Skip to main content

Introduction

In the first of 4 blog posts of this [Migrate Veeam Infrastructure Off Production Domain series], we described the fundamental security reasons behind moving the Veeam infrastructure components OFF Production domain.

 

In this blog post, we will provide step by step guidance for moving a Veeam Backup and Replication™️ (VBR) infrastructure to Child Domain of the Production Domain.

 

Disclaimer: This is not intended to be a complete Security Best practice reference, nor does it address every possible scenario. A Veeam Solutions Architect can be engaged as needed to assist with VBR Security Best Practices, especially with complex deployments.

Setup

The scenario is comprised of the following servers:

  • A Production Domain Controller / DNS server
  • A Child Domain Controller server
  • 2 ESX hosts and 1 vCenter
  • Veeam Backup and Replication server (VBR) with local PostgreSQL database
  • Veeam Enterprise Manager server (VBEM) with local PostgreSQL database
  • Veeam Gateway server
  • Veeam Mount server
  • Veeam ONE server
  • Veeam Proxy server
  • Veeam Recovery Orchestrator server

 

All servers are currently joined to the Production Domain.

VBR is configured with multiple backup jobs.

 

Move VBR from a Production Domain to a Child Domain

In this scenario, like with many existing environments, Veeam components will have been deployed onto the Production Domain. This scenario describes how to better protect the Veeam environment by moving it into a Child Domain.

Though not an absolute requirement, this scenario will also cover changing the IP addresses of all Veeam servers.

 

Important Note:

Moving to a Child Domain only satisfies a requirement to be off Production Domain, however a Child Domain and its Parent have a two-way transitive trust; therefore, it is not the most secure option.

Moving Veeam to a Workgroup or onto a separate Backup Domain with a one-way trust to the Production Domain offer a better approach to security domain separation and will be addressed to the subsequent blog posts.

 

Assumptions

  • Production Domain (veeamhol.local) and Backup Domain (backup.veeamhol.local) setup as parent/Child Domains.
  • Production Domain and Child Domain each have their respective DNS server with adequate forwarders in place.
  • No change in hostnames, only changes in the FQDN for each component.
  • Veeam servers IPs will be changed.

Order of operations

This is the order in which we need to address the Veeam components for a successful move to a Child Domain.

  1. Enterprise Manager server
  2. Veeam Backup and Replication server
  3. All other Veeam components

Enterprise Manager

  • Log into Enterprise Manager Server as a local account Administrator to avoid issues while getting off the Production Domain.
  • Export the Enterprise Manager Keyset and store it in a safe location as per the user guide.
  • Add the local administrator user as a portal administrator.
  • Identify and backup the Enterprise Manager Configuration database (see kb1471).

We will use the DBconfig utility.

  • Stop all Veeam Services and set to disabled.
  • Backup the Enterprise Manager database using pgdump from an elevated powershell console to the directory of your choice.

& "C:\Program Files\PostgreSQL\15\BIN\pg_dump.exe" -U postgres -F c -b -f "C:\BACKUPS\VBEM DB BACKUP\PGDBBackup_$($env:computername)_$(get-date -f yyyy-MM-dd_HH.mm).sql" VeeamBackupReporting

  • Remove the Enterprise Manager server from the Production Domain and reboot.
  • Ensure that the Enterprise Manager server was properly removed from the Production Domain.
  • Change the Enterprise Manager’s IP address.
  • Regardless of IP change, update the Enterprise Manager Server’s DNS with the Child Domain’s DNS.
  • Join the Child Domain and reboot.
  • Validate that you can still connect to the database with DBconfig.

Note: If you run into a “SSPI authentication failed for user” then modify the pg_ident.conf with the Child Domain’s account used to log in.

For instance, you can add both the local administrator and the Child Domain’s account used to login to Enterprise Manager to pg_ident.conf (see kb4542).

 

Note: To tighten the Postgres DB security, make sure to remove any Production Domain principals.

  • Edit the following registry keys with Enterprise Manager’s new FQDN.

HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup Reporting\EnterpriseServerName

HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup Reporting\XMLURL

  • Change the Veeam Services startup back to “Automatic (Delayed)” and start the services.
  • Note that HTTP access works but the certificate must be fixed to enable HTTPS access (see kb1168).
  • Make sure to add a Child Domain user as a portal administrator. Remove Production Domain accounts and groups.
  • Add a static DNS entry for Enterprise Manager on the Production Domain DNS so that name resolution works both with the old and new FQDN.
  • After VBR has been joined to the Child Domain, make sure to re-add it to Enterprise Manager.

Veeam Backup and Replication

  • Wait for all jobs to complete.
  • Backup the Veeam Backup and Replication server config. Make sure encryption is enabled.

 

  • Disable running jobs (CDP, T-Logs, BCJ …) and close the console.
  • Stop all Veeam Services and set them to “Disabled”.
  • Remove Veeam Backup and Replication server from the Production Domain and reboot.
  • Ensure that the Veeam Backup and Replication server was properly removed from the Production Domain.
  • Change the Veeam Backup and Replication server’s IP address and update its DNS with the Child Domain’s DNS.
  • Join the Child Domain, re-enable the Veeam Services and reboot.
  • Add a static DNS entry for Veeam Backup and Replication on the Production Domain DNS so that name resolution works both with the old and new FQDN.

Domain joined CDP Proxy

  • After joining the Backup Child Domain, add a static DNS entry on the Production DNS server.
  • Under Managed Server, update the CDP proxy credentials.
  • Note that the I/O filters are still managed by VBR registered with the Production FQDN.

 

Note: ​​​​​​Updating the CDP coordinator name

If there is no DNS entry for the Veeam Backup and Replication server on the Production Domain, then the CDP coordinator name must be updated.

Update the coordinator name in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam CDP Proxy Service\CoordinatorName

Restart the Veeam CDP Coordinator Service.

 

App-Aware Backups and Domain joined Guest Interaction Proxy

The Veeam documentation states that the guest interaction proxy must be part of the Production Domain for Application-Aware backups to function properly.

Since when creating a Child Domain, a two-ways transitive trust is automatically created with the parent domain, please note that application-aware backups will still operate. This won’t be the case for a Veeam Backup infrastructure that has been moved to a Workgroup or a separate Backup Domain.

 

Domain joined Proxy

  • Remove the proxy from the Production Domain and ensure that the server has been removed from the Production Domain AD.
  • Change the Veeam Backup and Replication server’s IP address and update its DNS with the Child Domain’s DNS.
  • Join the Child Domain.
  • Note that the proxy is no longer available.
  • Ensure proper DNS resolution by a static entry on your Production Domain’s DNS. Adding DNS suffix is also recommended.
  • Update the proxy server’s credentials using a Backup Domain or a local account.

 

Domain joined Gateway or Repository

  • Remove Veeam server from the Production Domain and reboot.
  • Ensure that the Veeam server was properly removed from the Production Domain.
  • Change the Veeam server’s IP address and update its DNS with the Child Domain’s DNS.
  • Join the Child Domain and reboot.
  • While backup operations may appear to function properly, note that the managed server cannot be reached properly and if acting as a gateway, the object store is inaccessible.

 

  • After joining the Backup Child Domain, add a static DNS entry on the Production DNS server.
  • Under Manager Servers, update the server’s credentials.

Summary

In this blog post, we provided detailed step by step instructions to Migrate the Veeam Infrastructure OFF the Production Domain onto a Child Domain.

Moving to a Child Domain only satisfies a requirement to be off Production Domain, however a Child Domain and its Parent have a two-way transitive trust; therefore, it is not the most secure option.

Moving Veeam to a Workgroup or onto a separate Backup Domain with a one-way trust to the Production Domain offer a better approach to security domain separation.

Stay tuned for part 3 and 4 of this series. Coming up next:

  • Migrate the Veeam Infrastructure from a Production Domain to a Backup Workgroup
  • Migrate the Veeam Infrastructure from a Production Forest/Domain to a Backup Forest/Domain

Love the second part @olivier.rossi as I am going through this now with migrating to a new domain for our Veeam servers.  😎


Sure, this topic need to save to my bookmark !

Merci @olivier.rossi !


Nice Details!


Comment