You can't install SQL Server by using a service account when only an RODC is reachable
This article discusses an issue in which you can't install SQL Server when only a read-only domain controller (RODC) is available.
Original product version: SQL Server
Original KB number: 2962968
Symptoms
Consider the following scenario:
- You have a perimeter network (also known as a demilitarized zone (DMZ), and a screened subnet) that only has an RODC available.
- You have a member server in the perimeter network. You try to install SQL Server on the member server and use an Active Directory service account for the SQL Server service.
In this scenario, the installation wizard fails when the installation program validates your account.
Cause
When you log on to a computer for the first time and try to encrypt data, the operating system creates a preferred Data Protection Application Programming Interface (DPAPI) MasterKey, which is based on your current password. During the creation of the DPAPI MasterKey, an attempt is made to back up this master key by contacting a Read Write Domain Controller (RWDC). If the backup fails, the MasterKey can't be created, and this results in failure.
Workaround
To work around this issue, perform the following:
- Use the built-in account to install SQL Server.
- Change the account that is used for the services to an Active Directory service account.
For other resolutions and additional information, see DPAPI MasterKey backup failures.
References
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for