Re: 2005 Cluster Install Error



You aren't the only one to notice the documentation is less than stellar.
And you are also correct in that domain-level security groups are the correct
way to manage security for SQL service accounts, clustered or not. And
finally, you aren't the first "expert" to make a mistake in public. That is
what makes a community forum so great. If you screw up, you will get called
on it. :)


--
Geoff N. Hiten
Senior Database Administrator
Microsoft SQL Server MVP

"Anthony Thomas" <ALThomas@xxxxxxxxx> wrote in message
news:umeUHd$6FHA.1188@xxxxxxxxxxxxxxxxxxxxxxx
> Fine. Time to bite the bullet on that one.
>
> I dug around on my own and the both of you are absolutely right. God, I
> hate that, but how else do you learn.
>
> Thanks for bringing it to everyone's attention, and for helping me see
> through my own pig-headedness.
>
> For what it is worth, I've been trying to follow the "Best Practices"
> solution of creating machine local groups to which I add Domain Global
> Groups for years to provide as much resource isolation as possible, but
> for
> clusters, that's a bit tricky and redundant. With the use of Domain Local
> Groups, this makes it easier.
>
> So, in short, I'm glad for the change; however, you are both absolutely
> right in that the documentation totally sucks in this case. It makes
> sense,
> given they do document the machine local groups as SQL Server security
> groups and promoting them for clustered installations, but it sure would
> have been nice to have noted that somewhere else other than the very last
> paragraph in the template.ini.
>
> Thanks again.
>
> Sincerely,
>
>
> Anthony Thomas
>
>
> --
>
> "Anthony Thomas" <ALThomas@xxxxxxxxx> wrote in message
> news:euSltp36FHA.1020@xxxxxxxxxxxxxxxxxxxxxxx
>> Ok, there is a difference between Universal, Global, and Local Domain
>> Groups. However, if you have a Single Forest, Single Domain model, they
> are
>> equivalent.
>>
>> But, then, the installer would also need AD permission to create these
>> Domain Local Groups in addition to the membership in the Machine Local
>> Administrators Group and Act as part of the Operating System User Access
>> Right.
>>
>> I am still suspect on whether or not this is a Security Group or Cluster
>> Resource Group requirement.
>>
>> I can see the need to promote Machine Local Groups to Domain Local Groups
>> when we are talking about clusters because of the level of scope. But then
>> again that would require a higher level of privilege.
>>
>> If true, then I would most certainly agree that the documentation is
> Grossly
>> lacking.
>>
>> Sincerely,
>>
>>
>> Anthony Thomas
>>
>> --
>>
>> "Andy Ball" <ng@xxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:eN8B5k06FHA.1724@xxxxxxxxxxxxxxxxxxxxxxx
>> > Domain Local Groups were introduced in Windows 2000 Active Directory
>> >
>> > cheers
>> > Andy.
>> >
>> > "Anthony Thomas" <ALThomas@xxxxxxxxx> wrote in message
>> > news:exXVCFx6FHA.3276@xxxxxxxxxxxxxxxxxxxxxxx
>> > > Yea, I saw that and it didn't make sense. There is no such thing as
>> > > "DOMAIN
>> > > local groups." There are DOMAIN Global groups, LOCAL groups, Cluster
>> > > Resource groups, and, apparently, SQL Server 2005 security groups.
>> > >
>> > > However, there is a new requirement that not only does the
> Installation
>> > > Administrator need Local Administrators group membership but also the
>> ACT
>> > > AS
>> > > PART OF THE OPERATING SYSTEM User Security rights assignment for
>> clustered
>> > > installations that probably caused the initial issue to begin with.
>> > >
>> > > Sincerely,
>> > >
>> > >
>> > > Anthony Thomas
>> > >
>> > >
>> > > --
>> > >
>> > > "Andy Ball" <ng@xxxxxxxxxxxxxxxxxxxxx> wrote in message
>> > > news:O$aRRzw6FHA.808@xxxxxxxxxxxxxxxxxxxxxxx
>> > >> and the portion I presume is talking about the Local Groups that are
>> created
>> > > on
>> > >> the Server where SQL is installed. Simon's original post is about
>> > >> the
>> > > DOMAIN
>> > >> local groups that are required for Clustering.
>> > >>
>> > >> cheers,
>> > >> Andy.
>> > >> "Anthony Thomas" <ALThomas@xxxxxxxxx> wrote in message
>> > >> news:eETZ86g6FHA.1000@xxxxxxxxxxxxxxxxxxxxxxx
>> > >> > At the time, this seemed clearer, but it appears you are speaking
> of
>> > >> > something else. There is also the Setupsql9.chm file that is
>> separate
>> > >> > from
>> > >> > the BOL. You are right; it is unclear.
>> > >> >
>> > >> > Microsoft SQL Server September 2005 Community Technology Preview
>> > >> >
>> > >
>>
> http://download.microsoft.com/download/1/f/8/1f8af9ba-751e-440d-ba2c-006d680b7c81/ReadmeSQL2005.htm#_3461_accessing_setup_documentation_cuy1
>> > >> >
>> > >> > 3.5.15 Corrections to the Names of Security Groups Created During
>> Setup
>> > >> > During setup, SQL Server 2005 adds the following security groups
>> > >> > to
>> > >> > Windows:
>> > >> > SQLServer2005DTSUser$ComputerName
>> > >> >
>> > >> > SQLServer2005MSFTEUser$ComputerName$InstanceName
>> > >> >
>> > >> > SQLServer2005MSOLAPUser$ComputerName$InstanceName
>> > >> >
>> > >> > SQLServer2005MSSQLServerADHelperUser$ComputerName
>> > >> >
>> > >> > SQLServer2005MSSQLUser$ComputerName$InstanceName
>> > >> >
>> > >> > SQLServer2005NotificationServicesUser$ComputerName
>> > >> >
>> > >> > SQLServer2005ReportingServicesWebServiceUser$ComputerName$InstanceName
>> > >> >
>> > >> > SQLServer2005ReportServerUser$ComputerName$InstanceName
>> > >> >
>> > >> > SQLServer2005SQLAgentUser$ComputerName$InstanceName
>> > >> >
>> > >> > SQLServer2005SQLBrowserUser$ComputerName
>> > >> >
>> > >> > These groups simplify granting permissions required to run SQL
> Server
>> > >> > Windows services and other executables. They also help secure SQL
>> > >> > Server
>> > >> > files.
>> > >> > In SQL Server Books Online, $ComputerName was omitted from the
> names.
>> > > The
>> > >> > computer name has since been added to the group names to uniquely
>> > > identify
>> > >> > each group. Unique group names are necessary if SQL Server 2005 is
>> > >> > installed
>> > >> > on domain controllers. For all references to security groups that
>> start
>> > >> > with
>> > >> > "SQLServer2005," substitute the appropriate group name listed
> above.
>> > >> >
>> > >> > 3.5.17 Restrictions for Service Accounts on a Failover Cluster
>> > >> > SQL Server service, SQL Server Agent service, Analysis Services
>> > >> > service,
>> > >> > and
>> > >> > Full-Text Search service must run as domain accounts that are
> members
>> > >> > of
>> > >> > the
>> > >> > built-in Administrators group on each node of the cluster.
>> > >> >
>> > >> >
>> > >> > Sincerely,
>> > >> >
>> > >> >
>> > >> > Anthony Thomas
>> > >> >
>> > >> > --
>> > >> >
>> > >> > "Andy Ball" <ng@xxxxxxxxxxxxxxxxxxxxx> wrote in message
>> > >> > news:uEuMBdV6FHA.1000@xxxxxxxxxxxxxxxxxxxxxxx
>> > >> >> must be going blind - i'm looking @ ReadmeSQL2005.htm from the
>> > >> >> Dev
> \
>> > > MSDN
>> > >> >> edition and Q907284 I can't see it
>> > >> >>
>> > >> >> Andy.
>> > >> >>
>> > >> >> "Anthony Thomas" <ALThomas@xxxxxxxxx> wrote in message
>> > >> >> news:OaT56MI6FHA.1184@xxxxxxxxxxxxxxxxxxxxxxx
>> > >> >> > That information is in the Readme notes as well as the Readme
>> errata
>> > >> >> > posted
>> > >> >> > online.
>> > >> >> >
>> > >> >> > ALWAYS READ THE README.
>> > >> >> >
>> > >> >> >
>> > >> >> > Anthony Thomas
>> > >> >> >
>> > >> >> >
>> > >> >> > --
>> > >> >> >
>> > >> >> > "Andy Ball" <ng@xxxxxxxxxxxxxxxxxxxxx> wrote in message
>> > >> >> > news:u%23k3gf05FHA.3976@xxxxxxxxxxxxxxxxxxxxxxx
>> > >> >> >> Simon,
>> > >> >> >>
>> > >> >>
>> > >> >>
>> > >> >>
>> > >> >> >> yep I noticed that too. Just an omission in BOL. I sent
> feedback
>> > >> >> >> via
>> > >> > the
>> > >> >> > BOL
>> > >> >> >> entry for installing a Cluster from template/unattend, suggest
>> you
>> > > do
>> > >> > the
>> > >> >> >> same.
>> > >> >> >>
>> > >> >> >> Andy.
>> > >> >> >> "Simon" <Simon@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> > >> >> >> news:ECC70F54-2E3D-43BE-AE8B-5B91EFC74E60@xxxxxxxxxxxxxxxx
>> > >> >> >> >I figured out the problem to the command line - why the GUI
>> > >> >> >> >crashed
>> > > I
>> > >> > do
>> > >> >> >> >not
>> > >> >> >> > know.
>> > >> >> >> >
>> > >> >> >> > BOL does not document any of these parameters for the
>> > >> >> >> > command
>> > >> >> >> > line
>> > >> >> >> > which
>> > >> >> >> > are
>> > >> >> >> > REQUIRED for a cluster install:
>> > >> >> >> >
>> > >> >> >> > SQLBROWSERACCOUNT="DOMAIN\USER"
>> > >> >> >> > SQLBROWSERPASSWORD="PASSWORD"
>> > >> >> >> >
>> > >> >> >> > SQLCLUSTERGROUP="DOMAIN\GROUP"
>> > >> >> >> > AGTCLUSTERGROUP="DOMAIN\GROUP"
>> > >> >> >> > FTSCLUSTERGROUP="DOMAIN\GROUP"
>> > >> >> >> >
>> > >> >> >> > However if you look in the template.ini file on your install
> cd
>> > > you
>> > >> >> >> > will
>> > >> >> >> > find details of how and when to use them.
>> > >> >> >> >
>> > >> >> >> > A very disappointed customer.
>> > >> >> >> >
>> > >> >> >> >
>> > >> >> >> >
>> > >> >> >> >
>> > >> >> >> > "Simon" wrote:
>> > >> >> >> >
>> > >> >> >> >> I'm having problems installing 2005 Ent on my Win 2003 SP1
>> > >> >> >> >> 2
>> > >> >> >> >> node
>> > >> >> >> >> cluster.
>> > >> >> >> >> Please note this cluster has a SQL 2000 (SP4) virtual
>> > >> > server/instance
>> > >> >> >> >> already
>> > >> >> >> >> installed. I would like to run them side by side.
>> > >> >> >> >>
>> > >> >> >> >> installing using the setup wizard I get error about the
>> schedule
>> > >> > task
>> > >> >> >> >> failing to start on the 2nd node. Looking through the log
>> files
>> > > the
>> > >> >> > setup
>> > >> >> >> >> program on the 2nd node has thrown an exception error,
>> core.log
>> > >> > shows
>> > >> >> >> >> this:
>> > >> >> >> >>
>> > >> >> >> >> Complete: ParseBootstrapOptionsAction at: 2005/10/7
>> > >> >> >> >> 13:25:6,
>> > >> > returned
>> > >> >> >> >> false
>> > >> >> >> >> Error: Action "ParseBootstrapOptionsAction" failed during
>> > >> >> >> >> execution.
>> > >> >> >> >> Error
>> > >> >> >> >> information reported during run:
>> > >> >> >> >> Could not decrypt command line due to WinException.
>> > >> >> >> >> Error Code: -2146893822
>> > >> >> >> >> Windows Error Text: Bad Hash.
>> > >> >> >> >>
>> > >> >> >> >> Source File Name: cryptohelper\cryptpassword.cpp
>> > >> >> >> >> Compiler Timestamp: Mon Jul 18 01:10:20 2005
>> > >> >> >> >> Function Name: sqls::CryptPassword::UnprotectString
>> > >> >> >> >> Source Line Number: 311
>> > >> >> >> >>
>> > >> >> >> >> Running: ValidateWinNTAction at: 2005/10/7 13:25:6
>> > >> >> >> >> Complete: ValidateWinNTAction at: 2005/10/7 13:25:6,
> returned
>> > > true
>> > >> >> >> >> Running: ValidateMinOSAction at: 2005/10/7 13:25:6
>> > >> >> >> >> Complete: ValidateMinOSAction at: 2005/10/7 13:25:6,
> returned
>> > > true
>> > >> >> >> >> Running: PerformSCCAction at: 2005/10/7 13:25:6
>> > >> >> >> >> Complete: PerformSCCAction at: 2005/10/7 13:25:6, returned
>> true
>> > >> >> >> >> Running: ActivateLoggingAction at: 2005/10/7 13:25:6
>> > >> >> >> >> Error: Action "ActivateLoggingAction" threw an exception
>> during
>> > >> >> >> >> execution.
>> > >> >> >> >> Error information reported during run:
>> > >> >> >> >> 00D7CFC8Unable to proceed with setup, there was a command
> line
>> > >> > parsing
>> > >> >> >> >> error. : -2146893822
>> > >> >> >> >> Error Code: -2146893822
>> > >> >> >> >> Windows Error Text: Bad Hash.
>> > >> >> >> >>
>> > >> >> >> >> Source File Name: cryptohelper\cryptpassword.cpp
>> > >> >> >> >> Compiler Timestamp: Mon Jul 18 01:10:20 2005
>> > >> >> >> >> Function Name: sqls::CryptPassword::UnprotectString
>> > >> >> >> >> Source Line Number: 311
>> > >> >> >> >>
>> > >> >> >> >> Delay load of action "UploadDrWatsonLogAction" returned
>> nothing.
>> > > No
>> > >> >> >> >> action
>> > >> >> >> >> will occur as a result.
>> > >> >> >> >> Message pump returning: 2148073474
>> > >> >> >> >>
>> > >> >> >> >>
>> > >> >> >> >> -------- END OF OUTPUT ---------------------
>> > >> >> >> >>
>> > >> >> >> >>
>> > >> >> >> >> Trying to work around it, I have tried installing from
> the
>> > >> > command
>> > >> >> >> >> line.
>> > >> >> >> >> This gets much further with setup starting correctly on
>> > >> >> >> >> both
>> > > nodes.
>> > >> > I
>> > >> >> > get
>> > >> >> >> >> as
>> > >> >> >> >> far as installing the actual SQL Server Service instance
> then
>> > >> >> >> >> I'm
>> > >> >> > thrown
>> > >> >> >> >> an
>> > >> >> >> >> error. Summary.log shows:
>> > >> >> >> >>
>> > >> >> >> >>
>> > >> >> >> >> Machine : SERVERA
>> > >> >> >> >> Product : SQL Server Database Services
>> > >> >> >> >> Error : A domain group is missing for one or more
>> > >> > services.
>> > >> >> > To
>> > >> >> >> >> install SQL Server 2005 as a failover cluster, domain
>> > >> >> >> >> groups
>> > >> >> >> >> must
>> > >> >> >> >> be
>> > >> >> >> >> specified for all the clustered services being installed
>> > >> >> >> >> .To
>> > >> > proceed,
>> > >> >> >> >> enter
>> > >> >> >> >> the missing domain group information.
>> > >> >> >> >> The domain group cannot be validated for the service SQL
>> Server.
>> > >> >> >> >> --------------------------------------------------------------------------------
>> > >> >> >> >> Machine : SERVERA
>> > >> >> >> >> Product : SQL Server Database Services
>> > >> >> >> >> Error : A domain group is missing for one or more
>> > >> > services.
>> > >> >> > To
>> > >> >> >> >> install SQL Server 2005 as a failover cluster, domain
>> > >> >> >> >> groups
>> > >> >> >> >> must
>> > >> >> >> >> be
>> > >> >> >> >> specified for all the clustered services being installed
>> > >> >> >> >> .To
>> > >> > proceed,
>> > >> >> >> >> enter
>> > >> >> >> >> the missing domain group information.
>> > >> >> >> >> The domain group cannot be validated for the service SQL
>> Server.
>> > >> >> >> >> --------------------------------------------------------------------------------
>> > >> >> >> >> Machine : SERVERA
>> > >> >> >> >> Product : Microsoft SQL Server 2005
>> > >> >> >> >> Product Version : 9.00.1399.06
>> > >> >> >> >> Install : Failed
>> > >> >> >> >> Log File : C:\Program Files\Microsoft SQL
>> Server\90\Setup
>> > >> >> >> >> Bootstrap\LOG\Files\SQLSetup0014_LON-IMS01A_SQL.log
>> > >> >> >> >> Last Action : Validate_ServiceAccounts
>> > >> >> >> >> Error String : A domain group is missing for one or more
>> > >> > services.
>> > >> >> > To
>> > >> >> >> >> install SQL Server 2005 as a failover cluster, domain
>> > >> >> >> >> groups
>> > >> >> >> >> must
>> > >> >> >> >> be
>> > >> >> >> >> specified for all the clustered services being installed
>> > >> >> >> >> .To
>> > >> > proceed,
>> > >> >> >> >> enter
>> > >> >> >> >> the missing domain group information.
>> > >> >> >> >> The domain group cannot be validated for the service SQL
>> Server.
>> > >> >> >> >> Error Number : 28130
>> > >> >> >> >>
>> > >> >> >> >>
>> > >> >> >> >> --- END OF OUTPUT
>> > >> >> >> >>
>> > >> >> >> >>
>> > >> >> >> >> In the GUI you get asked for Domain Groups for each
>> > >> >> >> >> service,
>> the
>> > >> >> >> >> documentation for the command line installer doesn't tell
>> > >> >> >> >> me
>> > >> >> >> >> what
>> > >> > the
>> > >> >> >> >> parameters are for this. Do I need them, is the
> documentation
>> > >> > missing
>> > >> >> >> >> something?? Also I'm not too sure what the ADMINPASSWORD=
>> > >> >> >> >> parameter
>> > >> >> >> >> is
>> > >> >> >> >> for -
>> > >> >> >> >> I'm putting in my domain password currently - again the
>> > >> > documentation
>> > >> >> >> >> isn't
>> > >> >> >> >> too hot for this.
>> > >> >> >> >>
>> > >> >> >> >> I'm running out of ideas. If anyone has any suggestions
> please
>> > > let
>> > >> > me
>> > >> >> >> >> know!
>> > >> >> >> >>
>> > >> >> >> >> Thanks
>> > >> >> >> >>
>> > >> >> >>
>> > >> >> >>
>> > >> >> >
>> > >> >> >
>> > >> >>
>> > >> >>
>> > >> >
>> > >> >
>> > >>
>> > >>
>> > >
>> > >
>> >
>> >
>>
>>
>
>
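A pre-flight check for the parameter set Simon lists, which catches the "domain group is missing" and "cannot be validated" conditions before setup runs. This is an added example, not part of the original thread or of SQL Server setup; the function names, node names, CORP domain and sample values are constructed, and it assumes ini-style KEY="value" lines as in his post.

```python
import re

# Cluster parameters named in the thread as required but absent from BOL.
GROUP_KEYS = ("SQLCLUSTERGROUP", "AGTCLUSTERGROUP", "FTSCLUSTERGROUP")
ACCOUNT_KEYS = ("SQLBROWSERACCOUNT",)
SECRET_KEYS = ("SQLBROWSERPASSWORD",)

LINE = re.compile(r'^\s*([A-Za-z]+)\s*=\s*"?([^"\r\n]*)"?\s*$')

def parse_params(text):
    """Collect KEY=value pairs; ';' comments and [section] headers are skipped."""
    params = {}
    for line in text.splitlines():
        if line.lstrip().startswith((";", "[")):
            continue
        m = LINE.match(line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip()
    return params

def preflight(text, node_names):
    """Return a list of findings; an empty list means the set looks complete."""
    params = parse_params(text)
    # A principal scoped to a cluster node (or BUILTIN) is machine-local,
    # which is exactly what a failover cluster install cannot use.
    local_scopes = {n.upper() for n in node_names} | {".", "BUILTIN"}
    findings = []
    for key in GROUP_KEYS + ACCOUNT_KEYS:
        value = params.get(key, "")
        domain, sep, name = value.partition("\\")
        if not value:
            findings.append(f"{key}: missing")
        elif not sep or not domain or not name:
            findings.append(f"{key}: not in DOMAIN\\NAME form")
        elif domain.upper() in local_scopes:
            findings.append(f"{key}: machine-local principal, need a domain one")
    for key in SECRET_KEYS:
        if not params.get(key):
            findings.append(f"{key}: missing")
    return findings

# Constructed sample: one group omitted, one pointed at a node-local group.
SAMPLE = r'''
[Options]
SQLBROWSERACCOUNT="CORP\svc-sqlbrowser"
SQLBROWSERPASSWORD="example-only"
SQLCLUSTERGROUP="SERVERA\SQLAdmins"
AGTCLUSTERGROUP="CORP\SQL-Agent-Cluster"
'''

if __name__ == "__main__":
    for finding in preflight(SAMPLE, ["SERVERA", "SERVERB"]):
        print(finding)
```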


.
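Reading the error codes in the core.log excerpt from Simon's first post: the signed "Error Code" and the unsigned "Message pump returning" value are the same 32-bit HRESULT, so the log reports one failure, not two. This is an added example, not part of the original thread; the function names are illustrative, the symbolic names in the lookup tables are the winerror.h names for these values, and the log lines are copied from the post with the newsreader wrapping undone.

```python
import re

# Symbolic names for the values seen in the thread's log; extend as needed.
KNOWN = {0x80090002: "NTE_BAD_HASH"}
FACILITIES = {9: "FACILITY_SSPI"}

CODE_RE = re.compile(
    r"(?:Error Code:|Message pump returning:|error\. :)\s*(-?\d+)")

def to_hresult(n):
    """Fold a signed or unsigned decimal into the 32-bit HRESULT it represents."""
    return n & 0xFFFFFFFF

def decode(hr):
    """Split an HRESULT into severity bit, facility and code fields."""
    facility = (hr >> 16) & 0x7FF
    return {
        "hex": f"0x{hr:08X}",
        "failure": bool(hr >> 31),
        "facility": FACILITIES.get(facility, str(facility)),
        "code": hr & 0xFFFF,
        "name": KNOWN.get(hr, "unknown"),
    }

def triage(log_text):
    """Map each distinct HRESULT (as hex) to the log lines that reported it."""
    seen = {}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for m in CODE_RE.finditer(line):
            seen.setdefault(to_hresult(int(m.group(1))), []).append(lineno)
    return {decode(hr)["hex"]: lines for hr, lines in seen.items()}

# Lines from the core.log excerpt in the post, unwrapped.
CORE_LOG = """\
Error: Action "ParseBootstrapOptionsAction" failed during execution.
Could not decrypt command line due to WinException.
Error Code: -2146893822
Windows Error Text: Bad Hash.
Function Name: sqls::CryptPassword::UnprotectString
00D7CFC8Unable to proceed with setup, there was a command line parsing error. : -2146893822
Message pump returning: 2148073474
"""

if __name__ == "__main__":
    for hex_code, lines in triage(CORE_LOG).items():
        print(hex_code, decode(int(hex_code, 16))["name"], "on lines", lines)
```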


