I found this security domain document, https://bp.veeam.com/vbr/Security/Security_domains.html, to make Veeam more secure by not setting it up within the production domain, but instead to create a forest with a management domain.
Sorry if this has already been asked or if this is a dumb question. But I can not locate any other document that specifically lists which components from Veeam need to be installed on the management domain and which ones needs to installed on the production domain.
Should I install all Veeam components within the management domain, or do some components need to be installed on the production domain as well for backing up our data?
Any assistance is much appreciated!
-
InfiniteHyperlink
- Lurker
- Posts: 1
- Liked: never
- Joined: Nov 09, 2022 4:51 pm
- Contact:
-
Mark
- Service Provider
- Posts: 12
- Liked: 1 time
- Joined: Sep 17, 2012 5:20 am
- Full Name: Mark Cummings
- Contact:
Re: Management Domain Setup Questions
The way we do this is:
Install all Veeam components on the Management domain, the server, proxies, repositories, etc.
Point all Management machines to their own Management DNS server.
Use conditional forwarding to locate the hosts and Virtual Centre in the Production domain.
Use specific Production domain accounts to make the connections for backup.
Install all Veeam components on the Management domain, the server, proxies, repositories, etc.
Point all Management machines to their own Management DNS server.
Use conditional forwarding to locate the hosts and Virtual Centre in the Production domain.
Use specific Production domain accounts to make the connections for backup.
-
HannesK
- Product Manager
- Posts: 14844
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Management Domain Setup Questions
Hello,
and welcome to the forums.
Yes, the only exception could be with V12 and you like to use group managed service accounts (gMSA), where the guest interaction proxy has to be in the production domain.
The document is also a bit "ahead of time": Kerberos only is only fully supported in V12. It works okay-ish also in V11, but upgrades fail as far as I remember.
Best regards,
Hannes
and welcome to the forums.
Yes, the only exception could be with V12 and you like to use group managed service accounts (gMSA), where the guest interaction proxy has to be in the production domain.
The document is also a bit "ahead of time": Kerberos only is only fully supported in V12. It works okay-ish also in V11, but upgrades fail as far as I remember.
Best regards,
Hannes
-
StoopidMonkey
- Enthusiast
- Posts: 39
- Liked: 4 times
- Joined: Nov 14, 2019 7:12 pm
- Full Name: Chris Lukowski
- Contact:
Re: Management Domain Setup Questions
I also was under the impression that some Veeam components HAD to be in the production domain for certain functions to work correctly be it gMSAs, SQL mounts, etc. What's the consensus now that V12 has been out a while?
-
HannesK
- Product Manager
- Posts: 14844
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Management Domain Setup Questions
Hello,
my answer directly above still applies. Only the guest interaction proxy with needs to be in the domain when gMSAs are used. For other scenarios, no Veeam component needs to be in the production domain (well, Enterprise Manager for self-service, but that could be solved with SAML).
Best regards,
Hannes
my answer directly above still applies. Only the guest interaction proxy with needs to be in the domain when gMSAs are used. For other scenarios, no Veeam component needs to be in the production domain (well, Enterprise Manager for self-service, but that could be solved with SAML).
Best regards,
Hannes
Who is online
Users browsing this forum: Google [Bot] and 84 guests