Which hosts need access to Admin$ for agent deployment?

[pkelly_sts]

I'm trying to continue backing up some VMs that have been moved into a DMZ & security (firewall) tightened up but wanted to confirm exactly which machines need the access.

So, given the following scenario, what needs access to admin$ on the backed-up VMs:

Primary Site:
FC SAN Storage (both VMFS & Backup volumes)
Physical B&R Server (Direct-attach SAN to local SAN) also a Proxy Server
Primary Proxy VM1
Primary Proxy VM2
Primary Proxy VM3

Job 1: Local Backup job + Backup Copy job (to DR site)

DR Site:
FC SAN Storage (both VMFS & Backup volumes)
Physical B&R Server (Direct-attach SAN to local DR SAN) Also a Proxy Server
DR Proxy VM1
DR Proxy VM2
DR Proxy VM3

Job 1: Local backup job (of a few smaller VMs) + Backup Copy job (to Primary site)
Job 2: Replica job, Source is Primary Site SAN, Destination is DR Site SAN

So, in the replication job running at the DR site but "pulling" from the primary site, which element uploads the agent files:
1) The DR B&R Server
2) The DR Proxy VMs
3) The Primary Site Proxy VMs (of which the Primary site B&R server is also a proxy for the DR site B&R)

Thanks,

Paul

[Vitaliy S.]

Hi Paul,

Direct network connection to the backed up VMs is not required, since interaction with Guest OS can be performed via VIX API (VMware Tools). As soon as backup server can reach your source ESXi hosts, then you should be fine.

Let me know if that helps!

[pkelly_sts]

Hmm, I think we've had a similar conversation before now that you say that. Thing is, in this case the VSS side of this job consistently fails (I've configured the job to ignore rather than fail on quiescing for now) so it seems the fail-to-VIX-if-needed doesn't appear to be working in our case.

I recall there's a way you can change the overall default to use VIX instead but I'd rather avoid that if I can.

Can you suggest anything I should look at before I log a call with support?

Paul

[foggy]

Paul, please note that either disabling UAC or using Domain Administrator account is required to perform application-aware image processing work over VIX.

[pkelly_sts]

Ah, thanks for that. I do remember seeing somewhere previously that "THE" Domain Admin account must be used and I deeply frowned upon it as a very bad thing (and still think so) but now I understand the reason, i.e. that it's the only other way around UAC other than disabling it, then this gives me something to go back to the security bods with & let them decide which they want to give up (if they want clean backups of course!).

Thanks,

Paul

[pkelly_sts]

Actually, there is still another option, that is to open the necessary ports to access Admin$ directly, i.e. my original thinking.

Knowing that, if we choose, we can avoid the need by disabling UAC, if TPTB don't want to give up either UAC or Domain Admin creds, then which hosts require access to Admin$, B&R server or source/destination proxies, or all of the above?

Regards,

Paul

[Vitaliy S.]

Backup server should have access to the Guest OS, as runtime process in the backed up VM is managed by the backup server. Thanks!

[pkelly_sts]

Thanks Vitaliy, I'll give that a go.

[ousturali]

Hi
we are trying to backup some vm's which have 2 Ethernet cards ,and the external ip address is firstly detected at virtual center ,
When we try to backup with veeam ,it tries to make connection to this external Ip address for backup and gives this error
""connect to the host's administrative share""

I could not find a way to change or this nic selection at veeam ,
how can this be achived ??

Thanks

[Vitaliy S.]

Direct network access to the backed up VM is not required, most likely you have a different issue, that prevents you from having successful backup job run.

[ousturali]

Hi Vitaliy,

I had read the above conversation ,according to the above info there are some options for succesfull backups
1-let the veaam server ,logon to the vm with admin credentals (yes all pc are in domain ,)
2-Veeam server can access each ESX server (they are in the same lan)
3-Disable UAC (yes this is also done )



but still the vm's which have more then 1 ethernet are having strange problems in backup.
But the other vm's do not have any problems while backip up.

any other ideas?

REgards.

[Vitaliy S.]

Number of NICs does not matter, your VMs can be even located in the DMZ with no network access at tall. Please let our technical team take a look at the debug logs, as it is hard to say what is wrong without seeing this info. BTW, do you have VMware tools up & running on these VMs? Are they up-to-date?