Challenge
When using Veeam Backup & Replication with a VMware environment the following error may be seen when using the Guest Credentials Test or when processing a VM that is in a DMZ or Isolated environment.
Processing <vmname> Error: Cannot upload guest agent's files to the administrative share [C:\Windows]. Could not create guest directory [C:\Windows\VeeamVssSupport] Could not create guest [vm-xxx] directory [C:\Windows\VeeamVssSupport] Could not invoke guest operation Unable to access file C:\Windows\VeeamVssSupport
Cause
VIX is a network-less connection method that Veeam Backup & Replication can use to interact with the Guest OS of a VM being Backed up or Replicated. Because of the way VIX operates it can be blocked by Windows User Account Controls. Also because it's reliance on VMware Tools, if they are out of date it can also cause issue.
Solution
In VMware environments Veeam Backup & Replication is able to use two methods to connect to a guest, RPC and VIX. If RPC is testing successfully, it is generally acceptable for the VIX test to fail as it will not likely be used as RPC connectivity is more efficient.
If the VM being protected is in a DMZ or other network isolated configuration it may not be possible to get RPC working and require that connectivity via VIX be functional.
In order to use VIX for Guest Processing one of the following must be true:
- The account specified to connect to the Guest OS is the Built-in Local or Domain Administrator account
Note: This must be the original Built-in Administrator which has a SID that ends in -500, this user is unique and has the ability to bypass Windows User Account Controls. Even if the account was renamed, it will work.
or
- To use any account other than the Built-in Local or Domain Administrator, Windows User Account Control (UAC) must be disabled on VM that is being protected.
- For Server 2008 & 2008 R2, in the “Change User Account Control Settings”, move slider to Never Notify
- Starting with Server 2012 the “EnableLUA” DWORD in HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system must be set to a value of '0' (zero).
More Information
For more information regarding disabling UAC under 2012 and 2012 R2, please review the following: http://social.technet.microsoft.com/Forums/windowsserver/en-US/0aeac9d8-3591-4294-b13e-825705b27730/how-to-disable-uac?forum=winserversecurity
In a blog post regarding Windows 10 and UAC Microsoft has stated "Disabling UAC on Windows 10 puts you into an untested and unsupported configuration. It also blocks your ability to run many modern applications."