Hello,

I have an environment where I have a domain controller and a domain-joined server with SQL Server installed. I want to install Veeam Backup & Replication on another Server 2022. Do I need to join the Veeam server to the domain?

Best regards

Hi, you don’t need to, and shouldn’t add it to your production domain :)

Either a separate management domain, or standalone workgroup will be better!


Hi @emmanuel.s -

Welcome to the Community. No...you don't need to join it to the domain, but it's a bit less complex to set up when it is on the domain. You can view Veeam Best Practices here.

https://bp.veeam.com/vbr/2_Design_Structures/D_Veeam_Components/D_VBR_server/backup_server.html


For me it’s best practice to NOT domain join the backup server.

The domain is an additional attack vector for the backup server. It is no problem to operate the Veeam server as a standalone server and you can use domain accounts to log in to the system for application-aware backup. But the server cannot be attacked with a compromised domain (admin) account.


As others have mentioned, and as per Veeam, the best practice is no domain, but if you follow the design doc Shane posted you can do a separate domain, but ensure you follow security best practices for this. That is the path we are going to be taking here with our setup, as the downside to no domain is access management to the server using local accounts, etc.


I have many that are both, but best practice, and what I'm going with moving forward, is to be standalone (non-domain joined).


Thank you very much


Hi @emmanuel.s

Based on best practice and secure deployment, you will have to add the Veeam components to a management domain that resides in a separate Active Directory forest. You will find this link very useful: https://bp.veeam.com/security/Design-and-implementation/Hardening/Workgroup_or_Domain.html

Also, the discussion here: https://forums.veeam.com/veeam-backup-replication-f2/veeam-on-workgroup-or-separate-ad-domain-t49090.html. If you choose the workgroup route, you will find this link very useful as well:


It is not recommended to join your Veeam backup server to your production domain.

