Server 2012 R2 domain controller backup using Windows Server Backup with gMSA fails

  • Question

  • All,

    I have a Server 2012 R2 forest with an empty root and two child domains. Everything is Server 2012 R2 end-to-end. I've installed Windows Server Backup on a DC in each domain. I've created separate gMSAs in each domain, added them to Domain Admins in their respective domains, and installed them on each of the three DCs to be backed up. I created a share on a server in one of the child domains and gave Domain Admins from each domain full control at the share and security ACL levels.

    I'm creating scheduled tasks to run as gMSAs and they run powershell.exe with the arguments of "wbadmin.exe start systemstatebackup -backupTarget:\\server.contoso.com\backup -quiet"

    Backups on each of the child domains work fine. However, the backup on the root DC is failing with "Error Value: 2147943785" when running as the gMSA. If I switch the user running to use my domain admin account, it runs without issue.

    I've added the gMSA to the local domain admins, backup operators, administrators, even schema and enterprise admins, but nothing works. I've deleted and re-created the gMSA with different names and different principals allowed to recover the managed password.

    I understand that the error value indicates the account doesn't have rights to run as a batch job, but all of the groups in which it's a member do have that right, and I've added the account explicitly to the run as a batch job list, but it still fails.

    Any ideas? Is there a reason a gMSA from a parent domain couldn't talk to a child domain? The trusts are built transitive and there are no issues with communications between the two child domains.

    This is a test domain, and I'd hate to burn hours to call support. Hope someone can help.


    Ron Arestia, MCSA (Server 2012)

    Friday, June 17, 2016 12:27 PM

Answers

  • I resolved this issue.

    I started having issues in one of my child domains, so I went back to review using gMSAs with Task Scheduler. I have a gMSA dedicated to running cleanup scripts in my domains, and I noticed that the account was not in the "Log on as a Batch Job" user rights assignment node but in the "Log on as a Service" node.

    The groups in batch job were different than those in the service node, so I added the Backup Operators group to the service node, started the task, and it ran properly.

    I hope this helps someone having a similar problem!

    TL;DR: Put gMSAs in the "Log on as a Service" node if using them in scheduled tasks to get around the "Error Value: 2147943785" issue.


    Ron Arestia, MCSA (Server 2012)

    • Marked as answer by Ron Arestia Thursday, July 14, 2016 12:59 PM
    Thursday, July 14, 2016 12:59 PM
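As an added example (not code from the thread): a PowerShell script to run on the root DC that lists which principals currently hold the two logon rights the accepted answer distinguishes, confirms the gMSA is installed on the host, and registers the wbadmin task with the gMSA as its principal. It assumes the gMSA name CONTOSO\backupadmin$ and the share path quoted in the thread.

```powershell
# Added example, not from the original thread. Assumes the gMSA and share
# named in the thread; adjust both for your environment.
#Requires -RunAsAdministrator
$gmsa  = 'CONTOSO\backupadmin$'
$share = '\\server.contoso.com\backup'

# The thread's "Error Value: 2147943785" is 0x80070569, i.e. Win32 error 1385:
# "the user has not been granted the requested logon type at this computer".
$rightsToCheck = @{
    SeBatchLogonRight   = 'Log on as a batch job'
    SeServiceLogonRight = 'Log on as a service'
}

# Export the effective local security policy; this reflects GPO-applied rights.
$cfg = Join-Path $env:TEMP 'rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Resolve-Principal([string]$entry) {
    # secedit writes SIDs with a leading '*'; names are left as-is.
    if ($entry -notlike '*S-1-*') { return $entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $entry }
}

foreach ($right in $rightsToCheck.Keys) {
    $line = Get-Content $cfg | Where-Object { $_ -like "$right*" }
    $members = @()
    if ($line) {
        $members = ($line -split '=')[1].Trim() -split ',' | ForEach-Object { Resolve-Principal $_.Trim() }
    }
    "{0} ({1}): {2}" -f $rightsToCheck[$right], $right, ($members -join ', ')
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Confirm the gMSA is installed on this host before scheduling it (requires the AD module).
Test-ADServiceAccount -Identity $gmsa.Split('\')[1]

# Register the task with the gMSA as principal. LogonType Password is the
# documented setting for gMSAs: Task Scheduler retrieves the managed password itself.
$action    = New-ScheduledTaskAction -Execute 'wbadmin.exe' -Argument "start systemstatebackup -backupTarget:$share -quiet"
$trigger   = New-ScheduledTaskTrigger -Daily -At '01:00'
$principal = New-ScheduledTaskPrincipal -UserId $gmsa -LogonType Password -RunLevel Highest
Register-ScheduledTask -TaskName 'DC-SystemStateBackup' -Action $action -Trigger $trigger -Principal $principal
```

If the gMSA (or a group it belongs to) is missing from the SeServiceLogonRight line, add it in the GPO that wins for the DC (the thread shows Default Domain Controllers Policy) and run gpupdate before retrying the task.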

All replies

  • Some additional information:

    I created a standalone user object with membership in Backup Operators and the domain local security group that provides rights to the backup share. I associated that user to the scheduled task, and it's running without issue.

    Is there something that would prevent a gMSA from running a batch job in the root domain of a forest?


    Ron Arestia, MCSA (Server 2012)

    Friday, June 17, 2016 1:33 PM
  • Hi Ron Arestia, MCSA,

    Thanks for your post.

    Please check whether the local group policy "Log On As Batch Job" assignment is blocking the scheduled task on the root domain server, since the user configured to run this scheduled task must have "Log on as a batch job" rights on the computer that hosts the exe you are launching.

    Have your Network Administrator go to Start Menu > Administrative Tools > Local Security Policy > Local Policies > User Rights Assignment > Log On As Batch Job  

    Add your user to this list

    After this, try to configure your scheduled task again.

    Best Regards,

    Mary



    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, June 20, 2016 2:06 AM
  • Mary,

    Thank you for the response. However, as discussed in my previous post, this gMSA is already defined in the GPO assigning this right. The gMSA is also a member of every group that is defined in the same. Despite the error, the account has the appropriate rights.

    Note that this is only happening in the root domain of the forest. In every other child domain, this process is working.


    Ron Arestia, MCSA (Server 2012)

    Monday, June 20, 2016 5:55 PM
  • Hi Ron,

    Thanks for your reply.

    But according to your description, especially since it is limited to the root domain, I still suspect that you are being blocked by local group policy on the root. Sometimes, when we have set group policy at the domain level but still couldn't make the change on several domains, the local group policy may overwrite the domain group policy.

    If possible, you could run gpresult on the root domain server to check all the domain group policy and local group policy applied to the server.

    In addition, is there any other 3rd-party software on the root domain server? Please also disable it temporarily (especially AV software).

    Best Regards,

    Mary



    Tuesday, June 21, 2016 8:01 AM
  • Mary,

    Blocked by GP in what way? In SecPol, GPEdit, and even through GPResult, the "Log On As a Batch Job" option is populated with the gMSA:

    Policy: Log on as a batch job
    Setting: Administrators, Backup Operators, Performance Log Users, CONTOSO\backupadmin$
    Winning GPO: Default Domain Controllers Policy

    This identical process works fine on any child domains/trees in the forest. It's just the root of the forest having the issue.

    I also disabled antivirus to test, but the job failed as before.


    Ron Arestia, MCSA (Server 2012)

    Monday, July 11, 2016 12:00 PM