-
- Novice
- Posts: 3
- Liked: 1 time
- Joined: Jun 13, 2024 1:52 pm
- Contact:
Active Directory Backup using adminAccount in Protected Users
Hello,
We are using Veeam Backup & Replication Enterprise v12; the Veeam Backup server is a physical server and is not joined to our AD domain.
It is not joined because we do not want to remediate this server in case there is ransomware.
It is isolated on a specific VLAN and with L7 firewall rules.
The Active Directory Tiering model is applied, which means only T0 Admins should be able to do Admin operations (backup).
T0 Admins are members of the Protected Users group.
With all of these security features, we still need to use the Built-In Administrator to back up the domain controllers.
As the Veeam Backup Server is in WORKGROUP, it can only use NTLM auth, but we need/intend to remove NTLM usage in our infrastructure.
What do you recommend in this case if we cannot use NTLM auth (NTLM restriction) nor Kerberos (because not AD joined)?
-
- Product Manager
- Posts: 10086
- Liked: 2688 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Active Directory Backup using adminAccount in Protected Users
Hi Sentilop3t
Use gMSA accounts together with a guest interaction proxy which is joined to the same domain as your AD controller. The guest interaction proxy can be added to the backup server with only local admin permissions. Then use the gMSA account in the guest processing settings for your Active Directory controller: https://helpcenter.veeam.com/docs/backu ... ml?ver=120
Or use Veeam Agent with protection group type "Computers with pre-installed backup agents". With it you don't need to store any credentials on the backup server.
Best,
Fabian
Product Management Analyst @ Veeam Software
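An added example (not part of the original posts and not Veeam's own code) of provisioning the gMSA suggested above on the Active Directory side, so that only the guest interaction proxy and the domain controllers can retrieve its password. The names `svc-veeam-gmsa`, `VeeamGmsaHosts` and `GIP01` are hypothetical placeholders, and the rights the gMSA needs on the domain controllers are not covered here.

```powershell
# Added example: run once as a Tier 0 admin on a host with the RSAT ActiveDirectory module.
# All object names are placeholders, not values from this thread.
Import-Module ActiveDirectory

$GmsaName   = 'svc-veeam-gmsa'    # hypothetical gMSA name
$GroupName  = 'VeeamGmsaHosts'    # hypothetical group allowed to read the managed password
$ProxyHost  = 'GIP01'             # hypothetical domain-joined guest interaction proxy
$DomainFqdn = (Get-ADDomain).DNSRoot

# gMSAs depend on a KDS root key in the forest; create one only if none exists.
# Domain controllers wait about 10 hours before a new key can be used.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

# Computer accounts that may retrieve the password: the proxy plus every DC to be processed.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
$members  = @(Get-ADComputer -Identity $ProxyHost)
$members += Get-ADDomainController -Filter * |
    ForEach-Object { Get-ADComputer -Identity $_.ComputerObjectDN }
Add-ADGroupMember -Identity $GroupName -Members $members

# Create the gMSA, restricted to that group and to AES Kerberos keys (no RC4).
New-ADServiceAccount -Name $GmsaName `
    -DNSHostName "$GmsaName.$DomainFqdn" `
    -PrincipalsAllowedToRetrieveManagedPassword $GroupName `
    -KerberosEncryptionType AES128, AES256

# Review who can retrieve the password and which encryption types are allowed.
Get-ADServiceAccount -Identity $GmsaName `
    -Properties 'PrincipalsAllowedToRetrieveManagedPassword', 'msDS-SupportedEncryptionTypes' |
    Format-List 'Name', 'PrincipalsAllowedToRetrieveManagedPassword', 'msDS-SupportedEncryptionTypes'

# On the proxy and on each DC, after a reboot so the computer account picks up
# the new group membership, this should return True:
Test-ADServiceAccount -Identity $GmsaName
```

Any computer in the retrieval group can act as the gMSA, so if the account ends up with administrative rights on domain controllers, the guest interaction proxy should be managed as a Tier 0 asset.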
-
- Novice
- Posts: 3
- Liked: 1 time
- Joined: Jun 13, 2024 1:52 pm
- Contact:
Re: Active Directory Backup using adminAccount in Protected Users
Hello Fabian,
I will try this solution, it seems the best one.
But one of the prerequisites is problematic:
Veeam Explorers do not support data recovery using gMSAs.
We are using the Veeam Explorers to restore specific objects that are deleted. AD Bin can do the same but has a retention time of 6 months.
Should I just extend the retention time, and then accept the fact that we will not have the Veeam Explorers feature for our domain controllers?
Thank you
-
- Veeam Software
- Posts: 3694
- Liked: 620 times
- Joined: Aug 28, 2013 8:23 am
- Full Name: Petr Makarov
- Location: Prague, Czech Republic
- Contact:
Re: Active Directory Backup using adminAccount in Protected Users
Hello,
I think you should extend the retention time. By the way, support of gMSA by Veeam Explorers is on our road map, but there is no ETA info yet.
Thanks!
-
- Novice
- Posts: 3
- Liked: 1 time
- Joined: Jun 13, 2024 1:52 pm
- Contact:
Re: Active Directory Backup using adminAccount in Protected Users
Alright, thanks for the info !