Running SQL Server as a DOMAIN user account.It is a single, two-edged sword. If SQL Server authenticates to the domain, it can have access to the resources of the domain. That is both a blessing and a curse.
It means that (given the proper permissions), the SQL Server can "see" other resources such as disk, printers, etc. The server can then send mail and other forms of messages (that rely on domain authentication).
In general, I usually have one "intereface" server that uses a domain account, but has no end user connections. It does all of the "cross server" work for the whole farm. The other servers use Local System unless some particular reason forces another choice.
-PatP|||Search for MS Best Practices on SQL Server and SQL Agent service accounts.|||with a domain user account the sqlserver and sql server agent accounts can access the local machine and can be audited through the os.
the mssqlserver service can communicate more efficiently with other servers that are domain members.
you can use sqlmail directly(no workarounds) because you will have an exchange mailbox created for your mssqlserver user account.
you can make the accounts [domain users] but give them admin rights on the local sql server machine to control access and use.
you can avoid having to create a cmdexec proxy account for running activex scripts ..
the accounts allow you the ability to perform active directory delegeation and impersonation.
the domain accounts provide for mutal authentication services through kerberos in active directory.sql
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment