
Possible Impacts of Removing the Machine Where Veeam Is Installed From a Domain

KB ID: 4469
Product: Veeam Backup & Replication | 5.0 | 6.1 | 6.5 | 7.0 | 8.0 | 9.0 | 9.5 | 10 | 11 | 12 | 12.1 | 12.2
Published: 2023-08-02
Last Modified: 2024-08-19

Purpose

This article documents the most common side-effects customers may experience when removing the machine where Veeam Backup & Replication is installed from a domain.

Solution

Not all of the issues listed below may be experienced. These are all heavily dependent on the configuration of the machine and the environment itself. 

Impact 1: DNS Resolution Failures

After removing the machine where Veeam is installed from the domain, the software may not be able to resolve the hostnames of other machines still in the domain. A variation of this issue is that the machine can resolve FQDNs but not short hostnames.

To correct this, determine which hostnames/FQDNs cannot be resolved, test that the native OS cannot resolve them, and then take the appropriate actions to correct DNS issues.

Note: In some cases, customers have reported having to add DNS suffixes manually to the NIC on the machine where Veeam Backup & Replication is installed.
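The check described above, as an added PowerShell example (not part of the original KB or Veeam tooling): it tests each host by short name and by FQDN through the OS resolver and then prints the suffix and DNS server settings that decide the outcome. The host names are constructed placeholders.

```powershell
# Constructed sample names: replace with the managed servers, proxies and
# repositories registered in your own Veeam Backup & Replication console.
$Targets = @(
    [pscustomobject]@{ Short = 'repo01';  Fqdn = 'repo01.corp.example' }
    [pscustomobject]@{ Short = 'proxy01'; Fqdn = 'proxy01.corp.example' }
)

function Test-DnsName {
    param([Parameter(Mandatory)][string]$Name)
    try {
        # -DnsOnly skips LLMNR/NetBIOS so the result reflects DNS alone.
        $null = Resolve-DnsName -Name $Name -DnsOnly -ErrorAction Stop
        $true
    } catch {
        $false
    }
}

$results = foreach ($t in $Targets) {
    $short = Test-DnsName -Name $t.Short
    $fqdn  = Test-DnsName -Name $t.Fqdn
    [pscustomobject]@{
        Host      = $t.Short
        ShortName = $short
        FQDN      = $fqdn
        Finding   = if ($short -and $fqdn) { 'OK' }
                    elseif ($fqdn)         { 'FQDN only: check DNS suffix search list' }
                    elseif ($short)        { 'Short name only: check the FQDN value' }
                    else                   { 'Neither resolves: check DNS servers on the NIC' }
    }
}
$results | Format-Table -AutoSize

# Suffixes the resolver appends to single-label names, per machine and per NIC.
(Get-DnsClientGlobalSetting).SuffixSearchList
Get-DnsClient | Select-Object InterfaceAlias, ConnectionSpecificSuffix

# DNS servers each interface queries.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses
```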

Impact 2: Veeam Services Configured to Use Domain Account Fail to Start

After the machine is removed from the domain, any services associated with Veeam that were configured to 'Log on as' a domain account will fail to start. 

The default configuration of Veeam Backup & Replication uses a self-deployed database engine, and the services are set to use the "Local System Account."

When customers have elected to host the Configuration Database remotely, and the services are set to use a domain account, that domain account will fail as the local machine can no longer validate the domain account. In such a situation, the services should be changed to "Local System Account," and the Database Configuration tool should be used to reconfigure Veeam Backup & Replication to connect to the remote database location using native authentication*.

*This would require that you have configured native authentication within the remote database engine software.
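One way to find the affected services before the machine leaves the domain, as an added PowerShell example (not Veeam's own tooling). It assumes Veeam services can be identified by a name or display name beginning with "Veeam".

```powershell
# Assumption: Veeam services are identified by a name or display name that
# starts with "Veeam"; adjust the filter if your services are named differently.
$filter = "Name LIKE 'Veeam%' OR DisplayName LIKE 'Veeam%'"

# Identities the local machine can validate without a domain controller.
$builtIn     = '^(LocalSystem|NT AUTHORITY\\.+|NT SERVICE\\.+)$'
$localPrefix = '^(\.|' + [regex]::Escape($env:COMPUTERNAME) + ')\\'

$report = Get-CimInstance -ClassName Win32_Service -Filter $filter |
    ForEach-Object {
        $account = $_.StartName
        $kind = if (-not $account)                    { 'Unknown' }
                elseif ($account -match $builtIn)     { 'Built-in' }
                elseif ($account -match $localPrefix) { 'Local account' }
                else                                  { 'Domain account' }
        [pscustomobject]@{
            Service   = $_.Name
            LogOnAs   = $account
            Kind      = $kind
            StartMode = $_.StartMode
            State     = $_.State
        }
    }

$report | Sort-Object Kind, Service | Format-Table -AutoSize

# Anything classified as a domain account (DOMAIN\user or user@domain) is what
# Impact 2 describes: it cannot be validated once the machine is off the domain.
$atRisk = @($report | Where-Object Kind -eq 'Domain account')
if ($atRisk.Count -gt 0) {
    Write-Warning ("{0} service(s) log on with a domain account and will fail to start after domain removal." -f $atRisk.Count)
}
```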

Impact 3: Connections May Fail Due to Incorrectly Formatted Saved Credentials

After the machine is removed from the domain, any credentials stored within the Credentials Manager in "dot format" (.\user) may fail.

Review all entries within the Credentials Manager; any credentials listed with a dot format (.\user) that will be used to connect to other Windows machines should be reformatted as either <domain>\<user> or <hostname>\<user>.

Note: UPN format (<user>@<domain>) is required when adding some types of Deduplication Appliances, but UPN format will cause disruptions with others (CIFS Repositories and Protection Groups). Carefully review how each credential is used before changing its format between UPN and down-level logon name.

Tip: Review the Credentials Manager and remove duplicate or unused entries: KB3224: How to Clean Up the Credentials Manager in Veeam Backup & Replication

Impact 4: Connecting to Veeam Backup & Replication Console using Domain Credentials Fails

After removing the machine from the domain, attempts to connect to the Veeam Backup & Replication Console using a domain account will fail.

While this may be obvious, it is noteworthy because it may lead to a situation where no account can be used to manage Veeam Backup & Replication. Specifically, this happens if no local account is assigned the Veeam Backup Administrator role, which can occur when the default BUILTIN\Administrators user group was removed and no local account was added to the Users and Roles security panel.

Note: The default configuration of Veeam Backup & Replication is that the BUILTIN\Administrators user group is used to provide all members of that group the Veeam Backup Administrator role.

For example, when Multi-Factor Authentication (MFA) is enabled in Veeam Backup & Replication, all security groups must be removed from the Users and Roles list. This results in the removal of the BUILTIN\Administrators group. Then, if only domain users were added and assigned a role, no local account could be used to administer Veeam Backup & Replication after domain ejection.

Impact 5: Firewall Profile Change From Domain to Private or Public

After removing the machine from the domain, the native firewall will shift to a different profile, which may impact communications.

During the installation of Veeam Backup & Replication and deployment of related components to managed servers, firewall rules are created for Veeam services with the setting "Profile: All." However, other default firewall rules, such as File and Printer Sharing, may differ depending on the profile in use. After removing the Veeam Backup Server and its managed servers from the domain, check the firewall settings if you experience abnormal communication issues.

Veeam Backup & Replication Port Requirements
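A firewall check for this impact, as an added PowerShell example (not from the original KB): it shows the network category now in effect and whether each inbound File and Printer Sharing rule is enabled and applies to it. The display group name assumes an English-language Windows installation.

```powershell
# Network category of each connected interface. After leaving the domain this
# is Private or Public instead of DomainAuthenticated.
$active = Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory
$active | Format-Table -AutoSize

# Firewall rules name the domain profile "Domain", so normalise the category.
$categories = $active.NetworkCategory |
    ForEach-Object { "$_" -replace 'Authenticated$', '' } |
    Sort-Object -Unique

# Assumption: English display group name; it is localised on other installs.
$group = 'File and Printer Sharing'

Get-NetFirewallRule -DisplayGroup $group |
    Where-Object Direction -eq 'Inbound' |
    ForEach-Object {
        $profiles = "$($_.Profile)"   # e.g. "Domain", "Private, Public", "Any"
        $covers = @($categories | Where-Object {
            $profiles -eq 'Any' -or $profiles -match "\b$_\b"
        })
        [pscustomobject]@{
            Rule                 = $_.DisplayName
            Enabled              = "$($_.Enabled)"
            Profile              = $profiles
            AppliesToActiveProfile = ($covers.Count -gt 0)
        }
    } |
    Sort-Object AppliesToActiveProfile, Rule |
    Format-Table -AutoSize
```

Rules that show Enabled as True but AppliesToActiveProfile as False were reachable under the Domain profile and are no longer in effect on the current one.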

Impact 6: Loss of Domain-based Time Sync May Cause Tasks to Fail

After removing the machine from the domain, its clock will no longer be synchronized by the domain. This may lead to task failures.

If you notice tasks begin failing after ejecting the Veeam Backup & Replication machine from the domain, check that the clocks on the different machines match. There have also been reported situations where no issues occur for backup jobs, but during a file level restore, the production machine's clock did not match the Veeam Backup Server, causing restores to fail.

Impact 7: Group Managed Service Accounts (gMSA) Usage Concerns

After removing the machine from the domain, it can no longer be used as a Guest Interaction Proxy if Group Managed Service Accounts (gMSA) are used for Application-Aware Processing. To continue using gMSA for Application-Aware Processing, you must create a dedicated domain-joined Guest Interaction Proxy and assign it within the jobs that utilize gMSA.

As documented in the Veeam Backup & Replication User Guide:

...both the guest interaction proxy and the target machine must have network access to the domain controllers and be in the same domain to obtain the gMSA password.

More Information

This article may not cover all potential issues that may occur when removing the machine where Veeam Backup & Replication is installed from a domain. Every environment is different, and other undocumented issues may occur. Veeam Support has done its best to document the most common problems that customers have reported.

If you are facing an issue after removing the Veeam Backup & Replication server from a domain, and require assistance, please create a support case.

If you'd like to suggest an addition to the list on this KB Article, please use the Send Article Feedback form.

Tip: The most common reason someone might want to remove their Veeam Backup & Replication server from a domain is for security reasons; as such, we strongly encourage customers to review: https://bp.veeam.com/vbr/Security/Security_domains.html
