Wednesday, January 9, 2008

How to run Oracle Windows services in a multi-home environment PROPERLY.

By default Oracle installs all windows products using a local administrator account. Any Oracle services are setup to run as LOCAL SYSTEM, and all path entries are added to the SYSTEM PATH. This means that the last Oracle product that gets installed is first in the system PATH.

You can change the order the homes appear in the path, and if some homes are even in the path by manually running the Oracle Installer after the last installation, and using the path options in the Installed Products section.

This is fine for a single Oracle home, but completely HOPELESS in a multi-home environment.

The Oracle binaries in different homes, and services, should run as different windows users – each home should have its own user, each with local Administrator privilege.

Each user then has the PATH (and possibly other environment variables like JRE_HOME or PERL5LIB) crafted specifically for the product in that home.

Services that are based in that home should run as that Oracle Home user.

Basically, treat the products as if they are running in a UNIX environment J

There are numerous benefits such as

1. Products using the correct support libraries, java, perl

2. LOCAL SYSTEM does not have certain network privileges, which prevents Oracle from using UNC path names. Running as an OS user allows RMAN and other processes to use UNC path names to connect to file systems on other servers

So, after installing a product, remove the oracle entries from the SYSTEM PATH, and add them to the USER PATH for the OS user that has been created to run the products in that Oracle Home.

The only variable that may make sense to leave in the system path is invPtr which point to the Oracle Installer inventory location.

With a shared inventory, you should use the latest version of the installer installed on the server. Of course you could go one step further and run multiple product inventories, and add invPtr as user-level environment variable, with invPtr pointing to the appropriate inventory.

When running services with local user accounts, grant the following local security policies, to the user. Use the Local Security Policy Manager in the Control Panel, administrative tools, or run: %SystemRoot%\system32\secpol.msc /s

In "User Rights Assignment" add the OS users to the following rights groups:

"logon as batch job"

"Run as a service"

"Replace a Process Level Token"

Follow up: There is a good discussion about this here: dizwells "NFS for Windows" post.

1 comment:

  1. I have read your blog its very attractive and impressive. I like it your blog.

    Java Training in Chennai Core Java Training in Chennai Core Java Training in Chennai

    Java Online Training Java Online Training JavaEE Training in Chennai Java EE Training in Chennai

    ReplyDelete