Hello all, I am having some difficulties with a customer trying to get them to understand that the account running the backup jobs requires local administrator rights on the VM guest to allow VEEAM VSS to work. The permission requirements in the user guide don't exactly state this requirement clearly.
I am using VEEAM ver 5.0 for 8 separate sites and I am having to run the actual jobs with my own account for them to complete successfully. The service account provided has been given the rights to install to the backup server and SQL server but the jobs themselves fail as they don't have local admin rights on the individual VM guests at each site. So I am in essence running a workaround to get by. I can't even get the Virtual Centre server added due to perm issues. All backups currently running to local ESXi hosts using root login in the GUI and jobs themselves with my account.
Can anyone point me to an official VEEAM statement or line in the user guide that states it, in case it's just me not reading it correctly or understanding it?
If you want to use the "application-aware image processing" option you need to specify an account with local admin privileges on the VMs being processed. This is stated directly in the UI, and in the User Guide (page 24).
I am trying to document our setup for Veeam on our customers - when I asked our engineers what permissions they give the account that Veeam uses for VSS access to Windows boxes they all said Domain Admins.
I am wondering if there is a more restrictive account you can use for accessing VSS so as not to have to give the Veeam account domain admin rights, which is a very high level permission.
Or can you create an account and then assign VSS permissions to it?
I have a question in regard to the rights the local administrator needs to be able to do application-aware image processing.
I was planning on creating a new admin user, with limited rights so it can only be used to take those backups.
But I'm not able to find anywhere what rights are needed, only that it needs to be a local administrator account.
Does this account need the full admin rights?
Hello
When we are defining a new job and the Enable VSS integration option is selected, does anyone know what kind of privileges the user must have in order for the Veeam VSS agent to work properly?
I mean, I know the documentation says that administrator credentials are required to access the guest OS, but we can't do that for security reasons. Should a Windows Copy Operator profile work?
Customer can create a special Veeam user in AD and add it as a local admin on all VMs that need to be backed up. With a secure password, that is understood. And then enter it once while editing the job, sitting behind your keyboard.
As per the article below, for VSS I need an account with administrative privileges. What account membership can I use that is not domain administrator?
We have just set up a new SharePoint installation, with two front-end app servers and a separate back-end SQL server. We have created a backup job in Veeam 7.0 to take daily backups of the two app servers (the SQL server is backed up using native SQL jobs currently). In the job properties we have ticked the option to "Enable application-aware image processing", and enabled our usual Guest credentials.
Every day when the backup job runs, our SQL monitoring fires alerts showing login failures from the Guest account, trying to connect to the SQL server from each of the app servers (the account currently doesn't have access to SQL).
I assume the application-aware backup process is trying to query SharePoint in some way, and as a result, trying to query SQL. My question is, what permissions do I need to grant, either within SharePoint or directly into SQL Server, in order for this process to work correctly? Also, if this does work, will the backup job attempt to take any kind of backup of the SQL databases? If so, this may interfere with the native backup jobs that are already configured.
FYI, the backup jobs of the two app servers appear to complete successfully, although they both contain this log message:
20/01/2015 18:02:13 :: Failed to inventory guest system: Cannot get host information.
Cannot collect host info.
Microsoft SharePoint farm topology collector process is failed with exit code -1
Win32 error:The operation completed successfully.
Code: 0
Yes, the account in the backup job has local admin rights (it is actually in the domain admins group). However by default in SQL 2012, local admins do not have any permissions to connect to SQL.
jalean wrote: FYI, the backup jobs of the two app servers appear to complete successfully, although they both contain this log message:
Is this displayed in the job summary or have you spotted it in the debug log?
Domain admins is not the same as local admins on the machine, so there could be a difference as well. Can you try a local admin account and run the job?
jalean wrote: Also, if this does work, will the backup job attempt to take any kind of backup of the SQL databases? If so, this may interfere with the native backup jobs that are already configured.
Sorry, missed this question for some reason. Yes, since you've enabled application-aware image processing then VSS writers will be triggered for SQL Server.
The account does have local admin permissions on the server - Domain Admins by default is a member of the local Admins group. It just doesn't have any permissions to connect to SQL.
As an experiment I granted the user sysadmin privileges into SQL last night, and we didn't get the login failure alerts, or the message in the Veeam backup job. However, there was no evidence of it having taken any kind of SQL backup, which is what I would expect - remember the SQL databases are on a separate server, which isn't part of any job in Veeam - only the two app servers are being backed up.
It still appears that the only reason it's connecting to SQL is to try and inventory the SharePoint system as part of the Application-Aware processing on the app servers - it's not actually trying to back up the SQL databases.
We are currently trialling the improved SQL backups in Veeam 8.0 (point-in-time restores etc.) so hopefully we will start using that for the SQL server too soon anyway, at which point I guess we will still need to provide sysadmin access to the user account.
Yes, you were right. When SharePoint VM is backed up, Veeam backup server also establishes connection to the SQL Server hosting SharePoint data, this is required for a proper application-aware backup.
I have just talked to our dev team, and they said that these permissions should be enough:
On the SQL Server instance level:
-Dbcreator
-public
On the database level:
-db_backupoperator
-db_denydatareader
-public
Securables:
-view any definition
-view server state
Just completed upgrade to Patch 2 for several clients. Getting these truncate errors in many places. Is there a walkthrough on setting these SQL permissions? Some of these servers are SharePoint, and some are just SQL 2008.
I went through SQL Management Studio but am not exactly clear what I should do.
You either need to go to security properties (via SQL Management Studio) of the databases and select the granular permissions above or assign administrative permissions to the entire SQL Server instance for the account specified in the application-aware image processing option.
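The granular permissions listed earlier in this thread, written as T-SQL rather than set through Management Studio. This is an added example, not part of the original posts and not Veeam's own script; the account name `CONTOSO\svc-veeam` and the database name `SharePoint_Content` are placeholders to replace with your own.

```sql
-- Added example. Placeholders (not values from this thread):
--   CONTOSO\svc-veeam    Windows account entered in the job's guest credentials
--   SharePoint_Content   one database; repeat the database section per database
USE [master];
GO
-- Create the login for the Windows account if it does not exist yet.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\svc-veeam')
    CREATE LOGIN [CONTOSO\svc-veeam] FROM WINDOWS;
GO
-- Instance level: dbcreator. "public" is implicit for every login.
-- sp_addsrvrolemember works on both SQL Server 2008 and 2012; on 2012 and
-- later the current syntax is ALTER SERVER ROLE [dbcreator] ADD MEMBER ...
EXEC sp_addsrvrolemember N'CONTOSO\svc-veeam', N'dbcreator';
GO
-- Securables: server-scoped permissions from the list.
GRANT VIEW ANY DEFINITION TO [CONTOSO\svc-veeam];
GRANT VIEW SERVER STATE   TO [CONTOSO\svc-veeam];
GO
-- Database level: map the login to a user, then add the two roles.
USE [SharePoint_Content];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\svc-veeam')
    CREATE USER [CONTOSO\svc-veeam] FOR LOGIN [CONTOSO\svc-veeam];
GO
-- sp_addrolemember takes the role first, then the member.
EXEC sp_addrolemember N'db_backupoperator', N'CONTOSO\svc-veeam';
EXEC sp_addrolemember N'db_denydatareader', N'CONTOSO\svc-veeam';
GO
-- Verify: server roles held by the account (sysadmin should not appear).
USE [master];
GO
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = N'CONTOSO\svc-veeam';
-- Verify: explicit server-level grants.
SELECT sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE p.name = N'CONTOSO\svc-veeam';
GO
```

The verification queries list only explicit memberships and grants for that login; rights inherited through Windows group logins (for example a group that holds sysadmin) have to be checked on those group logins separately.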
We happen to be using domain\administrator
We added sysadmin privileges, but that didn’t seem to do anything different
Because this is a SharePoint SQL database, I was hoping that maybe we missed something else