Do not install the SQL Server Database Engine on a domain controller or on the same box as IIS. Reporting Services in SQL Server 2008 no longer requires IIS. If you’re using Reporting Services often and you’re exposing it to the Internet, Microsoft recommends that you move it to its own machine.
While you can get the details about service accounts on MSDN (look for “Setting Up Windows Service Accounts”), this solution provides only the points that you need to know. Up to 10 services are part of SQL Server 2008, depending on what you install. If you install more than one instance, that is up to 10 per instance. For maximum security, use a different local Windows login for each account, instead of sharing a single account locally. Local Windows logins are safer than domain logins, but they are more trouble because you have to keep up with more logins.
Although Microsoft’s suggestion is to use separate local accounts for each service, most companies use a single domain login account for all services, using the minimum security settings. Some things can only be done when the service is running under a domain account, for example:
1. Remote procedure calls
2. Replication
3. Backing up to network drives
4. Heterogeneous joins that involve remote data sources
5. SQL Server Agent mail features and SQL Server Mail
As mentioned earlier, most companies use a single domain account for all services on all production servers. This makes maintenance easier; for instance, you have to set up only a single file share with permissions for backing up to a network drive. There are several kinds of service accounts you can choose from:
a. Domain account: This is an Active Directory domain account that you create and is the preferred account type for SQL Server services needing network access.
b. Local System account: This is a highly privileged account you should not use for services.
c. Local Service account: This is a special, preconfigured account that has the same permissions as members of the Users group. Network access is done as a null session with no credentials.
d. Network Service account: This account is the same as the Local Service Account, except that network access is allowed, credentialed as the computer account. Do not use this account for SQL Server or SQL Agent Service accounts.
e. Local Server account: This is a local Windows account that you create. This is the most secure method you can use for services that do not need network access.
If you are making any changes to properties related to a SQL Server Service, do not use Windows Services dialogs.
For example, suppose the password for a domain Windows account for your SQL Service has been changed. You need to change the stored password for the SQL Service. Although this can be done via Windows Administrative Tools, you should always use SQL Server Configuration Manager to manage the services associated with SQL Server.
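
An added example, not part of the original post: a PowerShell audit that checks which account each SQL Server service runs under against the guidance above. The function name, finding text and sample rows (including the CONTOSO account) are constructed for illustration; it needs PowerShell 3.0 or later.

```powershell
# Added example: flag SQL Server service accounts that conflict with the guidance above.
# Input objects need Name and StartName, the same properties Win32_Service exposes.
function Test-SqlServiceAccount {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Service
    )
    begin { $byAccount = @{} }   # account -> services using it (keys are case-insensitive)
    process {
        # Skip anything that is not a SQL Server service (default or named instance).
        if ($Service.Name -notmatch '^(MSSQL|SQLAgent|SQLSERVERAGENT|ReportServer|MSOLAP|SQLBrowser|MsDtsServer)') { return }

        $account = [string]$Service.StartName
        # Database Engine and SQL Server Agent, default instance or NAME$INSTANCE form.
        $engineOrAgent = $Service.Name -match '^(MSSQLSERVER|MSSQL\$.+|SQLSERVERAGENT|SQLAgent\$.+)$'

        $finding = if ($account -match '^(NT AUTHORITY\\)?(LocalSystem|SYSTEM)$') {
            'Local System: highly privileged, should not be used for services'
        } elseif ($engineOrAgent -and $account -match '^NT AUTHORITY\\Network\s?Service$') {
            'Network Service: do not use for SQL Server or SQL Agent'
        } else {
            'OK'
        }

        if (-not $byAccount.ContainsKey($account)) { $byAccount[$account] = @() }
        $byAccount[$account] += $Service.Name
        [pscustomobject]@{ Service = $Service.Name; Account = $account; Finding = $finding }
    }
    end {
        # One account shared by several services trades isolation for easier maintenance.
        foreach ($entry in $byAccount.GetEnumerator()) {
            if ($entry.Value.Count -gt 1) {
                [pscustomobject]@{
                    Service = $entry.Value -join ', '
                    Account = $entry.Key
                    Finding = 'Shared account: separate accounts per service are more secure'
                }
            }
        }
    }
}

# Constructed sample rows; on a real server use: Get-CimInstance Win32_Service | Test-SqlServiceAccount
$sample = @(
    [pscustomobject]@{ Name = 'MSSQLSERVER';      StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'SQLSERVERAGENT';   StartName = 'NT AUTHORITY\NetworkService' }
    [pscustomobject]@{ Name = 'MSSQL$REPORTS';    StartName = 'CONTOSO\svc-sql' }
    [pscustomobject]@{ Name = 'SQLAgent$REPORTS'; StartName = 'CONTOSO\svc-sql' }
    [pscustomobject]@{ Name = 'Spooler';          StartName = 'LocalSystem' }
)
$sample | Test-SqlServiceAccount | Format-Table -AutoSize
```

The script only reports. Any change to a service account or its stored password should still be made through SQL Server Configuration Manager, as described above.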

