Active Directory?

  • Can anyone please explain this for me:

    Active Directory and its impact on SQL Server (and the DBA)

  • MSSQL, its components, and attributes can be registered in an AD domain. MSSQL also supports Kerberos authentication as part of an AD domain (http://support.microsoft.com/kb/319723).

  • Tommy Bollhofer (3/25/2008)


    MSSQL, its components, and attributes can be registered in an AD domain. MSSQL also supports Kerberos authentication as part of an AD domain (http://support.microsoft.com/kb/319723).

    Kerberos aside, what are the advantages to registering SQL in AD? How would they then be used?

    Thanks

  • Buxton69 (3/25/2008)


    Tommy Bollhofer (3/25/2008)


    MSSQL, its components, and attributes can be registered in an AD domain. MSSQL also supports Kerberos authentication as part of an AD domain (http://support.microsoft.com/kb/319723).

    Kerberos aside, what are the advantages to registering SQL in AD? How would they then be used?

    Thanks

    Listing MSSQL in AD doesn't produce any immediate benefits to the best of my knowledge. Listing databases in AD is useful if you develop applications that can take advantage of published databases, i.e. Service Publication, which enables applications to list the name and locations of services they provide, so clients can locate the applications dynamically.

  • From a security perspective, there's usually an argument against registering SQL Server databases and publications in AD. Anyone with read rights (basically most every authenticated user) can locate the information, including folks who shouldn't have it.

    AD should be leveraged to grant access to your SQL Server through the use of security groups. As a result, it represents a single point of security for your organization. Imagine you've got 30 SQL Servers and every DBA has a SQL Server login on each one. John signs off for his last day. Now you've got to touch AD + 30 SQL Servers. But if the account was put in a group and that group was granted access, then when John's account is disabled, John no longer has access to any of the 30.

    Kerberos, especially Kerberos delegation, provides security options not previously available. Kerberos authentication allows the client to verify the server (not possible with either NTLM or with SQL Server based logins) and Kerberos delegation allows impersonation.

    K. Brian Kelley
    @kbriankelley
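
The group-based access model described in the post above, as an added T-SQL example that is not part of the original thread. The domain `CORP`, the group `SQL-DBAs` and the choice of the `sysadmin` role are assumptions made for illustration.

```sql
-- Added example; CORP\SQL-DBAs is a hypothetical AD security group.

-- 1. Grant access once, to the group, instead of creating a login per DBA.
CREATE LOGIN [CORP\SQL-DBAs] FROM WINDOWS;
-- Role choice is illustrative. ALTER SERVER ROLE ... ADD MEMBER needs
-- SQL Server 2012 or later; older versions use sp_addsrvrolemember.
ALTER SERVER ROLE [sysadmin] ADD MEMBER [CORP\SQL-DBAs];

-- 2. Audit: individual logins that still exist on this server. Each row
--    is an account that must be handled here, by hand, when its owner
--    leaves, because disabling the AD account does not cover SQL logins
--    and leaves per-user Windows logins behind as clutter.
SELECT  p.name,
        p.type_desc,              -- WINDOWS_LOGIN or SQL_LOGIN
        p.is_disabled,
        p.create_date,
        r.name AS server_role     -- NULL when no fixed server role is held
FROM    sys.server_principals AS p
LEFT JOIN sys.server_role_members AS m
        ON m.member_principal_id = p.principal_id
LEFT JOIN sys.server_principals AS r
        ON r.principal_id = m.role_principal_id
WHERE   p.type IN ('U', 'S')      -- U = Windows user, S = SQL login
  AND   p.name NOT LIKE 'NT SERVICE\%'
  AND   p.name NOT LIKE 'NT AUTHORITY\%'
  AND   p.name NOT LIKE '##%'     -- internal system logins
ORDER BY p.type_desc, p.name;

-- 3. Review who currently gets in through the group. Membership is
--    resolved from AD, so it reflects changes made there.
EXEC xp_logininfo @acctname = 'CORP\SQL-DBAs', @option = 'members';
```

Running the audit query on each server shows how far an environment is from the single point of control the post describes: ideally only service accounts and break-glass logins remain in its output.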
