BP for Veeam Access to Server\SQL upon a DC failure

[chris.atwood]

Thanks for ready, looking for some advice and best practices when using Veeam Backup and Replication in regards to the administrator account that Veeam uses to connect to all the VM Servers it is backing up. When Veeam was originally setup it was given the domain admin account to connect to all the servers for hot adds, backups, etc. and there hadn't been any issues.

A few weeks back however, our office had a brief power failure that killed all the servers (we don't have any UPS, but are working on getting them installed now after this issue). Upon trying to bring everything up we found that our SBS 2011 DC was getting stuck at "applying computer settings" and would never reach the login page. After trying a few things to try and get it to come back up we decided to try and restore it from a previous Veeam backup. However, at first my coworker and I were concerned that it wouldn't work back Veeam was using a domain administrator account to do everything it does. Fortunately in our case enough of the services on our DC started that Veeam could authenticate itself and we were able to restore the backup and get the DC to come back online.

However, this scare with the DC failure has lead me to want to see what the best practices are from other people when it comes to the accounts you use with Veeam to have access to your servers or SQL databases. Do you use local admin accounts for each server and setup a local account with access to SQL? Just looking to prevent a potentially major headache in the future.

Thanks

[veremin]

People that have Application Aware Image Processing option enabled typically provide domain admin, indeed.

As to your major concern, I believe that problem can be approached from the different angle, namely, by using domain controller replication. Thus, if something happens with DC, you will have a workable replica at hand.

Thanks.

[chris.atwood]

Thanks for the reply v.Eremin.

I agree with you replication would be the easier and arguably the best course of action to solve this issue. However, at this moment we don't have a server that can handle the replication load (that is top of the list for 2015) so I'm just trying to find some potential proactive things that could be done in the short-term.

Just to make sure as I may not have been clear in my first post, I am referring to the credentials that are used to run the Veeam Services on the Server running Veeam itself, not the credentials that Veeam asked from when you go in to setup a backup job.

Here is a screenshot of the area I am referring to, specifically what the services are using to "Log On As". Some are using Local System and others are using our domain admin account.

[veremin]

Got it. Those services can be run under local admin account, indeed. That's what many of our customers are doing.

If you want to switch them from domain admin to the local one, stop all veeam services as well as processes, switch accounts, and restart a server.

Thanks.

[chris.atwood]

Thanks v.Eremin I appreciate, that pretty much wraps it up for this.

Just one last question: is the "local system account" and "a local admin account" the same when as far as Veeam is concerned?

[Gostev]

Not sure I understand the question, but these are very different in terms of Windows security.