none
SCCM 2012 won't install due to SQL Server Certificate.

    Question

  • First I will vent:  SCCM 2012 so far has been a GIGANTIC P.I.T.A. P.O.S. to install. So much for it being an improvement over SCCM 2007 - I guess it is an improvement in one manner, such as being shot in just one leg instead of being shot in both legs.  

    I cannot get SCCM 2012 server to install.  It keeps stalling on "Generating public key and SQL Server certificate" and "Fail to create SQL Server Certificate, ConfigMgr installation cannot be completed. Click the View Log button for more information."

    When I view the log I get the following:  "WARNING: Failed to configure SQL Server Trace on SCCMDB2012.ad.uvu.edu.  $$<Configuration Manager Setup><06-25-2012 14:29:59.539+360><thread=2860 (0xB2C)>

    INFO: Creating SQL Server machine certificate for Server [SCCMDB2012.ad.uvu.edu]...  $$<Configuration Manager Setup><06-25-2012 14:29:59.539+360><thread=2860 (0xB2C)>
    INFO: 'SCCMDB2012.ad.uvu.edu' is a valid FQDN.  $$<Configuration Manager Setup><06-25-2012 14:29:59.539+360><thread=2860 (0xB2C)>
    Cannot write CertBootStrap\SMS_SQL_SERVER\ registry key on server SCCMDB2012.ad.uvu.edu.  The operating system reported error 1  $$<Configuration Manager Setup><06-25-2012 14:29:59.554+360><thread=2860 (0xB2C)>
    ERROR: Failed to write certificate configuration to registry on server SCCMDB2012.ad.uvu.edu  $$<Configuration Manager Setup><06-25-2012 14:29:59.554+360><thread=2860 (0xB2C)>
    ERROR: Failed to create SQL Server [SCCMDB2012.ad.uvu.edu] certificate remotely.  $$<Configuration Manager Setup><06-25-2012 14:29:59.554+360><thread=2860 (0xB2C)>
    ~~===================== Completed Configuration Manager 2012 Server Setup =====================  $$<Configuration Manager Setup><06-25-2012 14:29:59.570+360><thread=2860 (0xB2C)>" 

    I have tried every method I can find on the internet to fix this issue and so far nothing has worked.  I have found articles indicating this is a known issue and will be resolved in SP1. How LOVELY to have a known bug that prevents even a basic installation and it won't be fixed by MS until SP1 comes out in several months!

    During the troubleshooting process I have tried giving full permissions on the cert folder on the SQL server to multiple accounts (local account, domain admin account, network service account, SMSAdmin account, etc.) and nothing helped.  I have run SQL under all of those accounts and nothing has created the necessary cert for SCCM.  I made sure the SCCM server was a local admin on the SQL box and also that SMSAdmin was an admin.  I checked and double-checked the SPN and reran setspn with the -S flag to check the SPN again before creating a new one.  I even created the PKI cert manually and associated it the SQL Server network configuration protocols.  That actually made it worse temporarily until I the logon account access to the cert folder.  This problem is driving me NUTS and seriously makes me want to find a Microsoft engineer and punch him in the face!  Any ideas? Thank you in advance.

    Monday, June 25, 2012 10:39 PM

Answers

  • Well, I would like to thank all of you who tried to help me.  I really do appreciate it.  However after it looked like everyone was stumped I decided to just burn it down and start over.  I did the SQL install myself this time following an SCCM guide from Windows Noob.  I'm not sure what was done differently in the SQL install this time but it seemed to do the trick.  Everything went through just fine this time and the server is installed. 


    Über Random

    Thursday, July 12, 2012 4:38 PM

All replies

  • What version of SQL (plus SP and CU level) are you using?

    Torsten Meringer | http://www.mssccmfaq.de

    Tuesday, June 26, 2012 6:53 AM
  • Hi Uber,

    in most cases, we find this is due to the site server machine account not being in the SQL machine and/or doesn't have write permissions to the registry on the remote SQL server.

    Hope that helps, sorry you're having such a bad experience, keep that feedback coming!


    Bob Edwards SDET, Microsoft Corporation SCCM PVT, STRESS, and Performance consultant

    Tuesday, June 26, 2012 6:40 PM
  • Make sure that you are running your SQL Server on Windows Server 2008 or Windows Server 2008 R2..
    Tuesday, June 26, 2012 10:47 PM
  • Sorry, I was in a hurry before so I forgot to list that.  We're using SQL Server 2008 R2 SP1 CU6 (10.50.2811).  Thank you for your assistance.
    Wednesday, June 27, 2012 6:54 PM
  • We are running Windows Server 2008 R2.  Thank you for taking time to look at this.
    Wednesday, June 27, 2012 6:55 PM
  • Thank you for your assistance in this matter.  The site server, named SCCM2012, is in the admins group on the SQL Server, named SCCMDB2012.  The SMSAdmin account that I am using to install the Primary server is also in the admins group on SCCMDB2012.  Is there anywhere else on the SQL server that permissions need to be granted?
    Wednesday, June 27, 2012 7:11 PM
  • The account used for the installation and the computer account of SCCM2012 have to be members of the local admins group on SCCMDB2012 and need also sysadmin rights in SQL.

    Torsten Meringer | http://www.mssccmfaq.de

    Thursday, June 28, 2012 7:38 AM
  • The install account (SMSadmin) and the computer account (SCCM2012) are both members of the local admins group on SCCMDB2012.  The SMSadmin account does have sysadmin rights in SQL but I don't think you can give computers sysadmin rights inside SQL.  You can only add Built-in security principles, users and groups.  Any other ideas?  Thank you again for assisting.
    Thursday, June 28, 2012 4:51 PM
  • Any more suggestions? Please, anyone?

    Über Random

    Monday, July 02, 2012 7:21 PM
  • I'm interested as well.  I'm having the same exact issue.   I am doing a pretty vanilla install with just a primary stand alone site.  I'm using Windows 2008 R2 and SQL Server 2012.

    I went into the SQL server configuration manager, under the protocols for the SQL network configuration and can see that the ConfigMgr SQL Server Identification Certificate is in there and was just automatically generated, but according to the SCCM installer it fails on this step with the same exact message the OP of this forum thread received.  

    I'm also using a service account which right now is part of the domain administrators group, and is local admin on both the DB server and the SCCM server.  This account is what I'm running the install from as well.   It is also a SQL user set as sysadmin.   The SCCM server is also added to the admin group of the SQL server.  On top of all this, I also tried disabling UAC on both servers.

    If anyone knows of a fix for this, please share!

    Thanks,

    -Nick 

    Monday, July 02, 2012 11:00 PM
  •  I'm using Windows 2008 R2 and SQL Server 2012. 


    SQL 2012 is not yet supported: http://technet.microsoft.com/en-us/library/gg682077.aspx#BKMK_SupConfigSQLDBconfig

    Torsten Meringer | http://www.mssccmfaq.de

    Tuesday, July 03, 2012 7:12 AM
  • That would definitely explain it, thanks for the reply!
    Tuesday, July 03, 2012 6:47 PM
  • Well, I would like to thank all of you who tried to help me.  I really do appreciate it.  However after it looked like everyone was stumped I decided to just burn it down and start over.  I did the SQL install myself this time following an SCCM guide from Windows Noob.  I'm not sure what was done differently in the SQL install this time but it seemed to do the trick.  Everything went through just fine this time and the server is installed. 


    Über Random

    Thursday, July 12, 2012 4:38 PM
  • this problem is resolved if you login in SQL Server and SQL Server Agent as domain administrator . you can change login account through sql server configuration manager. after changing login account , services must be restarted . If you already face a failure in installation then delete the registry key which generated during installation of SCCM( HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS ) . 

    now you can re-install SCCM 2012. best of luck 

    regards

    sunil kumar

    • Proposed as answer by Fild.NET Tuesday, September 25, 2012 5:07 PM
    Monday, September 10, 2012 1:48 PM
  • The account doesnt have to be a domain admin. Just make sure you configure the SQL services to run under a domain user account rather than as local system or network service.

    If you have already installed SQL 2012 CU2 using a local system or network service account, use SQL Server Configuration Manager to change the services to run under the nominated domain account. Running SQL under a domain user follows MS best practices.

    This did the trick for me and SCCM 2012 installed fine.

    Saturday, October 27, 2012 4:09 AM
  • This configuration tweak did the trick for me.  Thanks.

    Steve Meggeson A+, MCSA, MCSE, MCITP, MCT steve@teksource.ca

    Monday, November 26, 2012 3:56 PM
  • this problem is resolved if you login in SQL Server and SQL Server Agent as domain administrator . you can change login account through sql server configuration manager. after changing login account , services must be restarted . If you already face a failure in installation then delete the registry key which generated during installation of SCCM( HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS ) . 

    now you can re-install SCCM 2012. best of luck 

    regards

    sunil kumar


    Thanks for the tip, I was able to change just the SQL Server account to the Domain Admin account using Configuration Manager.  I then restarted the SQL Server service with the new account and the SCCM installer was able to proceed past the Certificate creation step.
    Wednesday, December 19, 2012 6:25 PM
  • Thanks , it s  working after all the changes

    Friday, December 21, 2012 11:54 AM
  • this problem is resolved if you login in SQL Server and SQL Server Agent as domain administrator . you can change login account through sql server configuration manager. after changing login account , services must be restarted . If you already face a failure in installation then delete the registry key which generated during installation of SCCM( HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS ) . 

    now you can re-install SCCM 2012. best of luck 

    regards

    sunil kumar

    Add this procedure:

    I had the same problem and didn't want to re-install everything. The solution is simple:
    Go to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
    Delete (or move for backup purposes) any files that were created/modified on the days where you installed/stuffed up/Uninstalled SCCM 2012.
    Go to C:\ProgramData\Microsoft\Crypto\RSA and browse the other sub directories that exist (if any) and perform the same procedure of deleting (or moving) the files.
    Re-run the installation and it should work properly.

    http://www.windows-noob.com/forums/index.php?/topic/4518-fail-to-create-sql-server-certificate/


    Thiago Carvalho Freitas MCP | MCTS

    • Proposed as answer by deployzilla Saturday, February 08, 2014 11:17 PM
    Friday, April 12, 2013 5:32 PM
  • Hi

    I am having the same problem. I went through the steps as discussed above but didn't get the result. here is the error that I am getting.

    Monday, May 29, 2017 2:49 PM
  • Hi

    I am having the same problem. I went through the steps as discussed above but didn't get the result. here is the error that I am getting.

    Did you check the items listed within the error message? You error message say nothing for SQL certificate s anywhere so why do you think this post applies?

    Garth Jones

    Blog: http://www.enhansoft.com/blog Old Blog: http://smsug.ca/blogs/garth_jones/default.aspx

    Twitter: @GarthMJ Book: System Center Configuration Manager Reporting Unleased

    Monday, May 29, 2017 5:09 PM