i put myself in a big problem

scottalanmiller

@IT-ADMIN said:

i'm sure if i speak with the management about this, they will said to me no since everything is OK why are you looking for trouble,,,for this reason i act by myself and do it without telling them anything
my intention was only to have a backup DC but things goes wrong out of my expectation

Well in this case I'm afraid that they are correct. You did something without authorization that violates best practices somewhat significantly. It's not surprising that it caused problems. Might be best to own up to the mistake, own it and figure out a path forward rather than hiding. It is what it is, people make mistakes. You need to learn from this. Some things that appear to be issues here are:

• Skipped authorization because you misunderstood the scope of your project.
• Taking risk upon yourself, was there actually a reason to do this or you just wanted to? I'm unclear what prompted you to take on such a major change at all?
• Ask the community, as well as management, before making a change like this. Likely we could have headed this off.
• Breaking best practices is never trivial, BPs exist to protect you. There are plenty of times that you need to do something different than standard or best practice, but when doing so it not the time to assume everything is trivial and will "just work."
• Make sure your third party consultants document everything, know what they are doing and that you have full access to the systems.
• Virtualize every system, the more important the system, the more important it is to virtualize.
• Snapshot systems before making changes, even little ones. There are tools to protect you.
• Take backups. If a system is worth paying to have running, it is worth being backed up.

IT-ADMIN

the problem is that the SQL service doesn't want to run, it gives an error

scottalanmiller

@IT-ADMIN said:

actually this server application is very important but we don't backup the system image since it is a physical server , we just backup SQL databases

So there is some conflicting information here:

• Physical means it's not even remotely important. You only run physical when it's so unimportant that no one cares.
• You helped to explain the first point with the second. You don't have backups at all or a way to restore "because" someone decided that the system wasn't important at all. Literally, not at the level many of us treat desktops.
• The issue with not having backups is not because of not being virtualized, we've been backing up full physical systems for decades. Someone just decided not to have backups because, like my first point, they decided that the database is not important.

They can't call something important AND run it as physical AND not take backups. Those things can't go together. Actions speak louder than words, always. At best they don't understand the term "important" because they are defining "important" the same way IT would normally define "trivial or worthless."

Dashrender

@IT-ADMIN said:

the problem is that the SQL service doesn't want to run, it gives an error

that should be easy to fix
go to services and double click SQL and look what account it's using.
then create account on your domain give it a GOOD password

then go back to the service and put the domainname\user for the username and type in your password.. and you should be good to go for starting SQL.

IT-ADMIN

yes you are right Dear Scott in every words you said, i took this risk cuz i want to have a backup DC, the management don't care about backup while everything is running OK,

scottalanmiller

You should be ready to defend the fact that the system was "designated" trivial by whoever made it physical and decided that backups weren't needed. You made two mistakes here yourself, yes, but had this system been treated like a business tool instead of like someone's hobby at home this would not have happened. So the fault is shared. This is a good opportunity to talk to management about how they don't take their business as seriously as most of us would take our desktops or laptops at home. To most of us, they don't consider their business as serious as we would consider a hobby, let alone something personal but important.

scottalanmiller

@IT-ADMIN said:

yes you are right Dear Scott in every words you said, i took this risk cuz i want to have a backup DC, the management don't care about backup while everything is running OK,

So a very important learning situation here for you personally are these:

• Never forget who owns the network. It is not yours, it is theirs. If it isn't important to them, it is not important to you. Never cross that line of feeling that it is your network, it is not. That feeling will cause you to have emotional reactions and make you likely to do very bad things (the AJ scenario). You need to manage it in the way that they want, not in the way that you want.
• Don't take on risks personally to do things. There is not a reason to do this. Most IT pros have the same feelings that you do, it is really hard to not want to do things "right" or "better" but that should be a business decisions, not a personal one, unless the decision is given to you by the business. Do not take on personal risk to try to protect a business that does not want to protect itself.

scottalanmiller

As far as moving forward, check out this link and see if you can make new accounts to access the database.

http://zarez.net/?p=105

IT-ADMIN

thank you guys for your help

i don't have the mood to try anything now cuz really this problem makes me tired and it is 1:16 PM now,
so i have to sleep now and tomorrow i will try what you told me

see you guys tomorrow

have a great night

scottalanmiller

@IT-ADMIN said:

thank you guys for your help

i don't have the mood to try anything now cuz really this problem makes me tired and it is 1:16 PM now,
so i have to sleep now and tomorrow i will try what you told me

see you guys tomorrow

have a great night

Good luck, hit us up when you start working on this tomorrow and we will see what we can do to help.

Reid Cooper

Sounds like you are having a rough day. Get some rest and maybe we can get this fixed tomorrow. Has anyone noticed yet?

shybrsky

u should make a backup before u did this my fren ..

IT-ADMIN

@Dashrender said:

@IT-ADMIN said:

the problem is that the SQL service doesn't want to run, it gives an error

that should be easy to fix
go to services and double click SQL and look what account it's using.
then create account on your domain give it a GOOD password

then go back to the service and put the domainname\user for the username and type in your password.. and you should be good to go for starting SQL.

thank you very much dude, you really saved me, the problem was due to SQL service not running because it was set to run using a local account, off course after this account was deleted the service cannot run, as soon as i changed the service logon account to domain administrator the service start successfully and the connection was successful

ouuuf it was a terrible nightmare but also a lesson

thank you @dashrender and thank you guys

Dashrender

Now that you have that working, don't stop there!

Create a dedicated user account in AD for SQL. Then assign it local admin rights on the SQL server. The replace the domain admin credentials you currently have running SQL.

Reasons for doing this: If you leave the Domain Admin user in there for SQL, if SQL is compromised, the hacker will have Domain Admin level privileges to your entire domain.

IT-ADMIN

@Dashrender said:

Now that you have that working, don't stop there!

Create a dedicated user account in AD for SQL. Then assign it local admin rights on the SQL server. The replace the domain admin credentials you currently have running SQL.

Reasons for doing this: If you leave the Domain Admin user in there for SQL, if SQL is compromised, the hacker will have Domain Admin level privileges to your entire domain.

thank you for your advice, but i no longer care about security since everything is fine lol
as Scott mentioned: why i should care about the business if the owner don't care
i fear if i change something now i may get an issue, so i will just keep everything as it is

Dashrender

@IT-ADMIN said:

thank you for your advice, but i no longer care about security since everything is fine lol
as Scott mentioned: why i should care about the business if the owner don't care
i fear if i change something now i may get an issue, so i will just keep everything as it is

Because you have changed the situation from what it was before. Before you upgraded to AD, the account was local, limiting liability only to that machine. Now if SQL is hacked, they potentially have full access to your entire network.

Making my suggested change will at least get you mostly back to the previous state, but not fully.

IT-ADMIN

ok i do what you told me but i have to restart the SQL service so that the new logon account will take effect, when the HR Dept finish working with the payroll application then i can restart it

Dashrender

@IT-ADMIN said:

ok i do what you told me but i have to restart the SQL service so that the new logon account will take effect, when the HR Dept finish working with the payroll application then i can restart it

Sounds like a good plan

IT-ADMIN

@Dashrender said:

@IT-ADMIN said:

ok i do what you told me but i have to restart the SQL service so that the new logon account will take effect, when the HR Dept finish working with the payroll application then i can restart it

Sounds like a good plan

thank you Sir

scottalanmiller

Glad to hear that everything is back up and working. Did anyone notice very much?