Comprehensive data protection for all workloads
albertwt
Veeam Legend
Posts: 879
Liked: 46 times
Joined: Nov 05, 2009 12:24 pm
Location: Sydney, NSW

Backing up Active Directory ?

Post by albertwt »

Hi all,

What are the backup service account credentials or granular privileges required to back up Active Directory domain controllers?

I've been told not to use DOMAIN\Administrator so I don't know what to use now.
--
/* Veeam software enthusiast user & supporter ! */
widmerkarl
Expert
Posts: 122
Liked: 29 times
Joined: Jan 06, 2015 10:03 am
Full Name: Karl Widmer
Location: Switzerland

Re: Backing up Active Directory ?

Post by widmerkarl » 1 person likes this post

Hi,

I use DOMAIN\Administrator. Didn't think about it, it just works.

Of course you can create some kind of service account or so, especially when some compliance or security policies of the company have to be implemented.

Please have a look at the helpcenter, the permissions needed are explained in detail.

https://helpcenter.veeam.com/backup/vsp ... sions.html

https://helpcenter.veeam.com/backup/exp ... sions.html
Best regards,
Karl

-----------------------
vExpert 2017-2024
VMware VCP-DCV 2023 / VCA6-DCV / VCA5-DCV / VCA5-Cloud
Former Veeam Vanguard / VMCE v9 / VMTSP v9 / VMSP v9
Personal blog: https://www.driftar.ch
Twitter: @widmerkarl

Re: Backing up Active Directory ?

Post by albertwt »

Thanks Karl,

But somehow there is no Local Administrators group in the Domain Controllers, hence at the moment I'm stuck with the DOMAIN\Administrator account.
PCI compliance dictates that the high privilege account cannot be used for service / backup.
--
/* Veeam software enthusiast user & supporter ! */
jmmarton
Veeam Software
Posts: 2092
Liked: 309 times
Joined: Nov 17, 2015 2:38 am
Full Name: Joe Marton
Location: Chicago, IL

Re: Backing up Active Directory ?

Post by jmmarton » 1 person likes this post

It's still there. You just can't do it from the GUI. Here's an article on adding users to the local administrators group on a DC via command-line.

http://www.richardawilson.com/2010/06/a ... or-on.html

Joe

Re: Backing up Active Directory ?

Post by albertwt »

Joe,

yes, that does make sense.

It is working.

Thanks for the tips. :)
--
/* Veeam software enthusiast user & supporter ! */

Re: Backing up Active Directory ?

Post by albertwt »

Joe, if I have a different AD domain controller to be backed up, am I still able to use the same AD service account from domain 1?

Note: This is the updated thread veeam-backup-replication-f2/backing-up- ... 39344.html. There is no AD trust between the two AD domains.
--
/* Veeam software enthusiast user & supporter ! */

Re: Backing up Active Directory ?

Post by jmmarton »

Look at the other thread, I agree with Alex's suggestion. Open a support ticket as everything you've described in the other thread sounds like it should work.

Joe
joebranca
Enthusiast
Posts: 49
Liked: never
Joined: Oct 28, 2015 9:36 pm
Full Name: Joe Brancaleone

Re: Backing up Active Directory ?

Post by joebranca »

Resurrecting this old thread, since this time are there additional security related recommendations wrt backing up AD domain controllers with stored credentials other than a domain administrator?

Our Windows admin team wants to be able to do this, but in the current ransomware protection urgency atmosphere, any chance of a compromised domain admin credential needs to be absolutely minimized. Not being a Windows admin myself, what are the security implications of using a DC's local admin account if that were to be compromised through the Veeam server?

They also wanted to ask about Kerberos authentication support and gMSA accounts, if there's any information on that.
matteu
Veeam Legend
Posts: 703
Liked: 114 times
Joined: May 11, 2018 8:42 am

Re: Backing up Active Directory ?

Post by matteu »

Hello,
The only security solution now is to use a pre-installed agent.
This avoids credentials being stored on the Veeam server.
gMSAs are not supported on v11.

There is no real local admin on a DC, because these accounts can grant themselves domain admin ...
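
An added example, not part of the post above or of Veeam's documentation: a PowerShell audit that shows which DC-relevant privileged groups a backup service account belongs to, directly or through nesting. The account name `svc-veeam-backup` is a hypothetical placeholder, and the ActiveDirectory (RSAT) module is assumed to be installed.

```powershell
# Added example. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

$BackupAccount = 'svc-veeam-backup'   # hypothetical account name

# Groups that give control of domain controllers. On a DC, "Administrators"
# is the domain's Builtin\Administrators group, not a per-machine group.
$PrivilegedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins',
                    'Backup Operators', 'Server Operators'

$user = Get-ADUser -Identity $BackupAccount

$findings = foreach ($name in $PrivilegedGroups) {
    # Enterprise Admins only exists in the forest root domain, so skip misses.
    $group = Get-ADGroup -Filter "SamAccountName -eq '$name'"
    if (-not $group) { continue }

    # -Recursive flattens nested groups, so indirect membership is reported too.
    $hit = Get-ADGroupMember -Identity $group -Recursive |
           Where-Object { $_.SID.Value -eq $user.SID.Value }
    if ($hit) {
        [pscustomobject]@{
            Account = $user.SamAccountName
            Group   = $group.Name
            Scope   = $group.GroupScope
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning "$BackupAccount holds privilege on domain controllers; protect its stored credential accordingly."
} else {
    Write-Output "$BackupAccount is not a member of the audited groups."
}
```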

Re: Backing up Active Directory ?

Post by joebranca »

Hi,

To make sure I understand, do you mean installing the Veeam agent for Windows on the DC (even if it's a VM), and setting up a self-managed backup schedule by an admin on the DC admin? Is there a KB article or doc on this?
Mildur
Product Manager
Posts: 8549
Liked: 2223 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: Backing up Active Directory ?

Post by Mildur » 1 person likes this post

Hi Joe

Matteu is talking about pre-installed agents.
Meaning, you create a protection group of the type "Computers with pre-installed agent", generate the installation packages for Windows and deploy them manually on the domain controller. You don't have to store credentials on the VBR server for this type of group.

This agent will connect to the VBR server with the help of the provided XML file. You can configure an agent backup job on the VBR server for this domain controller. You don't have to manage agent jobs directly on the agent.
Product Management Analyst @ Veeam Software

Re: Backing up Active Directory ?

Post by matteu »

Hello,

Mildur explained perfectly what I talked about :)
BjarneWahl
Novice
Posts: 5
Liked: never
Joined: Mar 02, 2016 2:47 pm
Full Name: Bjarne Wahl Hansen

Re: Backing up Active Directory ?

Post by BjarneWahl »

Have you thought about limiting the account to specific logon hours?
I know, it would be annoying when restoring (you'd have to change the logon hours), but security is costly and we all know it and live with it ;)
Kind regards

Bjarne Wahl Hansen
Microsoft, vCenter/ESXi and Veeam nerd
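
An added example, not part of the post above: one way to apply the logon-hours restriction with PowerShell, by building the 21-byte `logonHours` value (one bit per hour of the week, stored in UTC, starting Sunday 00:00) and writing it to the account. The account name `svc-veeam-backup`, the helper name `New-LogonHoursMask` and the 22:00 to 02:00 UTC window are assumptions for illustration.

```powershell
# Added example. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

function New-LogonHoursMask {
    # Hypothetical helper: returns the 21-byte logonHours value that allows
    # logon every day for $DurationHours starting at $StartHourUtc (UTC).
    param(
        [Parameter(Mandatory)][ValidateRange(0, 23)][int]$StartHourUtc,
        [Parameter(Mandatory)][ValidateRange(1, 24)][int]$DurationHours
    )
    $mask = New-Object byte[] 21              # 7 days x 24 hours = 168 bits
    foreach ($day in 0..6) {                  # 0 = Sunday
        foreach ($offset in 0..($DurationHours - 1)) {
            # A window crossing midnight continues into the next day;
            # Saturday night wraps around to Sunday morning.
            $bit = ($day * 24 + $StartHourUtc + $offset) % 168
            $byteIndex = $bit -shr 3          # 8 hours per byte
            $mask[$byteIndex] = $mask[$byteIndex] -bor (1 -shl ($bit -band 7))
        }
    }
    return , $mask                            # comma keeps the array intact
}

$account = 'svc-veeam-backup'                 # hypothetical account name
$hours   = New-LogonHoursMask -StartHourUtc 22 -DurationHours 4

# Write the restriction, then read it back to confirm what AD stored.
Set-ADUser -Identity $account -Replace @{ logonHours = [byte[]]$hours }
$stored = (Get-ADUser -Identity $account -Properties logonHours).logonHours
'{0}: {1}' -f $account, (($stored | ForEach-Object { $_.ToString('X2') }) -join ' ')
```

Logon hours only limit when the credential can authenticate; they do not reduce what the account can do inside the window, and sessions already open are not ended unless the domain is configured to force logoff when logon hours expire.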

Re: Backing up Active Directory ?

Post by matteu »

The issue when you use domain admin credentials is that the credentials are stored in the Veeam database.
If your backup server is compromised, your entire domain is...

When you want security, you don't want any account from AD to be able to compromise the backup infrastructure, but this statement is also true the other way around.