SID service accounts

  • Hi,

    I am wondering if I need to have Windows 2008 DC and Active Directory to have my SQL 2008 servers running under SID service accounts?

    Any help is appreciated.

  • I'm not familiar with SID service accounts.

    Are you talking about Windows integrated security?

    If so, then you will need your users on an AD domain or an AD domain trusted by the AD domain that the server is in.

    Could you elaborate?

    CEWII

  • No, not NT groups.

    In SQL 2008 you no longer need a password for the service account, and you don't need the service account to exist in an NT group before install. This is possible in a Win 2008/SQL 2008 installation. I am wondering if the whole infrastructure needs to be Win 2008.

  • The functions of service accounts work with or without an AD domain. The difference is that without one they are limited to accessing the local machine only. I haven't seen anything about the Service SIDs, but I found it here: http://msdn.microsoft.com/en-us/library/ms143504.aspx#Service_SID. No mention of AD. This KB (http://support.microsoft.com/kb/955401) mentions AD, but I don't see anything else on MS.

    My guess is that you don't need AD, but that if not, you are essentially running a local account that is limited in scope.

    I'd be curious to know if you run this and how it works. Or what additional security it provides over a limited scope user account or a service account.

  • This is not available yet. You're thinking of Managed Service Accounts, which aren't available until Windows Server 2008 R2 (which isn't RTM yet). In that case, your Active Directory infrastructure has to have the following setup changes done (which require schema extensions):

    - Windows Server 2008 R2 Forestprep done.

    - Windows Server 2008 R2 domainprep done on the domain(s) in question.

    - At least one Windows Server 2008 R2 domain controller.

    More here:

    Service Accounts Step-by-Step Guide

    K. Brian Kelley
    @kbriankelley
