SQL SERVER installation failed. “Access is denied” when validating SQL Service account password

Published 01-24-2021 01:45 AM
Microsoft

 

  1. We failed to install a SQL cluster instance and encountered the error below.

 

[Screenshot not preserved: Bob_Cai_1-1611481364939.jpeg]

 

[Screenshot not preserved: Bob_Cai_2-1611481364973.png]

 

 

  2. We checked the SQL setup logs. The issue happened when SQL setup was trying to check whether the SQL service account exists in AD.

 

(05) 2021-01-18 15:36:44 Slp: Sco: Attempting to check if user account xxxx\xxxx exists
(05) 2021-01-18 15:36:44 Slp: Sco: Attempting to look up AD entry for user xxxx\xxxx
(05) 2021-01-18 15:36:44 Slp: Sco.User.OpenRoot - root DirectoryEntry object already opened for this computer for this object
(05) 2021-01-18 15:36:44 Slp: Sco.User.LookupADEntry - Attempting to find user account xxxx\xxxx
(05) 2021-01-18 15:36:44 Slp: Sco: Attempting to check if container 'WinNT://xxxx' of user account exists
(05) 2021-01-18 15:36:44 Slp: Prompting user if they want to retry this action due to the following failure:
(05) 2021-01-18 15:36:44 Slp: ----------------------------------------
(05) 2021-01-18 15:36:44 Slp: The following is an exception stack listing the exceptions in outermost to innermost order
(05) 2021-01-18 15:36:44 Slp: Inner exceptions are being indented
(05) 2021-01-18 15:36:44 Slp:
(05) 2021-01-18 15:36:44 Slp: Exception type: Microsoft.SqlServer.Configuration.Sco.ScoException
(05) 2021-01-18 15:36:44 Slp:     Message:
(05) 2021-01-18 15:36:44 Slp:         Access is denied.
(05) 2021-01-18 15:36:44 Slp:
(05) 2021-01-18 15:36:44 Slp:     HResult : 0x84bb0001
(05) 2021-01-18 15:36:44 Slp:         FacilityCode : 1211 (4bb)
(05) 2021-01-18 15:36:44 Slp:         ErrorCode : 1 (0001)
(05) 2021-01-18 15:36:44 Slp:     Data:
(05) 2021-01-18 15:36:44 Slp:       WatsonData = Domain
(05) 2021-01-18 15:36:44 Slp:       DisableRetry = true
(05) 2021-01-18 15:36:44 Slp:     Inner exception type: System.UnauthorizedAccessException
(05) 2021-01-18 15:36:44 Slp:         Message:
(05) 2021-01-18 15:36:44 Slp:                 Access is denied.
(05) 2021-01-18 15:36:44 Slp:
(05) 2021-01-18 15:36:44 Slp:         HResult : 0x80070005
(05) 2021-01-18 15:36:44 Slp:         Stack:
(05) 2021-01-18 15:36:44 Slp:                 at System.DirectoryServices.Interop.UnsafeNativeMethods.IAdsContainer.GetObject(String className, String relativeName)
(05) 2021-01-18 15:36:44 Slp:                 at System.DirectoryServices.DirectoryEntries.Find(String name, String schemaClassName)
(05) 2021-01-18 15:36:44 Slp:                 at Microsoft.SqlServer.Configuration.Sco.User.LookupADEntry()

 

  3. I captured a Process Monitor trace, but we didn't find any 'Access Denied' error in the Process Monitor trace.

 

  4. I also analyzed a Network Monitor trace and found the error message below at 13:14:16. The AD engineer confirmed it's “RPC Access denied”.

 

[Screenshot not preserved: Bob_Cai_3-1611481364967.jpeg]

 

 

  5. According to the analysis of the AD engineer, we found that “RPC Access denied” is because of AuthLength = 0.

[Screenshot not preserved: Bob_Cai_4-1611481364970.jpeg]

 

Root Cause:
=========

Incorrect GPO setting: the customer configured the RPC restriction permission for two groups in the GPO Default Domain Controllers Policy, but the GPO's Security Filtering was empty. As a result, every DC was refused when it tried to apply the settings in this GPO and fell back to the default policy value: Administrators group only. This caused the user's SAMR query to fail with “Access is denied”, and the SQL installation failed with the same error.

 

[Screenshot not preserved: Bob_Cai_5-1611481364979.png]

 

Solution:
=======

Add the “Authenticated Users” group back under Default Domain Controllers Policy – Security Filtering, then run gpupdate /force on the DCs. This resolved the issue.
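
One way to check for the condition described in the root cause, as an added PowerShell example (not part of the original post): it lists the Security Filtering trustees of every GPO in the domain, going beyond the single GPO in this case, and flags any GPO where that list is empty. It assumes the GroupPolicy module (RSAT/GPMC) is installed and writes the GPO name as GPMC displays it; the helper name Get-GpoSecurityFilter is hypothetical.

```powershell
# Added example, not from the original post.
# Assumption: GroupPolicy module (RSAT/GPMC) is available and the caller can read GPO ACLs.
Import-Module GroupPolicy

function Get-GpoSecurityFilter {
    # Hypothetical helper: returns the trustees GPMC shows under "Security Filtering",
    # i.e. those granted the GpoApply permission level and not denied.
    param([Parameter(Mandatory)][guid]$GpoId)
    Get-GPPermission -Guid $GpoId -All |
        Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
        ForEach-Object { $_.Trustee.Name }
}

# Build one row per GPO so empty filtering stands out across the whole domain.
$report = foreach ($gpo in Get-GPO -All) {
    $trustees = @(Get-GpoSecurityFilter -GpoId $gpo.Id)
    [pscustomobject]@{
        Gpo            = $gpo.DisplayName
        ApplyTrustees  = $trustees -join ', '
        EmptyFiltering = ($trustees.Count -eq 0)
    }
}

$report | Sort-Object EmptyFiltering -Descending | Format-Table -AutoSize

# A GPO with no GpoApply trustee is applied by no computer or user, so the
# settings inside it (here, the RPC restriction for the two groups) never
# take effect and the default value is used instead.
foreach ($row in $report | Where-Object EmptyFiltering) {
    Write-Warning "GPO '$($row.Gpo)' has empty Security Filtering."
}

# Remediation from the post, in cmdlet form (left commented out on purpose):
# Set-GPPermission -Name 'Default Domain Controllers Policy' `
#     -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoApply
# Then, on each DC:
# gpupdate /force
```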

 

 

Last update: Jan 24 2021 01:45 AM