I have a merge replication set up, with a publication on our dev server (SQL Server 2008 R2 SP2) and a subscription on my local machine. The publisher is acting as its own distributor. The publisher and distributor connections in the subscription properties on my local machine are using a login (from the dev server) that is in the publication access list (PAL) of the publication. If I add this login to the sysadmin server role on the publisher, everything works fine when I sync the subscription. But if I remove the login from the sysadmin server role, the sync does not work -- I get a timeout ("The operation timed out").
My understanding was that I just needed to add the login to the PAL, but I must be missing something with the necessary permissions.
Another question I have is whether it's possible to create a database role whose members would automatically be added to the PAL. I read somewhere that this is possible with SQL Server 2008 SP3; I'm wondering if it's possible with SP2. Or is there a way to create a database role that would have all necessary permissions, so that its members (users) could be used in a subscription (as the publisher and distributor connections) ?
The background of all this is that we have users who will subscribe to our publication, but we only want to replicate data based on their login. So we have filter rows on our articles that use SUSER_SNAME().
Thanks in advance.
Brad
If this is a push subscription then the Merge Agent process account used to make connections to the Publisher and Distributor must be db_owner in the distribution database, be a member of the PAL, a login associated with a user in the publication database, and have read permissions on the snapshot share.
If this is a pull subscription then the Merge Agent process account used to make connections to the Subscriber must be db_owner in the subscription database. The account used to connect to the Publisher and Distributor must be a member of the PAL, a login associated with a user in the publication and distribution databases, and have read permissions on the snapshot share.
This is all covered in the section Permissions That Are Required by Agents in Replication Agent Security Model.
Related
Can I create a credential in SQL Server 2012 for a group? Not an individual user.
I am trying to give a group of users access to execute SSIS packages using the SQL Server Agent. which requires a proxy account on a credential.
Instead of creating a credential for every single user, I just want to create one credential. I do not know the password for the group, is there a password which exists that the DBAs might know of?
These are two different things.
On the SSIS side, your SSIS package has to run in a security context that gives it rights to do what it needs - connect to databases, open remote files etc. This has nothing to do with the user that starts the package.
On the user side, users need to have rights to execute the package. The user does not need the same file and database rights as the package. So hopefully you can understand these are two different security items.
Your SQL Agent proxy needs to be granted all rights required by the package. This is a single credential (windows account). It isn't a group. A group doesn't have a password, it just contains a bunch of logins
Your users on other hand can be belong to a windows group. Then you add that group to the SQL Server as a SQL Server login. Then you give that windows group access to the msdb or SSISCatalog database and add them to appropriate roles.
Here are the list of roles:
https://msdn.microsoft.com/en-us/library/ms141053.aspx
and here is a guide on granting access at the individual package level
https://blogs.msdn.microsoft.com/mattm/2012/03/19/ssis-catalog-access-control-tips/
I know that links for answers are frowned on but the main concept is that the package execution security and user rights to execute packages are two separate things
I'm having trouble configuring merge replication over untrusted domains.
I have a remote serverA which has a real IP and I configured this server to be his own distributor and publisher and also a ftp-server for the snapshot folder to be shared. I created a windows login which has the sysadmin permission and has users having the db_owner role on both the replicated Database and distribution database and the merge PAL role and the sql-server agent is log on as this windows login and also this login is the job owner for all the jobs that is on the distribution.
And my local serverB is the subscriber server doesn't have a static IP. I configured this server to be the subscriber and to get the snapshot folder from ftp server.
At the distributor, the jobs are running with success, but at the subscriber the job always failing.
When i view the job history, it says job failed. When i view synchronization status it says the process can't connect to the distributor.
When i launched the replication monitor, I found two messages:
Schema script couldn't be propagated to the subscriber
The process couldn't connect to ftpsite using port 2015.
Could someone please help me with this?
DBA needs to remove some TFS 2013 permissions from SQL Server 2012. Which permissions TFS should contain on SQL Server after your first installation? FULL TFS has been installed
SQL Server permissions to first TFS installation I've found but daily permission I couldn't
Another specifics questions are:
Can we remove Optimize Database Job (Release Management)?
This TFS job basically executes Update Statistics and as we are working with shared SQL Server, this routing already exists on our DB
What is impact for TFS to remove "Agent User Role" from MSDB database?
You can check these two links for the details about Database Permissions requirements for TFS: https://msdn.microsoft.com/en-us/library/bb552341.aspx http://blogs.msdn.com/b/bharry/archive/2010/08/20/database-permissions-required-to-configure-tfs.aspx
The followings are some highlight points for your quick reference:
sysadmin and serveradmin for all databases that TFS uses.
CREATE DATABASE - We need this permission to be able to create configuration, collection, and warehouse database.
Reporting Services: Team Foundation Content Manager and either sysadmin or the db_owner group membership for the configuration database, the reporting and analysis databases, and the databases for team project collections.
If you want the user to have sufficient permissions to create a database as part of creating a team project collection, you must grant that user membership in the sysadmin role in SQL Server
To install, upgrade, and configure TFS, the user running the Team Foundation Administration console requires the following permissions and role memberships.
-Membership in the serveradmin server role
-ALTER ANY LOGIN, CREATE ANY DATABASE, and VIEW ANY DEFINITION server scoped permissions
-CONTROL permission on the master database
In addition, I don't it is a good idea to remove the Optimize Database job; and I think it is OK to remove the SQLAgentUserRole, but why do you want to do that?
Ok, I am running SQL Server 2008 R2 on a small environment. I currently have the data on the same drive as the backups (I know, bad idea, but I just inherited this challenge). I have several jobs setup to notify me if they fail.
My boss is good with SQL and knows how to maintain the system, but is not a dedicated DBA, which is why they hired me. Well I was just going thru their setup for the AM jobs and they had several fail last night. Wondering why this did not generate any emails, I decided to do a little digging.
One thing I found was that the SQL Server Agent service was running under a domain login that really isn't used anymore except for SQL. I changed the agent to start under the "local system account" and restarted the service and the emails started coming in. The problem is, that the agent needs to run under the domain credentials due to some of the jobs that run.
How can I set the user account to have the privileges as the local system, to be able to run the emails? As soon as I set the agent back to the domain login, then the emails stopped working.
I can't comment until my reputation is higher so forgive me if this "answer" is off the mark. But the first thing I would check is whether the domain account has permissions to the MSDB database.
http://technet.microsoft.com/en-us/library/ms188719(v=sql.105).aspx
"To send Database mail, users must be a user in the msdb database and a member of the DatabaseMailUserRole database role in the msdb database."
I am trying to replicate a database from SQL server 2000 to 2005 they are located on two different servers both running Windows Server 2003 R2. Im am using SERVER1(SQL2000) as the Transactional publisher and distributor and SERVER2(SQL2005) is the subscriber. I can set up the publication and subscription but when I try to syncronize them I get the following error:
SERVER1-TestReplication-TestReplication-IBSCNVII-ReplicationCNVII_2-99956FE2-402A-48D5-B801-2CBADF12BD3E has server access (reason: Could not obtain information about Windows NT group/user '', error code 0x5. [SQLSTATE 42000] (Error 15404)).
Do I need to add my domain user to a certain user group on server? Any ideas?
0x5 means "access denied" and that you're not allowed to query active directory user information. Likely, the sql server service account does not have proper domain privileges to perform look ups in AD. This could be caused by an account password simply being expired and therefore not enabling SQL to validate against AD or some other issue like services running as local system and not a domain account.
I would recommend confirming that both SQL servers are using a valid domain account and not something like local system. Then check that that domain account isn't locked up or expired.
make sure that the service account you are using to execute the replication has the appropriate rights to both your SQL servers
Aye, check your SqlAgent account in services.msc. Make sure it is a user with rights (in the domain and in SQL). If that fixes it, make sure you lookup the minimum rights required before you go into production.