Click here to monitor SSC
SQLServerCentral is supported by Redgate
Log in  ::  Register  ::  Not logged in
Home       Members    Calendar    Who's On

Add to briefcase «««123

Is RDP Access Needed for a SQL Server Administrator? Expand / Collapse
Posted Tuesday, December 17, 2013 10:45 AM

SSChasing Mays

SSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing Mays

Group: General Forum Members
Last Login: Friday, November 4, 2016 10:08 AM
Points: 621, Visits: 585
the question has been answered that your DBA can work without RDP.

What's been addressed is that you now have twice as much work to do since they cannot.

Do you have your own projects? How do you prioritize your time vs the DBAs?
If he needs:
A folder created for a new database.
Drive space checked.
Their SQL Server service restarted.
A registry key changed to add it to the MSX node.
Move a backup and the transaction logs to the mirrored site.
Verify backups are getting to your DR site.
3 AM move the log files.
Look at the system log files to see why SQL failed.
Troubleshoot quicker why that mission critical database that your company lives off of is down.

Do you drop everything to support them in a major outage? San crashing, network being affected by the gods of Asgard, servers coming up without the san and needing to be hand held back into production... You're now doing all that on your own while your DBA is asking for you to move the backup he has from one server to another to get your DR site up. He can have it back up while you keep fighting the fires else where. There's countless reasons it would make your life and your DBA's life better. They don't even need SA... Give them view of the OS drives and full control of the database drives. There is a middle ground. ^.^'

Post #1523815
Posted Tuesday, December 17, 2013 11:05 AM
Old Hand

Old HandOld HandOld HandOld HandOld HandOld HandOld HandOld Hand

Group: General Forum Members
Last Login: Today @ 2:24 PM
Points: 332, Visits: 3,202
Here are some examples from my own experience, where I have had to use RDP:

1) Get a call from the users that the application is very slow, and I can't connect from SSMS either. It could be that SQL Server is maxed out, or the box is hung. Hopefully, the former will be limited by the resource governor or WSRM, and then I can log on to the server to investigate further.

2) Good luck loading large event or SQL Server logs over a network.

3) Let's say I have to upload MPS reports to Microsoft. Not really practical to copy huge files to my workstation.

4) If a flat file has to copied from server A to server B to be loaded into SQL Server, then I am going to have to log on to one of them directly, or everything has to go thru my workstation.

As mentioned above, these problems are most likely to occur off hours. Adding a VPN to the equation slows things down even more. And then there is the communication issue. I am already on the phone with someone for the initial problem. Now I have to call my server admin. Maybe I can use Skype for one of the calls, except that it may cause something else to time out. And will your third shift be adequately trained to support DBA's, or will they eventually have to call you as well?

So bottom line, does your management understand and accept the additional downtime and lack of productivity that will result from the DBA's not being fully able to do their job?
Post #1523824
Posted Tuesday, December 17, 2013 11:37 AM


Group: General Forum Members
Last Login: Wednesday, November 16, 2016 9:57 AM
Points: 6,147, Visits: 13,680
defyant_2004 (12/17/2013)
I am still not seeing what functions on the server they would need. If they can work in SSMS from their machine, why do they need to login to the Server to use SSMS their? It seems like I would be creating more risk in the environment by letting them login to the machine. Are their resources on the server they need access to?

I have given some examples but you seem to be ignoring them, perhaps because they do not fit the answer you want?

iptech reiterates one in point 4), and its true of any database related file.

point 1) is valid for the DAC as well which I mentioned

These are the things I tend to access when local to the server to complete my duties (note, none are SSMS)

sql configuration manager
event viewer
component services
computer management
security policies
cluster administrator

I am always very careful when doing this and only touch the parts I understand, by nature DBAs are cautious and I am also lazy and don't want to create problems and therefore extra work for myself.

Some of these your DBAs won't need as they relate to SSIS or SSRS, but that might change one day.


Post #1523830
Posted Tuesday, December 17, 2013 11:45 AM

SSChasing Mays

SSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing Mays

Group: General Forum Members
Last Login: Friday, November 4, 2016 10:08 AM
Points: 621, Visits: 585
I'd love to see the DBA from their shop chime in. ^.^

I've worked without RDP. I can tell you there are real down sides. Downtimes are longer, less people working on the same problem, single points of failure(you getting hit by a bus... per say), fixes take more coordination, and more that aren't on the front of my brain right now.

If you don't trust the DBAs that already control all of your data... Then this shouldn't be a question. Just tell them no, let them come to you with every end user style problem such as *I can't see the drive structure... where's this folder?* and go about your day. It is more work for them, for you, and more down time for everyone. If this isn't SIPR/Secret or higher, I see no reason security should be held that tight within the company as well. It's bad for retention. ^.~

Post #1523834
Posted Tuesday, December 17, 2013 12:45 PM
SSC Rookie

SSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC Rookie

Group: General Forum Members
Last Login: Friday, September 12, 2014 4:03 PM
Points: 47, Visits: 146
Well, I guess I will need to give this some consideration. They have been asking for it for a long time now. I assumed that SSMS gave them all the tools they needed. I read a couple articles that seemed to indicate that. I strive for an extremely clean, organized server that is the same across the board. I just don't like the idea of them having access to make changes on my server. Thanks for all the input. I will make a decision over the next couple of weeks.

Post #1523857
Posted Tuesday, December 17, 2013 12:48 PM



Group: General Forum Members
Last Login: Today @ 3:13 PM
Points: 2,009, Visits: 7,246
From what you describe in the original post, yes, the DBA's can probably do everything described without RDP access. You can view the event log, file sizes, etc. etc. without RDP access. That is going to require some work from the server team, however.

It really sounds like some education is required. The server team needs to better understand exactly what the DBA's do for a living, and the DBA's need to understand the requirements of security, auditing, etc. etc.

Once this education occurs, an assessment of the practices on both sides regarding compliance, documentation, and so forth should occur. Bring in someone from a different department as a referee!

We have admin privileges on all of the database servers, and additionally have been granted the rights on the physical hosts for the virtualized boxes.
The DBA's rarely use RDP to get into a server. But, we work together as a team and follow the rules set forth by all parties.

Michael L John
If you assassinate a DBA, would you pull a trigger?
To properly post on a forum:
Post #1523860
Posted Tuesday, December 17, 2013 9:36 PM

SSChasing Mays

SSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing Mays

Group: General Forum Members
Last Login: Friday, November 4, 2016 10:08 AM
Points: 621, Visits: 585
I'd like to take the time and say two things.

1) Thank you for coming here and asking DBA's in the field for their opinions.

2) Thank you to the community for treating the question with an honest response and kindness.

I love seeing a forum that handles itself correctly.

Post #1523932
Posted Wednesday, December 18, 2013 10:36 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Thursday, June 4, 2015 10:27 AM
Points: 1, Visits: 132
As a DBA, I would be more afraid of what the server administrators could do to the SQL Server since they don't understand the internals.
Post #1524237
Posted Thursday, December 19, 2013 10:52 AM

Ten Centuries

Ten CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen Centuries

Group: General Forum Members
Last Login: Wednesday, November 2, 2016 7:04 AM
Points: 1,017, Visits: 3,661
Here's a small, stupid, recent example where I needed RDP access: Making a registry change so that OPENROWSET() calls can read in pipe-delimited files (instead of comma-delimited) for a large ETL project and then changing it back. (SQL 2005 Enterprise, I sure hope this has been changed in more recent releases to accommodate other delimiters without a registry change!)

Here's a URL in case anyone else needs to know how to do this, by the way.

This is a completely candid and non-sarcastic comment coming up, though it may sound like snark: as a former sysadmin and current DBA, I'd be much more concerned about a sysadmin accessing a SQL server than the other way around. Why? I know few SQL DBAs who aren't familiar with Windows server OS's, but I know lots of Windows sysadmins who know nothing about SQL Server. ("We needed to re-boot the server after a Windows update. Was that a bad time for your 10-million-row ETL process?")

I will encourage you to think about this as a collaboration, not a competition. You and your DBAs -- TOGETHER -- hold the keys to the kingdom: your company's data. Your users (from clerks to CIO) expect your systems to be available, efficient, and secure. Ask yourself how you and your DBAs can best achieve that?

Trust is important. I work in a small shop and our sysadmin has full, unfettered access to the SQL Servers. Yet he never reboots or even logs into one without talking to me first, b/c he knows that he doesn't know what he's doing and wants to make sure that systems continue to function. I, in turn, don't make any Windows- or VM-related changes (extending disk volumes, allocating add'l RAM from the VM farm, etc.) without discussing it with him first.

Kudos to you for asking the question and not simply shutting off your DBAs.

Post #1524716
Posted Friday, December 20, 2013 3:28 AM


Group: General Forum Members
Last Login: 2 days ago @ 7:17 AM
Points: 437, Visits: 1,670
I'd have to agree that removing tha ability to remotely log on to the server will hinder the ability for the DBA to do their work.

As long as SQL Server is running properly they could log on to the SQL server using SSMS, enable cmdexec and run all of those nasty changes on the server in any event so I don't see where you are gaining any security benifit.

If SQL server is running slowly or has crashed then they will need to identify why and the ability to get to the OS to diagnose the problem will greatly assist this. I have examined the event logs via SSMS but when it can take a minute to scroll the log rather than virtually instantaneously when logged on to the server itself there is no contest.
Bear in mind that the occassions they will need access to the server are generally the same occassions where accessing things via SSMS is a problem.
Post #1524912
« Prev Topic | Next Topic »

Add to briefcase «««123

Permissions Expand / Collapse