Upravit

Sdílet prostřednictvím


You can't install SQL Server by using a service account when only an RODC is reachable

This article discusses an issue in which you can't install SQL Server when only a read-only domain controller (RODC) is available.

Original product version:   SQL Server
Original KB number:   2962968

Symptoms

Consider the following scenario:

  • You have a perimeter network (also known as a demilitarized zone (DMZ), and a screened subnet) that only has an RODC available.
  • You have a member server in the perimeter network. You try to install SQL Server on the member server and use an Active Directory service account for the SQL Server service.

In this scenario, the installation wizard fails when the installation program validates your account.

Cause

When you log on to a computer for the first time and try to encrypt data, the operating system creates a preferred Data Protection Application Programming Interface (DPAPI) MasterKey, which is based on your current password. During the creation of the DPAPI MasterKey, an attempt is made to back up this master key by contacting a Read Write Domain Controller (RWDC). If the backup fails, the MasterKey can't be created, and this results in failure.

Workaround

To work around this issue, perform the following:

  1. Use the built-in account to install SQL Server.
  2. Change the account that is used for the services to an Active Directory service account.

For other resolutions and additional information, see DPAPI MasterKey backup failures.

References

Installing SQL Server on a domain controller