Sql 2008 on Windows 2008 domain error: windows nt user or group not found

  • Question

  • I am running SQL 2008 R2 and Win 2008 R2 and simply trying to add a new domain user into SQL, but I get the error above. What's weird is that when I do a check names from the add user or group window it finds the account I want to use. I've tried adding a different account, but I get the same issue--so it's not the account. I've also tried running the CREATE LOGIN T-SQL command but it gives the same error. I've also tried disabling, via the gpedit.msc tool, the digitally encrypt or sign secure channel keys. But that did not work either.
    Sunday, October 31, 2010 5:43 AM

Answers

  •   Also consider that for this operation to succeed, the service account for SQL Server must have the proper rights to query the AD for the account you are trying to add. If your particular scenario is a cross-domain one, it may be possible that the SQL Server account (i.e. domain_1\sql_srv_account) doesn’t have query privileges on the AD for the Windows account you are trying to add (i.e. domain_2\some_Windows_account).

      If you are indeed in a cross-domain scenario, besides the error message, please provide us with the information regarding SQL Server account, Windows account, trust relationships between the two domains, etc. NOTE: Please, do not provide real domain or account names, we simply want to see if the most likely root cause is a lack of permissions for the service account.

      BTW. If the error code you get is 0x5, this means it is an explicit “access denied”, and the most likely root cause would be that SQL Server service account indeed does not have query permissions on the AD servicing the Windows account you are trying to add.

        -Raul Garcia
       SDE/T
       SQL Server Engine


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, November 1, 2010 10:42 PM

All replies

  • Please run xp_logininfo and I am sure there would be some hex code coming as output along with the error, please post that.
    Balmukund Lakhani | Please mark solved if I've answered your question, vote for it as helpful to help other users find a solution quicker
    --------------------------------------------------------------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
    --------------------------------------------------------------------------------
    My Blog: http://blogs.msdn.com/blakhani
    Team Blog: http://blogs.msdn.com/sqlserverfaq
    Sunday, October 31, 2010 6:05 AM
  • Check if the SQL Server startup account has the below process-level permissions -

    Log on as a service (SeServiceLogonRight)

    Replace a process-level token (SeAssignPrimaryTokenPrivilege)

    Bypass traverse checking (SeChangeNotifyPrivilege)

    Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)

    BTW since you are on win2k8... the above permissions should be granted to the SQL Server SID.

    ref - http://msdn.microsoft.com/en-us/library/ms143504.aspx

     


    Thanks - Vijay Sirohi
    Wednesday, November 3, 2010 3:10 AM
    Answerer
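
One way to run the user-rights check from the last reply, as an added example that is not part of the thread. It assumes a default instance (service account `NT SERVICE\MSSQLSERVER`) and an elevated PowerShell prompt on the SQL Server host; the helper name `Resolve-Holder` and the temporary file name are hypothetical.

```powershell
# Added example, not from the thread. Run elevated on the SQL Server host.
# Assumption: default instance; a named instance is 'NT SERVICE\MSSQL$<InstanceName>'.
$serviceAccount = 'NT SERVICE\MSSQLSERVER'

# The four user rights listed in the reply above.
$required = @{
    SeServiceLogonRight           = 'Log on as a service'
    SeAssignPrimaryTokenPrivilege = 'Replace a process-level token'
    SeChangeNotifyPrivilege       = 'Bypass traverse checking'
    SeIncreaseQuotaPrivilege      = 'Adjust memory quotas for a process'
}

# Resolve the per-service SID the rights are expected to be granted to.
$account    = New-Object System.Security.Principal.NTAccount($serviceAccount)
$serviceSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights section of the local security policy.
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'   # hypothetical file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg

function Resolve-Holder([string]$entry) {
    # secedit writes SIDs as '*S-1-...'; some accounts appear as plain names.
    if (-not $entry.StartsWith('*')) { return $entry }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # unresolvable SID (deleted account, unreachable domain)
}

$report = foreach ($right in $required.Keys) {
    # Policy lines look like: SeServiceLogonRight = *S-1-5-20,*S-1-5-80-...
    $line    = $policy | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $entries = @()
    if ($line) {
        $entries = @(($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() })
    }
    New-Object PSObject -Property @{
        Right       = "$($required[$right]) ($right)"
        DirectToSid = ($entries -contains "*$serviceSid")
        Holders     = (($entries | ForEach-Object { Resolve-Holder $_ }) -join '; ')
    }
}

# DirectToSid = False is not conclusive on its own: the right can also be held
# through a group that appears in Holders, so review that column as well.
$report | Select-Object Right, DirectToSid, Holders | Format-List
```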