Hey all,

Got some questions around tightening up security in our Commvault setup, especially by reducing reliance on AD. A customer of ours wants to limit exposure, so looking for some practical advice if anyone’s tackled this before. Here’s what we’re thinking:

  1. Separating from AD-Connected vCenter: If we pull Commvault away from an AD-connected vCenter, any gotchas or issues we should watch out for? Trying to keep everything functional while reducing risk.

  2. Dropping AD for Authentication: They want Commvault running on local creds instead of AD. If anyone’s switched from AD to local auth, were there any surprises or smooth enough?

  3. Taking Media Agents Off AD: If we decide to remove the Media Agents from AD, what kind of trouble (if any) are we walking into?

  4. Making Backups Immutable: They’re keen on having backups that can’t be deleted or messed with until a set expiry. Any tips for setting up immutability in Commvault that actually works?

  5. Locking Down Admin Access: Finally, only a few specific accounts should have full access in Commvault. Any straightforward way to set this up so only the right folks have those permissions?

Appreciate any advice or real-world experiences—thanks in advance!

Hello @nicky 

Great questions! 

1. Separating from AD-Connected vCenter: We’ve been running some of our CommCell environments on Windows WorkGroup servers, separate from Active Directory, for the past couple of years, and it’s been working smoothly.
 

2. Switching from AD to Local Authentication: Transitioning to local authentication should be straightforward. You can use local CommServe users/passwords to access the console and perform backups/restores. Before moving the CommServe to a WorkGroup, make sure to take a DR backup to ensure you can restore if needed.
https://documentation.commvault.com/11.20/changing_commserve_computer_name.html
 

3. Taking Media Agents off AD: Removing Media Agents from Active Directory should be fine. Just note that if the communication between Media Agents and Clients relies on DNS, rather than direct IP, you may run into some connectivity issues.

4. Making Backups Immutable: Here’s an article that will help you configure immutability for backups: https://documentation.commvault.com/2024/essential/configuring_worm_storage_mode_on_disk_libraries.html

5. Locking Down Admin Access: Role-based access control (RBAC) is a great way to restrict admin access. You can find more on how to configure this here: https://docs.metallic.io/metallic/role_based_access_control.html
 

Hope this helps! Feel free to reach out if you need any more info.

Best Regards,
Mohamed Ramadan
Data Protection Specialist


Great questions & great answers.

I have a question about Configuring WORM Storage Mode on Disk Libraries: when you enable it, will it take up more of your disk storage? Are there any changes to the DDB?

Thanks

