none
MBAM inital setup issues with SQL Cluster server

    Question

  • I'm trying to setup our MBAM server so we can finally deploy bitlocker with some management.  We have an SQL 2008 R2 cluster server that I'd like to make the database server for Recovery, Compliance and Audits databases.  I've tried to run the setup on one of the nodes for SQL, I'm logged in as an Administrator of the SQL server and i keep getting this error.

    User lacks sufficient permissions on this instance of SQL Server
    Resolution: The user who is attempting to install the Key Recovery Database feature lacks the necessary permissions (that is, connection permissions) to access any of the server's instances of SQL Server.
    More information on SQL Server is available at: http://go.microsoft.com/fwlink/?LinkId=217251

    We aren't using any instances other than the default SQL instance.  Is it supported to run the MBAM database components on a clustered SQL server and is there something special i need to do to get past the prerequisites?

    Tuesday, September 20, 2011 6:34 PM

All replies

  • You cannot install MBAM directly on a SQL cluster.

    If you want to move DB to a SQL cluster, then you install  MBAM on non-cluster and move DB to a SQL cluster.

    http://onlinehelp.microsoft.com/it-it/mdop/hh285651.aspx

     

    Hope this helps.

    Manoj (MSFT)


    Manoj Sehgal
    Wednesday, September 21, 2011 9:46 PM
  • manojsehgal, I understand the option you mention to move the MBAM DBs to a SQL cluster, however, those instructions mention (after moving the DB) to "Run MBAM setup on Server B" - which in this case "Server B" is the SQL cluster. We can't run a setup on the cluster, so is just moving the DB to the cluster and configuring it on the Administration and Monitoring server sufficient?

    Friday, October 14, 2011 10:23 PM
  • I'm facing same problem.  What's the solution ?
    Thursday, October 20, 2011 1:14 PM
  • My organization is utilizing a SQL Enterprise 2008 cluster for most of our SQL needs, so when I read the system requirements I thought MBAM would be a good direction for us. Interesting enough, I cannot find any documentation regarding this prereq, but I cannot make it work in a cluster either. Is there any more information available?

    Why would an organization not want to harden the backend for an important service like desktop encryption?

     



    • Edited by DaveGermano Wednesday, December 28, 2011 8:50 PM
    Wednesday, December 28, 2011 8:47 PM
  • Same question here, any answers?
    Friday, January 20, 2012 1:58 PM
  • Hi,

    I'm just about to implement MBAM and want to put the DB on a SQL cluster.

    Anyone successfully implemented this...?

    • Proposed as answer by pirate8216 Tuesday, February 21, 2012 1:24 AM
    • Unproposed as answer by pirate8216 Tuesday, February 21, 2012 1:24 AM
    Friday, February 17, 2012 7:42 AM
  • I used the following procedure to install the MBAM databases on a SQL cluster.

    Install the MBAM databases on a standalone SQL server, then follow the instructions in http://onlinehelp.microsoft.com/it-it/mdop/hh285651.aspx to backup the DB's and certificates.

    Create two domain groups to use for the hardware and recovery db and compliance status db access.

    On your sql cluster create a new database called MBAM Compliance Status and another new database MBAM Recovery and Hardware.

    Make sure you have created a master key certificate on your sql cluster, then restore the MBAM certificate and DB's you backed up earlier. Again, instructions for this are in the link above.

    Create two SQL logins using the domain groups. For the compliance and status db access group, create a user mapping to the MBAM Compliance status DB, grant the login Public and Compliance WriteRole. For the Recovery and Hardware group login, create a user mapping granting Public, RocoveryandHardwareRead Role and RocoveryandHardwareWrite Role

    If it isnt already present, create a sql login for the NT AUTHORITY\NETWORK SERVICE account. Create user mappings to both the compliance status and recovery and hardware DB's granting db_owner role.

    Make sure your Administration and monitoring server is a member of the two domain groups you created.

    In theory that should be it. I also had an issue with the hardware compatability page giving me an error about the data store request not found. Solution for this was to edit the sites connection strings to point directly to the FQDN of the SQL cluster. I got this from the following post http://social.technet.microsoft.com/Forums/ar/w7itprosecurity/thread/80b6af5e-4048-44e6-abe3-03f0ef33cd24?prof=required

    • Proposed as answer by pirate8216 Tuesday, February 21, 2012 1:40 AM
    Tuesday, February 21, 2012 1:40 AM
  • Thanks a lot!

    Followed your description, and it worked like a charm.

    Tuesday, February 21, 2012 2:46 PM
  • Hello guys.

    I followed the pirate´s how to and it worked.

    But theres only one more thing: if you migrate the MBAM databases to a cluster, the MBAM site (actually, the reports) wont be updated.

    It´s because the installer create a job in the SQL Server to update the compliante report.

    But it´s easy to fix: just create a job called by default "CreateCache" with one step:

    NAME: Copy Data

    TYPE: Transct-SQL

    DATABASE: MBAM Compliance Database

    COMMAND: EXEC [ComplianceCore].UpdateCache

    ON SUCCESS: Quit the job (5 retries)

    The original schedule is to run at 1:00AM / 7:00AM / 1:00PM / 7:00PM

    Hadouuuuuken! Now the reports are updated :D

    Friday, December 14, 2012 12:22 PM
  • Instead of creating two domain group, the purpose can be served with a single domain group. Following is the appropriate steps:-

      - Create a global domain account "MBAM System Administrators".

    On the SQL server:-


      - Create a login for the global group "MBAM System Administrators" on the SQL server and provide the following rights on the MBAM DBs:-        

    • ComplainceWriteRoleand ComplainceReadRole on the MBAM Compliance Status database
    • RecoveryandHardwareReadRole” and “RecoveryandHardwareRightRole” on the Database MBAM Recovery and Hardware.


      - Create a login for the MBAM Server (machine account) on the SQL server with the following command :-

             create login (DOMAIN_NAME\SERVERNAME$) from windows


    -              -  Provide rights to the MBAM machine account (MBAM Server):-

    • ComplainceWriteRoleon the MBAM Compliance Status database
    • RecoveryandHardwareReadRole” and “RecoveryandHardwareRightRole” on the Database MBAM Recovery and Hardware.

    On the Reporting Server:-

    -          Connect the Reporting Service through the SQL management Studio (It should be running as admin otherwise we will not get the option to create a new role)

    -          Create a new role “MBAM System Administrators” with the following tasks:-

    • View Reports
    • View Resources
    • View Folders
    • Manage Individual Subscription
    • View Models

    -          Open the Report Services Configuration manager and browse to the Report manager URL.

    -          Open the Security for the "Microsoft Bitlocker administration and Monitoring" folder at the Reporting Service Point.

    -          Create a new role assignment.

    -          Provide the Group or user name as “MBAM System Administrators” and select the role “MBAM System Administrators”.

    t





    Gaurav Ranjan

    Friday, January 04, 2013 6:41 AM
  • Damn it, it will be pain-in-the ass do try to upgrade MBAM 1.0 versions to 2.5 because of this. Most likely today everyone wants MBAM 2.5 DBs to a cluster.
    Wednesday, June 18, 2014 4:34 PM