locked
WSUS Error -- Worked Yesterday, Not Today -- WID SQL Access Denied Errors RRS feed

  • Question

  • WSUS 3.0 SP2 on Win2K8R2 (virtual) was working yesterday (and has been for about two years).  Came in today and the console is erroring out indicating problems connecting to the database.  BITS, WID (MSSQL$MICROSOFT##SSEE), and Update Services* all running.

    * Update Services keeps terminating unexectedly but will restart just fine.

    I have SSMS installed and can connect to the SQL Instance just fine over the named pipe using an account with Admin rights.  However, I can't expand the SUSDB (no plus sign).  When I click on it, I don't get any errors or any expansion -- just nothing.  

    Looking at the MSSQL C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\LOG\ERRORLOG file, I think I see the root of the problem but don't know how to fix it:

    2014-06-12 10:10:48.17 Server      (c) 2005 Microsoft Corporation.
    2014-06-12 10:10:48.17 Server      All rights reserved.
    2014-06-12 10:10:48.17 Server      Server process ID is 1728.
    2014-06-12 10:10:48.17 Server      Authentication mode is WINDOWS-ONLY.
    2014-06-12 10:10:48.17 Server      Logging SQL Server messages in file 'C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\LOG\ERRORLOG'.
    2014-06-12 10:10:48.17 Server      This instance of SQL Server last reported using a process ID of 1720 at 6/12/2014 10:09:44 AM (local) 6/12/2014 1:09:44 AM (UTC). This is an informational message only; no user action is required.
    2014-06-12 10:10:48.17 Server      Registry startup parameters:
    2014-06-12 10:10:48.20 Server       -d C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\DATA\master.mdf
    2014-06-12 10:10:48.20 Server       -e C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\LOG\ERRORLOG
    2014-06-12 10:10:48.20 Server       -l C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\DATA\mastlog.ldf
    2014-06-12 10:10:48.25 Server      SQL Server is starting at normal priority base (=7). This is an informational message only. No user action is required.
    2014-06-12 10:10:48.25 Server      Detected 2 CPUs. This is an informational message; no user action is required.
    2014-06-12 10:10:48.94 Server      Using dynamic lock allocation.  Initial allocation of 2500 Lock blocks and 5000 Lock Owner blocks per node.  This is an informational message only.  No user action is required.
    2014-06-12 10:10:48.98 Server      Database mirroring has been enabled on this instance of SQL Server.
    2014-06-12 10:10:48.98 spid5s      Starting up database 'master'.
    2014-06-12 10:10:49.08 spid5s      Recovery is writing a checkpoint in database 'master' (1). This is an informational message only. No user action is required.
    2014-06-12 10:10:49.16 spid5s      SQL Trace ID 1 was started by login "sa".
    2014-06-12 10:10:49.16 spid5s      Starting up database 'mssqlsystemresource'.
    2014-06-12 10:10:49.17 spid5s      Error: 958, Severity: 10, State: 1. (Params:). The error is printed in terse mode because there was error during formatting. Tracing, ETW, notifications etc are skipped.
    2014-06-12 10:10:49.51 spid8s      Starting up database 'model'.
    2014-06-12 10:10:49.51 Server      Server local connection provider is ready to accept connection on [ \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query ].
    2014-06-12 10:10:49.51 spid5s      Server name is 'localhost\MICROSOFT##SSEE'. This is an informational message only. No user action is required.
    2014-06-12 10:10:49.51 Server      Dedicated administrator connection support was not started because it is not available on this edition of SQL Server. This is an informational message only. No user action is required.
    2014-06-12 10:10:49.53 spid5s      Starting up database 'msdb'.
    2014-06-12 10:10:49.53 Server      SQL Server is now ready for client connections. This is an informational message; no user action is required.
    2014-06-12 10:10:49.59 spid8s      Clearing tempdb database.
    2014-06-12 10:10:49.67 spid8s      Starting up database 'tempdb'.
    2014-06-12 10:10:49.69 spid11s     The Service Broker protocol transport is disabled or not configured.
    2014-06-12 10:10:49.69 spid5s      Recovery is complete. This is an informational message only. No user action is required.
    2014-06-12 10:10:49.69 spid11s     The Database Mirroring protocol transport is disabled or not configured.
    2014-06-12 10:10:49.70 spid11s     Service Broker manager has started.
    2014-06-12 10:10:53.74 spid51      Starting up database 'SUSDB'.
    2014-06-12 10:10:53.81 spid51      Error: 17207, Severity: 16, State: 1.
    2014-06-12 10:10:53.81 spid51      FCB::Open: Operating system error 5(Access is denied.) occurred while creating or opening file 'E:\WSUS\\UpdateServicesDbFiles\SUSDB.mdf'. Diagnose and correct the operating system error, and retry the operation.
    2014-06-12 10:10:54.09 spid51      Error: 17204, Severity: 16, State: 1.
    2014-06-12 10:10:54.09 spid51      FCB::Open failed: Could not open file E:\WSUS\\UpdateServicesDbFiles\SUSDB.mdf for file number 1.  OS error: 5(Access is denied.).
    2014-06-12 10:10:54.11 spid51      Error: 17207, Severity: 16, State: 1.
    2014-06-12 10:10:54.11 spid51      FCB::Open: Operating system error 5(Access is denied.) occurred while creating or opening file 'E:\WSUS\\UpdateServicesDbFiles\SUSDB_log.ldf'. Diagnose and correct the operating system error, and retry the operation.
    2014-06-12 10:10:54.11 spid51      Error: 17204, Severity: 16, State: 1.
    2014-06-12 10:10:54.11 spid51      FCB::Open failed: Could not open file E:\WSUS\\UpdateServicesDbFiles\SUSDB_log.ldf for file number 2.  OS error: 5(Access is denied.).
    2014-06-12 10:10:54.41 Logon       Error: 18456, Severity: 14, State: 16.
    2014-06-12 10:10:54.41 Logon       Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. [CLIENT: <named pipe>]
    2014-06-12 10:10:58.84 Logon       Error: 18456, Severity: 14, State: 16.
    2014-06-12 10:10:58.84 Logon       Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. [CLIENT: <named pipe>]
    2014-06-12 10:11:08.22 Logon       Error: 18456, Severity: 14, State: 16.
    2014-06-12 10:11:08.22 Logon       Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. [CLIENT: <named pipe>]
    2014-06-12 10:11:18.60 Logon       Error: 18456, Severity: 14, State: 16.
    ...
    ...

    ...with those last entries repeated about 20 more times.  The problem appears to be that when it tries to access the SUSDB, there is an ACL problem throwing Access Denied.  Doing some research on this specifically, the only thing I could find on this type of issue was where the NT Authority\NETWORK SERVICE account didn't have read access to the SUS MDF file or the root of the drive.  In my case, NETWORK SERVICE didn't have any explicit access access to the root of the E:\ drive (where the SUSDB.mdf file is actually located).  So... I granted it Full Control (overkill I know but just testing stuff out).  I ran an effective permissions check on the .mdf for the Network Service account and it was appropriately showing Full Control but I'm still getting the same errors.  

    Any help would be greatly appreciated.



    • Edited by thepip3r Thursday, June 12, 2014 3:15 AM
    Thursday, June 12, 2014 1:49 AM

Answers

  • Disregard, I figured it out.  It was our McAfee Host-Based Intrusion Prevention System (HIPS) that decided to start blocking access to the file.  I turned off that module, cycled the WSUS services and database, and log started showing successful connections to SUSDB and the WSUS mmc started connecting and displaying statistics and client could again start getting updates.

    So... this thread should be titled McAfee Failboat instead of WSUS... my apologies to any offended evangelists.  ;)

    • Marked as answer by thepip3r Thursday, June 12, 2014 3:13 AM
    Thursday, June 12, 2014 3:10 AM

All replies

  • Give ‘NETWORK SERVICE' account full access to the %temp% folder (usually C:\Windows\Temp) and see if that resolves the error. 

    :) Shyjo

    Thursday, June 12, 2014 2:07 AM
  • Disregard, I figured it out.  It was our McAfee Host-Based Intrusion Prevention System (HIPS) that decided to start blocking access to the file.  I turned off that module, cycled the WSUS services and database, and log started showing successful connections to SUSDB and the WSUS mmc started connecting and displaying statistics and client could again start getting updates.

    So... this thread should be titled McAfee Failboat instead of WSUS... my apologies to any offended evangelists.  ;)

    • Marked as answer by thepip3r Thursday, June 12, 2014 3:13 AM
    Thursday, June 12, 2014 3:10 AM