Installing SQL Server on a Domain Controller

You may encounter problems when installing SQL Server on a domain controller – https://support.microsoft.com/en-us/kb/2032911
Summary
It is not recommended to install SQL Server on a domain controller. There are specific security restrictions when running SQL Server in this configuration and given the resource demands of a domain controller, SQL Server performance may be degraded. Furthermore, SQL Server is not supported on a read-only domain controller. Setup will normally fail. Even if you find methods to work around the problem with setup, SQL Server is not supported on a read-only domain controller. In addition, SQL Server failover clustering is not supported to install on a domain controller.

WHY THEN?
Not all customers have a huge IT budget for dedicated servers and resources to handle multiple processes and applications. You will see small businesses where one server plays multiple roles: DC, SQL Server, application server, and so on.
We do not recommend this type of infrastructure, since it creates a single point of failure for the entire system. Also, security restrictions can be breached, or conflicts can occur, when all these applications are set up on the same server.


Installing SQL Server on a Domain Controller
For security reasons, Microsoft recommends that you do not install SQL Server on a domain controller. SQL Server Setup will not block installation on a computer that is a domain controller, but the following limitations apply:
• ONLY on Windows Server 2003 (which we do not support anymore), SQL Server services can run under a domain account or a local system account.
• You cannot run SQL Server services on a domain controller under a local service account or a network service account.
• After SQL Server is installed on a computer, you cannot change the computer from a domain member to a domain controller. You must uninstall SQL Server before you change the host computer to a domain controller.
• After SQL Server is installed on a computer, you cannot change the computer from a domain controller to a domain member. You must uninstall SQL Server before you change the host computer to a domain member.
• SQL Server failover cluster instances are not supported where cluster nodes are domain controllers.
• SQL Server Setup cannot create security groups or provision SQL Server service accounts on a read-only domain controller. In this scenario, Setup will fail.


WHERE DO I GO FROM HERE?
+To find more details and pinpoint exactly where setup failed, these files will help you:
* Detail.txt
* Summary.txt
File path location: C:\Program Files\Microsoft SQL Server\110\Setup Bootstrap\Log\20160517_142927
NOTE: This location could vary based on which drive you are installing SQL Server on. However, the highlighted portion of the file path would most likely be the same, except that the SQL version would change. For example, in my demonstration, SQL 2012 is in a folder named 110. The table lists each version of SQL at the RTM level for reference purposes.

| Version | Codename | RTM (Gold, no SP) |
|---|---|---|
| SQL Server 2016 | ? | 13.0.1601.5 / 13.0.1601.5 |
| SQL Server 2014 | SQL14 | 12.0.2000.8 / 12.00.2000.8 |
| SQL Server 2012 | Denali | 11.0.2100.60 / 11.00.2100.60 |
| SQL Server 2008 R2 | Kilimanjaro | 10.50.1600.1 |
| SQL Server 2008 | Katmai | 10.0.1600.22 / 10.00.1600.22 |
| SQL Server 2005 | Yukon | 9.0.1399.06 / 9.00.1399.06 |
| SQL Server 2000 | Shiloh | 8.0.194 / 8.00.194 |
| SQL Server 7.0 | Sphinx | 7.0.623 |

>>Below are sample Detail.txt and Summary.txt files with the errors associated with the failed setup. You would mostly find the same error log entries in your files.
Detail.txt
(01) 2016-05-17 22:01:18 Slp: Configuration action failed for feature SQL_Engine_Core_Inst during timing ConfigRC and scenario ConfigRC.
(01) 2016-05-17 22:01:18 Slp: Wait on the Database Engine recovery handle failed. Check the SQL Server error log for potential causes.
(01) 2016-05-17 22:01:18 Slp: The configuration failure category of current exception is ConfigurationFailure
(01) 2016-05-17 22:01:18 Slp: Configuration action failed for feature SQL_Engine_Core_Inst during timing ConfigRC and scenario ConfigRC.
(01) 2016-05-17 22:01:18 Slp: Microsoft.SqlServer.Configuration.SqlEngine.SqlEngineConfigException: Wait on the Database Engine recovery handle failed. Check the SQL Server error log for potential causes.
(01) 2016-05-17 22:01:18 Slp: at Microsoft.SqlServer.Configuration.SqlEngine.SqlServerServiceBase.WaitSqlServerStart(Process processSql)
(01) 2016-05-17 22:01:18 Slp: at Microsoft.SqlServer.Configuration.SqlEngine.SqlServerServiceSCM.StartSqlServer(String[] parameters)
(01) 2016-05-17 22:01:18 Slp: at Microsoft.SqlServer.Configuration.SqlEngine.SqlEngineDBStartConfig.ConfigSQLServerSystemDatabases(EffectiveProperties properties, Boolean isConfiguringTemplateDBs, Boolean useInstallInputs)
(01) 2016-05-17 22:01:18 Slp: at Microsoft.SqlServer.Configuration.SqlEngine.SqlEngineDBStartConfig.DoCommonDBStartConfig(ConfigActionTiming timing)
(01) 2016-05-17 22:01:18 Slp: at Microsoft.SqlServer.Configuration.SqlConfigBase.SlpConfigAction.ExecuteAction(String actionId)
(01) 2016-05-17 22:01:18 Slp: at Microsoft.SqlServer.Configuration.SqlConfigBase.SlpConfigAction.Execute(String actionId, TextWriter errorStream)
(01) 2016-05-17 22:01:18 Slp: The following is an exception stack listing the exceptions in outermost to innermost order
(01) 2016-05-17 22:01:18 Slp: Inner exceptions are being indented
(01) 2016-05-17 22:01:18 Slp:
(01) 2016-05-17 22:01:18 Slp: Exception type: Microsoft.SqlServer.Configuration.SqlEngine.SqlEngineConfigException
(01) 2016-05-17 22:01:18 Slp: Message:
(01) 2016-05-17 22:01:18 Slp: Wait on the Database Engine recovery handle failed. Check the SQL Server error log for potential causes.
(01) 2016-05-17 22:01:18 Slp: HResult : 0x851a001a
(01) 2016-05-17 22:01:18 Slp: FacilityCode : 1306 (51a)
(01) 2016-05-17 22:01:18 Slp: ErrorCode : 26 (001a)
(01) 2016-05-17 22:01:18 Slp: Data:
(01) 2016-05-17 22:01:18 Slp: SQL.Setup.FailureCategory = ConfigurationFailure
(01) 2016-05-17 22:01:18 Slp: WatsonConfigActionData = INSTALL@CONFIGRC@SQL_ENGINE_CORE_INST
(01) 2016-05-17 22:01:18 Slp: WatsonExceptionFeatureIdsActionData = System.String[]
(01) 2016-05-17 22:01:18 Slp: Stack:
(01) 2016-05-17 22:01:18 Slp: at Microsoft.SqlServer.Configuration.SqlEngine.SqlServerServiceBase.WaitSqlServerStart(Process processSql)
(01) 2016-05-17 22:01:18 Slp: at Microsoft.SqlServer.Configuration.SqlEngine.SqlServerServiceSCM.StartSqlServer(String[] parameters)
(01) 2016-05-17 22:01:18 Slp: at Microsoft.SqlServer.Configuration.SqlEngine.SqlEngineDBStartConfig.ConfigSQLServerSystemDatabases(EffectiveProperties properties, Boolean isConfiguringTemplateDBs, Boolean useInstallInputs)
(01) 2016-05-17 22:01:18 Slp: at Microsoft.SqlServer.Configuration.SqlEngine.SqlEngineDBStartConfig.DoCommonDBStartConfig(ConfigActionTiming timing)
(01) 2016-05-17 22:01:18 Slp: at Microsoft.SqlServer.Configuration.SqlConfigBase.SlpConfigAction.ExecuteAction(String actionId)
(01) 2016-05-17 22:01:18 Slp: at Microsoft.SqlServer.Configuration.SqlConfigBase.SlpConfigAction.Execute(String actionId, TextWriter errorStream)
(01) 2016-05-17 22:01:18 Slp: Watson Bucket 1
Original Parameter Values

(01) 2016-05-17 22:03:30 Slp: Error result: -2061893606
(01) 2016-05-17 22:03:30 Slp: Result facility code: 1306
(01) 2016-05-17 22:03:30 Slp: Result error code: 26

Summary.txt
Overall summary:
Final result: Failed: see details below
Exit code (Decimal): -2061893606
Start time: 2016-05-17 21:47:29
End time: 2016-05-17 22:03:24
Requested action: Install

Setup completed with required actions for features.
Troubleshooting information for those features:
Next step for RS: Use the following information to resolve the error, uninstall this feature, and then run the setup process again.
Next step for SQLEngine: Use the following information to resolve the error, uninstall this feature, and then run the setup process again.

Feature: Reporting Services – Native
Status: Failed: see logs for details
Reason for failure: An error occurred for a dependency of the feature causing the setup process for the feature to fail.
Next Step: Use the following information to resolve the error, uninstall this feature, and then run the setup process again.
Component name: SQL Server Database Engine Services Instance Features
Component error code: 0x851A001A
Error description: Wait on the Database Engine recovery handle failed. Check the SQL Server error log for potential causes.
Error help link: http://go.microsoft.com/fwlink?LinkId=20476&ProdName=Microsoft+SQL+Server&EvtSrc=setup.rll&EvtID=50000&ProdVer=11.0.6020.0&EvtType=0xD15B4EB2%400x4BDAF9BA%401306%4026&EvtType=0xD15B4EB2%400x4BDAF9BA%401306%4026

Feature: Database Engine Services
Status: Failed: see logs for details
Reason for failure: An error occurred during the setup process of the feature.
Next Step: Use the following information to resolve the error, uninstall this feature, and then run the setup process again.
Component name: SQL Server Database Engine Services Instance Features
Component error code: 0x851A001A
Error description: Wait on the Database Engine recovery handle failed. Check the SQL Server error log for potential causes.
Error help link: http://go.microsoft.com/fwlink?LinkId=20476&ProdName=Microsoft+SQL+Server&EvtSrc=setup.rll&EvtID=50000&ProdVer=11.0.6020.0&EvtType=0xD15B4EB2%400x4BDAF9BA%401306%4026&EvtType=0xD15B4EB2%400x4BDAF9BA%401306%4026

Feature: Integration Services
Status: Passed
Feature: Data Quality Client
Status: Passed

Feature: SQL Writer
Status: Passed

Feature: SQL Browser
Status: Passed
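
As an added example (not code from the original post), the PowerShell below triages a Summary.txt like the one above: it lists the failed features and decodes the decimal exit code into the HResult, facility and error code that Detail.txt reports. The function names and the trimmed sample text are constructed for illustration.

```powershell
# Added example, not from the original post. $summary is a constructed sample
# trimmed from the Summary.txt excerpt above; on a server, load the real file
# with Get-Content -Raw from the setup log folder.
$summary = @'
Overall summary:
Final result: Failed: see details below
Exit code (Decimal): -2061893606

Feature: Reporting Services - Native
Status: Failed: see logs for details
Component error code: 0x851A001A

Feature: Database Engine Services
Status: Failed: see logs for details
Component error code: 0x851A001A

Feature: Integration Services
Status: Passed
'@

function ConvertFrom-SetupExitCode {
    # Split the signed decimal exit code into HRESULT fields (standard layout).
    param([long]$ExitCode)
    if ($ExitCode -lt 0) { $ExitCode += 4294967296 }   # view as unsigned 32-bit
    [pscustomobject]@{
        HResult  = '0x{0:X8}' -f $ExitCode
        Facility = ($ExitCode -shr 16) -band 0x7FF
        Code     = $ExitCode -band 0xFFFF
    }
}

function Get-SetupFeatureResult {
    # Emit one object per "Feature:" block with its status and error code.
    param([string]$Text)
    $item = $null
    foreach ($line in $Text -split "`r?`n") {
        switch -Regex ($line) {
            '^\s*Feature:\s*(.+)$' {
                if ($item) { $item }
                $item = [pscustomobject]@{ Feature = $Matches[1].Trim(); Status = ''; ErrorCode = '' }
            }
            '^\s*Status:\s*(.+)$' { if ($item) { $item.Status = $Matches[1].Trim() } }
            '^\s*Component error code:\s*(\S+)' { if ($item) { $item.ErrorCode = $Matches[1] } }
        }
    }
    if ($item) { $item }
}

$m       = [regex]::Match($summary, 'Exit code \(Decimal\):\s*(-?\d+)')
$decoded = ConvertFrom-SetupExitCode $m.Groups[1].Value
$failed  = Get-SetupFeatureResult $summary | Where-Object { $_.Status -like 'Failed*' }
$decoded | Format-List
$failed  | Format-Table Feature, ErrorCode -AutoSize
# A failed feature whose code differs from the overall exit code needs its own look.
$failed | Where-Object { $_.ErrorCode -ne $decoded.HResult } | ForEach-Object { "Mismatch: $($_.Feature)" }
```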

THE FIX
+As noted above in explaining why we do not recommend this type of setup, you should by now know that the resolution for the encountered error has to do with PERMISSIONS.
++Setup user account: a domain account that is part of the local Administrators group
+Check whoami /all for privileges


>>Go to Local Security Policies – Local Policies – User Rights Assignment

>>Check to make sure the privileges listed below are assigned to the SQL Setup user or the group it belongs to.
1. Act as Part of the Operating System
2. Bypass Traverse Checking
3. Log on as Batch Job
4. Log on as Service
5. Replace a Process Level Token
6. Debug Programs
7. Backup files and directories
8. Restore files and directories
>>Turn off UAC
>>Check that the Default Domain policies are defined
Open Group Policy Management > Edit Default Domain Controller Policies.


>Under the Edit dialog box, expand Policies > Windows Settings > Security Settings > User Rights Assignment and add the SQL Setup account to the same policies:
1. Act as Part of the Operating System**
2. Bypass Traverse Checking**
3. Log on as Batch Job
4. Log on as Service
5. Replace a Process Level Token
6. Debug Programs
7. Backup files and directories
8. Restore files and directories

NOTE: ** Once you have completed the installation successfully, you might want to remove the SQL Setup account from the policies indicated above. This is for security reasons and to prevent issues like defining traverse checking on the domain.

>>Run a gpupdate /force from CMD using elevated privileges

>>Uninstall the previous failed Setup installation. There is no need to repair it or to troubleshoot the error.
>>Reboot the Server (HIGHLY RECOMMENDED)
>>Log on to the Server with the SQL Setup user account
>>Run a new installation of media using elevated privileges
>>Set the SQL Server service accounts to Windows domain user accounts during the Server Configuration step.
SQL Server service accounts should run as Windows domain user accounts. It is also possible to install SQL Server service accounts to run as Local System, but this option is NOT recommended.
NOTE: You cannot run SQL Server services on a domain controller under a local service account or a network service account.


>SQL Server Setup should complete successfully with no issues
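
To check the user rights from the steps above without opening each policy, the following added PowerShell example (not from the original post) parses a secedit user-rights export and reports, for each of the eight rights, whether the SQL Setup account holds it directly or through a group. The function name, the SIDs and the sample export are constructed, and the parser assumes principals appear as `*SID` entries.

```powershell
# Added example, not from the original post. $inf is a constructed sample of
# the file written by: secedit /export /areas USER_RIGHTS /cfg rights.inf
# The SIDs are made up; ...-1105 stands in for the SQL Setup account.
$setupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$inf = @"
[Privilege Rights]
SeTcbPrivilege = *$setupSid
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,*$setupSid
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeServiceLogonRight = *S-1-5-80-0
SeDebugPrivilege = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
"@

# The eight rights from the post, keyed by their secedit constant names.
$rights = [ordered]@{
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeChangeNotifyPrivilege       = 'Bypass traverse checking'
    SeBatchLogonRight             = 'Log on as a batch job'
    SeServiceLogonRight           = 'Log on as a service'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
    SeDebugPrivilege              = 'Debug programs'
    SeBackupPrivilege             = 'Back up files and directories'
    SeRestorePrivilege            = 'Restore files and directories'
}

function Get-SetupRightsReport {
    param([string]$InfText, [string]$AccountSid, [string[]]$GroupSids = @())
    $holders = @{}   # constant name -> principals listed in the export
    foreach ($line in $InfText -split "`r?`n") {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $holders[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    foreach ($name in $rights.Keys) {
        # A right missing from the export has no holders at all.
        $list = @(); if ($holders.ContainsKey($name)) { $list = $holders[$name] }
        [pscustomobject]@{
            Right     = $rights[$name]
            Constant  = $name
            Direct    = $list -contains $AccountSid
            ViaGroups = @($GroupSids | Where-Object { $list -contains $_ }) -join ','
        }
    }
}
# S-1-5-32-544 is BUILTIN\Administrators, which the setup account belongs to.
$report = Get-SetupRightsReport -InfText $inf -AccountSid $setupSid -GroupSids 'S-1-5-32-544'
$report | Format-Table Right, Direct, ViaGroups -AutoSize
# Before setup: rights held neither directly nor through a group.
$report | Where-Object { -not $_.Direct -and -not $_.ViaGroups } | ForEach-Object { $_.Constant }
# After setup: direct grants left behind, which the NOTE above suggests removing.
$report | Where-Object { $_.Direct } | ForEach-Object { $_.Constant }
```

On a real server, replace `$inf` with `Get-Content -Raw` on the exported file and pass the account's actual SID and group SIDs, both of which `whoami /all` displays.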

ADDITIONAL LINKS AND REFERENCES

https://msdn.microsoft.com/en-us/library/ms143506(v=sql.100).aspx#DC_Support – Hardware and Software Requirements for Installing SQL Server 2008
https://msdn.microsoft.com/en-us/library/ms143506(v=sql.110).aspx – Hardware and Software Requirements for Installing SQL Server 2012
https://blogs.technet.microsoft.com/mdegre/2011/06/25/can-i-install-sql-server-on-a-domain-controller/ – Can I install SQL Server on a domain controller?

13 thoughts on “Installing SQL Server on a Domain Controller


    1. Hi Nick,
      Unfortunately, there is no way to improve the performance. What we mean here is that SQL Server and Windows Active Directory will share server resources all together. If you have a busy domain controller with a DNS role, for example, which handles multiple connection requests as SQL Server, you could face connection timeouts in this case. And don’t forget the security risk. This is why it is always good to have dedicated servers: 1 server for your DC, 1 server for application, 1 server for databases.
      Gaoussou Bagate.


  1. Hello,

    I installed SQL Server 2016 Standard on the domain controller Windows Server 2012 R2.
    Services Engine and Agent now I run as Local System.

    Is it possible to use your manual tip after installing SQL Server?
    So create user SQLEngine and add them permissions and then assign this user to login service?

    Will it be enough or do I even set file permissions to folders, SQL SERVER
    (Which is created during classic installation).

    Thank you very much for your answer !

    Vaclav


    1. Hi Kyssling,

      I tried and tested your scenario on Windows Server 2012 R2 and it worked successfully. You just need to make sure the SQL Service account you are using is part of the administrators group and assign the necessary privileges in the post. Your SQL Service would restart and run successfully with this new account.
      NOTE: Giving the service account admin privileges would provide it read/write permissions to the default SQL folders. In some rare scenarios, you would have to explicitly provide permissions to drive/network share folders that the SQL instance uses. This part is per your environment setup.

      Thanks and HTH


  2. Hello,

    Thank you very much for your answer!
    I would avoid adding User SQLEngine to the Administrator group.
    I want to add this service user only to group USERS\Domain.

    Have you tried it before? If I want it I’ll have to adjust
    manually file permissions to the SQL Server?


    1. Sorry for the late response 😦 I was caught up with some consultation work. I just tested out your request and YES it worked as well as long as you set the permissions right to access the required files and services.
      I have SQL Server Service on my DC running under an account I called (SAMOSQL\Nonadmin) in my test lab who is only part of the Domain Users Group. Please let me know if you have questions or suggestions.
      Thank you and HTH


      1. Hello, I tried and works perfectly. Thank you for your help.
        Can I please have to ask two more questions (last I promise 🙂 )
        Is standard (or necessary for small company) deploy for authentication using SQL – SSL for better security?
        If I had understood correctly Kerberos is used only if used Windows Authentication …


      2. I am glad it worked and you are welcome! Your question about security is very interesting and a good topic to blog on. I am currently writing up a blog which would address your questions and even more. I will update you once I publish the blog. In the meantime, SQL by default creates SSL encryption (128 bit) which is overall secured. When you want to implement Kerberos then you would be looking into setting up SPNs. Note however if the Kerberos handshake fails, Windows will automatically fall back to the default NTLM. I will elaborate more in my blog, I promise. Finally, feel free to ask more questions. I always appreciate great discussions like this. Cheers!


  3. Did something change with SQL 2016 SP1? I tried installing it on Server 2016 (maybe that’s why?) DC, but there were no errors, and all services are running.

    The various services run under a variety of account types: NT Service\MSSQLSERVER, NT Service\SQLSERVERAGENT, Local Service, NT Service\SQLTELEMETRY, NT Service\ReportServer.


    1. Great finding with the new Windows Server 2016. Check out this official documentation on Microsoft’s BOL for SQL Server 2016 – https://docs.microsoft.com/en-us/sql/sql-server/install/hardware-and-software-requirements-for-installing-sql-server

      It mentions that as long as the SQL Server Service account is not running under Local Service then it should work. Looks like yours is running under the default Service Account that is created during the installation.

      This should work even for SQL Server 2016 RTM on Windows Server 2016 Writable DC. I will test it out myself with different scenarios and update you with my findings.


      1. That part of the documentation though is just a copy and paste of 2012’s (and maybe 2012’s of 2008’s, I didn’t check), so what they’re saying hasn’t changed.

        But the default install of 2016 does have SQL Server Browser (and maybe more in a fuller install) under Local Service. No complaints from Setup, and it works.
