i put myself in a big problem
-
yes, as @Dashrender said, the application server after he was a DC, the local account were deleted, now there is a problem in database connection btw applications and SQL server
-
unfortunately i have no snapshot, simply because it is a physical server
-
What is the authentication mechanism being used? Are you using AD Authentication to SQL Server or are you using SQL Server authentication?
-
since i have a connection error, it means that the connection use local account, because all local acconts were deleted (when i go to users and groups i found only 2 account : administrator and guest)
-
@IT-ADMIN said:
since i have a connection error, it means that the connection use local account, because all local acconts were deleted (when i go to users and groups i found only 2 account : administrator and guest)
I am not aware of using local accounts for SQL Server. The SQL Server runs on the box that you put the Domain Controller on or on a separate server?
-
the SQL server is installed on the application server, this application server was before a stand alone server and joined to domain also but the company that install the payroll software on the application server didn't use domain account, they created local admin account on the server application because they do remote support for us sometimes and they know the password of this local admin account (in order not to give them a domain admin account for our security they created local admin account to work with)
tomorrow i will contact them to see this issue, i'm sure they will blame me for deleteting those account
-
@scottalanmiller said:
@IT-ADMIN said:
since i have a connection error, it means that the connection use local account, because all local acconts were deleted (when i go to users and groups i found only 2 account : administrator and guest)
I am not aware of using local accounts for SQL Server. The SQL Server runs on the box that you put the Domain Controller on or on a separate server?
There are two, very misleading types of accounts with SQL. Local and Windows Authentication. Local means SQL only, stored in the master security table. Windows authentication means that it's setup to read the GUIDs of IDs within Windows, be it local or domain. You have to add them in separately.
IT-ADMIN, if you have the sa account, you might be able to pull yourself out of the fire. Get the logs, find out what needs to be recreated, then you will have to rebuild the accounts by hand and reset everyone who might have been accessing it. Certainly better than the current hands in the air pants on fire situation.
-
Wouldn't you be able to demote the application server? That should bring the local admin accounts back.
-
@IT-ADMIN said:
the SQL server is installed on the application server, this application server was before a stand alone server and joined to domain also but the company that install the payroll software on the application server didn't use domain account, they created local admin account on the server application because they do remote support for us sometimes and they know the password of this local admin account (in order not to give them a domain admin account for our security they created local admin account to work with)
tomorrow i will contact them to see this issue, i'm sure they will blame me for deleteting those accountWhy would they need a domain admin account? A domain account that only has needed access on that machine would make a lot more sense, IMHO. Making local accounts doesn't seem to make any sense, even for the situation described.
-
@coliver said:
Wouldn't you be able to demote the application server? That should bring the local admin accounts back.
Not if they were deleted.
-
@scottalanmiller said:
@coliver said:
Wouldn't you be able to demote the application server? That should bring the local admin accounts back.
Not if they were deleted.
Exactly, when you promote a server to a DC the local SAM system gets deleted.
-
@scottalanmiller said:
Why would they need a domain admin account? A domain account that only has needed access on that machine would make a lot more sense, IMHO. Making local accounts doesn't seem to make any sense, even for the situation described.
I'm guessing they didn't consider that option - non Windows Admins (in this case AKA SQL admins) probably don't think about how a domain user can have local admin rights.
-
to be honest with you i don't know much about SQL server and its account, but one thing is sure that the SAM accounts were deleted and these accounts has a direct relation with SQL server connection, how this relation i don't know
the proof that these local account have relation with SQL server is that before promoting the sever everything was fine, as soon as i promote the damn server the connection problem occured
after demoting the server, it was too late because all local accout were deleted except administrator and guest accounts -
@IT-ADMIN said:
to be honest with you i don't know much about SQL server and its account, but one thing is sure that the SAM accounts were deleted and these accounts has a direct relation with SQL server connection, how this relation i don't know
Makes sense, they set up non-domain local accounts. Very unprofessional IMHO. Not something I would expect a consultant to be doing. Rather poor.
I'm afraid that you need to make new accounts and set things up new or go to a backup.
-
@IT-ADMIN said:
after demoting the server, it was too late because all local accout were deleted except administrator and guest accounts
Correct, the accounts are deleted, deleted means that they can't come back. THey were not disabled, they were actually deleted.
-
really i'm lost with this now, i will wait the support guy tomorrow to see how we can set this up,
anyway i will be blamed for this, because i do it without any approval from the management because i never thought that this would cause a problem, -
SQL has a special account called the SA account. If you, or your vendor, know this account you will be able to log into SQL again and create new accounts that have access to the SQL system as needed.
When you create the new accounts, make them Domain User accounts, then if needed give those accounts local admin rights on that server.
-
@IT-ADMIN said:
really i'm lost with this now, i will wait the support guy tomorrow to see how we can set this up,
anyway i will be blamed for this, because i do it without any approval from the management because i never thought that this would cause a problem,I've noticed that you are very silent on restoring from backups. Is this server not critical enough to be backed up?
-
i'm sure if i speak with the management about this, they will said to me no since everything is OK why are you looking for trouble,,,for this reason i act by myself and do it without telling them anything
my intention was only to have a backup DC but things goes wrong out of my expectation -
@IT-ADMIN said:
i'm sure if i speak with the management about this, they will said to me no since everything is OK why are you looking for trouble,,,for this reason i act by myself and do it without telling them anything
Why does this sound so familiar?
Nah, it's just in my head.
