Hi, I am using SQL Server 2k SP3a on Win 2k Advance Server. Cluster with 2 nodes. I am updating the SQL Server service account via the EM, everything works fine with the new service account, I can move the group from one node to the other both ways, no problem, but after a while when I try to do it again the SQL Server services are failing with an error something like "Account doesn't have enough permissions on the server". Any idea?
Ensure to set Full Control for the startup account for the MSSQLServer service and the SQLServerAgent service on the registry and NTFS Permissions on the Disk. It must be granted the following policies: -Act as part of the operating system. -Logon as a service. -Replace a process-level token. The service account for the Cluster service must have the right to log in to SQL Server. If you accept the default, the account [NT AuthoritySystem] must have login rights to SQL Server so that the SQL Server resource DLL can run the isAlive query against SQL Server. If the service account for SQL Server is not an administrator in a cluster, the administrative shares cannot be deleted on any nodes of the cluster. The administrative shares must be available in a cluster for SQL Server to function. KBAhttp://support.microsoft.com/default.aspx?scid=kb;EN-US;254321 for information about Cluster Do's and Dont's. HTH Satya SKJ Moderator http://www.SQL-Server-Performance.Com/forum This posting is provided “AS IS†with no rights for the sake of knowledge sharing.
I check the cluster account. Is admin on the nodes and via the Admin login account in SQL Server has access to SQL Server, plus if I reset the SQL Server services account with the same account, same password it is working for a while.
Any issues on the network or information from event log? Satya SKJ Moderator http://www.SQL-Server-Performance.Com/forum This posting is provided “AS IS†with no rights for the sake of knowledge sharing.
Nothing that I can releate to this. In the Security I got this Logon Failure: Reason:The user has not been granted the requested logon type at this machine User Name:[user] Domain:[domain] Logon Type:5 Logon Process:SCMgr Authentication Package:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name:[workstation] but that just confirm the fact.
Ah... security policy: Check the Local security policy on the server: From Start --> Controlpanel->Administrative tools->Local security policy You need to fint the keys in there under localpolicies->user rights assignment "access this computer from the network" and "log on locally" ->set them to allow a specified account Satya SKJ Moderator http://www.SQL-Server-Performance.Com/forum This posting is provided “AS IS†with no rights for the sake of knowledge sharing.
I doubt that is the permissions the "access this computer from the network" has assigned permissions for everybody plus Admins and the other one has permissions assign for Admins and the service account is part of the Admins
Verify that the account has "logon as service" rights a well. Also verify that you've typed in the accounts in the format "DOMAINmyaccount" and not "yaccount@domain.com"
It seems that it is the AD Group Policy that is overwriting the Local security policy. Thank you very much guys.
Then try to include the above policy steps on the AD group policy to take affect. Satya SKJ Moderator http://www.SQL-Server-Performance.Com/forum This posting is provided “AS IS†with no rights for the sake of knowledge sharing.
