Discussions specific to managed agent-based backups
Post Reply
StephanF
Enthusiast
Posts: 54
Liked: 16 times
Joined: Mar 26, 2015 1:15 pm
Contact:

Management of Workgroup clients

Post by StephanF » Jan 05, 2018 4:24 pm 1 person likes this post

Hi,

I have to backup clients that are not domain joined (in a workgroup) from a domain joind B&R server. I already did the following:
  • created a local admin account on each client. Let's call it "LocaAdmin".
  • created a protection group on the server with type "Individual computers"
  • added the clients to the protection group by their IP address because name resolution is not possible for them
  • disabled local firewalls for testing purpose
Now I am facng th following problems and questions:
  • At the moment I can not deploy the agent because I get a "Access Denied" error for the ADMIN$ share. I believe this is relatet to "UAC remote restrictions" as explained here. Is the mentioned registry hack the onl way to make deployment work? Is their any guidance or best practice from Veeam?
  • What is the best practice for managing the local account credetials in B&R server? Adding a login account for every client like "CLIENT1\LocaAdmin", "CLIENT2\LocaAdmin", etc. should work. But will it work with a single account like just "LocaAdmin" or ".\LocaAdmin" if the password is the same on every client? Any experience?
  • Is it possible to have a scenario where automatic agent deployment is not possible (because File shares are not accessible, for example) but I want a central managment. Meaning, I want to install the agent manually on the client but then centrally manage the job through the server. What account should I use in the protection group for this (user rights)?
Thanks,
Stephan

Dima P.
Product Manager
Posts: 10528
Liked: 857 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Management of Workgroup clients

Post by Dima P. » Jan 07, 2018 11:05 pm

Hello Stephan,
StephanF wrote: At the moment I can not deploy the agent because I get a "Access Denied" error for the ADMIN$ share. I believe this is relatet to "UAC remote restrictions"
Please check that 'File and Printer Sharing' Windows feature is enabled on the client computers.
StephanF wrote:What is the best practice for managing the local account credetials in B&R server?
Hostname\username (or IP address\username) is the best option for hosts added by IP address.
StephanF wrote:Is it possible to have a scenario where automatic agent deployment is not possible (because File shares are not accessible, for example) but I want a central managment.
It’s possible to setup standalone agent and then move it under central management but that won’t solve the resolution issue. Veeam B&R should properly resolve the IP address for the managed host. From the agent side Veeam B&R DNS name must be resolvable too.

sraj
Influencer
Posts: 21
Liked: 3 times
Joined: Oct 30, 2017 6:55 am
Full Name: Rajesh Samidurai
Contact:

Re: Management of Workgroup clients

Post by sraj » Jan 23, 2018 2:14 am 1 person likes this post

i too had the same issue. I added the account for each client as below and was able to rescan and deploy the agents.

servername\localadmin

Dima P.
Product Manager
Posts: 10528
Liked: 857 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Management of Workgroup clients

Post by Dima P. » Feb 12, 2018 11:00 am

Can confirm that localhost\administrator account works perfectly if you have several computers with the same local admin account configured.

Regnor
Service Provider
Posts: 318
Liked: 62 times
Joined: Jan 31, 2011 11:17 am
Full Name: Max
Contact:

Re: Management of Workgroup clients

Post by Regnor » Dec 17, 2018 10:39 am

Dima P. wrote:
Jan 07, 2018 11:05 pm
It’s possible to setup standalone agent and then move it under central management but that won’t solve the resolution issue. Veeam B&R should properly resolve the IP address for the managed host. From the agent side Veeam B&R DNS name must be resolvable too.
Hi Dima,

how do we move a standalone agent to a managed one?
We've tried to install the agent as standalone, but VBR isn't be able to connect to the agent if we rescan the protection group.
It tries to connect to two different ports and fails with the administrative shares.

Dima P.
Product Manager
Posts: 10528
Liked: 857 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Management of Workgroup clients

Post by Dima P. » Dec 17, 2018 12:10 pm

Hi Regnor,

Admin share is required to upload the components (so called Installer service), so you should allow administrative share on the computer you are about to move under protection group.

Regnor
Service Provider
Posts: 318
Liked: 62 times
Joined: Jan 31, 2011 11:17 am
Full Name: Max
Contact:

Re: Management of Workgroup clients

Post by Regnor » Dec 17, 2018 12:25 pm

Is it enough to enable the administrative share for the initial setup or are those shares also needed for running backups?

Our customer has disabled the shares on all clients for security reasons.

DGrinev
Veeam Software
Posts: 1739
Liked: 221 times
Joined: Dec 01, 2016 3:49 pm
Full Name: Dmitry Grinev
Location: St.Petersburg
Contact:

Re: Management of Workgroup clients

Post by DGrinev » Dec 17, 2018 3:10 pm

The backup process shouldn't be affected.
However, any product update operation or file-level restore won't work without the access. Thanks!

Dima P.
Product Manager
Posts: 10528
Liked: 857 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Management of Workgroup clients

Post by Dima P. » Dec 17, 2018 3:55 pm

Regnor,

I'd add rescan (periodic information collection about the host and job configuration update) and application item recovery (when restoring to the original location). Getting back to your question: unfortunately, it's impossible to run the managed agent with admin share disabled. Cheers!

Regnor
Service Provider
Posts: 318
Liked: 62 times
Joined: Jan 31, 2011 11:17 am
Full Name: Max
Contact:

Re: Management of Workgroup clients

Post by Regnor » Dec 18, 2018 12:29 pm

Ok, that doesn't sound so good.
Please take it as a feature request to make the agents more independent of other services. Other solutions are fully manageable over a single network port.

Dima P.
Product Manager
Posts: 10528
Liked: 857 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Management of Workgroup clients

Post by Dima P. » Dec 18, 2018 2:21 pm 1 person likes this post

Regnor,

To be honest we are already working on this request and Update 4 will see some minor improvements (update and info collection should go thru the proprietary protocol instead of the connection to administrative share). We plan to keep enhancing this logic and eventually get rid of admin share requirement in next versions. Thanks for confirming that we are moving in the right direction. Cheers!

mwilcox1
Novice
Posts: 4
Liked: never
Joined: Apr 17, 2019 3:53 am
Contact:

Re: Management of Workgroup clients

Post by mwilcox1 » Apr 17, 2019 6:00 am

We can not seem to get the settings correct to allow our new Veeam Backup Server to connect to standalone Windows 2012 boxes.
The admin share seems to be very picky ? Even Veeam case 03514519 has tried to help with no luck.
So maybe a few questions to the community of gurus will help?

We are running Windows 2012 R2 and have noticed posts vary as the regedit modification:

1) RE: One may like this or not, the solution is luckily pretty simple.
UAC remote restrictions can be disabled by setting the registry value LocalAccountTokenFilterPolicy to 1:Key:


2) RE: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemValue: LocalAccountTokenFilterPolicyData: 1 (to disable, 0 enables filtering)Type: REG_DWORD (32-bit)

Which is correct 1 or 2 ?

Mike Resseler
Product Manager
Posts: 5720
Liked: 605 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Management of Workgroup clients

Post by Mike Resseler » Apr 17, 2019 6:29 am

Hey Mwilcox1,

First: Welcome to the forums
Second: They basically both tell the same thing :-) To bypass the UAC restrictions. You might have done this before, but we learned that an update of Microsoft "enabled" it again by accident (I believe it was the march update but I am not so sure...)

mwilcox1
Novice
Posts: 4
Liked: never
Joined: Apr 17, 2019 3:53 am
Contact:

Re: Management of Workgroup clients

Post by mwilcox1 » Apr 17, 2019 5:48 pm

To bypass the UAC restrictions. You might have done this before, but we learned that an update of Microsoft "enabled" it again by accident (I believe it was the march update but I am not so sure...)
MSW Ah ok so either or both registry entries should work?

mwilcox1
Novice
Posts: 4
Liked: never
Joined: Apr 17, 2019 3:53 am
Contact:

Re: Management of Workgroup clients

Post by mwilcox1 » Apr 17, 2019 6:05 pm

Ok so I have added the registry entry to my client and yet the Veeam server still errors out w/ an RPC error.
Note I can mount \\10.x.y.z\admin on my Veeam server and I can 'see/read' the Veeam directory but on the Veeam server I can not write to the mounted folder ?
When I right click > create rtf doc I recevie the error 'Unable to create the file 'New Rich Text Document.rtf' Access is denied.
I assume I should be able to write to the admin share on the remote machine ?

mwilcox1
Novice
Posts: 4
Liked: never
Joined: Apr 17, 2019 3:53 am
Contact:

Re: Management of Workgroup clients

Post by mwilcox1 » Apr 17, 2019 8:10 pm

Quick update. We installed the Veeam Agent for Windows on the target machine and this may have caused issues with the Veeam Server allowing us to 'add' the machine to the Veeam Server. Support is looking into this scenario.

Mike Resseler
Product Manager
Posts: 5720
Liked: 605 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Management of Workgroup clients

Post by Mike Resseler » Apr 18, 2019 5:30 am

Can you post the support case number here? If necessary for a follow-up from our side? And also let us know what the outcome with the engineers is.
Thanks
Mike

raju rawat
Novice
Posts: 6
Liked: 1 time
Joined: Feb 21, 2019 3:47 pm
Full Name: Raju Rawat
Location: Cairo, Egypt
Contact:

[MERGED] Need help for non-domain computers to use veeam agents

Post by raju rawat » Jun 03, 2019 9:27 am

Hi All,
By far Veeam is excellent.

I need help on deploying veeam agents on non-domain computers. Appreciate for any tips, extra workarounds, Etc.

I have done registry entry, nslookup, ping sessions, firewall- antivirus exclusions, host entry, what am I missing here?

THANKS A LOT

DGrinev
Veeam Software
Posts: 1739
Liked: 221 times
Joined: Dec 01, 2016 3:49 pm
Full Name: Dmitry Grinev
Location: St.Petersburg
Contact:

Re: Need help for non-domain computers to use veeam agents

Post by DGrinev » Jun 03, 2019 10:25 am

Hi Raju!

Please review this discussion above, if you will have additional questions do not hesitate to ask. Thanks!

raju rawat
Novice
Posts: 6
Liked: 1 time
Joined: Feb 21, 2019 3:47 pm
Full Name: Raju Rawat
Location: Cairo, Egypt
Contact:

Re: Management of Workgroup clients

Post by raju rawat » Oct 01, 2019 4:09 pm

1- created a protection group on the server with type "Individual computers"
: I followed this and created this group what do you mean TYPE "Individual computers"
2- added the clients to the protection group by their IP address because name resolution is not possible for them
: How did you achieve this?

Can you guide me please. Thankyou.

Dima P.
Product Manager
Posts: 10528
Liked: 857 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Management of Workgroup clients

Post by Dima P. » Oct 01, 2019 4:44 pm

Raju,

Can you please confirm that direct connection from Veeam B&R server to the machine which is going to be protected by agent can be established (is it possible to connect to the client machine from Veeam B&R server via admin share)? Thanks!

Post Reply

Who is online

Users browsing this forum: No registered users and 9 guests