SQL_services_running_under_dedicated_AD_ID_not_AD_Admin_ID

  • Question

  • Hello,

    We recently had a security scan and it was identified that the SQL 2005 server running under Win2003 R2 x32 was using SYSTEM to run the SQL services, and we were told to run the services under a domain ID instead. I was able to get the SQL services to run using a domain ID instead, and the server and databases all start up fine, but the clients trying to connect to this SQL server have experienced issues.

    After doing some research, it appears that the SPN that was created for this SQL server in Active Directory needs to be removed and a NEW SPN needs to be created tying this SQL server to the new domain ID that the SQL services are running under. The problem is that the new domain ID that the SQL services are running under is NOT an AD Domain Admin ID, so the new SPN cannot be created. This appears to be a catch-22? Any suggestions? Thanks in advance!

    Friday, December 17, 2010 3:54 PM

Answers

  • Hi,

    Only the Local System, Network Service or domain administrator account that SQL Server is running under has the privilege to automatically register an SPN for SQL Server in Active Directory; otherwise, the domain administrator must register an SPN for SQL Server manually. To resolve your issue, please log on to the domain under a domain administrator account, delete the existing SPN and add a new SPN. For more information, please refer to Registering a Service Principal Name (http://msdn.microsoft.com/en-us/library/ms191153.aspx).

    Please let me know if you need more help.

    Hope this helps.

    Thanks,
    Chunsong


    Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, December 22, 2010 8:44 AM
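    As an added worked example (not part of Chunsong's reply or of the linked article), this is the delete-and-recreate sequence a domain administrator would type using setspn.exe. The host name sqlhost / sqlhost.corp.example, the domain CORP, the service account svc_sql and port 1433 are placeholders for the poster's environment.

```powershell
# Added example, not from the original thread. Run from an elevated prompt as a Domain Admin.
# Placeholders: sqlhost / sqlhost.corp.example (the SQL Server), CORP\svc_sql (the new
# service account), 1433 (default-instance port). A named instance uses
# MSSQLSvc/host:INSTANCENAME instead of the port.

$spnHost    = "MSSQLSvc/sqlhost:1433"
$spnFqdn    = "MSSQLSvc/sqlhost.corp.example:1433"
$svcAccount = "CORP\svc_sql"
$computer   = "CORP\sqlhost$"   # computer account that held the SPNs while SQL ran as SYSTEM

# 1. List the SPNs currently on the computer account (registered there automatically
#    while the service ran as Local System).
setspn -L $computer

# 2. Remove the stale SPNs. If they stay on the computer account while the same SPNs are
#    added to the service account, the SPN is duplicated and Kerberos authentication
#    fails for clients.
setspn -D $spnHost $computer
setspn -D $spnFqdn $computer

# 3. Register both the short-name and FQDN forms on the service account.
#    -S checks the forest for duplicates before adding (setspn on Windows Server 2008+);
#    the older Windows Server 2003 Support Tools setspn only has -A, which does not check.
setspn -S $spnHost $svcAccount
setspn -S $spnFqdn $svcAccount

# 4. Verify: -Q searches the forest and should report exactly one owner for each SPN,
#    and -X reports any duplicates left behind.
setspn -Q $spnHost
setspn -Q $spnFqdn
setspn -X

# 5. Restart the SQL Server service, then on a client connection confirm that Kerberos
#    rather than NTLM is negotiated:
#    SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;
```

    Step 4 is the check worth keeping after any future account change: a duplicate or missing SPN is the usual cause of the client failures the question describes.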

All replies

  • Lance,

    SQL Server doesn't need an AD domain Admin ID to run the services. However, depending on the configuration settings, you might have to add the domain ID to security policies in certain situations.

    Ex: "Lock Pages in Memory" if you are extending memory limits on 32-bit servers. Try adding it to this and let me know.

    Regards,

    Venu S.


    Venu
    Friday, December 17, 2010 10:27 PM
  • Apparently, from what I am reading, you need a domain AD ID to create the SPN (service principal name) in AD to associate the SQL server. Am I incorrect in my understanding? There already is an SPN in AD that was created when the SQL server services were running under SYSTEM, and it needs to be deleted.
    Monday, December 20, 2010 4:11 PM