-
- Novice
- Posts: 3
- Liked: never
- Joined: Mar 12, 2010 7:44 pm
- Full Name: Gary Rizo
- Contact:
Active Directory and Veeam VSS
Have several Windows 2003 AD servers and wanted to back up with Veeam VSS. Anyone have any ideas on the files that Veeam VSS accesses to quiesce the AD database so I can modify permissions to use a process account? I realize the simple way would be to run Veeam under a Domain Admin account but that's not possible in our environment.
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Active Directory and Veeam VSS
Hi Gary, unfortunately Veeam VSS requires Local Administrator privileges on the processed VM. Generally speaking, VSS quiescence is not just about accessing certain files. What happens instead is a system-wide freeze that affects the actual OS and all VSS-aware applications.
-
- Novice
- Posts: 3
- Liked: never
- Joined: Mar 12, 2010 7:44 pm
- Full Name: Gary Rizo
- Contact:
Re: Active Directory and Veeam VSS
Yes but domain controllers don't allow local administrators which limits us to using Domain Admin accounts. So our only option is to create a process account and grant that process account domain admin rights. I was hoping that we would be able to narrow in the OS files requiring admin rights for VSS quiescence and grant rights to a non Domain Admin process account.
-
- Veeam ProPartner
- Posts: 31
- Liked: never
- Joined: Apr 03, 2010 2:23 am
- Full Name: John Yarborough
- Contact:
Re: Active Directory and Veeam VSS
You could create a user that is "Domain Admin" level and then in the user object define that it can only log on to specified computers. Or you could enable a domain-wide group policy that adds that user to the "Deny logon locally" computer policy for all servers not being backed up by Veeam. Granted, this would not prevent someone from logging in with that user account and modifying its own permissions, so depending on how paranoid you really are you might also need to set up some security on that user object/group policy to prevent them from modifying it.
Deny logon locally - http://www.microsoft.com/resources/docu ... x?mfr=true
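Added example (not part of the original posts and not Veeam's own tooling): one way to apply the "log on to specified computers" restriction suggested above and to detect later changes to it, using the ActiveDirectory PowerShell module. The account name svc-veeam and the computer names DC01 and DC02 are hypothetical, and the module is assumed to be available on a management host that can reach the domain.

```powershell
# Added example. Account and computer names are hypothetical placeholders.
Import-Module ActiveDirectory

$BackupAccount = 'svc-veeam'          # hypothetical backup process account
$AllowedHosts  = @('DC01', 'DC02')    # hypothetical: computers the account may log on to

# Apply the "Log On To" restriction. LogonWorkstations is stored as one
# comma-separated string of computer names.
function Set-BackupAccountRestriction {
    Set-ADUser -Identity $BackupAccount -LogonWorkstations ($AllowedHosts -join ',')
}

# Compare the stored restriction with the expected list. A non-empty result
# means the attribute was cleared or edited after it was set, which is the
# self-modification risk raised in the post above.
function Test-BackupAccountRestriction {
    $user    = Get-ADUser -Identity $BackupAccount -Properties LogonWorkstations
    $current = @()
    if (-not [string]::IsNullOrEmpty($user.LogonWorkstations)) {
        $current = $user.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() }
    }
    if ($current.Count -eq 0) {
        # No restriction at all: the account can log on anywhere.
        return [pscustomobject]@{ Host = '*'; Status = 'NoRestriction' }
    }
    Compare-Object -ReferenceObject $AllowedHosts -DifferenceObject $current |
        ForEach-Object {
            [pscustomobject]@{
                Host   = $_.InputObject
                Status = if ($_.SideIndicator -eq '=>') { 'UnexpectedlyAllowed' }
                         else { 'MissingFromAccount' }
            }
        }
}

# List every user in Domain Admins (nested groups included) that has no
# workstation restriction, so unrestricted admin accounts stand out.
function Get-UnrestrictedDomainAdmin {
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LogonWorkstations |
        Where-Object { [string]::IsNullOrEmpty($_.LogonWorkstations) } |
        Select-Object SamAccountName, DistinguishedName
}

Set-BackupAccountRestriction
Test-BackupAccountRestriction      # empty output = restriction matches the expected list
Get-UnrestrictedDomainAdmin
```

Running Test-BackupAccountRestriction on a schedule and alerting on any output turns the one-time setting into a drift check.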
-
- Enthusiast
- Posts: 73
- Liked: 6 times
- Joined: Feb 18, 2009 10:05 pm
- Contact:
Re: Active Directory and Veeam VSS
grizo wrote: Yes but domain controllers don't allow local administrators which limits us to using Domain Admin accounts. So our only option is to create a process account and grant that process account domain admin rights. I was hoping that we would be able to narrow in the OS files requiring admin rights for VSS quiescence and grant rights to a non Domain Admin process account.
Maybe you could use a member of "builtin\administrators", which isn't domain admin but "local domain admin" (don't know the right term)? Maybe also give "server operator" a try, perhaps?
-
- Veteran
- Posts: 942
- Liked: 53 times
- Joined: Nov 05, 2009 12:24 pm
- Location: Sydney, NSW
- Contact:
Re: Active Directory and Veeam VSS
OK, what I'm doing now is deploying VMs from a template which uses the same local admin credentials, therefore I can specify the local\administrator credentials for all of my Windows Server 2003 VMs.
--
/* Veeam software enthusiast user & supporter ! */