BUG: Unable to Grant Logins from Global Group with SQL Security

Last reviewed: December 15, 1997
Article ID: Q178111
The information in this article applies to:
  • Microsoft SQL Server version 6.5
BUG #: 17507 (6.50)

SYMPTOMS

Granting logins to members of global groups or expanding a global group in SQL Security Manager may cause an error message if either of the following conditions is true:

  • The MSSQLServer service account is not a member of the domain that the global group belongs to.

    -or-

  • The MSSQLServer service account is not a member of a domain that is trusted by the global group's domain.

The error message that you receive is:

   Msg No 0,  Severity 1,  State 1
   Unable to successfully query domain controller

WORKAROUND

To work around this problem, do any one of the following:

  • Start the MSSQLServer service as the local system account.
  • Start the MSSQLServer service as a domain user account from the global group's domain, making sure that the domain user account is also a member of the local Administrators group on the SQL Server. However, if there are other global groups from other trusted domains, you will not be able to see those users unless the domain of the service account is trusted by the domains of the other global groups.
  • Instead of adding global groups to the local group on the SQL Server, add the users from the trusted domain directly to the local group on the SQL Server.

STATUS

Microsoft has confirmed this to be a problem in SQL Server version 6.5. A supported fix is now available, but has not been fully regression-tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next Service Pack that contains this fix. Contact Microsoft Technical Support for more information.

MORE INFORMATION

The error occurs when xp_logininfo is called by Security Manager on the global group. The following is an example of a case where xp_logininfo fails:

  • SQL Server is installed in a resource domain named DomR.
  • On the SQL Server, a local group is created named SLocal.
  • A global group named SGlobal from a trusted domain named DomT is added to SLocal.
  • In Security Manager, login permissions are granted for SLocal.

When you expand the local group, Security Manager calls xp_logininfo:

   master.dbo.xp_logininfo 'SLocal','members'

When you expand the global group, Security Manager again calls xp_logininfo:

   master.dbo.xp_logininfo 'DomT\SGlobal','members'

At this point, you will receive the following error message:

   Unable to successfully query domain controller
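The conditions above depend on the direction of the trust, so the following added example (not part of the original article and not Microsoft code) models them to predict which global groups can be expanded under a given MSSQLServer service account. It assumes DomR trusts DomT one-way, as a resource domain normally would; the account name sqlsvc, the domain DomX, the group Ops and the LocalSystem marker are hypothetical.

```python
LOCAL_SYSTEM = "LocalSystem"  # hypothetical marker for the local system account

def domain_of(account):
    """Return the upper-cased domain part of a DOMAIN\\name string."""
    domain, sep, _name = account.partition("\\")
    if not sep or not domain:
        raise ValueError(f"expected DOMAIN\\name, got {account!r}")
    return domain.upper()

def can_expand(service_account, global_group, trusts):
    """Predict whether expanding global_group succeeds, per the article's conditions.

    trusts is a set of (trusting_domain, trusted_domain) pairs; trust is one-way.
    """
    if service_account == LOCAL_SYSTEM:
        return True, "local system account (the article's first workaround)"
    svc, grp = domain_of(service_account), domain_of(global_group)
    if svc == grp:
        return True, "service account is in the group's domain"
    edges = {(a.upper(), b.upper()) for a, b in trusts}
    if (grp, svc) in edges:
        return True, f"{grp} trusts {svc}"
    return False, f"{grp} does not trust {svc}: expect 'Unable to successfully query domain controller'"

def audit(service_account, global_groups, trusts):
    """Map each global group to (ok, reason) for the given service account."""
    return {g: can_expand(service_account, g, trusts) for g in global_groups}

# Constructed sample: resource domain DomR trusts account domains DomT and DomX.
# Neither DomT nor DomX trusts DomR, and they do not trust each other.
TRUSTS = {("DomR", "DomT"), ("DomR", "DomX")}
GROUPS = ["DomT\\SGlobal", "DomX\\Ops"]

if __name__ == "__main__":
    for account in ("DomR\\sqlsvc", "DomT\\sqlsvc", LOCAL_SYSTEM):
        print(account)
        for group, (ok, reason) in audit(account, GROUPS, TRUSTS).items():
            print(f"  {group}: {'ok' if ok else 'FAIL'} - {reason}")
```

With a DomT service account, DomT\SGlobal expands but DomX\Ops still fails, which is the limitation noted in the second workaround.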


Keywords : kbbug6.50 SSrvStProc
Version : WINNT:6.5
Platform : winnt
Issue type : kbbug
Solution Type : kbfix

