Skip to main content
Solved

VSA and Guest application processing

  • May 29, 2026
  • 8 comments
  • 33 views
damien commenge
Forum|alt.badge.img+5

Hello,

 

On new V13 VSA installation, I would like to backup some VMs (inside domain) with AAIP enabled.

When I try it as I did with V12, it doesn’t work. 

My VSA is not in a domain.

I saw for authentication only Kerberos or certificates can be used (from Veeam deployment kit) because NTLM is removed.

Does that mean I need to add my VBR server to the production domain if I don’t want to use Veeam deployment kit on all my Windows VMs ? 

 

I don’t find a way for my backup to work with AAIP enabled while I’m using domain\user account with correct privileges.

I have this error : 

29/05/2026 14:33:16 Failed : Failed to connect via Administrative share.

Host: [COMPUTER.domain.com]. (Failed to connect to the guest OS. [Failed to connect to guest agent. Errors: 'Samba failed with error: NT_STATUS_NO_SUCH_DOMAIN [stderr: Kinit for administrateur@DOMAIN to access COMPUTER.domain.com

failed: Cannot find KDC for requested realm;Could not connect to server COMPUTER.domain.com;Connection failed: NT_STATUS_NO_SUCH_DOMAIN. ];

Samba failed with error: NT_STATUS_ACCESS_DENIED [stderr: Kerberos auth with 'administrateur@DOMAIN' (PRODUCTION\administrateur) to access 'a.b.c.d' not possible;Could not connect to server a.b.c.d;Connection failed: NT_STATUS_ACCESS_DENIED. ];']);

Best answer by Chris.Childerhose

Based on what I have seen and can research, you either use the deployment kit for all the Windows boxes to use AAIP or, yes, you join the VSA to the domain.

I would recommend a separate domain from PROD as that is what I have done with our servers and then created a one-way trust.  This is part of the BP guide.

 
 
 
Keep learning day after day

    8 comments

    Chris.Childerhose
    Forum|alt.badge.img+21
    • Chris.Childerhose
    • Veeam Legend, Veeam Vanguard
    • Answer
    • May 29, 2026

    Based on what I have seen and can research, you either use the deployment kit for all the Windows boxes to use AAIP or, yes, you join the VSA to the domain.

    I would recommend a separate domain from PROD as that is what I have done with our servers and then created a one-way trust.  This is part of the BP guide.

     
     
     
    Chris Childerhose (Enterprise Architect) - VMCA | VMCE | VMCE-SP | Veeam Vanguard 8* | Veeam Legend 5* | VUG Canada Leader | vExpert 7* | Toronto VMUG Leader | VCAP-DCV/VCP-DCV/VCP-VVF | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
      damien commenge
      Forum|alt.badge.img+5

      Based on what I have seen and can research, you either use the deployment kit for all the Windows boxes to use AAIP or, yes, you join the VSA to the domain.

      I would recommend a separate domain from PROD as that is what I have done with our servers and then created a one-way trust.  This is part of the BP guide.

       
       
       

      Thanks for your answer.

      This will considerably change the way I configure the product on my customer.

      Until V13 I enabled AAIP on all Windows VM. Now, I will enable it only for DC, SQL, … (Veeam explorer aware) and use the deployment kit with persistent agent check on AAIP.

      Keep learning day after day
        Chris.Childerhose
        Forum|alt.badge.img+21

        Based on what I have seen and can research, you either use the deployment kit for all the Windows boxes to use AAIP or, yes, you join the VSA to the domain.

        I would recommend a separate domain from PROD as that is what I have done with our servers and then created a one-way trust.  This is part of the BP guide.

         
         
         

        Thanks for your answer.

        This will considerably change the way I configure the product on my customer.

        Until V13 I enabled AAIP on all Windows VM. Now, I will enable it only for DC, SQL, … (Veeam explorer aware) and use the deployment kit with persistent agent check on AAIP.

        Not a problem.  v13 has brought some changes and challenges where redesign seem to be required.

         
         
         
        Chris Childerhose (Enterprise Architect) - VMCA | VMCE | VMCE-SP | Veeam Vanguard 8* | Veeam Legend 5* | VUG Canada Leader | vExpert 7* | Toronto VMUG Leader | VCAP-DCV/VCP-DCV/VCP-VVF | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
        damien commenge
        Forum|alt.badge.img+5

        I did some test and the result (for vsphere) :

        If VSA is joined to the domain → I have error when using AAIP with user/password.

        If VSA is not joined to the domain → OK if Deployment kit installed + Persistend guest agent

        If VSA is not joined to the domain → OK if using guest interaction proxy in the domain with user/password or gmsa.

        Keep learning day after day
          Chris.Childerhose
          Forum|alt.badge.img+21

          Interesting findings, especially the domain joined one.  🤔

          So it looks like domain is not a hard requirement and there are other options.

          Chris Childerhose (Enterprise Architect) - VMCA | VMCE | VMCE-SP | Veeam Vanguard 8* | Veeam Legend 5* | VUG Canada Leader | vExpert 7* | Toronto VMUG Leader | VCAP-DCV/VCP-DCV/VCP-VVF | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
          Andanet
          Forum|alt.badge.img+12
          • Andanet
          • Veeam Legend
          • May 29, 2026

          I did some test and the result (for vsphere) :

          If VSA is joined to the domain → I have error when using AAIP with user/password.

          If VSA is not joined to the domain → OK if Deployment kit installed + Persistend guest agent

          If VSA is not joined to the domain → OK if using guest interaction proxy in the domain with user/password or gmsa.

          Hi ​@damien commenge from my point of view the bolded is the best solution. 

          Antonio D'Andrea | VMCE | VMCA | Veeam Legend | VUG Italy Leader | Object First Ace | I want it written on my tombstone "Please start a restore to the last valid backup"
            damien commenge
            Forum|alt.badge.img+5

            I did some test and the result (for vsphere) :

            If VSA is joined to the domain → I have error when using AAIP with user/password.

            If VSA is not joined to the domain → OK if Deployment kit installed + Persistend guest agent

            If VSA is not joined to the domain → OK if using guest interaction proxy in the domain with user/password or gmsa.

            Hi ​@damien commenge from my point of view the bolded is the best solution. 

            To be honest,

            I think the deployment kit + persistent guest agent is my prefered one for 2 reason :

            1. Less network port requirement. In some environment, it could be easier to implement :)
            2. More secure because you don’t have user/password with local admin permissions stored in VBR server (gmsa or not ^^)
            Keep learning day after day
              Andanet
              Forum|alt.badge.img+12
              • Andanet
              • Veeam Legend
              • May 29, 2026

              Right...probablh I supposed you’ve a large infrastructure to save and gMsa reduce the manual operation to manage many accounts. 

              Antonio D'Andrea | VMCE | VMCA | Veeam Legend | VUG Italy Leader | Object First Ace | I want it written on my tombstone "Please start a restore to the last valid backup"
                Terms & ConditionsAccessibility statement