SPN Registration Failure Issue

While I was configuring my lab machine, I observed that SPN registration had failed on one of my servers with the below error.

The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/KRISHNA02.SKGLAB.LOCAL ] for the SQL Server service. Windows return code: 0x2098, state: 15. Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos.

Over the last year, I have worked on this issue multiple times, so when it occurred on my lab machine, I thought of documenting it. Prior to installing SQL Server on my machine, I had created the SPN using the SETSPN tool; however, it seems the registration didn’t work as expected. To begin with, I wanted to check the SPNs currently registered with the SQL Server service account, by executing the command: setspn -l "SKGLAB\SQLSvc-KRISHNA02"


From the above screenshot, I found the SPNs are registered with the service account. As a next step, I need to check whether the SQL Server service account is allowed to register & un-register the SPNs in Active Directory, which is not the default behaviour.

Steps to Follow

Follow the steps mentioned below to allow the SQL Server service account to register the SPN automatically.

  • Open Active Directory Users and Computers, click on View, and select Advanced Features.
  • Open the properties of the service account & go to the Security tab.


  • Click on Advanced tab, click on Add. On the new permission page, select Principal as “Self”, and set Type as “Allow” & Applies to “This object only”, as shown in the below screenshot.


  • From the list of properties available below, select the two properties highlighted below & click OK twice to apply these properties.

a. Read msDS-PrincipalName
b. Write msDS-PrincipalName

  • Stop the SQL Server service & start it again. Open the SQL Server error log, & verify the status of SPN Registration.

2015-03-26 21:58:27.170    Server    SQL Server is attempting to register a Service Principal Name (SPN) for the SQL Server service. Kerberos authentication will not be possible until a SPN is registered for the SQL Server service. This is an informational message. No user action is required.
2015-03-26 21:58:27.190    Server    The SQL Server Network Interface library successfully registered the Service Principal Name (SPN) [ MSSQLSvc/KRISHNA02.SKGLAB.LOCAL ] for the SQL Server service.
2015-03-26 21:58:27.190    Server    The SQL Server Network Interface library successfully registered the Service Principal Name (SPN) [ MSSQLSvc/KRISHNA02.SKGLAB.LOCAL:1433 ] for the SQL Server service.

SPN registration is successful now.
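
To confirm the same thing without reading the log by eye, the SPN messages can be parsed and the latest outcome per SPN reported. This is an added example, not part of the original post; the function name Get-SpnRegistrationEvent is hypothetical, and the sample lines are the messages quoted above with a constructed timestamp on the failure line.

```powershell
# Sample input: the three SPN messages shown in this post. The timestamp on the
# failure line is constructed; the post quotes that message without one.
$sampleLog = @'
2015-03-26 21:40:02.110    Server    The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/KRISHNA02.SKGLAB.LOCAL ] for the SQL Server service. Windows return code: 0x2098, state: 15. Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos.
2015-03-26 21:58:27.190    Server    The SQL Server Network Interface library successfully registered the Service Principal Name (SPN) [ MSSQLSvc/KRISHNA02.SKGLAB.LOCAL ] for the SQL Server service.
2015-03-26 21:58:27.190    Server    The SQL Server Network Interface library successfully registered the Service Principal Name (SPN) [ MSSQLSvc/KRISHNA02.SKGLAB.LOCAL:1433 ] for the SQL Server service.
'@ -split '\r?\n'

function Get-SpnRegistrationEvent {
    param([string[]]$Line)

    # Matches both the success and the failure message; the return code and
    # state are only present on the failure message.
    $pattern = '^(?<When>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+\S+\s+' +
               'The SQL Server Network Interface library ' +
               '(?<Outcome>successfully registered|could not register) ' +
               'the Service Principal Name \(SPN\) \[ (?<Spn>[^\]]+?) \]' +
               '(?:.*?Windows return code: (?<Code>0x[0-9A-Fa-f]+), state: (?<State>\d+))?'

    foreach ($l in $Line) {
        $m = [regex]::Match($l, $pattern)
        if (-not $m.Success) { continue }
        [pscustomobject]@{
            When       = [datetime]$m.Groups['When'].Value
            Spn        = $m.Groups['Spn'].Value
            Registered = $m.Groups['Outcome'].Value -eq 'successfully registered'
            ReturnCode = $m.Groups['Code'].Value
            State      = $m.Groups['State'].Value
        }
    }
}

# Keep only the most recent event for each SPN. An SPN whose latest event is a
# failure means integrated authentication may use NTLM instead of Kerberos.
$latest = Get-SpnRegistrationEvent -Line $sampleLog |
    Group-Object Spn |
    ForEach-Object { $_.Group | Sort-Object When | Select-Object -Last 1 }

$latest | Format-Table Spn, Registered, When, ReturnCode -AutoSize

$failed = @($latest | Where-Object { -not $_.Registered })
if ($failed.Count) {
    Write-Warning "SPN not registered: $($failed.Spn -join ', ')"
}
```

With the sample lines, both SPNs report Registered = True because the later success supersedes the earlier failure for MSSQLSvc/KRISHNA02.SKGLAB.LOCAL.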

Happy Learning :) !!!


Setup LAB: 03 Installation of SQL Server 2012

In this post, I will start with the SQL Server 2012 installation. Prior to that, I will create an OU named TestLAB in AD, which will contain all the service accounts, lab users, and servers. Apart from that, I will also install the management tools for Active Directory. The below set of scripts will install the AD management tools & create the OU & its sub-OUs.

# Install the Active Directory Tools
Install-WindowsFeature RSAT-ADDS -IncludeAllSubFeature -IncludeManagementTools
# Import Module Active Directory
Import-Module ActiveDirectory
# Create a new OU named TestLAB
New-ADOrganizationalUnit -Name "TestLAB" -Server "Win12DC01" -Verbose
# Create sub-OU ServiceAccounts inside the TestLAB OU
New-ADOrganizationalUnit "ServiceAccounts" -Path "OU=TestLAB,DC=SKGLAB,DC=LOCAL" -Description "Lists all Service Accounts" -Verbose
# Create sub-OU TestServers inside the TestLAB OU
New-ADOrganizationalUnit "TestServers" -Path "OU=TestLAB,DC=SKGLAB,DC=LOCAL" -Description "Lists Test Servers" -Verbose
# Create sub-OU LABUsers inside the TestLAB OU
New-ADOrganizationalUnit "LABUsers" -Path "OU=TestLAB,DC=SKGLAB,DC=LOCAL" -Description "Lists LAB Users" -Verbose

Now that I have created all the OUs, I am going to create the service accounts for the SQL Server installation, along with a group for DBAs & a user account for the SQL Server installation.

# Create a Windows group for the LAB administrators
New-ADGroup -Name "BLRDBA" -Path "OU=LABUsers,OU=TestLAB,DC=SKGLAB,DC=LOCAL" -Description "Members of SQL DBAs" `
-GroupScope DomainLocal -GroupCategory Security -Verbose
# Create a Windows User account
$password = Read-Host ("Enter the password") -AsSecureString
New-ADUser -Name skganguly -GivenName Sudeepta -Surname Ganguly -DisplayName "Sudeepta Ganguly" -SamAccountName "skganguly" `
-Path "OU=LABUsers,OU=TestLAB,DC=SKGLAB,DC=LOCAL" -ChangePasswordAtLogon $false -CannotChangePassword $true `
-Description "MS SQL Server DBA" -PasswordNeverExpires $true -AccountPassword $password -enabled $true -Verbose
# Create a service account for SQL Server 2012 installation
$password = Read-Host ("Enter the password") -AsSecureString
New-ADUser -Name SQLSvc-SQL2012 -GivenName SQLSvc-SQL2012 -Surname SQLSvc-SQL2012 -DisplayName "SQLSvc-SQL2012" -SamAccountName "SQLSvc-SQL2012" `
-Path "OU=ServiceAccounts,OU=TestLAB,DC=SKGLAB,DC=LOCAL" -ChangePasswordAtLogon $false -CannotChangePassword $true `
-Description "SQL Server 2012 Service account" -PasswordNeverExpires $true -AccountPassword $password -enabled $true -Verbose

Configure the VM for SQL Server Installation

Once the VM was started, I added an additional VHD to the VM, where the SQL binaries will be installed. I added the newly created VM to the SKGLAB domain & added the SKGLAB\BLRDBA group as a member of the local Administrators group on the server. The user account SKGLAB\skganguly is a member of the BLRDBA group. I am going to use this user account to install SQL Server 2012 on this server.

Configure Local Policies

Open Server Manager, go to Tools, and click on Local Security Policy. Expand Local Policies and select User Rights Assignment. From the list of available policies, add the SQL Server service account to the below two policies as shown in the screenshot.

  • Lock pages in memory
  • Perform Volume Maintenance tasks


Configure SPN for SQL Service Account

Once the local policies are configured, next we are going to configure the SPN for the SQL Server service account. I am going to create the below two SPNs on this server.  



Once the SPN is configured, I can verify it by executing the below command. The desired result is shown in the below screenshot.



Now, I will start the SQL Server 2012 installation.

Installing SQL Server 2012

I am going to use the below script to complete the SQL Server 2012 installation. I have modified an existing configuration file to complete this installation. The SQL Server media is mounted on the CD-ROM drive of the VM. Update the passwords for sa & the service accounts, and run the below script to start the SQL Server installation.

#  SQL Server 2012 Setup Command  #

# During the installation, the SQL Server media is mounted on Drive D:

# The Base Command for unattended installation of SQL Server 2012

# Define Variables
$SetupLocation = "D:\Setup.exe"
# Provide the Database Engine Service Account Password
$SQLSVCPASSWORD = "xxxxxxxx"
# Provide the SQL Agent Service Account Password
$AGTSVCPASSWORD = "xxxxxxxx"
# Provide the SA Password
$SAPWD = "xxxxxxxx"
$ConfigFileLocation = "c:\TEMP\SQLConfig.ini"

# Change the current folder location to C:\Temp
Set-Location "c:\TEMP"

# To start the SQL Server Installation
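
The script above keeps the three passwords as plain text in the file. The following added example (not from the original post) prompts for them at run time and passes them to Setup.exe without writing them to disk. It assumes the configuration file sets the quiet mode and everything except the secrets; ConvertTo-PlainText is a hypothetical helper name.

```powershell
$SetupLocation      = "D:\Setup.exe"           # from the post
$ConfigFileLocation = "c:\TEMP\SQLConfig.ini"  # from the post

# Hypothetical helper: turn a SecureString back into text only at the moment it
# is handed to Setup.exe, and zero the unmanaged copy afterwards.
function ConvertTo-PlainText {
    param([Parameter(Mandatory)][System.Security.SecureString]$Secure)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Prompt for each secret; the hashtable keys are the Setup.exe parameter names.
$secrets = [ordered]@{
    SQLSVCPASSWORD = Read-Host "Database Engine service account password" -AsSecureString
    AGTSVCPASSWORD = Read-Host "SQL Agent service account password" -AsSecureString
    SAPWD          = Read-Host "sa password" -AsSecureString
}

# Assumption: QUIET/QUIETSIMPLE and all other settings live in the .ini file.
$setupArgs = @("/ConfigurationFile=`"$ConfigFileLocation`"", "/IACCEPTSQLSERVERLICENSETERMS")
foreach ($name in $secrets.Keys) {
    # Quoted so that passwords containing spaces survive argument splitting;
    # a password containing a double quote would still need escaping.
    $setupArgs += "/$name=`"$(ConvertTo-PlainText $secrets[$name])`""
}

try {
    # The passwords are visible in the process command line while Setup runs,
    # and process-creation auditing with command-line logging will record them.
    $setup = Start-Process -FilePath $SetupLocation -ArgumentList $setupArgs -Wait -PassThru

    # 0 = success, 3010 = success but a reboot is required.
    if ($setup.ExitCode -notin 0, 3010) {
        throw "SQL Server setup failed with exit code $($setup.ExitCode)"
    }
}
finally {
    # Drops the references; it does not scrub the strings from memory.
    Remove-Variable setupArgs, secrets
}
```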

The configuration file used during this installation can be found here. The installation of SQL Server 2012 completed successfully. I am going to build two more servers with the same configuration and complete the SQL Server installation.

Happy Learning :) !!!


Setup LAB: 02 Install & Configure a Domain Controller

In the previous post, I installed Windows Server 2012 evaluation on a virtual machine & added Dot Net Framework 3.5. In this post, let’s start with the domain controller installation from a copy of the pre-installed VHD. I created a VM from the copy of the VHD file, which I created earlier. I have attached a network adapter to the virtual machine & assigned it the IP address (with Subnet mask as

Install the Active Directory Domain Services

We can use Add Roles and Features option from Server Manager to add Active Directory Domain Services on this server; however, to simplify the installation process, I am going to use the Windows PowerShell script to complete this installation. This script can be generated as part of AD DS deployment using Add Roles and Features tool.

Right-click on the PowerShell icon, and select Run ISE as Administrator to start the PowerShell ISE.


Copy the below script to a new script window & modify the parameters as required. Once all the required parameters are modified, execute the script by pressing the F5 button on your keyboard.

# To set the script execution as RemoteSigned
Set-ExecutionPolicy RemoteSigned
# Install the Server Role Active Directory Domain Services
Install-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -Restart

# Windows PowerShell script for AD DS Deployment

# Enter your Domain Name
$domainName = "SKGLAB.LOCAL"
# Enter your Domain Netbios Name
$domainNetbiosName = "SKGLAB"

# Domain Functional Level
$domainMode = "Win2012"
# Forest Functional Level
$forestMode = "Win2012"

# Location of AD database file
$databasePath = "C:\Windows\NTDS"
# Location of Log file
$logPath = "C:\Windows\NTDS"
# Location of SysVol
$sysvolPath = "C:\Windows\SYSVOL"

Import-Module ADDSDeployment

Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath $databasePath `
-DomainMode $domainMode -DomainName $domainName -DomainNetbiosName $domainNetbiosName `
-ForestMode $forestMode -InstallDns:$true -LogPath $logPath -NoRebootOnCompletion:$false `
-SysvolPath $sysvolPath -Force:$true

Once the script is executed, you will be prompted to provide the recovery password. The installation will continue & you may see the below screen during the installation.


The server will restart to complete the directory service installation. Once the server is back online, login to the server to configure the DNS server.

Configure the DNS Server

Once the domain controller is installed, we need to configure the DNS server. Open Server Manager & start DNS Manager from the drop down list of tools. We are going to configure the Reverse LookUp Zone, which will provide the resolutions from IP Address to the respective Host name. Once the DNS Manager opens, right click on Reverse LookUp Zone tab, & select New Zone.


Select the zone type as Primary Zone & click Next to continue. On the Active Directory Zone Replication Scope, select the option as shown in the below screenshot.


Select IPv4 Reverse Lookup Zone from the list of Reverse Lookup Zone Name and provide the Network ID as shown in the below screenshot.


On the next page, select the Dynamic Update option & click on finish to complete the DNS configuration.

Create a Pointer Record

Once the reverse lookup zone is configured, let’s create a pointer record (PTR) for the domain controller. Expand the reverse lookup zone node in DNS Manager & select the newly configured zone. Right-click on the zone node & select New Pointer (PTR) as shown in the below screenshot.


Provide the IP Address & browse the Host Name of the domain controller, as shown in the below screenshot.


To check whether the DNS server is functioning as required, launch nslookup as shown in the below screenshot. The utility will check the name resolution between hostname & IP address for the domain controller.


In the next post, we will configure the rest of the virtual machines & start with SQL Server 2012 installation.

Happy Learning :) !!!


Setup LAB: 01 Generalize the Operating System Installation

This was the topic of discussion last week, when a colleague of mine said that he faced some challenges while setting up his lab. After a few additional queries, I figured out that he didn’t configure the domain controller correctly in his lab. As I am setting up a lab to learn about SQL Server 2012/2014, let me share the steps I follow to set up this lab.

Download Evaluation Software

I always prefer to use virtual machine to setup my own lab. Some of the available virtualization software, you may want to use, are:

For this lab, I am going to use Windows Server 2012 evaluation edition. You can download an evaluation copy of Windows Server 2012 from here. You can also download an evaluation copy of SQL Server 2012 from here.

Installing The Operating System

I created a VM with 1 CPU & 2GB of RAM, along with a 40GB hard disk drive (HDD). As part of the HDD configuration, I chose to dynamically expand the disk, instead of allocating all the space at the beginning. I didn’t add any network adapter to the VM as part of the initial setup. Mount the Windows Server 2012 ISO image to the VM and power it on to start the operating system installation. Restart the VM when prompted to complete the operating system installation.


Configuring The Operating System

To simplify this lab setup, I have disabled the Firewall setting & enabled Remote Management on this server. Next, I will add Dot Net Framework 3.5.

  • Open Server Manager, click on Manage & select Add Roles and Features to start adding new feature to the server.


  • Select Role-based or feature-based installation, as the type of installation


  • Select the name of the server from the available server pools, where I want to install the Dot Net Framework 3.5
  • Select .Net Framework 3.5 features, from the list of available features


  • We need to specify the alternate location of the installation source files, as prompted below.


  • Since Dot Net Framework 3.5 files were not installed by default, please specify the location to the SxS folder on the Windows server 2012 evaluation iso file, as mentioned in the below screenshot.


  • Click on the Install button to start the Dot Net Framework 3.5 Installation.


Once the Dot Net Framework 3.5 installation is completed, I will run the sysprep utility on this server to generalize the VHD. Start the sysprep utility from C:\Windows\System32\Sysprep, & shut down the server upon completion. Copy the VHD file & reuse it to build the other servers required for this lab.


I am going to create four virtual machines from this VHD file. Out of these four VMs, one will be used as a domain controller & the other three will be used for the AlwaysOn setup. More on this later.

Happy Learning :) !!!


Checklist for Database File Movement

Below are the steps, which I usually follow as part of any database file movement activity.

  • Check that the last full database backup completed successfully. If your change window allows, prefer to take a fresh full backup of the database. If the database is not in the simple recovery model, initiate a transaction log backup as well.
  • Make sure there are no connections to the database. If there is an existing connection to the database from the application, reach out to the application team to stop their application. Since these activities are mostly performed during a planned change window, you should ask your application’s contact to stop the application. I prefer not to kill the connections myself; I would rather ask them to stop the application.
  • Take a note of the database files which you are planning to move. For example, to know the details about the data file & transaction log file for the database Northwind, execute the below command:


  • Once you have the details about the database files location, take the database offline by executing the below command:


  • I had faced a few challenges while moving the databases hosted on a SQL Server 2005 instance. As a standard process, once the database is offline, I grant full access to the Windows local Administrators group on the data & transaction log files for the database.
  • On the newer drive, make sure we have the required folder structures in place. The SQL Server service account should have read & write permissions on the folders where the data & transaction log files should reside. The SQL Agent service account should have read permission on the files.
  • Modify the location of the data & transaction log file in the system catalog of the SQL Server, by executing the below command:


  • Now that we have modified the file location in the system catalog, it is time to move the actual physical files. I prefer to use ROBOCOPY.EXE to move the files from one drive/mount point to another. The command to copy one file from one location to another is:


  • Once all the files are copied to the new location, it is time to bring the database online, by running the below command:


  • Congratulations!! The database is online from the new location. Now it is time to remove the additional permission, which we added in step-5. Remove the permission granted earlier to the Windows local Administrators group from the physical database files.
  • Inform your application users to test their application. Once they confirm that the application is working as expected, initiate a full database backup.

This completes the steps required to move a database file. The script used in this post is added below.

-- to check location of the data file
use [master];
exec sp_helpdb 'Northwind';

-- to take the database offline
use [master];
alter database [Northwind]
	set offline;

-- to modify the location of data and tlog file in the system catalog
use [master];
alter database [Northwind]
	modify file(name = 'Northwind', filename = 'C:\UserDB\SQL2012\Data\Northwnd.mdf');
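-- the log file has its own logical name (Northwind_log in the sample database); confirm it in the sp_helpdb output
alter database [Northwind]
	modify file(name = 'Northwind_log', filename = 'C:\UserDB\SQL2012\TLog\Northwnd.ldf');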

-- Once the files are copied using Robocopy, use the below command to bring the database online
use [master];
alter database [Northwind]
	set online;

Hope this will help someone. Happy Learning :)


Running SQLDiag as Agent Job

This was the discussion of last evening, which started after we received a similar request from a specific team. The team wanted to start this trace by themselves without involving the DBAs. One of the possibilities was to run SQLDiag as a Windows service; however, the requirement in hand is to run it as a SQL Agent job.

In case you want to read about this utility & its additional parameters, please refer to the below page from SQL Server Books Online. The following parameters help in the initial setup of SQLDiag.

SQLDiag.exe /E +00:20:00 /N 2 /Q /O E:\temp\SQLDiag_Output

When I tested the above script, the SQLDiag utility started & collected data for 20 minutes before stopping. Since the script was running successfully, the next step was to run it as a SQL Agent job.

I created a job on my lab instance to run SQLDiag & provided Read & Write permission to the SQL Server Agent account on the SQLDiag output folder. On the Job Step properties page, select Operating system (CmdExec) as the type & add the below script. In case of my lab environment, the SQLDiag output will be saved in E:\temp\SQLDiag_Output folder.


The default traces & system configuration files are available in the output folder. There will be an additional folder named internal inside the output folder. The internal folder contains all the output & log files generated by SQLDiag.


Hope this will suffice for the need. Happy Learning !!


PowerShell Journey: with 3 Cmdlets !!!

Believe it or not, it’s true! Time has already passed and we have to run!! I am talking about learning PowerShell. Although I have been using PowerShell scripts for quite some time, I didn’t pay much attention to learning it in detail (probably, it was not required at that time ;)). You are probably thinking, “Wait a minute, you said you are using PowerShell scripts, but you didn’t know PowerShell?” Correct, I learned three command-lets (cmdlets), after which I was able to understand a few scripts which I am using at work. This post is all about learning three PowerShell cmdlets, which will help you to learn the rest of them.

Things you should do as you begin your journey with PowerShell

Although I believe it’s our individual interest whether we want to learn PowerShell or not, here are a few things which can boost our learning.

  1. Stop using cmd.exe !! Yes, this is the biggest obstacle in your learning. I am sure most of us (including me ;)) have run this tool more than once a day for the last few years. The good news is, most of the commands which we run in cmd.exe (e.g. ping/ipconfig/robocopy/mstsc, etc.) are also available in PowerShell (or a better updated version with more features).
  2. List down the activities we repeat every day and try to automate them. As we were updating SQL Server 2008 R2 Service Pack 2, we had to check all the servers to make sure we had enough free space available to complete the SP2 update. Believe it or not, with the help of PowerShell, we extracted the information in a few minutes !!! Last time, when we did it manually, I think we spent nearly 12 hours to collect that information :(
  3. When in doubt, ask for help! A quick way is the Twitter hash tag #help #PowerShell. Apart from that, you will find several online forums where you can post your query and someone from the community will come forward to help you (it’s normally nice if you tell them not only about the task you want to automate, but also the way you have already tried :)).
  4. Build a test lab. Create a virtual machine on your personal laptop/desktop for your learning. Since PowerShell is a very powerful tool, it’s possible that you can unknowingly commit some mistakes, which may result in loss of data :(. However, if you are using a VM, you don’t have that fear. (I know how it feels if your old photos got deleted ;)). Please … Please.. Please, don’t use the Production environment for your learning.

Enough talk !!! Let’s proceed with the three cmdlets.

Three Cmdlets to Start

1. Get-Help

The first command I learnt to run on cmd.exe was help. As with most other commands, help is also available in PowerShell. You can type help/Get-Help/man to start the help subsystem. If you are running PowerShell v1/v2, when you run Get-Help, you will get the complete help subsystem. However, if you are running PowerShell v3 or above, the help subsystem is not available by default; you have to install it manually. To install the help files on a system running PowerShell v3, run the following command (make sure you have opened the PowerShell console as an administrator ;))

# Update & Install the Help files for all the modules, with language as EN-US
Update-Help -Module * -UICulture "en-us" -Force

The Help subsystem is our friend & mentor in our journey with PowerShell. Spend some time with Get-Help, so that you can go well together.

2. Get-Command

In most cases, a PowerShell cmdlet is a combination of a verb & a noun (if you missed the grammar class in school, it is time to learn it again ;)). There is a list of approved verbs (98 in PowerShell v3) which can be used in PowerShell. As you might guess, Get-Command gives us a list of all the cmdlets available in PowerShell along with Aliases & Functions. To learn more about the Get-Command cmdlet, we are going to ask the mentor by executing the cmdlet:

# To learn more about Get-Command
Get-Help Get-Command

3. Get-Member

As we learn about the new cmdlets, we need to find out more options available with a particular command, and Get-Member will help us to find all the properties & methods available with a command. For example, if I want to know all the methods & properties available with Get-Command, I will execute the following cmdlets:

# Using Get-Member
Get-Command | Get-Member

4. Set-ExecutionPolicy

Although I said three cmdlets, this one will be useful when you execute a script. PowerShell is secure by default; it will not allow you to run any script unless you tell it to do so. The default execution policy (or script execution policy) is Restricted; however, you can change it. You can set your execution policy to RemoteSigned, although later you will learn that the best possible option should be AllSigned. To learn more about all the available options or to set it to RemoteSigned, ask your mentor, as shown below:

# To verify the current execution policy of the system
Get-ExecutionPolicy

# To learn all about Set-ExecutionPolicy
Get-Help Set-ExecutionPolicy -Full

# To Set the execution policy to RemoteSigned
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
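
To see what RemoteSigned and AllSigned actually look at, the added example below (not from the original post) lists the policy at every scope and then evaluates one script file the way those two policies would. Test-ScriptAgainstPolicy is a hypothetical helper, the demo file is constructed in %TEMP%, and treating ZoneId 3 or higher as "remote" is a simplification.

```powershell
# Policy at every scope. The first scope that is not Undefined wins, in the
# order MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
Get-ExecutionPolicy -List | Format-Table -AutoSize

function Test-ScriptAgainstPolicy {
    param([Parameter(Mandatory)][string]$Path)

    $signature = Get-AuthenticodeSignature -FilePath $Path

    # Downloaded files carry a Zone.Identifier alternate data stream (NTFS only).
    $stream = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId = 0   # no stream present: treated as a local file
    if (($stream -join "`n") -match '(?m)^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }

    $validSignature = $signature.Status -eq 'Valid'
    $isRemote       = $zoneId -ge 3   # simplification: Internet (3) or Restricted sites (4)

    [pscustomobject]@{
        Script             = Split-Path $Path -Leaf
        SignatureStatus    = $signature.Status
        ZoneId             = $zoneId
        # RemoteSigned only demands a signature from scripts marked as remote.
        RunsIfRemoteSigned = (-not $isRemote) -or $validSignature
        # AllSigned demands a valid signature from every script
        # (and still prompts for publishers that are not yet trusted).
        RunsIfAllSigned    = $validSignature
    }
}

# Constructed demo file: first evaluated as a locally written, unsigned script ...
$demo = Join-Path $env:TEMP 'policy-demo.ps1'
Set-Content -LiteralPath $demo -Value 'Write-Output "hello"'
$local = Test-ScriptAgainstPolicy -Path $demo

# ... then again after tagging it the way a browser tags a download.
Set-Content -LiteralPath $demo -Stream Zone.Identifier -Value "[ZoneTransfer]", "ZoneId=3"
$downloaded = Test-ScriptAgainstPolicy -Path $demo

$local, $downloaded | Format-Table -AutoSize
Remove-Item -LiteralPath $demo
```

The unsigned local copy passes under RemoteSigned and fails under AllSigned; the same file with the download marker fails under both.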


Now I’m more Confused :S

In case I confused you (sometimes, I do confuse myself ;)), here are two superb courses on PowerShell on Microsoft Virtual Academy, presented by none other than the inventor of PowerShell: “Jeffrey Snover”, Distinguished Engineer & Lead Architect for Windows Server Division.

  1. Getting Started With PowerShell 3.0 JumpStart
  2. Advanced Tools & Scripting with PowerShell 3.0 JumpStart

A few other online resources, which you may want to visit:

1. Windows PowerShell Blog
2. Hey, Scripting Guy! Blog
3. PowerShell Magazine
4. Ravikanth’s Blog
5. Bangalore PowerShell User Group

Hope you will start using PowerShell. Happy Learning :)
