| Author | Messages | |
edpoteet
Posts:15
 | | 11/09/2009 7:43 PM |
| Hello All,
In my current environment we are going to be required to support Veritas Netbackup for Exchange. All of the documentation is saying that the service account is going to need to be a member of the Domain Admins. I haven't found any documentation to find what the actual permissions required are. We are a fairly paranoid group and we only have 4 domain admins for a 30,000 seat environment with a fairly good delegation model, so I would definately prefer to simply have the delegated rights required for the service account. I have only done some initial googling/forum lookups and I have come aross bupkis and was wondering if any of you had come across as I don't really believe in giving service accounts Domain Admin privs.
Thank you for your help!
-Evan
| | | |
| bdesmond
Posts:843
| | 11/09/2009 8:01 PM |
| I've used NetBackup with Exchange many times and have never heard this...
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Evan Poteet
Sent: Monday, November 09, 2009 1:43 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] [OT] Veritas Netbackup for Exchange 2007 SP2
Hello All,
In my current environment we are going to be required to support Veritas Netbackup for Exchange. All of the documentation is saying that the service account is going to need to be a member of the Domain Admins. I haven't found any documentation to find what the actual permissions required are. We are a fairly paranoid group and we only have 4 domain admins for a 30,000 seat environment with a fairly good delegation model, so I would definately prefer to simply have the delegated rights required for the service account. I have only done some initial googling/forum lookups and I have come aross bupkis and was wondering if any of you had come across as I don't really believe in giving service accounts Domain Admin privs.
Thank you for your help!
-Evan
| | | |
| smsadm
Posts:29
| | 11/09/2009 8:03 PM |
| It may just be needed for the install
On Mon, Nov 9, 2009 at 2:59 PM, Brian Desmond <brian@briandesmond.com>wrote:
> *I’ve used NetBackup with Exchange many times and have never heard this…*
>
> * *
>
> *Thanks,*
>
> *Brian Desmond*
>
> *brian@briandesmond.com*
>
> * *
>
> *c - 312.731.3132*
>
> * *
>
> *From:* activedir-owner@mail.activedir.org [mailto:
> activedir-owner@mail.activedir.org] *On Behalf Of *Evan Poteet
> *Sent:* Monday, November 09, 2009 1:43 PM
> *To:* activedir@mail.activedir.org
> *Subject:* [ActiveDir] [OT] Veritas Netbackup for Exchange 2007 SP2
>
>
>
> Hello All,
>
>
>
> In my current environment we are going to be required to support Veritas
> Netbackup for Exchange. All of the documentation is saying that the service
> account is going to need to be a member of the Domain Admins. I haven't
> found any documentation to find what the actual permissions required are.
> We are a fairly paranoid group and we only have 4 domain admins for a 30,000
> seat environment with a fairly good delegation model, so I would definately
> prefer to simply have the delegated rights required for the service
> account. I have only done some initial googling/forum lookups and I have
> come aross bupkis and was wondering if any of you had come across as I don't
> really believe in giving service accounts Domain Admin privs.
>
>
>
> Thank you for your help!
>
>
>
> -Evan
>
--
smsadm
Sent from Moraine, Ohio, United States
| | | |
| edpoteet
Posts:15
| | 11/09/2009 8:16 PM |
| >From the documentation :-/
Bolded the scary parts for me:
Configuring the NetBackup service account (Exchange 2007)
To configure the NetBackup service account (Exchange 2007)
1 In Active Directory Users and Computers, select the Users directory.
2 Right-click on the Administrator account, click Copy, and create an account
for NetBackup.
Create a user account that has a mailbox with a unique name. A unique name
is one that does not already exist within the Exchange Organization. This
name cannot be contained as a set of characters in an existing name.
For example: EXCH1 is entered as the unique mailbox name, and other mailbox
names such asEXCH1BACKUPorBACKUPEXCH1exist. The backup or restore
of individual mailboxes or both fail.
3 After you create the account, double-click the account, click the Members Of
tab, and add this account to the Domain Admins group.
4 Open the Exchange Management Console.
5 In the Exchange Management Console, click Organization Configuration.
6 Right-click on Organization Configuration and click Add Exchange
Administrator.
7 On the Add Exchange Administrator page, click Browse and select the user
to which you want to delegate control.
8 Click the Exchange Server Administrator role.
9 Under Select the server(s) to which this role has access, click Add.
10 Select the servers to which you want to delegate control and click OK.
11 Click Add.
12 On the Completion page, verify that the delegation was successful and click
Finish.
13 Configure the NetBackup Client Service log on account.
To configure the NetBackup service account (Exchange 2000/2003)
1 Use Active Directory Users and Computers to create a user account that has
a mailbox with a unique name.
A unique name is one that does not already exist within the Exchange
Organization. This name cannot be contained as a set of characters in an
existing name.
For example: EXCH1 is entered as the unique mailbox name, and other mailbox
names such asEXCH1BACKUPorBACKUPEXCH1exist. The backup or restore
of individual mailboxes or both fail.
2 After you create the account, double-click the account, click the Members Of
tab, and add this account to the Domain Admins group.
3 Open Exchange System Manager.
4 Right-click the Exchange Organization and click Delegate Control.
5 Click Next.
6 On the Users or the Groups screen, click Add.
7 In the Delegate Control dialog box, provide the following information.
Group or User Specify the name of the account that was created in step 1.
Role Select Exchange Full Administrator.
8 Complete the Delegation wizard.
9 If you have an Active/Active configuration, you must grant “Receive As” and
“Send As” advanced permission to the account created for the NetBackup
Client Service. Perform this action on each virtual Exchange Server in the
configuration.
See “Granting the NetBackup Client Service account advanced permission
(Exchange 2007)” on page 52.
10 Configure the NetBackup Client Service log on account.
This seems to say that it is needed for more than the original install...
As I have said I have done some initial digging but I coudn't find anything. I can understand most of the permissions needed but what does this account need that much permission in AD? (Not an Exchange guy, just recently got involved with our implementation of exchange)
If no one has run across this before I will stand up some extra test boxes and do some serious auditing to see what properties are being written to but I was hoping it has come up before for someone on the list.
Thanks,
-Evan
________________________________
From: activedir-owner@mail.activedir.org [activedir-owner@mail.activedir.org] On Behalf Of Brian Desmond [brian@briandesmond.com]
Sent: Monday, November 09, 2009 2:59 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Veritas Netbackup for Exchange 2007 SP2
I’ve used NetBackup with Exchange many times and have never heard this…
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Evan Poteet
Sent: Monday, November 09, 2009 1:43 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] [OT] Veritas Netbackup for Exchange 2007 SP2
Hello All,
In my current environment we are going to be required to support Veritas Netbackup for Exchange. All of the documentation is saying that the service account is going to need to be a member of the Domain Admins. I haven't found any documentation to find what the actual permissions required are. We are a fairly paranoid group and we only have 4 domain admins for a 30,000 seat environment with a fairly good delegation model, so I would definately prefer to simply have the delegated rights required for the service account. I have only done some initial googling/forum lookups and I have come aross bupkis and was wondering if any of you had come across as I don't really believe in giving service accounts Domain Admin privs.
Thank you for your help!
-Evan
| | | |
| kennedyjim
Posts:65
| | 11/09/2009 8:20 PM |
| I can't speak for NetBackup but on BackupExec it only needs to be a local admin and have full access to the mailboxes. I would download the demo and give it a test drive.
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Evan Poteet
Sent: Monday, November 09, 2009 3:15 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Veritas Netbackup for Exchange 2007 SP2
>From the documentation :-/
Bolded the scary parts for me:
Configuring the NetBackup service account (Exchange 2007)
To configure the NetBackup service account (Exchange 2007)
1 In Active Directory Users and Computers, select the Users directory.
2 Right-click on the Administrator account, click Copy, and create an account
for NetBackup.
Create a user account that has a mailbox with a unique name. A unique name
is one that does not already exist within the Exchange Organization. This
name cannot be contained as a set of characters in an existing name.
For example: EXCH1 is entered as the unique mailbox name, and other mailbox
names such asEXCH1BACKUPorBACKUPEXCH1exist. The backup or restore
of individual mailboxes or both fail.
3 After you create the account, double-click the account, click the Members Of
tab, and add this account to the Domain Admins group.
4 Open the Exchange Management Console.
5 In the Exchange Management Console, click Organization Configuration.
6 Right-click on Organization Configuration and click Add Exchange
Administrator.
7 On the Add Exchange Administrator page, click Browse and select the user
to which you want to delegate control.
8 Click the Exchange Server Administrator role.
9 Under Select the server(s) to which this role has access, click Add.
10 Select the servers to which you want to delegate control and click OK.
11 Click Add.
12 On the Completion page, verify that the delegation was successful and click
Finish.
13 Configure the NetBackup Client Service log on account.
To configure the NetBackup service account (Exchange 2000/2003)
1 Use Active Directory Users and Computers to create a user account that has
a mailbox with a unique name.
A unique name is one that does not already exist within the Exchange
Organization. This name cannot be contained as a set of characters in an
existing name.
For example: EXCH1 is entered as the unique mailbox name, and other mailbox
names such asEXCH1BACKUPorBACKUPEXCH1exist. The backup or restore
of individual mailboxes or both fail.
2 After you create the account, double-click the account, click the Members Of
tab, and add this account to the Domain Admins group.
3 Open Exchange System Manager.
4 Right-click the Exchange Organization and click Delegate Control.
5 Click Next.
6 On the Users or the Groups screen, click Add.
7 In the Delegate Control dialog box, provide the following information.
Group or User Specify the name of the account that was created in step 1.
Role Select Exchange Full Administrator.
8 Complete the Delegation wizard.
9 If you have an Active/Active configuration, you must grant "Receive As" and
"Send As" advanced permission to the account created for the NetBackup
Client Service. Perform this action on each virtual Exchange Server in the
configuration.
See "Granting the NetBackup Client Service account advanced permission
(Exchange 2007)" on page 52.
10 Configure the NetBackup Client Service log on account.
This seems to say that it is needed for more than the original install...
As I have said I have done some initial digging but I coudn't find anything. I can understand most of the permissions needed but what does this account need that much permission in AD? (Not an Exchange guy, just recently got involved with our implementation of exchange)
If no one has run across this before I will stand up some extra test boxes and do some serious auditing to see what properties are being written to but I was hoping it has come up before for someone on the list.
Thanks,
-Evan
________________________________
From: activedir-owner@mail.activedir.org [activedir-owner@mail.activedir.org] On Behalf Of Brian Desmond [brian@briandesmond.com]
Sent: Monday, November 09, 2009 2:59 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Veritas Netbackup for Exchange 2007 SP2
I've used NetBackup with Exchange many times and have never heard this...
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Evan Poteet
Sent: Monday, November 09, 2009 1:43 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] [OT] Veritas Netbackup for Exchange 2007 SP2
Hello All,
In my current environment we are going to be required to support Veritas Netbackup for Exchange. All of the documentation is saying that the service account is going to need to be a member of the Domain Admins. I haven't found any documentation to find what the actual permissions required are. We are a fairly paranoid group and we only have 4 domain admins for a 30,000 seat environment with a fairly good delegation model, so I would definately prefer to simply have the delegated rights required for the service account. I have only done some initial googling/forum lookups and I have come aross bupkis and was wondering if any of you had come across as I don't really believe in giving service accounts Domain Admin privs.
Thank you for your help!
-Evan
| | | |
| deji
Posts:259
| | 11/09/2009 8:28 PM |
| Unless you are using SBS or have your Exchange installed on a DC, then you just need an account that has local admin on the box you are installing it on, AND sendas/receiveas permission on mailboxes.
Domain Admins just makes it easier.
Sincerely,
_____
(, / | /) /) /)
/---| (/_ ______ ___// _ // _
) / |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
(/
www.akomolafe.name<http://www.akomolafe.name/> - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
________________________________
From: activedir-owner@mail.activedir.org [activedir-owner@mail.activedir.org] On Behalf Of Evan Poteet [evan.poteet@nuaxis.com]
Sent: Monday, November 09, 2009 11:42 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] [OT] Veritas Netbackup for Exchange 2007 SP2
Hello All,
In my current environment we are going to be required to support Veritas Netbackup for Exchange. All of the documentation is saying that the service account is going to need to be a member of the Domain Admins. I haven't found any documentation to find what the actual permissions required are. We are a fairly paranoid group and we only have 4 domain admins for a 30,000 seat environment with a fairly good delegation model, so I would definately prefer to simply have the delegated rights required for the service account. I have only done some initial googling/forum lookups and I have come aross bupkis and was wondering if any of you had come across as I don't really believe in giving service accounts Domain Admin privs.
Thank you for your help!
-Evan
| | | |
| edpoteet
Posts:15
| | 11/09/2009 8:57 PM |
| Having used BackupExec in the past I would much preferr that solution, unfortunately that decision was made without my imput and I have a fairly short implementation timeline.
-Evan
________________________________
From: activedir-owner@mail.activedir.org [activedir-owner@mail.activedir.org] On Behalf Of Kennedy, Jim [kennedyjim@elyriaschools.org]
Sent: Monday, November 09, 2009 3:17 PM
To: 'activedir@mail.activedir.org'
Subject: RE: [ActiveDir] [OT] Veritas Netbackup for Exchange 2007 SP2
I can’t speak for NetBackup but on BackupExec it only needs to be a local admin and have full access to the mailboxes. I would download the demo and give it a test drive.
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Evan Poteet
Sent: Monday, November 09, 2009 3:15 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Veritas Netbackup for Exchange 2007 SP2
>From the documentation :-/
Bolded the scary parts for me:
Configuring the NetBackup service account (Exchange 2007)
To configure the NetBackup service account (Exchange 2007)
1 In Active Directory Users and Computers, select the Users directory.
2 Right-click on the Administrator account, click Copy, and create an account
for NetBackup.
Create a user account that has a mailbox with a unique name. A unique name
is one that does not already exist within the Exchange Organization. This
name cannot be contained as a set of characters in an existing name.
For example: EXCH1 is entered as the unique mailbox name, and other mailbox
names such asEXCH1BACKUPorBACKUPEXCH1exist. The backup or restore
of individual mailboxes or both fail.
3 After you create the account, double-click the account, click the Members Of
tab, and add this account to the Domain Admins group.
4 Open the Exchange Management Console.
5 In the Exchange Management Console, click Organization Configuration.
6 Right-click on Organization Configuration and click Add Exchange
Administrator.
7 On the Add Exchange Administrator page, click Browse and select the user
to which you want to delegate control.
8 Click the Exchange Server Administrator role.
9 Under Select the server(s) to which this role has access, click Add.
10 Select the servers to which you want to delegate control and click OK.
11 Click Add.
12 On the Completion page, verify that the delegation was successful and click
Finish.
13 Configure the NetBackup Client Service log on account.
To configure the NetBackup service account (Exchange 2000/2003)
1 Use Active Directory Users and Computers to create a user account that has
a mailbox with a unique name.
A unique name is one that does not already exist within the Exchange
Organization. This name cannot be contained as a set of characters in an
existing name.
For example: EXCH1 is entered as the unique mailbox name, and other mailbox
names such asEXCH1BACKUPorBACKUPEXCH1exist. The backup or restore
of individual mailboxes or both fail.
2 After you create the account, double-click the account, click the Members Of
tab, and add this account to the Domain Admins group.
3 Open Exchange System Manager.
4 Right-click the Exchange Organization and click Delegate Control.
5 Click Next.
6 On the Users or the Groups screen, click Add.
7 In the Delegate Control dialog box, provide the following information.
Group or User Specify the name of the account that was created in step 1.
Role Select Exchange Full Administrator.
8 Complete the Delegation wizard.
9 If you have an Active/Active configuration, you must grant “Receive As” and
“Send As” advanced permission to the account created for the NetBackup
Client Service. Perform this action on each virtual Exchange Server in the
configuration.
See “Granting the NetBackup Client Service account advanced permission
(Exchange 2007)” on page 52.
10 Configure the NetBackup Client Service log on account.
This seems to say that it is needed for more than the original install...
As I have said I have done some initial digging but I coudn't find anything. I can understand most of the permissions needed but what does this account need that much permission in AD? (Not an Exchange guy, just recently got involved with our implementation of exchange)
If no one has run across this before I will stand up some extra test boxes and do some serious auditing to see what properties are being written to but I was hoping it has come up before for someone on the list.
Thanks,
-Evan
________________________________
From: activedir-owner@mail.activedir.org [activedir-owner@mail.activedir.org] On Behalf Of Brian Desmond [brian@briandesmond.com]
Sent: Monday, November 09, 2009 2:59 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Veritas Netbackup for Exchange 2007 SP2
I’ve used NetBackup with Exchange many times and have never heard this…
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Evan Poteet
Sent: Monday, November 09, 2009 1:43 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] [OT] Veritas Netbackup for Exchange 2007 SP2
Hello All,
In my current environment we are going to be required to support Veritas Netbackup for Exchange. All of the documentation is saying that the service account is going to need to be a member of the Domain Admins. I haven't found any documentation to find what the actual permissions required are. We are a fairly paranoid group and we only have 4 domain admins for a 30,000 seat environment with a fairly good delegation model, so I would definately prefer to simply have the delegated rights required for the service account. I have only done some initial googling/forum lookups and I have come aross bupkis and was wondering if any of you had come across as I don't really believe in giving service accounts Domain Admin privs.
Thank you for your help!
-Evan
| | | |
| CKaiser
Posts:35
| | 11/09/2009 9:15 PM |
| Don't make it a domain admin account, then run a test backup on each target
machine. Likely failure points are Exchange and DCs. With Backup Exec, I
used to use a separate account for backing up DCs with some restrictions
like login hours etc and a non DA account for everything else. You should be
able to delegate the rights for exchange easily enough. DCs are a little
trickier...
***********************
Charlie Kaiser
charliek@golden-eagle.org
Kingman, AZ
***********************
> -----Original Message-----
> From: activedir-owner@mail.activedir.org
> [mailto:activedir-owner@mail.activedir.org] On Behalf Of Evan Poteet
> Sent: Monday, November 09, 2009 12:43 PM
> To: activedir@mail.activedir.org
> Subject: [ActiveDir] [OT] Veritas Netbackup for Exchange 2007 SP2
>
> Hello All,
>
> In my current environment we are going to be required to
> support Veritas Netbackup for Exchange. All of the
> documentation is saying that the service account is going to
> need to be a member of the Domain Admins. I haven't found
> any documentation to find what the actual permissions
> required are. We are a fairly paranoid group and we only
> have 4 domain admins for a 30,000 seat environment with a
> fairly good delegation model, so I would definately prefer to
> simply have the delegated rights required for the service
> account. I have only done some initial googling/forum
> lookups and I have come aross bupkis and was wondering if any
> of you had come across as I don't really believe in giving
> service accounts Domain Admin privs.
>
> Thank you for your help!
>
> -Evan
>
| | | |
| pbbergs
Posts:176
| | 11/09/2009 9:42 PM |
| We are using NBU and a Windows 2008 Geographical Cluster with Exchange 2007 and we don't use this setup at all and everything works just fine.
Thanks
Paul
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Evan Poteet
Sent: Monday, November 09, 2009 1:43 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] [OT] Veritas Netbackup for Exchange 2007 SP2
Hello All,
In my current environment we are going to be required to support Veritas Netbackup for Exchange. All of the documentation is saying that the service account is going to need to be a member of the Domain Admins. I haven't found any documentation to find what the actual permissions required are. We are a fairly paranoid group and we only have 4 domain admins for a 30,000 seat environment with a fairly good delegation model, so I would definately prefer to simply have the delegated rights required for the service account. I have only done some initial googling/forum lookups and I have come aross bupkis and was wondering if any of you had come across as I don't really believe in giving service accounts Domain Admin privs.
Thank you for your help!
-Evan
| | | |
|
|