SQL AG Resources cannot be brought online after changing sql service account from Normal AD Account to GMSA

  • Question

  • Hi,

    We had a setup of three SQL 2016 SP2 servers running 2 AGs with multiple databases in AG on Windows 2016 server. Previously the SQL Service was running under the context of an Active Directory account. We created a GMSA (Group Managed Service Account) in AD and installed this GMSA on all 3 SQL Servers. SQL AG resources are not coming online after changing the service account to GMSA.

    MSSQL Service is started and running with GMSA, but AG resources are not online. If we change back to the previous account, the resources are back online.

    Are there any additional steps that we need to perform when changing the service account from a normal AD account to GMSA?

    We followed the below link but still no luck:

    https://www.sqlservercentral.com/articles/group-managed-service-accounts-gmsas-in-sql2016

    Appreciate if someone can help us with this issue.

    Thanks and Regards

    Monday, November 18, 2019 6:06 PM

Answers

  • Hi, after granting connect rights (GRANT CONNECT ON ENDPOINT::Hadr_Endpoint TO [SQLServerAccount$]) we were able to bring the resource online on one node, but when we switched to the other node it was not coming online automatically. We had to manually start the service and move the AG resources.

    We had to follow the below article, which resolved our problem. Now the resources are moving manually and automatically between the nodes.

    https://blog.sqlauthority.com/2019/02/27/sql-server-sql-service-not-getting-started-automatically-after-server-reboot-while-using-gmsa-account/

    Thanks all for your support.

    Regards

    • Marked as answer by Najmulhasan Tuesday, November 26, 2019 10:31 AM
    Tuesday, November 26, 2019 10:31 AM
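
Added example (not part of the original thread): a T-SQL check to run on each replica that reports whether the engine service account has a login and an explicit CONNECT grant on the HADR endpoint, and prints the statements that would add them. It assumes every replica runs under the same gMSA, as described in the question; the variable names and column aliases are illustrative.

```sql
-- Added example. Assumes all replicas run the engine under the same gMSA,
-- so the local service account is the one remote replicas connect with.
DECLARE @svc nvarchar(256) =
    (SELECT TOP (1) service_account
     FROM sys.dm_server_services
     WHERE servicename LIKE N'SQL Server (%');   -- database engine, not Agent

-- An instance has at most one database mirroring (HADR) endpoint.
DECLARE @ep sysname =
    (SELECT TOP (1) name FROM sys.database_mirroring_endpoints);

-- Current state: endpoint, login and explicit CONNECT grant for @svc.
-- Rights inherited through sysadmin or a Windows group are not shown here.
SELECT  e.name       AS endpoint_name,
        e.state_desc AS endpoint_state,
        @svc         AS service_account,
        CASE WHEN l.principal_id IS NULL THEN 'missing' ELSE 'present' END AS login_status,
        CASE WHEN p.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION')
             THEN 'granted' ELSE 'missing' END AS endpoint_connect
FROM sys.database_mirroring_endpoints AS e
LEFT JOIN sys.server_principals AS l
       ON l.name = @svc
LEFT JOIN sys.server_permissions AS p
       ON p.class_desc = 'ENDPOINT'
      AND p.major_id = e.endpoint_id
      AND p.grantee_principal_id = l.principal_id
      AND p.permission_name = 'CONNECT';

-- Build the fix, quoting both names; print it for review before running.
DECLARE @sql nvarchar(max) = N'';
IF SUSER_ID(@svc) IS NULL
    SET @sql += N'CREATE LOGIN ' + QUOTENAME(@svc) + N' FROM WINDOWS; ';
SET @sql += N'GRANT CONNECT ON ENDPOINT::' + QUOTENAME(@ep)
          + N' TO ' + QUOTENAME(@svc) + N';';
PRINT @sql;
-- EXEC sys.sp_executesql @sql;   -- uncomment after reviewing the output
```

Reading `sys.dm_server_services` requires VIEW SERVER STATE; run the script in one batch so the variables stay in scope.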

All replies

  • Look in your SQL Server error log. You will probably see references to logon failures. You will need to grant these accounts connect access to your SQL Server.

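    Something like this:

    -- Server-level connect permission for the service account login
    GRANT CONNECT SQL TO [SQLServerAccount$];

    -- Connect permission on the availability group (HADR) endpoint
    GRANT CONNECT ON ENDPOINT::Hadr_Endpoint TO [SQLServerAccount$];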


    Monday, November 18, 2019 6:18 PM
  • Hi Najmulhasan,

    Could you share the error message from Failover Cluster Manager? Or please check if you can get some useful error message from the event log.
    Did you restart your SQL Server service after changing the SQL Server service account? When configuring a gMSA for the SQL database engine service of a server that participates in an Always On Availability Group, you need to grant the connect permission on the HADR endpoint. Did you change your SQL Server Agent account to gMSA? Did you perform the account update on each server that is a SQL AG replica?

    Best regards,
    Cathy 


    Tuesday, November 19, 2019 8:06 AM
  • You need to grant the permission of endpoint connection to the new account.

    https://sqlserver.code.blog/

    Tuesday, November 26, 2019 12:32 AM