SQL Service account change

  • Hi,

    Log shipping (backup job) failed after we changed the SQL service account on our production database and DR database servers.

    Earlier it was working fine with the existing account (an account having domain admin rights), but the current account doesn't have domain admin rights; it's a normal domain account.

    Is there any chance this would cause the log shipping process to fail?

    Please advise on this...

    Thanks.

    Pradeep

  • pradeep.mohan (4/24/2013)


    Hi,

    Log shipping (backup job) failed after we changed the SQL service account on our production database and DR database servers.

    Earlier it was working fine with the existing account (an account having domain admin rights), but the current account doesn't have domain admin rights; it's a normal domain account.

    Is there any chance this would cause the log shipping process to fail?

    Please advise on this...

    Thanks.

    Looks like your new domain account doesn't have write privileges to the location of the TLOG backups. Speak to your AD admin, who should be able to sort it out for you.

    ---------------------------------------------------------

    It takes a minimal capacity for rational thought to see that the corporate 'free press' is a structurally irrational and biased, and extremely violent, system of elite propaganda.
    David Edwards - Media Lens

    Society has varying and conflicting interests; what is called objectivity is the disguise of one of these interests - that of neutrality. But neutrality is a fiction in an unneutral world. There are victims, there are executioners, and there are bystanders... and the 'objectivity' of the bystander calls for inaction while other heads fall.
    Howard Zinn

  • Is the new service account added to the local Administrators group on both servers (primary and secondary)?

  • What error do you get?

    ---------------------------------------------------------------------

  • Yes, the new account has been added to the local Administrators group.

    Pradeep

  • Did you change the password of the SQL Server service too?

  • Yes, I changed the password also.

    Pradeep

  • pradeep.mohan (5/1/2013)


    Yes, I changed the password also.

    Did you bounce SQL Server after you changed the password?

    Make sure you changed the password in all places: MSSQL Server and SQL Agent, as well as anywhere you used it for the log shipping stuff.

  • Yes, I restarted SQL Server, and I changed both the SQL Server service and the Agent as well.

    Pradeep

  • Please find the error log:

    The job failed. The Job was invoked by Schedule 2864 (DefaultCopyJobSchedule). The last step to run was step 1 (Log shipping copy job step.)

    Executed as user: XXXX\sqljobs. The step failed.

    Pradeep

  • Was there any resolution to this issue? I am experiencing a very similar issue at the moment...

  • muthyala_51 (4/29/2013)


    Is the new service account added to the local Administrators group on both servers (primary and secondary)?

    This is not required - The account just needs to be able to read\write from the location of the logs, both primary and secondary. Do not add service accounts to local admin groups.

  • SQLSteve (10/30/2013)


    muthyala_51 (4/29/2013)


    Is the new service account added to the local Administrators group on both servers (primary and secondary)?

    This is not required - The account just needs to be able to read\write from the location of the logs, both primary and secondary. Do not add service accounts to local admin groups.

    Can you explain in detail why a service account doesn't need to be added to the admin group? Pros and cons.

  • When setting up your service accounts you want to follow the principle of least privilege. Basically this means that you only want to grant the necessary rights to your service account to do its job and nothing more. I have never come across a reason that I needed my service account to be a domain admin or a local admin. I simply grant the necessary permissions to the account and that is all.

    The reason for this is security, plain and simple. If your service account gets hacked you want to limit your potential damage by limiting the hacker's surface area. Domain admin and/or local admin is a pretty big surface area.

    Now a couple of people have asked if the new account has read/write access to the location of the Tlog backups. Does it? Start there. Also, any changes you make to your service account need to be done through SQL Server Configuration Manager, not by going directly to the service itself.



    Microsoft Certified Master - SQL Server 2008
    Follow me on twitter: @keith_tate

    Forum Etiquette: How to post data/code on a forum to get the best help
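
An added example, not written by any poster in this thread: a read-only PowerShell audit that lists the accounts the SQL Server and SQL Agent services run as, flags any that sit directly in the local Administrators group, and shows whether each has Modify rights on the log shipping backup folder. `$BackupPath` and `$ExtraAccounts` are hypothetical parameters with placeholder values; it assumes accounts in `DOMAIN\user` form and PowerShell 5.1 or later.

```powershell
# Added example: read-only audit of SQL Server service accounts.
# $BackupPath and $ExtraAccounts are placeholders; substitute your own values.
param(
    [string]$BackupPath = '\\fileserver\logship',   # hypothetical log shipping share
    [string[]]$ExtraAccounts = @()                  # e.g. the account the copy job runs as
)

# 1. Accounts the engine and Agent services run as (default and named instances).
$svc = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -match '^(MSSQLSERVER$|MSSQL\$|SQLSERVERAGENT$|SQLAgent\$)' }
$svc | Select-Object Name, StartName, State | Format-Table -AutoSize
$accounts = (@($svc.StartName) + $ExtraAccounts) | Where-Object { $_ } | Sort-Object -Unique

# 2. Direct members of the local Administrators group (well-known SID, so the
#    check also works on localized systems). Nested groups are not expanded.
$admins = (Get-LocalGroupMember -SID 'S-1-5-32-544').Name

# 3. NTFS ACEs on the backup folder. Share-level permissions are separate, and
#    access granted through a group will not show under the account's own name.
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$aces   = (Get-Acl -Path $BackupPath).Access

foreach ($acct in $accounts) {
    # Allow entries that name this account explicitly
    $allow = $aces | Where-Object {
        $_.IdentityReference.Value -eq $acct -and $_.AccessControlType -eq 'Allow'
    }
    # True only if some entry carries every bit of the Modify right
    $canModify = [bool]($allow | Where-Object {
        ($_.FileSystemRights -band $modify) -eq $modify
    })
    [pscustomobject]@{
        Account      = $acct
        LocalAdmin   = $admins -contains $acct    # should be False
        DirectModify = $canModify                 # should be True for log shipping
        DirectRights = ($allow.FileSystemRights -join '; ')
    }
}
```

Run it on both the primary and the secondary server. A row with `LocalAdmin = True` is the over-privileged case described above; a row with `DirectModify = False` and no group-based grant matches the missing backup-folder permission suggested earlier in the thread.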

  • Keith Tate (10/31/2013)


    When setting up your service accounts you want to follow the principle of least privilege. Basically this means that you only want to grant the necessary rights to your service account to do its job and nothing more. I have never come across a reason that I needed my service account to be a domain admin or a local admin. I simply grant the necessary permissions to the account and that is all.

    The reason for this is security, plain and simple. If your service account gets hacked you want to limit your potential damage by limiting the hacker's surface area. Domain admin and/or local admin is a pretty big surface area.

    Now a couple of people have asked if the new account has read/write access to the location of the Tlog backups. Does it? Start there. Also, any changes you make to your service account need to be done through SQL Server Configuration Manager, not by going directly to the service itself.

    +1
