Comprehensive data protection for all workloads
Post Reply
grizo
Novice
Posts: 3
Liked: never
Joined: Mar 12, 2010 7:44 pm
Full Name: Gary Rizo
Contact:

Active Directory and Veeam VSS

Post by grizo » Apr 15, 2010 8:51 pm

Have several Windows 2003 AD servers and wanted to backup with Veeam VSS. Anyone have any ideas on the files that Veeam VSS access to quiescence the AD database so I can modify permission to using a process account? I realize the simple way would be to run Veeam under a Domain Admin account but that's not possible in our environment.

Gostev
SVP, Product Management
Posts: 25794
Liked: 3969 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Active Directory and Veeam VSS

Post by Gostev » Apr 15, 2010 9:12 pm

Hi Gary, unfortunately Veeam VSS requires Local Administrator privileges on the processed VM. Generally speaking, VSS quiescence is not just about accessing certain files. What happens instead, is system-wide freeze that affects actual OS and all VSS-aware applications.

grizo
Novice
Posts: 3
Liked: never
Joined: Mar 12, 2010 7:44 pm
Full Name: Gary Rizo
Contact:

Re: Active Directory and Veeam VSS

Post by grizo » Apr 15, 2010 9:17 pm

Yes but domain controllers don't allow local administrators which limits us to using Domain Admin accounts. So our only option is to create a process account and grant that process account domain admin rights. I was hoping that we would be able to narrow in the OS files requiring admin rights for VSS quiescence and grant rights to a non Domain Admin process account.

jyarborough
Veeam ProPartner
Posts: 31
Liked: never
Joined: Apr 03, 2010 2:23 am
Full Name: John Yarborough
Contact:

Re: Active Directory and Veeam VSS

Post by jyarborough » Apr 20, 2010 2:30 pm

You could create a user that is "Domain Admin" level and then in the user object define that it can only logon to specified computers. Or you could enable a domain-wide group policy that adds that user to the "Deny logon locally" computer policy for all servers not being backed up by Veeam. Granted, this would not prevent someone from logging with that user account and modifying its own permissions so depending on how paranoid you really are ( :D ) you might also need to set up some security on that user object/group policy to prevent the from modifying it.

Deny logon locally - http://www.microsoft.com/resources/docu ... x?mfr=true

vbussiro
Enthusiast
Posts: 64
Liked: never
Joined: Feb 18, 2009 10:05 pm
Contact:

Re: Active Directory and Veeam VSS

Post by vbussiro » Apr 21, 2010 9:58 pm

grizo wrote:Yes but domain controllers don't allow local administrators which limits us to using Domain Admin accounts. So our only option is to create a process account and grant that process account domain admin rights. I was hoping that we would be able to narrow in the OS files requiring admin rights for VSS quiescence and grant rights to a non Domain Admin process account.
Maybe you could use a member of "builtin\administrators", which isn't domain admin but "local domain admin" (don't know right term) ? May also give a try to a "server operator" perhaps ?

albertwt
Expert
Posts: 664
Liked: 21 times
Joined: Nov 05, 2009 12:24 pm
Location: Sydney, NSW
Contact:

Re: Active Directory and Veeam VSS

Post by albertwt » Apr 26, 2010 11:26 am

ok, what I'm doing now is to deploy VM from template which use same local admin credentials, therefore i can specify the local\administrator credentials for all of my Windows Server 2003 VM.
--
/* Veeam software enthusiast user & supporter ! */

Post Reply

Who is online

Users browsing this forum: Google [Bot], syscons, tmattprice and 55 guests