August 11, 2005 at 2:08 am
In the past when setting up new SQL Servers we have created a new Domain Account and Exchange Account and used these for running the SQL Server service and SQLAgent services.
So now we have approx 20 Domain & Exchange Accounts. I'm now wondering if this is necessary, i.e. would it be better to have just one Domain & Exchange Account and use this account for all of our SQL Servers. I'm not quite sure how we would deal with the Exchange side of things here as I don't think we would know which server the SQLAgent alert came from.
Would be interested to hear other people's experiences/views on this, thank you in advance.
August 11, 2005 at 7:43 am
My thoughts for what they're worth...
There are two ways of looking at this. On the one hand, you have 20+ accounts to manage. This means that, for instance, if you have someone leave the company that had access to these accounts, you'd need to change each and every password and communicate that information to anyone else that needed it.
On the other hand, if you 'centralize' the service accounts this makes maintenance much easier but you can have problems with all of your instances if there's a problem with the single account (i.e. lockouts, password expiration, etc.). Therefore what would have been a problem for only one of your servers before has now been globalized. Believe it or not, we have had instances where someone was doing maintenance and inadvertently deleted a bunch of active logins. That's one reason why I tend to keep my installations separate. But then again I'm not dealing with the number of servers that you have.
My hovercraft is full of eels.
August 11, 2005 at 7:52 am
I would suggest grouping your SQL Servers and having one account per group. For example, you could use one account for all Development Servers, one account for Test Servers, and one account for Servers not accessible to Internet/external users. Of course you may retain separate accounts for sensitive production servers. This way you can reduce the maintenance work.
M.S. Reddy
August 11, 2005 at 12:07 pm
M.S. Reddy makes an excellent point. I have several systems with different credentials for the Production and Development environments. This forces me to think for an extra moment or two about which environment I'm logging onto before doing maintenance, applying upgrades, etc.
My hovercraft is full of eels.
August 12, 2005 at 1:08 pm
Most of the potential issues raised (management, locked out accounts, security, etc.) are really no-brainers when one sits down and plans a bit. Every site I've been at for the last decade has used one domain account for SQL Server and another domain account for the SQL Agent. Just make sure that your Windows Admin sets 'password never expires', 'not allow the user to change the password', and 'not allow these service accounts the ability to log in interactively'. Then you have your Windows Admin (via AD) limit which servers these accounts can access to ONLY the SQL servers. Once all of this is complete you can change the services via Computer Management - Services. Then all you are left with is a mundane implementation plan to stop and restart the services on each server.
Regards
Rudy Komacsar
Senior Database Administrator
"Ave Caesar! - Morituri te salutamus."
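One way to audit the account settings listed in the post above, as an added example that is not part of the original thread. The account names, server names and the function name `Test-ServiceAccountHardening` are hypothetical, and the sample objects are constructed so the check runs without a domain.

```powershell
# Added example: checks service accounts against the settings named in the thread.
# Input objects need the properties Get-ADUser returns when asked for
# PasswordNeverExpires, CannotChangePassword and LogonWorkstations.
function Test-ServiceAccountHardening {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        [Parameter(Mandatory)] [string[]] $AllowedServers
    )
    process {
        $findings = @()
        if (-not $Account.PasswordNeverExpires) {
            $findings += 'password can expire (services stop at expiry)'
        }
        if (-not $Account.CannotChangePassword) {
            $findings += 'account may change its own password'
        }
        # LogonWorkstations is a comma-separated list; empty means any computer.
        $stations = @("$($Account.LogonWorkstations)".Split(',') |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($stations.Count -eq 0) {
            $findings += 'no logon workstation restriction'
        } else {
            $extra = @($stations | Where-Object { $_ -notin $AllowedServers })
            if ($extra.Count -gt 0) {
                $findings += "allowed on non-SQL hosts: $($extra -join ', ')"
            }
        }
        [pscustomobject]@{
            Account   = $Account.SamAccountName
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings -join '; '
        }
    }
}

# Constructed sample data (placeholders, not from the thread).
$sqlServers = 'SQLPROD01', 'SQLPROD02'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-sqlengine'; PasswordNeverExpires = $true
        CannotChangePassword = $true; LogonWorkstations = 'SQLPROD01,SQLPROD02' }
    [pscustomobject]@{ SamAccountName = 'svc-sqlagent'; PasswordNeverExpires = $true
        CannotChangePassword = $false; LogonWorkstations = 'SQLPROD01,FILESRV09' }
)
$sample | Test-ServiceAccountHardening -AllowedServers $sqlServers | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter "SamAccountName -like 'svc-sql*'" -Properties PasswordNeverExpires,
#   CannotChangePassword,LogonWorkstations | Test-ServiceAccountHardening -AllowedServers $sqlServers
```

The interactive-logon restriction is a user right ("Deny log on locally" in Group Policy), not an attribute of the account, so it has to be checked in the policy applied to the servers.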