The generic problem is as listed here SQL Maintenance Cleanup Task Working but Not Deleting but no solutions applicable. Environment: Windows Server 2012R2, AD DS (with policies of course), RDSH/TS Licensing, 1C-server. The primary problem is SQL Server generating insane amount of events per backup plan run, recording a pair of 18456+17052 errors per file to delete. Errors are as follows:
17052: [Microsoft][SQL Server Native Client 11.0][SQL Server]Login failed for user 'DOMAIN\mssql_srv'
18456: Reason: Could not find a login matching the name provided. [CLIENT: 192.168.x.x] (matches localhost)
Given that each pair of errors appears once per file to delete (there are about 6000 files already!), the algorithm looks like this:
First, backup plan task runs xp_delete_file, it enumerates all the files in target folder;
Second, each file is deleted by creating a separate connection to machine with service's credentials;
Each connection fails due to whatever restrictions default DC policy applies, generating the pair of events. Of course the file remains in place.
The workaround is of course assign file delete task to a local script run as system, for example, but the very reason of why does SQL server fail to delete a file remains unknown. Permissions have been checked and verified that both SQL Server Agent and SQL Server service accounts have full control to the folder.
It turned out that this "login missing" is not a Windows login, but rather SQL "login" which was not present for the service account. So I needed to create a "DOMAIN\mssql_srv" login in SSMS, give it "public" access rights and voila, files started to get deleted properly. The reason is explained in comment:
If it's T-SQL step and job owner is member of sysadmin server role, the step is executed under service account.
Related
We are running an SSIS Package from a SQL Server 2014 instance which connects to a remote SQL 2016 Server through an SMO connection in a Transfer Objects Task. This task retrieves schemas, tables and SP's. The SSIS package has three of these tasks running in parallel which connect to three different Db's on the same SQL server.
Things had been running fine until a day last week the owners of the remote SQL Server decided to create a new user/password combo to give to us. No permissions changed or anything else, only the u/p.
After they did that the package has been failing with various connection type errors. The errors happen randomly on the three parallel tracks. Here are the errors:
Failed to retrieve data for this request.
Invalid Operation: The connection is closed.
There is already an open DataReader associated with this Command which must be closed first.
Property TextHeader is not available for StoredProcedure '[Sp Name]'. This property may not exist for this object, or may not be retrievable due to insufficient access rights. The text is encrypted.
But on the DB side the error the profiler was showing was the password was invalid. This is not true.
After some extensive troubleshooting we tried giving he user SA rights, which did not help. On further work we tried changing the password to 123 (while keeping SA rights,) the prior password had been a 10+ char non-alpha-numeric (had the ! char) password, for example aBc12dEF3!!!. We tried removing the ! chars and various other iterations, but that didn't work then we finally got it down to the password being 123.
This final password change worked. But obviously this is not normal, we cannot have user with SA rights and 123 as password.
Does anyone have any ideas, advice, direction on what could be going on here?
Thanks!
Please find the diagram as below for my issue:
I have 3 servers in the same domain, there is a SQL Server instance A (it's windows service run under domain\User1), In this instance, we have a Stored Procedure used for BULK INSERT a text file from a network shared folder in server C, the domain\User1 has full permissions on this folder.
My issue is: The Stored Procedure runs ok (green arrow) when connecting by SSMS in its (server A). But it failed when I change to SSMS in server B (log in by the same domain\User1 to the same Instance A). The error is "Access denied" to the text file (red arrow). Does the client have a role in this? I think the client does not matter, the file reading is done from the server (by the user that run Instance A service)
Note: If I connect Instance A from SSMS B with SQL Logon User (not windows account), the stored procedure works fine.
Could anyone give me some advice and sorry for my bad English
This is just a link answer but hopefully it helps.
BTW I commend you for taking the time to analyse the issue to the extent of drawing a diagram. This is far higher quality than most questions on here.
I believe you are running into a double hop issue. I searched everywhere for the BULK INSERT permission model and finally found this https://dba.stackexchange.com/questions/189676/why-is-bulk-insert-considered-dangerous
which says this about using BULK INSERT:
When accessing SQL Server via a Windows Login, that Windows account
will be impersonated (even if you switch the security context using
EXECUTE AS LOGIN='...') for doing the file system access
and this
when accessing SQL Server via a SQL Server Login, then the external
access is done in the context of the SQL Server service account
When you have issues with windows authentication and there is three servers and impersonation, it's often a double hop issue.
This may help you with that:
https://dba.stackexchange.com/questions/44524/bulk-insert-through-network
Which in turn references this:
https://thesqldude.com/2011/12/30/how-to-sql-server-bulk-insert-with-constrained-delegation-access-is-denied/
My backup job in Maintenance Plans has an error (Please check error encountered below) which already 3 days straight.
Job configured as follows:
(Step 1): Backup the DBs to a shared folder of Server A
(Step 2): If Step 1 Success, It will copy the backups from Server A to the shared folder of Server B.
As per error from event viewer the error stopped at Step 1. I still don't know where the error came from but as per checking the backup created in Server A are all complete which is weird.
Here are my isolation:
The shared folder of Server A and Server B are accessible (tried also the account of SQL services job as a user in windows)
Here is the error found in event viewer:
1. BackupIoRequest::ReportIoError: read failure on backup device '\\\Server_A\Shared Folder\Database.bak'. Operating system error 64(The specified network name is no longer available.)."
2. "Package "Backup Databases Directly to Server_A Shared Folder" failed."
3. "SQL Server Scheduled Job 'Backup Databases Directly to Server_A Shared Folder.Subplan_1' (0xD20650B4C8A10F41A130C734D053DB63) - Status: Failed - Invoked on: 2019-08-24 00:00:00 - Message: The job failed. The Job was invoked by Schedule 89 (Backup Databases Directly to Server_A Shared Folder.Subplan_1). The last step to run was step 1 (Subplan_1).
As per error from event viewer the error stopped at Step 1. I still don't know where the error came from
Usually, when you checking it form SQL Agent history, expand the job and select step 1 so that we can see what causing the that error, information must be printed in message section (bottom):
"BackupIoRequest::ReportIoError: read failure on backup device '\Server_A\Shared Folder\Database.bak'. Operating system error 64(The specified network name is no longer available.)
In this case, there must be something wrong with path (wrong spelled), or the SQL Server service account (not only SQL Agent service account) doesn't have permissions on the shared folder.
When you say SERVER-A and SERVER-B can access shared folder, you might have verified logging in at the server with particular user, so that logged-in user got the permissions on the shared folder, as long as same user is service account user of SQL Server then we can assume, SQL Server really have access to shared folder.
Hope, fixing permission issues would resolve the error caused.
However, do you have any issues to directly create a backup on SERVER-B shared folder as i feel like we are doing unnecessary additional step.
P.s: I personally, recommend to use custom script for maintenance tasks, especially for backups. My answer at DBA.SE might helpful in your case for better backup strategy
I'm facing a strange behavior of SQL Server Agent when executing SSIS packages.
I have a job that includes many steps (mainly SSIS packages). Some steps fail mostly every day even the configuration is the same for all the steps.
I tried to delete/create the job, delete/create the SQL Server Agent Proxy but with no sucess.
I can't find any difference between the steps that fail and the ones that succeed.
This is the error returned by SQL Server Agent :
The package failed to load due to error 0xC0011008 "Error loading from XML. No further detailed error information can be specified for this problem because no Events object was passed where detailed error information
SQL Server version : 2014
SSIS version : 2014
EDIT :
In the Event Log I found an Information Message from User Profile Service that says :
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards
Process 5924 (\Device\HarddiskVolume2\Program Files\Microsoft SQL Server\120\DTS\Binn\DTExec.exe) has opened key \REGISTRY\USER\S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX\Control Panel\International
Process 5924 (\Device\HarddiskVolume2\Program Files\Microsoft SQL Server\120\DTS\Binn\DTExec.exe) has opened key \REGISTRY\USER\S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX\Software\Microsoft\Windows\CurrentVersion
The SID corresponds to the Proxy User used to execute the SQL Job steps. And the timestamp corresponds is the same when the error occures in SQL Agent.
I think this is what causes the steps to fail.
Could we prevent Windows unloading this registry ?
The error was indeed caused by the fact that the User Profile Service forces the unloading of the Registry.
The solution that worked for me was to change the policy setting Do not forcefully unload the user registry at user logoff from "Not Configured" to Enabled.
Start the Local Group Policy Editor (gpedit.msc)
Go to Computer Configuration > Administrative Templates > System > User Profiles
Set "Do not forcefully unload the user registry at user logoff" to Enabled
Run gpupdate command.
Details can be found here : https://support.microsoft.com/en-us/help/2287297/a-com-application-may-stop-working-on-windows-server-2008-when-a-user
I am using msdeploy (version 2) to transfer a database from machine A to machine B.
On in the database on machine A there are some users that do not exist on machine B, thus the transfer (partially) fails with the message:
Error Code: ERROR_SQL_EXECUTION_FAILURE
More Information: An error occurred during execution of the database script.
The error occurred between the following lines of the script: "3" and "5".
The verbose log might have more information about the error.
The command started with the following: "CREATE USER [someDomain\someUser] FOR LOGIN [someDomain"
Windows NT user or group 'someDomain\someUser' not found.
Check the name again. http://go.microsoft.com/fwlink/?LinkId=178587
The database seems to be transfered, except for the user creation. Does anyone know what state the database is in after this failure?
Is there any way I can transfer the database without the users (or better without specific users) using msdeploy?
Web Deploy uses SMO (SQL Management Objects) to script out and apply the scripts for SQL databases, and exposes most of the SMO settings with the dbfullsql provider (so, most of these options: http://msdn.microsoft.com/en-us/library/microsoft.sqlserver.management.smo.transfer_properties.aspx). If you want to skip the users due to this kind of login-not-exists or user-not-found error, you should be able to do this by adding the scripting option: copyAllUsers=false to the source of the sync. For example:
msdeploy.exe -verb:sync -source:dbfullsql="Data Source=.\SQLExpress;Initial Catalog=MySourceDb;User Id=localUser;Password=LocalPass",copyAllUsers=false -dest:dbfullsql="Data Source=RemoteSQLServer;Initial Catalog=MyDestDb;User Id=remoteUser;Password=RemotePass"
Incidentally, I am surprised you note the db appears to have been sync'd - I would expect this is not actually the case. If you have the permissions for it, Web Deploy will create the database if it did not already exist when it initially tries to make the connection, but your failure occurred very early in the script execution, and I believe Web Deploy dbfullsql syncs are transacted by default (the db creation is separate from the script execution and is not transacted). Thus the db may exist where it did not pre-sync, but I wouldn't expect the data to be present in it.