locked
Can't get TFS Express 2012 backup plan to pass the permissions test for a share on another computer

    Question

  • I'm trying to get TFS Express 2012 backup configured to back-up its data onto another computer.

    Both machines in the test are running Windows 7 Ultimate and are part of the same Homegroup.

    The TFS 2012 installation is on a machine called DEV, and the backup share is on ASUS\TFSBackup (which is shared with the Homegroup with Read/Write access - done using the normal Windows Explorer context menu options).

    I (Dev/David) can read and write files on the share ASUS\TFSBackup using Windows Explorer from the DEV machine, so in essense I'd expect things to work (though TFS Admin Console runs elevated, so that may be affecting things).

    When I run through the Backup Plan Wizard, it fails at the Permissions test, reporting:

    "Account Dev\David failed to create backups using path \\ASUS\TFSBackup"

    If I create a share on the DEV machine (in the same way as I've done on the remote one), of course things work fine.

    What am I doing wrong?

    Has this simple scenario been tested?

    Monday, November 05, 2012 11:59 PM

All replies

  • Hi David,

    Thanks for your post!

    Please check if the accounts does really have full control over the file system folder that is shared both share and folder permissions allow writing?

    Try monitoring the destination with Process Monitor to see if it is a failure in SQL Server (i.e. fails before any file create/write) or in writing.

    For more information, please refer to http://blog.hinshelwood.com/creating-a-backup-in-team-foundation-server-2010-using-the-power-tools/

    Hope it helps!

    Best Regards,


    Cathy Kong [MSFT]
    MSDN Community Support | Feedback to us

    Tuesday, November 06, 2012 8:25 AM
    Moderator
  • Hi Cathy,

    Process Monitor shows loads of failures from sqlservr.exe, starting with these:

    09:41:41.9922561 sqlservr.exe 1472 CreateFile \\ASUS\TFSBackup\filestream.hdr ACCESS DENIED Desired Access: Read Attributes, Dis, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
    09:41:42.3222449 sqlservr.exe 1472 CreateFile \\ASUS\TFSBackup\temp_20121106094141.bak ACCESS DENIED Desired Access: Read Attributes, Synchronize, Dis, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a
    09:41:42.3233073 sqlservr.exe 1472 CreateFile \\ASUS\TFSBackup\temp_20121106094141.bak ACCESS DENIED Desired Access: Read Attributes, Synchronize, Dis, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a

    Now, how do I make it work?

    It shouldn't be this difficult. I can't believe that after all this time, something so fundamental as getting a reliable backup (and restore) of TFS just doesn't work in simple scenarios.

    Tuesday, November 06, 2012 9:47 AM
  • HI David,

    Thanks for your feedback!

    Please verify the user account you are using to backup SQL Server has the following user rights:

    http://support.microsoft.com/kb/2000257

    You may be missing
    SeBackupPrivilege.

    Hope it helps!

    Best Regards,

    .


    Cathy Kong [MSFT]
    MSDN Community Support | Feedback to us

    Wednesday, November 07, 2012 2:41 AM
    Moderator
  • Hi Cathy,

    >Please verify the user account you are using to backup SQL Server has the following user rights:
    http://support.microsoft.com/kb/2000257
    You may be missing
    SeBackupPrivilege.
    <

    That KB article appears to be about problems installing SQL Server - in fact the installation of TFS (and hence its SQL server) on the DEV machine is fine - and backing up to a share on the DEV machine is also fine (albeit useless as it's not much of a backup if it's on the same machine).

    The problem is undoubtably a permissions issue to the backup share (ASUS/TFSBackup), so I've done what's suggested in that KB article for that machine, but it's made no difference, the error from the Backup Plan Wizard is the same.

    Has anyone got this simple scenario (2 Win7 machines in a homegroup) to work?

    If this was some ultra secure locked down system I could imagine there would be problems to solve, but these are not such scenarios. It ought to work out of the box.

    Wednesday, November 07, 2012 3:45 PM
  • HI David,

    Thanks for your feedback!

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
     
    Thank you for your understanding and support.

    Best Regards,


    Cathy Kong [MSFT]
    MSDN Community Support | Feedback to us

    Friday, November 09, 2012 2:48 AM
    Moderator
  • Hi,

    The network configuration is key.

    What if you map the network share: on Dev, set up mapping to ASUS\TFSBackup. Then you can use local drive letter in backup plan setting.

    Let me know if it work for you.

    regards,


    Forrest Guo | MSDN Community Support | Feedback to manager

    Friday, November 09, 2012 9:04 AM
    Moderator
  • Nice try, but specifying a mapped drive letter results in the Backup Plan Wizard now reporting 3 errors:

    "
    Backup Path must be a network path

    MSSQL Server service account NT AUTHORITY\NETWORKSERVICE, NT AUTHORITY\LOCAL SERVICE does not have the required permissions to create backups on the backup path m:\

    Account Dev\David failed to create backups using path m:\
    "

    m: is a working mapped share to my ASUS\TFSBackup location.

    Could someone from MS test this not highly unlikely scenario and document how to get it working - please.

    I'd like to use TFS Express for my stand-alone development work, but without a reliable backup and restore (don't forget to document that too), I think I'll be sticking with VSS.

    Dave

    Friday, November 09, 2012 9:51 AM
  • Hi David,

    I have just faced the same problem today in TFS2012.

    The suggestion of Cathy to take a look in ProcessMonitor is already half of the solution. If you double-click the event in which the process is trying to write into the destination directory, ProcessMonitor shows the Event Properties.

    In Process tab the user is shown which is trying to write into the share. 

    In my case the user didn't have the permission to write into the share. As soon as I added the permission, it worked.

    I hope this works for you, too.

    Best regards
    Markus



    • Edited by Markus607 Friday, November 09, 2012 12:48 PM
    Friday, November 09, 2012 12:45 PM
  • Hi Markus,

    In the Process Explorer Event Properties, Process tab, the User for the ACCESS DENIED errors is shown as "NT AUTHORITY\NETWORK SERVICE".

    If I try to add that user to the share permissions I get a "Name Not Found" dialog. If I instead add the name NETWORK SERVICE, it succeeds, but the backup still fails the same.

    So,  have you chosen some specific named account in the Backup Plan Wizard rather than use the default system account of NT AUTHORITY\NETWORK SERVICE?

    Dave

    Friday, November 09, 2012 2:14 PM
  • Hi Dave,

    it is sufficient to add the user NETWORK SERVICE without the preamble NT AUTHORITY. 

    Take a look if you gave full access to the user both in the share options and in the ntfs security settings.

    Best regards

    Markus

    Friday, November 09, 2012 7:08 PM
  • You'll have to be more specific - it doesn't make any difference on my machine.

    Just to be clear what I've tried...

    On the ASUS machine, for the TFSBackup directory I'm sharing out, I right click, use Share with, Specific People, and I've added NETWORK SERVICE and given it Read/Write permission. The "File Sharing" dialog at that point shows 3 items:

    David - Owner
    Homegroup - Read/Write
    NETWORK SERVICE - Read/Write

    However, after pressing Share and re-displaying that dialog, only the first 2 persist!

    If from the TFSBackup directory, I use Properties, Sharing tab, Advanced Sharing..., Permissions, I see "Everyone" and "Administrators (asus\Administrators)" listed, and both have full control.

    If I add NETWORK SERVICE there and give it Full Control, that does perist - however it makes no difference when I try to backup TFS to there from the DEV machine.

    Dave

    Friday, November 09, 2012 11:24 PM
  • NETWORK SERVICE is local account, which is available on all computers. Apparently it's not shared successfully. In addition to folder > right click>Share With, you can also set up sharing by folder properties > Security > Edit

    My suggestion is that: you share the TFSBackup folder on ASUS with everyone. Since this is in home group, I don't think there's security risk.

    Hope this helps.


    Forrest Guo | MSDN Community Support | Feedback to manager

    Monday, November 12, 2012 6:25 AM
    Moderator
  • >NETWORK SERVICE is local account, which is available on all computers. Apparently it's not shared successfully.
    <
    Apparently? Either it is, or it isn't. :)

    I can well believe that if the computers involved are not part of the same domain (which of course they aren't), that trying to add NETWORK SERVICE is the wrong thing to be doing - not least because it clearly doesn't work for me.

    >My suggestion is that: you share the TFSBackup folder on ASUS with everyone.

    See my last message on the thread. It already allows "Everyone" (with full access).

    What would be really good is if someone from MS responsible for TFS backup & restore could try setting up a couple of new Win7 VMs in a homegroup. Install VS2012, TFS Express 2012, and the TFS 2012 Power Tools on one machine, and get it to backup & restore TFS to a share from the other machine.

    When you've made it work, please thoroughly document how you've done it.

    Dave

    Monday, November 12, 2012 10:32 AM
  • Hi,

    I'm trying to get other people help, please wait some time.

    thanks.


    Forrest Guo | MSDN Community Support | Feedback to manager

    Tuesday, November 13, 2012 6:40 AM
    Moderator
  • Hi,

       I have not been able to get this to work when the machines are in a home-group or work-group environment. I don't think the backup tool was intended to be used in this scenario. I have no problems doing this in a domain environment.

    From a support perspective this is really beyond what we can do here in the forums. If you cannot determine your answer here or on your own, consider opening a support case with us. Visit this link to see the various support options that are available to better meet your needs:  http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone

    Mark (Microsoft)

    Friday, November 16, 2012 8:39 PM
  • Thanks for trying (and failing) - at least I'm not alone.

    I'm incredibly disappointed that the tool doesn't address such a basic scenrio - surely it's not an unrealistic one!

    Friday, November 16, 2012 11:43 PM
  • Hi David,

    I think that error message is wrong.  The identity that creates the backup (and requires write permissions to the network share) is the SQL Server account, not you.  So you need to make sure that the SQL service account has write access.

    Try changing the SQL Server database engine service to run as a user account and give that user account write permissions to ASUS\TFSBackup.  Or give write access to HOMEGROUP\DEV$ on that file share.

    Will

    Wednesday, November 28, 2012 2:43 PM
  • Will, thanks for that suggestion.

    If I change the "SQL Server (SQLEXPRESS)" service to run as .\David (it's default was Network Service I think), the backup plan wizard reports:

    "Account NT AUTHORITY\LOCAL SERVICE failed to create backups using path \\ASUS\TFSBackup"

    ... odd that it now reports the correct configured name for the scheduled backup plan!

    However, as .\David (aka Dev\David) ought to have permissions (I'm assuming as that account can create/read/write/delete files on ASUS\TFSBackup using Explorer), shouldn't that work?

    What I do see as a result of running the readiness checks now is 2 files being created:
    temp_20121128210524.bak
    temp_20121128210526.bak

    Aha! If as well as changing the service account user, I also set the TFS Backup schedule task to use DEV\David, it appears to be backing up.

    I'm now stuck trying to suss out how to get restore to work. Running the Restore Databases Wizard (on the DEV machine), I think it's coaxed me into removing the project collection(s) I had, but it's now giving these errors:

    "Database Tfs_Configuration exists on SQL instance Dev\SqlExpress. Please drop or rename the existing database before the restore operation.
    Database Tfs_DefaultCollection exists on SQL instance Dev\SqlExpress. Please drop or rename the existing database before the restore operation.
    "

    I've no idea what I'm supposed to do now. What does "drop" mean - the term "detach" is used elsewhere in the UI, is that it? If so, I've already done that as far as I can ascertain.

    I hope you can make this work somewhat more seamlessly in the future and I appreciate it's a difficult task to make it appear easy given a variety of complex topologies that you must need to cater for. Backup/Restore across a network needs to be simple and reliable. If you're serious about people using TFS Express for small projects I think you need to do some serious usability testing with developers who're not familiar with doing SQL management tasks - it's something I've never done, and judging from my experiences trying this, it's not remotely intuitive.

    In the mean time, if someone can get this backup/restore scenario to work and document it such that a non-SQL management proficient developer can do it - that'd be very useful information. Perhaps Brian Harry could blog it.

    Wednesday, November 28, 2012 10:06 PM