-
- Novice
- Posts: 4
- Liked: never
- Joined: Aug 05, 2021 7:41 am
- Full Name: skyforger
- Contact:
Configuring gMSA account, Veeam v.12
Hi!
We are implementing gMSA accounts for our B&R infra v.12.
The Veeam documentation is unclear on whether we should run the command below ONLY on all domain controllers or ALSO on the target servers and application proxy to make this work?
"To enable gMSA support in Microsoft Windows PowerShell, run the following commands:
Add-WindowsFeature NET-Framework,RSAT-ADDS 2>&1 | Out-Null;
Import-Module ServerManager;
Install-WindowsFeature -IncludeAllSubFeature RSAT | Out-Null;
Import-Module ActiveDirectory;"
Also, is installing those RSAT features on domain controllers a possible security risk in itself? Would that open more attack surface on the DCs?
Also, how are people handling backup credentials if an AD tier hardening model is in place? Let's say your server is in tier 0 and you cannot access that tier with your backup service account?
I also have support case # 05925852 open for this, but it's hard to get my head around how to implement gMSA the correct way...
-
- Enthusiast
- Posts: 95
- Liked: 31 times
- Joined: Mar 07, 2018 12:57 pm
- Contact:
Re: Configuring gMSA account, Veeam v.12
Not sure why they suggest to install the entire RSAT.
Install-WindowsFeature RSAT-AD-PowerShell
Note:
- You need the above PS module on any computer that is supposed to have the gMSA account added.
- Do NOT bother trying to do things with remote PS (Enter-PSSession). It will NOT work.
-
- Novice
- Posts: 4
- Liked: never
- Joined: Aug 05, 2021 7:41 am
- Full Name: skyforger
- Contact:
Re: Configuring gMSA account, Veeam v.12
I followed this guide: https://helpcenter.veeam.com/docs/backu ... ml?ver=120
So running only "Install-WindowsFeature RSAT-AD-PowerShell" on the DCs will be enough, without installing the entire RSAT feature like they suggest in the guide?
The process goes like this, am I correct:
1. Create root key: Add-KdsRootKey -EffectiveImmediately
2. Run Install-WindowsFeature RSAT-AD-PowerShell on all Domain Controllers
3. Create gMSA accounts
4. Install gMSA on target servers etc.
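The four steps listed above, written out as an added PowerShell example (this is not code from the original thread or from the Veeam documentation). The domain name contoso.local, the OU paths, the group name gMSA-Veeam-Hosts, the account name gmsaVeeamBackup and the host names VBR01 / PROXY01 are all assumed placeholders. Each section is meant to be run locally on the host named in its comment, in line with the earlier reply that remote sessions do not work for this. Note that -EffectiveImmediately does not make the root key usable at once: the KDS still waits about 10 hours so the key can replicate to every DC before a gMSA password can be generated from it.

```powershell
# Added example, not from the original post or Veeam docs. All names below are
# assumed placeholders: contoso.local, the OU paths, gMSA-Veeam-Hosts,
# gmsaVeeamBackup, VBR01, PROXY01.

# --- Step 1: on one writable DC, once per forest (Domain Admin / Enterprise Admin).
# Only create a root key if none exists; the key is an AD object and replicates
# to the other DCs, but gMSA passwords can only be derived from it after ~10 hours.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# --- Step 2: on every host that creates, installs or tests the gMSA
# (the DC you work from and each Veeam server/proxy). Only the AD PowerShell
# RSAT sub-feature is needed, not the entire RSAT bundle.
Install-WindowsFeature RSAT-AD-PowerShell | Out-Null
Import-Module ActiveDirectory

# --- Step 3: on a DC (or any host with the module and rights). Scope password
# retrieval to a dedicated group holding only the backup hosts; never grant it to
# broad groups such as Domain Computers, since any member could read the secret.
New-ADGroup -Name 'gMSA-Veeam-Hosts' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=contoso,DC=local'
Add-ADGroupMember -Identity 'gMSA-Veeam-Hosts' -Members 'VBR01$', 'PROXY01$'

New-ADServiceAccount -Name 'gmsaVeeamBackup' `
    -DNSHostName 'gmsaVeeamBackup.contoso.local' `
    -PrincipalsAllowedToRetrieveManagedPassword 'gMSA-Veeam-Hosts' `
    -ManagedPasswordIntervalInDays 30 `
    -Path 'OU=ServiceAccounts,DC=contoso,DC=local'

# --- Step 4: on each backup host, after a reboot (or 'klist purge -li 0x3e7') so
# the computer's Kerberos ticket reflects its new group membership.
Install-ADServiceAccount -Identity 'gmsaVeeamBackup'
Test-ADServiceAccount -Identity 'gmsaVeeamBackup'
```

Test-ADServiceAccount returns True only when the local computer account is allowed to retrieve the managed password and the root key is already effective; a False result right after Add-KdsRootKey usually just means the 10-hour window has not passed yet.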
-
- Veteran
- Posts: 465
- Liked: 136 times
- Joined: Jul 16, 2015 1:31 pm
- Full Name: Marc K
- Contact:
Re: Configuring gMSA account, Veeam v.12
When I run Get-KdsRootKey, I notice that it lists only the domain controller I was on when I ran Add-KdsRootKey. Is the key really dependent on that single system? I thought it being AD and all that it would replicate to the other DCs.
-
- Novice
- Posts: 4
- Liked: never
- Joined: Aug 05, 2021 7:41 am
- Full Name: skyforger
- Contact:
Re: Configuring gMSA account, Veeam v.12
If someone from Veeam could answer these questions?
Support ID: #02242658
-
- Enthusiast
- Posts: 95
- Liked: 31 times
- Joined: Mar 07, 2018 12:57 pm
- Contact:
Re: Configuring gMSA account, Veeam v.12
These questions have nothing to do with Veeam.
https://learn.microsoft.com/en-us/power ... escription
The Add-KdsRootKey cmdlet generates a new root key for the Microsoft Group Key Distribution Service (KdsSvc) within Active Directory. The Microsoft Group KdsSvc generates new group keys from the new root key. It is required to run this only once per forest.
https://learn.microsoft.com/en-us/windo ... s-root-key
KDS root keys are stored in Active Directory in container CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=<forest name>;. They have an attribute msKds-DomainID that links to the computer account of the Domain Controller that created the object. When this domain controller is demoted and removed from the domain, the value will refer to the tombstone of the computer account. You can ignore the broken value as it is only used to help the administrator track the object when it's freshly created. You may also change the attribute value and point it to the computer object of another domain controller in your forest.
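A way to check the point made in the quoted Microsoft text, as an added example that is not part of the original post: query the Master Root Keys container from every domain controller in the current domain, so you can confirm the root key object has replicated and see which DC's computer account msKds-DomainID points at. The container path is taken from the quote above; the attribute names msKds-ProvRootKey, msKds-DomainID and msKds-UseStartTime are the schema names of the KDS root key object, and the script assumes it runs under an account that can read the configuration partition.

```powershell
# Added example, not from the original thread. Enumerates KDS root keys as seen
# from each DC of the current domain and reports the creating DC recorded in
# msKds-DomainID. Assumes the ActiveDirectory module and read access to the
# configuration naming context.
Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$searchBase = "CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,$configNC"

foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    # Query each DC directly instead of the nearest one, so a key missing on a
    # single DC (replication lag or failure) becomes visible.
    $keys = Get-ADObject -Server $dc -SearchBase $searchBase -SearchScope OneLevel `
        -Filter 'objectClass -eq "msKds-ProvRootKey"' `
        -Properties msKds-DomainID, msKds-UseStartTime, whenCreated

    foreach ($k in $keys) {
        [pscustomobject]@{
            QueriedDC = $dc
            KeyId     = $k.Name
            Created   = $k.whenCreated
            # Stored as a FILETIME; this is when the key becomes usable for gMSA passwords.
            UseStart  = [DateTime]::FromFileTimeUtc($k.'msKds-UseStartTime')
            # DN of the DC computer account that created the key. Informational only:
            # a tombstoned DN after demotion does not affect password generation.
            CreatedBy = $k.'msKds-DomainID'
        }
    }
}
```

If every DC returns the same KeyId with the same UseStart, the key has replicated and the single DC shown by Get-KdsRootKey is only the creator, not a dependency; a DC that returns nothing while the others do is the one to investigate for replication problems.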