SQL SERVER installation failed. “Access is denied” when validating SQL Service account password
Published Jan 24 2021 01:45 AM 7,411 Views
Microsoft

 

  1. We failed to install SQL cluster instance and encountered below error.

 

Bob_Cai_1-1611481364939.jpeg

 

Bob_Cai_2-1611481364973.png

 

 

  1. We checked SQL setup logs. Issue happened when SQL setup was trying to check if SQL service account exists in AD.

 

(05) 2021-01-18 15:36:44 Slp: Sco: Attempting to check if user account xxxx\xxxx exists

(05) 2021-01-18 15:36:44 Slp: Sco: Attempting to look up AD entry for user xxxx\xxxx

(05) 2021-01-18 15:36:44 Slp: Sco.User.OpenRoot - root DirectoryEntry object already opened for this computer for this object

(05) 2021-01-18 15:36:44 Slp: Sco.User.LookupADEntry - Attempting to find user account xxxx\xxxx

(05) 2021-01-18 15:36:44 Slp: Sco: Attempting to check if container 'WinNT://xxxx' of user account exists

(05) 2021-01-18 15:36:44 Slp: Prompting user if they want to retry this action due to the following failure:

(05) 2021-01-18 15:36:44 Slp: ----------------------------------------

(05) 2021-01-18 15:36:44 Slp: The following is an exception stack listing the exceptions in outermost to innermost order

(05) 2021-01-18 15:36:44 Slp: Inner exceptions are being indented

(05) 2021-01-18 15:36:44 Slp:

(05) 2021-01-18 15:36:44 Slp: Exception type: Microsoft.SqlServer.Configuration.Sco.ScoException

(05) 2021-01-18 15:36:44 Slp:     Message:

(05) 2021-01-18 15:36:44 Slp:         Access is denied.

(05) 2021-01-18 15:36:44 Slp:        

(05) 2021-01-18 15:36:44 Slp:     HResult : 0x84bb0001

(05) 2021-01-18 15:36:44 Slp:         FacilityCode : 1211 (4bb)

(05) 2021-01-18 15:36:44 Slp:         ErrorCode : 1 (0001)

(05) 2021-01-18 15:36:44 Slp:     Data:

(05) 2021-01-18 15:36:44 Slp:       WatsonData = Domain

(05) 2021-01-18 15:36:44 Slp:       DisableRetry = true

(05) 2021-01-18 15:36:44 Slp:     Inner exception type: System.UnauthorizedAccessException

(05) 2021-01-18 15:36:44 Slp:         Message:

(05) 2021-01-18 15:36:44 Slp:                 Access is denied.

(05) 2021-01-18 15:36:44 Slp:                

(05) 2021-01-18 15:36:44 Slp:         HResult : 0x80070005

(05) 2021-01-18 15:36:44 Slp:         Stack:

(05) 2021-01-18 15:36:44 Slp:                 at System.DirectoryServices.Interop.UnsafeNativeMethods.IAdsContainer.GetObject(String className, String relativeName)

(05) 2021-01-18 15:36:44 Slp:                 at System.DirectoryServices.DirectoryEntries.Find(String name, String schemaClassName)

(05) 2021-01-18 15:36:44 Slp:                 at Microsoft.SqlServer.Configuration.Sco.User.LookupADEntry()

 

  1. I captured Process Monitor trace. But we don't find any 'Access Denied' error in process monitor trace.

 

  1. I also analyzed Network monitor trace and found below error message sat 13:14:16.AD engineer confirmed it's  “RPC Access denied”

 

Bob_Cai_3-1611481364967.jpeg

 

 

  1. According to the analysis of AD engineer, we found “RPC Access denied” is because of AuthLength =0 .

Bob_Cai_4-1611481364970.jpeg

 

Root Cause:

=========

Incorrect GPO setting: Customer configured RPC restriction permission to two groups in GPO: Default Domain Controller Policy, but GPO security filtering is empty hence every DC will be rejected to apply settings in this GPO, and finally used default policy value: Administrators group only, caused user SAMR query “Access is denied” error, and SQL installation failed with same error.

 

Bob_Cai_5-1611481364979.png

 

Solution:

=======

Add back “Authentication Users” group under Default Domain Controller Policy – Security Filtering, run: gpupdate /force on DCs and issue resolved.

 

 

Version history
Last update:
‎Jan 24 2021 01:45 AM
Updated by: