-
- Expert
- Posts: 125
- Liked: 3 times
- Joined: Mar 23, 2009 4:44 pm
- Full Name: Matt
- Contact:
Domain Controller required user backup permissions
We're trying to go to least privileged user access required to do backups, and we've generally just been putting the user in the "Administrators" group of a VM as shown here:
http://helpcenter.veeam.com/backup/80/v ... sions.html
But with Active Directory controllers, they obviously don't have their machine specific "administrators" group any more, and when we remove the user from "domain admins", we get this error:
"Failed to prepare guest for hot backup. Error: Failed to connect to guest agent. Errors: 'Cannot connect to the host's administrative share."
What is the least privileged rights we can use to backup an Active Directory Domain Controller?
Thank you!
http://helpcenter.veeam.com/backup/80/v ... sions.html
But with Active Directory controllers, they obviously don't have their machine specific "administrators" group any more, and when we remove the user from "domain admins", we get this error:
"Failed to prepare guest for hot backup. Error: Failed to connect to guest agent. Errors: 'Cannot connect to the host's administrative share."
What is the least privileged rights we can use to backup an Active Directory Domain Controller?
Thank you!
-
- Product Manager
- Posts: 6551
- Liked: 765 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: Domain Controller required user backup permissions
Hi,
Unfortunately, Domain Admin rights are needed in order to perform DC backup.
Thank you.
Unfortunately, Domain Admin rights are needed in order to perform DC backup.
Thank you.
-
- Expert
- Posts: 125
- Liked: 3 times
- Joined: Mar 23, 2009 4:44 pm
- Full Name: Matt
- Contact:
Re: Domain Controller required user backup permissions
Thank you very much for the quick reply.
I assume best practice advice from Veeam would then be to use a service account specific to this requirement, rotate the password, and then use a powershell script as referenced below to trigger the update of the Veeam credential side?
http://helpcenter.veeam.com/backup/80/p ... tials.html
I assume best practice advice from Veeam would then be to use a service account specific to this requirement, rotate the password, and then use a powershell script as referenced below to trigger the update of the Veeam credential side?
http://helpcenter.veeam.com/backup/80/p ... tials.html
-
- Product Manager
- Posts: 6551
- Liked: 765 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: Domain Controller required user backup permissions
I'm not sure that I fully understand what are you trying to accomplish. Do you have some concerns regarding the usage of an Domain Admin account? Could you elaborate a little bit please?
-
- Expert
- Posts: 125
- Liked: 3 times
- Joined: Mar 23, 2009 4:44 pm
- Full Name: Matt
- Contact:
Re: Domain Controller required user backup permissions
I was just suggesting that since we need to use a Domain Admin account, that we'd rotate the accounts password on regular basis and use the Veeam powershell command provided to keep it in sync with the password rotation.
-
- Product Manager
- Posts: 6551
- Liked: 765 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: Domain Controller required user backup permissions
Sure, you can keep your credentials relevant with the help of a powershell cmdlet you've mentioned. On the other hand, I don't think it's a big deal to manually edit one password once in couple of weeks, especially if talking about Domain Admin password, not to mention that I'd be very careful when incorporating plain text Domain Admin's password into some script...anyway, it's up to you whether to script or not to script password updates.
Thank you.
Thank you.
-
- Expert
- Posts: 138
- Liked: 10 times
- Joined: Jul 17, 2015 9:02 am
- Full Name: Glenn L
- Contact:
Re: Domain Controller required user backup permissions
I am looking into backing up my Domain Controllers as well, and getting the VIX error about connecting to the share.
When you say the Domain Admin account is need for a successful backup (I have App Aware backups enabled), is that any "service" account with Domain Admin privileges that I can use, or is it the actual "DomainName\Administrator" account that you are referring too?
When you say the Domain Admin account is need for a successful backup (I have App Aware backups enabled), is that any "service" account with Domain Admin privileges that I can use, or is it the actual "DomainName\Administrator" account that you are referring too?
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Domain Controller required user backup permissions
Account with Domain Admin privileges should be sufficient, provided you have UAC disabled on the VM.
-
- Expert
- Posts: 138
- Liked: 10 times
- Joined: Jul 17, 2015 9:02 am
- Full Name: Glenn L
- Contact:
Re: Domain Controller required user backup permissions
OK, and if we cannot disable UAC because of security policy, and there is no local administrator account as it's a Domain Controller, how do we back it up then?
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Domain Controller required user backup permissions
Using the domain’s built-in Administrator account.
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Jan 14, 2016 4:56 pm
- Full Name: Paolo Magnolfi
- Contact:
[MERGED]: Veeam Backup Domain Controller
Good morning,
I'm using VB&R with no problem. I now need to backup also a VM domain controller using Veeam.
For all Windows VM that I backup with veeam I use a "service account" as guest OS credential.
The service account is put in local Administrators group for each VM.
How can I use the same service account to backup a DC?
I try to put it in the Domain Admins group, but the backup failed, for the moment I solve the problem using the domain administrator account as guest os credential for the DC.
I'm using VB&R with no problem. I now need to backup also a VM domain controller using Veeam.
For all Windows VM that I backup with veeam I use a "service account" as guest OS credential.
The service account is put in local Administrators group for each VM.
How can I use the same service account to backup a DC?
I try to put it in the Domain Admins group, but the backup failed, for the moment I solve the problem using the domain administrator account as guest os credential for the DC.
-
- Expert
- Posts: 138
- Liked: 10 times
- Joined: Jul 17, 2015 9:02 am
- Full Name: Glenn L
- Contact:
Re: Domain Controller required user backup permissions
Disable UAC on the Domain Controller if you are using a Service Account. Otherwise use the actual Domain Administrator account, i.e. DomainName\Administrator.
-
- Veteran
- Posts: 942
- Liked: 53 times
- Joined: Nov 05, 2009 12:24 pm
- Location: Sydney, NSW
- Contact:
[MERGED] Service Account credentials to backup Domain Contro
Hi All,
I've already created DOMAIN\service-VBR account for backing up the other VM, I have added it to the local administrators for all servers. But somehow I cannot find the local administrators group for the domain controllers ?
So how can I successfully backup AD domain controllers with Veeam ?
Using DOMAIN\Administrator account is prohibited by the security team due to PCI compliance.
I've already created DOMAIN\service-VBR account for backing up the other VM, I have added it to the local administrators for all servers. But somehow I cannot find the local administrators group for the domain controllers ?
So how can I successfully backup AD domain controllers with Veeam ?
Using DOMAIN\Administrator account is prohibited by the security team due to PCI compliance.
--
/* Veeam software enthusiast user & supporter ! */
/* Veeam software enthusiast user & supporter ! */
-
- Expert
- Posts: 138
- Liked: 10 times
- Joined: Jul 17, 2015 9:02 am
- Full Name: Glenn L
- Contact:
Re: Domain Controller required user backup permissions
Domain Controllers do not have the "local" Administrators Group like a standard Domain joined server has. Can you disable UAC on the Domain Controller and then try again with the service account?
-
- Service Provider
- Posts: 252
- Liked: 20 times
- Joined: Aug 02, 2011 9:30 pm
- Full Name: Matjaž Antloga
- Location: Celje, Slovenia
- Contact:
Re: Domain Controller required user backup permissions
I've read this in some other post: "You can use VMTools (for VMWare) or Hyper-V Native Quiescence which means VMWare or Hyper-V will inform the guest to take a VSS snapshot rather than Veeam."
So Q now is: Can we simply use Quiescence mode to backup domain controllers?
So Q now is: Can we simply use Quiescence mode to backup domain controllers?
-
- Service Provider
- Posts: 372
- Liked: 120 times
- Joined: Nov 25, 2016 1:56 pm
- Full Name: Mihkel Soomere
- Contact:
Re: Domain Controller required user backup permissions
Add your Veeam guest service account user to "BUILTIN\Administrators" group in "Builtin" OU, it is considered local Administrators on all DCs.
Quiescence should work fine as AD is VSS aware.
Quiescence should work fine as AD is VSS aware.
-
- Enthusiast
- Posts: 80
- Liked: 7 times
- Joined: Aug 11, 2015 9:10 am
- Full Name: Bilal AHmed
- Contact:
Re: Domain Controller required user backup permissions
Ok, I am having DC backup issues.
Some of my DCs back up application aware fine, but some do not. None of them allow VIX, but they all pass the RPC credentials check.
IF I disable UAC VIX passes, but all my DCs are set to level 3 and some of them backup via RPC fine. We do not really want to disable UAC on them, the service is account for Veeam is in Domain Admins too, yet the issue persists.
I have tried adding the account into BUIltIN\Adminsitrators and then re-enabling UAC and VIX fails .
I cant figure out why some DCs are backing up fine and some are not. I can't seem to figure out what the differences are. They are all 2008R2 Dcs with a 2003 forest level, they are currently on slightly different patch levels.
Case # 02975554 if anyone wants to have a look, I am out of ideas. I guess i do not need to back up every DC, but I would like to simply because I am paying for Veeam and want to use the features it provides ha
Some of my DCs back up application aware fine, but some do not. None of them allow VIX, but they all pass the RPC credentials check.
IF I disable UAC VIX passes, but all my DCs are set to level 3 and some of them backup via RPC fine. We do not really want to disable UAC on them, the service is account for Veeam is in Domain Admins too, yet the issue persists.
I have tried adding the account into BUIltIN\Adminsitrators and then re-enabling UAC and VIX fails .
I cant figure out why some DCs are backing up fine and some are not. I can't seem to figure out what the differences are. They are all 2008R2 Dcs with a 2003 forest level, they are currently on slightly different patch levels.
Case # 02975554 if anyone wants to have a look, I am out of ideas. I guess i do not need to back up every DC, but I would like to simply because I am paying for Veeam and want to use the features it provides ha
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Domain Controller required user backup permissions
Hi Bilal, for backup over VIX, you either need to use built-in Administrator account (that is exempt from UAC) or disable UAC.
-
- Enthusiast
- Posts: 51
- Liked: never
- Joined: Sep 05, 2016 10:35 am
- Contact:
[MERGED] application-aware processing with domain controllers
Hello, I am trying to activate application-aware processing with the backup jobs of two virtual machines that are domain controllers and that are in another domain than Veeam Server, with which there is a bidirectional trust relationship.
I use a Domain Admin credentials to perform the test and give a warning checking standard credentials, via rpc is correct and via VIX gives errors.
Can I apply application-aware in these conditions?
Thank you.
I use a Domain Admin credentials to perform the test and give a warning checking standard credentials, via rpc is correct and via VIX gives errors.
Can I apply application-aware in these conditions?
Thank you.
-
- Product Manager
- Posts: 14726
- Liked: 1706 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: application-aware processing with domain controllers
Hello fll,
Please check the following:
1. Ensure that the account being used by Veeam is a member of the Local Administrators group on the VM that is to be backed up
2. If the account is not named Administrator, make sure that UAC on the Guest OS is disabled
Please check the following:
1. Ensure that the account being used by Veeam is a member of the Local Administrators group on the VM that is to be backed up
2. If the account is not named Administrator, make sure that UAC on the Guest OS is disabled
-
- Enthusiast
- Posts: 51
- Liked: never
- Joined: Sep 05, 2016 10:35 am
- Contact:
Re: application-aware processing with domain controllers
There is no local admins group on a DC
The count name is administrador.
Thanks
The count name is administrador.
Thanks
-
- Product Manager
- Posts: 14726
- Liked: 1706 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: application-aware processing with domain controllers
fll,
To double check, you have VMware tools installed on both hosts, right?
To double check, you have VMware tools installed on both hosts, right?
-
- Enthusiast
- Posts: 51
- Liked: never
- Joined: Sep 05, 2016 10:35 am
- Contact:
-
- Product Manager
- Posts: 14726
- Liked: 1706 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: application-aware processing with domain controllers
Hi fll.
Looks like all requirements are met and VIX should used. May I ask you to open a support case and investigate this problem with our support team? Please do not forget to share the case ID in this thread for future reference. Thank you in advance.
Looks like all requirements are met and VIX should used. May I ask you to open a support case and investigate this problem with our support team? Please do not forget to share the case ID in this thread for future reference. Thank you in advance.
-
- Enthusiast
- Posts: 51
- Liked: never
- Joined: Sep 05, 2016 10:35 am
- Contact:
Re: application-aware processing with domain controllers
Hi, thanks for the answers.
Despite a warning I have released a backup job and it has not given me errors.
With the rpc connection it has been enough.
Thanks.
Despite a warning I have released a backup job and it has not given me errors.
With the rpc connection it has been enough.
Thanks.
-
- Influencer
- Posts: 10
- Liked: 1 time
- Joined: Mar 04, 2019 4:38 pm
- Full Name: Al De
- Contact:
Re: application-aware processing with domain controllers
Is #2 a hard requirement for domain controller application-aware processing still in 9.5 Update 4? I couldn't find any other documentation that specified the account had to be named "administrator" if UAC is not disabled.
Even opened a support ticket and they pointed me to articles that said enterprise administrator or domain administrator membership would be enough.
-
- Influencer
- Posts: 10
- Liked: 1 time
- Joined: Mar 04, 2019 4:38 pm
- Full Name: Al De
- Contact:
Re: application-aware processing with domain controllers
Spoke with another Veeam support person and they clarified this.
The account named administrator or disabling the UAC is only for VIX application aware processing, which should only happen if RPC application aware processing fails.
RPC application aware processing requires certain ports open and the account credentials specified to be an enterprise admin or domain admin.
Some additional detail on the RPC ports: https://helpcenter.veeam.com/docs/backu ... 95u4#guest
Some additional detail on the VIX requirements: https://www.veeam.com/kb1788
The account named administrator or disabling the UAC is only for VIX application aware processing, which should only happen if RPC application aware processing fails.
RPC application aware processing requires certain ports open and the account credentials specified to be an enterprise admin or domain admin.
Some additional detail on the RPC ports: https://helpcenter.veeam.com/docs/backu ... 95u4#guest
Some additional detail on the VIX requirements: https://www.veeam.com/kb1788
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Domain Controller required user backup permissions
Correct, this is a VIX-specific requirement for cases where account that is not the built-in Administrator account (that is exempt from UAC) is used.
Who is online
Users browsing this forum: No registered users and 39 guests