Channel: SQL Archives - SQL Authority with Pinal Dave

SQL SERVER – Startup Issue – Unable to Use Domain Account as Service Account When Read Only Domain Controller (RODC) is Involved


Recently, one of my clients was trying to troubleshoot the error below, which they were getting while trying to start the SQL Server service under the domain account. The interesting thing they told me was that they are using a Read Only Domain Controller (RODC), which I have heard of earlier as well. Initially, they told me that they had an issue with installation when the service account was used, so they used the LocalSystem account and installed SQL Server. But now, as per company standards, they need to use a domain account as the service account.


I asked them to share the ERRORLOG with me. Here is a link explaining how you can find the error log location: SQL SERVER – Where is ERRORLOG? Various Ways to Find ERRORLOG Location

Here are the errors which I found in the error log.

2017-06-12 11:55:21.46 spid10s Unable to initialize SSL encryption because a valid certificate could not be found, and it is not possible to create a self-signed certificate.
2017-06-12 11:55:21.46 spid10s Error: 17182, Severity: 16, State: 1.
2017-06-12 11:55:21.46 spid10s TDSSNIClient initialization failed with error 0x80092004, status code 0x80. Reason: Unable to initialize SSL support. Cannot find object or property.
2017-06-12 11:55:21.46 spid10s Error: 17182, Severity: 16, State: 1.
2017-06-12 11:55:21.46 spid10s TDSSNIClient initialization failed with error 0x80092004, status code 0x1. Reason: Initialization failed with an infrastructure error. Check for previous errors. Cannot find object or property.
2017-06-12 11:55:21.46 spid10s Error: 17826, Severity: 18, State: 3.
2017-06-12 11:55:21.46 spid10s Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.
2017-06-12 11:55:21.46 spid10s Error: 17120, Severity: 16, State: 1.
2017-06-12 11:55:21.46 spid10s SQL Server could not spawn FRunCommunicationsManager thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.

WORKAROUND/SOLUTION

Based on my research with SQL Server, RODC and encryption, I found that this has been reported by many clients on various forums and, as per them, it started after the installation of KB 2992611 or KB 3000850. To work around this issue, you will need to make the following registry change.

We need to create the following registry value:

  • Path: HKLM\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb
  • Name: ProtectionPolicy
  • Value: 1 (DWORD)
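
The registry change above as a guarded PowerShell function, which first checks an ERRORLOG for the 0x80092004 signature shown earlier and reports the value before and after. This is an added example, not code from the original post; the function name `Set-DpapiProtectionPolicy` and its `-ErrorLogPath` parameter are hypothetical, and the log path in the usage comments is a placeholder.

```powershell
# Added example (not from the original post). Run elevated on the SQL Server host.
# Set-DpapiProtectionPolicy and -ErrorLogPath are hypothetical names.
function Set-DpapiProtectionPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Optional: path to the instance ERRORLOG, to confirm the symptom first.
        [string]$ErrorLogPath
    )

    $keyPath   = 'HKLM:\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb'
    $valueName = 'ProtectionPolicy'

    # 1. Only proceed if the log shows the failure this post describes.
    if ($ErrorLogPath) {
        $signature = 'TDSSNIClient initialization failed with error 0x80092004'
        $hits = @(Select-String -Path $ErrorLogPath -Pattern $signature -SimpleMatch)
        if ($hits.Count -eq 0) {
            Write-Warning "Signature not found in $ErrorLogPath; leaving the registry untouched."
            return
        }
        Write-Verbose "Found $($hits.Count) matching ERRORLOG line(s)."
    }

    # 2. Record the current state so the change can be reverted.
    $before = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

    # 3. Create the DWORD only when it is missing or different.
    #    Note: this value changes how DPAPI backs up master keys (locally rather
    #    than via a domain controller), so log the change in your change record.
    if ($before -ne 1 -and $PSCmdlet.ShouldProcess($keyPath, "Set $valueName = 1 (DWORD)")) {
        if (-not (Test-Path -Path $keyPath)) {
            New-Item -Path $keyPath -Force | Out-Null
        }
        New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # 4. Read back and report.
    $after = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    [pscustomobject]@{ Key = $keyPath; Name = $valueName; Before = $before; After = $after }
}

# Dry run first, then apply:
# Set-DpapiProtectionPolicy -ErrorLogPath 'C:\path\to\ERRORLOG' -WhatIf
# Set-DpapiProtectionPolicy -ErrorLogPath 'C:\path\to\ERRORLOG'
```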

When I searched my own blog history, I found another blog post which talks about the setup issue: SQL SERVER – System. Security. Cryptography. CryptographicException – There Was an Error Generating the XML Document

The solution in that blog is also the same.

Have you encountered the same error on RODC? Please comment and let me know.

Reference: Pinal Dave (https://blog.sqlauthority.com)

First appeared on SQL SERVER – Startup Issue – Unable to Use Domain Account as Service Account When Read Only Domain Controller (RODC) is Involved

