Re: SMS Backup Task


No, it is not a local administrator. By making the SQL Service Account a
domain user, it is more supposed to be more secure. It appears from the
testing here that SMS does not support SQL running as a domain user account
that is not an administrator. The fact that a directory can be deleted and
re-created without inheritence is also bad karma.

In the MS SMS Security Guide it does recommend making SQL run as domain
user. Bit of a inconsistency here!


"Steve Thompson" <stevethompson@xxxxxxxxxxxxx> wrote in message
news:%23egOHef5FHA.3544@xxxxxxxxxxxxxxxxxxxxxxx
> Is your SQL Server service account a local administrator on the server?
>
> "Tony Gardner" <tgardner100@xxxxxxxxxxx> wrote in message
> news:uCJhHPV5FHA.1148@xxxxxxxxxxxxxxxxxxxxxxx
>> Yes, but note when it runs the task it deletes the subdirectory and
>> recreates it with administrators with full permissions (no inheritence).
> So
>> it doesn't matter what permissions I add, it still doesn't add them to
>> the
>> newly created folders.
>>
>>
>>
>>
>> "Steve Thompson" <stevethompson@xxxxxxxxxxxxx> wrote in message
>> news:uvtUekU5FHA.2040@xxxxxxxxxxxxxxxxxxxxxxx
>> > "Tony Gardner" <tgardner100@xxxxxxxxxxx> wrote in message
>> > news:Ot5v40P5FHA.3496@xxxxxxxxxxxxxxxxxxxxxxx
>> >
>> >> I have configured the SMS backup task to backup SMS. The SQL server
>> >> is
>> >> running as a domain user. W2K3, SMS2003SP1, SQL2000SP4
>> >>
>> >> When the job runs, SQL reports that it cannot write to the SMS backup
>> >> location (D:\backup). 4 errors appear in the Application log saying
>> >> it
>> >> cannot write files.
>> >>
>> >> What appears to happen is that as the task runs, it deletes the
>> >> D:\backup\<sitebackupname> directory and recreates it. It recreates
> the
>> >> directory with administrators full control (no inheritence), the SQL
>> > backup
>> >> job cannot write to this directory.
>> >>
>> >> Now I could give the account administrator rights, or change to a
>> >> local
>> >> system but that defeats the purpose of changing to a local user.
>> >>
>> >> I have modified the sitebackup file to dump the files to a different
>> >> directory then copy the files into their proper location. Its a
>> >> temporary
>> >> workaround but I am after something more permanent.
>> >>
>> >> I was wondering if this issue is an anomoly, a "feature", documented
>> >> fault
>> > ?
>> >> and whether there is a solution for this?
>> >
>> > Have you tried granting both SYSTEM & the account that SQL server runs
>> > under
>> > full control to the "D:\backup" folder level?
>> >
>> > Steve
>> >
>> >
>>
>>
>
>


.

Relevant Pages

  • Re: SMS Backup Task
    ... > domain user, it is more supposed to be more secure. ... > testing here that SMS does not support SQL running as a domain user ... >> Is your SQL Server service account a local administrator on the server? ...
    (microsoft.public.sms.admin)
  • Re: SPN creation
    ... will i need to create an spn for the live sql server service account in order ... front end website to get Kerb delegation to the backend if your AD is 2003 ... form port-specific SPNs for HTTP, ...
    (microsoft.public.windows.server.active_directory)
  • Re: SPN for SSL over common name
    ... you can't register those SPNs under the SQL Server's ... service account is the MSSQL SPN. ... That SPN should be registered under ... Lastly, since the SQL Server is not being used for delegation anywhere, ...
    (microsoft.public.inetserver.iis.security)
  • Cannot Use Non-Administrator Account to Start SQL Server and Force Encryption
    ... I changed the service account of a named instance (product ... a certificate from a Microsft Certificate Server ... the SQL Service. ... SQL Server could not spawn FRunCM thread. ...
    (microsoft.public.sqlserver.security)
  • Re: kerberos SQL service accounts
    ... Also, on the delegation question, you only need to enable delegation on the SQL service account if SQL will be making a call to a remote system on behalf of a remote user it is impersonating. ...
    (microsoft.public.windows.server.active_directory)