Error 15401 when trying to create a new Windows Login
I was working on a customer scenario on my virtual machine recently. I have a Windows 2008 Domain Controller and another member server that runs my SQL 2008 instance (all VMs running on Hyper-V). When I tried to create a new Windows login from SSMS, I got this well-known error 15401:
Error Text
Msg 15401, Level 11, State 1
Windows NT user or group 'DOMAIN\username' not found. Check the name again.
There is already a KB article that talks about some of the known scenarios when you could get Error 15401 in SQL Server. None of these matched my scenario.
How to troubleshoot error 15401
http://support.microsoft.com/kb/324321/en-us
Since these are virtual machines running on Hyper-V, I had made sure when I created the VMs that none of the machine SIDs were duplicates. I had used newSID.exe to ensure that each client machine joined to my DC had a unique machine SID.
Since I was not able to add a new login, I used xp_logininfo to see if I can retrieve
Msg 15404, Level 16, State 11, Procedure xp_logininfo, Line 62
Could not obtain information about Windows NT group/user 'MyDomain\NewUser', error code 0x6fd.
Pay attention to the Windows Error Code 0x6fd that was returned by xp_logininfo.
0x6fd (hex) translates to Win32 error 1789 –> The trust relationship between this workstation and the primary domain failed.
Now, I have only one Domain Controller, so there are no cross-domain trusts I need to set up. If your environment does have multiple domains, you might want to check the state of the trust relationship between them. Anyway, in my case that did not apply. So what could be the issue here?
My SQL Server service account was running under a domain account. This account is what SQL Server uses to query AD and retrieve account info when creating a new login. If your SQL Server is running on Windows 7/2008 R2, there is a hotfix that might fix this issue for you –> http://support.microsoft.com/kb/976494
To resolve this issue I followed these steps. Please note that this worked for me and might not work for your scenario. I am posting this out just as an FYI in case it helps anyone else encountering a similar scenario.
1. Login to the SQL Server machine and open a command prompt with elevated credentials (Run-As Administrator).
2. Run the following command which will reset the password for the machine account
netdom resetpwd /server:<DomainControllerName> /userd:<domain\domainadminuser> /passwordd:<password>
E.g. netdom resetpwd /server:CONTOSO-DC /userd:CONTOSO\administrator /passwordd:MyDCPassw0rd
Expected output: The machine account password for the local machine has been successfully reset.
3. Restart the Netlogon service on the SQL Server machine.
4. Clear the Kerberos tickets on the SQL Server machine from command prompt
klist purge
Expected output: Deleting all tickets: Ticket(s) purged!
5. After this was done, I re-ran xp_logininfo 'contoso\newlogin' and this time it completed and did not give error 15401. [I did not restart my SQL Server service]
6. Now, I was able to add the login from SSMS or using CREATE LOGIN.
A key point here is step #2: the netdom command needs to be run from the machine whose machine account password you want to reset, and resetting a machine account password requires domain admin credentials, which netdom.exe will prompt for or take on the command line. In our scenario, that machine is the SQL Server machine. More information about what netdom.exe does is available in this KB article –> http://support.microsoft.com/kb/325850
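The following PowerShell script is an added example and is not part of the original post; it pulls together the two diagnostic ideas above (decoding the Win32 error code that xp_logininfo returned, and checking the machine's secure channel to the domain before and after the reset in step #2). It assumes Windows PowerShell on the domain-joined SQL Server host, the built-in Test-ComputerSecureChannel and Reset-ComputerMachinePassword cmdlets, and sqlcmd for the final verification; the DC name CONTOSO-DC and the login CONTOSO\newlogin are placeholders taken from the post's example values.

```powershell
# Added example, not the original author's script. Run elevated on the SQL Server host.
# Placeholders (assumptions, not from the post): the DC name and the login being checked.
param(
    [string]$DomainController = 'CONTOSO-DC',   # replace with your DC
    [string]$LoginToCheck     = 'CONTOSO\newlogin',
    [switch]$Repair                             # only reset the machine password when asked to
)

function ConvertFrom-XpLogininfoError {
    # Extracts the "error code 0x..." token from a Msg 15404 message and translates it
    # into the Win32 error number and text, so 0x6fd becomes 1789 / trust relationship failed.
    param([Parameter(Mandatory)][string]$Message)
    if ($Message -match 'error code 0x([0-9A-Fa-f]+)') {
        $code  = [Convert]::ToInt32($Matches[1], 16)
        $win32 = New-Object System.ComponentModel.Win32Exception($code)
        return [pscustomobject]@{
            Hex     = ('0x{0:x}' -f $code)
            Decimal = $code
            Text    = $win32.Message
        }
    }
    return $null
}

# Constructed sample message, copied from the shape of the post's xp_logininfo output.
$sample = "Could not obtain information about Windows NT group/user 'MyDomain\NewUser', error code 0x6fd."
ConvertFrom-XpLogininfoError -Message $sample | Format-List
# Decimal 1789: "The trust relationship between this workstation and the primary domain failed."

# Does the secure channel between this host and the domain still verify? Two views of the same thing:
$channelOk = Test-ComputerSecureChannel -Server $DomainController -Verbose
nltest /sc_query:$env:USERDOMAIN

if (-not $channelOk -and $Repair) {
    # PowerShell equivalent of the post's "netdom resetpwd": must run on the host whose
    # machine account is being reset, with domain admin credentials (prompted for here
    # rather than passed on the command line so the password does not land in history).
    $cred = Get-Credential -Message 'Domain admin account for the machine password reset'
    Reset-ComputerMachinePassword -Server $DomainController -Credential $cred

    Restart-Service Netlogon        # step 3 of the post
    klist purge                     # step 4 of the post: drop cached Kerberos tickets

    $channelOk = Test-ComputerSecureChannel -Server $DomainController
}

if ($channelOk) {
    # Step 5 of the post: re-run xp_logininfo for the login that previously failed with 15401.
    sqlcmd -S . -E -Q "EXEC xp_logininfo '$LoginToCheck'"
} else {
    Write-Warning "Secure channel to $DomainController still fails; re-run with -Repair or use netdom resetpwd."
}
```

Without -Repair the script only reports: it decodes the error code and verifies the secure channel, which is the check to run first on any SQL Server host that suddenly returns 15401 for logins that exist in AD. A failing secure channel (or a 1789 from xp_logininfo) points at the machine account rather than at the login name, which is why the post's fix does not involve SQL Server itself.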