Backup Exec 10 does it work in more than 2 AD Domain?

jpyph asked
Medium Priority
Last Modified: 2013-12-01

This is my first posting, apologies for the English grammar.

I have Backup Exec 10 installed on a Win2K server - primary AD, let us call it "ABC". I have another primary AD, let us call it "DEF".
They are in the same subnet, and I can ping the IP addresses. I can go to the Network Neighborhood. But my Backup Exec 10 cannot back up the files in domain "DEF".
I am sure it is the right password. Do I need to configure the network protocols?
Error below:
The Media Server was unable to connect to Remote Machine SERVER01. The machine could not be found on the network.
The Media Server will fall back on the local agent to try and complete the operation.

Hope you can help me with this, as I will add more domains to my network.


Are you able to browse to the server using the network neighbourhood? PING is a command that uses DNS if configured, but Backup Exec uses the NetBIOS name of the server. Configure a WINS server if possible.

Secondly, the account you're using to run Backup Exec (the service account) needs permissions on the remote domain to function.

If the remote host is a domain controller, then add the service user account to the local Administrators group and the Backup Operators group in the DEF domain. If the remote server is a domain member (non-DC), then add the service account to the local Administrators and Backup Operators groups on the server.

Make sure DNS is working correctly, and ping by using the hostname. If you cannot ping with the hostname, then that is your problem. You can do a quick workaround by creating a hosts file on each machine with the proper IPs specified.

I suspect you may need to create a trust between the domains in order to grant the backup account sufficient access.


hi disorganise,

Any workaround without using a trust? I don't like using a trust; it makes my servers slow.

Thanks for the info


Hi shankshank,

I can ping the hostname, but it so happens that the media server (where the BE is installed) is my DNS server. When I ping, it gives me the public IP address. Do you think that is the problem?


Yeah, create all domains in the same forest.


Hi rant32,

I can go to the DEF server in my Network Neighborhood. Also, I've just installed a WINS server on my media server and then added the private IP address of DEF. But the C$ and D$ on the Backup Exec interface are still grayed out.

I have not tried putting the service account yet, but will let you know what is the result of this.

BTW, remote agent and AOFO are installed on DEF just to let you guys know.


Usually the public IP address should not be in the AD DNS zone. I recommend disabling dynamic DNS registration for the WAN network interface, and then deleting the public IP address from the DNS zone. Make sure the LAN/private IP address is there.

Also check the binding and adapter order on the Advanced properties in the Network Connections control panel. The LAN adapter should be listed first.

If you can see the shares, C$ and D$, then I'm quite sure this is a permissions problem, so either with the trust (if the 2 domains are not within the same forest) or the service account is not a local Administrator. By making it a backup operator you can circumvent NTFS permissions for backup purposes.


Hi RANT32,

1. BackupExec Server -> Server1 (name of server) -> ABC (Name of Domain)
2. The one to backup -> Server2 (name of server) -> DEF (Name of Domain)

Should I add something like this in Server2?

BKSERVICE -> then put in the logon this account in the BE remote agent service?



Is there a particular reason why you're using different domains? I see in your question that you are considering adding more domains. You do realise you can delegate most rights to OUs? The only real problem is domain admins - which I guess is one reason for many domains. However, if you make a 'placeholder domain' and then add all your other domains as child domains to the placeholder, there are automatic trusts and your DAs are still separate. You still have Enterprise Admin of course, but that's easily addressed by having only one member and locking the password in the safe for schema changes and the like only.

Anyways... can you map a network drive to the other domain? E.g. "net use ? \\server2\c$ /user:DEF\BackupAccount"
where BackupAccount is replaced by a valid user with sufficient rights (like DA). This will at least prove whether you can talk to the other domain correctly or not. I've seen some switches in the past that somehow interfere with such communications. Let's rule that out first before worrying about the application.


net use ? \\server2\c$ /user:DEF\BackupAccount is successful.

Different domains for security reasons, I've got 3 suppliers handling the DEF server. I don't want it to be included in the ABC domain as it is for our office use. The DEF servers are web servers with different web applications, there is no need for them to be included in my ABC domain.

I hope this explains.


In this case I think you should also test

net use ? \\server2\c$ /user:ABC\BackupAccount

(note the ABC instead of DEF) because the backup application is in ABC, right? The BE service account runs with ABC domain credentials.

If Server2 does not accept ABC domain accounts then you should create a one-way trust from DEF to ABC. You don't want ABC to trust DEF. This is also the only way to make ABC user-accounts member of the local Administrators/Backup Operators groups, which is a requirement anyway.

jpyph, you're completely right about not putting the DEF server in your office domain for security reasons. But I also agree with Disorganise here - a separate sibling domain in the same forest does not automatically receive rights to do anything in another domain. You just don't have to take care of the trusts anymore. But maybe it's a bit late to change any of that.

Always worked fine cross-domains for me, just use a hosts file if needed and specify a user/domain/passwd in the foreign domain under the job's credentials tab. Install RANT32 directly on the target machine if you haven't got the permissions available to push it from the BE console / service account. Never dared tell a customer to change his AD/DNS just to suit the backup software even if they have got multiple forests for no logical reason.
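
The name-resolution checks raised in the thread (a hosts-file workaround, and a DNS zone that hands out the public address instead of the LAN one) can be combined into one audit. This is an added example, not part of the original thread; the sample hosts entries, the addresses, and the function names `parse_hosts`, `dns_lookup` and `audit` are constructed for illustration, and treating a hosts entry as taking precedence over DNS is an assumption of the sketch.

```python
import ipaddress
import socket

# RFC 1918 ranges: the addresses a LAN-only backup path is expected to use.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample hosts file (names and addresses are illustrative only).
SAMPLE_HOSTS = """\
# constructed example entries
192.168.10.21   server2 server2.def.example   # LAN address of the DEF server
203.0.113.5     server1                       # public address listed by mistake
"""

def parse_hosts(text):
    """Map each lower-cased name or alias to the addresses listed for it."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(addr)
    return table

def dns_lookup(name):
    """Ask the system resolver; returns [] when the name does not resolve."""
    try:
        return [ipaddress.ip_address(a) for a in socket.gethostbyname_ex(name)[2]]
    except OSError:
        return []

def audit(names, hosts_text="", lookup=dns_lookup):
    """Return (name, source, address, verdict) rows for each backup target."""
    hosts = parse_hosts(hosts_text)
    rows = []
    for name in names:
        addrs, source = hosts.get(name.lower()), "hosts"
        if not addrs:
            addrs, source = lookup(name), "dns"
        if not addrs:
            rows.append((name, source, None, "unresolved"))
        for addr in addrs:
            verdict = "lan" if any(addr in net for net in LAN_NETS) else "not-lan"
            rows.append((name, source, str(addr), verdict))
    return rows

if __name__ == "__main__":
    for row in audit(["server1", "server2"], SAMPLE_HOSTS):
        print(row)
```

A `not-lan` verdict for a backup target corresponds to the situation described above, where the media server's own name resolved to its public address.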
