-
- Expert
- Posts: 125
- Liked: 3 times
- Joined: Mar 23, 2009 4:44 pm
- Full Name: Matt
- Contact:
Domain Controller required user backup permissions
We're trying to go to least privileged user access required to do backups, and we've generally just been putting the user in the "Administrators" group of a VM as shown here:
http://helpcenter.veeam.com/backup/80/v ... sions.html
But with Active Directory controllers, they obviously don't have their machine specific "administrators" group any more, and when we remove the user from "domain admins", we get this error:
"Failed to prepare guest for hot backup. Error: Failed to connect to guest agent. Errors: 'Cannot connect to the host's administrative share."
What are the least privileged rights we can use to back up an Active Directory Domain Controller?
Thank you!
-
- Product Manager
- Posts: 6551
- Liked: 765 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: Domain Controller required user backup permissions
Hi,
Unfortunately, Domain Admin rights are needed in order to perform DC backup.
Thank you.
-
- Expert
- Posts: 125
- Liked: 3 times
- Joined: Mar 23, 2009 4:44 pm
- Full Name: Matt
- Contact:
Re: Domain Controller required user backup permissions
Thank you very much for the quick reply.
I assume best practice advice from Veeam would then be to use a service account specific to this requirement, rotate the password, and then use a PowerShell script as referenced below to trigger the update of the Veeam credential side?
http://helpcenter.veeam.com/backup/80/p ... tials.html
-
- Product Manager
- Posts: 6551
- Liked: 765 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: Domain Controller required user backup permissions
I'm not sure that I fully understand what you are trying to accomplish. Do you have some concerns regarding the usage of a Domain Admin account? Could you elaborate a little bit please?
-
- Expert
- Posts: 125
- Liked: 3 times
- Joined: Mar 23, 2009 4:44 pm
- Full Name: Matt
- Contact:
Re: Domain Controller required user backup permissions
I was just suggesting that since we need to use a Domain Admin account, we'd rotate the account's password on a regular basis and use the Veeam PowerShell command provided to keep it in sync with the password rotation.
-
- Product Manager
- Posts: 6551
- Liked: 765 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: Domain Controller required user backup permissions
Sure, you can keep your credentials relevant with the help of the PowerShell cmdlet you've mentioned. On the other hand, I don't think it's a big deal to manually edit one password once in a couple of weeks, especially if talking about a Domain Admin password, not to mention that I'd be very careful when incorporating a plain text Domain Admin password into some script... Anyway, it's up to you whether to script or not to script password updates.
Thank you.
-
- Expert
- Posts: 138
- Liked: 10 times
- Joined: Jul 17, 2015 9:02 am
- Full Name: Glenn L
- Contact:
Re: Domain Controller required user backup permissions
I am looking into backing up my Domain Controllers as well, and getting the VIX error about connecting to the share.
When you say the Domain Admin account is needed for a successful backup (I have App Aware backups enabled), is that any "service" account with Domain Admin privileges that I can use, or is it the actual "DomainName\Administrator" account that you are referring to?
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Domain Controller required user backup permissions
Account with Domain Admin privileges should be sufficient, provided you have UAC disabled on the VM.
-
- Expert
- Posts: 138
- Liked: 10 times
- Joined: Jul 17, 2015 9:02 am
- Full Name: Glenn L
- Contact:
Re: Domain Controller required user backup permissions
OK, and if we cannot disable UAC because of security policy, and there is no local administrator account as it's a Domain Controller, how do we back it up then?
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Domain Controller required user backup permissions
Using the domain’s built-in Administrator account.
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Jan 14, 2016 4:56 pm
- Full Name: Paolo Magnolfi
- Contact:
[MERGED]: Veeam Backup Domain Controller
Good morning,
I'm using VB&R with no problem. I now also need to back up a VM domain controller using Veeam.
For all Windows VMs that I back up with Veeam I use a "service account" as guest OS credential.
The service account is put in the local Administrators group for each VM.
How can I use the same service account to back up a DC?
I tried to put it in the Domain Admins group, but the backup failed. For the moment I have solved the problem using the domain administrator account as guest OS credential for the DC.
-
- Expert
- Posts: 138
- Liked: 10 times
- Joined: Jul 17, 2015 9:02 am
- Full Name: Glenn L
- Contact:
Re: Domain Controller required user backup permissions
Disable UAC on the Domain Controller if you are using a Service Account. Otherwise use the actual Domain Administrator account, i.e. DomainName\Administrator.
-
- Veteran
- Posts: 942
- Liked: 53 times
- Joined: Nov 05, 2009 12:24 pm
- Location: Sydney, NSW
- Contact:
[MERGED] Service Account credentials to backup Domain Contro
Hi All,
I've already created the DOMAIN\service-VBR account for backing up the other VMs, and I have added it to the local administrators for all servers. But somehow I cannot find the local administrators group for the domain controllers?
So how can I successfully back up AD domain controllers with Veeam?
Using DOMAIN\Administrator account is prohibited by the security team due to PCI compliance.
--
/* Veeam software enthusiast user & supporter ! */
-
- Expert
- Posts: 138
- Liked: 10 times
- Joined: Jul 17, 2015 9:02 am
- Full Name: Glenn L
- Contact:
Re: Domain Controller required user backup permissions
Domain Controllers do not have the "local" Administrators Group like a standard Domain joined server has. Can you disable UAC on the Domain Controller and then try again with the service account?
-
- Service Provider
- Posts: 252
- Liked: 20 times
- Joined: Aug 02, 2011 9:30 pm
- Full Name: Matjaž Antloga
- Location: Celje, Slovenia
- Contact:
Re: Domain Controller required user backup permissions
I've read this in some other post: "You can use VMTools (for VMWare) or Hyper-V Native Quiescence which means VMWare or Hyper-V will inform the guest to take a VSS snapshot rather than Veeam."
So Q now is: Can we simply use Quiescence mode to backup domain controllers?
-
- Service Provider
- Posts: 372
- Liked: 120 times
- Joined: Nov 25, 2016 1:56 pm
- Full Name: Mihkel Soomere
- Contact:
Re: Domain Controller required user backup permissions
Add your Veeam guest service account user to "BUILTIN\Administrators" group in "Builtin" OU, it is considered local Administrators on all DCs.
Quiescence should work fine as AD is VSS aware.
-
- Enthusiast
- Posts: 80
- Liked: 7 times
- Joined: Aug 11, 2015 9:10 am
- Full Name: Bilal AHmed
- Contact:
Re: Domain Controller required user backup permissions
Ok, I am having DC backup issues.
Some of my DCs back up application aware fine, but some do not. None of them allow VIX, but they all pass the RPC credentials check.
If I disable UAC, VIX passes, but all my DCs are set to level 3 and some of them back up via RPC fine. We do not really want to disable UAC on them. The service account for Veeam is in Domain Admins too, yet the issue persists.
I have tried adding the account into BUILTIN\Administrators and then re-enabling UAC, and VIX fails.
I can't figure out why some DCs are backing up fine and some are not. I can't seem to figure out what the differences are. They are all 2008R2 DCs with a 2003 forest level, and they are currently on slightly different patch levels.
Case # 02975554 if anyone wants to have a look, I am out of ideas. I guess I do not need to back up every DC, but I would like to simply because I am paying for Veeam and want to use the features it provides ha
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Domain Controller required user backup permissions
Hi Bilal, for backup over VIX, you either need to use built-in Administrator account (that is exempt from UAC) or disable UAC.
-
- Enthusiast
- Posts: 51
- Liked: never
- Joined: Sep 05, 2016 10:35 am
- Contact:
[MERGED] application-aware processing with domain controllers
Hello, I am trying to activate application-aware processing with the backup jobs of two virtual machines that are domain controllers and that are in another domain than Veeam Server, with which there is a bidirectional trust relationship.
I use Domain Admin credentials to perform the test and it gives a warning: checking standard credentials via RPC is correct, and via VIX it gives errors.
Can I apply application-aware in these conditions?
Thank you.
-
- Product Manager
- Posts: 14726
- Liked: 1706 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: application-aware processing with domain controllers
Hello fll,
Please check the following:
1. Ensure that the account being used by Veeam is a member of the Local Administrators group on the VM that is to be backed up
2. If the account is not named Administrator, make sure that UAC on the Guest OS is disabled
-
- Enthusiast
- Posts: 51
- Liked: never
- Joined: Sep 05, 2016 10:35 am
- Contact:
Re: application-aware processing with domain controllers
There is no local admins group on a DC.
The account name is administrador.
Thanks
-
- Product Manager
- Posts: 14726
- Liked: 1706 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: application-aware processing with domain controllers
fll,
To double check, you have VMware tools installed on both hosts, right?
-
- Enthusiast
- Posts: 51
- Liked: never
- Joined: Sep 05, 2016 10:35 am
- Contact:
-
- Product Manager
- Posts: 14726
- Liked: 1706 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: application-aware processing with domain controllers
Hi fll.
Looks like all requirements are met and VIX should be used. May I ask you to open a support case and investigate this problem with our support team? Please do not forget to share the case ID in this thread for future reference. Thank you in advance.
-
- Enthusiast
- Posts: 51
- Liked: never
- Joined: Sep 05, 2016 10:35 am
- Contact:
Re: application-aware processing with domain controllers
Hi, thanks for the answers.
Despite a warning I have released a backup job and it has not given me errors.
With the RPC connection it has been enough.
Thanks.
-
- Influencer
- Posts: 10
- Liked: 1 time
- Joined: Mar 04, 2019 4:38 pm
- Full Name: Al De
- Contact:
Re: application-aware processing with domain controllers
Is #2 a hard requirement for domain controller application-aware processing still in 9.5 Update 4? I couldn't find any other documentation that specified the account had to be named "administrator" if UAC is not disabled.
Even opened a support ticket and they pointed me to articles that said enterprise administrator or domain administrator membership would be enough.
-
- Influencer
- Posts: 10
- Liked: 1 time
- Joined: Mar 04, 2019 4:38 pm
- Full Name: Al De
- Contact:
Re: application-aware processing with domain controllers
Spoke with another Veeam support person and they clarified this.
The account named administrator or disabling the UAC is only for VIX application aware processing, which should only happen if RPC application aware processing fails.
RPC application aware processing requires certain ports open and the account credentials specified to be an enterprise admin or domain admin.
Some additional detail on the RPC ports: https://helpcenter.veeam.com/docs/backu ... 95u4#guest
Some additional detail on the VIX requirements: https://www.veeam.com/kb1788
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Domain Controller required user backup permissions
Correct, this is a VIX-specific requirement for cases where an account that is not the built-in Administrator account (that is exempt from UAC) is used.
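The account and UAC conditions discussed across this thread, gathered into one read-only check (an added example, not Veeam's code and not posted by any participant). It assumes the ActiveDirectory RSAT module and an elevated session on the DC itself, and uses `service-VBR`, the account name mentioned earlier in the thread, as its default; the RPC/VIX conclusions restate what the thread says, and RPC port reachability is not tested.

```powershell
# Added example (not from the thread): read-only audit, run on the DC itself.
# Assumes the ActiveDirectory (RSAT) module; 'service-VBR' is the name used in the thread.
param([string]$SamAccountName = 'service-VBR')

Import-Module ActiveDirectory -ErrorAction Stop
$user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop

# The built-in domain Administrator keeps RID 500 even if it has been renamed.
$isBuiltinAdmin = $user.SID.Value -match '-500$'

function Test-GroupMember([string]$Group) {
    # -Recursive expands nested groups, so indirect membership counts too.
    $members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction Stop
    [bool]($members | Where-Object { $_.SID.Value -eq $user.SID.Value })
}
$inDomainAdmins  = Test-GroupMember 'Domain Admins'
$inBuiltinAdmins = Test-GroupMember 'Administrators'   # BUILTIN\Administrators

# UAC state of this machine. A missing registry value reads as $null, i.e. "not 1".
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $key
$uacEnabled     = $pol.EnableLUA -eq 1
# Admin Approval Mode for the built-in Administrator removes its UAC exemption.
$rid500Filtered = $pol.FilterAdministratorToken -eq 1

# Conditions as stated in the thread. Only Domain Admins is checked for RPC;
# Enterprise Admins lives in the forest root domain and is not queried here.
$rpcAccountOk = $inDomainAdmins
$vixAccountOk = $inBuiltinAdmins -and
    ((-not $uacEnabled) -or ($isBuiltinAdmin -and -not $rid500Filtered))

[pscustomobject]@{
    Account              = $user.SamAccountName
    BuiltinAdministrator = $isBuiltinAdmin
    InDomainAdmins       = $inDomainAdmins
    InBuiltinAdmins      = $inBuiltinAdmins
    UacEnabled           = $uacEnabled
    RpcAccountOk         = $rpcAccountOk
    VixAccountOk         = $vixAccountOk
}
```

A result with `RpcAccountOk` true and `VixAccountOk` false matches the situation several posters describe: the RPC credentials check passes while the VIX check fails on a DC that has UAC enabled.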