
SMSP in a DMZ architecture with different domains without trust relationship??


Hello everybody,

We would like to know if this SMSP architecture is possible:

- In a DMZ environment (with domain nº 1)

  • 1 WFE (SMSP Control and Member Agent)
  • 1 Index (SMSP Media and Member Agent)

- In the Intranet environment (with domain nº 2)

  • 1 SQL2005 in cluster (SMSP Manager and Member Agent)

The two domains do not have a trust relationship. For this reason, we use two different SMSP domain accounts (one for domain nº 1 and a different one for domain nº 2):

- Privileges for the domain account nº 1 --> Farm administrator, local admin on the WFE and Index Server.

- Privileges for the domain account nº 2 --> Local admin on the SQL Server cluster and SQL privileges: sysadmin, processadmin, DBOwner for all SharePoint databases, security admin and view server state.

After a lot of communication problems, all the agents seem to communicate correctly.

Problem:

- When we try to run the Backup Builder, we can't discover any information. After waiting for a few minutes, the process ends with the message "An error ocurred while loading the tree".

Reviewing the events on the WFE (where the Control Agent is, as I said), these messages appear after an information message that says "begin farm discover":

* Exception happened when updating meta-data

It repeats several times and then the error appears on the SMSP Console GUI.

We suppose that the problem is related to the lack of "view Server state" permission on the domain nº 1 SMSP account.

Does anyone know if this environment is supported? Could it be possible to manage two different domain accounts in this situation?

Any information or suggestion will be welcome.

Thanks in advance and best regards.

Re: SMSP in a DMZ architecture with different domains without trust relationship??

I am trying to confirm if the problem is with the lack of permissions in MS SQL.

A workaround would be to set up a WFE on the intranet with Central Administration installed that is not used by end users and an SMSP Control Agent installed using credentials that have permissions in MS SQL.

Thanks,
Mark

Re: SMSP in a DMZ architecture with different domains without trust relationship??

I just confirmed what you were suspecting as the issue being related to the service account on the WFE in the intranet needing view server state permissions in SQL.

For the control agent on the WFE in the DMZ, the service account needs SharePoint Farm Administrator rights, Local Administrator rights on the WFE, and View Server State permissions on the SQL server.

For the member agent on the SQL in the intranet, the service account needs SQL sysadmin permissions to the SharePoint databases and local administrator rights on the SQL server.

The workaround of putting a WFE in the intranet is one way to support this architecture.

Thanks,
Mark
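
One way to verify, on the SQL Server instance, the server-level rights listed in the reply above (an added example, not part of the original thread and not vendor code). The two login names are placeholders; the query uses only SQL Server 2005 catalog views and reports explicit grants, so rights inherited through a Windows group will not show up.

```sql
-- Added example: audit the server-level rights named in the thread.
-- Run on the SQL Server instance as a login allowed to read server metadata.
-- Login names are PLACEHOLDERS; replace them with your own service accounts.
DECLARE @logins TABLE (login_name sysname PRIMARY KEY);
INSERT INTO @logins VALUES (N'DOMAIN1\smsp_control');  -- placeholder: control agent account
INSERT INTO @logins VALUES (N'DOMAIN2\smsp_member');   -- placeholder: member agent account

SELECT
    l.login_name,
    -- A NULL principal means the account has no login on this instance at all.
    CASE WHEN p.principal_id IS NULL
         THEN 'no login on this instance'
         ELSE p.type_desc END AS login_status,
    -- Explicit GRANT (G) or GRANT WITH GRANT OPTION (W) of VIEW SERVER STATE.
    CASE WHEN EXISTS (
             SELECT 1
             FROM sys.server_permissions sp
             WHERE sp.grantee_principal_id = p.principal_id
               AND sp.class = 100                          -- server scope
               AND sp.permission_name = N'VIEW SERVER STATE'
               AND sp.state IN ('G', 'W'))
         THEN 1 ELSE 0 END AS view_server_state_granted,
    -- An explicit DENY (D) overrides a grant for non-sysadmin logins.
    CASE WHEN EXISTS (
             SELECT 1
             FROM sys.server_permissions sp
             WHERE sp.grantee_principal_id = p.principal_id
               AND sp.class = 100
               AND sp.permission_name = N'VIEW SERVER STATE'
               AND sp.state = 'D')
         THEN 1 ELSE 0 END AS view_server_state_denied,
    -- sysadmin members hold every server permission, VIEW SERVER STATE included.
    CASE WHEN EXISTS (
             SELECT 1
             FROM sys.server_role_members rm
             JOIN sys.server_principals r
               ON r.principal_id = rm.role_principal_id
             WHERE rm.member_principal_id = p.principal_id
               AND r.name = N'sysadmin')
         THEN 1 ELSE 0 END AS is_sysadmin_member
FROM @logins AS l
LEFT JOIN sys.server_principals AS p
       ON p.name COLLATE DATABASE_DEFAULT = l.login_name COLLATE DATABASE_DEFAULT
ORDER BY l.login_name;
```

A row with `login_status = 'no login on this instance'` for the DMZ account is the case the thread describes: without a trust relationship the intranet SQL Server cannot resolve that domain's account, so no permission can be granted to it.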

Re: SMSP in a DMZ architecture with different domains without trust relationship??

Hello people,

Would it be possible, when trying to run the Backup Builder from the WFE in domain number 1, to add a checkbox (or similar) to use an alternative user from another domain, or a service account (in the other intranet domain, number 2), with the right credentials, in order to be able to run the Backup Builder?

Thanks

Re: SMSP in a DMZ architecture with different domains without trust relationship??

Javier,

I will pass your request on to the engineering team.

Thanks,
Mark