cancel
Showing results for 
Search instead for 
Did you mean: 

Unable to establish trust or Browse Failure

Metcalf
Level 2

When I try to establish a trust or schedule a backup for a Windows 2012 Core Installation Domain Controller I get this error:

Failed to browse...

Failed to log on to Microsoft Windows.

Ensure that your logon credentials are entered and that they meet the following minimum requirements to log on to a Windows computer:

-The credentials used are a member of the Backup Operators group.

-For Windows Vista/2008 and later, the credentials hav ethe Log on as a batch job privilege.

Additional privileges may be required to access resources on the Windows computer.

 

I am running Backup Exec 2012 with Service Pack 2 on Windows Server 2008 R2 Std 64bit

My BE service account is

  • A Domain Admin
  • In the Backup Operators security group
  • In the Exchange Organization Administrators security group
  • Set explicitly as local admin, run as batch, and run as service
  • Is NOT in the Domain Users group

I am backing up Windows 2003, 2008, and 2012 platforms successfully with this service account.

I am also backing up Windows 2012 Core File Server installations successfully with this service account.

There are 4 DCs running Core Installations that have this issue:

  • When adding the DCs to BE it connected and installed with no issues.
  • The services are present and running on the DCs.
  • There are no event logs on the DCs or the BE Server referencing these attempts.
  • Remote Desktop is enabled
  • Firewall is turned off
  • These attempts do not lock out the account

All responses are greatly appreciated :)

1 ACCEPTED SOLUTION

Accepted Solutions

Metcalf
Level 2

After calling Symantec Tech Support & jumping through lots of Change Management hoops I modified the "Default Domain Controllers Policy" GPO -

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies/User Rights Assignment

I added my BE Account to:

  • Act as a part of Operating System ( Only for Windows Server 2000 ).
  • Create a token object.
  • Log on as a service.
  • Logon as a batch job.
  • Manage auditing and security log.
  • Backup files and directories.
  • Restore files and directories.

Doing all this locally on the problem servers did nothing, but applying the GPO worked.

View solution in original post

10 REPLIES 10

lmosla
Level 6

Hello,

Please make sure these services are running as Domain\Administrator and verify the password is correct: 

  • Backup Exec Agent Browser
  • Backup Exec Device & Media Service
  • Backup Exec Job Engine
  • Backup Exec Management Service
  • Backup Exec Server

also see this link and verify these requirements are in place:  Requirements for the Backup Exec Service Account (BESA)   

 

Metcalf
Level 2

Thank you for your response :)

The above services are running as Domain\Administrator and the rights assignments requirements have been met.

The error still occurs.

It is a 2003 domain level - if that makes a difference.

lmosla
Level 6

Check to make sure there aren't any policies that are restricting access to the servers.

Are the servers using IPV6 or IPV4? Try matching this in Backup Exec by editing the job then under Backup Options under Network make sure it is set to Use any available network interface and in Protocol: select the one that the server is using.

 

Metcalf
Level 2

We have 11 domain controllers and the same policy is applied to all of them. It's only these 4 with Core installed on them that are having the issue.

We're using IPv4. IPv6 is not disabled however. Should it be?

I can't go to Backup Options - I get this error before backup options are available to select. The error comes up when it tries to list the drives available for backup or when it tries to establish a trust.

pkh
Moderator
Moderator
   VIP    Certified

You should disable IPv6.

DNI_1
Level 3

You might need to add the BESA account (Backup Exec services account) and Backup Operator account for the User Right assignment for some of them(listed below) found under local security policy.

  • Act as a part of Operating System ( Only for Windows Server 2000 ).
  • Create a token object.
  • Log on as a service.
  • Logon as a batch job.
  • Manage auditing and security log.
  • Backup files and directories.
  • Restore files and directories.

NOTE: This should be done on the remote servers which you're unable to backup.

Check the article below on how to add it.

http://www.symantec.com/docs/TECH74365

Hope this resolves the issue!

 

TDSil
Not applicable
Browse Failure
 
Failure to browse 'ADMIN01.xxx.xxx.xx'.
 
Failed to log on to Microsoft Windows.
 
Ensure that your logon credentials are correctly entered and that they meet the following minimum requirements to log on to a Windows computer:
 
   - The credentials used are a member of the Backup Operators group.
   - For Windows Vista/2008 and later, the credentials have the Log on as a batch job privilege.
 
Additional privileges may be required to access resources on the Windows computer.
 
 
QueryMetaData: MDQ_MachineInfo_View
MDS_MachineInfo_View_Parameter_ConnectionLogon = '10011001-1001-1001-0101-010101010101'
MDS_MachineInfo_View_Parameter_DeviceName = '\\ADMIN01.xxx.xxx.xx'
MDS_MachineInfo_View_Parameter_ServerLogon = 'dbf0c13d-581e-4dbb-a917-bde2963da3be'
 
This  is a domain controller user is backupexec part of the domain admin group
what are the reasons for this error message?

Robert_Ferguson
Level 3

Is there any movement on this?  I am having the same issue.

 

Thanks,

 

Robert

Metcalf
Level 2

After calling Symantec Tech Support & jumping through lots of Change Management hoops I modified the "Default Domain Controllers Policy" GPO -

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies/User Rights Assignment

I added my BE Account to:

  • Act as a part of Operating System ( Only for Windows Server 2000 ).
  • Create a token object.
  • Log on as a service.
  • Logon as a batch job.
  • Manage auditing and security log.
  • Backup files and directories.
  • Restore files and directories.

Doing all this locally on the problem servers did nothing, but applying the GPO worked.

This was the magic ticket. Thank you for sharing the solution!