Domain user account

  • Question

  • New to SQL Server. Plan to install SQL Server 2005 standard edition on Windows 2k3. After searching a lot of places, I still don't understand what exactly a "domain user account" is. Could someone explain it to me?
    1. Is this an OS account where SQL Server is running?
    2. Or, is this an account under a domain controller on another machine? Is this an account on a DNS server? How do I create it?
    3. Or, is this an account in SQL Server?

    Where is this account located? How do I manage it?

    TIA.
    Friday, November 3, 2006 11:19 PM

Answers

  • A domain account in the Windows world is a user account in a shared security database. The current domain system is called Active Directory. It does not only store user accounts but a wide range of data used in a networking system (groups, computers, printers, software packages...). Those entities are stored on domain controllers, i.e. Windows Server with some services implementing the server side of a domain. You can have multiple domain controllers which replicate the domain data like user accounts with each other. Computers and users which are part of the domain can be authenticated by those domain controllers, so they can get authorized to execute tasks on their or other computers in the domain.

    So:

    1) Typically not, only if your SQL Server is running on a Windows Server which is also a domain controller.

    2) Yes, the account is from a domain controller, or from the security database of a domain which is hosted on its domain controllers. A DNS server plays no specific role here, except that Active Directory does need a DNS server. You create those accounts with Start->Programs->Administrative Templates->Active Directory Users And Computers. This management console is installed on domain controllers. You can manually install it from adminpak.msi which exists on Servers under windows\system32.

    3) No. You can "import" a domain account to give it login rights and assign database roles.

    The nice part about domain accounts is that you have a centralized place for user authentication: once authenticated on a system, that authentication can be used against other computers of the same domain and be authorized to do things on those computers. In contrast, in a workgroup you would need to log on to every computer individually, except when you manage to have your user account and password synchronized manually on all machines you want to access.

    --
    SvenC

    Friday, November 3, 2006 11:42 PM
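
An added example, not part of the original answer: point 3 above written as T-SQL for SQL Server 2005, giving an existing domain account a login and narrowly scoped database roles, then checking the result. The domain `CONTOSO`, the account `webapp_svc` and the database `AppDb` are hypothetical placeholders.

```sql
-- Added example; CONTOSO\webapp_svc and AppDb are hypothetical placeholders.
-- The account must already exist in Active Directory: SQL Server stores
-- only a reference to it (its SID), never its password.
USE master;
GO
CREATE LOGIN [CONTOSO\webapp_svc] FROM WINDOWS
    WITH DEFAULT_DATABASE = AppDb;
GO

-- Map the login to a database user and grant only the roles it needs.
USE AppDb;
GO
CREATE USER [webapp_svc] FOR LOGIN [CONTOSO\webapp_svc];
GO
EXEC sp_addrolemember 'db_datareader', 'webapp_svc';
EXEC sp_addrolemember 'db_datawriter', 'webapp_svc';
GO

-- Verify: domain accounts and groups show up as WINDOWS_LOGIN / WINDOWS_GROUP,
-- accounts that live inside SQL Server itself as SQL_LOGIN.
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE type IN ('U', 'G', 'S')
ORDER BY type_desc, name;

-- Verify the role membership of the new database user.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = 'webapp_svc';
```

Disabling or deleting the account in Active Directory stops it from authenticating to SQL Server, but the login row remains until it is dropped with `DROP LOGIN`.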

All replies

  • Thank you for your response.

    I should state my situation more clearly. Three MS 2003 servers. Plan to install SQL Server 2005 on them. One as principal, one as mirror, and one as witness. Don't have any control on the domain controller.

    I can see my computers on my MS Windows Network. I guess that I only have a computer account on the domain controller. Is it true that only the administrator on the domain controller can add a domain user account? If a domain user account has been added, how do I use this account on my local 2003 server to run SQL Server services? Where do I put the domain user name and password? How do I know this domain user is in trusted domains? In order to set up mirroring, should I use this account on all three machines?

    My database will only be used to accept client requests from IIS on another machine. If running SQL services under a domain user account is too much trouble, and I create the same local user account on all the machines and run the service under this same user account, will this work for mirroring? Do I need to create a certificate?

    Just trying to find an easy way to set up mirroring. MS BOL is not much help.

    Tuesday, November 7, 2006 6:14 PM
  • You can set a domain account as your service account, using the SQL Server Configuration Manager tool. The SQL Server 2005 setup program will also allow you to select a domain account as the service account. For questions on setting up database mirroring, you should however post on the Database Mirroring forum instead of this one.

    Thanks
    Laurentiu

    Tuesday, November 7, 2006 7:40 PM