I am taking a Windows Azure introductory course and one of the prerrequisites for it is to have installed SQL Server 2008 R2 on my machine.
When I'm installing SQL Server in the Server Configuration section it asks for 2 users: one for the SQL Server Agent and other one for the SQL Server Analysis.
I am a begginer, so that's why I'm asking you to recommend me wich users should I use. And also, is it possible to change the users after installation?
Thanks in advance.
Yes, you can change the user after you install those services. The services will run using those accounts and therefore the services will have the same rights as the accounts.
For DEV/test you can use the local system account.
For production you should create a dedicated domain account for those services.
The best account to use in this instance would be The Network Service Account.
Be aware that the Local Service account is not supported for the SQL Server or SQL Server Agent services.
The Network Service account is a built-in account that has more access to resources and objects than members of the Users group. Services that run as the Network Service account access network resources by using the credentials of the computer account. The actual name of the account is "NT AUTHORITY\NETWORK SERVICE".
Network Service Account is the only account which is supported by SQL Server and SQL Server Agent Services, allows for network file system access i.e. SSMS DBA tasks, and yet still avoids using a Local System Account.
http://msdn.microsoft.com/en-us/library/ms143504(v=sql.105).aspx
To change which account the service runs under, do so in the same GUI that you are currently using inside SQL Server Configuration Manager
Related
Our solution stack consists of multiple services, each of which can be run on individual host machines. For a variety of reasons, the services are hosted as a windows service running under a virtual account. Many of these services need to connect to a MS SQL 2008R2 instance running on a remote host. Each of the host machines running the services thus need to added to the MS SQL2008R2 instances as logins. e.g if our services are running on hostnames machine1, machine2...machinen, machine accounts machine1$, machine2$... machinen$ need to be added to MS SQL as logins. I thought I could simplify this by adding each host machine to a machine group on the domain and add the machine group as a login on the MS SQL instance. This did not work. Am I missing some steps ? OR am I forever condemned to add each individual machine accounts to MS SQL instance ? I know that I can run the windows services under a domain user (or maybe have the services impersonate a domain user if possible) and add the domain user to the MS SQL instance but I do not want to try this approach as the password for the domain user now needs to be managed.
Any help appreciated
Once the server and workstation were rebooted, it worked. Now just having the security group on MS SQL and no individual machine account on MS SQL gets our solution stack up and running. Thank you SQLChao for keeping me on track.
I have SSIS packages that have connections that use project params(only database and server), the actual login is set to windows authentication.
So when a SQL Server Agent runs that job step(package) how does it connect with windows authentication? Does it use it's own service account? If so as long as the service account has the same permissions as my windows account it shouldn't have issues right? All the objects in the SSIS packages are tables stored in that same server instance.
If I had external objects that use tables on different servers and such would it encounter issues then?
If the job owner is sysadmin and different server are in same domain it should be straight foward.
The secure way is to create a proxy on sql and give the Windows auth credentials. Then configured the package to run as "proxy defined".
I'm trying to install SQL Server 2012 on Windows Server 2012, but when I get to:
The SQL Server Analysis Services are empty so I can't continue instalation proces. Any idea what Account Name should be there? And how to add it?
Not sure why a default is missing, but this is a service account, so as with any other service account, best practice is to create a user in AD for this purpose only and to assign this user account (making sure it has sufficient permissions on the local machine where SSAS is running) to the SSAS service on installation.
The MSA(Managed Service Account) must be created in the Active Directory by the domain administrator before SQL Server setup can use it for SQL Server services.
Check here ~ Configure Windows Service Accounts and Permissions
Our custom SharePoint site uses a standard connection string (in web.config) to a remote sql server using a sql server authentication. I need to know if it is possible to change this connection to use a SharePoint service account instead of a sql server account. If so, how do specify the service account in the connection string and how do you create a login and user for an sp service account when that user does not exist on the sql server machine and nor is it available on Active Directory.
Update:
I think I need to use integrated security in the connection string and run db calls within SPSecurity.RunWithElevatedPrivileges block. If i use this as a delegate, what sp account will the code be executed under and how do i assign a sql server login to a sharepoint account on a remote machine. Any links to sample code or articles explaining this process would be helpful.
Thanks.
From the SQL Server side, you should create a domain account for Sharepoint in AD. Then you log in to SQL Server via Management Studio (SQL2005 or later), on the left hand side click on security tab, and add a new login - you'll enter the domain Sharepoint service account, and give it the relevant permissions to the databases it needs to access.
For the Sharepoint side, you probably can edit web.config but there must be a Sharepoint admin tool to take care of this properly.
I have a web service that stores data in a local SQL Server 2008 database. If I run the web service under my account the web service can successfully access the database. However, if I use the DefaultAppPool (IUSR) account then accessing the database from the web service fails.
How do I set security on SQL Server to allow access to a specific database via IIS?
The specific error message I am getting is:
Login failed for user 'IIS APPPOOL\DefaultAppPool'
You have two options (obvious maybe!):
Instead of using Windows Integrated
Security use SQL Authentication
instead.
If you can't or don't want to, then you have
to create a new user in SQL Server
that relates to that Windows account.
Or (third option) you can change the web service to run under an account that you know works.
I generally run the app pool under a domain user account, that way you control the specific user for each site on your server.
If I can't use a domain account, I'll run the site as "Network Service" - and the user that would correspond to that in SQL would be the machine account (MACHINENAME$ - replace "machinename" with your IIS server name").
If you plan to use the new IIS7 IIS users - which are not windows users - you'll have to use SQL Authentication instead of Windows authentication for your SQL database access.