Running DB2 commands as a domain ID on IBM DB2 for Windows may result in error SQL1092N.
If you are running DB2 commands that need SYSADM, SYSCTRL, SYSMAINT or SYSMON authority (for example, the BACKUP DATABASE command) as a domain ID that is in a local group, and DB2_GRP_LOOKUP is set to LOCAL, you may see the following error in your db2diag.log:
2011-01-24-184.108.40.2067000-300 E125202182F551 LEVEL: Error (OS)
PID : 5756 TID : 6996 PROC : db2syscs.exe
INSTANCE: DB2 NODE : 000 DB : BLDEV
APPHDL : 0-16 APPID: *LOCAL.DB2.110124181531
AUTHID : DB2SERVICE
EDUID : 6996 EDUNAME: db2agent (BLDEV) 0
FUNCTION: DB2 UDB, oper system services, sqloAuthzGetInformationFromSid, probe:10
MESSAGE : ZRC=0x83000005=-2097151995
CALLED : OS, -, AuthzInitializeContextFromSid
OSERR : 5 "Access is denied."
This indicates that the DB2 service account does not have the privilege to query the Domain Controller.
Diagnosing the problem
To verify which user is running the DB2 service, perform the following steps:
1.) Look in the Services console: Start->Control Panel->Administration Tools->Services.
2.) Or, if you know the DB2 service name, use the Windows command sc qc <db2_service_name> > scqc.txt. For example:
sc qc DB2-0 > scqc.txt
C:\>sc qc db2inst1
[SC] GetServiceConfig SUCCESS
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\PROGRA~1\IBM\SQLLIB\bin\db2syscs.exe
TAG : 0
DISPLAY_NAME : DB2 - DB2INST1
DEPENDENCIES : LanmanServer
SERVICE_START_NAME : .\user1
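In the output above, SERVICE_START_NAME is .\user1, where the .\ prefix denotes a local account. The following Python is an added example, not part of the original technote or of DB2: it parses saved sc qc output (such as scqc.txt) and classifies the service logon account. The function names, the computer_name parameter and the list of built-in identities are assumptions of this example, and the sample is abridged from the output shown on this page.

```python
import re

# Built-in service identities; these are not domain user accounts.
BUILTIN = {"localsystem", "nt authority\\system",
           "nt authority\\localservice", "nt authority\\networkservice"}

# `sc qc` output abridged from this page (service db2inst1).
PAGE_SAMPLE = r"""C:\>sc qc db2inst1
[SC] GetServiceConfig SUCCESS
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\PROGRA~1\IBM\SQLLIB\bin\db2syscs.exe
DISPLAY_NAME : DB2 - DB2INST1
SERVICE_START_NAME : .\user1
"""

def parse_sc_qc(text):
    """Return the KEY : value fields of `sc qc` output as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]{2,})\s*:\s*(.*\S)?\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2) or ""
    return fields

def classify_account(start_name, computer_name=""):
    """Classify a SERVICE_START_NAME as builtin, local, domain or unknown."""
    name = start_name.strip()
    if name.lower() in BUILTIN:
        return "builtin"
    if "@" in name:                      # UPN form: user@domain
        return "domain"
    prefix, sep, user = name.partition("\\")
    if not sep or not user:
        return "unknown"
    # ".\user" and "<this computer>\user" both name a local account.
    if prefix in (".", "") or prefix.lower() == computer_name.lower():
        return "local"
    return "domain"

def check_service_account(sc_qc_text, computer_name=""):
    """Return (account, kind) for the service described by `sc qc` output."""
    account = parse_sc_qc(sc_qc_text).get("SERVICE_START_NAME", "")
    return account, classify_account(account, computer_name)

if __name__ == "__main__":
    account, kind = check_service_account(PAGE_SAMPLE)
    print(f"{account}: {kind}")
```

Pass the server's own computer name as computer_name so that an account written as COMPUTERNAME\user is recognised as local rather than mistaken for a domain account.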
Resolving the problem
To resolve this issue, the DB2 services must be started as a domain account, not a local account. To change the DB2 services to a domain account, do the following:
1.) Go to Start->Control Panel->Administration Tools->Services.
2.) Find the DB2-0 service, right-click it and pick "Properties".
3.) Pick the "Log On" tab.
4.) Choose the "This account" radio button, then "Browse".
5.) A window called Select User will pop up. Click the Advanced button, then click "Find Now".
6.) A list of all users on the machine will be shown. Choose the domain user and select "OK".
7.) To save the change, click "Apply", then "OK".
8.) Restart the service/instance.