Recently, one of my clients encountered an error while trying to start the SQL Server service under a domain account on a Read Only Domain Controller (RODC). They had originally installed SQL Server with the LocalSystem account because of an issue with the service account, but company standards require a domain account as the service account, so the service needed to be switched over.
To investigate, I asked the client to share the ERRORLOG with me, since it records the error and its immediate cause. In this case the ERRORLOG showed the following sequence:

```text
2017-06-12 11:55:21.46 spid10s Unable to initialize SSL encryption because a valid certificate could not be found, and it is not possible to create a self-signed certificate.
2017-06-12 11:55:21.46 spid10s Error: 17182, Severity: 16, State: 1.
2017-06-12 11:55:21.46 spid10s TDSSNIClient initialization failed with error 0x80092004, status code 0x80. Reason: Unable to initialize SSL support. Cannot find object or property.
2017-06-12 11:55:21.46 spid10s Error: 17182, Severity: 16, State: 1.
2017-06-12 11:55:21.46 spid10s TDSSNIClient initialization failed with error 0x80092004, status code 0x1. Reason: Initialization failed with an infrastructure error. Check for previous errors. Cannot find object or property.
2017-06-12 11:55:21.46 spid10s Error: 17826, Severity: 18, State: 3.
2017-06-12 11:55:21.46 spid10s Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.
2017-06-12 11:55:21.46 spid10s Error: 17120, Severity: 16, State: 1.
2017-06-12 11:55:21.46 spid10s SQL Server could not spawn FRunCommunicationsManager thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.
```

The first line is the root of the chain: SQL Server could neither find a usable certificate nor create its self-signed one, so SSL support, the network library and finally the communications manager thread all failed in turn. Errors 17826 and 17120 are consequences, not causes.
Researching the issue turned up many reports of the same errors on various forums. It appears to start occurring after the installation of KB 2992611 or KB 3000850. The workaround is a registry change on the affected RODC.
Here are the steps to implement the workaround (back up the key first, and do this in an elevated session):
- Open the Registry Editor.
- Navigate to the following path: HKLM\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb
- Create a new 32-bit DWORD value named [ProtectionPolicy] (without the square brackets).
- Set the value of [ProtectionPolicy] to 1.
- Restart the SQL Server service so the change takes effect.
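The same procedure scripted in PowerShell, so it can be applied consistently and verified before the service is restarted. This is an added example, not code from the original post; it assumes an elevated session and the default instance service name MSSQLSERVER (a named instance uses MSSQL$InstanceName).

```powershell
# Added example: applies the ProtectionPolicy workaround described above.
# Assumptions (not from the original post): elevated session; default
# instance, so the service is 'MSSQLSERVER'.

$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb'
$regPath   = 'HKLM\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb'
$valueName = 'ProtectionPolicy'
$service   = 'MSSQLSERVER'   # assumption: default instance

# 1. Back up the key before touching it, so the change can be reverted.
$backup = Join-Path $env:TEMP ('dpapi-protect-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export $regPath $backup /y | Out-Null
if ($LASTEXITCODE -eq 0) { Write-Host "Registry backup written to $backup" }
else { Write-Warning "Key did not exist yet; nothing to back up" }

# 2. Create the key if it is missing, then create or update the 32-bit DWORD.
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}
$existing = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 | Out-Null
} else {
    Set-ItemProperty -Path $keyPath -Name $valueName -Value 1
}

# 3. Read the value back and stop if it is not what we expect.
$check = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($check -ne 1) { throw "$valueName is $check, expected 1" }
Write-Host "$valueName = $check"

# 4. Restart SQL Server and report which account it is now running under.
Restart-Service -Name $service -Force
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$service'"
Write-Host ('{0} is {1}, running as {2}' -f $svc.Name, $svc.State, $svc.StartName)
```

If the service still fails to start, check the new ERRORLOG first: the "Unable to initialize SSL encryption" line should no longer appear, and any remaining error will point at a different cause (for example the service account's permissions on the data and log directories).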
After making this registry change and restarting the service, SQL Server should start under the domain account on the Read Only Domain Controller. Keep in mind that this value is a machine-wide DPAPI setting rather than a SQL Server setting, so apply it only on the affected RODC and record it in your change log.
If you have encountered the same error on a Read Only Domain Controller, please share your experience in the comments section below.