Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase ««123»»

Is RDP Access Needed for a SQL Server Administrator? Expand / Collapse
Author
Message
Posted Monday, December 16, 2013 3:40 PM


SSChampion

SSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampion

Group: General Forum Members
Last Login: Today @ 8:24 AM
Points: 12,887, Visits: 31,835
defyant_2004 (12/16/2013)
We really want to protect the server and limit the amount of unnecessary access. Although I am not an expert at DBA work, I have used SSMS in the past and it seems to provide everything our DBAs should need to maintain our SQL Servers without logging onto the server itself and messing things up. We have a 90% uptime we must keep. We also want to prevent any risk for corrupting our Windows Server installations.


this sounds more like you want to keep people away from what you perceive is your responsibility, rather than making sure the company's needs are best served.

try to get away from putting barriers between you and the DBA's; think of working together instead.

turn your question around: what business do YOU have touching the SQL Server without the DBA knowing about it?

when you think of it that way, maybe you'll think, oh yeah, we need to talk to each other before we install updates/take server offline/defrag disks, etc., and they would do the same when they run out of disk space from backups and other things.


Lowell

--There is no spoon, and there's no default ORDER BY in sql server either.
Actually, Common Sense is so rare, it should be considered a Superpower. --my son
Post #1523468
Posted Monday, December 16, 2013 8:12 PM


SSCoach

SSCoachSSCoachSSCoachSSCoachSSCoachSSCoachSSCoachSSCoachSSCoachSSCoachSSCoach

Group: General Forum Members
Last Login: Today @ 11:13 AM
Points: 15,527, Visits: 27,909
Gotta land on the other side on this one.

I spent close to 10 years as a DBA for a major insurance company and most of that time I did not have access to the production servers through RDP. I could only get to SQL Server itself and some of the file shares we used for data storage and backups. And I never really missed RDP.

Now, I didn't do installs or I would have needed it. But with that one caveat, it's pretty easy to work around it.

Sorry everyone.


----------------------------------------------------
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood..." Theodore Roosevelt
The Scary DBA
Author of: SQL Server 2012 Query Performance Tuning
SQL Server 2008 Query Performance Tuning Distilled
and
SQL Server Execution Plans

Product Evangelist for Red Gate Software
Post #1523510
Posted Tuesday, December 17, 2013 3:35 AM
SSC-Addicted

SSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-Addicted

Group: General Forum Members
Last Login: Friday, July 25, 2014 2:56 AM
Points: 451, Visits: 1,665

this sounds more like you want to keep people away from what you perceive is your responsibility, rather than making sure the company's needs are best served.

try to get away from putting barriers between you and the DBA's; think of working together instead.

I agree with this.

Yes, it is possible to do the work without RDP access to your servers, but it would be like working with one hand tied behind your back.
Post #1523588
Posted Tuesday, December 17, 2013 3:47 AM
SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Yesterday @ 1:21 PM
Points: 5,975, Visits: 12,883
defyant_2004 (12/16/2013)
They do not do installs.


Who does? People who are not expert in SQL server?

Not sure what DAC enablement is for? If the server is down, we bring it back up for them.


it might prevent the need to bounce the server to fix problems. If you are not aware of such tools how are you qualified to decide whether DBAs should get RDP access?

We just feel the DBAs need to stay off the server to prevent any possible damage to the server itself.

If SSMS gives them what they need, why risk giving them RDP access?


You just feel? Based on what? SSMS does not give a DBA all they need.


---------------------------------------------------------------------

Post #1523592
Posted Tuesday, December 17, 2013 4:15 AM
SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Yesterday @ 1:21 PM
Points: 5,975, Visits: 12,883
defyant_2004 (12/16/2013)
We really want to protect the server and limit the amount of unnecessary access. Although I am not an expert at DBA work, I have used SSMS in the past and it seems to provide everything our DBAs should need to maintain our SQL Servers without logging onto the server itself and messing things up. We have a 90% uptime we must keep. We also want to prevent any risk for corrupting our Windows Server installations.


From your original question, this and other of your replies in the thread it seems you have simple SQL set up and your DBAs are very limited in what they are able to do. It also sounds like they would like to do more and improve the service they provide. You say yourself you are not an expert in DBA work, and using SSMS in the past is no qualification and does not give you an insight into the full range of DBA work.

Talk with your DBAs, either give them RDP and lay down ground rules or provide them remote alternatives so they can do more without having to refer to others all the time. Really I cannot see what things they would 'mess up' if they are professional.

Are any of your database related files large? Having to move those between drives or servers whilst remote involves two hops and is unnecessarily time consuming.


---------------------------------------------------------------------

Post #1523601
Posted Tuesday, December 17, 2013 8:24 AM


SSChasing Mays

SSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing Mays

Group: General Forum Members
Last Login: Today @ 2:20 PM
Points: 604, Visits: 502
how about some middle ground? give them view / user permissions and not admin. If they find a problem, they have you fix it. Almost all work can be done without RDC. If they were reading this thread, I'd just advise them to make a ticket to you and e-mail their request every time they need work done that they cannot do. It's what you're wanting them to do so it shouldn't be an issue.

That being said... I much prefer to have SA access to my SQL servers. I already control all the data, I already have access to most of the system including registry control depending on how you lock down the service accounts.... It is easier on me to manage it top to bottom.

IF the server breaks Christmas night, now you both get called in to fix it since they need to verify the database and you have to bring it up. If one of you are missing... now it's down even longer.

Side note: You're paying an awful lot for a DBA or set of DBAs you don't trust not to break your server. Middle ground of use read access to the server can help them help you.


.
Post #1523725
Posted Tuesday, December 17, 2013 9:14 AM
Hall of Fame

Hall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of Fame

Group: General Forum Members
Last Login: Today @ 11:22 AM
Points: 3,122, Visits: 11,406
I have to come down on the side of RDP access for DBAs.

I have seen many cases where there was a problem with the server and the Windows admins claimed there was no problem. For example, a Windows admin claimed they saw nothing wrong with disk performance when I was able to show that the IO performance was only about 5% of expected throughput.

DBAs often have as much server knowledge as Windows admins because of their greater experience, and may be more motivated to actually find the problem.

IT is a team and you don't want to keep you best players on the bench when there is a problem.

I think you will find that very few DBAs a reckless enough to cause problems with the server, any more that Windows admins are reckless. DBAs tend to have a very conservative approach to these things.






Post #1523754
Posted Tuesday, December 17, 2013 9:38 AM
SSC Rookie

SSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC Rookie

Group: General Forum Members
Last Login: Thursday, May 22, 2014 8:22 AM
Points: 45, Visits: 139
I am still not seeing what functions on the server they would need. If they can work in SSMS from their machine, why do they need to login to the Server to use SSMS their? It seems like I would be creating more risk in the environment by letting them login to the machine. Are their resources on the server they need access to?
Post #1523776
Posted Tuesday, December 17, 2013 9:45 AM


SSChampion

SSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampion

Group: General Forum Members
Last Login: Today @ 2:43 PM
Points: 13,110, Visits: 11,944
defyant_2004 (12/17/2013)
I am still not seeing what functions on the server they would need. If they can work in SSMS from their machine, why do they need to login to the Server to use SSMS their? It seems like I would be creating more risk in the environment by letting them login to the machine. Are their resources on the server they need access to?


99.9999% of the time you can do nearly everything with SSMS. It is that small percentage of things, which is usually during an outage, that you need access to the box. Paranoia seems to be more important than teamwork in your shop. The bottom line is that there is no right answer here. That should be obvious from the myriad of opinions you have received so far. If preventing RDP access to the DBA works in your environment then that is what you should do.


_______________________________________________________________

Need help? Help us help you.

Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.

Need to split a string? Try Jeff Moden's splitter.

Cross Tabs and Pivots, Part 1 – Converting Rows to Columns
Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs
Understanding and Using APPLY (Part 1)
Understanding and Using APPLY (Part 2)
Post #1523780
Posted Tuesday, December 17, 2013 9:59 AM


SSCoach

SSCoachSSCoachSSCoachSSCoachSSCoachSSCoachSSCoachSSCoachSSCoachSSCoachSSCoach

Group: General Forum Members
Last Login: Today @ 11:13 AM
Points: 15,527, Visits: 27,909
defyant_2004 (12/17/2013)
I am still not seeing what functions on the server they would need. If they can work in SSMS from their machine, why do they need to login to the Server to use SSMS their? It seems like I would be creating more risk in the environment by letting them login to the machine. Are their resources on the server they need access to?


The thing to think about from a DBA perspective is that we're neither fish nor fowl. We're not developers, yet we work with the development teams and are a major part of most development projects and development deployments. We're not sys admins, yet we have to work within the arena of servers and drives and shares and security that the sysadmins deploy. We straddle both these worlds, yet neither is too crazy about having us around AND yet neither wants to do our jobs.

So, for a DBA, it's easier (not necessarily better, not necessarily required) to just have sysadmin rights. I get done what I need without having to bug the sysadmin's who don't want to talk to me anyway. So, a common example from my past. Log backups fail (or, a new database was created and log backups were never enabled for it) and suddenly the drive where the logs are stored is full. It's 3AM. If I have sysadmin rights, I quickly create another network share, map the server to it, add a log file to my database, and figure out how to fix things from there. If I don't have sysadmin I... 1) Call the sysadmin person and tell them 1/2 of what has to happen, right flipping now 2) Cheat by shrinking other log files in order to free enough space to then get the backup of the full log done. Option 2 is actually much more time consuming and inherently less safe, but it may be the path I take because, let's say, in the past I didn't get quick responses from the admin team.

There are several bad examples at play here (why would we let a database get on the server without log backups, don't we have drive space monitoring, log backup monitoring, log size monitoring, etc.), but, you don't have to meet all the bad examples to understand how that 3AM issue (and it's always 3AM) arises. I worked without sysadmin rights for close to 10 years as the on-call DBA. It's absolutely doable. It's just not as easy.


----------------------------------------------------
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood..." Theodore Roosevelt
The Scary DBA
Author of: SQL Server 2012 Query Performance Tuning
SQL Server 2008 Query Performance Tuning Distilled
and
SQL Server Execution Plans

Product Evangelist for Red Gate Software
Post #1523788
« Prev Topic | Next Topic »

Add to briefcase ««123»»

Permissions Expand / Collapse