• EN
Solved

Install veeam backup & replication

E
Userlevel 2

Hello,

I have an environment where I have a domain controller, a domain joined server with a sql server installed. I want to install veeam backup & replication on another server 2022. Do I need to join the veeam server to the domain?

Best regards

icon

Best answer by MicoolPaul 4 March 2024, 12:40

View original

8 comments

MicoolPaul
Userlevel 7
Badge +20

Hi, you don’t need to, and shouldn’t add it to your production domain :)

 

Either a separate management domain, or standalone workgroup will be better!

Michael Paul - #VeeamLegend | #VeeamVanguard | Veeam Certified Architect | VMware vExpert | https://micoolpaul.com | Twitter: @MicoolPaul | Mastodon: @micoolpaul@masto.nu | Bluesky: @micoolpaul.bsky.social
coolsport00
Userlevel 7
Badge +17

Hi @emmanuel.s -

Welcome to the Community. No...you don't need to join it to the domain, but it's a bit less complex to set up when it is on the domain. You can view Veeam Best Practices here.

https://bp.veeam.com/vbr/2_Design_Structures/D_Veeam_Components/D_VBR_server/backup_server.html

Shane Williford - Veeam VMCA/VMCE | Veeam Legend | VUG Leader | VCP-DCV | Twitter: @coolsport00
JMeixner
Userlevel 7
Badge +17

For me it’s best practice to NOT domain join the backup server.

The domain is an additional attack vector for the backup server. It is no problem to operate the Veeam server as a standalone server and you can use domain accounts to login to system for application-aware backup. But the server cannot be attacked with a compromised domain (admin) account.

Jochen (Joe) Meixner | Veeam Vanguard 2024 | Veeam Legend 2021 - 2023 | Veeam Certified Architect (VMCA) 2022 | Twitter: @JoMeix | BlueSky: @jmeixner.bsky.social
Chris.Childerhose
Userlevel 7
Badge +20

As others have mentioned and as per Veeam the best practice is no domain but if you follow the design doc Shane posted you can do a separate domain but ensure you follow Security best practices for this.  That is the path we are going to be taking here with our setup as the downside to no domain is Access Management to the server using local accounts, etc.

Chris Childerhose - VMCA2022 | VMCE2023 | Veeam Vanguard 7* | Veeam Legend 3* | vExpert 5* | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
dloseke
Userlevel 7
Badge +6

I have many that are both but best practices and what I'm going with moving forward is to be standalone (non-domain joined).

Derek M. Loseke, Senior Systems Engineer | Veeam Legend 2022-2023 | VMSP/VMTSP | VCP6-DCV | VSP/VTSP | CCNA | https://technotesanddadjokes.com | @dloseke
E
Userlevel 2

Thank you very much

Iams3le
Userlevel 7
Badge +9

Hi @emmanuel.s

Based on Best practice, and secure deployment, you will have to add the Veeam components to a management domain that resides in a separate Active Directory Forest. You will find this link very usefulhttps://bp.veeam.com/security/Design-and-implementation/Hardening/Workgroup_or_Domain.html

Also, the discussion here: https://forums.veeam.com/veeam-backup-replication-f2/veeam-on-workgroup-or-separate-ad-domain-t49090.html. If you choose the workgroup route, you will find this link very useful as well: 

 

[Microsoft MVP | Veeam Legend 5* | VMware vExpert 4* | Cisco Champion 3* | Object First Ace]
Moustafa_Hindawi
Userlevel 7
Badge +6

It is not recommended to join your Veeam backup Server to your production domain.

Moustafa Hindawi | Blogger | Nutanix Technology Champion | NCSE | NCM-MCI | VMCE | 2xVCAP-DTM & DCV | 2xVCP-NV & CMA | LinkedIn: https://www.linkedin.com/in/moustafaadelmoustafa/ | My Blog: https://cloudwhales.co.uk/author/mhindawi/

Comment


Terms & Conditions