April 1, 2004 at 2:43 pm
Hi,
I am using SQL Server 2k SP3a on Win 2k Advanced Server. Cluster with 2 nodes.
I am updating the SQL Server service account via EM. Everything works fine with the new service account; I can move the group from one node to the other both ways, no problem. But after a while, when I try to do it again, the SQL Server services are failing with an error something like "Account doesn't have enough permissions on the server". The service account that I am using is admin on both nodes. Any idea?
April 1, 2004 at 2:50 pm
I have heard of a few cases where EM didn't get everything, but it sounds like initially you are fine but something later changes. Do you have to go in and reset the accounts to get the error to go away once it crops up? If you want to check permissions, here's the article for a default SQL Server install:
HOW TO: Change the SQL Server or SQL Server Agent Service Account Without Using SQL Enterprise Manager in SQL Server 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;283811
There's also this one:
INF: How to Change Service Accounts on a SQL Virtual Server
http://support.microsoft.com/default.aspx?scid=kb;EN-US;239885
Perchance, do you have any OS level security auditing turned on for the cluster?
K. Brian Kelley
@kbriankelley
April 2, 2004 at 7:12 am
If I put the same user with the same password in EM, it will work again for a period of time.
On the server I have enabled auditing for success and failure for logon events, object access and system events.
I will check KB283811 to see if I get the proper permissions.
Thanks
April 2, 2004 at 7:34 am
Have you seen any unusual audit failure errors in the security log when the fail-overs stop working?
K. Brian Kelley
@kbriankelley
April 2, 2004 at 7:40 am
Nothing unusual, just this one that I was expecting:
Logon Failure:
Reason: The user has not been granted the requested
logon type at this machine
User Name:
Domain: [domain]
Logon Type: 5
Logon Process: SCMgr
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: [workstation]
April 2, 2004 at 8:23 am
Are these servers in an Active Directory domain? If so, do your administrators have a group policy set that applies to these servers?
K. Brian Kelley
@kbriankelley
April 2, 2004 at 8:28 am
Yes, they are on AD and there is a group policy.
For what should I look in that policy?
April 2, 2004 at 8:34 am
See if they have explicitly defined:
- Log on as a service
- Act as part of the operating system
- Replace a process level token
If they have defined those values in their group policy, they will overwrite whatever is set locally. Meaning everything is okay for a while and then they suddenly stop working. Once you reset the service account, SQL Server EM will set those to the proper values so you'll start working again and are back in the cycle.
K. Brian Kelley
@kbriankelley
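An added example, not part of the original thread: one way to confirm the cycle described in the post above is to export the effective local policy with `secedit /export /cfg` right after EM resets the account and again once fail-over breaks, then compare the three rights. The account name, SID and both policy dumps below are constructed for illustration.

```python
# Added example (not from the thread). Account name, SID and both policy
# dumps are constructed; real input comes from `secedit /export /cfg out.inf`.
REQUIRED_RIGHTS = {
    "SeServiceLogonRight": "Log on as a service",
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
}
SVC_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # hypothetical svc account

AFTER_EM_RESET = rf"""[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *{SVC_SID},CORP\svc_backup
SeTcbPrivilege = *{SVC_SID}
SeAssignPrimaryTokenPrivilege = *{SVC_SID}
"""
# After a Group Policy refresh: domain-defined lists replaced the local ones.
AFTER_GPO_REFRESH = rf"""[Privilege Rights]
SeServiceLogonRight = CORP\svc_backup
SeAssignPrimaryTokenPrivilege = *{SVC_SID}
"""

def parse_privilege_rights(inf_text):
    """Return {right: set of lower-cased principals} from [Privilege Rights]."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit writes SIDs as *S-1-5-...; resolved account names appear bare.
        rights[name.strip()] = {m.strip().lstrip("*").lower() for m in value.split(",") if m.strip()}
    return rights

def missing_rights(inf_text, principals):
    """Required rights held by none of `principals` (account name, SID or group)."""
    wanted = {p.lower() for p in principals}
    rights = parse_privilege_rights(inf_text)  # an absent right means nobody holds it
    return [r for r in REQUIRED_RIGHTS if not (rights.get(r, set()) & wanted)]

def rights_lost(before_inf, after_inf, principals):
    """Rights the account held in the first export but not in the second."""
    before = set(missing_rights(before_inf, principals))
    return [r for r in missing_rights(after_inf, principals) if r not in before]
```

secedit writes its export as Unicode (UTF-16), so open a real file with that encoding before passing the text in. Pass the SIDs or names of any groups the service account belongs to alongside the account itself, since a right can be granted through a group.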
April 13, 2004 at 9:35 am
It seems that it is the AD Group Policy that is overwriting the Local security policy.
Thank you very much guys.
April 13, 2004 at 9:43 am
They can set a policy that supersedes the default group policy they may have set on all servers... so all is not lost. They'll need to do this on any SQL Server system you have unless the account is running as LocalSystem (the local System account), which isn't generally advised.
K. Brian Kelley
@kbriankelley