Troubleshooting SQL Server Assessment

Docs

How To

DMC

Overview

When running DMC Database Assessment to scan SQL Server instances, you may encounter access issues, authentication failures, or configuration problems that prevent successful assessment.
This guide provides secure, streamlined steps to troubleshoot and resolve connectivity, credential, and configuration problems specific to SQL Server assessment.

Related Documentation: For general SQL Server requirements and setup, see the MS SQL Requirements documentation. For step-by-step instructions on running Database Assessment, see the Scan MS SQL guide.

Common Access Issues

SQL Server assessment typically fails due to one of these categories:

Network connectivity problems – Ports blocked, firewalls, SQL Server Browser service not running
Authentication failures – Invalid credentials, incorrect authentication mode, insufficient permissions
SQL Server configuration issues – Remote connections disabled, TCP/IP not enabled, Mixed Mode not configured
DMC configuration issues – .NET Runtime not installed, DMC not running as Administrator, credential format errors
System state problems – SQL Server service not running, SQL Server Browser service stopped

Troubleshooting Navigation

Use the cards below to navigate to specific troubleshooting areas:

Network Connectivity

Test ports, firewalls, and SQL Server Browser service

SQL Server Configuration

Remote connections, TCP/IP, authentication mode

Authentication Issues

Windows Auth, SQL Auth, credential format

Credential Issues

Permissions, account setup, credential mapping

DMC Configuration

.NET Runtime, Administrator privileges, credential format

Error Messages

Quick reference for common error solutions

Network Connectivity Issues

Verify Network Access

Test Basic Connectivity

ping <server-ip-or-hostname>

If ping fails, check:

Jumpbox network configuration
Target SQL Server NIC/IP settings
Firewall rules blocking ICMP

Test Required Ports

SQL Server Default Instance (Port 1433):

Test-NetConnection -ComputerName <server-ip> -Port 1433

SQL Server Browser Service (Port 1434 UDP):

Test-NetConnection -ComputerName <server-ip> -Port 1434 -Udp

For Named Instances: Named instances use dynamic ports. The SQL Server Browser service (port 1434 UDP) is required to discover the correct port.

# Test SQL Server Browser
Test-NetConnection -ComputerName <server-ip> -Port 1434 -Udp

# Test connection to named instance (browser will resolve port)
sqlcmd -S SERVERNAME\INSTANCENAME -E -Q "SELECT @@VERSION"

Check Firewall Rules

Windows Firewall (for SQL Server on Windows):

Port 1433 (TCP) – SQL Server default port
Port 1434 (UDP) – SQL Server Browser service (required for named instances)

Linux Firewall (for SQL Server on Linux):

Port 1433 (TCP) – SQL Server default port
Port 1434 (UDP) – SQL Server Browser service

Configure Windows Firewall:

# For Default Instance (Port 1433)
New-NetFirewallRule -DisplayName "SQL Server" -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Allow

# For SQL Server Browser (Port 1434)
New-NetFirewallRule -DisplayName "SQL Server Browser" -Direction Inbound -Protocol UDP -LocalPort 1434 -Action Allow

Configure Linux Firewall:

For firewalld (RHEL/CentOS/Fedora):

sudo firewall-cmd --permanent --add-port=1433/tcp
sudo firewall-cmd --permanent --add-port=1434/udp
sudo firewall-cmd --reload

For ufw (Ubuntu/Debian):

sudo ufw allow 1433/tcp
sudo ufw allow 1434/udp
sudo ufw reload

SQL Server Configuration

Enable Remote Connections

Remote connections must be enabled on SQL Server instances to allow DMC to connect and assess databases.

Check Remote Access Configuration

Open SQL Server Management Studio (SSMS)
Connect to the SQL Server instance
Right-click the server instance → Properties
Navigate to Connections page
Verify Allow remote connections to this server is checked

Enable Remote Access via T-SQL

If remote connections are disabled, run the following command:

EXEC sp_configure 'remote access', 1;
RECONFIGURE;

Enable TCP/IP Protocol

TCP/IP must be enabled on SQL Server instances to allow remote connections.

Enable TCP/IP via SQL Server Configuration Manager

Open SQL Server Configuration Manager
Navigate to SQL Server Network Configuration → Protocols for [INSTANCE_NAME]
Right-click TCP/IP → Enable
Right-click TCP/IP → Properties
Navigate to IP Addresses tab
Ensure IPAll section has TCP Dynamic Ports or TCP Port configured
Click OK
Restart the SQL Server service for changes to take effect

Verify TCP/IP is Enabled

Run the following PowerShell command to verify TCP/IP is enabled:

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\*\MSSQLServer\SuperSocketNetLib\Tcp" -Name Enabled

The value should be 1 if TCP/IP is enabled.

SQL Server Browser Service

The SQL Server Browser service must be running for named instance discovery and connection.

Start SQL Server Browser Service

Open Services (services.msc)
Locate SQL Server Browser service
Right-click → Properties
Set Startup type to Automatic
Click Start to start the service
Click OK

Start SQL Server Browser via PowerShell

Run the following command to start and configure SQL Server Browser:

Set-Service -Name SQLBrowser -StartupType Automatic
Start-Service -Name SQLBrowser

Verify SQL Server Browser is Running

Run the following command to verify the service is running:

Get-Service -Name SQLBrowser

The Status should show Running.

Important: The SQL Server Browser service is required for connecting to named instances. Without it, DMC cannot discover or connect to SQL Server instances that use named instances (e.g., SERVER\SQLEXPRESS). The service must be running and accessible on port 1434 (UDP).

SQL Server Authentication Mode Configuration

For SQL Server Authentication:

SQL Server must be configured to allow SQL Server authentication (Mixed Mode).

Configure Mixed Mode Authentication

Open SQL Server Management Studio
Connect to the SQL Server instance
Right-click the server instance → Properties
Navigate to Security page
Under Server authentication, select SQL Server and Windows Authentication mode
Click OK
Restart the SQL Server service for changes to take effect

Configure Mixed Mode via T-SQL

Run the following command to enable Mixed Mode authentication:

EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', 
    N'Software\Microsoft\MSSQLServer\MSSQLServer', 
    N'LoginMode', REG_DWORD, 2;

Then restart the SQL Server service.

Service Restart Required: Changing authentication mode requires restarting the SQL Server service. Plan for a maintenance window if changing authentication mode on production servers.

Authentication Issues

Windows Integrated Authentication

DMC supports Windows Integrated Authentication using domain or local Windows accounts.

Platform Limitation: Windows Integrated Authentication is only supported for SQL Server instances running on Windows. SQL Server instances running on Linux must use SQL Server Authentication.

Issue: “Access is denied” when using Windows credentials

Cause: DMC not running as Administrator or Windows impersonation failed

Solution:

Verify DMC is running as Administrator (check window title or Task Manager)
If not running as admin:
- Close DMC
- Right-click DMC icon → Run as administrator
- Re-enter license key if prompted
- Retry the assessment

Verify Administrator Privileges:

# Check if running as admin
([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

Issue: “Login failed” with Windows Authentication

Possible Causes:

Windows account doesn’t exist on the machine running DMC
Account doesn’t have SQL Server permissions
Incorrect username format

Solution:

Verify Username Format:
- Domain account: DOMAIN\username (e.g., CONTOSO\sqladmin)
- Local account: .\username (e.g., .\Administrator) or SERVERNAME\username

Verify Account Exists:

# For domain accounts
Get-ADUser -Identity sqladmin -Server CONTOSO

# For local accounts
Get-LocalUser -Name Administrator

Verify SQL Server Permissions:

-- Check if account has sysadmin role
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE name = 'DOMAIN\username' OR name = '.\username';

Grant Permissions if Needed:

-- Grant sysadmin role (recommended)
ALTER SERVER ROLE sysadmin ADD MEMBER [DOMAIN\username];

-- Or grant minimum permissions
GRANT VIEW SERVER STATE TO [DOMAIN\username];
GRANT VIEW ANY DATABASE TO [DOMAIN\username];
GRANT CONNECT SQL TO [DOMAIN\username];

Issue: “The directory name is invalid” with Windows credentials

Cause: Impersonated user doesn’t have access to DMC’s temp directories

Solution:

This should be automatically handled by DMC
If persists, try SQL Server Authentication instead
Or ensure the Windows account has broad filesystem permissions on the DMC machine

SQL Server Authentication

DMC supports SQL Server Authentication using SQL Server logins (username and password).

Critical Requirement for SQL Server Authentication: When using SQL Server Authentication (local SQL authentication), the SQL Server login account must exist on the jump box (the machine running DMC) as a local Windows user account with the same username and password. DMC requires this local account to be present on the jump box for SQL Server Authentication to work properly.

Issue: “Login failed” or “Authentication failed” with SQL Server Authentication

Possible Causes:

SQL Server not configured for Mixed Mode authentication
SQL Server login account doesn’t exist on the jump box as a local Windows user with the same password
Invalid credentials
SQL login doesn’t exist or is disabled
Incorrect username format (should not include backslash)

Solution:

Verify SQL Server is in Mixed Mode:

-- Check authentication mode
EXEC xp_instance_regread N'HKEY_LOCAL_MACHINE', 
    N'Software\Microsoft\MSSQLServer\MSSQLServer', 
    N'LoginMode';

Value 2 = Mixed Mode, Value 1 = Windows Only

Test Credentials Manually:

sqlcmd -S SERVERNAME\INSTANCENAME -U username -P password -Q "SELECT @@VERSION"

Verify SQL Login Exists:

SELECT name, type_desc, is_disabled, create_date
FROM sys.server_principals
WHERE type = 'S' AND name = 'username';

Enable SQL Login if Disabled:
```
ALTER LOGIN [username] ENABLE;
```

Reset Password if Needed:

ALTER LOGIN [username] WITH PASSWORD = 'NewPassword123!';

Verify Local Account Exists on Jump Box:
- The SQL Server login account must exist on the jump box as a local Windows user
- Username must match exactly (case-sensitive)
- Password must match exactly
- Create the local account if it doesn’t exist:
  # Create local user account on jump box New-LocalUser -Name "sqluser" -Password (ConvertTo-SecureString "Password123" -AsPlainText -Force) -Description "SQL Server Authentication Account"
Verify Username Format:
- Correct: sa, sqluser, dmauser (no backslash)
- Incorrect: DOMAIN\username, .\username (these indicate Windows Auth)

Issue: “SQL Server Authentication requires Mixed Mode”

Cause: SQL Server is configured for Windows Authentication only

Solution:

Enable Mixed Mode authentication (see SQL Server Authentication Mode Configuration above)
Restart SQL Server service
Retry the assessment

Credential Issues

Credential Format Errors

Issue: Incorrect username format in credentials

Windows Authentication Format:

Domain account: DOMAIN\username (e.g., CONTOSO\sqladmin, MYDOMAIN\dbuser)
Local account: .\username (e.g., .\Administrator, .\SQLAdmin) or SERVERNAME\username

SQL Server Authentication Format:

Username only: sa, sqluser, dmauser (no backslash, no domain prefix)

Critical Requirement: When using SQL Server Authentication, the SQL Server login account must exist on the jump box (the machine running DMC) as a local Windows user account with the same username and password. For example, if your SQL Server login is sqluser with password Password123, you must create a local Windows user account on the jump box named sqluser with the same password Password123.

Tip: The presence of a backslash (\) in the username automatically indicates Windows Authentication. If there’s no backslash, DMC uses SQL Server Authentication.

Common Format Errors:

Using DOMAIN\username format for SQL Server Authentication (should be username only)
Using username format for Windows Authentication (should include DOMAIN\ or .\)
Including spaces or special characters incorrectly

Solution:

Review the credential format in the Database Credentials screen
Verify the authentication type tag matches your intended authentication method
Edit the credential if the format is incorrect
Re-map credentials to SQL Server instances if needed

Permission Issues

Issue: “Permission denied” or “Insufficient permissions”

Cause: Account doesn’t have sufficient SQL Server permissions

Solution:

Verify Current Permissions:

-- Check server role membership
SELECT r.name AS RoleName, m.name AS MemberName
FROM sys.server_role_members rm
JOIN sys.server_principals r ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals m ON rm.member_principal_id = m.principal_id
WHERE m.name = 'username' OR m.name = 'DOMAIN\username';

-- Check explicit permissions
SELECT permission_name, state_desc
FROM sys.server_permissions
WHERE grantee_principal_id = USER_ID('username');

Grant sysadmin Role (Recommended):

-- For Windows account
ALTER SERVER ROLE sysadmin ADD MEMBER [DOMAIN\username];

-- For SQL Server login
ALTER SERVER ROLE sysadmin ADD MEMBER [username];

Grant Minimum Permissions (Least Privilege):

-- For Windows account
GRANT VIEW SERVER STATE TO [DOMAIN\username];
GRANT VIEW ANY DATABASE TO [DOMAIN\username];
GRANT CONNECT SQL TO [DOMAIN\username];

-- For SQL Server login
GRANT VIEW SERVER STATE TO [username];
GRANT VIEW ANY DATABASE TO [username];
GRANT CONNECT SQL TO [username];

Permission Levels: The sysadmin role provides complete assessment coverage. Minimum permissions (VIEW SERVER STATE, VIEW ANY DATABASE, CONNECT SQL) allow basic assessment but may not capture all migration readiness factors. See the MS SQL Requirements documentation for details.

Credential Mapping Issues

Issue: “No credential assigned” or credential mapping errors

Cause: SQL Server instance doesn’t have a credential mapped in the Credential Mapping screen

Solution:

Navigate to the Credential Mapping screen in DMC
Review the status indicator (e.g., “0/2 mapped”)
Use “Apply to all servers” dropdown to assign a credential to all instances
Or assign credentials individually using the dropdown in each server row
Verify all instances show a checkmark (✓) indicating credential assignment
Click Next only when all instances have credentials assigned

DMC Configuration Issues

.NET Runtime Issues

Issue: “.NET Runtime Required” modal appears

Cause: .NET Runtime 8.0 or above is not installed on the DMC machine

Solution:

Option 1: Install via DMC UI
- Click “Download .NET Runtime” button in the modal
- Run the downloaded installer
- Click “Retry” in the modal
- Restart DMC if still not detected
Option 2: Install Manually
- Download .NET Runtime 8.0 or later from the official .NET download page
- Run the installer
- Restart DMC
- The modal will not appear once .NET Runtime is installed

Verify .NET Runtime Installation:

# Check installed .NET Runtime versions
dotnet --list-runtimes

# Should show .NET Runtime 8.0 or higher

Version Compatibility: .NET Runtime 8.0, 9.0, or 10.0 (latest) all satisfy the requirement. The DMC UI download button installs the latest version (.NET 10.0), which is fully compatible.

Administrator Privileges

Issue: Assessment fails with “Access is denied” or impersonation errors

Cause: DMC is not running as Administrator

Solution:

Close DMC completely
Right-click DMC.exe → Run as administrator
Re-enter license key if prompted
Retry the assessment

Why Administrator is Required:

Windows Integrated Authentication: DMC must impersonate the specified Windows user, which requires Administrator privileges
SQL Server Authentication: Assessment operations require elevated privileges even though no impersonation occurs

Credential Format in DMC

Issue: Console output shows “Failed to parse connection string”

Cause: Special characters in password not handled correctly (rare, usually fixed in latest versions)

Solution:

Verify you’re using the latest version of DMC
Try re-entering the password in the credential
If persists, try using a password without special characters temporarily to test
Contact support if issue persists

Common Error Messages and Solutions

Based on the code flow and assessment reports, here are common error messages you may encounter:

Error Message / ErrorID	Likely Cause	Solution
“LoginFailure_RemoteConnectionNotAllowed”	Remote connections disabled on SQL Server	Enable remote connections in SQL Server Configuration Manager or SSMS
“Connection failed”	Network/firewall issues, SQL Server not accessible	Test port connectivity, check firewall rules, verify SQL Server service is running
“Authentication failed”	Invalid credentials, wrong authentication mode	Verify credentials, test with `sqlcmd`, check Mixed Mode for SQL Auth
“Permission denied”	Insufficient SQL Server permissions	Grant `sysadmin` role or minimum permissions (`VIEW SERVER STATE`, `VIEW ANY DATABASE`, `CONNECT SQL`)
“SQL Server Browser service is not running”	SQL Server Browser service stopped	Start SQL Server Browser service, set to Automatic startup
“TCP/IP protocol not enabled”	TCP/IP disabled in SQL Server Configuration Manager	Enable TCP/IP protocol, restart SQL Server service
“Access is denied” (Windows Auth)	DMC not running as Administrator	Run DMC as Administrator
“Login failed” (Windows Auth)	Account doesn’t exist on DMC machine or wrong format	Verify account exists, check username format (`DOMAIN\username` or `.\username`)
“Login failed” (SQL Auth)	SQL Server not in Mixed Mode, invalid credentials, or local account missing on jump box	Enable Mixed Mode authentication, verify credentials with `sqlcmd`, ensure SQL Server login account exists on jump box as local Windows user with same password
“Assessment returned error status”	Connection succeeded but assessment encountered errors	Review assessment report JSON file, check `Errors[]` array for specific error details
“The directory name is invalid”	Impersonated user lacks filesystem permissions	Try SQL Server Authentication instead, or grant filesystem permissions
".NET Runtime Required"	.NET Runtime 8.0+ not installed	Install .NET Runtime 8.0 or later, restart DMC

Understanding Assessment Report Errors

When an assessment completes with errors, the assessment report JSON file contains detailed error information:

Location: Assessment reports are saved in the output directory under each server’s folder:

C:\temp\scans\databaseassessments\<run-id>\<server-name>\SqlAssessmentReport-*.json

Error Structure:

{
  "Errors": [
    {
      "ErrorID": "LoginFailure_RemoteConnectionNotAllowed",
      "ErrorSummary": "SQL connection failed to server instance...",
      "Message": "Detailed error message...",
      "Guidance": "To resolve this error, try one of the following..."
    }
  ]
}

How to Review Errors:

Navigate to the assessment output directory
Open the SqlAssessmentReport-*.json file for the failed server
Look for the Errors[] array
Review ErrorID, ErrorSummary, and Guidance fields
Follow the guidance provided for each error

Connection Testing

Before running Database Assessment, verify connectivity to SQL Server instances manually.

Test Network Connectivity

Test Port Connectivity:

# Test SQL Server port (1433)
Test-NetConnection -ComputerName SERVERNAME -Port 1433

# Test SQL Server Browser (1434 UDP)
Test-NetConnection -ComputerName SERVERNAME -Port 1434 -Udp

Test SQL Server Connection

Windows Integrated Authentication:

# Test connection
sqlcmd -S SERVERNAME\INSTANCENAME -E -Q "SELECT @@VERSION"

# Test with specific Windows account (if available)
runas /user:DOMAIN\username "sqlcmd -S SERVERNAME\INSTANCENAME -E -Q \"SELECT @@VERSION\""

SQL Server Authentication:

# Test connection
sqlcmd -S SERVERNAME\INSTANCENAME -U username -P password -Q "SELECT @@VERSION"

Verify SQL Server Service Status

Check SQL Server Service:

# Check SQL Server service status
Get-Service -Name MSSQLSERVER
Get-Service -Name MSSQL$INSTANCENAME

# Check SQL Server Browser service
Get-Service -Name SQLBrowser

Start Services if Needed:

# Start SQL Server service
Start-Service -Name MSSQLSERVER

# Start SQL Server Browser service
Start-Service -Name SQLBrowser

Single Instance Assessment for Troubleshooting

When a SQL Server instance shows issues during batch assessment, it’s recommended to assess that specific instance individually to isolate the problem.

When to Use Single Instance Assessment

Use this approach when:

An instance shows as “Failed” in batch assessments
An instance appears in console output with specific errors
You want to test configuration changes on a specific instance
You want to verify credentials work for a single instance

Steps for Single Instance Assessment

Create Single Instance Entry

In the DMC UI, navigate to Database Assessment → SQL Server Discovery
Click Add Server Manually
Enter the exact hostname and instance name that failed
Click Add Server
Select only this instance using the checkbox

Configure Credentials

Navigate to Database Credentials step
Ensure you have a credential configured (or add one)
Use the exact same credential that failed in the batch assessment

Map Credential

Navigate to Credential Mapping step
Assign the credential to the single instance
Verify the status shows “1/1 mapped”

Run Single Instance Assessment

Navigate to Scan step
Review the summary (should show “1” SQL Server instance)
Click Run Scan
Monitor the console output for detailed error messages
Review the assessment results

Compare Results

Compare the single instance assessment results with the batch assessment results
If the single instance assessment succeeds, the issue may be related to:
- Batch processing limitations
- Resource contention during batch operations
- Network timing issues during concurrent assessments
If the single instance assessment fails, focus on the specific error messages and apply targeted fixes

Single instance assessment helps isolate whether issues are instance-specific or related to batch processing. This approach often reveals configuration problems that are masked during batch operations.

Reviewing Assessment Console Output

The DMC console output provides detailed information about each assessment attempt. Understanding the output helps identify issues quickly.

Successful Assessment Output

[1/3] WIN2019SRV3\SQLEXPRESS
Starting SQL assessment using Windows Integrated Authentication
Assessment completed successfully
Success: Issues: 4, Objects: 690/690, Time: 00:02:00, Status: Completed
  Databases assessed: 2

What This Shows:

Instance name and number in sequence
Authentication method used
Success status
Number of issues found
Objects assessed
Time taken
Number of databases assessed

Failed Assessment Output

[2/3] WIN2019SRV2\SQLEXPRESS
Starting SQL assessment using Windows Integrated Authentication
Failed: Assessment returned error status
  Error: LoginFailure_RemoteConnectionNotAllowed
  Error -1 - SQL connection failed...

What This Shows:

Instance name and number in sequence
Authentication method used
Failure status
Error ID (e.g., LoginFailure_RemoteConnectionNotAllowed)
Error message details

Exporting Console Log

You can export the console output for detailed analysis:

During or after assessment, click Export Log button
Save the log file
Review the log file for detailed error messages and timestamps
Use the log file to identify patterns or recurring issues

Next Steps

After troubleshooting and resolving issues:

Re-test Connectivity – Verify ports, firewall, and SQL Server services
Re-validate Credentials – Test credentials manually with sqlcmd
Re-run Assessment – Start with a single instance to verify fixes
Monitor Console Output – Watch for any new error messages
Review Assessment Reports – Check JSON reports for detailed error information
Run Full Assessment – Once single instance succeeds, run full batch assessment

Still Having Issues? If you’ve followed all troubleshooting steps and issues persist, review the assessment report JSON files for detailed error information. The Errors[] array in each report contains specific error IDs and guidance for resolution.