#1 Global Leader in Data Resilience

Possible Impacts of Removing the Machine Where Veeam Is Installed From a Domain

KB ID: 4469
Product: Veeam Backup & Replication | 5.0 | 6.1 | 6.5 | 7.0 | 8.0 | 9.0 | 9.5 | 10 | 11 | 12 | 12.1 | 12.2 | 12.3
Published: 2023-08-02
Last Modified: 2024-08-19
mailbox
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply except as noted in our Privacy Policy.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please, try again later.

Purpose

This article documents the most common side-effects customers may experience when removing the machine where Veeam Backup & Replication is installed from a domain.

Solution

Not all of the issues listed below may be experienced. These are all heavily dependent on the configuration of the machine and the environment itself. 

Impact 1: DNS Resolution Failures

After removing the machine where Veeam is installed from the domain, the software may not be able to resolve the DNS for hostnames of other machines still in the domain. Another permutation of this issue is that the machine can only resolve FQDNs, but not hostnames.

To correct this, determine which hostnames/FQDNs cannot be resolved, test that the native OS cannot resolve them, and then take the appropriate actions to correct DNS issues.

Note: In some cases, customers have reported having to add DNS suffixes manually to the NIC on the machine where Veeam Backup & Replication is installed.

Impact 2: Veeam Services Configured to Use Domain Account Fail to Start

After the machine is removed from the domain, any services associated with Veeam that were configured to 'Log on as' a domain account will fail to start. 

The default configuration of Veeam Backup & Replication uses a self-deployed database engine, and the services are set to use the "Local System Account."

When customers have elected to host the Configuration Database remotely, and the services are set to use a domain account, that domain account will fail as the local machine can no longer validate the domain account. In such a situation, the services should be changed to "Local System Account," and the Database Configuration tool should be used to reconfigure Veeam Backup & Replication to connect to the remote database location using native authentication*.

*This would require that you have configured native authentication within the remote database engine software.

Impact 3: Connections May Fail Due to Incorrectly Formatted Saved Credentials

After the machine is removed from the domain, any credentials stored within the Credentials Manager in "dot format" (.\user) may fail.

Review all entries within the Credentials Manager; any credentials listed with a dot format (.\user) that will be used to connect to other Windows machines should be reformated as either <domain>\<user> or <hostname>\<user>.

Note: UPN format (<user>@<domain>) is required when adding some types of Deduplication Appliances, but UPN format will cause disruptions with others (CIFS Repositories and Protection Groups). Carefully review how each credential is used before changing its format between UPN and down-level logon name.

Tip: Review the Credentials Manager and remove duplicate or unused entries: KB3224: How to Clean Up the Credentials Manager in Veeam Backup & Replication

Impact 4: Connecting to Veeam Backup & Replication Console using Domain Credentials Fails

After removing the machine from the domain, attempts to connect to the Veeam Backup & Replication Console using a domain account will fail.

While this may be obvious, it is noteworthy because it may lead to a situation where no account can be used to manage Veeam Backup & Replication. Specifically, if no local accounts were assigned the Veeam Backup Administrator role, which can occur when the default BUILTIN\Administrators user group was removed, and no local account was added to the User and Roles Security panel.

Note: The default configuration of Veeam Backup & Replication is that the BUILTIN\Administrators user group is used to provide all members of that group the Veeam Backup Administrator role.

For example, when Multi-Factor Authentication (MFA) is enabled in Veeam Backup & Replication, all security groups must be removed from the Users and Roles list. This results in the removal of the BUILTIN\Administrators group. Then, if only domain users were added and assigned a role, no local account could be used to administer Veeam Backup & Replication after domain ejection.

Impact 5: Firewall Profile Change From Domain to Private or Public

After removing the machine from the domain, the native firewall will shift to a different profile, which may impact communications.

During the installation of Veeam Backup & Replication and deployment of related components to managed servers, firewall rules are created for Veeam services with the settings "Profile: All," however other default firewall rules such as a File and Printer Sharing may be different depending on the profile in use. After removing the Veeam Backup Server and its managed servers from the domain, check the firewall settings if you experience abnormal communication issues.

Veeam Backup & Replication Port Requirements

Impact 6: Loss of Domain-based Time Sync May Cause Tasks to Fail

After removing the machine from the domain, its clock will no longer be synchronized by the domain. This may lead to task failures.

If you notice tasks begin failing after ejecting the Veeam Backup & Replication machine from the domain, check that the clocks on the different machines match. There have also been reported situations where no issues occur for backup jobs, but during a file level restore, the production machine's clock did not match the Veeam Backup Server, causing restores to fail.

Impact 7: Group Managed Service Accounts (gMSA) Usage Concerns

After removing the machine from the domain, it can no longer be used as a Guest Interaction Proxy if Group Managed Service Accounts (gMSA) are used for Application-Aware Processing. To continue using gMSA for Application-Aware Processing, you must create a dedicated domain-joined Guest Interaction Proxy and assign it within the jobs that utilize gMSA.

As documented in the Veeam Backup & Replication User Guide:

...both the guest interaction proxy and the target machine must have network access to the domain controllers and be in the same domain to obtain the gMSA password.

More Information

This article may not cover all potential issues that may occur when removing the machine where Veeam Backup & Replication is installed from a domain. Every environment is different, and other undocumented issues may occur. Veeam Support has done its best to document the most common problems that customers have reported.

If you are facing an issue after removing the Veeam Backup & Replication server from a domain, and require assistance, please create a support case.

If you'd like to suggest an addition to the list on this KB Article, please use the Send Article Feedback form.

Tip: The most common reason someone might want to remove their Veeam Backup & Replication server from a domain is for security reasons; as such, we strongly encourage customers to review: https://bp.veeam.com/vbr/Security/Security_domains.html

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply except as noted in our Privacy Policy.
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please, try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply except as noted in our Privacy Policy.
Verify your email to continue your product download
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please, try again later.