I'm designing a secure Veeam B&R v13 infrastructure with a dedicated Backup domain and struggling to find anyone who has tested a specific gMSA configuration. Looking for real-world feedback.
My setup:
- Dedicated Backup Domain (backup.lan) hosting all Veeam components: Backup Server, Proxy, GIP, Repository, Mount Server
- Production Domain (prod.lan) hosting vCenter, ESXi, and all VMs
- One-way trust: PROD trusts BACKUP (BACKUP accounts can authenticate against PROD resources via Kerberos)
- Goal: Kerberos only, no NTLM, gMSA for all service accounts
Instead of creating the gMSA in the Production domain (which is what every official guide recommends), I want to:
- Create the gMSA in the Backup domain (backup.lan)
- Add the GIP machine account (GIP$@backup.lan) to PrincipalsAllowedToRetrieveManagedPassword
- Keep the GIP in the Backup domain — it retrieves its own gMSA from its own KDC natively
- The GIP then authenticates against Production VMs using that gMSA, leveraging the one-way trust (PROD trusts BACKUP → Production VMs should accept Kerberos tickets issued for BACKUP accounts)
- Add the gMSA to the local Administrators group on Production VMs
- The trust direction (PROD → BACKUP) means Production VMs accept authentication from BACKUP accounts
- The GIP is in BACKUP, so it can retrieve the gMSA password from its own KDC without any cross-domain complexity
- The gMSA then presents a valid Kerberos ticket (trusted by PROD) to the guest VM
- No Veeam component ever needs to join the Production domain
Veeam's helpcenter states: "the GIP must be joined to the domain where the gMSA was created" — which would be satisfied here since both GIP and gMSA are in BACKUP.
However, the same doc also states: "both the GIP and the target machine must be in the same domain" — which would NOT be satisfied, since the target VMs are in PROD.
HannesK confirmed after QA testing in a previous thread that "the GIP has to be in the production domain" for gMSA guest processing, but this was in the context of a gMSA created in PROD. It's unclear whether the same conclusion applies when the gMSA is created in BACKUP and the trust goes the right direction.
My actual questions:
- Has anyone tested this exact scenario (gMSA in BACKUP domain, GIP in BACKUP domain, VMs in PROD domain, PROD trusts BACKUP)?
- At what step does it fail, if it does? Password retrieval by the GIP? Veeam credential validation? SMB/RPC connection to the guest VM? Token creation on the guest?
- Is the "same domain" requirement a hard OS/Kerberos constraint, or a Veeam software limitation?
Thanks in advance — couldn't find a single person who tested this specific combination anywhere online.