Backup Exec 10 does it work in more than 2 AD Domain?

Hi,

This is my first posting, apologies for the English grammar.

I have Backup Exec 10 install in Win2K server - Primary AD let us call "ABC". I have another Primary AD let us call "DEF".
They are in same subnet, can ping IP Addresses. Can go to the Network Neighborhood. But my Backup Exec 10 cannot backup the files in Domain "DEF".
I am sure it is the right password. Do I need to configure the network protocols?
Error below
===============================================================================
The Media Server was unable to connect to Remote Machine SERVER01. The machine could not be found on the network.
The Media Server will fall back on the local agent to try and complete the operation.
================================================================================

hope you can help me with this, as I will add more domain in my network.

JPYPH
jpyphAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Rant32Commented:
Are you able to browse to the server using the network neighbourhood? PING is a command that uses DNS if configured, but Backup exec uses the NetBIOS name of the server. Configure a WINS server if possible.

Secondly, the account you're using to run Backup Exec (the service account) needs permissions on the remote domain to function.

If the remote host is a domain controller, then add the service useraccount to the local Administrators group and the Backup Operators group in the DEF domain. If the remote server is a domain member (non-dc) then add the service account to the local Administrators and Backup Operators group on the server.
0
shankshankCommented:
Make sure DNS is working correctly, and ping by using the hostname. If you cannot ping with the hostname, then that is your problem. You can do a quick workaround by creating an hosts file on each machine with the proper IPs specified.
0
DisorganiseCommented:
I suspect you may need to create a trust between the domains in order to grant the backup account sufficient access.
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

jpyphAuthor Commented:
hi disorganise,

Any workaround  without using trust? I don;t like using trust it makes my servers slow.

Thanks for the info
0
jpyphAuthor Commented:
Hi shankshank,

I can ping the hostname, but it so happen that the media server (where the BE is installed) is my DNS server. When I ping it gives me Public IP address. Do you think that is the problem?

Thanks

0
Rant32Commented:
Yeah, create all domains in the same forest.
0
jpyphAuthor Commented:
Hi rant32,

I can go to the DEF server in my Network neighborhood. Also, I've just installed WINS Server on my media server then add the private IP Address of DEF. But still the C$ and D$ on the BackupExec interface is still grayed out.

I have not tried putting the service account yet, but will let you know what is the result of this.

BTW, remote agent and AOFO are installed on DEF just to let you guys know.

Thanks
0
Rant32Commented:
Usually the public IP address should not be in the AD DNS zone. I recommend to disable dynamic DNS registration for the WAN network interface, and then delete the public IP address from the DNS zone. Make sure the LAN/private IP address is there.

Also check the binding and adapter order on the Advanced properties in the Network Connections control panel. The LAN adapter should be listed first.
0
Rant32Commented:
If you can see the shares, C$ and D$ then I'm quite sure this is a permissions problem, so either with the trust (if the 2 domains are not within the same forest) or the service account is not a local Administrator. By making it a backup operator you can circumvent NTFS permissions for backup purposes.
0
jpyphAuthor Commented:
Hi RANT32,


1. BackupExec Server -> Server1 (name of server) -> ABC (Name of Domain)
2. The one to backup -> Server2 (name of server) -> DEF (Name of Domain)

Should I add something like this in Server2?

BKSERVICE -> then put in the logon this account in the BE remote agent service?

Thanks

0
DisorganiseCommented:
Is there a particular reason why you're using different domains?  I see in your question that you are considering adding more domains.  you do realise you can delegate most rights to OU's?  the only real problem is domain admins - which I guess is one reason for many domains.  however, if you make a 'placeholder  domain' and then add all your other domains as child domains to the placeholder, there is automatic trusts and your DA's are still separate.  You still have Enterprise Admin of course, but that's easily addressed by having only one member and locking the password in the safe for schema changes and the like only.

Anyways...can you map a network drive to the other domain?  eg" net use ? \\server2\c$ /user:DEF\BackupAccount"
where BackupAccount is replaced by a valid userwith sufficient rights (like DA).  This will at least prove whether you can talk to the other domain correctly or not.  I've seen some switches in the past that somehow interfere with such communications.  Let's rule that out first before worrying about the application.
0
jpyphAuthor Commented:
net use ? \\server2\c$ /user:DEF\BackupAccount is successful.

Different domains for security reasons, I've got a 3 suppliers handling the DEF server. I don't want it to be included in ABC domain as it is for our office use. The DEF server are web servers with diff web applications, there is no need to be included in my ABC domain.

I hope this explains.

Thanks
0
Rant32Commented:
In this case I think you should also test

net use ? \\server2\c$ /user:ABC\BackupAccount

(note the ABC instead of DEF) because the backup application is in ABC, right? The BE service account runs with ABC domain credentials.

If Server2 does not accept ABC domain accounts then you should create a one-way trust from DEF to ABC. You don't want ABC to trust DEF. This is also the only way to make ABC user-accounts member of the local Administrators/Backup Operators groups, which is a requirement anyway.

jpyph, you're completely right about not putting the DEF server in your office domain for security reasons. But I also agree with Disorganise here - a seperate sibling domain in the same forest does not automatically receive rights to do anything in another domain. You just don't have to take care of the trusts anymore. But maybe it's a bit late to change any of that.
0
David_FongCommented:
Always worked fine cross-domains for me, just use Hosts file if needed and specify  a user/domain/passwd in the foreign domain under the jobs credentials tab. Install RANT32 directly on the target machine if you haven't got the permissions available to push it from the BE console / service account. Never dared tell a customer to change his AD/DNS just to suit the backup software even if they have got multiple forests for no logical reason.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Storage Software

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.