sql server peer to peer replication - have the agents running as NT AUTHORITY\NETWORK SERVICE?

Question

On a test rig, I'm trying to get SQL Server 2005 peer to peer (transactional) replication working, with the replication agents running under the NT AUTHORITY\NETWORK SERVICE account.

Before this I setup a peer to peer replication with the agents running under the SQL Server agent service account (i.e. SYSTEM account) and I created a security group in AD containing the machine accounts. I gave this group the neccessary permissions on the dbs, PAL, distributor. This worked fine.

If I try to do the exact same setup with the agents running as NT AUTHORITY\NETWORK SERVICE (or NT AUTHORITY\NETWORKSERVICE - no space, I tried both), I see the following error in replication monitor:

Unable to start execution (reason: Error authenticating proxy Nt Authority\Network Service, system error: Logon Failure: unknown username or bad password)

I have also tried making Network Service a sql login on each server, and giving it the sysadmin role. This made no difference. Is it simply not possible to run a replication agent as network service?

(note - I am aware I can use an AD account with a username/password. For various reasons we don't want to do that in this instance)

Answer 1

For the benefit of Duffman and anyone else, we did find a non-standard solution to this.

If you look at the SQL Server agent jobs for each replication agent, the properties of the jobs show the command line options required for the distributor (distrib.exe), Log reader (logread.exe) and snapshot (snapshot.exe) agents.

I wrote a small windows service in c# that launches these agents with those command line parameters, and set that service to run under the Network Service account. This works fine.

For this to work, you have to delete the jobs from SQL the server agent which launch the replication agents. Also when the agents are launched in this way, the GUI tools which control the agents (such as start synchronising from replication monitor) no longer work, so I added some functionality to the windows service to replace these.

But everything else (alerts, reporting etc) seems ok. We had this configuration under test for several months, and found no problems with it.

Note if you don't want to write a windows service, you can do the same thing with a batch file, and have that launched by a scheduled task or srvany (this is how we first tested it).