Unable to restore backup in domain environment

Discussion in 'Acronis True Image Product Line' started by uviuar, Feb 10, 2009.

Thread Status:
Not open for further replies.
  1. uviuar

    uviuar Registered Member

    Joined:
    Jul 17, 2008
    Posts:
    7
    Using latest version of Acronis True Image Workstation:

    When trying to use the bootdisc recovery environment, I can see the share name on the network, however whenever I try to open the share I get prompted to supply a username and password. I enter in the appropriate credentials and get prompted again. When I view event viewer on the host machine I see failed logon attempts as follows:

    user: NT AUTHORITY\SYSTEM
    event id 529
    Reason: Unknown user name or bad password
    User Name: administrator
    Domain: ecs1
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication package: NTLM
    Workstation name: \\192.168.2.170

    The username and passwords being entered are correct. It appears as though somehow True Image is simply parsing them incorrectly or something. I have tried using domain\username, workstation\username, and just username to log in. Each login attempt fails in the same manner.

    Being in a domain, I even tried having TI log in to various workstations using domain admin credentials, domain user credentials, and local workstation credentials. Every time, each host records the same failed login attempts in Event Viewer, claiming a bad username or password was supplied.
     
    Last edited: Feb 10, 2009
  2. uviuar

    uviuar Registered Member

    Joined:
    Jul 17, 2008
    Posts:
    7
    Update: I have disjoined a workstation from the domain to see if the Acronis recovery environment could connect to it via workstation name, and it could. The issue appears to be related to some group policy settings on the domain controller forbidding the recovery environment from properly authenticating. Furthermore, I noticed in the security log on the disjoined workstation that the Guest account makes the initial connection attempt before any user credentials are allowed. I suspect this is the start of the problem.
     
  3. the_poet

    the_poet Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    10
    It is a local security policy issue.
    Go to your workstation under local security policy and search for "Network access: Sharing and security model for local accounts", change the model from "Guest" to "Classic" and try again.
    If you want to deploy this policy to the entire domain, you have to set a GPO on one domain controller.
     
  4. uviuar

    uviuar Registered Member

    Joined:
    Jul 17, 2008
    Posts:
    7
    No dice. The setting was already set to classic. For kicks I switched it to guest anyway, and then switched back to classic. Both attempts failed, however, and Event Viewer continues to record "bad username or password" as the faulting issue, which is not possible.

    For the record, the machine and login names are as follows

    Machine name: BACKUPSERV
    Domain: ECS1
    Domain login: INSTALL
    Local login: administrator


    So I have tried connecting to the machine using the following logins:

    ECS1\INSTALL
    BACKUPSERV\administrator
    INSTALL
    administrator

    And of course the password follows in the next field. And yes, I know my own password as I use it 500x per day, even the local admin password.
     
  5. uviuar

    uviuar Registered Member

    Joined:
    Jul 17, 2008
    Posts:
    7
    Conclusion: OK, I finally have my backup server accessible through the recovery environment. Unfortunately I cannot give a specific solution to the problem. It was indeed policy related. I simply removed the server from the existing group policy it belonged to and stuck it in a new one with default settings by itself, and it works now. So somewhere buried in Active Directory is a value which Acronis just doesn't like, and it turns up as a failed security audit in the server's security log.
     
  6. Acronis Support

    Acronis Support Acronis Support Staff

    Joined:
    Apr 28, 2004
    Posts:
    25,885
    Hello all,

    Thank you for using Acronis Corporate Products.

    The user name should be specified in the form of SERVER\USER or DOMAIN\USER.

    If you are trying to access a server in a domain that is controlled by Windows Server 2003 and still cannot log in to a server, please try the following:

    1. Open Active Directory Users and Computers on the domain controller (Windows Server 2003).

    2. In the console tree, right-click Domain Controllers, click Properties, and then click the Group Policy tab.

    3. Click Default Domain Controllers Policy, and then click Edit.

    4. Open the Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security Options folder.

    5. Locate the Microsoft network server: Digitally sign communications (always) policy setting, and then click Disabled or Do Not Configure. Please also check that the Microsoft network server: Digitally sign communications (if the client agrees) policy setting is Enabled.

    Also, the problem may be caused by the Integrated Windows Authentication (IWA) level set on the machine where the backup archive resides.

    You can change the IWA level on the network machine where the backup archive is. Acronis Bootable Rescue Media created by means of Acronis True Image Build 3633 and lower supports IWA levels 0, 1 and 2.

    The configuration of this IWA level can be found in the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\LMCompatibilityLevel

    The registry key values are:

    0 - Send LM & NTLM responses
    1 - Send LM & NTLM: use NTLMv2 session security if negotiated
    2 - Send NTLM response only
    3 - Send NTLMv2 response only
    4 - Send NTLMv2 response only\refuse LM
    5 - Send NTLMv2 response only\refuse LM & NTLM

    This setting can also be configured in the Local Security Policy of Windows:

    Windows 2000

    Start -> Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> Security Options -> Network Security: LAN Manager Authentication Level

    Windows XP

    Start -> Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> Security Options -> Network Security: LAN Manager Authentication Level

    The released versions of Acronis True Image newer than Build 3633 support all levels of IWA (0-5).

    Thank you.

    --

    Oleg Lee
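
Added example, not part of the original post and not Acronis code: a read-only PowerShell check that reports the settings named in this thread on the machine hosting the backup share (or on the domain controller). The value names ForceGuest, RequireSecuritySignature and EnableSecuritySignature are the standard registry backing for the quoted policies and do not appear in the thread; the 0-2 threshold is the one the support post gives for rescue media from Build 3633 and lower.

```powershell
# Added example: read-only audit, run from an elevated prompt. It changes nothing.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the value is absent (the OS default then applies).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function New-Finding([string]$Setting, $Value, [string]$Note) {
    if ($null -eq $Value) { $Value = 'not set' }
    New-Object PSObject -Property @{ Setting = $Setting; Value = $Value; Note = $Note } |
        Select-Object Setting, Value, Note
}

$lm      = Get-RegValue $lsa 'LmCompatibilityLevel'
$guest   = Get-RegValue $lsa 'ForceGuest'
$require = Get-RegValue $srv 'RequireSecuritySignature'
$enable  = Get-RegValue $srv 'EnableSecuritySignature'

# Threshold taken from the support post: Build 3633 and lower supports levels 0-2.
if ($null -eq $lm) {
    $lmNote = 'absent: OS default applies'
} elseif ($lm -gt 2) {
    $lmNote = 'above 2: outside what Build 3633 and lower supports'
} else {
    $lmNote = 'within 0-2'
}

# ForceGuest: 1 = "Guest only" sharing model, 0 = "Classic".
if ($guest -eq 1) { $guestNote = 'Guest only: credentials are ignored' }
else              { $guestNote = 'Classic, or absent' }

# Step 5 of the support post: "(always)" off, "(if client agrees)" on.
if ($require -eq 1) { $reqNote = 'signing required (always)' }
else                { $reqNote = 'signing not required' }
if ($enable -eq 1)  { $enNote = 'signing offered (if client agrees)' }
else                { $enNote = 'signing not offered' }

@(
    New-Finding 'LmCompatibilityLevel'     $lm      $lmNote
    New-Finding 'ForceGuest'               $guest   $guestNote
    New-Finding 'RequireSecuritySignature' $require $reqNote
    New-Finding 'EnableSecuritySignature'  $enable  $enNote
) | Format-Table -AutoSize -Wrap
```

Comparing this output between a machine that accepts the rescue media and one that rejects it narrows down which applied policy value differs; Resultant Set of Policy (rsop.msc) on the same machine shows which GPO supplies each security option.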
     
  7. bruceau

    bruceau Registered Member

    Joined:
    Jun 15, 2007
    Posts:
    1
    Hello Acronis support

    I have a similar problem. We are running a disaster recovery drill, which means the production servers are temporarily shut down and will be turned on again after the drill. Your suggested solutions may affect the production servers logging in to the domain.

    Any other better solutions?

    Thanks.
     
  8. Acronis Support

    Acronis Support Acronis Support Staff

    Joined:
    Apr 28, 2004
    Posts:
    25,885
    Hello bruceau,

    Thank you for your interest in Acronis True Image.
    Check the following Microsoft KB article regarding this issue. Use the following link

    Best regards,
    --
    Dmitry Nikolaev
     