SQL 2012 install with configuration file fails with Managed Service Accounts

    Question

  • Hello, I'm having trouble with installing SQL using Managed Service Accounts while using a configuration file for the installation.

    The following error occurred:
    Managed Service Account 'MyDomain\userSQLAgent' provided for 'SQLSERVERAGENT' is either not valid, not linked to this machine or cannot be used for this setup scenario.

    This is a Windows 2008 R2 Enterprise server running on VMWare on a domain. Using SQL Server 2012 Enterprise.

    I created the service accounts on AD using PowerShell and confirmed that they exist in the OU. I also linked these MSAs with their respective servers and verified this as well. I made sure to install KB 2494158 per MS documentation. I verified that I can assign these accounts to services on the server.

    I ran the PowerShell commands from my workstation. Is it necessary to run the Add-ADComputerServiceAccount on the actual server? It doesn't seem to be necessary, as when I query the account it shows the server it's assigned to. Any ideas? I could not find any answers on the forums.

    This is the line in the config file for one of the accounts:
    AGTSVCACCOUNT="MyDomain\UserSQLAgent"

    • Edited by PolishPaul Friday, February 15, 2013 9:44 PM fixed for readability
    Friday, February 15, 2013 9:41 PM

Answers

  • OK, I think I figured out my problem - reading!

    When messing with these accounts, I failed to "install" them on local computers. I was under the assumption that associating them with a computer was enough since when I ran Get-ADServiceAccount it showed the HostComputer property set. <facepalm>

    • Marked as answer by PolishPaul Tuesday, February 19, 2013 9:36 PM
    Tuesday, February 19, 2013 8:41 PM
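    The complete MSA provisioning sequence, including the local Install-ADServiceAccount step that the marked answer identifies as missing, as an added example that is not part of the thread. Account, host and OU names are placeholders; it assumes the ActiveDirectory module (KB 2494158 applied on the target host) and an elevated Domain Admin session.

```powershell
# Added example, not from the thread. All names below are placeholders.
Import-Module ActiveDirectory

$msaName    = 'userSQLAgent'                                    # placeholder
$targetHost = 'MyServerName'                                    # placeholder
$ouPath     = 'OU=Managed Service Accounts,DC=aaa,DC=bbb,DC=ccc' # placeholder

# --- Part 1: run from any domain-joined admin workstation (elevated, Domain Admin) ---

# Create the standalone MSA in AD. A 2008 R2-era MSA can be bound to one host only.
New-ADServiceAccount -Name $msaName -Path $ouPath -Enabled $true

# Link the MSA to the computer that will run the service.
Add-ADComputerServiceAccount -Identity $targetHost -ServiceAccount $msaName

# Confirm the link: HostComputers should list the target computer's DN.
# This is as far as the original poster got; it is necessary but not sufficient.
Get-ADServiceAccount -Identity $msaName -Properties HostComputers |
    Select-Object Name, HostComputers

# --- Part 2: run ON the target server itself (elevated, local admin) ---
# The linking above only records the relationship in AD. Installing the account
# on the host lets the machine retrieve the MSA password from AD and lets the
# local LSA log the service on as DOMAIN\userSQLAgent$. Skipping this step is
# what produces the "not linked to this machine" setup error and Error 1069.
Install-ADServiceAccount -Identity $msaName

# Verify from the host's point of view before launching SQL Server setup.
# $false here means the setup error will reproduce; re-check the four
# access dependencies listed in the thread rather than retrying setup.
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "MSA '$msaName' is not usable on $env:COMPUTERNAME"
}

# Reminder for the unattended configuration file: SQL Server setup expects
# an MSA in DOMAIN\NAME$ form, e.g.  AGTSVCACCOUNT="MyDomain\userSQLAgent$"
```

    Test-ADServiceAccount returning $true on the host is the quickest way to tell whether the remaining problem is the account itself or the setup configuration file.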

All replies

  • I recommend reading the blog post below

    http://blogs.technet.com/b/askds/archive/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting.aspx?wa=wsignin1.0

    especially the

    Limitations sections


    FAQ
    ----
    Regards,
    Ahmed Ibrahim
    SQL Server Setup Team

    Saturday, February 16, 2013 4:58 AM
    Moderator
  • Hello Paul,

    There are four access related dependencies for this to work:

    1. The user running the Install-ADServiceAccount command must be a member of the “Server Operators”, “Account Operators”, or “Domain Administrators” groups in Active Directory in order to make the SAMR call to Active Directory to open the service account

    2. The user must be a local administrator on the machine where you are installing the managed service account.

    3. The user needs to launch PowerShell “as administrator” for UAC to elevate their token

    4. The user and computer account need read access to the managed service account object in AD. 

    Monday, February 18, 2013 6:06 PM
  • 1. My user doing the work is a member of the domain admins
    2. The domain admins group is a member of the local administrators on the server the accounts are being installed to
    3. I ran PS as admin on my workstation to do the work
    4. I added the computer that the service accounts are being installed to the permission to read that OU.

    I'm not sure if I did something different last week, but I'm able to assign the service account to a service, but on starting it I get:

    Error 1069: The Service did not start due to a logon failure.

    I tried from scratch again and here are my detailed steps:

    I start PS as administrator under the context of my domain admin user, then run these commands

    1. New-ADServiceAccount -Name testmsa -Path "OU=DataReporting Test Managed Service Accounts,OU=Users: Service Accounts,DC=aaa,DC=bbb,DC=ccc"
    2. Add-ADComputerServiceAccount -identity MyServerName -ServiceAccount testmsa

    I then set this account to the print spooler and get the same error as above:

    Error 1069: The Service did not start due to a logon failure.

    Tuesday, February 19, 2013 7:43 PM