We have a number of MS SQL servers in our environment running either SQL Server 2005 Standard/Enterprise or SQL Server 2008 Enterprise. Currently the SQL services are running as Local Service or Network Service, and the MS-recommended best practice is to run as a domain account, which is what we are trying to move towards.
Is the best practice with regards to domain accounts to have a separate domain account per service per server? So if we have 4 SQL services we want to run per server and we have 50 servers, we would create 50 * 4 = 200 accounts in AD? This seems excessive to me and I was wondering if anyone has any real experience with this type of setup and its management.
I generally create a single domain service account and use that for all of the services on all of the servers. My suggestion would be to do one of two things:
1. Create a single domain service account that is used for all services on all servers.
2. Create a domain service account for all of the services on each server, so you'll have a separate service account for each server instead of four service accounts for each server.
If your AD schema is at 2008 R2 and the SQL servers are also R2, you may want to investigate Managed Service Accounts. (It looks like this can be used if you're on earlier versions, but it sounds like more of a pain than it's worth.)
You can set up scheduled & automatic password changes, convert existing service accounts to be managed, set account expiration, create them on the domain or locally... It looks like the accounts will then have new passwords generated for them according to the domain policy "Domain Member: Maximum machine account password age" under Local Policy\Security Options.
We run all our SQL services under the domain administrator account. Our network security policy is such that we need to change the domain admin password often. One alternative I have is to create a domain user with admin privileges. Is this advisable, or should I use the admin account only, or are there any alternatives with better security? Please give your feedback.
Regards, Praveen
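Before choosing between the account layouts discussed in this thread, it helps to inventory what each SQL service currently logs on as and how many servers depend on each account. The following is an added example, not code from any of the posters; the function names, the service-name filter, and the server, domain and account names are assumptions made for illustration.

```powershell
# Added example; server, domain and account names are constructed.
# Live collection: one row per SQL-related service per server (needs remote WMI access).
function Get-SqlServiceLogon {
    param([string[]]$ComputerName)
    $filter = "Name LIKE 'MSSQL%' OR Name LIKE 'SQLAgent%' OR Name = 'SQLSERVERAGENT' " +
              "OR Name LIKE 'ReportServer%' OR Name LIKE 'MSOLAP%'"
    foreach ($c in $ComputerName) {
        Get-WmiObject -Class Win32_Service -ComputerName $c -Filter $filter |
            Select-Object @{n='Server';e={$c}}, Name, StartName
    }
}

# Tag each row with the kind of identity the service logs on as.
function Add-LogonClass {
    param(
        [Parameter(ValueFromPipeline = $true)]$Row,
        [string[]]$PrivilegedAccount = @()  # accounts the caller knows hold domain admin rights
    )
    begin { $builtin = '^(LocalSystem|NT AUTHORITY\\(SYSTEM|Local ?Service|Network ?Service))$' }
    process {
        $class = 'DomainUser'
        if ($Row.StartName -match $builtin) { $class = 'BuiltIn' }
        elseif ($PrivilegedAccount -contains $Row.StartName) { $class = 'PrivilegedDomain' }
        elseif ($Row.StartName -match '^\.\\') { $class = 'LocalUser' }
        $Row | Select-Object Server, Name, StartName, @{n='Class';e={$class}}
    }
}

# Per account: how many servers and services depend on that one password.
function Get-AccountReach {
    param([Parameter(ValueFromPipeline = $true)]$Row)
    begin { $rows = @() }
    process { $rows += $Row }
    end {
        $rows | Group-Object StartName | ForEach-Object {
            New-Object PSObject -Property @{
                Account  = $_.Name
                Class    = $_.Group[0].Class
                Servers  = @($_.Group | Select-Object -ExpandProperty Server -Unique).Count
                Services = $_.Count
            }
        } | Select-Object Account, Class, Servers, Services | Sort-Object Servers -Descending
    }
}

# Constructed sample rows standing in for Get-SqlServiceLogon output.
$sample = 'SQL01,MSSQLSERVER,NT AUTHORITY\NetworkService', 'SQL01,SQLSERVERAGENT,LocalSystem',
    'SQL02,MSSQLSERVER,EXAMPLE\Administrator', 'SQL03,MSSQLSERVER,EXAMPLE\svc-sql',
    'SQL04,MSSQLSERVER,EXAMPLE\svc-sql' | ConvertFrom-Csv -Header Server, Name, StartName
$sample | Add-LogonClass -PrivilegedAccount 'EXAMPLE\Administrator' | Get-AccountReach
```

For live data, pipe `Get-SqlServiceLogon -ComputerName <your server list>` into `Add-LogonClass` in place of `$sample`.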