
Hello,

I’m trying to add a Cluster object in a new Protection Group as `Microsoft Active Directory Objects` and at the credentials tab when I click on `Test Now` I get this error.

9/23/2022 5:19:21 PM :: Processing Microsoft failover cluster XXXX.XXX.local Error: Failed to get cluster nodes

 

I faced the same problem. The log C:\ProgramData\Veeam\Backup has the same error as the author.

On the master node of the cluster I found an error in the system log:
10036
The server-side authentication level policy does not allow the user IT\ХХХ SID (S-1-5-21-ХХХХХХХХХ-ХХХХХХХХХ-ХХХХХХХ-ХХХ) from address 10.ХХ.Х.Х to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

The server with Veeam had not received Windows updates for a long time, and the cluster I was accessing had all the latest patches.

The solution that helped me:
Install all current Windows updates on the Veeam server.
You can also install only the updates related to the changes in DCOM Server (CVE-2021-26414).
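
To confirm this diagnosis on a cluster node before patching, the following added example (not part of the original post and not Veeam tooling) reads the server-side DCOM hardening setting and summarizes which clients and accounts were rejected with event 10036. It assumes English event message text, a seven-day look-back window, and an elevated session on the node that logged the error.

```powershell
# Added example. Run in an elevated session on the cluster node that logged event 10036.
$Since = (Get-Date).AddDays(-7)   # look-back window (assumption)

# Server-side DCOM hardening switch for CVE-2021-26414 (documented in KB5004442).
# An absent value means the default of the installed patch level applies.
$ole   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat' -ErrorAction SilentlyContinue
$level = $ole.RequireIntegrityActivationAuthenticationLevel
$state = if ($null -eq $level) { 'not set (OS default)' } else { $level }
"RequireIntegrityActivationAuthenticationLevel: $state"

# Event 10036: an activation was rejected because the client authenticated
# below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = 10036
    StartTime    = $Since
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Extract user, SID and client address from the message format quoted in the post
# (English message text assumed; localized systems need a different pattern).
$pattern  = 'user (?<user>.+?) SID \((?<sid>[^)]+)\) from address (?<addr>\S+) to activate'
$rejected = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Client = $Matches['addr']
            User   = $Matches['user']
            Sid    = $Matches['sid']
        }
    }
}

if (-not $rejected) {
    "No DCOM 10036 rejections since $Since."
} else {
    # One row per client/account pair: these clients still need the DCOM update.
    $rejected | Group-Object Client, User | ForEach-Object {
        [pscustomobject]@{
            Client   = $_.Group[0].Client
            User     = $_.Group[0].User
            Count    = $_.Count
            LastSeen = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
        }
    } | Sort-Object Count -Descending | Format-Table -AutoSize
}
```

If the backup server's address appears in the output, the failure is the DCOM authentication-level mismatch described above rather than a credential or firewall problem.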


@TACSupport - probably best to open a support case, if you haven’t already. It may be a bug in v12 and thus they’ll need to address it.


Anyone have the solution?


We have the same issue now too; it seems it started after the version 12 upgrade.

The protection group test with creds fails, however the backups still back up the nodes in the cluster.

 


The same problem happens here.


I got the same problem, and to solve it I set the DNS of my cluster nodes in the network card of my Veeam backup server.


Hi @m.saleh, any update on this?


If you can add them individually and it’s fine, sounds like an AD permissions issue to read your cluster object?


Hi, that says it’s trying to use WMI to access, which if you’re saying you’ve got the firewalls disabled on ALL nodes, you should be fine, but I’d check the WMI service is running on all nodes.

 

Next I’d also check that within the guest OS credentials section if you have a default “master” and then have configured overriding credentials for individual objects that one of the two conditions is true:

  • Master credentials are the appropriate account, with no overriding credentials configured for any individual nodes or the cluster name
  • Master credentials are not the appropriate account, but overriding credentials configured for the cluster and nodes where appropriate.

I’d suggest checking out this section of the help guide: https://helpcenter.veeam.com/docs/backup/agents/protection_group_accounts.html?ver=110

Particularly around the format required for the account “DOMAIN\Username” and required permissions within AD.

Hello,

I checked the WMI service on each node and found it not running on 2 of them, so I started the service and tried the test again, but it still fails.

I checked the user account again for Veeam and it’s a Domain Admin and I’m using it as a MasterAccount and it still fails. I don’t know why, actually. I tried on another Veeam server but it’s still the same; however, when I’m trying to add the cluster nodes separately as `Computer Objects`, not as a cluster, it succeeds.

 

 




Can you grab the logs from the Veeam server please, rather than event viewer.

 

Default location: C:\ProgramData\Veeam\Backup

I found this access is denied error but I’m pretty sure the credentials are correct.

 

The message after the messages you have marked says “Check if you have local admistrator privileges on computer xxx"

Do you have them with the account Veeam uses?

Yes, it uses a domain admin user account and has access to each node.

 




To troubleshoot outside of Veeam, you could try the following on the VBR server:

  • Install the Failover-Cluster PowerShell module:

```powershell
Install-WindowsFeature -Name RSAT-Clustering-Powershell
```

  • Get the cluster object from AD (cluster needs to be reachable as well):

```powershell
Get-Cluster -Name myClusterName
```

  • Get the cluster nodes from AD and their status from the cluster directly:

```powershell
Get-ClusterNode -Cluster myClusterName
```

If all goes well, this should output the name and status of the cluster nodes. In my lab it looks like this:

```
Name State Type
---- ----- ----
cn1  Up    Node
cn2  Up    Node
```

If this doesn’t work, there must be an issue outside of Veeam, and the PowerShell error messages might direct you to the root cause.

To clean up, you can remove the PS module afterwards:

```powershell
Remove-WindowsFeature -Name RSAT-Clustering-Powershell
```

(reboot is required to complete the removal process)
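
The checks suggested across this thread (cluster enumeration, DNS, RPC reachability, WMI with the protection group account) can be run in one pass from the VBR server. This is an added example, not part of the original post and not Veeam tooling; `myClusterName` is the placeholder from the post above, and the script assumes the FailoverClusters module from the first step is installed.

```powershell
# Added example. Run on the VBR server; 'myClusterName' is a placeholder.
param(
    [string]$ClusterName = 'myClusterName',
    [pscredential]$Credential = (Get-Credential -Message 'Account used in the protection group')
)

Import-Module FailoverClusters -ErrorAction Stop

# Step 1: enumerate nodes the same way as in the post (runs as the logged-on user).
try {
    $nodes = Get-ClusterNode -Cluster $ClusterName -ErrorAction Stop
} catch {
    Write-Error "Cluster enumeration failed outside Veeam: $($_.Exception.Message)"
    return
}

# Step 2: per node, test DNS, the RPC endpoint mapper (TCP 135) and a WMI query over DCOM.
$dcom   = New-CimSessionOption -Protocol Dcom
$report = foreach ($node in $nodes) {
    $row = [ordered]@{
        Node = $node.Name; ClusterState = $node.State
        Dns = $false; Rpc135 = $false; Wmi = 'not tested'
    }
    $row.Dns    = [bool](Resolve-DnsName -Name $node.Name -ErrorAction SilentlyContinue)
    $row.Rpc135 = (Test-NetConnection -ComputerName $node.Name -Port 135 `
                   -WarningAction SilentlyContinue).TcpTestSucceeded
    if ($row.Rpc135) {
        $session = $null
        try {
            $session = New-CimSession -ComputerName $node.Name -Credential $Credential `
                       -SessionOption $dcom -ErrorAction Stop
            $svc = Get-CimInstance -CimSession $session -ClassName Win32_Service `
                   -Filter "Name='ClusSvc'" -ErrorAction Stop
            $row.Wmi = "OK (ClusSvc $($svc.State))"
        } catch {
            # Access denied here with known-good credentials points at DCOM/WMI policy on the node.
            $row.Wmi = "FAILED: $($_.Exception.Message)"
        } finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
    }
    [pscustomobject]$row
}

$report | Format-Table -AutoSize -Wrap
```

A node that resolves and answers on TCP 135 but fails the WMI step with an access-denied message is worth checking for DCOM event 10036 in its System log.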

Cluster is working fine.

 




The error message indicates there’s a problem with the VBR server connecting the AD DC while trying to query the AD cluster object for the cluster nodes. Have you checked firewall restrictions between those as well?

Firewall is disabled. I tried to change the DC but still the same issue.

All AD ports are opened.

EDIT: I’m able to add Hyper-V hosts using the AD credentials and they’re added successfully but while adding a cluster object it’s not working.




I have the same problem in one client environment. It’s a firewall problem, but I didn’t have time to solve it up to now. 😏

But firewall is disabled on all servers and they’re on the same VLAN so all ports are allowed any to any

Just edited my post and added - at least in my case. 😎

DNS resolution for all related systems is ok, too?

Yes yes. I can ping and resolve the cluster and nodes 




I have the same problem in one client environment. It’s a firewall problem - at least in my case -, but I didn’t have time to solve it up to now. 😏


No, actually I didn’t see anything related to this, but I found many warnings.

 


Can you check your logs and see if there’s anything that gives an indication as to what’s going on, before or after this event?

