RESOLUTION #1:
There is a feature available which requires creating a specific group for backup access
- In each domain you need to backup, create an Active Directory group named "RMAD Backup Operators"
- Grant the least privileged user
- Add the least privileged user as a member of this group
- Preinstall the backup agent on the DCs using an account that is a member of the Domain Administrators group or the Builtin Administrators group in the domain
Note: Make sure you first create the RMAD Backup Operators group, and then install the Backup Agent on the DCs. During its installation, the agent locates that group and saves the group SID in the registry. Then the Backup Agent uses this group SID to check that the user account is a member of the RMAD Backup Operators group. If the Backup Agent was already preinstalled, you can repair the agent’s installation so that the agent can locate the RMAD Backup Operators group - Specify this account in the Agent Settings tab of the computer collection in the Recovery Manager console
- Ensure "use preinstalled backup agent" is enabled)
Note: If you have the option, "Ensure Forest Recovery Agent is deployed" enabled, the account specified for the Backup Agent settings will have to be a member of the Domain Admins or Builtin Administrators group in the domain. To avoid this, you will need to manually install the Forest Recovery Agent on the DCs by either using the Forest Recovery Console to push the agent to the DCs or by manually running the Forest Recovery Agent installer on each DC. Then disable the "Ensure Forest Recovery Agent is deployed" option.
RESOLUTION #2:
Option #1: Use a preinstalled backup agent:
- Install the Backup agent on the DCs using the RMAD console to push the agent or by manually running the Backup Agent installer on each DC. This requires an account with Administrator rights on the DCs.
- The least privileged that you specify on the Agent Settings needs to have write access to the folder "%AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory" on the Recovery Manager server
- The account will also need to be a member of the Active Directory Backup Operators group
Option #2: Do not use a preinstalled backup agent:
- This will require the Backup Agent to be deployed during each backup
- The account specified for the Agent settings will require write access to the folder "%AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory" on the Recovery Manager server
- The account will need to have Administrator rights on each DC to be able to install the agent each time the backup runs. The account will need to be a member of either the Domain Admins or Builtin\Administrators groups in each domain backed up
- Add the account to the Backup Operators group in each domain backed up