ApsaraDB RDS for SQL Server maintains several built-in system accounts to support instance management, high availability, and data migration. These accounts are managed by Alibaba Cloud and are not available for general use.
Instance management accounts
| Account | Purpose |
|---|---|
<Hostname>\Administrator | Local management. Used to reconfigure parameters related to the minor engine version and query instance status. |
aurora | Remote management. Alibaba Cloud engineers use this account to log in to a faulty instance and perform operations such as a primary/secondary switchover and instance monitoring. |
rds_service | Remote management. Used together with aurora to manage the instance remotely when a fault is reported. |
If your instance is faulty, provide theauroraandrds_serviceaccount names to an Alibaba Cloud engineer so they can diagnose and recover the instance.
Default SQL Server accounts (disabled)
| Account | Status |
|---|---|
sqlsa | Disabled to prevent security risks. |
sa | Disabled to prevent security risks. |
These accounts ship with SQL Server by default. They are disabled on ApsaraDB RDS for SQL Server instances.
High availability replication accounts
| Account | Editions |
|---|---|
rds_ha_sec_user | RDS High-availability Edition, RDS Cluster Edition |
rds_ag_sec_user | RDS High-availability Edition, RDS Cluster Edition |
These accounts replicate data from the primary RDS instance to its secondary RDS instance. They are created and managed automatically by the system.
DTS migration account
The rdsdt_dtsacct account is created automatically when you set up a data migration or synchronization task using Data Transmission Service (DTS). DTS requires system admin account permissions to read all instance data, including binary log files, to ensure data integrity and consistency during the task.
Do not delete rdsdt_dtsacct or change its password while a migration or synchronization task is running. Doing so causes the task to fail. After the task completes, delete the account for security purposes.
Key details about this account:
Scope: Created only on the source RDS instance (the instance from which data is migrated or synchronized).
Permissions: System admin account permissions, required for DTS to access all instance data.
SLA impact: Account creation does not affect instance stability, security, service-level agreement (SLA), or performance.
Visibility: Not displayed in the ApsaraDB RDS console. To query or delete the account, connect to the instance and run a SQL statement.