i put myself in a big problem
-
@IT-ADMIN said:
the SQL server is installed on the application server, this application server was before a stand alone server and joined to domain also but the company that install the payroll software on the application server didn't use domain account, they created local admin account on the server application because they do remote support for us sometimes and they know the password of this local admin account (in order not to give them a domain admin account for our security they created local admin account to work with)
tomorrow i will contact them to see this issue, i'm sure they will blame me for deleteting those accountWhy would they need a domain admin account? A domain account that only has needed access on that machine would make a lot more sense, IMHO. Making local accounts doesn't seem to make any sense, even for the situation described.
-
@coliver said:
Wouldn't you be able to demote the application server? That should bring the local admin accounts back.
Not if they were deleted.
-
@scottalanmiller said:
@coliver said:
Wouldn't you be able to demote the application server? That should bring the local admin accounts back.
Not if they were deleted.
Exactly, when you promote a server to a DC the local SAM system gets deleted.
-
@scottalanmiller said:
Why would they need a domain admin account? A domain account that only has needed access on that machine would make a lot more sense, IMHO. Making local accounts doesn't seem to make any sense, even for the situation described.
I'm guessing they didn't consider that option - non Windows Admins (in this case AKA SQL admins) probably don't think about how a domain user can have local admin rights.
-
to be honest with you i don't know much about SQL server and its account, but one thing is sure that the SAM accounts were deleted and these accounts has a direct relation with SQL server connection, how this relation i don't know
the proof that these local account have relation with SQL server is that before promoting the sever everything was fine, as soon as i promote the damn server the connection problem occured
after demoting the server, it was too late because all local accout were deleted except administrator and guest accounts -
@IT-ADMIN said:
to be honest with you i don't know much about SQL server and its account, but one thing is sure that the SAM accounts were deleted and these accounts has a direct relation with SQL server connection, how this relation i don't know
Makes sense, they set up non-domain local accounts. Very unprofessional IMHO. Not something I would expect a consultant to be doing. Rather poor.
I'm afraid that you need to make new accounts and set things up new or go to a backup.
-
@IT-ADMIN said:
after demoting the server, it was too late because all local accout were deleted except administrator and guest accounts
Correct, the accounts are deleted, deleted means that they can't come back. THey were not disabled, they were actually deleted.
-
really i'm lost with this now, i will wait the support guy tomorrow to see how we can set this up,
anyway i will be blamed for this, because i do it without any approval from the management because i never thought that this would cause a problem, -
SQL has a special account called the SA account. If you, or your vendor, know this account you will be able to log into SQL again and create new accounts that have access to the SQL system as needed.
When you create the new accounts, make them Domain User accounts, then if needed give those accounts local admin rights on that server.
-
@IT-ADMIN said:
really i'm lost with this now, i will wait the support guy tomorrow to see how we can set this up,
anyway i will be blamed for this, because i do it without any approval from the management because i never thought that this would cause a problem,I've noticed that you are very silent on restoring from backups. Is this server not critical enough to be backed up?
-
i'm sure if i speak with the management about this, they will said to me no since everything is OK why are you looking for trouble,,,for this reason i act by myself and do it without telling them anything
my intention was only to have a backup DC but things goes wrong out of my expectation -
@IT-ADMIN said:
i'm sure if i speak with the management about this, they will said to me no since everything is OK why are you looking for trouble,,,for this reason i act by myself and do it without telling them anything
Why does this sound so familiar?
Nah, it's just in my head.
-
actually this server application is very important but we don't backup the system image since it is a physical server , we just backup SQL databases
-
@IT-ADMIN said:
actually this server application is very important but we don't backup the system image since it is a physical server , we just backup SQL databases
Any reason it's not virtualized?
-
@Dashrender said:
Any reason it's not virtualized?
it is another story, i'm still afraid of this transition especially the P2V step, it is scary
-
@IT-ADMIN said:
actually this server application is very important but we don't backup the system image since it is a physical server , we just backup SQL databases
That's all I ever do, so don't worry.
Are you just having problems RUNNING SQL or is SQL running but you can't get anyone to access it? You should be able to fire it up by giving it a new account, but the systems that connect to it will need to know the new account. That might require lots of netstat searching.
If no one can get access, you will need to do the same thing as above, but by getting into SQL and setting up user accounts. This will require the SA account or dropping into single user mode and jackin' with the info:
https://msdn.microsoft.com/en-us/library/ms188236(v=sql.105).aspx
-
@IT-ADMIN said:
i'm sure if i speak with the management about this, they will said to me no since everything is OK why are you looking for trouble,,,for this reason i act by myself and do it without telling them anything
my intention was only to have a backup DC but things goes wrong out of my expectationWell in this case I'm afraid that they are correct. You did something without authorization that violates best practices somewhat significantly. It's not surprising that it caused problems. Might be best to own up to the mistake, own it and figure out a path forward rather than hiding. It is what it is, people make mistakes. You need to learn from this. Some things that appear to be issues here are:
- Skipped authorization because you misunderstood the scope of your project.
- Taking risk upon yourself, was there actually a reason to do this or you just wanted to? I'm unclear what prompted you to take on such a major change at all?
- Ask the community, as well as management, before making a change like this. Likely we could have headed this off.
- Breaking best practices is never trivial, BPs exist to protect you. There are plenty of times that you need to do something different than standard or best practice, but when doing so it not the time to assume everything is trivial and will "just work."
- Make sure your third party consultants document everything, know what they are doing and that you have full access to the systems.
- Virtualize every system, the more important the system, the more important it is to virtualize.
- Snapshot systems before making changes, even little ones. There are tools to protect you.
- Take backups. If a system is worth paying to have running, it is worth being backed up.
-
the problem is that the SQL service doesn't want to run, it gives an error
-
@IT-ADMIN said:
actually this server application is very important but we don't backup the system image since it is a physical server , we just backup SQL databases
So there is some conflicting information here:
- Physical means it's not even remotely important. You only run physical when it's so unimportant that no one cares.
- You helped to explain the first point with the second. You don't have backups at all or a way to restore "because" someone decided that the system wasn't important at all. Literally, not at the level many of us treat desktops.
- The issue with not having backups is not because of not being virtualized, we've been backing up full physical systems for decades. Someone just decided not to have backups because, like my first point, they decided that the database is not important.
They can't call something important AND run it as physical AND not take backups. Those things can't go together. Actions speak louder than words, always. At best they don't understand the term "important" because they are defining "important" the same way IT would normally define "trivial or worthless."
-
@IT-ADMIN said:
the problem is that the SQL service doesn't want to run, it gives an error
that should be easy to fix
go to services and double click SQL and look what account it's using.
then create account on your domain give it a GOOD passwordthen go back to the service and put the domainname\user for the username and type in your password.. and you should be good to go for starting SQL.