SQL 2019 Basic Availability Group Cannot create listeners

Lachlan Follett 21 Reputation points
2020-11-19T21:36:42.793+00:00

2x SQL 2019 Standard severs on Windows Server 2019 Standard.

One in PROD site and one in DR site. The two sites have large bandwidth (>400Mbps) and <2ms between them.

These have been built with the intention of hosting Basic Availability Groups (BAG) for all our compatible databases.
BAGs require one IP in each subnet for the listener.

We created the first Database BAG fine and it works well.

When we try to create further BAGs, we fail when we try to add the listeners (IPs in each subnet). The proposed IPs are not in use by any other system.

So current state:
1st BAG Listener 'AG-Database1' IPs 10.1.1.5/24 (prod) and 10.2.1.5/24 (DR) port 1433

Try to create 2nd listener:
'AG-Database2' IPs 10.1.1.6/24 and 10.2.1.6/24 port 1433
The BAG builds fine but listener add fails with:

The WSFC cluster could not bring the Network Name resource with DNS name 'AG-Database2' online. The DNS name may have been taken or have a conflict with >existing name services, or the WSFC cluster service may not be running or may be inaccessible. Use a different DNS name to resolve name conflicts, or check the WSFC >cluster log for more information.
The attempt to create the network name and IP address for the listener failed. If this is a WSFC availability group, the WSFC service may not be running or may be >inaccessible in its current state, or the values provided for the network name and IP address may be incorrect. Check the state of the WSFC cluster and validate the >network name and IP address with the network administrator. Otherwise, contact your primary support provider. (Microsoft SQL Server, Error: 19471)

The cluster and services are fine. The cluster validates OK. The proposed additional IPs are not in use (not in DNS and don't respond to ping).

We pre-stage the listener computer object and the cluster CNO "sqlcluser" has full control on the listener computer object in ADDS. This is the bit that most articles point to as the usual cause but it's not in our case.
41187-sqlcl.png

The only relevant errors I can find in the cluster log talk about crypto errors and I haven't found much about them.

INFO [RES] Network Name: [NNLIB] FindSuitableDCNew - objectName AG-Database2, username - SQLCLUSTER$, firstChoiceDCName - \THEDC01.domain.com
INFO [RES] Network Name: [NNLIB] Found first choice DC that has the object AG-atabase2 DCName - \THEDC01.domain.com.
ERR [RES] Network Name: [NNLIB] Could not acquire crypto context, status 2148073487
ERR [RES] Network Name: [NN] Encrypting password using crypto access failed, error 2148073487

I'm stuck as to why I can't create further BAG listeners.

SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
13,784 questions
Windows Server Clustering
Windows Server Clustering
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Clustering: The grouping of multiple servers in a way that allows them to appear to be a single unit to client computers on a network. Clustering is a means of increasing network capacity, providing live backup in case one of the servers fails, and improving data security.
996 questions
0 comments No comments
{count} votes

Accepted answer
  1. Sean Gallardy - MSFT 1,886 Reputation points Microsoft Employee
    2020-11-20T01:17:49.22+00:00

    Could not acquire crypto context, status 2148073487

    Converting that to a HRESULT = NTE_EXISTS (0x8009000F)

    The key container already exists, but you are attempting to create it. If a previous attempt to open the key failed with NTE_BAD_KEYSET, it implies that access to the key container is denied.

    Given the above, I'd run a procmon when attempting to create the network name to see if there are other access denied items in the crypto registry locations or filesystem.

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Lachlan Follett 21 Reputation points
    2020-11-20T01:47:26.14+00:00

    Hi @SeanGallardy-1365

    Thanks for that!

    Procmon showed access denied on C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

    Some further searching indicates that changing SQL server service account through services.mmc instead of SQL Configuration Manager can mean that some ACLs are not populated correctly. This combined with a recent event where the SQL server ssl cert was changed and then the services refused to start may have contributed.

    Resetting inheritance on that folder solved it. The server now creates the listeners.

    (The process that accesses that folder is the RHS.exe (Resource Host for Windows Cluster running as Local System))


  2. Lachlan Follett 21 Reputation points
    2020-11-20T01:49:18.347+00:00

    Random Question: What technique did you use to convert "2148073487" to "HRESULT = NTE_EXISTS (0x8009000F)" ?


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.