 Log Shipping Security Problem


Stamey
Starting Member

14 Posts

Posted - 2009-02-17 : 09:07:49
I am new at this customer site and have taken over the SQL administration. I have set up log shipping between a local SQL box and a box at a remote data center.
All boxes are Win2003, SP2.
ServerA, the principal, build 3042, backs up the DB to \\ServerB\Share.
ServerB, the secondary, build 3042, runs the job to copy the backup to another location and the job to restore the backup to the secondary DB, which is in read-only mode.
There is a second instance of SQL Server installed on the Principal box and it is used as the Monitor. This is ServerA\Develop, build 1399.
All SQL Server services on all instances/boxes are running as the "Local System account", with the exception of "SQL Integration Services" on ServerA, which is running as "Network Service".

Here's my question. Why does this work?
All docs I have seen state that the SQL Server services involved in a log shipping scenario must be running under accounts that have access to the network resources they must access. This makes sense to me, and has always been this way in every other log shipping setup I have done, but this one is working without using network accounts for the SQL services and I don't know why.
I have wondered if it could be because the "NT Authority\System" account has the same SID for all Win 2003 installations.
Does anyone know why this LS setup could bypass security?

Thanks,
Chris

saurabhsrivastava
Posting Yak Master

216 Posts

Posted - 2009-02-24 : 13:50:23
I think it works if you have the same password on the standby server.
Local system account - The local system account presents the local computer's credentials to the remote servers. A service running under this account cannot establish an authenticated session because the local system account does not belong to the EVERYONE group in the domain. As a result, a service that uses this account can only access network resources using a NULL session.
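The check a practitioner would run before trusting a setup like this is to audit which identity each SQL service actually runs as and which identities the backup share grants access to. The script below is an added example, not code from the thread; ServerA, ServerB and the share name come from the original post, the service-name filter is an assumption, and it must be run from an account with admin rights on both boxes. A service running as Local System on a domain-joined host authenticates to remote shares as the machine's computer account (DOMAIN\ServerA$), so an ACL entry for that account, for Everyone or for Authenticated Users is what usually explains access "without" a network service account.

```powershell
# Added example (not from the thread). Hostnames and share name are taken
# from the post; the service-name filter is an assumption.
$primary   = 'ServerA'
$secondary = 'ServerB'
$shareName = 'Share'            # \\ServerB\Share in the post
$sharePath = "\\$secondary\$shareName"

# 1. Which account does each SQL Server / SQL Agent service run as?
foreach ($computer in @($primary, $secondary)) {
    Write-Host "== SQL services on $computer =="
    Get-WmiObject -Class Win32_Service -ComputerName $computer |
        Where-Object { $_.Name -like 'MSSQL*' -or $_.Name -like 'SQLAgent*' } |
        Select-Object Name, StartName, State |
        Format-Table -AutoSize
}

# 2. Share-level permissions on \\ServerB\Share (who is granted at the share).
Write-Host "== Share permissions on $sharePath =="
$shareSec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
    -ComputerName $secondary -Filter "Name='$shareName'"
$dacl = $shareSec.GetSecurityDescriptor().Descriptor.DACL
foreach ($ace in $dacl) {
    # AceType 0 = allow, 1 = deny; AccessMask is the raw rights bitmask.
    '{0}\{1}  mask=0x{2:X}  type={3}' -f `
        $ace.Trustee.Domain, $ace.Trustee.Name, $ace.AccessMask, $ace.AceType
}

# 3. NTFS permissions on the folder behind the share.
Write-Host "== NTFS ACL on $sharePath =="
(Get-Acl -Path $sharePath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

If the output shows the services running as LocalSystem and the share or folder ACL granting Everyone, Authenticated Users or ServerA$, that grant is the reason log shipping works here; tightening it to the computer account or a dedicated service account is the fix if broader access is not intended.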