"No mapping between account names and security IDs was done" error when adding a node to a SQL Server 2008 Failover Cluster

Symptoms

Consider the following scenario:
  • You configure a Microsoft SQL Server 2008 Failover Cluster by using the domain local group option in the "Cluster security policy" dialog box.
  • After the installation is complete, the domain local groups are dropped and re-created in Active Directory with the same name or a different name.

In this scenario, if you try to add a new node to an existing instance, the SQL Server Setup program fails, and you receive the following error message:

SQL Server Setup has encountered the following error:
"No mapping between account names and security IDs was done."
"Error code 0x84BB0001."

Cause

The security ID (SID) that was originally assigned to the domain group is no longer valid. Changing the domain groups that are used for SQL Server 2008 Failover cluster installation is not supported. This is because the security configuration information is set by using the SID of the domain groups that are used during the original setup. An example of such security configuration information is an access control list on files and folders that are used by the SQL Server Failover instance. Even though you re-create the domain group by using the same name, the SID will be different. Therefore, the permission set of the original SID is no longer valid.

Note: Domain migration for SQL Server 2008 Failover Cluster instance is also not supported.

Resolution

Reinstall the SQL Server Failover instance.

Note: This issue was first fixed in SQL Server 2008 Service Pack 2. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

968382 How to obtain the latest service pack for SQL Server 2008

 

More Information

If the domain local groups are deleted and re-created, you might receive the following error message when you try to start the SQL Server service:

initerrlog: Could not open error log file ''. Operating system error = 3(The system cannot find the path specified.).

References:

SQL Server 2008 Failover Clustering White Paper

Microsoft Internal Support Information

Apparently, many customers are unaware of this problem. Here is an example of how to validate global domain security groups. 
 
Locate the SID in the following registry subkey:
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup
    AGTGroup    REG_SZ    S-1-5-21-2182389897-1197567953-1666118933-1154
    SQLGroup    REG_SZ    S-1-5-21-2182389897-1197567953-1666118933-1154
    FTSGroup    REG_SZ    S-1-5-21-2182389897-1197567953-1666118933-1154
 
Download PsTools Suite (1.31 MB) from the following website: http://download.sysinternals.com/Files/PsTools.zip. Extract the file to a local folder.
At a command prompt, open the extracted file location, and then run psgetsid.exe by using the following syntax for the three SIDs that are associated with the SQL Server instance with which you are working:
 
    psgetsid S-1-5-21-2182389897-1197567953-1666118933-1154
 
If the SID is not resolvable, and if you cannot complete the upgrade, escalate for possible options.
 
Here are examples of resolvable and unresolvable SIDs:
 
Resolvable:
 
x:\PSTools\psgetsid S-1-1-0
 
PsGetSid v1.43 - Translates SIDs to names and vice versa
 
Copyright (C) 1999-2006 Mark Russinovich
Sysinternals -www.sysinternals.com
 
Account for MYSERVERNAME\S-1-1-0:
Well Known Group: \Everyone
 
Unresolvable:
 
x:\PSTools\psgetsid S-1-0-0
 
PsGetSid v1.43: Translates SIDs to names and vice-versa
 
Copyright (C) 1999-2006 Mark Russinovich
Sysinternals -www.sysinternals.com
  
Account for Computername\S-1-0-0:
Well Known Group: \NULL SID
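
The registry lookup and per-SID check described above can also be done in one pass from PowerShell. This is an added example, not part of the original article; it assumes the instance ID MSSQL.1 from the registry path shown earlier, and Resolve-GroupSid is a hypothetical helper name.

```powershell
# Added example. Assumption: instance ID MSSQL.1, as in the registry path above.
$InstanceId = 'MSSQL.1'
$SetupKey   = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceId\Setup"
$ValueNames = 'AGTGroup', 'SQLGroup', 'FTSGroup'

function Resolve-GroupSid {
    # Hypothetical helper: returns the account name for a SID string,
    # or $null when the SID is malformed or maps to no account.
    param([Parameter(Mandatory = $true)][string]$Sid)
    try {
        $sidObject = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        # Translate() throws IdentityNotMappedException for an orphaned SID.
        return $sidObject.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch {
        return $null
    }
}

# Read the three group SIDs that SQL Server Setup recorded at install time.
$setup = Get-ItemProperty -Path $SetupKey -ErrorAction Stop

$results = foreach ($name in $ValueNames) {
    $sid = $setup.$name
    if ([string]::IsNullOrEmpty($sid)) {
        $account = $null
        $status  = 'Value missing'
    }
    else {
        $account = Resolve-GroupSid -Sid $sid
        $status  = if ($account) { 'Resolvable' } else { 'Unresolvable' }
    }
    New-Object PSObject -Property @{
        Value = $name; Sid = $sid; Account = $account; Status = $status
    }
}

$results | Format-Table Value, Sid, Account, Status -AutoSize
```

Run it on the existing cluster node before starting the add-node operation; any row reported as Unresolvable corresponds to a group whose original SID no longer exists in the domain.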
 
Product Bug Number: 402438
Author: vijaysir
Writer: ramakoni
Tech Reviewer: dsdpipe1
Editor: v-jesits
Properties

Article ID: 2019402 - Last review: Aug 25, 2010 - Revision: 1
