March 11, 2011 at 10:15 am
Rudy,
That's what is so puzzling about this.
I am part of the Local Admin groups, but I sill can't access it.
At this point, I think the next option would be to nuke it and start over.
Thank you
March 11, 2011 at 10:34 am
Did you start the SQL Server in Single user mode, and are you connecting with the DAC connection?
March 11, 2011 at 11:58 am
jswong05 (11/5/2009)
David is smart. That is exactly right. http://support.microsoft.com/kb/937682How would this feature pass SOX audit? which is trying to control access.
This is one of many reasons why SOX compliance needs to include auditing actions by privileged users. Which anyone with sysadmin is. Although I wonder what user shows up in sql trace if you come in this way.
March 11, 2011 at 12:30 pm
Steve,
Yes, I actually tried using the DAC.
I had the impression that using the DAC or the command prompt are the same.
It is recommended to use the CMD becasue it is easier to ensure that you have only ONE connection, instead of the Studio Mgt that also opens the Object explorer, which already account for one connection.
I get another shot tonight and I will try to use the CMD prompt.
Thank you all
March 11, 2011 at 12:32 pm
DAC and command prompt are not the same. DAC can be used from Management Studio. If you have it open when you start up the instance, connect with "Admin:" and the server. Note that this usually must be used for a local connection. You cannot be on a remote workstation
http://voiceofthedba.wordpress.com/2010/12/28/getting-a-dedicated-admin-connection/
You can also use SQLCMD from a command prompt.
And you are starting SQL Server with -m, correct?
March 11, 2011 at 12:36 pm
Yes, I am starting SQL using the -m parameter, for single use.
I guess I'll give it another try tonight... I'll keep you guys posted.
March 11, 2011 at 1:11 pm
MiguelSQL (3/11/2011)
My windows ID is part of the Local Administrators GroupWhen I start the server in single mode, and I try to log in, I get the error:
Login Failed for user ". The user is not associated with a trusted SQL Server connection.
That sounds like your account might be in a different domain and that the trust between the two domains isn't working 100%.
I would try creating a local account on the server, add it to the local administrators group, then log on to the server using the local account and start SQL Server in single user mode. That way you take all the domain portions out of the picture. Once you have regained SA access you can just delete the local account.
March 11, 2011 at 1:13 pm
Good point. I think this will correct the problem you are having.
Rudy
Rudy
March 11, 2011 at 3:48 pm
SOLVE IT.
It is a problem with the domain trust.
So I created a local account, login using the LOCAL account, and was able to start SQL on single mode and connect using CMD.
Thanks all for your support.
PS: no idea how to solve that problem with the trust.
Now I added a Windows Group for all DBAs, but the DBAs can't connect to the server (get the trusted domain error) their account is not listed on the sysadmin group. Even though they are part of the Windows Group.
But that's another story for another post.
Miguel SQL
March 11, 2011 at 4:20 pm
MiguelSQL (3/11/2011)
SOLVE IT.It is a problem with the domain trust.
So I created a local account, login using the LOCAL account, and was able to start SQL on single mode and connect using CMD.
Thanks all for your support.
Glad we could help, and thanks for letting us know. (At least you should have the SA password now so you can get on to the server and look at/adjust things.)
PS: no idea how to solve that problem with the trust.
Your Windows Server/AD team will probably have to work on that, it is likely related to delegation and/or SPNs. It might end up being easier to join the server to the actual Domain you want, unless there is a reason for it to be different.
March 11, 2011 at 5:59 pm
Useful article - scary but useful! I didn't realise this was possible.
Also works on SQL 2008 R2 by the way...
March 12, 2011 at 1:20 pm
It is scary, but requiring local access mitigates it a little. It's a back door that's designed this way, specifically for the people that forget SA or have a rouge administrator. I wasn't thrilled with it at first, but it probably makes some sense to have this.
March 14, 2011 at 7:12 am
Yes, this is scary and I can' think of any other way to provide a safer back door. If you have ever worked on a SQL server who's DBA was let go or fired then you can see why this is a good thing.
Scary can be good.
Rudy
Rudy
March 14, 2011 at 7:46 am
If your windows accout dont have permission how will use sqlcmd and create login ?????/
March 14, 2011 at 8:27 am
Akkare (3/14/2011)
If your windows accout dont have permission how will use sqlcmd and create login ?????/
Akkare,
If you read the article carefully, you will see that by starting the SQL in Single Mode, every member of the Windows Administrators group becomes a sysadmin in SQL automagically.
Viewing 15 posts - 76 through 90 (of 97 total)
You must be logged in to reply to this topic. Login to reply