Can multiple administrator servers exist in single domain of Weblogic server - weblogic

Can anyone tell me whether multiple administrator servers can exist in a single WebLogic domain or not? If yes, then how does the managed server decide which administrator server is used for startup confirmation?

The answer is definitely NO. There is exactly one admin server per domain.

Related

Does Azure SQL Database firewall automatically allow VM's in the same Resource Group?

Using Azure Resource Manager.
I have an Azure SQL Database resource, and even when I delete all "allow" firewall (on the sql server's blade) rules, my VM is still able to query the SQL DB.
EVEN when I set "Allow Access" to no for the ip address of the VM, I can still query the DB. How??
Is this because Azure automatically allows resources in the same Resource Group to access it? Even without explicit Firewall allow rules?
Under the Firewall section of the SQL Server blade, there's a switch called "Allow access to Azure services". Having this on will allow any Azure resource to get through the firewall (they will still need your username and password of course to actually access the server). This includes Azure resources on other people's subscriptions. See this answer.
I had this turned on and that's why my firewall settings made no difference for my VMs.
Not exactly sure what's happening with your specific situation, security-wise, but Resource Groups have nothing to do with it. Resource Groups help organize resources within a single container, where you can manage those resources better (e.g. add users to the Resource Group without adding them to the rest of your subscription). They don't play a role in communication between Azure services.
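The effect of the "Allow access to Azure services" switch described above can be checked from an exported rule list. This is an added example, not code from the original posts: it assumes the server-level rules were exported as JSON (the shape produced by `az sql server firewall-rule list`), relies on the switch being stored as a rule whose start and end address are both 0.0.0.0, and ignores database-level and virtual network rules. The function names, sample rules and IP addresses are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample, shaped like the output of `az sql server firewall-rule list`.
SAMPLE_RULES = json.loads("""[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "office", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"}
]""")


def _bounds(rule):
    return (ipaddress.ip_address(rule["startIpAddress"]),
            ipaddress.ip_address(rule["endIpAddress"]))


def is_azure_services_rule(rule):
    """The portal switch is stored as a rule whose start and end are both 0.0.0.0."""
    start, end = _bounds(rule)
    return int(start) == 0 and int(end) == 0


def explain_access(rules, client_ip, client_in_azure):
    """List the server-level rules that let this client reach the login prompt."""
    ip = ipaddress.ip_address(client_ip)
    reasons = []
    for rule in rules:
        start, end = _bounds(rule)
        if is_azure_services_rule(rule):
            if client_in_azure:  # matches any Azure-hosted source, any subscription
                reasons.append(rule["name"] + ": Allow access to Azure services is on")
        elif start <= ip <= end:
            reasons.append(f"{rule['name']}: explicit range {start}-{end}")
    return reasons


def broad_rules(rules, max_addresses=256):
    """Names of explicit rules spanning more addresses than max_addresses."""
    names = []
    for rule in rules:
        start, end = _bounds(rule)
        if not is_azure_services_rule(rule) and int(end) - int(start) + 1 > max_addresses:
            names.append(rule["name"])
    return names


if __name__ == "__main__":
    vm_ip = "198.51.100.7"  # constructed VM address, covered by no explicit range
    print(explain_access(SAMPLE_RULES, vm_ip, client_in_azure=True))      # switch on
    print(explain_access(SAMPLE_RULES[1:], vm_ip, client_in_azure=True))  # switch off
```

An empty list from `explain_access` means no server-level rule admits the client; a non-empty list names the rule to remove or narrow.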

Could not access the SSO database During biztalk runtime Configuration

I'm trying to test a migration of moving a BizTalk SQL Server from one server to another. Here are the details.
Currently it was all on a single server in a dev environment, BizTalk SQL, SSO and BizTalk runtime all on one server. It is a Windows 2008 R2 server with SQL Server 2008 R2.
What I want to do is split out the SSO Master secret server and BizTalk databases to a Windows Server 2012/SQL Server 2012 setup. So far I got SSO all setup on the new SQL server. I configured just the SSO portion on that server and all went well.
I then unconfigured the existing BizTalk Runtime and then went to configure again, using the new Windows/SQL Server/SSO in the configuration process.
All goes well up to the point where it tries to configure the BizTalk runtime. That being said, all the databases are created, SSODB, BizTalkMessageBoxDb, all of them. But when it goes to configure BizTalk Runtime, it hangs for a while and several of the following errors show up in both of the servers' logs:
Could not access the SSO database. If this condition persists, the SSO service will go offline.
Timeout expired. The timeout period elapsed prior to completion of the operation or the server is not responding..
SQL Error code: 0xFFFFFFFE
It shows up in the SQL/SSO server's logs first, then the Runtime server a few seconds later. Eventually the configuration times out and fails. I believe it's permissions related, but I can't seem to figure out what it would be.
Questions:
what permissions do I need to review?
would the fact that the new server is Windows 2012/SQL 2012 while the runtime server is Windows 2008 be an issue?
is there any way I can get more details on this error?
Edit to add both DTCPing and DTCTester pass with flying colours and I can connect to SQL via SSMS from the server. Firewall has been completely disabled for now in order to eliminate that as well.
How were your service accounts configured in the first environment? Typically a single DEV environment with everything on one box can be done by using a local account on that server. If you now split out your SSO onto another server (it doesn't matter if it's W2K12 instead of W2K8), you are going to have to switch your service account(s) and groups for BizTalk to Domain accounts.
In a multicomputer environment, BizTalk Server supports only domain groups and domain service accounts. Domain groups include Domain Local groups (not recommended), Global groups, and Universal groups. Built-in accounts such as NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\SERVICE, NT AUTHORITY\SYSTEM, and Everyone are not supported if you want to configure BTS in a multicomputer environment.
Make sure your SSO is running as a domain account, and a member of an SSO Administrators domain group - and ensure this domain account/group combo is configured for the SSO system on the SQL server (instead of local accounts):
After that the SSO system you join from the BizTalk Server before configuring the runtime on BizTalk Server usually needs to be configured with the same domain service account for SSO:

Creating Weblogic domain with Admin Server and managed servers on different machines

I am trying to create a WebLogic domain where the Admin Server and managed servers are on different machines. However, I am unable to find any steps which would allow me to do so. The config.sh script always creates an Admin Server. Please help.
It is possible to create managed servers/clusters as well at the time of the domain creation itself, at least using the 'Graphical Mode' config.sh wizard.
If for some reason you are not getting the graphical wizard when config.sh is invoked try checking your DISPLAY variable.
Also check the Oracle doc for reference.

LDAP test environment

What's the best way to develop with LDAP without having a connection to the productive LDAP server? Can you recommend some software?
Thanks
I'd say a test instance of OpenLDAP :)
If you're more into the Microsoft space, you could also check out:
Active Directory Lightweight Directory Services (AD LDS)
which is a Windows service based subset of the full AD. You can spin up multiple instances of AD LDS and since it's a Windows service, you can also turn it off when no longer needed.
It depends on what kind of LDAP server you have in production. Usually it's a question "AD or not AD?"
If your production server is AD then it would be either a virtual machine with a domain controller or a local instance of AD LDS (formerly ADAM).
If your production server is a generic LDAP server then there is a wide set of options. These days I would use a virtual machine with any Linux and OpenLDAP or/and Fedora Directory Server, or a local instance(s) of ApacheDS or OpenDS.
If you do not want to install/host/configure a Microsoft Server with Active Directory, you can use the following for LDAP testing purposes:
https://documize.github.io/ad-ldap-test-server/
Try
https://github.com/Upekshe/simple-ldap-server
It's running a Node.js server, highly configurable, supports both ldap and ldaps
Dockerized version
https://hub.docker.com/r/upekshejay/simple-ldap-test-server

Using Domain Administrator account for SQL Server

Is it wise to use Domain Administrator as a SQL Windows Authentication log-in?
No. Local admin, perhaps, yes: never domain admin.
For example, xp_cmdshell would allow complete control over AD and your environment. CLR code could do the same. Although these are disabled by default, you can't rely on that to protect your entire network.
Edit:
Logging in as a user as domain admin is no different to using Exchange or similar with the same account. For SQL Server, no extra rights are conferred or implied because all permissions are defined within SQL Server.
So if you only have a "SQL Server Admin" group as sysadmin, and the domain and local admins are not in this group or set up as logins, then they get normal user rights as per their login. Or they can't even connect.
Of course, as domain or enterprise admins they could just add themselves to the "SQL Server Admin" group... but this requires an extra step and restricts your sysadmin to the correct admin group.
After all, you wouldn't let me as SQL God near your Exchange server...
I think some of the posts have assumed you mean to run the SQL Server service under a domain administrator account (which I agree, would be a security hole), but as you have said in your clarification, it is just to log in to do stuff against the database, I don't see a problem with it....As long as the user in question (I'm guessing it's you here), knows not to drop the production database etc.!
Certain things you need to do against an install require DBA privileges; if you acquire those by being a domain admin, then what difference does it make?
a. If you have no security problems, then it doesn't matter.
b. If you are connected to the internet, you shouldn't. Someone can attack your domain using holes in SQL code if the app you're using uses the domain admin authentication, or if someone gets access to your administration machine.
c. There is no linkage between domain admin and SQL Server admin, so why do it?
Just to be clear: it is not wise!
In my opinion, I wouldn't use an Administrator account for anything management related (that's my Linux background telling me that root accounts shouldn't be used).
It depends a lot on, well, your size and security practices. It does show a security risk, but whether it is wise or not depends on the rest of the setup.