SQL SERVER – Cluster Install Failure – Code 0x84cf0003 – Updating Permission Setting for Folder Failed

SQL
No Comments

SQL SERVER - Cluster Install Failure - Code 0x84cf0003 - Updating Permission Setting for Folder Failed SQL-Cluster There are various issues which I have seen SQL installation and most of the time they are intuitive. The error message is mostly helpful and provides the right direction. In this blog we would discuss error Updating permission setting for folder failed:

Here is the exact error which we could see in setup logs under the BootStrap folder.

Updating permission setting for folder ‘C:\ClusterStorage\FIN_Data\MSSQL\MSSQL13.MSSQLSERVER\MSSQL\DATA’ failed. The folder permission setting were supposed to be set to ‘D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;CO)(A;OICI;FA;;;S-1-5-80-1715010018-2870266783-3050454056-335720097-2195381415)’.

Permission error occurs when you use a volume mount point in SQL Server Setup

My client was not installing it on “root” of the mountpoint. The complete message from the Detail.txt is shown below. (I have added line number and remove DateTime for better visibility)

  1. SQLEngine: : Checking Engine checkpoint ‘SetSecurityDataDir’
  2. SQLEngine: –SqlEngineSetupPrivate: Setting Security Descriptor D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;CO)(A;OICI;FA;;;S-1-5-80-1715010018-2870266784-3050454057-335720098-2195381926) on Directory C:\ClusterStorage\FIN_Data\MSSQL\MSSQL13.MSSQLSERVER\MSSQL\DATA
  3. Slp: Sco: Attempting to set security descriptor for directory C:\ClusterStorage\FIN_Data\MSSQL\MSSQL13.MSSQLSERVER\MSSQL\DATA, security descriptor D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;CO)(A;OICI;FA;;;S-1-5-80-1715010018-2870266784-3050454057-335720098-2195381926)
  4. Slp: Sco: Attempting to normalize security descriptor D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;CO)(A;OICI;FA;;;S-1-5-80-1715010018-2870266784-3050454057-335720098-2195381926)
  5. Slp: Sco: Attempting to replace account with sid in security descriptor D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;CO)(A;OICI;FA;;;S-1-5-80-1715010018-2870266784-3050454057-335720098-2195381926)
  6. Slp: ReplaceAccountWithSidInSddl — SDDL to be processed: D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;CO)(A;OICI;FA;;;S-1-5-80-1715010018-2870266784-3050454057-335720098-2195381926)
  7. Slp: ReplaceAccountWithSidInSddl — SDDL to be returned: D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;CO)(A;OICI;FA;;;S-1-5-80-1715010018-2870266784-3050454057-335720098-2195381926)
  8. Slp: Prompting user if they want to retry this action due to the following failure:
  9. Slp: The following is an exception stack listing the exceptions in outermost to innermost order
  10. Slp: Inner exceptions are being indented
  11. Slp:
  12. Slp: Exception type: Microsoft.SqlServer.Configuration.Sco.SqlDirectoryException
  13. Slp: Message:
  14. Slp: Updating permission setting for folder ‘C:\ClusterStorage\FIN_Data\MSSQL\MSSQL13.MSSQLSERVER\MSSQL\DATA’ failed. The folder permission setting were supposed to be set to ‘D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;CO)(A;OICI;FA;;;S-1-5-80-1715010018-2870266784-3050454057-335720098-2195381926)’.
  15. Slp: HResult : 0x84cf0003
  16. Slp: FacilityCode : 1231 (4cf)
  17. Slp: ErrorCode : 3 (0003)

WORKAROUND/SOLUTION

We checked and made sure that service account was having below permission in security policy:

  • Act as Part of the Operating System
  • Bypass Traverse Checking
  • Lock Pages In Memory
  • Log on as a Batch Job
  • Log on as a Service
  • Replace a Process Level Token
  • Backup files and directories
  • Debug Programs
  • Manage auditing and security log

I gave all the possible permissions to the various account on the folders including “Full Control” to “Everyone”.

At last, we found that this was due to “Audit Object Access” policy, which was enabled from domain controller via GPO. Once we disabled it, the installation went fine.

Reference: Pinal Dave (https://blog.sqlauthority.com)

, , , , ,
Previous Post
SQL SERVER – Cannot Shrink Log File Because Total Number of Logical Log Files Cannot be Fewer than 2
Next Post
SQL SERVER – Installation Failure – Specified Instance Via Transform is Already Installed. MSINEWINSTANCE Requires a New Instance that is not Installed

Related Posts

Leave a Reply

Menu