SQL Server security: why should we use network path for snapshot folder?

JK 1 Reputation point
2022-11-08T02:51:53.213+00:00

Hi,

<Our setup>
We're using SQL Server 2019 and transactional replication.
Our publisher, distributor and subscriber are all on the same machine.

<Question 1>
In this link, Microsoft advises to use "a network share rather than a local path for the snapshot folder", as a security best practice.

But it doesn't tell us why that is required.
We tried to find an answer online, but we're not able to find it yet.
Would anyone know the reason behind the recommendation?

<Question 2>
This link mentions that:
If the replication agent runs on the Distributor, use the Security tab of the Properties dialog box for the folder to grant permissions to the Windows account used to run the agent. Do this even when a network share is used. This applies to the Merge Agent and Distribution Agent for a push subscription and to the Snapshot Agent when the Publisher and Distributor are on the same computer.

So we need to give permissions in both Share and Security
EVEN when we are using a network share,
when the distributor and the publisher are on the same computer.

Does anyone know why? What is happening behind the scene?

Thanks for your help in advance.

SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
13,351 questions
{count} votes

1 answer

Sort by: Most helpful
  1. YufeiShao-msft 7,081 Reputation points
    2022-11-08T09:45:06.913+00:00

    Hi @JK

    a network share rather than a local path for the snapshot folder

    For simple, it is for security, when you use a local service account for your SQL Server service, your server will not automatically have permissions to access to other network resources like UNC paths, such as when you want to perform backups directly to a network share, this is needed to be able, if you want to access to network shares from SQL Server, you need to make some settings.

    For permission, you can see this doc:
    Replication Agent Security Model

    -------------

    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.