
SQL Server Error 35250 - Causes & Fixes

Fix SQL Server Error 35250 (Always On endpoint connectivity failures) with diagnostic queries and production-safe scripts for database mirroring endpoint authentication problems.

Quick Answer

SQL Server Error 35250 occurs when a secondary replica cannot connect to the Always On availability group database mirroring endpoint during database synchronization setup. This endpoint connectivity failure prevents the secondary database from joining the availability group and typically indicates network configuration, certificate authentication, or endpoint state issues.

Root Cause Analysis

Error 35250 manifests when the Always On availability group subsystem attempts to establish a database mirroring endpoint connection between replicas but encounters authentication or network connectivity failures. The database mirroring endpoint (typically TCP port 5022) handles all Always On traffic using either Windows Authentication or certificate-based authentication depending on your configuration.

The Always On transport layer requires bidirectional endpoint connectivity. When a secondary replica joins an availability group, it initiates a handshake with the primary replica's endpoint. If this handshake fails due to authentication mismatches, network ACLs, firewall rules, or endpoint state issues, SQL Server generates this error and cannot establish the required data synchronization channel.

SQL Server 2016 introduced enhanced endpoint security validations that can trigger this error more frequently than in earlier versions. SQL Server 2019 and later versions provide more granular endpoint monitoring through extended events. The endpoint connection is authenticated with the SQL Server service account, so service account changes or Kerberos delegation issues commonly trigger this error in domain environments.

The Always On transport manager maintains endpoint state information in memory structures that persist until service restart. Endpoint configuration changes sometimes require service restarts to take effect completely, particularly when switching authentication modes or modifying encryption settings.

AutoDBA checks Always On availability group health, endpoint connectivity status, and replica synchronization monitoring across your entire SQL Server instance in 60 seconds. Download the free diagnostic script and see what else needs attention.

Diagnostic Queries

-- Check endpoint configuration and state on all replicas
-- (the listener port is exposed by sys.tcp_endpoints, not by sys.database_mirroring_endpoints)
SELECT 
    e.name AS endpoint_name,
    e.type_desc,
    e.state_desc,
    t.port,
    e.is_encryption_enabled,
    e.encryption_algorithm_desc,
    e.connection_auth_desc,
    e.role_desc
FROM sys.database_mirroring_endpoints e
INNER JOIN sys.tcp_endpoints t ON e.endpoint_id = t.endpoint_id
WHERE e.type_desc = 'DATABASE_MIRRORING';
-- Verify Always On availability group replica connectivity status
SELECT 
    r.replica_server_name,
    r.endpoint_url,
    rs.connected_state_desc,
    rs.last_connect_error_number,
    rs.last_connect_error_description,
    rs.last_connect_error_timestamp
FROM sys.availability_replicas r
INNER JOIN sys.dm_hadr_availability_replica_states rs 
    ON r.replica_id = rs.replica_id;
-- Check current Always On / mirroring endpoint connections
SELECT 
    c.session_id,
    c.connect_time,
    c.net_transport,
    c.protocol_type,
    c.auth_scheme,
    c.endpoint_id,
    e.name AS endpoint_name,
    e.state_desc AS endpoint_state
FROM sys.dm_exec_connections c
INNER JOIN sys.database_mirroring_endpoints e ON c.endpoint_id = e.endpoint_id
WHERE e.type_desc = 'DATABASE_MIRRORING';
-- Validate service account permissions on database mirroring endpoints
-- The permission is stored as CONNECT with class_desc = ENDPOINT
SELECT 
    p.permission_name,
    p.class_desc,
    p.state_desc,
    e.name AS endpoint_name,
    pr.name AS principal_name,
    pr.type_desc AS principal_type
FROM sys.server_permissions p
INNER JOIN sys.server_principals pr ON p.grantee_principal_id = pr.principal_id
INNER JOIN sys.database_mirroring_endpoints e ON p.major_id = e.endpoint_id
WHERE p.class_desc = 'ENDPOINT'
  AND p.permission_name = 'CONNECT';
-- Check for endpoint-related error log entries
EXEC xp_readerrorlog 0, 1, N'endpoint', N'35250';
EXEC xp_readerrorlog 0, 1, N'DATABASE_MIRRORING', N'authentication';

Fix Scripts

Recreate Database Mirroring Endpoint with Proper Authentication

This script drops and recreates the endpoint with Windows Authentication, resolving most authentication-related connectivity issues.

-- WARNING: This will temporarily disconnect all Always On traffic
-- Execute during maintenance window on all replicas
USE master;
GO

-- Drop existing endpoint if it exists
IF EXISTS (SELECT * FROM sys.database_mirroring_endpoints WHERE name = 'Hadr_endpoint')
    DROP ENDPOINT Hadr_endpoint;
GO

-- Create new endpoint with Windows Authentication
CREATE ENDPOINT Hadr_endpoint
    AS TCP (LISTENER_PORT = 5022, LISTENER_IP = ALL)
    FOR DATABASE_MIRRORING (
        ROLE = ALL, 
        AUTHENTICATION = WINDOWS NEGOTIATE, 
        ENCRYPTION = REQUIRED ALGORITHM AES
    );
GO

-- Start the endpoint
ALTER ENDPOINT Hadr_endpoint STATE = STARTED;
GO

-- Grant CONNECT permissions to service accounts
-- (the login must already exist on this instance, e.g. CREATE LOGIN [DOMAIN\SQLServiceAccount] FROM WINDOWS;)
GRANT CONNECT ON ENDPOINT::Hadr_endpoint TO [DOMAIN\SQLServiceAccount];
GO

Grant Endpoint CONNECT Permissions to All SQL Service Accounts

Service account permission issues frequently cause this error, especially after service account changes.

-- Execute on all replicas to ensure proper permissions
-- Replace DOMAIN\SQLServiceAccount with actual service accounts
USE master;
GO

GRANT CONNECT ON ENDPOINT::Hadr_endpoint TO [DOMAIN\PrimaryReplicaServiceAccount];
GRANT CONNECT ON ENDPOINT::Hadr_endpoint TO [DOMAIN\SecondaryReplica1ServiceAccount];
GRANT CONNECT ON ENDPOINT::Hadr_endpoint TO [DOMAIN\SecondaryReplica2ServiceAccount];

-- Verify permissions granted successfully
SELECT 
    p.permission_name,
    p.class_desc,
    p.state_desc,
    pr.name AS principal_name
FROM sys.server_permissions p
INNER JOIN sys.server_principals pr ON p.grantee_principal_id = pr.principal_id
WHERE p.class_desc = 'ENDPOINT'
    AND p.permission_name = 'CONNECT'
    AND p.major_id = (SELECT endpoint_id FROM sys.database_mirroring_endpoints WHERE name = 'Hadr_endpoint');

Reset Always On Availability Group Database Synchronization

When endpoint connectivity is restored but databases remain in NOT SYNCHRONIZING state, this script reinitializes synchronization.

-- Execute on the secondary replica after endpoint connectivity is restored
-- Replace 'YourAGName' and 'YourDatabaseName' with actual names
-- (ALTER AVAILABILITY GROUP ... REMOVE/ADD DATABASE is only accepted on the primary replica;
--  on a secondary the database is detached from and rejoined to the group with SET HADR)
USE master;
GO

-- Detach the secondary database from the availability group; it stays in RESTORING state
ALTER DATABASE [YourDatabaseName] SET HADR OFF;
GO

-- Wait 10 seconds for cleanup
WAITFOR DELAY '00:00:10';
GO

-- Rejoin the database to the availability group on this secondary
-- (if the primary has meanwhile truncated log this secondary still needs, restore the
--  missing log backups WITH NORECOVERY before rejoining)
ALTER DATABASE [YourDatabaseName] SET HADR AVAILABILITY GROUP = [YourAGName];
GO

-- Verify synchronization state of the local copy
SELECT 
    db.database_name,
    drs.synchronization_state_desc,
    drs.synchronization_health_desc
FROM sys.dm_hadr_database_replica_states drs
INNER JOIN sys.availability_databases_cluster db ON drs.group_database_id = db.group_database_id
WHERE db.database_name = 'YourDatabaseName'
  AND drs.is_local = 1;

AutoDBA generates fix scripts like these automatically, with impact estimates and rollback SQL included.

Prevention

Configure Always On endpoint monitoring through extended events to capture endpoint authentication failures before they impact availability group synchronization. Create alerts on sys.dm_hadr_availability_replica_states for connected_state_desc values other than 'CONNECTED'.
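An added example (not part of the original page) that implements this monitoring: an Extended Events session that records every error 35250, and a connectivity check written as a SQL Agent job step for the primary replica. The session name, file name and the use of STRING_AGG (SQL Server 2017 or later) are assumptions.

```sql
USE master;
GO

-- 1. Persist every occurrence of error 35250 to an event file, together with
--    the client host and the statement that triggered it, for later triage.
--    Session name and file name are placeholders chosen for this example.
IF EXISTS (SELECT 1 FROM sys.server_event_sessions WHERE name = N'ag_endpoint_errors')
    DROP EVENT SESSION [ag_endpoint_errors] ON SERVER;
GO
CREATE EVENT SESSION [ag_endpoint_errors] ON SERVER
ADD EVENT sqlserver.error_reported (
    ACTION (sqlserver.client_hostname, sqlserver.session_id, sqlserver.sql_text)
    WHERE error_number = 35250)
ADD TARGET package0.event_file (SET filename = N'ag_endpoint_errors.xel', max_file_size = 50)
WITH (STARTUP_STATE = ON);   -- session comes back after a service restart
GO
ALTER EVENT SESSION [ag_endpoint_errors] ON SERVER STATE = START;
GO

-- 2. Job-step check: run on the primary replica, which sees the connection
--    state of every replica. Any replica that is not CONNECTED raises a
--    severity 16 error, failing the step so the Agent operator notification fires.
IF EXISTS (SELECT 1 FROM sys.dm_hadr_availability_replica_states
           WHERE is_local = 1 AND role_desc = N'PRIMARY')
BEGIN
    DECLARE @bad nvarchar(2000);   -- RAISERROR substitution arguments are limited in length
    SELECT @bad = STRING_AGG(CONCAT(r.replica_server_name, N'=', rs.connected_state_desc, N' (',
                                    ISNULL(rs.last_connect_error_description, N'no error text'), N')'), N'; ')
    FROM sys.availability_replicas r
    INNER JOIN sys.dm_hadr_availability_replica_states rs ON r.replica_id = rs.replica_id
    WHERE rs.connected_state_desc <> N'CONNECTED';

    IF @bad IS NOT NULL
        RAISERROR (N'Always On replica(s) not connected: %s', 16, 1, @bad);
END
GO

-- Read back the captured 35250 events from the file target
SELECT CAST(event_data AS xml) AS event_xml
FROM sys.fn_xe_file_target_read_file(N'ag_endpoint_errors*.xel', NULL, NULL, NULL);
```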

Standardize SQL Server service accounts across all Always On replicas to eliminate authentication complexities. Use managed service accounts (MSA) or group managed service accounts (gMSA) in domain environments to prevent password expiration issues that commonly trigger endpoint authentication failures.

Document and test endpoint firewall rules on all replica servers. Always On requires bidirectional TCP connectivity on the configured endpoint port (default 5022). Network team changes frequently break endpoint connectivity without impacting other SQL Server functions.

Implement certificate-based authentication for cross-domain Always On configurations to eliminate Kerberos delegation requirements. Certificate authentication provides more reliable endpoint connectivity in complex network environments but requires proper certificate lifecycle management.
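An added example (not from the original page) of the certificate-authenticated endpoint this paragraph recommends, shown for one replica and one peer, with an expiry check for the certificate lifecycle management it calls for. The certificate, login and file names, the "ReplicaB" peer, the expiry date and the placeholder passwords are assumptions.

```sql
USE master;
GO
-- 1. On each replica: a master key, a certificate that identifies this
--    instance, and an endpoint that authenticates peers with certificates.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = N'##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<strong-placeholder-password>';
GO
CREATE CERTIFICATE [Hadr_endpoint_cert]
    WITH SUBJECT = N'Always On endpoint certificate for this replica',
         EXPIRY_DATE = '20271231';   -- placeholder; set from your renewal policy
GO
CREATE ENDPOINT [Hadr_endpoint]
    STATE = STARTED
    AS TCP (LISTENER_PORT = 5022, LISTENER_IP = ALL)
    FOR DATABASE_MIRRORING (
        AUTHENTICATION = CERTIFICATE [Hadr_endpoint_cert],
        ENCRYPTION = REQUIRED ALGORITHM AES,
        ROLE = ALL);
GO
-- Export only the public key for the other replicas; the private key stays here.
BACKUP CERTIFICATE [Hadr_endpoint_cert] TO FILE = N'C:\certs\<this-replica>.cer';
GO

-- 2. On each peer (here for a peer called ReplicaB): a login that owns the
--    remote replica's public key and is allowed to connect to the endpoint.
--    The login is never used interactively; no Windows credential is involved.
CREATE LOGIN [Hadr_ReplicaB_login] WITH PASSWORD = N'<strong-placeholder-password>';
CREATE USER [Hadr_ReplicaB_user] FOR LOGIN [Hadr_ReplicaB_login];
CREATE CERTIFICATE [Hadr_ReplicaB_cert]
    AUTHORIZATION [Hadr_ReplicaB_user]
    FROM FILE = N'C:\certs\ReplicaB.cer';
GRANT CONNECT ON ENDPOINT::[Hadr_endpoint] TO [Hadr_ReplicaB_login];
GO

-- 3. Lifecycle check: list endpoint certificates expiring within 30 days so
--    they are renewed and their public keys re-exchanged before the date passes.
SELECT c.name, c.expiry_date, DATEDIFF(day, GETDATE(), c.expiry_date) AS days_left
FROM sys.certificates c
WHERE c.name IN (N'Hadr_endpoint_cert', N'Hadr_ReplicaB_cert')
  AND c.expiry_date < DATEADD(day, 30, GETDATE());
```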

Schedule periodic validation of endpoint permissions and configuration consistency across all replicas. Service account changes, Windows updates, and security policy modifications can silently break endpoint authentication without generating immediate errors until failover attempts occur.
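An added validation script (not from the original page) for this periodic check: run on every replica, for instance from a weekly Agent job, it reports findings as rows rather than raising so the output can be collected centrally. It assumes Windows authentication on the endpoint; the check names are placeholders.

```sql
USE master;
GO
DECLARE @findings TABLE (check_name sysname, detail nvarchar(512));
DECLARE @svc_account nvarchar(256), @local_url nvarchar(512), @url_port int;

-- Account the Database Engine runs under. With a virtual or built-in account
-- the endpoint authenticates as the computer account (DOMAIN\HOST$) instead,
-- so adjust @svc_account accordingly in that case.
SELECT @svc_account = service_account
FROM sys.dm_server_services
WHERE servicename LIKE N'SQL Server (%';

-- Endpoint URL this replica advertises to its peers, e.g. TCP://host.domain:5022
SELECT @local_url = r.endpoint_url
FROM sys.availability_replicas r
INNER JOIN sys.dm_hadr_availability_replica_states rs ON r.replica_id = rs.replica_id
WHERE rs.is_local = 1;
SET @url_port = TRY_CAST(RIGHT(@local_url, CHARINDEX(N':', REVERSE(@local_url)) - 1) AS int);

-- Check 1: the mirroring endpoint exists, is STARTED and requires encryption
INSERT @findings
SELECT N'endpoint_state', CONCAT(e.name, N' is ', e.state_desc, N', encryption ', e.encryption_algorithm_desc)
FROM sys.database_mirroring_endpoints e
WHERE e.state_desc <> N'STARTED' OR e.is_encryption_enabled = 0;
IF NOT EXISTS (SELECT 1 FROM sys.database_mirroring_endpoints)
    INSERT @findings VALUES (N'endpoint_missing', N'no database mirroring endpoint on this instance');

-- Check 2: the listener port matches the port in this replica's endpoint_url
INSERT @findings
SELECT N'port_mismatch', CONCAT(N'endpoint listens on ', t.port, N' but endpoint_url says ', @url_port)
FROM sys.database_mirroring_endpoints e
INNER JOIN sys.tcp_endpoints t ON e.endpoint_id = t.endpoint_id
WHERE t.port <> @url_port;

-- Check 3: the service account holds an active CONNECT grant on the endpoint
IF NOT EXISTS (
    SELECT 1
    FROM sys.server_permissions p
    INNER JOIN sys.server_principals pr ON p.grantee_principal_id = pr.principal_id
    INNER JOIN sys.database_mirroring_endpoints e ON p.major_id = e.endpoint_id
    WHERE p.class_desc = N'ENDPOINT' AND p.permission_name = N'CONNECT'
      AND p.state_desc = N'GRANT' AND pr.name = @svc_account)
    INSERT @findings VALUES (N'missing_connect', CONCAT(N'no CONNECT grant for ', @svc_account));

-- An empty result set means this replica passed every check
SELECT @@SERVERNAME AS replica, check_name, detail FROM @findings;
```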

Need hands-on help?

Dealing with persistent SQL Server error 35250 issues across your environment? Samix Technology provides hands-on SQL Server performance consulting with 15+ years of production DBA experience.
