RE: What permissions are needed to change service account on clust



There is a good document in MSDN on the security requirements for service
accounts:

http://msdn.microsoft.com/en-us/library/ms143504.aspx

In addition, if you are changing the cluster service account then you will
need to make sure the account has "Impersonate a client after authentication"
rights or you will get a WMI access denied error. Refer to this document:

http://support.microsoft.com/kb/269229









"DBAdan" wrote:

The actual error message we were getting was "WMI Provider Error: Access is
denied. [0x80070005]". Our SAs found this link:
http://blogs.msdn.com/psssql/archive/2009/01/05/wmi-provider-error-access-is-denied-0x80070005-from-sql-server-computer-manager.aspx

In short, we use a group to manage the cluster. We created the new service
accounts to run the services, but those service account logins were not
completely added to the cluster group.

"DBAdan" wrote:

We were running services under a single service account such as
prod\svc_sqlagent.

We recently started having multiple instances per host and decided to have a
service account per instance, as in prod\svc_sql_inst01, prod\svc_sql_inst02,
etc. All the service accounts are in the same domain as the instances.

My own login authenticates from a different domain, csystems, but is a local
admin on the hosts in domain = prod.

I am able to change the existing service accounts on our non-clustered
machines.
i.e. Changing from prod\svc_sqlagent to prod\svc_sql_inst01

However, when it comes to our cluster machine, it says "access denied". I
am using the SQL Server Configuration Manager to do the password changes.
This is SQL 2005 SP2 on an Active/Passive cluster. I have tried performing
the change on both the passive node and the active node, but get the same
error.

Our system admin thinks that the account that I am logged in as to perform
the change (i.e. csystems\dan ) needs to be in the same domain as the
service accounts. I find this hard to believe because I log in as
csystems\dan when doing the service account changes on the non-clustered
servers.

By the way we are not allowed to log into the production sql hosts using the
service account, only our individual domain login csystems\dan is allowed on
the SQL host.

Can anyone see what I may be doing wrong or let me know what permissions are
needed to change the service account?

Example AD info, modified to hide private information.
Host info
C:\>dsquery computer ou=servers,dc=prod,dc=com -name ClustNode1
"CN=ClustNode1,OU=SQL,OU=Production,OU=Servers,DC=prod,DC=com"

Old service account (changing from)
C:\>dsquery user "ou=user data,dc=prod,dc=com" -name svc_sqlagent
"CN=svc_sqlagent,OU=Service Accounts,OU=User Data,DC=prod,DC=com"

NEW service account (changing to)
C:\>dsquery user "ou=user data,dc=prod,dc=com" -name svc_sql_inst01
"CN=svc_sql_inst01,OU=Service Accounts,OU=User Data,DC=prod,DC=com"

The account I log on to machines as, which has local admin rights, and under
which I run SQL Configuration Manager in order to change service accounts.
C:\>dsquery user "CN=Servin\, Dan,OU=LocalSite,DC=csystems,DC=com"
"CN=Servin\, Dan,OU=LocalSite,DC=csystems,DC=com"
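
One way to check, on each cluster node, whether the new service accounts hold the "Impersonate a client after authentication" right directly or through a group. This is an added example, not code from anyone in the thread; the UPNs are constructed from the thread's sample account names, and the prod.com suffix is an assumption.

```powershell
# Added example (not from the thread). Run elevated on each cluster node.
# The UPNs are constructed from the thread's sample names; replace them.
$Upns      = @('svc_sql_inst01@prod.com', 'svc_sql_inst02@prod.com')
$Privilege = 'SeImpersonatePrivilege'   # "Impersonate a client after authentication"

function Get-PrivilegeHolderSids {
    param([string]$Name)
    $cfg = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user-rights section of this node's security policy.
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg | Where-Object { $_ -match "^$Name\s*=" }
        if (-not $line) { return @() }
        foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                $entry.TrimStart('*')            # already a SID string
            } elseif ($entry) {
                # secedit writes some principals by name; convert to a SID.
                try {
                    (New-Object System.Security.Principal.NTAccount($entry)).Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
                } catch { Write-Warning "Cannot resolve '$entry'" }
            }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

$holders = @(Get-PrivilegeHolderSids -Name $Privilege)

foreach ($upn in $Upns) {
    try {
        # Builds the account's token without its password, including group SIDs.
        $id = New-Object System.Security.Principal.WindowsIdentity($upn)
    } catch {
        Write-Warning "Cannot build a token for ${upn}: $($_.Exception.Message)"
        continue
    }
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $via  = @($sids | Where-Object { $holders -contains $_ })
    [pscustomobject]@{
        Account   = $upn
        HasRight  = $via.Count -gt 0
        GrantedBy = ($via | ForEach-Object {
            $s = New-Object System.Security.Principal.SecurityIdentifier($_)
            try { $s.Translate([System.Security.Principal.NTAccount]).Value } catch { $s.Value }
        }) -join '; '
    }
}
```

An account that shows HasRight = False on a node is missing both the direct grant and membership in any group that carries the right there.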