
Exchange 2010 netbackup rights - What for ?

brpo
Level 2
Hi,
We are preparing a test environment for NetBackup 7 and Exchange 2010 GRT.
While I can understand that the NetBackup client needs Admin rights on the Windows server (although Backup Operators would be more suited) and on Exchange at server level,
I fail to understand why the account would need:
■ Domain Admin rights (AD: my Exchange servers don't run on domain controllers, and most specific rights should be able to be given in another way)
■ Organization Management (Exchange): this means that NetBackup should be able to install new servers, configure the routing of the mail, etc.

It seems to me that those rights are just requested to avoid specific configuration issues (Exchange on a domain controller) but are never really used by the client.

Could someone tell me where I could find more information about this?

Also, can someone tell me if I can use a Windows 2008 R2 Managed Account for NetBackup (this type of account is precisely done for services and is automatically managed by AD)?

Thanks in advance
bruno
1 ACCEPTED SOLUTION


Marianne
Moderator
Partner    VIP    Accredited Certified

The reason for specific rights is explained in the NBU for Exchange Admin Guide:

For Exchange 2010, NetBackup uses Microsoft Exchange Web Services (EWS) to support a backup that uses the Granular Recovery Technology (GRT). EWS provides support for the restore of individual mailboxes, mail messages, and public folders from an Exchange 2010 database backup.
....
NetBackup also creates an impersonation role and a role assignment for Exchange Impersonation. Exchange Impersonation role assignment associates the impersonation role with the NetBackup resource credentials you specify for the restore job.

NetBackup creates and assigns the following roles:
■ SymantecEWSImpersonationRole
■ SymantecEWSImpersonationRoleAssignment

About the NetBackup service account
NetBackup must have administrator access to Exchange mailboxes and public folders so it can do the following:
■ Enumerate mailboxes when defining a policy
■ Perform MAPI mailbox and public folder backups (Exchange 2007 and earlier)
■ Restore mailbox and public folder objects from MAPI backups or backups that use Granular Recovery Technology (GRT).
To provide this access, the NetBackup Client Service must be associated with a valid Exchange mailbox. Symantec recommends that you create a uniquely named mailbox and that the NetBackup Client Service uses the same account that runs Exchange Services.
Review the following prerequisites before you create an account for the NetBackup Client Service:
■ Ensure that the NetBackup service account has domain privileged rights.
■ Verify that the NetBackup service account mailbox is not hidden.
If in a cluster or replicated environment, perform the steps in the following procedures on each Exchange node.
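
To compare the rights the guide asks for with what the service account actually holds in a test environment, the following read-only checks can be run from the Exchange Management Shell. This is an added example, not part of the thread or of the NetBackup documentation; the account name is a placeholder, the two Symantec names are taken from the guide excerpt above, and the last step assumes the ActiveDirectory module (RSAT) is installed.

```powershell
# Added example. Run in the Exchange Management Shell on Exchange 2010.
# Placeholder account: substitute the real NetBackup service account.
$Sam            = 'svc-netbackup'            # hypothetical sAMAccountName
$ServiceAccount = "EXAMPLE\$Sam"             # hypothetical domain

# 1. Every Exchange management role that reaches the account,
#    whether assigned directly or through a role group.
Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount |
    Sort-Object Role |
    Format-Table Name, Role, RoleAssigneeName, RoleAssignmentDelegationType -AutoSize

# 2. The impersonation role and assignment named in the admin guide.
#    They exist only after NetBackup has created them.
Get-ManagementRole -Identity 'SymantecEWSImpersonationRole' -ErrorAction SilentlyContinue |
    Format-List Name, Parent, RoleType

Get-ManagementRoleAssignment -Identity 'SymantecEWSImpersonationRoleAssignment' -ErrorAction SilentlyContinue |
    Format-List Name, Role, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope

# 3. Who is in Organization Management, to confirm whether the
#    service account was added to that role group.
Get-RoleGroupMember -Identity 'Organization Management' |
    Format-Table Name, RecipientType -AutoSize

# 4. Direct AD group memberships of the account (nested groups are not
#    expanded), to see whether Domain Admins is among them.
Import-Module ActiveDirectory
Get-ADPrincipalGroupMembership -Identity $Sam |
    Sort-Object Name |
    Format-Table Name, GroupScope, GroupCategory -AutoSize
```

Running the checks before and after a GRT restore test shows which roles and assignments appeared and what recipient scope the impersonation assignment carries.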
