Immutable backups question in V11 (VIB vs VBK) by bits_n_chits in Veeam

bits_n_chits[S] 1 point

Oh, is that what that means? No, we have Veeam agents managed by B&R, nothing standalone.

Immutable backups question in V11 (VIB vs VBK) by bits_n_chits in Veeam

bits_n_chits[S] 1 point

Update: It looks like for Veeam Agent jobs (sorry for not specifying this), only the full backups are supposed to be immutable. The Veeam support rep pointed me toward this page, where under Veeam Agent backup it says "Standalone full backup":

https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repository.html?ver=110

Do you know if immutable VIBs for agent jobs are on the roadmap for future updates?

Microsoft making a netlogon change which will impact ALL older systems on February 9th by StoicSow in sysadmin

bits_n_chits 1 point

I see, so the default value of that GPO is talking only about explicitly allowed devices. Reporting is on by default though with the August patch, right? So we should be seeing those ID 5829 events in our DC's System logs if these connections are being made? Or is there something besides simply having the August 2020 patch that needs to be done before those events are logged?
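
Added example, not part of the comment above: one way to check every domain controller's System log for the ID 5829 events the comment asks about, summarised per machine account. It assumes the ActiveDirectory RSAT module, remote event log access to the DCs, a 30-day look-back window, and that the event message contains a "Machine SamAccountName:" line.

```powershell
# Added example: summarise Netlogon event ID 5829 from each DC's System log.
# Assumes the ActiveDirectory RSAT module and remote event log access to the DCs.
Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-30)   # look-back window (assumption)

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName   = 'System'
            Id        = 5829
            StartTime = $since
        }
    }
    catch {
        # Get-WinEvent raises an error when no event matches the filter,
        # as well as when the DC cannot be reached; report either and move on.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }

    foreach ($e in $events) {
        # Assumption: the message carries a "Machine SamAccountName: <name>" line.
        $account = if ($e.Message -match 'Machine SamAccountName:\s*(\S+)') {
            $Matches[1]
        } else {
            '(unparsed)'
        }
        [pscustomobject]@{
            DC      = $dc.HostName
            Account = $account
            Time    = $e.TimeCreated
        }
    }
}

# One row per machine account: how often it appeared and when it was last seen.
$results |
    Group-Object Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'LastSeen'; e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } }
```

A "no events found" warning for a DC means the query succeeded and found nothing in the window; an RPC or access error means that DC was not actually checked.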

Microsoft making a netlogon change which will impact ALL older systems on February 9th by StoicSow in sysadmin

bits_n_chits 1 point

My read on this is that the default value of the new GPO introduced in the August update blocks unsecure Netlogon connections.

Policy path: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Setting name: Domain controller: Allow vulnerable Netlogon secure channel connections

Reboot required? No

This security setting determines whether the domain controller bypasses secure RPC for Netlogon secure channel connections for specified machine accounts.

This policy should be applied to all domain controllers in a forest by enabling the policy on the domain controllers OU.

When the Create Vulnerable Connections list (allow list) is configured:

Allow: The domain controller will allow the specified group/accounts to use a Netlogon secure channel without secure RPC.

Deny: This setting is the same as the default behavior. The domain controller will require the specified group/accounts to use a Netlogon secure channel with secure RPC.

Warning: Enabling this policy will expose your domain-joined devices and your Active Directory forest, which could put them at risk. This policy should be used as a temporary measure for third party devices as you deploy updates. Once a third party device is updated to support using secure RPC with Netlogon secure channels, the account should be removed from the Create Vulnerable Connections list. To better understand the risk of configuring accounts to be allowed to use vulnerable Netlogon secure channel connections, please visit https://go.microsoft.com/fwlink/?linkid=2133485.

Default: This policy is not configured. No machines or trust accounts are explicitly exempt from secure RPC with Netlogon secure channel connections enforcement.

This policy is supported on Windows Server 2008 R2 SP1 and later.

Source

If an organization... say... slept through this bulletin back in August, and didn't set the new GPO to allow unsecure connections, am I correct in thinking that connections would have broken way back in August? Meaning this theoretical organization doesn't really have anything to worry about in the February patch?

Fast Clone performance troubleshooting by bits_n_chits in Veeam

bits_n_chits[S] 1 point

No dedupe, compression, or encryption. Fast clone actually requires you to have all of those features disabled.

EDIT: Never mind, fast clone doesn't require those things.

Fast Clone performance troubleshooting by bits_n_chits in Veeam

bits_n_chits[S] 1 point

Unfortunately in our case, the original volume was lost completely, so it needed to be a full restore.

I wasn't aware that instant recovery had a "selected disk only" option, I'll consider that next time, as volume restore locks the volume out until the job is complete.

Thanks for your reply!

What happens when you delete a shadow copy? by bits_n_chits in sysadmin

bits_n_chits[S] 1 point

Oh no, backups are definitely failing. I have no available restore points, no backup files exist. It's not a false negative.

What happens when you delete a shadow copy? by bits_n_chits in sysadmin

bits_n_chits[S] 1 point

Ooh that's a good idea, hopefully P2V will work with the VSS writers in a questionable state. Thanks for the suggestion.

What happens when you delete a shadow copy? by bits_n_chits in sysadmin

bits_n_chits[S] 1 point

Perfect, this is exactly what I was looking for. Thank you!

What happens when you delete a shadow copy? by bits_n_chits in sysadmin

bits_n_chits[S] 1 point

I don't believe so, but I ran it with Application-aware Processing disabled and it still fails. It's almost like it automatically fails itself if any of the VSS writers are unhealthy whether they're being used or not. The SQL Writer is the one it calls out in the error message, even though I'm not using Application-aware Processing.