Yesterday I was at a site
where they decided to change the service account for the SQL Server services on
a set of systems. After changing the service accounts, SQL Server restarted
just fine on all machines except one.
I had used the SQL Server
Configuration Manager to make the changes (important to not just use the
Services applet in Administrative Tools) but I got the typical error telling me
that the service wouldn’t start in a timely fashion. The server was running SQL
Server 2008 R2 SP2.
Looking in the system
event log produced the following errors:
The SQL Server (MSSQLSERVER) service terminated with
service-specific error %%-2146885628.
A fatal error occurred when attempting to access the
SSL server credential private key. The error code returned from the
cryptographic module is 0x8009030d. The internal error state is 10001.
I spent a while looking
for info on the last error and found a site where they discussed that it was
generated when the service account could not read the machine keys that were
stored in the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
folder. The article then discussed how to add read permissions for the keys one
It suddenly dawned on me
that it was probably a problem with the permissions on the folder instead.
Checking the permissions on that folder made me realize that the local Administrators
account should have the ability to read it. The service account was meant to be
a member of the local Administrators account but had not been added to that
group on this machine.
Adding the service
account to the local Administrators group on the machine (note: not the domain
administrators account) fixed the issue and the service started again, until I could get the correct account permissions set in the morning when other staff came back. (In the comments I've added a list of what's actually required).
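A read-only check for the condition described above, as an added example that is not part of the original post: it reports the account the service logs on as, whether that account is a direct member of the local Administrators group, and which key files carry an Allow entry granting it Read. The service name `MSSQLSERVER` (taken from the event log text) and the helper name `Test-ReadAce` are assumptions; the script compares ACL entries directly and does not resolve nested groups or Deny entries.

```powershell
# Added example: read-only diagnostic, run from an elevated PowerShell prompt.
$serviceName = 'MSSQLSERVER'   # assumption: default instance, as in the event log text
$keyDir = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'

# Account the service is configured to log on as.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { throw "Service $serviceName not found" }
$account = $svc.StartName
# '.\user' is listed as 'user' by net localgroup and as 'MACHINE\user' in ACLs.
$shortName = $account -replace '^\.\\', ''
$aclName = $account -replace '^\.\\', "$env:COMPUTERNAME\"

# Direct membership of the local Administrators group (nested groups not resolved).
$isLocalAdmin = (net localgroup Administrators) -contains $shortName
$principals = @($aclName)
if ($isLocalAdmin) { $principals += 'BUILTIN\Administrators' }

# Hypothetical helper: does the ACL hold an Allow entry granting Read to a principal?
function Test-ReadAce($path, $names) {
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    foreach ($ace in (Get-Acl -Path $path -ErrorAction Stop).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $names -contains $ace.IdentityReference.Value -and
            ($ace.FileSystemRights -band $read) -eq $read) { return $true }
    }
    return $false
}

"Service account     : $account"
"Local Administrators: $isLocalAdmin"
"Folder ACL for $keyDir"
(Get-Acl -Path $keyDir).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize

# -Force so hidden or system key files are included in the listing.
Get-ChildItem -Path $keyDir -Force | ForEach-Object {
    $file = $_
    try { $result = Test-ReadAce $file.FullName $principals }
    catch { $result = 'ACL unreadable: ' + $_.Exception.Message }
    New-Object PSObject -Property @{ KeyFile = $file.Name; ReadAce = $result }
} | Format-Table KeyFile, ReadAce -AutoSize
```

A `False` in the `ReadAce` column together with `Local Administrators: False` is consistent with the situation described in this post, where the service account could not read the machine keys.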
Hope this helps someone
else. (And helps me the next time I see this and have forgotten what it was :) )