December 21, 2015 at 2:10 pm
I have a question about the SQL service and SQL Agent service accounts.
Usually I will create a domain account and use that as the SQL service account.
In most cases it is because the server has some jobs like SSIS that will use the SQL service account to access other servers to do ETL, so it is pretty reasonable to have it as a domain account.
But for some vendor products like Microsoft SCCM and SolarWinds, when I create the SQL Server account, since I think the SQL service account will not access resources on other servers, I thought I would just use the default Network Service account.
Or is it better to use a domain account even if it does not need to access resources on other servers?
The other reason is that when we create a service account in AD, it does need a license for each account, even if it is not expensive.
So I think if it is not necessary, then we do not need to create a domain account.
Correct?
Thanks,
December 22, 2015 at 11:55 am
I have a standard install for all of my SQL installations. My standard includes the service accounts for the engine, SSAS, SSIS, service account. Standard maintenance scripts, jobs, etc. Some servers of course need to deviate a bit, but they always start with the standard. This way, I always know how my servers are configured, and if I ever need to change something, I can do it as a blanket change.
For service accounts, I always recommend using domain service accounts. They should not be interactive accounts (not allow logon locally) and should just be domain users. If they need access to any network resources such as shares, do them individually or create an AD group if it's necessary, but you always want to keep the domain accounts with low-level domain access.
December 23, 2015 at 12:36 pm
Shouldn't the recommendation be to use a local server service account if it does not need access to network resources?
December 23, 2015 at 12:42 pm
Joe O'Connor (12/23/2015)
Shouldn't the recommendation be to use a local server service account if it does not need access to network resources?
That is my question too.
December 23, 2015 at 12:49 pm
I thought you had asked if you should use the Network service account, which would never be recommended.
for answering this question
December 23, 2015 at 1:24 pm
Joe O'Connor (12/23/2015)
I thought you had asked if you should use the Network service account, which would never be recommended. for answering this question
Thanks, that is good to know from reading the link you provided:
Any SQL Server services that runs on Network Service Account, can access network resources by using the credentials of the computer account. This account shows up as “NET AUTHORITY\NETWORK SERVICE” when configuring SQL Server Services.
December 23, 2015 at 2:33 pm
These days I use managed service accounts instead of regular domain accounts for SQL Server services.
As for local system account, it has a lot more privileges than are needed by SQL Server on the local box (https://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx).
December 23, 2015 at 2:57 pm
Robert klimes (12/23/2015)
These days I use managed service accounts instead of regular domain accounts for SQL Server services.
Thanks. The link you provided for managed service accounts also mentions the virtual account, which is NT SERVICE\ServiceName; that is also what I talked about in my posts above.
So does that mean a virtual account is not recommended either?
Thanks,
December 23, 2015 at 3:05 pm
December 24, 2015 at 2:50 pm
It would be helpful to know what version you are using. I've recently done some SQL Server 2014 installations and have found the managed service accounts to be wonderful. I'm not sure this is the first version, as I've skipped from 2008R2 to 2014, and I think I've read they are in 2012. Can't swear to that.
Their main limitation is that they access other servers with the machine account and they can't access resources outside the domain. In that case, domain accounts are probably the better option. Neither one of those is a concern for me.
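The account types compared in this thread can be told apart from a service's logon name. The following is an added example, not code from any poster: the function name `Get-ServiceAccountType`, the host `SQL01`, the domain `CORP` and all sample accounts are constructed, and the notes only restate points made in the posts above.

```powershell
# Added example (not from the thread): classify SQL Server service logon accounts.
function Get-ServiceAccountType {
    param(
        [Parameter(Mandatory)][string]$StartName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $name = $StartName.Trim()
    switch -Regex ($name) {   # -Regex matching is case-insensitive by default
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$' { return 'LocalSystem' }
        '^NT AUTHORITY\\NETWORK ?SERVICE$'     { return 'NetworkService' }
        '^NT AUTHORITY\\LOCAL ?SERVICE$'       { return 'LocalService' }
        '^NT SERVICE\\'                        { return 'VirtualAccount' }
        '\$$'                                  { return 'ManagedServiceAccount' } # heuristic: name ends in $
    }
    if ($name -notmatch '\\') { return 'Unknown' }
    $prefix = ($name -split '\\', 2)[0]
    if ($prefix -eq '.' -or $prefix -eq $ComputerName) { return 'LocalUser' }
    return 'DomainUser'
}

# Notes restating what the thread says about two of the built-in accounts.
$notes = @{
    LocalSystem    = 'more local privileges than SQL Server needs'
    NetworkService = 'reaches network resources as the computer account'
}

# Constructed sample rows shaped like Win32_Service output (Name, StartName).
$sample = @(
    [pscustomobject]@{ Name = 'MSSQLSERVER';    StartName = 'NT AUTHORITY\NETWORK SERVICE' }
    [pscustomobject]@{ Name = 'SQLSERVERAGENT'; StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'MSSQL$SCCM';     StartName = 'NT SERVICE\MSSQL$SCCM' }
    [pscustomobject]@{ Name = 'SQLAgent$SCCM';  StartName = 'CORP\svc-sqlagent$' }
    [pscustomobject]@{ Name = 'MSSQL$ETL';      StartName = 'CORP\svc-sql-etl' }
)
# On a real host, replace $sample with:
# Get-CimInstance Win32_Service -Filter "Name LIKE 'MSSQL%' OR Name LIKE 'SQLAgent%' OR Name = 'SQLSERVERAGENT'"

$sample | ForEach-Object {
    $type = Get-ServiceAccountType -StartName $_.StartName -ComputerName 'SQL01'
    [pscustomobject]@{
        Service = $_.Name
        Account = $_.StartName
        Type    = $type
        Note    = $notes[$type]   # empty when the thread raises no concern
    }
} | Format-Table -AutoSize
```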