Agent-based backup of Windows, Linux, Mac, AIX and Solaris machines.
sentilop3t
Novice
Posts: 3
Liked: 1 time
Joined: Jun 13, 2024 1:52 pm

Active Directory Backup using adminAccount in Protected Users

Post by sentilop3t »

Hello,

We are using Veeam Backup & Replication Enterprise v12. The Veeam Backup is a physical server and is not joined to our AD domain.
It is not joined because we do not want to remediate this server in case there is ransomware.

It is isolated on a specific VLAN and with L7 firewall rules.

The Active Directory tiering model is applied, which means only T0 Admins should be able to do admin operations (backup).
T0 Admins are members of the Protected Users group.

With all of these security features, we still need to use the Built-In Administrator to back up the domain controllers.
As the Veeam Backup Server is in WORKGROUP, it can only use NTLM auth, but we need/intend to remove NTLM usage in our infrastructure.

What do you recommend in this case if we cannot use NTLM auth (NTLM restriction) nor Kerberos (because not AD joined)?
Mildur
Product Manager
Posts: 10086
Liked: 2688 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: Active Directory Backup using adminAccount in Protected Users

Post by Mildur »

Hi Sentilop3t

Use gMSA accounts together with a guest interaction proxy which is joined to the same domain as your AD controller. The guest interaction proxy can be added to the backup server with only local admin permissions. Then use the gMSA account in the guest processing settings for your Active Directory controller: https://helpcenter.veeam.com/docs/backu ... ml?ver=120

Or use Veeam Agent with protection group type "Computers with pre-installed backup agents". With it you don't need to store any credentials on the backup server.

Best,
Fabian
Product Management Analyst @ Veeam Software
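
The gMSA setup suggested in the reply above, sketched in PowerShell as an added example that is not part of the original posts or of Veeam's documentation. The account, group, host and domain names are placeholders, and the Administrators membership in step 4 is an assumption about the rights guest processing needs on a domain controller.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Run steps 1-5 as a Tier 0 admin on a domain-joined admin host.
# All names below are hypothetical placeholders.
$GmsaName  = 'gmsa-veeam'                 # gMSA used in the guest processing settings
$GroupName = 'VeeamGmsaHosts'             # hosts allowed to retrieve the managed password
$Hosts     = 'GIP01$', 'DC01$'            # guest interaction proxy and DC computer accounts
$DnsName   = "$GmsaName.corp.example"

# 1. gMSAs depend on a KDS root key; create one only if the forest has none.
#    A new key becomes usable only after a 10-hour replication safety delay.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Limit password retrieval to the proxy and the protected DC, not all domain computers.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $GroupName -Members $Hosts

# 3. Create the gMSA with AES-only Kerberos keys. It has no typed password,
#    so there is no credential to store on the workgroup backup server.
New-ADServiceAccount -Name $GmsaName -DNSHostName $DnsName `
    -PrincipalsAllowedToRetrieveManagedPassword $GroupName `
    -KerberosEncryptionType AES128, AES256

# 4. Assumption: guest processing needs administrative rights on the DC, which for
#    a domain controller means the domain's built-in Administrators group.
#    Treat the gMSA as a Tier 0 identity from this point on.
Add-ADGroupMember -Identity 'Administrators' -Members (Get-ADServiceAccount -Identity $GmsaName)

# 5. Review who can read the password and which groups the account is in.
Get-ADServiceAccount -Identity $GmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, MemberOf |
    Format-List Name, PrincipalsAllowedToRetrieveManagedPassword, MemberOf

# 6. On EACH host in $Hosts, after a reboot so the computer account picks up
#    its new group membership, install the account and confirm retrieval works:
#      Install-ADServiceAccount -Identity 'gmsa-veeam'
#      Test-ADServiceAccount    -Identity 'gmsa-veeam'
```

Any computer account added to the retrieval group can obtain the gMSA password, so membership of that group deserves the same change control and monitoring as the Tier 0 admin groups.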
sentilop3t

Re: Active Directory Backup using adminAccount in Protected Users

Post by sentilop3t »

Hello Fabian,

I will try this solution; it seems the best one.
But one of the prerequisites is problematic:

Veeam Explorers do not support data recovery using gMSAs.

We are using the Veeam Explorers to restore specific objects that are deleted. The AD Bin can do the same but has a retention time of 6 months.

Should I just extend the retention time, and then accept the fact that we will not have the Veeam Explorers feature for our domain controllers?

Thank you
PetrM
Veeam Software
Posts: 3694
Liked: 620 times
Joined: Aug 28, 2013 8:23 am
Full Name: Petr Makarov
Location: Prague, Czech Republic

Re: Active Directory Backup using adminAccount in Protected Users

Post by PetrM » 1 person likes this post

Hello,

I think you should extend the retention time. By the way, support of gMSA by Veeam Explorers is on our road map, but there is no ETA info yet.

Thanks!
sentilop3t

Re: Active Directory Backup using adminAccount in Protected Users

Post by sentilop3t » 1 person likes this post

Alright, thanks for the info!