I was trying to set up a new Configuration Manager 2012 SP1 build on Windows Server 2012 with SQL Server 2012 SP1 installed. Everything went fine except Windows Server Update Services. It keeps reporting an error saying a restart is needed. Here is what I got every time I installed WSUS after restarting the server.
Update: You can also refer to the solution posted here: http://blogs.technet.com/b/heyscriptingguy/archive/2013/04/15/installing-wsus-on-windows-server-2012.aspx
The request to add or remove features on the specified server failed. the operation cannot be completed because the server that you specified requires a restart.
Why does it fail every time, even though the server has been restarted several times after the error in the above screen appeared?
How do we troubleshoot this?
Go to Event Viewer, Windows Logs -> System, and you will see the error message below:
The MSSQL$MICROSOFT##WID service was unable to log on as NT SERVICE\MSSQL$MICROSOFT##WID with the currently configured password due to the following error:
Logon failure: the user has not been granted the requested logon type at this computer.
Service: MSSQL$MICROSOFT##WID
Domain and account: NT SERVICE\MSSQL$MICROSOFT##WID
This service account does not have the required user right "Log on as a service."
User Action
Assign "Log on as a service" to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node in a cluster, check that this user right is assigned to the Cluster service account on all nodes in the cluster.
If you have already assigned this user right to the service account, and the user right appears to be removed, check with your domain administrator to find out if a Group Policy object associated with this node might be removing the right.
How do I fix this?
There are 2 possible solutions to fix this issue:
1) Add the account (NT SERVICE\MSSQL$MICROSOFT##WID) to "Log on as a service" using gpedit.msc, or 2) implement the same solution using a GPO.
1. Add the account NT SERVICE\MSSQL$MICROSOFT##WID to "Log on as a service" using GPEDIT.MSC on the local server
Open gpedit.msc using an administrator account and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.
Go to the properties of "Log on as a service", click Add User or Group, enter NT SERVICE\MSSQL$MICROSOFT##WID and click OK.
Restart the server and start installing the WSUS role.
2) Implementing using a GPO:
Go to your Group Policy Management Console and edit the Default Domain Policy.
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
Note: It is not mandatory to edit the Default Domain Policy to enable this setting. You can also create a new GPO and make sure the Enforced option (running on Server 2012) is selected, so that it cannot be overwritten by Default Domain Controller.
Go to the properties of "Log on as a service", click Add User or Group, enter NT SERVICE\ALL SERVICES and click OK.
Now move on to the server, open a command prompt and type gpupdate /Force to apply the GPO settings.
To check whether the settings have been applied, you can run rsop.msc from the Run command and see whether the changes are there.
Once you have confirmed the settings are applied, start the installation of the WSUS role again. This time it should be okay.
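The same verification can be done from an elevated PowerShell prompt. The following is an added example, not part of the original post: it exports the server's current user-rights assignments with secedit and reports whether the WID service SID, NT SERVICE\ALL SERVICES (S-1-5-80-0) or Everyone (S-1-1-0) holds "Log on as a service" (SeServiceLogonRight). The temporary file name and the output property names are choices made for this example.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
$widService     = 'MSSQL$MICROSOFT##WID'   # single quotes keep the '$' literal
$allServicesSid = 'S-1-5-80-0'             # NT SERVICE\ALL SERVICES
$everyoneSid    = 'S-1-1-0'                # Everyone

# sc.exe derives the per-service SID from the service name.
$scOutput = sc.exe showsid $widService | Out-String
$widSid   = [regex]::Match($scOutput, 'S-1-5-80-[\d-]+').Value

# Export only the user-rights area of the security policy to a temporary INF file.
$inf = Join-Path $env:TEMP 'user-rights-export.inf'   # file name chosen for this example
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$entry = Select-String -Path $inf -Pattern '^SeServiceLogonRight\s*=\s*(.+)$' |
    Select-Object -First 1
Remove-Item $inf -Force

# Normalise every holder of the right to a SID string.
$sids = @()
if ($entry) {
    foreach ($item in $entry.Matches[0].Groups[1].Value.Split(',')) {
        $item = $item.Trim()
        if ($item.StartsWith('*')) {
            $sids += $item.TrimStart('*')   # secedit writes SIDs as *S-1-...
        } else {
            try {
                $sids += ([System.Security.Principal.NTAccount]$item).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                Write-Warning "Could not resolve '$item' to a SID"
            }
        }
    }
}

# Summary: the WID service can log on if either of the first two flags is True.
[pscustomobject]@{
    WidServiceSid      = $widSid
    WidGrantedDirectly = $sids -contains $widSid
    AllServicesGranted = $sids -contains $allServicesSid
    EveryoneGranted    = $sids -contains $everyoneSid
    Holders            = $sids -join ', '
}
```

If a GPO that defines this right later replaces the list, both WID flags turn False again, which matches the event log message quoted earlier.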
Hope it Helps!
30 Comments
I'm unable to export metadata from the old WSUS server; it's throwing a fatal error, error in the application.
Kindly guide me
Any reason to export the metadata from the old WSUS server? What is the scenario here?
Thanks,
Eswar
Thank you very much.
Kindly I want to understand why this error appears, I haven't even used WID database in installation I have chosen SQL database, Is there an explanation for this?
Hi,
Can you check the logs and Event Viewer for further troubleshooting? Did you check if Windows Internal Database is not enabled in the server roles and features?
Thanks,
Eswar
FYI: I tried for weeks to install WSUS on a 2012 R2 DC using the information here and other places but it did not work. That is when I found out that, even if I could install it, it would cause serious problems: https://social.technet.microsoft.com/wiki/contents/articles/4236.guidance-about-wsus-on-a-domain-controller.aspx
I would never recommend installing WSUS on a domain controller, and would always have the WSUS server either on SCCM or remote.
Regards,
Eswar
WSUS has always run perfectly on DCs without any performance or security issues until the introduction of Server 2012. It is sad that it is no longer supported on DCs and businesses have to purchase a dedicated server for a simple service like WSUS. That said, I appreciate your post and your quick response to my concern.
Simply install from powershell
Hey, thanks a lot for this helpful post, was having the same issue on a freshly installed Windows Server 2012 R2 box. Your GPO fix worked flawlessly!
Hi Dominik,
Glad it helped.
Regards,
Eswar
I had the same issue and your post helps me fix it. Thank you very much!
Unfortunately it did not work for me. Moreover, there was no AD group policy which was conflicting with or overwriting the 'Logon as a service' policy setting. Installation used to fail and the system rolled back after reboot.
Finally, we had to add Everyone to Logon as a service. Started installation - installation successful.
Reboot server (optional)
Edit the policy, Add NT SERVICE\MSSQL$MICROSOFT##WID
Remove Everyone
Proceed with Post Installation configuration.
Thank you so much for this! I really, really appreciate folks like yourself who take the time to publish things like this to help others who do not have this knowledge yet. This fix worked for me.
Thanks for your kind words, happy to help.
You can add the NT SERVICE\MSSQL$MICROSOFT##WID instead of ALL SERVICES on server 2012r2 and it works fine.
Yep, but I haven't tried that. Thanks, Naz.
What are the security risks (if any) of adding "NT SERVICE\ALL SERVICES" to the "Log In As Service" right?
AFAIK, I don't see any kind of security risks, or maybe there are some that I am not aware of. You are better off contacting the AD guys who manage this using GPO, or have a read of these posts on this account: https://social.technet.microsoft.com/Forums/office/en-US/422a4672-a713-47ef-b228-1563861931e8/gpo-and-service-sid?forum=winserverGP and https://stephenhirst.azurewebsites.net/?p=6042
+1 for Chris K's comment, works perfectly for me and my environment whereas I could not add the accounts to the GPO due to company policies.
In my environment I wished to install WSUS using SQL server, no need for WID. However, the add roles wizard insisted on installing WID, even after I unchecked WID and selected SQL. I attempted to add NT SERVICE\ALL SERVICES to GPO but as Jason mentioned, I was unable to do so. I followed the instructions below to install WSUS specifying SQL server using powershell without the need for WID or adding virtual accounts to logon as service. Just thought I would share what I found to work around this issue.
http://blogs.technet.com/b/heyscriptingguy/archive/2013/04/15/installing-wsus-on-windows-server-2012.aspx
Thanks for contributing your solution to the public. I have updated the blog post with your link.
You missed one point that is important: the reason you need to assign the Log on as a service user right to NT SERVICE\ALL SERVICES. A lot of companies have the 'Log on as a service' GPO right locked down to prevent Domain Service & Domain User Accounts from being automatically added. But isn't "NT SERVICE\MSSQL$MICROSOFT##WID" the actual account in question? Yes, it is, but it's a 'Virtual Account' and unfortunately you cannot add virtual accounts in a GPO because, well, they're virtual. When the 'Log on as a Service' GPO is not enabled, all services are allowed to 'Log on as a Service' and thus the feature can be added without error.
I do agree, but there is another fix for this issue: you just need to uncheck the feature of installing Windows Internal Database. You really do not require the Windows Internal Database for WSUS here.
Not installing Windows Internal Database and using a SQL database did not work for me either. The system still installed the Windows Internal Database service.
Have you tried the settings that are suggested? Did you uncheck the WID database and select No during the prompt?
Regards
Eswar
Did you deselect the internal database as shown in the blog and select No during the prompt?
Regards
Eswar