Required Permissions to perform GRT Backup & Restore for Exchange 2010

Article: 100027103
Last Published: 2015-09-27
Ratings: 1 1
Product(s): NetBackup & Alta Data Protection

Problem

Required Permissions to perform GRT Backup & Restore for Exchange 2010

Solution

Step 1: Permissions and Roles required to perform Backup / Restore of Exchange 2010.

Make sure that the NetBackup Service Account used for Backup and Restore of Exchange 2010 has below permissions :
 
Should be a member of Built in Administrators Group in Active Directory.
Should be a member of Domain Admins in Active Directory.
Should be a member of Backup Operators in Active Directory.
Should be a member of Organization Management in RBAC (Role Based Access Control).
Should be a member of EWS Impersonation Role in Exchange (For more details refer to Step 2).

Make sure that the NetBackup account used for Backup and Restore of Exchange 2010 has a unique and active mailbox associated with it.

   a) Make sure that the NetBackup account used for Backup and Restore of Exchange 2010 has a unique and active mailbox associated with it.

   b) Make sure that EWS(Exchange Web Service) is functioning properly.

Note :
If the Exchange Server is in DAG make sure that the NetBackup Client is installed on all the nodes in DAG, Including Mailbox servers and CAS servers.
 
Step 2: How to check if an account has the proper Role assignment.

Run the following command from Exchange PowerShell to check whether the role exist or not :
 
Get-ManagementRoleAssignment -Role "EWSImpersonationRole"

Note :
This should return information on this role including the "RoleAssineeName" which should list Netbackup Service Account (See Figure 1). If the role does not exist or has not been set for the NetBackup Account, refer to below instruction.

Command to create a new role called EWSImpersonationRole:

New-ManagementRole -Name EWSImpersonationRole -Parent ApplicationImpersonation
 
Command to assign a user to EWSImpersonationRoleAssignment:

New-ManagementRoleAssignment -Role EWSImpersonationRole -User <Netbackup Username> EWSImpersonationRoleAssignment

Note:
The new VeritasEWSImpersonationRoleAssignment has been associated with the respective user. After configuring this Role, the restore job should now complete successfully.
 
Step 3: Confirm that EWS is functioning properly:

Logon to the Exchange 2010 server that holds the Client Access (CAS) role, and run the following command from the Exchange PowerShell to test the EWS connectivity.

Command to test the EWS connectivity :

test-webservicesconnectivity -MailboxCredential $(get-credential) -TrustAnySSLCertificate  | FL

Note:
A PowerShell Credentials window will appear if the command is entered properly. Please enter the credentials for the Netbackup service account. Review the output for any failures. Microsoft will need to be contacted to help resolve issues with EWS.
 
Step 4: NFS Client & PortMapper
 
a) Make sure that NFS client is installed on all Mailbox / CAS and NetBackup Media Servers .

b) Make sure that NFS Server service should be in disabled state.

c) Make sure that PortMapper driver is installed on the Media Server.

Was this content helpful?