SQL Server Service won’t start after changing service account – service-specific error %%-2146885628

Yesterday I was at a site where they decided to change the service account for the SQL Server services on a set of systems. After changing the service accounts, SQL Server restarted just fine on all machines except one.

I had used the SQL Server Configuration Manager to make the changes (important to not just use the Services applet in Administrative Tools) but I got the typical error telling me that the service wouldn’t start in a timely fashion. The server was running SQL Server 2008 R2 SP2.

Looking in the system event log produced the following errors:

The SQL Server (MSSQLSERVER) service terminated with service-specific error %%-2146885628.

A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.

I spent a while looking for info on the last error and found a site where they discussed that it was generated when the service account could not read the machine keys that were stored in the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder. The article then discussed how to add read permissions for the keys one by one.

It suddenly dawned on me that it was probably a problem with the permissions on the folder instead. Checking the permissions on that folder made me realize that the local Administrators account should have the ability to read it. The service account was meant to be a member of the local Administrators account but had not been added to that group on this machine.

Adding the service account to the local Administrators group on the machine (note: not the domain administrators account) fixed the issue and the service started again, until I could get the correct account permissions set in the morning when other staff came back. (In the comments I've added a list of what's actually required.)

Hope this helps someone else. (And helps me the next time I see this and have forgotten what it was :-)
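To see which of the permissions described above the service account actually has, the following check can be run on the affected server. It is an added example, not part of the original post; it assumes Windows PowerShell 5.1 or later, an elevated prompt, and the default instance name, and `Test-ReadGranted` is a hypothetical helper name.

```powershell
# Added example (not from the original post). Run from an elevated
# Windows PowerShell 5.1+ prompt on the affected server.
$serviceName = 'MSSQLSERVER'   # default instance, as in the event log entry
$keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$sidType = [System.Security.Principal.SecurityIdentifier]
$read = [System.Security.AccessControl.FileSystemRights]::Read

# Resolve the account the service logs on as to a SID.
$startName = (Get-CimInstance Win32_Service -Filter "Name='$serviceName'").StartName
$startName = $startName -replace '^\.\\', "$env:COMPUTERNAME\"
$accountSid = ([System.Security.Principal.NTAccount]$startName).Translate($sidType)

# SIDs that count as "the service account" for this check: the account
# itself, plus BUILTIN\Administrators (S-1-5-32-544) if it is a direct member.
$sids = @($accountSid.Value)
$adminMembers = Get-LocalGroupMember -SID 'S-1-5-32-544'
if ($adminMembers.SID.Value -contains $accountSid.Value) { $sids += 'S-1-5-32-544' }

function Test-ReadGranted($path) {
    # True if an Allow ACE on $path grants Read to one of $sids.
    # Simplification: Deny ACEs and other group memberships are ignored.
    $rules = (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, $sidType)
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Allow' -and
            $sids -contains $r.IdentityReference.Value -and
            ($r.FileSystemRights -band $read) -eq $read) { return $true }
    }
    return $false
}

"Service account  : $startName ($($accountSid.Value))"
"In Administrators: $($sids -contains 'S-1-5-32-544')"
"Folder readable  : $(Test-ReadGranted $keyDir)"

# List key files the account has no matching read grant on.
Get-ChildItem -LiteralPath $keyDir -File -Force |
    Where-Object { -not (Test-ReadGranted $_.FullName) } |
    Select-Object Name, LastWriteTime
```

Running it before and after a permission change shows whether read access comes from a grant to the account itself or only through Administrators membership.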

Huge news: Azure expanding to Australia!!!

I was so glad to hear today that Azure is expanding to Australia. This helps with two remaining areas of concern that I've heard from a variety of customers:

  • Compliance and data sovereignty (not wanting to store data outside Australia)
  • Latency (previously high latency even to our nearest external data centres)

With both these concerns now disappearing, it's time for more Australian customers to get involved with Azure if they've been resisting so far. 

Two Azure sub-regions are to be added. One for New South Wales and another for Victoria. In addition, data geo-replication between the sub-regions will also be available.


Private Cloud and Virtualisation Strategy Event – Brisbane, Sydney, Melbourne

Fellow MVP Alessandro Cardoso sent me information today about a private cloud and virtualisation event that's running later this month.

It's being offered in Brisbane, Sydney, and Melbourne.

If that's of interest, you'll find more details here: http://virtualisationandmanagement.wordpress.com/2013/05/08/private-cloud-virtualisation-strategy-events-in-brisbane-melbourne-sydney-may-and-june-2013/

SQL Down Under Show 59 – Guest Reza Rad now available for download

Hi Folks,

On Thursday night, I got to record a podcast with Reza Rad. I was interested to speak to Reza after reading his SQL Server 2012 Integration Services Cookbook.

In the show, we discuss SQL Server Integration Services (SSIS) extensibility and some aspects of performance tuning for SSIS.

You'll find the show here: http://www.sqldownunder.com/Podcasts