Host-based backup of VMware vSphere VMs.
Backup.Operator
Expert
Posts: 117
Liked: 7 times
Joined: Oct 31, 2022 11:39 pm
Full Name: Backup Administrator

Veeam Backup service account requirements

Post by Backup.Operator »

After reading this blog: https://community.veeam.com/blogs-and-p ... eness-9406 it looks like the Veeam backup infrastructure can now be migrated to Linux appliances with PostgreSQL DB and Linux VMs for the Backup proxy.

Since the Linux appliances and the virtual machines are not joined to Active Directory as member servers, I am wondering what the requirements are for all of the service accounts. Additionally, I have on-premises Hyper-V and VMware that need to back up to the physical Linux Veeam Immutable Repository server.

Please share some thoughts and the AD service accounts I must create and their privileges as well.
vnikiforov
Product Manager
Posts: 29
Liked: 8 times
Joined: Aug 17, 2022 5:03 am
Full Name: Vladimir Nikiforov
Location: Romania

Re: Veeam Backup service account requirements

Post by vnikiforov »

Hello,

Backup Proxies can be Linux and not domain-joined for quite some time.

Regarding the required Service Account Permissions, these permissions for each scenario or application are documented in Help Center: Permissions V13

We also have a dedicated vSphere permission guide, if granular vSphere permissions are required: Vsphere V13

The same goes for Restore Permissions.
Each Explorer requires a user account with different permissions: Explorers V13

Something to keep in mind: If you want to use Veeam Software Appliance (Rocky Linux based image), it comes with some Kerberos limitations/considerations. As an example, protecting VMs on a Hyper-V Cluster requires a domain-joined backup server. Hyper-V Clusters do not support Deployment Kit yet: Before you begin
---
BR,
Vladimir
Veeam Software

Re: Veeam Backup service account requirements

Post by Backup.Operator »

Thank you, @vnikiforov,

I have a multi-hypervisor environment (Hyper-V and VMware), with most of the VMs being Windows-based, running the typical Active Directory, SQL Server, Exchange Server and file servers, backing up to the Hardened Repo as a physical server.

I guess for this purpose, the migration to all Veeam Linux-based infrastructure can still be done, but with the additional steps, like below:
[For Linux-based backup servers] Both the Hyper-V nodes and the backup server must be joined to the same Active Directory domain. If they are not joined to the same Active Directory domain, additional manual configuration of the krb5.conf file is required.
As for the Windows AD-based service account, which Veeam services support using gMSA?
I will create the rest of the traditional AD Users with complex passwords, rotated daily using 3rd-party software.

Re: Veeam Backup service account requirements

Post by vnikiforov »

Hello,

You can use gMSAs to only run guest processing tasks.
The VBR service account, proxy connections, hypervisor credentials, and repository accounts cannot use gMSA.
Reference: gMSA usage
Make sure to review the Requirements and Limitations section in that article.

For image-level backups or replicas, using a gMSA is supported for VMs that run Microsoft Active Directory (domain controllers), Microsoft Exchange, Microsoft SQL Server, and Oracle 12c Release 2 and later. You cannot back up or replicate VMs that run Microsoft SharePoint with the gMSA.

For Veeam Agent backups, using a gMSA is supported only in backup jobs managed by the backup server, and only for Microsoft SQL Server and scripts processing.
---
BR,
Vladimir
Veeam Software