How can the local built-in account NT AUTHORITY\SYSTEM be getting permission denied with the sysadmin server role set when performing backup operations? The following system logs are generated and are pasted at the end.
-------
Configuration:
SQL 2012 SP1 11.0.3000 -- installed on a physical host running Windows Server 2012. All media is locally attached.
SQL VSS Writer service running as Local System - per SQL 2012 documentation.
NT AUTHORITY\SYSTEM -- has been granted the sysadmin server role for 3 instances. In total 2 DBs per instance. Per Data Protection Manager (DPM) documentation.
DPM 2010 - running on physical hosts - can back up file structure just fine.
For reference, I can back up my test 2012 box with the same version of SQL 2012 just fine. Really, all it takes is adding the sysadmin server role to NT AUTHORITY\SYSTEM for each instance. (Yes, I know the db_backupoperator will allow for full backups, but the sysadmin is needed for DPM's incremental operations to run.)
However, when any backup function from DPM is performed against the SQL DB server in question, it calls on the SQL VSS Writer, and the SQL VSS Writer is getting blocked at a permission level to the SQLVDI. This shouldn't be possible, and it has been documented over the years on a number of TechNet and third-party forums as an ongoing problem that plagues the use of the SQL VSS Writer. Solutions include re-registering the .dll files, checking the version of the registered VDI registration, rebooting, and changing the account that the SQL VSS Writer service runs as (which is not a solution), and many of the threads I found were abandoned.
Again, if the SQL VSS Writer is running as Local System, and Local System is a sysadmin to each SQL instance, how is it getting access denied from VSS and the SQLVDI subsystem?
----------
Event ID - 1, SQLVDI --
SQLVDI: Loc=SVDS::Open. Desc=Open(Control). ErrorCode=(5)Access is denied.
. Process=1788. Thread=8844. Server. Instance=DW. VD=Global\{C49FD3D9-F417-4EB1-A713-25ADF5CEB237}1_SQLVDIMemoryName_0.
--------
Event ID - 8229, VSS
A VSS writer has rejected an event with error 0x800423f4, The writer experienced a non-transient error. If the backup process is retried,the error is likely to reoccur.
Changes that the writer made to the writer components while handling the event will not be available to the requester. Check the event log for related events from the application hosting the VSS writer.
Operation:
PrepareForSnapshot Event
Context:
Execution Context: Writer
Writer Class Id: {a65faa63-5ea8-4ebc-9dbd-a0c4db26912a}
Writer Name: SqlServerWriter
Writer Instance Name: SQL Server Code-Named 'Denali' CTP2:SQLWriter
Writer Instance ID: {f07785c1-4c66-4f49-8128-a3519c620a0d}
Command Line: "C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
Process ID: 5388
--------
Event ID - 3041, Backup -- sample event - there is one for every database.
BACKUP failed to complete the command BACKUP DATABASE master. Check the backup application log for detailed messages.
<Security UserID="S-1-5-18" /> --
----
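A read-only way to confirm the three facts the question rests on: the account and binary version behind the SQL VSS Writer service, sysadmin membership of NT AUTHORITY\SYSTEM on each instance, and the order of the SQLVDI, VSS and backup events. This is an added example, not part of the original post; it assumes an elevated prompt on the SQL host with sqlcmd on PATH, and the instance names other than DW (the one named in the pasted log) are placeholders.

```powershell
# Added diagnostic sketch; not part of the original post. Read-only.
# Assumptions: elevated prompt on the SQL host, sqlcmd.exe on PATH.
# 'DW' comes from the pasted SQLVDI event; the other two names are placeholders.
$instances = @('DW', '<INSTANCE_2>', '<INSTANCE_3>')

# 1. Account and binary behind the SQL VSS Writer service (service name: SQLWriter).
$svc = Get-CimInstance Win32_Service -Filter "Name='SQLWriter'"
$exe = ($svc.PathName -replace '"', '').Trim()   # assumes the path carries no arguments
[pscustomobject]@{
    Service     = $svc.Name
    State       = $svc.State
    RunsAs      = $svc.StartName                 # LocalSystem in the setup described above
    Binary      = $exe
    FileVersion = (Get-Item $exe).VersionInfo.FileVersion
}

# 2. sysadmin membership of NT AUTHORITY\SYSTEM, checked on every instance.
$query = "SET NOCOUNT ON; SELECT IS_SRVROLEMEMBER('sysadmin', 'NT AUTHORITY\SYSTEM');"
foreach ($name in $instances) {
    $out = & sqlcmd -S ".\$name" -E -h -1 -W -Q $query 2>&1
    $result = switch ("$out".Trim()) { '1' { 'yes' } '0' { 'no' } default { "check failed: $out" } }
    [pscustomobject]@{ Instance = $name; SystemIsSysadmin = $result }
}

# 3. The three events from the post in time order:
#    SQLVDI 1 (access denied), VSS 8229 (writer rejected event), 3041 (BACKUP failed).
#    Event ID 1 is used by many providers, so filter on the provider name as well.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1, 8229, 3041 } `
        -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match '^(SQLVDI|VSS|MSSQL)' } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, ProviderName,
        @{ n = 'User';    e = { $_.UserId } },
        @{ n = 'Message'; e = { ($_.Message -split '\r?\n')[0] } }
```

The sysadmin check runs under the caller's login and only asks the server about the SYSTEM login; it does not execute anything as SYSTEM.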