EviLin
Influencer
Posts: 12
Liked: never
Joined: Apr 28, 2025 7:37 pm

gMSA only working for app. aware DC and SQL allowed

Post by EviLin »

Hello,

We use a gMSA account to back up our domain controllers and SQL server application-aware; it only seems to work when the DCs and SQL server are allowed to retrieve the gMSA password.

If the DCs and SQL are not in the group that is allowed to retrieve the password, the backup job fails with:


7/1/2025 8:46:38 AM :: Unable to subscribe to guest processing components: Failed to call RPC function 'Vss.DetectOracleInstallation': Error code: 0x80004005. Failed to invoke func [DetectOracleInstallation]: Unspecified error. Failed to detect Oracle installation. Failed to create a process token for MSA account: %gMSAUsername$%, domain: %Domain%. Win32 error:The user name or password is incorrect. Code: 1326.. Failed to call RPC function 'Vss.DetectOracleInstallation': Error code: 0x80004005. Failed to invoke func [DetectOracleInstallation]: Unspecified error. Failed to detect Oracle installation. Failed to create a process token for MSA account: %gMSAUsername$%, domain: %Domain%. Win32 error:The user name or password is incorrect. Code: 1326. 
Even though this article says that it should work, with only the guest processing proxy in the group?

https://community.veeam.com/blogs-and-p ... do-it-8723
david.domask
Veeam Software
Posts: 2791
Liked: 637 times
Joined: Jun 28, 2016 12:12 pm

Re: gMSA only working for app. aware DC and SQL allowed

Post by david.domask »

Hi EviLin,

I think the community post you found introduced a slight confusion, as from our User Guide on gMSA:

"If you back up a machine using a gMSA, both the guest interaction proxy and the target machine must have network access to the domain controllers and be in the same domain to obtain the gMSA password. On the target machine the gMSA must be added to the Administrators group (local or domain). Domain Administrator permissions are only required for Microsoft Active Directory backups, for other supported applications local Administrator permissions are sufficient."

Reviewing the community post, I think what the author meant was that, of the Veeam infrastructure, only the Guest Interaction Proxy must be in the domain; the rest of the VBR infrastructure does not need to be (and best practice is to NOT join the backup infrastructure to the domain).
David Domask | Product Management: Principal Analyst
EviLin
Influencer
Posts: 12
Liked: never
Joined: Apr 28, 2025 7:37 pm

Re: gMSA only working for app. aware DC and SQL allowed

Post by EviLin »

Yes.

I know all of that, but the issue is that when the "clients" (domain controllers and SQL servers) are not in the AD group that is allowed to retrieve gMSA passwords, the backup jobs fail.
So both the guest interaction proxy AND the clients should be in the group that can retrieve the password.

I thought only the GIP should be in the AD group.
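
A check for the retrieval permission discussed in this thread, added here as an example (it is not from the posts or from Veeam): it expands the principals allowed to retrieve the gMSA password and reports whether each backup-relevant host is among them. The account name `svc-backup` and the host names are placeholders, and the ActiveDirectory RSAT module is assumed to be installed.

```powershell
Import-Module ActiveDirectory

# Placeholders (assumptions, not values from the thread).
$GmsaName = 'svc-backup'
$Hosts    = @('GIP01', 'DC01', 'SQL01')   # guest interaction proxy + target machines

# Principals that may retrieve the managed password (stored as DNs on the gMSA).
$gmsa = Get-ADServiceAccount -Identity $GmsaName `
            -Properties PrincipalsAllowedToRetrieveManagedPassword

# Expand groups recursively so nested membership is counted.
$allowed = [System.Collections.Generic.HashSet[string]]::new(
               [StringComparer]::OrdinalIgnoreCase)
foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    $obj = Get-ADObject -Identity $dn
    if ($obj.ObjectClass -eq 'group') {
        Get-ADGroupMember -Identity $dn -Recursive |
            ForEach-Object { [void]$allowed.Add($_.DistinguishedName) }
    }
    else {
        [void]$allowed.Add($obj.DistinguishedName)
    }
}

# Report per host; a target missing here matches the 1326 failure in the job log.
$report = foreach ($name in $Hosts) {
    $computer = Get-ADComputer -Identity $name
    [pscustomobject]@{
        Host                = $name
        CanRetrievePassword = $allowed.Contains($computer.DistinguishedName)
    }
}
$report | Format-Table -AutoSize

# Every computer in this set can obtain the gMSA credentials, so review it
# as a privileged group, especially when the gMSA is a Domain Admin for DC backups.
"Computers able to retrieve the password: $($allowed.Count)"
```

Running `Test-ADServiceAccount -Identity svc-backup` on a host confirms the same thing from that machine's side. A computer newly added to the group picks up the membership only after a reboot or a purge of its Kerberos tickets.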