Make sure the accounts you are going to use for application-aware processing of Microsoft SQL servers meet the following requirements:
- The user account that you specify for guest processing of the Microsoft SQL Server VM in the backup job must have the sysadmin fixed role assigned on the target SQL Server. For more information, see the Specify Guest Processing Settings section of the Veeam Backup & Replication User Guide.
If you need to provide minimum permissions for the account to perform backup operations, assign the following:
- SQL Server instance-level roles: dbcreator and public
- Database-level roles: db_backupoperator, db_denydatareader, public
For system databases:
- master - db_backupoperator, db_datareader, public
- msdb - db_backupoperator, db_datawriter, db_datareader, public
- Securables: view any definition, view server state
- For truncation of SQL Server 2012 or SQL Server 2014 database transaction logs, the account must have the db_backupoperator database role (minimum required) or the sysadmin server role.
For more information on how you can add accounts to database roles, see this Microsoft article.
- Make sure the account used for application-aware processing has the following security policies applied:
- Logon as a batch job granted.
This policy can be granted by adding a user to any of the following groups: Administrators, Backup Operators, or Performance Log Users on domain controllers and on stand-alone servers.
- Deny logon as a batch job not set.
When using Veeam Backup & Replication Update 3 or any previous version of the solution, ensure the following:
- The account requires the sysadmin fixed role to access the target Microsoft SQL server.
- The account requires minimum Read and Write permissions to access the administrative share on a target machine where database log backup files will be copied for log replay. For more information on scenarios that require log replay, see Planning for Database Restore.
- The account that is used to run Veeam Explorer for Microsoft SQL Server requires minimum Read and Write permissions to access the directory to which you plan to export your database files.
If the log truncation routine fails with the specified account, Veeam will use the NT AUTHORITY\SYSTEM account. For more information on required permissions for SQL Server 2016, 2014 or 2012, see this Veeam Knowledge Base article. When using SQL Server 2008 and 2008 R2, then, by default, the local SYSTEM account will be used for database log truncation.