Solved

Can a non-domain joined VBR server use a gMSA?


Userlevel 2
Badge

Can non-domain joined VBR v12 servers use a gMSA?

All of our Veeam servers are off our domain, but can communicate with AD, and I'm exploring if I can use gMSA instead of a service account.

I've read the KB on gMSA for Veeam, but it's written in a way that leads me to believe it's for domain-joined VBR servers. A few articles online show that non-domain-joined containers can run a gMSA, but it isn't clear whether non-domain-joined servers can do that or not.

https://helpcenter.veeam.com/docs/backup/vsphere/using_gmsa.html?ver=120


Best answer by MatzeB 25 May 2023, 23:15


10 comments

Userlevel 5
Badge +3

Yes, that's possible. You need a client in the domain which you use as guest-interaction proxy. You can assign the role to this Windows machine. Then the VBR server can be outside the domain.

 

Regards

Matze

Userlevel 7
Badge +20

Yes, that's possible. You need a client in the domain which you use as guest-interaction proxy. You can assign the role to this Windows machine. Then the VBR server can be outside the domain.

 

Regards

Matze

This is exactly the way to solve this for your use case.

Userlevel 7
Badge +7

@kyle.briski 

As already confirmed, you can use a gMSA and execute LDAP queries on the domain even if the VBR is not joined; just open the necessary ports.

It is advisable to leave the VBR server in a workgroup, or join it to a management domain and not the client/infrastructure domain you are trying to protect.
Regards

care it

 

Userlevel 1

Can non-domain joined VBR v12 servers use a gMSA?

All of our Veeam servers are off our domain, but can communicate with AD, and I'm exploring if I can use gMSA instead of a service account.

I've read the KB on gMSA for Veeam, but it's written in a way that leads me to believe it's for domain-joined VBR servers. A few articles online show that non-domain-joined containers can run a gMSA, but it isn't clear whether non-domain-joined servers can do that or not.

https://helpcenter.veeam.com/docs/backup/vsphere/using_gmsa.html?ver=120

Were you able to solve this? I am in the same scenario and stuck; I keep getting the following error when testing the gMSA account:
1/9/2024 1:43:18 PM Failed Cannot connect to the admin share. Host:  *****. Account: [******.;Failed to perform safe logon;Failed to create a process token for account ******$;Win32 error:Access is denied.; Code: 5 ; 
1/9/2024 1:43:18 PM Failed Cannot connect to the admin share. Host:  [********]. Account: *******].;Failed to perform safe logon;Failed to create a process token for account ******$;Win32 error:Access is denied.; Code: 5 ; 
 

Userlevel 2
Badge

Yes, I was able to use a gMSA on a non-domain-joined VBR server.

 

Within your backup job, where you configure the Guest Processing and select Server X to be the proxy: if you go to that server and run

Test-ADServiceAccount "DOMAIN\gmsa01$"

 

Is that server able to access the gMSA account? I believe I needed to add that gMSA account to Server X's local Administrators group as well, if memory serves me right.
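The checks this thread walks through (the proxy must be domain-joined, must be allowed to retrieve the gMSA's managed password, must pass Test-ADServiceAccount, and per the comment above should have the gMSA in its local Administrators group) can be run in one read-only script on the chosen guest interaction proxy. This is an added example, not Veeam's or the posters' code; the gMSA name "gmsa01" is a placeholder, and it assumes the ActiveDirectory RSAT module is installed on the proxy.

```powershell
# Added pre-flight check for a domain-joined guest interaction proxy (not Veeam code).
# Run on the Windows host selected as proxy; 'gmsa01' is an assumed placeholder name.
#Requires -Modules ActiveDirectory
param([string]$GmsaName = 'gmsa01')   # sAMAccountName without the trailing '$'

$results = [ordered]@{}

# 1. The proxy itself must be domain-joined; the VBR server does not have to be.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['ProxyIsDomainJoined'] = [bool]$cs.PartOfDomain

# 2. This computer (directly, or through a group) must be allowed to retrieve the
#    managed password, otherwise Test-ADServiceAccount fails even though the account exists.
$gmsa = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$me   = Get-ADComputer -Identity $env:COMPUTERNAME
$allowed = foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    $obj = Get-ADObject -Identity $dn
    if ($obj.ObjectClass -eq 'group') {
        (Get-ADGroupMember -Identity $dn -Recursive).DistinguishedName   # expand nested members
    } else {
        $obj.DistinguishedName
    }
}
$results['ProxyMayRetrievePassword'] = $allowed -contains $me.DistinguishedName

# 3. The test recommended in the thread: can this host actually obtain the gMSA credentials?
$results['TestADServiceAccount'] = [bool](Test-ADServiceAccount -Identity $GmsaName)

# 4. Local admin rights are needed for admin-share access; "Access is denied" (Win32 error 5)
#    on the admin share is the symptom when they are missing. Check the local Administrators group.
$netbios = (Get-ADDomain).NetBIOSName
try {
    $admins = (Get-LocalGroupMember -Group 'Administrators').Name   # e.g. DOMAIN\gmsa01$
} catch {
    $admins = @()   # orphaned SIDs in the group can make the cmdlet throw; treat as unknown
}
$results['GmsaInLocalAdministrators'] = $admins -contains "$netbios\$GmsaName`$"

# Report: every line should read True before pointing a backup job at this proxy.
$results.GetEnumerator() | ForEach-Object { '{0,-28} {1}' -f $_.Key, $_.Value }
```

A False in the second or fourth line points at the AD or local-group configuration rather than at Veeam; fix that on the proxy or in AD before re-running the job's guest processing test.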

Userlevel 1

Ah, so I would have to domain-join my Veeam proxy in order for it to work? Thanks for the fast response!!!

 

Userlevel 2
Badge

I got stuck on this too. No need to domain-join your Veeam server(s). Keep the Veeam servers off the domain if you are able to.

 

What you're doing at this step is selecting another server on your domain that Veeam can use as a Guest Processing Proxy and that has access to the gMSA account. This could be a file server, a dedicated server, or whatever you decide to select. No need to have a special Veeam proxy server created for this, unless that's the route you really want. You're essentially configuring at this step which proxy server that exists on your domain Veeam can use to access the gMSA account.

Userlevel 1

I got stuck on this too. No need to domain-join your Veeam server(s). Keep the Veeam servers off the domain if you are able to.

 

What you're doing at this step is selecting another server on your domain that Veeam can use as a Guest Processing Proxy and that has access to the gMSA account. This could be a file server, a dedicated server, or whatever you decide to select. No need to have a special Veeam proxy server created for this, unless that's the route you really want. You're essentially configuring at this step which proxy server that exists on your domain Veeam can use to access the gMSA account.

Thank you very much for your help!!

Userlevel 7
Badge +16

Great additional comments here on how you implemented gMSA @kyle.briski / @techepet 

Userlevel 7
Badge +16

Hi @kyle.briski -

I just wanted to follow up here on your post. It appears you were indeed able to get gMSA working for your non-domain-joined VBR server? If one of the comments provided helped you, or if you did so on your own, we ask you to select one of the comments as a 'Best Answer' so others who have a similar query and come across your post may benefit.

Thank you.
