Re: What type of Domain group



The reason is in order to abstract the security mechanism out of the SQL Server
installation and place it in the AD, where security is defined and
centrally controlled.

For stand-alone installations, the Security Best Practices recommendations
have always been to create server local groups and assign AD groups and/or
users to these server local groups for access. Then, the SQL Server
administrators would only need to define the local groups, grant them login
and database user role rights, once at design time, and then be out of the
security administration day to day operations.

The problem with clustered configurations is that local groups on each of
the cluster nodes would have different SIDs by default; so, in order to
apply this best practice, one would have to map both sets of groups, one
from each node, which is redundant, and only viable one node at a time,
alternately.

With SS2K5, this is "fixed" by using Domain Local Groups that serve as
proxies for clustered virtualized local host groups. As such, the AD
Administrators would be wise to consider creating a dedicated OU for each
clustered installation, containing the security contexts and virtual server
computer account names and service accounts.

Sincerely,


Anthony Thomas


--

"Angelo Cook" <AngeloCook@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B695F0CC-BF27-464F-8500-CDBC60144082@xxxxxxxxxxxxxxxx
I'm sorry, yes, this is for SQL 2005. I've created them as Domain Local
within our departmental OU. So far all seems to be working. I don't
understand why this is; I guess it has to do with the eventual switch to
Longhorn.

"Rodney R. Fournier [MVP]" wrote:

Are you asking about the Groups required for SQL 2005?

Cheers,

Rodney R. Fournier

MVP - Windows Server - Clustering
http://www.nw-america.com - Clustering Website
http://msmvps.com/clustering - Blog
http://www.clusterhelp.com - Cluster Training
ClusterHelp.com is a Microsoft Certified Gold Partner


"Angelo Cook" <AngeloCook@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:259E59DB-FB6D-4708-A1FC-829D86CE0F7C@xxxxxxxxxxxxxxxx
Does it matter what type of domain group to create: Domain Local, Global,
Universal?

Does it matter where in the AD it resides, under departmental OUs or
higher?
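
The SID problem described in the top reply of this thread can be checked on an existing instance. The T-SQL below is an added example, not part of the thread: it lists Windows-group logins and flags any that are server local groups of a cluster node, using the catalog view `sys.server_principals` and the DMV `sys.dm_os_cluster_nodes`; the result column names and finding texts are this example's own.

```sql
-- Added example, not from the thread. Read-only; the DMV needs VIEW SERVER STATE.
-- A login named NODE\group maps to a SID that exists on that node only, so the
-- group stops matching when the instance fails over to another node.
SELECT
    sp.name AS login_name,
    sp.sid  AS login_sid,
    CASE
        WHEN n.NodeName IS NOT NULL
            THEN N'server local group on ' + n.NodeName
        WHEN UPPER(LEFT(sp.name, 8)) = N'BUILTIN\'
            THEN N'built-in local group'
        ELSE N'domain group'
    END AS group_scope,
    CASE
        WHEN CAST(SERVERPROPERTY('IsClustered') AS int) = 0
            THEN N'stand-alone instance: local groups resolve on this host'
        WHEN n.NodeName IS NOT NULL
            THEN N'SID is node-specific: replace with a domain group'
        WHEN UPPER(LEFT(sp.name, 8)) = N'BUILTIN\'
            THEN N'membership is defined per node: review on every node'
        ELSE N'ok'
    END AS finding
FROM sys.server_principals AS sp
LEFT JOIN (
        -- Every node of the failover cluster (empty on a stand-alone instance) ...
        SELECT NodeName COLLATE DATABASE_DEFAULT
        FROM sys.dm_os_cluster_nodes
        UNION
        -- ... plus the machine currently hosting the instance.
        SELECT CAST(SERVERPROPERTY('ComputerNamePhysicalNetBIOS') AS sysname)
               COLLATE DATABASE_DEFAULT
     ) AS n (NodeName)
       ON UPPER(LEFT(sp.name, LEN(n.NodeName) + 1)) COLLATE DATABASE_DEFAULT
        = UPPER(n.NodeName + N'\')
WHERE sp.type = 'G'              -- 'G' = Windows group logins
ORDER BY group_scope, login_name;
```

Rows reported as node-specific are the ones the Domain Local group approach in this thread is meant to replace.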