Domain Controller required user backup permissions

VMware specific discussions

Domain Controller required user backup permissions

Veeam Logoby mdornfeld » Wed Aug 26, 2015 1:29 pm

We're trying to go to least privileged user access required to do backups, and we've generally just been putting the user in the "Administrators" group of a VM as shown here:
http://helpcenter.veeam.com/backup/80/v ... sions.html

But with Active Directory controllers, they obviously don't have their machine specific "administrators" group any more, and when we remove the user from "domain admins", we get this error:
"Failed to prepare guest for hot backup. Error: Failed to connect to guest agent. Errors: 'Cannot connect to the host's administrative share."

What is the least privileged rights we can use to backup an Active Directory Domain Controller?

Thank you!
mdornfeld
Expert
 
Posts: 125
Liked: 2 times
Joined: Mon Mar 23, 2009 4:44 pm
Full Name: Matt

Re: Domain Controller required user backup permissions

Veeam Logoby PTide » Wed Aug 26, 2015 1:50 pm

Hi,

Unfortunately, Domain Admin rights are needed in order to perform DC backup.

Thank you.
PTide
Veeam Software
 
Posts: 3017
Liked: 245 times
Joined: Tue May 19, 2015 1:46 pm

Re: Domain Controller required user backup permissions

Veeam Logoby mdornfeld » Wed Aug 26, 2015 1:56 pm

Thank you very much for the quick reply.

I assume best practice advice from Veeam would then be to use a service account specific to this requirement, rotate the password, and then use a powershell script as referenced below to trigger the update of the Veeam credential side?
http://helpcenter.veeam.com/backup/80/p ... tials.html
mdornfeld
Expert
 
Posts: 125
Liked: 2 times
Joined: Mon Mar 23, 2009 4:44 pm
Full Name: Matt

Re: Domain Controller required user backup permissions

Veeam Logoby PTide » Wed Aug 26, 2015 2:29 pm

I'm not sure that I fully understand what are you trying to accomplish. Do you have some concerns regarding the usage of an Domain Admin account? Could you elaborate a little bit please?
PTide
Veeam Software
 
Posts: 3017
Liked: 245 times
Joined: Tue May 19, 2015 1:46 pm

Re: Domain Controller required user backup permissions

Veeam Logoby mdornfeld » Wed Aug 26, 2015 3:21 pm 1 person likes this post

I was just suggesting that since we need to use a Domain Admin account, that we'd rotate the accounts password on regular basis and use the Veeam powershell command provided to keep it in sync with the password rotation.
mdornfeld
Expert
 
Posts: 125
Liked: 2 times
Joined: Mon Mar 23, 2009 4:44 pm
Full Name: Matt

Re: Domain Controller required user backup permissions

Veeam Logoby PTide » Wed Aug 26, 2015 3:46 pm

Sure, you can keep your credentials relevant with the help of a powershell cmdlet you've mentioned. On the other hand, I don't think it's a big deal to manually edit one password once in couple of weeks, especially if talking about Domain Admin password, not to mention that I'd be very careful when incorporating plain text Domain Admin's password into some script...anyway, it's up to you whether to script or not to script password updates.

Thank you.
PTide
Veeam Software
 
Posts: 3017
Liked: 245 times
Joined: Tue May 19, 2015 1:46 pm

Re: Domain Controller required user backup permissions

Veeam Logoby btmaus » Wed Sep 23, 2015 2:09 am

I am looking into backing up my Domain Controllers as well, and getting the VIX error about connecting to the share.

When you say the Domain Admin account is need for a successful backup (I have App Aware backups enabled), is that any "service" account with Domain Admin privileges that I can use, or is it the actual "DomainName\Administrator" account that you are referring too?
btmaus
Expert
 
Posts: 128
Liked: 9 times
Joined: Fri Jul 17, 2015 9:02 am
Full Name: Glenn L

Re: Domain Controller required user backup permissions

Veeam Logoby foggy » Wed Sep 23, 2015 9:42 am

Account with Domain Admin privileges should be sufficient, provided you have UAC disabled on the VM.
foggy
Veeam Software
 
Posts: 14716
Liked: 1075 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Domain Controller required user backup permissions

Veeam Logoby btmaus » Thu Sep 24, 2015 3:33 am

OK, and if we cannot disable UAC because of security policy, and there is no local administrator account as it's a Domain Controller, how do we back it up then?
btmaus
Expert
 
Posts: 128
Liked: 9 times
Joined: Fri Jul 17, 2015 9:02 am
Full Name: Glenn L

Re: Domain Controller required user backup permissions

Veeam Logoby foggy » Thu Sep 24, 2015 9:17 am

Using the domain’s built-in Administrator account.
foggy
Veeam Software
 
Posts: 14716
Liked: 1075 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

[MERGED]: Veeam Backup Domain Controller

Veeam Logoby pmagnolfi » Thu Jan 14, 2016 5:02 pm

Good morning,

I'm using VB&R with no problem. I now need to backup also a VM domain controller using Veeam.
For all Windows VM that I backup with veeam I use a "service account" as guest OS credential.
The service account is put in local Administrators group for each VM.
How can I use the same service account to backup a DC?
I try to put it in the Domain Admins group, but the backup failed, for the moment I solve the problem using the domain administrator account as guest os credential for the DC.
pmagnolfi
Lurker
 
Posts: 1
Liked: never
Joined: Thu Jan 14, 2016 4:56 pm
Full Name: Paolo Magnolfi

Re: Domain Controller required user backup permissions

Veeam Logoby btmaus » Thu Jan 14, 2016 8:39 pm 1 person likes this post

Disable UAC on the Domain Controller if you are using a Service Account. Otherwise use the actual Domain Administrator account, i.e. DomainName\Administrator.
btmaus
Expert
 
Posts: 128
Liked: 9 times
Joined: Fri Jul 17, 2015 9:02 am
Full Name: Glenn L

[MERGED] Service Account credentials to backup Domain Contro

Veeam Logoby albertwt » Wed Jun 01, 2016 11:16 am

Hi All,

I've already created DOMAIN\service-VBR account for backing up the other VM, I have added it to the local administrators for all servers. But somehow I cannot find the local administrators group for the domain controllers ?

So how can I successfully backup AD domain controllers with Veeam ?

Using DOMAIN\Administrator account is prohibited by the security team due to PCI compliance.
--
/* Veeam software enthusiast user & supporter ! */
albertwt
Expert
 
Posts: 603
Liked: 19 times
Joined: Thu Nov 05, 2009 12:24 pm
Location: Sydney, NSW

Re: Domain Controller required user backup permissions

Veeam Logoby btmaus » Wed Jun 01, 2016 4:53 pm

Domain Controllers do not have the "local" Administrators Group like a standard Domain joined server has. Can you disable UAC on the Domain Controller and then try again with the service account?
btmaus
Expert
 
Posts: 128
Liked: 9 times
Joined: Fri Jul 17, 2015 9:02 am
Full Name: Glenn L


Return to VMware vSphere



Who is online

Users browsing this forum: Bing [Bot], SAMbI4 and 27 guests