I hope someone can assist with my question:
Production Environment running:
SQL Server 2005 – 9.00.2153.00 (Intel X86) Standard Edition
Windows NT 5.2 (Build 3790: Service Pack 1)
Using a domain service account.
The problem that was encountered:
I have a two node cluster; I will call the nodes – node1 and node2.
– SQL Server has been running on node1 since I started DBA support for the SQL Cluster.
– Recently an incident occurred which caused SQL to failover onto node2.
– When SQL started up the following errors were displayed in the error log.
2009-02-21 11:06:59.90 spid5s Error: 15466, Severity: 16, State: 1.
2009-02-21 11:06:59.90 spid5s An error occurred during decryption.
2009-02-21 11:07:00.13 Server Error: 17190, Severity: 16, State: 1.
2009-02-21 11:07:00.13 Server FallBack certificate initialization failed with error code: 4.
2009-02-21 11:07:00.13 Server Warning:Encryption is not available, could not find a valid certificate to load.
– In addition to this I noticed that the existing full text indexes could not be used.
After a lot of investigation I ended up failing it back onto node1 again ... and the errors / warning disappeared and FTI works. When SQL Server starts up now, I receive the following message in the logs:
2009-02-23 19:06:12.87 Server A self-generated certificate was successfully loaded for encryption.
Is that if it ever fails over again …… the same problem will occur again.
Backup of SMK
Now that it is running on node 1 I have backed up the SMK using the command:
BACKUP SERVICE MASTER KEY TO FILE = 'H:\smk_20090224.smk' ENCRYPTION BY PASSWORD = 'aspecificpassword'
What I would like to do:
1. I would like to schedule some downtime of the system and fail it over onto node2 (where the decryption error occurs) and try to restore the SMK using the backup taken from node1, i.e.:
RESTORE SERVICE MASTER KEY FROM FILE = 'H:\smk_20090224.smk' DECRYPTION BY PASSWORD = 'aspecificpassword';
Does this sound plausible; is this the right thing to do?
2. Does anyone know how I can recreate this error, so I can test it out?