adding server in untrusted domain with firewalling

Hello,

I want to add a managed SQL Server in a untrusted Domain. Between both domains a firewall is active.
A Connection test at the end of "Add Servers" wizard fails.

I can ping the target machine from diagnostic Manager Server, tcp port is open. MSMS on diagnostic Manager server connects successfully to target machine.
Used SQL Login has sysadmin rights. Anything else I missed to configure for successfully manage this Server?
Are there any logfiles written while connection test?

thanks a lot

  • As far as I know, there are log files in "%LOCALAPPDATA%\Idera\SQLdm\Logs". You can read them with the TracerX.exe found in the SQLdm program directory.

    Do you collect OS Data? If yes, try to register the Server without OS Data, as I had some funny experiences with Kerberos and firewalls and non trusted domains.

    Another option to collect OS data would be to register the server with the plain IP-Address,TCP-Port instead of the real server name. This sometimes changes the authentication method (Kerberos/NTLM).
  • In reply to Dan K:

    thank you for these informations!

    I do not collect os data but Kerberos SPNs are registered. But even without os data no Connection is made. I can add the Server to dm, in SQLdmManagementService log I get entrys like this:

    "
    Inner Exception type: System.Data.SqlClient.SqlException
    Message: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)
    Source: .Net SqlClient Data Provider
    "

    So diagnsotic manager used named pipes to communicate with this Client. Is this a standard behavior?
  • In reply to MM1:

    I remember having some issues in the past with certain servers. The workaround that worked, was creating a SQL Client Alias on the server where the SQLdm collection service is installed. You can do that with the cliconfg.exe.

    Instead of the DNS-Name you may also enter an IP-Address.

    Be aware that there are 2 cliconfg.exe, one for 32-bit and one for 64-bit (default). If you have the 32-bit Version of SQLdm installed you need the one from SysWOW64.

  • In reply to Dan K:

    thank you for sharing this.
    I created an alias, sadly no luck. But I figured out that port 1433 on dm database server is not reachable from client host. So I still have a firewalling Problem. I hope next week the rules are set up and I can connect to the client..
  • In reply to MM1:

    short Feedback: after a looong time waiting for Change implementation now 1433 and 1434 are open between both Hosts and Monitoring SQL instance and os metrics works wonderfull. Maybe something was not set up proper within firewalling
  • In reply to MM1:

    Glad to hear it.