Solved

AD iData Agent installation

  • 4 February 2021
  • 20 replies
  • 1870 views

Userlevel 4
Badge +13

Hello,

I’ve just installed a client with AD iData agent, pushing it from commcell. Unfortunately the AD backup fails due to no access / wrong user.

I added the AD user as normally done, “domain\user”, in commcell. But looking at the account used for AD backup on the client it looks like “domain\domain\user”. So it seems that commvault adds the domain to that user account.

I’ve read the documentation but I can’t find anything on that. Can someone point me to documentation stating that behaviour?

BR

Henke


Best answer by qlu 1 March 2021, 18:16


20 replies

Userlevel 3
Badge +6

Hi Henke,

 

Most of the time, if you also need to fill in the domain name itself, it’s automatically added. So in that case only the username should be enough.

Userlevel 4
Badge +13

@M Scheepers

Hello

Not sure what you mean.

Installing a client requires a domain, not added automatically.

 

BR

Henke

Userlevel 6
Badge +13

“But looking at the account used for AD backup on the client it looks like “domain\domain\user”.”

 

I did notice the same last week, but it’s working fine over here.
I used “domain\user”, and commvault made domain.full\domain\user from it.

Userlevel 4
Badge +13

Ohhh,

As a test, I tried using “domain.full\domain\user” to log on to a server and that failed, whereas “domain.full\user” was successful. That wasn’t the actual domain admin user though.

 

But still it’s inconsequent from Commvault to do this behaviour.

Userlevel 7
Badge +15

Hi Henke

Thank you for your question.
To confirm, it is expected that domain admin account credentials are provided:
https://documentation.commvault.com/commvault/v11_sp20/article?p=14404.htm

Before You Begin

  • To perform Active Directory agent installation, administrator privileges are required. The administrator must be a member of the Domain Administrator Group.
  • Backup and restore operations require the following permissions:
    • The backup administrator must be a part of the domain user. By default, the Normal domain user has Read permissions in the Active Directory domain. You can still use an account that is not in the domain to perform backups. Make sure that the account has Read, Change and Create Child Objects permissions in the Active Directory domain. However, DNS Zones are not backed up using that account.
    • Administrator performing restore operations must at the minimum have Read, Change and Create Child Objects permissions. By default, the user in Domain Admins group, or Enterprise Admins group, or the Administrators group have all the required permissions.

The credentials should be provided in the format “domain\user”, so if you are continuing to see errors or unexpected double domain added, please let me know.

 

I would also like to highlight the need to run adLdapTool.exe to enable restores of passwords for users and computers:

https://documentation.commvault.com/commvault/v11_sp20/article?p=14408.htm

 

Thanks,

Stuart

Userlevel 4
Badge +13

Hello @Stuart Painter, thanks for the answer.

I am aware of the requirements for the AD user, and we do use one with enough privilege. The installation was successful, it’s the AD backup that is failing.

What I don’t understand is where the “’domain’.com” name comes from.

When we did the installation we used “domain/user” as you wrote.

 

Thanks for the update on adLdapTool, though we never used it.

 

Br

Henke

 

Userlevel 7
Badge +15

Hi Henke

It may not be possible to post in here given the subject matter, but if you would check the ADBackup.log on the client that may help narrow down where the additional domain.com is originating from.

Thanks,

Stuart

Userlevel 4
Badge +13

Hey.

This is from the ADBackup.log, I changed the name from its original to “domain” and user to “user” but apart from that this is what it looks like.

So somewhere in the configuration phase of the client it added the domain.

 

7532  1834  02/02 15:01:34 2228950 adBackupClass::getAdParameters() - ******  Starting new adbackup  ******
7532  1834  02/02 15:01:34 2228950 adBackupClass::getAdParameters() -     CommCellId       : [2]
7532  1834  02/02 15:01:34 2228950 adBackupClass::getAdParameters() -     AppId            : [1758]
7532  1834  02/02 15:01:34 2228950 adBackupClass::getAdParameters() -     VM               : [Instance001]
7532  1834  02/02 15:01:34 2228950 adBackupClass::getAdParameters() -     Job Id           : [2228950]
7532  1834  02/02 15:01:34 2228950 adBackupClass::getAdParameters() -     Username Length  : [25]
7532  1834  02/02 15:01:34 2228950 adBackupClass::getAdParameters() -     Password Length  : [28]
7532  1834  02/02 15:01:50 2228950 cvldap() - CvLdap::simpleBind(3233): -Debug-: ldap bind error. [49]
7532  1834  02/02 15:01:50 2228950 EvEvent::setMsgEventArguments() - MsgId[0x4800001b], Arg[1] = [domain.com\domain]
7532  1834  02/02 15:01:50 2228950 EvEvent::setMsgEventArguments() - MsgId[0x4800001b], Arg[2] = [user]
7532  1834  02/02 15:01:50 2228950 EvEvent::setMsgEventArguments() - [MsgId[0x4800001b][]: [2] Args Pushed, [3] Args expected.

 

Userlevel 7
Badge +15

Hi Henke

Are the “domain.com” and “domain” entries valid, as in, do they appear correct for your environment? I don’t believe the formatting of the log message is the error, I think this is just stating the domain details in the log. I would like to focus on “ldap bind error [49]” instead, which is a Microsoft error code.

This is suggesting in some way there is an issue with the credentials being provided to bind and there are a few potential issues that might cause that error:

  • sending simple bind request when secure bind is required
  • different character sets between client/AD can occasionally cause issues if language specific characters are used
  • unlikely to be network as [49] suggests a response was received back from AD, but worth checking that all required ports are opened

Is it possible to test the LDAP connection and credentials using ldp.exe?

Thanks,

Stuart

Userlevel 4
Badge +13

Hello,

The formatting from the log file is what the account looks like in Commvault. We don’t use the “domain.com/domain/user” formatting in our organisation. We didn’t state that format when we configured the client, it’s my belief that it is added by the software at installation.

 

Anyways, we have another client to install later today, this time I’ll only use the “user” format for the AD agent configuration, and try to correct the current faulty one.

 

BR

Henke

Userlevel 4
Badge +11

Just out of curiosity, have you tried to deploy via the Command Center? And go through protecting AD that way?

 

Userlevel 4
Badge +13

@Matthew M. Magbee No I didn’t. I’m kind of the console guy since I’ve been using that for the last 7 years. I haven’t really tried the Command Center out, guess I’ll have to at some point.

 

Though I did do the AD installation on another client and for sure, “domain.com” is prefixed with the AD account. But testing with So I guess best is to leave the “domain” even though it’s stated with in dialog box.

 

Well that didn’t fly.

 

 

Maybe it’s only in our environment that it doesn’t work.

I’ll just make a note in documentation for and let it be.

Thanks for all input.

BR

Henke

Userlevel 4
Badge +11

Oh man - I am too. Love the console - but give it a shot - there is a TON more options and things to roll out there - and it’s fast.

What is the domain for test user?

Userlevel 7
Badge +23

@Henke, were you able to do the install via Command Center? If this is an environmental issue, I’d rather expect it would fail in the same manner.

Curious to see how it behaved.

Userlevel 4
Badge +13

@Mike Struening thanks for picking it up.
I didn’t use Command Center to get it installed, in fact, it’s not the installation that failed it’s the user domain that changes.

I solved it by doing the installation and afterwards changing the domain account to what it is supposed to do.

Unfortunately this is a bit cumbersome to do as in there are just a few ppl being able to use that domain admin account.

But it works for now.

BR

Userlevel 7
Badge +23

That’s definitely cumbersome, and flat out odd.

I’m going to get some devs to take a look, though we MAY need to get a case created assuming you have all the log files handy. 

Badge +1

Sorry for the confusion. Let me explain a little more here.

First, the correct one is Domainname\username. The domain name is the NetBIOS name, not the FQDN name. For example, if your AD domain name is test.abc.com, we need to use test\user1 to run the AD agent backup.

If you have an issue running a backup, please correct the username and try again.

In your screenshot, I saw there is a string “domain” between the domain name and the user name: “domainname\domain\testuser”.

Could you tell us

  • Where does the string “domain” come from? We are using the LDAP protocol to log in to the domain controller to run backup/restore. The format you are using is not correct. We need to know how this happened.
  • Please let us know how you installed the AD agent: from the CommCell Console or Command Center?
  • If you did the installation from the CommCell Console, what user name did you input? Could you provide the log with the job ID?
  • What is the service pack you are using? 

Thanks
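
As an added example (not part of any post in this thread and not Commvault code), the Python sketch below scans ADBackup.log text for `ldap bind error. [49]` (LDAP result code 49, invalidCredentials) and checks the account logged for the same job against the `domain\user` rule described above. The log lines are constructed from the excerpt posted earlier in the thread; the field layout, the second job and the function names are assumptions.

```python
import re

# Constructed sample modelled on the ADBackup.log excerpt in this thread.
# Job 2229001 is an invented second case with a well-formed account.
SAMPLE_LOG = r"""7532  1834  02/02 15:01:34 2228950 adBackupClass::getAdParameters() -     Job Id           : [2228950]
7532  1834  02/02 15:01:50 2228950 cvldap() - CvLdap::simpleBind(3233): -Debug-: ldap bind error. [49]
7532  1834  02/02 15:01:50 2228950 EvEvent::setMsgEventArguments() - MsgId[0x4800001b], Arg[1] = [domain.com\domain]
7532  1834  02/02 15:01:50 2228950 EvEvent::setMsgEventArguments() - MsgId[0x4800001b], Arg[2] = [user]
7600  1a10  02/03 09:12:02 2229001 cvldap() - CvLdap::simpleBind(3233): -Debug-: ldap bind error. [49]
7600  1a10  02/03 09:12:02 2229001 EvEvent::setMsgEventArguments() - MsgId[0x4800001b], Arg[1] = [domain]
7600  1a10  02/03 09:12:02 2229001 EvEvent::setMsgEventArguments() - MsgId[0x4800001b], Arg[2] = [user]
"""

# Assumed layout: pid, thread, MM/DD, HH:MM:SS, job id, message.
LINE = re.compile(r"^\s*\d+\s+\w+\s+(\d\d/\d\d)\s+(\d\d:\d\d:\d\d)\s+(\d+)\s+(.*)$")
BIND_ERR = re.compile(r"ldap bind error\. \[(\d+)\]")
ARG = re.compile(r"Arg\[(\d+)\] = \[(.*)\]")

def classify(domain):
    """Heuristic check of the logged domain part against domain\\user."""
    if "\\" in domain:
        return "doubled domain prefix"      # e.g. domain.com\domain
    if "." in domain:
        return "FQDN instead of NetBIOS name"
    return "format ok"                      # look at password, bind type, etc.

def find_bind_failures(text):
    """Return one finding per job whose LDAP bind failed."""
    jobs = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        date, time, job, msg = m.groups()
        err = BIND_ERR.search(msg)
        if err:
            jobs[job] = {"job": job, "when": f"{date} {time}",
                         "code": int(err.group(1)), "args": {}}
            continue
        arg = ARG.search(msg)
        if arg and job in jobs:             # event args logged after the failure
            jobs[job]["args"][int(arg.group(1))] = arg.group(2)
    findings = []
    for j in jobs.values():
        domain, user = j["args"].get(1, ""), j["args"].get(2, "")
        findings.append({"job": j["job"], "when": j["when"], "code": j["code"],
                         "account": f"{domain}\\{user}", "verdict": classify(domain)})
    return findings

if __name__ == "__main__":
    for f in find_bind_failures(SAMPLE_LOG):
        print(f)
```

A “format ok” verdict only rules out the account shape; the bind can still fail for the other reasons listed earlier in the thread.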

Userlevel 4
Badge +13

@qlu , I thought I made the process we used pretty clear in the thread above.

 

To explain it short, we add “domain\user” as the user credentials for AD backup when we install the AD iDataAgent.

When the installation is done successfully and I open the AD client in Commcell, for some reason the credential name changed to “domain.com\domain\user”.

I am definitely using the correct format, so it’s the installation process changing the credentials.

At the time we were on 11.20.17 I believe.

 

 

Badge +1

@Henke 

We removed this page (step) in the latest service pack when you install the AD agent. Users are not required to input a user name/password when they install the AD agent.

I want to confirm the AD agent is running well after you update the agent properties with correct format username.

 

In the latest service pack, you can install the AD agent, then input the user name/password in Command Center or CommCell Console. If you still have an issue updating to the correct format user name, we can check further.
