Using a non-domain local account to connect to a domain

We have domain.local in our datacenter.  The DC is Server 2008.  We have a Windows 2003 Server, Backup1.domain.local, that is used for network storage.  We have created a domain account called "backupuser" for automation purposes.  When we set a scheduled task to backup one of the servers in our domain, we set the task to run as domain\backupuser.  When we set a scheduled task to backup a client's server, which is not in our domain, we create a local user on that server with the same name and password, and set the task to run as that local user.  The scheduled tasks access the network storage server through UNC (i.e., \\backup1\d$\backup_directory).  This has been working fine.

We recently added another network storage server, backup2.  It is using Windows 2008 Server.  This same system is working fine for any machine in our domain, but the local user strategy is now returning 0xc0000064 (user does not exist) during authentication.  We cannot use a domain account to run the task since the local system is not aware of the domain and provides no local access for its accounts.  How can we have a local user account still be able to access the network shares via UNC?
Steve Bink asked:
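The status code in the question (0xC0000064) is one of several NTLM sub-status values that a Windows 2008 server records in Security event 4625 when a network logon fails. The script below is an added example, not part of the original post, that triages those events on the storage server so a missing local account can be told apart from a wrong password or a lockout; it assumes failure auditing for Logon events is enabled (otherwise no 4625 events exist) and is run from an elevated prompt on the server.

```powershell
# Added example (not from the thread): triage failed network logons on the
# storage server by NTLM sub-status, so "account does not exist" (the
# 0xC0000064 seen in the question) is separated from wrong passwords and
# lockouts. Run from an elevated prompt on the server (backup2 in the thread).
# Requires failure auditing for Logon events to be enabled; otherwise no 4625
# events are written.

$subStatusReason = @{
    '0xC0000064' = 'user name does not exist on this server (no matching local account)'
    '0xC000006A' = 'user name exists but the password does not match'
    '0xC0000072' = 'account is disabled'
    '0xC0000234' = 'account is locked out'
}

function Get-FailedNetworkLogons {
    param([int]$Hours = 24)

    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($event in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

        # Logon type 3 = network logon, which is what a UNC access generates.
        if ($data['LogonType'] -ne '3') { continue }

        $sub    = $data['SubStatus']
        $reason = 'unmapped sub-status; look it up in the 4625 documentation'
        if ($subStatusReason.ContainsKey($sub)) { $reason = $subStatusReason[$sub] }

        New-Object PSObject -Property @{
            Time      = $event.TimeCreated
            Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Client    = $data['IpAddress']
            Package   = $data['AuthenticationPackageName']
            SubStatus = $sub
            Reason    = $reason
        }
    }
}

Get-FailedNetworkLogons -Hours 24 |
    Sort-Object Time |
    Format-Table Time, Account, Client, Package, SubStatus, Reason -AutoSize
```

A row whose Package is NTLM and whose SubStatus is 0xC0000064 for the client's IP means the server looked for a local account with that name and found none; a 0xC000006A row means the name matched but the password on the two machines has drifted. Hashtable keys in PowerShell are case-insensitive, so the lowercase hex the event data carries still matches the table above.
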
 
Steve Bink (author) commented:
Also, it seems the issue was a combination of two different problems.

1) NTLM passthrough, which is disabled by default in Windows 2008.  It was enabled by default in prior systems.  http://www.appassure.com/support/KB/4130091/
2) Administrator/UAC.  See http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_26951831.html for more information.

We decided not to allow NTLM passthrough (it was a loophole to begin with, and is rightly disabled), and bypassed the UAC restrictions by maintaining a local group for this purpose.
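The fix described above (a dedicated local group instead of relaxing the UAC restriction, and no NTLM pass-through) can be provisioned on the storage server with the script below. It is an added example, not the thread's own script: the account, group, folder and share names are assumptions, and it creates an ordinary share rather than using D$, because administrative shares require a full administrator token while a normal share only needs the rights granted to the group.

```powershell
# Added example (not the thread's own script): provision a non-domain backup
# drop on the Windows 2008 storage server so that a local account on a client
# outside the domain can write to it over UNC without touching the D$
# administrative share and without relaxing the UAC remote-token filter.
# Names below are assumptions: adjust $user, $group, $folder and $share.
# Run from an elevated prompt on the storage server.

$user   = 'backupuser'        # must match the account name on each non-domain client
$group  = 'BackupWriters'     # dedicated local group; NOT Administrators
$folder = 'D:\backup_directory'
$share  = 'backups'

# 1. Local account. "*" makes net user prompt for the password, so it is never
#    written into the script or the command line. Use the same name and
#    password on each non-domain client so NTLM local-account matching works.
& net user $user '*' /add '/passwordchg:no' '/expires:never'

# 2. Dedicated local group that carries the share rights. Keeping the account
#    out of Administrators means the UAC remote restriction (which filters the
#    token of local administrator accounts on network logons) never applies.
& net localgroup $group /add '/comment:Backup clients outside the domain'
& net localgroup $group $user /add

# 3. An explicit share instead of D$. Only the group gets Change rights.
if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }
& net share "$share=$folder" "/GRANT:$group,CHANGE" '/REMARK:Backup drop for non-domain clients'

# 4. NTFS rights: Modify for the group, inherited by new files and folders.
& icacls $folder /grant "${group}:(OI)(CI)M"

# Verification, from a non-domain client while running as its local
# "backupuser" (or from a task scheduled to run as that account):
#   dir \\backup2\backups
# A 4625 with sub-status 0xC0000064 on the server at this point means the
# local account name on the server does not match the client's.
```

On each non-domain client the matching local account is created the same way (net user with "*" to be prompted), and the scheduled task is registered with `schtasks /create ... /ru backupuser /rp *`, which prompts for the password instead of taking it on the command line. Domain-joined servers keep running their tasks as domain\backupuser, as the thread notes; only the group membership on the storage server decides who may write to the share.
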
Irosha commented:
Run the task with local privileges, but do a NET USE to the remote location using the domain credentials...
For example, write a batch file that will run before the task, on backup2, without actually mapping a drive... just identifying to the domain... it works even if the machine is not attached to/aware of the domain...

NET USE \\backup1 /USER:DOMAIN\username password

This will just introduce itself to the server and supply the correct domain credentials, so when you try to go to a share on it later on it will grant you access.
Steve Bink (author) commented:
We can't do that because of the security concerns involved with saving a password in a batch file.  It does work, though.  I tested with NET USE to figure out why I was getting access denied when I first discovered the issue.

In case it matters, the backup task is running a third-party app (snapshot) which accesses the network storage by UNC.  The path/filenames it uses are passed on the command line.
FarWest commented:
I think it is better to have a domain for the backup servers, join those servers to it, and create a trust relationship with the production domain;
this way users authenticated by the backup servers' domain are trusted in the production domain.
Steve Bink (author) commented:
>>> I think it is better to have a domain for backup servers

I will raise this possibility.  That would resolve a couple of issues we are seeking to address, including this authentication problem.
Steve Bink (author) commented:
Using a domain for the backup servers was rejected by management.  In the end, we decided to go with individual local accounts on both the network storage server and the client servers not joined to the domain.  This presents us with a few additional management issues, but it does get the job done.  Servers that are joined to the domain can continue to use the domain account as usual.

Steve Bink (author) commented:
The one suggestion offered worked, but was not acceptable for the task at hand.  It only served to verify the problem.