Solved

All SQL services stopped with 'Logon Failure'

Posted on 2015-01-19
Last Modified: 2015-01-30
We have 3 SQL 2012 instances installed on a Hyper-V guest running Server 2012 Datacenter. This server has been in operation for about a month.

This morning when I came in, the 9 services relating to these 3 SQL instances had all stopped, and if I attempted to restart, I got a dialog saying that the service could not be started because of a logon failure.

I suspect that the logon accounts ('NT Service\MCAFEE' being one example) have expired passwords.

I have changed each of the services to log on with the Local System Account, and they have now all started.

That being said, HOW and/or WHERE do I check the password policy for NT Service accounts so that I can make sure that they do not expire (assuming that is indeed the problem)? These accounts were created by the application installers themselves.
Question by:Chris Millard
10 Comments
 
LVL 47

Expert Comment

by:Vitor Montalvão
ID: 40557366
"I have changed each of the services to log on with the Local System Account"
Be careful with that. If there are processes that need to access a network share, it won't work because you'll need a domain account for that.
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40557720
These types of service accounts should be in an OU that does not have a password policy like that (for expiration) so that these things don't happen.

Move the account(s) to a different OU that is not configured to require password changes and check the account itself to make sure it's configured for the password never to expire. Change your SQL services back to the account they were using before.
 
LVL 17

Author Comment

by:Chris Millard
ID: 40560353
The problem is that these are NT Service accounts, and do NOT (as far as I can tell) appear in AD anywhere - they are created by the software that was installed (i.e. McAfee ePolicy Orchestrator etc.).

I have tried searching AD for them and cannot find them.

 
LVL 47

Expert Comment

by:Vitor Montalvão
ID: 40561413
Nowadays products are using virtual accounts. May be the case.
 
LVL 17

Author Comment

by:Chris Millard
ID: 40561443
I think in this case it may be true, Vitor. If this is the case though, how would they fall prey to the password policy, and how could I exclude them from the policy?
 
LVL 47

Expert Comment

by:Vitor Montalvão
ID: 40561450
That's a good question and it's something that I'm still trying to understand. By what's written in the MSDN article that's possible:
Virtual accounts in Windows Server 2008 R2 and Windows 7 are "managed local accounts" that provide the following features to simplify service administration:
• No password management is required.
• The ability to access the network with a computer identity in a domain environment.
 
LVL 17

Author Comment

by:Chris Millard
ID: 40570150
OK, I think I have discovered the root of the problem. When installing WSUS onto a new Server 2012 installation in the domain, we had to modify the group policy to allow "NT SERVICE\MSSQL$MICROSOFT##WID" to have the rights to "Log on as a service". This was done in a domain group policy, and since doing so, other virtual accounts stopped logging on.

I have now added other virtual accounts to the same domain group policy, and since doing so, some services that had stopped (whose logons I had not changed) are now starting again.
 
LVL 17

Accepted Solution

by:Chris Millard
ID: 40570166
Domain Group Policy for "Log on as a service" was previously not configured. This was modified to allow installation of WSUS on a 2012 Server, and since modifying the domain group policy, other virtual service accounts were stopping.

Adding the other virtual service accounts to the domain group policy worked.
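
A check for the situation described in the accepted solution, as an added example that is not part of the original thread: it lists every service running under an NT SERVICE\ virtual account and whether that account's SID (or NT SERVICE\ALL SERVICES) currently holds SeServiceLogonRight, the privilege behind "Log on as a service". The temp file name and the Resolve-Sid helper are names chosen here for illustration.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on the affected server.
$sidType = [System.Security.Principal.SecurityIdentifier]

function Resolve-Sid([string]$Name) {
    # Translate an account name to its SID string; $null if it cannot be resolved.
    try { ([System.Security.Principal.NTAccount]$Name).Translate($sidType).Value }
    catch { $null }
}

# Export the user-rights assignments currently applied on this machine.
$cfg = Join-Path $env:TEMP 'user_rights.inf'   # arbitrary temp file name
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet
$match = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' |
    Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

# Entries are either "*<SID>" or a plain account name; normalise all to SIDs.
$granted = @()
if ($match) {
    $granted = @(($match.Line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) { $entry.Substring(1) } else { Resolve-Sid $entry }
    } | Where-Object { $_ })
}

# Well-known SID of NT SERVICE\ALL SERVICES; if present it covers every
# per-service virtual account.
$allServices = 'S-1-5-80-0'

Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -like 'NT SERVICE\*' } |
    ForEach-Object {
        $sid = Resolve-Sid $_.StartName
        [pscustomobject]@{
            Service  = $_.Name
            State    = $_.State
            Account  = $_.StartName
            HasRight = ($granted -contains $allServices) -or
                       ($sid -and ($granted -contains $sid))
        }
    } | Sort-Object HasRight, Service | Format-Table -AutoSize
```

Services shown with HasRight False are the ones that will fail to start with a logon failure once the domain policy replaces the locally assigned right. Running `gpresult /h` with an output file name shows which GPO is defining the setting.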
 
LVL 47

Expert Comment

by:Vitor Montalvão
ID: 40570168
Thanks for sharing the solution with us.
