NetBackup Exchange 2016 GRT Permissions

AndersA
Level 4

Hello all.

Can anybody plz tell me which permissions the Exchange/AD account should have?

What is needed for restore and what is needed for backup only?

Plz don't refer me to the admin guide... I have looked at it :) ... What permissions are you using? :)

1 ACCEPTED SOLUTION


Lowell_Palecek
Level 6
Employee

I had a long response, but Vox lost it. Here's my short answer.

For GRT backup but not restore, you don't need to create an EWSImpersonation role or a throttling policy.

In the rolegroup we tell you to create, you don't need recipient creation. You may not need recipient policies.

Be advised that you can't back up passive database copies with the "minimal user." You need a user that is a member of Organization Management or Domain Admins. That's because the Active Directory System Interface (ADSI) API does not enumerate database copies for the minimal user.


5 REPLIES

RiaanBadenhorst
Moderator
Partner    VIP    Accredited Certified

What is wrong with the admin guide? There is an entire section dedicated to this topic

"Configuring the account for NetBackup Exchange operations"

In the version 8 documents it is section 4.

Is something not clear? Please let me know so I can inform Veritas if there is any ambiguity or it is not clear what the required permissions are.

It's not clear to me what rights I should have to only do a backup (not restore).

RiaanBadenhorst
Moderator
Partner    VIP    Accredited Certified

"NetBackup gains access to Exchange through the account for NetBackup Exchange operations, an Active Directory user account that is associated with a unique Exchange mailbox. This mailbox has sufficient roles or group memberships to perform backups and restores. Use the account for NetBackup Exchange operations for the Exchange credentials in the Exchange client host properties."

 

There is no separate requirement for restore. You should, however, pay attention to the distributed application mapping, as it comes into play more during restore than during backups, i.e. you can probably perform backups successfully (even with GRT) without defining it, but restore most certainly will fail.

For starters, for those who remember having to set the user credentials for executing NetBackup services, this is no longer the case. In current NetBackup versions, you set Exchange credentials in the client host configurations. Services on the client can run as LocalSystem. (I acknowledge that this isn't the question that was asked.)

When are Exchange credentials needed? (Still not quite the question. Be patient with me.)

It was once the case that for database backup and restore (not GRT), you could leave the Exchange credentials blank in the client host configuration. GRT backups, though, return status 1 and do not catalog mailboxes unless you set the Exchange credentials in the client host properties.

With each new Exchange version and features, this gets more problematic:

- Running without Exchange credentials, bpresolver may not be able to assign correct DAG nodes for backing up databases.

- In an IP-less DAG, which is the default for Exchange 2016, the NetBackup Discovery Framework (nbdisco) on each mailbox server needs Exchange credentials to associate the mailbox server with its DAG. The NetBackup master server needs this discovered information to resolve the DAG to a mailbox server.

- For GRT backups with Exchange 2013 and 2016, nbdisco needs Exchange credentials to enumerate the mailboxes for each database.

Do I need all the credentials listed in the Admin Guide just for backup? (That's the question asked.)

No. The doc gives a single set of memberships for both backup and restore. Our testing in the Exchange 2010 timeframe produced different lists of the minimal user rights needed for different situations. We decided to document a single list, because the narrative was complicated. That was also before we implemented the credentials in the client host configuration, and you had to configure the services on every client.

Given the progression of needs listed above, the complication for both quality assurance testing and documentation would have gotten progressively worse in the subsequent Exchange versions and features.

The easy one: For backup, you don't have to create an EWSImpersonation role or a throttling policy.

Otherwise, we tell you to create this rolegroup:

New-RoleGroup -Name NetBackupRoles -Roles @("Database Copies","Databases","Exchange Servers","Monitoring", "Mail Recipient Creation","Mail Recipients","Recipient Policies")

You need the first four roles for non-GRT backup.

For GRT backup (not restore), you need Mail Recipients. You don't need Mail Recipient Creation. You may not need Recipient Policies.

A final note

You can't back up passive database copies using this minimal user. To back up passive copies, you have to set your user to be a member of Organization Management or Domain Admins. That's because the Microsoft Active Directory System Interface (ADSI) API won't return database copy information to the minimal user.
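
The role split described in the post above, as an added example that is not part of the original thread or of the NetBackup documentation: it reports which roles on the documented NetBackupRoles group go beyond what the post says backup needs, then creates a reduced group for GRT backup only. The group name NetBackupBackupOnly and the account svc-netbackup are hypothetical.

```powershell
# Added example for the Exchange Management Shell. Role names come from the
# post above; the backup-only group and account names are hypothetical.
$NonGrtBackup = @('Database Copies', 'Databases', 'Exchange Servers', 'Monitoring')
$GrtBackup    = $NonGrtBackup + 'Mail Recipients'
$Uncertain    = @('Recipient Policies')        # post: "You may not need" this
$NotForBackup = @('Mail Recipient Creation')   # post: not needed for GRT backup

$DocumentedGroup = 'NetBackupRoles'        # group name used in the post
$BackupOnlyGroup = 'NetBackupBackupOnly'   # hypothetical
$BackupAccount   = 'svc-netbackup'         # hypothetical

function Get-BackupRoleVerdict {
    param([Parameter(Mandatory)][string]$Role)
    if     ($GrtBackup    -contains $Role) { 'needed for GRT backup' }
    elseif ($Uncertain    -contains $Role) { 'possibly not needed; test before removing' }
    elseif ($NotForBackup -contains $Role) { 'not needed for backup' }
    else                                   { 'not in the documented role list' }
}

# 1. Report what the documented group grants and how each role rates for a
#    backup-only account. Assumes a remote Exchange Management Shell session,
#    where the Role property deserializes to the role name.
if (Get-RoleGroup -Identity $DocumentedGroup -ErrorAction SilentlyContinue) {
    Get-ManagementRoleAssignment -RoleAssignee $DocumentedGroup |
        ForEach-Object { "$($_.Role)" } | Sort-Object -Unique |
        ForEach-Object {
            [pscustomobject]@{ Role = $_; Verdict = Get-BackupRoleVerdict -Role $_ }
        } | Format-Table -AutoSize
}

# 2. Create the reduced group for GRT backup only. No EWSImpersonation role or
#    throttling policy is created, because the post says backup does not need them.
#    Remove -WhatIf to apply the change.
if (-not (Get-RoleGroup -Identity $BackupOnlyGroup -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $BackupOnlyGroup -Roles $GrtBackup -Members $BackupAccount -WhatIf
}

# Limits stated in the post: an account with only these roles cannot back up
# passive database copies (that needs Organization Management or Domain Admins),
# and restore is covered by the full documented configuration, not this group.
```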
