[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 18232
  • Last Modified:

Backup Exec "Access is denied" for remote agent

Hi,

Have BackupExec media server (12.5) intalled on Windows 2003 Server. (SERVER A)
Installed remote agent on second server - Windows 2000 SP4. (SERVER B)

When I want to connect to SERVER B in BE to select files it says "Access is denied".

Remote agent on SERVER B is set to use Local System Account. Have also tried it with Administrator and dedicated backup account - no success.

DNS resolution is fine from both sides.

Port is open and I can connect manually via telnet to port 10000 on SERVER B (the port of the remote agent).
Also when monitoring backupexec agent with ProcessExplorer I see that SERVER A is establishing a connection to remote agent on SERVER B.

Have uninstalled REmote agent and re-installed - no success.

The error is not from a specific file or folder, it is as soon as I click on the server in the selection list (i.o.w the whole server)

I can access all files and folders via windows explorer and hidden shares on SERVER B.


Any ideas?
0
schoemans
Asked:
schoemans
  • 10
  • 7
  • 2
  • +7
1 Solution
 
Rodney BarnhardtServer AdministratorCommented:
Try checking and making the changes in this document:
http://seer.entsupport.symantec.com/docs/266075.htm  
0
 
Rodney BarnhardtServer AdministratorCommented:
Actually, this is remote agent specific:
http://seer.entsupport.symantec.com/docs/265086.htm  
0
 
schoemansAuthor Commented:
Yeah thanks I tried those already.

The agent is running with Local System account.

The thing is I can't go look where I tries to get access to first.
If for instance I could access C: but not D: then I know where to look.
But in this case as soon as I want to expand the the server it gives the error.

I have checked that SYSTEM account has full access from C: and D: and is inherited.

Any other idea?
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
Jim P.Commented:
Do you have the same domain user account that has Backup Operator permissions on the remote machine running as an Remote Agent service as well as running the service on the backup server?

That was long. LocalSystem means exactly that, ServerXYZ with SID {12345} will allow the ServerXYZ\LocalSystem account do just about anything. But if the BackupSrvr\LocalSystem say to ServerXYZ I want you to do something for me, ServerXYZ is go to say screw off BackupSrvr, you have no authority or permissions to anythin on ServerXYZ.

But if MyDomain\User is familiar to both BackupSrvr and ServerXYZ because MyDomain says its good, they talk.

Note that you generally will have to restart services on both the both BackupSrvr and ServerXYZ after you make the changes.
0
 
schoemansAuthor Commented:
Yeah on Media server (BackupSrvr as in your ex) the service is running as dedicated backup user which is part of Domain Admins and Backup Operators. I also gave the user the appropriate rights and priviledges in the policies as specified by Symantec.

I have also tried all services with Admin accout still no luck.

The Remote Agent server (ServerXYZ) was previously a DC. It was forcefully demoted (dcpromo /forceremoval) and that seemed to be  successful. It's name was then changed and joined to the current domain.

In the event logs it still gives errors of not being able to replicate and communicate AD info with other DC. This is correct since it is no longer a DC in that domain.

I am thinking maybe that because it still gives errors, the demotion was completely successful and this maybe screwed up something in permissions or something.
I reset the default security using the secsetup.inf template - still no luck.

Is there a utility that can somehow test whether System Account has correct access on its own system?

If it whas a normal user I could simply logon and try accessing the resources and see what happens, but because I can't login as System Account I can't do that.

thanks.
0
 
schoemansAuthor Commented:
sorry I meant to say UNsuccessful because of errors...
0
 
Jim P.Commented:
Ok on ServerXYZ -- there should be an Backup Exec service in the Services menu, IIRC. Is that services Log On As the same as the userid on the BackupSrvr?
0
 
schoemansAuthor Commented:
Thanks I'll check it out - have to go to customer's site first.
0
 
Jim P.Commented:
Can you post from the site? It would be much easier to troubleshoot.
0
 
schoemansAuthor Commented:
OK at site now..

No there is no such service - checked on both servers. I also checked image names (xxx.exe) of all services and nothing with such name.

What service is it, what does it do?
0
 
Jim P.Commented:
There should be a Backup Exec client/agent installed on ServerXYZ. If there isn't, then check in the Backup Server for a client/agent install directory and install it on the ServerXYZ.
0
 
schoemansAuthor Commented:
Sorry I'm wrong...

One service on ServerZYX called Backup Exec Remote Agent for Windows System.
Logs on as Local System Account.

A few BE services on Backupsrvr, including Backup Exec Server service - all log on as dedicated account with corrent permissions. Also tried all these with Domain Admin account for testing.




0
 
Jim P.Commented:
>> Backup Exec Remote Agent for Windows System.

Right click the service, and change the Account to match the account the BackupSrvr is using for BE.

Note that you don't want to use a domain Admin account if possible. You want the account to have the backup operator on the ServerZYX and local administrator on the BackupSrvr.
SQL-Service-Account.jpg
0
 
schoemansAuthor Commented:
I put the agents logon account to the dedicated backup exec account I created. The account has all the right permissions.....no luck.

I have changed the agents account back to Local System Account like it is suppose to be.

How can I test whether a specific account,i.e System Account, has access to a specific resource except for logging in and manually trying (which is not possible with system account).

How can I debug Backup Exec to get more detail on where exactly the problem is?
0
 
Jim P.Commented:
Have you looked at the Event Viewer (eventvwr.msc) for entries there?

Or do you have support from BE that you can call them?
0
 
schoemansAuthor Commented:
Yeah I checked the event viewer but couldn't find anything. I also turned on auditing of failed security access but nothing.

I used ProccessMonitor from SysInternals, ran it on the agent server and media server and tried to find "denied" requests.
I couldn't find anything although I'm too sure which processes all to monitor - I just monitored the services's executables and system account.

I am busy with BE support but in the past they haven't been very helpful...
0
 
Cegal Smarte DatahoderCommented:
Hi.

I'm having the exact same issue here. Have you solved it?

In my situation the remote server is a 2008 domain controller in an existing 2003 domain.
Backup Media server is a 2003 server.
BE 12.5 (All servicepacks and hotfixes installed)
Tried to install the Remote Agent maunaully from the RAWS dir or pushed form the media server.
I have no problems connecting to other remote 2008 servers in the same domain.


0
 
Jim P.Commented:
Is the firewall on on either side?

Do the service agents match throughout the domain?
0
 
schoemansAuthor Commented:
Sorry - I haven't solved it yet, but I have stopped trying. I didn't contact Symantec because the customer have lost their support ID and they have not given it to me yet.
0
 
schoemansAuthor Commented:
I'll close the question with this as a solution, since no solution was found. But maybe someone can you use the advise given in this thread to see if it maybe works for them.
0
 
MalmesburySchoolCommented:
I have had the same problem on Windows 2008 servers. Solved after adding Backup Exec Service account into 'Logon as a batch job' policy in Local Security Policies on the affected server.
0
 
leatherleafCommented:
MalmesburySchool's solution worked for me as well with Server 2008. I granted the account used to authenticate (Backup Exec service account) 'Log on as a batch job' permissions. Thanks!
0
 
bnbhooverCommented:
I had the same scenario play out: Windows Server 2003 Active Directory Domain, and Windows Server 2003 SBS with Backup Exec 12 SBS media server, and a Windows 2008 server with the Backup Exec Remote Agent installed.

I used group policy editor to apply the setting above, as Local Security Policy editor was disabled for the affected server.

On the Windows Server 2003 domain controller, run Group Policy Management, and edit whichever group policy object is appropriate. Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Management. Under "Log on as a batch job" add the appropriate user, making SURE that the user is in the form of DOMAIN\USER. This DOMAIN\USER should match exactly the user account that both the media server "Backup Exec Server" service and the remote server's "Backup Exec Remote Agent" service use to log on.

Refreshed the group policy on the Windows Server 2008 box Start -> Run and type in "gpupdate" and upon successful GPO refresh, the media server could then log on to the remote server via the remote agent.

I also made CERTAIN that the Windows firewall on Windows Server 2008 had the appropriate rules in place for allowing communication, and added the beremote.exe service executable to the exceptions list in our virus protection on the Windows Server 2008 server (We use Kaspersky Enterprise Space Security).

Hope this helps someone.
0
 
dgphotonCommented:
I had similar problem:
Windows SBS 2008
BackupExec 12.5
Could not connect to Vista clients (XP and Win2K were ok).
Adding "logon as a batch job" to my BackupExec domain logon account did the job.
0
 
tech-Commented:
Worked for me too!   Thanks.

Windows SBS 2008
BackupExec 12.5
Could not connect to other Windows 2008 R2 Servers
Adding "logon as a batch job" to my BackupExec domain logon account did the job.
0
 
northlichCommented:
In my case ... The BE service account was deleted from Log On To ... within AD. Everything else checked out, but this was the culprit.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 10
  • 7
  • 2
  • +7
Tackle projects and never again get stuck behind a technical roadblock.
Join Now