i put myself in a big problem
-
@scottalanmiller said:
Why would they need a domain admin account? A domain account that only has needed access on that machine would make a lot more sense, IMHO. Making local accounts doesn't seem to make any sense, even for the situation described.
I'm guessing they didn't consider that option - non Windows Admins (in this case AKA SQL admins) probably don't think about how a domain user can have local admin rights.
-
to be honest with you i don't know much about SQL server and its account, but one thing is sure that the SAM accounts were deleted and these accounts has a direct relation with SQL server connection, how this relation i don't know
the proof that these local account have relation with SQL server is that before promoting the sever everything was fine, as soon as i promote the damn server the connection problem occured
after demoting the server, it was too late because all local accout were deleted except administrator and guest accounts -
@IT-ADMIN said:
to be honest with you i don't know much about SQL server and its account, but one thing is sure that the SAM accounts were deleted and these accounts has a direct relation with SQL server connection, how this relation i don't know
Makes sense, they set up non-domain local accounts. Very unprofessional IMHO. Not something I would expect a consultant to be doing. Rather poor.
I'm afraid that you need to make new accounts and set things up new or go to a backup.
-
@IT-ADMIN said:
after demoting the server, it was too late because all local accout were deleted except administrator and guest accounts
Correct, the accounts are deleted, deleted means that they can't come back. THey were not disabled, they were actually deleted.
-
really i'm lost with this now, i will wait the support guy tomorrow to see how we can set this up,
anyway i will be blamed for this, because i do it without any approval from the management because i never thought that this would cause a problem, -
SQL has a special account called the SA account. If you, or your vendor, know this account you will be able to log into SQL again and create new accounts that have access to the SQL system as needed.
When you create the new accounts, make them Domain User accounts, then if needed give those accounts local admin rights on that server.
-
@IT-ADMIN said:
really i'm lost with this now, i will wait the support guy tomorrow to see how we can set this up,
anyway i will be blamed for this, because i do it without any approval from the management because i never thought that this would cause a problem,I've noticed that you are very silent on restoring from backups. Is this server not critical enough to be backed up?
-
i'm sure if i speak with the management about this, they will said to me no since everything is OK why are you looking for trouble,,,for this reason i act by myself and do it without telling them anything
my intention was only to have a backup DC but things goes wrong out of my expectation -
@IT-ADMIN said:
i'm sure if i speak with the management about this, they will said to me no since everything is OK why are you looking for trouble,,,for this reason i act by myself and do it without telling them anything
Why does this sound so familiar?
Nah, it's just in my head.
-
actually this server application is very important but we don't backup the system image since it is a physical server , we just backup SQL databases
-
@IT-ADMIN said:
actually this server application is very important but we don't backup the system image since it is a physical server , we just backup SQL databases
Any reason it's not virtualized?
-
@Dashrender said:
Any reason it's not virtualized?
it is another story, i'm still afraid of this transition especially the P2V step, it is scary
-
@IT-ADMIN said:
actually this server application is very important but we don't backup the system image since it is a physical server , we just backup SQL databases
That's all I ever do, so don't worry.
Are you just having problems RUNNING SQL or is SQL running but you can't get anyone to access it? You should be able to fire it up by giving it a new account, but the systems that connect to it will need to know the new account. That might require lots of netstat searching.
If no one can get access, you will need to do the same thing as above, but by getting into SQL and setting up user accounts. This will require the SA account or dropping into single user mode and jackin' with the info:
https://msdn.microsoft.com/en-us/library/ms188236(v=sql.105).aspx
-
@IT-ADMIN said:
i'm sure if i speak with the management about this, they will said to me no since everything is OK why are you looking for trouble,,,for this reason i act by myself and do it without telling them anything
my intention was only to have a backup DC but things goes wrong out of my expectationWell in this case I'm afraid that they are correct. You did something without authorization that violates best practices somewhat significantly. It's not surprising that it caused problems. Might be best to own up to the mistake, own it and figure out a path forward rather than hiding. It is what it is, people make mistakes. You need to learn from this. Some things that appear to be issues here are:
- Skipped authorization because you misunderstood the scope of your project.
- Taking risk upon yourself, was there actually a reason to do this or you just wanted to? I'm unclear what prompted you to take on such a major change at all?
- Ask the community, as well as management, before making a change like this. Likely we could have headed this off.
- Breaking best practices is never trivial, BPs exist to protect you. There are plenty of times that you need to do something different than standard or best practice, but when doing so it not the time to assume everything is trivial and will "just work."
- Make sure your third party consultants document everything, know what they are doing and that you have full access to the systems.
- Virtualize every system, the more important the system, the more important it is to virtualize.
- Snapshot systems before making changes, even little ones. There are tools to protect you.
- Take backups. If a system is worth paying to have running, it is worth being backed up.
-
the problem is that the SQL service doesn't want to run, it gives an error
-
@IT-ADMIN said:
actually this server application is very important but we don't backup the system image since it is a physical server , we just backup SQL databases
So there is some conflicting information here:
- Physical means it's not even remotely important. You only run physical when it's so unimportant that no one cares.
- You helped to explain the first point with the second. You don't have backups at all or a way to restore "because" someone decided that the system wasn't important at all. Literally, not at the level many of us treat desktops.
- The issue with not having backups is not because of not being virtualized, we've been backing up full physical systems for decades. Someone just decided not to have backups because, like my first point, they decided that the database is not important.
They can't call something important AND run it as physical AND not take backups. Those things can't go together. Actions speak louder than words, always. At best they don't understand the term "important" because they are defining "important" the same way IT would normally define "trivial or worthless."
-
@IT-ADMIN said:
the problem is that the SQL service doesn't want to run, it gives an error
that should be easy to fix
go to services and double click SQL and look what account it's using.
then create account on your domain give it a GOOD passwordthen go back to the service and put the domainname\user for the username and type in your password.. and you should be good to go for starting SQL.
-
yes you are right Dear Scott in every words you said, i took this risk cuz i want to have a backup DC, the management don't care about backup while everything is running OK,
-
You should be ready to defend the fact that the system was "designated" trivial by whoever made it physical and decided that backups weren't needed. You made two mistakes here yourself, yes, but had this system been treated like a business tool instead of like someone's hobby at home this would not have happened. So the fault is shared. This is a good opportunity to talk to management about how they don't take their business as seriously as most of us would take our desktops or laptops at home. To most of us, they don't consider their business as serious as we would consider a hobby, let alone something personal but important.
-
@IT-ADMIN said:
yes you are right Dear Scott in every words you said, i took this risk cuz i want to have a backup DC, the management don't care about backup while everything is running OK,
So a very important learning situation here for you personally are these:
- Never forget who owns the network. It is not yours, it is theirs. If it isn't important to them, it is not important to you. Never cross that line of feeling that it is your network, it is not. That feeling will cause you to have emotional reactions and make you likely to do very bad things (the AJ scenario). You need to manage it in the way that they want, not in the way that you want.
- Don't take on risks personally to do things. There is not a reason to do this. Most IT pros have the same feelings that you do, it is really hard to not want to do things "right" or "better" but that should be a business decisions, not a personal one, unless the decision is given to you by the business. Do not take on personal risk to try to protect a business that does not want to protect itself.