Monday, August 18, 2014

Symantec System State Backup error "AOFO: Initialization failure on: "System?State". Advanced Open File Option used: Microsoft Volume Shadow Copy Service (VSS).Snapshot provider error (0xE000FE7D): Access is denied." is reported in the job log.


V-79-57344-65149 - AOFO: Initialization failure on: "System?State". Advanced Open File Option used: Microsoft Volume Shadow Copy Service (VSS).
Snapshot provider error (0xE000FE7D): Access is denied. To back up or restore System State, administrator privileges are required.


This error is usually generated when the Symantec Backup Exec (tm) for Windows server service account has insufficient rights.


Please note: The backup account used as the default account and the account used to start the Backup Exec services must be granted the following user rights (Group Policy, User Rights Assignment):
  • Act as part of the operating system
  • Create a token object (which can be used to access any local resources)
  • Log on as a service
  • Log on as a batch job (allows a user to be logged on by means of a batch-queue facility)
  • Backup files and directories (provides rights to backup files and directories)
  • Restore files and directories (provides rights to restore files and directories)
  • Manage auditing and security log
  • Take ownership of files and other objects
For more information on any of the above User Rights Assignment, please refer to the link below: 
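
One way to check the rights listed above on the Backup Exec server, as an added example that is not part of the original article or of Symantec's documentation. It assumes PowerShell 3.0 or later and an elevated prompt; the default account name is the sample name used later in this article and must be replaced with the real service account.

```powershell
# Added example: report which of the listed user rights are assigned to an account.
# 'NT2KDOMAIN\BackupExec' is a sample name; pass the real service account instead.
param([string]$Account = 'NT2KDOMAIN\BackupExec')

# User right (as listed in the article) -> constant used in the secedit export
$required = [ordered]@{
    'Act as part of the operating system'       = 'SeTcbPrivilege'
    'Create a token object'                     = 'SeCreateTokenPrivilege'
    'Log on as a service'                       = 'SeServiceLogonRight'
    'Log on as a batch job'                     = 'SeBatchLogonRight'
    'Backup files and directories'              = 'SeBackupPrivilege'
    'Restore files and directories'             = 'SeRestorePrivilege'
    'Manage auditing and security log'          = 'SeSecurityPrivilege'
    'Take ownership of files and other objects' = 'SeTakeOwnershipPrivilege'
}

# Resolve the account to its SID; secedit writes principals as *SID or as a name
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# Export the effective User Rights Assignment of this machine
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$granted = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        # Value is a comma-separated list of principals
        $granted[$Matches[1]] = $Matches[2] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg

# GrantedDirectly is False when the right is held only through a group
# (for example Administrators); check the group's SID separately in that case.
foreach ($name in $required.Keys) {
    $holders = @($granted[$required[$name]])
    [pscustomobject]@{
        UserRight       = $name
        Privilege       = $required[$name]
        GrantedDirectly = ($holders -contains $sid) -or ($holders -contains $Account)
    }
}
```
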
Solution 1 - To resolve the error  
A. Change the service account from the default Administrator to something unique
B. Grant the current service account specific and required rights
Follow instructions below:
1. Go to Control Panel | Administrative Tools | Services
2. Double-click the Backup Exec Server Service
3. Click the Log on tab
4. Check the service account name
5. If the service account name is displayed with a ".\" in front of the account name (Figure 1), this account is a local computer account (authenticating with Windows not with Active Directory).
6. If this account has the Windows 2003 forest domain name in front of the account name, this account is established at the forest level and has rights in all domains (tree\child) within that forest
If the Backup Exec for Windows services are using a local account and that account is given full administrator rights, access to all domain shares will be enabled but attempts to attach to the System State of remote machines may still result in "access denied." "Remote Machine" refers to any server other than the one running the Backup Exec console. The Backup Exec Service Account (BESA) that is used in all Backup Exec services must be configured/added at the forest root level (highest domain level possible) in order for Windows 2003 server/DC to allow access to these remote server System States.

If the Backup Exec services are set to the local account, perform the following:
1. Create/confirm a Windows 2003 domain level user account for Backup Exec on the domain controller at the forest level
a. Go to Active Directory Users and Computers, then right-click the Users folder
b. If a new account is desired, select New | User, and enter all the appropriate settings such as the account name and password. Click Next twice, and then click Finish. To configure the existing account, locate that account and continue to step c.
c. Open the Users folder, right-click the user, and click Properties
d. Click on the Member Of tab, and confirm/add the Administrators group
e. If Domain Admins is not the primary group, select Domain Admins and click Set Primary Group
f. Ensure that all groups other than Administrators and Domain Admins (such as Domain Users) are removed. Do not remove Schema Admins or Enterprise Admins (if listed)
g. The account should also have the Log on as a service right. For detailed instructions on granting this user right, see the Related Documents section
2. Go to Control Panel | Administrative Tools | Services
3. Stop all Backup Exec services
4. Enter the correct forest level Backup Exec service account name and password for all Backup Exec services
5. Restart all Backup Exec services
6. After resetting services, open Backup Exec and run a test backup of a remote System State and monitor for success.
Note: If access is not needed at the forest level, the account should be created on the domain controller of the highest level domain requiring backups from the Backup Exec server in question.
Solution 2: Check that the system logon account (default logon account), that is, the Backup Exec service account responsible for backing up the System State of the remote server/DC, is preceded by the domain name.
To check this, perform the following:
1. On the Backup Exec console, click on Network | Logon accounts.
2. If the domain name is missing in front of the user name then add the domain name with a "\".

Note: It is recommended to use a NetBIOS syntax for the Domain Admin account instead of a DNS or UPN syntax.  From a previous example:  ‘NT2KDOMAIN\BackupExec’.

3. Run the System State backup job for the machine that is reporting this error message and monitor for success.

Under account credentials, change "domain.local\account" to "domain\account"
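
The account-name checks from Solution 1 (steps 4 to 6) and Solution 2, as an added example that is not part of the original article. It assumes PowerShell 3.0 or later and that the service display names begin with "Backup Exec"; `Get-AccountNameForm` is a hypothetical helper name, and the sample names are the ones used in this article.

```powershell
# Added example: classify the form of a service log-on account name.
function Get-AccountNameForm {
    param(
        [string]$StartName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    if ([string]::IsNullOrEmpty($StartName)) { return 'No account set' }

    # COMPUTERNAME\account is a local account, the same as .\account
    $prefix = ($StartName -split '\\', 2)[0]
    if ($StartName -match '\\' -and $prefix -eq $ComputerName) {
        return 'Local computer account'
    }

    switch -Regex ($StartName) {
        '^(LocalSystem|NT AUTHORITY\\.+)$' { 'Built-in service identity'; break }
        '^\.\\'                            { 'Local computer account'; break }
        '^[^\\@]+@[^\\@]+$'                { 'UPN form (account@domain)'; break }
        '^[^\\]*\.[^\\]*\\'                { 'DNS domain prefix (domain.local\account)'; break }
        '^[^\\.]+\\[^\\]+$'                { 'NetBIOS form (DOMAIN\account)'; break }
        default                            { 'Unrecognized form' }
    }
}

# Sample names taken from the article, classified without touching the system
'.\Administrator', 'domain.local\account', 'NT2KDOMAIN\BackupExec' |
    ForEach-Object {
        [pscustomobject]@{ Account = $_; Form = Get-AccountNameForm $_ }
    }

# Live check: log-on account of every Backup Exec service on this server.
# The display-name filter is an assumption; adjust it to the installed services.
Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'Backup Exec%'" |
    Select-Object DisplayName, State, StartName,
        @{ Name = 'AccountForm'; Expression = { Get-AccountNameForm $_.StartName } }
```

Any service reported as a local computer account or with a DNS domain prefix is a candidate for the changes described in Solution 1 and Solution 2.
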
Solution 3: Add the built-in Administrator account and attempt to run the backup job.
