Requirements for a SQL Server Windows standalone source environment

This section covers the requirements for a SQL Server Windows standalone source environment.

Source host requirements

Windows servers that will be added as Source Environments must meet the following requirements:

Source Host Requirement	Explanation
To allow Delphix-initiated backups, the service account running each SQL Server instance (the Instance Owner) should be one of: A domain user (e.g. `MYDOMAIN\accountname`) (RECOMMENDED) A Managed Service Account or Group Managed Service Account ( `MYDOMAIN\accountnameundefined`) (requires Windows 2012 and later, and SQL Server 2008R2 or later) The LOCAL SYSTEM account (`NT AUTHORITY\SYSTEM`) The NETWORK SERVICE account (`NT AUTHORITY\NETWORK SERVICE`)	Backups initiated by the Delphix Engine (Delphix Managed Backups or manual snapshots which request a backup) will fail if the service account cannot access backups created by the Source database instance
The source host, proxy and staging environments must have appropriate cross-domain trust relationships	For more information on these requirements, see the document Delphix in Multi-domain Windows Environments.

Source Host Requirement

Explanation

To allow Delphix-initiated backups, the service account running each SQL Server instance (the Instance Owner) should be one of:

A domain user (e.g. MYDOMAIN\accountname) (RECOMMENDED)
A Managed Service Account or Group Managed Service Account ( MYDOMAIN\accountnameundefined)
(requires Windows 2012 and later, and SQL Server 2008R2 or later)
The LOCAL SYSTEM account (NT AUTHORITY\SYSTEM)
The NETWORK SERVICE account (NT AUTHORITY\NETWORK SERVICE)

Backups initiated by the Delphix Engine (Delphix Managed Backups or manual snapshots which request a backup) will fail if the service account cannot access backups created by the Source database instance

The source host, proxy and staging environments must have appropriate cross-domain trust relationships

For more information on these requirements, see the document Delphix in Multi-domain Windows Environments.

Source Windows user requirements

Aligning to our zero-trust approach, “Delphix OS” user permissions on the Source can now be configured with the least privilege necessary from previous super-user “Backup Operator” requirements.

Source Windows User Requirements	Explanation
Have the "Log on as batch" privilege on the source host	This permission is required for remote PowerShell execution. This privilege can be assigned through the Local Security Policy (Local Policies → User Rights Assignment → Log on
Have read permission for `"Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\SecurePipeServers\winreg"`on the source host	This permission is required to have access to the remote registry. Delphix uses this privilege to discover SQL Server instances and gather system details, using Windows remote registry access.
Be a member of the Users group on the Staging Host	In order to discover and query SQL Server instances as the Source Windows User, scripts are run on that user at the Staging Host.
Have the "Log on as batch" privilege on the Staging host	This permission is required for remote PowerShell execution. This privilege can be assigned through the Local Security Policy (Local Policies → User Rights Assignment → Log on as batch job).
Be able to log in to each SQL Server instance that the Delphix Engine will communicate with	These requirements are described in the Source Database Login Requirements section below.

Deprecated source Windows user requirements

Source Windows User Requirement	Explanation
Be a member of the Backup Operators group on the Source Host	Delphix uses this privilege to discover SQL Server instances and gather system details, using Windows remote registry access.
Be a member of the Users group on the Staging Host	In order to discover and query SQL Server instances as the Source Windows User, scripts are run on that user at the Staging Host.
Be able to log in to each SQL Server instance that the Delphix Engine will communicate with	These requirements are described in the Source Database Login Requirements section below.

Login requirements for source databases

The Delphix Engine requires SQL Server logins to be created on each SQL Server instance that the Delphix Engine will communicate with:

A database login for Environment discovery and monitoring, specified when Adding an Environment. This must be a Windows Authentication login for the Source Windows User configured in the previous section.
A database login for dSource (Source Database) monitoring and interaction, specified when Linking a dSource. This user can be:
- The same as the Source Windows User;
- A different Windows Authentication login (this user must also have Log on as a Batch Job privileges on the Staging host); or
- An SQL Authentication login(also known as a Database User).

These users must have the following permissions on each instance:

Object	Privileges Required	dSource User	Environment User	Purpose
Server	`CONNECT SQL`	Y	Y	Access to the SQL Server instance
Database: `master`	`db_datareader`	Y	Y	Access to information about attached databases
Database: `msdb`	`db_datareader`	Y		Access to the backup history
Each user database to be linked	`PUBLIC`	Y		Delphix will periodically run queries to check the current size of the database
Each user database to be linked	`db_backupoperator`	Y		Optional: Required for backups to be initiated by Delphix (using Delphix Managed Backups, or when Delphix initiates a backup during a manual Snapshot)
Server	`VIEW ANY DEFINITION`	Y	Y	Optional: Required for the discovery of databases in Availability Groups
Server	`VIEW SERVER STATE`	Y	Y	Optional: Required for the SnapSync and discovery of Availability Groups
Object: `master.dbo.sqbutility`	`EXECUTE`	Y		Optional: Required when using backups created by Red Gate SQL Backup
Object: `master.dbo.xp_sqllightspeed_version`	`EXECUTE`	Y		Optional: Required when using backups created by Quest LiteSpeed for SQL Server

List of source tables accessed by the Delphix engine

Using the db_datareader permission, the Delphix Engine accesses the following system tables in the master and msdb databases on the source host:

System table	Justification
master.sys.databases	Used to determine the name and recovery model of databases within discover SQL Server instances
master.sys.availability_groups (Only for source cluster)	Used for discovering all the availability groups within an Availability Group source environment.
master.sys.availability_group_listeners (Only for source cluster)	Used for discovering all the availability group listeners within an Availability Group source environment. A requirement for dSource linking of SQL Server clustered databases (replicas) is to provide an AG (Availability Group) listener for AG cluster source discovery. This is implemented on AG cluster source discovery as a failsafe if AG cluster source database authentication configuration change down the line, ensuring the Delphix engine has a way to reach the cluster and continue certain operations.
master.sys.availability_databases_cluster (Only for source cluster)	Used for discovering all the availability group clusters within an Availability Group source environment.
master.sys.availability_replicas (Only for source cluster)	Used for discovering all the availability group replicas within an Availability Group source environment.
master.sys.database_files	Used to determine the size of databases and whether filestream is enabled for a database
master.sys.dm_exec_requests	Used to enable Delphix to report backup operation progress
master.sys.master_files	Used to determine the primary file of a database
master.sys.filegroups	Used to determine the filegroups of a database so that Delphix can configure VDBs with the same filegroups
msdb.dbo.backupset	Used to determine new backups that have been taken. This table is regularly queried to find out if a new backup image has been taken and needs to be synchronized with Delphix.
msdb.dbo.backupmediafamily	Used to determine the physical device names of the backup files comprising a backup.