Please enter search query.
Search <product_name> all support & community content...
NetBackup for VMware backup with Application Protection enabled for Exchange Server fails with Status Codes 156, 130, and 13 when backing up database passive copies
Article: 100015742
Last Published: 2015-06-23
Ratings: 0 0
Product(s): NetBackup & Alta Data Protection
Problem
As per the instructions within 'Veritas NetBackup™ for Microsoft Exchange Server Administrator’s Guide', an Exchange DAG node has been configured for passive database VMware Application State Capture backups but although the node has the passive copy of mailbox databases mounted Application State Capture (ASC) backup job fails with status 156 and then 130 and finally 13. The backup of nodes with Active DBs are completing successfully.Error Message
05/13/2015 10:41:44 - Info ascc (pid=26526) Exchange: snapshot preparation successful, with the following information: Option is set to backup Exchange passive databases during a VMware snapshot.05/13/2015 10:41:48 - Critical ascc (pid=26526) Exchange: vfm_freeze_commit: method: VSS_Writer, type: FIM, function: VSS_Writer_freeze_commit
05/13/2015 10:41:51 - Critical ascc (pid=26526) Exchange: snapshot processing failed, status 156
05/13/2015 10:41:53 - Critical ascc (pid=26526) Exchange: snapshot creation failed - Error attempting to gather metadata., status 130
05/13/2015 10:41:54 - Warning ascc (pid=26526) Exchange: Microsoft Information Store:\* is not frozen
Operation Status: 13
05/13/2015 10:41:55 - end Parent Job; elapsed time 0:03:22
Operation Status: 13
file read failed (13)
Cause
Lack of required permissions and privileges for NetBackup service account for Exchange backups and restores.Solution
- Log in to the VM corresponding to the Exchange DAG node that has the passive database copies mounted and needs to be backed up in the VMware policy.- Open the registry and go to to \\HKLM\SOFTWARE\Veritas\NetBackup\CurrentVersion\Agents\
- Make sure the REG_SZ Key VM_Exchange_Backup_Passive_DBs is present and has the value of 'Yes'
If not, as per the instructions mentioned within 000014730 (https://support.Veritas.com/en_US/article.000014730.html) or the 'Enabling protection of passive copies of the Exchange database with VMware backups' within 'Veritas NetBackup™ for Microsoft Exchange Server Administrator’s Guide' create the key and close the registry
- For DAG 2010 open the Exchange DAG Management Console and from the left go to Microsoft Exchange > Server Configuration > Mailbox
- Select your Exchange DAG node from the right
- From the Database Copies Tab at the bottom make sure there is at least one Passive DB mounted to the node
If there are no passive DBs mounted to the node the ASC backup job will fail with below error:
6/12/2015 3:39:07 AM - Info ascc(pid=1812) Exchange: snapshot preparation successful, with the following information: Found the Veritas VSS Provider installed on this VM.
6/12/2015 3:39:08 AM - Info ascc(pid=1812) Exchange: snapshot preparation successful, with the following information: Option is set to backup Exchange passive databases during a VMware snapshot.
6/12/2015 3:39:08 AM - Critical ascc(pid=1812) Exchange: snapshot creation failed - No mounted or active Exchange databases were found during the enumeration., status 2
Status 13
6/12/2015 3:39:09 AM - end Application State Capture, Application State Capture; elapsed time: 0:01:29
Status 13
6/12/2015 3:39:09 AM - end Parent Job; elapsed time: 0:01:29
file read failed(13)
This error is normal because as it has mentioned in the details status there are no databases mounted on the target Exchange node.
- Verify the NetBackup service account privileges on all the Exchange DAG nodes
As per the 'Creating a privileged NetBackup user account for EWS access (Exchange 2010)' section within 'Veritas NetBackup™ for Microsoft Exchange Server Administrator’s Guide'
To create a privileged NetBackup user account for EWS access (Exchange 2010)
1 In the Exchange Management Console, create a new Exchange mailbox for NetBackup.
This process creates a new user that is automatically a domain user.
2 Double-click on the user account you created.
3 Select the Member Of tab.
4 Click Add and add this user to the Organization Management group.
If permissions issues persist, try adding this user to the Domain Admins group. If the NetBackup Client Service logs on with this account, this account also needs to be a member of the Administrators group.
5 Provide the credentials for this account in the Exchange client host properties.
See “About the Exchange credentials in the client host properties” on page 38.
Veritas recommends that you configure the Exchange credentials in the Exchange client host properties. However, existing NetBackup customers can continue to configure the logon account for the NetBackup Client Service.
6 Configure this account with the right to “Replace a process level token.” See “About configuring the account for NetBackup Exchange operations with
the right to Replace a process level token” on page 48.
If you configure the NetBackup Client Service with a logon account and configure the Exchange credentials in the Exchange client host properties, you
must configure the “Replace a process level token” for both users.
Below describes the requirements for GRT backup and restores
and then from page 48:
About configuring the account for NetBackup Exchange operations with the right to Replace a process level token
On each Exchange mailbox server you must assign the account for NetBackup Exchange operations the right to “Replace a process level token”. This right is necessary to pass the impersonation token to the NetBackup process that performs Active Directory and PowerShell commands.
Note: If you configure only the NetBackup Client Service and the NetBackup Legacy Network Service to run as the account for NetBackup Exchange operations, and you do not configure the account in the Exchange client host properties, you do not need configure the account with the right to “Replace a process level token”.
If you configure the NetBackup Client Service with a logon account and configure the Exchange credentials in the Exchange client host properties, you must configure the “Replace a process level token” for both users.
Configuring the account for NetBackup Exchange operations with the right to Replace a process level token (Local Security Policy)
This procedure describes how to configure the Local Security Policy so that the account for NetBackup Exchange operations has the right to Replace a process
level token.
To configure the account for NetBackup Exchange operations with the right to Replace a process level token (Local Security Policy)
1 Open the Local Security Policy.
2 Click Local Policies.
3 In the User Rights Assignment, add the account for NetBackup Exchange operations to the Replace a process level token property.
4 Run the group policy update command (group policy update) for this change to take effect:
gpupdate /Force
The above should suffice for non-GRT, for GRT backup and restores
Creating a minimal NetBackup account for Exchange operations (Exchange 2010 and later) - Page 44
This procedure describes how to create a minimal account for NetBackup Exchange operations for Exchange 2010 and later. This account is used for the Exchange credentials in the Exchange client host properties, enabling NetBackup to perform operations with Granular Recovery Technology (GRT).
Note the following:
For an Exchange DAG, perform the steps on each database node in the DAG and the CAS server.
To create a minimal NetBackup account for Exchange 2010 and later operations
1 In the Exchange Management Console, create a new Exchange mailbox for NetBackup.
This process creates a new user that is automatically a domain user. This procedure refers to that user as NetBackupUser.
2 Double-click on the user account you created.
3 Select the Member Of tab.
4 Click Add and add this user to the Administrators group.
5 Create a new Role Group, make the account a member of this group, and assign roles. Use the Exchange Management Shell to run the following commands:
Note: If the account does not have the necessary privileges, an administrator needs to perform these tasks.
# New-RoleGroup -Name NetBackupRoles -Roles @("Database Copies", "Databases", "Exchange Servers", "Monitoring", "Mail Recipient Creation", "Mail Recipients","Recipient Policies"
# Add-RoleGroupMember -Identity NetBackupRoles -Member NetBackupUser
Where NetBackupUser is the name of the Active Directory account you created in 1.
6 (Exchange 2010) To perform restores with Granular Recovery Technology (GRT), also run the following commands with the Exchange Management shell:
# New-ManagementRole -Name VeritasEWSImpersonationRole -Parent ApplicationImpersonation
# New-ManagementRoleAssignment -Role VeritasEWSImpersonationRole -User NetBackupUser -Name "NetBackupUser-EWSImpersonation"
# New-ThrottlingPolicy -Name "VeritasEWSRestoreThrottlingPolicy" –EWSPercentTimeInCAS $null -EWSPercentTimeInAD $null -EWSMaxConcurrency $null –EWSPercentTimeInMailboxRPC $null -PowerShellMaxConcurrency $null
# Set-Mailbox -Identity NetBackupUser -ThrottlingPolicy "VeritasEWSRestoreThrottlingPolicy"
7 Provide the credentials for this account in the Exchange client host properties.
See “About the Exchange credentials in the client host properties”.
8 Configure this account with the right to “Replace a process level token.”
See “About configuring the account for NetBackup Exchange operations with the right to Replace a process level token”.
1 In the Exchange Management Console, create a new Exchange mailbox for NetBackup.
This process creates a new user that is automatically a domain user.
2 Double-click on the user account you created.
3 Select the Member Of tab.
4 Click Add and add this user to the Organization Management group.
If permissions issues persist, try adding this user to the Domain Admins group. If the NetBackup Client Service logs on with this account, this account also needs to be a member of the Administrators group.
5 Provide the credentials for this account in the Exchange client host properties.
See “About the Exchange credentials in the client host properties” on page 38.
Veritas recommends that you configure the Exchange credentials in the Exchange client host properties. However, existing NetBackup customers can continue to configure the logon account for the NetBackup Client Service.
6 Configure this account with the right to “Replace a process level token.” See “About configuring the account for NetBackup Exchange operations with
the right to Replace a process level token” on page 48.
If you configure the NetBackup Client Service with a logon account and configure the Exchange credentials in the Exchange client host properties, you
must configure the “Replace a process level token” for both users.
Below describes the requirements for GRT backup and restores
and then from page 48:
About configuring the account for NetBackup Exchange operations with the right to Replace a process level token
On each Exchange mailbox server you must assign the account for NetBackup Exchange operations the right to “Replace a process level token”. This right is necessary to pass the impersonation token to the NetBackup process that performs Active Directory and PowerShell commands.
Note: If you configure only the NetBackup Client Service and the NetBackup Legacy Network Service to run as the account for NetBackup Exchange operations, and you do not configure the account in the Exchange client host properties, you do not need configure the account with the right to “Replace a process level token”.
If you configure the NetBackup Client Service with a logon account and configure the Exchange credentials in the Exchange client host properties, you must configure the “Replace a process level token” for both users.
Configuring the account for NetBackup Exchange operations with the right to Replace a process level token (Local Security Policy)
This procedure describes how to configure the Local Security Policy so that the account for NetBackup Exchange operations has the right to Replace a process
level token.
To configure the account for NetBackup Exchange operations with the right to Replace a process level token (Local Security Policy)
1 Open the Local Security Policy.
2 Click Local Policies.
3 In the User Rights Assignment, add the account for NetBackup Exchange operations to the Replace a process level token property.
4 Run the group policy update command (group policy update) for this change to take effect:
gpupdate /Force
The above should suffice for non-GRT, for GRT backup and restores
Creating a minimal NetBackup account for Exchange operations (Exchange 2010 and later) - Page 44
This procedure describes how to create a minimal account for NetBackup Exchange operations for Exchange 2010 and later. This account is used for the Exchange credentials in the Exchange client host properties, enabling NetBackup to perform operations with Granular Recovery Technology (GRT).
Note the following:
For an Exchange DAG, perform the steps on each database node in the DAG and the CAS server.
To create a minimal NetBackup account for Exchange 2010 and later operations
1 In the Exchange Management Console, create a new Exchange mailbox for NetBackup.
This process creates a new user that is automatically a domain user. This procedure refers to that user as NetBackupUser.
2 Double-click on the user account you created.
3 Select the Member Of tab.
4 Click Add and add this user to the Administrators group.
5 Create a new Role Group, make the account a member of this group, and assign roles. Use the Exchange Management Shell to run the following commands:
Note: If the account does not have the necessary privileges, an administrator needs to perform these tasks.
# New-RoleGroup -Name NetBackupRoles -Roles @("Database Copies", "Databases", "Exchange Servers", "Monitoring", "Mail Recipient Creation", "Mail Recipients","Recipient Policies"
# Add-RoleGroupMember -Identity NetBackupRoles -Member NetBackupUser
Where NetBackupUser is the name of the Active Directory account you created in 1.
6 (Exchange 2010) To perform restores with Granular Recovery Technology (GRT), also run the following commands with the Exchange Management shell:
# New-ManagementRole -Name VeritasEWSImpersonationRole -Parent ApplicationImpersonation
# New-ManagementRoleAssignment -Role VeritasEWSImpersonationRole -User NetBackupUser -Name "NetBackupUser-EWSImpersonation"
# New-ThrottlingPolicy -Name "VeritasEWSRestoreThrottlingPolicy" –EWSPercentTimeInCAS $null -EWSPercentTimeInAD $null -EWSMaxConcurrency $null –EWSPercentTimeInMailboxRPC $null -PowerShellMaxConcurrency $null
# Set-Mailbox -Identity NetBackupUser -ThrottlingPolicy "VeritasEWSRestoreThrottlingPolicy"
7 Provide the credentials for this account in the Exchange client host properties.
See “About the Exchange credentials in the client host properties”.
8 Configure this account with the right to “Replace a process level token.”
See “About configuring the account for NetBackup Exchange operations with the right to Replace a process level token”.
Was this content helpful?
Translated Content
Please note that this document is a translation from English, and may have been machine-translated. It is possible that updates have been made to the original version after this document was translated and published. Veritas does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledge base article for up-to-date information.