Best practices for backing up a domain controller
Hi
We are in the process of tightening the security up in our office.
The first step will be to regularly change our domain admin passwords... others have always been fearful that everything will grind to a halt, so they refused to change them,
and to use a different account for backups than our domain admin accounts.
For member servers I do not think this is tough... since I'll just make a regular user account and add it to the local admin group for the servers.
But with a DC there are no local admin groups after the promotion, so what is the best way to back these up?
Should I just use a domain admin account and manually change the password whenever our domain admin passwords change, or is there a smarter way?
If it matters, we use Backup Exec here.
Comments
-
HeroPsycho Inactive Imported Users Posts: 1,940
There is a Builtin\Administrators group on a DC. It's just not obvious. However, check your backup software. They will tell you what your backup service account needs.
Good luck to all!
-
Smallguy Member Posts: 597
HeroPsycho wrote: » There is a Builtin\Administrators group on a DC. It's just not obvious. However, check your backup software. They will tell you what your backup service account needs.
I thought the Builtin\Administrators was removed or hidden once the box was promoted.
Is it accessible via the Start > Run "control userpasswords2" command?
-
Claymoore Member Posts: 1,637
Smallguy wrote: » I thought the Builtin\Administrators was removed or hidden once the box was promoted.
Is it accessible via the Start > Run "control userpasswords2" command?
It's only accessible during Directory Services Restore mode.
-
blargoe Member Posts: 4,174
In most cases you should be able to get by without making the backup account a local administrator. Which software are you using?
IT guy since 12/00
Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
-
HeroPsycho Inactive Imported Users Posts: 1,940
He's using Backup Exec.
That's sorta why I was recommending he check the docs for the security requirements for the account.
You could probably use PowerShell to add the user to the group without having to restart in that mode...
http://kentaylor.spaces.live.com/Blog/cns!7E6EBC6F4550C78A!134.entry
-
Smallguy Member Posts: 597
HeroPsycho wrote: » He's using Backup Exec.
That's sorta why I was recommending he check the docs for the security requirements for the account.
You could probably use PowerShell to add the user to the group without having to restart in that mode...
Adding Account to the Local Administrators Group with Powershell - Windows Live
That worked. Confirmed it using net localgroup administrators.
-
blargoe Member Posts: 4,174
Sorry, missed that last line in the original post.
I'm not having to do that in NetBackup, but I remember in Backup Exec we had to make the account a member of Builtin\Administrators in the domain. I think generally Backup Operator is enough though.
-
HeroPsycho Inactive Imported Users Posts: 1,940
blargoe wrote: » Sorry, missed that last line in the original post.
I'm not having to do that in NetBackup, but I remember in Backup Exec we had to make the account a member of Builtin\Administrators in the domain. I think generally Backup Operator is enough though.
I think if you're using Granular Restore options and agents, you likely need full Admin rights. I know for Exchange GRT the account has to have full mailbox access to every mailbox.
P.S. PowerShell strikes again!
-
blargoe Member Posts: 4,174
Yep, I actually am using a separate Windows account for my Exchange backups because of that.
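
Added example, not part of any post in this thread: one way to report how much privilege a dedicated backup service account actually holds in the domain, and when its password was last changed. It assumes the ActiveDirectory PowerShell module is installed and uses a hypothetical account name, `svc-backupexec`.

```powershell
# Added example; not code from the thread or from any backup vendor.
# Requires the ActiveDirectory module (RSAT or run on a DC).
# 'svc-backupexec' is a hypothetical account name; substitute your own.
Import-Module ActiveDirectory

$BackupAccount = 'svc-backupexec'

# The two groups debated in the thread, plus Domain Admins for comparison.
$GroupsToCheck = 'Administrators', 'Backup Operators', 'Domain Admins'

function Get-BackupAccountPrivilege {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $GroupName
    )
    $user = Get-ADUser -Identity $SamAccountName `
                       -Properties PasswordLastSet, PasswordNeverExpires

    foreach ($name in $GroupName) {
        # -Recursive expands nested groups, so indirect membership is reported too.
        $members = Get-ADGroupMember -Identity $name -Recursive
        [pscustomobject]@{
            Account              = $user.SamAccountName
            Group                = $name
            IsMember             = [bool]($members | Where-Object { $_.SID -eq $user.SID })
            PasswordLastSet      = $user.PasswordLastSet
            PasswordNeverExpires = $user.PasswordNeverExpires
        }
    }
}

$report = Get-BackupAccountPrivilege -SamAccountName $BackupAccount -GroupName $GroupsToCheck
$report | Format-Table -AutoSize

# Flag the situation the original post wants to get away from:
# the backup account riding on Domain Admins rights.
$report |
    Where-Object { $_.IsMember -and $_.Group -eq 'Domain Admins' } |
    ForEach-Object { Write-Warning "$($_.Account) is a member of $($_.Group)" }
```

On a domain controller, `Administrators` resolves to the domain's Builtin\Administrators group, so the report shows whether the account holds that membership directly or through a nested group.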