SQL MP Run As Accounts – NO LONGER REQUIRED
Comments
- Anonymous
August 29, 2016
Finally! Thanks for the article Kevin. - Anonymous
September 06, 2016
Classy mate.....as always. Thanks for another invaluable contribution. - Anonymous
September 08, 2016
Very nice article, thanks Kevin! Does the login as low priv have enough rights to read and collect the information needed? In other words, sa account is not necessary? - Anonymous
September 08, 2016
Yes - low priv is the minimal rights needed to fully monitor SQL with the MP. The only reason I didn't recommend Low Priv in the past, was because it was a pain to administer. With these new addendum MP's that makes it simpler. - Anonymous
September 09, 2016
Great! Thanks Kevin
- Anonymous
September 10, 2016
Thanks for another Excellent contribution Kevin. When will SCOM 2016 be officially released? - Anonymous
September 14, 2016
Good afternoon. Following the action SCOM ceased to be friends with the agents on servers with SQL. Detail Error: "System Center Management Health Service Credentials Not Found Alert Message" Alert Monitor: "System Center Management Health Service Credentials Not Found" - Anonymous
September 15, 2016
Hi all, I'm sorry for this possibly stupid question but it's a little confusing for me. I've installed this MP without any issue (cool) on my Test Environment and for 2 SQL 2014 instances. Everything works well. But I've also installed the SSRS 2014 MP .... and I want to know if I need to follow the RunAsAccount Procedure dedicated to this MP, or not? Thanks for your help - Anonymous
September 15, 2016
I haven't played with the SSRS MP - so I don't know if this runas account model will work for that or not. Normally to monitor SSRS we just need local administrator, which Local System has - but I'd have to research that first. So for SSRS - I'd keep doing whatever you are doing today. - Anonymous
September 15, 2016
Tks Kevin. Always helpful to read you - Anonymous
January 30, 2017
Hey Kevin, Did you ever get a chance to further explore this with SSRS (any version) to see if it worked or not? We're getting conflicting results in our lab by year 2012 vs 2014 vs 2016.
- Anonymous
June 06, 2017
We are having the same issue with SSRS. Tomorrow with the DBAs' help we are going to apply the SID account to the SSRS instance and see if that resolves it. - Anonymous
December 05, 2017
Would love to hear more detail for how others are addressing SSRS. While the SQL engines seem to be monitored properly after following this article, SSRS is erroring on Module: Microsoft.SQLServer2016.ReportingServices.Module.Discovery.DeploymentSeed.
- Anonymous
October 11, 2016
Hello Kevin, I got a strange error during Always On discovery after deploying your solution with running the monitoring agent using ServiceSID. SQL discovery itself is working properly, but I got the following error in AG environments.

    Management Group: XXXXXXXXX. Script: ModuleAction Module: DatabaseReplicaAlwaysOnDiscovery.ps1 Version: 6.7.7.0 : Error occurred during Always On Database Replica discovery.
    Computer: XXXXXXXXX
    Reason: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) Position:210 Offset:26 Instance:DB_PR01
    Detailed error output: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
    --------
    Property _CreationTime does not exist at path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Modules{597EDA61-F992-03CB-5EAD-95FFE9169439}\S-1-5-18\Script\SQL2014MP\SqlHostNames.
    --------
    Property _CreationTime does not exist at path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Modules{597EDA61-F992-03CB-5EAD-95FFE9169439}\S-1-5-18\Script\SQL2014MP\SqlHostNames.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Modules{597EDA61-F992-03CB-5EAD-95FFE9169439}\S-1-5-18\Script\SQL2014MP\SqlHostNames exists, but the value mentioned, "Property _CreationTime", is not there; there is something like this: "SQLFQDN"_CreationTime. Are there some more rights needed on OS level to discover proper registry values, or is it a problem of the SQL MP itself? Same problem with SQL 2012 and SQL 2014. Looking forward to your answer.
- Anonymous
November 01, 2016
I'm investigating a suitable configuration workaround for this now. They changed the MP and added a workflow that does a remote connection to other servers in the AG. This didn't exist in previous versions of the MP. - Anonymous
November 01, 2016
I documented the fix at the bottom of the article. It's simple
- Anonymous
October 20, 2016
Hi Kevin, has this been tested against SQL Clusters? Does it work the same way? - Anonymous
October 20, 2016
Yes, and it does for me, no complaints from my customer testing as well. - Anonymous
December 15, 2016
Thanks. And what are the steps here? Enable SID on each node. Create login on active node. Then?
- Anonymous
October 26, 2016
Hi Kevin, Had hoped your new addendum MP was finally going to resolve my ongoing headache of administering my RunAs account distribution config for monitoring our SQL estate. However I'm having ongoing issues esp Re discovery of SQL 2012 which appears to be a common problem as per a number of posts on https://social.technet.microsoft.com/Forums/systemcenter/en-US/a7d7d4cc-ba08-4263-b08a-6455d75b4e1c/sql-mp-6770-access-denied-for-always-on?forum=operationsmanagermgmtpacks

So was wondering if you could clarify a few queries:

1. Does your addendum config using SSID negate the need for the additional steps Dmitriy Kalashnakov mentions in the blog post for all the additional config of WMI security on all other replicas in availability group - or do we still need to perform these additional WMI config steps on replica machines? Dimitriy also mentions "While we do not support the ServiceSID for HealthService...." - so not sure how that stacks up?
2. If I create the HealthService login as Low Priv, must I then continue to configure the low priv environment on the agent machine - just confused on this as the MP guide describes this in terms of the RunAs config/distribution using the SQLDefaultAction, SQLDiscovery and SQLmonitoring accounts which we are not now using if going with SSID config.
3. If I create HealthService Login as SA, is it doing anything different regarding the WMI/registry permission stuff (as per Low Priv) or just giving higher SQL level permissions (apologies for my confusion but I'm def not a SQL guy)
4. Should your Addendum MP work OK with SQL MP ver 6.7.7.0, which is the version I upgraded to?

Just for clarification I'm using Local system as default action account and I have removed the RunAs configuration which was previously used (but was not working particularly well ever since previous upgrade to 6.7.2.0 which I hoped the SSID/Addendum MP was going to resolve).
Cheers
- Anonymous
November 01, 2016
1. No - but I documented a simpler solution in the article now.
2. There are two privs - OS rights, and SQL rights. No configuration is required for the OS - since Local System has everything needed. For SQL - we are using the Service SID which is more secure and much easier to configure and maintain.
3. No, just giving higher level SQL permissions (not necessary, but fewer configuration items to troubleshoot)
4. My addendum MP is updated all the time - based on customer feedback and issues I see. It is now 6.7.7.2 at the time of this posting - and works fine with any SQL server MP version from 6.5.1.0 onward.
- Anonymous
October 31, 2016
Kevin, As usual, your mastery of all things SCOM comes to the rescue! (assuming I get it working in my lab first). Do you know if this also works with SQL 2016? I'm having issues getting the RA account to distribute to some new instances. Also, is it possible to do something like this for AD? :D - Anonymous
November 01, 2016
Yes it works with SQL 2016. But I do away with all that distribution mumbo jumbo. :-) AD??? There is no need for RunAS with the ADMP. The ADMP runs under Local System and local system has rights to do just about anything on the domain controller. I have never configured RunAs with the ADMP.
- Anonymous
November 02, 2016
Question for post deployment of the credential trick above. I've had our DBA run the scripts to change the accounts and then removed the Run As from our SCOM instance. I then received a flood of credentials not found alerts. Not unexpected. We ran a test against an availability group to make sure that we would get alerts, which we did. Is it best practice at this point to disable that rule? Also, you are correct on AD Run As. I had set up the account for an added layer of security. However, I've found that it doesn't work too well cross domain... :) - Anonymous
November 02, 2016
Absolutely do NOT disable that rule. You should not have seen any alerts. The proper method to remove a previous RunAs configuration - is to remove the ASSOCIATIONS from the PROFILEs first. Then once those associations have been removed - the agents no longer try to even use the runas account. Next - you would remove the DISTRIBUTION of the credentials. Lastly - once the agents got updated that they no longer need the credential distributed - you delete the credential from SCOM. It is easy - you just go in the exact opposite order as you would when setting up RunAs accounts. - Anonymous
November 04, 2016
Thanks for the clarification, Kevin.
- Anonymous
November 09, 2016
Hi Kevin, Thanks for answering/resolving an issue I posted on the SCOM forum which your updated MP has largely resolved. Just a couple of additional questions on this Addendum MP:

1. I have created my HealthService login in SQL login as Sysadmin (by running your MP task). If our SQL team insist I need to use Low Priv instead, can I just run that task from the SCOM console to overwrite existing account, or do I (or SQL team) need to manually delete the account that had been created as SA role first.
2. If I need to revert agents that have had SID State Enabled (again from running the console task) to use the 'standard' agent setup of Local System which I may then need to distribute a RunAs profile to, how do I go about this - do I need to change a regkey/value or something. The reason being is that the addendum pack and config has resolved 99% of my agent issues but I have a few machines still with discovery monitoring failures. I think the possible cause of this is that they are running SQL 2008 but have some custom scripted mirroring solution which according to the SQL guys replicates (pardon the pun) an Always On type solution on SQL 2008 with mirroring. One of these pairs was being monitored OK using the 'old' method but since changing to use SID it's now failing discovery and therefore not monitoring - and the SQL team advised the other pair happens to use this custom mirroring scripted solution. So was just gonna try and see what happens if I revert them back to no longer use SID...

Thanks again...
- Anonymous
November 14, 2016
Hi Kevin, First of all - thank you for sharing your hard work. I followed one of your posts on the initial scom install, and I used a domain user account as the default run as account. When I manually install scom agent I have the choice to use the "system" account or the domain user account. So far, I have used the domain user account. So, in the context of this post - Does it matter which one I use? Thank you, Martin - Anonymous
January 12, 2017
I always recommend deploying agents using Local System as the default agent action account.
- Anonymous
November 15, 2016
Hi Kevin. Implemented this with great success. Thank you! One thing I have noticed is that servers with SSRS DBs are appearing in the Seed view, but not being picked up in the DBEngine view. Does the monitor not see SSRS DBs as 'proper' engines? - Anonymous
November 15, 2016
The comment has been removed
- Anonymous
November 29, 2016
Hello, how I could fix that/adding Healthservice on SQL which runs on cluster (agentless)? There a nt service\healthservice does not exist - Anonymous
November 29, 2016
I don't understand your question.
- Anonymous
December 06, 2016
Hi Kevin, As you pointed out, in order to use SCOM Healthservice to be able to access SQL server we need to:

1. Enable the HealthService to be able to use a service SID.
2. Create a login for the HealthService SID to be able to access SQL server.

I usually install the Local Agent manually. During the wizard I have two choices for the "Agent Action Account". So far, I have used a Domain Account (which is my default RunAs Account); however, it appears I needed to choose "Local System" instead. Could you confirm it? Thank you Kevin! Martin
- Anonymous
December 06, 2016
Technically - for THIS solution to work - you can use a domain account OR local system - because the whole purpose of using Service SID - is that the SID is used for authentication - it doesn't matter what account is running the service. That said - I never use a domain account for the default agent action account, and always recommend using Local System by default for agents. The only time I'd ever use a domain account for the default agent action account is in a highly secure environment with lowest priv required, and VERY limited monitoring. - Anonymous
December 07, 2016
Thank you Kevin! I really appreciated your timely response. I am in the middle of adding a good number of Windows Servers to SCOM monitoring, and I was in the dilemma on what to use for the “Agent Action Account". With Respect, Martin
- Anonymous
January 04, 2017
Hi Kevin. If you configure a DB Engine to make Healthservice Low Priv only, will this turn the "Healthservice is SA" monitor Healthy? - Anonymous
January 05, 2017
No - if you are using low priv you should disable the monitor that checks to see if it has SA rights. - Anonymous
March 09, 2017
Gah, now I have to 'remember' which were done as Low Priv and which simply aren't done at all (other than checking for Discovery Failed alerts). Be great to see a monitor which confirmed that HealthService had been added. We are really finding this has helped us in our environment, previously ASGs just didn't bother configuring this as it was too much hassle. Many Thanks for the solution.
- Anonymous
January 05, 2017
This package works for SCOM 2016 with SQL MP 6.7.15.0? After importing addendum 6.7.7.2 I didn't see anything in "Monitoring" section ... - Anonymous
January 05, 2017
Yes, it does. Did you look under SQL server as shown in the images above?? - Anonymous
January 06, 2017
Yes, same level as "SQL Server database Engines", and "SQL Server Reporting Services". Addendum MP only visible under "Installed management Packs" in "Administration" section. - Anonymous
January 06, 2017
I understood. For each SQL version, in addition, it is necessary to import an individual MP, which is a separate XML file ... - Anonymous
March 23, 2017
Re: "Yes, same level as “SQL Server database Engines”, and “SQL Server Reporting Services”. Addendum MP only visible under “Installed management Packs” in “Administration” section." I'm having this same issue in SCOM 2012 R2. Is there a resolution?
- Anonymous
January 10, 2017
The comment has been removed - Anonymous
January 12, 2017
NBM - your issue is that your default discovery runs account is getting access denied. Either you are not using local system (which has access to the registry) or you still have runas accounts in your profile associations which are breaking it..... using an account for discovery that doesn't have enough rights. Using this model I prescribe in this article - you should not use any profile associations for the SQL MP's. - Anonymous
January 19, 2017
Thanks Kevin! We got this resolved and cleaned up on our end. Since we originally had 4 SQL LowPriv RunAs accounts (we haven't migrated to our Production environment yet) you can imagine we had these scattered across all the different Profiles for SQL. We removed all the RunAs accounts from these and did another double check against the SQL side and everything is now working as intended. We're currently formalizing a plan now to migrate this to Production. Thanks for this great solution!
- Anonymous
January 11, 2017
How do I setup the SID user (NT SERVICE\HealthService) in the Run As Account from the console? When I try to create the Run As account, it requires a password, which the SID doesn't have. So I can't create the Run As account. I'm missing something here? - Anonymous
January 11, 2017
Ok. Ignore my last question. I just realized that the whole point of this is not to use a defined Run As account. Once the SQL portion is setup correctly, the service will have permissions. So no need to add a run as account at all. Thanks for the great article. - Anonymous
January 12, 2017
You got it Bob.
- Anonymous
January 12, 2017
Hi Kevin, thank you for your article. I could import your MP, but no folder named "SQL Server RunAs Addendum" under "MONITORING > Microsoft SQL Server". Best Regards, Birdal - Anonymous
January 12, 2017
Did you import the library? That contains the views. - Anonymous
January 12, 2017
Hi Kevin, I had only imported Library, but not xml. Now I exported also xml, I can see folders.. Thank you. Regards, Mustafa
- Anonymous
January 16, 2017
Hi Kevin – Your SQL RunAs addendum MP works great for SQL 2008/2012 but once I try to use it for SQL 2014 I get the SQLCMD.exe error. I have been trying to figure this out on my own and in my case I think it’s due to the fact that the SQL Server 2014 DB Engine (Discovery) seems to be looking at the registry value of SQLPath when actually the path to the SQLCMD.exe is under the registry value ODBCToolsPath. So my for ToolsPath points to (SQLPath) F:\Program Files\Microsoft SQL Server\120\Tools\Binn\ instead of (ODBCToolsPath) F:\Program Files\Microsoft SQL Server\Client SDK\ODBC\110\Tools\Binn\

I reviewed the SQL Server 2014 DB Engine Discovery Source for 6.7.15.0 MP from http://systemcentercore.com/?GetElement=Microsoft.SQLServer.2014.DBEngineDiscovery&Type=DataSourceModuleType&ManagementPack=Microsoft.SQLServer.2014.Discovery&Version=6.7.15.0 and searched for ODBCPath (which didn’t return anything) then SQLPath and located

    Public Property Get ToolsPath()
        If (m_bIs64Bit) Then
            ToolsPath = g_oSQL.ReadRegistryStringValue(g_oSQL.SQL_TOOLS_PATH_WOW64, "SQLPath")
        Else
            ToolsPath = g_oSQL.ReadRegistryStringValue(g_oSQL.SQL_TOOLS_PATH, "SQLPath")
        End If
        If (IsNull(ToolsPath)) Then
            ToolsPath = ""
        End If
    End Property

I am not sure but it really does seem to me that this is why I am getting the sqlcmd.exe error. I haven’t seen any other posts with my issue and at this point I am not even sure if I am looking in the right place or if there is anything that I can do from my side to get this to work outside of having the SQL DBA’s run the HealthService SID task manually. Any guidance/suggestions would be appreciated.
Thanks, Wes
- Anonymous
January 16, 2017
Hi Wes, You are right. It looks like SQL 2014 made a change here..... https://msdn.microsoft.com/en-us/library/ms143547(v=sql.120).aspx

SQLCMD.exe and BCP.exe are now located at \Client SDK\ODBC\110\Tools\Binn

However, this all worked in my environment anyway, because the above location is in the PATH environment variable, which makes SQLCMD available from any location. So it looks like you guys are missing that directory from your path environment variable, which is allowing this to break. Your options are to:

1. Fix the PATH environment variable to include this location like default installations will.
2. Hard code the path (assuming you ALWAYS installed SQL 2014 to the same location)
3. COPY SQLCMD.exe to the original path,
4. Write a new task, that is powershell script based, that gathers the location from the registry in the script, then calls SQLcmd.exe in the script.

- Anonymous
January 16, 2017
Thanks Kevin, I appreciate the explanation and the options. - Anonymous
March 08, 2017
You could update the working directory on the tasks like this.

2014:

    $Target/Property[Type="SQL2014Disc!Microsoft.SQLServer.2014.DBEngine"]/ToolsPath$....\Client SDK\ODBC\110\Tools\Binn

2016:

    $Target/Property[Type="SQL2016Disc!Microsoft.SQLServer.2016.DBEngine"]/ToolsPath$....\Client SDK\ODBC\130\Tools\Binn

- Anonymous
August 29, 2017
Hi Kevin, Thanks for a great management pack and article. Regarding the "“sqlcmd.exe is not recognised as an internal or external command, operable program, or batch file”" error and not being able to find the tools directory. I just found another workaround by copying files located under .\Program Files\Microsoft SQL Server\Client SDK\ODBC\130\Tools\Binn\ to the default tools folder/path and successfully able to run the Create healthservice login task. I currently only have the SQL 2016 addendum imported in to a SCOM 2016 environment, I still have to test the other addendum packs. But it's a workaround.
- Anonymous
January 19, 2017
Low priv
SQL 2016 MP need rights in Model DB
Script: DiscoverSQL2016FileGroups.js. Version: 6.7.15.0.

    (USE [model] SELECT fg.name as fileGroupName, fg.data_space_id as fileGroupId, fg.is_read_only as fileGroupReadOnly, fg.type as fileGroupType, fg.type_desc as fileGroupTypeDesc FROM sys.filegroups fg' )

I added this

    USE [model]
    EXEC sp_addrolemember @rolename=db_datareader, @membername=[NT SERVICE\HealthService]

Don't know if it's right way to go?
- Anonymous
January 19, 2017
Not sure I understand - the script I provided already does this for the model DB. - Anonymous
January 19, 2017
Perhaps I'm missing something but I can only find changes on Master and MSDB, can't find anything on model.

From your MP

    USE [master]
    GRANT VIEW ANY DATABASE TO [NT SERVICE\HealthService]
    GRANT VIEW ANY DEFINITION TO [NT SERVICE\HealthService]
    GRANT VIEW SERVER STATE TO [NT SERVICE\HealthService]
    GRANT SELECT on sys.database_mirroring_witnesses to [NT SERVICE\HealthService]
    USE [msdb]
    EXEC sp_addrolemember @rolename=PolicyAdministratorRole, @membername=[NT SERVICE\HealthService]
    EXEC sp_addrolemember @rolename=SQLAgentReaderRole, @membername=[NT SERVICE\HealthService]

Event ID: 7105.
Error Description : [Microsoft][SQL Server Native Client 11.0][SQL Server]The server principal "DOMAIN\COMPUTER$" is not able to access the database "model" under the current security context.

I don't get the error when I'm using the not so low priv with sysadmin for the HealthService.
- Anonymous
January 20, 2017
Sorry my bad. Account was created in the database in the wrong schema.
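
Added example, not part of the original comments or of the addendum MP: a read-only T-SQL audit that compares what the `NT SERVICE\HealthService` login actually holds against the low-priv grants quoted in this thread, and flags sysadmin membership and databases where no user is mapped to the login. The expected-permission list (including `CONNECT SQL`, which `CREATE LOGIN` grants implicitly), the finding labels and all variable names are assumptions of this example; it needs SQL Server 2008 or later and a caller who can read the security catalog views.

```sql
-- Added example: read-only audit of the service SID login (assumed names throughout).
SET NOCOUNT ON;

DECLARE @login sysname = N'NT SERVICE\HealthService';
DECLARE @sid   varbinary(85);
SELECT @sid = sid FROM sys.server_principals WHERE name = @login;

-- 1. Login state and sysadmin membership. No row means the login was never created.
SELECT  sp.name, sp.type_desc, sp.is_disabled,
        CASE WHEN EXISTS (SELECT 1
                          FROM   sys.server_role_members AS rm
                          JOIN   sys.server_principals   AS r
                                 ON r.principal_id = rm.role_principal_id
                          WHERE  rm.member_principal_id = sp.principal_id
                            AND  r.name = N'sysadmin')
             THEN 1 ELSE 0 END AS is_sysadmin
FROM    sys.server_principals AS sp
WHERE   sp.name = @login;

-- 2. Server-level permissions versus the grants quoted in the thread.
DECLARE @expected TABLE
        (permission_name nvarchar(128) COLLATE DATABASE_DEFAULT PRIMARY KEY);
INSERT INTO @expected VALUES
        (N'CONNECT SQL'),            -- implicit with CREATE LOGIN
        (N'VIEW ANY DATABASE'),
        (N'VIEW ANY DEFINITION'),
        (N'VIEW SERVER STATE');

SELECT  COALESCE(e.permission_name, p.permission_name) AS permission_name,
        p.state_desc,
        CASE WHEN p.permission_name IS NULL THEN 'MISSING'
             WHEN e.permission_name IS NULL THEN 'UNEXPECTED'
             WHEN p.state_desc NOT IN ('GRANT', 'GRANT_WITH_GRANT_OPTION')
                  THEN 'NOT GRANTED'
             ELSE 'OK' END AS finding
FROM    @expected AS e
FULL OUTER JOIN (
        SELECT pe.permission_name COLLATE DATABASE_DEFAULT AS permission_name,
               pe.state_desc      COLLATE DATABASE_DEFAULT AS state_desc
        FROM   sys.server_permissions AS pe
        WHERE  pe.grantee_principal_id = SUSER_ID(@login)
          AND  pe.class = 100        -- server-level securables only
) AS p ON p.permission_name = e.permission_name;

-- 3. msdb roles held by the login's user (thread quotes PolicyAdministratorRole
--    and SQLAgentReaderRole).
SELECT  r.name AS msdb_role
FROM    msdb.sys.database_role_members AS rm
JOIN    msdb.sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    msdb.sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   m.sid = @sid;

-- 4. Per-database user mapping, matched by SID so a renamed user is still found.
DECLARE @users TABLE (database_name sysname, user_name sysname NULL,
                      default_schema sysname NULL);
DECLARE @db sysname, @sql nvarchar(max);

DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
        SELECT name FROM sys.databases
        WHERE  state_desc = N'ONLINE' AND HAS_DBACCESS(name) = 1;  -- skip unreadable DBs
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'SELECT @d, dp.name, dp.default_schema_name FROM '
             + QUOTENAME(@db) + N'.sys.database_principals AS dp WHERE dp.sid = @s;';
    INSERT INTO @users (database_name, user_name, default_schema)
    EXEC sys.sp_executesql @sql, N'@d sysname, @s varbinary(85)', @d = @db, @s = @sid;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;

SELECT  d.name AS database_name, u.user_name, u.default_schema,
        CASE WHEN u.user_name IS NULL THEN 'NO USER MAPPED' ELSE 'OK' END AS finding
FROM    sys.databases AS d
LEFT JOIN @users AS u ON u.database_name = d.name COLLATE DATABASE_DEFAULT
WHERE   d.state_desc = N'ONLINE'
ORDER BY d.name;
```

When the login is a member of sysadmin it is treated as dbo in every database, so rows without a mapped user are expected in that configuration.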
- Anonymous
January 25, 2017
Hi Kevin, Thanks for the great mp. Any chance you will make the monitor to check if the healthservice has the appropriate Low Priv rights? - Anonymous
January 27, 2017
Funny - I was just working on that.... it is a lot more complicated!!! - Anonymous
February 06, 2017
I was just about to ask about this. If we use the Low Priv task, will the "is SA?" monitor ever show healthy? I think not at the moment? Can be tricky to look back and see what's been done and what remains.
- Anonymous
February 08, 2017
Our Domain Accounts with SysAdmin Roles are only with SmartCard-Logins. And it seems that SA Account is not working with your solution.... So basically the only way to use your "Create HealthService Login" Task in the MP is to temporarily enable SysAdmin Role to the local System account.... It would be great if you could manage to use Domain Accounts with SmartCard and/or SA Account. Thanks, Andy - Anonymous
February 08, 2017
Morning, Quick question please, as I am still learning all of this, as I go... Do I need to undo the Run as Account and Run as Profile associations I have previously done (as well as the MP created to hold changes) in accordance with your earlier articles before implementing and testing the SID solution, as well as?? Thanks again! Tony - Anonymous
February 08, 2017
Yes, that is recommended to ensure service SID auth is working.
- Anonymous
February 23, 2017
Hi Kevin, Maybe I am missing the point here but when will the new account (NT Service\Health Service) become active? Or how am I able to check if the Health Service account is used or not? I get the feeling that it still uses the standard Local System account. - Anonymous
February 27, 2017
Hi all, the MP is great and really facilitates the work of SCOM Admin. Has anyone tried to create an OLE DB check and run it under NT SERVICE\HealthService account? I give HealthService SA rights and create OLE DB to measure some performance in SQL. The Connection Time counter is available and it is showing data but under monitor I'm getting error "Data Source could not be initialized - Login failed for user DOMAIN\COMPUTERNAME$" (the watcher node for OLE DB). So how to configure the OLE DB profile to use HealthService for running query against SQL? Is it possible or we must create another user to use it in OLE DB profile? Thanks, Janez - Anonymous
October 30, 2017
I think this is impossible unless your watchernode is the SQL server itself. The problem is the watchernode doesn't have the account to run the query and even if you could "distribute" it (similar to the local system account in scom), it's still a local account which isn't available over the network.
- Anonymous
March 01, 2017
Hi Kevin, I imported your pack and provided the NT/Healthservice account low priv rights in sql. Post that I removed the association of the existing sql run as accounts (action, discover and monitor) from the existing run as profiles (action, discover and monitor). How can I now ensure that the SCOM agent uses this newly created NT/Healthservice for monitoring the SQL parameters? Do I have to make any changes to the existing default scom_action accounts? - Anonymous
March 13, 2017
Kevin, thank you for this great article. I had some trouble getting this to work though. I followed the steps described above, but I kept getting an error on the HealthService can connect to SQL 2014 Monitor. After some troubleshooting I found that the problem was the presence of the local system account in SQL, even though the account login was disabled and there were no roles mapped. It looks like the agent has a preferred order for using accounts. So if the local system account is present in SQL it will try to use this account instead of the HealthService. The moment I deleted the System account, everything worked fine. Do you know if this order of using accounts is the case? - Anonymous
March 22, 2017
The comment has been removed - Anonymous
March 22, 2017
Hi Robert, I had all these errors previously. But after resorting to this single run as account approach, all the outstanding errors have now vanished and my scom sql console looks great - Anonymous
June 21, 2017
Hi. We have the same configuration and are seeing the same alerts come through on multiple clusters. Did you manage to find a fix? Everything else seems fine apart from the following

    Error 1:
    Cannot connect to database ‘model’
    Error Number: -2147467259
    Description: [Microsoft][SQL Server Native Client 11.0][SQL Server]The server principal “NT AUTHORITY\SYSTEM” is not able to access the database “model” under the current security context.
    Instance: MSSQLSERVER

- Anonymous
June 22, 2017
I keep hearing this - but I cannot repro. What OS is the cluster? How many nodes? What version of SQL? How many instances in the cluster?
- Anonymous
March 30, 2017
What if the SQL Instance comes up as "Not Monitored" in the SQL Seed section ?- for me this seems to be for clustered SQL instances only. - Anonymous
April 05, 2017
Hi Kevin, As to all the praise you get for this, I just want to say "ditto" :) I've made a small adjustment to the queries, making them tidier when the login or user exists.

For Command1, instead of

    USE [master]; CREATE LOGIN

I put in

    USE [master];IF NOT EXISTS(SELECT * FROM sys.server_principals WHERE name = '''+@accountname+''') CREATE LOGIN

Similarly, for Command2 I changed:

    'USE ['+db.name+']; CREATE USER

to

    'USE ['+db.name+'];IF NOT EXISTS(SELECT * FROM sys.database_principals WHERE name = '''+@accountname+''') CREATE USER

Works on my end, makes our rollout tidier, but the usual caveat: no warranties...
- Anonymous
June 14, 2017
The comment has been removed - Anonymous
June 19, 2017
Any advice for use in a multi-domain (untrusted) environment? - Anonymous
June 19, 2017
That's the BEAUTY of this solution. It is non-domain dependent. Using traditional runas accounts with multi-domain is a huge pain. This removes all that.
- Anonymous
June 28, 2017
The comment has been removed - Anonymous
August 07, 2017
Hi Kevin, Firstly, thank you for the great content and taking the time to make the life of OpsMgr administrator that much easier. I have implemented the management pack in our new environment and assigned the Health Service low privilege rights to our SQL servers. However, I am seeing the following errors on 2 of our servers which are passive members of a Always-On Availability Group:

    Event ID: 7103. Management Group: MANAGEMENTGROUP. Script: DiscoverSQL2012FileGroups.js. Version: 6.7.31.0. Instance: INSTANCENAME: File Groups Discovery script 'DiscoverSQL2012FileGroups.js' for instance 'INSTANCENAME' failed.
    Inner exception: Error Number : -2146825267
    Error Code : 3021
    Win32 Facility : 10
    Error Description : Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
    Call stack:Exception.constructor(File Groups Discovery script 'DiscoverSQL2012FileGroups.js' for instance 'INSTANCENAME' failed.,Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
    Error Number : -2146825267
    Error Code : 3021
    Win32 Facility : 10
    Error Description : Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.),Main({D6B26EFE-E183-24E9-DD23-F165CB716A28},{A1DF10C4-4A21-BFCB-B9EE-D999A2B5DA3B},SERVERNAME.domain,SERVERNAME\INSTANCENAME,INSTANCENAME,62232),

Running Windows Server 2012 R2 Standard and SQL 2012. Have verified that the correct permissions have been assigned to the HealthService account.
- Anonymous
August 07, 2017
Forgot to mention that there is no issue on the primary member of the Always-On Availability Group
- Anonymous
August 16, 2017
The comment has been removed - Anonymous
August 16, 2017
You need to ensure that the Windows Server OS is 2008 or later. You get these errors on Windows 2003 which this process does not support. For Windows Server 2003, I'd recommend changing the script for low priv and just granting NT AUTHORITY\SYSTEM to have Low Priv. Ensure you are restarting the Healthservice after enabling the SID. - Anonymous
August 17, 2017
Hi Kevin, Thanks for the reply. Regarding running Create HealthService Login as Low Priv… task and getting error, I checked and found that the Server is indeed Windows Server 2003. I will use NT AUTHORITY\SYSTEM for the accountname to have low priv. Another question: After enabling the HealthService to be able to use a service SID and then creating HealthService login as SA in SQL, I still see SQL Discovery failed and SQL Monitoring failed alerts, even when HealthService login has now SysAdmin rights. This is a Windows Server 2012 R2 server and it is running SQL Server 2012. Could you please assist on this issue. - Anonymous
August 17, 2017
Every time I have seen that, it was a configuration issue, or the server needed a reboot. - Anonymous
August 18, 2017
Hi Kevin, Thank you for the reply. Did you mean configuration issue from the SQL Server side? - Anonymous
September 12, 2017
The comment has been removed - Anonymous
September 12, 2017
The comment has been removed - Anonymous
October 11, 2017
The comment has been removed - Anonymous
November 10, 2017
Hi Kevin, I have a few questions:
1: On a particular SQL Server if I enable the HealthService to be able to use a service SID, then create HealthService login as SA role. But later time if I want that SQL Server to use Low Privilege access instead of SA, can I just delete the NT Service\HealthService login from SQL Instance and run the Task “Create HealthService Login as Low Priv ….”. Will this suffice?
- Anonymous
August 22, 2017
Kevin,
I'm having a small issue with the MP. In the SQL 2008 DB Engine view, I am getting the warning regarding Low-Priv configuration. SysAdmin remains unmonitored. It appears all is working.
When I open up the MP (Microsoft.SQLServer.RunAs.2008.Addendum.xml) I'm only finding one section that seems to probe for the account, and it looks to see if it is sysadmin.
Provider=SQLOLEDB;Server=$Config/ConnectionString$;Database=master;Integrated Security=SSPI
select count(*) from syslogins where sysadmin = 1 AND Name = 'NT SERVICE\HealthService'
Do you have any ideas why we might be getting this warning? Am I missing something?
Thanks,
--Scott Brown
- Anonymous
August 25, 2017
This appears to have cleared. You may ignore this.
- Anonymous
September 05, 2017
You are getting permissions issues. Either you didn't enable the service SID, or you didn't restart the agent, or you didn't really grant the correct login SA, or something really strange is going on. Every single complaint I have tracked down thus far turned out to always be a user error/fat finger/configuration overlook... or some kind of severe server hardening.
- Anonymous
September 05, 2017
My case is that I'm monitoring the local SQL server instance on SCOM server. Since OM is set up to run as SYSTEM, "NT AUTHORITY\SYSTEM" is already created and configured in SQL instance. I suspect that "NT SERVICE\HealthService" is not used during HealthService.exe login because of this.
- Anonymous
September 05, 2017
Ahhh that helps. The tip would have been the full event text which would have shown what account was being used. In this case - the DEFAULT AGENT ACTION ACCOUNT is not Local System. On a SCOM server, the default agent action account is the Management Server action account. That's a special one off. Either use traditional RunAs account or grant the Management Server action account to have SA on SQL server. In 99% of all deployments, you'd never deploy a SQL server and SCOM management server on the same OS - even our smallest designs in the SCOM sizing helper spreadsheet use separate servers for that. I don't even recommend that for labs/test/dev.
- Anonymous
September 05, 2017
Alright, I am starting it from scratch and follow the recommended setup. See if it helps. :)
- Anonymous
September 20, 2017
Hi Kevin,
In my scenario, the SCOM agent runs as local system. We are looking into using SIDs. But I have 2 questions for you:
1) How do we set up the SIDs to be the default account instead of NT authority?
2) I heard the NT Authority is required for Always On and cannot be removed? Is that the case? Do you know what is the lowest permissions we can give NT Authority?
- Anonymous
October 05, 2017
Kevin... you did it again! thank you sir! I was struggling with this for a long time until I found your post, it all works beautifully! fantastic work thank you so much!
- Anonymous
October 09, 2017
hi, in my environment, a domain admin account (yes, shocking, i know) was used to be the "Run-as account" to monitor the sql instances. i have since tried to use the MP above, did the 2 steps (for all the SQL servers found in SCOM):
1. Enable HealthService SidState and Restart HealthService
2. Create HealthService Login as Low Priv in SQL ..
I then went to do the following in SCOM 2012.
Navigate to "Administration -> Run As Configuration -> Accounts -> abc (the domain admin account) -> Properties -> Distribution tab, More secure - I want to manually select ....". Under "Selected computers", I removed all the servers that were monitored.
After that, I started receiving Critical alert for all the SQL servers, "System Center Management Health Service Credentials Not Found Alert Message".
Description: An account specified in the Run As profile "Microsoft.SQLServer.SQLProbeAccount" cannot be resolved. This condition may have occured because the account is not configured to be distributed to this computer. To resolve ths problem, you need to open the Run As Profile specified below, locate the account entry as specified by its SSID, and either choose to distribute the account to this computer if appropriate, or change the setting in the profile so that the target object does not use the specified account."
I have tried to restart the whole server, but the problem persists. May I know how can I resolve this problem?
- Anonymous
October 09, 2017
in addition to my original post, i went to the server's event log and looked for the Operations Manager event log. In the description, the following can be seen other than what I have mentioned above.
"... Specifically, the account is used in the Secure Reference Override "SecureOverride124234_23423..."
- Anonymous
October 09, 2017
You need to go into the SQL RUNAS Profiles, and delete the associations. This is all covered in the Management Pack guide.
- Anonymous
October 09, 2017
thank you for the reply! correct me if i'm wrong, but the MP does not contain the management pack guide? i suppose deleting the associations in the sql runas profiles mean removing the list of servers from the following window?
Navigate to “Administration -> Run As Configuration -> Accounts -> abc (the domain admin account) -> Properties -> Distribution tab, More secure – I want to manually select ….”. Under “Selected computers”, I removed all the servers that were monitored.
- Anonymous
October 10, 2017
i think i figured it out, did the two following steps and it seems to be working now.
Navigate to “Administration -> Run As Configuration -> Profiles -> SQL Server Discovery Account -> Properties -> Run As Accounts", delete the existing account.
Navigate to “Administration -> Run As Configuration -> Profiles -> SQL Server Monitoring Account -> Properties -> Run As Accounts", delete the existing account.
thanks!
- Anonymous
October 30, 2017
For a customer I'm trying to figure out the security impact for this configuration. e.g. could a local admin elevate this account and get more access than he should have? (similar to the reason why you don't give local system rights in SQL). The best I can come up with so far is that SQL already uses a servicesid in combination with SA rights, so using the low privilege setup doesn't add any extra security threats. BTW, I like that you didn't add the "db task" rights in the scripts.
- Anonymous
November 08, 2017
Hi Kevin,
I've managed to provision a server with the first step (SQL 2012 Seed view and the task within). However, that server does not appear in the associated DBEngine view. For now, I'm handing over the script to our SQL admins to get the permissions created in SQL, but was wondering if you could shed some light as to why I have certain servers in the seed view, but not the DBEngine view. (I've removed all runas accounts from any sql profiles to ensure they are not getting in the way)
Any guidance you could provide would be greatly appreciated!
Jamie
- Anonymous
November 08, 2017
That's odd - because the DB engine discovery generally works with no runas accounts set up... Local System will generally have enough rights to discover the instances without an issue. Are you using Local System as the default agent action account for sure?
- Anonymous
November 08, 2017
Confirmed that the Local System Action Account for the server in question is under the Run As Accounts of the Default Action Account profile. I suppose I should check Local System rights on the SQL instance to ensure there is nothing stopping things on that end?
- Anonymous
November 08, 2017
NT Authority\SYSTEM in the access list, and it has full rights on the instance
- Anonymous
November 29, 2017
Hi Kevin,
Thanks for the addendum MP and making our life a little easier. Do we still follow this section from MP documentation, "How to Configure Permissions for Always On Discovery and Monitoring"?
- Anonymous
November 30, 2017
Great question. My understanding is that was a requirement for a previous version of the MP and that we no longer have workflows on one node reach out across the network to connect to WMI on the other node, so this would no longer be required. However, I am not 100% that this isn't needed. I have not found any need for this configuration step in my testing thus far.
- Anonymous
December 07, 2017
Thanks for the update, I'll keep an eye and revert if I see any issue for AOAG.
- Anonymous
December 03, 2017
Good day, Kevin.
In our company we use one low priv. domain account for all run as profiles. This scenario is suitable for us. This account has OS local admin rights and SQL Server SA rights. Some days ago we updated SQL MPs to the last version 7.0.0.0 and now we are having alerts (SQL 2008/2012/2014/2016):
"Event ID: 7105. Management Group: MONT. Script: ModuleAction Module: DatabaseReplicaAlwaysOnDiscovery.ps1 Version: 7.0.0.0 : Error occurred during Always On Database Replica discovery."
All worked fine before this update. It's not a singleton case. Have you any knowledge how to solve this problem?
- Anonymous
December 13, 2017
Hi Kevin,
We are planning to implement this MP in our Production, but having the following query. Could you please help us with this question:
On a particular SQL Server if we enable the HealthService SID, then run the task to create HealthService login as SA role. But later if we want that SQL Server to use Low Privilege access instead of SA, can we just delete the NT Service\HealthService login from SQL Instance and run the Task “Create HealthService Login as Low Priv ….”. Will this suffice?
- Anonymous
December 13, 2017
Hi Kevin,
We are planning to import this MP in Production, but we are having a query with this MP. Could you please help with this Query:
On a particular SQL Server if we enable the HealthService SID, then run the task to create HealthService login as SA role. But later if we want that SQL Server HealthService to use Low Privilege access instead of SA, can we just delete the NT Service\HealthService login from SQL Instance and run the Task “Create HealthService Login as Low Priv ….”. Will this suffice? Please advise.
- Anonymous
December 13, 2017
Hi Kevin,
We are planning to import this MP in Production, but we are having a query with this MP. Could you please help with this Query:
On a particular SQL Server if we enable the HealthService SID, then run the task to create HealthService login as SA role. But later if we want that SQL Server HealthService to use Low Privilege access instead of SA, can we just delete the NT Service\HealthService login from SQL Instance and run the Task “Create HealthService Login as Low Priv ….”. Will this suffice? Please advise me.
- Anonymous
December 13, 2017
Hi Kevin,
We are planning to import this MP in Production, but we are having a query with this MP. Could you please help with this Query:
On a particular SQL Server if we enable the HealthService SID, then run the task to create HealthService login as SA role. But later if we want that SQL Server HealthService to use Low Privilege access instead of SA, can we just delete the NT Service\HealthService login from SQL Instance and run the Task “Create HealthService Login as Low Priv ….”. Will this suffice? Please advise me on this
- Anonymous
December 13, 2017
Yes you can.
- Anonymous
December 15, 2017
Thanks for the update.
- Anonymous
December 20, 2017
It might be a good plan to change your OLEDB provider from SQLOLEDB to SQLNCLI11. That solves issues when you have clients that do not accept TLS 1.0 connections anymore.
- Anonymous
December 21, 2017
Hi Kevin,
The SQL scripts mentioned above is creating Health Service Login with Low Priv access, please confirm if I am correct. Also if we need to have Health Service Login with SA Role, what changes we need to make in the above SQL query?
Bijesh NS
- Anonymous
February 19, 2018
Hi Kevin,
I implemented this solution last year, thanks to your article everything looks good. But after I imported the SQL replication management packs, I have now started getting many alerts. Does this solution work with replication management packs? An example error is as follows:
Module: Microsoft.SQLServer2008.Replication.Module.Discovery.Discoveries.SubscriptionDiscovery
Version: 6.7.15.0
---------- Exception: ----------
Task finished with exception
at Microsoft.SQLServer.Replication.Module.Helper.Threading.WorkItem`1.GetResult(Int32 timeout, T& result)
at Microsoft.SQLServer.Replication.Module.Helper.Base.ModuleBasePropertyHelper`1.GetOutputData(DataItemBase[] inputDataItems)
at Microsoft.SQLServer.Replication.Module.Helper.ModuleBaseHelper`1.OnNewDataItems(DataItemBase[] dataItems, Boolean logicallyGrouped, DataItemAcknowledgementCallback acknowledgeCallback, Object acknowledgedState, DataItemProcessingCompleteCallback completionCallback, Object completionState)
in Microsoft.SQLServer.2008.Replication.Module.Helper
- Anonymous
February 19, 2018
Anyone got this working with SQL 2017+ MP? It seems clusters are now monitored from new SQL 2017+ Resource Pool and that requires Action account to have permissions on the monitored instance.
- Anonymous
May 01, 2018
What kind of clusters? I tested with SQL AlwaysOn and no issue - the pool was not involved. Are you talking about more traditional Failover Clusters with shared storage and a clustered SQL instance?
- Anonymous
May 02, 2018
Hi Kevin,
Windows Server 2016 with SQL 2017 Clusters with AGs. FYI - we've opened a case with MS for this and here's their comment:
Monitoring SQL 2017 Cluster instances using the current SQL 2017+ MP v7.0, is done only through the SQL Resource Pool. The team are doing their best to enable Local Monitoring of SQL 2017 Cluster instances in the next version of the Management pack (which is expected to out before the 15th of July)
So unfortunately, currently you can’t use the ServiceSID Method to monitor SQL 2017 cluster instances. You will need to configure permissions on these instances using the old way (Run-As Accounts and Run-As profiles) either with Full Privilege or LowPriv options.
However, for sure you can keep on using the ServiceSID method to monitor instances of SQL Server pre-2017 and configure Run As accounts and profiles only for SQL 2017 Cluster instances.
One last thing to mention here, if you still don't like to use the Run-As Accounts and Run-As profiles for monitoring your SQL 2017 Cluster instances, then you may think about Mixed Mode Monitoring, where all workflows are run from the pool but DB Engine Seed which is run locally by the agent, however it doesn’t need permissions on SQL Server as it accesses only Windows Registry. Or consider the Agentless monitoring where it is quite similar to the Service SID method as you don’t need to create a new domain account for monitoring. However, then the SQL MP workflows will be run from the pool like in Mixed Monitoring.
More details about Mixed Monitoring and Agentless Monitoring can be found in the SQL 2017+ MP guide.
- Anonymous
May 02, 2018
Interesting - I hope they address this. I despise pool based monitoring in concept, because I do not trust that we will scale at an enterprise level, but I don't know of any issues. I will try to find out how many SQL instances they tested like this and their scale testing. In general, loading more workflows on management servers and having them perform agentless monitoring activities can have considerable risk, in my experience. I'll test with a traditional failover cluster.
- Anonymous
March 05, 2018
Excellent blog Kevin. Does HealthService apply to DB engine alone? How do I apply this or have one similar for monitoring SSRS & SSAS?
- Anonymous
April 30, 2018
Hi Kevin,
Will the SQL Server RunAs Addendum MP work with SQL Server MP version 7.0.4.0 and SQL Server 2017 MP version 7.0.0.0?
Thanks in advance.
Bijesh
- Anonymous
April 30, 2018
Yes, there will be an update. I am working on it right now.
- Anonymous
May 01, 2018
Done.
- Anonymous
May 02, 2018
Thanks Kevin. Now I can see the new MP for the same.
Bijesh
- Anonymous
May 04, 2018
1. Service SID is not enabled.
2. The agent was not restarted after service SID was enabled.
3. The login does not exist in SQL
4. The login was not granted "SysAdmin" role to the instance, OR if using low priv - the login was not created as a user in each database, or granted other needed rights.
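The last two items of the checklist above (the login exists; it has sysadmin or, for low priv, a user in each database) can be verified with a read-only query. This T-SQL is an added example, not part of the addendum MP or the article's scripts; it assumes the login name NT SERVICE\HealthService used in this thread and a session with sysadmin rights on the instance.

```sql
-- Added diagnostic; read-only. Run on the monitored instance as a sysadmin.
SET NOCOUNT ON;

DECLARE @login sysname = N'NT SERVICE\HealthService';  -- login name used in this thread
DECLARE @principal_id int, @sid varbinary(85);

SELECT @principal_id = principal_id, @sid = sid
FROM   sys.server_principals
WHERE  name = @login;

-- Checklist item 3: the login must exist on the instance.
IF @principal_id IS NULL
BEGIN
    RAISERROR(N'Login %s does not exist on this instance.', 16, 1, @login);
    RETURN;
END;

-- Checklist item 4 (SA option): is_sysadmin = 1 means member, 0 means not a member.
SELECT name, type_desc, is_disabled,
       IS_SRVROLEMEMBER(N'sysadmin', name) AS is_sysadmin
FROM   sys.server_principals
WHERE  principal_id = @principal_id;

-- Server-level permissions granted or denied directly to the login.
SELECT permission_name, state_desc
FROM   sys.server_permissions
WHERE  grantee_principal_id = @principal_id
ORDER BY permission_name;

-- Checklist item 4 (low priv option): find databases with no user mapped to
-- the login's SID. A sysadmin login needs no database users, so this result
-- only matters when is_sysadmin = 0.
DECLARE @results TABLE (database_name sysname, status nvarchar(400));
DECLARE @db sysname, @sql nvarchar(max), @mapped int;

DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = N'ONLINE';

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    BEGIN TRY
        SET @sql = N'SELECT @mapped = COUNT(*) FROM ' + QUOTENAME(@db)
                 + N'.sys.database_principals WHERE sid = @sid;';
        EXEC sys.sp_executesql @sql,
             N'@sid varbinary(85), @mapped int OUTPUT',
             @sid = @sid, @mapped = @mapped OUTPUT;
        INSERT @results (database_name, status)
        VALUES (@db, CASE WHEN @mapped > 0 THEN N'user mapped'
                          ELSE N'NO USER MAPPED' END);
    END TRY
    BEGIN CATCH
        -- For example a database on a non-readable Availability Group secondary.
        INSERT @results (database_name, status)
        VALUES (@db, N'not readable: ' + LEFT(ERROR_MESSAGE(), 300));
    END CATCH;
    FETCH NEXT FROM db_cursor INTO @db;
END;
CLOSE db_cursor;
DEALLOCATE db_cursor;

SELECT database_name, status FROM @results ORDER BY database_name;
```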
- Anonymous
May 07, 2018
Thanks Kevin,
I have query on points #3 & #4
3. The login does not exist in SQL -- which login ? is this NT AUTHORITY\SYSTEM or DomainName\HealthService?
4. The login was not granted “SysAdmin” role to the instance, OR if using low priv – the login was not created as a user in each database, or granted other needed rights. --- We are using Low Priv, so which login and what are the rights to be granted.? Does the SQL Script we run did not do all these task ?
Thanks
Bijesh
- Anonymous
May 29, 2018
Anyone else facing this issue? I have performed all the above described steps again on the SQL servers where we are getting "The server principal "NT AUTHORITY\SYSTEM" is not able to access the database...." alerts, but with no help. Please suggest how to fix this issue.
- Anonymous
June 28, 2018
Hi Kevin, we are still facing the issue with "The server principal “NT AUTHORITY\SYSTEM” is not able to access the database….” alerts. Could you please advise on this.
- Anonymous
July 11, 2018
Kevin,
we have also implemented this solution last year, and it works great. But after we imported the SQL replication management packs, we start to get many alerts. Most of them I have solved by giving the "NT SERVICE\HealthService" db_owner permissions to the master, msdb and distribution databases (which I will reduce, once everything works). There is one alert that I cannot solve. I get the message:
"The login 'NT AUTHORITY\SYSTEM' does not have access permission on publication 'TestDB1' because it is not in the publication access list."
Why does the account "NT AUTHORITY\SYSTEM" need access to the publication, instead of the "NT SERVICE\HealthService" account? I have given the "NT SERVICE\HealthService" account access, but that doesn't help much.
An example error is as follows:
Module: Microsoft.SQLServer2012.Replication.Module.Monitoring.Monitors.MonitorDistributorPendingCmds
Version: 6.7.31.0
---------- Exception: ----------
Task finished with exception
at Microsoft.SQLServer.Replication.Module.Helper.Threading.WorkItem`1.GetResult(Int32 timeout, T& result)
at Microsoft.SQLServer.Replication.Module.Helper.Base.ModuleBasePropertyHelper`1.GetOutputData(DataItemBase[] inputDataItems)
at Microsoft.SQLServer.Replication.Module.Helper.ModuleBaseHelper`1.OnNewDataItems(DataItemBase[] dataItems, Boolean logicallyGrouped, DataItemAcknowledgementCallback acknowledgeCallback, Object acknowledgedState, DataItemProcessingCompleteCallback completionCallback, Object completionState)
in Microsoft.SQLServer.2012.Replication.Module.Helper
---------- Inner Exception: ----------
The login 'NT AUTHORITY\SYSTEM' does not have access permission on publication 'TestDB1' because it is not in the publication access list.
The login 'NT AUTHORITY\SYSTEM' does not have access permission on publication 'TestDB2' because it is not in the publication access list.
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
at System.Data.SqlClient.SqlDataReader.TryConsumeMetaData()
at System.Data.SqlClient.SqlDataReader.get_MetaData()
at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async, Int32 timeout, Task& task, Boolean asyncWrite, SqlDataReader ds)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, TaskCompletionSource`1 completion, Int32 timeout, Task& task, Boolean asyncWrite)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
at System.Data.SqlClient.SqlCommand.ExecuteReader()
at Microsoft.SQLServer.Replication.Module.Helper.ModuleBaseMonitoring.GetModuleData(DataItemBase[] inputDataItems)
at Microsoft.SQLServer.Replication.Module.Helper.Threading.WorkItem`1.c__DisplayClass6.b__4()
at Microsoft.SQLServer.Replication.Module.Helper.Threading.WorkItem.c__DisplayClass2.b__0(Object state)
in .Net SqlClient Data Provider
The configuration properties are :
ConnectionString = *********
SqlTimeout = 15
TimeoutSeconds = 300
Publisher = Replication2012
- Anonymous
August 06, 2018
Will this SQL Server RunAs Addendum MP work with the latest version of SQL Server (2008/2012/2014/2016) Management Pack 7.0.7.0, released on 7/2/2018.
- Anonymous
August 06, 2018
Yes.
- Anonymous
December 12, 2018
Hi Kevin, After implementing this Management Pack we are getting multiple Discovery Failed and Monitoring Failed alerts from different SQL Servers. After the Health Service SID is enabled, we ran the script you shared in this blog to grant the HealthService SID with the Minimal Required Rights to SQL Server. But still the alerts (Discovery Failed and Monitoring Failed) are generating. Could you please let us know what are the minimal rights the NT SERVICE\HealthService login will get after we run the script to grant the HealthService SID with the Minimal Required Rights to SQL Server? Are these rights the same as what is described in the SQL Server Management Pack guide under section "Low-Privilege Environments"? Your assistance will be very much helpful. Thanks in advance!
- Anonymous
December 18, 2018
Hi Kevin, do we have any update on the query?
- Anonymous
December 18, 2018
All the information you are asking is published in the article.
- Anonymous