fll
Enthusiast
Posts: 51
Liked: never
Joined: Sep 05, 2016 10:35 am

Migrate Veeam infrastructure out of the domain.

Post by fll »

Hello, following Gostev's recommendations, I am looking at the possibility of removing the entire Veeam infrastructure from the domain and working with local accounts.
The problem is that everything (Backup Server, Proxy Server, Backup Enterprise Manager, Veeam ONE, Tape Server) is in the domain.
Is it possible to do it without losing data (backup jobs, replica jobs, etc.)?
All Veeam servers that need it use local databases.
Thank you.
nitramd
Veteran
Posts: 298
Liked: 85 times
Joined: Feb 16, 2017 8:05 pm

Re: Migrate Veeam infrastructure out of the domain.

Post by nitramd » 2 people like this post

As long as you have the proper credentials set up you should not lose any data.
Egor Yakovlev
Product Manager
Posts: 2581
Liked: 708 times
Joined: Jun 14, 2013 9:30 am
Full Name: Egor Yakovlev
Location: Prague, Czech Republic

Re: Migrate Veeam infrastructure out of the domain.

Post by Egor Yakovlev » 1 person likes this post

I suggest moving component by component to avoid overlaps with potential problems.
- How to move VBR + EM to a new server guide here.
- How to move Veeam One to a new server guide here.
/Thanks!
micoolpaul
Veeam Software
Posts: 219
Liked: 111 times
Joined: Jun 29, 2015 9:21 am
Full Name: Michael Paul

Re: Migrate Veeam infrastructure out of the domain.

Post by micoolpaul » 1 person likes this post

Pay particular attention to the SQL Permissions prior to removing from the domain and definitely get your config backup :)
-------------
Michael Paul
Veeam Data Cloud: Microsoft 365 Solution Engineer
fll
Enthusiast
Posts: 51
Liked: never
Joined: Sep 05, 2016 10:35 am

Re: Migrate Veeam infrastructure out of the domain.

Post by fll »

Thanks for all answers.
ChrisGray
Novice
Posts: 9
Liked: 1 time
Joined: May 02, 2013 8:56 pm
Full Name: Chris Gray

[MERGED] Moving Veeam B&R Servers to new AD domain

Post by ChrisGray »

Hello,
My group and I are whiteboarding the requirements for moving our Veeam B&R to a different AD domain. Currently our Veeam environment backs up servers in two Dev/Test AD domains, plus our production AD. We're looking to move it out of the production AD domain into a new dedicated 'backup' domain.

Our environment is pretty standard, we have one Veeam Enterprise Server, (3) B&R servers in 3 physical locations and our primary DC site has one of the 3 B&R servers plus (2) proxy servers all FC connected local storage. At a high level, all backups are done locally to the local B&R server written to local disk then written to tape, all Veeam infrastructure are physical servers. In addition to the backup jobs, we replicate a few dozen key VMware servers from our main DC to a smaller secondary DC at regular intervals.

We've accounted for typical domain things, however, aside from the credentials stored inside Veeam for the servers being backed up, I'm looking to see if there's any Veeam specific 'gotchas' that others may have run into. Would I be required to recreate all of my jobs? Since VC or its inventory isn't being altered I don't think I need to account for the MOREFs changing or anything like that, this sort of thing I'm looking to try and account for.

Thanks for any input.

Chris
foggy
Veeam Software
Posts: 21139
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Migrate Veeam infrastructure out of the domain.

Post by foggy »

Hi Chris, there are no Veeam specific gotchas regarding this, provided all the credentials are set correctly, you should be fine.
ChrisGray
Novice
Posts: 9
Liked: 1 time
Joined: May 02, 2013 8:56 pm
Full Name: Chris Gray

Re: Migrate Veeam infrastructure out of the domain.

Post by ChrisGray »

Thanks for merging this, I didn't see this thread prior to posting. Each of the B&R servers is using SQL Express. What do you think the SQL permissions mentioned in the one message are? We run SQL Express on each of the B&R servers.
foggy
Veeam Software
Posts: 21139
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Migrate Veeam infrastructure out of the domain.

Post by foggy »

Please check this page for the full list of permissions required for Veeam B&R operation.
wa15
Veteran
Posts: 323
Liked: 25 times
Joined: Jan 02, 2014 4:45 pm

Re: Migrate Veeam infrastructure out of the domain.

Post by wa15 »

Following up on this topic....we have an "all in one" Veeam server that hosts all roles and is currently on the domain. To have a layer of protection against ransomware, I am considering moving it out of the domain into a workgroup. Two questions:

1. If I recall from Gostev's emails, this is a decent first step in locking down the Veeam server, is that correct?
2. Can I simply remove the Veeam server from the domain and put it in a workgroup, without Veeam components breaking? Or do Veeam components rely on FQDN?
foggy
Veeam Software
Posts: 21139
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Migrate Veeam infrastructure out of the domain.

Post by foggy »

1. Correct.
2. In the case of all-in-one installation all local components will not have any issues but pay attention to preserving the access/connectivity with everything beyond.
Jon.gruber@3e-co.com
Lurker
Posts: 1
Liked: never
Joined: Feb 20, 2020 8:05 pm
Full Name: Jon Gruber

Re: Migrate Veeam infrastructure out of the domain.

Post by Jon.gruber@3e-co.com »

I'm replacing our B&R server (upgrade time), and was wanting to move it off the domain. My plan is to build a VLAN on the firewall and isolate it there, so it can't even be pinged from local machines. Step 2: leave the proxies on the domain and have them reach all the machines to be backed up. The VLAN will have isolated IPs that can reach the server via RDP for access. Just want to know, am I overthinking this, or is this the higher, best practice, way to isolate the server?
If this is the right path, is it OK to leave the proxies on Domain? Lastly, we currently use full SQL on the domain for the DB. Will that be accessible from BR VLAN?
micoolpaul
Veeam Software
Posts: 219
Liked: 111 times
Joined: Jun 29, 2015 9:21 am
Full Name: Michael Paul

Re: Migrate Veeam infrastructure out of the domain.

Post by micoolpaul »

"Lastly, we currently use full SQL on the domain for the DB. Will that be accessible from BR VLAN?"
The database contains all your encryption keys so you should move this as well. And Veeam needs access to this database, the DB is just as important to protect.
"If this is the right path, is it OK to leave the proxies on Domain?"
These only host data temporarily so it’s not really a problem. But I’d suggest your environment be consistent. If you have the capacity, I’d suggest a management domain for your Veeam components so you can standardise your policies between all servers via GPOs etc. Less room for configuration drift between servers.

Finally, and I’m sure you were going to anyway, when configuring a topology such as this, keep in mind what ports will require being opened: https://helpcenter.veeam.com/docs/backu ... ml?ver=110
-------------
Michael Paul
Veeam Data Cloud: Microsoft 365 Solution Engineer
TheWaterbug
Enthusiast
Posts: 37
Liked: 4 times
Joined: Dec 06, 2019 7:29 pm
Full Name: Steven Kan

Re: Migrate Veeam infrastructure out of the domain.

Post by TheWaterbug »

I recently moved my B&R Server and secondary repo out of my domain, and I encountered the following errors and solutions:
  1. First I moved my secondary repository box out of the domain:
    1. My B&R Server (which is also my primary repo) could no longer connect to it (Case #06052303).
    2. Error message was:
      1. Access is denied.
      2. Error code: 0x00000005
      3. Failed to create persistent connection to ADMIN$ shared folder on host [Repo2].
      4. Failed to install service [VeeamDeploySvc] was not installed on the host [Repo2].
    3. net use \\Repo2\c$ worked if I type in that local admin username and password, as did net use \\Repo2\admin$
    4. The culprit was UAC, which I fixed by adding DWORD LocalAccountTokenFilterPolicy = 1 to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
  2. I let it run that way for a week, and then I moved the B&R Server/Repo out of the domain, now logging into a non-domain, local admin account:
    1. Backups stopped working.
    2. I could not log into the console on the B&R Server (Case #06065192), with the error, "Failed to connect to Veeam Backup & Replication server: No connection could be made because the target machine actively refused it 127.0.0.1:9392"
    3. Several Veeam services were not running, and could not be Started manually, with the error: "Windows could not start the Veeam Backup Service service on Local Computer. Error 1068: The dependency service or group failed to start."
    4. The fix was to edit each of 4-5 Veeam services and change the Logon from DOMAIN\Administrator to Local Account.
Support was great, but I'm posting this in the hopes that it can help someone find the fix faster.
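
Added example (not part of TheWaterbug's post and not Veeam's own tooling): a read-only PowerShell pre-check for the two failures described above, run on each Veeam server before it leaves the domain. The helper name `Test-SurvivesUnjoin` and the inclusion of `MSSQL*` services alongside the Veeam ones are assumptions made for this sketch.

```powershell
# Pre-flight audit before unjoining a Veeam server from its domain.
# Read-only: it changes nothing. Run in an elevated PowerShell session.

$computer = $env:COMPUTERNAME

# Built-in identities that keep working after the machine leaves the domain.
$builtin = '^(LocalSystem|NT AUTHORITY\\.+|NT SERVICE\\.+)$'

function Test-SurvivesUnjoin {
    param([string]$StartName)
    if ([string]::IsNullOrEmpty($StartName)) { return $true }  # no logon account set
    if ($StartName -match $builtin)          { return $true }
    if ($StartName -like '.\*')              { return $true }  # .\user is a local account
    if ($StartName -like "$computer\*")      { return $true }  # HOST\user is a local account
    return $false                                              # DOMAIN\user or user@domain
}

# 1. Services that log on with a domain account (the "Error 1068" case).
#    Assumption: Veeam services have a display name starting with "Veeam";
#    the local SQL instance is included because Veeam services depend on it.
$atRisk = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -like 'Veeam*' -or $_.Name -like 'MSSQL*' } |
    Where-Object { -not (Test-SurvivesUnjoin $_.StartName) } |
    Select-Object Name, DisplayName, StartName, State, StartMode

if ($atRisk) {
    Write-Warning 'These services log on with a domain account and will not start after the unjoin:'
    $atRisk | Format-Table -AutoSize
} else {
    'No Veeam/SQL service depends on a domain logon account.'
}

# 2. UAC remote restriction on local accounts (the "Access is denied" / ADMIN$ case).
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$latfp = (Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy `
            -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy

if ($latfp -eq 1) {
    'LocalAccountTokenFilterPolicy = 1: remote logons by local admins receive a full token.'
} else {
    'LocalAccountTokenFilterPolicy is not 1: remote logons by local admins (other than the built-in Administrator) get a filtered token, so ADMIN$ access fails.'
}
```

Setting `LocalAccountTokenFilterPolicy` to 1 lifts the UAC remote filter for every local administrator on that host, so give each server a unique local admin password and restrict inbound SMB to the backup server.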