- albertwt
- Veteran
- Posts: 965
- Liked: 55 times
- Joined: Nov 05, 2009 12:24 pm
- Location: Sydney, NSW
Backing up Active Directory ?
Hi all,
What are the backup service account credentials or granular privileges required to back up Active Directory domain controllers?
I've been told not to use DOMAIN\Administrator, so I don't know what to use now.
--
/* Veeam software enthusiast user & supporter ! */
- widmerkarl
- Expert
- Posts: 122
- Liked: 29 times
- Joined: Jan 06, 2015 10:03 am
- Full Name: Karl Widmer
- Location: Switzerland
Re: Backing up Active Directory ?
Hi,
I use DOMAIN\Administrator. Didn't think about it, it just works.
Of course you can create some kind of service account or so, especially when some compliance or security policies of the company have to be implemented.
Please have a look at the helpcenter, the permissions needed are explained in detail.
https://helpcenter.veeam.com/backup/vsp ... sions.html
https://helpcenter.veeam.com/backup/exp ... sions.html
Karl Widmer
IT System Engineer
vExpert 2017-2024
VMware VCP-DCV 2023 / VCA6-DCV / VCA5-DCV / VCA5-Cloud / VMUG Leader
Former Veeam Vanguard / VMCE v9 / VMTSP v9 / VMSP v9
Personal blog: https://www.driftar.ch
Twitter: @widmerkarl
- albertwt
- Veteran
- Posts: 965
- Liked: 55 times
- Joined: Nov 05, 2009 12:24 pm
- Location: Sydney, NSW
Re: Backing up Active Directory ?
Thanks Karl,
But somehow there is no Local Administrators group in the Domain Controllers, hence at the moment I'm stuck with the DOMAIN\Administrator account.
PCI compliance dictates that the high privilege account cannot be used for service / backup.
--
/* Veeam software enthusiast user & supporter ! */
- jmmarton
- Veeam Software
- Posts: 2097
- Liked: 312 times
- Joined: Nov 17, 2015 2:38 am
- Full Name: Joe Marton
- Location: Chicago, IL
Re: Backing up Active Directory ?
It's still there.  You just can't do it from the GUI.  Here's an article on adding users to the local administrators group on a DC via command-line.
http://www.richardawilson.com/2010/06/a ... or-on.html
Joe
- albertwt
- Veteran
- Posts: 965
- Liked: 55 times
- Joined: Nov 05, 2009 12:24 pm
- Location: Sydney, NSW
Re: Backing up Active Directory ?
Joe,
yes, that does make sense.
It is working.
Thanks for the tips.
--
/* Veeam software enthusiast user & supporter ! */
- albertwt
- Veteran
- Posts: 965
- Liked: 55 times
- Joined: Nov 05, 2009 12:24 pm
- Location: Sydney, NSW
Re: Backing up Active Directory ?
Joe, if I have a different AD domain controller to be backed up, am I still able to use the same AD service account from domain 1?
Note: This is the updated thread veeam-backup-replication-f2/backing-up- ... 39344.html. There is no AD trust between the two AD domains.
--
/* Veeam software enthusiast user & supporter ! */
- jmmarton
- Veeam Software
- Posts: 2097
- Liked: 312 times
- Joined: Nov 17, 2015 2:38 am
- Full Name: Joe Marton
- Location: Chicago, IL
Re: Backing up Active Directory ?
Look at the other thread, I agree with Alex's suggestion.  Open a support ticket as everything you've described in the other thread sounds like it should work.
Joe
- joebranca
- Enthusiast
- Posts: 61
- Liked: never
- Joined: Oct 28, 2015 9:36 pm
- Full Name: Joe Brancaleone
Re: Backing up Active Directory ?
Resurrecting this old thread: since this time, are there additional security-related recommendations wrt backing up AD domain controllers with stored credentials other than a domain administrator?
Our Windows admin team wants to be able to do this, but in the current ransomware protection urgency atmosphere, any chance of a compromised domain admin credential needs to be absolutely minimized. Not being a Windows admin myself, what are the security implications of using a DC's local admin account if that were to be compromised through the Veeam server?
They also wanted to ask about Kerberos authentication support and gMSA accounts, if there's any information on that.
- matteu
- Veeam Legend
- Posts: 895
- Liked: 141 times
- Joined: May 11, 2018 8:42 am
Re: Backing up Active Directory ?
Hello,
The only security solution now is to use a pre-installed agent.
This avoids credentials being stored on the Veeam server.
gMSAs are not supported on v11.
There is no real local admin on a DC, because these accounts can grant themselves domain admin ...
- joebranca
- Enthusiast
- Posts: 61
- Liked: never
- Joined: Oct 28, 2015 9:36 pm
- Full Name: Joe Brancaleone
Re: Backing up Active Directory ?
Hi,
To make sure I understand, do you mean installing the Veeam agent for Windows on the DC (even if it's a VM), and setting up a self-managed backup schedule by an admin on the DC admin? Is there a KB article or doc on this?
- Mildur
- Product Manager
- Posts: 10984
- Liked: 3016 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
Re: Backing up Active Directory ?
Hi Joe
Matteu is talking about pre-installed agents.
Meaning, you create a protection group of the type "Computers with pre-installed agent", generate the installation packages for Windows and deploy them manually on the domain controller. You don't have to store credentials on the VBR server for this type of group.
This agent will connect to the VBR server with the help of the provided XML file. You can configure an agent backup job on the VBR server for this domain controller. You don't have to manage agent jobs directly on the agent.
Product Management Analyst @ Veeam Software
			
- matteu
- Veeam Legend
- Posts: 895
- Liked: 141 times
- Joined: May 11, 2018 8:42 am
Re: Backing up Active Directory ?
Hello,
Mildur explained perfectly what I talked about.
- BjarneWahl
- Novice
- Posts: 5
- Liked: never
- Joined: Mar 02, 2016 2:47 pm
- Full Name: Bjarne Wahl Hansen
Re: Backing up Active Directory ?
Have you thought about limiting the account to specific logon hours?
I know, it would be annoying when restoring (you'd have to change the logon hours), but security is costly and we all know it and live with it.

Kind regards
Bjarne Wahl Hansen
Microsoft, vCenter/ESXi and Veeam nerd
- matteu
- Veeam Legend
- Posts: 895
- Liked: 141 times
- Joined: May 11, 2018 8:42 am
Re: Backing up Active Directory ?
The issue when you use domain admin credentials is that the credentials are stored in the Veeam database.
If your backup server is compromised, your entire domain is...
When you want security, you don't want any account from AD to be able to compromise the backup infrastructure, but this statement is also true the other way around.
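
An added example, not part of the thread and not Veeam's code: a read-only PowerShell audit of a backup service account covering two points raised above, namely whether the account ends up in BUILTIN\Administrators (the "local Administrators" group on a DC) or Domain Admins, and whether its logon hours are restricted. The account name `svc-veeam-backup` is hypothetical, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example: read-only audit of a backup service account.
# Assumes the RSAT ActiveDirectory module; 'svc-veeam-backup' is a hypothetical name.
Import-Module ActiveDirectory

function Test-BackupAccountExposure {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user      = Get-ADUser -Identity $SamAccountName -Properties logonHours
    $domainSid = (Get-ADDomain).DomainSID.Value

    # Well-known SIDs. On a domain controller there is no separate local SAM:
    # "local Administrators" is the domain's BUILTIN\Administrators group.
    $privileged = [ordered]@{
        'BUILTIN\Administrators' = 'S-1-5-32-544'
        'Domain Admins'          = "$domainSid-512"
    }

    # -Recursive expands nested groups, so indirect membership is caught too.
    $hits = foreach ($name in $privileged.Keys) {
        $members = Get-ADGroupMember -Identity $privileged[$name] -Recursive
        if ($members.SID.Value -contains $user.SID.Value) { $name }
    }

    # logonHours is a 21-byte bitmap (7 days x 24 hours).
    # Unset, or every byte 0xFF, means the account may log on at any time.
    $hours      = $user.logonHours
    $restricted = ($null -ne $hours) -and
                  (@($hours | Where-Object { $_ -ne 255 }).Count -gt 0)

    [pscustomobject]@{
        Account              = $user.SamAccountName
        PrivilegedGroups     = @($hits)
        DomainWideAdmin      = (@($hits).Count -gt 0)
        LogonHoursRestricted = $restricted
    }
}

Test-BackupAccountExposure -SamAccountName 'svc-veeam-backup'
```

If `DomainWideAdmin` is true, the credential stored on the backup server is equivalent to a domain administrator's, whichever of the two groups it came from.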