Solved

Backup Exec "Access is denied" for remote agent

Posted on 2009-03-30
26
18,000 Views
Last Modified: 2013-12-01
Hi,

Have BackupExec media server (12.5) intalled on Windows 2003 Server. (SERVER A)
Installed remote agent on second server - Windows 2000 SP4. (SERVER B)

When I want to connect to SERVER B in BE to select files it says "Access is denied".

Remote agent on SERVER B is set to use Local System Account. Have also tried it with Administrator and dedicated backup account - no success.

DNS resolution is fine from both sides.

Port is open and I can connect manually via telnet to port 10000 on SERVER B (the port of the remote agent).
Also when monitoring backupexec agent with ProcessExplorer I see that SERVER A is establishing a connection to remote agent on SERVER B.

Have uninstalled REmote agent and re-installed - no success.

The error is not from a specific file or folder, it is as soon as I click on the server in the selection list (i.o.w the whole server)

I can access all files and folders via windows explorer and hidden shares on SERVER B.


Any ideas?
0
Comment
Question by:schoemans
  • 10
  • 7
  • 2
  • +7
26 Comments
 
LVL 32

Expert Comment

by:Rodney Barnhardt
ID: 24018595
Try checking and making the changes in this document:
http://seer.entsupport.symantec.com/docs/266075.htm  
0
 
LVL 32

Expert Comment

by:Rodney Barnhardt
ID: 24018602
Actually, this is remote agent specific:
http://seer.entsupport.symantec.com/docs/265086.htm  
0
 

Author Comment

by:schoemans
ID: 24018758
Yeah thanks I tried those already.

The agent is running with Local System account.

The thing is I can't go look where I tries to get access to first.
If for instance I could access C: but not D: then I know where to look.
But in this case as soon as I want to expand the the server it gives the error.

I have checked that SYSTEM account has full access from C: and D: and is inherited.

Any other idea?
0
 
LVL 38

Expert Comment

by:Jim P.
ID: 24025473
Do you have the same domain user account that has Backup Operator permissions on the remote machine running as an Remote Agent service as well as running the service on the backup server?

That was long. LocalSystem means exactly that, ServerXYZ with SID {12345} will allow the ServerXYZ\LocalSystem account do just about anything. But if the BackupSrvr\LocalSystem say to ServerXYZ I want you to do something for me, ServerXYZ is go to say screw off BackupSrvr, you have no authority or permissions to anythin on ServerXYZ.

But if MyDomain\User is familiar to both BackupSrvr and ServerXYZ because MyDomain says its good, they talk.

Note that you generally will have to restart services on both the both BackupSrvr and ServerXYZ after you make the changes.
0
 

Author Comment

by:schoemans
ID: 24036771
Yeah on Media server (BackupSrvr as in your ex) the service is running as dedicated backup user which is part of Domain Admins and Backup Operators. I also gave the user the appropriate rights and priviledges in the policies as specified by Symantec.

I have also tried all services with Admin accout still no luck.

The Remote Agent server (ServerXYZ) was previously a DC. It was forcefully demoted (dcpromo /forceremoval) and that seemed to be  successful. It's name was then changed and joined to the current domain.

In the event logs it still gives errors of not being able to replicate and communicate AD info with other DC. This is correct since it is no longer a DC in that domain.

I am thinking maybe that because it still gives errors, the demotion was completely successful and this maybe screwed up something in permissions or something.
I reset the default security using the secsetup.inf template - still no luck.

Is there a utility that can somehow test whether System Account has correct access on its own system?

If it whas a normal user I could simply logon and try accessing the resources and see what happens, but because I can't login as System Account I can't do that.

thanks.
0
 

Author Comment

by:schoemans
ID: 24037824
sorry I meant to say UNsuccessful because of errors...
0
 
LVL 38

Expert Comment

by:Jim P.
ID: 24038403
Ok on ServerXYZ -- there should be an Backup Exec service in the Services menu, IIRC. Is that services Log On As the same as the userid on the BackupSrvr?
0
 

Author Comment

by:schoemans
ID: 24038480
Thanks I'll check it out - have to go to customer's site first.
0
 
LVL 38

Expert Comment

by:Jim P.
ID: 24038587
Can you post from the site? It would be much easier to troubleshoot.
0
 

Author Comment

by:schoemans
ID: 24059186
OK at site now..

No there is no such service - checked on both servers. I also checked image names (xxx.exe) of all services and nothing with such name.

What service is it, what does it do?
0
 
LVL 38

Expert Comment

by:Jim P.
ID: 24059386
There should be a Backup Exec client/agent installed on ServerXYZ. If there isn't, then check in the Backup Server for a client/agent install directory and install it on the ServerXYZ.
0
 

Author Comment

by:schoemans
ID: 24059428
Sorry I'm wrong...

One service on ServerZYX called Backup Exec Remote Agent for Windows System.
Logs on as Local System Account.

A few BE services on Backupsrvr, including Backup Exec Server service - all log on as dedicated account with corrent permissions. Also tried all these with Domain Admin account for testing.




0
 
LVL 38

Expert Comment

by:Jim P.
ID: 24059623
>> Backup Exec Remote Agent for Windows System.

Right click the service, and change the Account to match the account the BackupSrvr is using for BE.

Note that you don't want to use a domain Admin account if possible. You want the account to have the backup operator on the ServerZYX and local administrator on the BackupSrvr.
SQL-Service-Account.jpg
0
3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

 

Author Comment

by:schoemans
ID: 24105140
I put the agents logon account to the dedicated backup exec account I created. The account has all the right permissions.....no luck.

I have changed the agents account back to Local System Account like it is suppose to be.

How can I test whether a specific account,i.e System Account, has access to a specific resource except for logging in and manually trying (which is not possible with system account).

How can I debug Backup Exec to get more detail on where exactly the problem is?
0
 
LVL 38

Expert Comment

by:Jim P.
ID: 24106709
Have you looked at the Event Viewer (eventvwr.msc) for entries there?

Or do you have support from BE that you can call them?
0
 

Author Comment

by:schoemans
ID: 24140211
Yeah I checked the event viewer but couldn't find anything. I also turned on auditing of failed security access but nothing.

I used ProccessMonitor from SysInternals, ran it on the agent server and media server and tried to find "denied" requests.
I couldn't find anything although I'm too sure which processes all to monitor - I just monitored the services's executables and system account.

I am busy with BE support but in the past they haven't been very helpful...
0
 
LVL 1

Expert Comment

by:Cegal Smarte Datahoder
ID: 25058515
Hi.

I'm having the exact same issue here. Have you solved it?

In my situation the remote server is a 2008 domain controller in an existing 2003 domain.
Backup Media server is a 2003 server.
BE 12.5 (All servicepacks and hotfixes installed)
Tried to install the Remote Agent maunaully from the RAWS dir or pushed form the media server.
I have no problems connecting to other remote 2008 servers in the same domain.


0
 
LVL 38

Expert Comment

by:Jim P.
ID: 25073725
Is the firewall on on either side?

Do the service agents match throughout the domain?
0
 

Author Comment

by:schoemans
ID: 25115419
Sorry - I haven't solved it yet, but I have stopped trying. I didn't contact Symantec because the customer have lost their support ID and they have not given it to me yet.
0
 

Accepted Solution

by:
schoemans earned 0 total points
ID: 25115437
I'll close the question with this as a solution, since no solution was found. But maybe someone can you use the advise given in this thread to see if it maybe works for them.
0
 

Expert Comment

by:MalmesburySchool
ID: 25684639
I have had the same problem on Windows 2008 servers. Solved after adding Backup Exec Service account into 'Logon as a batch job' policy in Local Security Policies on the affected server.
0
 

Expert Comment

by:leatherleaf
ID: 26191819
MalmesburySchool's solution worked for me as well with Server 2008. I granted the account used to authenticate (Backup Exec service account) 'Log on as a batch job' permissions. Thanks!
0
 
LVL 1

Expert Comment

by:bnbhoover
ID: 29231248
I had the same scenario play out: Windows Server 2003 Active Directory Domain, and Windows Server 2003 SBS with Backup Exec 12 SBS media server, and a Windows 2008 server with the Backup Exec Remote Agent installed.

I used group policy editor to apply the setting above, as Local Security Policy editor was disabled for the affected server.

On the Windows Server 2003 domain controller, run Group Policy Management, and edit whichever group policy object is appropriate. Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Management. Under "Log on as a batch job" add the appropriate user, making SURE that the user is in the form of DOMAIN\USER. This DOMAIN\USER should match exactly the user account that both the media server "Backup Exec Server" service and the remote server's "Backup Exec Remote Agent" service use to log on.

Refreshed the group policy on the Windows Server 2008 box Start -> Run and type in "gpupdate" and upon successful GPO refresh, the media server could then log on to the remote server via the remote agent.

I also made CERTAIN that the Windows firewall on Windows Server 2008 had the appropriate rules in place for allowing communication, and added the beremote.exe service executable to the exceptions list in our virus protection on the Windows Server 2008 server (We use Kaspersky Enterprise Space Security).

Hope this helps someone.
0
 

Expert Comment

by:dgphoton
ID: 32900890
I had similar problem:
Windows SBS 2008
BackupExec 12.5
Could not connect to Vista clients (XP and Win2K were ok).
Adding "logon as a batch job" to my BackupExec domain logon account did the job.
0
 

Expert Comment

by:tech-
ID: 34430721
Worked for me too!   Thanks.

Windows SBS 2008
BackupExec 12.5
Could not connect to other Windows 2008 R2 Servers
Adding "logon as a batch job" to my BackupExec domain logon account did the job.
0
 

Expert Comment

by:northlich
ID: 38687841
In my case ... The BE service account was deleted from Log On To ... within AD. Everything else checked out, but this was the culprit.
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

By default, Carbonite Server Backup manages your encryption key for you using Advanced Encryption Standard (AES) 128-bit encryption. If you choose to manage your private encryption key, your backups will be encrypted using AES 256-bit encryption.
VM backups can be lost due to a number of reasons: accidental backup deletion, backup file corruption, disk failure, lost or stolen hardware, malicious attack, or due to some other undesired and unpredicted event. Thus, having more than one copy of …
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now