I’ve recently configured VMM in the restricted environment where you always need to ask IT staff to delegate rights for service and install accounts in order to make SQL Server and VMM Server working. The requirements for DKM container or SPN registration are described at many sites, blogs including official Microsoft docs, but I faced with a new problem just after VMM installation.
I couldn’t start VMM service. Checked SQL Server services and communication from VMM Server, VMM database properties and etc…and did not find any unusual or wrong in my configuration. I went then to the VMMLogs and reviewed the report generated after the VMM service start attempt and found interesting strings:
System.AggregateException: One or more errors occurred.—> Microsoft.VirtualManager.DB.CarmineSqlException: The SQL Server service account does not have permission to access Active Directory Domain Services (AD DS).
Ensure that the SQL Server service is running under a domain account or a computer account that has permission to access AD DS.
The following steps helped me to resolve the error:
- Open Active Directory Users and Computers
- Expand Builtin container and locate Windows Authorization Access Group
- Add SQL Service account to the Windows Authorization Access Group
- Start SCVMMService
or use PowerShell (RSAT-AD-Tools are required):
Add-ADGroupMember sqlsvc -Members “Windows Authorization Access” Start-Service scvmmservice