02-12-2018 04:05 AM - edited 02-12-2018 04:38 AM
Hi All,
we need to set the backup mode of the VS from a remote server
we have 6 Enterprise Vault (11.0.1) installed on Win2012r2 and 2 SQL with windows 2012
we have used the script below:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -psconsolefile "\\SERVERNAME\c$\Program Files (x86)\Enterprise Vault\EVShell.psc1" -command "& {Set-VaultStoreBackupMode -Name EVSite -EVServerName EVNAME -EVObjectType Site}"
the Error message of this script is:
WARNING: The following errors occurred when loading console
\\SERVERNAME\\c$\Program Files (x86)\Enterprise Vault\EVShell.psc1:
Cannot load Windows PowerShell Snap-In
Symantec.EnterpriseVault.PowerShell.Snapin because of the following error: No
snap-ins have been registered for Windows PowerShell version 3.
Command '& {Set-VaultStoreBackupMode -Name EVSite -EVServerName EVNAME -EVObjectType Site}' could not be run because some Windows Pow
erShell Snap-Ins did not load.
We have also tested with a different script to set in backup mode the VS
$EVServerSession = New-PSSession -ComputerName SERVERNAME -ConfigurationName Microsoft.Powershell32
Invoke-Command -Session $EVServerSession -scriptblock {Add-PSSnapin Symantec.EnterpriseVault.PowerShell.Snapin}
Invoke-Command -Session $EVServerSession -scriptblock {Set-VaultStoreBackupMode -Name EVSite -EVServerName EVNAME -EVObjectType Site}
Remove-PSSession -Session $EVServerSession
from the second script the VaultStore hosted on SERVERNAME are set in backup mode but fro the vaultstore hosted on the other 5 Enterprise Vault server i have the error (permisison are set as https://www.veritas.com/support/en_US/article.000015971)
User does not have permission to change backup mode for vault stores. Check permissions for the user's role in
Enterprise Vault roles-based administration.
+ CategoryInfo : PermissionDenied: (Symantec.Enterp...StoreBackUpMode:SetVaultStoreBackUpMode) [Set-Vault
StoreBackupMode], COMException
+ FullyQualifiedErrorId : UnauthoriseToUpdateVaultStoreBackupMode,Symantec.EnterpriseVault.PowerShell.Commands.Set
VaultStoreBackUpMode
+ PSComputerName : SERVERNAME
Can someone have fixed the issue of remote setting of backupmode?
02-12-2018 07:26 AM
Your second script is almost correct. The reason you're getting the "User does not have permission..." error is that you didn't specify the Vault Service Account when you created the PSSession.
Try adding one of these to the beginning of your script:
# Enter password interactively - more secure $vsaCreds = Get-Credential -Message "Please enter the Vault Service Account password" -UserName "MyVaultServiceAccountUserName"
or
# Save username and password in script - less secure $vsaUserName = "DOMAIN\MyVaultServiceAccountUserName" $vsaPassword = ConvertTo-SecureString -String "VSA Password" -AsPlainText -Force $vsaCreds = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $vsaUserName, $vsaPassword
Then just pass the credentials when you create the session:
$EVServerSession = New-PSSession -ComputerName SERVERNAME -ConfigurationName Microsoft.Powershell32 -Credential $vsaCreds
So the whole thing looks like this:
$vsaCreds = Get-Credential -Message "Please enter the Vault Service Account password" -UserName "MyVaultServiceAccountUserName" $EVServerSession = New-PSSession -ComputerName SERVERNAME -ConfigurationName Microsoft.Powershell32 -Credential $vsaCreds Invoke-Command -Session $EVServerSession -scriptblock {Add-PSSnapin Symantec.EnterpriseVault.PowerShell.Snapin} Invoke-Command -Session $EVServerSession -scriptblock {Set-VaultStoreBackupMode -Name EVSite -EVServerName EVNAME -EVObjectType Site} Remove-PSSession -Session $EVServerSession
Works like a charm in my lab. Hope it helps.
--Chris
02-12-2018 10:22 AM
Hi Chris,
Thanks for your support but unfortunately it do not work :(
Here the script used (your less secure)
# Save username and password of the backup user (not the VSA but a user with the RBA permisison to set /clear Backup mode)
$vsaUserName = "BCK_USER"
$vsaPassword = ConvertTo-SecureString -String "BCK_PASSWORD" -AsPlainText -Force
$vsaCreds = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $vsaUserName, $vsaPassword
$EVServerSession = New-PSSession -ComputerName EVCOMPUTERNAME_1 -ConfigurationName Microsoft.Powershell32 -Credential $vsaCreds
Invoke-Command -Session $EVServerSession -scriptblock {Add-PSSnapin Symantec.EnterpriseVault.PowerShell.Snapin}
Invoke-Command -Session $EVServerSession -scriptblock {Set-VaultStoreBackupMode -Name EVSite -EVServerName -EVObjectType Site}
Remove-PSSession -Session $EVServerSession
The script set in backup mode the VS of the EVCOMPUTERNAME_1 but for the server EVCOMPUTERNAME_2 ai receive the error below
User does not have permission to change backup mode for vault stores. Check permissions for the user's role inEnterprise Vault roles-based administration.
+ CategoryInfo : PermissionDenied: (Symantec.Enterp...StoreBackUpMode:SetVaultStoreBackUpMode) [Set-Vault
StoreBackupMode], COMException
+ FullyQualifiedErrorId : UnauthoriseToUpdateVaultStoreBackupMode,Symantec.EnterpriseVault.PowerShell.Commands.Set
VaultStoreBackUpMode
+ PSComputerName : EVCOMPUTERNAME_2
02-12-2018 10:42 AM
Sorry to hear that it did not work. The error is pretty plain: it's saying that the user you're running as doesn't have the RBA permissions necessary to set and clear Backup Mode.
To verify this, you can try the same script using the VSA's credentials, just to see. If that works correctly, then you know the problem is with the account and RBA, and not with the PowerShell script.
If you want to troubleshoot the RBA permissions, then it will be helpful to check the Event log on EVCOMPUTERNAME_2. It should have a warning 4216 event that contains the username that failed and the role that user is missing. According to the documentation, a user needs to be in the "Storage Administrator" role to set Backup Mode on a Vault Store. You should be able to check whether the user has that role by running
Get-EVRBARoleMember -Identity "Storage Administrator"
If all this checks out and it still doesn't work right, then I guess open a case and we'll see what's going on.
--Chris
02-12-2018 10:50 AM
Hi Chris,
i've try with the VSA and it do not works. we have the same permisison error
i've check the EventViewer EVCOMPUTERNAME_2 and no 4216 are logged .
this is very strange
02-12-2018 10:59 AM - edited 02-12-2018 11:01 AM
Agreed, very strange. Time to open a case. Point the assigned TSE to this thread if you want to give him a head start.
02-12-2018 11:40 PM
This might be totally not relevant, but on the servers where the script does not work:
Login as VSA. Go to Programs, Enterprise Vault, EV Management Shell. When the pwrshell window is started, exit.
Try the script (local), then remote.
In earlier version, the snap-in needed to be 'initialized' somehow. One of the steps I have in installdocumentation is to do just the above.