Comprehensive data protection for all workloads
skyforger
Novice
Posts: 4
Liked: never
Joined: Aug 05, 2021 7:41 am
Full Name: skyforger

Configuring gMSA account, Veeam v.12

Post by skyforger »

Hi!
We are implementing gMSA accounts for our B&R infra v.12.
In the Veeam documentation it is unclear whether we should run the command below ONLY on all domain controllers, or ALSO on the target servers and the application proxy, to make this work?
"To enable gMSA support in Microsoft Windows PowerShell, run the following commands:
Add-WindowsFeature NET-Framework,RSAT-ADDS 2>&1 | Out-Null;
Import-Module ServerManager;
Install-WindowsFeature -IncludeAllSubFeature RSAT | Out-Null;
Import-Module ActiveDirectory;"

Also, is installing those RSAT features on domain controllers a possible security risk in itself? Would that open more attack surface on the DCs?

Also, how are people handling backup credentials if an AD tier hardening model is in place? Let's say your server is in tier 0 and you cannot access that tier with your backup service account?
I also have support case Case # 05925852 open for this, but it is hard to get my head around how to implement gMSA the correct way...
doktornotor
Expert
Posts: 113
Liked: 40 times
Joined: Mar 07, 2018 12:57 pm

Re: Configuring gMSA account, Veeam v.12

Post by doktornotor »

Not sure why they suggest installing the entire RSAT.

Code:

Install-WindowsFeature RSAT-AD-PowerShell
Note:
- You need the above PS module on any computer that is supposed to have the gMSA account added.
- Do NOT bother trying to do things with remote PS (Enter-PSSession). It will NOT work.
skyforger
Novice
Posts: 4
Liked: never
Joined: Aug 05, 2021 7:41 am
Full Name: skyforger

Re: Configuring gMSA account, Veeam v.12

Post by skyforger »

I followed this guide: https://helpcenter.veeam.com/docs/backu ... ml?ver=120
So running only "Install-WindowsFeature RSAT-AD-PowerShell" on the DCs will be enough, without installing the entire RSAT feature as the guide suggests?
The process goes like this, am I correct:
1. Create root key: Add-KdsRootKey -EffectiveImmediately
2. Run Install-WindowsFeature RSAT-AD-PowerShell on all Domain Controllers
3. Create gMSA accounts
4. Install gMSA on target servers etc.
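As an added example (not code from this thread or from Veeam's documentation), the four steps above sketched in PowerShell, with the host-side module install that doktornotor mentions and the password-retrieval permission limited to a named group of backup hosts rather than all domain computers. The account, group and host names are placeholders, and the two functions are meant to be run on different machines as their comments state.

```powershell
#Requires -RunAsAdministrator
# Placeholder names (constructed for this example); replace with your own.
$GmsaName    = 'svc-veeam-gmsa'
$HostGroup   = 'GRP-Veeam-gMSA-Hosts'      # only members may retrieve the gMSA password
$TargetHosts = 'VBR01', 'VPROXY01'         # backup server and proxy computer accounts

# Run ONCE, from a domain-joined admin host or DC that has the ActiveDirectory module.
function Publish-BackupGmsa {
    Import-Module ActiveDirectory
    $domain = Get-ADDomain

    # Step 1: the KDS root key is forest-wide; create it once, never per DC.
    if (-not (Get-KdsRootKey)) {
        Add-KdsRootKey -EffectiveImmediately | Out-Null   # allow time for AD replication in production
    }

    # Least privilege: a dedicated group of specific hosts, not 'Domain Computers'.
    if (-not (Get-ADGroup -Filter "Name -eq '$HostGroup'")) {
        New-ADGroup -Name $HostGroup -GroupScope Global -GroupCategory Security
    }
    foreach ($h in $TargetHosts) {
        Add-ADGroupMember -Identity $HostGroup -Members (Get-ADComputer -Identity $h)
    }

    # Step 3: create the gMSA, AES-only Kerberos, automatic 30-day rotation (fixed at creation time).
    if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
        New-ADServiceAccount -Name $GmsaName `
            -DNSHostName "$GmsaName.$($domain.DNSRoot)" `
            -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
            -KerberosEncryptionType AES256 `
            -ManagedPasswordIntervalInDays 30
    }
}

# Run on EVERY host that will use the gMSA (backup server, proxies); this is step 2 + step 4.
function Initialize-BackupGmsaHost {
    if (-not (Get-WindowsFeature RSAT-AD-PowerShell).Installed) {
        Install-WindowsFeature RSAT-AD-PowerShell | Out-Null
    }
    Import-Module ActiveDirectory
    # Group membership is read at logon: reboot the host after adding it to $HostGroup.
    Install-ADServiceAccount -Identity $GmsaName
    if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
        Write-Warning "$env:COMPUTERNAME cannot retrieve the gMSA password; check group membership and replication"
    }
}
```

Test-ADServiceAccount returning False on a host is the quickest way to tell whether the gap is the missing RSAT-AD-PowerShell module, a stale group membership, or a KDS root key that has not replicated yet.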
mkaec
Veteran
Posts: 483
Liked: 144 times
Joined: Jul 16, 2015 1:31 pm
Full Name: Marc K

Re: Configuring gMSA account, Veeam v.12

Post by mkaec »

When I run Get-KdsRootKey, I notice that it lists only the domain controller I was on when I ran Add-KdsRootKey. Is the key really dependent on that single system? I thought it being AD and all that it would replicate to the other DCs.
skyforger
Novice
Posts: 4
Liked: never
Joined: Aug 05, 2021 7:41 am
Full Name: skyforger

Re: Configuring gMSA account, Veeam v.12

Post by skyforger »

If someone from Veeam could answer these questions?
Support ID: #02242658
doktornotor
Expert
Posts: 113
Liked: 40 times
Joined: Mar 07, 2018 12:57 pm

Re: Configuring gMSA account, Veeam v.12

Post by doktornotor »

These questions have nothing to do with Veeam.

https://learn.microsoft.com/en-us/power ... escription
The Add-KdsRootKey cmdlet generates a new root key for the Microsoft Group Key Distribution Service (KdsSvc) within Active Directory. The Microsoft Group KdsSvc generates new group keys from the new root key. It is required to run this only once per forest.

https://learn.microsoft.com/en-us/windo ... s-root-key
KDS root keys are stored in Active Directory in container CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=<forest name>. They have an attribute msKds-DomainID that links to the computer account of the Domain Controller that created the object. When this domain controller is demoted and removed from the domain, the value will refer to the tombstone of the computer account. You can ignore the broken value as it is only used to help the administrator track the object when it's freshly created. You may also change the attribute value and point it to the computer object of another domain controller in your forest.