-
- Influencer
- Posts: 10
- Liked: 1 time
- Joined: Jan 30, 2025 4:00 pm
- Full Name: Eric C
v13 B&R Server on Domain
With the release of the v13 Appliance, is it now not a bad practice to have the B&R server joined to the domain? I was following this thread because we want to enable this, and it said to add the backup server to the domain. I believe when we worked with our SE on our initial install, he said it was not good practice to have B&R on the domain.
veeam-backup-replication-f2/users-with- ... ml#p553045
-
- Product Manager
- Posts: 10842
- Liked: 2955 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
Re: v13 B&R Server on Domain
Hi Eric,
The same best practice still applies: never connect your backup server to your production domain.
However, joining the backup server to a management domain is still acceptable.
Best,
Fabian
Product Management Analyst @ Veeam Software
-
- Chief Product Officer
- Posts: 32513
- Liked: 7847 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: v13 B&R Server on Domain
I'm thinking now, since VSA host admins and security officers can never be domain accounts anyway, what is the actual issue with having a software appliance joined to the production domain, @Mildur? Honest question, maybe I'm missing something.
I believe that joining the VSA to the domain by itself is not a problem. It is using domain accounts for the VBR User & Roles that enables hackers to attack the VBR application once they have taken over the production domain. But not the appliance itself, because host admins can only be local appliance users by design.
-
- Product Manager
- Posts: 10842
- Liked: 2955 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
Re: v13 B&R Server on Domain
Personally, I don't want to see attackers gaining admin access to the backup application by using compromised production account credentials.
However, these risks and their potential impact can be mitigated by implementing options such as backup console MFA or lockdown mode.
Best,
Fabian
Product Management Analyst @ Veeam Software
-
- Influencer
- Posts: 10
- Liked: 1 time
- Joined: Jan 30, 2025 4:00 pm
- Full Name: Eric C
Re: v13 B&R Server on Domain
So how do we configure the SAML SSO like you said in another post? We only have 1 domain.
Entra ID SSO with SAML
The configuration steps are completed in the Backup Console (Windows-based Console) and are documented in our Helpcenter. You’ll need to work with your Entra ID team to prepare an Entra ID application for SSO on their side.
Currently, there isn’t a dedicated guide for Entra ID with Veeam Backup & Replication, but I’ll check with our help center team about adding documentation similar to what we have for Veeam Service Provider Console or Veeam Backup for Azure.
Domain User
***************The backup server must be joined to your domain*******************
This can be done in the Host Management Console. Please see our helpcenter for guidance.
Once the backup server is added to the domain, you can add users or groups (helpcenter) using the following format with the Backup Console (Windows-based Console):
- DOMAIN\USERNAME
- DOMAIN\GROUPNAME
-
- Product Manager
- Posts: 10842
- Liked: 2955 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
Re: v13 B&R Server on Domain
I’ve provided the relevant Helpcenter links in the other topic. The steps are explained in our documentation.
1. Open Veeam Host Management Web UI.
2. Add your backup server to the domain.
2a. Approve with Security Officer (if security officer is enabled).
3. Add AD users or AD groups using the Windows-based backup console and assign them a role.
Best,
Fabian
Product Management Analyst @ Veeam Software