Hi Community,
VBR server should not be part of the production domain—Unable to detect whether it should be considered important or not. How can we fix this? Is my VBR already in the production domain, or should I put it back on the workgroup?
Page 1 / 1
It shouldn’t be part of the production domain. For smaller environments you can use a workgroup membership, otherwise a dedicated backup domain can be set-up, but this involves additional DC’s if you want to do it properly. Changing the domain membership can have some impact on database connections (eg. external SQL) also verify the setup of surebackup jobs and all other accounts involved in testing and application awareness.
Hi
Is your server on any domain? Or is it a workgroup?
You can confirm by looking at your system within control panel or just running the following command in CMD:
systeminfo | findstr/i “domain”
If you get a domain, it’s on a domain. If you get something like “WORKGROUP”, then it’s in a workgroup.
If your server is in a domain then you need to ask if it’s a production domain or management domain. Is there one domain/forest that users log into for day to day work, and another dedicated domain/forest for administrative tasks? If the answer is no, you’re on a production domain.
The recommendations for domain/workgroup are:
- Management Domain - Best (typically)
- Workgroup - Good
- Production Domain - BAD
To answer the “why” on this:
If you have a lot of workgroup infrastructure, it can be hard to manage and centrally secure/harden vs a management domain. Hence the recommendation of a management domain. However this headache is still better than joining the production domain, as this domain is what you are trying to protect, and if the domain is compromised, your Veeam platform could be too.
It shouldn’t be part of the production domain. For smaller environments you can use a workgroup membership, otherwise a dedicated backup domain can be set-up, but this involves additional DC’s if you want to do it properly. Changing the domain membership can have some impact on database connections (eg. external SQL) also verify the setup of surebackup jobs and all other accounts involved in testing and application awareness.
thank you
Hi
Is your server on any domain? Or is it a workgroup?
You can confirm by looking at your system within control panel or just running the following command in CMD:
systeminfo | findstr/i “domain”
If you get a domain, it’s on a domain. If you get something like “WORKGROUP”, then it’s in a workgroup.
If your server is in a domain then you need to ask if it’s a production domain or management domain. Is there one domain/forest that users log into for day to day work, and another dedicated domain/forest for administrative tasks? If the answer is no, you’re on a production domain.
The recommendations for domain/workgroup are:
- Management Domain - Best (typically)
- Workgroup - Good
- Production Domain - BAD
To answer the “why” on this:
If you have a lot of workgroup infrastructure, it can be hard to manage and centrally secure/harden vs a management domain. Hence the recommendation of a management domain. However this headache is still better than joining the production domain, as this domain is what you are trying to protect, and if the domain is compromised, your Veeam platform could be too.
Hi
Hi
Refer to the Veeam BP about this theme. PS: this is a VMCA exam subject. 
https://bp.veeam.com/security/Design-and-implementation/Hardening/Workgroup_or_Domain.html
I suppress that alarm as we have ours in a domain but it is a separate one from production based on best practice. This alarm always sits that way I believe when domain joined. It does go green I believe in a workgroup IIRC.
Hi
Comment
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.