Problem
Backup Selection browse fails with error "Failure to browse server"
Or
Error Message
Backup Selection browse fails with error "Failure to browse 'server'. Failed to log on to Microsoft Windows."
Connection with server failed. Hit <F5> to retry when trying to edit/create a backup job on Windows 2008 server
Cause
[ A ] The password set for the Backup Exec System Logon Account (Network -> Logon Accounts) or the Backup Exec Service Account (BESA) does not match to the password set in Active Directory or for the local administrator user account section.
[ B ] If the BESA does not have the right to Logon as a batch job.
By default this policy is applied to Administrators and the Backup Operators group. This user right is defined in the default Domain Controller's Group Policy object (GPO) and in the Local Security Policy of workstations & servers and it allows a user to be logged on by means of a batch-queue facility.
For more information on this user right, refer to:
http://technet.microsoft.com/en-us/library/cc780182(WS.10).aspx
[ C ] If the BESA is included in Deny logon as a batch job policy.
'Deny logon as a batch job' determines which accounts are prevented from being able to log on as a batch job. This policy setting supercedes the Log on as a batch job policy setting if a user account is subject to both policies.
[ E ] This issue may occurs if the Remote Agent for Windows Server (RAWS) service is stopped. As the Job engine service is dependent on RAWS, the Job Engine service will also be stopped.
Solution
Note: Backup Exec Service account can be set to a user with local administrator rights.
- Act as part of the operating system [ a.k.a. TcbPrivilege ].
- Backup files and directories (provides rights to backup files and directories) [ a.k.a. BackupPrivilege ] .
- Create a token object (which can be used to access any local resources) [ a.k.a. TokenRightPrivilege].
- Log on as a batch job (allows a user to be logged on by means of a batch-queue facility) [ a.k.a. BatchLogonRight ].
- Log on as a service [ a.k.a. ServiceLogonRight ].
- Manage auditing and security log [ a.k.a. AuditPrivilege ].
- Restore files and directories (provides rights to restore files and directories [ a.k.a. RestorePrivilege ].
- Take ownership of files and other objects [ a.k.a TakeOwnershipPrivilege ].
Note: Due to security implementations in Microsoft Small Business Server, the service account must be "Administrator".
For Windows 2008 / 2008 R2 / 2012 / 2012 R2
1. Go to Start | Programs | Administrative Tools | Group Policy Management.
2. From the left pane, expand Domains | Domain_Name | Group Policy Objects.
3. Right click on Default Domain Controllers Policy and click on Edit.
Ensure that the group policy being edited is set to Enforced or else the changes would not apply.
4. From the left pane, expand Computer Configuration and go to Policies | Windows Settings | Security Settings | Local Policies | User Rights Assignments.
5. From the right pane, right-click Log on as a batch Job --> Properties.
6. Click Add user or Group.
7. For the Add user or Group window, click Browse
8. Type the desired user account to act as your Backup Exec System Account, then click Browse and then click Ok.
9. Back in the "Group Policy Management Editor" note that your Backup Exec System Account now has "Log on as a batch Job" privilege.
10. Repeat steps 1 through 9 for any additional policies.
[ C ] Make sure the BESA is NOT included in the 'Deny Logon as a Batch' or 'Deny Logon as a service' because the deny supersedes the allow and even adding the account under 'Logon as a Batch' or 'Logon as a service' would not resolve the issue.
Refresh the group policy
Click Start > Run and type gpupdate /target: computer /force (this will force update the Group Policy)
For Windows 2008 / 2008 R2 / 2012 / 2012 R2 :
1. Go to Start | Programs | Administrative Tools | Group Policy Management.
2. From the left pane, expand Domains | Domain_Name | Group Policy Objects.
3. Right click on Default Domain Controllers Policy and click on Edit.
Ensure that the group policy being edited is set to Enforced or else the changes would not apply.
4. From the left pane, expand Computer Configuration and go to Windows Settings | Security Settings | Local Policies | User Rights Assignments.
5. From the right pane, right-click Create a token object.
6. Click "Add user or Group".
7. For the "Add user or Group" window, click Browse.
8. Type the desired user account to act as your Backup Exec System Account, then click Browse and then click Ok.
9. Back in the "Group Policy Management Editor" note that your Backup Exec System Account now has "Create a token object" privilege.
6. Repeat steps 1 through 9 for any additional policies.
[ C ] Make sure the BESA is NOT included in the 'Deny Logon as a Batch' or 'Deny Logon as a service' because the deny supersedes the allow and even adding the account under 'Logon as a Batch' or 'Logon as a service' would not resolve the issue. (Figure 4)
Figure 4
Refresh the group policy
Click Start > Run and type gpupdate /target: computer /force ( this will force update the Group Policy)
For Windows 2003 / 2003 R2 :
1. On the domain controller, click Start | Programs | Administrative Tools | Active Directory Users and Computers.
2. From the left pane, expand the Domain name, and right-click Domain Controllers organizational unit, and then select Properties.
3. Select the Group Policy tab.
4. Select the Default Domain Controllers Policy and then click Edit (Figure 2).
Figure 2
5. From the left pane, expand Computer Configuration and go to Policies | Windows Settings | Security Settings | Local Policies | User Rights Assignments.
[ D ] Make sure BESA has all the required permissions
1. Check the permissions for the Backup Exec System Account ( BESA ) which shows under Network - Logon Accounts. Make sure it is a member of the local administrator group (built in admins) if applicable, and/or domain admins. Remove this account from any groups that do not have full administrative rights.
2. If performing the above steps do not resolve the issue, create a new user account in active directory and add it to the following groups only if a domain admin can be used else in case of a non DC a local user account part of the Local administrators group can also be used.
- Domain Admins (Primary Group)
- Local Admins or Administrators
- Remove Domain Users from the list.
Then use this new account for Backup Exec services, add it under Network - Logon Accounts and make that as a default account.
Note: This applies to Windows Server 2008/R2 (Domain controller and member servers) as well.
[ E ] Make sure all Backup Exec services are started.
Was this content helpful?
Translated Content
Please note that this document is a translation from English, and may have been machine-translated. It is possible that updates have been made to the original version after this document was translated and published. Veritas does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledge base article for up-to-date information.