I’ve just installed a client with AD iData agent, pushing it from commcell. Unfortunately the AD backup fails due to no access / wrong user.
I added the AD user as normaly done, “domain\user”, in commcell. But looking at the account used for AD backup on the client it looks like “domain\domain\user”. So it seems that commvault adds the domain to that user account.
I’ve read the documentation but I can’t find anything on that. Can someone point me to documentation stating that behaviour.
We remove this page(step) in latest service pack when you install ad agent. User are not required to input user name/password when they install the Ad agent.
I want to confirm the AD agent is running well after you update the agent properties with correct format username.
In latest service pack, you can install the AD agent, then input the user name/password in command center or commcell console. If you still have issue to update correct format user name, we can check future.
“. But looking at the account used for AD backup on the client it looks like “domain\domain\user”. “
I did notice the same last week, but it’s working fine over here. I used “domain\user”, and commvault made domain.full\domain\user from it.
Ohhh,
As a test, I tried using “domain.full\domain\user” to logon a server and that failed where as “domain.full\user” was successfull. That wasn’t the actual domain admin user though.
But still it’s inconsequent from Commvault to do this behaviour.
To perform Active Directory agent installation, administrator privileges are required. The administrator must be a member of the Domain Administrator Group.
Backup and restore operations require the following permissions:
The backup administrator must be a part of the domain user. By default, the Normal domain user has Read permissions in the Active Directory domain. You can still use an account that is not in the domain to perform backups. Make sure that the account has Read, Change and Create Child Objects permissions in the Active Directory domain. However, DNS Zones are not backed up using that account.
Administrator performing restore operations must at the minimum have Read, Change and Create Child Objects permissions. By default, , the user in Domain Admins group, or Enterprise Admins group, or the Administrators group have all the required permissions.
The credentials should be provided in the format “domain\user”, so if you are continuing to see errors or unexpected double domain added, please let me know.
I would also like to highlight the need to run adLdapTool.exe to enable restores of passwords for users and computers:
I am aware of the requirements for the AD user, and we do use one with enough privalige. The installation was successfull, it’s the AD backup that is failing.
What I don’t understand is where the “’domain’.com” name comes from.
When we did the installation we used “domain/user” as you wrote.
Thanks for the update on adLdapTool, though we never used it.
It may not possible to post in here given the subject matter, but if you would check the ADBackup.log on the client that may help narrow down where the additional domain.com is originating from.
This is from the ADBackup.log, I changed the name from its original to “domain” and user to “user” but apart from that this is what it looks like this.
So some where in the configuration phase of the client it added the domain.
Are the “domain.com” and “domain” entries valid, as in, do they appear correct for your environment? I don’t believe the formatting of the log message is the error, I think this is just stating the domain details in the log. I would like to focus on “ldap bind error [49]”, instead which is a Microsoft error code.
This is suggesting in someway there is an issue with the credentials being provided to bind and there are a few potential issues that might case that error:
sending simple bind request when secure bind is required
different character sets between client/AD can occasionally cause issues if language specific characters are used
unlikely to be network as [49] suggests a response was received back from AD, but worth checking that all required ports are opened
Is it possible to test the LDAP connection and credentials using ldp.exe?
The formatting from the log file is what the account looks like in Commvault. We don’t use the “domain.com/domain/user” formatting in our organisation. We didn’t state that format when we configured the client, it’s my belief that it is added by the software at installation.
Anyways, we have another client to install later today, this time i’ll only use the “user” format for the AD agent configuration, And try to correct the current faulty one.
@Matthew M. Magbee No I didn’t. I’m kind of the console guy since I’ve been using that for the last 7 years. I havent really tried the Command Center out, guess I’ll have to at some point.
Though I did do the AD installtion on another client and for sure, “domain.com” is prefixed with the AD account. But testing with So I guess best is to leave the “domain” even though it’s stated with in dialog box.
Well that didn’t fly.
Maybe it’s only in our environment that it doesen’t work.
I’ll just make a note in documentation for and let it be.
@Matthew M. MagbeeNo I didn’t. I’m kind of the console guy since I’ve been using that for the last 7 years. I havent really tried the Command Center out, guess I’ll have to at some point.
Though I did do the AD installtion on another client and for sure, “domain.com” is prefixed with the AD account. But testing with So I guess best is to leave the “domain” even though it’s stated with in dialog box.
Well that didn’t fly.
Maybe it’s only in our environment that it doesen’t work.
I’ll just make a note in documentation for and let it be.
Thanks for all input.
BR
Henke
Oh man- I am too . love the console-- but give it a shot- there is a TON more options and things to rollout there- And its fast.
@Mike Struening thanks for picking it up. I didn’t use Command Center to get it installed, in fact, it’s not the installation that failed it’s the user domain that changes.
I solved it by doing the installation and afterwards change the domain account to what it is supposed to do.
Unfortunately this is a bit combersume to do as in there are just a few ppl being able to use that domain admin account.
Sorry for the confuse. Let me explain little more here.
First the correct one is Domainname\username, the domain name is the Netbios name, not the FQDN name, For example, your AD domain name is test.abc.com, We need to use test\user1 to run AD agent backup.
If you have issue to run a backup, please correct the username and try again.
In you screenshot, I saw there is a string “domain” between domain-name and user name “doaminname\domain\testuser”.
Could you tell us
Where is the string “domain” come from? We are using LDAP protocol to login Domain controller to run backup/restore. The format you are using is not correct. We need to know how this happend.
Please let us know, How you installed the ad agent? from commcell console or command center?
If you are do the installation from commcell console, what user name you are input ? Could you provide the log with the job ID?
We remove this page(step) in latest service pack when you install ad agent. User are not required to input user name/password when they install the Ad agent.
I want to confirm the AD agent is running well after you update the agent properties with correct format username.
In latest service pack, you can install the AD agent, then input the user name/password in command center or commcell console. If you still have issue to update correct format user name, we can check future.
We use 3 different kinds of cookies. You can choose which cookies you want to accept. We need basic cookies to make this site work, therefore these are the minimum you can select. Learn more about our cookies.