Can't backup DCs with Guest Interaction

[RobMiller86]

We have been onboarding more clients with Veeam. I'm on my 3rd one this month with the exact same issue. All 3 have been the same. Domain Controllers can't pass the credential test in the job, and they can't run app consistent backups, crash consistent only.

Case # 06395099
Case # 06403909

We can browse the c$ or admin$ shares from the hosts as well as the VBR using our veeam service account. We've installed the VeeamInsallerSvc on the VMs. We've tried with firewalls disabled. We've uninstalled our security software SentinelOne. We know to keep it at or below version 23.1.5.886 for now due to safeboot protection issues on DCs, which this problem I'm facing seems identical to that problem, even without S1 at all. We've disabled Defender realtime protection. It doesn't matter what we do, none of our DCs, on 3 different networks can pass the cred test. I can even verify in the sec logs on the DCs during a cred test that the account is being successfully authenticated and granted the proper backup privileges. Nonetheless, the test fails.

Support seems to be struggling with finding a solution. Anyone have any other ideas?

[MarkBoothmaa]

It may not be relevant. Have you tried the remote UAC registry setting?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
Create a DWORD value called LocalAccountTokenFilterPolicy and assign it a value of 1.

The server will need a reboot.

[RobMiller86]

Thanks Mark. Just gave it a try. Added it to a DC and rebooted. No change. Still fails cred test.

[tyler.jurgens]

Is the account you are using a domain admin?

[RobMiller86]

Yes the account is a dedicated veeam service account that is a domain admin. I'm not precisely sure what the difference is from existing deployments to new deployments, but all of our new deployments are having this issue. The logs from Veeam aren't very specific as to the issue. They just say it can't access the path, admin$ or whatever. Since we can access it from the host or the VBR using that account, that leaves us nothing to go on.

[tyler.jurgens]

Have you tried entering the username as either: domain\username and username@domain.fqdn formats (trying one, then the other?)

[RobMiller86]

Yes I have tried both formats for entering the creds. Both formats work on member servers, neither format works on DCs.

[RaHa]

Hi,

Did you try disable LUA via regedit? Keep in mind it needs reboot.

Do you have any firewall in between?

Did you successfully login manually on the DC with the domain account? - purpose is to create user folder.

[dips]

Are you using Windows Defender ATP with ASR?

[dargueta]

You don't say whether those DCs are Win2022 or 2019s?
I learned the hard way this weekend that to Backup/Replicate Windows 2019 still need "TCP/IP NetBIOS Helper" service (NetBT). I would also check Firewall ports to allow RPC https://helpcenter.veeam.com/docs/backu ... kup-server

[drobbins]

Do you have correct credentials in the credential manager in VBR? Any special characters in the password that it doesn't like?

[randytho]

Is there an issue here with NTLM auth against the domain controllers? Is user in protected group? (As far as I know NTLM is still used here.)