Discussions specific to the VMware vSphere hypervisor
mdornfeld
Expert
Posts: 125
Liked: 2 times
Joined: Mar 23, 2009 4:44 pm
Full Name: Matt
Contact:

Domain Controller required user backup permissions

Post by mdornfeld » Aug 26, 2015 1:29 pm

We're trying to go to least privileged user access required to do backups, and we've generally just been putting the user in the "Administrators" group of a VM as shown here:
http://helpcenter.veeam.com/backup/80/v ... sions.html

But with Active Directory controllers, they obviously don't have their machine specific "administrators" group any more, and when we remove the user from "domain admins", we get this error:
"Failed to prepare guest for hot backup. Error: Failed to connect to guest agent. Errors: 'Cannot connect to the host's administrative share."

What are the least privileged rights we can use to back up an Active Directory Domain Controller?

Thank you!

P.Tide
Product Manager
Posts: 5304
Liked: 466 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: Domain Controller required user backup permissions

Post by P.Tide » Aug 26, 2015 1:50 pm

Hi,

Unfortunately, Domain Admin rights are needed in order to perform DC backup.

Thank you.


Re: Domain Controller required user backup permissions

Post by mdornfeld » Aug 26, 2015 1:56 pm

Thank you very much for the quick reply.

I assume best practice advice from Veeam would then be to use a service account specific to this requirement, rotate the password, and then use a powershell script as referenced below to trigger the update of the Veeam credential side?
http://helpcenter.veeam.com/backup/80/p ... tials.html


Re: Domain Controller required user backup permissions

Post by P.Tide » Aug 26, 2015 2:29 pm

I'm not sure that I fully understand what you are trying to accomplish. Do you have some concerns regarding the usage of a Domain Admin account? Could you elaborate a little bit please?


Re: Domain Controller required user backup permissions

Post by mdornfeld » Aug 26, 2015 3:21 pm 1 person likes this post

I was just suggesting that since we need to use a Domain Admin account, we'd rotate the account's password on a regular basis and use the Veeam PowerShell command provided to keep it in sync with the password rotation.


Re: Domain Controller required user backup permissions

Post by P.Tide » Aug 26, 2015 3:46 pm

Sure, you can keep your credentials relevant with the help of the PowerShell cmdlet you've mentioned. On the other hand, I don't think it's a big deal to manually edit one password once in a couple of weeks, especially if talking about a Domain Admin password, not to mention that I'd be very careful when incorporating a plain text Domain Admin's password into some script... Anyway, it's up to you whether to script or not to script password updates.

Thank you.
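
The rotation discussed in the posts above, as an added example that is not part of the original thread and not Veeam's own code. It generates the new password at run time so that no password is stored in the script; the account name `svc-veeam-guest`, the domain `CORP`, and running it on the backup server with the v8/v9 PowerShell snap-in loaded are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Assumptions: the service account and domain names below are
# hypothetical, and the operator running this may reset that account's password.
$ErrorActionPreference = 'Stop'
$Sam     = 'svc-veeam-guest'     # hypothetical sAMAccountName
$VbrName = "CORP\$Sam"           # user name of the record in Veeam's credential manager

Add-PSSnapin VeeamPSSnapin       # snap-in used by v8/v9.x; later releases ship a module

function New-RandomPassword {
    param([int]$Bytes = 24)
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buf) } finally { $rng.Dispose() }
    [Convert]::ToBase64String($buf)   # 32 characters drawn from A-Z a-z 0-9 + /
}

# Refuse to continue unless exactly one stored credential matches.
$cred = @(Get-VBRCredentials -Name $VbrName)
if ($cred.Count -ne 1) {
    throw "Expected exactly one Veeam credential named '$VbrName', found $($cred.Count)."
}

$plain  = New-RandomPassword
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

# Step 1: reset the password in Active Directory.
Set-ADAccountPassword -Identity $Sam -Reset -NewPassword $secure

# Step 2: update the stored credential. If this fails the two are out of sync,
# so surface that clearly instead of leaving jobs to fail at the next run.
try {
    Set-VBRCredentials -Credential $cred[0] -Password $plain | Out-Null
}
catch {
    throw "AD password for $Sam was reset but the Veeam record was not updated: $_"
}

Write-Output "Rotated $Sam and updated the Veeam credential record at $(Get-Date -Format s)."
```

Run it from a scheduled task under an identity that is delegated only the password reset on this one account, and alert on the failure message from step 2.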

btmaus
Expert
Posts: 138
Liked: 10 times
Joined: Jul 17, 2015 9:02 am
Full Name: Glenn L
Contact:

Re: Domain Controller required user backup permissions

Post by btmaus » Sep 23, 2015 2:09 am

I am looking into backing up my Domain Controllers as well, and getting the VIX error about connecting to the share.

When you say the Domain Admin account is needed for a successful backup (I have App Aware backups enabled), is that any "service" account with Domain Admin privileges that I can use, or is it the actual "DomainName\Administrator" account that you are referring to?

foggy
Veeam Software
Posts: 18348
Liked: 1575 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Domain Controller required user backup permissions

Post by foggy » Sep 23, 2015 9:42 am

Account with Domain Admin privileges should be sufficient, provided you have UAC disabled on the VM.


Re: Domain Controller required user backup permissions

Post by btmaus » Sep 24, 2015 3:33 am

OK, and if we cannot disable UAC because of security policy, and there is no local administrator account as it's a Domain Controller, how do we back it up then?


Re: Domain Controller required user backup permissions

Post by foggy » Sep 24, 2015 9:17 am

Using the domain’s built-in Administrator account.

pmagnolfi
Lurker
Posts: 1
Liked: never
Joined: Jan 14, 2016 4:56 pm
Full Name: Paolo Magnolfi
Contact:

[MERGED]: Veeam Backup Domain Controller

Post by pmagnolfi » Jan 14, 2016 5:02 pm

Good morning,

I'm using VB&R with no problem. I now also need to back up a VM domain controller using Veeam.
For all Windows VMs that I back up with Veeam I use a "service account" as guest OS credential.
The service account is put in the local Administrators group for each VM.
How can I use the same service account to back up a DC?
I tried to put it in the Domain Admins group, but the backup failed; for the moment I solved the problem by using the domain administrator account as guest OS credential for the DC.


Re: Domain Controller required user backup permissions

Post by btmaus » Jan 14, 2016 8:39 pm 1 person likes this post

Disable UAC on the Domain Controller if you are using a Service Account. Otherwise use the actual Domain Administrator account, i.e. DomainName\Administrator.

albertwt
Expert
Posts: 641
Liked: 20 times
Joined: Nov 05, 2009 12:24 pm
Location: Sydney, NSW
Contact:

[MERGED] Service Account credentials to backup Domain Contro

Post by albertwt » Jun 01, 2016 11:16 am

Hi All,

I've already created a DOMAIN\service-VBR account for backing up the other VMs, and I have added it to the local administrators for all servers. But somehow I cannot find the local administrators group for the domain controllers?

So how can I successfully back up AD domain controllers with Veeam?

Using DOMAIN\Administrator account is prohibited by the security team due to PCI compliance.
--
/* Veeam software enthusiast user & supporter ! */


Re: Domain Controller required user backup permissions

Post by btmaus » Jun 01, 2016 4:53 pm

Domain Controllers do not have the "local" Administrators Group like a standard Domain joined server has. Can you disable UAC on the Domain Controller and then try again with the service account?

ortoscale
Service Provider
Posts: 213
Liked: 16 times
Joined: Aug 02, 2011 9:30 pm
Full Name: Matjaž Antloga
Location: Celje, Slovenia
Contact:

Re: Domain Controller required user backup permissions

Post by ortoscale » Jan 17, 2018 8:03 am

I've read this in some other post: "You can use VMTools (for VMWare) or Hyper-V Native Quiescence which means VMWare or Hyper-V will inform the guest to take a VSS snapshot rather than Veeam."
So Q now is: Can we simply use Quiescence mode to backup domain controllers?

DonZoomik
Expert
Posts: 130
Liked: 32 times
Joined: Nov 25, 2016 1:56 pm
Contact:

Re: Domain Controller required user backup permissions

Post by DonZoomik » Jan 17, 2018 2:04 pm

Add your Veeam guest service account user to "BUILTIN\Administrators" group in "Builtin" OU, it is considered local Administrators on all DCs.
Quiescence should work fine as AD is VSS aware.

pidthepiper
Enthusiast
Posts: 80
Liked: 7 times
Joined: Aug 11, 2015 9:10 am
Full Name: Bilal AHmed
Contact:

Re: Domain Controller required user backup permissions

Post by pidthepiper » May 16, 2018 4:10 pm

Ok, I am having DC backup issues.

Some of my DCs back up application aware fine, but some do not. None of them allow VIX, but they all pass the RPC credentials check.

If I disable UAC, VIX passes, but all my DCs are set to level 3 and some of them back up via RPC fine. We do not really want to disable UAC on them. The service account for Veeam is in Domain Admins too, yet the issue persists.

I have tried adding the account into BUILTIN\Administrators and then re-enabling UAC, and VIX fails.

I can't figure out why some DCs are backing up fine and some are not. I can't seem to figure out what the differences are. They are all 2008R2 DCs with a 2003 forest level; they are currently on slightly different patch levels.

Case # 02975554 if anyone wants to have a look, I am out of ideas. I guess I do not need to back up every DC, but I would like to simply because I am paying for Veeam and want to use the features it provides ha


Re: Domain Controller required user backup permissions

Post by foggy » May 17, 2018 5:15 pm

Hi Bilal, for backup over VIX, you either need to use built-in Administrator account (that is exempt from UAC) or disable UAC.

fll
Enthusiast
Posts: 37
Liked: never
Joined: Sep 05, 2016 10:35 am
Contact:

[MERGED] application-aware processing with domain controllers

Post by fll » Jun 20, 2018 12:21 pm

Hello, I am trying to activate application-aware processing with the backup jobs of two virtual machines that are domain controllers and that are in another domain than Veeam Server, with which there is a bidirectional trust relationship.
I use Domain Admin credentials to perform the test, and it gives a warning when checking standard credentials: via RPC it is correct, and via VIX it gives errors.
Can I apply application-aware in these conditions?

Thank you.

Dima P.
Product Manager
Posts: 10605
Liked: 871 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: application-aware processing with domain controllers

Post by Dima P. » Jun 20, 2018 1:31 pm

Hello fll,

Please check the following:

1. Ensure that the account being used by Veeam is a member of the Local Administrators group on the VM that is to be backed up
2. If the account is not named Administrator, make sure that UAC on the Guest OS is disabled


Re: application-aware processing with domain controllers

Post by fll » Jun 20, 2018 1:55 pm

There is no local admins group on a DC.
The account name is administrador.
Thanks


Re: application-aware processing with domain controllers

Post by Dima P. » Jun 20, 2018 3:24 pm

fll,

To double check, you have VMware tools installed on both hosts, right?


Re: application-aware processing with domain controllers

Post by fll » Jun 20, 2018 4:19 pm

Yes.


Re: application-aware processing with domain controllers

Post by Dima P. » Jun 21, 2018 2:33 pm

Hi fll.

Looks like all requirements are met and VIX should be used. May I ask you to open a support case and investigate this problem with our support team? Please do not forget to share the case ID in this thread for future reference. Thank you in advance.


Re: application-aware processing with domain controllers

Post by fll » Jun 27, 2018 2:38 pm

Hi, thanks for the answers.
Despite a warning I have released a backup job and it has not given me errors.
With the rpc connection it has been enough.

Thanks.

adelino
Influencer
Posts: 10
Liked: 1 time
Joined: Mar 04, 2019 4:38 pm
Full Name: Al De
Contact:

Re: application-aware processing with domain controllers

Post by adelino » Apr 18, 2019 2:24 am

Dima P. wrote (Jun 20, 2018 1:31 pm):
Hello fll,

Please check the following:

1. Ensure that the account being used by Veeam is a member of the Local Administrators group on the VM that is to be backed up
2. If the account is not named Administrator, make sure that UAC on the Guest OS is disabled

Is #2 a hard requirement for domain controller application-aware processing still in 9.5 Update 4? I couldn't find any other documentation that specified the account had to be named "administrator" if UAC is not disabled.

Even opened a support ticket and they pointed me to articles that said enterprise administrator or domain administrator membership would be enough.


Re: application-aware processing with domain controllers

Post by adelino » Apr 18, 2019 11:28 pm 1 person likes this post

Spoke with another Veeam support person and they clarified this.

The account named administrator or disabling the UAC is only for VIX application aware processing, which should only happen if RPC application aware processing fails.

RPC application aware processing requires certain ports open and the account credentials specified to be an enterprise admin or domain admin.

Some additional detail on the RPC ports: https://helpcenter.veeam.com/docs/backu ... 95u4#guest
Some additional detail on the VIX requirements: https://www.veeam.com/kb1788


Re: Domain Controller required user backup permissions

Post by foggy » Apr 19, 2019 12:50 pm

Correct, this is a VIX-specific requirement for cases where an account that is not the built-in Administrator account (that is exempt from UAC) is used.
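
A pre-flight check for the RPC and VIX conditions summarised in the last few posts, as an added example that is not part of the original thread and not Veeam's own tooling. The DC name, the account name, WinRM access to the DC, and the choice of TCP 135 and 445 as the fixed ports to probe are assumptions; the linked Veeam documentation has the full port list.

```powershell
#Requires -Modules ActiveDirectory
# Added example. $Dc and $Account are hypothetical; WinRM to the DC is assumed.
param(
    [string]$Dc      = 'dc01.corp.example',
    [string]$Account = 'svc-veeam-guest'
)

$user = Get-ADUser -Identity $Account

# Effective (nested) membership in the groups named in the thread.
$inGroup = @{}
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    try   { $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop }
    catch { $members = @() }    # e.g. Enterprise Admins is absent in a child domain
    $inGroup[$g] = [bool]($members | Where-Object { $_.SID.Value -eq $user.SID.Value })
}

# The built-in Administrator always has RID 500, even when renamed or localized.
$isBuiltInAdmin = $user.SID.Value.EndsWith('-500')

# EnableLUA = 0 means UAC is switched off on the DC.
$enableLua = Invoke-Command -ComputerName $Dc -ScriptBlock {
    (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
}

# Fixed ports only: RPC endpoint mapper (135) and SMB for the admin share (445).
$open = @{}
foreach ($p in 135, 445) {
    $open[$p] = (Test-NetConnection -ComputerName $Dc -Port $p `
                 -WarningAction SilentlyContinue).TcpTestSucceeded
}

$isDaOrEa = $inGroup['Domain Admins'] -or $inGroup['Enterprise Admins']

[pscustomobject]@{
    Account               = $user.SamAccountName
    DomainOrEnterpriseAdm = $isDaOrEa
    BuiltinAdministrators = $inGroup['Administrators']
    BuiltInAdministrator  = $isBuiltInAdmin
    UacEnabledOnDc        = [bool]$enableLua
    Tcp135Open            = $open[135]
    Tcp445Open            = $open[445]
    # Conditions as stated in the thread, not a guarantee that a job succeeds.
    RpcPrerequisitesMet   = $isDaOrEa -and $open[135] -and $open[445]
    VixPrerequisitesMet   = $isBuiltInAdmin -or -not $enableLua
}
```

If `RpcPrerequisitesMet` is true, the VIX warning in the credentials test can be expected without UAC being disabled, which matches what fll and adelino report above.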
