Hyper-V Host trust established but credentials check fails?

What happens if the same password is used instead of a different password for the account ?

Hi VJWare,

O.k. before I go and change the password what I don't understand is that all the individual VMs within the Hyper-V host seem fine. That is by doing - Right-Click > Details > Credentials > Test Credentials

Using the same settings on the Hyper-V host server on which the above VM resides I get the following? I would not mind to much about the host but there are data shares on there I need to backup!

So as you can see the VMs use a combination of the Resource domain BackupExec service account and <Use Servers Logon Account> which seems to be working however, on the Hyper-V host selecting <Use Servers Logon Account> from the drop downl list does nothing! It simply resets itself back to the <System Logon Account> which is from a differant resource domain and hence fails!

As things stand I could backup the VMs via the local agent but BE reccomends backing up VMs via the VM agent on the host...plus I need to backup data shares on the host so need to get this working.

Thanks again...

Do you have the System Logon Account set ? By default, it is the same account under which the BE services run (except the Remote Agent service which uses the Local System Account). This account is used for backup of shares. Hence, the credentials fail since the password is different.

Whereas for the VM itself, it is impersonating the account with the different password which is known to the VM.

Becomes easier, if an account with same password is used.

Just to add to VJware's comment

If you backup over shares, the remote agent process on the Backup Exec server could be the one accessing the data, and not any remote agent installed inside the remote computer. If there is a domain boundary between the two systems that might result in some authentication issues. 

BTW We do not recommend performing share level backups on systems that can run a remote agent, you should be installing the remote agent and running a normal file system backup (selection via drive letter) - although if something like DFSR is involved against the shares then you would backup the Shadow Copy Components to protect the data (as the correct method anyway)

One extra point if you change logon details in those drop downs (from your screenshots) you MUST click the Apply button before clicking test as otherwise the test will not be performed against your changes.

Yes, I do have a 'System Logon Account' as set during the installation of the BE Server but as you say it is logical that this will not allow access to shares of the Hyper-V host as it's in a different resource domain. I do actually have a trust setup between the domains. So I added the 'System Logon Account' to the folder permissions directly with modify access and still it fails?

What's confusing is I cannot change the credential options to use on the Hyper-V Host to match those of the VMs? When I try select <Use Server's Logon Account> on the Hyper-V host it won't allow it?

Any ideas why wouldnot be able to use the local service account on the Host server when it works perfect for the VMs on that Host server?

Afaik, "Use Server's Logon Account" is automatically selected for resources such as drives, system state and it cannot be manually selected for other type of resources.

This is by design since one cannot have the option to choose a different account for C:\, System State etc when the top level account is already chosen. Hence, these resources are automatically set to use the top-level account i.e. "User Server's Logon Account".

Are you still receiving errors if you use a single account with the same password ?

Yes still getting errors...only on the Host...very odd?

I deleted the Hyper-V host server from the BE Server inventory. Readded it...once that was done as you say by default the <use server's logon account> came up as the default option, mo apply button present to press as mentioned by Colin.

So now my Hyper-V Host credentials settings are identical to the VM credentials settings on that host but still the host is failing to varify it's resource credentials...the server itself varifies fine???

Also I reset the password as you said...these are my accounts...both with identical passwords in their domains. Both are domain admins.

AMADEUSJHB\BackupExec - System Logon Account - Type = Common

AISJHB\BackupExec - Type = Common

Does the account used to establish a trust with the BE Server matter?

In the secondary resource domain what account should be used for the BE agent publishing? Should it be the BE Server 'System Logon Account' or the additional logon account for the secondary resource domain? For some reason I can't add the IP in the published list on this problematic host. On all the other servers the BE Server IP appears, some in IPv4 for and other in IPv6 format.

The System Logon Account is preferably used.

Do you receive any error when adding the IP address ? Do ensure the BE account has full rights on the Backup Exec registry hive under HKLM\Software\Symantec\Backup Exec.