Recently i faced an issue where the SQL server 2012 being hosted in a 2 node failover cluster failed to start. And since the cluster and windows event log didn't help much, i started checking the SQL server error log, which had the below error every time i tried to start the SQL server role in failover cluster manager
Login failed for user 'NT AUTHORITY\SYSTEM'. Reason: Could not find a login matching the name provided. [CLIENT: ]
so i went ahead created the login NT AUTHORITY\SYSTEM and also added it to the Sysadmin role. and it worked!,
Now i'm skeptical whether what i did is right or not security wise.
- I've heard that creating NT AUTHORITY\SYSTEM within SQL server is not safe, If that is the case, Should i change my cluster service to a domain account?, Will this affect anything?
- I added NT AUTHORITY\SYSTEM to Sysadmin role – Is this really required or can i provide only the required permission explicitly to the login
Best Answer
Yes, it failing is expected. It is documented here.
To answer now:
I'm assuming you're talking about the actual cluster service. If that's the case, then no do not change it. You could change it in WS2003 when domain accounts were used but since 2008 this is not possible. If you do this most likely your cluster will break.
Sysadmins is not required. Per the link/quote above, VIEW SERVER STATE is required.