cancel
Showing results for 
Search instead for 
Did you mean: 

Netbackup Exchnage 2016 GRT Permissions

AndersA
Level 4

Hallo All.

Can anybody plz tell me which permissions the exchange/AD account should have.

what is needed for restore and what is needed for backup only.

plz dont refer me to the admin guide......i have lookeed at it :)....what persmissions are you using ? :)

 

 

 

1 ACCEPTED SOLUTION

Accepted Solutions

Lowell_Palecek
Level 6
Employee

I had a long response, but Vox lost it. Here's my short answer.

For GRT backup but not restore, you don't need to create an EWSImpersonation role or a throttling policy.

In the rolegroup we tell you to create, you don't need recipient creation. You may not need recipient policies.

Be advised that you can't back up passive database copies with the "minimal user." You need a user that is a member of Organization Management or Domain Admins. That's because the Active Directory System Interface (ADSI) API does not enumerate database copies for the minimal user.

View solution in original post

5 REPLIES 5

RiaanBadenhorst
Level 6
Partner    VIP    Accredited Certified

What is wrong with the admin guide? There is an entire section dedicated to this topic

"Configuring the account for NetBackup Exchange operations"

In the version 8 documents is section 4. 

Is something not clear? Please let me know so I can inform Veritas if there is any ambiguity or it is not clear what the required permissions are.

Its not clear to me what rights i should have, to only do a backup (not restore)

RiaanBadenhorst
Level 6
Partner    VIP    Accredited Certified

"NetBackup gains access to Exchange through the account for NetBackup Exchange operations, an Active Directory user account that is associated with a unique Exchange mailbox. This mailbox has sufficient roles or group memberships to perform backups and restores. Use the account for NetBackup Exchange operations for the Exchange credentials in the Exchange client host properties."

 

There is no seperate requirement for restore. You should however pay attention to the distributed application mapping as it comes into play more during restore, than during backups i.e you can probably perform backups successfully (even with GRT) without defining it, but restore most certainly will fail.

For starters for those who remember having to set the user credentials for executing NetBackup services, this is no longer the case. In current NetBackup versions, you set Exchange credentials in the client host configurations. Services on the client can run as LocalSystem. (I acknowledge that this isn't the question that was asked.)

When are Exchange credentials needed? (Still not quite the question. Be patient with me.)

It was once the case that for database backup and restore (not GRT), you could leave the Exchange credentials blank in the client host configuration. GRT backups, though, return status 1 and do not catalog mailboxes unless you set the Exchange credentials in the client host properties.

With each new Exchange version and features, this gets more problematic:

- Running without Exchange credentials, bpresolver may not be able to assign correct DAG nodes for backing up databases.

- In an IP-less DAG, which is the default for Exchange 2016, the NetBackup Discovery Framework (nbdisco) on each mailbox server needs Exchange credentials to associate the mailbox server with its DAG. The NetBackup master server needs this discovered information to resolve the DAG to a mailbox server.

- For GRT backups with Exchange 2013 and 2016, nbdisco needs Exchange credentials to enumerate the mailboxes for each database.

Do I need all the credentials listed in the Admin Guide just for backup? (That's the question asked.)

No. The doc gives a single set of memberships for both backup and restore. Our testing in the Exchange 2010 timeframe produced different lists of the minimal user rights needed for different situations. We decided to document a single list, because the narrative was complicated. That was also before we implemented the credentials in the client host configuration, and you had to configure the services on every client.

Given the progression of needs listed above, the complication for both quality assurance testing and documentation would have gotten progressively worse in the subsequent Exchange versions and features.

The easy one: For backup, you don't have to create an EWSImpersonation role or a throttling policy.

Otherwise, we tell you to create this rolegroup:

New-RoleGroup -Name NetBackupRoles -Roles @("Database Copies","Databases","Exchange Servers","Monitoring", "Mail Recipient Creation","Mail Recipients","Recipient Policies")

You need the first four roles for non-GRT backup.

For GRT backup (not restore), you need Mail Recipients. You don't need Mail Recipient Creation. You may not need Recipient Policies.

A final note

You can't back up passive database copies using this minimal user. To back up passive copies, you have to set your user to be a member of Organization Management or Domain Admins. That's because the Microsoft Active Directory System Interface (ADSI) API won't return database copy information to the minimal user.

Lowell_Palecek
Level 6
Employee

I had a long response, but Vox lost it. Here's my short answer.

For GRT backup but not restore, you don't need to create an EWSImpersonation role or a throttling policy.

In the rolegroup we tell you to create, you don't need recipient creation. You may not need recipient policies.

Be advised that you can't back up passive database copies with the "minimal user." You need a user that is a member of Organization Management or Domain Admins. That's because the Active Directory System Interface (ADSI) API does not enumerate database copies for the minimal user.