I put myself in a big problem
-
hello everybody
I put myself in trouble when I decided to have an additional DC in my domain. Before this catastrophe I had 2 Windows Server 2008 R2 machines: one of them is a DC and the second one is an application server with multiple SQL Server instances and databases.
I decided to promote the application server so that I have a backup DC. After promoting it, some of the applications installed on it stopped working because the connection between the app and the database failed.
I never thought that such a transition from stand-alone server to DC would cause this trouble, because the SAM accounts were deleted, and I think the databases were configured with these local admin accounts.
Now I have demoted the application server, but the SAM accounts were all deleted; I only have 2 accounts: administrator and guest. The other accounts were all deleted.
Now I don't know what to do to recover this.
Is there any way to restore SAM accounts???
-
@IT-ADMIN said:
I decided to promote the application server so that I have a backup DC. After promoting it, some of the applications installed on it stopped working because the connection between the app and the database failed.
I never thought that such a transition from stand-alone server to DC would cause this trouble, because the SAM accounts were deleted, and I think the databases were configured with these local admin accounts.
DCs are always supposed to be on their own; combining roles is against best practices. There are times that it needs to happen, but there is always risk involved, and when possible you want to avoid this. You should always snapshot before doing something huge like this; then you can just roll back when done. Having a second DC is not normally a big deal. I'd be wary of trying to have one in a poor way rather than running from just one - with good backups a DC takes no time to restore in case it fails.
-
I'm not clear on the damage that was done, the new DC killed the existing one? Or only the application server is having a problem.
-
His application server was using local user accounts on the non-DC server. When he promoted it, those accounts were lost.
-
Your only solution that I can think of is if you have a backup of the system for that server. You could restore the system and recover the accounts.
If you don't, do you have a full image backup of that server? It might be possible to stand that image up somewhere else, and pull the accounts out and import them - but I have no clue if that's even possible.
-
@Dashrender said:
His application server was using local user accounts on the non-DC server. When he promoted it, those accounts were lost.
Okay, that makes sense then. Thanks for clearing that up.
-
yes, as @Dashrender said, after the application server became a DC the local accounts were deleted; now there is a problem with the database connection between the applications and SQL Server
-
unfortunately I have no snapshot, simply because it is a physical server
-
What is the authentication mechanism being used? Are you using AD Authentication to SQL Server or are you using SQL Server authentication?
-
since I have a connection error, it means that the connection uses a local account, because all local accounts were deleted (when I go to Users and Groups I find only 2 accounts: administrator and guest)
-
@IT-ADMIN said:
since I have a connection error, it means that the connection uses a local account, because all local accounts were deleted (when I go to Users and Groups I find only 2 accounts: administrator and guest)
I am not aware of using local accounts for SQL Server. The SQL Server runs on the box that you put the Domain Controller on or on a separate server?
-
the SQL Server is installed on the application server. This application server was a stand-alone server before and was also joined to the domain, but the company that installed the payroll software on the application server didn't use a domain account; they created a local admin account on the application server because they do remote support for us sometimes and they know the password of this local admin account (in order not to give them a domain admin account, for our security, they created a local admin account to work with)
tomorrow I will contact them to see about this issue; I'm sure they will blame me for deleting those accounts
-
@scottalanmiller said:
@IT-ADMIN said:
since I have a connection error, it means that the connection uses a local account, because all local accounts were deleted (when I go to Users and Groups I find only 2 accounts: administrator and guest)
I am not aware of using local accounts for SQL Server. The SQL Server runs on the box that you put the Domain Controller on or on a separate server?
There are two, very misleading types of accounts with SQL: Local and Windows Authentication. Local means SQL only, stored in the master security table. Windows Authentication means that it's set up to read the GUIDs of IDs within Windows, be it local or domain. You have to add them in separately.
IT-ADMIN, if you have the sa account, you might be able to pull yourself out of the fire. Get the logs, find out what needs to be recreated, then you will have to rebuild the accounts by hand and reset everyone who might have been accessing it. Certainly better than the current hands-in-the-air, pants-on-fire situation.
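The inventory step described above, as an added T-SQL example that is not from the thread: run as sa on the application server's instance, it lists the Windows logins SQL Server still holds, asks SQL Server which of them no longer resolve to a Windows account, finds database users left without a login, and remaps one of them to a least-privilege domain account. APPSRV\payrolladmin, PayrollDB and DOMAIN\svc_payroll are placeholder names.

```sql
-- Constructed example for the scenario in this thread; names are placeholders.
-- Step 1: every Windows-authenticated login the instance still knows about.
-- Rows named MACHINE\name (not DOMAIN\name) are the deleted local SAM accounts.
SELECT name, type_desc, is_disabled, create_date
FROM sys.server_principals
WHERE type IN ('U', 'G')             -- U = Windows user, G = Windows group
ORDER BY name;

-- Step 2: let SQL Server check each Windows login against Windows itself.
-- Returns one row (SID, NT Login) per login whose Windows account no longer exists.
EXEC sys.sp_validatelogins;

-- Step 3: inside each application database, find users whose SID matches
-- no server login any more (orphaned users). Repeat for every app database.
USE [PayrollDB];
SELECT dp.name AS orphaned_user, dp.type_desc
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON dp.sid = sp.sid
WHERE dp.type IN ('S', 'U', 'G')     -- SQL user, Windows user, Windows group
  AND sp.sid IS NULL
  AND dp.name NOT IN ('guest', 'INFORMATION_SCHEMA', 'sys');

-- Step 4: rebuild with a domain account that has only the rights the app needs,
-- rather than recreating a local admin. Remapping keeps the user's existing
-- grants and object ownership inside the database.
CREATE LOGIN [DOMAIN\svc_payroll] FROM WINDOWS;
ALTER USER [APPSRV\payrolladmin] WITH LOGIN = [DOMAIN\svc_payroll];
ALTER USER [APPSRV\payrolladmin] WITH NAME = [DOMAIN\svc_payroll];

-- Step 5: remove the stale server login that pointed at the deleted SAM account,
-- after confirming nothing else in Step 3 still depends on it.
DROP LOGIN [APPSRV\payrolladmin];
```

If Step 2 returns nothing and Step 3 shows only SQL-authenticated users (type S), the outage is not caused by the lost SAM accounts and the connection string or the service account the application runs under is the next thing to check.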
-
Wouldn't you be able to demote the application server? That should bring the local admin accounts back.
-
@IT-ADMIN said:
the SQL Server is installed on the application server. This application server was a stand-alone server before and was also joined to the domain, but the company that installed the payroll software on the application server didn't use a domain account; they created a local admin account on the application server because they do remote support for us sometimes and they know the password of this local admin account (in order not to give them a domain admin account, for our security, they created a local admin account to work with)
tomorrow I will contact them to see about this issue; I'm sure they will blame me for deleting those accounts
Why would they need a domain admin account? A domain account that only has the needed access on that machine would make a lot more sense, IMHO. Making local accounts doesn't seem to make any sense, even for the situation described.
-
@coliver said:
Wouldn't you be able to demote the application server? That should bring the local admin accounts back.
Not if they were deleted.
-
@scottalanmiller said:
@coliver said:
Wouldn't you be able to demote the application server? That should bring the local admin accounts back.
Not if they were deleted.
Exactly, when you promote a server to a DC the local SAM system gets deleted.
-
@scottalanmiller said:
Why would they need a domain admin account? A domain account that only has the needed access on that machine would make a lot more sense, IMHO. Making local accounts doesn't seem to make any sense, even for the situation described.
I'm guessing they didn't consider that option - non-Windows admins (in this case, AKA SQL admins) probably don't think about how a domain user can have local admin rights.
-
to be honest with you I don't know much about SQL Server and its accounts, but one thing is sure: the SAM accounts were deleted, and these accounts have a direct relation with the SQL Server connection; what this relation is, I don't know
the proof that these local accounts have a relation with SQL Server is that before promoting the server everything was fine; as soon as I promoted the damn server, the connection problem occurred
after demoting the server it was too late, because all local accounts were deleted except the administrator and guest accounts
-
@IT-ADMIN said:
to be honest with you I don't know much about SQL Server and its accounts, but one thing is sure: the SAM accounts were deleted, and these accounts have a direct relation with the SQL Server connection; what this relation is, I don't know
Makes sense; they set up non-domain local accounts. Very unprofessional, IMHO. Not something I would expect a consultant to be doing. Rather poor.
I'm afraid that you need to make new accounts and set things up anew, or go to a backup.