Error code 0x54b

(Solved!) Domain controller lost

SOLUTION: the problem was a firewall blocking requests to the domain controllers.

There is a Win 2008 domain, my.domain.local, with two domain controllers, one of which, ad1.my.domain.local, also serves as the DNS server.
Everything worked fine until one day errors about being unable to connect to the domain controllers started appearing in the logs on every server in the network.
Indeed, on every server the command nltest /dclist:my.domain.local gives this result:
Cannot find DC to get DC list from.Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
Yet if the same command is run on the domain controller itself, everything is found normally:
nltest /dclist:my.domain.local
Get list of DCs in domain ‘my.domain.local’ from ‘\\ad1.my.domain.local’.
ad1.my.domain.local [PDC] [DS] Site: mysite
AD2.my.domain.local [DS] Site: mysite
The command completed successfully

dcdiag reports no errors.

DNS for the domain seems to work fine: running nslookup _ldap._tcp.mysite._sites.my.domain.local on any of the servers
returns

_ldap._tcp.mysite._sites.my.domain.local SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = ad2.my.domain.local
_ldap._tcp.mysite._sites.my.domain.local SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = ad1.my.domain.local
ad2.my.domain.local internet address = xxx.xxx.xxx.xxx
ad2.my.domain.local AAAA IPv6 address = xxxx:xxxx:xxxx::xxxx:xxxx
ad1.my.domain.local internet address = xxx.xxx.xxx.xxx

How else can I figure out what the problem might be?
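The situation in this post (SRV records resolve, yet no DC can be contacted, and a firewall turns out to be the cause) can be checked by probing the DCs that DNS returns. The sketch below is an added example, not part of the original post; the sample addresses and the port list are assumptions chosen for illustration.

```python
import re
import socket

# Constructed sample in the nslookup SRV layout quoted in the post; the
# addresses are documentation-range placeholders, not values from the page.
SAMPLE_NSLOOKUP = """\
_ldap._tcp.mysite._sites.my.domain.local SRV service location:
    priority = 0
    weight = 100
    port = 389
    svr hostname = ad2.my.domain.local
_ldap._tcp.mysite._sites.my.domain.local SRV service location:
    priority = 0
    weight = 100
    port = 389
    svr hostname = ad1.my.domain.local
ad2.my.domain.local internet address = 192.0.2.12
ad1.my.domain.local internet address = 192.0.2.11
"""

# TCP services a member server needs on a DC (standard port assignments).
# The DC locator's LDAP ping runs over UDP 389, which a TCP connect cannot
# prove either way, so an all-clear here does not rule out a UDP filter.
DC_TCP_PORTS = {88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP", 445: "SMB"}


def parse_srv(text):
    """Map each SRV target hostname to its A-record address (None if absent)."""
    targets = re.findall(r"svr hostname\s*=\s*(\S+)", text)
    addrs = dict(re.findall(r"^(\S+)\s+internet address\s*=\s*(\S+)", text, re.M))
    return {host: addrs.get(host) for host in targets}


def tcp_open(addr, port, timeout=2.0):
    """True if a TCP handshake to addr:port completes within the timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def blocked_ports(text, connect=tcp_open):
    """Return {dc_hostname: [ports that did not answer]} for every SRV target."""
    report = {}
    for host, addr in parse_srv(text).items():
        if addr is None:
            report[host] = sorted(DC_TCP_PORTS)  # name in SRV, no address record
        else:
            report[host] = [p for p in sorted(DC_TCP_PORTS) if not connect(addr, p)]
    return report


def summarize(report):
    """One line per DC: DNS found it, but is it actually reachable?"""
    lines = []
    for host, ports in sorted(report.items()):
        if ports:
            names = ", ".join(f"{p}/tcp {DC_TCP_PORTS[p]}" for p in ports)
            lines.append(f"{host}: in DNS but filtered or down on {names}")
        else:
            lines.append(f"{host}: all checked TCP ports reachable")
    return lines


if __name__ == "__main__":
    # Replace SAMPLE_NSLOOKUP with nslookup output captured on the member server.
    for line in summarize(blocked_ports(SAMPLE_NSLOOKUP)):
        print(line)
```

Run it from a member server that shows error 1355, not from the DC itself, since the post shows the DC resolving its own domain without trouble.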

  • Question

  • I am running SQLExpress 2005, on Win 2003.

    Occasionally in the event viewer I see the message:

    The SQL Network Interface library was unable to register SPN. Error: 0x54b

    When I click on the link on the event viewer for more info, there are no further details.

    Can someone clarify what this message means and should I be concerned?

    Thanks

Answers

  • Hi,

    Is your machine part of a domain or just workgroup?

    This probably isn't an error that you need to be concerned about. Every time an instance is started, SQL Server will attempt to automatically register a Service Principal Name (SPN) to be used for Kerberos authentication in case it's available (the BOL has more information about the format of the SPN). Kerberos authentication requires that the client and server machines belong to the same domain or else, trusted domains. In your case, the error indicates a Windows error of 1355 (=0x54B) which translates to "The specified domain either does not exist or could not be contacted." If I had to guess, I would say that your machine is not part of a domain. There's no problem with this except that Kerberos authentication will not be available.

    One other thing. The registration of the SPN will only succeed if the account starting the service has the privilege to do so, normally the Local System Account or a Domain Admin account. But if SPN registration failed because of lack of privilege, the error would be different.

    I hope this helps.

    Il-Sung.

    Il-Sung Lee
    Program Manager, SQL Server Protocols
    Microsoft Corp.

    This posting is provided «AS IS» with no warranties, and confers no rights.
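The hex-to-Win32 translation described in this answer, applied to the error codes quoted in the posts and Adprep log excerpts on this page. This is an added example, not code from any of the posters; the lookup tables cover only codes that appear on this page, and the sample lines are abridged from the page's excerpts.

```python
import re

# Win32 error codes quoted on this page, with their winerror.h names.
WIN32 = {
    0x5: "ERROR_ACCESS_DENIED",
    0x20: "ERROR_SHARING_VIOLATION",
    0x3A: "ERROR_BAD_NET_RESP",
    0x54B: "ERROR_NO_SUCH_DOMAIN",
    0x2098: "ERROR_DS_INSUFF_ACCESS_RIGHTS",
}
# HRESULTs from other facilities that appear on this page.
HRESULTS = {0x80090345: "SEC_E_DELEGATION_REQUIRED"}
FACILITY_WIN32 = 7

# A hex code after "Error" / "Error:" / "error code", or a signed decimal
# after "returned error". Plain decimals after "Error:" are SQL Server
# message numbers (15404, 22022) and are deliberately not matched.
CODE_RE = re.compile(
    r"[Ee]rror(?: code)?:?\s+(0x[0-9A-Fa-f]+)|returned error\s+(-?\d+)")

# What each code means when it comes from an SPN registration message.
SPN_NOTES = {
    "ERROR_NO_SUCH_DOMAIN":
        "no DC could be contacted or host is not domain-joined; no Kerberos",
    "ERROR_DS_INSUFF_ACCESS_RIGHTS":
        "service account may not register its SPN; logins fall back to NTLM",
}

# Sample lines abridged from the excerpts quoted on this page.
SAMPLE_LINES = [
    "The SQL Network Interface library was unable to register SPN. Error: 0x54b",
    "could not register the Service Principal Name (SPN). Error: 0x2098, state: 15.",
    "[298] SQLServer Error: 22022, CryptUnprotectData() returned error -2146892987",
    "Error: 15404, Could not obtain information about Windows NT group/user, error code 0x54b.",
    "Adprep encountered a Win32 error.  Error code: 0x3a",
    "Error 0x80070020 (Error_sharing_Violation)",
]


def decode(token):
    """Normalise one code token to (unsigned value, symbolic name or None)."""
    value = int(token, 0) & 0xFFFFFFFF      # signed 32-bit decimal -> unsigned
    if value & 0x80000000:                  # failure HRESULT
        if (value >> 16) & 0x1FFF != FACILITY_WIN32:
            return value, HRESULTS.get(value)
        value &= 0xFFFF                     # HRESULT_FROM_WIN32: unwrap the code
    return value, WIN32.get(value)


def triage(line):
    """Return (hex code, name, note) for a log line, or None if it has no code."""
    match = CODE_RE.search(line)
    if match is None:
        return None
    value, name = decode(match.group(1) or match.group(2))
    note = SPN_NOTES.get(name) if "SPN" in line else None
    if name == "SEC_E_DELEGATION_REQUIRED":
        note = "delegation requires Kerberos, so an NTLM fallback breaks it"
    return f"0x{value:x}", name, note


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(triage(sample), "<-", sample)
```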

I have run into this issue and I am stuck with it for hours. I have 2 databases one which is publisher and distributor and second which is subscriber I am going to use them as snapshot replication. Installation went without issues but when I look in Replication monitor publication status is ok but a subscription is «uninitialized subscription».

I checked sqlagent errorlog and I get same error

Error: 15404, Could not obtain information about Windows NT group/user 'MicrosoftAccount\MyEmail', error code 0x54b.

[SQLSTATE 42000] (ConnIsLoginSysAdmin).

This really boggles me since I am being logged to the database through windows authentication but I am being seen as ADMINRG-XXXXXX\YYYYY.

In my security properties on "Specify the domain or machine account under which Distribution/Snapshot Agent will run" I have set it on Run under SQL Server Agent service account, but when I tried using windows account either ADMINRG-XXXXX\YYYYY or MicrosoftAccount\MyEmail it puked out error 3930 which I also couldn't manage to fix.

I also looked in generated scripts when I was installing publication and subscriptions, they both have parameters @job_login and @job_password set to null could this be source of issue?


Error 0x54b sql server


Question

I get the error below when I look at the error log:-

"Error: 0x54b, state: 3. Failure to register an SPN"

I cannot progress to install the SQL 2012 and would appreciate some advice on how to install SQL 2012.

Answers

The failure to register a Service Principal Name is typically an error you’ll see in the error log when the instance starts up and can’t register the SPN used for Kerberos authentication. Is this really causing the SQL Server install to fail or are you just seeing the error message in the error log? If setup is failing and throwing this error, can you post the screenshot showing the error along with the setup logs?

Here’s an older thread regarding the exact error message:

Thanks,
Sam Lester (MSFT)

This posting is provided «AS IS» with no warranties, and confers no rights. Please remember to click «Mark as Answer» and «Vote as Helpful» on posts that help you. This can be beneficial to other community members reading the thread.

  • Marked as answer by Olaf Helper MVP Saturday, November 10, 2018 8:23 AM

SPNs are used by the Kerberos authentication protocol. We will meet the above error message when the service account SQL server does not have sufficient rights to register the SPN.

Which service account did you use? If it is LocalSystem account, SPN is automatically registered as SQL registering with the machine account that has the right to create an SPN by default. If it is domain account or a local account, we will need to add permission for them.


Error 0x54b sql server

Thank you for the reply.

This seems a permission issue.

Now please change it back to "Local System account". Logon a local account with administrator privilege, add a domain account to the local Administrators group. Then logon this domain account and try to start Windows Deployment Services again.

In addition, I am wondering how you installed a boot image and install image from the Server 2008 install CD in Step 4 without starting Windows Deployment Services. Using command lines?

When I set the service back to normal, I continue to get the original error.

I don’t understand what you mean by this:

«Logon a local account with administrator privilege, add a domain account to the local Administrators group. Then logon this domain account and try to start Windows Deployment Services again.»

What I did was this:

1: Log in to the server with my Domain Admin account
2: Went to the Services and set the WDS to log in as the miltonstreet\Administrator account. (miltonstreet is the domain)

This is when I got the error 7000

I just tried the same thing, but this time setting WDS to log in using the account I logged into the machine, miltonstreet\sam and I am getting the same error 7000. miltonstreet\sam *IS* a member of the server's local Administrators group.

As far as how I setup the boot image, I simply followed the instructions that are online at MSDN. It seemed to copy the files over even though the service was not running.

Again, if there is a good book that will talk about the in’s and out’s of setting up the WDS, I would really like to get my hands on it. I think there are a number of things go on here that I don’t understand and I would like to. Such as, what exactly is a boot image compared to an install image? I have seen WDS used at a previous job, but never worked with it in detail. I have a feeling a lot of my questions would go away if I could simply find a good source of info on what WDS is and how to setup it up correctly.


Error 0x54b sql server

Situation: SQL cluster with instances used by BizTalk (other cluster)

1. this error occurs

2. Authentication falls back to ntlm

3. service account used to start up instances uses delegation to start up sql server agent but can only delegate using Kerberos

4. SQL agent fails to startup with following error :

Message
[298] SQLServer Error: 22022, CryptUnprotectData() returned error -2146892987, ‘The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation.’ [SQLSTATE 42000]

It worked before, stopped working when CU 8 installation was attempted and failed (process hung; no visible changes were made)

Can a failed installation be a reason for this error ?

I have the same problem in SQL Server 2008 when I did the installation on Windows 2008 server SP1 with SQL Server 2008. The following is the error:

The SQL Server Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service. Error: 0x2098, state: 15. Failure to register an SPN may cause integrated authentication to fall back to NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies.

I did try to change the SQL Server account to the local admin (earlier it was a local account) and then when this doesn't work, I make that account a domain user.

Can you tell me what problem is going on here?

Prashant Thakwani

Here is a solution.

This failure often is caused by a system or domain policy removing the SeDebugPrivilege security privilege from the administrator account running setup. Verify that the account running has this privilege.

The AccessChk tool will print all privileges for an account (http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx) by running:
accesschk.exe -a *

Alternatively, we can check this through your group policy editor as mentioned below:

Open Group Policy.
Start | Run | Type: gpedit.msc | OK |
Navigate to
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs

The account through which we are trying to run the setup should be here ( besides the local admin on that machine). I included that here, restarted the server ( this is mandatory, gpupdate /force will not work) and ran the setup and it was successful this time.

SQL Server 2008 setup needs this privilege to start up the SQL Server process and listen to an event that signals back to setup that SQL Server successfully started.

Regards
Prashant Thakwani

This may or may not help, and sounds nuts, but, I ran into this same problem on Server 2008 with SQL 2008. And the problem was caused by ORACLE!
Yes, I said ORACLE!
I installed Oracle, and following their setup directions, added a loop-back adapter AND an entry in my hosts file.

My Host Name is GALAXY and per Oracle, I needed to set a dummy network connection and add an entry in the hosts file similar to:

127.0.0.1 localhost
10.10.10.10 galaxy.domain.home GALAXY #loopback adapater

Because of this, when SQL Server Agent tried to connect to the «local» instance (ie: Galaxy) it wasn’t resolving.
I fixed it by updating the hosts file to read as follows:
127.0.0.1 localhost GALAXY
10.10.10.10 galaxy.domain.home #loopback adapater

Once I did this and rebooted, all was well for SQL!

What led me to this was the fact that I couldn't see any of the SQL Server Errorlogs. Open SSMS, connect to the local server, click on Management - SQL Server Logs and you get the error:
Failed to retrieve data for this request.

and you will be unable to see the list of SQL errorlogs. If you open a query window and run the stored proc xp_enumerrorlogs you will get the error/message:
Msg 22004, Level 16, State 1, Line 0
Failed to open loopback connection. Please see event log for more information.
Msg 22004, Level 16, State 1, Line 0
error log location not found

Once I saw "Failed to open loopback connection." Ah ha! Check the hosts file!

So I did. Changed it as stated above, and MS SQL 2008 was up and running.
But, I’m not sure if my Oracle 10g installation will be happy. It’s up, and I can connect with OraEM, but, what else will go wrong?

Maybe someday. Gates & Ellison will learn to play nice together.
Until then, let the DBAs and Network Trolls fight the good fight..

Don’t take any wooden data!
Sincerely, Smm3SQL



First published on TechNet on Dec 15, 2008

Hi all, Rob Newhouse again, and today I am talking about errors that you may see while running ADPREP.

Normally I do not like to create a laundry list of errors, however I believe it should be beneficial and save you some time and (maybe) money by posting these common errors. This is a follow up to my previous post, "So You Want to Upgrade to Windows 2008 Domain Controllers (ADPREP)".

So you have run ADPREP and it has failed. The first thing that you need to do is open your C:\Windows\Debug\Adprep\Logs folder. There will be a separate file each time that you run ADPREP.

At the bottom of the file, you will see what the problem is. Common failures include:


Errors Running Adprep /Forestprep


Adprep Was Unable to Extend the Schema


Adprep was unable to extend the schema.

[Status/Consequence]

The schema master did not complete a replication cycle after the last reboot. The schema master must complete at least one replication cycle before the schema can be extended.

[User Action]

Verify that the schema master is connected to the network and can communicate with other Active Directory Domain Controllers. Use the Sites and Services snap-in to replicate between the schema operations master and at least one replication partner. After replication has succeeded, run adprep again.


Solution

This error indicates that there are AD replication problems in the environment. In order to continue the replication issue must be resolved.

To check what replication problems you are having, install your Windows Support tools and run Repadmin /Showrepl or Repadmin /Showreps on the Schema Master. This should show you which DCs you are having problems with.

Once you have determined the DC(s) that has the problem, check to see if you can connect to \\server (servername) and \\FQDN(servername).

If both are unsuccessful then you may have a networking problem, a broken secure channel or a 5 minute time difference between the two machines.

If one is unsuccessful you have a networking problem involving DNS or NetBIOS name resolution.

If both are successful:

On both the DC that is not replicating with the Schema Master as well as the Schema Master:

  1. In the TCPNic properties point DNS to a single DNS server
  2. At a cmd prompt type Netdiag /fix

On the Schema Master

  1. Open Active Directory Sites and Services
  2. Expand the site that the Schema Master is in
  3. Right click on the NTDS settings under the Schema Master and choose All Tasks > Check Replication Topology.
  4. Refresh the view
  5. Right click on each replication object and attempt a replication

These are just some basic troubleshooting steps. If you get an error message, go to Support.Microsoft.com and in the search type in the error message in quotes.


User Not a Member of Required Groups

Adprep detected that the logon user is not a member of the following groups: Enterprise Admins Group, Schema Admins Group and Contoso.local\Domain Admins Group.

[Status/Consequence]

Adprep has stopped without making changes.

[User Action]

Verify the current logged on user is a member of Enterprise Admins group, Schema Admins group and Contoso.local\Domain Admins group.

— Or —

Adprep was unable to check the current User’s group membership

[Status/Consequence]

Adprep has stopped without making changes.

[User Action]

Verify the current logged on user is a member of Domain Admins Group, Enterprise Admins group and Schema Admins group if /forestprep is specified, or is a member of Domain Admins group if /domainprep is specified.

Adprep encountered a Win32 error.

Error code: 0x5 Error message: Access is denied


Solution

Check your group membership. If you are a member of many nested groups, you may experience the problem due to your token size. In this case, you may choose to create a new account in Active Directory Users and computers, make the new account a member of the Domain Admins, Enterprise Admins, and Schema Admin groups only, logon to the Schema Master as that account and rerun the Adprep /ForestPrep command.

As an alternative to creating a new account you can

1. Increase Maxtokensize in the registry

a) Open Regedit

b) Navigate to HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

c) Add a new Dword

d) MaxtokenSize

e) Value 65535

or

2. Remove all unnecessary groups


ADPREP not Running on Schema Master

ADPREP WARNING:

Before running adprep, all Windows 2000 Active Directory Domain Controllers in the forest should be upgraded to Windows 2000 Service Pack 4 (SP4) or later.

[User Action]

If ALL your existing Windows 2000 Active Directory Domain Controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.

C

Forest-wide information can only be updated on the Active Directory Domain Controller that holds the schema operations master role.

[Status/Consequence]

Adprep has stopped on this Active Directory Domain Controller and must be run on the current schema operations master, which is Rob731.Contoso.local.

[User Action]

Log on to the Rob731.Contoso.local Active Directory Domain Controller, change to the directory of adprep.exe on the installation media, and then type the following command at the command prompt to complete the forest update: adprep /forestprep


Solution

On rare occasions you may experience this message when you are on the schema master. In these cases transfer the schema master to another DC and then transfer it back to the original and run Adprep /Forestprep again. See also "How to view and transfer FSMO roles in the graphical user interface".

If your schema master was on another machine that was removed from Active Directory then you will have to seize the schema master role using Ntdsutil. See also "Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller".


In your Adprep log you see “Error 0x80070020 (Error_sharing_Violation)”


Solution

This is normally caused by antivirus programs’ on-demand scanning. To resolve the issue, disable the antivirus software on-demand scanning feature.


Adprep /Forestprep Fails Due To OID Conflict On Any Schema Attribute


“OID will not be changed resulting in probable failure to add a new class.”


Solution

This error happens when custom schema changes have been made, or when a third-party software makes schema changes that conflict with Microsoft’s.

What you will see is “OID will not be changed resulting in probable failure to add a new class.”

To resolve this issue, open the ADPREP log to see what the failed object is. If you know the third-party software that is using the attribute, contact them and determine if there is a fix. Otherwise I would recommend opening a case with Microsoft for assistance resolving this issue.


Schema update failed: An attribute with the same link identifier already exists.

This error occurs when you are trying to update/add an object in the schema and the link identifier already exists for another attribute. Some third party apps will modify the schema with a link identifier set that is owned by the OS.

You will see the following in the CMD prompt window. The key here is the message about link identifier.

Connecting to «Machine»

Logging in as current user using SSPI

Importing directory from file "D:\Sources\adprep\schXX.ldf"

Loading entries

Add error on line 249: Unwilling To Perform

The server side error is «Schema update failed: An attribute with the same link identifier already exists.»

15 entries modified successfully.

An error has occurred in the program

…………….

Opened Connection to Machine

SSPI Bind succeeded

Current Schema Version is 30

Upgrading schema to version 44

ERROR: Import from file D:\Sources\adprep\sch34.ldf failed. Error file is saved in ldif.err.34.

When you look in the ldif.err.XX log you will see the attribute we are trying to add:

Entry DN: CN=ms-PKI-AccountCredentials,CN=Schema,CN=Configuration,DC=Contoso,DC=local

Add error on line 249: Unwilling To Perform

The server side error is "Schema update failed: An attribute with the same link identifier already exists."

An error has occurred in the program.


Solution


In this instance please contact Microsoft for a resolution.   This error indicates that there is a link identifier that is already in use that shouldn’t be there.


Errors Running Adprep /Domainprep


Forestprep Not Run Or Not Recognized As Having Been Run

Running domainprep …

Forest-wide information needs to be updated before the domain-wide information can be updated.

[User Action]

Log on to the schema master Rob731.Contoso.local for this forest, run the following command from the installation media to complete the forest update first:  adprep.exe /forestprep and then rerun adprep.exe /domainprep on infrastructure master again.


Solution

This problem can happen if you haven’t run Adprep /Forestprep yet, or if replication is broken and you are running it on a different DC or Domain than you ran the Adprep /Forestprep on. To resolve this issue either run Adprep /Forestprep or resolve the replication issue depending on the situation.


Not In Windows 2000/2003 Native Mode

Adprep detected that the domain is not in native mode

[Status/Consequence]

Adprep has stopped without making changes.

[User Action]

Configure the domain to run in native mode and re-run domainprep

Raise the domain functional level to 2000 Native mode

To raise Windows 2003 to native mode

1)    Open Active Directory Users and computers

2)    Right click on your domain name and select Raise Domain Functional Level

3)    Use the drop down to select Windows 2000 Native Mode

4)    Click Raise


Unable To Contact Infrastructure Master

Adprep was unable to check the domain update status.

[Status/Consequence]

Adprep queries the directory to see if the domain has already been prepared. If the information is unavailable or unknown, Adprep proceeds without attempting this operation.

[User Action]

Restart Adprep and check the ADPrep.log file. Verify in the log file that this domain has already been successfully prepared.

Adprep encountered a Win32 error.  Error code: 0x3a Error message: The specified server cannot perform the requested operation..

Check connectivity to the Infrastructure Master.


Errors Running Adprep /Domainprep /Gpprep

If you have already run Adprep domain prep, there is really only one error that you can get. When you run the Adprep /Domainprep /Gpprep after you have done the normal Domainprep you are only setting permissions on the policies folder. Below is the error that you will receive if they are inaccessible.


Group Policies Missing Or Inaccessible

Adprep was unable to complete because the call back function failed.

[Status/Consequence]

Error message: (null)

[User Action]

Check the log file ADPrep.log, in the C:\WINDOWS\debug\adprep\logs\20080806171216 directory for more information


Solution

Check to make sure that your sysvol\sysvol\policies\{6ac…………..} and {31b…………….} folders exist and are accessible. If either or both are missing and you have a backup of these folders, restore the folders. If you do not have a backup and the folders are not in an NTFRS_Policies folder, then contact Microsoft for assistance in recreating the folders.


Errors Running Adprep /Rodcprep


Adprep /Rodcprep Fails Due To Insufficient Permissions

Adprep connected to the domain FSMO: Rob731.Contoso.local.

Adprep found partition DC=ForestDnsZones,DC=Contoso,DC=local, and is about to update the permissions.

Adprep connected to a replica DC Rob731.Contoso.local that holds partition DC=ForestDnsZones,DC=Contoso,DC=local.

Adprep was unable to modify the security descriptor on object DC=ForestDnsZones,DC=Contoso,DC=local.

[Status/Consequence]

ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).

[User Action]

Check the log file ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20080813153240 directory for more information.

Adprep encountered an LDAP error.  Error code: 0x32. Server extended error code: 0x5, Server error message: 00000005: SecErr: DSID-03151D54, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Adprep failed the operation on partition DC=ForestDnsZones,DC=Contoso,DC=local. Skipping to next partition.


Solution

You will see other partitions DC=domainDnsZones,DC=Contoso,DC=local as well. To fix this issue make sure you are in the Domain Admins and Enterprise Admins groups.


Adprep /Rodcprep Fails Because It Cannot Connect To Domain Naming Master

Adprep could not contact the Domain Naming FSMO to read the partitions. The Domain Naming FSMO must be reachable for this operation to proceed.

[Status/Consequence]

The Active Directory Domain Services DNS partitions are not prepared for Read Only DCs.

[User Action]

Check the log file ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20080813175105 directory for possible cause of failure.

Adprep encountered a Win32 error.  Error code: 0x54b Error message: The specified domain either does not exist or could not be contacted..


Solution

This error indicates that there is a problem with the domain naming master. Verify that you can contact the Domain Naming Master for the forest. You can check the operations master role in Active Directory Users and Computers.


Adprep /Rodcprep Fails Because It Cannot Connect To Infrastructure Master

Adprep found partition DC=Contoso,DC=local, and is about to update the permissions.

Adprep could not contact the Infrastructure FSMO for domain DC=Contoso,DC=local. The Infrastructure FSMO must be reachable for this operation to proceed.

[Status/Consequence]

The Active Directory Domain Services DNS partitions are not prepared for Read Only DCs.

[User Action]

Check the log file ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20080814090356 directory for possible cause of failure.

Adprep encountered a Win32 error.  Error code: 0x3a Error message: The specified server cannot perform the requested operation..

Adprep failed the operation on partition DC=Contoso,DC=local. Skipping to next partition.

Adprep completed with errors. Not all partitions are updated. See the ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20080814090356 directory for more information. To successfully update all partititions, the current logged on user needs to be a member of Enterprise Admins group. If that is not the case, please correct the problem, and then restart Adprep.


Solution

On the Schema Master run the following command:

Netdom Query FSMO

You should see the five FSMO roles including the Infrastructure Master. Once you have determined who the Infrastructure master is, type \\Server name and \\FQDN(servername). Ensure that you can connect to the Infrastructure master.

If you need to transfer or seize the Infrastructure master for any reason follow:

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

Or

How to view and transfer FSMO roles in the graphical user interface

This concludes this post on many of the errors that you may encounter while running ADPREP. For those reading this after running into an error, I hope that it helped to resolve the issue.

— Rob Newhouse

Содержание

  1. Error 0x54b sql server
  2. Answered by:
  3. Question
  4. Answers
  5. Error 0x54b sql server
  6. Error 0x54b sql server
  7. Вопрос
  8. Ответы
  9. Error 0x54b sql server
  10. Вопрос
  11. Ответы
  12. Error 0x54b sql server

Error 0x54b sql server

This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Answered by:

Question

I get the error below when I look at the the error log:-

‘Error: 0x54b, state: 3. Failure to register an SPN»

I cannot progress to install the SQL 2012 and would appreciate some advice on how to install SQL 2012.

Answers

The failure to register a Service Principal Name is typically an error you’ll see in the error log when the instance starts up and can’t register the SPN used for Kerberos authentication. Is this really causing the SQL Server install to fail or are you just seeing the error message in the error log? If setup is failing and throwing this error, can you post the screenshot showing the error along with the setup logs?

Here’s an older thread regarding the exact error message:

Thanks,
Sam Lester (MSFT)

This posting is provided «AS IS» with no warranties, and confers no rights. Please remember to click «Mark as Answer» and «Vote as Helpful» on posts that help you. This can be beneficial to other community members reading the thread.

  • Marked as answer by Olaf Helper MVP Saturday, November 10, 2018 8:23 AM

SPNs are used by the Kerberos authentication protocol, we will meet the above error message when the service account SQL server does not have sufficient rights to register the SPN.

Which service account did you use? If it is LocalSystem account, SPN is automatically registered as SQL registering with the machine account that has the right to create an SPN default. If it is domain account or a local account, we will need to add permission for them.


Error 0x54b sql server

Thank you for the reply.

This seems a permission issue.

Now please change it back to “Local System account”. Logon a local account with administrator privilege, add a domain account to the local Administrators group. Then logon this domain account and try to start Windows Deployment Services again.

In addition, I am wondering how you installed a boot image and install image from the Server 2008 install CD in Step 4 without starting Windows Deployment Services. Using command lines?

When I set the service back to normal, I continue to get the original error.

I don’t understand what you mean by this:

«Logon a local account with administrator privilege, add a domain account to the local Administrators group. Then logon this domain account and try to start Windows Deployment Services again.»

What I did was this:

1: Log in to the server with my Domain Admin account
2: Went to the Services and set the WDS to log in as the miltonstreet\Administrator account. (miltonstreet is the domain)

This is when I got the error 7000

I just tried the same thing, but this time setting WDS to log in using the account I logged into the machine, miltonstreet\sam and I am getting the same error 7000. miltonstreet\sam *IS* a member of the server’s local Administrators group.

As far as how I setup the boot image, I simply followed the instructions that are online at MSDN. It seemed to copy the files over even though the service was not running.

Again, if there is a good book that will talk about the ins and outs of setting up the WDS, I would really like to get my hands on it. I think there are a number of things going on here that I don’t understand and I would like to. Such as, what exactly is a boot image compared to an install image? I have seen WDS used at a previous job, but never worked with it in detail. I have a feeling a lot of my questions would go away if I could simply find a good source of info on what WDS is and how to set it up correctly.


Error 0x54b sql server

Situation: SQL cluster with instances used by BizTalk (other cluster)

1. this error occurs

2. Authentication falls back to ntlm

3. service account used to start up instances uses delegation to start up sql server agent but can only delegate using Kerberos

4. SQL agent fails to startup with following error :

Message
[298] SQLServer Error: 22022, CryptUnprotectData() returned error -2146892987, ‘The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation.’ [SQLSTATE 42000]

It worked before, stopped working when CU 8 installation was attempted and failed (process hung; no visible changes were made)

Can a failed installation be a reason for this error ?

I have the same problem in SQL Server 2008 when I did the installation on Windows 2008 server SP1 with SQL Server 2008. The following is the error:

The SQL Server Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service. Error: 0x2098, state: 15. Failure to register an SPN may cause integrated authentication to fall back to NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies.

I did try to change the SQL Server account to the local admin (earlier it was a local account) and then when this doesn't work, I make that account a domain user.

Can you tell me what problem is going on here?

Prashant Thakwani

Here is a solution.

This failure often is caused by a system or domain policy removing the SeDebugPrivilege security privilege from the administrator account running setup. Verify that the account running has this privilege.

The AccessChk tool will print all privileges for an account (http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx) by running:
accesschk.exe -a *

Alternatively, we can check this through your group policy editor as mentioned below:

Open Group Policy.
Start | Run | Type: gpedit.msc | OK |
Navigate to
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs

The account through which we are trying to run the setup should be here (besides the local admin on that machine). I included that here, restarted the server (this is mandatory, gpupdate /force will not work) and ran the setup and it was successful this time.

SQL Server 2008 setup needs this privilege to start up the SQL Server process and listen to an event that signals back to setup that SQL Server successfully started.

Regards
Prashant Thakwani

This may or may not help, and sounds nuts, but, I ran into this same problem on Server 2008 with SQL 2008. And the problem was caused by ORACLE!
Yes, I said ORACLE!
I installed Oracle, and following their setup directions, added a loop-back adapter AND an entry in my hosts file.

My Host Name is GALAXY and per Oracle, I needed to set a dummy network connection and add an entry in the hosts file similar to:

127.0.0.1 localhost
10.10.10.10 galaxy.domain.home GALAXY #loopback adapater

Because of this, when SQL Server Agent tried to connect to the «local» instance (ie: Galaxy) it wasn’t resolving.
I fixed it by updating the hosts file to read as follows:
127.0.0.1 localhost GALAXY
10.10.10.10 galaxy.domain.home #loopback adapater

Once I did this and rebooted, all was well for SQL!

What led me to this was the fact that I couldn’t see any of the SQL Server Errorlogs. Open SSMS, connect to the local server, click on Management- SQL Server Logs and you get the error:
Failed to retrieve data for this request.

and you will be unable to see the list of SQL errorlogs. If you open a query window and run the stored proc xp_enumerrorlogs you will get the error/message:
Msg 22004, Level 16, State 1, Line 0
Failed to open loopback connection. Please see event log for more information.
Msg 22004, Level 16, State 1, Line 0
error log location not found

Once I saw «Failed to open loopback connection.» Ah ha! Check the hosts file!

So I did. Changed it as stated above, and MS SQL 2008 was up and running.
But, I’m not sure if my Oracle 10g installation will be happy. It’s up, and I can connect with OraEM, but, what else will go wrong?

Maybe someday. Gates & Ellison will learn to play nice together.
Until then, let the DBAs and Network Trolls fight the good fight..

Don’t take any wooden data!
Sincerely, Smm3SQL
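The two hosts files from the post above can be compared mechanically. This is an added example, not code from the thread: it assumes the resolver uses the first hosts entry that lists a name and compares names case-insensitively, and the function names are illustrative.

```python
import ipaddress


def parse_hosts(text):
    """Return [(address, [names...])] in file order, with comments stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # first token is not an IP address; ignore the line
        entries.append((address, [n.lower() for n in names]))
    return entries


def resolve(text, name):
    """Address of the first entry that lists `name` (assumed first-match lookup)."""
    wanted = name.lower()
    for address, names in parse_hosts(text):
        if wanted in names:
            return address
    return None


def local_name_report(text, short_name):
    """Say where the machine's own short name points and whether that is loopback."""
    address = resolve(text, short_name)
    loopback = address is not None and ipaddress.ip_address(address).is_loopback
    return {"name": short_name, "address": address, "loopback": loopback}


# Hosts file as first configured in the post (comment spelling normalised).
HOSTS_BEFORE = """\
127.0.0.1 localhost
10.10.10.10 galaxy.domain.home GALAXY #loopback adapter
"""

# Hosts file after the change described in the post.
HOSTS_AFTER = """\
127.0.0.1 localhost GALAXY
10.10.10.10 galaxy.domain.home #loopback adapter
"""

if __name__ == "__main__":
    for label, text in (("before", HOSTS_BEFORE), ("after", HOSTS_AFTER)):
        print(label, local_name_report(text, "GALAXY"))
```

In the first file the short name GALAXY maps to 10.10.10.10; in the second it maps to 127.0.0.1, while galaxy.domain.home still maps to 10.10.10.10.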



First published on TechNet on Dec 15, 2008

Hi all, Rob Newhouse again, and today I am talking about errors that you may see while running ADPREP.

Normally I do not like to create a laundry list of errors, however I believe it should be beneficial and save you some time and (maybe) money by posting these common errors. This is a follow up to my previous post, So You Want to Upgrade to Windows 2008 Domain Controllers (ADPREP).

So you have run ADPREP and it has failed. The first thing that you need to do is open your C:\Windows\Debug\Adprep\Logs folder. There will be a separate file each time that you run ADPREP.

At the bottom of the file, you will see what the problem is. Common failures include:


Errors Running Adprep /Forestprep


Adprep Was Unable to Extend the Schema


Adprep was unable to extend the schema.

[Status/Consequence]

The schema master did not complete a replication cycle after the last reboot. The schema master must complete at least one replication cycle before the schema can be extended.

[User Action]

Verify that the schema master is connected to the network and can communicate with other Active Directory Domain Controllers. Use the Sites and Services snap-in to replicate between the schema operations master and at least one replication partner. After replication has succeeded, run adprep again.


Solution

This error indicates that there are AD replication problems in the environment. In order to continue, the replication issue must be resolved.

To check what replication problems you are having, install your Windows Support Tools and run Repadmin /Showrepl or Repadmin /Showreps on the Schema Master. This should show you which DCs you are having problems with.

Once you have determined the DC(s) that have the problem, check to see if you can connect to \\server (servername) and \\FQDN(servername).

If both are unsuccessful then you may have a networking problem, a broken secure channel or a 5 minute time difference between the two machines.

If one is unsuccessful you have a networking problem involving DNS or NetBIOS name resolution.

If both are successful:

On both the DC that is not replicating with the Schema Master as well as the Schema Master:

  1. In the TCPNic properties point DNS to a single DNS server
  2. At a cmd prompt type Netdiag /fix

On the Schema Master

  1. Open Active Directory Sites and Services
  2. Expand the site that the Schema Master is in
  3. Right click on the NTDS settings under the Schema Master and choose All Tasks\Check Replication topology.
  4. Refresh the view
  5. Right click on each replication object and attempt a replication

These are just some basic troubleshooting steps. If you get an error message, go to Support.Microsoft.com and in the search type in the error message in quotes.


User Not a Member of Required Groups

Adprep detected that the logon user is not a member of the following groups: Enterprise Admins Group, Schema Admins Group and Contoso.local\Domain Admins Group.

[Status/Consequence]

Adprep has stopped without making changes.

[User Action]

Verify the current logged on user is a member of Enterprise Admins group, Schema Admins group and Contoso.local\Domain Admins group.

— Or —

Adprep was unable to check the current User’s group membership

[Status/Consequence]

Adprep has stopped without making changes.

[User Action]

Verify the current logged on user is a member of Domain Admins Group, Enterprise Admins group and Schema Admins group if /forestprep is specified, or is a member of Domain Admins group if /domainprep is specified.

Adprep encountered a Win32 error.

Error code: 0x5 Error message: Access is denied


Solution

Check your group membership. If you are a member of many nested groups, you may experience the problem due to your token size. In this case, you may choose to create a new account in Active Directory Users and computers, make the new account a member of the Domain Admins, Enterprise Admins, and Schema Admin groups only, logon to the Schema Master as that account and rerun the Adprep /ForestPrep command.

As an alternative to creating a new account you can

1. Increase MaxTokenSize in the registry

a) Open Regedit

b) Navigate to HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

c) Add a new DWORD

d) MaxTokenSize

e) Value 65535

or

2. Remove all unnecessary groups


ADPREP not Running on Schema Master

ADPREP WARNING:

Before running adprep, all Windows 2000 Active Directory Domain Controllers in the forest should be upgraded to Windows 2000 Service Pack 4 (SP4) or later.

[User Action]

If ALL your existing Windows 2000 Active Directory Domain Controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.

C

Forest-wide information can only be updated on the Active Directory Domain Controller that holds the schema operations master role.

[Status/Consequence]

Adprep has stopped on this Active Directory Domain Controller and must be run on the current schema operations master, which is Rob731.Contoso.local.

[User Action]

Log on to the Rob731.Contoso.local Active Directory Domain Controller, change to the directory of adprep.exe on the installation media, and then type the following command at the command prompt to complete the forest update: adprep /forestprep


Solution

On rare occasions you may experience this message when you are on the schema master. In these cases transfer the schema master to another DC and then transfer it back to the original and run Adprep /Forestprep again. See also How to view and transfer FSMO roles in the graphical user interface.

If your schema master was on another machine that was removed from Active Directory then you will have to seize the schema master role using Ntdsutil. See also Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller.


In your Adprep log you see “Error 0x80070020 (Error_sharing_Violation)”


Solution

This is normally caused by antivirus programs’ on-demand scanning. To resolve the issue, disable the antivirus software on-demand scanning feature.


Adprep /Forestprep Fails Due To OID Conflict On Any Schema Attribute


“OID will not be changed resulting in probable failure to add a new class.”


Solution

This error happens when custom schema changes have been made, or when a third-party software makes schema changes that conflict with Microsoft’s.

What you will see is “OID will not be changed resulting in probable failure to add a new class.”

To resolve this issue, open the ADPREP log to see what the failed object is. If you know the third-party software that is using the attribute, contact them and determine if there is a fix. Otherwise I would recommend opening a case with Microsoft for assistance resolving this issue.


Schema update failed: An attribute with the same link identifier already exists.

This error occurs when you are trying to update/add an object in the schema and the link identifier already exists for another attribute. Some third party apps will modify the schema with a link identifier set that is owned by the OS.

You will see the following in the CMD prompt window. The key here is the message about link identifier.

Connecting to «Machine»

Logging in as current user using SSPI

Importing directory from file «D:\Sources\adprep\schXX.ldf»

Loading entriesAdd error on line 249: Unwilling To Perform

The server side error is «Schema update failed: An attribute with the same link identifier already exists.»

15 entries modified successfully.

An error has occurred in the program

…………….

Opened Connection to Machine

SSPI Bind succeeded

Current Schema Version is 30

Upgrading schema to version 44

ERROR: Import from file D:\Sources\adprep\sch34.ldf failed. Error file is saved in ldif.err.34.

When you look in the ldif.err.XX log you will see the attribute we are trying to add:

Entry DN: CN=ms-PKI-AccountCredentials,CN=Schema,CN=Configuration,DC=Contoso,DC=local

Add error on line 249: Unwilling To Perform

The server side error is «Schema update failed: An attribute with the same link identifier already exists.»

An error has occurred in the program.


Solution


In this instance please contact Microsoft for a resolution.   This error indicates that there is a link identifier that is already in use that shouldn’t be there.


Errors Running Adprep /Domainprep


Forestprep Not Run Or Not Recognized As Having Been Run

Running domainprep …

Forest-wide information needs to be updated before the domain-wide information can be updated.

[User Action]

Log on to the schema master Rob731.Contoso.local for this forest, run the following command from the installation media to complete the forest update first:  adprep.exe /forestprep and then rerun adprep.exe /domainprep on infrastructure master again.


Solution

This problem can happen if you haven’t run Adprep /Forestprep yet, or if replication is broken and you are running it on a different DC or Domain than you ran the Adprep /Forestprep on. To resolve this issue either run Adprep /Forestprep or resolve the replication issue depending on the situation.


Not In Windows 2000/2003 Native Mode

Adprep detected that the domain is not in native mode

[Status/Consequence]

Adprep has stopped without making changes.

[User Action]

Configure the domain to run in native mode and re-run domainprep

Raise the domain functional level to 2000 Native mode

To raise Windows 2003 to native mode

1)    Open Active Directory Users and computers

2)    Right click on your domain name and select Raise Domain Functional Level

3)    Use the drop down to select Windows 2000 Native Mode

4)    Click Raise


Unable To Contact Infrastructure Master

Adprep was unable to check the domain update status.

[Status/Consequence]

Adprep queries the directory to see if the domain has already been prepared. If the information is unavailable or unknown, Adprep proceeds without attempting this operation.

[User Action]

Restart Adprep and check the ADPrep.log file. Verify in the log file that this domain has already been successfully prepared.

Adprep encountered a Win32 error.  Error code: 0x3a Error message: The specified server cannot perform the requested operation..

Check connectivity to the Infrastructure Master.


Errors Running Adprep /Domainprep /Gpprep

If you have already run Adprep domain prep, there is really only one error that you can get. When you run the Adprep /Domainprep /Gpprep after you have done the normal Domainprep you are only setting permissions on the policies folder. Below is the error that you will receive if they are inaccessible.


Group Policies Missing Or Inaccessible

Adprep was unable to complete because the call back function failed.

[Status/Consequence]

Error message: (null)

[User Action]

Check the log file ADPrep.log, in the C:\WINDOWS\debug\adprep\logs\20080806171216 directory for more information


Solution

Check to make sure that your sysvol\sysvol\policies\{6ac…………..} and {31b…………….} folders exist and are accessible. If either or both are missing and you have a backup of these folders, restore the folders. If you do not have a backup and the folders are not in an NTFRS_Policies folder, then contact Microsoft for assistance in recreating the folders.


Errors Running Adprep /Rodcprep


Adprep /Rodcprep Fails Due To Insufficient Permissions

Adprep connected to the domain FSMO: Rob731.Contoso.local.

Adprep found partition DC=ForestDnsZones,DC=Contoso,DC=local, and is about to update the permissions.

Adprep connected to a replica DC Rob731.Contoso.local that holds partition DC=ForestDnsZones,DC=Contoso,DC=local.

Adprep was unable to modify the security descriptor on object DC=ForestDnsZones,DC=Contoso,DC=local.

[Status/Consequence]

ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).

[User Action]

Check the log file ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20080813153240 directory for more information.

Adprep encountered an LDAP error.  Error code: 0x32. Server extended error code: 0x5, Server error message: 00000005: SecErr: DSID-03151D54, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Adprep failed the operation on partition DC=ForestDnsZones,DC=Contoso,DC=local. Skipping to next partition.


Solution

You will see other partitions DC=domainDnsZones,DC=Contoso,DC=local as well. To fix this issue make sure you are in the Domain Admins and Enterprise Admins groups.


Adprep /Rodcprep Fails Because It Cannot Connect To Domain Naming Master

Adprep could not contact the Domain Naming FSMO to read the partitions. The Domain Naming FSMO must be reachable for this operation to proceed.

[Status/Consequence]

The Active Directory Domain Services DNS partitions are not prepared for Read Only DCs.

[User Action]

Check the log file ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20080813175105 directory for possible cause of failure.

Adprep encountered a Win32 error.  Error code: 0x54b Error message: The specified domain either does not exist or could not be contacted..


Solution

This error indicates that there is a problem with the domain naming master. Verify that you can contact the Domain Naming Master for the forest. You can check the operations master role in Active Directory Users and Computers.


Adprep /Rodcprep Fails Because It Cannot Connect To Infrastructure Master

Adprep found partition DC=Contoso,DC=local, and is about to update the permissions.

Adprep could not contact the Infrastructure FSMO for domain DC=Contoso,DC=local. The Infrastructure FSMO must be reachable for this operation to proceed.

[Status/Consequence]

The Active Directory Domain Services DNS partitions are not prepared for Read Only DCs.

[User Action]

Check the log file ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20080814090356 directory for possible cause of failure.

Adprep encountered a Win32 error.  Error code: 0x3a Error message: The specified server cannot perform the requested operation..

Adprep failed the operation on partition DC=Contoso,DC=local. Skipping to next partition.

Adprep completed with errors. Not all partitions are updated. See the ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20080814090356 directory for more information. To successfully update all partititions, the current logged on user needs to be a member of Enterprise Admins group. If that is not the case, please correct the problem, and then restart Adprep.


Solution

On the Schema Master run the following command:

Netdom Query FSMO

You should see the five FSMO roles including the Infrastructure Master. Once you have determined who the Infrastructure master is, type \\Servername and \\FQDN(servername). Ensure that you can connect to the Infrastructure master.

If you need to transfer or seize the Infrastructure master for any reason follow:

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

Or

How to view and transfer FSMO roles in the graphical user interface

This concludes this post on many of the errors that you may encounter while running ADPREP. For those reading this after running into an error, I hope that it helped to resolve the issue.

— Rob Newhouse
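The failures catalogued in this post can be triaged from the tail of an ADPrep.log by matching the messages it quotes. The sketch below is an added example, not part of the original post or of any Microsoft tool; the rule names, the `triage` function and the sample log (assembled from messages quoted above) are illustrative assumptions.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    line_no: int     # 1-based line number in the log text
    rule: str        # short id of the failure described in this post
    next_step: str   # remediation summarised from the matching section


# (rule id, pattern, next step). Patterns are messages quoted in this post.
# Specific messages are listed before bare error codes because the first
# rule that matches a line wins.
RULES = [
    ("schema-master-not-replicated", r"unable to extend the schema",
     "Resolve AD replication; run Repadmin /Showrepl on the Schema Master."),
    ("missing-group-membership",
     r"not a member of the following groups|unable to check the current User.s group membership",
     "Check Enterprise, Schema and Domain Admins membership and token size."),
    ("not-on-schema-master", r"must be run on the current schema operations master",
     "Run adprep /forestprep on the schema operations master."),
    ("sharing-violation", r"0x80070020",
     "Disable antivirus on-demand scanning, then rerun."),
    ("oid-conflict", r"OID will not be changed",
     "Find the failed object; a custom or third-party schema change conflicts."),
    ("link-id-conflict", r"same link identifier already exists",
     "Contact Microsoft; a link identifier is already in use."),
    ("forestprep-not-seen", r"Forest-wide information needs to be updated before",
     "Run adprep /forestprep first, or fix replication to this DC."),
    ("not-native-mode", r"domain is not in native mode",
     "Raise the domain functional level, then rerun domainprep."),
    ("gpprep-policies-inaccessible", r"call back function failed",
     "Check that the SYSVOL policies folders exist and are accessible."),
    ("rodcprep-insufficient-rights", r"INSUFF_ACCESS_RIGHTS",
     "Run as a member of Domain Admins and Enterprise Admins."),
    ("infrastructure-master-unreachable", r"Error code: 0x3a\b",
     "Check connectivity to the Infrastructure Master (Netdom Query FSMO)."),
    ("domain-naming-master-unreachable", r"Error code: 0x54b\b",
     "Verify that the Domain Naming Master can be contacted."),
    ("access-denied", r"Error code: 0x5\b",
     "Check group membership; many nested groups can exceed the token size."),
]
COMPILED = [(rid, re.compile(pat, re.IGNORECASE), step) for rid, pat, step in RULES]


def triage(log_text, tail=200):
    """Classify the last `tail` lines of an ADPrep.log; one finding per rule."""
    lines = log_text.splitlines()
    findings, seen = [], set()
    for idx in range(max(0, len(lines) - tail), len(lines)):
        for rid, pattern, step in COMPILED:
            if pattern.search(lines[idx]):
                if rid not in seen:
                    seen.add(rid)
                    findings.append(Finding(idx + 1, rid, step))
                break  # first matching rule wins for this line
    return findings


# Constructed sample: messages quoted in this post, joined into one log.
SAMPLE_LOG = """\
Adprep found partition DC=ForestDnsZones,DC=Contoso,DC=local, and is about to update the permissions.
Adprep was unable to modify the security descriptor on object DC=ForestDnsZones,DC=Contoso,DC=local.
Adprep encountered an LDAP error.  Error code: 0x32. Server extended error code: 0x5, Server error message: 00000005: SecErr: DSID-03151D54, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Adprep could not contact the Infrastructure FSMO for domain DC=Contoso,DC=local.
Adprep encountered a Win32 error.  Error code: 0x3a Error message: The specified server cannot perform the requested operation..
Adprep encountered a Win32 error.  Error code: 0x54b Error message: The specified domain either does not exist or could not be contacted..
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} -> {f.next_step}")
```

The LDAP line carries both 0x32 and an extended 0x5, so the INSUFF_ACCESS_RIGHTS rule is ordered ahead of the bare 0x5 rule, and the word boundary keeps 0x5 from matching 0x54b.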
