Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
elwoos
Master Smack Fu Yak Hacker
2052 Posts |
 Posted - 2006-05-19 : 03:26:07
|
| I only have a couple of SQL Servers but am about to be given responsibility for a few more. I'm trying to pull together a checklist of things to go through with them. One of the things that I'm unsure about is to do with SQL Server access for the network admins. I'm the only "dba" so it doesn't really make sense for me to deny our network admins any access but they aren't dba's which is why I am taking these servers over. Anyone have any suggesetions of best practice for this sort of scenario?thankssteve-----------Oh, so they have internet on computers now! |
|
|
jen
Master Smack Fu Yak Hacker
4110 Posts |
Posted - 2006-05-19 : 03:38:23
|
you getting soft on your "netadmins"?  if they can help you with DBA things especially when you're not around, then grant them the permissions but not SAhere are a couple of things:1. lock down the sql service accounts/password -- to make sure that they will not use this in another server to gain access if you did #22. remove builtin/administrator --even if they're domain admins they won't be able to gain access unless you specify in sql server3. veritas backup can work even without SA, anyways, just let them backup bak files not the mdf/ldf files (exempt from file backup)P.S.it's kinda worse if you're the only DBA, start finding your center especially when they start saying "your sql server" ha ha ha...  --------------------keeping it simple... |
 |
|
|
elwoos
Master Smack Fu Yak Hacker
2052 Posts |
Posted - 2006-05-19 : 03:57:40
|
Thanks Jen,I'm not getting soft, just trying to be realistic.No-one has SA password, though a few people know where it is - mind you the safe is broken at the moment, so let's hope for no real emergencyIt's the removal of the builtin admins that makes me nervous slightly. If I move on then they will be shafted. Unfortunately my conscience is telling me that's a bad thing  At the moment, the idea that they are "my" SQL Servers may not be a bad thing, though that won't last I'm sure.steve-----------Oh, so they have internet on computers now! |
|
|
|
jen
Master Smack Fu Yak Hacker
4110 Posts |
Posted - 2006-05-19 : 04:15:14
|
sounds to me you need to clarify your "dba role"if the builtin\administrator is there, you lose accountability since anyone (netadmins) who has access to the server can get into the sql server databases and... (i shudder at the thought)anyways, it may be good to have that black and white piece of duties and responsibility thingie, coz if something breaks in the sql server, it is likely that all fingers will point to you  just ask this question to yourself, are they capable and responsible enough to be provided with sa privilege?--------------------keeping it simple... |
|
|
|
elwoos
Master Smack Fu Yak Hacker
2052 Posts |
Posted - 2006-05-19 : 04:32:30
|
| Good points Jen, many thanks. The initial suggestion was only concerning performance monitoring but I know they have few if any SQL Server related skills so I can see it expanding rapidly.steve-----------Oh, so they have internet on computers now! |
|
|
|
Kristen
Test
22859 Posts |
Posted - 2006-05-19 : 05:43:05
|
| "Anyone have any suggesetions of best practice for this sort of scenario?"Does the MS Best Practice tool work for knackered old versions of SQL Server? If so it would be worth seeing what it reports.I'd also run a "Slow Query" report in Profiler - if you can spot some badly written queries that can easily be improved you might be "in" with the users of these new servers.Kristen |
|
|
|
elwoos
Master Smack Fu Yak Hacker
2052 Posts |
Posted - 2006-05-19 : 06:39:31
|
| Thanks Kristen, doesn't your FAQ have a link to a list of suggested tasks on first taking over new server(s)?Must go looksteve-----------Oh, so they have internet on computers now! |
|
|
|
Kristen
Test
22859 Posts |
|
|
|
|
|
|
|
Best Practice