NetWorker NMM Requirements for SQL Server VDI backups

NetWorker Module for Microsoft (NMM) Requirements for SQL Server VDI backups

The purpose of this document is to identify the key requirements needed for NetWorker Module for Microsoft (NMM) to properly backup.
SQL Server databases using SQL VDI method.  

This document addresses the following areas: 

• Remote User
• Permissions
• User Account Control 

This information is documented in the NMM SQL VDI User guides.

Remote User.

The Remote User field of the SQL Server client resource is required.

In cases of a stand-alone SQL Server with SYSTEM account having been granted sysadmin rights, backups *may* succeed without a remote user field.
In all other cases, including clustered instances and AlwaysOn Availability Groups,  the remote user field is required.

Remote User should be a domain user account which has the following privileges.
In addition, it should have the same privileges on all SQL Server members of a clustered instance or Availability group.

Format of remote user field is DomainName\UserName 

The Password field is also required. 

Permissions

The Remote User must have the following permissions: 

​​​1.  SQL Server rights: sysadmin, dbcreator, and public.
2.  Windows rights: Local Administrators, Backup Operators, Remote Desktop, Users, Domain Users.
3.  Right to log on locally in Windows on SQL Server 
4.  In NetWorker Server, the remote user must belong at least to the "Operators" Usergroup. 


User Account Control (UAC)

When UAC prevents Administrators from running processes in elevated privileges, 
in that case ensure that User Account Control (UAC) has been disabled for Administrators.


Perform these steps on the SQL Server to allow Administrators to run in Admin Approval mode.

1. Open the "Local Security Policy" (secpol.msc) on the Windows Server running the SQL Server.
2. Go to Local Policies > Security Options, and select the following.
3. Change User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode to Elevate without prompting.
4. Disable User Account Control: Run all administrators in Admin Approval Mode.
5. Restart the server.

Alternative Steps to above.

These steps are required to keep User Account Control enabled. 

To enable user access for NMM when User Access Control (UAC) is used, 
grant the Windows "Log on as a batch job" privilege to the Remote User that performs NMM operations. 

This privilege allows the user to log in with a privileged security token. 
 
To grant the "Log on as a batch job" privilege, perform the following steps:
 
1. Open the Local Security Policy (secpol.msc) on the client.
2. Go to Local Policies > User Rights Assignment.
3. Verify that the Windows user or associated group has the Log on as a batch job privilege.