Transactional Replication cross domain

  • The subscriber is located in Domain1

    The Publisher and the distributor are located in Domain2

    Domain1 and Domain2 are separate forests.

    Domain1 and Domain2 are not trusted.

    How can I achieve Transactional Replication? I guess the SQLServerAgent service needs to have a common account?

    Is it still doable in my scenario?

    Thank you all.

    Beachcomber

  • Without a trust, you can still do what you need. Replication can be set up so that SQL Logins are used by the relevant agents.
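
The setup this reply describes, sketched as an added example (not code from the thread): a push subscription whose Distribution Agent runs in Domain2 under a local Windows account and connects to the Subscriber in Domain1 with a SQL login. The server, database, publication, login and account names are hypothetical, and the `<...>` values are placeholders.

```sql
-- Added example: hypothetical names throughout (DR-SUB01, SalesPub, SalesDB,
-- repl_distributor, DOMAIN2\svc_repldist). Replace the <...> placeholders.

-- 1) On the Subscriber (Domain1): SQL login the Distribution Agent connects as.
--    Requires mixed-mode authentication on the Subscriber instance.
USE master;
CREATE LOGIN repl_distributor
    WITH PASSWORD = N'<strong-password>', CHECK_POLICY = ON;
GO
USE SalesDB;   -- subscription database
CREATE USER repl_distributor FOR LOGIN repl_distributor;
-- The agent's Subscriber connection needs db_owner in the subscription
-- database only (ALTER ROLE ... ADD MEMBER needs SQL Server 2012 or later).
ALTER ROLE db_owner ADD MEMBER repl_distributor;
GO

-- 2) On the Publisher (Domain2), in the publication database: push subscription.
USE SalesDB;
EXEC sp_addsubscription
    @publication       = N'SalesPub',
    @subscriber        = N'DR-SUB01',
    @destination_db    = N'SalesDB',
    @subscription_type = N'push';

EXEC sp_addpushsubscription_agent
    @publication              = N'SalesPub',
    @subscriber               = N'DR-SUB01',
    @subscriber_db            = N'SalesDB',
    @job_login                = N'DOMAIN2\svc_repldist',  -- Windows account local to Domain2
    @job_password             = N'<job-account-password>',
    @subscriber_security_mode = 0,                        -- 0 = SQL Server Authentication
    @subscriber_login         = N'repl_distributor',
    @subscriber_password      = N'<strong-password>';
GO
```

With a push subscription the Distribution Agent runs at the Distributor, so only its connection to the Subscriber crosses the domain boundary, and the SQL login needs no server-level role on the Subscriber.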

  • in any sane business you would place the SQL servers in the corporate zone and not DMZ

    - therefore an external (domain2 Distrib) would have to pass through 2 FWs (i.e. would be rejected)

    perhaps you could permit a simple HTTP (port:80) entry to DMZ, and thence onward to corp zone

    - but no way would you just be able to use SQL-login with unencrypted passwords etc !

    the strong recommendation is NOT to try to write your own security shells [would be broken quickly]

    - use the industry standards of trusts, certificates etc

    Dick

  • The second SQL Server is not in a DMZ but is rather our Disaster Recovery Server sitting at an offsite location.

    It is still behind a firewall but on a different Domain. Do you think by establishing trust we can have sqlserveragent from Domain1 have access to required resources on Domain2? I'm not very glib at Windows Networking and AD.

    Thanks again.

  • your networking experts should be able to advise what ports are/not allowed through the FW

    - many sites have a strict HTTP-only (HTTP=port=80, HTTPS port=443) policy and forbid SQL (ports 1433, 1434)

    but if all within your enterprise it could be looser, especially if all servers are fixed IP [not DHCP]

    - then FW rules could permit explicit IP1-IP2 pairs (although IPs can be spoofed)

    see the protocol and services files in C:\WINDOWS\system32\drivers\etc for background

    Dick

  • we have port 1433 enabled on the Disaster Recovery site.

    Right now I can manage those DR servers from my WorkStation.
