I'm getting the following event log entry from Sql Server 2012:
SQL Server Scheduled Job 'Replication agents checkup' - Status: Failed - Invoked on: 2012-08-04 10:00:00 - Message: The job failed. Unable to determine if the owner (AD\Administrator) of job Replication agents checkup has server access (reason: Could not obtain information about Windows NT group/user 'AD\Administrator', error code 0x6e. [SQLSTATE 42000] (Error 15404)).
I assume this is happening because Sql Server 2012 is using a Virtual Account that can't retrieve the active directory information it needs. From the Sql Server 2012 documentation:
Virtual accounts in Windows Server 2008 R2 and Windows 7 are managed local accounts that provide the following features to simplify service administration. The virtual account is auto-managed, and the virtual account can access the network in a domain environment. If the default value is used for the service accounts during SQL Server setup on Windows Server 2008 R2 or Windows 7, a virtual account using the instance name as the service name is used, in the format NT SERVICE\(SERVICENAME). Services that run as virtual accounts access network resources by using the credentials of the computer account in the format (domain_name)\(computer_name)$.
So, the question is: How do I create permissions in my domain controller for the (domain_name)\(computer_name)$ user, and which permissions do I need to grant for Sql Server 2012 to be able to retrieve the information it requires? Or, do I need to switch to a Managed Service Account for this to work properly? Or, should I change the owner of the job to something else?
By default the service account will be able to see the domain and query it as needed.
This is a problem that comes up every once and a while. Change the job owner to sa and click OK. Then change it back to AD\Administrator and click ok. The next time the job runs it should run fine.
I tried the other two answers given but neither of them helped my situation. Ultimately the only way I was able to get this to work was to switch from a Virtual Account (VA) to a Managed Service Account (MSA) as described here and here.
Also, I was unable to get transactional replication to work with either a VA or an MSA--in both cases the Job History log always showed an authentication error. Eventually I reverted to using a normal domain user for the various replication agents and it worked.
Verify that the computers network service account has permissions to read AD groups. I think in an AD environment it would be better to use a MSA account rather than a virtual account.