Solved

All SQL services stopped with 'Logon Failure'

Posted on 2015-01-19
Last Modified: 2015-01-30
We have 3 SQL 2012 instances installed on a Hyper-V guest running Server 2012 Datacenter. This server has been in operation for about a month.

This morning when I came in, the 9 services relating to these 3 SQL instances had all stopped, and if I attempted to restart, I got a dialog saying that the service could not be started because of a logon failure.

I suspect that the logon accounts ('NT Service\MCAFEE' being one example) have expired passwords.

I have changed each of the services to logon with the Local System Account, and they have now all started.

That being said, HOW and/or WHERE do I check the password policy for NT Service accounts so that I can make sure that they do not expire (assuming that is indeed the problem)? These accounts were created by the application installers themselves.
Question by:Chris Millard
 
LVL 46

Expert Comment

by:Vitor Montalvão
ID: 40557366
"I have changed each of the services to logon with the Local System Account"
Be careful with that. If there are processes that need to access a network share it won't work because you'll need a domain account for that.
0
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40557720
These types of service accounts should be in an OU that does not have a password policy like that (for expiration) so that these things don't happen.

Move the account(s) to a different OU that is not configured to require password changes and check the account itself to make sure it's configured for the password never to expire. Change your SQL services back to the account they were using before.
0
 
LVL 17

Author Comment

by:Chris Millard
ID: 40560353
The problem is that these are NT Service accounts, and do NOT (as far as I can tell) appear in an AD anywhere - they are created by the software that was installed (i.e. McAfee ePolicy Orchestrator etc).

I have tried searching AD for them and cannot find them.
0
 
LVL 46

Expert Comment

by:Vitor Montalvão
ID: 40561413
Nowadays products are using virtual accounts. May be the case.
0
 
LVL 17

Author Comment

by:Chris Millard
ID: 40561443
I think in this case it may be true Vitor. If this is the case though, how would they fall prey to the password policy, and how could I exclude them from the policy?
0
 
LVL 46

Expert Comment

by:Vitor Montalvão
ID: 40561450
That's a good question and it's something that I'm still trying to understand. By what's written in the MSDN article that's possible:
Virtual accounts in Windows Server 2008 R2 and Windows 7 are "managed local accounts" that provide the following features to simplify service administration:
• No password management is required.
• The ability to access the network with a computer identity in a domain environment.
0
 
LVL 17

Author Comment

by:Chris Millard
ID: 40570150
OK, I think I have discovered the root of the problem. When installing WSUS onto a new Server 2012 installation in the domain, we had to modify the group policy to allow "NT SERVICE\MSSQL$MICROSOFT##WID" to have the rights to "Log on as a service". This was done in a domain group policy, and since doing so, other virtual accounts stopped logging on.

I have now added other virtual accounts to the same domain group policy, and since doing so, some services that had stopped (whose logons I had not changed) are now starting again.
0
 
LVL 17

Accepted Solution

by:
Chris Millard earned 0 total points
ID: 40570166
Domain Group Policy for "Log on as a service" was previously not configured. This was modified to allow installation of WSUS on a 2012 Server, and since modifying the domain group policy, other virtual service accounts were stopping.

Adding the other virtual service accounts to the domain group policy worked.
0
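
An added example, not part of the original thread: a PowerShell check for the condition the accepted solution describes. It exports the effective "Log on as a service" assignment (SeServiceLogonRight) with secedit and lists every installed service whose logon account is not covered by it; the helper name Resolve-Sid and the temp file name are assumptions of this example.

```powershell
# Added example. Run in an elevated PowerShell session on the affected server.
$inf = Join-Path $env:TEMP 'user_rights.inf'      # assumed scratch file name
secedit /export /areas USER_RIGHTS /cfg $inf | Out-Null

function Resolve-Sid([string]$Account) {
    # Hypothetical helper: account name -> SID string, $null if it cannot be resolved.
    $name = $Account -replace '^\.\\', "$env:COMPUTERNAME\"   # ".\user" -> "HOST\user"
    try {
        (New-Object System.Security.Principal.NTAccount($name)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }
}

# SeServiceLogonRight is the privilege behind "Log on as a service".
# secedit writes entries as *SID or, for some local accounts, as plain names.
$line = Get-Content $inf |
    Where-Object { $_ -match '^SeServiceLogonRight\s*=' } |
    Select-Object -First 1
$granted = @()
if ($line) {
    $granted = @(($line -split '=', 2)[1] -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) { $entry.Substring(1) } else { Resolve-Sid $entry }
    })
}

# S-1-5-80-0 is NT SERVICE\ALL SERVICES, which covers every virtual account
# (their SIDs all start with S-1-5-80-). Other group memberships are NOT
# expanded here, so a False result for a domain account may be a false alarm.
$allServices = 'S-1-5-80-0'

Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -ne 'LocalSystem' } |
    ForEach-Object {
        $sid    = Resolve-Sid $_.StartName
        $direct = $sid -and ($granted -contains $sid)
        $viaAll = $sid -and $sid.StartsWith('S-1-5-80-') -and
                  ($granted -contains $allServices)
        [pscustomobject]@{
            Service  = $_.Name
            Account  = $_.StartName
            State    = $_.State
            HasRight = [bool]($direct -or $viaAll)
        }
    } |
    Sort-Object HasRight, Service |
    Format-Table -AutoSize
```

Services shown with HasRight False are the ones whose accounts need to be in the policy setting, either individually as in the accepted solution or by including NT SERVICE\ALL SERVICES in it.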
 
LVL 46

Expert Comment

by:Vitor Montalvão
ID: 40570168
Thanks for sharing the solution with us.
0
 
LVL 17

Author Closing Comment

by:Chris Millard
ID: 40579380
Domain Group Policy for "Log on as a service" was previously not configured. This was modified to allow installation of WSUS on a 2012 Server, and since modifying the domain group policy, other virtual service accounts were stopping.

Adding the other virtual service accounts to the domain group policy worked.
0
