Possible Impacts of Removing the Machine Where Veeam Is Installed From a Domain
Purpose
Solution
Impact 1: DNS Resolution Failures
After removing the machine where Veeam is installed from the domain, the software may not be able to resolve the hostnames of other machines still in the domain. A variation of this issue is that the machine can resolve FQDNs but not short hostnames.
To correct this, determine which hostnames/FQDNs cannot be resolved, test that the native OS cannot resolve them, and then take the appropriate actions to correct DNS issues.
Note: In some cases, customers have reported having to add DNS suffixes manually to the NIC on the machine where Veeam Backup & Replication is installed.
Impact 2: Veeam Services Configured to Use Domain Account Fail to Start
After the machine is removed from the domain, any services associated with Veeam that were configured to 'Log on as' a domain account will fail to start.
The default configuration of Veeam Backup & Replication uses a self-deployed database engine, and the services are set to use the "Local System Account."
When customers have elected to host the Configuration Database remotely, and the services are set to use a domain account, that domain account will fail as the local machine can no longer validate the domain account. In such a situation, the services should be changed to "Local System Account," and the Database Configuration tool should be used to reconfigure Veeam Backup & Replication to connect to the remote database location using native authentication*.
*This would require that you have configured native authentication within the remote database engine software.
Impact 3: Connections May Fail Due to Incorrectly Formatted Saved Credentials
After the machine is removed from the domain, any credentials stored within the Credentials Manager in "dot format" (.\user) may fail.
Review all entries within the Credentials Manager; any credentials listed with a dot format (.\user) that will be used to connect to other Windows machines should be reformatted as either <domain>\<user> or <hostname>\<user>.
Note: UPN format (<user>@<domain>) is required when adding some types of Deduplication Appliances, but UPN format will cause disruptions with others (CIFS Repositories and Protection Groups). Carefully review how each credential is used before changing its format between UPN and down-level logon name.
Tip: Review the Credentials Manager and remove duplicate or unused entries: KB3224: How to Clean Up the Credentials Manager in Veeam Backup & Replication
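A pre-removal check covering Impact 2 and Impact 3, as an added example that is not Veeam's own tooling: it classifies service 'Log on as' accounts and saved credential names by format and reports the impact this article describes for each. The function name Test-PreRemovalAccount, the sample account names, and the computer name VBR01 are hypothetical.

```powershell
# Added example: classify 'Log on as' accounts and saved credential names
# by format, and report what the article says happens after domain removal.
function Test-PreRemovalAccount {
    param(
        [Parameter(Mandatory)][ValidateSet('Service', 'Credential')][string]$Source,
        [Parameter(Mandatory)][string]$Account,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Determine the name format. -like uses wildcards, so '\' is literal here.
    $format = 'Unqualified'
    if ($Account -eq 'LocalSystem' -or $Account -like 'NT AUTHORITY\*' -or $Account -like 'NT SERVICE\*') {
        $format = 'BuiltIn'
    } elseif ($Account -like '.\*') {
        $format = 'DotFormat'
    } elseif ($Account -match '^[^\\@]+@[^\\@]+$') {
        $format = 'UPN'
    } elseif ($Account -match '^(?<prefix>[^\\]+)\\[^\\]+$') {
        # A prefix equal to this machine's name is a local account.
        $format = if ($Matches.prefix -eq $ComputerName) { 'LocalQualified' } else { 'DownLevel' }
    }
    # Map source + format to the impact described in the article.
    $finding = 'No change expected'
    if ($Source -eq 'Service' -and $format -in @('UPN', 'DownLevel')) {
        $finding = 'Impact 2: service will fail to start; switch to Local System Account'
    } elseif ($Source -eq 'Credential' -and $format -eq 'DotFormat') {
        $finding = 'Impact 3: may fail; reformat as <domain>\<user> or <hostname>\<user>'
    } elseif ($Source -eq 'Credential' -and $format -eq 'UPN') {
        $finding = 'Review how the credential is used before changing its format'
    } elseif ($format -eq 'Unqualified') {
        $finding = 'No domain or host prefix; review manually'
    }
    [pscustomobject]@{ Source = $Source; Account = $Account; Format = $format; Finding = $finding }
}

# Constructed sample input (hypothetical names). On a live server the Service
# rows could come from: Get-CimInstance Win32_Service | Select-Object Name, StartName
$samples = @(
    @{ Source = 'Service';    Account = 'LocalSystem' }
    @{ Source = 'Service';    Account = 'CORP\svc-veeam' }
    @{ Source = 'Credential'; Account = '.\Administrator' }
    @{ Source = 'Credential'; Account = 'backup@corp.example' }
    @{ Source = 'Credential'; Account = 'FILESRV01\backup' }
)
$results = foreach ($s in $samples) { Test-PreRemovalAccount @s -ComputerName 'VBR01' }
$results | Format-Table -AutoSize -Wrap
```

Run it before the machine leaves the domain, while domain accounts can still be used to make the changes.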
Impact 4: Connecting to Veeam Backup & Replication Console using Domain Credentials Fails
After removing the machine from the domain, attempts to connect to the Veeam Backup & Replication Console using a domain account will fail.
While this may be obvious, it is noteworthy because it may lead to a situation where no account can be used to manage Veeam Backup & Replication. Specifically, this happens if no local accounts were assigned the Veeam Backup Administrator role, which can occur when the default BUILTIN\Administrators user group was removed and no local account was added to the User and Roles Security panel.
Note: The default configuration of Veeam Backup & Replication is that the BUILTIN\Administrators user group is used to provide all members of that group the Veeam Backup Administrator role.
For example, when Multi-Factor Authentication (MFA) is enabled in Veeam Backup & Replication, all security groups must be removed from the Users and Roles list. This results in the removal of the BUILTIN\Administrators group. Then, if only domain users were added and assigned a role, no local account could be used to administer Veeam Backup & Replication after domain ejection.
More Information
This article may not cover all potential issues that may occur when removing the machine where Veeam Backup & Replication is installed from a domain. Every environment is different, and other undocumented issues may occur. Veeam Support has done its best to document the most common problems that customers have reported.
If you are facing an issue after removing the Veeam Backup & Replication server from a domain, and require assistance, please create a support case.
If you'd like to suggest an addition to the list on this KB Article, please use the Send Article Feedback form.
Tip: The most common reason someone might want to remove their Veeam Backup & Replication server from a domain is for security reasons; as such, we strongly encourage customers to review: https://bp.veeam.com/vbr/Security/Security_domains.html