Embedded Files
See later in the document for SQL Server Evaluation links for earlier versions
Service Accounts
Service Accounts
"Always run SQL Server services by using the lowest possible user rights. Use a MSA, gMSA or virtual account when possible. When MSA, gMSA and virtual accounts aren't possible, use a specific low-privilege user account or domain account instead of a shared account for SQL Server services. Use separate accounts for different SQL Server services. Don't grant additional permissions to the SQL Server service account or the service groups. Permissions are granted through group membership or granted directly to a service SID, where a service SID is supported." (4)
"When resources external to the SQL Server computer are needed, Microsoft recommends using a managed service account (MSA), configured with the minimum privileges necessary." (2)"Resources external to the SQL Server" would be things like INSERT BULK loading from a file location on a different computer (3)
Virtual Account
Virtual Account
MSA
MSA
gMSA
gMSA
Low Privilege Domain Account
Low Privilege Domain Account
MSSQL Service Account
MSSQL Service Account
The MSSQL Service Account name should own the MS-SQL Service
The service account (in case of a local or AD account) and service SID should not be members of the Windows Administrators group.
SQL2008
(TODO Needs additional info)
New-ADUser -Name "SQL01_SVC" -Enabled $True -AccountPassword (ConvertTo-SecureString -AsPlainText "InitialPassword!!!" -Force)
SQL2012
(TODO Needs additional info)
New-ADServiceAccount -Name "SQL01_SVC" -DNSHostName "SQL01.mydomain.local" -Enabled $True
MSSQL Agent Service Account
MSSQL Agent Service Account
The MSSQL Agent Service Account name should own the MS-SQL Agent Service
The service account (in case of a local or AD account) and service SID should not be members of the Windows Administrators group.
SQL2008
(TODO Needs additional info)
New-ADUser -Name "SQL01_Agent_SVC" -Enabled $True -AccountPassword (ConvertTo-SecureString -AsPlainText "InitPass!!!" -Force)
SQL2012
(TODO Needs additional info)
New-ADServiceAccount -Name "SQL01_Agent_SVC" -DNSHostName "SQL01.mydomain.local" -Enabled $True
Database Administrator Accounts
Database Administrator Accounts
It is recommended to create a "DBA" AD Group and allocate users to that group as appropriate.
The example below creates a user, a group, and allocates the user to the group...
Group Scope
UniversalAccounts from any domain in the same forestGlobal groups from any domain in the same forestOther Universal groups from any domain in the same forestGroup Scope
GlobalAccounts from the same domainOther Global groups from the same domain
Domain LocalAccounts from any domain or any trusted domainGlobal groups from any domain or any trusted domainUniversal groups from any domain in the same forestOther Domain Local groups from the same domainAccounts, Global groups, and Universal groups from other forests and from external domains
Group Type
Security Groups enable assignment of rights and permissions to members of the groupDistribution groups can be used only with email applications to send email to collections of users. Group Type
You can also use New-ADUser in Powershell
Instance Stacking
Instance Stacking
TL/DR; Don't do it. Use Virtualization instead.
Pros
Lower SQL Licesning Costs
Lower Windows Licensing Costs
Easier Windows Patching
https://www.brentozar.com/archive/2016/12/install-multiple-instances-sql-server/
Cons
Much harder performance tuning
Much harder reboot planning
Security challenges
On Linux, you can only have one instance per server.
On Windows you can have up to 50 standalone instances (reduced to 25 for Always On Failover Cluster Instances).
https://blogs.vmware.com/apps/2020/07/licensing-microsoft-sql-server-for-vmware-vsphere-part-one.html
Evaluation Edition Download Links
Evaluation Edition Download Links
Bibliography & References
Bibliography & References
https://docs.microsoft.com/en-us/sql/database-engine/install-windows/install-sql-serverhttps://docs.microsoft.com/en-us/sql/database-engine/install-windows/install-sql-server-from-the-command-prompthttps://docs.microsoft.com/en-us/sql/database-engine/install-windows/install-sql-server-on-server-core
https://docs.microsoft.com/en-gb/archive/blogs/psssql/sql-server-2012-setup-just-got-smarterhttps://learn.microsoft.com/en-us/previous-versions/sql/sql-server-2012/ms143504(v=sql.110)https://www.brentozar.com/archive/2008/03/sql-server-2005-setup-checklist-part-1-before-the-install/https://www.brentozar.com/archive/2008/03/sql-server-2005-setup-checklist-part-2-after-the-install/
Service & Other Accountshttps://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions(2) https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions?view=sql-server-ver16#stand-alone-server-or-domain-controller(4) https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions?view=sql-server-ver16#New_Accounts(3) https://dba.stackexchange.com/questions/276454/whats-the-meaning-of-resources-external-to-the-sql-server-computer-are-neededhttps://www.sqlservercentral.com/articles/configuring-service-account-privileges-for-sql-serverhttps://dba.stackexchange.com/questions/315980/sql-service-account-group-policy-permissionshttps://dba.stackexchange.com/questions/89701/sql-server-service-account-windows-privileges-and-rights
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups
Setup Logshttps://learn.microsoft.com/en-us/sql/database-engine/install-windows/view-and-read-sql-server-setup-log-files
Virtualisation(1) https://blogs.vmware.com/apps/2020/07/licensing-microsoft-sql-server-for-vmware-vsphere-part-one.htmlhttps://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/solutions/sql-server-on-vmware-best-practices-guide.pdf
Instance Stackinghttps://www.brentozar.com/archive/2016/12/install-multiple-instances-sql-server/
SQL2012Microsoft® SQL Server® 2008 Enterprise Evaluation: Trial Experience for IT Professionals
https://docs.microsoft.com/en-gb/archive/blogs/psssql/sql-server-2012-setup-just-got-smarterhttps://learn.microsoft.com/en-us/previous-versions/sql/sql-server-2012/ms143504(v=sql.110)https://www.brentozar.com/archive/2008/03/sql-server-2005-setup-checklist-part-1-before-the-install/https://www.brentozar.com/archive/2008/03/sql-server-2005-setup-checklist-part-2-after-the-install/
Service & Other Accountshttps://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions(2) https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions?view=sql-server-ver16#stand-alone-server-or-domain-controller(4) https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions?view=sql-server-ver16#New_Accounts(3) https://dba.stackexchange.com/questions/276454/whats-the-meaning-of-resources-external-to-the-sql-server-computer-are-neededhttps://www.sqlservercentral.com/articles/configuring-service-account-privileges-for-sql-serverhttps://dba.stackexchange.com/questions/315980/sql-service-account-group-policy-permissionshttps://dba.stackexchange.com/questions/89701/sql-server-service-account-windows-privileges-and-rights
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups
Setup Logshttps://learn.microsoft.com/en-us/sql/database-engine/install-windows/view-and-read-sql-server-setup-log-files
Virtualisation(1) https://blogs.vmware.com/apps/2020/07/licensing-microsoft-sql-server-for-vmware-vsphere-part-one.htmlhttps://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/solutions/sql-server-on-vmware-best-practices-guide.pdf
Instance Stackinghttps://www.brentozar.com/archive/2016/12/install-multiple-instances-sql-server/
SQL2012Microsoft® SQL Server® 2008 Enterprise Evaluation: Trial Experience for IT Professionals
Page updated
Google Sites
Report abuse