Solved

Backup Exec "Access is denied" for remote agent

Posted on 2009-03-30
26
17,933 Views
Last Modified: 2013-12-01
Hi,

Have BackupExec media server (12.5) intalled on Windows 2003 Server. (SERVER A)
Installed remote agent on second server - Windows 2000 SP4. (SERVER B)

When I want to connect to SERVER B in BE to select files it says "Access is denied".

Remote agent on SERVER B is set to use Local System Account. Have also tried it with Administrator and dedicated backup account - no success.

DNS resolution is fine from both sides.

Port is open and I can connect manually via telnet to port 10000 on SERVER B (the port of the remote agent).
Also when monitoring backupexec agent with ProcessExplorer I see that SERVER A is establishing a connection to remote agent on SERVER B.

Have uninstalled REmote agent and re-installed - no success.

The error is not from a specific file or folder, it is as soon as I click on the server in the selection list (i.o.w the whole server)

I can access all files and folders via windows explorer and hidden shares on SERVER B.


Any ideas?
0
Comment
Question by:schoemans
  • 10
  • 7
  • 2
  • +7
26 Comments
 
LVL 32

Expert Comment

by:Rodney Barnhardt
Comment Utility
Try checking and making the changes in this document:
http://seer.entsupport.symantec.com/docs/266075.htm  
0
 
LVL 32

Expert Comment

by:Rodney Barnhardt
Comment Utility
Actually, this is remote agent specific:
http://seer.entsupport.symantec.com/docs/265086.htm  
0
 

Author Comment

by:schoemans
Comment Utility
Yeah thanks I tried those already.

The agent is running with Local System account.

The thing is I can't go look where I tries to get access to first.
If for instance I could access C: but not D: then I know where to look.
But in this case as soon as I want to expand the the server it gives the error.

I have checked that SYSTEM account has full access from C: and D: and is inherited.

Any other idea?
0
 
LVL 38

Expert Comment

by:Jim P.
Comment Utility
Do you have the same domain user account that has Backup Operator permissions on the remote machine running as an Remote Agent service as well as running the service on the backup server?

That was long. LocalSystem means exactly that, ServerXYZ with SID {12345} will allow the ServerXYZ\LocalSystem account do just about anything. But if the BackupSrvr\LocalSystem say to ServerXYZ I want you to do something for me, ServerXYZ is go to say screw off BackupSrvr, you have no authority or permissions to anythin on ServerXYZ.

But if MyDomain\User is familiar to both BackupSrvr and ServerXYZ because MyDomain says its good, they talk.

Note that you generally will have to restart services on both the both BackupSrvr and ServerXYZ after you make the changes.
0
 

Author Comment

by:schoemans
Comment Utility
Yeah on Media server (BackupSrvr as in your ex) the service is running as dedicated backup user which is part of Domain Admins and Backup Operators. I also gave the user the appropriate rights and priviledges in the policies as specified by Symantec.

I have also tried all services with Admin accout still no luck.

The Remote Agent server (ServerXYZ) was previously a DC. It was forcefully demoted (dcpromo /forceremoval) and that seemed to be  successful. It's name was then changed and joined to the current domain.

In the event logs it still gives errors of not being able to replicate and communicate AD info with other DC. This is correct since it is no longer a DC in that domain.

I am thinking maybe that because it still gives errors, the demotion was completely successful and this maybe screwed up something in permissions or something.
I reset the default security using the secsetup.inf template - still no luck.

Is there a utility that can somehow test whether System Account has correct access on its own system?

If it whas a normal user I could simply logon and try accessing the resources and see what happens, but because I can't login as System Account I can't do that.

thanks.
0
 

Author Comment

by:schoemans
Comment Utility
sorry I meant to say UNsuccessful because of errors...
0
 
LVL 38

Expert Comment

by:Jim P.
Comment Utility
Ok on ServerXYZ -- there should be an Backup Exec service in the Services menu, IIRC. Is that services Log On As the same as the userid on the BackupSrvr?
0
 

Author Comment

by:schoemans
Comment Utility
Thanks I'll check it out - have to go to customer's site first.
0
 
LVL 38

Expert Comment

by:Jim P.
Comment Utility
Can you post from the site? It would be much easier to troubleshoot.
0
 

Author Comment

by:schoemans
Comment Utility
OK at site now..

No there is no such service - checked on both servers. I also checked image names (xxx.exe) of all services and nothing with such name.

What service is it, what does it do?
0
 
LVL 38

Expert Comment

by:Jim P.
Comment Utility
There should be a Backup Exec client/agent installed on ServerXYZ. If there isn't, then check in the Backup Server for a client/agent install directory and install it on the ServerXYZ.
0
 

Author Comment

by:schoemans
Comment Utility
Sorry I'm wrong...

One service on ServerZYX called Backup Exec Remote Agent for Windows System.
Logs on as Local System Account.

A few BE services on Backupsrvr, including Backup Exec Server service - all log on as dedicated account with corrent permissions. Also tried all these with Domain Admin account for testing.




0
 
LVL 38

Expert Comment

by:Jim P.
Comment Utility
>> Backup Exec Remote Agent for Windows System.

Right click the service, and change the Account to match the account the BackupSrvr is using for BE.

Note that you don't want to use a domain Admin account if possible. You want the account to have the backup operator on the ServerZYX and local administrator on the BackupSrvr.
SQL-Service-Account.jpg
0
Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

 

Author Comment

by:schoemans
Comment Utility
I put the agents logon account to the dedicated backup exec account I created. The account has all the right permissions.....no luck.

I have changed the agents account back to Local System Account like it is suppose to be.

How can I test whether a specific account,i.e System Account, has access to a specific resource except for logging in and manually trying (which is not possible with system account).

How can I debug Backup Exec to get more detail on where exactly the problem is?
0
 
LVL 38

Expert Comment

by:Jim P.
Comment Utility
Have you looked at the Event Viewer (eventvwr.msc) for entries there?

Or do you have support from BE that you can call them?
0
 

Author Comment

by:schoemans
Comment Utility
Yeah I checked the event viewer but couldn't find anything. I also turned on auditing of failed security access but nothing.

I used ProccessMonitor from SysInternals, ran it on the agent server and media server and tried to find "denied" requests.
I couldn't find anything although I'm too sure which processes all to monitor - I just monitored the services's executables and system account.

I am busy with BE support but in the past they haven't been very helpful...
0
 
LVL 1

Expert Comment

by:Cegal Smarte Datahoder
Comment Utility
Hi.

I'm having the exact same issue here. Have you solved it?

In my situation the remote server is a 2008 domain controller in an existing 2003 domain.
Backup Media server is a 2003 server.
BE 12.5 (All servicepacks and hotfixes installed)
Tried to install the Remote Agent maunaully from the RAWS dir or pushed form the media server.
I have no problems connecting to other remote 2008 servers in the same domain.


0
 
LVL 38

Expert Comment

by:Jim P.
Comment Utility
Is the firewall on on either side?

Do the service agents match throughout the domain?
0
 

Author Comment

by:schoemans
Comment Utility
Sorry - I haven't solved it yet, but I have stopped trying. I didn't contact Symantec because the customer have lost their support ID and they have not given it to me yet.
0
 

Accepted Solution

by:
schoemans earned 0 total points
Comment Utility
I'll close the question with this as a solution, since no solution was found. But maybe someone can you use the advise given in this thread to see if it maybe works for them.
0
 

Expert Comment

by:MalmesburySchool
Comment Utility
I have had the same problem on Windows 2008 servers. Solved after adding Backup Exec Service account into 'Logon as a batch job' policy in Local Security Policies on the affected server.
0
 

Expert Comment

by:leatherleaf
Comment Utility
MalmesburySchool's solution worked for me as well with Server 2008. I granted the account used to authenticate (Backup Exec service account) 'Log on as a batch job' permissions. Thanks!
0
 
LVL 1

Expert Comment

by:bnbhoover
Comment Utility
I had the same scenario play out: Windows Server 2003 Active Directory Domain, and Windows Server 2003 SBS with Backup Exec 12 SBS media server, and a Windows 2008 server with the Backup Exec Remote Agent installed.

I used group policy editor to apply the setting above, as Local Security Policy editor was disabled for the affected server.

On the Windows Server 2003 domain controller, run Group Policy Management, and edit whichever group policy object is appropriate. Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Management. Under "Log on as a batch job" add the appropriate user, making SURE that the user is in the form of DOMAIN\USER. This DOMAIN\USER should match exactly the user account that both the media server "Backup Exec Server" service and the remote server's "Backup Exec Remote Agent" service use to log on.

Refreshed the group policy on the Windows Server 2008 box Start -> Run and type in "gpupdate" and upon successful GPO refresh, the media server could then log on to the remote server via the remote agent.

I also made CERTAIN that the Windows firewall on Windows Server 2008 had the appropriate rules in place for allowing communication, and added the beremote.exe service executable to the exceptions list in our virus protection on the Windows Server 2008 server (We use Kaspersky Enterprise Space Security).

Hope this helps someone.
0
 

Expert Comment

by:dgphoton
Comment Utility
I had similar problem:
Windows SBS 2008
BackupExec 12.5
Could not connect to Vista clients (XP and Win2K were ok).
Adding "logon as a batch job" to my BackupExec domain logon account did the job.
0
 

Expert Comment

by:tech-
Comment Utility
Worked for me too!   Thanks.

Windows SBS 2008
BackupExec 12.5
Could not connect to other Windows 2008 R2 Servers
Adding "logon as a batch job" to my BackupExec domain logon account did the job.
0
 

Expert Comment

by:northlich
Comment Utility
In my case ... The BE service account was deleted from Log On To ... within AD. Everything else checked out, but this was the culprit.
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

In this article we have discussed the manual scenarios to recover data from Windows 10 through some backup and recovery tools which are offered by it.
Storage devices are generally used to save the data or sometime transfer the data from one computer system to another system. However, sometimes user accidentally erased their important data from the Storage devices. Users have to know how data reco…
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now