March 18, 2002 at 10:06 am
I am setting up SQL7 on 2 new Win2000 boxes and am not sure how I should set up the services to log on. Below is my plan.
1. Create a Domain logon - domain\SQLServer
2. Configure the SQL services to start using the above account.
Does this domain account need to be an admin on each server? I would like to have 1 account that all of the SQL Servers use... What are the pros/cons?
TIA,
Matt
March 18, 2002 at 10:42 am
As far as admin, then yes I do believe it must be. Domain admin actually is better. The biggest reason to do this is so that each server is able to talk to each other with less issue.
"Don't roll your eyes at me. I will tape them in place." (Teacher on Boston Public)
March 18, 2002 at 11:22 am
The service account doesn't have to be a local administrator, but then there are a lot of hoops to jump through to get the account configured for the minimum permissions it needs. There are some details in Books Online which detail what registry keys the account has to be able to access, etc.
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
@kbriankelley
March 18, 2002 at 11:24 am
Whoa, and I just saw the comment on making it a Domain Admin. Using a service account that's a domain admin level account is BAD NEWS. A standard domain user account can have privileges across servers. A domain admin account is not needed. I would strongly recommend against a domain admin account. Here's a short article I wrote on services for SQL 2K, but it's basically the same for SQL 7, just there aren't any named instances and there are no ADHelpServices:
http://www.sqlservercentral.com/columnists/bkelley/services.asp
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
@kbriankelley
March 18, 2002 at 12:02 pm
yeah... I don't think my NT admin would like the domain admin approach.
Brian - I'll read your article. Thanks.
March 18, 2002 at 12:11 pm
I agree with Brian. Doesn't have to be admin, but much easier. HOWEVER, make it a local admin, not a domain admin. Note that this does mean that you do not want to install on a domain controller; you will lose the local SAM.
Steve Jones
March 18, 2002 at 12:44 pm
1 more question - we force password changes every 30 days and I'll have 8 production boxes to manage... will I need to go to each box every month and manually change the PW for each service?
Thanks again -
Matt
March 18, 2002 at 12:54 pm
Ahh, I do agree if it wasn't for the fact this whole domain is SQL Servers only, sorry I should have clarified. And there are only 4 machines besides the PDC for this domain. And they are locked in a room. Not much that can happen and they are easier to implement. I do local admin from a domain account when there are other issues. Sorry my error for not clarifying.
"Don't roll your eyes at me. I will tape them in place." (Teacher on Boston Public)
March 18, 2002 at 1:07 pm
When a domain user account is created, it can be created where the password never expires, despite account policies. This is often done with administrator level or service accounts.
Otherwise, yes, the 8 production boxes will need password changes to the service accounts. There isn't anything to keep them in sync.
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
@kbriankelley
March 18, 2002 at 2:11 pm
big help everyone... thanks again.
I just noticed that I am now a "1 star" poster.
March 18, 2002 at 2:18 pm
congrats!!!
BTW, I use a one-time random password for each account. Separate SQL user for each server. Once the service is set up, I toss the pwd. If I need to change something I change the pwd.
Steve Jones
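The points raised in this thread (no Domain Admin service accounts, non-expiring passwords, one account shared by every server versus one per server) can be checked with a read-only audit. The script below is an added example, not part of the original posts; it assumes a current Windows host with PowerShell, WinRM access to the servers, the ActiveDirectory (RSAT) module and a single domain, and the server names are constructed placeholders.

```powershell
# Added example: report which accounts the SQL Server services log on as.
# Read-only; server names below are constructed placeholders.
Import-Module ActiveDirectory

$servers = 'SQLPROD01', 'SQLPROD02', 'SQLPROD03'

# Everyone holding Domain Admins rights, including nested group members.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName

# MSSQLSERVER / SQLSERVERAGENT are the default-instance service names.
$filter = "Name LIKE 'MSSQL%' OR Name LIKE 'SQL%AGENT%'"
$services = foreach ($server in $servers) {
    Get-CimInstance -ClassName Win32_Service -ComputerName $server -Filter $filter |
        Select-Object @{n='Server';e={$server}}, Name, StartName
}

$report = foreach ($svc in $services) {
    # StartName is DOMAIN\user for domain accounts; built-ins (LocalSystem)
    # and local accounts (.\user) have no AD object to look up.
    $domain, $sam = $svc.StartName -split '\\', 2
    $adUser = $null
    if ($sam -and $domain -notin '.', 'NT AUTHORITY', 'NT SERVICE', $svc.Server) {
        $adUser = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties PasswordNeverExpires
    }
    [pscustomobject]@{
        Server               = $svc.Server
        Service              = $svc.Name
        LogonAccount         = $svc.StartName
        DomainAdmin          = [bool]($adUser -and $domainAdmins -contains $sam)
        PasswordNeverExpires = [bool]($adUser -and $adUser.PasswordNeverExpires)
        # Same account on more than one server: one password unlocks them all.
        SharedAcrossServers  = @($services | Where-Object StartName -eq $svc.StartName |
                                 Select-Object -ExpandProperty Server -Unique).Count -gt 1
    }
}

$report | Sort-Object LogonAccount, Server | Format-Table -AutoSize
```

Rows with `DomainAdmin` set are the configuration warned against above; rows with both `PasswordNeverExpires` and `SharedAcrossServers` set show where a single long-lived credential covers several servers.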