Entering Service Account Details During Install


UncleBoris
I read an article posted by GilaMonster about remedies for some errors preventing SQL from starting.
One section was on the Service Account being locked out.

This reminded me of a time when the Service Account got locked out during a new SQL installation here.
The incorrect password was entered for the respective services and the Service Account got locked out during the authentication attempts (depends on the password policy of course) -- so all the production SQL services would now have a locked account and would not be able to be restarted.

So when you perform new installs of SQL do you enter the main prod service account at this point in the installation or do you just use the local system account to get SQL installed, and then use SQL Configuration Manager to change the service accounts post install? This way you can at least do one at a time therefore reducing the chances of a locked account!

Just curious.

thanks
Michael Valentine Jones
Why would the service account get locked out? Are you using the same service account on more than one server?

To answer your question, we set up new service accounts for each new server, generate a strong password (15+ characters with upper, lower, numbers and special characters), store the account and password info in a password safe (KeePass), set the new account to that password, and use that password during the installation.
UncleBoris
That is correct. We have one service account for each service type (SSIS, SQL etc) but the same account is used for multiple production servers.

No excuse but legacy and small company mentality I suppose!!!
Michael Valentine Jones
UncleBoris (4/2/2013)
That is correct. We have one service account for each service type (SSIS, SQL etc) but the same account is used for multiple production servers.

No excuse but legacy and small company mentality I suppose!!!



That is just asking for trouble. :(

If the account gets locked out, all your servers will go down, and it makes it impossible to change the password without major downtime.
Perry Whittle
I find it absurd that you're able to consistently type the password wrong that many times lol

-----------------------------------------------------------------------------------------------------------

"Ya can't make an omelette without breaking just a few eggs" ;-)
Jeffrey Williams 3188
Michael Valentine Jones (4/2/2013)
Why would the service account get locked out? Are you using the same service account on more than one server?

To answer your question, we set up new service accounts for each new server, generate a strong password (15+ characters with upper, lower, numbers and special characters), store the account and password info in a password safe (KeePass), set the new account to that password, and use that password during the installation.


I thought I was the only one who did this...

I also use KeePass to generate a 20-character strong password for the sa account. For those systems that I need to set up in mixed mode, I use that password during the installation.

Both the service account and sa account passwords are never shared with anyone - and the accounts are only used to run the services and set up SQL Server.

Jeffrey Williams
Problems are opportunities brilliantly disguised as insurmountable obstacles.

UncleBoris
So to clarify, you guys use a separate Service Account for each Service on each Server? So as an example if you have ten SQL Instances each with four Services you would have forty separate Domain Service Accounts?

thanks
tafountain
I'd also suggest following best practice and using different domain accounts for each sql server instance at a minimum. I use different accounts for each service (sql server, sql agent, reporting services, etc).

I'd also recommend KeePass. Not only do you never even have to know the password, you simply copy and paste it from KeePass into the dialog.
UncleBoris
tafountain (4/4/2013)
I'd also suggest following best practice and using different domain accounts for each sql server instance at a minimum. I use different accounts for each service (sql server, sql agent, reporting services, etc).



Yes I do what you mention above already although I do not use KeePass which I will have a look at.

I might be struggling to get the Network Admin to create a separate account per service, per server though!!!
Steve Jones
KeePass or Password Safe will work.

I would not use the same account for multiple instances, or services. Think about this. If this gets compromised, or you do need to change it, how many machines are you rebooting?

Especially in a small company, I'd use one account per instance per service, so in general, 2-3 per instance (Agent, SSRS, SSIS, etc)

Follow me on Twitter: @way0utwest
My Blog: www.voiceofthedba.com
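
The risk raised in this thread (one locked-out or changed account stopping every SQL service that shares it) can be measured before it bites. The PowerShell below is an added example, not code from any poster: it groups a service inventory by logon account and reports accounts reused across servers or services. The server names and accounts in the sample are constructed, and the service-name pattern is an assumption covering common SQL Server service names.

```powershell
# Added example. Sample data is constructed; adjust the name pattern to your versions.

function Get-SqlServiceInventory {
    # Live collection: one row per SQL-related Windows service on each server.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $pattern = '^(MSSQL|SQLAgent|SQLSERVERAGENT|MsDtsServer|ReportServer)'
    foreach ($c in $ComputerName) {
        Get-CimInstance -ClassName Win32_Service -ComputerName $c |
            Where-Object { $_.Name -match $pattern } |
            Select-Object @{n='Server';e={$c}},
                          @{n='Service';e={$_.Name}},
                          @{n='Account';e={$_.StartName}}
    }
}

function Get-SharedServiceAccount {
    # Reports every non-built-in account that runs more than one service,
    # with the number of servers that stop if that account is locked out.
    param([Parameter(Mandatory)][object[]]$Inventory)
    $builtin = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)'
    $Inventory |
        Where-Object { $_.Account -and $_.Account -notmatch $builtin } |
        Group-Object { $_.Account.ToLowerInvariant() } |
        ForEach-Object {
            $servers = @($_.Group.Server | Sort-Object -Unique)
            [pscustomobject]@{
                Account      = $_.Group[0].Account
                ServerCount  = $servers.Count
                ServiceCount = $_.Count
                Servers      = $servers -join ', '
            }
        } |
        Where-Object { $_.ServerCount -gt 1 -or $_.ServiceCount -gt 1 } |
        Sort-Object ServiceCount -Descending
}

# Constructed inventory: svc_sql is shared across three servers,
# while SQLPROD04 uses one account per service.
$sample = @(
    [pscustomobject]@{ Server='SQLPROD01'; Service='MSSQLSERVER';    Account='CORP\svc_sql' }
    [pscustomobject]@{ Server='SQLPROD02'; Service='MSSQLSERVER';    Account='CORP\svc_sql' }
    [pscustomobject]@{ Server='SQLPROD03'; Service='MSSQL$REPORTS';  Account='corp\svc_sql' }
    [pscustomobject]@{ Server='SQLPROD01'; Service='SQLSERVERAGENT'; Account='CORP\svc_agent' }
    [pscustomobject]@{ Server='SQLPROD02'; Service='SQLSERVERAGENT'; Account='CORP\svc_agent' }
    [pscustomobject]@{ Server='SQLPROD04'; Service='MSSQLSERVER';    Account='CORP\svc_sqlprod04_db' }
    [pscustomobject]@{ Server='SQLPROD04'; Service='SQLSERVERAGENT'; Account='CORP\svc_sqlprod04_agt' }
)
Get-SharedServiceAccount -Inventory $sample | Format-Table -AutoSize
```

Against real servers, pass the output of `Get-SqlServiceInventory -ComputerName ...` as `-Inventory`; an empty result means no domain account is shared between SQL services.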