Backup of enterprise applications (Microsoft stack, IBM Db2, MongoDB, Oracle, PostgreSQL, SAP)
Post Reply
nochangeforyou1
Novice
Posts: 4
Liked: 1 time
Joined: Jun 20, 2023 5:50 pm
Full Name: AJ
Contact:

gMSA Issue on DC

Post by nochangeforyou1 »

I am currently in the process of setting up Veeam to back up all virtual servers that need application aware processing with gMSAs. On all servers except the domain controllers this worked flawlessly. On the domain controllers the error "Logon failure: the user has not been granted the requested logon type at this computer" is thrown. The MSA is set up with the exact same permissions as a standard account that works just fine completing this task, however I don't want to utilize a standard account for these tasks.

Things I have already tested/verified:

- MSA in Domain Admins group
- Logon as batch job rights granted for DCs
- Access this computer from the network rights granted
- Allow logon locally rights granted
- Allow logon through RDP rights granted
- Added account to the built in "Administrators" account in AD
- Ran Test-ADServiceAccount -Identity msaname (works fine)

Are there any other settings that might prevent MSAs from working on domain controllers that I haven't covered? It just seems odd that a standard account has no issues when the MSA won't work as they are set up with the same permissions.
PetrM
Veeam Software
Posts: 3705
Liked: 621 times
Joined: Aug 28, 2013 8:23 am
Full Name: Petr Makarov
Location: Prague, Czech Republic
Contact:

Re: gMSA Issue on DC

Post by PetrM »

Hello and Welcome to Veeam R&D Forums!

I'm going to research this question and I'll let you know if I have other ideas than what you've tried already. Did you create a support case? If yes, please share ID with us, it seems we're talking about a technical issue that happens during AAIP. If a case is not yet created, please contact our support team for a detailed investigation.

Thanks!
PetrM
Veeam Software
Posts: 3705
Liked: 621 times
Joined: Aug 28, 2013 8:23 am
Full Name: Petr Makarov
Location: Prague, Czech Republic
Contact:

Re: gMSA Issue on DC

Post by PetrM »

@nochangeforyou1 you may also check that the option "Logon as a service" is enabled in group policies for the gMSA acount.

Thanks!
nochangeforyou1
Novice
Posts: 4
Liked: 1 time
Joined: Jun 20, 2023 5:50 pm
Full Name: AJ
Contact:

Re: gMSA Issue on DC

Post by nochangeforyou1 »

Tried with the "Logon as a service" right, that did not work either.
nochangeforyou1
Novice
Posts: 4
Liked: 1 time
Joined: Jun 20, 2023 5:50 pm
Full Name: AJ
Contact:

Re: gMSA Issue on DC

Post by nochangeforyou1 » 1 person likes this post

Also case is #06131231
sebastian.mair
Influencer
Posts: 12
Liked: never
Joined: Apr 11, 2013 12:24 pm
Contact:

Re: gMSA Issue on DC

Post by sebastian.mair »

hi, just trying to use gmsa with our domain controllers, any update on this? was this resolved? gettint the "access denied" error. the powershell test with test-adserviceaccount has no error, not on the backupserver(proxy) and the DC trying to backup
nochangeforyou1
Novice
Posts: 4
Liked: 1 time
Joined: Jun 20, 2023 5:50 pm
Full Name: AJ
Contact:

Re: gMSA Issue on DC

Post by nochangeforyou1 »

No, the case is still ongoing. The gMSA still is not working on DCs.
PetrM
Veeam Software
Posts: 3705
Liked: 621 times
Joined: Aug 28, 2013 8:23 am
Full Name: Petr Makarov
Location: Prague, Czech Republic
Contact:

Re: gMSA Issue on DC

Post by PetrM »

Hello,

I asked our support leaders to prioritize the the case 06131231, looks like the issue is quite complicated.

Thanks!
sebastian.mair
Influencer
Posts: 12
Liked: never
Joined: Apr 11, 2013 12:24 pm
Contact:

Re: gMSA Issue on DC

Post by sebastian.mair »

OK, thanks, but why is there no hint in the documentation, that it´s not working at the moment. i think there are a lot of people who are trying this . are there more support cases about this topic right now?
PetrM
Veeam Software
Posts: 3705
Liked: 621 times
Joined: Aug 28, 2013 8:23 am
Full Name: Petr Makarov
Location: Prague, Czech Republic
Contact:

Re: gMSA Issue on DC

Post by PetrM »

Hello,

The only case I'm aware of is the one above and it is still being researched. You may contact our support team as well, maybe the root cause in your case is different and it can be sorted out faster. Please don't forget to provide us with a support case number.

Thanks!
ITdrone
Lurker
Posts: 1
Liked: never
Joined: Jan 26, 2024 2:35 pm
Full Name: IT Drone
Contact:

Re: gMSA Issue on DC

Post by ITdrone »

Hi. Just curious if there was ever a resolution for this issue?

Thanks
PetrM
Veeam Software
Posts: 3705
Liked: 621 times
Joined: Aug 28, 2013 8:23 am
Full Name: Petr Makarov
Location: Prague, Czech Republic
Contact:

Re: gMSA Issue on DC

Post by PetrM »

Hello,

Yes, the issue reported above was successfully resolved but since it was an environment-specific problem, please open a support case and let our support engineers work on it. Also, don't forget to share a support case ID so that I can keep an eye on it.

Thanks!
shui
Lurker
Posts: 2
Liked: never
Joined: Aug 01, 2024 11:56 am
Contact:

Re: gMSA Issue on DC

Post by shui »

And what was the solution?

We receive the same error message when trying to backup the DCs with an GMSA account. In our case we use an AD tiering model for security purposes.
PetrM
Veeam Software
Posts: 3705
Liked: 621 times
Joined: Aug 28, 2013 8:23 am
Full Name: Petr Makarov
Location: Prague, Czech Republic
Contact:

Re: gMSA Issue on DC

Post by PetrM »

Hello and Welcome to Veeam R&D Forums!

The fact that you have the same error message does not necessarily mean that the solution that worked in one case will help in your situation.

Please contact our support team and provide a support case ID as requested when you make a post about a technical issue. We cannot troubleshoot technical issues effectively over the forum posts. All posts about technical issues without case ID will be eventually deleted by the forum moderator. You can also upload debug logs for our support as per the instructions of this KB.

Thanks!
shui
Lurker
Posts: 2
Liked: never
Joined: Aug 01, 2024 11:56 am
Contact:

Re: gMSA Issue on DC

Post by shui »

Thx for the greetings.

I know that it might not help in our issue. But isn't this the intention of this forum, to share solutions?
Otherwise we all could just open cases and stop posting here :)
Gostev
Chief Product Officer
Posts: 31973
Liked: 7441 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: gMSA Issue on DC

Post by Gostev » 1 person likes this post

Sure, you're more than welcome to share the solution for your specific issue here once you obtain them from Support or through personal troubleshooting.

Otherwise yes, "we all could just open cases and stop posting here" is precisely the behavior we're trying to enforce for environment-specific issues, with the forum rules displayed when you click New Topic.

Note that this community is not a support forum, it has a very specific purpose. Many people ignore it and still try to use this forum as an alternative to opening a support case, which is making it really hard for us to keep up with the traffic and to even simply read through all contributions, due to the sheer number of active users Veeam has these days.
Post Reply

Who is online

Users browsing this forum: No registered users and 3 guests