I removed the Veeam B&R server and Enterprise Manager from the domain due to security issues, and now I want to know if it is possible to log in to these servers, which are workgroups, with domain users?
Is there a best practice?
You can only log in with domain users if a domain user has already logged in. Their credentials are cached (i.e. user profiles). But, if/when passwords change for the domain users, the domain users’ credentials wouldn’t reflect the pwd change on the servers. You would need to have local admin users created to be able to use Veeam components.
Veeam actually recommends putting its components in a “management domain”, separate from your regular production environment. It does cause a little complexity, obviously. But so does having the components in a workgroup. You just have to decide what route you’re most comfortable with. Veeam discusses your setup in their Best Practice Guide. You can review their recommendations, pros/cons, here.
Hello,
Segmentation - Veeam Backup & Replication Security Best Practice Guide
If you will keep the servers in a Workgroup, then create local accounts with Administrative rights on each server to be able to log in to the VBR/VEM consoles. That is best practice when working with a Workgroup setup; otherwise, follow the best practices for a backup domain as noted by others.
Hi,
This is the case due to a few core constraints that are all overcome with a management domain.
Firstly, trust. We don’t trust the domain on our server, so why would the server trust users of the domain that we don’t trust? Without being part of the security ecosystem of an AD domain, we can’t trust identities.
Secondly, authentication methods. Veeam utilises Windows authentication of a user account to validate who the user says they are; if Windows can’t validate they’re part of the domain, we can’t use Windows authentication.
If you deploy a dedicated management domain instead, you’ll enjoy your logical separation of production and management, whilst achieving this centralised identity requirement you have.
Anyone have insight into using Workgroup and having to restore files to a domain share? Not exactly this topic but close in ways that maybe someone here has insight or can point us in the right direction.
You would need login credentials for the domain but should be able to restore. The other option is restore locally then copy over to the domain.
A simple question: I can see that it’s recommended to include the Hyper-V/ESXi host in the trusted zone instead of the management one.
Wouldn’t it be wiser to include them also within the management zone? Somebody hacking the trusted zone domain could easily shut down the management domain.