November 4, 2003 at 6:05 pm
When I attempt to change the Startup Service Account of SQL 2000 through the security tab of Enterprise Manager I receive the following error.
Error 22042: xp_SetSQLSecurity() returned error -2147024690, 'The handle is invalid.'
Microsoft KB recommends installing the latest service pack for SQL. I have performed this numerous times with no luck. I have also applied the latest hotfix rollup for SQL 2000 to no avail.
The server is a Windows 2000 Domain Controller running as a GC. I have an almost identical server where this change worked.
If anyone out there can help a battling bushranger in Australia it would be greatly appreciated 🙂
Thanks,
November 4, 2003 at 10:22 pm
If you are not sure why something is not working on NT/2000, reboot few times. Always works for me. May be its being nice to me.
:-))) Sorry making this funny.
Frankly, I have not had this situation with PDC.
.
November 5, 2003 at 2:39 am
We must be from parallel universes 🙂 If there’s a windows problem I’ve had it.
It’s freaking me out… I don’t know what to do. I need it fixed in a few weeks for the security audit. I can see myself getting nailed for not fixing it a second time round.
Thanks anyway mate,
Uko
November 5, 2003 at 6:57 am
Make sure the account has sufficient privilege to run SQL Server and SQL Server is configured in mixed authentication mode.
From BOL.
"Using a Domain User Account
A domain user account uses Windows Authentication, that is, the same user name and password used to connect to the operating system is also used to connect to SQL Server. A domain user account is typically used because many server-to-server activities can be performed only with a domain user account, for example:
Remote procedure calls.
Replication.
Backing up to network drives.
Heterogeneous joins that involve remote data sources.
SQL Server Agent mail features and SQL Mail. This restriction applies if using Microsoft Exchange. Most other mail systems also require clients (the SQL Server and SQL Server Agent services) to be run on accounts with network access.
Note Several servers running SQL Server can share the same user account. When setting up replication, it is recommended that a Publisher and all its Subscribers share the same service account for the SQL Server service.
Requirements for Domain User Account
All domain user accounts must have permission to:
Access and change the SQL Server directory (\Program Files\Microsoft SQL Server\Mssql).
Access and change the .mdf, .ndf, and .ldf database files.
Log on as a service.
Read and write registry keys at and under:
HKEY_LOCAL_MACHINE\Software\Microsoft\MSSQLServer.
-or- for any named instance: HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server.
HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\MSSQLServer.
-or- for any named instance: HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\MSSQL$Instancename.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Perflib.
In addition, a domain user account must be able to read and write corresponding registry keys for these services: SQLAgent$InstanceName, MSSearch, and MSDTC.
This table shows additional permissions required for certain functionality.
Service Permission Functionality
SQL Server Network write privileges Write to a mail slot using xp_sendmail.
SQL Server Act as part of operating system and replace a process level token Run xp_cmdshell for a user other than a SQL Server administrator.
SQL Server Agent Member of the Administrators local group Create CmdExec and ActiveScript jobs belonging to someone other than a SQL Server administrator.
Use the autorestart feature.
Use run-when-idle jobs.
SQL Server Member of local Power Users or local Administrators group Add and delete SQL Server objects in the Windows 2000 Active Directory."
If you really need to fix it in very short time, contact Microsoft support for help.
By the way, it is not recommended to have SQL Server in Domain Controller.
November 5, 2003 at 4:31 pm
Thanks for your feed back guys,
I'm so relieved and so happy right now. After many months I've just found the cause of my pain and fixed it. The SQL Service is now running as an ordinary user account.
I performed everything that was mention in the above post but with no joy. I found the solution in KB article Q283811. (Extract below)
Note: If the default NTFS permissions on your computer have been changed, make sure that the SQL Server startup account has List Folder permission enabled on the root drive where the SQL Server database data and the log files are located.
I’ve read other Microsoft articles similar to the one above but they never had that above piece of information. I would have never thought of setting that permission on the root drive since I had ‘Bypass Traverse Checking’ enable in the policies and correct permission on down-level folders.
Now I still get the error when I change the startup account. But all I have to do is make the change in the Services MMC and all is fine. Previously if I performed this action in Services the SQLService would start and stop immediately… but no longer.
Thanks Guys,
Viewing 5 posts - 1 through 4 (of 4 total)
You must be logged in to reply to this topic. Login to reply