Can you please suggest any options how we can configure mirroring on dedicated NIC across servers in different domains without certificates & without enabling trust between domains

  • Question

  • Hi,

    We have planned a SQL Server setup which has a 4-node cluster in the production datacenter and a 3-node cluster in the DR datacenter; both servers are in separate domains.

    We have six SQL instances on the production cluster which need to be mirrored on dedicated NICs across the DR cluster located in the DR datacenter.

    As of now we have done the following prerequisites:-

    Assigned two separate NIC cards from a separate network (different from production) on each cluster node & done the NIC teaming on both clusters.

    Created & assigned an IP address resource from the mirroring network on each SQL instance clustered group.

    Registered the FQDN of each SQL instance in DNS; we have 12 FQDNs overall for all instances.

    Now the issue is, as both clusters are in different domains, I have given two solutions for DB Mirroring configurations:-

    1. Use certificates for mirroring, which they have rejected saying this will require SQL Login creation which we can't do as all SQL instances are with Windows authentication & they don't want to change it to Mixed mode for security reasons.
    2. Enable the trust relationship between domains & configure the mirroring which they again rejected saying this will also be security lapse.

    Can you please suggest any options how we can go ahead with mirroring in this case & also check prerequisites we did for configuring mirroring on dedicated NICs for multiple SQL instances across two clusters in different domains.

    Tuesday, November 12, 2013 11:08 AM

All replies

  • Hi,

    Your dedicated NIC setup doesn't sound too far off the mark. I did something similar here: http://sqlsrvr.com/?p=45. Hope it helps.

    I don't know of another way to set up mirroring other than those you mentioned. How do your applications connect to your database then? If you had to fail over to your DR server, do you have workstations in that domain? I can't think of another way it would work.


    Thanks, Andrew
    My blog...

    Wednesday, November 13, 2013 10:23 AM
  • Thanks Andrew

    I have gone through the link provided by you; it says that you need to create a client access point.

    But in my setup we have created IP address resource for each instance from different cluster network called SQL_Mirror & added to dependency of existing SQL network name.
    We have not created client access point.

    Is that ok?

    Wednesday, November 13, 2013 10:32 AM
  • The client access point is just the friendly name. It'll work by IP too.

    Thanks, Andrew
    My blog...

    Wednesday, November 13, 2013 10:38 AM
  • OK, do you think apart from the two solutions we have, i.e.:-

    Certificates & Two way trust relationship

    Can we use SQL credentials to configure mirroring with one way trust enabled, as our client is happy with one way trust from production to DR?

    Following is an excerpt from one of the forums on SQL Server Central:-

    Hi guys,


    Can we do database mirroring in different domains? Is it possible?

    Can you please provide the answer? It's very urgent.

    Regards
    venkat 


    Yes - it is possible. How you go about setting it up depends on how the domains are configured. If the domains are fully trusted - there shouldn't be any issues at all.

    If the domains are not trusted - or only use a one way trust from one domain to the other, then you need to use credentials instead.

    Wednesday, November 13, 2013 11:20 AM
  • Hello,

    We can enable certificate authentication for database mirroring, but the connection authentication is two-way trust. The system administrator must configure each server instance to use certificates on both outbound and inbound connections.
    Reference: Use Certificates for a Database Mirroring Endpoint (SQL Server)

    Regards,
    Fanny Liu
    TechNet Community Support

    Wednesday, November 20, 2013 12:58 PM
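
The outbound and inbound certificate configuration mentioned in the last reply, as an added example that is not code from this thread or from the participants. It shows the production side only and binds the endpoint to the dedicated mirroring IP; the names HOST_A/HOST_B, the file paths, port 5022, the 192.0.2.11 address, the expiry date and the password placeholders are all assumptions. The login created for the partner is the principal that owns the partner's certificate and holds CONNECT on the endpoint; the partner authenticates with its certificate's private key and never presents the login's password.

```sql
-- Run on the production instance (called HOST_A here); repeat on the DR
-- instance (HOST_B) with the names swapped. All names, paths, the IP, the
-- port and the password placeholders are assumptions for illustration.
USE master;
GO
-- A database master key in master protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
GO

-- 1. Outbound: this instance's own certificate.
--    Without EXPIRY_DATE the certificate expires one year after creation.
CREATE CERTIFICATE HOST_A_cert
    WITH SUBJECT = 'HOST_A database mirroring endpoint',
         EXPIRY_DATE = '20301231';   -- placeholder date, track it for renewal
GO

-- Endpoint listens only on the dedicated mirroring address (placeholder IP)
-- and authenticates to the partner with the certificate above.
CREATE ENDPOINT Mirroring
    STATE = STARTED
    AS TCP (LISTENER_PORT = 5022, LISTENER_IP = (192.0.2.11))
    FOR DATABASE_MIRRORING (
        AUTHENTICATION = CERTIFICATE HOST_A_cert,
        ENCRYPTION = REQUIRED ALGORITHM AES,
        ROLE = PARTNER);
GO

-- Export the public certificate only (no private key) and copy it to HOST_B.
BACKUP CERTIFICATE HOST_A_cert TO FILE = 'C:\certs\HOST_A_cert.cer';
GO

-- 2. Inbound: after HOST_B_cert.cer has been copied here from the DR side.
CREATE LOGIN HOST_B_login WITH PASSWORD = '<long random password>';
CREATE USER HOST_B_user FOR LOGIN HOST_B_login;
GO
-- Bind the partner's public certificate to that user.
CREATE CERTIFICATE HOST_B_cert
    AUTHORIZATION HOST_B_user
    FROM FILE = 'C:\certs\HOST_B_cert.cer';
GO
-- The only permission the partner needs: connect to the mirroring endpoint.
GRANT CONNECT ON ENDPOINT::Mirroring TO HOST_B_login;
GO

-- Check what the endpoint is bound to and how it authenticates.
SELECT e.name, e.state_desc, t.ip_address, t.port,
       e.connection_auth_desc, e.encryption_algorithm_desc
FROM sys.database_mirroring_endpoints AS e
JOIN sys.tcp_endpoints AS t ON t.endpoint_id = e.endpoint_id;
```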