Microsoft KB Archive/915846

= Best practices that you can use to set up domain groups and solutions to problems that may occur when you set up a domain group when you install a SQL Server 2005 failover cluster =

Article ID: 915846

Article Last Modified on 5/10/2007


APPLIES TO


 * Microsoft SQL Server 2005 Standard Edition
 * Microsoft SQL Server 2005 Developer Edition
 * Microsoft SQL Server 2005 Enterprise Edition




Bug #: 436652 (SQLBUDT)



Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



INTRODUCTION
This article includes information about the following topics when you install a Microsoft SQL Server 2005 failover cluster:
 * Reasons to set up domain groups
 * Best practices that you can use to set up domain groups
 * Solutions to problems when you set up a domain group



Reasons to set up domain groups
When you install a SQL Server 2005 failover cluster, SQL Server 2005 requires domain accounts to start the clustered services. The domain accounts must be added to a domain group.

When you perform a stand-alone installation of SQL Server 2005, SQL Server Setup creates local user groups and then adds the service accounts that you specify to these groups. The Setup program grants permissions for files and folders to these local user groups. Although the Setup program can create local user groups, the local user groups are not visible to another computer in the failover cluster. When the current computer fails over to another computer, permissions that you grant to the local user groups on the current computer are not visible to another computer. Therefore, the Setup program requires that you provide a domain group that is accessible to all computers in the failover cluster. Then you must add the service account to the domain group when you install a SQL Server 2005 cluster. The Domain Groups for Clustered Services page of the SQL Server Installation Wizard will prompt you to enter the domain name and the group name for each clustered service that you are installing. The Setup program will not create local domain groups in the failover cluster. The Setup program only uses the domain group that you specify.

If you want to change your service account on a SQL Server 2005 cluster, make sure that your new service account is in the related domain group.

Guidelines for setting up domain groups
For each clustered service on the instance of SQL Server that you want to install, you have to set the domain name and the group name by using the following format:

\

You must consider the following guidelines when you set the domain name and the group name:
 * The domain name and the group name must already exist. Ask your domain administrator for the names of existing domain names and domain groups, or ask your domain administrator to create domain groups for your failover cluster.
 * The account under which the Setup program is running must have permissions to add accounts to the domain groups. When the service account domain differs from the domain group domain, you must add the account to the domain group before you run the Setup program. You may have to ask a domain administrator to add the account.
 * Each service should have a different domain group assigned to it. You can assign the same domain group to all services. However, the domain group will be less secure.
 * The SQL Server domain groups should not be shared with any other application.
 * Subgroups or child domain groups are not supported. The service account must be in the group that is selected in the SQL Server 2005 Setup program.
 * The domain groups must be within the same domain as the computer accounts.
 * The domain groups can be global domain groups or local domain groups.
 * The following clustered services require one or more domain groups:
 ** SQL Server
 ** SQL Server Agent
 ** Microsoft Full-Text Engine for SQL Server (MSFTESQL)
 ** SQL Server Analysis Services

After you install a SQL Server 2005 failover cluster, you can change the service accounts.

Note SQL Server accounts are not removed from the groups if SQL Server 2005 is uninstalled or if the accounts are changed. A domain administrator must make sure that all unwanted accounts are removed after SQL Server 2005 is uninstalled.
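
The guidelines above and the note about accounts that stay in a group can be checked before Setup runs. The following Python example is added here and is not Microsoft's code: it parses a planned Setup command line and compares it with a snapshot of direct group membership. The CORP names are constructed, the snapshot format (group name mapped to its direct members) is an assumption, and the parameter names are the ones used in this article's Setup commands.

```python
import re
# Account parameter -> domain-group parameter, named as in the article's Setup commands.
PAIRS = {"SQLACCOUNT": "SQLCLUSTERGROUP", "AGTACCOUNT": "AGTCLUSTERGROUP"}

def parse_setup_args(cmdline):
    """Extract NAME=value parameters (values may be double-quoted), upper-cased."""
    found = re.findall(r'(\w+)=("[^"]*"|\S*)', cmdline)
    return {name.upper(): value.strip('"').upper() for name, value in found}

def nested_accounts(group, members, seen):
    """Principals reachable only through groups that are members of `group`."""
    out = set()
    for m in members[group]:
        if m in members and m not in seen:  # m is itself a group
            seen.add(m)
            out |= set(members[m]) | nested_accounts(m, members, seen)
    return out

def check_plan(cmdline, snapshot, computer_domain):
    """Return sorted (severity, parameter, message) findings for a planned install."""
    members = {g.upper(): [m.upper() for m in ms] for g, ms in snapshot.items()}
    params = parse_setup_args(cmdline)
    groups = [v for k, v in params.items() if k.endswith("CLUSTERGROUP")]
    findings = [("warn", k, "group also assigned to another service")
                for k, v in params.items() if k.endswith("CLUSTERGROUP") and groups.count(v) > 1]
    for acct_param, grp_param in PAIRS.items():
        acct, group = params.get(acct_param, ""), params.get(grp_param, "")
        if group not in members:
            findings.append(("error", grp_param, "group does not exist"))
            continue
        if group.split("\\")[0] != computer_domain.upper():
            findings.append(("error", grp_param, "group outside computer-account domain"))
        if acct not in members[group]:
            if acct in nested_accounts(group, members, {group}):
                findings.append(("error", acct_param, "member only via nested group"))
            elif acct.split("\\")[0] != group.split("\\")[0]:
                findings.append(("error", acct_param, "add account to group before Setup"))
            else:
                findings.append(("info", acct_param, "Setup needs rights to add account"))
        extra = sorted(set(members[group]) - {acct})
        if extra:  # shared with something else, or left over from an old install
            findings.append(("warn", grp_param, "other members: " + ", ".join(extra)))
    return sorted(findings)

# Constructed sample: planned command line and a snapshot of direct group members.
SAMPLE_CMD = (r"setup.exe /qn SQLACCOUNT=CORP\svc-sql AGTACCOUNT=CORP\svc-agt "
              r"SQLCLUSTERGROUP=CORP\SQL-Engine AGTCLUSTERGROUP=CORP\SQL-Agent")
SAMPLE_GROUPS = {r"CORP\SQL-Engine": [r"CORP\SQL-Nested", r"CORP\svc-old"],
                 r"CORP\SQL-Nested": [r"CORP\svc-sql"], r"CORP\SQL-Agent": [r"CORP\svc-agt"]}
```

Calling `check_plan(SAMPLE_CMD, SAMPLE_GROUPS, "CORP")` reports the SQL Server account as reachable only through a nested group and lists the other members of its group for review.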

How to change the service account for a clustered service
To change the service account for a clustered service of SQL Server 2005, follow these steps:
 * 1) Add the new service account to the domain group of the clustered service.
 * 2) On one of the cluster nodes, use SQL Server Configuration Manager to change the service account to the new account.

After you install a SQL Server 2005 failover cluster, you cannot directly change the domain groups.

How to change the domain group for a clustered service
To change the domain group for a clustered service, you can uninstall and then reinstall SQL Server 2005. If you do not want to uninstall SQL Server 2005 and you want to keep the system databases, use one of the following methods:

Method 1
 * 1) Restore the SQL Server 2005 Setup media. This example assumes that the Setup program is located in the D:\Servers folder. Locate the D:\Servers folder, and then uninstall SQL Server 2005 by using a Command Prompt window. Set the SAVESYSDB parameter to 1. For example, run a command that resembles the following in a Command Prompt window:

Start /wait D:\Servers\setup.exe /qb VS= INSTANCENAME=  REMOVE=ALL ADMINPASSWORD=  SAVESYSDB=1

Notes The /qb command-line switch enables basic Setup program dialog boxes to appear. Error messages also appear. The VS parameter specifies the name of the virtual server in the cluster environment. The name cannot exceed 15 characters, and it must follow the same naming rules as computer names. The SAVESYSDB parameter instructs the Setup program not to remove the system databases.
 * 2) After you uninstall SQL Server 2005, create new domain groups that you want to use for the new installation in the domain. If you want to change the domain for the new installation, change the domain. Then, create the new domain groups.
 * 3) At the command prompt, install a new SQL Server 2005 cluster by setting the USESYSDB parameter to the root path of the previous SQL Server installation. The root path is defined as the parent folder of the \Data folder. For example, the system databases may be installed to the following location:

D:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf

In this example, the USESYSDB parameter would be set to the following value:

USESYSDB="D:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\"

For example, run a command that resembles the following at the Command Prompt window to reinstall SQL Server 2005:

Start /wait D:\Servers\Setup.exe /qb VS= INSTANCENAME=  USESYSDB="D:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\"

Additionally, you can use the following command to specify domain groups when you use the /qn command-line switch to install SQL Server 2005:

Start /wait D:\Servers\Setup.exe /qn VS= INSTANCENAME=  INSTALLVS=SQL_Engine ADDLOCAL=SQL_Engine ADDNODE=  GROUP=  IP=  ADMINPASSWORD=  SAPWD=  INSTALLSQLDIR=  INSTALLSQLDATADIR=  SQLACCOUNT= \  SQLPASSWORD=  AGTACCOUNT= \  AGTPASSWORD=  SQLBROWSERACCOUNT= \  SQLBROWSERPASSWORD=  SQLCLUSTERGROUP= \  AGTCLUSTERGROUP= \  USESYSDB="D:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\"

Note The /qn command-line switch suppresses all Setup program dialog boxes and error messages. If you use the /qn command-line switch, all Setup program messages, including error messages, are written to the SQL Server Setup log files.

Method 2
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
 * 1) Install SQL Server 2005 Service Pack 2 (SP2).
 * 2) In Registry Editor, locate the following registry subkey:

Note  represents the corresponding value for the system. To determine the corresponding value for the system, examine the following registry subkey:

 * 3) Delete the value of the following registry entries if you want to use new domain groups:
 ** AGTGroup
 ** SQLGroup
 ** FTSGroup

Note In step 8, you specify the new domain groups for these groups in the command.
 * 4) Set the value of the Resume registry entry to 1.
 * 5) In Registry Editor, locate the following registry subkey:

Note  represents the corresponding value for the system. To determine the corresponding value for the system, examine the following registry subkey:

 * 6) Delete the value of the ASGroup registry entry if you want to use a new domain group.

Note In step 8, you specify the new domain group for the Analysis Services cluster group in the command.
 * 7) Repeat steps 1-6 on all cluster nodes.
 * 8) At a command prompt, run the following command:

start /wait D:\Servers\setup.exe /qb INSTANCENAME= REINSTALL=ALL REINSTALLMODE=omus SAPWD=  VS=  ADMINPASSWORD=  IP=  GROUP=  SQLCLUSTERGROUP= \  ASCLUSTERGROUP=  \  AGTCLUSTERGROUP=  \  FTSCLUSTERGROUP= \

Additional considerations

 * If you try to install SQL Server 2005 on a Microsoft Windows 2000 Server-based computer, make sure that you create the domain group and add the service account user to the domain group before you run the Setup program.
 * Installing SQL Server 2005 cluster on a domain controller is not supported.
 * Running SQL Server 2005 cluster Setup in repair mode does not enable a user to change domain groups.

Symptoms
When you specify a domain group for the clustered services on the Domain Groups for Clustered Services page of the Microsoft SQL Server 2005 Installation Wizard, you receive the following error message:

You do not have privileges to add accounts to the domain groups specified for this failover cluster. Ask your domain administrator for privileges to add new accounts to the domain groups, or log on using an account that does have permission.

The domain group cannot be validated for the service <ServiceName> Search.

This problem occurs if the following conditions are true:
 * There are two domains from different forests. Suppose the names of the domains are  and , respectively.
 * There is a mutual trust relationship between these domains.
 * You are a user that is created in.
 * You are a member of the Administrators group in.
 * You are not a member in the domain group in.

Note The domain group is the one that you specify for the clustered services on the Domain Groups for Clustered Services page.
 * You install SQL Server 2005 on a cluster node in.

Workaround
To work around this problem, follow these steps:
 * 1) On the cluster node where you installed SQL Server 2005, click Start, click Run, type dsa.msc, and then click OK.
 * 2) In the Active Directory Users and Computers window, add the user account that you use to log on to Microsoft Windows to the domain group.

Note The domain group that is mentioned in this step is the one that you want to specify for the clustered services on the Domain Groups for Clustered Services page.
 * 3) Start the installation of SQL Server 2005.

<div class="references_section">