locked
Service Accounts - Your Ideas RRS feed

  • Question

  • I have been tasked to install SQL 2012 on a new machine(2012 R2) which we will move all current 2008 R2 databases over too (approx. 26).
    This machine will also hold a new instance of SharePoint (not sure if this makes any difference).

    I have gone through the setup.exe process, up to Service Accounts tab to see what accounts are needed: (They are:)

    1. SQL Server Agent
    2. SQL Server Database Engine
    3. SQL Server Reporting Services
    4. SQL Server Integration Services 11.0
    5. SQL Server Browser

    I have read that you should at least create two basic AD accounts (like domain\sqluser1, domain\sqluser2) with sqluser1 being a Local Admin
    on the box? Setting #2 as sqluser1 (refer to above list) and the rest as being sqluser2


    I have also read I should have at least two as above but - use sqluser1 to log into the machine and do the install, then after the install to disable, but not delete the AD account?

    I have also read that you need one AD account per Service Accounts?


    Here are my thoughts and please Advise is this will not work or if there is a security issue:
    (I understand that every install is different, but any info will help - Thanks)

    I will create two regular BASIC AD accounts domain\SQLAdmin and domain\SQLWorker
    I will set domain\SQLAdmin up as a Local Admin to the machine
    I will set up the following:

    1. SQL Server Agent    domain\SQLAdmin
    2. SQL Server Database Engine   domain\SQLAdmin
    3. SQL Server Reporting Services  NETWORKSERVICE
    4. SQL Server Integration Services 11.0  domain\SQLWorker
    5. SQL Server Browser    domain\SQLWorker

    Thanks for any advice,
    (An Accidental DBA)

    Friday, August 15, 2014 5:38 PM

Answers

  • In SQL 2012 the default is to use virtual accounts for all services.  Unless you're installing a Failover Cluster Instance or an AlwaysOn AG using with Kerberos Authentication you should probably just use the defaults.

    David


    David http://blogs.msdn.com/b/dbrowne/

    • Proposed as answer by Saeid Hasani Sunday, August 17, 2014 3:15 PM
    • Marked as answer by ssimon Monday, August 18, 2014 2:30 PM
    Friday, August 15, 2014 7:48 PM

All replies

  • Hi,

    Its not advised and not considered as good security practice to run SQL Server service with account having admin privileges on machine. In your case account  domain\SQLAdmin, you are adding this as local admin which is not a good practice as per security.

    I strongly suggest you to spend some time on below Microsoft Link

    http://msdn.microsoft.com/en-gb/library/ms143504.aspx

    You are correct with creating separate account just rights should be minimum and above link will guide you


    Please mark this reply as answer if it solved your issue or vote as helpful if it helped so that other forum members can benefit from it.

    My TechNet Wiki Articles


    Friday, August 15, 2014 6:43 PM
  • Thank you for your reply

    Not sure if the link is the correct one - this is for Windows Service and Dynamics Nav 2009

    I have read through multiple msdn libraries (including ones that have info on 2014/2008/2008 r2 but not 2012).

    So basically are you stating that I need to create the 5 basic AD accounts (none being in the Domain Admin account) and none should be added to the Windows Admin group for the local computer?

    Thanks 

    Friday, August 15, 2014 7:10 PM
  • Thank you for your reply

    Not sure if the link is the correct one - this is for Windows Service and Dynamics Nav 2009


    Apologies for posting incorrect link this one is correct one

    http://msdn.microsoft.com/en-gb/library/ms143504.aspx


    Please mark this reply as answer if it solved your issue or vote as helpful if it helped so that other forum members can benefit from it.

    My TechNet Wiki Articles

    Friday, August 15, 2014 7:42 PM
  • In SQL 2012 the default is to use virtual accounts for all services.  Unless you're installing a Failover Cluster Instance or an AlwaysOn AG using with Kerberos Authentication you should probably just use the defaults.

    David


    David http://blogs.msdn.com/b/dbrowne/

    • Proposed as answer by Saeid Hasani Sunday, August 17, 2014 3:15 PM
    • Marked as answer by ssimon Monday, August 18, 2014 2:30 PM
    Friday, August 15, 2014 7:48 PM
  • Would the easiest thing to do just for me to ask for 5 domain accounts to be created and let the SQL Install do all the backend work?

    "The account assigned to start a service needs the Start, stop and pause permission for the service. The SQL Server Setup program automatically assigns this. "

    Friday, August 15, 2014 7:59 PM
  • >Would the easiest thing to do just for me to ask for 5 domain accounts to be created and let the SQL Install do all the backend work?

    No the easiest thing to do is to not ask for any domain accounts, and use the default virtual accounts.  But if you use domain accounts, then create them ahead of time and configure them in the installer.

    David


    David http://blogs.msdn.com/b/dbrowne/

    Friday, August 15, 2014 8:19 PM
  • Its good to have dedicated service account for sql service and other sql engine services..

    http://msdn.microsoft.com/en-us/library/ms143504.aspx

    http://msdn.microsoft.com/en-us/library/ms144228.aspx

    when we have to use dedicated service account ?

    http://blogs.technet.com/b/canitpro/archive/2012/02/08/the-sql-guy-post-15-best-practices-for-using-sql-server-service-accounts.aspx


    Raju Rasagounder Sr MSSQL DBA


    • Edited by RAJU RG Sunday, August 17, 2014 3:25 AM
    • Proposed as answer by Saeid Hasani Sunday, August 17, 2014 3:16 PM
    Sunday, August 17, 2014 3:25 AM