
Backup Exec 2012 System Logon Account for Domain Controller

Created: 08 Oct 2012 • Updated: 09 Oct 2012 | 14 comments
NBS's picture
This issue has been solved. See solution.

Hi,

Up till now, on Backup Exec 2010, we have been using a dedicated service account (which essentially has Backup Operator rights) as the System Logon Account. However, the same account that worked fine in Backup Exec 2010 no longer has enough rights for Backup Exec 2012. Can someone provide the list of rights that the System Logon Account needs to back up a domain controller? Admin or Domain admin are not acceptable answers.

Thanks,

David


NBS's picture

Thanks for the links - I had already seen them. Although the second link doesn't work.

Unfortunately they say you need domain admin or admin rights. This is not an option for us in our environment. Surely there must be certain things I can give access to short of full domain admin or admin?

Donald Eady's picture

What is the error code/message that you're seeing when the backup job fails out?

 

 

I hope this posting was helpful

  

Donald Eady's picture

Rather than give the system logon account domain admin rights, perhaps you can add an admin/domain admin account as a restricted logon account in BE, give it the necessary rights and use it to back up the D.C.

 

http://www.symantec.com/docs/HOWTO73278

 

I hope this posting was helpful

  

NBS's picture

When I create the backup job it shows the attached error. One thing to note is the same account works fine on Backup Exec 2010.

backupexecerror.png
Sym-cr@zy's picture

Hi NBS,

Create a new Domain Admin Account and also take care of the permissions listed below for the newly created Domain Admin Account:

The newly created Domain Admin account acting as Backup Exec Service Account (BESA) requires the following User Rights in group policy and group memberships:
User rights requirements:

Act as part of the operating system  

Backup files and directories

Create a token object

Log on as a batch job

Log on as a service

Manage auditing and security log (BE 2010 R3 and later)

Restore files and directories

Take ownership of files and other objects

Group Memberships or equivalent access:

  • Domain Admins or Administrators.
  • Backup Operators.

Use the below TECH ARTICLE to change the BE services to use the new Domain Admin Account:

http://www.symantec.com/docs/TECH82969

NOTE: Make sure from services.msc that all the BE Services are changed to use the new Domain Admin Account, if not then manually change it by Right Click-> Properties-> Logon

Also, the Error Recording Service and RAWS Service and SQL (<Instance Name>) Service should be in Local System.

The creation of a new Domain Account when the previous Domain Account was successfully working with the previous version of BE may sound like a crazy troubleshooting step, but in many scenarios it works.

          Appreciate every help you get, to help yourself better
                                  & 
      Please mark 'SOLUTION' for the post which resolved your issue.
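
The user rights listed in the post above can be audited per account from a security-policy export. This is an added example, not part of the original post or any Symantec tooling: it assumes the INF text comes from `secedit /export /cfg rights.inf /areas USER_RIGHTS` (read the real file as UTF-16), and the sample export and service-account SID are constructed.

```python
# Constants used in a security-policy export for the rights listed in the post.
REQUIRED_RIGHTS = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeBackupPrivilege": "Backup files and directories",
    "SeCreateTokenPrivilege": "Create a token object",
    "SeBatchLogonRight": "Log on as a batch job",
    "SeServiceLogonRight": "Log on as a service",
    "SeSecurityPrivilege": "Manage auditing and security log",
    "SeRestorePrivilege": "Restore files and directories",
    "SeTakeOwnershipPrivilege": "Take ownership of files and other objects",
}

def parse_privilege_rights(inf_text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            # SIDs are written as *S-1-...; unresolved account names appear bare.
            members = {m.strip().lstrip("*").lower() for m in value.split(",") if m.strip()}
            rights[name.strip()] = members
    return rights

def audit_account(inf_text, principals):
    """principals: SIDs/names of the account and its groups -> (held, missing)."""
    wanted = {p.lower() for p in principals}
    rights = parse_privilege_rights(inf_text)
    held = [r for r in REQUIRED_RIGHTS if rights.get(r, set()) & wanted]
    missing = [r for r in REQUIRED_RIGHTS if r not in held]
    return held, missing

# Constructed sample export; the service-account SID below is made up.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeSecurityPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""
SVC = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # hypothetical account
BACKUP_OPERATORS = "S-1-5-32-551"                       # well-known group SID
for right in audit_account(SAMPLE_INF, [SVC, BACKUP_OPERATORS])[1]:
    print("missing:", right, "-", REQUIRED_RIGHTS[right])
```

Pass the account's own SID together with the SIDs of every group it belongs to, since rights are usually granted to groups rather than to the account directly.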
NBS's picture

Thanks for the reply - however a domain admin account is not an acceptable account to use to backup. Is there no other level or right or permission that we could granularly assign to our service account?

Donald Eady's picture

Unfortunately, NBS, I am not aware of any other rights/permissions that can be assigned to the service account to replace the need to grant it domain admin/admin rights. Would it be at all possible to not grant domain rights but local admin rights to the service account?

I hope this posting was helpful

  

NBS's picture

It's a domain controller and therefore does not have local users or groups!

Donald Eady's picture

My apologies, that is correct, but I am not aware of any rights that can be granted to the service account that would replace the need to grant admin rights.

I hope this posting was helpful

  

Donald Eady's picture

NBS, please verify that all other permissions listed on the documents provided earlier are in place. Outside of this I would suggest creating a support case with Symantec so that the issue can be looked at a little more closely.

I hope this posting was helpful

  

CraigV's picture

David: You can try using an account that is added to the domain's Backup Operators group.

However, it is a requirement that the BESA have domain admin rights, as stated in the documents listed above, and Symantec isn't the only backup vendor who requires this. Not the answer you want, but that's the answer you will get.

There are no role-based rights within BE although this has been asked for on MANY occasions. Check the Ideas section and you should see a couple of them.

Alternative ways to access Backup Exec Technical Support:

https://www-secure.symantec.com/connect/blogs/alte...

SOLUTION
pkh's picture

You need domain admin rights to backup AD.

NBS's picture

Thanks for the responses everyone - this is what I had feared. I still don't understand why it worked fine without Domain Admin credentials on Backup Exec 2010 though!