SQL Clone
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 


Unable to start SQL agent with domain account


Unable to start SQL agent with domain account

Author
Message
mjwlufc
mjwlufc
SSC-Enthusiastic
SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)

Group: General Forum Members
Points: 144 Visits: 43
Hi,

I've recently changed our SQL services to run under domain account instead of the local account they used to use. Since doing this i'm unable to start the agent. I got the follwing error in event viewer

SQLServerAgent could not be started (reason: SQLServerAgent must be able to connect to SQLServer as SysAdmin, but '(Unknown)' is not a member of the SysAdmin role).

The account we are trying to start the agent with is both a local admin and has sysadmin role.

One thing i find strange is that when we connect to the instance using the service account and sql managent i can't see the properties of the agent as it's greyed out when i right click on it.

Any ideas on this - i've tried going back and running the agent as local but thet now returns the same error !

Thanks in advance,
Mike.
learning_sql
learning_sql
SSC-Enthusiastic
SSC-Enthusiastic (103 reputation)SSC-Enthusiastic (103 reputation)SSC-Enthusiastic (103 reputation)SSC-Enthusiastic (103 reputation)SSC-Enthusiastic (103 reputation)SSC-Enthusiastic (103 reputation)SSC-Enthusiastic (103 reputation)SSC-Enthusiastic (103 reputation)

Group: General Forum Members
Points: 103 Visits: 183
mike.whorley (11/26/2012)
Hi,

I've recently changed our SQL services to run under domain account instead of the local account they used to use. Since doing this i'm unable to start the agent. I got the follwing error in event viewer

SQLServerAgent could not be started (reason: SQLServerAgent must be able to connect to SQLServer as SysAdmin, but '(Unknown)' is not a member of the SysAdmin role).

The account we are trying to start the agent with is both a local admin and has sysadmin role.

One thing i find strange is that when we connect to the instance using the service account and sql managent i can't see the properties of the agent as it's greyed out when i right click on it.

Any ideas on this - i've tried going back and running the agent as local but thet now returns the same error !

Thanks in advance,
Mike.


Does the domain account have "permission to logon as a service" rights on the server?
John Mitchell-245523
John Mitchell-245523
SSC-Dedicated
SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)

Group: General Forum Members
Points: 36050 Visits: 16701
Mike

It sounds as if you didn't use SQL Server Configuration Manager to make the change. Maybe you used the Services applet instead? Try using SQL Server Configuration Manager to change to Local System or something like that, then change back to your domain account.

John
mjwlufc
mjwlufc
SSC-Enthusiastic
SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)

Group: General Forum Members
Points: 144 Visits: 43
learning_sql (11/26/2012)

Does the domain account have "permission to logon as a service" rights on the server?



Yes it does - just double checked it in user rights assignment in local policies on the server.
mjwlufc
mjwlufc
SSC-Enthusiastic
SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)

Group: General Forum Members
Points: 144 Visits: 43
John Mitchell-245523 (11/26/2012)
Mike

It sounds as if you didn't use SQL Server Configuration Manager to make the change. Maybe you used the Services applet instead? Try using SQL Server Configuration Manager to change to Local System or something like that, then change back to your domain account.

John


Thanks John - i didn't use the config manager, however I've tried your suggestions but sadly just the same, local user or domain user return exactly the same error as previous.
John Mitchell-245523
John Mitchell-245523
SSC-Dedicated
SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)

Group: General Forum Members
Points: 36050 Visits: 16701
Sounds like you might have to do it manually, then. Try creating a login for your domain account and adding it to sysadmin. Then use SQL Server Configuration Manager to change the service to start under that account.

John
mjwlufc
mjwlufc
SSC-Enthusiastic
SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)

Group: General Forum Members
Points: 144 Visits: 43
Sorry John i'm not quite sure what you are saying there ?

The service account does have a login to the instance already with sysadmin role.
John Mitchell-245523
John Mitchell-245523
SSC-Dedicated
SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)

Group: General Forum Members
Points: 36050 Visits: 16701
Ah yes, so it does. I'm running out of ideas now. How about creating a named local Windows account and seeing if you can start SQL Server Agent as that?

John
learning_sql
learning_sql
SSC-Enthusiastic
SSC-Enthusiastic (103 reputation)SSC-Enthusiastic (103 reputation)SSC-Enthusiastic (103 reputation)SSC-Enthusiastic (103 reputation)SSC-Enthusiastic (103 reputation)SSC-Enthusiastic (103 reputation)SSC-Enthusiastic (103 reputation)SSC-Enthusiastic (103 reputation)

Group: General Forum Members
Points: 103 Visits: 183
Is the domain service account a member of the local group "SQLserveragentusers$SERVERNAME$INSTANCE" or similar

EDIT - this maybe useful but we may have covered it:http://www.mssqltips.com/sqlservertip/2317/running-sql-server-agent-with-a-least-privilege-service-account/
mjwlufc
mjwlufc
SSC-Enthusiastic
SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)SSC-Enthusiastic (144 reputation)

Group: General Forum Members
Points: 144 Visits: 43
John Mitchell-245523 (11/26/2012)
Ah yes, so it does. I'm running out of ideas now. How about creating a named local Windows account and seeing if you can start SQL Server Agent as that?

John


Created a new account and just made it a member for the SQLAGENT group as detailed above but still no joy.

My hunch is something in group policy is revoking the privs we are giving the domain account on this server.
Go


Permissions

You can't post new topics.
You can't post topic replies.
You can't post new polls.
You can't post replies to polls.
You can't edit your own topics.
You can't delete your own topics.
You can't edit other topics.
You can't delete other topics.
You can't edit your own posts.
You can't edit other posts.
You can't delete your own posts.
You can't delete other posts.
You can't post events.
You can't edit your own events.
You can't edit other events.
You can't delete your own events.
You can't delete other events.
You can't send private messages.
You can't send emails.
You can read topics.
You can't vote in polls.
You can't upload attachments.
You can download attachments.
You can't post HTML code.
You can't edit HTML code.
You can't post IFCode.
You can't post JavaScript.
You can post emoticons.
You can't post or upload images.

Select a forum

































































































































































SQLServerCentral


Search