Unable to establish trust or Browse Failure

When I try to establish a trust or schedule a backup for a Windows 2012 Core Installation Domain Controller I get this error:

Failed to browse...

Failed to log on to Microsoft Windows.

Ensure that your logon credentials are entered and that they meet the following minimum requirements to log on to a Windows computer:

-The credentials used are a member of the Backup Operators group.

-For Windows Vista/2008 and later, the credentials have the Log on as a batch job privilege.

Additional privileges may be required to access resources on the Windows computer.

 

I am running Backup Exec 2012 with Service Pack 2 on Windows Server 2008 R2 Std 64bit

My BE service account is

  • A Domain Admin
  • In the Backup Operators security group
  • In the Exchange Organization Administrators security group
  • Set explicitly as local admin, run as batch, and run as service
  • Is NOT in the Domain Users group

I am backing up Windows 2003, 2008, and 2012 platforms successfully with this service account.

I am also backing up Windows 2012 Core File Server installations successfully with this service account.

There are 4 DCs running Core Installations that have this issue:

  • When adding the DCs to BE it connected and installed with no issues.
  • The services are present and running on the DCs.
  • There are no event logs on the DCs or the BE Server referencing these attempts.
  • Remote Desktop is enabled
  • Firewall is turned off
  • These attempts do not lock out the account

All responses are greatly appreciated :)



Hello, Please make sure these

Hello,

Please make sure these services are running as Domain\Administrator and verify the password is correct: 

  • Backup Exec Agent Browser
  • Backup Exec Device & Media Service
  • Backup Exec Job Engine
  • Backup Exec Management Service
  • Backup Exec Server

Also see this link and verify these requirements are in place: Requirements for the Backup Exec Service Account (BESA)

 


Thank you for your response

Thank you for your response :)

The above services are running as Domain\Administrator and the rights assignments requirements have been met.

The error still occurs.

It is a 2003 domain level - if that makes a difference.


Check to make sure there

Check to make sure there aren't any policies that are restricting access to the servers.

Are the servers using IPv6 or IPv4? Try matching this in Backup Exec by editing the job, then under Backup Options, under Network, make sure it is set to "Use any available network interface", and in Protocol select the one that the server is using.

 


We have 11 domain controllers

We have 11 domain controllers and the same policy is applied to all of them. It's only these 4 with Core installed on them that are having the issue.

We're using IPv4. IPv6 is not disabled however. Should it be?

I can't go to Backup Options - I get this error before backup options are available to select. The error comes up when it tries to list the drives available for backup or when it tries to establish a trust.


You should disable IPv6.

You should disable IPv6.


You might need to add the

You might need to add the BESA account (Backup Exec services account) and Backup Operator account to the User Rights Assignment for some of them (listed below), found under local security policy.

  • Act as a part of Operating System ( Only for Windows Server 2000 ).
  • Create a token object.
  • Log on as a service.
  • Logon as a batch job.
  • Manage auditing and security log.
  • Backup files and directories.
  • Restore files and directories.

NOTE: This should be done on the remote servers which you're unable to back up.

Check the article below on how to add it.

http://www.symantec.com/docs/TECH74365

Hope this resolves the issue!

 


Browse Failure   Failure to

Browse Failure
 
Failure to browse 'ADMIN01.xxx.xxx.xx'.
 
Failed to log on to Microsoft Windows.
 
Ensure that your logon credentials are correctly entered and that they meet the following minimum requirements to log on to a Windows computer:
 
   - The credentials used are a member of the Backup Operators group.
   - For Windows Vista/2008 and later, the credentials have the Log on as a batch job privilege.
 
Additional privileges may be required to access resources on the Windows computer.
 
 
QueryMetaData: MDQ_MachineInfo_View
MDS_MachineInfo_View_Parameter_ConnectionLogon = '10011001-1001-1001-0101-010101010101'
MDS_MachineInfo_View_Parameter_DeviceName = '\\ADMIN01.xxx.xxx.xx'
MDS_MachineInfo_View_Parameter_ServerLogon = 'dbf0c13d-581e-4dbb-a917-bde2963da3be'
 
This is a domain controller. The user is backupexec, part of the domain admin group.
What are the reasons for this error message?

Is there any movement on

Is there any movement on this?  I am having the same issue.

 

Thanks,

 

Robert

Accepted Solution!

After calling Symantec Tech

After calling Symantec Tech Support & jumping through lots of Change Management hoops I modified the "Default Domain Controllers Policy" GPO -

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies/User Rights Assignment

I added my BE Account to:

  • Act as a part of Operating System ( Only for Windows Server 2000 ).
  • Create a token object.
  • Log on as a service.
  • Logon as a batch job.
  • Manage auditing and security log.
  • Backup files and directories.
  • Restore files and directories.

Doing all this locally on the problem servers did nothing, but applying the GPO worked.
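
An added example, not part of the original post: a PowerShell check, run elevated on an affected domain controller (it works on Server Core), that shows who currently holds each of the seven rights listed above. User rights defined in a domain GPO replace locally set values at policy refresh, which is consistent with the local edits having no effect. The account name is a placeholder.

```powershell
param(
    # Placeholder account name; substitute the real Backup Exec service account.
    [string]$Account = 'EXAMPLE\svc-backupexec'
)

# Privilege constants for the rights named in the accepted solution.
$rights = [ordered]@{
    SeTcbPrivilege         = 'Act as part of the operating system'
    SeCreateTokenPrivilege = 'Create a token object'
    SeServiceLogonRight    = 'Log on as a service'
    SeBatchLogonRight      = 'Log on as a batch job'
    SeSecurityPrivilege    = 'Manage auditing and security log'
    SeBackupPrivilege      = 'Back up files and directories'
    SeRestorePrivilege     = 'Restore files and directories'
}

# Resolve the account to its SID; secedit lists most principals as *SID.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export the user rights currently in force on this machine.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$policy = Get-Content -Path $cfg
Remove-Item -Path $cfg

$report = foreach ($name in $rights.Keys) {
    $line = $policy | Where-Object { $_ -match "^$name\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
    [pscustomobject]@{
        Right   = $rights[$name]
        # Direct grants only; a grant through a group shows up under Holders.
        Granted = ($holders -contains $sid) -or ($holders -contains $Account)
        Holders = $holders -join ', '
    }
}
$report | Format-Table -AutoSize -Wrap

# List the GPOs applied to this computer, to confirm where the rights came from.
gpresult.exe /r /scope computer
```

SeTcbPrivilege and SeCreateTokenPrivilege allow a holder to act with operating-system authority or create arbitrary access tokens, so the Holders column for those two rows is the one to review after a change like this.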



Re: After calling Symantec Tech

This was the magic ticket. Thank you for sharing the solution!