I’ve been in the process of redesigning my Veeam network for the past month. I can’t decide between a management/security domain for my Veeam components, or just going the workgroup route. I consider our setup small and fairly basic: two VMware hosts in one location, and another in a backup location.
Is a domain for Veeam that much safer? I already have my network isolation set up and configured with VLANs, and I just feel like adding another domain to manage is a waste of hardware resources, licensing, and my time.
I’ve read the Veeam Best Practice Guide “Workgroup or Domain?” chapter so many times, I think I can recite it from memory.
I appreciate any thoughts that other Veeam experts have on this subject. Especially for smaller setups like mine.
Pretty soon Veeam is going to be moving to a Linux Veeam appliance. The proxy and repositories can already run on Linux too. Even better if you do Hardened repositories.
For a small environment of only 3 vSphere hosts, I'd just do a single Veeam server not on a domain, running in the backup location.
I have designed both scenarios and we settled on a separate domain with a one-way trust to our production domain. It is secured and works well for backups. We have also put many security aspects into play, like Duo for RDP access, MFA, four eyes, etc.
Both of them work just depends on your environment.
Hi,
One of the main reasons we recommend a management domain is consistency across your Veeam servers. Consistent security posture and hardening for example.
We also advise to keep it “KISS” (Keep it simple, stupid!) and if you feel like it’s being over engineered, it likely is.
In my opinion, investing time into a secure immutability strategy and hardening the key resources is going to be a better use of your time.
If you want to share more of your planned architecture, happy to discuss further.
I think costs play a big role in your scenario, but security comes first.
If you have only VBR on Windows and the rest of the components, if they are dedicated, are Linux,
then for one server there is no need to create a domain controller, if you can manage the VBR users in a different secure way (like other software to manage users), or if security is OK that way.
Domain is better for scaling, delegation, and central GPO management. For a small environment, it’s fine to go with a workgroup and you can control everything.
Worked in both small and large VBR infrastructures. We implemented DISA STIG GPOs to harden domain security posture, including for VBR servers.
To further strengthen security, we use DUO for RDP and MFA, disable interactive logins for service accounts, and implement Zero Trust solutions like ThreatLocker, along with SIEM for monitoring.
Hi @stryker54141 -
I don’t have a whole bunch more to offer with what was already shared, except the following → With you being a small environment, how secure you wanna get is up to you. And really, that’s where the decision needs to come from. If you implement a solid secure design now, and your org does grow, there won’t be any need to change anything down the road to fit your org growth as you already implemented Veeam by secure best practices.
Or, you could implement some secure practices now...and maybe incorporate others with new Veeam releases down the road (a staggered implementation approach)? Again..all up to you. Although...choosing a mgmt domain vs workgroup implementation is an “all or nothing” deal really.
At the end of the day, those with malicious intentions sometimes don't care about org size as much as they do about what they can get by infiltrating a given environment. So plan accordingly.
Best.
Hi @stryker54141, from your question, I would settle for a very simple and secure, yet recommended setup by using the workgroup. Here is a guide for more information: https://bp.veeam.com/security/Design-and-implementation/Hardening/Workgroup_or_Domain.html
You will find the installation steps in this guide: https://techdirectarchive.com/2024/03/08/install-veeam-backup-and-replication-with-the-default-postgresql
+1
Hi @stryker54141 - did you get an answer to your question and if so can you please share so we can mark an answer as “Best Answer” even if it is yours.
Hi everyone! Sorry, I’ve been away for a few days. Thank you for all of your tips and input. I’ve decided to go the workgroup route. It seems like it makes the most sense for our environment based on all of your feedback.
No worries @stryker54141 ...glad to help. Good luck with the deployment!