I’m setting up an instance of Virtual Machine Manager 2012 R2 in our multitenant environment. The MT domain is separate from the CORP domain. Most of our initial users will be in CORP, but over time we will bring on more and more users who use ADFS to log in to the MT domain.
There is a one-way trust between MT and CORP: MT trusts CORP but not the other way around. When we set up SQL, we used an account on MT to run SQL Server and VMM. Users in MT can log in to VMM just fine, but users in CORP get the following error:
The SQL Server service account does not have permission to access Active Directory Domain Services (AD DS).
Ensure that the SQL Server service is running under a domain account or a computer account that has permission to access AD DS. For more information, see “Some applications and APIs require access to authorization information on account objects” in the Microsoft Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=121054.
ID: 2607
What this error means is that the SQL Server Service Account cannot authenticate the user on CORP, because the CORP Active Directory server is telling it “I don’t trust you, go away!”
Since MT trusts CORP, an easy way to fix this is to change the SQL Server Service Account to one that is on the CORP domain, but that’s ugly and makes me uncomfortable.
I’m not actually sure what the answer is here. We are also deploying federation, so perhaps I will try to federate an MT account to CORP and try that.
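As an added diagnostic (not part of the original post), the following PowerShell reads the account running the SQL Server service and the direction of the trust toward the users' domain, then flags the one-way-trust condition described above. It assumes an MT-joined host with the ActiveDirectory RSAT module, a default SQL instance (service name MSSQLSERVER), and a placeholder DNS name for the CORP domain.

```powershell
# Added diagnostic, not from the original post or from VMM/SQL Server itself.
# Assumptions: run on an MT-joined host with the ActiveDirectory module; default SQL instance.
Import-Module ActiveDirectory

$ServiceName   = 'MSSQLSERVER'       # assumption: default instance
$UserDomainDns = 'corp.example.com'  # PLACEHOLDER: DNS name of the domain the failing users come from

# 1. Which account runs SQL Server, and which domain does it belong to?
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName not found on $env:COMPUTERNAME" }
$svcAccount = $svc.StartName                       # e.g. MT\svc_sql or NT SERVICE\MSSQLSERVER
$svcDomain  = if ($svcAccount -match '^(?<dom>[^\\]+)\\') { $Matches.dom } else { $null }
"SQL service account: $svcAccount (domain: $svcDomain)"

# 2. How does the local (MT) domain trust the users' domain?
#    Direction is from the local domain's point of view:
#      Outbound      = local domain trusts the target (target's users can log on here)
#      Inbound       = the target trusts the local domain
#      BiDirectional = both
$trust = Get-ADTrust -Filter * | Where-Object { $_.Target -eq $UserDomainDns } | Select-Object -First 1
if (-not $trust) { throw "No trust with $UserDomainDns found from $env:USERDNSDOMAIN" }
"Trust $($trust.Source) -> $($trust.Target): Direction=$($trust.Direction)"

# 3. Reading a CORP user's authorization data means the SQL service account must itself be
#    authenticated by a CORP DC. That only works if CORP trusts the account's domain.
$localNetbios = (Get-ADDomain).NetBIOSName
# Virtual/built-in accounts (NT SERVICE, NT AUTHORITY, LocalSystem) act as the local computer account.
$svcInLocal = ($svcDomain -eq $localNetbios) -or ($svcDomain -in @('NT SERVICE', 'NT AUTHORITY', $null))
$userDomainTrustsLocal = "$($trust.Direction)" -in @('Inbound', 'BiDirectional')

if ($svcInLocal -and -not $userDomainTrustsLocal) {
    "RESULT: $svcAccount lives in $localNetbios, but $UserDomainDns does not trust $localNetbios " +
    "(trust is $($trust.Direction) only). $UserDomainDns DCs will refuse to authenticate the SQL " +
    "service account when it looks up a $UserDomainDns user's authorization data; this is the " +
    "condition behind VMM error ID 2607."
} else {
    "RESULT: no trust-direction problem detected for $UserDomainDns users; check the service " +
    "account's AD read permissions instead."
}
```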