log shipping accounts and permissions

  • Our sysadmin is setting up log shipping and has configured it to use these 2 accounts:

    NT Service\MSSQLSERVER

    NT Service\SQLSERVERAGENT

    When he attempts to grant read/write to these 2 accounts, he's unable to find them. To get it to work, he's granting read/write to Everyone.

    Are these 2 accounts under another name?

  • Hi,

    Is your account able to see every other account? I think only a sysadmin can see every account.

    And these 2 accounts should exist on every SQL Server. Please check the permissions of your account.

    Kind regards,

    Andreas

  • Hello Andreas - the sysadmin was the one that was helping with the setup and he couldn't find the accounts to grant the share permission.

    And yes, both accounts are on every instance. I believe this is the default.

  • Hm,

    your "sysadmin" was not able to find these accounts. And he was not able to create them?

    Strange, I hope he knows what he is doing.

  • You need to access UNC paths.

    Ensure that the services are actually running as domain accounts, then grant the domain service accounts/MSAs/gMSAs access to the UNC paths.

    The two virtual service accounts NT SERVICE\MSSQLSERVER and NT SERVICE\SQLSERVERAGENT are only visible locally to the machine and not to the wider network.

  • @Ant-Green, so the permission should be granted to a domain service account and not to the 2 virtual service accounts? Thanks

  • SQL needs to be running as an actual account, not NT SERVICE, so open SQL Config Manager and check what the services are running as.

    Then, if they are not domain accounts, set up the services to run as domain service accounts; then you can grant permissions on the UNC shares in log shipping to those accounts, and then you can revoke Everyone.

  • Got it, thanks @Ant-Green.
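
The steps described in the thread (check what the services run as, grant the domain service accounts access to the share, then revoke Everyone), as an added example that is not from any of the posts. The share name `LogShip`, the folder `D:\LogShip` and the `CONTOSO\svc-*` accounts are placeholders, and the function names are hypothetical.

```powershell
# Added example, not from the thread. Share, folder and account names are placeholders.

function Get-SqlServiceAccount {
    # Run on the SQL Server host. Shows the logon account of the default-instance
    # services (the same value SQL Server Configuration Manager displays) and flags
    # accounts that exist only on the local machine.
    Get-CimInstance -ClassName Win32_Service -Filter "Name='MSSQLSERVER' OR Name='SQLSERVERAGENT'" |
        Select-Object Name, StartName, State,
            @{ Name       = 'LocalOnly'
               Expression = { $_.StartName -match '^(NT Service\\|NT AUTHORITY\\|LocalSystem$)' } }
}

function Set-LogShippingShareAccess {
    # Run on the machine that hosts the log shipping share.
    param(
        [Parameter(Mandatory)] [string]   $ShareName,
        [Parameter(Mandatory)] [string]   $FolderPath,
        [Parameter(Mandatory)] [string[]] $ServiceAccount
    )

    foreach ($account in $ServiceAccount) {
        # Share-level read/write, then NTFS Modify inherited by files and subfolders.
        Grant-SmbShareAccess -Name $ShareName -AccountName $account -AccessRight Change -Force | Out-Null
        icacls $FolderPath /grant "${account}:(OI)(CI)M" | Out-Null
    }

    # Remove the Everyone grants only after the explicit grants are in place.
    Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null
    icacls $FolderPath /remove:g Everyone | Out-Null

    # Return the resulting share ACL for review.
    Get-SmbShareAccess -Name $ShareName
}

# Step 1 (SQL Server host): confirm the services run as domain accounts.
$svc = Get-SqlServiceAccount
$svc | Format-Table -AutoSize
if ($svc.LocalOnly -contains $true) {
    Write-Warning 'A service runs as a local-only account; change it in SQL Server Configuration Manager first.'
}

# Step 2 (share host): grant the domain accounts, then drop Everyone.
# Set-LogShippingShareAccess -ShareName 'LogShip' -FolderPath 'D:\LogShip' `
#     -ServiceAccount 'CONTOSO\svc-sqlengine', 'CONTOSO\svc-sqlagent'
```

Review the `Get-SmbShareAccess` output before the next backup, copy or restore job runs, so a missing grant shows up as a job failure you expect rather than one you have to trace.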
