Backup & Recovery

What permissions should NetBackup account have on windows server to be able to do GRT restore of AD objects? Documentation says that "Domain  Administrator" is more than enough... Recently I've faced with an interesting issue.  Our customer tried to restore some object in AD but he couldn't and blamed GRT. I started investigation. Job Details said that it was regular error 2808:

23.08.2016 17:42:44 - Error bpbrm (pid=90469) client restore EXIT STATUS 5: the restore failed to recover the requested files

23.08.2016 17:42:44 - restored from image dc.companyname.com_1471852730; restore time: 0:00:48 23.08.2016 17:42:45 - Warning bprd (pid=29220) Restore must be resumed prior to first image expiration on Mon Sep  5 10:58:50 2016

23.08.2016 17:42:45 - end Restore; elapsed time 0:00:50 Windows File System policy restore error  (2808)  

ncfgre log on the client had some signals that Domain Administrator hadn't sufficient rights for the restore objects and even for reading object properties:

08/23/2016 16:37:45.653 [RAIConsumer::_objectOpenAndWrite()] id: System?State\Active Directory\CN=Configuration\CN=Services\CN=Microsoft Exchange\CN=CompanyName\CN=Transport Settings\CN=Rules, bytes written: 8882 (../RAIConsumer.cpp:1104)

08/23/2016 16:37:45.653 [[fsys\adgran]       ]      ADProv:Error 80072030 reading object properties [CN=Transport Settings] at D:1066 (../BEDSContext.cpp:159)
.......................................................................................................................

08/23/2016 16:37:46.581 [Object::create()] FS_CloseObj() Failure! (0xE0008488:Access is denied.) (../Object.cpp:499) 08/23/2016 16:37:46.581 [RAIConsumer::_objectOpenAndWrite()] create() failed, status = 6 (../RAIConsumer.cpp:971)

08/23/2016 16:37:46.581 [RAIConsumer::writeToRai(CFEObj,Root)] create and write failure, status = 6 (../RAIConsumer.cpp:1328)

08/23/2016 16:37:46.581 [Error] V-158-11 unable to create object for restore: \System State\Active Directory\Active Directory\CN=Configuration\CN=Services\CN=Microsoft Exchange\CN=CompanyName\CN=Transport Settings\CN=Rules\CN=TransportVersioned\CN=some email rule, rai error = 6

We used Microsoft's DSACLS tool to verify security privileges of containers mentioned in log and found that Domain Administrator didn't have enough permissions to restore objects and NetBackup services need run as Enterprise Administrator. After adding NetBackup user into Enterprise Administrators group  (and services recycle) we managed to restore those objects. So, sometimes we need more privileges.

Tags (3)
Contributors