January 13, 2002 at 7:47 pm
I have a domain user account that I use to run the SQL Server services, but I don't know how to give that account administrator rights on my SQL Server machine. My SQL Server is installed on a different server with the domain controller, and both of them use Windows 2000. Could somebody help me, please?
January 13, 2002 at 8:17 pm
For your system:
From Computer Management (Start >> Settings >> Control Panel >> Administrative Tools >> Computer Management):
The problem with a Domain Controller is that under AD you only have the option of putting someone in the Domain Admins group. If you were running an NT 4 Domain Controller, it's the same issue. But if you don't have the option of using a member server, here's how you do it.
Start >> Programs >> Administrative Tools >> Active Directory Computers and Users
With respect to SQL Server on a DC, if you have the option, move SQL Server to a member server (or if you have enough DCs, demote the DC). The reason being the DC side will compete for resources with SQL Server. The DC will be trying to validate accounts, replicate domain information with other DCs, and probably act as a Computer Browser while SQL Server will be trying to do its own thing.
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
January 13, 2002 at 9:50 pm
Thanks, Brian. I added the domain user account to the Domain Admins group, and it works very well.
But the policy in my company doesn't allow this. Can I make that domain user account have administrator rights only on my SQL Server machine, and be just a user on the other machines that sit in the same Windows 2000 domain?
January 13, 2002 at 9:55 pm
Not that I am aware. This is the case with an NT 4 Domain Controller and I don't believe it has changed in Windows 2000 with Active Directory.
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
January 13, 2002 at 10:27 pm
I see. So the only way is to add the domain user account to the Domain Admins group and add the Domain Admins group to the local Administrators group on my database machine.
I already removed the Domain Admins group from my local Administrators group. 🙁
But thanks anyway.
PS: I tried with a Windows NT domain and it works.
January 14, 2002 at 2:58 am
You may want to take a look at the following article:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q199162
It's been a while since I've had to use this type of knowledge (two years), so I'm a bit rusty. But if I remember right, this is how everything works...
There are two types of groups: Global Groups and Local Groups. Global Groups can be added to a Local Group. No Group can be added to a Global Group. The problem with Domain Admins is that it is a Global Group.
Therefore, when we set up a trust relationship where a resource domain trusts a master (user) domain, we can't simply take the Domain Admins group from the master domain and put it into the Domain Admins group for the resource domain (Global Group into Global Group, which isn't allowed). We also can't add users from a different domain into a global group for a given domain. That means user accounts from the master domain can't be added individually to the Domain Admins group of the resource domain. Therefore, we must add the Domain Admins from the master domain into the local Administrators group for the resource domain at a domain controller for the resource domain. They then have Domain Admin rights. Because of this workaround, adding a user account to the Administrators group on a domain controller is the same as giving that user domain admin rights over that domain.
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
Edited by - bkelley on 01/14/2002 02:58:26 AM
January 21, 2002 at 11:59 am
Brian is right. Once you have a server that is a domain controller, it no longer has a "local" SAM. Therefore there is no local administrator.
Steve Jones
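The distinction this thread arrives at, as an added example that is not part of any post: the script grants a service account administrator rights on one machine only, and refuses to run on a domain controller, where the Administrators group is domain-wide. It assumes Windows PowerShell 5.1 or later (which postdates the Windows 2000 systems discussed here); the function name and the account `EXAMPLE\svc_sql` are hypothetical.

```powershell
# Added example; function name and account value are constructed, not from the thread.
function Grant-LocalAdminOnMemberServer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$Account   # e.g. 'EXAMPLE\svc_sql' (constructed sample value)
    )

    # Win32_ComputerSystem.DomainRole: 0/2 = standalone, 1 = member workstation,
    # 3 = member server, 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole

    if ($role -ge 4) {
        # A DC has no local SAM: its Administrators group is the domain's
        # built-in group, so membership there applies to the whole domain.
        throw "This machine is a domain controller; adding $Account to Administrators would grant rights over the whole domain."
    }
    if ($role -notin 1, 3) {
        throw "This machine is not joined to a domain (DomainRole=$role)."
    }

    # Resolve the local Administrators group by its well-known SID so the
    # script also works on non-English installations.
    $group = Get-LocalGroup -SID 'S-1-5-32-544'

    $already = Get-LocalGroupMember -Group $group |
        Where-Object { $_.Name -eq $Account }
    if ($already) {
        Write-Output "$Account is already a member of $($group.Name)."
        return
    }

    if ($PSCmdlet.ShouldProcess($group.Name, "Add $Account")) {
        Add-LocalGroupMember -Group $group -Member $Account
        Write-Output "Added $Account to $($group.Name) on $env:COMPUTERNAME only."
    }
}

# Run from an elevated session on the SQL Server machine; -WhatIf previews the change:
# Grant-LocalAdminOnMemberServer -Account 'EXAMPLE\svc_sql' -WhatIf
```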