SQL Server 2008 Cluster installation

To build a SQL Server 2008 Cluster on Windows 2008 Server, is it mandatory to create the SPNs for the SQL Service account if I don't want to use the Kerberos authentication? Or, SPNs need to be created only if we use Kerberos authentication?

Do we get the error given at the below link if we don't create SPNs before the installation irrespective of whether we are going to use Kerberos or not?
http://blogs.msdn.com/karthick_pk/archive/2009/03/27/installation-of-sqlserver2008-cluster-fails-on-windows2008-the-group-or-resource-is-not-in-the-correct-state-to-perform-the-requested-operation-exception-from-hresult-0x8007139f.aspx.
Srinivas_VengalaAsked:
Who is Participating?
 
gtworekCommented:
I've installed SQL2008 in a cluster some times and never manually created SPNs...
So probably this will work in your case too ;)
0
 
St3veMaxCommented:
From what I'm aware of; if you are in a kerberos environment, when SQL is installed, it should create a SPN for you for the Cluster Name, not the individual node names, so you should be OK.

HTH
0
 
rk_india1Commented:
As a SQL Server Preparation for SQL 2008 cluster Setup it is mandatory to create the SPNs for the SQL Service account if you don't want to use the Kerberos authentication also

If you configure a domain user account to run the SQL Server service instead of the local system account (SQL Server best practice), a Service Principal Name (SPN) must be configured for the domain user account in Active Directory Domain Services. For more information about configuring a SQL Server service account SPN in Active Directory Domain Services, See the link: http://technet.microsoft.com/en-us/library/bb735885.aspx:
How to Configure an SPN for SQL Server Site Database Servers
Running the SQL Server service using the local system account of the SQL Server computer is not a SQL Server best practice. For the most secure operation of SQL Server site database servers, a low rights domain user account should be configured to run the SQL Server service.
A Service Principal Name (SPN) must be registered for the SQL Server service account (when the local system account will not be used) to allow clients to identify and authenticate the service using Kerberos authentication. The SetSPN utility can be used to register an SPN for the site database server SQL Server service account. The SetSPN utility must be run on a computer that resides in the SQL Server's domain and it must be run using Domain Administrator credentials. To properly configure an SPN for the SQL Server service account using the SetSPN utility, follow the steps in these procedures.
 Note
To use the SetSPN utility, or to open an ADSIEdit MMC console, you must first install the Microsoft Windows Server support tools. These tools are included in the support tools folder on both Windows 2000 Server and Windows Server 2003 CDs. To install the Windows Server support tools, navigate to \SUPPORT\TOOLS\ on the server's installation CD and run suptools.msi.
To manually create a domain user Service Principle Name (SPN) for the SQL Server service account
1.      Click Start, click Run and then enter cmd in the Run dialog box.
2.      From the command line, navigate to Windows Server support tools installation directory. By default, these tools are located in the C:\Program Files\Support Tools directory.
3.      Enter a valid command to create the SPN. The command should be in the form of: setspn A MSSQLSvc/<SQL Server computer name>:1433 <Domain\Account>.
 Note
The command to register an SPN for a SQL Server named instance is the same as that used when registering an SPN for a default instance except that the port number should match the port used by the named instance.
4.      Verify that the command completed successfully by reviewing the commands output for the updated object line.
To verify the domain user SPN is registered correctly using the ADSIEdit MMC console
1.      Click Start, click Run, and enter adsiedit.msc to launch the ADSIEdit MMC console.
2.      If necessary, connect to the site server's domain.
3.      In the console pane, expand the site server's domain, expand DC=<server distinguished name>, expand CN=Users, and right-click CN=<Service Account User>. On the context menu, click Properties.
4.      In the CN=<Service Account User> Properties dialog box, review the servicePrincipalName value to ensure that a valid SPN has been created and associated with the correct SQL Server.
To change the SQL Server service account from local system to a domain user account
1.      Create or select a domain or local system user account that will be used as the SQL Server service account.
2.      Open SQL Server Configuration Manager.
3.      Click SQL Server 2005 Services and then double click SQL Server<INSTANCE NAME>.
4.      On the Log on tab, select This account and enter the user name and password for the domain user account created in step 1 or click Browse to find the user account in Active Directory and then click Apply.
5.      Click Yes on the Confirm Account Change dialog box to confirm the service account change and restart the SQL Server Service.
6.      Click OK after the service account has been successfully changed.

0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
Srinivas_VengalaAuthor Commented:
rk_india1: I was able to install SQL Server 2008 cluster without manually creating the SPNs. After the installation I have checked in the Active Directory whether SQL cluster installation has created the SPNs automatically by using the ADSIEdit. There were no SPNs created for the SQL Server service domain account. All the connections to that SQL Cluster are using NTLM authentication. So, does it mean that if we don't want Kerberos for the SQL Cluster, we do not need to create the SPNs?
0
 
rk_india1Commented:
yes if we want to use the Karberos authentication that time Valid SPN creation is must either Kerberos authentication is not performed. At that point, the SSPI layer switches to an NTLM authentication mode and the logon uses NTLM authentication and typically succeeds.

If the SQL Server driver forms an SPN that is valid but is not assigned to the appropriate container, it tries to use the SPN but cannot, causing a "Cannot generate SSPI context" error message.

Please have a look on the link which give you the clear idea about the SPN used:http://support.microsoft.com/kb/811889
0
 
Srinivas_VengalaAuthor Commented:
Expected an article which confirms the statement.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.