Host-based backup of Microsoft Hyper-V VMs.
aj_potc
Expert

RPC connection fails with local administrator account

Post by aj_potc »

I just had an interesting experience and wanted to ask the group for some feedback.

I'm running B&R 9.5 with two Hyper-V guests (all Windows Server 2016). After applying the latest Windows updates, Veeam could no longer connect to one of the two Hyper-V guests via RPC (similar to the error described here: https://www.veeam.com/kb1230).

To fix this, I had to change the credentials being used by Veeam. Instead of using the local Administrator account to connect to the guest system, I had to use the domain Administrator account. This is now the only way to connect to the server's admin share.

I suspect this is not a bug in Veeam, and in fact has nothing to do with Veeam, so I don't think it's an issue to raise with support. But I have a few questions:
  • Isn't it better to connect using the local Administrator account for backups?
  • If my domain controller is down during the backup, won't this make backups impossible?
  • Does anyone know of a way to enable access to the admin share using the local Administrator account, assuming this is "best practice"?
Thanks a lot for any tips!
Mike Resseler
Product Manager

Re: RPC connection fails with local administrator account

Post by Mike Resseler »

Hey Aj_potc

I believe (but I can be wrong) that a change has been made to the local token policy... Can you check the following:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value: LocalAccountTokenFilterPolicy
Data: 1 (to disable, 0 enables filtering)
Type: REG_DWORD (32-bit)

That said, to answer your questions:

* Isn't it better to connect using the local Administrator account for backups?
I'm not sure why... With a good design I would think that a domain account (doesn't have to be a domain administrator) is more secure than a local account

* If my domain controller is down during the backup, won't this make backups impossible?
Most likely caching will kick in so it can continue with cached credentials for a certain amount of time.

* Does anyone know of a way to enable access to the admin share using the local Administrator account, assuming this is "best practice"?
See above, I think your policies are forbidding it. It could be that this is not the right policy though so make sure you "backup" the original key first. My knowledge on this is a bit "rusty" I'm afraid... :-)
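
The check described in the reply above, as an added example that is not part of the original posts: a read-only PowerShell audit that exports the key first and then reports the token-filtering values. The backup file location and the helper name `Get-PolicyDword` are assumptions; `FilterAdministratorToken` is not mentioned in the thread and is included because it governs Admin Approval Mode for the built-in Administrator account.

```powershell
# Added example: back up the Policies\System key, then report the remote
# token-filtering settings. Nothing is modified.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$regPath = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Assumed backup location: a timestamped .reg file in the user's temp folder.
$backup = Join-Path $env:TEMP ('Policies-System-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

# Hypothetical helper: returns the DWORD as an int, or $null if the value is absent.
function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# 1. Export the key before anyone edits it.
& reg.exe export $regPath $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# 2. Read both values; either may be absent on a default installation.
$latfp = Get-PolicyDword -Path $keyPath -Name 'LocalAccountTokenFilterPolicy'
$fat   = Get-PolicyDword -Path $keyPath -Name 'FilterAdministratorToken'

# 3. Interpret. An absent LocalAccountTokenFilterPolicy behaves like 0 (filtering on).
$remoteFiltering = if ($latfp -eq 1) {
    'Disabled: local administrator accounts get a full token over the network'
} else {
    'Enabled: remote logons by local accounts receive a filtered token'
}
$builtinAdmin = if ($fat -eq 1) {
    'Built-in Administrator runs in Admin Approval Mode'
} else {
    'Built-in Administrator is not in Admin Approval Mode'
}

[pscustomobject]@{
    BackupFile                    = $backup
    LocalAccountTokenFilterPolicy = if ($null -eq $latfp) { '(not set)' } else { $latfp }
    FilterAdministratorToken      = if ($null -eq $fat)   { '(not set)' } else { $fat }
    RemoteUacFiltering            = $remoteFiltering
    BuiltinAdministrator          = $builtinAdmin
} | Format-List
```

Run it on the guest that rejects the connection; the exported .reg file can be re-imported with `reg import` to restore the original state.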
aj_potc
Expert

Re: RPC connection fails with local administrator account

Post by aj_potc »

Hi Mike,

Thanks a lot for the reply.

I checked the registry for the key you mentioned, but it seems the key LocalAccountTokenFilterPolicy doesn't exist in Windows Server 2016. So something definitely changed; I just don't know where. :-)

In any case, if you don't see a problem with using a domain account, then I'll go with that. I just had the idea that backing up a local VM from the hypervisor would be using a local account. However, I suppose that's not true, and there's no good reason not to use the domain controller for all authentication.

Thanks again!