March 13, 2008 at 4:13 am
Hello,
I have set up a new SQL 2005 server at work, and wanted to ask a couple of questions, but here is what I have done so far.
I have loaded it up on a logical D: on the server (this is mirrored), but changed the default directories for databases and logs to go onto two separate drives on my locally attached SAN unit. It's all on a 2003 member server.
I have created a separate domain account for every service, named after the service, and configured the accounts and passwords in SQL configuration manager, all are running but I have left the browser service stopped.
Now I was going to create a global security group with all the accounts in and assign it full control to both the drives that will contain the DB's and logs. Do I need to actually do that, or will just adding the SQL server service account and agent account be enough, and is Full control ok, or too much?
And should I bother creating a group for the services to go in in the first place? I was going to name the group after the SQL instance and server name.
Is there any reason why I should leave the browser service stopped?
Thanks in advance for any help or advice. I'm going to apply service pack 2 later on.
Kind regards,
D.
March 14, 2008 at 11:01 am
Duran (3/13/2008)
Hello, Now I was going to create a global security group with all the accounts in and assign it full control to both the drives that will contain the DB's and logs. Do I need to actually do that, or will just adding the SQL server service account and agent account be enough, and is Full control ok, or too much?
Only the SQL Server service would need file system access.
Duran (3/13/2008)
And should I bother creating a group for the services to go in in the first place? I was going to name the group after the SQL instance and server name.
Doesn't matter, depends on what your IT group has deemed appropriate.
Duran (3/13/2008)
Is there any reason why I should leave the browser service stopped?
Are you running more than one instance on this server? I've never had a problem with a computer/server's default instance showing up in AD, but when running multiple instances, I've always had to use the browser server for them to register.
March 14, 2008 at 12:14 pm
I think you need the browser service for multiple or non-default instances, and it also helps with non-standard TCP/IP ports.
For SQL clusters, I like what you're planning to do with the global groups. But the needs of the different services are quite different; I think it would be overkill for most if you lumped them all in the same group. Might be a good idea to model after the non-clustered local groups approach?
For non-clustered SQL servers, I think you might be better off sticking with the SQLServer2005xxxx local groups that were installed with SQL, and which are maintained by the configuration manager. These offer a more granular approach to security.
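
An added example, not written by any poster in this thread: a PowerShell audit that lists Allow entries on the data and log folders held by principals outside an expected set and marks the ones that amount to Full Control, which is the question the original post asks about granting Full Control to every service account. The scratch folder and the account name `EXAMPLE\svc-sqlengine` are hypothetical placeholders.

```powershell
# Added example: list ACL entries on SQL Server data/log folders that fall
# outside an expected set of principals. All account names are hypothetical.
function Get-UnexpectedSqlFolderAccess {
    param(
        [Parameter(Mandatory = $true)][string[]]$Path,
        [Parameter(Mandatory = $true)][string[]]$AllowedPrincipals
    )
    $fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $genericAll  = 0x10000000   # raw GENERIC_ALL bit, seen on some inherit-only ACEs
    foreach ($folder in $Path) {
        if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
            Write-Warning "Folder not found: $folder"
            continue
        }
        foreach ($rule in (Get-Acl -LiteralPath $folder).Access) {
            # Deny entries restrict access, so only Allow entries are reviewed.
            if ($rule.AccessControlType -ne 'Allow') { continue }
            $who = $rule.IdentityReference.Value
            if ($AllowedPrincipals -contains $who) { continue }
            $mask = [int]$rule.FileSystemRights
            [pscustomobject]@{
                Folder      = $folder
                Principal   = $who
                Rights      = $rule.FileSystemRights
                FullControl = (($mask -band $fullControl) -eq $fullControl) -or
                              (($mask -band $genericAll) -ne 0)
                Inherited   = $rule.IsInherited
            }
        }
    }
}

# Constructed demo: a scratch folder stands in for the data and log drives.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'sql-acl-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$allowed = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
           'EXAMPLE\svc-sqlengine'    # hypothetical engine service account
Get-UnexpectedSqlFolderAccess -Path $demo -AllowedPrincipals $allowed |
    Format-Table -AutoSize
```

Every row returned is an entry to justify or remove; inherited rows have to be changed on the parent folder or drive root rather than on the folder itself.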