RE: What permissions are needed to change service account on clust
- From: Jsisson <Jsisson@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 15 Jun 2009 07:10:01 -0700
There is a good document in MSDN on the security requirements for service
accounts:
http://msdn.microsoft.com/en-us/library/ms143504.aspx
In addition, if you are changing the cluster service account then you will
need to make sure the account has "Impersonate a client after authentication"
rights or you will get a WMI access denied error. Refer to this document:
http://support.microsoft.com/kb/269229
"DBAdan" wrote:
The actual error message we were getting was "WMI Provider Error: Access is
denied. [0x80070005]". Our SAs found this link:
http://blogs.msdn.com/psssql/archive/2009/01/05/wmi-provider-error-access-is-denied-0x80070005-from-sql-server-computer-manager.aspx
In short, we use a group to manage the cluster. We created the new service
accounts to run the services, but those service account logins were not
completely added to the cluster group.
"DBAdan" wrote:
We were running services under a single service account such as
prod\svc_sqlagent.
We recently started having multiple instances per host and decided to have a
service account per instance, as in prod\svc_sql_inst01, prod\svc_sql_inst02
etc. All the service accounts are in the same domain as the instances.
My own login authenticates from a different domain, csystems, but is a local
admin on the hosts in domain = prod.
I am able to change the existing service accounts on our non-clustered
machines.
i.e. Changing from prod\svc_sqlagent to prod\svc_sql_inst01
However, when it comes to our cluster machine, it says "access denied". I
am using the SQL Server Configuration manager to do the password changes.
This is SQL 2005 SP2 on an Active/Passive cluster. I have tried performing
the change on both the passive node and the active node, but get the same
error.
Our system admin thinks that the account that I am logged in as to perform
the change (i.e. csystems\dan ) needs to be in the same domain as the
service accounts. I find this hard to believe because I log in as
csystems\dan when doing the service account changes on the non-clustered
servers.
By the way we are not allowed to log into the production sql hosts using the
service account, only our individual domain login csystems\dan is allowed on
the SQL host.
Can anyone see what I may be doing wrong or let me know what permissions are
needed to change the service account?
Example AD info, modified to hide private information.
Host info
C:\>dsquery computer ou=servers,dc=prod,dc=com -name ClustNode1
"CN=ClustNode1,OU=SQL,OU=Production,OU=Servers,DC=prod,DC=com"
Old service account (changing from)
C:\>dsquery user "ou=user data,dc=prod,dc=com" -name svc_sqlagent
"CN=svc_sqlagent,OU=Service Accounts,OU=User Data,DC=prod,DC=com"
NEW service account (changing to)
C:\>dsquery user "ou=user data,dc=prod,dc=com" -name svc_sql_inst01
"CN=svc_sql_inst01,OU=Service Accounts,OU=User Data,DC=prod,DC=com"
My account I log on to machines as, which has local admin rights, and which
I run SQL Configuration manager in order to change service accounts.
C:\>dsquery user "CN=Servin\, Dan,OU=LocalSite,DC=csystems,DC=com"
"CN=Servin\, Dan,OU=LocalSite,DC=csystems,DC=com"
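One way to check, on each cluster node, whether the new service accounts hold the "Impersonate a client after authentication" right mentioned in the reply. This is an added example, not part of the original thread; it assumes an elevated PowerShell prompt and the built-in secedit tool, uses the account names from the thread as defaults, and its function names are hypothetical.

```powershell
# Added example (not from the thread). Run elevated on each cluster node.
param(
    # Account names taken from the thread; replace with your own.
    [string[]]$Accounts = @('prod\svc_sql_inst01', 'prod\svc_sql_inst02'),
    [string]$Right = 'SeImpersonatePrivilege'  # "Impersonate a client after authentication"
)

function Resolve-Sid([string]$Name) {
    # Translate DOMAIN\user to a SID string; emits $null if it cannot be resolved.
    try {
        ([System.Security.Principal.NTAccount]$Name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }
}

function Get-RightHolderSids([string]$Right) {
    # secedit exports the current local user-rights assignment as an INF file.
    $cfg = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg | Where-Object { $_ -match "^\s*$Right\s*=" } |
            Select-Object -First 1
        if (-not $line) { return }
        foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            # Entries are "*S-1-..." for SIDs, or a bare account name.
            if ($entry.StartsWith('*')) { $entry.Substring(1) } else { Resolve-Sid $entry }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

$holders = @(Get-RightHolderSids $Right)
foreach ($acct in $Accounts) {
    $sid = Resolve-Sid $acct
    $held = ($null -ne $sid) -and ($holders -contains $sid)
    Write-Output ("{0} ({1}): directly granted {2} = {3}" -f $acct, $sid, $Right, $held)
}
# The right can also be held through a group (the thread's fix was group
# membership), so list every holder by name for comparison.
foreach ($h in $holders) {
    $name = $h
    try {
        $name = ([System.Security.Principal.SecurityIdentifier]$h).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { }
    Write-Output ("holder: {0}" -f $name)
}
```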