6/17/2018 Installing SQL Server on a Domain Controller – SAMOSQL

SAMOSQL

SQL Server Blogs and more…

Installing SQL Server on a Domain Controller

INSTALLING SQL SERVER ON A DOMAIN CONTROLLER

You may encounter problems when installing SQL Server on a domain controller –
h!ps://support.microsoft.com/en-us/kb/2032911
Summary
It is not recommended to install SQL Server on a domain controller. There are specific security
restrictions when running SQL Server in this configuration and given the resource demands of a
domain controller, SQL Server performance may be degraded. Furthermore, SQL Server is not
supported on a read-only domain controller. Setup will normally fail. Even if you find methods
to work around the problem with setup, SQL Server is not supported on a read-only domain
controller. In addition, SQL Server failover clustering is not supported to install on a domain
controller.

https://samosql.com/2016/09/21/install-sql-dc/ 1/13
6/17/2018 Installing SQL Server on a Domain Controller – SAMOSQL

WHY THEN?
Not all customers have a huge budget for IT to have dedicated servers and resources to handle
multiple processes and applications. You would see small business where one server plays
multiple roles as the DC, SQL Server, Application Server, and etc.
We do not recommend this type of infrastructure since there is a single point of failure for the
entire system. Also security restrictions can be breached or conflicts can occur in the
setup/implementation of all these applications on the same server.

Installing SQL Server on a Domain Controller

For security reasons, Microsoft recommends that you do not install SQL Server on a domain
controller. SQL Server Setup will not block installation on a computer that is a domain
controller, but the following limitations apply:
• ONLY on Windows Server 2003 (which we do not support anymore), SQL Server services can
run under a domain account or a local system account.
• You cannot run SQL Server services on a domain controller under a local service account or a
network service account.
• After SQL Server is installed on a computer, you cannot change the computer from a domain
member to a domain controller. You must uninstall SQL Server before you change the host
computer to a domain controller.
• After SQL Server is installed on a computer, you cannot change the computer from a domain
controller to a domain member. You must uninstall SQL Server before you change the host
computer to a domain member.
• SQL Server failover cluster instances are not supported where cluster nodes are domain
controllers.
• SQL Server Setup cannot create security groups or provision SQL Server service accounts on a
read-only domain controller. In this scenario, Setup will fail.

https://samosql.com/2016/09/21/install-sql-dc/ 2/13
6/17/2018 Installing SQL Server on a Domain Controller – SAMOSQL

WHERE DO I GO FROM HERE?

+To find more details and pin point exactly where setup failed – These files would help you.
*Detail.txt
*Summary.txt
FilePath Location: C:\Program Files\Microsoft SQL Server\110\Setup
Bootstrap\Log\20160517_142927
NOTE: This location could vary based on what drive that you are installing SQL Server on.
However, the highlighted portion of the file path would most likely be the same except that the
SQL version would change. For example; in my demonstration, SQL 2012 would be in a folder
named 110. The table lists the version of SQL at the RTM level for reference purposes.

Version RTM (Gold, no SP)

SQL Server 2016
13.0.1601.5 13.0.1601.5
codename ?
SQL Server 2014
12.0.2000.8 12.00.2000.8
codename SQL14
SQL Server 2012
11.0.2100.60 11.00.2100.60
codename Denali
SQL Server 2008 R2
10.50.1600.1
codename Kilimanjaro
SQL Server 2008
10.0.1600.22 10.00.1600.22
codename Katmai
SQL Server 2005
9.0.1399.06 9.00.1399.06
codename Yukon

https://samosql.com/2016/09/21/install-sql-dc/ 3/13
6/17/2018 Installing SQL Server on a Domain Controller – SAMOSQL

SQL Server 2000

8.0.194 8.00.194
codename Shiloh
SQL Server 7.0
7.0.623
codename Sphinx
>>Below is a sample Detail.txt and Summary.txt files and the errors associated with the failed
setup. You would mostly find the same error log entries in your files.
Detail.txt
(01) 2016-05-17 22:01:18 Slp: Configuration action failed for feature SQL_Engine_Core_Inst
during timing ConfigRC and scenario ConfigRC.
(01) 2016-05-17 22:01:18 Slp: Wait on the Database Engine recovery handle failed. Check the SQL
Server error log for potential causes.
(01) 2016-05-17 22:01:18 Slp: The configuration failure category of current exception is
ConfigurationFailure
(01) 2016-05-17 22:01:18 Slp: Configuration action failed for feature SQL_Engine_Core_Inst
during timing ConfigRC and scenario ConfigRC.
(01) 2016-05-17 22:01:18 Slp:
Microsoft.SqlServer.Configuration.SqlEngine.SqlEngineConfigException: Wait on the Database
Engine recovery handle failed. Check the SQL Server error log for potential causes.
(01) 2016-05-17 22:01:18 Slp: at
Microsoft.SqlServer.Configuration.SqlEngine.SqlServerServiceBase.WaitSqlServerStart(Process
processSql)
(01) 2016-05-17 22:01:18 Slp: at
Microsoft.SqlServer.Configuration.SqlEngine.SqlServerServiceSCM.StartSqlServer(String[]
parameters)
(01) 2016-05-17 22:01:18 Slp: at
Microsoft.SqlServer.Configuration.SqlEngine.SqlEngineDBStartConfig.ConfigSQLServerSystem
Databases(EffectiveProperties properties, Boolean isConfiguringTemplateDBs, Boolean
useInstallInputs)
(01) 2016-05-17 22:01:18 Slp: at
Microsoft.SqlServer.Configuration.SqlEngine.SqlEngineDBStartConfig.DoCommonDBStartCon
fig(ConfigActionTiming timing)
(01) 2016-05-17 22:01:18 Slp: at
Microsoft.SqlServer.Configuration.SqlConfigBase.SlpConfigAction.ExecuteAction(String
actionId)
(01) 2016-05-17 22:01:18 Slp: at
Microsoft.SqlServer.Configuration.SqlConfigBase.SlpConfigAction.Execute(String actionId,
TextWriter errorStream)
(01) 2016-05-17 22:01:18 Slp: The following is an exception stack listing the exceptions in
outermost to innermost order
(01) 2016-05-17 22:01:18 Slp: Inner exceptions are being indented
(01) 2016-05-17 22:01:18 Slp:
(01) 2016-05-17 22:01:18 Slp: Exception type:
Microsoft.SqlServer.Configuration.SqlEngine.SqlEngineConfigException
(01) 2016-05-17 22:01:18 Slp: Message:
(01) 2016-05-17 22:01:18 Slp: Wait on the Database Engine recovery handle failed. Check the SQL
Server error log for potential causes.
(01) 2016-05-17 22:01:18 Slp: HResult : 0x851a001a
(01) 2016-05-17 22:01:18 Slp: FacilityCode : 1306 (51a)
https://samosql.com/2016/09/21/install-sql-dc/ 4/13
6/17/2018 Installing SQL Server on a Domain Controller – SAMOSQL

(01) 2016-05-17 22:01:18 Slp: ErrorCode : 26 (001a)

(01) 2016-05-17 22:01:18 Slp: Data:
(01) 2016-05-17 22:01:18 Slp: SQL.Setup.FailureCategory = ConfigurationFailure
(01) 2016-05-17 22:01:18 Slp: WatsonConfigActionData =
INSTALL@CONFIGRC@SQL_ENGINE_CORE_INST
(01) 2016-05-17 22:01:18 Slp: WatsonExceptionFeatureIdsActionData = System.String[]
(01) 2016-05-17 22:01:18 Slp: Stack:
(01) 2016-05-17 22:01:18 Slp: at
Microsoft.SqlServer.Configuration.SqlEngine.SqlServerServiceBase.WaitSqlServerStart(Process
processSql)
(01) 2016-05-17 22:01:18 Slp: at
Microsoft.SqlServer.Configuration.SqlEngine.SqlServerServiceSCM.StartSqlServer(String[]
parameters)
(01) 2016-05-17 22:01:18 Slp: at
Microsoft.SqlServer.Configuration.SqlEngine.SqlEngineDBStartConfig.ConfigSQLServerSystem
Databases(EffectiveProperties properties, Boolean isConfiguringTemplateDBs, Boolean
useInstallInputs)
(01) 2016-05-17 22:01:18 Slp: at
Microsoft.SqlServer.Configuration.SqlEngine.SqlEngineDBStartConfig.DoCommonDBStartCon
fig(ConfigActionTiming timing)
(01) 2016-05-17 22:01:18 Slp: at
Microsoft.SqlServer.Configuration.SqlConfigBase.SlpConfigAction.ExecuteAction(String
actionId)
(01) 2016-05-17 22:01:18 Slp: at
Microsoft.SqlServer.Configuration.SqlConfigBase.SlpConfigAction.Execute(String actionId,
TextWriter errorStream)
(01) 2016-05-17 22:01:18 Slp: Watson Bucket 1
Original Parameter Values

(01) 2016-05-17 22:03:30 Slp: Error result: -2061893606

(01) 2016-05-17 22:03:30 Slp: Result facility code: 1306
(01) 2016-05-17 22:03:30 Slp: Result error code: 26

Summary.txt
Overall summary:
Final result: Failed: see details below
Exit code (Decimal): -2061893606
Start time: 2016-05-17 21:47:29
End time: 2016-05-17 22:03:24
Requested action: Install

Setup completed with required actions for features.

Troubleshooting information for those features:
Next step for RS: Use the following information to resolve the error, uninstall this feature, and
then run the setup process again.
Next step for SQLEngine: Use the following information to resolve the error, uninstall this
feature, and then run the setup process again.

https://samosql.com/2016/09/21/install-sql-dc/ 5/13
6/17/2018 Installing SQL Server on a Domain Controller – SAMOSQL

Feature: Reporting Services – Native

Status: Failed: see logs for details
Reason for failure: An error occurred for a dependency of the feature causing the setup process
for the feature to fail.
Next Step: Use the following information to resolve the error, uninstall this feature, and then
run the setup process again.
Component name: SQL Server Database Engine Services Instance Features
Component error code: 0x851A001A
Error description: Wait on the Database Engine recovery handle failed. Check the SQL Server
error log for potential causes.
Error help link: h!p://go.microsoft.com/fwlink?
LinkId=20476&ProdName=Microsoft+SQL+Server&EvtSrc=setup.rll&EvtID=50000&ProdVer=11.
0.6020.0&EvtType=0xD15B4EB2%400x4BDAF9BA%401306%4026&EvtType=0xD15B4EB2%400x
4BDAF9BA%401306%4026

Feature: Database Engine Services

Status: Failed: see logs for details
Reason for failure: An error occurred during the setup process of the feature.
Next Step: Use the following information to resolve the error, uninstall this feature, and then
run the setup process again.
Component name: SQL Server Database Engine Services Instance Features
Component error code: 0x851A001A
Error description: Wait on the Database Engine recovery handle failed. Check the SQL Server
error log for potential causes.
Error help link: h!p://go.microsoft.com/fwlink?
LinkId=20476&ProdName=Microsoft+SQL+Server&EvtSrc=setup.rll&EvtID=50000&ProdVer=11.
0.6020.0&EvtType=0xD15B4EB2%400x4BDAF9BA%401306%4026&EvtType=0xD15B4EB2%400x
4BDAF9BA%401306%4026

Feature: Integration Services

Status: Passed
Feature: Data Quality Client
Status: Passed

Feature: SQL Writer

Status: Passed

Feature: SQL Browser

Status: Passed

THE FIX
+As noted for why we do the recommend this type of setup; you should by now know that the
resolution for the encountered error would have to do with PERMISSIONS.
++Setup user account: Domain Account and its part local admin group
+check whoami /all for privileges

https://samosql.com/2016/09/21/install-sql-dc/ 6/13
6/17/2018 Installing SQL Server on a Domain Controller – SAMOSQL

>>Go to Local Security Policies – Local Policies – User Rights Assignment

>>Check to make sure privileges listed below are assigned SQL Setup user or the group it
belongs to.
1. Act as Part of the Operating System
2. Bypass Traverse Checking
3. Log on as Batch Job
4. Log on as Service
5. Replace a Process Level Token
6. Debug Programs
7. Backup files and directories
8. Restore files and directories
>>Turn off UAC
>>Check to see Default domain policies are defined
Opened Group policy Management > Edit Default Domain controller Policies.

https://samosql.com/2016/09/21/install-sql-dc/ 7/13
6/17/2018 Installing SQL Server on a Domain Controller – SAMOSQL

>Under the Edit Dialog Box -Expand Policies > Windows Se!ings > Security Se!ings > User
Rights Assignment and define the SQL Setup account to the same policies:
1. Act as Part of the Operating System**
2. Bypass Traverse Checking**
3. Log on as Batch Job
4. Log on as Service
5. Replace a Process Level Token
6. Debug Programs
7. Backup files and directories
8. Restore files and directories

NOTE: ** Once you completed the installation successfully, you might want to remove the SQL
setup account from the policies indicated above. This is for security reasons and prevent issues
like defining traverse checking on the domain.

>>Run a gpupdate /force from CMD using elevated privileges

>>Uninstall the
previous version of the failed Setup. No need to repair and try to troubleshoot to fix error.
>>Reboot the Server (HIGHLY RECOMMENDED)
>>Log on to the Server with the SQL Setup user account
>>Run a new installation of media using elevated privileges
>>Set SQL Server Service account as Windows domain user accounts during the Server
Configuration step.
SQL Server service accounts should run as Windows domain user accounts. It is also possible to
install SQL Server service accounts to run as Local System, but this option is NOT
recommended.
NOTE: You cannot run SQL Server services on a domain controller under a local service account
or a network service account.

https://samosql.com/2016/09/21/install-sql-dc/ 8/13
6/17/2018 Installing SQL Server on a Domain Controller – SAMOSQL

>SQL Server Setup should complete successfully with no issues

ADDITIONAL LINKS AND REFERENCES

h!ps://msdn.microsoft.com/en-us/library/ms143506(v=sql.100).aspx#DC_Support – Hardware
and Software Requirements for Installing SQL Server 2008
h!ps://msdn.microsoft.com/en-us/library/ms143506(v=sql.110).aspx – Hardware and Software
Requirements for Installing SQL Server 2012
h!ps://blogs.technet.microsoft.com/mdegre/2011/06/25/can-i-install-sql-server-on-a-domain-
controller/ – Can I install SQL Server on a domain controller?

https://samosql.com/2016/09/21/install-sql-dc/ 9/13
6/17/2018 Installing SQL Server on a Domain Controller – SAMOSQL

Published by samosql

• View all posts by samosql

• September 21, 2016

SQL Setup

13 thoughts on “Installing SQL Server on a

Domain Controller”

1. Onye Somi
says:
October 21, 2016 at 1:52 pm
Very informative. Thank you sir

2. Nick
says:
October 29, 2016 at 9:37 pm
You mention performance issues if installing on a DC. Are there any recommendations for
improving performance for a SQL Server installed on a DC?

1. gaoussou bagate
says:
November 24, 2016 at 1:48 pm
Hi Nick,
Unfortunately, there is no way to improve the performance. What we mean here is that
SQL server and Windows Active directory will share server resources all together. if you
have a busy Domain controller with a DNS role for example which handle multiple
connection requests as SQL server, you could face connection timeout in this case. And
don’t forget the security risk. This is why it is always good to have dedicated servers : 1
server for your DC, 1 server for application ,1 server for databases.
Gaoussou Bagate.

https://samosql.com/2016/09/21/install-sql-dc/ 10/13
6/17/2018 Installing SQL Server on a Domain Controller – SAMOSQL

3. Marcel Stolle
says:
November 16, 2016 at 5:03 am
Not bad

4. Kyssling
says:
February 13, 2017 at 9:07 am
Hello,

I installed SQL Server 2016 Standard on the domain controller Windows Server 2012 R2.
Services Engine and Agent now I run as Local System.

It is possible to use your manual tip after installing SQL Server?

So create user SQLEngine and add them permissions and then assign this user to login
service ?

Will it be enough or do I even set file permissions to folders, SQL SERVER

(Which is created during classic installation).

Thank you very much for your answer !

Vaclav

1. samosql
says:
February 13, 2017 at 6:37 pm
Hi Kyssling,

I tried and tested your scenario on Windows Server 2012 R2 and it worked successfully.
You just need to make sure the SQL Service account you are using is part of the
administrators group and assign the necessary privileges in the post. Your SQL Service
would restart and run successfully with this new account.
NOTE: Giving the service account admin privileges would provide it read/write
permissions to the default SQL folders. In some rare scenarios, you would have to
explicitly provide permissions to drive/network share folders that the SQL instance uses.
This part is per your environment setup.

Thanks and HTH

5. Kyssling
says:
February 14, 2017 at 7:29 am
Hello,

thank you very much for your answer !

I would avoid adding User SQLEngine to the Administrator group.
I want add this service user only to group USERS\Domain.

https://samosql.com/2016/09/21/install-sql-dc/ 11/13
6/17/2018 Installing SQL Server on a Domain Controller – SAMOSQL

You have you tried it before? If I want it I’ll have to adjust

manually file permissions to the SQL Server ?

1. samosql
says:
February 20, 2017 at 12:58 pm
Sorry for the late response I was caught up with some consultation work. I just tested
out your request and YES it worked as well as long as you set the permissions right to
access the required files and services.
I have SQL Server Service on my DC running under an account I called
(SAMOSQL\Nonadmin) in my test lab who is only part of the Domain Users Group.
Please let me know if you have questions or suggestions.
Thank you and HTH

1. kyssling
says:
February 24, 2017 at 9:29 am
Hello, I tried and works perfectly. Thank you for your help.
Can I please have to ask two more questions (last i promise )
Is standard (or necessary for small company) deploy for authentication using SQL –
SSL for be!er security ?
If I had understood correctly Kerberos is used only if used Windows Authentication
…

2. samosql
says:
February 28, 2017 at 3:42 pm
I am glad it worked and you are welcome! Your question about security is very
interesting and a good topic to blog on. I am currently writing up a blog which would
address your questions and even more. I will update you once I publish the blog. In
the meantime, SQL by default creates SSL encryption (128 bit) which is overall
secured. When you want to implement Kerberos then you would be looking into
se!ing up SPN’s. Note however if the Kerberos handshake fails, Windows will
automatically fallback to the default NTLM. I will elaborate more in my blog i
promise. Finally feel free to ask more questions.. I always appreciate great discussions
like this. Cheers!

6. Rick
says:
May 3, 2017 at 9:27 pm
Did something change with SQL 2016 SP1? I tried installing it on Server 2016 (maybe that’s
why?) DC, but there were no errors, and all services are running.

The various services run under a variety of account types: NT Service\MSSQLSERVER, NT

Service\SQLSERVERAGENT, Local Service, NT Service\SQLTELEMETRY, NT
Service\ReportServer.

1. samosql

https://samosql.com/2016/09/21/install-sql-dc/ 12/13
6/17/2018 Installing SQL Server on a Domain Controller – SAMOSQL

says:
May 12, 2017 at 4:25 pm
Great finding with the new Windows Server 2016. Check out this official documentation
on Microsoft’s BOL for SQL Server 2016 – h!ps://docs.microsoft.com/en-us/sql/sql-
server/install/hardware-and-software-requirements-for-installing-sql-server

It mentions that as long as the SQL Server Service account is not running under Local
Service then it should work. Looks like yours is running under the default Service
Account that is created during the installation.

This should work even for SQL Server 2016 RTM on Windows Server 2016 Writable DC. I
will test it out myself with different scenarios and update you with my findings.

1. Rick
says:
May 15, 2017 at 9:20 am
That part of the documentation though is just a copy and paste of 2012’s (and maybe
2012’s of 2008’s, I didn’t check), so what they’re saying hasn’t changed.

But the default install of 2016 does have SQL Server Browser (and maybe more in a
fuller install) under Local Service. No complaints from Setup, and it works.

UP ↑

https://samosql.com/2016/09/21/install-sql-dc/ 13/13