SerSunal
Expert
Posts: 101
Liked: 5 times
Joined: Oct 27, 2021 8:07 pm
Full Name: Ser
Contact:

Veeam Backup Server out of domain

Post by SerSunal »

Can the Veeam Backup Server be taken out of domain?
Gostev
Chief Product Officer
Posts: 31806
Liked: 7300 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Veeam Backup Server out of domain

Post by Gostev »

Sure.
rennerstefan
Veeam Software
Posts: 688
Liked: 150 times
Joined: Jan 22, 2015 2:39 pm
Full Name: Stefan Renner
Location: Germany
Contact:

Re: Veeam Backup Server out of domain

Post by rennerstefan »

As Gostev said, this is not an issue at all.
And these days, where crypto trojans are all around, it is a very common thing to have Veeam components incl. the VBR server out of AD. Just make sure you understand how all components work with each other and that, for example, DNS is very much needed for a lot of things.
Stefan Renner

Veeam PMA

Re: Veeam Backup Server out of domain

Post by SerSunal »

Hi rennerstefan.

Based on what you tell me.
If it is removed from the domain, some of the components such as proxies or repositories that were registered by name could not be connected anymore?
Mildur
Product Manager
Posts: 9846
Liked: 2607 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Veeam Backup Server out of domain

Post by Mildur »

Make sure that DNS resolution works after removing the Windows server from the domain.
And if you have used dedicated servers for proxy and repo, reconfigure the credentials in the proxy and backup repo properties to a local administrative account, if you have used a domain admin account before.
Product Management Analyst @ Veeam Software

Re: Veeam Backup Server out of domain

Post by SerSunal »

Thanks Mildur.

The credentials are changed from Managed Servers of the servers that have the role of proxy and repository.
Credentials are not loaded in that component.
Is that right?

Re: Veeam Backup Server out of domain

Post by Mildur »

Credentials are stored in the Veeam backup server configuration database.
For example, you configured Veeam to use an Active Directory user to connect to the managed server working as a proxy.

If you remove the managed server with the proxy from your domain (AD), Veeam will not be able to connect to this managed server with the proxy component anymore. You must change the credentials. You can do that under Managed Servers. Open the properties of each managed server that you have removed from the domain and change the credentials from AD credentials to local credentials. You need to create a local user with administrative permissions first on the managed server. Then you can use it in Veeam.

Product Management Analyst @ Veeam Software

Re: Veeam Backup Server out of domain

Post by Gostev »

Domain credentials work just fine whether or not backup server itself is a part of the domain, so usually there's no reason to swap them for local credentials following the removal of the backup server from a domain.

Re: Veeam Backup Server out of domain

Post by Mildur »

Sorry, I mixed up some topics of @SerSunal. Anton is right.
I thought this one was also about removing the proxy and repo from the domain.
Product Management Analyst @ Veeam Software
christian.naenny
Enthusiast
Posts: 40
Liked: 13 times
Joined: Apr 08, 2015 11:52 am
Full Name: Christian Naenny
Location: Zurich, Switzerland
Contact:

Re: Veeam Backup Server out of domain

Post by christian.naenny »

Is there a concise document on how to operate the Veeam B&R Infrastructure without using Active Directory? Possibly with a section on how to remove the Veeam B&R components from the existing AD infrastructure?

Re: Veeam Backup Server out of domain

Post by rennerstefan » 1 person likes this post

Hi Christian,

Don't know of any document that talks specifically about it. But as mentioned by Gostev and Mildur, Veeam is fine operating with components that are not part of AD. All credentials, even the ones you need to connect to AD, e.g. for App Aware processing, will be stored in our internal DB. As I mentioned yesterday, you should just make sure your DNS is working well (which is not depending on AD).
Also you need to be aware that some other services like Enterprise Manager will work differently (in case you use self service etc.).
It will be hard to explain everything on the forum but feel free to add any details or further questions as needed.

Thanks
Stefan Renner

Veeam PMA

Re: Veeam Backup Server out of domain

Post by christian.naenny »

Hi Stefan
Thanks for your answer.
I was just wondering as we're exploring options to protect our backup infrastructure against a multitude of attacks. Of course this has to include the possibility of attacks on the AD infrastructure.
We will have to create a step-by-step document on how to do this (VBR outside AD) and I thought maybe somebody has already done this...

Re: Veeam Backup Server out of domain

Post by rennerstefan »

Totally get your point.

There is a little bit of information in the Best Practice guide here:
https://bp.veeam.com/vbr/Security/Security_domains.html

And also, there is some content available in the forums here:
veeam-backup-replication-f2/veeam-serve ... 55751.html
veeam-backup-replication-f2/moving-veea ... 69532.html
veeam-backup-replication-f2/non-domain- ... 63217.html

Maybe that helps to speed up your process.
Stefan Renner

Veeam PMA

Re: Veeam Backup Server out of domain

Post by Gostev » 1 person likes this post

Someone on Reddit did this move a few weeks ago and did not run into any roadblocks. Basically he came back to say it was a simple and smooth experience, and nothing broke.
vmikhelson
Novice
Posts: 6
Liked: 4 times
Joined: Jul 23, 2020 9:48 pm
Full Name: Vladimir Mikhelson
Contact:

Re: Veeam Backup Server out of domain

Post by vmikhelson »

Hi,

Not so smooth here. I have a case open with Veeam on that exact topic for more than a month. Case # 05140230.

Specific problems are related to out-of-domain Managed Servers having issues performing guest interrogation and / or installing necessary Veeam components on AD joined VMs they are backing up. RPC calls failing, etc.

And yes, I do have all DNS names resolving, all local and AD credentials in place.

Still hope to see all my Veeam servers out of AD one day.

-Vladimir
sasilik
Expert
Posts: 104
Liked: 13 times
Joined: Jun 12, 2014 11:01 am
Full Name: Markko Meriniit
Contact:

Re: Veeam Backup Server out of domain

Post by sasilik » 2 people like this post

Seems more like a network problem. With a segmented network where switches limit/filter traffic, these kinds of problems can happen.
stevepogue
Influencer
Posts: 11
Liked: 1 time
Joined: Apr 20, 2021 3:19 pm
Full Name: Steve Pogue
Contact:

Re: Veeam Backup Server out of domain

Post by stevepogue »

It should be noted that Veeam Backup for Office 365 requires a domain joined server. We moved our VBR server to workgroup 6 months ago and it works great. However, VBO365 failed after it was moved to workgroup and we had to move that server back into the domain.

Re: Veeam Backup Server out of domain

Post by Mildur » 1 person likes this post

@steve

VBO365 v5.0 can be used without an AD joined machine.
That was a new feature for V5.0, using VBO365 in a workgroup environment. My VBO server doesn't use Active Directory and it works fine. But it was built from the start without an AD integration.
Product Management Analyst @ Veeam Software
vcharlie
Veeam Software
Posts: 224
Liked: 62 times
Joined: Jan 07, 2011 2:43 am
Full Name: Charles Clarke
Contact:

Re: Veeam Backup Server out of domain

Post by vcharlie » 2 people like this post

One of the American SA's and an SE has actually written a paper and presentation on this topic (more accurately, moving VBR from a production domain to a non-prod (i.e. management) domain but it goes via a Workgroup). Let me see if I can dig out a shareable copy.
oscaru
Service Provider
Posts: 27
Liked: 11 times
Joined: Jul 26, 2016 6:49 pm
Full Name: Oscar Suarez
Contact:

Re: Veeam Backup Server out of domain

Post by oscaru » 1 person likes this post

We have successfully taken out of AD most of the Veeam installations we manage, and moved them to Workgroup.
It's not hard; most issues we had were DNS related, sometimes fixed by adding name records in the hosts file of the server or the component. Another common issue was that some component servers (proxies for example) couldn't be reached, and they were fixed by forcing the removal from the backup infrastructure on the VBR console and adding them back.
I also remember issues with Application Aware Processing, that could only be fixed using the DOMAIN\Administrator account, because of the Windows UAC control.
In the end, as someone already said, it is a best practice to have your backup infra outside your AD, to add an extra layer (or time) of protection when adversaries have already taken control of credentials inside your AD. Also having an immutable repository as a "designated survivor" helps in this case. We do know that in this scenario, the repository is not part of any Active Directory.

Re: Veeam Backup Server out of domain

Post by Gostev » 2 people like this post

Active Directory by itself is not a problem. The real goal is to ensure that the backup server is not a part of the production domain. You can have it in a completely different AD forest with a one-way trust from the production forest. As far as I know, larger customers tend to place the backup server into a dedicated AD forest, as opposed to just having it sit outside any AD in a workgroup.
JayP
Novice
Posts: 4
Liked: 1 time
Joined: Jan 25, 2019 3:54 pm
Full Name: Justin Huntington
Contact:

[MERGED] Veeam Backup Server out of domain

Post by JayP »

Hi all. I am also looking at the task of removing my Veeam server from our domain.

We use Backup jobs, Backup copy jobs to NAS offsite in addition to on-prem HLR, App aware processing etc.

Is there an official document containing a checklist or something? I am quite daunted at the prospect of removing it and breaking everything at present. I rebuilt my Veeam server on new hardware 12 months ago and wish I had considered this then!

TIA

Re: Veeam Backup Server out of domain

Post by rennerstefan »

Hi,

you can find some details on different security domains here: https://bp.veeam.com/vbr/Security/Security_domains.html
I'm sorry, but I don't think there is the one and only best practice, as every customer is kind of different when it comes to the infrastructure and, with that, the dependencies he has.
As discussed in the thread above, there is no real downside to removing the Veeam components from AD.
Of course you should check first on all the dependencies you may have (accounts, DNS etc.) and maybe build your own overview.
But overall it is recommended to take that step.
And if you are doing it, you should also take the chance to harden your environment even further by using:
- different local accounts for each server
- usage of hardened Linux backup repository
- management and data traffic separation
- firewall hardening of the servers
- ...etc.

Thanks
Stefan Renner

Veeam PMA
craigshephard
Novice
Posts: 4
Liked: never
Joined: Aug 12, 2021 1:44 pm
Full Name: Craig Shephard
Contact:

[MERGED]Removing Veeam Servers From Domain

Post by craigshephard »

Hi,

We currently have all of our servers joined to our domain and would like to remove them. Has anyone already done this and can provide tips/advice?

We have a VBR server, 2x proxy servers and 2x SQL servers (failover cluster)

Thanks in advance!

Re: Veeam Backup Server out of domain

Post by Mildur »

Hi Craig

Yes, others have done that successfully.
I moved your question to this topic, where you can find some advice and tips.

Thanks
Fabian
Product Management Analyst @ Veeam Software

Re: Veeam Backup Server out of domain

Post by craigshephard »

Thank you Fabian for moving that over.

From reading this thread, it seems simple enough to remove our servers from the domain and use local accounts to connect the VBR to the proxy servers. Do the proxy servers need to be re-added to the VBR or will they still work, providing the DNS is set up correctly?

We have our database in a separate SQL instance across 2 servers using HA. Has anyone got theirs setup in this way and have removed those from the domain?

Re: Veeam Backup Server out of domain

Post by Mildur »

You're welcome, Craig.

Yes, removing it is simple. If you only remove the VBR server from the domain, just check how you authenticate on the SQL server for the configuration database.
It needs to be SQL Server Authentication after removing the VBR server from the Active Directory. If you used Windows authentication, it will not work anymore.

If you remove Windows proxies from the domain, make sure that they are available with the same hostname.
You should only have to reconfigure the proxy to use the new local credentials. If that's not working, remove the proxy and add it again with local credentials. There is not much to lose when you remove a proxy.

For removing the SQL Server in an HA environment, I don't know how it will behave. I don't have any experience with SQL HA deployments.
Let us wait and see if someone else has some recommendations here.
Product Management Analyst @ Veeam Software
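
The DNS checks recommended throughout this thread, as an added example (not from any poster and not Veeam's own tooling): by default a Windows server loses the domain's primary DNS suffix when it moves to a workgroup, so components registered by short name can stop resolving. The host names and the suffix below are constructed placeholders; replace them with the names shown under Managed Servers.

```powershell
# Added example: run on the VBR server before and after it leaves the domain.
# Host names and the DNS suffix are constructed placeholders.
$Components = 'vbr-proxy01', 'vbr-proxy02', 'vbr-repo01'  # as registered under Managed Servers
$OldSuffix  = 'corp.example.com'                          # DNS suffix of the AD domain being left

function Resolve-Both {
    param([string]$Name)
    # DNS servers only: no hosts file, no LLMNR/NetBIOS fallback.
    $dns = Resolve-DnsName -Name $Name -Type A -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue |
           Where-Object { $_.IPAddress }
    # What an application sees: hosts file, suffix search list and fallbacks included.
    $sys = try { [System.Net.Dns]::GetHostAddresses($Name) } catch { @() }
    [pscustomobject]@{
        Dns    = @($dns.IPAddress) -join ','
        System = @($sys | ForEach-Object { $_.IPAddressToString }) -join ','
    }
}

# Current membership and suffix configuration of this machine.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
[pscustomobject]@{
    PartOfDomain      = $cs.PartOfDomain
    DomainOrWorkgroup = $cs.Domain
    PrimaryDnsSuffix  = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName
    SuffixSearchList  = (Get-DnsClientGlobalSetting).SuffixSearchList -join ','
} | Format-List

$report = foreach ($c in $Components) {
    $short = Resolve-Both $c
    $fqdn  = Resolve-Both "$c.$OldSuffix"
    $verdict = if ($short.Dns) { 'OK: short name resolves through DNS' }
               elseif ($short.System) { 'Fragile: short name resolves only via hosts file or LLMNR/NetBIOS' }
               elseif ($fqdn.Dns) { 'Broken: only the FQDN resolves; add a suffix search entry or a hosts record' }
               else { 'Broken: no record found for short name or FQDN' }
    [pscustomobject]@{ Component = $c; Short = $short.System; Fqdn = $fqdn.System; Verdict = $verdict }
}
$report | Format-Table -AutoSize -Wrap
```

Running it once while still domain-joined and again afterwards shows which registered names depended on the domain suffix.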
StoopidMonkey
Enthusiast
Posts: 39
Liked: 4 times
Joined: Nov 14, 2019 7:12 pm
Full Name: Chris Lukowski
Contact:

Re: Veeam Backup Server out of domain

Post by StoopidMonkey » 1 person likes this post

oscaru wrote: Jan 11, 2022 11:55 pm
"I also remember issues with Application Aware Processing, that could only be fixed using the DOMAIN\Administrator account, because of the Windows UAC control."

I really wish Veeam would include guidance in the standard documentation on how to create custom accounts for these functions that follow the Principle of Least Privilege.