Backup failing due to UAC?

Re: Backup failing due to UAC?

by tsightler » Mon Aug 06, 2012 4:19 pm

Rik wrote: In another post I read something about manually installing a Veeam Proxy Agent. Could this work? If so, how do I install this thing?

No, this is only for installing the Veeam Installer and Transport agent services, it has nothing to do with VMs that are being backed up.
tsightler
Veeam Software
 
Posts: 4737
Liked: 1728 times
Joined: Fri Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

Re: Backup failing due to UAC?

by tsightler » Mon Aug 06, 2012 4:27 pm

You can use VMware tools quiescence, instead of Veeam application aware processing. Assuming you are using recent VMware tools this will work and will provide application consistency, although not at the level that Veeam AAP can provide.

Unfortunately the issue that you are seeing is not something that is easy to overcome since it is simply the way that UAC works. With a direct network connection it works because UAC is not enforced on network connections; however, when using "connectionless" mode we are leveraging the VIX API to connect locally to the host. In this case UAC will block any attempts to escalate except for the "built-in" administrator. With UAC, local connections attempting to perform administrative tasks require interactive approval to escalate privileges.

"Security" is all about having balance. You have to decide if having such strict "security" is better than having slightly less than ideal backups (note that VSS isn't required for taking a backup, your backups will be "crash consistent" even without them which is likely all you need in 99% of cases, and if you use recent VMware tools and VMware tools quiescence then you will still have consistent backups). However, it could be argued that not having a 100% consistent backup isn't very good "security" either.

Of course, you may point out that other products that leverage agents can provide backups without this restriction, but that's not really a fair comparison. These agents generally run as a service with privileged status, and then provide an open connection to the world on which the backup server connects, in many cases providing their own, quite weak, authentication. One of the most common methods used by penetration testers is the compromise of these "agents" that are deployed on servers.

Re: Backup failing due to UAC?

by dellock6 » Mon Aug 06, 2012 9:53 pm

Oh Tom, your post reminds me of my past activities in the security field, when I was actually using for real my CISSP certification :)

Well, the issue is basically that security means different things. You can have Confidentiality, Integrity, or Availability (known as the CIA triad). You can't have all of them at the highest level at the same time, so you need to evaluate what is more important for you. Often in backups, integrity is the first goal (be sure your data are the same as you saved them, when you restore them), but then you choose between availability and confidentiality. Encrypted backups are the best example: do you prefer to be fast on restores (availability) or be sure only authorized people can restore data?
Everything in a design exercise is about balancing and choosing options...

Luca.
Luca Dell'Oca
EMEA Cloud Architect @ Veeam Software

@dellock6
http://www.virtualtothecore.com
vExpert 2011-2012-2013-2014-2015-2016
Veeam VMCE #1
dellock6
Veeam Software
 
Posts: 4983
Liked: 1307 times
Joined: Sun Jul 26, 2009 3:39 pm
Location: Varese, Italy
Full Name: Luca Dell'Oca

Application Aware Backup of 2008 R2 Domain Controller

by brupnick » Wed Aug 22, 2012 4:07 pm

[merged]

Good afternoon-

I'm having trouble running an application aware backup of my Windows Server 2008 R2 domain controller. The error that I'm receiving is:
Failed to prepare guest for hot backup. Error: Failed to connect to guest agent. Errors: 'Cannot connect to the host's administrative share. Host: [A.B.50.50]. Account: [DOMAIN\domainadmin]. Win32 error:The network name cannot be found. Code: 67 '

There are firewalls between my VBR server and these two DCs, so RPC fails. This is the case with all VMs in my environment, but the failover to VIX works everywhere else.

As far as I can tell, this issue is related to UAC. If I disable UAC on my DC, the backup is successful. If UAC is anything but disabled, it fails. Disabling UAC is not an option, so are there any ways to get around this? Has anyone else experienced this issue? My support ticket is ID#5210282.

Thanks in advance,
Brian
brupnick
Expert
 
Posts: 196
Liked: 13 times
Joined: Sat Feb 05, 2011 5:09 pm
Location: New York, USA
Full Name: Brian Rupnick

Re: Application Aware Backup of 2008 R2 Domain Controller

by chrisdearden » Wed Aug 22, 2012 4:15 pm

Try using the actual administrator account for the application aware permissions (it has some hard-coded bypass for UAC).
chrisdearden
Expert
 
Posts: 1529
Liked: 225 times
Joined: Wed Jul 21, 2010 9:47 am
Full Name: Chris Dearden

Re: Application Aware Backup of 2008 R2 Domain Controller

by brupnick » Wed Aug 22, 2012 4:17 pm

Please correct me if I'm wrong, but because it's a DC, there are no local accounts to use. On my non-DC 2008 R2 machines, using a local admin rather than a domain admin was the fix.

Re: Backup failing due to UAC?

by Vitaliy S. » Thu Aug 23, 2012 10:03 am

Hi Brian,

Yes, you're right, there are no local accounts to use, but what account are you using to back up your DC VM? Is it a default domain administrator?

Thanks!
Vitaliy S.
Veeam Software
 
Posts: 19450
Liked: 1092 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: Backup failing due to UAC?

by brupnick » Thu Aug 23, 2012 11:36 am

Good morning Vitaliy-

Could you please clarify what you mean by a "default domain administrator?" As opposed to a...?

Thanks!
Brian

Re: Backup failing due to UAC?

by foggy » Thu Aug 23, 2012 1:14 pm

Built-in vs the one that is created manually and made a member of the Domain Admins group.
foggy
Veeam Software
 
Posts: 14560
Liked: 1060 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Backup failing due to UAC?

by Gostev » Thu Aug 23, 2012 1:22 pm

DOMAIN\Administrator account
Gostev
Veeam Software
 
Posts: 21354
Liked: 2333 times
Joined: Sun Jan 01, 2006 1:01 am
Full Name: Anton Gostev

Re: Backup failing due to UAC?

by brupnick » Thu Aug 23, 2012 1:28 pm

For security purposes, we rename all of our administrator accounts, both local and domain. Is there a way for me to know if one of my renamed accounts was at one point the built-in?

Re: Backup failing due to UAC?

by Gostev » Thu Aug 23, 2012 1:34 pm

The account you are looking for will have a well-known SID.

Re: Backup failing due to UAC?

by dellock6 » Thu Aug 23, 2012 3:09 pm

SID: S-1-5-21domain-500.

You can check all the well-known SIDs here:
http://support.microsoft.com/kb/243330/en-us

Re: Backup failing due to UAC?

by brupnick » Thu Aug 23, 2012 3:33 pm

That's very interesting. The account that I'm using does not end in -500, so it is not the default domain administrator account. The account that does end in -500 has been disabled and replaced with a new account (the one that I'm trying to use).

Re: Backup failing due to UAC?

by Vitaliy S. » Thu Aug 23, 2012 6:14 pm

Seems like we've nailed it, you should be using the account which ends in -500 to bypass the UAC built-in policies.
Vitaliy S.
Veeam Software
 
Posts: 19450
Liked: 1092 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
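
The check the thread converges on, as an added example that is not part of the original posts or Veeam's own tooling: resolve the backup credential to its SID, compare it with the domain's RID 500 account (which keeps that SID even after a rename), and read the guest's UAC policy values. `CONTOSO\backupadmin` is a placeholder account name, and the script is assumed to run on the guest being backed up.

```powershell
# Added example. 'CONTOSO\backupadmin' is a placeholder; pass the real
# credential used for application-aware processing.
param([string]$Account = 'CONTOSO\backupadmin')

# Resolve the credential to its SID. Renaming an account never changes its SID.
$nt  = New-Object System.Security.Principal.NTAccount -ArgumentList $Account
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])

if ($null -eq $sid.AccountDomainSid) {
    throw "$Account ($($sid.Value)) is not a domain or machine account SID."
}

# Build the built-in Administrator SID for the same domain (RID 500) and
# translate it back to whatever name that account carries today.
$wellKnown  = [System.Security.Principal.WellKnownSidType]::AccountAdministratorSid
$builtinSid = New-Object System.Security.Principal.SecurityIdentifier `
                  -ArgumentList $wellKnown, $sid.AccountDomainSid
$builtinName = $builtinSid.Translate([System.Security.Principal.NTAccount]).Value

# UAC policy on this machine. EnableLUA = 1 means UAC is on.
# FilterAdministratorToken = 1 puts the built-in Administrator under
# Admin Approval Mode as well; the value is absent (treated as 0) by default.
$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy     = Get-ItemProperty -Path $policyPath

[pscustomobject]@{
    Account                 = $Account
    AccountSid              = $sid.Value
    IsBuiltinAdministrator  = $sid.Equals($builtinSid)
    BuiltinAdministratorSid = $builtinSid.Value
    BuiltinAdministratorNow = $builtinName
    UacEnabled              = [bool]$policy.EnableLUA
    BuiltinAdminFiltered    = [bool]$policy.FilterAdministratorToken
}
```

If `IsBuiltinAdministrator` is false while `UacEnabled` is true, the credential is an ordinary member of the administrators group and its token is filtered on local (VIX) connections, which matches the failure described above.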
