Entering Service Account Details During Install
Posted Tuesday, April 2, 2013 4:16 PM
SSC Journeyman

I read an article posted by GilaMonster about remedies for some errors preventing SQL from starting.
One section was on the Service Account being locked out.

This reminded me of a time when the Service Account got locked out during a new SQL installation here.
The incorrect password was entered for the respective services and the Service Account got locked out during the authentication attempts (depends on the password policy of course) -- so all the production SQL services would now have a locked account and would not be able to be restarted.

So when you perform new installs of SQL do you enter the main prod service account at this point in the installation or do you just use the local system account to get SQL installed, and then use SQL Configuration Manager to change the service accounts post install? This way you can at least do one at a time therefore reducing the chances of a locked account!

Just curious.

thanks
Post #1438124
Posted Tuesday, April 2, 2013 5:16 PM
Hall of Fame

Why would the service account get locked out? Are you using the same service account on more than one server?

To answer your question, we set up new service accounts for each new server, generate a strong password (15+ characters with upper, lower, numbers and special characters), store the account and password info in a password safe (KeePass), set the new account to that password, and use that password during the installation.
Post #1438131
Posted Tuesday, April 2, 2013 6:45 PM
SSC Journeyman

That is correct. We have one service account for each service type (SSIS, SQL etc) but the same account is used for multiple production servers.

No excuse but legacy and small company mentality I suppose!!!

Post #1438142
Posted Wednesday, April 3, 2013 6:35 PM
Hall of Fame

UncleBoris (4/2/2013)
That is correct. We have one service account for each service type (SSIS, SQL etc) but the same account is used for multiple production servers.

No excuse but legacy and small company mentality I suppose!!!



That is just asking for trouble.

If the account gets locked out, all your servers will go down, and it makes it impossible to change the password without major downtime.


Post #1438622
Posted Thursday, April 4, 2013 6:40 AM


SSCertifiable

I find it absurd that you're able to consistently type the password wrong that many times lol


"Ya can't make an omelette without breaking just a few eggs"
Post #1438753
Posted Thursday, April 4, 2013 11:36 AM
SSCarpal Tunnel

Michael Valentine Jones (4/2/2013)
Why would the service account get locked out? Are you using the same service account on more than one server?

To answer your question, we set up new service accounts for each new server, generate a strong password (15+ characters with upper, lower, numbers and special characters), store the account and password info in a password safe (KeePass), set the new account to that password, and use that password during the installation.


I thought I was the only one who did this...

I also use KeePass to generate a 20-character strong password for the sa account. For those systems that I need to set up mixed-mode, I use that password during the installation.

Both the service account and sa account passwords are never shared with anyone - and the accounts are only used to run the services and set up SQL Server.


Jeffrey Williams
Problems are opportunities brilliantly disguised as insurmountable obstacles.

Post #1438937
Posted Thursday, April 4, 2013 12:01 PM
SSC Journeyman

So to clarify, you guys use a separate Service Account for each Service on each Server? So as an example if you have ten SQL Instances each with four Services you would have forty separate Domain Service Accounts?

thanks
Post #1438950
Posted Thursday, April 4, 2013 1:32 PM
SSC-Enthusiastic

I'd also suggest following best practice and using different domain accounts for each sql server instance at a minimum. I use different accounts for each service (sql server, sql agent, reporting services, etc).

I'd also recommend KeePass. Not only do you never even have to know the password, you simply copy and paste it from KeePass into the dialog.
Post #1439000
Posted Thursday, April 4, 2013 2:49 PM
SSC Journeyman

tafountain (4/4/2013)
I'd also suggest following best practice and using different domain accounts for each sql server instance at a minimum. I use different accounts for each service (sql server, sql agent, reporting services, etc).



Yes I do what you mention above already although I do not use KeePass which I will have a look at.

I might be struggling to get the Network Admin to create a separate account per service, per server though!!!




Post #1439020
Posted Thursday, April 4, 2013 3:29 PM


SSC-Dedicated

KeePass or Password Safe will work.

I would not use the same account for multiple instances, or services. Think about this. If this gets compromised, or you do need to change it, how many machines are you rebooting?

Especially in a small company, I'd use one account per instance per service, so in general, 2-3 per instance (Agent, SSRS, SSIS, etc)







Post #1439029
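
The concern raised in the replies above, that one locked-out or rotated account takes down every service sharing it, can be checked from a service inventory. The following PowerShell is an added example, not code from any poster in this thread; `Find-SharedServiceAccount` is a hypothetical helper name, and the server names, the `CORP` domain and the account names are constructed sample data.

```powershell
# Added example: flag service accounts whose lockout or password change
# would affect more than one SQL Server service.
function Find-SharedServiceAccount {
    param(
        [Parameter(Mandatory)]
        [object[]]$Service   # objects with PSComputerName, Name, StartName
    )
    # Built-in identities have no password to lock out or rotate.
    $builtin = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)'
    $Service |
        Where-Object { $_.StartName -and $_.StartName -notmatch $builtin } |
        Group-Object { $_.StartName.ToLowerInvariant() } |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Name
                Services = $_.Count
                Servers  = @($_.Group.PSComputerName | Sort-Object -Unique).Count
                UsedBy   = ($_.Group | ForEach-Object { "$($_.PSComputerName)\$($_.Name)" }) -join ', '
            }
        } |
        Sort-Object Services -Descending
}

# Live collection (assumes CIM/WinRM access; $servers is a hypothetical list):
# $filter = "Name LIKE 'MSSQL%' OR Name LIKE 'SQLAgent%' OR Name = 'SQLSERVERAGENT' " +
#           "OR Name LIKE 'ReportServer%' OR Name LIKE 'MsDtsServer%'"
# $inventory = Get-CimInstance Win32_Service -ComputerName $servers -Filter $filter

# Constructed sample inventory so the example runs offline.
$inventory = @(
    [pscustomobject]@{ PSComputerName = 'SQL01'; Name = 'MSSQLSERVER';    StartName = 'CORP\svc_sql' }
    [pscustomobject]@{ PSComputerName = 'SQL01'; Name = 'SQLSERVERAGENT'; StartName = 'CORP\svc_agent' }
    [pscustomobject]@{ PSComputerName = 'SQL02'; Name = 'MSSQLSERVER';    StartName = 'corp\svc_sql' }
    [pscustomobject]@{ PSComputerName = 'SQL02'; Name = 'SQLSERVERAGENT'; StartName = 'CORP\svc_agent' }
    [pscustomobject]@{ PSComputerName = 'SQL03'; Name = 'MSSQLSERVER';    StartName = 'CORP\svc_sql03_engine' }
    [pscustomobject]@{ PSComputerName = 'SQL03'; Name = 'SQLSERVERAGENT'; StartName = 'NT SERVICE\SQLSERVERAGENT' }
)

Find-SharedServiceAccount -Service $inventory | Format-Table -AutoSize -Wrap
```

Each row in the output is an account whose lockout would stop every service listed under `UsedBy`; accounts used by a single service on a single server do not appear.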