This does not seem like rocket science but I can't find a recommendation
from MS on which uplevel (from defaults) Security Template (file server,
infrastructure server, etc.) is the best baseline starting point for a SQL
install on a W2K3 AD. I realize that mods will be necessary no matter but
since there are 700+ settings having a head start seems like a good thing. I
have created the OU specifically for the SQL server and just need to
configure it's GP including IPSec. I have implemented most of the suggested
Security settings to the install of SQL itself (see prior post).
Any suggestions?
ThanksThe Enterprise - Member Server Template is the template that should be
used. Also, generate a rollback template to help you with your testing.
The High Security Template should not be used.
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.
Showing posts with label member. Show all posts
Showing posts with label member. Show all posts
Tuesday, March 27, 2012
Sunday, March 25, 2012
Best practise on Database security
Hi All,
In our development server, everyone (Developers) are member of system
administrator (SA).
So on development server, anyone can do all database access.
In our production server, there are only two type of account which are
SA and Public Account.
SA can do all database access i.e.: creating the database, tables, and
security accounts, performing backups, and tuning the database.
Public account (used by application. passwd is created by SA and
encrypted on app setting), they can not execute query directly to
sqlserver, they can only run stored procedure provided.
Now, i want to develop new procedure to manage account and authority
on database.
Can anyone tell me, a best practise on this? (Database security)
I mean, what account should be provided in development and production
svr,
and what can each type of account do?
Rgds
HF
Is it SQL Server 2000/2005?
<harifajri@.gmail.com> wrote in message
news:1176777055.132452.30140@.n59g2000hsh.googlegro ups.com...
> Hi All,
> In our development server, everyone (Developers) are member of system
> administrator (SA).
> So on development server, anyone can do all database access.
> In our production server, there are only two type of account which are
> SA and Public Account.
> SA can do all database access i.e.: creating the database, tables, and
> security accounts, performing backups, and tuning the database.
> Public account (used by application. passwd is created by SA and
> encrypted on app setting), they can not execute query directly to
> sqlserver, they can only run stored procedure provided.
> Now, i want to develop new procedure to manage account and authority
> on database.
> Can anyone tell me, a best practise on this? (Database security)
> I mean, what account should be provided in development and production
> svr,
> and what can each type of account do?
> Rgds
> HF
>
|||On Apr 17, 12:56 pm, "Uri Dimant" <u...@.iscar.co.il> wrote:
> Is it SQL Server 2000/2005?
> <harifa...@.gmail.com> wrote in message
> news:1176777055.132452.30140@.n59g2000hsh.googlegro ups.com...
>
>
>
>
> - Show quoted text -
We are using SQL Server 2000
|||Hi
Use ROLEs to secure the data. Make sure that the users have an EXECUTE
permission only to run stored procedure and /or GRANT SELECT on VIEW...
http://vyaskn.tripod.com/sql_server_security_best_practices.htm --security
best practices
<harifajri@.gmail.com> wrote in message
news:1176862709.039446.313880@.n59g2000hsh.googlegr oups.com...
> On Apr 17, 12:56 pm, "Uri Dimant" <u...@.iscar.co.il> wrote:
> We are using SQL Server 2000
>
sql
In our development server, everyone (Developers) are member of system
administrator (SA).
So on development server, anyone can do all database access.
In our production server, there are only two type of account which are
SA and Public Account.
SA can do all database access i.e.: creating the database, tables, and
security accounts, performing backups, and tuning the database.
Public account (used by application. passwd is created by SA and
encrypted on app setting), they can not execute query directly to
sqlserver, they can only run stored procedure provided.
Now, i want to develop new procedure to manage account and authority
on database.
Can anyone tell me, a best practise on this? (Database security)
I mean, what account should be provided in development and production
svr,
and what can each type of account do?
Rgds
HF
Is it SQL Server 2000/2005?
<harifajri@.gmail.com> wrote in message
news:1176777055.132452.30140@.n59g2000hsh.googlegro ups.com...
> Hi All,
> In our development server, everyone (Developers) are member of system
> administrator (SA).
> So on development server, anyone can do all database access.
> In our production server, there are only two type of account which are
> SA and Public Account.
> SA can do all database access i.e.: creating the database, tables, and
> security accounts, performing backups, and tuning the database.
> Public account (used by application. passwd is created by SA and
> encrypted on app setting), they can not execute query directly to
> sqlserver, they can only run stored procedure provided.
> Now, i want to develop new procedure to manage account and authority
> on database.
> Can anyone tell me, a best practise on this? (Database security)
> I mean, what account should be provided in development and production
> svr,
> and what can each type of account do?
> Rgds
> HF
>
|||On Apr 17, 12:56 pm, "Uri Dimant" <u...@.iscar.co.il> wrote:
> Is it SQL Server 2000/2005?
> <harifa...@.gmail.com> wrote in message
> news:1176777055.132452.30140@.n59g2000hsh.googlegro ups.com...
>
>
>
>
> - Show quoted text -
We are using SQL Server 2000
|||Hi
Use ROLEs to secure the data. Make sure that the users have an EXECUTE
permission only to run stored procedure and /or GRANT SELECT on VIEW...
http://vyaskn.tripod.com/sql_server_security_best_practices.htm --security
best practices
<harifajri@.gmail.com> wrote in message
news:1176862709.039446.313880@.n59g2000hsh.googlegr oups.com...
> On Apr 17, 12:56 pm, "Uri Dimant" <u...@.iscar.co.il> wrote:
> We are using SQL Server 2000
>
sql
Best practise on Database security
Hi All,
In our development server, everyone (Developers) are member of system
administrator (SA).
So on development server, anyone can do all database access.
In our production server, there are only two type of account which are
SA and Public Account.
SA can do all database access i.e.: creating the database, tables, and
security accounts, performing backups, and tuning the database.
Public account (used by application. passwd is created by SA and
encrypted on app setting), they can not execute query directly to
sqlserver, they can only run stored procedure provided.
Now, i want to develop new procedure to manage account and authority
on database.
Can anyone tell me, a best practise on this? (Database security)
I mean, what account should be provided in development and production
svr,
and what can each type of account do?
Rgds
HFIs it SQL Server 2000/2005?
<harifajri@.gmail.com> wrote in message
news:1176777055.132452.30140@.n59g2000hsh.googlegroups.com...
> Hi All,
> In our development server, everyone (Developers) are member of system
> administrator (SA).
> So on development server, anyone can do all database access.
> In our production server, there are only two type of account which are
> SA and Public Account.
> SA can do all database access i.e.: creating the database, tables, and
> security accounts, performing backups, and tuning the database.
> Public account (used by application. passwd is created by SA and
> encrypted on app setting), they can not execute query directly to
> sqlserver, they can only run stored procedure provided.
> Now, i want to develop new procedure to manage account and authority
> on database.
> Can anyone tell me, a best practise on this? (Database security)
> I mean, what account should be provided in development and production
> svr,
> and what can each type of account do?
> Rgds
> HF
>|||On Apr 17, 12:56 pm, "Uri Dimant" <u...@.iscar.co.il> wrote:
> Is it SQL Server 2000/2005?
> <harifa...@.gmail.com> wrote in message
> news:1176777055.132452.30140@.n59g2000hsh.googlegroups.com...
>
>
>
>
>
>
>
> - Show quoted text -
We are using SQL Server 2000|||Hi
Use ROLEs to secure the data. Make sure that the users have an EXECUTE
permission only to run stored procedure and /or GRANT SELECT on VIEW...
http://vyaskn.tripod.com/sql_server...t_practices.htm --sec
urity
best practices
<harifajri@.gmail.com> wrote in message
news:1176862709.039446.313880@.n59g2000hsh.googlegroups.com...
> On Apr 17, 12:56 pm, "Uri Dimant" <u...@.iscar.co.il> wrote:
> We are using SQL Server 2000
>
In our development server, everyone (Developers) are member of system
administrator (SA).
So on development server, anyone can do all database access.
In our production server, there are only two type of account which are
SA and Public Account.
SA can do all database access i.e.: creating the database, tables, and
security accounts, performing backups, and tuning the database.
Public account (used by application. passwd is created by SA and
encrypted on app setting), they can not execute query directly to
sqlserver, they can only run stored procedure provided.
Now, i want to develop new procedure to manage account and authority
on database.
Can anyone tell me, a best practise on this? (Database security)
I mean, what account should be provided in development and production
svr,
and what can each type of account do?
Rgds
HFIs it SQL Server 2000/2005?
<harifajri@.gmail.com> wrote in message
news:1176777055.132452.30140@.n59g2000hsh.googlegroups.com...
> Hi All,
> In our development server, everyone (Developers) are member of system
> administrator (SA).
> So on development server, anyone can do all database access.
> In our production server, there are only two type of account which are
> SA and Public Account.
> SA can do all database access i.e.: creating the database, tables, and
> security accounts, performing backups, and tuning the database.
> Public account (used by application. passwd is created by SA and
> encrypted on app setting), they can not execute query directly to
> sqlserver, they can only run stored procedure provided.
> Now, i want to develop new procedure to manage account and authority
> on database.
> Can anyone tell me, a best practise on this? (Database security)
> I mean, what account should be provided in development and production
> svr,
> and what can each type of account do?
> Rgds
> HF
>|||On Apr 17, 12:56 pm, "Uri Dimant" <u...@.iscar.co.il> wrote:
> Is it SQL Server 2000/2005?
> <harifa...@.gmail.com> wrote in message
> news:1176777055.132452.30140@.n59g2000hsh.googlegroups.com...
>
>
>
>
>
>
>
> - Show quoted text -
We are using SQL Server 2000|||Hi
Use ROLEs to secure the data. Make sure that the users have an EXECUTE
permission only to run stored procedure and /or GRANT SELECT on VIEW...
http://vyaskn.tripod.com/sql_server...t_practices.htm --sec
urity
best practices
<harifajri@.gmail.com> wrote in message
news:1176862709.039446.313880@.n59g2000hsh.googlegroups.com...
> On Apr 17, 12:56 pm, "Uri Dimant" <u...@.iscar.co.il> wrote:
> We are using SQL Server 2000
>
Best practise on Database security
Hi All,
In our development server, everyone (Developers) are member of system
administrator (SA).
So on development server, anyone can do all database access.
In our production server, there are only two type of account which are
SA and Public Account.
SA can do all database access i.e.: creating the database, tables, and
security accounts, performing backups, and tuning the database.
Public account (used by application. passwd is created by SA and
encrypted on app setting), they can not execute query directly to
sqlserver, they can only run stored procedure provided.
Now, i want to develop new procedure to manage account and authority
on database.
Can anyone tell me, a best practise on this? (Database security)
I mean, what account should be provided in development and production
svr,
and what can each type of account do?
Rgds
HFIs it SQL Server 2000/2005?
<harifajri@.gmail.com> wrote in message
news:1176777055.132452.30140@.n59g2000hsh.googlegroups.com...
> Hi All,
> In our development server, everyone (Developers) are member of system
> administrator (SA).
> So on development server, anyone can do all database access.
> In our production server, there are only two type of account which are
> SA and Public Account.
> SA can do all database access i.e.: creating the database, tables, and
> security accounts, performing backups, and tuning the database.
> Public account (used by application. passwd is created by SA and
> encrypted on app setting), they can not execute query directly to
> sqlserver, they can only run stored procedure provided.
> Now, i want to develop new procedure to manage account and authority
> on database.
> Can anyone tell me, a best practise on this? (Database security)
> I mean, what account should be provided in development and production
> svr,
> and what can each type of account do?
> Rgds
> HF
>|||On Apr 17, 12:56 pm, "Uri Dimant" <u...@.iscar.co.il> wrote:
> Is it SQL Server 2000/2005?
> <harifa...@.gmail.com> wrote in message
> news:1176777055.132452.30140@.n59g2000hsh.googlegroups.com...
>
> > Hi All,
> > In our development server, everyone (Developers) are member of system
> > administrator (SA).
> > So on development server, anyone can do all database access.
> > In our production server, there are only two type of account which are
> > SA and Public Account.
> > SA can do all database access i.e.: creating the database, tables, and
> > security accounts, performing backups, and tuning the database.
> > Public account (used by application. passwd is created by SA and
> > encrypted on app setting), they can not execute query directly to
> > sqlserver, they can only run stored procedure provided.
> > Now, i want to develop new procedure to manage account and authority
> > on database.
> > Can anyone tell me, a best practise on this? (Database security)
> > I mean, what account should be provided in development and production
> > svr,
> > and what can each type of account do?
> > Rgds
> > HF- Hide quoted text -
> - Show quoted text -
We are using SQL Server 2000|||Hi
Use ROLEs to secure the data. Make sure that the users have an EXECUTE
permission only to run stored procedure and /or GRANT SELECT on VIEW...
http://vyaskn.tripod.com/sql_server_security_best_practices.htm --security
best practices
<harifajri@.gmail.com> wrote in message
news:1176862709.039446.313880@.n59g2000hsh.googlegroups.com...
> On Apr 17, 12:56 pm, "Uri Dimant" <u...@.iscar.co.il> wrote:
>> Is it SQL Server 2000/2005?
>> <harifa...@.gmail.com> wrote in message
>> news:1176777055.132452.30140@.n59g2000hsh.googlegroups.com...
>>
>> > Hi All,
>> > In our development server, everyone (Developers) are member of system
>> > administrator (SA).
>> > So on development server, anyone can do all database access.
>> > In our production server, there are only two type of account which are
>> > SA and Public Account.
>> > SA can do all database access i.e.: creating the database, tables, and
>> > security accounts, performing backups, and tuning the database.
>> > Public account (used by application. passwd is created by SA and
>> > encrypted on app setting), they can not execute query directly to
>> > sqlserver, they can only run stored procedure provided.
>> > Now, i want to develop new procedure to manage account and authority
>> > on database.
>> > Can anyone tell me, a best practise on this? (Database security)
>> > I mean, what account should be provided in development and production
>> > svr,
>> > and what can each type of account do?
>> > Rgds
>> > HF- Hide quoted text -
>> - Show quoted text -
> We are using SQL Server 2000
>
In our development server, everyone (Developers) are member of system
administrator (SA).
So on development server, anyone can do all database access.
In our production server, there are only two type of account which are
SA and Public Account.
SA can do all database access i.e.: creating the database, tables, and
security accounts, performing backups, and tuning the database.
Public account (used by application. passwd is created by SA and
encrypted on app setting), they can not execute query directly to
sqlserver, they can only run stored procedure provided.
Now, i want to develop new procedure to manage account and authority
on database.
Can anyone tell me, a best practise on this? (Database security)
I mean, what account should be provided in development and production
svr,
and what can each type of account do?
Rgds
HFIs it SQL Server 2000/2005?
<harifajri@.gmail.com> wrote in message
news:1176777055.132452.30140@.n59g2000hsh.googlegroups.com...
> Hi All,
> In our development server, everyone (Developers) are member of system
> administrator (SA).
> So on development server, anyone can do all database access.
> In our production server, there are only two type of account which are
> SA and Public Account.
> SA can do all database access i.e.: creating the database, tables, and
> security accounts, performing backups, and tuning the database.
> Public account (used by application. passwd is created by SA and
> encrypted on app setting), they can not execute query directly to
> sqlserver, they can only run stored procedure provided.
> Now, i want to develop new procedure to manage account and authority
> on database.
> Can anyone tell me, a best practise on this? (Database security)
> I mean, what account should be provided in development and production
> svr,
> and what can each type of account do?
> Rgds
> HF
>|||On Apr 17, 12:56 pm, "Uri Dimant" <u...@.iscar.co.il> wrote:
> Is it SQL Server 2000/2005?
> <harifa...@.gmail.com> wrote in message
> news:1176777055.132452.30140@.n59g2000hsh.googlegroups.com...
>
> > Hi All,
> > In our development server, everyone (Developers) are member of system
> > administrator (SA).
> > So on development server, anyone can do all database access.
> > In our production server, there are only two type of account which are
> > SA and Public Account.
> > SA can do all database access i.e.: creating the database, tables, and
> > security accounts, performing backups, and tuning the database.
> > Public account (used by application. passwd is created by SA and
> > encrypted on app setting), they can not execute query directly to
> > sqlserver, they can only run stored procedure provided.
> > Now, i want to develop new procedure to manage account and authority
> > on database.
> > Can anyone tell me, a best practise on this? (Database security)
> > I mean, what account should be provided in development and production
> > svr,
> > and what can each type of account do?
> > Rgds
> > HF- Hide quoted text -
> - Show quoted text -
We are using SQL Server 2000|||Hi
Use ROLEs to secure the data. Make sure that the users have an EXECUTE
permission only to run stored procedure and /or GRANT SELECT on VIEW...
http://vyaskn.tripod.com/sql_server_security_best_practices.htm --security
best practices
<harifajri@.gmail.com> wrote in message
news:1176862709.039446.313880@.n59g2000hsh.googlegroups.com...
> On Apr 17, 12:56 pm, "Uri Dimant" <u...@.iscar.co.il> wrote:
>> Is it SQL Server 2000/2005?
>> <harifa...@.gmail.com> wrote in message
>> news:1176777055.132452.30140@.n59g2000hsh.googlegroups.com...
>>
>> > Hi All,
>> > In our development server, everyone (Developers) are member of system
>> > administrator (SA).
>> > So on development server, anyone can do all database access.
>> > In our production server, there are only two type of account which are
>> > SA and Public Account.
>> > SA can do all database access i.e.: creating the database, tables, and
>> > security accounts, performing backups, and tuning the database.
>> > Public account (used by application. passwd is created by SA and
>> > encrypted on app setting), they can not execute query directly to
>> > sqlserver, they can only run stored procedure provided.
>> > Now, i want to develop new procedure to manage account and authority
>> > on database.
>> > Can anyone tell me, a best practise on this? (Database security)
>> > I mean, what account should be provided in development and production
>> > svr,
>> > and what can each type of account do?
>> > Rgds
>> > HF- Hide quoted text -
>> - Show quoted text -
> We are using SQL Server 2000
>
Sunday, March 11, 2012
Best practice for SQL cluster and domains
Hi All,
We have a critical 24x7 SQL cluster (W2K), which is a member of an NT 4
domain. As hardware is getting old, and NT4 domain is going to disappear in
the near future, the cluster has to be re-newed. There is also a trusted
Active Directory domain, which holds about all user accounts and groups.
These accounts and groups have been assigned appropriate rights to SQL and
application generated reports.
What makes this a bit more difficult, is that the company is also going to
split, as is network and AD. The split will take place within few months,
but the new AD (where the users finally will be located) is expected to be
in place and fully functional within one year. However, the new cluster
should be up and running within two months. The cluster will be built on
Windows server 2003 Enterprise.
What I should do, is to provide best scenario for implementing new cluster,
so that it minimizes work when AD domains in question change.
As far as I am concerned, if you change a cluster domain membership, you
need to rebuild the whole cluster. This is not what we want to do. We are
prepared to re-assign all appropriate user right and roles as users' domain
changes.
I see following scenarios:
1. join new cluster to present AD domain
2. install new cluster nodes as domain controllers for new "domainlet" or
domain and create trust relationships as needed
3. install separate domain controllers, and join cluster to this domain,
create trust relationships as needed
4. something else?
In scenario 1 I see most work; rebuilding the whole cluster within a year or
so. About scenarios 2 and 3 I'd like to have comments, especially about
using domainlets
(http://www.microsoft.com/windows2000...cluster/domain
lets.asp). Or, there might be a lot better option, which I have not come to
think about.
Please share your opinions and comments,
John
Great questions.
I like option 1, have you read http://support.microsoft.com/?id=319016, no
need to rebuild the cluster and start all over. Pretty easy actually.
Have you read http://support.microsoft.com/?id=298570, so option 2 is not
looking good.
Option 3 will work, but I hate extra trusts, if I can avoid them.
Go with number 1, that is what I would do
Cheers,
Rod
MVP - Windows Server - Clustering
http://www.nw-america.com - Clustering
http://msmvps.com/clustering - Blog
"John" <someone@.microsoft.com> wrote in message
news:41f50ef2@.usenet01.boi.hp.com...
> Hi All,
> We have a critical 24x7 SQL cluster (W2K), which is a member of an NT 4
> domain. As hardware is getting old, and NT4 domain is going to disappear
> in
> the near future, the cluster has to be re-newed. There is also a trusted
> Active Directory domain, which holds about all user accounts and groups.
> These accounts and groups have been assigned appropriate rights to SQL and
> application generated reports.
> What makes this a bit more difficult, is that the company is also going to
> split, as is network and AD. The split will take place within few months,
> but the new AD (where the users finally will be located) is expected to be
> in place and fully functional within one year. However, the new cluster
> should be up and running within two months. The cluster will be built on
> Windows server 2003 Enterprise.
> What I should do, is to provide best scenario for implementing new
> cluster,
> so that it minimizes work when AD domains in question change.
> As far as I am concerned, if you change a cluster domain membership, you
> need to rebuild the whole cluster. This is not what we want to do. We are
> prepared to re-assign all appropriate user right and roles as users'
> domain
> changes.
> I see following scenarios:
> 1. join new cluster to present AD domain
> 2. install new cluster nodes as domain controllers for new "domainlet" or
> domain and create trust relationships as needed
> 3. install separate domain controllers, and join cluster to this domain,
> create trust relationships as needed
> 4. something else?
> In scenario 1 I see most work; rebuilding the whole cluster within a year
> or
> so. About scenarios 2 and 3 I'd like to have comments, especially about
> using domainlets
> (http://www.microsoft.com/windows2000...cluster/domain
> lets.asp). Or, there might be a lot better option, which I have not come
> to
> think about.
> Please share your opinions and comments,
> John
>
|||Rod,
thanks really, this was great information. I'll investigate the options
again in the light of your recent information, the scenario 1 looks now
actually quite good. If you have something to add, please do not hesitate to
share it
Cheers, John
"Rodney R. Fournier [MVP]" <rod@.die.spam.die.nw-america.com> wrote in
message news:%23z6TlkjAFHA.3592@.TK2MSFTNGP11.phx.gbl...[vbcol=seagreen]
> Great questions.
> I like option 1, have you read http://support.microsoft.com/?id=319016, no
> need to rebuild the cluster and start all over. Pretty easy actually.
> Have you read http://support.microsoft.com/?id=298570, so option 2 is not
> looking good.
> Option 3 will work, but I hate extra trusts, if I can avoid them.
> Go with number 1, that is what I would do
> Cheers,
> Rod
> MVP - Windows Server - Clustering
> http://www.nw-america.com - Clustering
> http://msmvps.com/clustering - Blog
> "John" <someone@.microsoft.com> wrote in message
> news:41f50ef2@.usenet01.boi.hp.com...
and[vbcol=seagreen]
to[vbcol=seagreen]
months,[vbcol=seagreen]
be[vbcol=seagreen]
are[vbcol=seagreen]
or[vbcol=seagreen]
year[vbcol=seagreen]
(http://www.microsoft.com/windows2000...cluster/domain
>
We have a critical 24x7 SQL cluster (W2K), which is a member of an NT 4
domain. As hardware is getting old, and NT4 domain is going to disappear in
the near future, the cluster has to be re-newed. There is also a trusted
Active Directory domain, which holds about all user accounts and groups.
These accounts and groups have been assigned appropriate rights to SQL and
application generated reports.
What makes this a bit more difficult, is that the company is also going to
split, as is network and AD. The split will take place within few months,
but the new AD (where the users finally will be located) is expected to be
in place and fully functional within one year. However, the new cluster
should be up and running within two months. The cluster will be built on
Windows server 2003 Enterprise.
What I should do, is to provide best scenario for implementing new cluster,
so that it minimizes work when AD domains in question change.
As far as I am concerned, if you change a cluster domain membership, you
need to rebuild the whole cluster. This is not what we want to do. We are
prepared to re-assign all appropriate user right and roles as users' domain
changes.
I see following scenarios:
1. join new cluster to present AD domain
2. install new cluster nodes as domain controllers for new "domainlet" or
domain and create trust relationships as needed
3. install separate domain controllers, and join cluster to this domain,
create trust relationships as needed
4. something else?
In scenario 1 I see most work; rebuilding the whole cluster within a year or
so. About scenarios 2 and 3 I'd like to have comments, especially about
using domainlets
(http://www.microsoft.com/windows2000...cluster/domain
lets.asp). Or, there might be a lot better option, which I have not come to
think about.
Please share your opinions and comments,
John
Great questions.
I like option 1, have you read http://support.microsoft.com/?id=319016, no
need to rebuild the cluster and start all over. Pretty easy actually.
Have you read http://support.microsoft.com/?id=298570, so option 2 is not
looking good.
Option 3 will work, but I hate extra trusts, if I can avoid them.
Go with number 1, that is what I would do
Cheers,
Rod
MVP - Windows Server - Clustering
http://www.nw-america.com - Clustering
http://msmvps.com/clustering - Blog
"John" <someone@.microsoft.com> wrote in message
news:41f50ef2@.usenet01.boi.hp.com...
> Hi All,
> We have a critical 24x7 SQL cluster (W2K), which is a member of an NT 4
> domain. As hardware is getting old, and NT4 domain is going to disappear
> in
> the near future, the cluster has to be re-newed. There is also a trusted
> Active Directory domain, which holds about all user accounts and groups.
> These accounts and groups have been assigned appropriate rights to SQL and
> application generated reports.
> What makes this a bit more difficult, is that the company is also going to
> split, as is network and AD. The split will take place within few months,
> but the new AD (where the users finally will be located) is expected to be
> in place and fully functional within one year. However, the new cluster
> should be up and running within two months. The cluster will be built on
> Windows server 2003 Enterprise.
> What I should do, is to provide best scenario for implementing new
> cluster,
> so that it minimizes work when AD domains in question change.
> As far as I am concerned, if you change a cluster domain membership, you
> need to rebuild the whole cluster. This is not what we want to do. We are
> prepared to re-assign all appropriate user right and roles as users'
> domain
> changes.
> I see following scenarios:
> 1. join new cluster to present AD domain
> 2. install new cluster nodes as domain controllers for new "domainlet" or
> domain and create trust relationships as needed
> 3. install separate domain controllers, and join cluster to this domain,
> create trust relationships as needed
> 4. something else?
> In scenario 1 I see most work; rebuilding the whole cluster within a year
> or
> so. About scenarios 2 and 3 I'd like to have comments, especially about
> using domainlets
> (http://www.microsoft.com/windows2000...cluster/domain
> lets.asp). Or, there might be a lot better option, which I have not come
> to
> think about.
> Please share your opinions and comments,
> John
>
|||Rod,
thanks really, this was great information. I'll investigate the options
again in the light of your recent information, the scenario 1 looks now
actually quite good. If you have something to add, please do not hesitate to
share it
Cheers, John
"Rodney R. Fournier [MVP]" <rod@.die.spam.die.nw-america.com> wrote in
message news:%23z6TlkjAFHA.3592@.TK2MSFTNGP11.phx.gbl...[vbcol=seagreen]
> Great questions.
> I like option 1, have you read http://support.microsoft.com/?id=319016, no
> need to rebuild the cluster and start all over. Pretty easy actually.
> Have you read http://support.microsoft.com/?id=298570, so option 2 is not
> looking good.
> Option 3 will work, but I hate extra trusts, if I can avoid them.
> Go with number 1, that is what I would do
> Cheers,
> Rod
> MVP - Windows Server - Clustering
> http://www.nw-america.com - Clustering
> http://msmvps.com/clustering - Blog
> "John" <someone@.microsoft.com> wrote in message
> news:41f50ef2@.usenet01.boi.hp.com...
and[vbcol=seagreen]
to[vbcol=seagreen]
months,[vbcol=seagreen]
be[vbcol=seagreen]
are[vbcol=seagreen]
or[vbcol=seagreen]
year[vbcol=seagreen]
(http://www.microsoft.com/windows2000...cluster/domain
>
Thursday, February 16, 2012
Beginning MDX
I'm pretty new at Mdx , so bare with me. I want to make a calculated member called Occupant Fatalities.
The occupant fatalities looks like this right now:
( [Measures].[Fatalities] , [Crash Person].[Person Type].&[Driver])
Now the question is , How do i add another person type to this calculated member. It wont work when i do this.
( [Measures].[Fatalities] , [Crash Person].[Person Type].&[Driver].&[Passenger])
whats the code for having more then one member from a hierachy? or having 2 members from different hierarchies?
any help is appreciated.
Well, one of my co-workers helped with this one. It was right there, and i didnt even know.
I guess you have to put each individual attribute with the measure. Looks like this.
([Crash Person].[Person Type].&[Driver], [Measures].[Fatalities])
+ ([Crash Person].[Person Type].&[Passenger],[Measures].[Fatalities] )
Monday, February 13, 2012
Beginner question - sorry
Suppose I have a group of members and I want they to groups in to different categories. Each member has an ID and I would like each group to have an ID- I guess in programming it would typically done with a 2 dimensional array or something. How does SQL do this? Also each member may belong to more than one group. and also - I though of creating a new table for each group but then I am afraid of the maintenance of so many tables and the groups could quickly go into the thousands and ten thousands. And it really doesn't fit into my design plans also.
Any help or ideas would be appreciated.
Thanks,Hi,
There are a number of solutions to this problem, one would be to create a Groups table, a Users table and a UsersPerGroups table.
Users
UserID | UserName
--------
1 | echo88
2 | taylorza
3 | tmorton
Groups
GroupID | GroupName
--------
1 | Admin
2 | Power User
3 | User
Putting users in groups is as easy as populating the UsersPerGroups table, in this case
echo88 belongs to the Admin and Power User groups
taylorza belongs to the User group
tmorton belongs to no groups
UsersPerGroup
UserID | GroupID
-------
1 | 1
1 | 2
2 | 3
Hope this helps
Subscribe to:
Posts (Atom)