All SQL services stopped with 'Logon Failure'

Posted on 2015-01-19
Last Modified: 2015-01-30
We have 3 SQL 2012 instances installed on a Hyper-V guest running Server 2012 Datacenter. This server has been in operation for about a month.

This morning when I came in, the 9 services relating to these 3 SQL instances had all stopped, and if I attempted to restart, I got a dialog saying that the service could not be started because of a logon failure.

I suspect that the logon accounts ('NT Service\MCAFEE' being one example) have expired passwords.

I have changed each of the services to logon with the Local System Account, and they have now all started.

That being said, HOW and/or WHERE do I check the password policy for NT Service accounts so that I can make sure that they do not expire (assuming that is indeed the problem)? These accounts were created by the application installers themselves.
Question by:Chris Millard
10 Comments
 
LVL 52

Expert Comment

by:Vitor Montalvão
ID: 40557366
"have changed each of the services to logon with the Local System Account"
Be careful with that. If there are processes that need to access a network share it won't work because you'll need a domain account for that.
0
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40557720
These types of service accounts should be in an OU that does not have a password policy like that (for expiration) so that these things don't happen.

Move the account(s) to a different OU that is not configured to require password changes and check the account itself to make sure it's configured for the password never to expire. Change your SQL services back to the account they were using before.
0
 
LVL 17

Author Comment

by:Chris Millard
ID: 40560353
The problem is that these are NT Service accounts, and do NOT (as far as I can tell) appear in an AD anywhere - they are created by the software that was installed (i.e. McAfee ePolicy Orchestrator etc).

I have tried searching AD for them and cannot find them.
0
LVL 52

Expert Comment

by:Vitor Montalvão
ID: 40561413
Nowadays products are using virtual accounts. May be the case.
0
 
LVL 17

Author Comment

by:Chris Millard
ID: 40561443
I think in this case it may be true, Vitor. If this is the case though, how would they fall prey to the password policy, and how could I exclude them from the policy?
0
 
LVL 52

Expert Comment

by:Vitor Montalvão
ID: 40561450
That's a good question and it's something that I'm still trying to understand. By what's written in the MSDN article that's possible:
Virtual accounts in Windows Server 2008 R2 and Windows 7 are "managed local accounts" that provide the following features to simplify service administration:
• No password management is required.
• The ability to access the network with a computer identity in a domain environment.
0
 
LVL 17

Author Comment

by:Chris Millard
ID: 40570150
OK, I think I have discovered the root of the problem. When installing WSUS onto a new Server 2012 installation in the domain, we had to modify the group policy to allow "NT SERVICE\MSSQL$MICROSOFT##WID" to have the rights to "Log on as a service". This was done in a domain group policy, and since doing so, other virtual accounts stopped logging on.

I have now added other virtual accounts to the same domain group policy, and since doing so, some services that had stopped (whose logons I had not changed) are now starting again.
0
 
LVL 17

Accepted Solution

by:Chris Millard
ID: 40570166
Domain Group Policy for "Log on as a service" was previously not configured. This was modified to allow installation of WSUS on a 2012 Server, and since modifying the domain group policy, other virtual service accounts were stopping.

Adding the other virtual service accounts to the domain group policy worked.
0
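An added example (not part of the original thread): a PowerShell check for the situation in the accepted solution, where a policy that defines "Log on as a service" leaves some service logon accounts without the right. It exports the user rights with `secedit`, reads the `SeServiceLogonRight` entry, and lists services whose logon account is not covered. The temporary file name and the helper `ConvertTo-Sid` are assumptions made for this example.

```powershell
# Added example. Run in an elevated PowerShell session on the affected server.
# Limitation: only direct grants and NT SERVICE\ALL SERVICES are evaluated;
# rights inherited through other group memberships are not resolved.

function ConvertTo-Sid([string]$Name) {
    $n = $Name -replace '^\.\\', ($env:COMPUTERNAME + '\')   # ".\user" -> "HOST\user"
    try { ([Security.Principal.NTAccount]$n).Translate([Security.Principal.SecurityIdentifier]).Value }
    catch { $null }                                          # name could not be resolved
}

# Export the user-rights section of the security policy to a temporary INF file.
$cfg = Join-Path $env:TEMP 'user_rights.inf'                 # hypothetical file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The line looks like: SeServiceLogonRight = *S-1-5-80-0,*S-1-5-20,SomeName
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' | Select-Object -First 1
$granted = @()
if ($line) {
    $granted = @(($line.Line -split '=', 2)[1] -split ',' | ForEach-Object {
        $e = $_.Trim()
        if ($e.StartsWith('*')) { $e.Substring(1) } else { ConvertTo-Sid $e }
    })
}
Remove-Item $cfg -ErrorAction SilentlyContinue

$allServices = 'S-1-5-80-0'                                  # NT SERVICE\ALL SERVICES
$builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

# One row per non-built-in logon account that lacks the right.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -notin $builtin } |
    Group-Object StartName |
    ForEach-Object {
        $sid = ConvertTo-Sid $_.Name
        $ok  = ($sid -and $sid -in $granted) -or
               ($sid -like 'S-1-5-80-*' -and $allServices -in $granted)
        [pscustomobject]@{
            Account  = $_.Name
            Sid      = $sid
            Services = ($_.Group.Name -join ', ')
            Granted  = $ok
        }
    } |
    Where-Object { -not $_.Granted } |
    Format-Table Account, Sid, Services -AutoSize -Wrap
```

Accounts listed in the output are the ones that would need to be added to the policy that defines "Log on as a service", which is the fix described in the accepted solution.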
 
LVL 52

Expert Comment

by:Vitor Montalvão
ID: 40570168
Thanks for sharing the solution with us.
0
 


Question has a verified solution.