
SQL Server Support Blog

SQL SERVER installation failed. “Access is denied” when validating SQL Service account password

Bob_Cai
Jan 24, 2021

 

  1. We failed to install a SQL Server cluster instance and encountered the error below.

 

 

 

 

  2. We checked the SQL setup logs. The issue happened when SQL setup was trying to check whether the SQL service account exists in AD.

 

(05) 2021-01-18 15:36:44 Slp: Sco: Attempting to check if user account xxxx\xxxx exists

(05) 2021-01-18 15:36:44 Slp: Sco: Attempting to look up AD entry for user xxxx\xxxx

(05) 2021-01-18 15:36:44 Slp: Sco.User.OpenRoot - root DirectoryEntry object already opened for this computer for this object

(05) 2021-01-18 15:36:44 Slp: Sco.User.LookupADEntry - Attempting to find user account xxxx\xxxx

(05) 2021-01-18 15:36:44 Slp: Sco: Attempting to check if container 'WinNT://xxxx' of user account exists

(05) 2021-01-18 15:36:44 Slp: Prompting user if they want to retry this action due to the following failure:

(05) 2021-01-18 15:36:44 Slp: ----------------------------------------

(05) 2021-01-18 15:36:44 Slp: The following is an exception stack listing the exceptions in outermost to innermost order

(05) 2021-01-18 15:36:44 Slp: Inner exceptions are being indented

(05) 2021-01-18 15:36:44 Slp:

(05) 2021-01-18 15:36:44 Slp: Exception type: Microsoft.SqlServer.Configuration.Sco.ScoException

(05) 2021-01-18 15:36:44 Slp:     Message:

(05) 2021-01-18 15:36:44 Slp:         Access is denied.

(05) 2021-01-18 15:36:44 Slp:        

(05) 2021-01-18 15:36:44 Slp:     HResult : 0x84bb0001

(05) 2021-01-18 15:36:44 Slp:         FacilityCode : 1211 (4bb)

(05) 2021-01-18 15:36:44 Slp:         ErrorCode : 1 (0001)

(05) 2021-01-18 15:36:44 Slp:     Data:

(05) 2021-01-18 15:36:44 Slp:       WatsonData = Domain

(05) 2021-01-18 15:36:44 Slp:       DisableRetry = true

(05) 2021-01-18 15:36:44 Slp:     Inner exception type: System.UnauthorizedAccessException

(05) 2021-01-18 15:36:44 Slp:         Message:

(05) 2021-01-18 15:36:44 Slp:                 Access is denied.

(05) 2021-01-18 15:36:44 Slp:                

(05) 2021-01-18 15:36:44 Slp:         HResult : 0x80070005

(05) 2021-01-18 15:36:44 Slp:         Stack:

(05) 2021-01-18 15:36:44 Slp:                 at System.DirectoryServices.Interop.UnsafeNativeMethods.IAdsContainer.GetObject(String className, String relativeName)

(05) 2021-01-18 15:36:44 Slp:                 at System.DirectoryServices.DirectoryEntries.Find(String name, String schemaClassName)

(05) 2021-01-18 15:36:44 Slp:                 at Microsoft.SqlServer.Configuration.Sco.User.LookupADEntry()

 

  3. I captured a Process Monitor trace, but we did not find any 'Access Denied' error in the Process Monitor trace.

 

  4. I also analyzed the Network Monitor trace and found the error message below at 13:14:16. The AD engineer confirmed it's “RPC Access denied”.

 

 

 

  5. According to the AD engineer's analysis, we found that the “RPC Access denied” is caused by AuthLength = 0.
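
The setup log excerpt above carries two HResult values, and only the inner one names the underlying failure. The following Python example is an added illustration, not part of the original post or of SQL Server setup: it parses the exception stack from such a log and decodes each HRESULT with the standard layout (failure bit, 11-bit facility, 16-bit code). The function names are hypothetical and the sample lines are copied from the excerpt.

```python
import re

# Constructed sample: lines copied from the setup log excerpt on this page.
SAMPLE_LOG = """\
(05) 2021-01-18 15:36:44 Slp: Exception type: Microsoft.SqlServer.Configuration.Sco.ScoException
(05) 2021-01-18 15:36:44 Slp:     HResult : 0x84bb0001
(05) 2021-01-18 15:36:44 Slp:     Inner exception type: System.UnauthorizedAccessException
(05) 2021-01-18 15:36:44 Slp:         HResult : 0x80070005
(05) 2021-01-18 15:36:44 Slp:                 at System.DirectoryServices.DirectoryEntries.Find(String name, String schemaClassName)
(05) 2021-01-18 15:36:44 Slp:                 at Microsoft.SqlServer.Configuration.Sco.User.LookupADEntry()
"""

LINE = re.compile(r"^\(\d+\) \S+ \S+ Slp: ?(.*)$")   # "(05) date time Slp: body"
EXC = re.compile(r"^\s*(?:Inner e|E)xception type: (\S+)")
HRES = re.compile(r"^\s*HResult : (0x[0-9a-fA-F]{8})")
FRAME = re.compile(r"^\s*at (\S+?)\(")
FACILITY_WIN32 = 7                    # HRESULT facility for wrapped Win32 errors
WIN32 = {5: "ERROR_ACCESS_DENIED"}    # winerror.h name for Win32 code 5

def decode_hresult(value):
    """Split an HRESULT into failure bit, 11-bit facility and 16-bit code."""
    return {"failed": bool(value >> 31), "facility": (value >> 16) & 0x7FF,
            "code": value & 0xFFFF}

def exception_chain(log_text):
    """Return exceptions, outermost first, with decoded HRESULT and stack frames."""
    chain = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                  # not a setup log line
        body = m.group(1)
        if (e := EXC.match(body)):
            chain.append({"type": e.group(1), "frames": []})
        elif chain and (h := HRES.match(body)):
            chain[-1].update(decode_hresult(int(h.group(1), 16)))
        elif chain and (f := FRAME.match(body)):
            chain[-1]["frames"].append(f.group(1))
    return chain

def root_cause(log_text):
    """Innermost exception as (type, Win32 error name or None, top frame or None)."""
    chain = exception_chain(log_text)
    if not chain:
        return None
    inner = chain[-1]
    is_win32 = inner.get("facility") == FACILITY_WIN32
    name = WIN32.get(inner["code"], hex(inner["code"])) if is_win32 else None
    return inner["type"], name, (inner["frames"][0] if inner["frames"] else None)
```

For this log the outer 0x84bb0001 decodes to facility 1211, code 1, matching the FacilityCode and ErrorCode lines, while the inner 0x80070005 is Win32 ERROR_ACCESS_DENIED raised under DirectoryEntries.Find, which points at the directory lookup itself.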

 

Root Cause:

=========

Incorrect GPO setting: the customer configured the RPC restriction permission for two groups in the GPO Default Domain Controller Policy, but the GPO's security filtering was empty. As a result, every DC was refused when it tried to apply the settings in this GPO and fell back to the default policy value, which is the Administrators group only. This caused the user's SAMR query to fail with “Access is denied”, and the SQL installation failed with the same error.

 

 

Solution:

=======

Add the “Authentication Users” group back under Default Domain Controller Policy – Security Filtering, then run gpupdate /force on the DCs. This resolved the issue.

 

 
