Solved

All SQL services stopped with 'Logon Failure'

Posted on 2015-01-19
Last Modified: 2015-01-30
We have 3 SQL 2012 instances installed on a Hyper-V guest running Server 2012 Datacenter. This server has been in operation for about a month.

This morning when I came in, the 9 services relating to these 3 SQL instances had all stopped, and if I attempted to restart, I got a dialog saying that the service could not be started because of a logon failure.

I suspect that the logon accounts ('NT Service\MCAFEE' being one example) have expired passwords.

I have changed each of the services to logon with the Local System Account, and they have now all started.

That being said, HOW and/or WHERE do I check the password policy for NT Service accounts so that I can make sure that they do not expire (assuming that is indeed the problem)? These accounts were created by the application installers themselves.
0
Question by:Chris Millard
10 Comments
 
LVL 50

Expert Comment

by:Vitor Montalvão
ID: 40557366
"have changed each of the services to logon with the Local System Account"
Be careful with that. If there are processes that need to access a network share, it won't work because you'll need a domain account for that.
0
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40557720
These types of service accounts should be in an OU that does not have a password policy like that (for expiration) so that these things don't happen.

Move the account(s) to a different OU that is not configured to require password changes, and check the account itself to make sure it's configured for the password never to expire. Change your SQL services back to the account they were using before.
0
 
LVL 17

Author Comment

by:Chris Millard
ID: 40560353
The problem is that these are NT Service accounts, and do NOT (as far as I can tell) appear in AD anywhere - they are created by the software that was installed (i.e. McAfee ePolicy Orchestrator etc.).

I have tried searching AD for them and cannot find them.
0
 
LVL 50

Expert Comment

by:Vitor Montalvão
ID: 40561413
Nowadays products are using virtual accounts. May be the case.
0
 
LVL 17

Author Comment

by:Chris Millard
ID: 40561443
I think in this case it may be true, Vitor. If this is the case though, how would they fall prey to the password policy, and how could I exclude them from the policy?
0
 
LVL 50

Expert Comment

by:Vitor Montalvão
ID: 40561450
That's a good question and it's something that I'm still trying to understand. By what's written in the MSDN article that's possible:
Virtual accounts in Windows Server 2008 R2 and Windows 7 are "managed local accounts" that provide the following features to simplify service administration:
• No password management is required.
• The ability to access the network with a computer identity in a domain environment.
0
 
LVL 17

Author Comment

by:Chris Millard
ID: 40570150
OK, I think I have discovered the root of the problem. When installing WSUS onto a new Server 2012 installation in the domain, we had to modify the group policy to allow "NT SERVICE\MSSQL$MICROSOFT##WID" to have the rights to "Log on as a service". This was done in a domain group policy, and since doing so, other virtual accounts stopped logging on.

I have now added other virtual accounts to the same domain group policy, and since doing so, some services that had stopped (whose logons I had not changed) are now starting again.
0
 
LVL 17

Accepted Solution

by:Chris Millard
ID: 40570166
Domain Group Policy for "Log on as a service" was previously not configured. This was modified to allow installation of WSUS on a 2012 Server, and since modifying the domain group policy, other virtual service accounts were stopping.

Adding the other virtual service accounts to the domain group policy worked.
0
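One way to check a server for the condition described in the accepted solution, as an added example that is not part of the original thread: it lists every service that logs on as an `NT SERVICE\...` virtual account and reports whether that account currently holds "Log on as a service" (`SeServiceLogonRight`) after Group Policy has applied. It assumes an elevated PowerShell session on the affected server; the temporary file name is arbitrary.

```powershell
# Added example, not from the thread. Run elevated on the affected server.
# Export the machine's current user-rights assignments (as they stand after GPO processing).
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The INF line looks like: SeServiceLogonRight = *S-1-5-80-...,*S-1-5-20,SomeAccount
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' | Select-Object -First 1
$holders = @()
if ($line) {
    $holders = ($line.Line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# S-1-5-80-0 is NT SERVICE\ALL SERVICES; if it holds the right,
# every virtual service account is covered without being listed by name.
$allServices = $holders -contains 'S-1-5-80-0'

Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -like 'NT SERVICE\*' } |
    ForEach-Object {
        # Resolve the virtual account to its S-1-5-80-... SID; $null if it cannot be resolved.
        $sid = try {
            ([System.Security.Principal.NTAccount]$_.StartName).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { $null }

        [pscustomobject]@{
            Service           = $_.Name
            Account           = $_.StartName
            State             = $_.State
            HasLogonAsService = $allServices -or
                                ($sid -and $holders -contains $sid) -or
                                ($holders -contains $_.StartName)
        }
    } |
    Sort-Object HasLogonAsService, Service |
    Format-Table -AutoSize
```

Rows with `HasLogonAsService` set to `False` are the services that will fail with a logon failure at their next start; the Resultant Set of Policy report (`gpresult /h report.html`) shows which GPO is supplying the "Log on as a service" list.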
 
LVL 50

Expert Comment

by:Vitor Montalvão
ID: 40570168
Thanks for sharing the solution with us.
0
 
LVL 17

Author Closing Comment

by:Chris Millard
ID: 40579380
Domain Group Policy for "Log on as a service" was previously not configured. This was modified to allow installation of WSUS on a 2012 Server, and since modifying the domain group policy, other virtual service accounts were stopping.

Adding the other virtual service accounts to the domain group policy worked.
0
