Answered by:
SQL 2012 service accounts best practice

Question
-
I'm installing SQL Server 2012 for ConfigMgr 2012 r2 and I wonder what is the best practice for SQL service accounts.
During the installation of SQL Server, in the server configuration/Service accounts menu I'm allowed to configure following service accounts: SQL Server Agent, SQL Server Agent Database Engine, SQL Server Reporting Services, SQL Server Browser.
Do I have to create separate domain user (not admin) accounts for each service and configure service principal name (SPN) for all of them?
For example: Domain user account named SQLSA for SQL Server Agent, another domain user account SQLADBE for SQL Server Agent Database Engine etc.
Sunday, January 25, 2015 1:18 AM
Answers
-
Hi,
Please read following article
https://msdn.microsoft.com/en-us/library/ms143504.aspx
Please mark this reply as answer if it solved your issue or vote as helpful if it helped so that other forum members can benefit from it
My Technet Wiki Article
MVP- Proposed as answer by Michelle Li Tuesday, January 27, 2015 1:23 PM
- Marked as answer by Lydia ZhangMicrosoft contingent staff Sunday, February 1, 2015 9:37 AM
Sunday, January 25, 2015 4:55 AM -
In addition to Shanky notes, please take a look at these links:
“The SQL Guy” Post #15: Best Practices For Using SQL Server Service Accounts
Guidelines on choosing Service Accounts for SQL Server Services.
How to Create Secure SQL Server Service Accounts
Cheers,
Saeid Hasani
Database Consultant
Please feel free to contact me at DatabaseConsultant@outlook.com as well as on Twitter and Facebook.
[My Writings on TechNet Wiki] [T-SQL Blog] [Curah!] [Twitter] [Facebook] [Email]- Proposed as answer by Michelle Li Tuesday, January 27, 2015 1:23 PM
- Marked as answer by Lydia ZhangMicrosoft contingent staff Sunday, February 1, 2015 9:37 AM
Sunday, January 25, 2015 6:28 AM -
During the installation of SQL Server 2012, the user is prompted to provide service account
credentials. The default service accounts suggested vary depending on whether SQL Server
2012 is installed on a computer running Windows Vista or Windows Server 2008 or on a computer
running Windows 7 or Windows Server 2008 R2. On computers running Windows Vista
or Windows Server 2008 operating systems, the following default service accounts are used:
- NETWORK SERVICE Database Engine, SQL Server Agent, Analysis Services,
Integration Services, Reporting Services, SQL Server Distributed Replay Controller,
SQL Server Distributed Replay Client
- LOCAL SERVICE SQL Server Browser, FD Launcher (Full-Text Search)
- LOCAL SYSTEM SQL Server VSS Writer
On computers running Windows 7 or Windows Server 2008 R2 operating systems, the following
default accounts are used:
- Virtual Account or Managed Service Account Database Engine, SQL Server Agent,
Analysis Services, Integration Services, Replication Services, SQL Server Distributed
Replay Controller, SQL Server Distributed Replay Client, FD Launcher (Full-Text Search)
- LOCAL SERVICE SQL Server Browser
- LOCAL SYSTEM SQL Server VSS Writer
For Windows 7 and Windows Server 2008 R2, you can use a Managed Service Account
(MSA) or a Managed Local Account. The differences between these account types are as
follows:
- Managed Service Account (MSA) This special kind of domain account managed
by a domain controller is assigned to a single member computer and used for running
services. The MSA password is managed by the domain controller. MSAs can register
a Service Principal Name (SPN) with Active Directory. MSAs use a $ name suffix; for
example, CONTOSO\SQL-A-MSA$. You must create the MSA prior to running SQL
Server Setup if you want to use an MSA with SQL Server services.
- Virtual Accounts or Managed Local Accounts These virtual accounts can access
the network in a domain environment and are used by default for service accounts
during SQL Server 2012 setup when run on Windows 7 or Windows Server 2008 R2.
Such accounts use the NT SERVICE\<SERVICENAME>format. You don’t need to specify
a password when using virtual accounts with SQL Server 2012 because this is handled
automatically by the operating system.You should run SQL Server services, using the minimum possible user rights, and use an
MSA or virtual account when possible. If you are manually configuring service accounts, use
separate accounts for different SQL Server services. If it is necessary to change the properties
of service accounts used for SQL Server 2012, use SQL Server tools such as SQL Server
Configuration Manager. This ensures that all necessary dependencies are
updated, which does not happen if you use only the Services console.
Although you can configure domain accounts as service accounts, this strategy requires
more effort because you must ensure that service account passwords are changed regularly.
You must also manage SPNs, which are required for Kerberos authentication.
Best regadsP.Ceglie
- Edited by Pasquale Ceglie Sunday, January 25, 2015 11:09 AM
- Proposed as answer by Michelle Li Tuesday, January 27, 2015 1:24 PM
- Marked as answer by Lydia ZhangMicrosoft contingent staff Sunday, February 1, 2015 9:37 AM
Sunday, January 25, 2015 11:09 AM
All replies
-
Hi,
Please read following article
https://msdn.microsoft.com/en-us/library/ms143504.aspx
Please mark this reply as answer if it solved your issue or vote as helpful if it helped so that other forum members can benefit from it
My Technet Wiki Article
MVP- Proposed as answer by Michelle Li Tuesday, January 27, 2015 1:23 PM
- Marked as answer by Lydia ZhangMicrosoft contingent staff Sunday, February 1, 2015 9:37 AM
Sunday, January 25, 2015 4:55 AM -
In addition to Shanky notes, please take a look at these links:
“The SQL Guy” Post #15: Best Practices For Using SQL Server Service Accounts
Guidelines on choosing Service Accounts for SQL Server Services.
How to Create Secure SQL Server Service Accounts
Cheers,
Saeid Hasani
Database Consultant
Please feel free to contact me at DatabaseConsultant@outlook.com as well as on Twitter and Facebook.
[My Writings on TechNet Wiki] [T-SQL Blog] [Curah!] [Twitter] [Facebook] [Email]- Proposed as answer by Michelle Li Tuesday, January 27, 2015 1:23 PM
- Marked as answer by Lydia ZhangMicrosoft contingent staff Sunday, February 1, 2015 9:37 AM
Sunday, January 25, 2015 6:28 AM -
During the installation of SQL Server 2012, the user is prompted to provide service account
credentials. The default service accounts suggested vary depending on whether SQL Server
2012 is installed on a computer running Windows Vista or Windows Server 2008 or on a computer
running Windows 7 or Windows Server 2008 R2. On computers running Windows Vista
or Windows Server 2008 operating systems, the following default service accounts are used:
- NETWORK SERVICE Database Engine, SQL Server Agent, Analysis Services,
Integration Services, Reporting Services, SQL Server Distributed Replay Controller,
SQL Server Distributed Replay Client
- LOCAL SERVICE SQL Server Browser, FD Launcher (Full-Text Search)
- LOCAL SYSTEM SQL Server VSS Writer
On computers running Windows 7 or Windows Server 2008 R2 operating systems, the following
default accounts are used:
- Virtual Account or Managed Service Account Database Engine, SQL Server Agent,
Analysis Services, Integration Services, Replication Services, SQL Server Distributed
Replay Controller, SQL Server Distributed Replay Client, FD Launcher (Full-Text Search)
- LOCAL SERVICE SQL Server Browser
- LOCAL SYSTEM SQL Server VSS Writer
For Windows 7 and Windows Server 2008 R2, you can use a Managed Service Account
(MSA) or a Managed Local Account. The differences between these account types are as
follows:
- Managed Service Account (MSA) This special kind of domain account managed
by a domain controller is assigned to a single member computer and used for running
services. The MSA password is managed by the domain controller. MSAs can register
a Service Principal Name (SPN) with Active Directory. MSAs use a $ name suffix; for
example, CONTOSO\SQL-A-MSA$. You must create the MSA prior to running SQL
Server Setup if you want to use an MSA with SQL Server services.
- Virtual Accounts or Managed Local Accounts These virtual accounts can access
the network in a domain environment and are used by default for service accounts
during SQL Server 2012 setup when run on Windows 7 or Windows Server 2008 R2.
Such accounts use the NT SERVICE\<SERVICENAME>format. You don’t need to specify
a password when using virtual accounts with SQL Server 2012 because this is handled
automatically by the operating system.You should run SQL Server services, using the minimum possible user rights, and use an
MSA or virtual account when possible. If you are manually configuring service accounts, use
separate accounts for different SQL Server services. If it is necessary to change the properties
of service accounts used for SQL Server 2012, use SQL Server tools such as SQL Server
Configuration Manager. This ensures that all necessary dependencies are
updated, which does not happen if you use only the Services console.
Although you can configure domain accounts as service accounts, this strategy requires
more effort because you must ensure that service account passwords are changed regularly.
You must also manage SPNs, which are required for Kerberos authentication.
Best regadsP.Ceglie
- Edited by Pasquale Ceglie Sunday, January 25, 2015 11:09 AM
- Proposed as answer by Michelle Li Tuesday, January 27, 2015 1:24 PM
- Marked as answer by Lydia ZhangMicrosoft contingent staff Sunday, February 1, 2015 9:37 AM
Sunday, January 25, 2015 11:09 AM