Reporting Database Synchronization job fails

Article:TECH131603  |  Created: 2010-01-09  |  Updated: 2012-03-05  |  Article URL http://www.symantec.com/docs/TECH131603
Article Type
Technical Solution


Issue



Reporting Database Synchronization job fails in CCS Reporting and Analytics with multiple failures

Symptoms
SSIS MS errors.

This is pre CCS SP1 as prerequisite for installing SP1 state that all modules must function including Report Database Synch jobs.
SA is assigned the GPO per AD (logon as a service is restricted by GPO but when viewing lists of enforcement in the GPO, SA is listed as having rights to logon and run a service.

Attempts to launch scripts but the run fails due to privilege error
SA seems to have read /write privileges on csm db and msbd db all according to the doc attach

 


Cause



Logon as a service restricted by GPO in Security Settings Local Policy Logon a s Service - Replace process level token


Solution



Remove this restriction



Technical Information
Verify the account running the SQL Agent service has the following permissions in Local Security Policy. See bullets below:


Windows user rights -

Typically, the default installation of the operating system gives the Local Administrators Group all the user rights that SQL Server requires to function correctly. Therefore, local Windows NT accounts or domain accounts that have been added to the Local Administrators Group, with the intent of being the startup account for the SQL Server service, have all the user rights that they require. However, we do not recommend that you run SQL Server under such high user rights.

For SQL Server 2005, if you do not want the SQL Server or the SQL Server Agent startup account to be a member of the Local Administrators Group, see the "Reviewing Windows NT Rights and Privileges Granted for SQL Server Service Accounts" section in the "Setting Up Windows Service Accounts" topic in SQL Server 2005 Books Online.

For SQL Server 2000, if you do not want the SQL Server or the SQL Server Agent startup account to be a member of the Local Administrators Group, then the startup account for the MSSQLServer service and the SQLServerAgent service (either a local Windows NT account, or a domain Windows NT account) must have these user rights:
• Act as Part of the Operating System = SeTcbPrivilege
• Bypass Traverse Checking = SeChangeNotify
• Lock Pages In Memory = SeLockMemory
• Log on as a Batch Job = SeBatchLogonRight
• Log on as a Service = SeServiceLogonRight
• Replace a Process Level Token = SeAssignPrimaryTokenPrivilege

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q283811


 



Legacy ID



2010040913392853


Article URL http://www.symantec.com/docs/TECH131603


Terms of use for this information are found in Legal Notices