforms. In Oracle these are performed using the IMPORT/EXPORT utilities.

Backup Modes

a) Offline or Cold Backup

Copying of the datafiles, control file and online redo log files must be done by using an operating system copy utility. This is a considered as a complete backup of the database. Any changes made after this backup will be unrecoverable if the database is running in NOARCHIVELOG mode. All transactions are recorded in online redo log files whether archiving or not. When redo logs are archived (ARCHIVELOG mode), ORACLE allows you to apply these transactions after restoring files that were damaged (assuming an active Redo log file was not among the files damaged). Whenever the schema of the database is changed i.e., a new datafile is added or a file is renamed or a tablespace is created or dropped, shutdown the database and at least make a copy of the control file and the newly added datafile. A complete backup of the database is preferred.

Procedure
1. Execute script to generate suitable backup script to accomplish (5) below (where applicable).
2. Backup the control file to trace file.
3. Shut down application (where applicable).
4. Shut Oracle down cleanly. If a SHUTDOWN ABORT has been issued, the instance must be restarted and closed again.
5. Copy all relevant database files to a staging area. These comprise:

• Data files
• All Redo Log files, including all mirror group members
• Database control file
  
• All associated parameter files ( database initialization parameter file, init.ora, )
  
• The database password file

6. Restart database.
7. Copy files created to offline storage media (i.e. tape). Ideally these copies will be left on disk to minimise the time taken to recover the database.
 

b) Online or Hot Backup

At sites where database must operate 24 hours per day and when it is not feasible to take offline backups, then an alternative is provided by ORACLE to perform physical backups while the database remains available for both reading and updating. For this kind of backup the database must be in ARCHIVELOG mode. Only data files and current control file need to be backed up. Unlike offline backups, the unit of a online backup is tablespace, and any or all tablespaces can backed up whenever needed. Different datafiles can be backed up at different times. This process should be fully automated if possible. Procedure:

• Execute script to generate suitable backup script to accomplish 2) and 3) below ( where applicable ).
  
• Run script to backup all relevant database files, comprising :-
  • Data files are grouped into Tablespaces, and before any file is backed up, its’ Tablespace must be marked by running the command:
    ALTER TABLESPACE xxxx BEGIN BACKUP;
  • Copy the tablespaces.
  • End of backup is marked by the command:
    ALTER TABLESPACE xxxx END BACKUP;
  • Database control file (physical backup, also copied to trace file);
    
  • All associated parameter files ( database initialization parameter file, init.ora);
    
  • The database password file (if used);
    
  • Any required application data files.
  • Perform a 'alter system archive log current;'
  • Archive Redo Log Files (but NOT the Online Redo Log Files, you should query the v$archived_log view )
• Copy files created before to offline storage media (i.e tape).

Not all data files need be backed up in this operation, for example read-only tablespaces only need to be backed-up once after the tablespace is made read-only. All of the above processing can be performed while the database is open. Ideally it should occur during a period of low transaction activity.

Frequency of online backups

In order to determine how frequently to back up the files of a database, balance the amount of time available for taking backups and the time available for recovery after media failure. The time for recovery depends on how old your most recent copy of the damaged file is. The older the backup, the greater the number of redo log files needed to be applied, and the longer recovery will take.

Backup strategies must be tested before being used to protect a production database.

Ensure that backups of all datafiles and of all necessary redo logs are kept, and that backups are restored correctly. (If file compression is used, verify that the file is correct after decompression.)

What happens between BEGIN BACKUP and END BACKUP?

Once the ALTER TABLESPACE ts_name BEGIN BACKUP is issued, two things happen:

(1) Extra information is recorded in the redo logs. Because of this, is it important that on-line backups are done as quickly as possible, and also, if possible, during a quieter period when there is less update activity on the database.

(2) The status in the datafile header is changed to indicate that the datafile is being backed up. Oracle stops recording the occurrence of checkpoints in the header of the database files. This means that when a database file is restored, it will have knowledge of the most recent checkpoint that occurred BEFORE the backup, not any that occurred during the backup. This way, the system will ask for the appropriate set of redo log files to apply should recovery be needed. Since vital information needed for recovery is recorded in the Redo logs, these REDO LOGS are considered as part of the backup. Hence, while backing up the database in this way the database must be in ARCHIVELOG mode. Status in the datafile header is not reset until END BACKUP is issued.

On END BACKUP, the system ceases writing this extra information to the redo-logs, and recommences noting the occurrence of the checkpoints in each file of the database. The checkpoint in the datafile header is changed during the next log switch after END BACKUP is issued. The above information will allow the tablespace to be recovered as if the database had been offline when the backup took place.

Which files to backup

All the files belonging the database are important. Along with other tablespaces, special care should be taken to ensure that the SYSTEM tablespace and tablespaces containing rollback segments, are protected by backups. Also backup the control file and datafile immediately after adding it to a tablespace or after creating tablespace if archiving is enabled. If media failure damages a datafile that has not been backed up, recovering it's tablespace is not possible. After backing up the newly added datafile, include it in the regular datafile backup rotation.

Identifying the files to backup: Use the 'v$' (dynamic performance tables) to find the file names:

Archive Log Mode

Archiving is the process of writing data from a filled online redo log file to a backup destination.
An Oracle database can operate in either NOARCHIVELOG or ARCHIVELOG mode. Oracle writes to the current online redo log file until it fills up, it then begins writing to the next one. When the last online redo log file is full, Oracle cycles back to the first one. In ARCHIVELOG mode each log file is saved before being overwritten. The archive process will backup each redo log file as soon as it is filled. The ARCHIVELOG function enables a whole range of possible backup options:

• provides protection against media and instance failure
• enables 24-hour availability and is mandatory for hot backups
• allows point-in-time recovery
  
• recovery possible without losing any data
  
• allow the database to stay up, preserving the data in the SGA
  
• Archiving can be done manually or automatically.

Points to note:

• Archived redo log files can be used to help recover an Oracle database using any of the backup modes listed above, assuming that all redo log files that have been used since the backup have been archived
• After each redo log is filled the redo log is archived to a backup device
  
• A failed transaction is still a transaction; redo log files keep track of rollback segment extents, so rolled back inserts or deletes affect it just like completed transactions
  
• Repetitive failed load attempts can create massive numbers of redo log files
  
• Until an online redo file is archived it cannot be reused
  
• When it gets stuck, i.e. none of the redo log files are ready for reuse the database comes to a halt
  
• Administration is more complex as the DBA has to keep track of multiple archive log files

Recommendations:

• Use ARCHIVELOG MODE. It is mandatory for full database recovery without loss of data. It is required to support Hot Backups and to recover transactions lost since the last backup.
  
• Size your log files carefully.
  Too small and the database will be archiving too frequently. This means a performance overhead due to frequent check-pointing. It will result in the creation of a large number of small archive log files making file management and recovery more complex. Too large and the archive process will take too long and the archive log files may end up spanning multiple tape volumes.
• Archive to disk and then back up to tape overnight. Archiving directly to tape is complicated and prone to problems.
  
• When recovering. Try to ensure that all of the archive log files that will be needed are on disk. This will greatly speed up the process.

NOARCHIVELOG:

• Provides instance recovery only
• Online redo log files are overwritten when needed Only the most recent changes to the database (or those that are in the current online redo log files) are available at any give time
  
• Recovery will involve the loss of transactions processed since the last backup or export was done
  
• Hot Backups not supported. The database will be unavailable during backups.

Implement a Backup strategy

Its important to identify exactly what recovery facilities are required by the site This will determine the frequency and type of backup that will have to be taken. The answers to several questions must be established before attempting to implement any backup procedures.

• How much data can you afford to lose?
• How often and for how long, can the database be off-line to perform backups?
• Should recovery be needed, how quickly do you need to recover your data?
  
• Do you need the capability to reverse changes made to the database?

Implementing a backup strategy requires consideration of the following.

• How to minimize vulnerabilities during backup and recovery?
• How can physical and logical errors be monitored and checked for?

How much data can you afford to lose?
If you can afford to lose up to a day's worth of data, then running in NOARCHIVELOG mode and taking nightly off-line backups is sufficient. Any changes applied to the database after the most recent backup will be unrecoverable.
If you cannot afford to lose transactions performed since the last backup then you must run in ARCHIVELOG mode. The archived redo log files contain a record of all transactions applied since the last backup. These transactions can be reapplied after restoring from backup any datafiles that were damaged.

How often and for how long, can the database be off-line to perform backups?
Many sites operate 24 hours per day. Even at sites where the database can be shutdown for maintenance, a complete backup may take longer than the window available. When it is not feasible to take off-line backups often enough to provide the protection from data loss the site requires, then online backups are the only option.

Should recovery be needed, how quickly do you need to recover your data?
The cost of downtime (or database outage) may be a key factor in configuring the backup strategy. Recovery time using:

Logical backups (export) take the longest

• Recovery using an Export file requires initializing the database and rebuilding the system tablespace prior to importing the data.
• If the backup contains incremental export files, multiple export files may have to be read in order to reconstruct the database. The more recent your full backup, the faster the recovery will be.

Physical backups provide the fastest recovery times.

• Physical backups depends on the type of backup storage device. Maintaining as much of the backup as possible online will help minimise downtime.
• Cold backups take as long as it takes to restore all the database files
  
• Hot backups depends on the age of the backed up datafile(s) that have to be restored and hence the number of archived redo log files that have to be applied. The number of redo log files will also be determined by their size.(NB. 100Mb redo log files can be applied in 1/2 hour on an HP98XX) If all archived redo log files can be located in the directory specified by the ARCHIVE_LOG_DEST parameter in the init.ora file, then automatic recovery will not require to prompt for redo log file names.

Do you need the capability to reverse changes made to the database?
Do you wish to be able to protect against inadvertent changes made to both the content and structure of the database. For example, bringing back a dropped table, or removing a datafile added to the wrong tablespace.

How to minimize vulnerabilities during backup and recovery?

• backup and recovery procedures must be as simple as possible to reduce the possibility of error.
• Any scripts used to implement a backup strategy must test for any read or write failures, must rollback on error and report errors to the console, via a log file and through mail.
  
• The scripts must be able to be interrupted and restarted at any time without causing any 'holes' in the backup.
  
• A desirable feature is the capability to write a header and label onto each tape used for backups as well as producing a file listing of the tape's contents and a printed tape label. The tape label should be attempted to be read prior to any attempt to write to the tape.
  
• If the database structure changes it is less desirable to have a hard coded list of datafiles used by the backup. Ideally the backup script should query the database to find out which datafiles are currently in use. This option may be compromised if only certain datafiles ot tablespaces are backed up on given days.
  
• Since loss of an archived redo log file disables recovery from that point on, maintaining multiple copies of archived redo log files will allow recovery from multiple media failures.
  
• The archived redo log files for a database ought not reside on the same physical disk device as any database file or online redo log file.
  
• If database files are being backed up to disk, a database file residing on the same physical device as its backup copy is not adequately backed up.

How can physical and logical errors be monitored and checked for?

• Routinely check the database can be restarted
• There are certain parameters that are only checked on startup; errors with rollback segments in particular may only show up during startup operations.
  
• Perform a full export periodically A full system export picks up information that user exports do not; this includes third-party indexes and grants. Export checks that database files are logically readable. [NB: This does not imply that they are logically importable; corrupt records may be exported into the dump file, preventing import.]
  
• The export dump file can be used to retrieve particular tables/users if needed. Its worth running scripts to map the tablespaces to owners, and owners to tablespaces immediately following the export. In the event of a tablespace loss, you would then be able to quickly determine what users/systems will be affected.

Guidelines for scheduling Routine backups

• Backup procedures should be automated and scheduled. Do not rely on ad-hoc backups.
• Have a valid backup for all tablespaces. Do not forget to backup the system tablespace.
  
• Read only tablespaces need to be backed up once
  
• Backup frequency should be determined by the update activity of each tablespace. More frequent backups of heavily used tablespaces will reduce recovery time in the roll forward phase.
  
• Keep archive logs long enough to recover all changes made to the database since the last valid backup.
  
• Keep two copies of archive logs. If only one copy is available then loss will prevent full recovery.
  
• Send backup files off site to prepare for disaster recovery.
  
• If your production schedule allows, take a regular FULL COLD database backup. This is the easiest state to recover to
  
• Test your backup procedures to make sure that they work. Know how long full database recovery and recovery by tablespace takes. Test your disaster recovery strategy.
  
• Make sure all DBAs responsible for recovery understand the process and are involved in the test exercise.

Implement Non-routine Backups

Non routine backups are required in the following circumstances:

• Database Upgrades
• Database Schema Changes
• Whenever the database structure is changed by adding, renaming or dropping a tablespace, datafile, or log file, a control file backup should be performed. The ALTER DATABASE BACKUP CONTROLFILE TO <filename> command can be used to take an online backup of a control file.
  
• When a datafile is added to the database, a backup of the new file be taken immediately. The new file should also be added to any automated backup procedures.
  
• The database can maintain multiple copies of the control file, and so a copy of the control file should be placed on several different disk devices. A control file can be added to the database by shutting down the database, copying the control file, altering the INIT.ORA parameter CONTROL_FILES, and restarting.

Performance

Backup and recovery performance can be improved using the following guidelines:

• Backing up database files to disk can speed recovery, since the file need not be restored from tape. Also, backing up to disk often allows backup procedures that run in a shorter amount of time.
• The procedure of rolling forward a database or database file from a backup can in many cases be simplified and made faster by keeping on disk all archived redo log files needed to roll forward the least recently backed up database file of a database. For many systems, much of the time necessary for recovery is spent loading archived redo log files from tape.
  
• At times maintenance procedures might be performed that would generate large amounts of archived redo logs. Such procedures might benefit from having archiving disabled during their duration.
  
• Using hot backups, only one tablespace at a time should be in backup mode.
  
• Hot backups should be performed during low user activity. When in backup state, a tablespace's activity is still written to the archive logs. However, it's written block-by-block rather than byte-by-byte. So changing one record in a tablespace that's being backed up will result in that record's entire block being written to the archive area.

Implementing a Backup Strategy Using ARCHIVELOG

• The number of online redo log files provide a window of time should the archive destination become full.
• When you start archiving, archived logs will be written every time the redo operation is about to overwrite a previously written log file. It will write it to the directory indicated by the LOG_ARCHIVE_DEST parameter in your init.ora file. They will all be the same size (in V6; V7 can have variably sized archive logs) as your redo logs. They will increase in number until they run out of space on their destination device. At that point the database will freeze until you clear more space for them in the LOG_ARCHIVE_DEST location. SO, have a second location ready to receive them.
  
• Do each tablespace one at a time. That is, rather than setting them all offline, then backing them up, then setting them back online, do them each separately. You don't want to risk having a system crash while the entire database is in begin backup state; recovery is a mess. Minimize your window of vulnerability by having only one tablespace in backup state at any one time.
  
• Before you backup the control file, force an archive log switch (use 'alter system archive log current;' instead of ‘alter system switch logfile;’ ). This will update the header information in the control file.

 
Procedures to enable Archiving Log Mode

Enabling automatic archiving (init.ora) method

Shutdown the database from Server Manager:

• SHUTDOWN;

O/S backup of all database, redo logs, and control files.

Set two parameter in INIT.ORA.

• LOG_ARCHIVE_START = TRUE
• LOG_ARCHIVE_DEST = < device:[dir]FILE_NAME_PREFIX

Startup ARCHIVELOG mode from Server Manager:

• STARTUP MOUNT <dbname>;
• CONNECT INTERNAL;
• ALTER DATABASE <dbname> ARCHIVELOG;
  
• ALTER DATABASE <dbname> OPEN;

Enabling manual archiving method

• Shutdown the database from Server Manager:
• SHUTDOWN <dbname>;
• Operating system backup of all database, redo logs, and control files.
  
• Startup ARCHIVELOG mode from Server Manager:
  
• STARTUP MOUNT <dbname>;
  
• CONNECT INTERNAL;
  
• ALTER DATABASE <dbname> ARCHIVELOG;
  
• ALTER DATABASE <dbname> OPEN;

Disabling automatic archiving

• Disabling Automatic archiving (the database must be mounted but not open.)
• LOG_ARCHIVE_START = FALSE

From within Server Manager:

• STARTUP MOUNT <dbname>;
• CONNECT INTERNAL;
• ALTER DATABASE <dbname> NOARCHIVELOG;

Checking backups for corruption

If you use RMAN to perform backups, the contents of this paper don’t apply to you. Being an Oracle utility, RMAN knows the structure of Oracle blocks, and can therefore detect corruption as it is backing things up. If any corruption is encountered, it will throw an error stack the size of the Empire State Building, and proceed no further.

If you are using Operating System techniques to take your backups, though, then there is a real risk that the resulting copies of Data Files and so forth might get corrupted as part of the backup process -or that the Data Files themselves already contain corruption, which the O/S just happily copies across, oblivious to its presence.

Fortunately, Oracle supplies a handy little utility called "dbverify" which can be used to check the backed up copies of the Data Files for corruption, once the backup has finished. This utility is run from the command line, by typing in the command dbv. You simply tell it what files to check, and supply some other run-time parameters if needed. You might type something like this, therefore:
        C:\> DBV FILE=D:\BACKUPS\SYSTEM01.BKP BLOCKSIZE=8192 LOGFILE=DBVLOG.TXT

Note that you must tell dbverify what size Oracle blocks to expect when it scans the Data File copy. If you miss that parameter out, dbverify will expect to find 2K blocks, and when it encounters anything else, will simply abort with an error.

You’ll also notice there a ‘logfile’ parameter. That’s so that dbverify’s work can be output to a text file for later reading. If you miss it out, the results of the check are simply displayed on screen, which is probably not exactly what you want.

There are some other parameters that can be supplied, too. For example, you can request a check of parts of a Data File copy, by specifying the start and end block addresses. If you need the complete list of available parameters, just type:
    C:\> DBV HELP=Y

Now all the Oracle documentation states that dbverify can only be applied to ‘cache managed files’ -i.e., ones which are read into the Buffer Cache. So that theoretically rules out running it against the Control Files and seeing whether they are internally corrupt. However, in Oracle version 8.0, 8i and 9i, you can run the tool against Control Files.

Well, dbverify honestly cannot be used to verify redo log files, whether of the Online or Archived variety (if you try it, you’ll get a report indicating that the entire file is corrupted, which simply means it doesn’t understand their contents). Therefore, the only really viable tool is Log Miner - and that was only introduced in Oracle 8.1.x (though it can be used from there to examine 8.0.x version logs).

If Log Miner encounters corruption during its analysis session (begun with the EXECUTE DBMS_LOGMNR.START_LOGMNR(DICTFILENAME=>’HJRDICT.ORA’) command), then it simply bombs out with an error -at which point you know you have a problem.
 
 

Recovery Guidelines

This section is divided into two parts.

• An overview of database recovery

A step through the options available to the DBA including example commands.

• Prevention, detection and repair

A more detailed look at recovery based on the database component which has failed.

Overview of database recovery

Instance Failure
Instance failure is a hardware, software, or system failure that prevents an instance from continuing work. It can be caused by a CPU failure, an operating system failure, a power outage, failure of one of the ORACLE background processes or a failure to access a required database file when the file is not lost or damaged.

Instance Recovery
Instance recovery is automatic. Restarting the database performs the instance recovery. It involves two steps.

1) Rolling forward.

• data that has not been recorded in the database
• the contents of rollback segments

2) Rolling back transactions that have been explicitly rolled

• back or have not been committed.

Any resources held by transactions in process at the time of the failure will be released. Instance recovery is not necessary if the database is shutdown normally.

Media failure
Media failure is a hardware, software, or system failure that prevents reading or writing to files that are required to operate the database. Media failure is a failure caused by the loss of the control file, database files or redo log file.

Media Recovery
The database must be operating in ARCHIVELOG mode. In addition, you must have the latest backup of database, all online redo log files, archived logs, current control file.
 

Performing Recovery

You can use different commands to recover your database, they are:

1) RECOVER DATABASE
This command is only used with a current control file. Database must be mounted, but not OPEN. The control file is compared with the datafile header and brings the datafiles up to date by applying archived redo logs to make the control file entries match the datafile header. Online redo logs are applied to make the datafiles current.
Once the recovery is complete open the database with:
ALTER DATABASE OPEN

2) RECOVER DATAFILE ‘filename’
This command is used when database is up and can't be brought down. Can also be used when the database is in mounted state. The tablespace which contains these datafiles must be taken offline.
Issue RECOVER DATAFILE ‘filename’. You will be prompted for log files. The changes will be applied only to these files.
Once the media recovery is complete the tablespace can be brought online. Allows 'multi-tasking' recovery. Different datafiles can be recovered parallelly using different sessions or terminals. Very useful when there are several datafiles to be recovered.

3) RECOVER TABLESPACE ‘tsname’
Tablespace must be offline. Database must be in OPEN state. Recovers a single tablespace to the current state. This command can't be used on SYSTEM tablespace or a tablespace which has rollback segments having a status "in use".

If having database OPEN is not an issue, can recover using standard recovery (RECOVER DATABASE)

4) RECOVER DATABASE UNTIL CANCEL
Manual recovery after media failure enables you to control how many redo log files to apply to the database. This can used to undo an inadvertent change to the database by stopping recovery before the change took place. MANUAL option needed for recovery with a control file backup (old copy) and current control file is not available.
Database must be MOUNT-ed but not OPEN. After MOUNT-ing the database connect internal and issue RECOVER DATABASE UNTIL CANCEL command. Then you will be prompted beginning with the earliest redo log file recorded in the header of each database file. The recovery process will continue to prompt for redo log files until CANCEL is typed when prompted for the next redo log file. Recovery can be cancelled at any time of any redo log.

5) RECOVER DATABASE UNTIL TIME <date&time>
Is same as RECOVER DATABASE UNTIL CANCEL except the granularity is recovery is stopped at a specified in time within a log file.
The format of <date&time> is YYYY-MM-DD:hh:mm:ss where YYY:MM:DD is the year, month and day component of the data, and hh is the hour, mm minutes, and ss seconds component of the time.

6) RECOVER DATABASE &ldots;.. USING BACKUP CONTROLFILE
Can be used for recovery with an old copy (backup) of control file. Everything else is similar to other RECOVER DATABASE commands.

Opening the Database
As security measure before starting the recovery backup datafiles, online logs, and control file. If space is a constraint then at least backup the online logs and control files.
Open the database with: ALTER DATABASE OPEN [NO]RESETLOGS

RESETLOGS
Before using RESETLOGS option take a cold backup of the database. Once RESETLOGS is used then the redo log files can't be used at all.
The RESETLOGS clears all the online redo logs and modifies all the online data files to indicate no recovery is needed. After resetting the redo logs none of the existing log files or data file backups can be used. In the control file log sequence number is modified, which is very important for recovery purposes. The recovery will be applied only to the log files whose sequence number is greater than log sequence number in the control file. One has to be very cautious when using RESETLOGS option. One more important factor to remember is that all datafiles must be online otherwise they will become useless once the database is up.

NORESETLOGS
The NORESTLOGS option will allow to apply the online redo logs and will not clear the redo log files during startup. Leaves online logs intact. Only used in scenario where MANUAL RECOVERY started and CANCELled, and then RECOVER DATABASE is started.
 
 

Recovery Details

Prevention, detection and repair

This report outlines possible database outages and focuses on procedures needed to prevent, detect and repair these outages. The report is sectioned by database component and includes suggestions and recommendations to prevent, detect and repair the loss of the component. Ideally, proactive mechanisms are implemented to reduce the likelihood of outages but if they do occur, recovery should be automated as much as possible.
 

Control files

Control files are key components to recovery. A control file that reflects the physical structure and current status of the database must always be available. The control file should be backed up at the completion of every structural change. For example, after adding a data file or log file and after the completion of a hot backup to the database, the control file should be backed up.
Because a control file is an unreadable binary file, Oracle provides a method to create a readable SQL script. Such a script is generated for a given control file by issuing an alter database backup control file to trace command. Multiple backup copies of control files from different times should be kept to enable point-in-time recovery. Oracle recommends that a backup control file be created after the completion of a hot backup or after a structural change to the database. In addition, backing up of the control file to a trace file should be done as frequently as backing up the control files. The trace files should have a naming standard which includes the timestamp. Trace files with and without the resetlog option should be created and kept readily available in the event the DBA needs to recreate the control file quickly in a recovery situation. This should be standard practice in all database environments.
At least three control files should be used. Each should be on different controllers and disks. Since loss of any control file will result in the database crashing, it is always advisable to have the control files hardware mirrored as well. Hardware striping, which does not give any performance gains since control files are small, should not be used. By using hardware striping, the probability of losing a control file due to disk failure increases dramatically because the control file is striped or distributed across several disks.
In the event of losing a control file and its mirrored copy due to user error or corruption, the DBA can easily restart the instance with the remaining valid control files. If all control files are lost, the DBA needs to startup nomount the instance, recreate the control file by running a valid create control file script, and open the instance.
Failure to write to any one of the control files will result in the database aborting or crashing. Oracle does recommend having multiple copies of the control file spread over multiple disks to reduce the probability of losing all control files due to corruption or disk crash. However, having several copies of the control files should not be the only protection, we recommend that the control files should be mirrored on the hardware level.
If you lose a single control file and have at least one good control file, we recommend that you

• shutdown abort if the instance is not down yet.
• check background trace files to determine which control file is corrupted.
• copy the good control file over the bad one or modify the init.ora to reflect only good control files.
  
• startup

If you lose all your control files, then you should issue the command

• CREATE CONTROLFILE

The create control file command should already be in a script and can easily be created while the database is up by issuing an alter database backup controlfile to trace. The output from the RESETLOGS option is dramatically different from the output without RESETLOGS (NORESETLOGS is default).
The NORESETLOGS option produces a script that does not contain the thread numbers of each group. This may be serious problem if you modify this script to contain the RESETLOGS option. This will ignore the other threads.

Risks and disadvantages of the create controlfile command:

• Lost previous log history.
• Database specific details must be recreated by looking at the file headers.
• Data file information is obtained by data files. If the data files are corrupted or not from a single backup, then there may be problems.
  
• Certain optimizing SCN structures are ignored with a backup controlfile
  
• User error possibility is high when there is not a create controlfile script already in place.
  
• Check if you are in archivelog mode.

When should you backup your controlfile?

• After the completion of a hot backup
• After a database structural change (i.e. add data file, change sizes of files, add log files)
• After a tablespace status change (i.e. READ-ONLY to READ-WRITE or vice versa)
  
• After backing up your control file, you should also create or adjust any create controlfile scripts. Your control file is a key component in recovery. It should always represent the physical configuration and the file status of the time you open the database. In most situations, it is best to recover with the current control file.

What to check for when using the backup controlfile option during recovery?

Make sure that the contents of the controlfile reflect the physical structure of the database you are recovering to.

Alter database open resetlogs is needed when using backup controlfile. A backup is always recommended after resetlogs because the logs are cleared and the sequence numbers are reinitialized.

In the event that media recovery needs to be performed, the current control file should be used if it does reflect the physical structure of the database that you are planning to recover to. The current control file preserves crucial timestamp and stop SCN information which may optimize and ease recovery while using the "backup control file" syntax needs to ignore some timestamp information found in the control file. The "backup control file" syntax relinquishes control of recovery to the user.
 

Control Files	Preventive Steps	Detection Mechanisms
Loss of any control file will result in an outage.	Hardware mirroring Redundant Controllers Three or more control files on separate disks and controllers. Control file backups nightly, after hot backups and after structural changes. Control file create scripts created with alter database backup controlfile to trace command at the same interval. These scripts should be modified to fit the needs of the database.	Parsing the alert.log and background trace files for errors. Monitoring disks and controllers for failures

Types of Outage	Steps	Early Detection	Error Detection
Loss of a single control file Notes: The time metrics do not include analysis of the trace files and modification to the init.ora file. These tests were performed on a 5 GB database)	Shutdown Instance (abort ) Start Background processes Mount exclusive Crash Recovery Open DB	No detection is possible until a checkpoint is performed.	The CKPT process if present, otherwise the LGWR process will generate the error stack OPIRIP, ORA-00447, ORA-00201, ORA-00202. Error number 202 reports the file effected. The full syntax is; ORA-00202: CONTROL FILE: ‘file name’
Loss of all control files Notes: The time metric assume that the ‘alter database backup controlfile to trace’ command has been correctly edited and is available for execution.	Shutdown Instance (abort ) Start Background processes Create Controlfile Media Recovery Archive Log Current Open DB (includes crash & other checks ) 1.56 Mins	No detection is possible until a checkpoint is performed.	The CKPT process if present, otherwise the LGWR process will generate the error stack OPIRIP, ORA-00447, ORA-00201, ORA-00202. Error number 202 reports the file effected. The full syntax is; ORA-00202: CONTROL FILE: ‘file name’

Online redo logs

On-line redo logs are crucial for instance and media recovery. They contain the redo to roll the database forward and the undo needed to rollback any uncommitted transactions. The loss of a current on-line redo log or loss of an unarchived on-line redo log will result in an outage. An unarchived log cannot be dropped unless NOARCHIVELOG mode is enabled; unfortunately, in order to switch to this mode, one needs to shutdown and remount the instance.

To protect from the above outages, Oracle recommends Oracle multiplexing of the redo log files over disk mirroring if both techniques cannot be used. Oracle multiplexing (multiple members per group) protects against user error (e.g. an accidental delete) while hardware mirroring does not. Ideally, each member of the on-line redo group should be on different drives and different controllers and not striped across disks. Here is an example which contrasts OS mirroring of log files versus log file groups. If there is a single operator or configuration error to a mirrored log, the mirrored logs become corrupt and operations are stopped. In contrast, Oracle continues to run if only one member of the multiplexed on-line log is corrupted or destroyed. Thus, Oracle multiplexing of groups are more resilient. Although it requires allocating more on-line redo logs and adds a small performance overhead, Oracle recommends its use in place of mirroring.

For extreme cases where the instance aborts due to a background process dying, the customer may need to bring up the database and perform crash recovery within a small interval of time. This interval of time should reflect the checkpoint interval setting or checkpoint_timeout setting in your database. A checkpoint is the process of writing out dirty buffers from the SGA to the physical data files and updating the files on completion to synchronize them to a point in time. Smaller checkpoint intervals will enable crash recovery to complete faster although it imposes a performance overhead of writing dirty buffers and updating file headers. Oracle, however, always does a checkpoint on a log switch. A typical recommended setting is a checkpoint every 10 to 15 minutes.

Furthermore, the customer should monitor the frequency of checkpoints and archiver wait problems. Although the database is up and running, since it is hung due to checkpoint problems or archiver wait problems, the database is essentially not available. If the checkpoint initiated in a log is not completed before the log needs to be recycled, the database will temporarily freeze all user activity until the checkpoint is finished. Async io should be available and should be default. With Async io, this problem does not usually appear. If async io is not available, multiple database writers (DBWR) and a checkpoint process (CKPT) can reduce checkpoint wait errors but usually is only a temporary fix. However, if this happens frequently, it may be due to the size and number of log files being small relative to the rate of changes being made in the database. A similar situation arises when log writer waits on archiver to complete archiving of a redo log. Again, the solution is to add more log file groups or increase the size of the log file groups to allow the archiver process more time to do its job. One can also increase log_archive_buffer_size to increase the size of a single read from the on-line redo logs by archiver (arch). Multiple archivers are a common solution to archive waits. One can enable another "archiver" process by systematically issuing an ‘alter system archive log current’. Checkpoints should always be monitored to determine if activity predictions are accurate or changing. Log_checkpoints_to_alert is set to TRUE in the init.ora to write checkpoint messages to the alert.log; however, this may cause a flood of messages in the alert.log. Alternatively, the checkpoints can be monitored via querying V$SYSSTAT.

Oracle recommends that log file status be monitored very closely, especially for the STALE or INVALID status. The INVALID log file errors do appear in the alert.log as an IO error and would be detected by alert.log parsing. The STALE status indicates that the state of any pending write on that log is unknown or the log is not complete (a log being written to prior to a shutdown abort). This potential problem does not appear in the alert.log and can only be monitored by V$LOGFILE. If frequent STALE or INVALID status is found on a running database, it may be indicative of hardware problems.

Log files have the highest IO activity along with rollback segments. They should be placed on their own set of disks if possible and definitely separated from the archive files.

Standards:

• Naming convention should be established.
• Multiplexing should be mandatory
• Mirroring on the hardware level is extra protection.
  
• Redo logs (groups) should be isolated from other disk files.
  
• Redo log members should be the same size.
  
• Redo log should be sized to switch once between every fifteen and thirty minutes or depending on your availability standards.
  
• Log checkpoint interval and log checkpoint timeout should be set.
  
• Sufficient redo logs (groups) should be created to prevent archiver induced
  
• file busy waits or checkpoint busy waits.

What do you do when you lose or discover a stale or invalid redo log member of a group?

• Investigate the problem and check if it is still accessible to oracle.
• Drop the invalid or stale member if problems still persist and recreate the log member somewhere else if possible. Stale logs can also be caused by switching a log. Stale implies that the log is not completely full or complete.

What if you lose the entire group that has been archived?

• Attempt to drop the group and recreate a new group.
• If this is successful, then initiate a hot backup because recovery can not skip missing logs.. If not, then this implies that this is the current or next log..
  
• You need to restore and perform incomplete database recovery to the log group preceding the crashed one - using until cancel or until time recovery.

What if you lose a group that has not been archived but is not the current or next group?

• One needs to shutdown the database.
• Startup mount, alter database noarchivelog, and drop the log group.
• Alter database archivelog and then startup. From testing, we sometimes see that if the archive log lossed has not checkpointed then the database will not allow you to startup with archivelog. One must startup with noarchivelog, shutdown, and then restart.
  
• Add subsequent groups.
  
• Strongly suggest running a hot backup at this time because recovery can not recovery pass missing logs.

What do you do if you lose the current online redo log?

• You need to restore and perform incomplete database recovery.

Multiplexing the logs would have the effect of LGWR multiplexing writes and ARCH multiplexing reads. Should one operation be lost, the affected instance would not be crippled. Using mirroring, a read or write could be lost only via a dual hardware or firmware failure; an operating system or mirroring bug; or, more likely, human error overwriting the partition. Here’s another way to contrast OS mirroring of log files versus log file groups. If there is a single operator or configuration error to a mirrored log, the mirrored logs become corrupt and operations are stopped. In contrast, Oracle continues to run if only one member of the multiplex online log is corrupted or destroyed. Thus, Oracle multiplexing groups give more resilience. Although it requires allocating more online redo logs and adds a small performance overhead, we recommend its use in place of mirroring.
 

Online Redo Logs	Preventive Steps	Detection Mechanisms
Online redo logs are needed for recovery.	Oracle multiplexing of log groups Hardware mirroring of logs Never placed Online Redo logs on the same disks as archive logs and application data files Make sure log switch rate is matched by DBWR activity and ARCH activity Make sure log group size is acceptable to availability requirements More than 3 log groups. Implement multiple archivers.	check V$LOG for invalid or stale statuses parse alert.log and background trace file for redo log errors Always check V$LOG and V$LOGFILE to determine which log is current and which log has been archived. Monitor log switch rate and checkpoint rates. Monitor if the archiver keeps up with the log writer.

Types of Outage	Steps	Early Detection	Error Detection
Loss of one and not all of the online redo log members of a particular group	Drop log file member Add log file member (40 MB)	No detection is possible until log switch is performed either exiting or entering the file.	The alert log records the following error stack when switching out of the redo log group. ORA-00316, ORA-00312, ORA-00321, ORA-00312. In addition the LGWR process will generate the same error stack Error number 312 reports the file effected. The full syntax is; ORA-00312: online log 1 thread 1: ‘file name’ The view, V$LOG, should be monitored for statuses of ‘STALE’ or ‘INVALID’.
Loss of inactive archived redo log group Notes: 1. All recovery time are quite static except for the crash recovery. 2. The addition of new redo log group can be done afterwards.	Shutdown abort Startup mount Drop the problem redo log Alter database open (crash recovery)	No detection is possible until the LGWR process write to the redo log	The LGWR process will generate the error stack OPIRIP, the general one ORA-00447 followed by more specific ones. In this test case, they are ORA-00313, ORA-00312 and ORA-07366. The failure of the LGWR will cause other background processes fail with some general error message produced and finally alert log will report a background process failure. (may not be the LGWR process)

Types of Outage	Steps	Early Detection	Error Detection
Loss of an inactive redo log group that has not been archived Notes: 1. All recovery time are quite static except for the crash recovery. 2. The addition of new redo log group can be done afterwards. 3. Cannot drop the unarchived redo log without setting noarchivelog mode.(ORA-00350) 4. Cannot set archivelog after dropping the problem redo log group since instance recovery required.(ORA-00265)	Shutdown abort Startup mount Alter database noarchivelog Drop the problem redo log Alter database open (crash recovery) Shutdown normal Startup mount Alter database archivelog Alter database open	No detection until the ARCH process archive the redo log	The ARCH process will generate archival stoppage message - ARCH: Archival stopped, error occurred. Will continue retrying - followed by informative error messages (ORA-00255, ORA-00312) reporting the problem online redo log and more specific error message(s) telling the cause (in the test case, it is ORA-00286). The same set of error messages will also appear on the alert log file together with archival stoppage message.

Other Online Redo Log Outages	Detection	Steps
Loss of the current online redo log group.	The LGWR process will generate the error stack OPIRIP, the general one ORA-00447 followed by more specific ones. In this test case, they are ORA-00313, ORA-00312 and ORA-07366. The failure of the LGWR will cause other background processes fail with some general error message produced and finally alert log will report a background process failure. (may not be the LGWR process). V$LOG and V$LOGFILE will indicate if this is the current log. If so, we must switch to CRF.	1. Restore and commence incomplete recovery. 2. Commence Disaster Recovery Plan
Silent Redo Log Corruption	Error (ORA 600[3020]) during application of archive log on the standby database site.	1. Rebuild standby database if there is one present. 2. Investigate Primary for any problems. Check alert.logs.
Internal Redo Corruption	ORA 600 [3020] implies that this change in the redo log is corrupted or inconsistent with the changes in the data block. All ORA 600 errors during application or writing of redo logs may be evidence to a corruption in the online redo log.	1. If it does not affect primary, then refresh or rebuild standby database. 2. If primary is down, commence disaster recovery plan

System tablespace

The system tablespace is the most crucial of all tablespaces because it contains the data dictionary tables and objects. The data files should be protected by redundant hardware and controllers. It is not advisable to stripe the system data files across too many disks since this increases the number of potential failure points. Loss of the system data file will result in database recovery or switching to a disaster recovery site.

The system tablespace should be configured and sized properly. By convention, no user objects or temporary segments are created in SYSTEM. This should be enforced using privileges and roles with periodic monitoring to catch any deviations. Basically, the RESOURCE role and UNLIMITED TABLESPACE privilege should not be granted to an user. A typical size of 30-50 MB is common for the system tablespace, while an additional 300 MB - 500 MB may be required if PL/SQL and/or stored procedures are used. Free space and fragmentation should be monitored.

Loss of a system data file:

• The file needs to be restored and rolled forward. The database will be unavailable.
• Or you can recreate the database.
• Or restore from backup and roll forward
  
• Or commence disaster recovery plan.

System Tablespace	Preventive Steps	Detection Mechanisms
System tablespace contains the data dictionary tables.	No non-data dictionary objects should be found in SYSTEM Monitor Space usage Hardware mirroring with redundant controllers No one should have privileges to write to the system tablespace No auditing. Spare disks in case of disk failures.	Monitor threshold on space usage within system Monitor for non-system objects found in system tablespace Parse alert.log and background trace files for ORA 600 errors with your monitoring tool. Monitor disk failures to check if it affects system data files.

System Tablespace Outages	Comments / Detection Mechanisms	Steps
Lack of space or system tablespace fragmentation.	This should be monitored very closely and the monitor tool should ensure that space is sufficient in all their tablespaces. However, if this occurs, the customer needs to add a datafile.	add another data file
Loss of system tablespace.	Monitor tool should track disk failures and correlate with the corresponding data file.	1. restore and recover. 2. commence disaster recovery plan.
Corruption of data dictionary object.	ORA-1578 on a data dictionary object, and ORA 600 may be an indication of data dictionary corruption. These errors should be parsed from the alert.log by the monitoring tool.	1. restore and recover. 2. commence disaster recovery plan.

 

Rollback segment tablespace

Since rollback segment tablespaces typically experience the highest IO activity, RAID 1 is a good choice over RAID 5 to allow for sufficient redundancy without sacrificing too much performance.

Rollback segment configuration is important to allow for continual availability for all applications modifying data. Rollback segments should be configured to minimize space usage, to reduce undo contention, to distribute IO, and to minimize rollback segment maintenance due to application error. The optimum number of rollback segments will be determined by the peak transactional concurrency the database needs to support while the size is determined by the largest amount of rollback that a single transaction can generate The rollback segment tablespace should have ample free space to allow for rollback segment growth while the OPTIMAL parameter should be set on all rollback segments to reclaim space in case of an exceptionally large transaction extend the rollback segment pass average size.

If the system is limited for disk space, the system tablespace and rollback segment tablespace can coexist on the same disk units. Loss of any one of these data files will result in database recovery or resorting to a disaster recovery site. The rollback segments contain information to undo the changes of an aborted transaction and are also used for read consistency. Loss or corruption of an active rollback segment can result in serious data inconsistency. We cannot guarantee the integrity of the database if we lose an active rollback segment.

Loss of a rollback segment data file:

• Attempt to offline all online rollback segments within that tablespace.
• Attempt to drop the rollback segments within that tablespace. You may be force to create other rollback segments in a different tablespace because the database needs at least one active rollback segment other than SYSTEM rollback segment.
  
• Attempt to drop the tablespace. If this fails, then there are active transactions in the rollback segment that has not been applied to your "data" blocks.
  
• Call Oracle Support and see if they can workaround the issue. In most cases, you need to restore from backup and go through recovery.

Rollback segment with "needs recovery" status:

A rollback segment is considered "corrupt" when it cannot rollback an active transaction. Depending on the objects involved and the extent of the "problem", you may be able to startup the database by just taking the segment name out of the init.ora file.

You should also check if all data files are online. Often, this error can be resolved by onlining your data files and allowing Oracle access to apply the undo to the data files’ data blocks.

Set event 10015 in the init.ora file if the database cannot startup. event="10015 trace name context forever"

It prints out the rollback segments it is recovering while it is rolling back active transactions during startup. At times, we can drop the object that needs the undo and the "needs recovery" status will go away because there is no undo to apply to existing objects.

Call Support for further suggestions.

If the rollback segment is indeed corrupted or the rollback segment is lost that contains active transaction, we then suggest restore and attempt database recover to bring the database back to a consistent state. Sometimes, recreation of the database is necessary if no other backup is available.

One can check XIDUSN from V$TRANSACTION to find the active rollback segments by comparing it with the SEGMENT_ID column in DBA_ROLLBACK_SEGS.
 

Rollback Tablespace	Preventive Steps	Detection Mechanisms
Rollback segments contain the undo needed to rollback any statement and for transaction consistency.	Configure and tune rollback segments to the proper size and number to accommodate for the highest TPS and for the largest DML and query. Hardware Mirroring with redundant controllers. No other objects should subside in the rollback segment tablespace. Monitor for disk failures.	Monitor V$ROLLSTAT for threshold and indications that the rollback segment may need to reconfigured. Parse alert.log and trace files for rollback segment errors. (ORA 600) check sys.dba_rollback_segs view for any ‘needs recovery’ status

Rollback Tablespace Outages or Rollback related problems.	Detection Mechanisms/Comments	Realistic/ Tested TTR	Steps
Cannot allocate extents or tablespace fragmentation. Rollback segment maintenance errors.	The customer should monitor any ORA 1538, 1551, 1552, 1553, 1554, 1555, 1556, 1557, 1558, 1559, 1562.	Database availability is not lost. Application errors may occur.	1. Add more space by adding a datafile. 2. Add larger rollback segments or reconfigure to accommodate for larger txn.
ORA-1555 or snapshot too old errors.	ORA 1555	Database availability is not lost. Application errors may occur.	1. A larger rollback segment is needed.
Rollback segment corruption.	ORA 600, 1555, 1578	commence disaster recovery plan	1. attempt to drop rollback segment. If not successful, then commence disaster recovery plan. 2. investigate why rollback segment got corrupted. check trace files and call support
Loss of a rollback segment data file that does not contain active transactions.	Monitor tool needs to detect disk failures and correlate OS files to Oracle files.	Several rollback segment tablespaces are available. Database availability is not lost. Application errors may occur.	1. Drop rollback segments in that data file and drop tablespace.  2. Recreate rollback segment tablespace
Loss of rollback segment data files that currently being used.	Monitor tool needs to detect disk failures and correlate OS files to Oracle files. If we cannot offline and drop affected rollback segment tablespace, then there are active transactions.		1. Restore and recover 2. Commence Disaster recovery Plan.

 

Temp tablespace

Although the loss of the temporary tablespaces will not result in losing access to data, the application, in particular operations that require sort space or temp space, may falter. Temporary tablespace should be hardware mirrored to protect from disk failure. At least two temporary tablespaces should be available while precreated alter user scripts are established to prevent system tablespace fragmentation or application failure in case of loss of a temporary tablespace. Furthermore, .the default initial and next extent sizes for TEMP, with a pctincrease of 0, should be set to ensure that the largest sort space requirement can be met without running out of extents (121 for 2K block size). The initial and next extents should be set greater than sort_area_size and larger than the average sort if it does not conflict with available memory requirements.

Multiple temporary tablespaces will be beneficial in distributing sort allocations for different users and improve the performance of concurrent sorts. Furthermore, if several index rebuilds have to occur due to corruption or maintenance, multiple temp tablespaces will allow the parallelism to restore and create the indexes quickly. For index rebuilds, TEMP space of up to twice the size of indexed data may need to be allocated. As this TEMP space may not be required during normal operation, it is useful to keep spare disk space.

Following the initial index building phase, temporary segments usage is limited to sort activity. For performance reasons, the sort_area_size setting should be high enough to keep disk sorts to a minimum assuming there is enough real memory available. All complex queries which may potentially require disk sorts will then write to the temp tablespace.
 

Temporary Tablespace	Preventive Steps	Detection Mechanisms
Temporary segments are used for sorting and temporary scratch work when the allotted space in memory is insufficient.	Temporary tablespaces should be hardware mirrored with redundant controllers. Alter user scripts should be available to switch users to an alternative temporary tablespace. Enough space should be available if more is needed for the temp. Test and measure the amount temp space needed as your application changes.  Extra disks should be available.	Monitor disks and controllers for failure.

Temporary Tablespace Outages or Temporary tablespace related problems.	Detection Mechanisms/ Comments	Realistic/ Tested TTR	Steps
Cannot allocate extents or tablespace fragmentation.	These errors do not appear in the alert.log; thus, it must be trapped within the application. ORA 1547, ORA 1562 during a sort operation indicates temp tablespace configuration problem.	The customer should configure the TEMP tablespace to avoid problems like this. To fix this problem once it is detected encompasses adding another data file or creating another tablespace.	1. add another data file. .
Losing temporary tablespace data file.			1. Run alter user scripts to switch temporary tablespace usage for users. 2. Create another temp tablespace if possible.

Types of Outage	Steps	Early Detection	Error Detection
Loss of temporary tablespace data file	Drop current temporary tablespace. Create another temporary tablespace. Alter user to use to new temporary tablespace.	Monitor tool needs to detect disk failure and correspond OS files to Oracle files.	Monitor tool needs to detect disk failures and correspond OS files to Oracle files.

 

Loss of application data file

All application data files should be hardware mirrored on different controllers and disks for additional resilience. More importantly, the application should have integrity checks and error checking mechanisms to prevent errors and to automatically recover in case of errors. Security policies and proper prevention techniques will be essential to avoid dropping, deleting or modifying critical data. We also recommend partitioning of data and implementing business rules and database integrity constraints to detect for application data inconsistencies.

Even with built in prevention, user errors, application bugs, hardware failures, etc still occur which will result in some type of recovery. There are several possible solutions to resolve these problems:

• recreate the tablespace and its corresponding objects (only relevant for indices),
• restore from backup and recover the tablespace or
• implement object level recovery plan or
  
• initiate disaster recovery plan.

Application Data	Preventive Steps	Detection Mechanisms
Index segments should only hold indexes.	Sufficient space should be allocated for growth of indices. Hardware mirroring and redundant controllers are recommended. Recreate index scripts should be pre-created. Partitioned accordingly to functionality.	Monitor space usage and b*tree levels with analyze commands. Monitor disk and IO errors Parse and check trace files and alert.log for ORA 1578 that affects indices

Case 1: Loss of index data file
Tablespace recovery and object recovery are two options that are available. Tablespace recovery would entail restoring the affected tablespace from the hot backup and rolling forward. Object recovery consists of recreating the tablespace and recreating the indices. Precreated create index scripts (implemented in parallel or with degrees of parallelism) should be kept ready and ran concurrently touching different temporary tablespaces to expedite recovery. In addition, large temporary tablespaces should be made available to allow for successful index creation .

Although both recovery descriptions allow for full availability of the database and the tables, this is still a serious outage due to the slow performance.
 

Loss of Index Data file	Steps	Early Detection	Error Detection
Recreate Index Tablespace	Drop Index tablespace Create another index tablespace Create all indices in the tablespace in parallel.	Monitor tool should detect disk failure. If the failure is an index tablespace, automated steps are needed to recreate the indices.	Monitor tool should detect disk failures.
Restore from Backup and Recover	Offline tablespace. Restore from hot backup. Set autorecovery on. Bring up recovery processes. Alter database recover automatic tablespace. Alter tablespace online.	Monitor tool should detect disk failure. If the failure is an index tablespace, automated steps are needed to be restore and recover.	Monitor tool should detect disk failures.
Switch to disaster recovery plan.	Switch to standby database or replicated database.	Monitor tool needs to detect disk failure and correspond OS files to Oracle files.	Monitor tool needs to detect disk failures and correspond OS files to Oracle files.

 

Case 2: Loss of application table datafiles
Hopefully, the customer does implement some type of object level backup and recovery strategy to reduce MTTR. If they do not, they must either restore from backup and recover or implement their disaster recovery plan.

Object level recovery only works when there are mechanisms within their application to resynchronize from a determined point of time. When the subset has been restored, then the subset should be able to resynchronized with the rest of the database via the application.

The database should be partitioned in such a way that recovery can occur to subsets of the database while other functionality is not impeded.
 

Loss of Data File	Steps	Early Detection	Error Detection
Recreate Table Tablespace	Only applicable if exports or unloads of the tables are taken. Only applicable if there is an object level recovery plan. (snapshots, unloader, replicated database, etc)	Monitor tool should detect disk failure. If the failure is an index tablespace, automated steps are needed to be restore and recover.	IO errors or ORA 1100s errors.
Restore from Backup and Recover	Offline tablespace. Restore from hot backup Set autorecovery on. Bring up recovery processes. Alter database recover automatic tablespace. Alter tablespace online.	Monitor tool should detect disk failure. If the failure is an index tablespace, automated steps are needed to be restore and recover.	Monitor tool should detect disk failures.
Commence disaster recovery plan	Only applicable if there is a standby database or a replicated database. This can also be accomplished by breaking three-way mirrors to maintain hot backups on site.	Monitor tool needs to detect disk failure and correspond OS files to Oracle files.	Monitor tool needs to detect disk failures and correspond OS files to Oracle files.

Types of Outage	Steps	Early Detection	Error Detection
Cannot allocate extents or tablespace fragmentation	Add datafile	Monitor Space Usage and fragmentation of tablespaces.	ORA-1547 or other error traps need to be trapped within the application
Loss of Index due to user error or corruption.	Drop index. Create index.	Monitor alert.log for ORA-1578 errors that affect index data. Periodic index validation with the analyze command.	ORA-1578 while using or validating an index.
Single Table Loss or Corruption of Single Table.	Object level recovery plan. Restore and recover.	Monitor alert.log for ORA-1578 errors that affect table data. Table can be analyze to check for block corruptions.	ORA-1578 while accessing or analyzing table data.
Reorganize Table - Scheduled Outage.	Drop / Create Unload/ Direct Load Use of Parallelism would be helpful.	Monitor and alarm when objects exceed more than 20 extents or some threshold.	ORA-1556 max extent error should be trapped within the application.
Reorganize Index - Scheduled Outage	Drop/ Create	Monitor and alarm when objects exceed more than 20 extents or some threshold.	ORA-1556 max extent error should be trapped within the application.

 

Read-only tablespaces
Read only tablespaces contain information that is static and the data is accessible only for viewing and not for modification. Read-only tablespaces NEED to be backed up once it becomes READ -ONLY. The recovery session will get an error if a file is READ-ONLY and a backup controlfile is being utilized for recovery.. All read-only tablespace files must be taken offline prior to incomplete recovery. This is what makes backing up READ-ONLY tablespace after changing to READ-ONLY very important. The moral of the story is that you need to restore the READ-ONLY tablespace from your previous backup and offline the read-only tablespace files prior to recovery with a backup controlfile. After opening the database, you then can online the READ-ONLY data files.

If you use the current control file, then recovery will complete successfully even if the tablespace changes from read-write to read-only through the redo logs. Read-only tablespace files are still online files and recovery will still apply changes to these files. Changing a file from read-write or read-only will cause some redo and during recovery, we will apply the redo. Thus the flags are changed.

Read-only tablespaces reduce the amount of work during checkpoints. Read only data files are not checkpointed and updated while only read-write files are. Recovery will ignore read-only files when possible; thus, streamlining recovery even further.

Although read-only files can be restored from backup and should not affect the rest of the database if it is loss, the application may depend on the data and may stop if the data is not accessible. In that case, we recommend that read-only data should also be mirrored to reduce the possibility of an outage due to media failure.
 

Read-Only Data	Preventive Steps	Detection Mechanisms
Index segments should only hold indexes.	1. Partition data according to functionality. 2. Hardware mirroring and redundant controllers	1. Monitor disks and for IO errors
Data segments should hold both tables and clusters.	1. Partition data according to functionality. 2. Hardware mirroring and redundant controllers	1. Monitor disks and for IO errors

Read-Only Data	Steps
Accidental drop of read-only data.	1. Restore from backup 2. commence Disaster Recovery Plan.
Loss of a read-only data file.	1. Restore from backup 2. commence Disaster Recovery Plan.

Archive logs
Archive log files provide the means to roll forward from a previous backup of the database. Since archive log files are applied in order, it is extremely important that all the archive log files be available in order to roll forward to the desired point in time. For that reason, Oracle recommends that archive files are also mirrored to protect from disk failure. For extra protection, copies of the archive files can be kept onsite and offsite in case of some large disaster. Furthermore, archive files from all threads in a parallel instance environment are required for media recovery.

One of the most common errors found on customer sites is a poorly organized archiving procedure which may be backing up incomplete archive files or not detecting corrupted tapes. A scripted methodology and well-tested tape management tool may be required to safeguard from corrupted archive files. Prior to backing up or copying an archive file, the procedure should check from V$LOG table that the corresponding on-line redo log has been completely archived.

Another common problem is that the archive destination becomes full or inadequate to support the number of archive files being created. First, adequate disk space should be provided to allow for sufficient time for the log files to be backed up to tape and to allow at least a day’s worth of archive logs to be onsite or all archive logs starting from the previous database backup (cold or hot) to remain onsite. Second, multiple archival destinations should be created with automated switchover of destination when a certain threshold for available free space is reached. Finally, the archive procedure should dynamically monitor the archive destinations for lack of free space. The following procedure describes in detail how this may be accomplished.

First, two archive destinations or more need to be created with sufficient disk space. Archiving procedure should switch from one destination to another when the previous destination reaches a certain space usage threshold by issuing alter system archive log to destination. More scripts should be developed to periodically monitor free space of the current archive destination. When space usage reaches a certain threshold (75% or some value that will allow for at least two more logs in the current ARCH destination), the monitoring process should alter the archive destination, preferably the oldest archive destination. Concurrently, a separate process or shell script can be created to clean up and backup archive destinations to tape starting from the oldest to the most recent archive destination. The backup script should check that the archive files have been successfully archived and then back them up to tape. Removal of the oldest archive files should only occur prior to switching to the oldest archive destination. The archive destinations should always accommodate at least one day’s worth of archive files onsite. If the archive files are onsite, the recovery time will be reduced by the time needed to restore from tape backup.

Since compression is usually done, we suggest that the archive files are thoroughly tested to ensure that the compression utility is not inadvertently corrupting the archive files or backups. This may be done by comparing checksums of the of the source and tape backed up files or restoring from this backup and checking if the database starts up.

In the event of incomplete or complete database recovery, caution must be exercised to prevent confusion between the current set of archive files and the archive files from the previous version of the database. For example, after successful incomplete recovery, the archive log sequence numbers will reset to one. Therefore, new archive files will be created with sequence number starting from one and up which should not be confused with the older archive logs with the same number. Another example is restoring from a old cold backup and starting up without any roll forward media recovery. The archive logs generated from that point will begin with the number that was stored in the control file. Again, it is necessary to distinguish between the current database’s logs and the previous versions of those logs.

What if you lose an archive log or set of logs?

• A complete backup of the database is necessary and should be accomplish as soon as possible: cold backup or hot backup.

Archive Log Files	Preventive Steps	Detection Mechanisms
Archive log files are required for media recovery and for standby databases.	Scripted procedure to archive to the archive destination and to archive to tape. Tape management tool with error checking mechanisms should be utilized. Hardware mirroring of archive files. Two sets of backups.		Error checking for successful completion of archiving from database to tape Space usage of archive destination needs to be monitored.

Archive Log Files and Archivelog	Detection Mechanisms	Steps
Archiver stuck due to lack of free space in the archive destination.	Monitor free space in the archive destination and alarm when close to reasonable threshold (70%)	1. Free up space in the archive destination 2. Switch to different archived destination.
Loss of archive file(s) due to media failure or user error.	Monitor tool should check for disk failures. Alerts should be available when media failure affects archive logs. When this occurs, automatic procedures should switch to another archive destination.	1. Backup primary. 2. Refresh standby database if one exists.
Archiver can not write to the archive destination due to media failure.	Monitor tool should check for disk failures. Alerts should be available when media failure affects archive logs. When this occurs, automatic procedures should switch to another archive destination.	1. Switch archive destination.
Archive logs are not successfully backed up.	Checksums must be in place during the backup. Investigate problem and retry.	If backup is not successful because of a bad archive log file, one needs to backup Primary and recreate the standby site.
Archiver hangs because someone deactivates archivelog or disable archiving.	This should be checked before every open command.  The archive log list command will	shutdown database startup mount; alter database archivelog alter database open.