
Can non-domain joined VBR v12 servers use a gMSA?

All of our Veeam servers are off our domain, but can communicate with AD, and I'm exploring if I can use gMSA instead of a service account.

I've read the KB on gMSA for Veeam, but it's written in a way that leads me to believe it's for domain joined VBR servers. A few articles online show that non-domain joined containers can run gMSA, but they don't read as if non-domain joined servers can do that or not.

https://helpcenter.veeam.com/docs/backup/vsphere/using_gmsa.html?ver=120

Yes, that’s possible. You need a client in the domain which you use as guest-interaction proxy. You can assign the role to this Windows machine. Then the VBR server can be outside the domain.

 

Regards

Matze



This is exactly the way to solution this for your use case.


@kyle.briski 

As already confirmed, you can use gMSA and execute LDAP queries on the domain even if the VBR is not joined, just open the preparatory ports.

It is advisable to leave the VBR server in a workgroup, or join it to a management domain and not in the client/infrastructure domain you are trying to protect.
Regards

care it

 



Were you able to solve this? I am in the same scenario and stuck; I keep getting the following error when testing the gMSA account:
1/9/2024 1:43:18 PM Failed Cannot connect to the admin share. Host:  *****. Account: :******.;Failed to perform safe logon;Failed to create a process token for account ******$;Win32 error:Access is denied.; Code: 5 ; 
1/9/2024 1:43:18 PM Failed Cannot connect to the admin share. Host:  :********]. Account: *******].;Failed to perform safe logon;Failed to create a process token for account ******$;Win32 error:Access is denied.; Code: 5 ; 
 


Yes, I was able to use gMSA on a non-domain joined VBR server.

 

Within your backup job, where you configure the Guest Processing and select Server X to be the proxy - if you go to that server and run 

Test-ADServiceAccount "DOMAIN\gmsa01$"

 

Is that server able to access the gMSA account? I believe I needed to add that gMSA account on Server X’s local administrator account as well, if memory serves me right.
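Added example, not part of the original replies: the two checks that reply mentions, run together on the domain-joined guest interaction proxy ("Server X"). The helper name `Test-GmsaOnProxy` is hypothetical, `gmsa01$` is the placeholder account name from the reply, and local Administrators membership is checked only because the reply recalls needing it.

```powershell
# Run in an elevated PowerShell session on the domain-joined guest interaction
# proxy ("Server X"). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-GmsaOnProxy {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $GmsaSam   # sAMAccountName, e.g. 'gmsa01$'
    )

    # Which principals are allowed to retrieve the managed password?
    $acct = Get-ADServiceAccount -Identity $GmsaSam `
        -Properties PrincipalsAllowedToRetrieveManagedPassword

    # $true only if THIS computer can retrieve and use the gMSA password.
    $canUse = Test-ADServiceAccount -Identity $GmsaSam

    # Compare by SID against the built-in Administrators group (S-1-5-32-544),
    # so a localized or renamed group name does not matter.
    $adminSids = (Get-LocalGroupMember -SID 'S-1-5-32-544').SID.Value
    $isAdmin   = $adminSids -contains $acct.SID.Value

    [pscustomobject]@{
        Account               = $acct.SamAccountName
        AllowedToRetrieve     = $acct.PrincipalsAllowedToRetrieveManagedPassword
        UsableOnThisComputer  = $canUse
        InLocalAdministrators = $isAdmin
    }
}

$r = Test-GmsaOnProxy -GmsaSam 'gmsa01$'   # placeholder name from the reply
$r | Format-List

if (-not $r.UsableOnThisComputer) {
    Write-Warning "This computer is not permitted to retrieve the gMSA password."
}
if (-not $r.InLocalAdministrators) {
    Write-Warning "The gMSA is not a member of the local Administrators group."
}
```

If `UsableOnThisComputer` is false, compare `AllowedToRetrieve` with the proxy's own computer account or a group it belongs to.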


Ah, so I would have to domain join my Veeam proxy in order for it to work? Thanks for the fast response!!!

 


I got stuck on this too. No need to domain join your Veeam server(s). Keep the Veeam servers off the domain if you are able to.

What you're doing at this step is selecting another server on your domain that Veeam can use as a Guest Processing Proxy and that has access to the gMSA account. This could be a file server, a dedicated server or whatever you decide to select. No need to have a special Veeam proxy server created for this, unless that's the route you really want. You're essentially configuring, at this step, which proxy server that exists on your domain Veeam can use to access the gMSA account.



Thank you very much for your help!!


Great additional comments here on how you implemented gMSA @kyle.briski / @techepet 


Hi @kyle.briski -

I just wanted to follow up here on your post. It appears you were indeed able to get gMSA working for your non-domain joined VBR server? If one of the comments provided helped you, or if you did so on your own, we ask you select one of the comments as a ‘Best Answer’ so others who have a similar query and come across your post may benefit.

Thank you.

