Video Screencast Help

Installing BE2012 with a remote SQL server without a domain

Created: 19 Apr 2013 | 8 comments

Because of a certain set of requirements we have a Windows Server 2008 R2 environment without Domain Controllers in which the MS-SQL 2008 R2 server resides on a different machine from the machine that BE2012 will be running on.  Both machines are heavily secured but I've already installed multiple other applications that are successfully using this SQL server for their access. 

When I try to install BE2012 and I get to the Choose SQL Server step I get the "Cannot connect to Microsoft SQL Server NAME. On the remote SQL Server."  Which the debugging about the remote connections part is not the issue as I've verified it from multiple other application installations.  I've also ensured Named Pipes and the Browser service are enabled as well.  So I'm pretty sure my issue is the "The user who is currently logged on to this system is a member of the Administrators group on the SQL Server NAME."  The account I'm using exists on both systems, however as I stated they are not domain accounts so they're not truly the same account.

I know the BEUTILITY and installation process actually attempt to move files via system access which requires the account being used to be a domain admin account which I do not have.  Is there some way around this?  Could I do a local installation and then move the DB to the remote system manually?  The issue I still see happening is the lack of identical accounts across both systems in order to do this.  If BE just used stored user credentials this would be so much easier instead of the direct account login requirements.

Operating Systems:

Comments 8 CommentsJump to latest comment

CraigV's picture

...why not just use SQL Express that ships with BE 2012?

Alternative ways to access Backup Exec Technical Support:

https://www-secure.symantec.com/connect/blogs/alte...

brentil's picture

The policies these machines are required to run under dictates that DB servers must exist on their own server away from all other applications.  They must also be versions of the DB software that is Common Criteria certified and contains the full auditing features as well which for MS-SQL are the Enterprise/Datacenter editions. 

This is a small group of machines and in order to have a domain controller would require an inordinate amount of configuration and paperwork as well as re-accreditation just for this single need.

CraigV's picture

...makes sense...it would be easier at the end of the day to use SQL Express locally on the BE server, but if you don't come right here, log a call with Symantec and post the feedback here. yes

Thanks!

Alternative ways to access Backup Exec Technical Support:

https://www-secure.symantec.com/connect/blogs/alte...

VJware's picture

I haven't actually tested this type of config..However, would you confirm few things.

Is the SQL instance on the remote server running under local system account ?

Is the Backup Exec account given 'sysadmin' rights on the SQL server/instance ?

Does the Backup Exec have explicit, full permissions over the SQL registry keys under HKLM - Software - Microsoft ?

brentil's picture

Is the SQL instance on the remote server running under local system account ?

It's running as Network Service SQL 2008 R2 generated accounts within the created Groups.

Is the Backup Exec account given 'sysadmin' rights on the SQL server/instance ?

Yes it is.  The account exists on both systems and is both a local administrator and a SQL sysadmin.

Does the Backup Exec have explicit, full permissions over the SQL registry keys under HKLM - Software - Microsoft ?

The local user account they both run under does but I'll have to investigate further if the security requirements have blocked access to that or not remotely.

VJware's picture

And change the SQL service to run under a local system account as well.

brentil's picture

I can do that but it would need to be a completely unique user accounts per service without any type of admin permissions.

Colin Weaver's picture

I very much doubt we have done any testing of what you have asked for (and have therefore not designed Backup Exec to be able to do it)

Basically the services used by Backup Exec have credentials defined against them, these credentials are used (possibly as backround passthrough) to authenticate into SQL. If there is no domain and no trust in place and the instance is not local to the same server that is running BE then I am not sure you will be able to connect.

BTW having the SQL instance remote adds to the complexity of the recovery of your media server in the event of a disaster. Also I hope you still have the BEDB located in a unique SQL instance and not shared with other applications. We strongly recommend a separate instance for production databases because of complexity recovering databases into the same instance as an active BEDB and because from time to time a BE database service restart might be needed and you won't be able to do it if a production database is in the same instance.

 

I have a feeling you are going to have to have an exception for your backup server to allow SQL to be local to the server (although it can still be a full version of SQL instead of the express edition if you want.)