Local system account and Mirroring.

  • Question

  •  

    Hi,

    Is it possible to set up database mirroring between two servers that have SQL Service running under Local system? I tried to set up mirroring between two servers running under Local system but was running into the following error:

    Server or Network address cannot be reached or does not exist.

    What are the pre-requisites for setting up database mirroring if the service runs under Local system? Do I have to configure certificates? Is that mandatory? Can anyone please let me know? Any other gotchas?

    Thanks

    AK

    Wednesday, September 26, 2007 3:37 AM


All replies

  • Hi Ankith,
    You can set up mirroring with the local system account if there are two instances of SQL Server on the same machine!
    You can refer to the link below for setting up mirroring using the local system account with 3 instances of SQL Server on the same machine.
    Certificates are not required!
    http://www.sql-articles.com/articles/dbmrr.htm

    Thanks
    Deepak

    Wednesday, September 26, 2007 3:48 AM
  • Hi Deepak,

    Thanks for your reply. My scenario is not the same as you have mentioned. I have two different servers in the same domain but in different continents and running under local system. They are not instances on the same machine. They are two servers geographically apart. Can I still configure them without certificates?

    Thanks again

    AK

    Wednesday, September 26, 2007 6:08 AM
  • Is there some reason why you can't run the SQL Server services using a domain account?  That is, after all, what Microsoft recommends.  You would have to configure the endpoints to use windows authentication.
    Wednesday, September 26, 2007 2:46 PM
  • Hi Bob,

    Thanks for your reply. I configured the endpoints using Windows authentication but no luck. It still failed. We will use domain accounts.

    Thanks

    AK

    Thursday, September 27, 2007 4:49 AM
  • You can not use local system to span machines. Local system, as the name describes, is LOCAL to the machine it is on. Local system has no security context outside of the local machine. Therefore, it does not have a valid SID on any other machine and can not be resolved. Since it can not be resolved, you can not use it to gain access to any resource external to the machine it exists on. Every Windows machine has an account named local system, but every single one of them is a different account with a SID only valid on its own machine.

    You have to be using either local, named accounts or domain accounts.

    Saturday, September 29, 2007 10:15 AM
  • Hi Michael,

    Thanks a lot for your explanation. I used domain accounts and mirroring now works fine. A follow-up question. Say I have mirroring set up as follows:

    Server1 --> Principal

    Server2 --> Mirror

    Now I want to bring Server3 into the equation and set it up as Mirror for Server1, which means

    Server1 --> Principal

    Server2 --> Mirror1

    Server3 --> Mirror2

    Can I set up mirroring between Server1 and Server3 without completely breaking the mirror between Server1 and Server2 or disturbing anything? What I am looking for is to set up mirroring between Server1 and Server3 and then break mirroring between Server1 and Server2 after mirroring has been established between Server1 and Server3. I don't want to break it before.

    Has anyone run into this kind of situation, and if so, any recommendations?

    Thanks a lot to everyone

    AK

    Sunday, October 14, 2007 5:53 PM
  • Mirroring is done in pairs.  You can have exactly 1 Mirror for exactly 1 Principal.  It is not possible to have more than 1 mirror to a principal, so what you are wanting to do is impossible.

    Monday, October 15, 2007 4:15 AM
  • There is no restriction on running as LocalSystem. The other responses seem to confuse the LocalSystem account with LOCAL SERVICE, which is indeed not supported.

    When running as LocalSystem the two SQL Server instances will authenticate as the computer domain account (domain\machinename$) and this account has to be granted CONNECT permission on the peer's endpoint.

    Wednesday, October 17, 2007 7:06 AM
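
    The grant described in the reply above, written out in T-SQL as an added example that is not part of the original thread or any poster's code. The domain CONTOSO, the peer host SERVER2 and the endpoint name Mirroring are placeholders; the statements are run on SERVER1 and mirrored on SERVER2 with the peer name swapped.

```sql
-- Added example. CONTOSO, SERVER2 and the endpoint name Mirroring are
-- placeholders (assumptions), not values taken from the thread.

-- 1. Which Windows identity does this instance run as?
--    (sys.dm_server_services requires SQL Server 2008 R2 SP1 or later;
--     on older builds check the service's Log On account instead.)
SELECT servicename, service_account
FROM sys.dm_server_services;

-- 2. The mirroring endpoint must be STARTED and use Windows authentication
--    (NTLM / KERBEROS / NEGOTIATE) for a computer account to be accepted.
SELECT e.name,
       e.state_desc,
       e.role_desc,
       e.connection_auth_desc,
       e.encryption_algorithm_desc,
       t.port
FROM sys.database_mirroring_endpoints AS e
JOIN sys.tcp_endpoints AS t
  ON t.endpoint_id = e.endpoint_id;

-- 3. Create a login for the peer's computer account and grant it CONNECT
--    on the endpoint only; no server role membership is needed.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\SERVER2$')
    CREATE LOGIN [CONTOSO\SERVER2$] FROM WINDOWS;

GRANT CONNECT ON ENDPOINT::Mirroring TO [CONTOSO\SERVER2$];

-- 4. Verify which principals hold permissions on the mirroring endpoint.
SELECT p.name  AS grantee,
       sp.permission_name,
       sp.state_desc,
       e.name  AS endpoint_name
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p
  ON p.principal_id = sp.grantee_principal_id
JOIN sys.database_mirroring_endpoints AS e
  ON e.endpoint_id = sp.major_id
WHERE sp.class_desc = N'ENDPOINT';
```

    Step 4 is also a useful audit query: every grantee it lists can open a connection to the mirroring endpoint, and a computer account there covers any service on that host that runs as Local System or Network Service.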
  • http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/sspgch02.mspx

    Technet wrote:

    Local System account

    The Local System account is a predefined local account that can start a service and provide the security context for that service. It is a powerful account that has full access to the computer, including the directory service when used for services running on domain controllers. The account acts as the host computer account on the network and as such has access to network resources just like any other domain account. On the network, this account appears as DOMAIN\<machine name>$. If a service logs on using the Local System account on a domain controller, it has Local System access on the domain controller itself, which, if compromised, could allow malicious users to change anything in the domain they wanted. Windows Server 2003 configures some services to log on as the Local System account by default. The actual name of the account is NT AUTHORITY\System, and it does not have a password that an administrator needs to manage.

    Local Service account

    The Local Service account is a special built-in account that has reduced privileges similar to an authenticated local user account. This limited access helps safeguard the computer if an attacker compromises individual services or processes. A service that runs as the Local Service account accesses network resources as a null session; that is, it uses anonymous credentials. The actual name of the account is NT AUTHORITY\LocalService, and it does not have a password that an administrator needs to manage.

    Network Service account

    The Network Service account is a special built-in account that has reduced privileges similar to an authenticated user account. This limited access helps safeguard the computer if an attacker compromises individual services or processes. A service that runs as the Network Service account accesses network resources using the credentials of the computer account in the same manner as a Local System service does. The actual name of the account is NT AUTHORITY\NetworkService, and it does not have a password that an administrator needs to manage.

    Wednesday, October 17, 2007 7:15 AM
  • Remus,

    I tried with domain\machinename$ and it still did not work. I tried everything to make it work but mirroring could not be set up. Finally, only switching to domain accounts made it work.

    Thanks

    Ankith

    Wednesday, December 12, 2007 3:44 AM
  • Hi Ankith,

    Please tell me how to configure that database mirroring in the same domain, please.

    Monday, September 13, 2010 8:47 AM
  • Hi Ankith,

    How do I switch to domain accounts? I'm facing the 1418 problem, please.

    Thanks & Regards

    Srinath.A

    Monday, September 13, 2010 8:50 AM
  • Hi Srinath,

    Please check that you have restored the database on the mirror server properly. Make sure you use the "NO RECOVERY" option. The database should appear in the "restoring" state in the GUI on the mirror server.
    Error 1418 normally points to this error.

    Tuesday, September 14, 2010 3:43 AM
  • http://blogs.msdn.com/b/suhde/archive/2009/07/13/step-by-step-guide-to-configure-database-mirroring-between-sql-server-instances-in-a-workgroup.aspx
    Balmukund Lakhani
    Tuesday, September 14, 2010 4:23 AM
  • Hello Srinath,

    Here is a step-by-step guide on how to configure Database Mirroring in a domain environment.

    Hope this may help.


    SKG
    Wednesday, September 15, 2010 6:52 AM