Cluster – SQL Service account | SQL Server Performance Forums

SQL Server Performance Forum – Threads Archive

Hi, I am using SQL Server 2k SP3a on Win 2k Advanced Server. Cluster with 2 nodes.
I am updating the SQL Server service account via the EM. Everything works fine with the new service account; I can move the group from one node to the other both ways, no problem. But after a while, when I try to do it again, the SQL Server services fail with an error something like "Account doesn’t have enough permissions on the server". Any idea?
The account that I am using to start the SQL Server services is admin on both nodes.
Be sure to set Full Control for the startup account for the MSSQLServer service and the SQLServerAgent service on the registry and NTFS Permissions on the Disk. It must be granted the following policies:
-Act as part of the operating system.
-Logon as a service.
-Replace a process-level token.
The service account for the Cluster service must have the right to log in to SQL Server. If you accept the default, the account [NT Authority\System] must have login rights to SQL Server so that the SQL Server resource DLL can run the isAlive query against SQL Server.
If the service account for SQL Server is not an administrator in a cluster, the administrative shares cannot be deleted on any nodes of the cluster. The administrative shares must be available in a cluster for SQL Server to function.
See KBA http://support.microsoft.com/default.aspx?scid=kb;EN-US;254321 for information about Cluster Do’s and Don’ts.
HTH
Satya SKJ
Moderator
http://www.SQL-Server-Performance.Com/forum
This posting is provided “AS IS” with no rights for the sake of knowledge sharing.
I checked the cluster account. It is admin on the nodes and, via the Admin login account in SQL Server, has access to SQL Server. Plus, if I reset the SQL Server services account with the same account and the same password, it works for a while.
Any issues on the network or information from event log?
Satya SKJ
Nothing that I can relate to this. In the Security I got this Logon Failure:
Reason:The user has not been granted the requested
logon type at this machine
User Name:[user]
Domain:[domain]
Logon Type:5
Logon Process:SCMgr
Authentication Package:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:[workstation]
but that just confirms the fact.
Ah… security policy: check the Local security policy on the server:
From Start -> Control Panel -> Administrative Tools -> Local Security Policy
You need to find the keys in there under Local Policies -> User Rights Assignment: "access this computer from the network" and "log on locally"
-> set them to allow a specified account
Satya SKJ
I doubt that it is the permissions: "access this computer from the network" has permissions assigned for Everybody plus Admins, the other one has permissions assigned for Admins, and the service account is part of the Admins.
Verify that the account has "logon as service" rights as well. Also verify that you’ve typed in the accounts in the format "DOMAIN\myaccount" and not "[email protected]"
It seems that it is the AD Group Policy that is overwriting the Local security policy.
Thank you very much guys.
Then try to include the above policy steps in the AD group policy to take effect.
Satya SKJ
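The thread ends with AD Group Policy overwriting the locally assigned user rights, which fits the Logon Type 5 (service logon) failure in the Security log. As an added example, not part of the original thread, this Python script parses the `[Privilege Rights]` section of a `secedit /export /areas USER_RIGHTS` dump and reports which of the three rights listed above the service account no longer holds, directly or through a group; the SIDs and both exports are constructed samples.

```python
# Added example: find service-account user rights lost between two secedit exports.
REQUIRED = {
    "SeServiceLogonRight": "Log on as a service",
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeAssignPrimaryTokenPrivilege": "Replace a process-level token",
}
DENY = "SeDenyServiceLogonRight"  # a deny entry overrides the grant


def parse_user_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written as *S-1-...; names appear as-is. Compare case-insensitively.
            rights[name.strip()] = {
                p.strip().lstrip("*").lower() for p in value.split(",") if p.strip()
            }
    return rights


def missing_rights(inf_text, principals):
    """List required rights the account lacks, directly or through a group."""
    who = {p.lower() for p in principals}
    rights = parse_user_rights(inf_text)
    problems = [r for r in REQUIRED if not who & rights.get(r, set())]
    if who & rights.get(DENY, set()):
        problems.append(DENY)
    return problems


# Constructed samples; real exports are UTF-16 files, read with encoding="utf-16".
AFTER_RESET = """[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-21-1111-2222-3333-1105
SeTcbPrivilege = *S-1-5-21-1111-2222-3333-1105
SeAssignPrimaryTokenPrivilege = *S-1-5-21-1111-2222-3333-1105
"""
AFTER_GPO_REFRESH = """[Privilege Rights]
SeServiceLogonRight = *S-1-5-21-1111-2222-3333-2001
SeTcbPrivilege =
SeAssignPrimaryTokenPrivilege = *S-1-5-32-544
"""
ACCOUNT = {"S-1-5-21-1111-2222-3333-1105", "S-1-5-32-544"}  # account SID + Administrators

if __name__ == "__main__":
    for label, text in (("after reset", AFTER_RESET), ("after GPO refresh", AFTER_GPO_REFRESH)):
        print(label, [REQUIRED.get(r, r) for r in missing_rights(text, ACCOUNT)])
```

Taking one export right after resetting the account and another once the failure returns shows which right the policy refresh removed, so the same right can be granted in the domain GPO.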