
Active Directory Objects & Local Policies summary - SQL Server


One of the most important prerequisites for a successful SQL Server failover cluster implementation is the configuration of Active Directory Objects (ADO) & Local Policies (GPO).


Here is a summary of AD objects I created for the installation demo. You can watch the video demonstrating SQL Server 2005 failover cluster installation to see it in action. Click here.


Also, for a list of prerequisites for SQL Server 2005 failover cluster installation, click here.


AD Cluster service account for Microsoft Cluster Service (MSCS)
E.g. 'ClusterServiceAcc'
This is the AD domain account used to start the Cluster Service.
It should be a member of the operating system's Local Administrators group.


Edit Local Policies (GPO) and add the cluster service account to the following:
1. Adjust memory quotas for a process
2. Back up files and directories
3. Debug programs
4. Increase scheduling priority
5. Log on as a service
6. Restore files and directories


AD account for SQL Server 2000 services (one per SQL instance)
E.g. 'LabSQL2K0Account'
This is the AD domain account used for the SQL Server 2000 services.
It should be a member of the operating system's Local Administrators group.


Edit Local Policies (GPO) and add the SQL Server 2000 services account to the following:
1. Adjust memory quotas for a process
2. Bypass traverse checking
3. Lock pages in memory
4. Log on as a batch job
5. Log on as a service
6. Replace a process level token


AD account for SQL Server 2005 services (one per SQL instance)
E.g. 'LabSQLAccount'
This is the AD domain account used for the SQL Server 2005 services. You can have one account for all services or an individual account for each of the SQL Server services.
It is NOT a member of the operating system's Local Administrators group.
This account is added to an AD group, e.g. 'Lab_SQLGroup'.
The group is NOT a member of the OS Local Administrators group.
Its members are: the service account created above.


Edit Local Policies (GPO) and add the SQL Server 2005 services account to the following:
1. Adjust memory quotas for a process
2. Bypass traverse checking
3. Create global objects
4. Impersonate a client after authentication
5. Lock pages in memory (Only if AWE is used)
6. Log on as a batch job
7. Log on as a service
8. Perform volume maintenance tasks
9. Replace a process level token
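
One way to audit the SQL Server 2005 list above on a cluster node, as an added example that is not part of the original post: the function parses a `secedit /export /cfg <file> /areas USER_RIGHTS` file and reports listed rights that neither the service account nor its group holds, plus any rights they hold beyond the list. The domain name `LAB`, the SID and the function name `Test-ServiceAccountRights` are assumptions, and the sample export is constructed.

```powershell
# Constants that secedit writes for the SQL Server 2005 rights listed above.
$Required = @(
    'SeIncreaseQuotaPrivilege',       # Adjust memory quotas for a process
    'SeChangeNotifyPrivilege',        # Bypass traverse checking
    'SeCreateGlobalPrivilege',        # Create global objects
    'SeImpersonatePrivilege',         # Impersonate a client after authentication
    'SeBatchLogonRight',              # Log on as a batch job
    'SeServiceLogonRight',            # Log on as a service
    'SeManageVolumePrivilege',        # Perform volume maintenance tasks
    'SeAssignPrimaryTokenPrivilege')  # Replace a process level token
$Optional = @('SeLockMemoryPrivilege')  # Lock pages in memory (only if AWE is used)

function Test-ServiceAccountRights {
    param([string[]]$InfLines, [string[]]$Principals,
          [string[]]$Required, [string[]]$Optional = @())
    $held = @(); $inRights = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inRights = $Matches[1] -eq 'Privilege Rights'; continue }
        # Entries look like: SeServiceLogonRight = *S-1-5-20,DOMAIN\name
        if ($inRights -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            $holders = $Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
            if ($holders | Where-Object { $Principals -contains $_ }) { $held += $right }
        }
    }
    [pscustomobject]@{
        Missing    = @($Required | Where-Object { $held -notcontains $_ })
        Unexpected = @($held | Where-Object { ($Required + $Optional) -notcontains $_ })
    }
}

# Constructed sample of a secedit user-rights export (not taken from a real system).
# S-1-5-21-1111-2222-3333-1105 is a made-up SID standing in for LAB\Lab_SQLGroup.
$sample = @'
[Privilege Rights]
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1111-2222-3333-1105
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-21-1111-2222-3333-1105
SeCreateGlobalPrivilege = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105
SeBatchLogonRight = *S-1-5-21-1111-2222-3333-1105
SeServiceLogonRight = *S-1-5-20,LAB\LabSQLAccount
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-21-1111-2222-3333-1105
SeLockMemoryPrivilege = *S-1-5-21-1111-2222-3333-1105
SeDebugPrivilege = *S-1-5-32-544,LAB\LabSQLAccount
'@ -split "`r?`n"

$principals = 'LAB\LabSQLAccount', 'LAB\Lab_SQLGroup', 'S-1-5-21-1111-2222-3333-1105'
Test-ServiceAccountRights -InfLines $sample -Principals $principals -Required $Required -Optional $Optional
```

On a real node, pass the lines of the exported file as `-InfLines` and include the SIDs of the account and group among the principals, since secedit writes most holders as `*SID` rather than by name.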


AD Objects summary for the installation videos you find on this blog: