14 Aug 2012

Resume Content DB upgrade

I’m going to start this post with a couple of little issues when upgrading your SharePoint environment, but there are several great references for you


If your SharePoint 2010 upgrade is stuck, you may see the following in Central Administration: “database is up to date, but some sites are not completely upgraded”. Note that there is a whole lot of misinformation out there about performing/reinitializing an upgrade by using the psconfig -cmd upgrade -inplace v2v (or b2b) commands. However, those commands upgrade your farm, and if the upgrade is failing on the content databases, it will continue to fail. The steps below are all about resuming the content database upgrade.
The first thing you will need to do is get the ID of the content database that is problematic:
Get-SPContentDatabase -Identity Name_of_Database
 That should return something that looks like this…



Once you have the ID, you’ll want to execute the Upgrade-SPContentDatabase command:
Upgrade-SPContentDatabase -Id f7f9907c-71e8-494d-8f2b-4ce6a5b934ea


References:
 http://www.shareesblog.com/?p=560



Diagnose MissingWebPart and MissingAssembly issues from the SharePoint Health Analyzer using PowerShell


In this article I am going to focus on MissingWebPart and MissingAssembly errors. As stated in previous articles, there is no silver bullet for solving these errors in all cases, but the scripts offered here will allow you to troubleshoot the errors further and find exactly where they occur in the content database. Once you know this, you have a fighting chance of being able to solve the problem.
MissingWebPart Error
In this example, I have received the following error whilst running a Test-SPContentDatabase operation after a content database migration from SharePoint 2007 to 2010. It also appears in the SharePoint Health Analyzer under the “Configuration” category with the title “Missing server side dependencies”:
Category        : MissingWebPart
Error           : True
UpgradeBlocking : False
Message         : WebPart class [4575ceaf-0d5e-4174-a3a1-1a623faa919a] is referenced [2] times in the database [SP2010_Content], but is not installed on the current farm. Please install any feature/solution which contains this web part.
Remedy          : One or more web parts are referenced in the database [SP2010_Content], but are not installed on the current farm. Please install any feature or solution which contains these web  parts.

As you can see, the error gives you a “WebPart class” GUID, the name of the content database, and how many times it is referenced in the database, but little else. What we need to find out here is either the name of the web part or on which pages it is referenced in the database.
For this I am going to reuse the Run-SQLQuery PowerShell script that I introduced in my article on MissingSetupFile errors:
function Run-SQLQuery ($SqlServer, $SqlDatabase, $SqlQuery)
{
    # Connect with the current Windows identity (integrated security)
    $SqlConnection = New-Object System.Data.SqlClient.SqlConnection
    $SqlConnection.ConnectionString = "Server =" + $SqlServer + "; Database =" + $SqlDatabase + "; Integrated Security = True"
    $SqlCmd = New-Object System.Data.SqlClient.SqlCommand
    $SqlCmd.CommandText = $SqlQuery
    $SqlCmd.Connection = $SqlConnection
    $SqlAdapter = New-Object System.Data.SqlClient.SqlDataAdapter
    $SqlAdapter.SelectCommand = $SqlCmd
    $DataSet = New-Object System.Data.DataSet
    # Fill returns the row count; discard it so only the rows reach the pipeline
    [void]$SqlAdapter.Fill($DataSet)
    $SqlConnection.Close()
    # Emit the rows of the first result table
    $DataSet.Tables[0]
}
Once you have loaded the function in a PowerShell console, you can run it by using the Run-SQLQuery command with the options relevant to your deployment. For [MissingWebPart] errors, you need to run a SQL SELECT query on the “AllDocs” table in the content database exhibiting the problem, joining to the “AllWebParts” table in order to find details about the missing web part. For example, you would type the following command to find details of the web part with the class ID “4575ceaf-0d5e-4174-a3a1-1a623faa919a”, as reported in the error above:
Run-SQLQuery -SqlServer "SQLSERVER" -SqlDatabase "SP2010_Content" -SqlQuery "SELECT * from AllDocs inner join AllWebParts on AllDocs.Id = AllWebParts.tp_PageUrlID where AllWebParts.tp_WebPartTypeID = '4575ceaf-0d5e-4174-a3a1-1a623faa919a'" | select Id, SiteId, DirName, LeafName, WebId, ListId, tp_ZoneID, tp_DisplayName | Format-List
Yes, it is a pretty long command, but it will produce a very useful output, as shown in this example:
Id             : 6ab5e70b-60d8-4ddf-93cb-6a93fbc410be
SiteId         : 337c5721-5050-46ce-b112-083ac52f7f26
DirName        : News/Pages
LeafName       : ArticleList.aspx
WebId          : dcc93f3e-437a-4fae-acea-bb15d5c4ea7d
ListId         : 7e13fe6c-3670-4d46-9601-832e3eb6a1e4
tp_ZoneID      : Body
tp_DisplayName :

Id             : b3fcfcd2-2f02-4fe9-93e4-9c9b5ecddf5b
SiteId         : 337c5721-5050-46ce-b112-083ac52f7f26
DirName        : Pages
LeafName       : Welcome.aspx
WebId          : 2ae0de59-a008-4244-aa66-d8f76c79f1ad
ListId         : d8f083f0-16b9-43d0-9aaf-4e9fffecd6cc
tp_ZoneID      : RightColumnZone
tp_DisplayName :

This tells us that the web part has been found on two pages (the references mentioned in the MissingWebPart error). SiteId tells us the site collection and WebId the site where the pages are located. We also have a DirName showing the relative path and the page name itself against the LeafName property. If you’re lucky, you might get the display name of the web part against the tp_DisplayName property, but if not, you should at least be able to tell which zone the web part has been added to by looking at the tp_ZoneID property.
Easily the best way of resolving these issues is to do as the error suggests and install the missing feature or solution containing the web part, but if this is not possible or feasible to do in your scenario, we can discover the site collection URL from the GUIDs using PowerShell and then remove the offending web parts from the pages specified.
To find the site collection URL using the information output from the query, type the following command:
$site = Get-SPSite -Limit all | where {$_.Id -eq "337c5721-5050-46ce-b112-083ac52f7f26"}
$site.Url
Once you have the site collection URL, you can use the relative path specified by the DirName property to find the location of the file. To remove the web part from the page, type the page URL in the browser and add ?contents=1 to the end of it. For example, to open the web part maintenance page for the ArticleList.aspx page specified in the output, type the following URL in the browser:
http://portal/news/pages/articlelist.aspx?contents=1
You can then highlight the offending web part (normally called ErrorWebPart for MissingWebPart errors) by ticking the box and clicking Delete. The screenshot below shows a web part maintenance page to give you an idea of the UI, but not an example of an ErrorWebPart as I had already removed them!
[Screenshot: web part maintenance page]
Note: If you remove an ErrorWebPart from a publishing page with versioning switched on, you may have to delete all earlier versions of the page before the error disappears from the SharePoint Health Analyzer or Test-SPContentDatabase report. This is because the web part will still be referenced from these versions, even though you removed it from the currently published page.
MissingAssembly Error
MissingAssembly errors look similar to this one:
Category        : MissingAssembly
Error           : True
UpgradeBlocking : False
Message         : Assembly [PAC.SharePoint.Tagging, Version=1.0.0.0, Culture=neutral, PublicKeyToken=b504d4b6c1e1a6e5] is referenced in the database [SP2010_Content], but is not installed on the current farm. Please install any feature/solution which contains this assembly.
Remedy          : One or more assemblies are referenced in the database [SP2010_Content], but are not installed on the current farm. Please install any feature or solution which contains these assemblies.

I normally find MissingAssembly errors appear as the result of an event receiver, which is still registered on a list or library but part of a feature/solution no longer present on the farm.
In most cases, you may be able to look at the assembly name reported in this error and know what the problem is straight away. As before, the best way of resolving this is to reinstall the missing solution file. However, if you are not able to install the solution (e.g., maybe it only works in SharePoint 2007 and not 2010), then you may want to find the lists where the event receiver is installed and either remove the event receiver from the lists or delete the lists themselves.
To troubleshoot this issue we can re-use the Run-SQLQuery function used to help find missing web parts above. The table we need to look at this time though is called “EventReceivers”. For example, you would type the following command to find details of the assembly called “PAC.SharePoint.Tagging, Version=1.0.0.0, Culture=neutral, PublicKeyToken=b504d4b6c1e1a6e5”, as reported in the error above:
Run-SQLQuery -SqlServer "SQLSERVER" -SqlDatabase "SP2010_Content" -SqlQuery "SELECT * from EventReceivers where Assembly = 'PAC.SharePoint.Tagging, Version=1.0.0.0, Culture=neutral, PublicKeyToken=b504d4b6c1e1a6e5'" | select Id, Name, SiteId, WebId, HostId, HostType | Format-List
This will produce an output similar to the following:
Id       : 657a472f-e51d-428c-ab98-502358d87612
Name     :
SiteId   : 337c5721-5050-46ce-b112-083ac52f7f26
WebId    : 2ae0de59-a008-4244-aa66-d8f76c79f1ad
HostId   : 09308020-45a8-41e4-bbc0-7c8d8cd54132
HostType : 2

Id       : 0f660612-6be0-401e-aa1d-0ede7a9af8da
Name     :
SiteId   : 337c5721-5050-46ce-b112-083ac52f7f26
WebId    : 2ae0de59-a008-4244-aa66-d8f76c79f1ad
HostId   : 09308020-45a8-41e4-bbc0-7c8d8cd54132
HostType : 2

As with the MissingWebPart error before, we can use these GUIDs to get the site collection and site hosting the list with the missing event receiver, as follows:
$site = Get-SPSite -Limit all | where {$_.Id -eq "337c5721-5050-46ce-b112-083ac52f7f26"}
$web = $site | Get-SPWeb -Limit all | where {$_.Id -eq "2ae0de59-a008-4244-aa66-d8f76c79f1ad"}
$web.Url
The HostId property is the GUID of the object containing the event receiver. The HostType is the object type – in this case, HostType “2” means the event receiver host is a list. You can look at the other host types by checking this article on MSDN: http://msdn.microsoft.com/en-us/library/ee394866(v=prot.13).aspx.
Now we know the GUID refers to a list, we can get it using PowerShell with this command:
$list = $web.Lists | where {$_.Id -eq "09308020-45a8-41e4-bbc0-7c8d8cd54132"}
To remove the list completely, type the following command:
$list.Delete()
To keep the list intact and just remove the offending event receiver, copy the Id property from the Run-SQLQuery output into this command:
$er = $list.EventReceivers | where {$_.Id -eq "657a472f-e51d-428c-ab98-502358d87612"}
$er.Delete()
If you do decide to delete the list completely, ensure you also remove it from the site Recycle Bin and Site Collection Recycle Bin to ensure the file is removed from the content database. If not, the error may not disappear from the Health Analyzer or Test-SPContentDatabase operation.

http://get-spscripts.com/2011/08/diagnose-missingwebpart-and.html
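
Both lookups above paste the GUID or assembly name straight into the query text, where a mistyped or curly quote breaks the statement. The following is an added example, not code from the original article: a variant that binds those values as SQL parameters. Invoke-ContentDbQuery is a hypothetical name; the server, database, table and column names are the ones used in the article.

```powershell
# Added example, not from the original article. Invoke-ContentDbQuery is a
# hypothetical name; SQLSERVER and SP2010_Content are the article's sample values.
function Invoke-ContentDbQuery {
    param(
        [Parameter(Mandatory = $true)][string]$SqlServer,
        [Parameter(Mandatory = $true)][string]$SqlDatabase,
        [Parameter(Mandatory = $true)][string]$SqlQuery,
        [hashtable]$Parameters = @{}
    )

    # Build the connection string from parts so that a stray ';' in a server or
    # database name cannot add extra connection-string keywords.
    $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $builder['Data Source'] = $SqlServer
    $builder['Initial Catalog'] = $SqlDatabase
    $builder['Integrated Security'] = $true

    $connection = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $builder.ToString()
    try {
        $command = $connection.CreateCommand()
        $command.CommandText = $SqlQuery
        foreach ($name in $Parameters.Keys) {
            # Values travel separately from the query text, so quotes inside them
            # (straight or curly) are data, never SQL syntax.
            [void]$command.Parameters.AddWithValue("@$name", $Parameters[$name])
        }
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter -ArgumentList $command
        $table = New-Object System.Data.DataTable
        [void]$adapter.Fill($table)   # Fill opens and closes the connection itself
        $table.Rows
    }
    finally {
        $connection.Dispose()
    }
}

# MissingWebPart lookup: the [guid] cast also rejects anything that is not a well-formed GUID.
Invoke-ContentDbQuery -SqlServer 'SQLSERVER' -SqlDatabase 'SP2010_Content' -SqlQuery @'
SELECT d.Id, d.SiteId, d.DirName, d.LeafName, d.WebId, d.ListId, w.tp_ZoneID, w.tp_DisplayName
FROM AllDocs d INNER JOIN AllWebParts w ON d.Id = w.tp_PageUrlID
WHERE w.tp_WebPartTypeID = @typeId
'@ -Parameters @{ typeId = [guid]'4575ceaf-0d5e-4174-a3a1-1a623faa919a' } |
    Select-Object Id, SiteId, DirName, LeafName, WebId, ListId, tp_ZoneID, tp_DisplayName | Format-List

# MissingAssembly lookup: the assembly name contains commas and '=' but needs no quoting.
Invoke-ContentDbQuery -SqlServer 'SQLSERVER' -SqlDatabase 'SP2010_Content' -SqlQuery @'
SELECT Id, Name, SiteId, WebId, HostId, HostType FROM EventReceivers WHERE Assembly = @assembly
'@ -Parameters @{ assembly = 'PAC.SharePoint.Tagging, Version=1.0.0.0, Culture=neutral, PublicKeyToken=b504d4b6c1e1a6e5' } |
    Select-Object Id, Name, SiteId, WebId, HostId, HostType | Format-List
```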

Removing features from a content database in SharePoint 2010 using PowerShell

The great thing about the Health Analyzer in SharePoint 2010 is that it will report on a number of potential issues with the server farm, which may cause a problem later whilst applying a cumulative update or service pack. Resolving these issues in advance will help to prevent an update failing when you run the SharePoint Configuration Wizard.
One of these problems may occur when a solution is removed from the farm before the corresponding features were deactivated from site collections and sites. The Health Analyzer will place this issue in the “Configuration” category with the title “Missing server side dependencies”.
Missing server side dependencies
The error message reported will look similar to this one:
[MissingFeature] Database [SharePoint_Content_Portal] has reference(s) to a missing feature: Id = [8096285f-1463-42c7-82b7-f745e5bacf29], Name = [My Feature], Description = [], Install Location = [Test-MyFeature]. The feature with Id 8096285f-1463-42c7-82b7-f745e5bacf29 is referenced in the database [SharePoint_Content_Portal], but is not installed on the current farm. The missing feature may cause upgrade to fail. Please install any solution which contains the feature and restart upgrade if necessary.
As shown above, this message reports a content database name (SharePoint_Content_Portal) and feature ID (8096285f-1463-42c7-82b7-f745e5bacf29), but not the sites or site collections where the feature exists. In addition to this, even if you did know where the feature was activated, it will not appear anywhere in the UI for you to deactivate because the solution has been removed from the farm.
The following PowerShell script will interrogate a specified content database and feature ID and do two things:
  1. Produce a report in the PowerShell console showing which sites or site collections contain the offending feature.
  2. Forcibly deactivate the feature from the applicable sites or site collections.
Note: Whilst this article applies specifically to the scenario of deactivating features from removed solutions reported by the Health Analyzer, I have decided to write the script so that it deactivates any specified feature from sites and site collections – not just those missing from the farm. This allows the script to be used in other scenarios, too.
To use the script, run these functions in a PowerShell console with the SharePoint 2010 add-ons loaded:
function Remove-SPFeatureFromContentDB($ContentDb, $FeatureId, [switch]$ReportOnly)
{
    $db = Get-SPDatabase | where { $_.Name -eq $ContentDb }
    [bool]$report = $false
    if ($ReportOnly) { $report = $true }
   
    $db.Sites | ForEach-Object {
       
        Remove-SPFeature -obj $_ -objName "site collection" -featId $FeatureId -report $report
               
        $_ | Get-SPWeb -Limit all | ForEach-Object {
           
            Remove-SPFeature -obj $_ -objName "site" -featId $FeatureId -report $report
        }
    }
}
function Remove-SPFeature($obj, $objName, $featId, [bool]$report)
{
    $feature = $obj.Features[$featId]
   
    if ($feature -ne $null) {
        if ($report) {
            write-host "Feature found in" $objName ":" $obj.Url -foregroundcolor Red
        }
        else
        {
            try {
                $obj.Features.Remove($feature.DefinitionId, $true)
                write-host "Feature successfully removed from" $objName ":" $obj.Url -foregroundcolor Red
            }
            catch {
                write-host "There has been an error trying to remove the feature:" $_
            }
        }
    }
    else {
        #write-host "Feature ID specified does not exist in" $objName ":" $obj.Url
    }
}
You now have two options for using these functions. If you just want to produce a report in the console showing which sites and site collections contain the feature, type the following (note the ReportOnly switch on the end):
Remove-SPFeatureFromContentDB -ContentDB "SharePoint_Content_Portal" -FeatureId "8096285f-1463-42c7-82b7-f745e5bacf29" -ReportOnly
This command will step through all sites and site collections and display the following message whenever it finds the feature specified:
Feature found in site : http://portal/site
If you want to go ahead and remove the feature from all sites and site collections in the content database, type the same command without the ReportOnly switch on the end:
Remove-SPFeatureFromContentDB -ContentDB "SharePoint_Content_Portal" -FeatureId "8096285f-1463-42c7-82b7-f745e5bacf29"
Running this command will step through all sites and site collections, remove the feature specified, and display the following output:
Feature successfully removed from site : http://portal/site
You should now be able to reanalyse the “Missing server side dependencies” issue in the Health Analyzer to clear the problem (providing there are no other issues reported under that title, of course!).
http://get-spscripts.com/2011/06/removing-features-from-content-database.html

7 Aug 2012

Permissions to make User Profile Synchronization "Start"?

http://social.technet.microsoft.com/Forums/en-AU/sharepoint2010setup/thread/aa36b4a1-6d06-45af-9d31-612ef69855f9

http://www.harbar.net/articles/sp2010ups2.aspx#ups14

http://blogs.msdn.com/b/opal/archive/2009/11/19/user-profile-sync-setup-in-sharepoint-server-2010-beta.aspx

SharePoint displays users as Domain\Username instead of Display Name

Log in to the SharePoint server with the farm account and launch PowerShell.
1. If the problem only appears with a single user, you can update a single account like so:

Set-SPUser -Identity 'domain\Username' -Web http:// -SyncFromAD

2. If all (or a lot) of the users are affected, you can do it with the following:

Get-SPUser -Web http:// | Set-SPUser -SyncFromAD

18 Jul 2012

Move SQL database

http://msdn.microsoft.com/en-us/library/ms345408.aspx

HyperV tips

  • Never save state on a Domain Controller; doing so can cause domain synchronisation issues.
  • Never pause a Domain Controller; this can cause replication issues.
  • Do not take Snapshots of Domain Controllers.
  • Use Fixed size disks; this will improve performance and help reduce disk fragmentation.
  • Always defragment a physical disk before creating a virtual hard disk.
  • Be mindful of the integration services' effect on a Domain Controller. If you provide the time synchronisation service to a Domain Controller, you can cause time synchronisation issues in your domain.
  • Don't expand the Virtual Hard Disk if you have snapshots which haven't merged with the main VHD. This will make it impossible to remerge them.
  • If you cannot merge your snapshot (avhd) files back into the main VHD, you can attempt to use WinImage (http://www.winimage.com) to retrieve the data from within the snapshot file. To do this, simply rename the snapshot file from string.avhd to string.vhd, then open it with WinImage.
  • Remember to uninstall the VM Additions before migrating Virtual Machines from Virtual PC or Virtual Server 2005 R2, otherwise you will receive the following error when you try to uninstall them from inside Hyper-V: "You can install Virtual Machine Additions only on a virtual machine that is running a supported guest operating system".

Manually merge AVHD to VHD in Hyper-V

Hyper-V brings to life several additional disaster recovery scenarios that can be leveraged to our advantage when the need arises. One of the features that really comes into play is VM snapshots. A snapshot is basically a point in time where the current running configuration of the virtual machine is saved to a snapshot differencing disk file (AVHD), to which you can return later. This tip will show you how to manually merge Hyper-V snapshots into a single VM for point-in-time restores.

When you create a differencing disk, the original VHD is no longer modified, and the snapshots are merged with the original VHD only when the VM is powered off. In disaster recovery scenarios, there may be cases where we want to manually merge snapshots (AVHD).

In order to do this, you must first change the extension of the youngest AVHD file to VHD.
A differencing disk (AVHD) always merges into its immediate parent, not the root parent.

So if you have a bunch of AVHDs, each depends on the one before it, like the rungs of a ladder: they are sequential. Most folks have a very simple linear chain of snapshots. Example: VHD - AVHD1 - AVHD2 - AVHD3 - AVHD4. (Here AVHD4 is the youngest and AVHD1 is the oldest.)

The parent of AVHD4 is AVHD3. The parent of AVHD3 is AVHD2. The parent of AVHDn is simply the one before it.

You need to merge from the youngest AVHD to the oldest AVHD to complete the merge operation.

To start the merge, follow the steps below:
  • First identify the youngest AVHD (in our example: AVHD4).
  1. Rename the youngest AVHD (AVHD4) to VHD. (Do not rename all the AVHDs at once; rename only the youngest AVHD first.)
  2. Choose the Edit Disk option from the Actions menu in the Hyper-V Management Console.
  3. Click Next through the first screen and select the snapshot file on the following screen.
  4. Select Merge on the next screen, choose the To parent virtual disk option and click Finish.
  5. After the merge completes successfully, AVHD4 is deleted automatically.
  • Now rename the second youngest AVHD (AVHD3) to VHD and repeat steps 1 to 4 until the oldest AVHD (AVHD1) has been merged with the parent VHD.
Once this has completed, you should create a new virtual machine with the default options you would normally use, selecting to use an existing virtual disk on the hard disk screen. You should select the newly merged VHD file.

You have now successfully completed a manual merge of AVHD to VHD in Hyper-V.

http://social.technet.microsoft.com/wiki/contents/articles/6257.manually-merge-avhd-to-vhd-in-hyper-v.aspx

13 Jul 2012

Configure SQL Server 2008 for Sharepoint 2010 and Project Server 2010 installation

Configure SQL Network Settings for SQL Server 2008
To configure the network settings for SQL Server 2008 complete the following steps:
1. From the computer console click the Start button >> All Programs >> Microsoft SQL Server 2008.
2. Expand Configuration Tools and select SQL Server Configuration. The system displays the SQL Server Configuration Manager.
3. In the left pane, expand SQL Server Network Configuration, and then select the target SQL Server instance for your Project Server databases.
4. Verify that the TCP/IP option is enabled in the right frame.

Add a SQL Server Login for the Farm Administrator Account
Project Server 2010 requires that the Farm Administrator Role Account have a SQL Server login with the public, dbcreator, securityadmin and sysadmin roles in SQL Server. To create a SQL Server login and add the roles for the login, complete the following steps:
1. Open SQL Server Management Studio.
2. Connect to the database engine for your Project Server 2010 target instance.
3. Expand the Security node, then right-click on Logins and select the New Login option.



4. The system displays the New Login dialog
5. Enter the domain account you created for the Farm Administrator in the Login Name field. From the Select a page list on the left, select Server Roles.

6. In the Server roles list, select the dbcreator, securityadmin, and sysadmin check boxes. The public roles checkbox is selected by default. Leave this setting selected.
7. Click the OK button to continue.


Enable the Common Language Runtime 
Enabling the Common Language Runtime (CLR) for SQL Server improves Project Server 2010 performance by 30% on average, according to Microsoft. To enable the common language runtime, click on the New Query button in the SQL Server Management Studio window and copy the following query into the SQL Query pane:

sp_configure 'clr enabled', 1;
go
reconfigure;
go





Click the Execute button to execute the query and enable the CLR. After executing the query the output section should report a success message like the one shown in Code Sample below. Note that the Query includes the RECONFIGURE statement, and it is not necessary to run this again.  

Configuration option 'clr enabled' changed from 0 to 1. Run the RECONFIGURE statement to install.  

Set SQL Server Database Collation 
Your SQL Server collation must be case-insensitive. In a default English language version, the default collation (SQL_Latin1_General_CP1_CI_AS) is compliant with this requirement. If you are not working with a default English SQL Server installation, you may need to change your SQL Server database collation to case-insensitive, accent-sensitive, Kana-sensitive, and width-sensitive.

Prepare SQL Server Analysis Services for Project Server
You must complete two simple configuration steps to prepare your instance of SQL Server Analysis Services for Project Server 2010:
1) Add the Farm Administrator Role account to the OLAP Users Local Group on the server, and
2) Configure the Farm Administrator Role account permissions in SQL Server Analysis Services.
To add the Farm Administrator account to the OLAP Users Local Group, complete the following steps:
1. Log in to the computer running Analysis Services and select Administrative Tools from the Start menu and select Computer Management from the submenu.
2. On the Computer Management page, in the left pane under System Tools, expand the Local Users and Groups item. Click to expand the Groups folder and locate the OLAP Users Local Group for your Analysis Services instance as shown for SQL Analysis Services 2008
3. Double-click on the group name to open the group Properties dialog

4. In the Properties dialog, click the Add button. The system displays the Select Users, Computers, or Groups dialog
5. In the Select Users, Computers, or Groups dialog, enter the name of your Farm Administrator account. You may click the Check Names button to verify your entry, or click the OK button to accept your entry. The account now appears in the Members section of the Group Properties dialog shown previously. Click the OK button to close the Group Properties dialog and then close the Computer Management page to continue.

To add the Farm Administrator as an Analysis Services server administrator complete the following steps: 
1. Open SQL Server Management Studio. In the Connect to Server window, select or browse to connect to the SQL Server Analysis Services instance for your Project Server 2010 deployment.
2. In Microsoft SQL Server Management Studio Object Explorer, right-click on your SQL Server 2005 Analysis Services instance name, and then click Properties from the pop-up menu. The system displays the Analysis Services Properties dialog. From the Select a page pane, click the Security item. Your Analysis Server Properties dialog should look like the
3. Click the Add button. The system displays the Select Users or Groups dialog
4. On the Select Users or Groups dialog, type the name of the Farm Administrator account.
5. Click the OK button to add the Farm Administrator account to the Server Administrators list
6. Click the OK button on the Analysis Server Properties page to exit the operation.

11 Jul 2012

Managed Service Account–SQL Server 2012

As you know, security measures are added in every release of SQL Server. This version of SQL Server uses managed service accounts to run SQL Server related services. In earlier versions the Local System account was used as the service account for all SQL Server related services; in this version, individual local accounts are used for each of them. With Local System, any application that runs as Local System is allowed to access SQL Server. To overcome this, the Microsoft team has started using managed service accounts in SQL Server.

Let me give a brief overview of managed service accounts, then we will discuss the changes related to service accounts in SQL Server 2012.

What is Managed Service Account?

Managed Service Account (MSA) is a new type of account that’s supported in Windows 7 & Windows 2008 R2. The main reason for this new account type is to isolate one service from another. In earlier operating systems, services ran under either Local System or domain accounts. If you run SQL Server as Local System, any other service running as Local System can connect to SQL Server and retrieve data, which is a loophole. A domain account avoids this scenario, but maintaining domain accounts takes considerable time. In addition, most organizations do not change the domain service account password for long periods, which means that anyone who knows the password can connect to SQL Server at any time, because the password stays the same.
With all this in mind, the new account feature was added in Windows 7 & Windows 2008 R2. Below are the advantages of managed service accounts:
  • Automatic password management. The password for an MSA is changed automatically every 30 days. However, there is a known issue: when the password changes, it can cause a failed authentication attempt using the old password. To overcome this you need to install a patch; refer to KB article http://support.microsoft.com/kb/2494158 for more details.
  • SPN management is made simpler for these accounts (the domain needs to be at the Windows 2008 R2 functional level), which allows service administrators to set SPNs for these accounts. For the Windows 2003 and Windows 2008 functional levels, you can update the schema to support this.
You can also create an MSA for your own application service. The crucial part is that there is no GUI to create or configure an MSA for your service; you need to work with PowerShell cmdlets. For further information on MSAs, check the articles below:
http://technet.microsoft.com/en-us/library/dd548356.aspx
http://technet.microsoft.com/en-us/library/ff641729%28v=ws.10%29.aspx

What’s added in SQL Server 2012

In earlier versions of SQL Server (from SQL 2005), as part of the service account security standards, setup created local groups on the computer and granted the necessary permissions to those groups wherever applicable. In SQL Server 2012 that no longer applies: setup creates an individual managed service account for each SQL Server service. This means every SQL Server related service runs under its own service account, thereby isolating each service. You can see from the image below that each service has a different service account, and each of these accounts has its own SID.
[Image: service_account_sql_2012_1]
Naming convention for the service accounts is as below
Service Name         Instance        Service Account Naming Convention
Database Engine      Default         MSSQLServer
Agent Service        Default         SQLSERVERAgent
Reporting Server     Default         ReportServer
Analysis Service     Default         MSSQLServerOLAPService
Fulltext Service     Default         MSSQLFDLauncher
Database Engine      InstanceName    MSSQL$InstanceName
Agent Service        InstanceName    SQLAgent$InstanceName
Reporting Server     InstanceName    ReportServer$InstanceName
Analysis Service     InstanceName    MSOLAP$InstanceName
Fulltext Service     InstanceName    MSSQLFDLauncher$InstanceName
Integration Service  Not applicable  MSDtsServer110
I was curious to check the admin permissions associated with these accounts. I could see SA access granted only to the SQL Agent service account and not to the database engine; that’s a classic example of how they grant only the required permission.
[Image: service_account_sql_2012_2]
Finally, I checked the Administrators group on the computer to see whether any SQL related groups got created. Yes, a couple of groups still get created on the computer for the Browser service and Analysis Services. The Analysis service account and the Browser service account are part of the analysis group and the browser group respectively.
[Image: service_account_sql_2012_3]
From the screenshot above it’s clear that analysis groups are created per instance. Thus MSA is an added security hardening step in SQL Server 2012 that isolates all SQL Server related services, so there is no more access using the Local System account.
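
To check which account each SQL Server service actually runs under on a given server, and to spot any still using Local System, the following added example (not part of the original article) queries Win32_Service and classifies the logon account. The function name is hypothetical, and it assumes the Windows service names match the names in the naming-convention table above, plus SQLBrowser for the Browser service.

```powershell
# Added example, not from the original article. Get-SqlServiceAccountReport is a
# hypothetical name. Assumption: Windows service names match the account names in
# the naming-convention table (SQLBrowser added for the Browser service).
function Get-SqlServiceAccountReport {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Single-quoted so that '$' stays a literal character in the -like patterns.
    $patterns = 'MSSQLSERVER', 'MSSQL$*', 'SQLSERVERAGENT', 'SQLAgent$*',
                'ReportServer*', 'MSSQLServerOLAPService', 'MSOLAP$*',
                'MSSQLFDLauncher*', 'MsDtsServer*', 'SQLBrowser'

    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
        Where-Object {
            $serviceName = $_.Name
            @($patterns | Where-Object { $serviceName -like $_ }).Count -gt 0
        } |
        ForEach-Object {
            $svc = $_
            $account = [string]$svc.StartName

            # Classify the logon account; the first matching rule wins.
            $kind = switch -Regex ($account) {
                '^(LocalSystem|NT AUTHORITY\\(SYSTEM|Local ?Service|Network ?Service))$' {
                    'shared built-in identity'; break
                }
                '^NT SERVICE\\' { 'per-service account'; break }
                '\$$'           { 'managed service account (name ends in $)'; break }
                default         { 'domain or local user account' }
            }

            New-Object PSObject -Property @{
                Service = $svc.Name
                State   = $svc.State
                Account = $account
                Kind    = $kind
            } | Select-Object Service, State, Account, Kind
        }
}

# Services reported as 'shared built-in identity' are the ones the article's
# isolation argument applies to.
Get-SqlServiceAccountReport | Sort-Object Kind, Service | Format-Table -AutoSize
```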
