WSUS Role failed on Windows Server 2012 with error “the operation cannot be completed because the server that you specified requires a restart”

I was trying to set up a new Configuration Manager 2012 SP1 build on Windows Server 2012 with SQL Server 2012 SP1 installed. Everything went fine except Windows Server Update Services (WSUS): the role installation kept failing with an error saying a restart is needed. Here is what I got every time I installed WSUS after restarting the server.

Update: You can also refer to the solution posted here: http://blogs.technet.com/b/heyscriptingguy/archive/2013/04/15/installing-wsus-on-windows-server-2012.aspx

The request to add or remove features on the specified server failed. the operation cannot be completed because the server that you specified requires a restart.

 


Why does it fail every time, even though the server has been restarted several times after the error shown above appears?

How do we troubleshoot this?

Go to Event Viewer, Windows Logs -> System, and you will see the error message below:

The MSSQL$MICROSOFT##WID service was unable to log on as NT SERVICE\MSSQL$MICROSOFT##WID with the currently configured password due to the following error:
Logon failure: the user has not been granted the requested logon type at this computer.
Service: MSSQL$MICROSOFT##WID
Domain and account: NT SERVICE\MSSQL$MICROSOFT##WID
This service account does not have the required user right "Log on as a service."

User Action
Assign "Log on as a service" to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node in a cluster, check that this user right is assigned to the Cluster service account on all nodes in the cluster.
If you have already assigned this user right to the service account, and the user right appears to be removed, check with your domain administrator to find out if a Group Policy object associated with this node might be removing the right.

How do I fix this?

There are 2 possible solutions to fix this issue:

  1. Add the account (NT SERVICE\MSSQL$MICROSOFT##WID) to "Log on as a service" using gpedit.msc.
  2. Implement the same solution using a GPO.

1) Add the account NT SERVICE\MSSQL$MICROSOFT##WID to "Log on as a service" using gpedit.msc on the local server:

Open gpedit.msc using an administrator account and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.

Open the properties of "Log on as a service", click Add User or Group, enter NT SERVICE\MSSQL$MICROSOFT##WID, and click OK.

Restart the server and start installing the WSUS role.

2) Implementing using a GPO:

Go to your Group Policy Management Console and edit the Default Domain Policy:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment

Note: It is not mandatory to edit the Default Domain Policy to enable this setting. You can also create a new GPO; make sure the Enforced option (running on Server 2012) is selected, so that it cannot be overwritten by Default Domain Controller.


Open the properties of "Log on as a service", click Add User or Group, enter NT SERVICE\ALL SERVICES, and click OK.


Now move on to the server, open a command prompt and type gpupdate /force to apply the GPO settings.

To check whether the settings have been applied, run rsop.msc from the Run dialog and look for the change.

Once you have confirmed the settings are applied, start the installation of the WSUS role again. This time it should be okay.
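A scriptable version of the two checks above (the Event Viewer lookup and the rsop.msc verification), as an added example that is not part of the original post. It assumes an elevated PowerShell prompt on the WSUS server; the scratch file name is an assumption, and `S-1-5-80-0` and `S-1-1-0` are the well-known SIDs of NT SERVICE\ALL SERVICES and Everyone.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt
# on the server where the WSUS role is being installed.
$service        = 'MSSQL$MICROSOFT##WID'   # single quotes so "$" is not expanded
$allServicesSid = 'S-1-5-80-0'             # well-known SID of NT SERVICE\ALL SERVICES
$everyoneSid    = 'S-1-1-0'                # well-known SID of Everyone

# SID of the WID virtual account; sc.exe derives it from the service name.
$widSid = [regex]::Match((sc.exe showsid $service | Out-String), 'S-1-5-80(-\d+)+').Value

# Export the user-rights assignments currently set on this computer.
$inf = Join-Path $env:TEMP 'user-rights-check.inf'   # assumed scratch file name
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf |
    Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' } |
    Select-Object -First 1
Remove-Item $inf -ErrorAction SilentlyContinue

# Entries are "*<SID>" or a plain account name; normalise everything to SID strings.
$holders = @()
if ($line) {
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) { $holders += $entry.TrimStart('*'); continue }
        try {
            $acct = New-Object System.Security.Principal.NTAccount($entry)
            $holders += $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $holders += $entry   # name could not be resolved: keep it as written
        }
    }
}

# The WID service can start if its own SID or ALL SERVICES holds the right.
[pscustomobject]@{
    WidServiceSid        = $widSid
    LogOnAsServiceSids   = $holders -join ', '
    WidCanLogOnAsService = ($holders -contains $widSid) -or ($holders -contains $allServicesSid)
    GrantedToEveryone    = $holders -contains $everyoneSid   # broader than this fix needs
} | Format-List

# Recent Service Control Manager errors that mention the WID service.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager' } `
        -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -eq 'Error' -and $_.Message -like "*$service*" } |
    Select-Object -First 5 TimeCreated, Id, Message |
    Format-List
```

Run it before and after gpupdate /force: WidCanLogOnAsService should change from False to True once the policy has applied.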

Hope it helps!

30 Responses to "WSUS Role failed on Windows Server 2012 with error “the operation cannot be completed because the server that you specified requires a restart”"

  1. I'm unable to export metadata from old WSUS server, it's throwing fatal error, error in the application

    Kindly guide me

    Reply
  2. Thank you very much.
    Kindly I want to understand why this error appears, I haven't even used WID database in installation I have chosen SQL database, Is there an explanation for this?

    Reply
    1. Hi,
      Can you check the logs and event viewer for further troubleshooting? Did you check if Windows Internal Database is not enabled in the server roles and features?

      Thanks,
      Eswar

      Reply
    1. I would never recommend to install WSUS on domain controller and always have WSUS server either on SCCM or remote.

      Regards,
      Eswar

      Reply
      1. WSUS has always run perfectly on DCs without any performance or security issues until the introduction of Server 2012. It is sad that it is no longer supported on DCs and businesses have to purchase a dedicated server for a simple service like WSUS. That said, I appreciate your post and your quick response to my concern.

        Reply
  3. Hey, thanks a lot for this helpful post, was having the same issue on a freshly installed Windows Server 2012 R2 box. Your GPO fix worked flawlessly!

    Reply
  4. Unfortunately it did not work for me. Moreover, there was no AD group policy which was conflicting or overwriting 'Logon as a service' policy setting. Installation used to fail and system rolls back after reboot.

    Finally, We had to add everyone to logon as a service. Started Installation - Installation Successful.
    Reboot server (optional)
    Edit the policy, Add NT SERVICE\MSSQL$MICROSOFT##WID
    Remove Everyone

    Proceed with Post Installation configuration.

    Reply
  5. Thank you so much for this! I really, really appreciate folks like yourself who take the time to publish things like this to help others who do not have this knowledge yet. This fix worked for me.

    Reply
  6. In my environment I wished to install WSUS using SQL server, no need for WID. However, the add roles wizard insisted on installing WID, even after I unchecked WID and selected SQL. I attempted to add NT SERVICE\ALL SERVICES to GPO but as Jason mentioned, I was unable to do so. I followed the instructions below to install WSUS specifying SQL server using powershell without the need for WID or adding virtual accounts to logon as service. Just thought I would share what I found to work around this issue.

    http://blogs.technet.com/b/heyscriptingguy/archive/2013/04/15/installing-wsus-on-windows-server-2012.aspx

    Reply
  7. You missed one point that is important. The reason You need to Assign the Log on as a service user right to NT SERVICE\ALL SERVICES. A lot of companies have the ‘Log on as a service GPO’ right locked down to prevent ‘Domain Service & Domain User Accounts from being automatically added. But isn’t “NT SERVICE\MSSQL$MICROSOFT##WID” the actual account in question? Yes, it is but it’s a ‘Virtual Account’ and unfortunately you cannot add virtual accounts in a GPO because well – they’re virtual. When the ‘Log on as a Service’ GPO is not enabled, all services are allowed to ‘Log on as a Service’ and thus the Feature can be added without error.

    Reply
    1. I do agree, but there is another fix for this issue: you just need to uncheck the feature of installing Windows Internal Database. You really do not require the Windows Internal Database for WSUS here.

      Reply
      1. Not installing windows internal database and use SQL database did not work for me either. System still installed Windows internal Database service.

        Reply
