Solved

All SQL services stopped with 'Logon Failure'

Posted on 2015-01-19
10
90 Views
Last Modified: 2015-01-30
We have 3 SQL 2012 instances installed on a Hyper-V guest running Server 2012 Datacenter. This server has been in operation for about a month.

This morning when I came in, the 9 services relating to these 3 SQL instances had all stopped, and if I attempted to restart, I got a dialog saying that the service could not be started because of a logon failure.

I suspect that the logon accounts ('NT Service\MCAFEE' being one example) have expired passwords.

I have changed each of the services to logon with the Local System Account, and they have now all started.

That being said, HOW and/or WHERE do I check the password policy for NT Service accounts so that I can make sure that they do not expire (assuming that is indeed the problem)? These accounts were created by the application installers themselves.
0
Comment
Question by:Chris Millard
  • 5
  • 4
10 Comments
 
LVL 45

Expert Comment

by:Vitor Montalvão
Comment Utility
have changed each of the services to logon with the Local System Account
Be careful with that. If there are process that need to access a network share it won't work because you'll need a domain account for that.
0
 
LVL 34

Expert Comment

by:Seth Simmons
Comment Utility
these type of service accounts should be in an OU that does not have password policy like that (for expiration) so that these things don't happen

move the account(s) to a different OU that is not configured to require password changes and check the account itself to make sure it's configured for the password never to expire.  change your sql services back to the account it was using before
0
 
LVL 17

Author Comment

by:Chris Millard
Comment Utility
The problem is, is that these are NT Service accounts, and do NOT (as far as I can tell) appear in an AD anywhere - they are created by the software that was installed (i.e McAfee ePolicy Orchestrator etc).

I have tried searching AD for them and cannot find them.
0
 
LVL 45

Expert Comment

by:Vitor Montalvão
Comment Utility
Nowadays products are using virtual accounts. May be the case.
0
 
LVL 17

Author Comment

by:Chris Millard
Comment Utility
I think in this case it may be true Vitor. If this is the case though, how would they fall prey to the password policy, and how could I exclude them from the policy?
0
Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

 
LVL 45

Expert Comment

by:Vitor Montalvão
Comment Utility
That's a good question and it's something that I'm still trying to understand. By what's written in the MSDN article that's possible:
Virtual accounts in Windows Server 2008 R2 and Windows 7 are "managed local accounts" that provide the following features to simplify service administration:
• No password management is required.
• The ability to access the network with a computer identity in a domain environment.
0
 
LVL 17

Author Comment

by:Chris Millard
Comment Utility
OK, I think I have discovered the root of the problem. When installing WSUS onto a new Server 2012 installation in the domain, we had to modify the group policy to allow "NT SERVICE\MSSQL$MICROSOFT##WID" to have the rights to "Log on as a service". This was done in a domain group policy, and since doing so, other virtual accounts stopped logging on.

I have now added other virtual accounts to the same domain group policy, and since doing so, some services that had stopped (whose logons I had not changed) are now starting again.
0
 
LVL 17

Accepted Solution

by:
Chris Millard earned 0 total points
Comment Utility
Domain Group Policy for "Log on as a service" was previously not configured. This was modified to allow installation of WSUS on a 2012 Server, and since modifying the domain group policy, other virtual service accounts were stopping.

Adding the other virtual service accounts to the domain group policy worked,
0
 
LVL 45

Expert Comment

by:Vitor Montalvão
Comment Utility
Thanks for sharing the solution with us.
0
 
LVL 17

Author Closing Comment

by:Chris Millard
Comment Utility
Domain Group Policy for "Log on as a service" was previously not configured. This was modified to allow installation of WSUS on a 2012 Server, and since modifying the domain group policy, other virtual service accounts were stopping.

 Adding the other virtual service accounts to the domain group policy worked,
0

Featured Post

Are your corporate email signatures appalling?

Is it scary how unprofessional your email signatures look? Do users create their own terrible designs and give themselves stupid job titles? You can make this a lot easier for yourself by choosing an email signature management solution from Exclaimer today.

Join & Write a Comment

The Delta outage: 650 cancelled flights, more than 1200 delayed flights, thousands of frustrated customers, tens of millions of dollars in damages – plus untold reputational damage to one of the world’s most trusted airlines. All due to a catastroph…
Ever wondered why sometimes your SQL Server is slow or unresponsive with connections spiking up but by the time you go in, all is well? The following article will show you how to install and configure a SQL job that will send you email alerts includ…
Using examples as well as descriptions, and references to Books Online, show the documentation available for date manipulation functions and by using a select few of these functions, show how date based data can be manipulated with these functions.
Via a live example combined with referencing Books Online, show some of the information that can be extracted from the Catalog Views in SQL Server.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now