Having trouble running log shipping from one domain to another domain

Trying to log ship from one domain to another domain with a one-way trust. Trust is from the source domain to the target domain. I have set the SQL Backup Agents to use same name/password accounts in their respective domains. I wanted to use the target domain account in the source domain to run log shipping, but that account is not able to perform backups. Errors:

Error 880: BACKUP DATABASE permission denied in database: (Name of database)

SQL error 15404: Could not obtain information about Windows NT group/user 'name of target domain\name of matched service level account running SQL Backup Agents', error code 0x5.

Answers

  • squigley Posts: 173 Gold 1
    edited January 8, 2020 11:24PM
    Good Morning!

    Thanks for your inquiry and sorry to hear about your issue with SQL Backup.

    The basic problem with configuring log shipping between servers located in two separate domains is that the SQL Backup Agent service on both the source and destination servers needs security permissions on the network share to be able to write, read and move files on the share. Your issue might be the result of the trust only going one way.

    You should be able to work around this by following the directions below from the SQL Backup permissions documentation:

    Working with servers on different Windows domains

    If you are working with servers which do not participate in the same Windows domain, you can still use SQL Backup Pro to work with them as usual by setting up "matching accounts". This will be necessary if you want to copy backups to a locked down network share on a different Windows domain, or set up log shipping between servers on different domains.

    1. Create accounts on each machine with identical user names and passwords.
    2. Set the SQL Backup Agent service to log in to the SQL Server using the account created in step 1, using the sqbsetlogin extended stored procedure. For more information, see Changing the authentication mode above.
      When log shipping, the SQL Backup Agent on both SQL Servers must log in using the matched account.
    3. Give the account on the other domain access permissions to the relevant locations.

    Let me know if trying the above helps you out.

    Sean Quigley | Product Support Engineer | Redgate Software

    Have you visited our Help Center?
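The three steps above boil down to a small number of facts that can be checked on each server before configuring log shipping: which account the SQL Backup Agent service logs on as, whether the matched account resolves to a SID on this host (error 15404 with code 0x5 is what SQL Server reports when that translation fails for a principal from a non-trusted domain), and whether the share ACL grants that account the rights needed to read, write and move files. The PowerShell below is an added diagnostic, not Redgate's code or part of the original thread; it assumes the agent's Windows service is named `SQLBackupAgent` (default instance), and the share path and account name are placeholders to replace with your own.

```powershell
# Added diagnostic for the "matching accounts" setup; not part of Redgate SQL Backup.
# Assumptions: the SQL Backup Agent service is named 'SQLBackupAgent' (default
# instance), and the two values below are placeholders for your environment.
param(
    [string]$SharePath      = '\\DRSERVER\LogShipping',    # placeholder: log shipping share
    [string]$MatchedAccount = 'TARGETDOMAIN\sqlbackupsvc', # placeholder: matched account
    [string]$ServiceName    = 'SQLBackupAgent'             # assumed default-instance service name
)

# 1. Which account does the SQL Backup Agent service actually log on as?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name = '$ServiceName'"
if (-not $svc) {
    Write-Warning "Service '$ServiceName' not found on this host"
} else {
    "Service '$ServiceName' logs on as: $($svc.StartName)"
}

# 2. Can this host translate the matched account to a SID? If this throws, SQL Server
#    will fail the same lookup and report error 15404 / 0x5 for that account.
try {
    $sid = (New-Object System.Security.Principal.NTAccount($MatchedAccount)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    "Account '$MatchedAccount' resolves to SID $($sid.Value)"
} catch {
    Write-Warning "Account '$MatchedAccount' cannot be resolved from this host: $($_.Exception.Message)"
}

# 3. Is the share reachable, and does its NTFS ACL mention the matched account or the
#    agent's logon account? Log shipping needs read, write and delete (Modify) rights.
if (Test-Path -LiteralPath $SharePath) {
    $wanted = @($MatchedAccount, $svc.StartName) | Where-Object { $_ }
    $acl = Get-Acl -LiteralPath $SharePath
    $hits = $acl.Access | Where-Object { $_.IdentityReference.Value -in $wanted }
    if ($hits) {
        $hits | Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
            Format-Table -AutoSize
    } else {
        Write-Warning "No ACL entry on '$SharePath' for $($wanted -join ', ')"
    }
} else {
    Write-Warning "Share '$SharePath' is not reachable as $env:USERDOMAIN\$env:USERNAME"
}
```

Run it once on each server that takes part in log shipping. Note that step 3 tests reachability as the interactive user running the script, not as the service account, so a reachable share here only confirms the path and the ACL entries; the service logon account reported in step 1 must itself appear in (or be a member of a group in) the listed entries.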





  • bolingerm Posts: 10 Bronze 2
    Thanks Sean for your reply. I was able to find and follow: 

    https://forum.red-gate.com/discussion/10801/permission-denied

    This worked, but I was surprised that I needed to edit the Registry and that this is not managed in the application by now with appropriate permissions. I think the log shipping documentation should provide better direction when another domain is in use; I would have thought it common to ship to another domain.

  • squigley Posts: 173 Gold 1
    Good Morning!
    Glad to hear that you were able to work around the issue. I'll pass your feedback regarding the documentation over to the relevant teams as well.

    Thanks and hope you have a great rest of your week!

    Sean Quigley | Product Support Engineer | Redgate Software

    Have you visited our Help Center?





  • I have a one-way trust from the source domain to the target domain, and the target domain does not trust the source domain. I was able to create backups on the source domain using the target domain account but am now stuck with log shipping not working ('file not found' when creating log shipping jobs in the Redgate Backup GUI). When log shipping from one domain to another domain, should I create the log shipping job on the source server (instead of the target DR server) and use a local domain account on the source server and have the source server run the Redgate GUI log shipping task, or use the remote (target DR) domain account to run the Redgate Backup GUI (on the source server)? I think the source server should be running the Redgate log shipping job using an account on the target server domain that also has folder access (same service level account name and password as on the source domain), as there is no trust from the target domain back to the source domain.

  • I have also tried setting regedit values for AllowSQLBrowsing and BrowsingUserList on the source server (added both domain accounts to BrowsingUserList) and the Redgate Backup GUI still indicates 'folder not found'.

  • bolingerm Posts: 10 Bronze 2
    Working now after rechecking the Windows service accounts and making the change for Redgate Backup to use the 'matched account' for both domains.