Solved

Various services not starting

Posted on 2016-11-16
Last Modified: 2016-11-18
Various services are not starting on numerous servers upon reboot.  The error is "windows could not start the service on local computer. error 1069:  the service did not start due to logon failure."

**It was never an issue until recently.  I've had these servers with these services running fine with no problems for the longest time.
**If I blank out the password under the log on tab and start the service, the service runs fine.  For some services, I put in the known password and the service starts up fine.  But why is it doing that in the first place?
**Seems like any service that is an ntservice\user, or a service with the log on as set to a local user, won't start
**Running Windows 2012 R2 Standard
**Called Microsoft and they said the services are third-party services so they can't help
**Called various vendors and they said something in Windows isn't allowing those services to start so call Microsoft.
**looked under local account policy and the log on as a service.  Only domain\administrator is showing and the add users or groups is grayed out.  But this was always the setting and never caused us any issues before.  

Antivirus server- the below service won't start
nt service\sqlanys_sem5
nt service\semwebsrv
nt service\semsrv
nt service\msql$veeam
**blanking the password fixes the issue

OCR server- the below service won't start
.\ktserviceuser  
**ktserviceuser is a local user
**putting in the known password for this account fixes the issue.
nt service\msql$sqlexpress
nt service\reportserver$sqlexpress

OCR server 2- the below service won't start
nt service\mssql$sqlexpress

VMware (vcenter) server- the below services won't start
nt service\various VMware services

Please help!
Question by:meredithadams
7 Comments
 
LVL 7

Expert Comment

by:Senior IT System Engineer
ID: 41890714
meredithadams,

I had this problem before because someone in my IT team changed the Group Policy at the domain level, which denies everything or only allows specific groups / AD users to Log on as a service.

Since the service account cannot log in to the server (test it with a simple RDP session), the service account cannot start the services required.
0
 
LVL 83

Accepted Solution

by:
oBdA earned 500 total points
ID: 41890972
The issue is definitely this: "looked under local account policy and the log on as a service.  Only domain\administrator is showing and the add users or groups is grayed out."
You have a domain GPO eradicating the "Logon as a Service" user right required for your service accounts.
When you update the logon using the MMC, the MMC automatically sets the "Logon as a Service" right for the account in question. This right will remain in place until the next time the policies are refreshed. Once the service is started while the account is allowed to do so, it will keep running, even if the user right is removed in the meantime.
Easy test: update the logon information for a service. Open secpol.msc, check the "Logon as a service" user right, and you'll see the account in question.
Open an administrative command prompt, enter gpupdate.exe /target:computer /force.
Reload the Security Settings in secpol.msc, and the permission will be gone.
To resolve, make sure that besides any local or domain account you need, "NT SERVICE\ALL SERVICES" has this permission as well.
It would be best to create a local group "LogonAsServiceUserRight" or whatever, add the required user accounts to that group, and give the permission (through the GPO) to that group, so you won't have to change the GPO whenever you change a service.
0
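As an added example (not part of oBdA's answer), a read-only PowerShell audit of the condition the accepted solution describes: it exports the effective user rights with `secedit`, reads the "Log on as a service" entry (`SeServiceLogonRight`), and compares it with the logon account of every installed service. It assumes an elevated prompt and checks direct grants and `NT SERVICE\ALL SERVICES` only; grants through other groups are not expanded, and `ConvertTo-Sid` is a helper defined here.

```powershell
# Added example: read-only audit, run from an elevated PowerShell prompt.
function ConvertTo-Sid([string]$Account) {
    # ".\user" is how a local account is stored on a service; expand it first.
    $name = $Account -replace '^\.\\', "$env:COMPUTERNAME\"
    try {
        (New-Object Security.Principal.NTAccount($name)).Translate(
            [Security.Principal.SecurityIdentifier]).Value
    } catch { $null }   # account does not resolve on this machine
}

# Export the user rights currently in effect, including values set by GPO.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $inf -Pattern '^SeServiceLogonRight\s*=' |
    Select-Object -First 1
Remove-Item $inf -ErrorAction SilentlyContinue

# Entries are "*<SID>" or a plain account name, comma separated.
$granted = @()
if ($line) {
    $granted = @(($line.Line -split '=', 2)[1] -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) { $entry.Substring(1) } else { ConvertTo-Sid $entry }
    } | Where-Object { $_ })
}

$allServices = 'S-1-5-80-0'   # NT SERVICE\ALL SERVICES
# LocalSystem, LocalService and NetworkService have the right built in.
$builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and $builtIn -notcontains $_.StartName } |
    ForEach-Object {
        $sid = ConvertTo-Sid $_.StartName
        $status = if (-not $sid) { 'account not resolvable' }
            elseif ($granted -contains $sid) { 'granted directly' }
            elseif ($sid.StartsWith('S-1-5-80-') -and $granted -contains $allServices) {
                'granted via ALL SERVICES' }
            else { 'not granted directly (check group membership)' }
        [pscustomobject]@{
            Service = $_.Name; Account = $_.StartName
            StartMode = $_.StartMode; State = $_.State; LogonAsService = $status
        }
    } | Sort-Object LogonAsService, Service | Format-Table -AutoSize
```

Running it before and after `gpupdate.exe /target:computer /force` shows the same effect as the secpol.msc test above: accounts added by the services MMC drop out of the granted list once the policy is reapplied.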
 

Author Comment

by:meredithadams
ID: 41892090
oBdA, that was the problem.  A preexisting GPO I didn't know about at all was edited and only allowed domain\administrator in the log on as a service.  So, what I've done is just create a new GPO with all the service accounts that all the servers use and applied it to the servers OU.

However, I am running into a problem.  One of my servers uses a local account as its log on as service.  When I tried to add the local user to the GPO, it says "the following accounts could not be validated, computername\localaccountuser."

I can't seem to find anything on the web that shows me how to do this.
0
 
LVL 83

Expert Comment

by:oBdA
ID: 41892102
Don't use the object picker; just type (only) the user name (no computername) into the field.
But as I said: the better solution is to assign the user right to a local group, add all the accounts to that group, and add the group to the GPO.
0
 

Author Comment

by:meredithadams
ID: 41892892
That worked for the local user, thanks.  But I'm running into another problem.  The services are not starting by themselves even though they're set to automatic.  I have to manually start them now.  Is there a fix for this?

Yes, I will look into the local group soon but doing this now as it is the quickest way to fix.
0
 

Author Comment

by:meredithadams
ID: 41893062
Please disregard my last question.  The services started automatically upon 2nd reboot.
0
 

Author Closing Comment

by:meredithadams
ID: 41893065
Thanks, oBdA, for your detailed descriptions.
0
