Hi Community,
VBR server should not be part of the production domain—Unable to detect whether it should be considered important or not. How can we fix this? Is my VBR already in the production domain, or should I put it back on the workgroup?
Solved
Security & Compliance Analyzer.
+3Best answer by kristofpoppe
It shouldn’t be part of the production domain. For smaller environments you can use a workgroup membership, otherwise a dedicated backup domain can be set-up, but this involves additional DC’s if you want to do it properly. Changing the domain membership can have some impact on database connections (eg. external SQL) also verify the setup of surebackup jobs and all other accounts involved in testing and application awareness.
+9It shouldn’t be part of the production domain. For smaller environments you can use a workgroup membership, otherwise a dedicated backup domain can be set-up, but this involves additional DC’s if you want to do it properly. Changing the domain membership can have some impact on database connections (eg. external SQL) also verify the setup of surebackup jobs and all other accounts involved in testing and application awareness.
Fan since FastSCP | VMCA-1 | VMCE9 | VMCE2022 | VMCE2024 | VMCA2024
+23Hi
Is your server on any domain? Or is it a workgroup?
You can confirm by looking at your system within control panel or just running the following command in CMD:
systeminfo | findstr/i “domain”
If you get a domain, it’s on a domain. If you get something like “WORKGROUP”, then it’s in a workgroup.
If your server is in a domain then you need to ask if it’s a production domain or management domain. Is there one domain/forest that users log into for day to day work, and another dedicated domain/forest for administrative tasks? If the answer is no, you’re on a production domain.
The recommendations for domain/workgroup are:
- Management Domain - Best (typically)
- Workgroup - Good
- Production Domain - BAD
To answer the “why” on this:
If you have a lot of workgroup infrastructure, it can be hard to manage and centrally secure/harden vs a management domain. Hence the recommendation of a management domain. However this headache is still better than joining the production domain, as this domain is what you are trying to protect, and if the domain is compromised, your Veeam platform could be too.
Michael Paul - Opinions are my own and do not necessarily reflect the opinion of Veeam | https://micoolpaul.com | Mastodon: @micoolpaul@masto.nu | Bluesky: @micoolpaul.com
+3kristofpoppe wrote:
It shouldn’t be part of the production domain. For smaller environments you can use a workgroup membership, otherwise a dedicated backup domain can be set-up, but this involves additional DC’s if you want to do it properly. Changing the domain membership can have some impact on database connections (eg. external SQL) also verify the setup of surebackup jobs and all other accounts involved in testing and application awareness.
thank you
Waqas Ali
+3MicoolPaul wrote:
Hi
Is your server on any domain? Or is it a workgroup?
You can confirm by looking at your system within control panel or just running the following command in CMD:
systeminfo | findstr/i “domain”
If you get a domain, it’s on a domain. If you get something like “WORKGROUP”, then it’s in a workgroup.
If your server is in a domain then you need to ask if it’s a production domain or management domain. Is there one domain/forest that users log into for day to day work, and another dedicated domain/forest for administrative tasks? If the answer is no, you’re on a production domain.
The recommendations for domain/workgroup are:
- Management Domain - Best (typically)
- Workgroup - Good
- Production Domain - BAD
To answer the “why” on this:
If you have a lot of workgroup infrastructure, it can be hard to manage and centrally secure/harden vs a management domain. Hence the recommendation of a management domain. However this headache is still better than joining the production domain, as this domain is what you are trying to protect, and if the domain is compromised, your Veeam platform could be too.
Hi
Waqas Ali
+6Hi
Refer to the Veeam BP about this theme. PS: this is a VMCA exam subject. 😀
https://bp.veeam.com/security/Design-and-implementation/Hardening/Workgroup_or_Domain.html
Luiz Eduardo Serrano. My blog: https://cloudnroll.com
+21I suppress that alarm as we have ours in a domain but it is a separate one from production based on best practice. This alarm always sits that way I believe when domain joined. It does go green I believe in a workgroup IIRC.
Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | vExpert 6* | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
Comment
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.