
We have Active Directory joined Windows machines in our backup. These machines have a single local administrative account which is managed by LAPS. The password of the account is rotated daily. Now one of these machines needs to be set up again from scratch. Until the machine is usable again, and the data has been restored to it, the machine is running as an instant recovery so people can access the data in the meantime.

I can’t restore the AD computer object to the same date, because the “new” machine has already been joined to the AD and the restore would conflict with the current object.

Now, since the password of the user has been rotated repeatedly since the point where the backup was taken, I have no way to access the password of the admin user at that time. But I need admin privileges to install VMware tools, configure the network, rename the machine and rejoin it to the AD.

Has anyone by chance been in a similar position already and found a solution for this? Manipulating passwords and user accounts from outside the OS is possible, but very hacky. I was hoping to find a way to have Veeam activate and configure an admin account during restore, but it seems like having it run a PowerShell script during restore is limited to Recovery Verification.

Hmm...I’ve not encountered this ​@geschnei ...personally or here on the Community Hub. Maybe someone else has? At the very least, you could ping Veeam Product Managers directly on the Forums to get their suggestions. Interested to hear others’ experience on this.


> I can’t restore the AD computer object to the same date, because the “new” machine has already been joined to the AD and the restore would conflict with the current object.

I’m not sure I understand here. Is the “new machine” you’re referring to here the instant recovery you have ongoing? If it has already been joined to the domain, wouldn’t you have a domain account that has local admin privileges that could correct this issue?


> I’m not sure I understand here. Is the “new machine” you’re referring to here the instant recovery you have ongoing? If it has already been joined to the domain, wouldn’t you have a domain account that has local admin privileges that could correct this issue?

No. The original machine has been reinstalled and joined again. Then an older state of this machine has been restored via instant recovery and needs to be reconfigured so it can be accessed parallel to the current instance.

And domain accounts don’t have local admin privileges, only the sole local account which is managed via LAPS.


I’m assuming the reinstalled machine was joined to the domain with the same hostname as the restored machine and that is causing the conflict?

If so, the only way I can think of that Veeam could help here is if you were to rename the reinstalled machine to something else, then perform an AD computer object restore to the same point that the restored machine was restored.

If that is not possible, then you may have to get “hacky”.

