I was repairing an issue with connectivity between a primary vCenter and secondary vCenter site and their SRM Servers when I came across a configuration on both SRM databases which was not ideal. Both SRM users had sysadmin rights on each SQL Server.
I have seen many installations whereby the privilege of sysadmin has been given to a SQL Security login account, this being the case in this instance. Best practice for a secure environment is to limit this activity as much as possible.
According to the installation documentation, the database schema must have the same name as the database user account, among other things:
- The Site Recovery Manager database schema must have the same name as the database user
- The Site Recovery Manager database user must be the owner of the Site Recovery Manager
- The Site Recovery Manager database schema must be the default schema for the Site Recovery Manager database user.
I would advise making individual AD accounts during the installation of SRM. The procedure below outlines the database configuration (thanks to our DBA for the assistance).
Create your security account as you normally would, e.g. DOMAINNAME\SRMSERVICE
Ensure that the VMware vCenter Site Recovery Manager Service on the SRM servers is also running as the DOMAINNAME\SRMSERVICE user. I have noticed this gets set back to Local System if you run the modify wizard on an existing installation.
Ensure Default Database is set to the SRM database. Select the SRM database, select New Query, type the command below, and click Execute.
This maps the security login DOMAINNAME\SRMSERVICE to the dbo database user account, as seen if you open the SRM database user account “dbo”.
Complete the same on both the SRM primary and secondary databases, and restart the VMware vCenter Site Recovery Manager Service on each primary and secondary SRM server.
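The database-side steps above, written out as T-SQL. This is an added example, not the command from the original post (which is not reproduced on this page). `SRM_DB` is a placeholder database name, removing the login's direct sysadmin membership is an assumption based on the post's aim of limiting that privilege, and `ALTER SERVER ROLE ... DROP MEMBER` assumes SQL Server 2012 or later.

```sql
-- Added example. Placeholders (assumptions): SRM_DB is the SRM database,
-- DOMAINNAME\SRMSERVICE is the AD service account named in the post.
-- Run as one batch in a New Query window on each SRM SQL Server.
USE [SRM_DB];

-- ALTER AUTHORIZATION fails if the login is already mapped to a non-dbo
-- user in this database, so report that instead of dropping anything.
IF EXISTS (SELECT 1
           FROM sys.database_principals
           WHERE sid = SUSER_SID(N'DOMAINNAME\SRMSERVICE')
             AND name <> N'dbo')
BEGIN
    RAISERROR(N'Login is already mapped to a user in this database; review that mapping first.', 16, 1);
    RETURN;  -- leave the batch without changing anything
END;

-- Default database for the login, as in the procedure above.
ALTER LOGIN [DOMAINNAME\SRMSERVICE] WITH DEFAULT_DATABASE = [SRM_DB];

-- Make the login the database owner, which maps it to the dbo user.
ALTER AUTHORIZATION ON DATABASE::[SRM_DB] TO [DOMAINNAME\SRMSERVICE];

-- Remove direct sysadmin membership only if it is present.
IF EXISTS (SELECT 1
           FROM sys.server_role_members AS rm
           JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
           JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
           WHERE r.name = N'sysadmin'
             AND m.name = N'DOMAINNAME\SRMSERVICE')
    ALTER SERVER ROLE [sysadmin] DROP MEMBER [DOMAINNAME\SRMSERVICE];

-- Verify: owner and dbo should both resolve to the service account.
-- still_sysadmin = 1 here means the right is inherited (e.g. via a Windows group).
SELECT d.name                  AS database_name,
       SUSER_SNAME(d.owner_sid) AS database_owner,
       SUSER_SNAME(dp.sid)      AS login_behind_dbo,
       IS_SRVROLEMEMBER('sysadmin', N'DOMAINNAME\SRMSERVICE') AS still_sysadmin
FROM sys.databases AS d
CROSS JOIN sys.database_principals AS dp
WHERE d.name = DB_NAME()
  AND dp.name = N'dbo';
```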