Windows Service Account Issue When Restoring Master To Another Server
Nov 7, 2007
I noticed when I restore a master database to a server other than the one which created the backup of master, SQL Server contains the following three local security groups that were defined on the source server. The problem is these groups are "local" and do not apply to the server where master was restored.
If you then back up the master database on an instance named MARKETING_PROD and restore it to MARKETING_TEST, the security folder on MARKETING_TEST will now contain the following three entries.
These entries would be invalid because no such server exists and therefore no such local groups exist. There appears to be no Microsoft documentation explaining how to handle these groups when restoring master from one server to another. My assumption is that whenever restoring master to another server you must drop these three groups and add the correct corresponding groups along with the appropriate permissions. I don't understand why SQL Server would not rebuild this information for you during a restore.
I'm having trouble with restoring the master db on w2k3 sql2000 sp3a to a Secondary Standby server. Firstly, I place the server in Single user mode and then restore the master db. The sql server then tries to restart sql services but immediately stops as soon as it starts up.
When sql 2005 is installed a Service Master key is generated using the password of the account under which sql 2005 server runs.
Suppose I use a domain account to run sql server. The account password will change every so often. I presume this change will not impact the validity of the existing Service master key and therefore any data indirectly encrypted by it. Am I correct?
We may need to change the account presently used to run the Windows Service "SQL Server Integration Services". What are the implications of making such a change?
Now, I checked and verified that my backup version of SQL Server is the same as the version installed on the computer I'm restoring to.
I have SQL Server on a production machine that I backed up and want to test a full restore on a dev machine to make sure it will work when I need it to.
Now that I've run the restore command on my tape backup and go to restart the SQL server service I receive:
Configuration block version 0 is not a valid version number. SQL Server is exiting. Restore the master database or reinstall.
I'm afraid I don't understand why this is happening. If the builds are the same, then shouldn't restoring the MASTER database have worked normally and I'd be able to restart the service now?
During install of SQL Server 2005, we can of course use a domain account or the built-in system account for running the services. I lean toward domain for obvious reasons but would like to know a +/- to each option and why I'd choose one over the other and what consequences or limitations one may encounter if I choose one over the other.
Hello! I have the following problem. I developed a CLR stored procedure "StartNotification" and deployed it on the db. This sp calls an external web service. Furthermore, this sp is called according to a SQL Server Agent job's schedule. On my PC SQL Server works under the Local System account and this web service is called correctly (Executed as user: NT AUTHORITY\SYSTEM). But on the other server the following exception is raised during job running:
Date 17.04.2007 16:42:10
Log Job History (FailureNotificationJob)
Step ID 1
Server MSK-CDBPO-01
Job Name FailureNotificationJob
Step Name MainStep
Duration 00:00:00
Sql Severity 16
Sql Message ID 6522
Operator Emailed
Operator Net sent
Operator Paged
Retries Attempted 0
Message Executed as user: CORP\mssqlserver. A .NET Framework error occurred during execution of user defined routine or aggregate 'StartNotification': System.Security.SecurityException: Request for the permission of type 'System.Net.WebPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed. System.Security.SecurityException: at System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet) at System.Security.CodeAccessPermission.Demand() at System.Net. The step failed.
What is the reason for this behaviour? Unfortunately I do not have direct access to this server. I have the following guesses: 1) CORP\mssqlserver may not have enough permissions to call the web service 2) Something wrong with the SQL Server account's permissions 3) Something wrong with the SQL Server Agent account's permissions. I will take the will for the deed. Thanks.
Hi all, I do understand that it is highly recommended to have a separate user (preferably a domain user account) for each of the SQL Server service and SQL Agent service. What is the reason behind that? (Someone told me to not run the service with an account that has powerful privileges! - I don't understand this point, can you explain it please?) What is the difference between: 1 - Local System account 2 - Network Service account
I have a server attached to a SAN, all user db's are on the SAN, master, tempdb, and msdb are on the local machine. We will be replacing the machine (not the SAN) with a newer sql server. Our plan was to create the new server with the same name, detach current user db's, back up master and msdb, then connect the new server with the same name and IP to the SAN. I then wanted to restore the master and msdb db's to the new machine, and attach the user db's. We are running log shipping to a stand-by server in this configuration. I was thinking I could let the last tran log backup and copy occur, and then let the last restore happen on the standby. I would then shut down the agent. Should I not be able to restore the MSDB and master to the new server (as long as all file folder locations are the same) and be ready to go? Or are there issues when restoring the Master and MSDB to a new server from a different server?
I'm trying to rebuild from a meltdown. I'm using disk backup files. I could have sworn that I had SQL Server 2000 SP3 installed on the old machine, but maybe not. With SP3 installed, I get a message along the lines that the restore can't be done because the backup was created using server version 134218262 and this server is version 134218488. I've searched the documentation and can't find any reference to those version numbers. In any case, I thought SQL Server 2000 could restore backups created on any SP level to any SP level. Any ideas? -- Regards. Richard.
moving to a new sql server box because of a problem with the SAN it's connected to. started my named instance in single user mode and restored master. sqlservr.exe -c -m -s ovops now the instance won't start. tried starting it with the -t3608 switch.. won't start!! It's because my drive configuration is different on the new server than it was on the old server, I cannot start the instance because it is expecting model, msdb, tempdb and all of the user databases on drives that don't exist?? what can I do?????
I am currently trying to connect to sql server with one of the windows user accounts. I am trying to connect to it via a browser using a dns-less connection. I have put in all the correct user name and password details and it comes back with Login failed for user xxxxxxx.
If I create a user in sql server and put those login details in, it works fine.
Can I use windows users with a dns-less connection???
I have several DTS jobs that run well as a job with my nt login account for the SQL agent service startup account, but if I use the System account they fail with this error: "Error opening datafile: Access is denied. Error source: Microsoft Data Transformation Services Flat File Rowset Provider"
The data has change access to the System account under the NT security.
SqlServer2k is on the domain server. SqlServer2k is on a laptop too. I want to copy a database from the domain to the laptop over the network using the copy database wizard. I have done this before with no problem but this time I get the following error: Your SQL Server Service is running under the local system account. You need to change your SQL Server Service account to have the rights to copy files over the network. I went into the properties of MSSQLSERVER under Services and Applications and see no setting described. Where do I manage the SQL Server Service?
We are debating whether to run the SQL Server service as Local System, a domain user without local admin rights, or a domain user with local admin rights. MSDN recommends local admin rights, but doesn't require them. I would like to get some idea of how the real world handles this. If you run as a local admin, how do you handle the security implications? And if you run without local admin rights, what gotchas have you run into with extended stored procs, replication, etc?
I have a SQL 2000 (SP3) running on a Windows NT 4.0 (SP6) box used in our test environment. The SQL Server was configured to run under the local system account before I got here. In an effort to standardize things, I tried changing the SQL Service account to run under a designated domain user account purpose built for the job. We use this particular account for all of our new-build servers (which are W2K). This domain account is configured to be a "Power User" on the NT 4.0 Server in question.
Soon after changing things over to run under the new account, all the developers complained that they could no longer connect to the server. I could through QA and EM, but none of the developers could.
The developers are using WebLogic and JDBC drivers for the most part. I wasn't aware that the SQL Server service account affected client connectivity. Was I wrong or is there something else at work here?
I have recently installed 2005 Standard and 2005 Reporting Services (on a separate server), today we built a service account for the SQL services in Active Directory. I planned to use SQL Configuration tools to change the account but it fails with the message:
'No mapping between account names and security IDs was done'
I ended up going through and following the manual steps outlined in KB article 283811 - http://support.microsoft.com/default.aspx?scid=kb;en-us;Q283811
But I am baffled and concerned as to why it failed.
Guys, I have got WINDOWS 2000 Advanced Server and MS SQL SERVER 7.0 running on my live server. Now when we are planning for replication, we have found that SQL server will be required to run under a domain account. At the moment there are so many ASP pages running on our server that access different databases created using SQL server 7.0. Most of them are DSN connections to the database. Now if I create a domain account and restart the server and MS SQL services with the domain account, how is it going to affect the current web pages running on it? Any help will be greatly appreciated. Thanks
Hi, I changed the login for the MSSQLSERVER service for a 6.5 box to "This account" from "system account" and then again changed back to "system account". Now I can't connect through Enterprise Manager to my server. All my services are running and I can connect to my database through an application as before. I cannot re-boot the machine as it is in production. Any thoughts? Thanks in advance. Subodh
SQL Server Browser listens on a UDP port and accepts unauthenticated requests using SQL Server Resolution Protocol (SSRP). SQL Server Browser should be run in the security context of a low-privileged user to minimize exposure to a malicious attack. By default, SQL Server Browser starts using the Local System account. The logon account can be changed by using the Windows Services program. The minimum user rights for SQL Server Browser are as follows:
* Deny access to this computer from the network.
* Deny logon locally.
* Deny logon as a batch job.
* Deny logon through Terminal Services.
* Log on as a service.
* Read and write the SQL Server registry keys related to network communication (ports and pipes).
In our case the SQL Server Browser service is running under the same Windows account as our other SQL Server services. Do you recommend creating a separate Windows account for the SQL Server Browser service as described above?
Can you help me understand how an attack can occur?
I'm thinking of using SQL Server Agent Service for my PDA app. But, I want to use different accounts for SQL Server and SQL Server Agent Service. How can we do this in SQL Server 2005? Do we do this when installing it? Thanks
If we have a "pool" SQL login, one that uses SQL Server authentication, and this login is used by different domain accounts to access SQL Server, is there a way to audit which domain account used that "pool" login to do something on an object in SQL Server? I have to keep this way of accessing SQL Server, so how to create a login for every domain account accesses SQL Server
Hi, I tried to install MS SQL server 2000 in my XP system but during the setup service account installation, I tried to use a domain user account but it cannot validate my user name and password. I used my windows administrator logon account and password. Please help..thank you.
I'm trying to connect to a database using a service account that we got created. The ID is an AD account and was added to the db as such. When I try to connect to the database using the account with the password I get [login failed for domain\id]. The DBA mentioned that it's set up to use windows auth, however, I can't connect with this service account using windows Auth, due to I'm using to connect via code.
How can I connect to the database from my code using this ID?
I have the ID and pwd in my code to connect with, does the ID have to be setup differently in the Database?
if you can restore a database to Server B using Server A as the service. Meaning we would issue the command on Server A but somehow point to Server B as where we want the restore to happen.
The backup file would be in a location independent of both servers.
If you were to do a fresh install it would set permissions on the disk so everything just works.
Now when changing the service account (e.g. to a domain user) using the configuration manager, does it do the same magic (possibly sans if the database data/log files are on another disk)? Or do you need to trawl through the dozens of folders and assign rights manually?
Microsoft recommends that you do not use the Network Service account to run the SQL Server service (see http://msdn2.microsoft.com/en-us/library/ms143504.aspx).
Can anyone tell me what the drawbacks are of doing this?
Okay now this is weird, today the Reporting Services was not running and here are the entries in the event log:
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7041
Date: 12/12/2007
Time: 9:47:22
User: N/A
Computer: TFS
Description: The ReportServer service was unable to log on as DOMAIN\TFSREPORTS with the currently configured password due to the following error: Logon failure: the user has not been granted the requested logon type at this computer.
Service: ReportServer
Domain and account: DOMAIN\TFSREPORTS
This service account does not have the necessary user right "Log on as a service."
User Action
Assign "Log on as a service" to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node in a cluster, check that this user right is assigned to the Cluster service account on all nodes in the cluster.
If you have already assigned this user right to the service account, and the user right appears to be removed, a Group Policy object associated with this node might be removing the right. Check with your domain administrator to find out if this is happening. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp
I am the administrator of the machines and I can assure you that no domain policy has changed for a couple of weeks. What should I look for?
I have a SP SQL server that uses Handshake for the web parts. I am getting an error on SharePoint about 'An error occurred during Service Master Key Decryption' inside the web parts of the page, everything else comes up. From what I have researched, MS says go under SQL Configuration Manager and change the service account. Is this the correct course of action for this type of error? I am just having a hard time believing that changing the engine's service account will stop this issue, this account is used on several SQL servers with no issues.