
Saturday, September 30, 2017

Exchange - Veeam Backup Error Code 1935 Cannot Connect to Administrative Share

I use Veeam to back up my Exchange 2016 environment because (most importantly) it works with an IP-less DAG, and it's relatively quick and easy to do restores.

The issue is that it doesn't tie into Windows as well as something like DPM, so there's a bit of permission tuning you have to do, especially if you have a Resource Forest with a Selective Trust like I do.

We recently created a new dedicated backup account, but this account is located in the Accounts Forest, which means it has to authenticate over to the Resource Forest where Exchange lives.

Because of this, Veeam started throwing the following error:

Failed to prepare guest for hot backup. Error: Failed to connect to guest agent. Errors: 'Cannot connect to the host's administrative share. Host: [EXCH1.exchangeitup.com]. Account: [exchangeitup\exchbackup2]. Win32 error: The computer you are signing into is protected by an authentication firewall. The specified account is not allowed to authenticate to the computer. Code: 1935 Cannot connect to the host's administrative share. Host: [10.10.10.1]. Account: [exchangeitup\exchbackup2].

Deciphering the error:

The backup account doesn't have "Allowed to authenticate" rights on the actual Exchange server(s).

The Fix:

Follow my previous post to create a security group to allow Selective Trust auth:

http://exchangeitup.blogspot.com/2017/04/exchange-resource-forest-creating.html

After you have that set, add that backup account to your new group.

Or, for a messier way (messier because I don't like adding single users for permissions; use groups, your fellow IT admins will thank you later), you can just add auth rights directly:

1. Log onto a domain controller in the forest where your Exchange servers are homed
2. Open Active Directory Users and Computers (ADUC)
3. Click View 
4. Select Advanced Features
5. Browse to the OU where the Exchange Server(s) you are trying to authenticate to are located
6. Right-click then select Properties, then the Security tab
7. Add the backup user
8. Grant Allowed to authenticate rights
9. Click Apply, then OK.
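The same grant can be scripted instead of clicked through ADUC. This is an added example, not part of the original post: it puts the "Allowed to Authenticate" extended right on each Exchange computer object for a single principal and skips servers that already have it. The group name `EXAMPLE\Exchange-SelectiveAuth` and the server list are assumptions; run it in the Resource Forest with an account that can modify those computer objects.

```powershell
Import-Module ActiveDirectory   # RSAT module; also provides the AD: drive

# Assumed values: replace with your own group and server names
$Principal   = 'EXAMPLE\Exchange-SelectiveAuth'   # hypothetical group holding the backup account
$ServerNames = @('EXCH1')

# rightsGuid of the "Allowed to Authenticate" extended right
$AllowedToAuth = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$SidType       = [System.Security.Principal.SecurityIdentifier]

# Resolve the account or group name to a SID
$sid = ([System.Security.Principal.NTAccount]$Principal).Translate($SidType)

foreach ($name in $ServerNames) {
    $computer = Get-ADComputer -Identity $name
    $path     = "AD:\$($computer.DistinguishedName)"
    $acl      = Get-Acl -Path $path

    # Look for an existing explicit or inherited allow ACE so reruns add nothing
    $existing = $acl.GetAccessRules($true, $true, $SidType) | Where-Object {
        $_.IdentityReference -eq $sid -and
        $_.ObjectType -eq $AllowedToAuth -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    }
    if ($existing) {
        Write-Output "$name : $Principal already has Allowed to Authenticate"
        continue
    }

    # Grant only this one extended right, on this one computer object
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AllowedToAuth)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    Write-Output "$name : granted Allowed to Authenticate to $Principal"
}
```

Scoping the ACE to the individual computer objects keeps the backup account from authenticating to anything else in the OU.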

Now your backups should run without auth errors.
 
