August 16, 2004 at 9:34 am
We recently enabled auditing of failed logins on all our SQL 2000 servers. On a few of them, we keep getting the following message whenever a Windows NT backup runs:
]DATE/TIME: 8/16/2004 9:40:14 AM
DESCRIPTION: 18456
Login failed for user 'NT AUTHORITY\SYSTEM'.
COMMENT: (None)
JOB RUN: (None)
Any ideas why this would keep happening? The backup is running under an account that has sysadmin privileges within SQL Server. I just need some more info on this.
Thanks!
John
August 18, 2004 at 12:33 am
Is that error message appearing in the Windows Event Log , or in SQL Server's SQL Log?
Are you using the Microsoft Backup included in Windows (NTBACKUP.exe)? or a 3rd party program (like VERITAS with SQL agent)?
How do you execute the backup? from a batch file? do you have any steps defined to do something to SQL Server before the nt backup occurs?
At first hand it looks like a permissions issue, which begs the question, NT or 2000 OS? in a domain or not?
Julian Kuiters
juliankuiters.id.au
August 18, 2004 at 6:03 am
The message is in both the windows event log & sql log. We are using the NTBackup.exe and it is doing purely a windows backup. A scheduled task fires a bat job which fires the ntbackup.exe. It doesn't have any steps to do something to SQL Server before the nt backup occurs. This is happening on our Windows 2003 servers which are inside a domain. I agree, I think it looks like a permission but I have no idea why the ntbackup would be trying to do something to SQL Server. I know that windows 2003 security is more tight than windows 2000 so maybe I am missing something there. We don't get this login failure on our Windows 2000 servers.
Thanks!
john
August 18, 2004 at 7:19 am
Could it be the way that Windows 2003 server uses shadow copy during a NT Backup? Could it be trying to make a copy of the database files why they are in use and that is when it causes the login failure? I will have to do a little research on shadow copy to see if that is what could be causing the login failure.
John
August 18, 2004 at 7:30 am
Did it happen only to Windows 2003? Do you use local system account or domain account to run SQL Server services? Is login BUILTIN\Aministrators in those SQL Servers?
August 18, 2004 at 7:38 am
Yes, it is only happening on our Windows 2003 servers. SQL Server is currently running under a domain admin account. I will be changing it to run under a normal domain account in the near future. I did remove the Builtin\Administrators group in SQL SErver.
I did some test runs with the backups. I disabled shadow copy on one of the runs and it did not produce the login failure. I am now going to try excluding the database & log files from the backup to see if that will correct it as well. I don't want to disable shadow copy if possible.
John
August 18, 2004 at 8:49 am
I excluded mdf,ndf & ldf files from being backed up under the advanced option and ran the backup. I received the same login failure. So it has to be related to the shadow copy. I did a search on google and found one post that gave me a link to a KBB that describes an issue with shadow copy & SQL SErver. It is not the exact same problem that we are experiencing but similar. The KBB article is 828481.
After doing some more investigating, it was the shadow copy trying to access the database files when the NT Backup was starting. I ended up disabling this feature using the following switch: /SNAPFF. I no longer receive the login failure alerts. If you think about it, why would you need to use shadow copy on a database server? It doesn't really make sense.
John
August 18, 2004 at 6:06 pm
Shadow copy lets you backup those nasty .dll files and other files that are locked. Somewhat important for system state backups.
But obviously grabbing a sql database file off the disk mid transaction is just asking for trouble. Seems a problem specific to Windows 2003 and only when your database is not set to SIMPLE recovery. Odd. Didn't the NTBACKUP programmers know about SQL Server?
It makes sense thet excluding the mdf,ndf,ldf files isn't going to make shadow copy happy, it's a different service. A quick search shows theres no options to exclude files from shadow copy.
But yeah. Seems your only option is to not use shadow copy in this case.
Julian Kuiters
juliankuiters.id.au
October 14, 2004 at 12:47 pm
I'm having the same problem. I get it every couple of seconds. Anyone know why?
Viewing 9 posts - 1 through 8 (of 8 total)
You must be logged in to reply to this topic. Login to reply