How to backup windows with AAIP

[matteu]

Hello,

I would like to know what is the best to backup all windows VM with AAIP enabled.

I know I need to create service account and put it on local admin group of all my VMs.
There is one issue for this : Domain controller.... That means the account need to be domain admin.

Maybe I missed something ?

I do some search and I find 2 workarrounds :
-Veeam agent on domain controllers
-Persistent agent on domain controller. On this workaround, I need to deploy veeam installer service only and when job occurs, agent will be deployed without the AAIP account configured in the job need any permission on my DC right ?

I think the second way could be perfect for all my future installations if it works like I think ! I will not need the service account on domain admin group...

Thanks for your answer

[Regnor]

You don't need to give the backup user domain administrator rights; it's sufficient when you add the account to the Builtin administrator ggroup.
The persistent agent only changes the way how you connect to the VM, but you still need the necessary permissions.

[Mildur]

Builtin administrator ggroup.

This group doesn‘t exist on a domain controller. That‘s matteus main issue in his request.

I am not sure, if using the persistent guest agent will allow you to use AAIP without a user account.

@matteu
I recommend to test your both workarounds and see if AAIP is working and test restore to a isolated network will bring the domain controller back.

[matteu]

Thanks for your answer.

built in administrator exists on domain controller but when you are member of this group, you are domain controler admin.
When you are domain controller admin, you can give yourself domain admin permission.
It's a big problem

I'll try to test it and say you.

[matteu]

You were right

Peristent agent is just to avoid to deploy it again and again. It doesn't change anything about how AAIP is done and account with admin right is needed.

Is there any way to veeam agent to avoid it ? I don't think but maybe someone has an other answer

[Regnor]

This group doesn‘t exist on a domain controller. That‘s matteus main issue in his request.

It does exist But I wasn't sure that with being a member of this group you can also add yourself to the domain admin group.

Using the Veeam agent could work, but you cannot manage/update the agent from VBR if you don't have an administrative account for your DC.

[matteu]

My issue is not really to have or not have domain admin account.
My issue is to not store domain admin credentials in veeam credential vault for security reason

And unfortunately there is only veeam agent for this

You can deploy pre installed agent to avoid veeam to know domain controller credential and you can probably then upgrade it on new version... I never tried it but I suppose it should work.