Comprehensive data protection for all workloads
Post Reply
tehinternet2
Novice
Posts: 3
Liked: 1 time
Joined: Sep 12, 2023 2:17 pm
Full Name: Mike
Contact:

gMSA w/ non-domain Veeam server question

Post by tehinternet2 »

Hello,

If I were to use an gMSA for application-aware processing to process backups on domain machines, but the Veeam server is not on a domain, I understand that I'd need a Guest Interaction Proxy in the middle that is also on the same domain. That way the proxy can validate the gMSA account.

My question is, when adding the guest interaction proxy to Veeam as a Managed Server it asks for credentials. It's unclear to me if those credentials need to be domain admin priviledged credentials, or if local admin credentials to the proxy server are satisfactory -- especially if those local admin can access the ADMIN$ share on the proxy and the gMSA account can access the ADMIN$ share on the guest OS to backup

I've found I can get the proxy added to veeam as a managed server using local admin credentials, but I question if that is enough for jobs to succeed.

Is my understanding of the required architecture correct? I know it needs to be on a domain server, but does the Guest Interaction Proxy need privileged credentials in Veeam /on the domain to function?

Thanks.
Gostev
Chief Product Officer
Posts: 32759
Liked: 7967 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: gMSA w/ non-domain Veeam server question

Post by Gostev »

Hello, these credentials are only needed to install Veeam components on the server, so local Administrator account is more than enough. Thanks
tehinternet2
Novice
Posts: 3
Liked: 1 time
Joined: Sep 12, 2023 2:17 pm
Full Name: Mike
Contact:

Re: gMSA w/ non-domain Veeam server question

Post by tehinternet2 »

Thanks for the reply Gostev. That makes sense.

In that setup above which I described, I'm still scratching my head how the app-aware backup job works using gMSA if the proxy is added with domain admin creds. But if the proxy is added with only local admin creds the backup job can't access the destination server to backup's ADMIN$ share with the gMSA. But in that same backup job if I test the gMSA creds using the same proxy it passes the test.

I feel like I'm still missing something.
tehinternet2
Novice
Posts: 3
Liked: 1 time
Joined: Sep 12, 2023 2:17 pm
Full Name: Mike
Contact:

Re: gMSA w/ non-domain Veeam server question

Post by tehinternet2 » 1 person likes this post

I solved my problem/question.

my gMSA's would 'test' in a backup job using the test functionality just fine. But when the job would run, it would fail if my guest interaction proxy was added to veeam using only local admin rights and not domain admin. That was fully reproducible.

My veeam server is NOT on a domain, but can still communicate on our domain. So for example from the backup server I can access an ADMIN$ share on a different server on our NameofCompany.local domain.

When I added the Guest Interaction Proxy server, I added it as ServerName.NameOfCompany.local in Veeam.

When the backup job would run when proxy not installed using domain admin, it would claim it couldn't find the proxy and would try to use a different one and switch to the non-domain joined backup server itself and since it's not on the domain it couldn't resolve gMSA accounts.

To fix this, on a hunch, I removed the guest interaction proxy from veeam which was setup using DNS and re-added it using only it's LAN IP address. Then everything started working and it didn't matter what account was used to install the guest interaction proxy.

It seems testing of credentials in veeam is not the same as running the backup job. But there is still a weird thing where using domain admin to install the proxy covers up the 'problem'.

Hopefully this helps someone else.
Gostev
Chief Product Officer
Posts: 32759
Liked: 7967 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: gMSA w/ non-domain Veeam server question

Post by Gostev »

It's not DNS.
There is a no way it's DNS.
It was DNS.
Post Reply

Who is online

Users browsing this forum: Google [Bot], ncapponi, Semrush [Bot] and 32 guests