Minimum permissions of Team Foundation Background job service account to collection database - tfs

I inherited an installation of TFS 2015 Update 3 and checked the permissions of the Team Foundation Background Job Agent service account: it has db_owner and TFSExecRole on the TFS collection databases. Are both permissions necessary, or is db_owner overkill and just TFSExecRole needed?
Thank you,

The TFS Background Job Agent service uses the TFS service account. The db_owner permission is assigned by default when we configure TFS. It is not recommended to alter the permissions of these service accounts from the defaults.

The Team Foundation Background Job Agent service uses the same service account as TFS does, TFSService. To operate correctly, this account requires the following permissions:
Log on as a service
Farm Administrators group for any SharePoint Web applications that Team Foundation Server uses
TFSExecRole or both of the following for any databases that Team Foundation Server uses:
    db_owner
    db_create
I've tested running the TFS Background Job Agent service with an account that has only TFSExecRole; it works.
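Before trimming db_owner from a service account, it helps to see exactly which database roles the account currently holds in every collection database, and which permissions the TFSExecRole role itself carries, so the two can be compared. The following T-SQL is an added example and is not from either of the answers above or from Microsoft's own scripts. It assumes the service account's database user is named `DOMAIN\TFSService` (a placeholder to replace with the real account) and that the collection databases use the default `Tfs_*` naming; it is run against the TFS data-tier SQL Server instance with a login that can read every collection database.

```sql
-- Added example (not from the original post): audit the TFS service account's
-- database role membership and the permissions behind TFSExecRole in every
-- TFS database on this instance.
-- Assumptions: service account database user is 'DOMAIN\TFSService' (placeholder),
-- and TFS databases follow the default 'Tfs_%' naming convention.
DECLARE @ServiceUser sysname = N'DOMAIN\TFSService';  -- placeholder, replace with your account
DECLARE @sql nvarchar(max) = N'';

-- Build one batch per online TFS database; each batch switches context with USE
-- and then reports (1) roles held by the service account and (2) what TFSExecRole grants.
SELECT @sql += N'
USE ' + QUOTENAME(d.name) + N';

-- (1) Every database role the service account is a member of in this database
SELECT DB_NAME() AS tfs_database,
       m.name    AS member_name,
       r.name    AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = ' + QUOTENAME(@ServiceUser, '''') + N'
ORDER BY r.name;

-- (2) Explicit permissions granted to the TFSExecRole role itself, so its scope
--     can be compared with the blanket rights that db_owner implies
SELECT DB_NAME() AS tfs_database,
       p.state_desc,
       p.permission_name,
       p.class_desc,
       COALESCE(OBJECT_SCHEMA_NAME(p.major_id) + N''.'' + OBJECT_NAME(p.major_id),
                N''<whole database>'') AS securable
FROM sys.database_permissions p
JOIN sys.database_principals g ON g.principal_id = p.grantee_principal_id
WHERE g.name = N''TFSExecRole''
ORDER BY p.class_desc, securable, p.permission_name;
'
FROM sys.databases AS d
WHERE d.name LIKE N'Tfs_%'
  AND d.state_desc = N'ONLINE';

-- Execute the generated batches; each database yields two result sets.
EXEC sys.sp_executesql @sql;
```

An account that appears only in the TFSExecRole row of result set (1) matches the documented minimum; a db_owner row alongside it is the extra grant the question asks about. Result set (2) lists object-level grants only, so a database in which TFSExecRole shows few explicit permissions usually relies on ownership of the role or schema rather than on individual GRANT statements, which is worth checking before concluding the role is narrower than it is.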

Related

Do we need to restart TFS Services periodically

We have TFS 2013 and TFS 2017 environments. For increased stability, is it advisable to restart the Windows TFS services (i.e. Visual Studio Team Foundation Background Job Agent, Team Foundation SSH Service) on a periodic basis, i.e. every weekend (to recycle the processes and memory threads)?
My understanding is that this is not needed; however, I wanted to confirm it.
No, there is no need to restart the TFS services periodically. But if there is some change or problem, you could try restarting the service. For example:
After you install new software on a build agent machine, you must restart the build agent service for the new capability to show up in the pool so that the build can run.
If you change the password of the account running the service, you need to update the logon information of the service and restart it.

Test Azure Devops Services Organization

We are migrating from Azure DevOps Server on-prem to Azure DevOps Services. On-prem we had two servers, the first for production and the second, identical, for test purposes. Since we had access to the database, we were able to update the test server with production data whenever we wanted, using a backup.
The question is: is it possible to manage the same somehow on Azure DevOps Services? We want to have a test organization that we will be able to update with new production data later.
In Azure DevOps Services, we can create up to 5 different organizations. So you can try to migrate your test organization to Azure DevOps Services, and this will give you the test organization.

Create Queue and Download Agent means in TFS 2015 (on premise)

Trying to make my CI/CD work using TFS. I have to overcome some of this user role setup. I'm also not really getting my head around the terminology and the workflow (kind of different from how Jenkins works), and at the same time I have to figure out the myriad of TFS versions (2010/2012/2013/2015/2017) and the online Visual Studio Team Services. I have to unlearn what I already know somehow, thus my basic questions:
What are agent queues? What are pools? (When I click "create queue", it asks me to create a new pool.)
What does "Download Agent" mean? I thought this agent would be installed on the server side, like a plugin that you install in Jenkins.
I think this might help clarify:
An agent pool defines the sharing boundary for all agents in that pool. In TFS, pools are scoped across all of your Team Foundation Server (TFS); so you can share an agent pool across team project collections and team projects. In Team Services, agent pools are scoped to the Team Services account; so you can share an agent pool across team projects.
An agent queue provides access to an agent pool. When you create a build or release definition, you specify which queue it uses. Queues are scoped to your team project in TFS 2017 and in Team Services, so you can only use them across build and release definitions within a team project.
An agent in TFS / VSTS does work (like a build or a release). Microsoft offers agents they host if you are using VSTS. Alternatively, you can set up your own agents. For example, if you need to run your build on a particular machine because it has some needed items to do compilation, or you're using TFS and can't use the hosted agents, you'd need to download the agent and configure it on a machine. You can have multiple agents on one machine. I'd recommend not installing an agent on the same machine as the TFS application tier if you're working with an on-premises installation.
The official tutorial covers a lot of aspects of Team Services and TFS. Most of the concepts are the same in 2013/2015/2017 and Team Services. You just need to pay attention to the supported version under the topic, as in the screenshot below:
An agent queue provides access to an agent pool. When you create a build or release definition, you specify which queue it uses. Queues are scoped to your team project in TFS 2017 and in Team Services, so you can only use them across build and release definitions within a team project.
For more details about agent queues and agent pools, you could refer to this link: Agent pools and queues
Each queue can use only one agent pool.
This is why, when you click "create queue", it asks you to create a new pool.
For TFS 2015, you are using the private agent.
An agent that you set up and manage on your own to run build and deployment jobs is a private agent. You can use private agents in Team Services or Team Foundation Server (TFS). Private agents give you more control to install dependent software needed for your builds and deployments.
You could use the download agent to deploy an agent on Windows. And one of the most common scenarios for "Download Agent" is when you are installing multiple private agents on the same machine.

Agent Pool Windows Service

I have already created the TFS Build Agent pool Windows service, which runs periodically and tries to connect to TFS.
It seems it tries to run with its own credentials, and the Windows service is installed on a server that is not in the same domain as TFS (but I can access TFS from this server), so it fails with the error below.
Error in the service log file:
Microsoft.VisualStudio.Services.Common.VssUnauthorizedException: VS30063: You are not authorized to access https://tfsURL.
How can I impersonate, or make the agent pool Windows service connect as "NT AUTHORITY\Network" or with other credentials, from a server in one domain to TFS in another domain?
You can either re-configure the build agent and enter the name of the user account to use for the service, like the screenshot below:
Or open Services, right-click the agent service, and then select the Log On tab to change the account that runs the agent:

TFS Build Server to use separate user for TFS access

I'm trying to set up a new build server for my TFS 2013 installation.
On a new machine, I've configured a build user:
On test, this approved the user fine; however, running the readiness checks reports:
My interpretation of this error is that build.user does not have access to TFS, which is correct. My question is: can I run the build server using a domain user, but with a separate user for TFS access?
Can I run the build server using a domain user, but with a separate user for TFS access? Yes, you can, and the build service account does not need to have access to TFS.
I suggest you use TFSBuild as the build service account, as MSDN recommends.
TFSBuild, which can be a local account, a domain account, or Local Service in a workgroup
This service account is used when builds are configured and when build status information is communicated between the build controller and the build agents.
More info for your reference: https://msdn.microsoft.com/en-us/library/ms253149(v=vs.120).aspx