I have to back up clients that are not domain joined (in a workgroup) from a domain joined B&R server. I already did the following:
created a local admin account on each client. Let's call it "LocaAdmin".
created a protection group on the server with type "Individual computers"
added the clients to the protection group by their IP address because name resolution is not possible for them
disabled local firewalls for testing purpose
Now I am facing the following problems and questions:
At the moment I can not deploy the agent because I get an "Access Denied" error for the ADMIN$ share. I believe this is related to "UAC remote restrictions" as explained here. Is the mentioned registry hack the only way to make deployment work? Is there any guidance or best practice from Veeam?
What is the best practice for managing the local account credentials in B&R server? Adding a login account for every client like "CLIENT1\LocaAdmin", "CLIENT2\LocaAdmin", etc. should work. But will it work with a single account like just "LocaAdmin" or ".\LocaAdmin" if the password is the same on every client? Any experience?
Is it possible to have a scenario where automatic agent deployment is not possible (because file shares are not accessible, for example) but I want a central management. Meaning, I want to install the agent manually on the client but then centrally manage the job through the server. What account should I use in the protection group for this (user rights)?
StephanF wrote:
At the moment I can not deploy the agent because I get an "Access Denied" error for the ADMIN$ share. I believe this is related to "UAC remote restrictions"
Please check that 'File and Printer Sharing' Windows feature is enabled on the client computers.
StephanF wrote: What is the best practice for managing the local account credentials in B&R server?
Hostname\username (or IP address\username) is the best option for hosts added by IP address.
StephanF wrote: Is it possible to have a scenario where automatic agent deployment is not possible (because file shares are not accessible, for example) but I want a central management.
It’s possible to set up a standalone agent and then move it under central management but that won’t solve the resolution issue. Veeam B&R should properly resolve the IP address for the managed host. From the agent side Veeam B&R DNS name must be resolvable too.
Dima P. wrote: ↑Jan 07, 2018 11:05 pm
It’s possible to set up a standalone agent and then move it under central management but that won’t solve the resolution issue. Veeam B&R should properly resolve the IP address for the managed host. From the agent side Veeam B&R DNS name must be resolvable too.
Hi Dima,
how do we move a standalone agent to a managed one?
We've tried to install the agent as standalone, but VBR isn't able to connect to the agent if we rescan the protection group.
It tries to connect to two different ports and fails with the administrative shares.
Admin share is required to upload the components (so called Installer service), so you should allow administrative share on the computer you are about to move under protection group.
I'd add rescan (periodic information collection about the host and job configuration update) and application item recovery (when restoring to the original location). Getting back to your question: unfortunately, it's impossible to run the managed agent with admin share disabled. Cheers!
Ok, that doesn't sound so good.
Please take it as a feature request to make the agents more independent of other services. Other solutions are fully manageable over a single network port.
To be honest we are already working on this request and Update 4 will see some minor improvements (update and info collection should go thru the proprietary protocol instead of the connection to administrative share). We plan to keep enhancing this logic and eventually get rid of admin share requirement in next versions. Thanks for confirming that we are moving in the right direction. Cheers!
We can not seem to get the settings correct to allow our new Veeam Backup Server to connect to standalone Windows 2012 boxes.
The admin share seems to be very picky? Even Veeam case 03514519 has tried to help with no luck.
So maybe a few questions to the community of gurus will help?
We are running Windows 2012 R2 and have noticed posts vary as to the regedit modification:
1) RE: One may like this or not, the solution is luckily pretty simple.
UAC remote restrictions can be disabled by setting the registry value LocalAccountTokenFilterPolicy to 1:Key:
First: Welcome to the forums
Second: They basically both tell the same thing: to bypass the UAC restrictions. You might have done this before, but we learned that an update of Microsoft "enabled" it again by accident (I believe it was the March update but I am not so sure...)
MSW Ah ok so either or both registry entries should work?
Ok so I have added the registry entry to my client and yet the Veeam server still errors out w/ an RPC error.
Note I can mount \\10.x.y.z\admin on my Veeam server and I can 'see/read' the Veeam directory but on the Veeam server I can not write to the mounted folder?
When I right click > create rtf doc I receive the error 'Unable to create the file 'New Rich Text Document.rtf' Access is denied.'
I assume I should be able to write to the admin share on the remote machine?
Quick update. We installed the Veeam Agent for Windows on the target machine and this may have caused issues with the Veeam Server allowing us to 'add' the machine to the Veeam Server. Support is looking into this scenario.
Can you post the support case number here? If necessary for a follow-up from our side? And also let us know what the outcome with the engineers is.
Thanks
Mike
1- created a protection group on the server with type "Individual computers": I followed this and created this group. What do you mean by type "Individual computers"?
2- added the clients to the protection group by their IP address because name resolution is not possible for them: How did you achieve this?
Can you please confirm that direct connection from Veeam B&R server to the machine which is going to be protected by agent can be established (is it possible to connect to the client machine from Veeam B&R server via admin share)? Thanks!
Just to follow up, since I see the discussion ended a few years ago. This problem is still ongoing when trying to configure a backup of a non-domain Windows 2012 Server VM. Backup would work if the built-in Administrator account is used, but doesn't work with a local admin account that is created for this purpose. The issue is, of course, denied access to the Admin share, and I would like to avoid using the built-in Administrator account for this. We are using Veeam B&R 10 on our other server that is domain joined.
Did somebody find some other solution, that doesn't involve disabling UAC via Registry? It is strange that there isn't some group policy that would allow access for local admin accounts to Admin shares.
Unfortunately there is no workaround for a local admin account. We will discuss with RnD folks if we can address it somehow, but meanwhile for such a case disabling remote UAC is the only option. Thanks!
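
Added example, not part of the thread and not Veeam code: a read-only PowerShell audit, run elevated on a workgroup client, that reports the three client-side settings discussed above (the LocalAccountTokenFilterPolicy value, the File and Printer Sharing firewall rules, and the ADMIN$ share). It assumes an English-language OS for the firewall group name and uses the standard Windows policy key `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`; the function name `Get-PolicyValue` is made up for this example.

```powershell
# Read-only audit of the settings this thread ties to "Access Denied" on ADMIN$.
# Run in an elevated PowerShell session on the client. Nothing is modified.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when the value is absent (Windows then applies its default).
    $item = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# 1 = UAC remote restrictions disabled for local accounts (the registry change
# mentioned in the thread); absent or 0 = remote local admins get a filtered token.
$latfp = Get-PolicyValue -Name 'LocalAccountTokenFilterPolicy'

# Policy "Admin Approval Mode for the built-in Administrator account".
$fat = Get-PolicyValue -Name 'FilterAdministratorToken'

# Enabled inbound allow rules of the File and Printer Sharing group.
# The display group name is localized; this string assumes an English OS.
$fpsRules = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' })

# ADMIN$ is only present while the Server service publishes administrative shares.
$adminShare = Get-SmbShare -Name 'ADMIN$' -ErrorAction SilentlyContinue

[pscustomobject]@{
    Computer                      = $env:COMPUTERNAME
    LocalAccountTokenFilterPolicy = if ($null -eq $latfp) { 'not set' } else { $latfp }
    RemoteUacFilteringActive      = ($latfp -ne 1)
    FilterAdministratorToken      = if ($null -eq $fat) { 'not set' } else { $fat }
    FileAndPrinterSharingInbound  = $fpsRules.Count
    AdminShareExists              = ($null -ne $adminShare)
    ServerServiceStatus           = (Get-Service -Name 'LanmanServer').Status
} | Format-List
```

Where `RemoteUacFilteringActive` is `False`, every member of the local Administrators group receives a full administrative token over the network, so clients in that state are the ones where a shared local admin password carries the most risk and where access to TCP 445 is worth restricting to the B&R server.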