Saturday, August 25, 2007

How to change service accounts for a clustered SQL Server computer

(SQL Server 2000 and SQL Server 2005)
Although the account used is automatically assigned the appropriate privileges during the installation process, if the account is changed, it (or the Administrator group) must have the following attributes:

  • It must be a domain account.
  • It must be a member of the local Administrators group (Windows NT 4.0 only).
  • It must be granted the following policies:

a. Act as part of the operating system.
b. Logon as a service.
c. Replace a process-level token.
d. Lock Pages in memory

  • The service account for the Cluster service must have the right to log in to SQL Server. If you accept the default, the account [NT Authority\System] must have login rights to SQL Server so that the SQL Server resource DLL can run the isAlive query against SQL Server.
  • If the service account for SQL Server is not an administrator in a cluster, the administrative shares cannot be deleted on any nodes of the cluster. The administrative shares must be available in a cluster for SQL Server to function.

WARNING: If you need to change the account under which the SQL Server virtual server runs, you must use SQL Server Enterprise Manager. Using this tool to change the service password will make the change on all the nodes and grant the necessary permissions to the selected user account.
If you do not use SQL Server Enterprise Manager to change passwords, full-text search may not function properly and you may be unable to start SQL Server.
If you are using Kerberos Security Support Provider Interface (SSPI) authentication in a SQL Server 2000 and Windows 2000 environment, you must drop your old service principal name (SPN), and then create a new one with the new account information. See the "Security Account Delegation" topic in SQL Server 2000 Books Online for details about using SETSPN to do this.

No comments: