Question

Can a non-domain joined VBR server use a gMSA?


Can non-domain joined VBR v12 servers use a gMSA?

All of our Veeam servers are off our domain, but can communicate with AD, and I'm exploring if I can use gMSA instead of a service account.

I've read the KB on gMSA for Veeam, but it's written in a way that leads me to believe it's for domain-joined VBR servers. A few articles online show that non-domain joined containers can run gMSA, but they don't say whether non-domain joined servers can do that or not.

https://helpcenter.veeam.com/docs/backup/vsphere/using_gmsa.html?ver=120


3 comments

Userlevel 3
Badge +2

Yes, that’s possible. You need a client in the domain which you use as guest-interaction proxy. You can assign the role to this Windows machine. Then the VBR server can be outside the domain.

 

Regards

Matze

Userlevel 7
Badge +18

> Yes, that’s possible. You need a client in the domain which you use as guest-interaction proxy. You can assign the role to this Windows machine. Then the VBR server can be outside the domain.
>
> Regards
>
> Matze

This is exactly the way to solution this for your use case.

Userlevel 7
Badge +7

@kyle.briski 

As already confirmed, you can use gMSA and execute LDAP queries on the domain even if the VBR is not joined, just open the preparatory ports.

It is advisable to leave the VBR server in a workgroup, or join it to a management domain and not to the client/infrastructure domain you are trying to protect.

Regards

care it

 
