This chapter covers the three fundamental backup types: full, incremental, and differential. Understanding these is critical for the CompTIA Network+ N10-009 exam, specifically under Objective 3.4 (Network Operations - Backup and Recovery). While not a large percentage of the exam, backup concepts appear in 2-3 questions, often scenario-based, testing your ability to choose the right backup strategy based on recovery time objectives (RTO) and recovery point objectives (RPO). You will also need to know the impact on storage and network bandwidth. This chapter provides the technical depth needed to answer those questions confidently.
Jump to a section
Think of a library with 1000 books. A full backup is like photocopying every single book in the library. It's a complete record but takes a lot of time and paper. An incremental backup is like only photocopying the books that were checked out or returned since your last visit—whether that last visit was a full backup or an incremental one. So if you come every day, you only copy the books that changed that day. A differential backup is like photocopying all books that have changed since the last full backup. So if the full backup was on Sunday, and you come on Wednesday, you copy all books changed on Monday, Tuesday, and Wednesday. To restore: with full + incrementals, you must first restore the full backup, then apply each incremental in order (if you have 5 incrementals, you apply all 5). With full + differentials, you restore the full backup and then only the latest differential. The library analogy works because the 'changed books' are like changed files, and the 'photocopy' is the backup copy. The key mechanistic insight: incremental records only changes since any previous backup (full or incremental), while differential records all changes since the last full backup. This directly maps to how backup software marks files as archived (clearing the archive bit) for incremental vs not for differential.
What Backup Types Are and Why They Exist
Backup types define how data is copied from a source (e.g., a server, database, or file system) to a backup medium (tape, disk, cloud). The three primary types—full, incremental, and differential—differ in what data they copy and how they track changes. The purpose of having multiple types is to balance three competing factors: backup time, restore time, and storage space. A full backup is the slowest to create but fastest to restore; incremental is the fastest to create but slowest to restore; differential sits in the middle.
How Full Backups Work
A full backup copies all selected data regardless of when it was last changed. Every file in the backup set is copied in its entirety. After a full backup, the archive bit (a file attribute in Windows) is cleared for all backed-up files. In Unix/Linux systems, the modification time is used; backup software typically tracks a 'last backup time' in its catalog. During a full backup, the backup software reads every file from disk and writes it to the backup medium. This process is I/O-intensive and consumes significant network bandwidth if backing up over a network. Full backups are typically performed weekly or monthly.
How Incremental Backups Work
An incremental backup copies only files that have changed since the last backup of any type (full or incremental). It relies on the archive bit (Windows) or modification timestamp. After the backup, the archive bit is cleared. This means each incremental backup is small and fast. However, to restore a system, you need the last full backup and every incremental backup taken since then, applied in order. If any incremental is missing or corrupt, you lose all data from that point forward. The number of incrementals can become large, increasing restore time and risk.
How Differential Backups Work
A differential backup copies all files that have changed since the last full backup. It does NOT clear the archive bit. So each differential grows larger over time until the next full backup. To restore, you need only the last full backup and the most recent differential backup. This simplifies and speeds up restoration compared to incremental. However, differential backups take longer and use more space than incremental as the week progresses.
The Archive Bit Mechanism
The archive bit is a single-bit file attribute in NTFS (Windows). It is set to 1 when a file is created or modified. Backup software can read and clear this bit. Full backup: clears all archive bits. Incremental: clears archive bits on files it backs up. Differential: does NOT clear archive bits. This is the core mechanism. In Unix/Linux, backup software (e.g., tar, rsync) uses timestamps or a separate state file to track changes. The principle is the same: incremental records changes since the last backup (any type), differential records changes since the last full backup.
Key Values, Defaults, and Timers
Full backup frequency: Typically weekly (e.g., Sunday night).
Incremental frequency: Daily or more often (e.g., every 6 hours).
Differential frequency: Daily (e.g., Monday through Saturday).
Retention periods: Vary by policy; common is 4 weeks of full backups plus intervening incrementals/differentials.
Backup window: The time allowed for backups; must be shorter than the period between backups (e.g., incremental must finish before next incremental starts).
Restore time: Full restore = time to restore full backup + time to restore all incrementals (or latest differential).
Storage space: Full = size of all data; Incremental = sum of changes each day; Differential = size of all changes since last full (cumulative).
Configuration and Verification Commands
On Windows Server, you can use Windows Server Backup (wsb) or PowerShell. Example to create a full backup:
wbadmin start backup -backupTarget:E: -include:C: -allCritical -quietFor incremental:
wbadmin start backup -backupTarget:E: -include:C: -allCritical -quiet -incrementalNote: wbadmin does not support differential natively; you would need third-party software.
On Linux, using tar:
# Full backup
tar -czf /backup/full-backup-$(date +%Y%m%d).tar.gz /data
# Incremental (using --listed-incremental)
tar -czf /backup/incr-$(date +%Y%m%d).tar.gz --listed-incremental=/backup/snapshot.snar /data
# Differential: tar does not have a native differential; use rsync with --link-dest
rsync -a --link-dest=/backup/full /data/ /backup/diff-$(date +%Y%m%d)Verification: Always test restore by restoring a sample file to an alternate location. Use wbadmin get versions to list backups.
Interaction with Related Technologies
Deduplication: Backup software often deduplicates data across backups. Full backups benefit most from deduplication because they contain all data. Incrementals may have high deduplication ratios because they contain only changed blocks.
Compression: Applied after backup type is chosen. Compressing a full backup takes longer but saves space.
Replication: Backup data is often replicated offsite. Incrementals are preferred for replication because they are smaller.
Snapshots: Hardware snapshots (e.g., SAN) can be used as a backup source. Backup types still apply to the data within the snapshot.
Cloud backup: Many cloud services (e.g., AWS Backup) use incremental-forever strategies, where only one full backup is ever uploaded, and subsequent backups are block-level incremental.
Exam-Specific Details
The N10-009 exam expects you to know:
The definition of each backup type.
The effect on archive bit.
The relative backup and restore speeds.
The number of tapes/media needed for restore (e.g., full + 5 incrementals = 6 tapes; full + 1 differential = 2 tapes).
The impact on RPO and RTO: incremental gives best RPO (smallest data loss) but worst RTO (longest restore); differential gives moderate RTO; full gives best RTO but worst backup time.
Common scenarios: Which backup type to use for a database that changes hourly? (Incremental). Which for a static file server? (Full weekly, differential daily).
Common Pitfalls
Assuming differential clears archive bit: It does not. This is a frequent exam trap.
Confusing incremental and differential restore steps: Incremental requires all backups in sequence; differential requires only full + latest differential.
Thinking incremental is always better: It is not; restore time and complexity increase with the number of incrementals.
Ignoring the backup window: A full backup of a large dataset may exceed the available window, forcing use of incremental or differential.
Summary Table
| Backup Type | Copies | Archive Bit Cleared? | Restore Requires | Backup Speed | Restore Speed | Storage Space | |-------------|--------|----------------------|------------------|--------------|---------------|---------------| | Full | All data | Yes | Full backup only | Slowest | Fastest | Most | | Incremental | Changes since last backup (any type) | Yes | Full + all incrementals in order | Fastest | Slowest | Least (each) | | Differential | Changes since last full backup | No | Full + latest differential | Moderate | Moderate | Moderate (grows) |
Real-World Configuration Example
A typical backup schedule for a small business:
Sunday 10 PM: Full backup to tape.
Monday through Saturday 10 PM: Differential backup to tape.
Additionally, every 4 hours during business hours: Incremental backup to disk for quick restore.
Restore steps: If a file is lost on Thursday, check the latest incremental (if within 4 hours) or restore from Sunday full + Thursday differential.
Troubleshooting Backup Failures
Backup fails because of open files: Use Volume Shadow Copy Service (VSS) on Windows or snapshot on Linux.
Incremental backup larger than expected: Check for many small file changes or a large file that was modified.
Restore fails because missing incremental: Always verify backup chain integrity. Use backup software that validates each backup.
Conclusion
Mastering backup types is essential for network administrators. The N10-009 exam tests not just definitions but the ability to apply them in scenarios. Remember the archive bit mechanism—it is the key to understanding the difference between incremental and differential. Practice with real backup software to solidify the concepts.
Perform a full backup
The backup software reads every file in the selected set from the source volume. For each file, it reads the data and writes it to the backup medium (tape, disk, cloud). After successfully copying, it clears the archive bit (Windows) or updates the last backup timestamp (Unix). This process can take hours for large datasets. The backup software may also create a catalog or index of backed-up files. The result is a complete, self-contained copy that can restore the system independently. Network bandwidth utilization is high, especially for network backups.
Perform an incremental backup
The backup software scans the source volume for files with the archive bit set (Windows) or with a modification time later than the last backup timestamp. Only those files are copied. After copying each file, the software clears the archive bit or updates the timestamp. This step is fast because only a small subset of files is copied. However, each incremental backup is dependent on the previous backup in the chain. If any incremental is missing, subsequent incrementals are useless. The backup catalog records which files are in each incremental.
Perform a differential backup
The backup software scans for files with the archive bit set (Windows) or modified since the last full backup. It copies all such files. Critically, it does NOT clear the archive bit. Therefore, the next differential will again copy all files that have changed since the last full backup (including those already copied in the previous differential). This causes the size of differentials to grow over time. The backup catalog records the full backup as the base and the differential as a cumulative set of changes.
Restore from full + incrementals
First, restore the full backup. Then, restore each incremental backup in chronological order. Each incremental overwrites files that have changed. The restore process must apply every incremental from the oldest to the newest. If any incremental is missing or corrupt, data from that point forward may be lost. The total restore time equals the time to restore the full backup plus the time to restore all incrementals. This is the slowest restore method but uses the least backup storage.
Restore from full + differential
First, restore the full backup. Then, restore the most recent differential backup. The differential contains all changes since the full backup, so no other differentials are needed. This is faster than incremental restore because only two backup sets are involved. However, the differential itself may be large if many files changed. The restore time is the time to restore the full backup plus the time to restore the differential. This method balances storage and restore speed.
In a typical enterprise environment, backup strategies are designed to meet Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). For example, a hospital's patient database might have an RPO of 15 minutes and an RTO of 1 hour. This requires transaction log backups every 15 minutes (essentially incremental at the database level) combined with nightly differentials and weekly full backups. The database administrator configures SQL Server to perform full backups Sunday night, differential backups nightly, and transaction log backups every 15 minutes. Restoring to a point in time requires the full backup, the latest differential, and all transaction log backups since that differential. This is a common scenario tested on N10-009.
Another scenario: a large media company with video files (hundreds of GB each) uses a weekly full backup to tape and daily incremental backups to disk. The full backup takes 12 hours over the weekend. Daily incrementals take 1-2 hours. Restoring a single video file from Tuesday requires the full tape and the Monday and Tuesday incrementals. If the Tuesday incremental is corrupt, the file cannot be restored. To mitigate this, the company might switch to differential backups, accepting larger daily backups but simpler restore.
A third scenario: a cloud-based SaaS provider uses AWS Backup with an 'incremental-forever' strategy. The first backup is a full backup to Amazon S3. Subsequent backups are block-level incremental, meaning only changed blocks are uploaded. AWS Backup automatically manages the chain and can restore from any point in time by combining the full backup with the relevant incremental blocks. This is efficient for storage and network, but the restore process is more complex internally. The exam may ask about the trade-offs between on-premises tape and cloud backup.
Common misconfigurations: setting differential backups but clearing archive bits (making them act like incrementals), or not scheduling full backups frequently enough, causing differentials to become nearly as large as a full backup. Performance considerations: backup windows must be respected; if a full backup exceeds the window, you may need to use a backup acceleration appliance or change to a different strategy. Also, network bandwidth for remote backups must be monitored; throttling may be needed to avoid impacting production traffic.
The N10-009 exam (Objective 3.4) tests your understanding of backup types primarily through scenario-based questions. You will be given a situation with specific RPO and RTO requirements and asked to choose the best backup strategy. The most common wrong answers are:
Choosing incremental when the question emphasizes fast restore time – Candidates see 'incremental is fast' and forget that restore is slow. The correct answer often is differential or full.
Thinking differential clears the archive bit – This is a classic trap. The exam may ask: 'Which backup type does NOT clear the archive bit?' The answer is differential.
Confusing the number of tapes needed for restore – For incremental, you need the full backup plus every incremental. For differential, you need the full plus the latest differential. The exam may give a scenario with 5 incrementals and ask how many tapes are needed for restore (6, including the full).
Assuming full backups are always the best for RPO – Full backups provide the best RTO but not necessarily the best RPO; if you do a full backup weekly, you can lose up to a week of data. Incremental backups (or continuous data protection) give better RPO.
Key terms that appear verbatim: 'archive bit', 'backup window', 'RTO', 'RPO', 'full backup', 'incremental backup', 'differential backup'. Know the exact definitions: differential backs up all changes since the last full backup; incremental backs up all changes since the last backup of any type.
Edge cases: When a file is moved, the archive bit may be set on the new location. Backup software may treat this as a new file. Also, some backup software uses block-level changes (e.g., changed blocks within a file) rather than file-level. The exam may ask about the impact on backup size.
How to eliminate wrong answers: If the question says 'restore must be as fast as possible' and 'backup time is not a concern', choose full. If 'backup time must be minimized' and 'restore time can be longer', choose incremental. If 'backup time and restore time are both moderate', choose differential. Always consider the number of tapes/media: incremental requires many, differential requires few.
Full backup: copies all data, clears archive bit, slowest backup, fastest restore, most storage.
Incremental backup: copies data changed since last backup (any type), clears archive bit, fastest backup, slowest restore, least storage per backup.
Differential backup: copies data changed since last full backup, does NOT clear archive bit, moderate backup and restore speed, storage grows over cycle.
Restore from incremental requires full backup plus every incremental in chronological order.
Restore from differential requires full backup plus the most recent differential backup.
The archive bit is a Windows attribute; Unix uses timestamps.
RPO (Recovery Point Objective) is best with incrementals (frequent backups); RTO (Recovery Time Objective) is best with full backups.
A common exam scenario: choose differential when RTO is moderate and you want simple restore.
Backup window must accommodate the time needed for the backup type chosen.
Always verify backups by performing test restores.
These come up on the exam all the time. Here's how to tell them apart.
Incremental Backup
Copies only files changed since any previous backup (full or incremental).
Clears the archive bit after backup.
Smallest backup size each time.
Slowest restore: requires full + all incrementals in order.
Best for minimizing backup time and storage.
Differential Backup
Copies all files changed since the last full backup.
Does NOT clear the archive bit.
Grows in size over the backup cycle.
Faster restore: requires full + latest differential only.
Best for balancing backup time and restore time.
Mistake
Differential backups clear the archive bit.
Correct
Differential backups do NOT clear the archive bit. Only full and incremental backups clear it. This is because differential copies all changes since the last full backup, and clearing the bit would make subsequent differentials miss files that changed before the last full but after the last differential.
Mistake
Incremental backups are always smaller than differential.
Correct
Incremental backups are generally smaller than differential backups taken at the same time, because incremental only copies changes since the last backup (which could be a recent incremental), while differential copies all changes since the last full backup (which could be several days of changes). However, if the last backup was a full backup, the first incremental and first differential after that full are the same size.
Mistake
Restoring from incremental backups is faster than from differential.
Correct
Restoring from incremental backups is slower because you must restore the full backup and then each incremental in sequence. Restoring from differential requires only the full and the latest differential. Therefore, differential restore is faster.
Mistake
Full backups are unnecessary if you use incrementals.
Correct
Full backups are essential as the base of the backup chain. Without a full backup, incrementals have nothing to build upon. Additionally, full backups provide a single point of restore that is independent of other backups.
Mistake
The archive bit is used in all operating systems.
Correct
The archive bit is a Windows NTFS attribute. Unix/Linux systems use timestamps or other mechanisms (e.g., rsync uses file size and modification time). The concept is similar, but the term 'archive bit' is specific to Windows.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Incremental backup copies files that have changed since the last backup of any type (full or incremental) and clears the archive bit. Differential backup copies all files that have changed since the last full backup and does NOT clear the archive bit. This means incremental backups are smaller but require a chain for restore, while differential backups grow over time but need only the latest differential for restore.
Full backup provides the fastest restore because only one backup set is needed. Differential restore is next fastest (full + latest differential). Incremental restore is the slowest because you must apply the full backup and every incremental in order. On the exam, if the question asks for fastest restore, choose full.
The archive bit is a file attribute in Windows NTFS that indicates whether a file has been modified since the last backup. Backup software uses this bit to determine which files to copy. Full and incremental backups clear the bit after backing up; differential backups do not. This mechanism is key to understanding how backup software tracks changes.
To restore from incremental backups, you need the full backup tape plus each incremental tape in order. For example, if you have a full backup and 5 incrementals, you need 6 tapes. This is a common exam question. In contrast, differential restore requires only the full tape and the latest differential tape (2 tapes).
The backup window is the time period during which backups can be performed without impacting production operations. It is typically scheduled during low-activity hours (e.g., overnight). The backup type chosen must fit within this window. For example, a full backup of a large database may exceed the window, so incremental or differential backups are used.
No. Incremental backups record changes since the last backup. Without a full backup as a baseline, there is no starting point. A full backup must be performed first. Some modern backup solutions use 'incremental forever' where the first backup is a full, and subsequent backups are block-level incrementals, but a full is always required initially.
RPO (Recovery Point Objective) is the maximum acceptable amount of data loss measured in time. For example, an RPO of 1 hour means you can lose at most 1 hour of data. RTO (Recovery Time Objective) is the maximum acceptable time to restore operations. Backup type selection affects both: frequent incrementals improve RPO, while full backups improve RTO.
You've just covered Backup Types: Full, Incremental, Differential — now see how well it sticks with free N10-009 practice questions. Full explanations included, no account needed.
Done with this chapter?