-
- Expert
- Posts: 101
- Liked: 5 times
- Joined: Oct 27, 2021 8:07 pm
- Full Name: Ser
- Contact:
Veeam Backup Server out of domain
Can the Veeam Backup Server be taken out of domain?
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
-
- Veeam Software
- Posts: 688
- Liked: 150 times
- Joined: Jan 22, 2015 2:39 pm
- Full Name: Stefan Renner
- Location: Germany
- Contact:
Re: Veeam Backup Server out of domain
As gostev said this is not an issue at all.
And these days, where crypto trojans are all around, it is a very common thing to have Veeam components, incl. the VBR server, out of AD. Just make sure you understand how all components work with each other and that, for example, DNS is very much needed for a lot of things.
Stefan Renner
Veeam PMA
-
- Expert
- Posts: 101
- Liked: 5 times
- Joined: Oct 27, 2021 8:07 pm
- Full Name: Ser
- Contact:
Re: Veeam Backup Server out of domain
Hi rennerstefan.
Based on what you tell me.
If it is removed from the domain, some of the components such as proxies or repositories that were registered by name could not be connected anymore?
-
- Product Manager
- Posts: 9848
- Liked: 2607 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Veeam Backup Server out of domain
Make sure that DNS resolution works after removing the Windows server from the domain.
And if you have used a dedicated server for proxy and repo, reconfigure the credentials in the proxy and backup repo properties to a local administrative account, if you have used a domain admin account before.
Product Management Analyst @ Veeam Software
-
- Expert
- Posts: 101
- Liked: 5 times
- Joined: Oct 27, 2021 8:07 pm
- Full Name: Ser
- Contact:
Re: Veeam Backup Server out of domain
Thanks Mildur.
The credentials are changed from Managed Servers of the servers that have the role of proxy and repository.
Credentials are not loaded in that component.
Is that right?
-
- Product Manager
- Posts: 9848
- Liked: 2607 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Veeam Backup Server out of domain
Credentials are stored in the Veeam backup server configuration database.
For example, you configured Veeam to use an Active Directory user to connect to the managed server working as a proxy.
If you remove the managed server with the proxy from your domain (AD), Veeam will not be able to connect to this managed server with the proxy component anymore. You must change the credentials. You can do that under Managed Servers. Open the properties of each managed server that you have removed from the domain and change the credentials from AD credentials to local credentials. You need to create a local user with administrative permissions on the managed server first. Then you can use it in Veeam.
Edit managed servers
Product Management Analyst @ Veeam Software
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Veeam Backup Server out of domain
Domain credentials work just fine whether or not backup server itself is a part of the domain, so usually there's no reason to swap them for local credentials following the removal of the backup server from a domain.
-
- Product Manager
- Posts: 9848
- Liked: 2607 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Veeam Backup Server out of domain
Sorry, I mixed up some topics of @SerSunal. Anton is right.
I thought this one is also about removing the proxy and repo from the domain.
Product Management Analyst @ Veeam Software
-
- Enthusiast
- Posts: 40
- Liked: 13 times
- Joined: Apr 08, 2015 11:52 am
- Full Name: Christian Naenny
- Location: Zurich, Switzerland
- Contact:
Re: Veeam Backup Server out of domain
Is there a concise document on how to operate the Veeam B&R Infrastructure without using Active Directory? Possibly with a section on how to remove the Veeam B&R components from the existing AD infrastructure?
-
- Veeam Software
- Posts: 688
- Liked: 150 times
- Joined: Jan 22, 2015 2:39 pm
- Full Name: Stefan Renner
- Location: Germany
- Contact:
Re: Veeam Backup Server out of domain
Hi Christian,
don't know of any document that talks specifically about it. But as mentioned by Gostev and Mildur, Veeam is fine operating with components that are not part of AD. All credentials, even the ones you need to connect to AD, e.g. for App Aware processing, will be stored in our internal DB. As I mentioned yesterday, you should just make sure your DNS is working well (which does not depend on AD).
Also you need to be aware that some other services like Enterprise Manager will work differently (in case you use self service etc.).
It will be hard to explain everything on the forum but feel free to add any details or further questions as needed.
Thanks
Stefan Renner
Veeam PMA
-
- Enthusiast
- Posts: 40
- Liked: 13 times
- Joined: Apr 08, 2015 11:52 am
- Full Name: Christian Naenny
- Location: Zurich, Switzerland
- Contact:
Re: Veeam Backup Server out of domain
Hi Stefan
Thanks for your answer.
I was just wondering as we're exploring options to protect our backup infrastructure against a multitude of attacks. Of course this has to include the possibility of attacks on the AD infrastructure.
We will have to create a step-by-step document on how to do this (VBR outside AD) and I thought maybe somebody has already done this...
-
- Veeam Software
- Posts: 688
- Liked: 150 times
- Joined: Jan 22, 2015 2:39 pm
- Full Name: Stefan Renner
- Location: Germany
- Contact:
Re: Veeam Backup Server out of domain
Totally get your point.
There is a little bit of information in the Best Practice guide here:
https://bp.veeam.com/vbr/Security/Security_domains.html
And also, there is some content available in the forums here:
veeam-backup-replication-f2/veeam-serve ... 55751.html
veeam-backup-replication-f2/moving-veea ... 69532.html
veeam-backup-replication-f2/non-domain- ... 63217.html
Maybe that helps to speed up your process.
Stefan Renner
Veeam PMA
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Veeam Backup Server out of domain
Someone on Reddit did this move a few weeks ago and did not run into any roadblocks. Basically he came back to say it was a simple and smooth experience, and nothing broke.
-
- Novice
- Posts: 6
- Liked: 4 times
- Joined: Jul 23, 2020 9:48 pm
- Full Name: Vladimir Mikhelson
- Contact:
Re: Veeam Backup Server out of domain
Hi,
Not so smooth here. I have a case open with Veeam on that exact topic for more than a month. Case # 05140230.
Specific problems are related to out-of-domain Managed Servers having issues performing guest interrogation and / or installing necessary Veeam components on AD joined VMs they are backing up. RPC calls failing, etc.
And yes, I do have all DNS names resolving, all local and AD credentials in place.
Still hope to see all my Veeam servers out of AD one day.
-Vladimir
-
- Expert
- Posts: 104
- Liked: 13 times
- Joined: Jun 12, 2014 11:01 am
- Full Name: Markko Meriniit
- Contact:
Re: Veeam Backup Server out of domain
Seems more like a network problem. With a segmented network where switches limit/filter traffic, these kinds of problems can happen.
-
- Influencer
- Posts: 11
- Liked: 1 time
- Joined: Apr 20, 2021 3:19 pm
- Full Name: Steve Pogue
- Contact:
Re: Veeam Backup Server out of domain
It should be noted that Veeam Backup for Office 365 requires a domain joined server. We moved our VBR server to workgroup 6 months ago and it works great. However, VBO365 failed after it was moved to workgroup and we had to move that server back into the domain.
-
- Product Manager
- Posts: 9848
- Liked: 2607 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Veeam Backup Server out of domain
@steve
VBO365 v5.0 can be used without an AD joined machine.
That was a new feature for V5.0, using VBO 365 in a workgroup environment. My VBO server doesn't use Active Directory and it works fine. But it was built from the start without an AD integration.
Product Management Analyst @ Veeam Software
-
- Veeam Software
- Posts: 224
- Liked: 62 times
- Joined: Jan 07, 2011 2:43 am
- Full Name: Charles Clarke
- Contact:
Re: Veeam Backup Server out of domain
One of the American SAs and an SE have actually written a paper and presentation on this topic (more accurately, moving VBR from a production domain to a non-prod (i.e. management) domain but it goes via a Workgroup). Let me see if I can dig out a shareable copy.
-
- Service Provider
- Posts: 27
- Liked: 11 times
- Joined: Jul 26, 2016 6:49 pm
- Full Name: Oscar Suarez
- Contact:
Re: Veeam Backup Server out of domain
We have successfully taken out of AD most of the Veeam installations we manage, and moved them to Workgroup.
It's not hard, most issues we had were DNS related, sometimes fixed by adding name records in the host file of the server or the component. Another common issue was that some component servers (proxies for example) couldn't be reached, and they were fixed by forcing the removal from the backup infrastructure on the VBR console and adding them back.
I also remember issues with Application Aware Processing, that could only be fixed using the DOMAIN\Administrator account, because of the Windows UAC control.
In the end, as someone already said, it is a best practice to have your backup infra outside your AD, to add an extra layer (or time) of protection when adversaries have already taken control of credentials inside your AD. Also having an immutable repository as a "designated survivor" helps in this case. We do know that in this scenario, the repository is not part of any Active Directory.
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Veeam Backup Server out of domain
Active Directory by itself is not a problem. The real goal is to ensure that the backup server is not a part of production domain. You can have it in a completely different AD forest with one way trust from production forest. As far as I know, larger customers tend to place the backup server into a dedicated AD forest, as opposed to just having it sit outside any AD in a workgroup.
-
- Novice
- Posts: 4
- Liked: 1 time
- Joined: Jan 25, 2019 3:54 pm
- Full Name: Justin Huntington
- Contact:
[MERGED] Veeam Backup Server out of domain
Hi all. I am also looking at the task of removing my Veeam server from our domain.
We use Backup jobs, Backup copy jobs to NAS offsite in addition to on-prem HLR, App aware processing etc.
Is there an official document containing a checklist or something? I am quite daunted at the prospect of removing it and breaking everything at present. I rebuilt my Veeam server on new hardware 12 months ago, wish I had considered this then!
TIA
-
- Veeam Software
- Posts: 688
- Liked: 150 times
- Joined: Jan 22, 2015 2:39 pm
- Full Name: Stefan Renner
- Location: Germany
- Contact:
Re: Veeam Backup Server out of domain
Hi,
you can find some details on different security domains here: https://bp.veeam.com/vbr/Security/Security_domains.html
I'm sorry but I don't think there is the one and only best practice, as every customer is kind of different when it comes to the infrastructure and with that the dependencies he has.
As discussed in the thread above, there is no real downside of removing the Veeam components from AD.
Of course you should check first on all the dependencies you may have (accounts, DNS etc.) and maybe build your own overview.
But overall it is recommended to take that step.
And if you are doing it, you should also take the chance to harden your environment even further by using:
- different local accounts for each server
- usage of hardened Linux backup repository
- management and data traffic separation
- firewall hardening of the servers
- ...etc.
Thanks
Stefan Renner
Veeam PMA
-
- Novice
- Posts: 4
- Liked: never
- Joined: Aug 12, 2021 1:44 pm
- Full Name: Craig Shephard
- Contact:
[MERGED]Removing Veeam Servers From Domain
Hi,
We currently have all of our servers joined to our domain and would like to remove them. Has anyone already done this and can provide tips/advice?
We have a VBR server, 2x proxy servers and 2x SQL servers (failover cluster)
Thanks in advance!
-
- Product Manager
- Posts: 9848
- Liked: 2607 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Veeam Backup Server out of domain
Hi Craig
Yes, others have done that successfully.
I moved your question to this topic, where you can find some advice and tips.
Thanks
Fabian
Product Management Analyst @ Veeam Software
-
- Novice
- Posts: 4
- Liked: never
- Joined: Aug 12, 2021 1:44 pm
- Full Name: Craig Shephard
- Contact:
Re: Veeam Backup Server out of domain
Thank you Fabian for moving that over.
From reading this thread, it seems simple enough to remove our servers from the domain and use local accounts to connect the VBR to the proxy servers. Do the proxy servers need to be re added to the VBR or will they still work, providing the DNS is set up correctly?
We have our database in a separate SQL instance across 2 servers using HA. Has anyone got theirs setup in this way and have removed those from the domain?
-
- Product Manager
- Posts: 9848
- Liked: 2607 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Veeam Backup Server out of domain
You're welcome, Craig.
Yes, removing it is simple. If you only remove the VBR server from the domain, just make sure how you authenticate on the SQL server for the configuration database.
It needs to be SQL Server Authentication after removing the VBR from the Active Directory. If you used Windows authentication, it will not work anymore.
If you remove Windows proxies from the domain, make sure that they are available with the same hostname.
You should only have to reconfigure the proxy to use the new local credentials. If that's not working, remove the proxy and add it again with local credentials. There is not much to lose when you remove a proxy.
For removing the SQL Server in a HA environment, I don't know how it will behave. I don't have any experience with SQL HA deployments.
Let us wait if someone else has some recommendations here.
Product Management Analyst @ Veeam Software
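Added example (not posted by any participant in this thread and not Veeam code): a PowerShell pre-flight check for the DNS and hostname dependencies the replies above keep returning to, meant to be run on the backup server before and after it leaves the domain. The component names, the port list and the function name `Test-BackupComponent` are assumptions made for illustration.

```powershell
# Added example, not from the thread. Run on the backup server before and after
# it leaves the domain and compare the two outputs.

# Constructed sample names: replace with the names exactly as they appear under
# Managed Servers in the VBR console.
$Components = @('vbr-proxy01', 'vbr-repo01.corp.example.com')

# 135 = RPC endpoint mapper, 445 = SMB. Assumed minimum for reaching a Windows
# managed server; extend with the ports documented for your Veeam version.
$Ports = @(135, 445)

function Test-BackupComponent {
    param(
        [Parameter(Mandatory)][string]$Name,
        [int[]]$Ports = @()
    )

    # A name without a dot only resolves through the DNS suffix search list,
    # which on a domain member usually includes the AD domain name.
    $isShort = $Name -notmatch '\.'

    # -DnsOnly keeps LLMNR/NetBIOS from masking a missing DNS record.
    $addresses = @()
    try {
        $addresses = @(Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction Stop |
            ForEach-Object { $_.IPAddress } | Where-Object { $_ })
    } catch {
        # Leave $addresses empty; reported as DNS-FAIL below.
    }

    # Probe TCP ports only when the name resolved.
    $closed = @()
    if ($addresses.Count -gt 0) {
        foreach ($port in $Ports) {
            $open = Test-NetConnection -ComputerName $Name -Port $port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
            if (-not $open) { $closed += $port }
        }
    }

    if ($addresses.Count -eq 0)  { $verdict = 'DNS-FAIL' }
    elseif ($closed.Count -gt 0) { $verdict = 'PORT-BLOCKED' }
    elseif ($isShort)            { $verdict = 'OK-BUT-SHORT-NAME' }
    else                         { $verdict = 'OK' }

    [pscustomobject]@{
        Name        = $Name
        ShortName   = $isShort
        Addresses   = $addresses -join ','
        ClosedPorts = $closed -join ','
        Verdict     = $verdict
    }
}

# Record the current membership state so the before/after runs are labelled.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
"Host {0}: PartOfDomain={1}, Domain/Workgroup={2}" -f $cs.Name, $cs.PartOfDomain, $cs.Domain

$Components | ForEach-Object { Test-BackupComponent -Name $_ -Ports $Ports } |
    Format-Table -AutoSize
```

A component that reports `OK-BUT-SHORT-NAME` before the move and `DNS-FAIL` after it was resolving through a suffix that went away with domain membership; register a DNS record or connection suffix for it rather than changing the name it is registered under.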
-
- Enthusiast
- Posts: 39
- Liked: 4 times
- Joined: Nov 14, 2019 7:12 pm
- Full Name: Chris Lukowski
- Contact:
Re: Veeam Backup Server out of domain
I really wish Veeam would include guidance in the standard documentation on how to create custom accounts for these functions that follow the Principle of Least Privilege.