NT Administrator vs SQL DBA
-
I am currently the SQL DBA in a local government. We are using SQL 2000 and am currently upgrading to SQL 2005 Standard Edition. The NT administrators have now decided to remove my access to the server thus leaving me with only the SQL 2005 MMC.
Since I am new to SQL 2005, my question is this:
Can I do EVERYTHING necessary via the SQL 2005 MMC that I used to be able to via SQLCMD and being on the server?
All help is GREATLY appreciated.
Thank you!
-
SQL QA is more valuable than SQL MMC as MMC can't do everything...but QA can execute any scripts you can design.
I can't comment in detail on the "remove from NT" issue...but my feeling is that I would suspect it's a losing battle by the NT ADmins....as you would/should have (as DBA) access to a SQL role which would have "NT ADmin" anyway....or rather you could get SQL Server to have access to NT ADmin on your behalf....The SQL Account itself would have authority to do loads. Sounds like somebody trying to play smart....or maybe too smart for their own competancy.
-
- They must have no confidence at all regarding their DBA's.
- If this is a political issue, have it placed back on the agenda ! In case of disaster, problems, monitoring everybody has advantages having a dba that does not have to wait on some NT-admin before he can get a look regarding what's going on at windows serverlevel. (not only at sqlserver-level).
- If you have sysadmin rights for sql2005 and the serviceaccount of sql2005 has windows-sysadmin, you can do anything you want.
this last section has been removed ...
... because it could cost you your job in this situation
-- add nt-account/group to localgroup administrators
set nocount on
-- is xp_cmdshell enabled ? if not, enable it
declare
@SQLcmdshell varchar(100)
Create
table #tmpConfigCmdShell (configName varchar(128), MinValue varchar(15), MaxValue varchar(15), ConfigValue varchar(15), RunValue varchar(15))
Set
@SQLcmdshell = 'sp_configure @configname = ''xp_cmdshell'''
insert
into #tmpConfigCmdShell
exec
(@SQLcmdshell)
if
exists (select * from #tmpConfigCmdShell where configName = 'xp_cmdshell' and RunValue = '0' )
begin
exec sp_configure @configname = 'xp_cmdshell', @configvalue = '1' ;
RECONFIGURE WITH OVERRIDE;
End
declare
@DosCmd varchar(500)
-- add nt-account/group to localgroup administrators
Set
@DosCmd = 'NET LOCALGROUP Administrators yourdomain\youruser_or_group /ADD'
SET
nocount ON
exec
master.sys.xp_cmdshell @DosCmd
-- did we enable xp_cmdshell ? If yes, disable it
if
exists (select * from #tmpConfigCmdShell where configName = 'xp_cmdshell' and RunValue = '0' )
begin
exec sp_configure @configname = 'xp_cmdshell', @configvalue = '0' ;
RECONFIGURE WITH OVERRIDE;
End
drop
table #tmpConfigCmdShell :
Johan
Learn to play, play to learn !Dont drive faster than your guardian angel can fly ...
but keeping both feet on the ground wont get you anywhere :w00t:- How to post Performance Problems
- How to post data/code to get the best help[/url]- How to prevent a sore throat after hours of presenting ppt
press F1 for solution, press shift+F1 for urgent solution 😀
Need a bit of Powershell? How about this
Who am I ? Sometimes this is me but most of the time this is me
-
rather than risking your job,
why not find out the basis for removal of the dba's from the server.
Not everything is available to either QA or MMC, for example perfmon trace counters are nice to have to troubleshoot i/o issues. if you ever have to restore the master database, you've got to be able to start it locally via a command line. Installation of any components, etc, all require admin access to the box.
They may counter with access will be granted as needed, which is a valid (but slow when problems occur) way of handling limiting access. I'd express concern on the methodology, find out why this is a requirement, and document every case where this causes pain (not only to you, but to your supported systems). Management is more apt to listen/act when you have documented examples of problems.
-
Hey alz ... cute and creative (been there done that as well !!!). Hpwever there are numerous logs the Windows Admins can use, even products like Quest Reporter to uncover back doors such as this. Heck, even group policy can stop this too ... just adding a bit of experience to the solution.
RegardsRudy KomacsarSenior Database Administrator"Ave Caesar! - Morituri te salutamus."
-
Care to share the workarounds??
. -
Just this ...
Words for the cynic/realist/fatalist based on your point of view or situation:
Shepkowski's Employment Credo
-- How much do I get paid ?
-- When do I get paid ?
-- What do I have to do to get paid ?
Corollary
-- The company is not your friend !
There's a little something in the above for everyone to take away.
RegardsRudy KomacsarSenior Database Administrator"Ave Caesar! - Morituri te salutamus."
-
you can set it up in group policy to explicitly define administrators group membership. Every time the gpo's refreshed on the server / workstation, it goes back to whatever's defined in the gpo. Still totally loggable if a malicious user adds themselves.
-
hey, hey ... apparently I started a workaround section .....
As you all have seen, there's a remark in huge letters stating "... could cost you your job..."
So far the disclamer
That all does not cover aprilbras 's original question !
Being able to connect to a server and being part of the local administrators group, definetly has huge advantages when you want to do some followup on your server, it will have a huge advantage when in crisis situation, because you can do things on your own. (collecting the info you need, and ask you NT-group to adjust serverparameters that may be needed) You'll still have to work together !
There is on I in team
If you sqlserver service account is member of the local admin group, you can always use a workaround to get your windows-data, but it will be more primitive, crude data, so will cost you more time to interprete, ...
Johan
Learn to play, play to learn !Dont drive faster than your guardian angel can fly ...
but keeping both feet on the ground wont get you anywhere :w00t:- How to post Performance Problems
- How to post data/code to get the best help[/url]- How to prevent a sore throat after hours of presenting ppt
press F1 for solution, press shift+F1 for urgent solution 😀
Need a bit of Powershell? How about this
Who am I ? Sometimes this is me but most of the time this is me
-
There may be no I in team...but there is a me
Francis
-
definitely
And if you pull open the umbrella you can find a YOU !
Johan
Learn to play, play to learn !Dont drive faster than your guardian angel can fly ...
but keeping both feet on the ground wont get you anywhere :w00t:- How to post Performance Problems
- How to post data/code to get the best help[/url]- How to prevent a sore throat after hours of presenting ppt
press F1 for solution, press shift+F1 for urgent solution 😀
Need a bit of Powershell? How about this
Who am I ? Sometimes this is me but most of the time this is me
-
Ok, so the reason that they have decided to remove my access from the server is based on that fact that they are using a clustering piece of software called Veritas. They also said that I should be able to do all of my database administration via the SQL Studio Management tool.
SInce I am totally new to SQL 2005, I am wondering what are the things that I need to accomplish (specific tasks, please) that cannot be conducted within SQL 2005 MMC tool.
I appreciate all of your responses.
-
Anything that has to do with file level access. For example you decide to move the mdf or ldf files to a different drive. Or you need to make a copy of a backup file or even detach the database and copy this somewhere. You don't need to sign on to the server to do this but you do need to map the appropriate drives.
I often want to check performance via the System Monitor tool. You need to sign onto the server itself. For the servers that we clustered I RDP to the virtual machine (since I may not necessarily know which of the physical machines is the active server)
Service pack applications need to be done from the server. This is the DBA'a job not the network admin's. You should be a member of the local admin on the SQL Server.
Francis
-
If it's a cluster then your SQL Server service accounts are already LocalAdministrators in addition to the service account used for clustering. Being a DBA on a database cluster without access to the clustering software is kind of like asking a blind man walking across an expressway and not get hit. There are training and management issues that need to be adressed first then maybe everybody can share the toys in the sandbox.
RegardsRudy KomacsarSenior Database Administrator"Ave Caesar! - Morituri te salutamus."
-
Hi,
We have started monitoring our server's performance using PERFMON counter data.We have a doubt is by running this tool on the server(DB/APP server) of a site ,would result in any performance issues for the site/server?
Can anyone confirm us on the issues if any in just enabling the counters?
Viewing 15 posts - 1 through 15 (of 20 total)
You must be logged in to reply to this topic. Login to reply