Setting up the appropriate user accounts and establishing the necessary security is one of the easiest steps when creating a cluster. It is also one of the easiest to forget. What I like to do in this step is not only set up the domain service account for the cluster service, but also to set up all of the security I need for my SQL Server cluster all at one time. This way, I won’t forget later on.
Don’t forget that you will need to set up security on both nodes of your cluster. Ensure that security is set up identically on both. And was mentioned on the previous section, be sure only one server node is turned on at the time time when configuring security. If both nodes are turned on before Cluster Services is installed, you could corrupt the shared array.
The first step I always take when setting up security on clustered servers is to set up the security to allow DBA’s to be local administrators on the clustered nodes. Since our company already has a global domain group for this purpose, all I have to do is to add this domain group to the local administrator’s group to each node in the cluster.
SQL Server Service Security
Although this step is not required now (I could wait until I install SQL Server), I like to do it now so that I don’t later forget. As you know, the mssqlserver and the sqlserveragent services need to have accounts to run under. In the case of a cluster, it is mandatory that the account used for this purpose be a domain account. At our company, we have a single domain account we use for this purpose. So all I have to do is to add this domain account to the local administrator’s group to each node in the cluster. Be sure you don’t use different domain accounts for each node, as this would cause you many heartaches later on.
Cluster Service Security
The Cluster Service, which will be installed in the next step, also requires a domain account to run. As part of the Cluster Service setup procedure, you must specify the name of the account and the password. If you currently do not have a Cluster Service domain account, you must set one up in your domain, then add it to the local administrator’s group of each node of the cluster.
Creating Service Accounts
Just in case you are not familiar with creating service accounts, such as the one necessary for the Cluster Service, you need to keep the following in mind when creating one:
- The accounts must be domain accounts, not local accounts.
- Be sure that the option, “User must change password at next logon” is not selected.
- Be sure the option, “Password never expires” is selected.
- Ensure that the account can logon 24 hours a day.
- Select a hard to break password.
Once you have security properly set up, you are now ready to proceed to the next step, which is to install the Cluster Service itself.]]>