best practises for Backup up a domain controller

Hi

We are in the process of tightening the security up in our office

the first step will be to regularly change our domain admin passwords... others have always been fearful that everything will grind to a halt so they refused to change them

and to use a different account for Backups than our domain admin accounts.

for member servers I do not think this is tough.. .since I'll just make a regular user account and add it to the local admin group for the servers.

But with a DC there is no local admin groups after the promotion so what is the best way to back these up ?

Should I just use a domain Admin account and manually change the password when ever our domain admin passwords change or is there a smarter way?

if it matters we use Backup exec here

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

HeroPsycho

There is a Builtin\Administrators group on a DC. It's just not obvious. However, check your backup software. They will tell you what your backup service account needs.

Smallguy

HeroPsycho wrote: »

There is a Builtin\Administrators group on a DC. It's just not obvious. However, check your backup software. They will tell you what your backup service account needs.

I thought the builtin\administrators as removed or hidden once the box was promoted

is it accessible via the start run control userpasswords2 command ??

Claymoore

Smallguy wrote: »

I thought the builtin\administrators as removed or hidden once the box was promoted

is it accessible via the start run control userpasswords2 command ??

It's only accessible during Directory Services Restore mode.

blargoe

In most cases you should be able to get by without making the backup account a local administrator. Which software are you using?

HeroPsycho

He's using Backup Exec.

That's sorta why I was recommending he check the docs for the security requirements for the account.

You could probably use PowerShell to add the user to the group without having to restart in that mode...

http://kentaylor.spaces.live.com/Blog/cns!7E6EBC6F4550C78A!134.entry

Smallguy

HeroPsycho wrote: »

He's using Backup Exec.

That's sorta why I was recommending he check the docs for the security requirements for the account.

You could probably use PowerShell to add the user to the group without having to restart in that mode...

Adding Account to the Local Administrators Group with Powershell - Windows Live

that worked confirmed it using net localgroups administrators

blargoe

Sorry missed that last line in the original post

I'm not having to do that in Netbackup, but I remember in Backup Exec we had to make the account a member of Builtin\Administrators in the domain. I think generally Backup Operator is enough though.

HeroPsycho

blargoe wrote: »

Sorry missed that last line in the original post

I'm not having to do that in Netbackup, but I remember in Backup Exec we had to make the account a member of Builtin\Administrators in the domain. I think generally Backup Operator is enough though.

I think if you're using Granular Restore options and agents, you likely need full Admin rights. I know for Exchange GRT the account has to have full mailbox access to every mailbox.

P.S. PowerShell strikes again!

blargoe

Yep, I actually am using a separate Windows account for my Exchange backups because of that