Sql-server – Changing startup accounts on alwayson setup

availability-groups, service-accounts, sql server 2014

I have a 2 node Always On Availability Group cluster where we are planning to take backups to a file share which will then be moved to Azure cloud. We have a service account from the Windows team for the backup job, but the startup account of the database engine and the SQL Server Agent are local accounts. Using proxies did not help me with the situation so I am now thinking of providing the service account credentials in the SQL Server Configuration Manager.

What I want to know is how do I proceed?

This is what I have planned. Please let me know if I have missed something in the flow.

  1. Change service account on the Node2 (secondary) – both SQL Server (InstanceName) (database engine) and SQL Server Agent (InstanceName) (job engine)
  2. Pause synchronization
  3. Restart the SQL Server (InstanceName) service and the SQL Server Agent (InstanceName)
  4. Fail over the AOAG to the secondary, then change the account details of the primary (now the secondary)
  5. Repeat steps 2 and 3
  6. Fail back to the primary again

Please let me know if I am missing any step here.

Thanks!

Best Answer

If you have local accounts and an AG then you must be using mirroring certificates - is this correct? If so then your switchover plan is likely going to be fine because nothing is going to change from the AG's point of view.

I have done something similar just recently to replace local accounts and expiring AG mirroring certificates with service accounts and using that Windows authentication. After the local accounts were in place I ran Alter Endpoint Hadr_Endpoint For Database_Mirroring (Authentication = Negotiate) on both sides, followed by Alter Endpoint Hadr_Endpoint State = Stopped on each, and then started them again. I monitored the endpoint status from their DMVs to make sure they started, checked the ERRORLOG for issues, and confirmed that the AG dashboard was healthy. The final test to confirm it is a failover.

When you say using agent proxies didn't help though - are you sure you used one properly? What happened? I really would have thought it would work.
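The endpoint change and health checks described in the answer, written out as an added T-SQL example (not code from the original post), to be run on each replica once its services are restarted under the new account. The login `CONTOSO\svc-sqlengine` is a placeholder, the endpoint name is the one the answer uses, and the script assumes both replicas run under the same domain account.

```sql
-- Added example. CONTOSO\svc-sqlengine is a placeholder for the new domain
-- service account; Hadr_Endpoint is the endpoint name used in the answer.
USE master;

-- 1. Confirm which account each service actually runs under after the restart.
SELECT servicename, service_account, status_desc
FROM sys.dm_server_services;

-- 2. Record the endpoint's current state and authentication before changing it.
SELECT e.name, e.state_desc, e.connection_auth_desc,
       e.encryption_algorithm_desc, t.port
FROM sys.database_mirroring_endpoints AS e
JOIN sys.tcp_endpoints AS t ON t.endpoint_id = e.endpoint_id;

-- 3. With Windows authentication the partner's service account needs a login
--    here and CONNECT on the endpoint, and nothing broader than that.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\svc-sqlengine')
    CREATE LOGIN [CONTOSO\svc-sqlengine] FROM WINDOWS;
GRANT CONNECT ON ENDPOINT::Hadr_Endpoint TO [CONTOSO\svc-sqlengine];

-- 4. Switch the endpoint to Windows authentication, then stop and start it.
--    The documented form of the option is WINDOWS NEGOTIATE.
ALTER ENDPOINT Hadr_Endpoint
    FOR DATABASE_MIRRORING (AUTHENTICATION = WINDOWS NEGOTIATE);
ALTER ENDPOINT Hadr_Endpoint STATE = STOPPED;
ALTER ENDPOINT Hadr_Endpoint STATE = STARTED;

-- 5. Verify the endpoint came back with the expected authentication.
SELECT name, state_desc, connection_auth_desc
FROM sys.database_mirroring_endpoints;

-- 6. Verify every replica is connected and healthy before testing a failover;
--    a non-NULL last_connect_error_description points at an endpoint or
--    permission problem to look up in the ERRORLOG.
SELECT ar.replica_server_name, rs.role_desc, rs.connected_state_desc,
       rs.synchronization_health_desc, rs.last_connect_error_number,
       rs.last_connect_error_description
FROM sys.dm_hadr_availability_replica_states AS rs
JOIN sys.availability_replicas AS ar ON ar.replica_id = rs.replica_id;
```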