
Group Managed Service Account and Backup Exec - Best Practices


I have searched for and found numerous posts regarding Backup Exec and Group Managed Service Accounts.  Unfortunately, they are rather non-committal about whether doing so is either good or bad.

Here is my situation.  I have a small AD enterprise of about 30 workstations and servers that are being backed up via Backup Exec 20.  I am currently using the same domain admin equivalent account for both the Logon account and the BE services credentials.  The system is working fine as it is.

This system will eventually be turned over to a customer and I am looking to simplify their usage.  Part of their responsibilities will be to change the passwords of all accounts on a regular basis.  This will include the BE account mentioned earlier.

Under my current setup, the AD/System administrator would change the password in Active Directory, then change both the Logon account password in the Logon Account Wizard and change the services account password in Backup Exec Services Manager.  This would be followed by a restart of all BE services from within the same screen.  No problem, but I built this thing so it makes sense to me.  The client may think otherwise.

Would it be better to implement a separate gMSA for the Backup Exec services?  If I understand it correctly, only the Logon account would need to be changed regularly and the gMSA would manage its passwords on its own, independently of the Logon account.  Of course, this would render the Backup Exec Services Manager useless, which introduces potential support troubles of its own.

Does Veritas have any best practice documentation or direction regarding the use of gMSAs?  Has anyone here implemented (even if only temporarily) gMSAs in their Backup Exec environments?  If so, what was your experience?  Were you satisfied with the results?