NTBackup - Unable To Restore To XP Hosted Alternate Path

[Guest]

We have a secure data center with two Windows 2003 Enterprise Servers. A DLT
tape is attached to the production server and uses NTBackup to archive
message log files.

Restoring log files to the production server is sometimes impractical
because of disk space requirements. Therefore the ability to restore across
the LAN to another computer is useful. We are able to restore to shared
folders on LAN attached computers except for Windows XP Professional
workstations.

Successful Restores To:
Alternate Path On: Windows Enterprise Server 2003.
Alternate Path On: Windows 2000 Professional Workstations.

Unsuccessful Restores To:
Alternate Path On: Windows XP Professional Workstations.
-----------
NTBackup successfully recreates the directory path on the Windows XP Shared
directory (warnings logged) but the data files in those directories are not
being copied. A synopsis (summary) of the error/warning messages found in the
NTBackup log are as follows:

Unable to restore the folder "tape backup folder"

Warning: Unable to create "<sharepath>tape backup folder" - skipped.

Reason: Access is denied

(The folder "tape backup folder" and backup directory tree are actually
created on the shared directory. As for Files: they are not being restored to
the shared directory tree.)

Warning: Unable to create "<sharepath>\tape backup folder\filename.dat" -
skipped.

Reason: Access is denied
--------------------------------
It is possible using the Windows File Explorer to copy files and directories
to the Windows XP shared resource. But using NTBackup fails when specifying
that same resource as an alternate restore path.

===================================================
On the Windows XP Professional Workstation operating in a workgroup, simple
file sharing is enabled by default. For NTBackup to save to XP Professional
Workstation, uncheck the standard file sharing permissions. Information on
how to do this is in the following knowledge base article.

<http://support.microsoft.com/kb/307874/>


Control Panel -> Folder Options -> View

(___) Use simple file sharing (Recommended)

This box should not be checked when using NTBackup on a server that restores
to XP Workstation as an althernate restore path.

This box being checked prevents NTBackup from using XP Professional
Workstation shared directories as an alternate location file restore path.

There appears to be something related to XP permissions that prevents
NTBackup from restoring from a server to the XP workstation even though other
programs operate successfully to manipulate XP Worstation shares.

 

[Steven L Umbach]

Are your XP Pro computer using simple file sharing or not or was I just
reading info from the KB article??

A couple things to check are that the XP Pro firewall is disabled or has the
correct exemptions and look in the security log of the XP Pro computer for
failed logon events that occur at the time that these restore attempts occur
that may give a clue. I would also configure auditing on the computer trying
to be used for privilege user for failure to see if any such events are
being shown that would indicate the account being used lacks a user right.
Since the problem seems to be network related make sure that the share
permissions are correct for the share being used. You might want to start
with full control for everyone for share access and then tighten down from
there if that works. -- Steve

 

[Guest]

... My reply is inserted in your text .. // Steve Hathaway

Are your XP Pro computer using simple file sharing or not or was I just
reading info from the KB article??

The KB article only describes the the ability or lack thereof to administer XP
folder permissions settings from a graphical user interface. It does not
reference anything other than showing or hiding an administrative feature
in the graphical user interface.

My XP Pro operates in a Workgroup environment, not a domain environment.
The ()simple file sharing folder option is default in workgroup environments.
To make the NTBackup perform properly, the feature needed to be unchecked.

The XP Pro firewall is disabled and not used.

File share permissions were open to everyone, and still NTBackup on a
Windows Enterprise Server 2003 was unable to restore files to the XP
Pro workstation. Users of the server (except for NTBackup) were able
to properly create directories and files to the XP Pro shared folder, both
before and after (unchecking) the simple file sharing in the XP Pro folder
options. NTBackup was unable to restore directories without errors, and
was unable to restore files until the (unchecking) simple file sharing was
performed.

There were no security log errors on the XP Pro resulting from server
based NTBackup (restore) operations to an XP Pro hosted alternate
path.

Why? (unchecking) the simple file sharing in the XP Pro folder options
appears to have resolved the problem. -- This frustration and
experimental work-around is the purpose for sending this posting.

I have also posted to an MSDN developer's forum. The forum moderator
requested that I research the Technet community for solutions. I found
none posted, but stumbled on what appears to be a work-around
until Microsoft Engineers develop a patch or official work-around to
NTBackup.

A couple things to check are that the XP Pro firewall is disabled or has the
correct exemptions and look in the security log of the XP Pro computer for
failed logon events that occur at the time that these restore attempts occur
that may give a clue. I would also configure auditing on the computer trying
to be used for privilege user for failure to see if any such events are
being shown that would indicate the account being used lacks a user right.

FYI: The privileged user on the server (same as privileged user on XP Pro)
could not mount the disk drive administrative share (drive)$ to the server,
until after XP Pro did an (unset) of the simple file sharing capability.
This may be a security hole??? -- but it allowed NTBackup to perform.

I am thankful that our network environment is an isolated network segment with
no Internet access. We are therefore comfortable with workgroup networking
on this segment.

Since the problem seems to be network related make sure that the share
permissions are correct for the share being used. You might want to start
with full control for everyone for share access and then tighten down from
there if that works. -- Steve

....
What follows is my experiment -- hinted from the KB article.
The KB article does not mention NTBackup applicability -- but I thought
the issue was worth a try. What resulted when unchecking the simple
file sharing, was a fixup in the permissions that NTBackup, residing on
the Server 2003, was expecting.

This is the area where Microsoft Engineering needs to look in order to
develop and test a patch for NTBackup operations.
....

 

[Steven L Umbach]

What simple file sharing does is to authenticate any attempt to access a
share on the computer where it is enabled as guest/anonymous. The problem in
your case is that guest does not have permissions to access administrator
shares and it does not have the user right to restore files and directories
which is why it fails. Once you disable simple file sharing then the user
authenticates as themselves when they try to access a share or perform a
task on the computer such as restore files and folders. Simple file sharing
is the same as the security option you see in Local Security Policy under
local policies/security options - network access: sharing and security model
for local accounts where the two options are guest only or classic - local
users authenticate as themselves. --- Steve

 

[Guest]

Why can (Simple File Sharing Enabled) a user other than NTBackup
create directories and files on the remote XT Pro? It appears that
Server 2003 users can create authenticate and create directories on the
remote XT Pro when using a Server 2003 system console. But NTBackup
fails.

But when (Simple File Sharing Disabled) then NTBackup on the Server 2003
has user authentication to the remote XT Pro resources and works properly.
I also notice that Server 2003 console users can mount the XT Pro
administrative resources if the Server 2003 login permissions map to an
XT Pro administrator. This is the default functionality when the remote
workstation is Win 2000 Pro.

 

[Steven L Umbach]

The user could create file and directories anywhere that "everyone" is
allowed to in share/NTFS permissions. The user account used for NTbackup
needs the user rights for backup and restore files. If you enable auditing
of privilege use for failure on the computer you will probably see privilege
use failures for that when the user attempt to use NTbackup fails. --- Steve