-
- Enthusiast
- Posts: 27
- Liked: 11 times
- Joined: Apr 21, 2015 12:10 pm
- Contact:
Windows Agent with Failover Cluster Support
I'm looking for some help with deploying and configuring Windows Agent backup for a 2-node Windows Failover Cluster. I have read several guides and we are still struggling to get this set up. We have already had a fight with the required firewall ports not being complete on the guide (you have to read a combination of about 4 different port lists to cover everything).
This guide here (https://helpcenter.veeam.com/docs/backu ... tml?ver=95) states that to support backing up a Windows Failover Cluster I need to add the Active Directory Object for the Cluster (presumably the Cluster Computer Account) to a Protection Group. However, the level of access required is DOMAIN\Administrator group access! Can anyone explain in a bit of detail why this level of access is required? As a security conscious organisation I'm sure Veeam can appreciate that we obviously want to use a theory of least required access and that giving out Domain Administrator access to 3rd party service accounts is nowhere near in line with that. Surely this level of access isn't actually required? It is just lazy programming?
When we asked the Veeam engineer on our case about this he said that we could add in via CSV file if we prefer, however this contradicts the above guide. When we initially tried adding the two nodes for the cluster as individual computers it didn't appear to recognise any cluster so I assume this is not supported for backing up a failover cluster and this engineer is mistaken?
We were hoping Veeam were going to have made it nice and easy to use this great new feature but so far it has been very painful and the guides are not very useful at all.
-
- Product Manager
- Posts: 14720
- Liked: 1705 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Windows Agent with Failover Cluster Support
Hi glamic26
glamic26 wrote: to support backing up a Windows Failover Cluster I need to add the Active Directory Object for the Cluster
Correct. Only Active Directory Protection Groups will work with cluster account.
glamic26 wrote: However, the level of access required is DOMAIN\Administrator group access!
Domain admin can be used but it's not required. To rescan Active Directory you can use any user account with access to AD (Active Directory step of the wizard). To deploy and manage the agent on a cluster node you must provide an account which is a part of the local admin group on a host you are willing to protect (credentials step).
glamic26 wrote: we could add in via CSV file
It's not possible. CSV protection group won't recognize cluster account.
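The account split described in the reply above (AD read access for the rescan, local administrator on each protected node for deployment) can be checked before running the wizard. This is an added example, not part of the original thread and not Veeam's own tooling; the cluster name and account are placeholders, checking `Domain Admins` and the built-in `Administrators` group is an assumption about what "domain admin" covers, and it assumes the FailoverClusters and ActiveDirectory RSAT modules plus WinRM access to the nodes.

```powershell
# Added example: confirm a backup service account is local admin on every
# cluster node without holding domain-wide administrative rights.
param(
    [string]$ClusterName = 'CLUSTER01',          # placeholder cluster name
    [string]$Account     = 'CONTOSO\svc-backup'  # placeholder service account
)

Import-Module FailoverClusters, ActiveDirectory

$sam = $Account.Split('\')[-1]

# 1. Least privilege: flag the account if it sits (directly or via nesting)
#    in a domain-wide admin group. Group names are assumptions, see lead-in.
$domainAdminGroups = foreach ($group in 'Domain Admins', 'Administrators') {
    $hit = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object SamAccountName -eq $sam
    if ($hit) { $group }
}

# 2. Deployment requirement: the account must be a local administrator on
#    each node. S-1-5-32-544 is the well-known SID of the local
#    Administrators group, so this also works on non-English systems.
$nodes = foreach ($node in Get-ClusterNode -Cluster $ClusterName) {
    $members = Invoke-Command -ComputerName $node.Name -ScriptBlock {
        (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
    }
    [pscustomobject]@{
        Node       = $node.Name
        State      = $node.State
        # Direct membership only: access granted through a nested domain
        # group will show as False here and needs a manual check.
        LocalAdmin = $members -contains $Account
    }
}

[pscustomobject]@{
    Account           = $Account
    DomainAdminGroups = @($domainAdminGroups) -join ', '
    NodesMissingAdmin = @($nodes | Where-Object { -not $_.LocalAdmin }).Node -join ', '
}
$nodes | Format-Table -AutoSize
```

An empty `DomainAdminGroups` together with an empty `NodesMissingAdmin` matches the arrangement described in the reply: no domain-wide rights, local administrator on each node.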
-
- Enthusiast
- Posts: 27
- Liked: 11 times
- Joined: Apr 21, 2015 12:10 pm
- Contact:
Re: Windows Agent with Failover Cluster Support
Dima P. wrote: Domain admin can be used but it's not required. To rescan active directory you can use any user account with access to AD (Active Directory step of the wizard). To deploy and managed agent on a cluster node you must provide an account which is a part local admin group on a host you are willing to protect (credentials step).
So the Line C from this guide is incorrect https://helpcenter.veeam.com/docs/backu ... tml?ver=95?
"c. From the Account list, select a user account that is a member of the DOMAIN\Administrators group."
Thanks for the reply, we'll try with a standard user account with access to AD with no further elevated permissions. If this is correct then the guide may need updating to reflect this.
-
- Service Provider
- Posts: 158
- Liked: 9 times
- Joined: Dec 05, 2014 2:13 pm
- Full Name: Iain Green
- Contact:
Re: Windows Agent with Failover Cluster Support
We are still failing to be able to process the cluster within the protection group.
23/02/2018 10:30:09 Error Unable to install backup agent: cannot connect to <Cluster Name> Error: Failed to connect to failover cluster <Cluster Name>
If we add the nodes in we can install the agents, however we are unable to create a fail over backup. If we add the AD object for the cluster, we just get the above message.
As far as we can tell all Firewall ports are in (as my colleague mentioned there were several lists). We have amended the permissions on the account.
Many thanks
Iain Green
-
- Product Manager
- Posts: 14720
- Liked: 1705 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Windows Agent with Failover Cluster Support
Iain,
Did you specify the local admin account at the credentials step of the wizard for your cluster? By default, it's using the account from the Active Directory step.
-
- Service Provider
- Posts: 158
- Liked: 9 times
- Joined: Dec 05, 2014 2:13 pm
- Full Name: Iain Green
- Contact:
Re: Windows Agent with Failover Cluster Support
Hi,
Yep account all sorted.
Engineer believes the issue is FW related Case # 02620870
Logging to be enabled and deployments tested again.
Many thanks
Iain Green