Latest Patch broke transaction log truncation

[briguyiu]

We have a case open for this, 00728221, but wanted to see if anyone else is seeing this. We are on Version 8, patch 1.

In the documentation for using application aware processing on SQL, there is nowhere that states that the guest account (svc.veeam in our case) has to have any kind of special rights inside SQL whatsoever. I am under the impression that the network service or NT Authority\System account handles that on the SQL side via VSS.

On some of our SQL servers, that account, does in fact have a login and role in SQL, and everything is working on them just fine, even after patch. On the ones that don't, the backup portion still works, but the Log backup/truncation does not.

Here's the day before I applied the patch, and as you can see, the login error for svc.veeam still exists, however both backup of DB and Logs happen just fine.



Here's the day after, and as you can see, the login error for svc.veeam still exists, however ONLY the backup of the DB happens.



What in the code changed that would make it a requirement for this account to have this kind of access, and why did/does it work for the db backup just fine even after giving the same message?

[briguyiu]

Also, I should add....yes, application aware processing is still enabled on these jobs, yes truncate SQL is still checked, and yes NT Authority\System has the correct rights in SQL on 2012 servers.

[Vitaliy S.]

Can you verify if applying these permissions help in your situation?

[briguyiu]

I'm 100% sure that would work, as a couple of our instances that are being truncated, have the guest account as a sysadmin (god rights in SQL). My concern is, what changed during this update to require this, when before it was not a requirement. I also think if this is a requirement now, there should be some better documentation as to what is needed SQL permission wise for the OS guest account...

[Vitaliy S.]

Let me find out the difference between how SQL Server backup was handled in the previous version and in the latest patch. I will let you know once I hear more details from the devs.

[briguyiu]

Vitality, Just as an FYI, I did make the permissions changes, and truncation started working again as I suspected. That being said, it appears that something definitely changed...just not sure what.

[jim3cantos]

I'm 100% sure that would work, as a couple of our instances that are being truncated, have the guest account as a sysadmin (god rights in SQL). My concern is, what changed during this update to require this, when before it was not a requirement. I also think if this is a requirement now, there should be some better documentation as to what is needed SQL permission wise for the OS guest account...

Same issue here. Solved with the above in bold.

[Vitaliy S.]

Yes, sorry for the late reply, but we've been discussing this behavior with the devs and found out the reason for this change.

Basically, there are three main reasons for that:

1. New Explorers functionality required extra permissions on the database
2. Starting from SQL Server 2012 BUILTIN\administrators and Local System (NT AUTHORITY\SYSTEM) are not automatically provisioned in the sysadmin fixed server role
3. NT Authority\System account was used to handle logs truncation in v7

In the next minor update we will bring previous method of logs handling, and if it fails (due to insufficient permissions on the SQL Server 2012 and above), we will use the account specified in the AAIP option.

Thanks guys for bringing this to our attention.

[Gostev]

Just to follow up, what Vitaly has described was included in 8.0 Update 2. Thanks!

[Izudin]

Just started getting SQL warnings after an update to 8.0 with the Update 2 applied.
Any help would be appreciated.

Thank you!

[foggy]

Izudin, please review this thread for details.

[Izudin]

Thank you Foggy!
I appreciate the help.