cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Veritas.com
Support

AD GRT restore and NetBackup account's permissions

Mike_Gavrilov
Moderator
Moderator
Partner    VIP    Accredited Certified

on ‎10-24-2016 12:42 PM

What permissions should NetBackup account have on windows server to be able to do GRT restore of AD objects? Documentation says that "Domain  Administrator" is more than enough... Recently I've faced with an interesting issue.  Our customer tried to restore some object in AD but he couldn't and blamed GRT. I started investigation. Job Details said that it was regular error 2808:

23.08.2016 17:42:44 - Error bpbrm (pid=90469) client restore EXIT STATUS 5: the restore failed to recover the requested files

23.08.2016 17:42:44 - restored from image dc.companyname.com_1471852730; restore time: 0:00:48 23.08.2016 17:42:45 - Warning bprd (pid=29220) Restore must be resumed prior to first image expiration on Mon Sep  5 10:58:50 2016

23.08.2016 17:42:45 - end Restore; elapsed time 0:00:50 Windows File System policy restore error  (2808)  

ncfgre log on the client had some signals that Domain Administrator hadn't sufficient rights for the restore objects and even for reading object properties:

08/23/2016 16:37:45.653 [RAIConsumer::_objectOpenAndWrite()] id: System?State\Active Directory\CN=Configuration\CN=Services\CN=Microsoft Exchange\CN=CompanyName\CN=Transport Settings\CN=Rules, bytes written: 8882 (../RAIConsumer.cpp:1104)

08/23/2016 16:37:45.653 [[fsys\adgran]       ]      ADProv:Error 80072030 reading object properties [CN=Transport Settings] at D:1066 (../BEDSContext.cpp:159)
.......................................................................................................................

08/23/2016 16:37:46.581 [Object::create()] FS_CloseObj() Failure! (0xE0008488:Access is denied.) (../Object.cpp:499) 08/23/2016 16:37:46.581 [RAIConsumer::_objectOpenAndWrite()] create() failed, status = 6 (../RAIConsumer.cpp:971)

08/23/2016 16:37:46.581 [RAIConsumer::writeToRai(CFEObj,Root)] create and write failure, status = 6 (../RAIConsumer.cpp:1328)

08/23/2016 16:37:46.581 [Error] V-158-11 unable to create object for restore: \System State\Active Directory\Active Directory\CN=Configuration\CN=Services\CN=Microsoft Exchange\CN=CompanyName\CN=Transport Settings\CN=Rules\CN=TransportVersioned\CN=some email rule, rai error = 6

We used Microsoft's DSACLS tool to verify security privileges of containers mentioned in log and found that Domain Administrator didn't have enough permissions to restore objects and NetBackup services need run as Enterprise Administrator. After adding NetBackup user into Enterprise Administrators group  (and services recycle) we managed to restore those objects. So, sometimes we need more privileges.

Version history
Last update:
‎10-24-2016 12:42 PM
Updated by:
Moderator
Contributors