... how to successfully use Windows Server 2025 with Veeam v13 in a workgroup
A well-known song by the famous Italian singer Domenico Modugno, called 'Meraviglioso', began like this:
È vero
Credetemi è accaduto
Di notte su di un ponte
Guardavo l'acqua scura
Con la dannata voglia
Di fare un tuffo giù
Introduction
Today I’m going to tell you a true story.
Last Saturday, a former colleague contacted me in order to request my help to resolve a complex situation involving one of his clients.
I'm turning into a superhero!
Situation
The architecture has been implemented with a Veeam Backup & Replication v13 server and a Veeam ONE server, both of which are operating in Workgroup on Windows Server 2025. The customer does not have a domain, and therefore no Active Directory from which vulnerabilities could be inherited. They don't have a DNS server, so I've configured hosts files on both servers.
Having verified that static IP addresses were configured as part of the same VLAN and that firewalls on the VMs were disabled (to be reactivated later with specific rules), the next step was to connect to the Veeam ONE web console to add VBR and start monitoring.
I open the console, enter the username and password of a user created specifically for this purpose, with local administration privileges on VBR, but after a few seconds this error appears:
The push of the Analytics Service package fails.
Task
OK, let's check the Veeam Knowledge Base and we find this KB4828. The guide suggests several solutions, including checking for permission issues, checking remote access to WMI, and disabling MFA for the account that has been created. So let's try lowering the UAC and enabling the LocalAccountTokenFilterPolicy key in the registry.
No luck. The Veeam ONE console kept showing the same error.
We then checked the Windows Event Viewer on the VBR server. And just as the connection was being attempted, I found this: Event ID 4625: Failed Logon Attempt.
The VBR server was rejecting the credentials. The user is in the Administrators group, I had also tried with the local Administrator, and the password is correct.
Action
So the problem isn't Veeam, and it isn't the credentials either. I'm just thinking logically.
Veeam ONE attempts to install the package on the VBR server by copying it to the hidden Admin$ share.
But I remember that with the new Veeam v13, the old NTLM, RPC and WMI protocols were replaced by Kerberos. I'll check the What's new file and find:
Microsoft RPC and Microsoft WMI discontinuation — V13 eliminates the usage of these protocols for communication between backup infrastructure components and to protected workloads in favor of cross-platform gRPC protocol. In addition to improving performance and reliability, this change reduces the number and the range of ports required for Veeam Backup & Replication to function, thereby reducing your network exposure to cyberattacks and simplifying deployment with reduced number of ports to open in firewalls. This does mean that you will need to work with your networking team to adjust firewall settings when upgrading to V13!NTLM authentication deprecation — NTLM usage for connection between backup infrastructure components and protected workloads is discontinued in V13 Software Appliance and is deprecated in V13 Windows installable software in favor of Kerberos authentication. This change improves security by eliminating legacy authentication protocols, reducing your exposure to known NTLM vulnerabilities and aligning with modern standards.
OK, so this means that Veeam tries Kerberos first. But as the virtual machines are in a workgroup with no Domain Controller to request a Kerberos ticket from, it switches to the old NTLM instead.
Windows Server 2025 has a problem with this. Microsoft has said that they are no longer developing the NTLM protocol and will be removing NTLMv1 in Windows Server 2025.
So, because I can't use remote deployment, I'm trying to find a way to do a manual installation. I can download the package, and then I copy it to the VBR server. Finally, I install it by following a few simple steps.
- Go to the Veeam ONE WebUI, click on Configuration > Data Collection > Veeam Analytics Service.
- Click on Download package and select Windows.
- Then, move the .msi file to the target Windows VBR server.
- Right-click the file and select 'Run as administrator'.
- Just install it and wait for the installation to finish.
Result
The local installation is completed in just a few seconds.
The service on the VBR starts automatically, and the Analytics Service connects to Veeam ONE, with traffic using TCP port 2805. After a few minutes, the light on the console will turn green and the VBR will be shown as Connected. From this point onwards, you can see all the available data.
Closing thoughts
This experience has taught me a vital lesson that I want to share with all of you who are designing data protection infrastructures using Veeam v13. Things aren’t always as they seem, and what might appear to be simple tasks can turn into real headaches.
Security best practices recommend keeping VBR servers in a Workgroup to reduce the scope of ransomware attacks, but if you’re using Windows Server 2025, resign yourself to it, arm yourself with patience and install the components manually. Your security will thank you for it.
See you soon!
