Hello,
Until V11 I used pre-provisioned agents to back up domain controllers, and a local admin account on all the other servers.
With V12, I see we can use gMSA.
VBR is in a workgroup, but gMSA only needs the guest interaction proxy to be in the domain. I'm thinking about keeping all my Veeam servers out of the domain but building 1 VM for the guest interaction proxy inside the domain and using it for all my backups. My issue is:
1) Will this slow down my backups, because all the Windows backups will have to use this guest interaction proxy VM?
I often work with customers with around 200 / 300 VMs, often with around 20 VMs backed up at the same time. This design will need to add at least 1 VM and maybe 2, but Veeam will no longer have any local server password in it.
2) For security reasons, I guess it's better to have 2 gMSAs: 1 for all servers + 1 for all DCs, right?
I already read this: https://helpcenter.veeam.com/docs/backu ... ml?ver=120
Hannes Kasparick (Product Manager)
Re: gMSA and VBR 12
Hello,
1) unlikely. But you can add more if needed anyway
2) I cannot find hard evidence for your guess. But I don't see anything that can go wrong by using two.
Best regards,
Hannes
Re: gMSA and VBR 12
Hello,
Thanks for your answer.
Good to know for 1). It's excellent if I can improve the security with only 1 more VM.
2) It's because when you talked about Tier architecture, nothing can be used at the same time for workstation / server / DC.
Workstation = T2
Server = T1
DC = T0 (and other critical servers)
What can log on to T2 should only be able to log on to T2 and not T1. If something goes wrong with the account, only T2 can be compromised.
Have a nice day !
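A check for the two-gMSA tiering idea discussed above, as an added example that is not part of the original thread and not Veeam's own code: it flags any principal that is allowed to retrieve the password of gMSAs in more than one tier, which would make that host a bridge between tiers. The account names, tiers and distinguished names are constructed placeholders, and it assumes the guest interaction proxy's computer account is among the principals allowed to retrieve each gMSA password.

```powershell
# Added example. Input objects need three properties: Name, Tier, Retrievers (DNs).
function Find-CrossTierRetriever {
    param(
        [Parameter(Mandatory)] [object[]] $Account
    )
    # Map each principal to the gMSAs (and tiers) whose password it may retrieve.
    $byPrincipal = @{}
    foreach ($a in $Account) {
        foreach ($p in $a.Retrievers) {
            if (-not $byPrincipal.ContainsKey($p)) { $byPrincipal[$p] = @() }
            $byPrincipal[$p] += [pscustomobject]@{ Gmsa = $a.Name; Tier = $a.Tier }
        }
    }
    # A principal that spans more than one tier defeats the separation.
    foreach ($p in $byPrincipal.Keys) {
        $tiers = @($byPrincipal[$p].Tier | Sort-Object -Unique)
        if ($tiers.Count -gt 1) {
            [pscustomobject]@{
                Principal = $p
                Tiers     = $tiers -join ','
                Gmsas     = @($byPrincipal[$p].Gmsa | Sort-Object -Unique) -join ','
            }
        }
    }
}

# Constructed sample: proxy GIP01 can retrieve both the T1 and the T0 gMSA.
$sample = @(
    [pscustomobject]@{ Name = 'gmsa-veeam-t1'; Tier = 'T1'
        Retrievers = @('CN=GIP01,OU=Veeam,DC=example,DC=com') }
    [pscustomobject]@{ Name = 'gmsa-veeam-t0'; Tier = 'T0'
        Retrievers = @('CN=GIP01,OU=Veeam,DC=example,DC=com',
                       'CN=GIP02,OU=Veeam,DC=example,DC=com') }
)
Find-CrossTierRetriever -Account $sample | Format-Table -AutoSize   # reports GIP01 only

# Live domain input (needs the ActiveDirectory module). Group principals must be
# expanded to their members first, otherwise overlaps hidden inside groups are missed.
# $tierOf = @{ 'gmsa-veeam-t1' = 'T1'; 'gmsa-veeam-t0' = 'T0' }
# $live = foreach ($n in $tierOf.Keys) {
#     $g = Get-ADServiceAccount -Identity $n -Properties PrincipalsAllowedToRetrieveManagedPassword
#     [pscustomobject]@{ Name = $g.Name; Tier = $tierOf[$n]
#         Retrievers = @($g.PrincipalsAllowedToRetrieveManagedPassword) }
# }
# Find-CrossTierRetriever -Account $live
```

If a single guest interaction proxy appears in the output, the T0 gMSA is only as protected as that proxy, so a dedicated proxy per tier is what keeps the two accounts separated.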