Changed Administrator P/W, MSSQLServer service won't startup 1

[ShawnF]

After discovering a possible internal security problem on our network, I changed the domain administrator password and rebooted our 2 Win2k servers, one being a Terminal Server (application mode)/Exchange Server/File/Print, and the other being SQL 2000 Server. After rebooting and logging in on both machines (and I got to the desktop), I got an error on both machines that said:

"An error 1069 -- (the service did not start due to a logon failure). occurred while performing this service operation on the MSSQLServer service."

Since this service did not start, no one was able to get into our SQL database with an Access frontend. I could ping, browse, and otherwise appear to be able to anything else just fine on both servers, however, SQL wouldn't startup. So, I changed the admin password back to the original and rebooted--now the SQL service starts just fine. I think the error may have appeared on the Exchange/Terminal server because I set it up to log successful and unsuccessful logons.

What's going on? Is MSSQLServer holding a password somewher that I need to update when I change the admin password?

Thanks!

Shawn F.

 

[tlbroadbent]

You can look in the Services and see what login is used to start SQL Server. If it is the Domain Administrator, you'll need to change the password when you change change the admin passsword.

I recommend that you (or your network admin) create another login to start SQL Server. I never setup the SQL server account to be the Network Administrator login. The SQL Server account must be a local administrator and perhaps, if need be, a domain user but not a domain administrator. Terry L. Broadbent
FAQ183-874 contains tips for posting questions in these forums.
NOTE: Reference to the FAQ is not directed at any individual.

 

[ShawnF]

Thanks for the info. I actually am the network administrator (I'm a newbie, and my company is small enough to not require a regular fully certified network admin), and I handle what I can myself. What I can't handle I have the vendor that built and installed our servers do.

This issue is something I normally would ask them to take care of, but I'd rather start learning this stuff for myself so I can understand what is going on.

 

[ShawnF]

A couple thoughts based on your response.

We currently do not have a user created specifically for using to "Log On As" for services. Do the services set up in this fashion require that this user literally log on, or does it merely require that the user be in Active Directory and that the passwords match in AD and in the services properties?

Second, what is the reasoning for not starting these services up with the network admin logon? Is it to prevent access to these rights to malicious users who try to gain access as the admin?

Thanks!

 

[tlbroadbent]

We are not using Win 2K yet so I'm not familiar with Active directory and so forth. I'm sure you can translate NT info.

SQL Server logs on as a service and we don't use that login account for any other purpose. We usually set it up as a local adminstrator and domain user. We set it as a domain user but with limited access to a handful of shares for import/export purposes. It doesn't need to be a domain user if no access to other servers is required.

We start the SQL Agent with the same account. Some may use a different account for the agent.

You want to prevent someone from using SQL Server to manipulate your Network. I'm not sure about security problems with SQL 2000 on Win 2K. There are some noted security holes. If you're interested, visit one of the following sites for SQL security info.

http://www.sqlsecurity.com/

or

http://www.sans.org/infosecFAQ/win/SQL_sec.htm

We don't want to use the network admin logon for SQL server because the Network and SQL admnin are handled by different people. We want to keep the network people out of SQL server as much as possible. Terry L. Broadbent
FAQ183-874 contains tips for posting questions in these forums.
NOTE: Reference to the FAQ is not directed at any individual.