AD RMS Logging Can't be Enabled

    Question

  • I configured my Windows Server 2012 R2 AD RMS with a SQL mirroring solution following this document: http://social.technet.microsoft.com/wiki/contents/articles/14977.test-lab-guide-configuring-ad-rms-with-sql-mirroring-in-windows-server-2012.aspx

    The logging configuration is shown below:

    Logging Server: data source=Server01;failover partner=Server02;initial catalog=DRMS_Logging_adrms_dc1_dc2_dc3_dc4_443

    Logging Database: DRMS_Logging_adrms_dc1_dc2_dc3_dc4_443

    When the SQL principal server is set to Server02, everything works fine, but once the SQL principal is set to Server01, a new user is not able to create/open encrypted email. Event Viewer shows:

    The SQL Server log shows AD RMS is trying to write its log to the mirroring database server, Server02, with the error below:

    Database mirroring is active with database 'DRMS_Logging_adrms_dc1_dc2_dc3_dc4_443' as the mirror copy. This is an informational message only. No user action is required.
    Login failed for user 'domain\admin'. Reason: Failed to open the explicitly specified database 'DRMS_Logging_adrms_dc1_dc2_dc3_dc4_443'. [CLIENT: 10.78.110.40]

    Can any RMS/SQL expert tell me why my AD RMS did not keep trying when saving log to mirroring server Server02 failed?  


    Jason


    • Edited by Jason2804 Tuesday, September 02, 2014 11:19 AM
    Tuesday, September 02, 2014 11:16 AM

All replies

  • Hi Jason,

    1. Have you followed this section:

    In the mirror server, SQL2, create a login for ADRMSSVC. (This will be the AD RMS service user account if you're following the procedure that was provided in the AD RMS base TLG. Note that AD RMS installation will create this login on SQL1, but it needs to be created manually for SQL2.)

    2.  BTW: did you remember about creating SPNs? 

    Setspn -A MSSQLsvc/<SQL1 FQDN> <domain>\SQLSVC
    Setspn -A MSSQLsvc/<SQL2 FQDN> <domain>\SQLSVC
    Setspn -A MSSQLsvc/<SQL1 common name> <domain>\SQLSVC
    Setspn -A MSSQLsvc/<SQL2 common name> <domain>\SQLSVC


    Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

    Tuesday, September 02, 2014 10:56 PM
  • Thanks Predica, both are done. The only difference between my settings and the reference link is that I changed the database name below to DRMS_DirectoryServices_ for the Directory cluster policy, as I believe it's a typo in that document.

    UPDATE dbo.DRMS_ClusterPolicies
    SET PolicyData='data source=<SQL1>;failover partner=<SQL2>;integrated security=SSPI;persist security info=False;packet size=4096;database=DRMS_Config_<cluster>_<port>'
    WHERE PolicyName='DirectoryServicesCacheDatabase'

    Other than that, I am using a witness server for auto failover.

    Jason


    • Edited by Jason2804 Wednesday, September 03, 2014 1:30 AM
    Wednesday, September 03, 2014 1:28 AM
  • Please compare the logins that can access SQL on SQL1 and SQL2 in terms of access permissions and privileges. What ADRMS stated is that sf\sfrmssvcprd doesn't have access to log in to the DRMS_Logging_ DB.



    Wednesday, September 03, 2014 7:36 AM
  • Thanks for that. 

    As I mentioned, the reason the service account can't log in to DRMS_Logging_DB on DB Server02 is that it is mirroring at that moment. Once I manually swing DRMS_Logging_DB to DB Server02, the issue won't happen. I don't understand why my RMS doesn't try to write data to DB Server01, which is the principal server at that moment.


    Jason

    Wednesday, September 03, 2014 10:48 AM
  • Ok, I get it. Have you read this http://blogs.msdn.com/b/spike/archive/2010/12/15/running-a-database-mirror-setup-with-the-sqlbrowser-service-off-may-produce-unexpected-results.aspx ?


    Wednesday, September 03, 2014 12:21 PM
  • Thanks again. The SQL Browser services are both started.

    Just want to confirm whether your mirroring configuration exactly follows that document (the log DB has no "integrated security=SSPI;persist security info=False;packet size=4096" setting):

    USE DRMS_Config_<cluster>_<port>
    GO
    UPDATE dbo.DRMS_ClusterPolicies
    SET PolicyData='data source=<SQL1>;failover partner=<SQL2>;integrated security=SSPI;persist security info=False;packet size=4096;database=DRMS_Config_<cluster>_<port>'
    WHERE PolicyName='CertificationUserKeyStorageConnectionString'
    GO
    UPDATE dbo.DRMS_ClusterPolicies
    SET PolicyData='data source=<SQL1>;failover partner=<SQL2>;integrated security=SSPI;persist security info=False;packet size=4096;database=DRMS_Config_<cluster>_<port>'
    WHERE PolicyName='DirectoryServicesCacheDatabase'
    GO
    UPDATE dbo.DRMS_ClusterPolicies
    SET PolicyData='data source=<SQL1>;failover partner=<SQL2>;initial catalog=DRMS_Logging_<cluster>_<port>'
    WHERE PolicyName='LoggingDatabaseServer'
    GO


    Jason

    Thursday, September 04, 2014 2:10 AM
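
The login comparison suggested in the replies, plus a read-back of the three connection-string policies from the last post, as an added example that is not part of the original thread. `<domain>\ADRMSSVC` and the `<cluster>`/`<port>` names are placeholders to substitute; the views queried are standard SQL Server catalog views.

```sql
-- Run sections 1-3 on BOTH SQL instances (Server01 and Server02 in the
-- question) and compare the output side by side.
-- Placeholders (assumptions): substitute the real service account and names.
DECLARE @login sysname = N'<domain>\ADRMSSVC';
DECLARE @db    sysname = N'DRMS_Logging_<cluster>_<port>';

-- 1. Which mirroring role does this instance currently hold for the logging
--    database? A database in the MIRROR role cannot be opened by clients,
--    which matches the "Failed to open the explicitly specified database"
--    login failure quoted in the question.
SELECT d.name,
       m.mirroring_role_desc,
       m.mirroring_state_desc,
       m.mirroring_partner_instance,
       m.mirroring_witness_name
FROM sys.databases AS d
JOIN sys.database_mirroring AS m ON m.database_id = d.database_id
WHERE d.name = @db;

-- 2. Does the AD RMS service login exist on this instance, and is it enabled?
SELECT name, type_desc, is_disabled, default_database_name, sid
FROM sys.server_principals
WHERE name = @login;

-- 3. Server-level permissions granted or denied to that login.
SELECT pr.name, pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = @login;

-- 4. Read back the connection strings AD RMS will use. Run this only on the
--    instance that is currently PRINCIPAL for the configuration database.
--    Check that every row names both "data source" and "failover partner".
SELECT PolicyName, PolicyData
FROM [DRMS_Config_<cluster>_<port>].dbo.DRMS_ClusterPolicies
WHERE PolicyName IN (N'CertificationUserKeyStorageConnectionString',
                     N'DirectoryServicesCacheDatabase',
                     N'LoggingDatabaseServer');
```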