I setup SQL Server TDE using "Domain Administrator". Everything else setup using regular accounts. Can I safely remove Domain Admin now?

  • Question

  • Dear SQL Experts,

    In the recent past, you helped me so much to successfully set up TDE on Windows Server 2016 with SQL Server 2016. I was logged in as Domain Administrator then to create the hierarchy of keys and certs. The rest was taken over by Devs creating several User DBs. TDE has been working as intended. Now, there's a requirement to remove the Domain Admin account from the picture. Can I safely and easily do this without ramifications? Anything I should prepare or look out for, or is there no link between the Domain Administrator account and the keys and certs that set up TDE and the first User DB?

    Thank you in advance!

    Wednesday, May 31, 2017 1:07 PM

Answers

  • It doesn't really matter how you were logged into the SQL Server. When you set up TDE, the master database saves the encryption key for the encrypted database, and the master database encrypts that with the Windows encryption system. The login who actually initiated the encryption doesn't really matter. So you can remove the domain admin as a login. Of course, I assume you have some other login configured as a member of the sysadmin fixed server role.

    Rick Byham, Microsoft, SQL Server Books Online, Implies no warranty

    • Marked as answer by guesthost Thursday, June 1, 2017 5:58 PM
    Thursday, June 1, 2017 2:54 PM
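    Added example, not from the thread or from Rick: the T-SQL inventory I would run before filing the removal ticket. It assumes the TDE certificate lives in master (the default layout) and uses the placeholder login name `CONTOSO\Administrator` for the domain admin. The last query matters because the service master key is protected by Windows DPAPI under the SQL Server service account, not under any login, so the only account that is actually tied to the key chain is the one the service runs as.

    ```sql
    -- Added example (not from the thread). Placeholder domain admin login:
    -- CONTOSO\Administrator. Run as a sysadmin other than the one being removed.
    USE master;
    GO

    -- 1. How the database master key (DMK) in master is protected.
    --    is_master_key_encrypted_by_server = 1 means the DMK is wrapped by the
    --    service master key (SMK); no login credential is part of that chain.
    SELECT name, is_master_key_encrypted_by_server
    FROM sys.databases
    WHERE name = N'master';

    -- 2. Which certificate protects each database encryption key (DEK), and who
    --    owns that certificate. Sysadmin logins map to dbo in master, so the
    --    owner is normally dbo; if a dedicated database user owns it, DROP USER
    --    for that user will fail until ownership is transferred.
    SELECT DB_NAME(dek.database_id)         AS database_name,
           dek.encryption_state,             -- 3 = encrypted
           dek.encryptor_type,               -- expect CERTIFICATE
           c.name                            AS certificate_name,
           USER_NAME(c.principal_id)         AS certificate_owner,
           c.pvt_key_encryption_type_desc,   -- expect ENCRYPTED_BY_MASTER_KEY
           c.expiry_date
    FROM sys.dm_database_encryption_keys AS dek
    LEFT JOIN sys.certificates AS c
           ON c.thumbprint = dek.encryptor_thumbprint;

    -- 3. Confirm at least one enabled sysadmin remains once the domain admin
    --    login is gone (an empty result here means stop and fix that first).
    SELECT p.name, p.type_desc, p.is_disabled
    FROM sys.server_role_members AS rm
    JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
    JOIN sys.server_principals  AS p ON p.principal_id = rm.member_principal_id
    WHERE r.name = N'sysadmin'
      AND p.is_disabled = 0
      AND p.name <> N'CONTOSO\Administrator';

    -- 4. The account the SQL Server service runs as. The SMK is DPAPI-protected
    --    under this identity; if it is the domain admin, change the service
    --    account through SQL Server Configuration Manager, which re-encrypts
    --    the SMK, rather than deleting the account first.
    SELECT servicename, service_account
    FROM sys.dm_server_services;
    ```

    Whatever the queries show, take a fresh BACKUP CERTIFICATE (with its private key) to secured offline storage before the change, since that backup, not any login, is what restores a TDE database elsewhere.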

All replies

  • Thank you very much for your reply, Rick. I truly appreciate it and am now confident enough to create a ticket to remove the domain admin account this weekend to see how things go. You're the best! Yes, we have another login configured as a member of the sysadmin fixed server role. Again, thanks so much!

    Thursday, June 1, 2017 5:58 PM