May 5, 2015 at 5:05 am
Hi
I use these accounts for SQL Server services:
NT Service\MSSQLSERVER
NT Service\SQLSERVERAGENT
Can I configure and run AlwaysOn\HA
with these accounts?
Or is it necessary to use a domain user?
May 5, 2015 at 7:03 am
You should set up domain accounts. That's the preferred mechanism of managing SQL Server anyway.
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
- Theodore Roosevelt
Author of:
SQL Server Execution Plans
SQL Server Query Performance Tuning
May 5, 2015 at 10:46 pm
Thank you
But some say the "NT Service\MSSQLSERVER" is more securable for servers that work on internet.
What's your idea?
May 6, 2015 at 3:58 am
When in doubt, refer back to this book by Denny Cherry. Here's an article talking about it too. Read #7. With an AD account, you can set the minimum possible security needed. It's more work, but it's the right way to go.
May 8, 2015 at 9:11 am
MotivateMan1394 (5/5/2015)
But some say the "NT Service\MSSQLSERVER" is more securable for servers that work on internet
These are essentially local accounts, and unless you've configured certificate authentication you won't be able to use it in an AlwaysOn group config.
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉
May 8, 2015 at 11:56 am
MotivateMan1394 (5/5/2015)
Thank you
But some say the "NT Service\MSSQLSERVER" is more securable for servers that work on internet.
What's your idea?
Not sure who says that, but that's not a good idea.
May 9, 2015 at 6:11 am
Thank you all
June 17, 2015 at 3:17 am
OK, I want to use a domain user account for our services. (I am going to use HA - AlwaysOn - in SQL Server 2014 and Windows Server 2012 Datacenter.)
Obviously, I don't put it in the administrator group.
Then, what are the Windows privileges for the account for the SQL Server and Agent services?
A - I found these. Do you confirm them:
-------------------------------------------------------------------------------
1- Log on as a service (SeServiceLogonRight)
2- Replace a process-level token (SeAssignPrimaryTokenPrivilege)
3- Bypass traverse checking (SeChangeNotifyPrivilege)
4- Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
5- Permission to log on using the batch logon type (SeBatchLogonRight)
6- Permission to start SQL Server Active Directory Helper
7- Permission to start SQL Writer
8- Permission to read the Event Log service
9- Permission to read the Remote Procedure Call service
-------------------------------------------------------------------------------
B - Can I set the default SQL Server 2014 account for the other services? They are not related to AlwaysOn, are they?
Thank you
June 17, 2015 at 3:30 am
If you change the service account using SQL Server config manager, Config manager will add all the permissions that SQL Server needs. You'll only need to add in optional ones, like access to network shares.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
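An added example, not part of the thread or any poster's code: a PowerShell check of which of the user rights listed in the question (items 1-5) a service identity actually holds, read from a `secedit /export` security template. The function names, the INF text and the SIDs are constructed for illustration.

```powershell
# User rights from the list in the thread (items 1-5).
$requiredRights = @(
    'SeServiceLogonRight',            # Log on as a service
    'SeAssignPrimaryTokenPrivilege',  # Replace a process-level token
    'SeChangeNotifyPrivilege',        # Bypass traverse checking
    'SeIncreaseQuotaPrivilege',       # Adjust memory quotas for a process
    'SeBatchLogonRight'               # Log on using the batch logon type
)

# Parse the [Privilege Rights] section of a security template into right -> principals.
function Get-UserRightsMap {
    param([string[]]$InfLines)
    $map = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $t -notmatch '^(\w+)\s*=\s*(.*)$') { continue }
        # Principals are comma separated; SIDs carry a leading '*'.
        $map[$Matches[1]] = @($Matches[2] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
    $map
}

# Report, per right, whether any identity of the service (account, group, service SID) holds it.
function Test-ServiceAccountRights {
    param([hashtable]$RightsMap, [string[]]$Principals, [string[]]$Rights)
    foreach ($right in $Rights) {
        $hit = @($RightsMap[$right] | Where-Object { $Principals -contains $_ })
        [pscustomobject]@{ Right = $right; Granted = ($hit.Count -gt 0); Via = ($hit -join ',') }
    }
}
# Constructed sample; on a real host: secedit /export /cfg rights.inf /areas USER_RIGHTS
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeBatchLogonRight = *S-1-5-32-544
'@ -split '\r?\n'
# Constructed domain-account SID plus the Everyone group (S-1-1-0).
$ids = @('S-1-5-21-1111111111-2222222222-3333333333-1105', 'S-1-1-0')
Test-ServiceAccountRights -RightsMap (Get-UserRightsMap $sampleInf) -Principals $ids -Rights $requiredRights |
    Format-Table -AutoSize
```

A right can be granted through a group or a service SID rather than to the account directly, so pass every identity the service runs under in `-Principals` before treating a right as missing.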