SQL Clone
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 


SQL Server Agent won't start with new domain logon account


SQL Server Agent won't start with new domain logon account

Author
Message
Gift Peddie
Gift Peddie
SSCoach
SSCoach (17K reputation)SSCoach (17K reputation)SSCoach (17K reputation)SSCoach (17K reputation)SSCoach (17K reputation)SSCoach (17K reputation)SSCoach (17K reputation)SSCoach (17K reputation)

Group: General Forum Members
Points: 17300 Visits: 14456
Jeffrey Williams-493691 (8/7/2011)
Gift Peddie (8/7/2011)
The only time you need to have the agent service account as part of the local administrators group is IF YOU REQUIRE the autostart functionality to be enabled. In almost all cases, that additional funtionality is neither required or needed.


The ACL was an error but I would rather you explain how autostart is not needed in automation operation processing gigs of data in almost real time.


What do you think the autostart functionality provides for? It has nothing to do with automation processing gigs of data in almost real time.

Again, if YOUR system needs that functionality - then, yes the agent service account must be a local administrator. However, that is not a normal configuration and is not something that is required is most instances.

So, again - what is it that you believe that functionality provides that is essential for normal SQL Server Agent operation?



What is normal in a place where users query data and what is normal when many different pieces work together for user experience outside the company Domain are not related, I am talking about the later and you are talking about the former. The later saves the cost of Informatica and DataStage while the former just keeps the business running both are not related.

And as to the previous posters comment about integrated security with Oracle and DB2, there is no integrated security in web use because it does not scale beyond company intranet use. You notice I didnot add Winform because as of .NET 3.5 the client services can pipe both permissions through the web.config with few lines of code.

Kind regards,
Gift Peddie
Jeffrey Williams 3188
Jeffrey Williams 3188
SSCoach
SSCoach (19K reputation)SSCoach (19K reputation)SSCoach (19K reputation)SSCoach (19K reputation)SSCoach (19K reputation)SSCoach (19K reputation)SSCoach (19K reputation)SSCoach (19K reputation)

Group: General Forum Members
Points: 19305 Visits: 10042
I have absolutely no idea what you are talking about - nor do I think you do.

Care to explain in further detail how your environment differs from most normal installations of SQL Server and why you have a special setup and configuration?

Also, how does this relate to the original question and why would you recommend that setup for somebody elses system?

Jeffrey Williams
Problems are opportunities brilliantly disguised as insurmountable obstacles.

How to post questions to get better answers faster
Managing Transaction Logs

Gift Peddie
Gift Peddie
SSCoach
SSCoach (17K reputation)SSCoach (17K reputation)SSCoach (17K reputation)SSCoach (17K reputation)SSCoach (17K reputation)SSCoach (17K reputation)SSCoach (17K reputation)SSCoach (17K reputation)

Group: General Forum Members
Points: 17300 Visits: 14456
Jeffrey Williams-493691 (8/7/2011)
I have absolutely no idea what you are talking about - nor do I think you do.

Care to explain in further detail how your environment differs from most normal installations of SQL Server and why you have a special setup and configuration?

Also, how does this relate to the original question and why would you recommend that setup for somebody elses system?


The question is who decides what normal use of the Agent because what you and the poster described is corporate internal use and where I work now we don’t have such setup. But we run a system fully integrated with Oracle 10g which is located in Michigan and the SQL Server in Florida. Another thing to consider saying your use is the required use when it will not meet the needs of 90 percent or more web operations is not practical.

Kind regards,
Gift Peddie
Jeffrey Williams 3188
Jeffrey Williams 3188
SSCoach
SSCoach (19K reputation)SSCoach (19K reputation)SSCoach (19K reputation)SSCoach (19K reputation)SSCoach (19K reputation)SSCoach (19K reputation)SSCoach (19K reputation)SSCoach (19K reputation)

Group: General Forum Members
Points: 19305 Visits: 10042
Gift Peddie (8/7/2011)
The question is who decides what normal use of the Agent because what you and the poster described is corporate internal use and where I work now we don’t have such setup. But we run a system fully integrated with Oracle 10g which is located in Michigan and the SQL Server in Florida. Another thing to consider saying your use is the required use when it will not meet the needs of 90 percent or more web operations is not practical.


So, you give advice that doesn't match recommended practices because that is what you believe is needed in your environment. Got it...

I don't see how integrating with Oracle has anything to do with this. Integrating with Oracle does not require that SQL Server Agent be a part of the local administrator's group on a Windows Server. I don't know where you get that information - but would really like to understand how you came up with that as a requirement.

Again - based on the documentation you referenced, which states that for the additional functionality of autorestart the agent service account needs to be a local administrator. So, I will ask again:

What functionality does that provide in your environment? Why is it required to 'integrate' with Oracle?

Jeffrey Williams
Problems are opportunities brilliantly disguised as insurmountable obstacles.

How to post questions to get better answers faster
Managing Transaction Logs

Gift Peddie
Gift Peddie
SSCoach
SSCoach (17K reputation)SSCoach (17K reputation)SSCoach (17K reputation)SSCoach (17K reputation)SSCoach (17K reputation)SSCoach (17K reputation)SSCoach (17K reputation)SSCoach (17K reputation)

Group: General Forum Members
Points: 17300 Visits: 14456
So, you give advice that doesn't match recommended practices because that is what you believe is needed in your environment. Got it...

I don't see how integrating with Oracle has anything to do with this. Integrating with Oracle does not require that SQL Server Agent be a part of the local administrator's group on a Windows Server. I don't know where you get that information - but would really like to understand how you came up with that as a requirement.

Again - based on the documentation you referenced, which states that for the additional functionality of autorestart the agent service account needs to be a local administrator. So, I will ask again:

What functionality does that provide in your environment? Why is it required to 'integrate' with Oracle?




The above says you have decided Relational engine use which is just about 20 percent or less use of the Agent should dictate what is the standard use. These issues come up generally in Microsoft platform, admin limiting development uses of features and Microsoft generally resolves it so I will let Microsoft address the many uses of the Agent issue in the next version code named Denali.

Kind regards,
Gift Peddie
Ron Sexton
Ron Sexton
Valued Member
Valued Member (50 reputation)Valued Member (50 reputation)Valued Member (50 reputation)Valued Member (50 reputation)Valued Member (50 reputation)Valued Member (50 reputation)Valued Member (50 reputation)Valued Member (50 reputation)

Group: General Forum Members
Points: 50 Visits: 95
So far I see the same issue myself. It is a bit comical and sad that no one from Microsoft seems to be addressing it. You can look through their articles and no solution in sight. This is what i have seen that may help.

If you enable the SQL Server Service for Kerberos then you seem to have a much easier time using a domain account for the agent, no local admin privledges needed:

http://blogs.technet.com/b/askds/archive/2009/04/30/sql-bulk-insert-access-is-denied.aspx

Also if you specify the accounts during the install it seems to work fine as far as i can tell. It did on my Windows 2008 cluster with SQL Server 2008 R2 SP1. So it must do some special magic, i suspect dcom permissions and such, to get it working as i don't even see the recommended windows permissions afterwards on the SQL Server Agent account, yet it stops and starts just fine. I also enabled my clustered SQL for kerberos as this is also now a recommended best practice from Microsoft.

http://technet.microsoft.com/en-us/library/cc280744(v=sql.105).aspx

I was going nuts trying to get SQL Server to read a share off of another server for bulk insert until i read these article and got it working.

Hope this helps someone. And no i still don't have an answer for just directly assigning the needed permissions to get SQL Server agent running under a domain account independently of these other things without making it local admin.

Ron S.
lenrigby
lenrigby
Old Hand
Old Hand (302 reputation)Old Hand (302 reputation)Old Hand (302 reputation)Old Hand (302 reputation)Old Hand (302 reputation)Old Hand (302 reputation)Old Hand (302 reputation)Old Hand (302 reputation)

Group: General Forum Members
Points: 302 Visits: 165
Hi to all respondents

I'm flattered that I'm still getting responses to threads associated with my original post from December 31, 2009!

This is a great forum - thanks!
Ron Sexton
Ron Sexton
Valued Member
Valued Member (50 reputation)Valued Member (50 reputation)Valued Member (50 reputation)Valued Member (50 reputation)Valued Member (50 reputation)Valued Member (50 reputation)Valued Member (50 reputation)Valued Member (50 reputation)

Group: General Forum Members
Points: 50 Visits: 95
Well evidently this issue still exists! LOL!
paulmconnors
paulmconnors
Grasshopper
Grasshopper (18 reputation)Grasshopper (18 reputation)Grasshopper (18 reputation)Grasshopper (18 reputation)Grasshopper (18 reputation)Grasshopper (18 reputation)Grasshopper (18 reputation)Grasshopper (18 reputation)

Group: General Forum Members
Points: 18 Visits: 35
FIXED! For me anyway.....

If anyone is still interested, I had a nightmare resolving this issue only yesterday.. Tried everything I could think of, no small amount of head scratching and then finally I stumbled upon the solution.

I noticed that the Folder/File permissions were absolutely trashed when installing SQL Server to the root of a drive. I simply created a folder on the root of the particular drive and set that folder as the install directory for SQL... Reeling back in shock as I realised that this worked. SQL Agent started automatically after install using the credentials NT Service\SQLAgent$InstanceName to start the service. :-) HAPPY DAYS!


Hope that helps someone !


Paul
Ron Sexton
Ron Sexton
Valued Member
Valued Member (50 reputation)Valued Member (50 reputation)Valued Member (50 reputation)Valued Member (50 reputation)Valued Member (50 reputation)Valued Member (50 reputation)Valued Member (50 reputation)Valued Member (50 reputation)

Group: General Forum Members
Points: 50 Visits: 95
For me this was inconsistent.
I have 2 2008 r2 clusters installed exactly the same way to subfolders. On one it works fine and on the other it doesn't. I have even had where it was working fine for months where it suddenly after a node failover wouldn't start. Very frustrating.
Go


Permissions

You can't post new topics.
You can't post topic replies.
You can't post new polls.
You can't post replies to polls.
You can't edit your own topics.
You can't delete your own topics.
You can't edit other topics.
You can't delete other topics.
You can't edit your own posts.
You can't edit other posts.
You can't delete your own posts.
You can't delete other posts.
You can't post events.
You can't edit your own events.
You can't edit other events.
You can't delete your own events.
You can't delete other events.
You can't send private messages.
You can't send emails.
You can read topics.
You can't vote in polls.
You can't upload attachments.
You can download attachments.
You can't post HTML code.
You can't edit HTML code.
You can't post IFCode.
You can't post JavaScript.
You can post emoticons.
You can't post or upload images.

Select a forum

































































































































































SQLServerCentral


Search