Veeam Backup & Replication: Backup of Microsoft Active Directory Domain Controller VMs
To backup a virtual machine, Veeam Backup & Replication needs two permissions:
- permission to access and backup the VM, as well as the
- permission to do specific tasks inside the VM
to guarantee a consistent backup. The former persmission is granted by the user account that is used to access the VMware vCenter server (sorry for the VMW focust at this point). Usually, this account has the Administrator role granted at the vCenter Server level. The latter permission is granted by a user account that has permissions inside the guest operating system.
Something I often see in customer environments is the usage of the Domain Administrator account. But why? Because everything works when this account is used!
There are two reasons for this:
- This account is part of the local Administrator group on every server and client
- customers tend to grant the Administrator role to the Domain Admins group on vCenter Server level
In simple words: Many customers use the same account to connect to the vCenter, and for the application-aware processing of Veeam Backup & Replication. At least for Windows servers backups.
Houston, we have a problem!
Everything is fine until customers have to secure their environments. One of the very first things customers do, is to protect the Administrator account. And at this point, things might go wrong.
Using a service account to connect to the vCenter server is easy. This can be any account from the Active Directory, or from the embedded VMware SSO domain. I tend to create a dedicated AD-based service account. For the necessary permissions in the vCenter, you can grant this account Administrator permissions, or you can create a new user role in the vCenter. Veeam offers a PDF document which documents the necessary permissions for the different Veeam tasks.
The next challenge is the application-aware processing. For Microsoft SQL Server, the user account must have the sysadmin privileges on the Microsoft SQL Server. For Microsoft Exchange, the user must be member of the local Administrator group. But in case of a Active Directory Domain Contoller things get complicated.
A Domain Controller does not have a local user database (SAM). So what user account or group membership is needed to backup a domain controller using application-aware processing?
This statement is from a great Veeam blog post:
Permissions: Administrative rights for target Active Directory. Account of an enterprise administrator or domain administrator.
So the service account used to backup a domain controller is one of the most powerful accounts in the active directory.
There is no other way. You need a Domain or Enterprise Administrator account. I tend to create a dedicated account for this task.
I recommend to create a service account to connect the vCenter, and which is added to the local Administrator group on the servers to backup, and I create a dedicated Domain/ Enterprise Administrator account to backup the virtual Domain Controllers.
The advantage is that I can change apply different fine-grained password policies to this accounts. Sure, you can add more security by creating more accounts for different servers, and applications, add a dedicated role to the vCenter for Veeam etc. But this apporach is easy enough to implement, and adds a significant amount of user account security to every environment that is still using DOMAIN\Administrator to backup their VMs.