Solved

VBR outside domain - possible issues

1 year ago
6 December 2022
6 comments
221 views

Userlevel 7

Michael Melter
Veeam Legend
100 comments

For well know reasons myself and many here recommend to - if possible - deploy VBR and especially it’s repos outside of the Windows domain.

Certain issues come as a downside with doing that:

Maintaining multiple local admin logins, remote-UAC (LocalAccountTokenFilterPolicy), firewall behavior outside of domain networks etc. being some of those.

Recently I stumbled upon a situation were we could not establish a connection from a non-domain-joined VBR server to a newly deployed non-domain-joined Windows 2019 repo server. Other older proxies/repos to the same VBR were available and functioning.

From the VBR server the admin$ share of the to-be-connected new repo was not accessible (“invalid login”).

VBR also stated “invalid login” during Windows server onboarding. But from another (domain joined) Windows system in the same (direct, non-routed) network, the repo’s admin$ share was well available with the same user/pw.

Of course no Windows firewall whatsoever was active.

Very strange.

Has anyone seen something alike already? I would welcome more ideas to troubleshoot. Case is open, but I assume it’s basically a Windows issue as the admin$ share is already not accessible.

Thanks,

Michael

icon

Best answer by Michael Melter 7 December 2022, 11:03

View original

6 comments

Userlevel 7

+20

Chris.Childerhose
Veeam Legend, Veeam Vanguard
6277 comments
1 year ago
6 December 2022

Have not seen this one before as we tend to domain join our Veeam servers due to administrative management (this will change with v12). Best of luck finding a solution.

Userlevel 7

+10

Rick Vanover
RICKATRON
702 comments
1 year ago
6 December 2022

I hope it wasn’t something simple like Windows Firewall? That gets me when I do non-domain memberships. So much so that I committed to memory turning it off (netsh advfirewall set allprofiles state off).

Userlevel 7

+14

regnor
Veeam MVP
1280 comments
1 year ago
6 December 2022

Is it in a hardened environment? And what does the security eventlog of the target server say during the failed logins?

Userlevel 7

+11

Nico Losschaert
Veeam Legend
661 comments
1 year ago
6 December 2022

Great post @Michael Melter. I also implement always VBR in a workgroup, also in a separate VLAN segmentation. I also need to implement the setting for LocalAccountTokenFilterPolicy. Do not forget to reboot the server afterwards. As @Rick Vanover already mentioned, mostly something to do with the Windows Firewall.

Another thing that could be the cause is the notation of the local account. Normally use only the name of the account (without .\). Did you try the built-in local administrator account already?

Userlevel 7

Michael Melter
Author
Veeam Legend
100 comments
1 year ago
7 December 2022
Answer

As expected and always welcome, we found the reason. 😎

LAN managers auth level was restricted due to some hardening applied to Windows. Not clear right now, if via Windows update or actively by the customers policies.

HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel on VBR was set to 1.

→ Network security LAN Manager authentication level (Windows 10) | Microsoft Learn

Once set back to 5, it works as expected. Repos also had 5 (which is default for non-domain-joined systems).

Thanks all for contributing.

Userlevel 7

+14

regnor
Veeam MVP
1280 comments
1 year ago
10 December 2022

You’re a hero @Michael Melter !

Just the same day I was analyzing a problem, where the Veeam service user got locked when a accessing it’s proxy. It was rather weired and everything else looked ok. Then I remembered you’re post, checked the registry and bingo; LmCompatibilityLevel was set to “0”. 🤓

I’m also not sure why this would be set to 0 while everything else was at 5. Is this just a coincidence?

Comment

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded