SQL Server升級安全性群組SID（安全性識別碼）檢查規則失敗

今天在論壇看到有使用者出現Security Group upgrade rule失敗 錯誤：rule "Security Group SID(Security Identifier)" failed。發生這個錯誤的原因是SQL Server建立的Windows本機群組SID資訊與註冊表中的SID不匹配，需要用 WHOAMI /GROUPS查出正確的SID然後替換註冊表中的錯誤SID，問題可以解決。

 

具體步驟參考：

 

Problem

Last month I was working on a SQL Server 2005 to SQL Server 2008 R2
upgrade.  Unfortunately, we were not able to complete our upgrade because of a failing a upgrade rule named "Security Group SID (Security Identifier)".  The SQL Server Upgrade Setup Wizard did not enable the 'Next' button in order to proceed with the upgrade
until this failure was resolve.  In this tip, I will describe the reason for this failure and how I fixed the issue in order to have a successful upgrade.

Solution

As I described in the problem statement, we were not able to upgrade our SQL Server because one of the upgrade rules i.e. "Security Group SID (Security Identifier)" failed during the setup process.  The SQL Server 2008 R2 Upgrade Setup Wizard would not allow
us to proceed and disabled the "Upgrade Rules" page as shown below.

For the detailed error message, I clicked on "Failed" hyperlink in the status column to read more about the error, but this was not enough to help me understand the issue.  Here is the screen shot:

So I decided to check the upgrade log files to find out the main reason why this rule failed. The upgrade and installation log files are save in the setup bootstrap folder.  As such, my log files are stored in the C:\Program Files\Microsoft SQL Server\100\Setup
Bootstrap\Log\' folder.

In the log file, I found the following detailed error messages:

As per the above error log messages highlighted in red, you can see SQL Server setup is trying to read account information from the Windows registry. What the upgrade wizard is doing is reading account information  i.e. SIDs from the registry and then searching
for the correct account based on the exact SID (Security Identifiers) for the groups in the local Computer Management. As such, the SIDs should be the same in Computer Management and the Windows registry hive for all groups.  Unfortunately in this circumstance
SQL Server setup is not able to find the account information for three accounts.

Those account SIDs are the SQL Server service groups account that were created during the SQL Server 2005 installation. The error message indicates that SQL Server is not able to map the SIDs to the names of the service group accounts.  All three accounts
can be found in SQL Server as logins and in Computer Management.  The SQLGroup account is used for the SQL Server Database Engine, AGTGroup is used for SQL Server Agent and FTSGroup is used for Full Text Search,  SQL Server creates a system account for all
its features when you install it.  If you have SQL Server Reporting Services and SQL Server Analysis Services installed then a additional accounts would be created and assigned SIDs.  Below are the SQL Server 2005 group account names:

• SQLServer2005DTSUser$SERVERNAME
• SQLServer2005MSFTEUser$SERVERNAME$MSSQLSERVER
• SQLServer2005MSSQLServerADHelperUser$SERVERNAME
• SQLServer2005MSSQLUser$SERVERNAME$MSSQLSERVER
• SQLServer2005NotificationServicesUser$SERVERNAME
• SQLServer2005SQLAgentUser$SERVERNAME$MSSQLSERVER
• SQLServer2005SQLBrowserUser$SERVERNAME

Resolving the Upgrade SQL Server 2008 R2 Security Group SID (Security Identifier) Issue

Below outlines the step by step process which I followed to resolve this issue.

Step 1 - After reading log file I decided to look into registry location which is mentioned in error log file:

My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup

Here are the applicable parameters from the registry location:

As you can see in the above screenshot, the SIDs are the same as in error log. As such, our next step is to find out the SIDs for all these system accounts in Computer Management.

Step 2 - At the DOS prompt, I used the "WHOAMI" command to find out the system accounts in Computer Management.  This utility can be used to get the user name and group information along with the respective security identifiers (SID), privileges,
logon identifier (logon ID) for the current user on the local system. i.e. who is the current logged on. If you are not part of these accounts then add yourself in all of the group accounts.  Normally the SQL Server Service Account would be part of all the
group accounts.

WHOAMI /GROUPS

Now you can see the issue. The SID for same account in above screenshot is different than the SID in registry or error log. So now our next step will be copy to the SID from the above screenshot for each group which is causing the upgrade failure and replace
this value in the registry hive. Make sure you backup your registry before making any changes.

Step 3 - To replace the registry value double click on the group which is highlighted in red from step 1 and replace the SID with the value from the WHOAMI command in the above screenshot. Follow this process for all three groups and replace
the appropriate values.

Step 4 - Now reboot the server and start your upgrade again. This time the Upgrade to SQL Server 2008 R2 wizard should recognize the correct SID values enable you to proceed past the "Upgrade Rules" interface.

 文章來源：http://www.mssqltips.com/sqlservertip/2569/sql-server-2008-r2-upgrade-failure-due-to-security-group-upgrade-rule/