How to add VPN role on domain controller (2012 R2)?

I have a 2012 R2 relatively fresh build and I want to add VPN capability to it...simple right??  Apparently not.  The server is 2012 R2 and is a domain controller (one of 3) and is running as a virtual machine.  I go to add the role for Remote Access and then select the "VPN" option and after about 2 minutes it always errors out saying a pending restart is required.  It's never-ending, I restart and get the error again.  I've tried switching users and still no luck.  Is there some trick the Microsoft team is getting a big laugh out of while IT Administrators try to figure out how to add a simple role to a server???
tphelps19 (IT Manager) asked:

tphelps19 (IT Manager, Author) commented:
Wow, unbelievable.  Went through and added "Domain Admins" to everything under Local Security Policy > User Rights Assignment and then also added the ones listed here and that seemed to work.  This was supposedly a fresh build from an OEM Microsoft 2012 R2 disc so not sure why there are so many problems.
Cris Hanna commented:
I'm working from my phone so I can't find the specific links, but typically domain controllers don't do well with Routing and Remote Access installed.

And I'm not trying to be the software police, but using an OEM disc to create a VMware VM probably wouldn't pass audit.
tphelps19 (IT Manager, Author) commented:
Well it's not VMware, it's Hyper-V so I figured OEM discs would be ok as long as we kept them tied to that machine?

I just can't figure out why everything only works when done under the Administrator user?  Or why "Domain Admins" wasn't added to all those groups?  A little Google searching and apparently I'm not the only one who has the issue so that's good at least.

Well it's not VMware, it's Hyper-V so I figured OEM discs would be ok as long as we kept them tied to that machine?
You're correct; this is allowed. (It's even allowed under VMware.) Like you said, though, those VMs have to remain on that particular host. If that host is in a cluster and the VMs are ever migrated to a different node, that's technically a violation of the OEM license agreement. The VM in question may even inform you that it needs to be re-activated at that point.

Back to your original issue, though: I've seen this happen numerous times when installing roles that require the use of Windows Internal Database. In my experience, WSUS is the most common role affected by this issue, but there are others. On a domain controller, the user account that the WID service runs under doesn't have the "Log on as a service" user right by default, so that service can't start. This interferes with the installation of any role that requires that service, but the error you get in the Add Roles and Features wizard isn't helpful at all. If you look through the System log, however, you'll find an event saying that the WID service couldn't start due to a logon failure.

The fix is exactly as you would expect: determine which user account runs the Windows Internal Database service and give that account the "Log on as a service" user right.
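The following PowerShell walks through that diagnosis and fix on the affected domain controller. It is an added example, not code from the thread or from Microsoft. It assumes the Windows Internal Database feature is installed (the service name MSSQL$MICROSOFT##WID and its virtual account NT SERVICE\MSSQL$MICROSOFT##WID are the standard ones on 2012 R2), that the script runs in an elevated session, and that secedit.exe is used to read and set the "Log on as a service" right (SeServiceLogonRight).

```powershell
# Added example (not from the original thread). Assumes Windows Server 2012 R2 with the
# Windows Internal Database feature installed and an elevated PowerShell session.

# 1. Find the account the WID service runs under (normally NT SERVICE\MSSQL$MICROSOFT##WID).
$svcName = 'MSSQL$MICROSOFT##WID'
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'"
if (-not $svc) { throw "Service $svcName not found; is the Windows Internal Database feature installed?" }
"WID runs as: $($svc.StartName) (state: $($svc.State))"

# 2. Confirm the symptom in the System log: Service Control Manager events 7000/7041
#    reporting that the service could not start because of a logon failure.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7000, 7041 } -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$svcName*" -or $_.Message -like '*Windows Internal Database*' } |
    Select-Object TimeCreated, Id, Message | Format-List

# 3. Read the current "Log on as a service" assignment from the local security policy.
$exportPath = Join-Path $env:TEMP 'secpol-export.inf'
secedit.exe /export /cfg $exportPath /areas USER_RIGHTS | Out-Null
$line    = Select-String -Path $exportPath -Pattern '^SeServiceLogonRight' | Select-Object -First 1
$current = if ($line) { ($line.Line -split '=', 2)[1].Trim() } else { '' }
"Current SeServiceLogonRight: '$current'"

# 4. Grant the right to the service account if it is missing, then refresh policy and
#    try to start the service again.
$account = $svc.StartName
if ($current -notlike "*$account*") {
    $newValue = if ($current) { "$current,$account" } else { $account }
    $inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $newValue
"@
    $infPath = Join-Path $env:TEMP 'grant-wid-logon.inf'
    $dbPath  = Join-Path $env:TEMP 'grant-wid-logon.sdb'
    Set-Content -Path $infPath -Value $inf -Encoding Unicode
    secedit.exe /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS | Out-Null
    gpupdate.exe /force | Out-Null
    Start-Service -Name $svcName -ErrorAction Continue
    "Granted 'Log on as a service' to $account"
} else {
    "$account already holds 'Log on as a service'; look elsewhere for the start failure."
}
```

One caveat for domain controllers: if a Group Policy object (typically the Default Domain Controllers Policy) defines "Log on as a service", the GPO value replaces the local assignment at the next policy refresh, so the account must be added there instead; `gpresult /h report.html` shows which GPO is supplying the setting. Re-running the Add Roles and Features wizard only makes sense once the WID service starts cleanly.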

tphelps19 (IT Manager, Author) commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for tphelps19's comment #a40967624

for the following reason:

For anyone out there who is having this trouble it looks like typical Microsoft went overboard on security and locked everything down so if you use Windows Update Service it completely disables the ability for regular domain admins to manually install features.
tphelps19 (IT Manager, Author) commented:
I'm not 100% sure if WSUS was the culprit but from what you're saying and what I read on that article I posted it looks very likely.  I swear, Microsoft will still be dishing out these kinds of issues in 100 years mark my words.  If they wanted to they could make an operating system as easy as an iPhone but we all know they never will.