Question

When using AlwaysOn Availability Groups does each SQL Instance need to use the same service credentials?

We are setting up a new SQL2014 deployment and will be using AlwaysOn. If I have 2 SQL servers (call them ServerA and ServerB) then can I use 2 active directory accounts called Domain\ServerA_SQLServerService and Domain\ServerB_SQLServerService (one on each server)?

Or do they need to use the same account so I should just create Domain\SQLServerService

The accounts would be in the same domain and can have access to both servers. Previously we've had the SQL Server Service account locked out which has obviously caused problems. What I'd like to do is have 2 accounts so that the likelihood of both being locked out is reduced.

Is there a requirement and/or what is Microsoft's best practice?


Solution

When using AlwaysOn Availability Groups does each SQL Instance need to use the same service credentials?

No, SQL Server service accounts can be different. We have a 3 node cluster running AlwaysON and on all the servers SQL Server is running with a different account.

e.g. if you have one server in NY and the other in LD, then:

Active Directory accounts to be created (these will be the SQL Server service accounts):

NYDB1_sql

LDDB1_sql

Active Directory group to be created: DB1-SQL (both of the above accounts to be members of this group).

One important thing to note, from BOL:

If two server instances run as different accounts, the system administrator must use the CREATE LOGIN Transact-SQL statement to create a login for the startup service account of the remote instance in the syslogins table of the master database of each server instance.

Also, grant the CONNECT permission on the endpoint to the service accounts.

Previously we've had the SQL Server Service account locked out which has obviously caused problems.

You can use group managed service accounts (gMSA), which are new in Windows Server 2012. The only requirement is that you need at least one Windows Server 2012 domain controller, and 2012 or 2012 R2 member servers.
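The two BOL steps above (a login for the remote replica's startup account, plus CONNECT on the mirroring endpoint) as a worked T-SQL script. This is an added example, not code from the answer: the domain name CORP, the endpoint name Hadr_endpoint (the name the Availability Group wizard uses by default) and the account names NYDB1_sql / LDDB1_sql / DB1-SQL are assumptions; substitute your own.

```sql
-- Added example (not part of the original answer). Run on EACH replica,
-- substituting the OTHER replica's service account. Domain CORP, endpoint
-- name Hadr_endpoint and the account/group names are assumptions.
USE master;
GO

-- On NYDB1 (runs as CORP\NYDB1_sql): create a login for the remote replica's
-- startup account so its endpoint connection can be authenticated here.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CORP\LDDB1_sql')
    CREATE LOGIN [CORP\LDDB1_sql] FROM WINDOWS;
GO

-- Let that login connect to the mirroring endpoint. Without this the
-- AG synchronisation fails with a 'Connection handshake failed' style error.
GRANT CONNECT ON ENDPOINT::Hadr_endpoint TO [CORP\LDDB1_sql];
GO

-- On LDDB1 the mirror image is run:
--   CREATE LOGIN [CORP\NYDB1_sql] FROM WINDOWS;
--   GRANT CONNECT ON ENDPOINT::Hadr_endpoint TO [CORP\NYDB1_sql];

-- Alternative that matches the AD group from the answer: grant once to the
-- group, so every member service account (and any future replica's account
-- you add to it) is covered. A gMSA login would be written with a trailing $,
-- e.g. [CORP\DB1gMSA$].
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CORP\DB1-SQL')
    CREATE LOGIN [CORP\DB1-SQL] FROM WINDOWS;
GRANT CONNECT ON ENDPOINT::Hadr_endpoint TO [CORP\DB1-SQL];
GO

-- Verify: who actually holds CONNECT on the mirroring endpoint on this instance.
SELECT e.name            AS endpoint_name,
       sp.name           AS grantee,
       p.permission_name,
       p.state_desc
FROM sys.server_permissions AS p
JOIN sys.endpoints          AS e  ON p.class_desc = 'ENDPOINT'
                                 AND p.major_id   = e.endpoint_id
JOIN sys.server_principals  AS sp ON p.grantee_principal_id = sp.principal_id
WHERE e.type_desc = 'DATABASE_MIRRORING';
```

Run the verification query on every replica after setting it up; each instance must list the other replicas' service accounts (or the shared group) with CONNECT in state GRANT, otherwise that replica will not be able to join the AG from the remote side.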

OTHER TIPS

If you use different Service Accounts for the Engine on each replica, you will not be able to configure the SPN and you will not be able to use Kerberos.

Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange