-
- Influencer
- Posts: 18
- Liked: never
- Joined: Feb 22, 2011 3:54 pm
- Contact:
Permission question
Good day,
We are currently in the process of moving Veeam One to another server. Therefore we are also checking service account permissions. The setup is as follows:
- Veeam One installed on a Hyper-V VM
- Veeam One connecting to a Hyper-V cluster using a domain account which is local administrator on the Hyper-V Hosts
According to the deployment guide, the account used to monitor guest VMs must have local administrator permissions on the guest OS. Is that really still required, since it might be a security issue to add a domain account as local administrator on all guest VMs?
If that is still required, is it possible to use a gMSA account for that?
Thanks for any information.
Best regards
Michael
-
- Veeam Software
- Posts: 785
- Liked: 205 times
- Joined: Nov 01, 2016 11:26 am
- Contact:
Re: Permission question
Hello Michael,
To monitor Hyper-V virtual infrastructure in short:
Standalone Hyper-V hosts:
- member of the Hyper-V Administrators and Performance Monitor Users groups.
- remotely access WMI on Microsoft Hyper-V hosts.
Hyper-V clusters:
- local Administrator permissions on clusters.
SCVMM:
- user role that is based on the Read-Only Administrator profile.
This is enough to collect all the information from the VI.
Connection to VM Guest OS section is required only if you would like to get the additional data from inside the OS. This data is: In-Guest Processes and In-Guest Services.
Hope this helps.
gMSA support was discussed in this thread. Please take a look.
Thanks
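An added example, not part of the thread or of Veeam's documentation: a PowerShell audit that reports, per standalone Hyper-V host, whether the monitoring account is a direct member of the two groups listed in the reply above and is absent from local Administrators. The function name, host names and account name are placeholders, and PowerShell remoting to the hosts is assumed.

```powershell
# Added example (not from the thread). Function name, hosts and account are placeholders.
function Test-MonitorAccountGroups {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $Account      # 'DOMAIN\name' form
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Account -ScriptBlock {
        param($Account)
        # Direct members only; membership through a nested domain group is not resolved.
        $inGroup = {
            param($Group)
            @((Get-LocalGroupMember -Group $Group -ErrorAction Stop).Name) -contains $Account
        }
        $hv    = & $inGroup 'Hyper-V Administrators'
        $perf  = & $inGroup 'Performance Monitor Users'
        $admin = & $inGroup 'Administrators'
        [pscustomobject]@{
            Host                    = $env:COMPUTERNAME
            HyperVAdministrators    = $hv
            PerformanceMonitorUsers = $perf
            LocalAdministrators     = $admin
            # True only when the account holds the two listed groups and nothing broader.
            LeastPrivilege          = ($hv -and $perf -and -not $admin)
        }
    }
}

# Usage (constructed names):
# Test-MonitorAccountGroups -ComputerName 'hv01','hv02' -Account 'CONTOSO\svc-veeamone'
```

The LeastPrivilege flag applies to standalone hosts; for clusters the reply lists local Administrator permissions as required, so LocalAdministrators is expected to be True there.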
-
- Influencer
- Posts: 18
- Liked: never
- Joined: Feb 22, 2011 3:54 pm
- Contact:
Re: Permission question
Hi Roman,
Thanks for your quick reply which was very helpful.
We have removed the local administrator permission on the guest OS and everything we require seems to be working fine.
However, if we check the "DataProvider_HyperV.log" in Veeam ONE Monitor Logs we can see the following errors every hour for each guest VM:
ERROR Failed to create WMI invoker for <GUEST VM\root\cimv2> (user '<Domain Account'>) System.UnauthorizedAccessException: Access is denied.
ERROR Failed to get WMI data provider by DNS name (GUEST VM FQDN) System.UnauthorizedAccessException: Access is denied.
Is that expected and can these errors be ignored?
Best regards
Michael
-
- Veeam Software
- Posts: 785
- Liked: 205 times
- Joined: Nov 01, 2016 11:26 am
- Contact:
Re: Permission question
Hello Michael,
In most cases these errors mean that something is wrong with WMI access. Maybe incomplete data is being collected right now, so you see the topology and objects, but some properties could be missing.
I could only guess that something is wrong with remote access. Please open a support case and provide the case ID in this thread so we could collect all the additional details and investigate it accordingly.
Thanks
-
- Influencer
- Posts: 18
- Liked: never
- Joined: Feb 22, 2011 3:54 pm
- Contact:
Re: Permission question
Hello Roman,
Furthermore, we have noticed that without a local administrator user in VMs it is not possible to get information about guest disk usage. Can you confirm that?
Best regards
Michael
-
- Veeam Software
- Posts: 785
- Liked: 205 times
- Joined: Nov 01, 2016 11:26 am
- Contact:
Re: Permission question
Hello Michael,
Generally speaking, everything you could see in the Hyper-V manager should be available through the API, perfmon on the Hyper-V host and WMI for Veeam ONE to read.
As far as I remember there were two sets of counters, like virtual disk for the VM and the disk from inside the OS. I do not have a working lab at the moment to check, so it would take some time.
Thanks