WSUS Database NT AUTHORITY/ANONYMOUS issue on Core 2012R2 installation

  • Question

  • Hi All

    I'm installing a new WSUS server on 2012R2 core with a remote database. I'm getting some strange issues.
    If I run the following command ([FQDN] is a placeholder for our fully qualified internal domain name, both WSUS01 and MGMTSQL01 are on the same domain/subnet):

    .\wsusutil.exe postinstall SQL_INSTANCE_NAME="MGMTSQL01.[FQDN]\MSSQLSERVER" CONTENT_DIR=W:\Update-Data

    I get the response:

    Fatal Error: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 25 - Connection string is not valid)

    If I run the command like this:

    .\wsusutil.exe postinstall SQL_INSTANCE_NAME="MGMTSQL01.[FQDN]" CONTENT_DIR=W:\Update-Data

    ..without the instance name, I get:

    fatal error: login failed for user 'nt authority\anonymous logon'.

    Here's the connection screen on the MGMTSQL01 server: http://imgur.com/UNphyEB
    So from that I can gather that it was set up with no instance name and that the second command above should work! Any idea how I can force it to use specific credentials?

    Cheers
    Jarrod


    Monday, August 17, 2015 9:12 PM

All replies

  • It's easy, if both Windows servers are members of the same AD Domain - just add the WSUS computer account into the relevant local group on the SQL.

    If your servers aren't domain members, it gets tricky to do remote SQL, because WSUS runs as a service, and will need high privileges on the SQL.

    https://technet.microsoft.com/en-us/library/dd939811(v=ws.10).aspx
    If you are installing WSUS to use SQL Server, the account that is used to install WSUS must have administrative privileges on SQL Server. This account must include the roles that are required to set up the WSUS database. The roles are dbcreator plus diskadmin, or sysadmin. By default, accounts that belong to the local Administrators group have the sysadmin role. For more information about SQL Server accounts and roles, see Principals (Database Engine) and Database-Level Roles.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)


    Monday, August 17, 2015 9:36 PM
  • No joy unfortunately. I tried:

    - Adding the WSUS01 computer account to an SQL Admins domain group that had required rights on MGMTSQL01, rerun postinstall
    - (Removing that and..) Adding the WSUS01 computer account to the local admins group on MGMTSQL01, rerun postinstall
    - (Removing that and..) Adding '[domain]\WSUS01$' directly to the SQL server logins, rerun postinstall

    I'm still getting the same error message.

    Previously I'd also tried setting the WSUS role up again (remove/reinstall) using server manager from a different server using a process similar to this.
    I'm currently in the process of installing the GUI (Nooooooo) so I can check the wsus.msc step that he mentions about half-way down the page.

    Any further thoughts? Or logs I can look in for further troubleshooting?

    Thanks for your help
    Jarrod



    Tuesday, August 18, 2015 2:25 AM
  • After you added the computer account into the security group, did you restart the WSUS (front-end) computer? (to get a fresh token)

    Don

    Tuesday, August 18, 2015 8:27 AM
  • I'm pretty sure I had, but I just restarted it and retried the command in case. Still no joy.

    I got sidetracked yesterday on a different job so I'm just working thru installing the GUI now. Fingers still crossed.

    Tuesday, August 18, 2015 10:24 PM
  • I'm still having no joy with this and have gone for a full GUI install.

    I did try adding NTAUTH\ANON to the sql users as a dbadmin (Yup, I know it's a really. bad. idea. Test Environment, just wanted to make it go!) and that allowed me to create the SUSDB database! But I then get a fatal error further down the postinstall log just after it tries to fetch the machine account info:

    2015-08-20 13:36:30  Fetching machine account info
    2015-08-20 13:36:30  System.DirectoryServices.DirectoryServicesCOMException (0x80072020): An operations error occurred.
       at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
       at System.DirectoryServices.DirectoryEntry.Bind()
       at System.DirectoryServices.DirectoryEntry.get_AdsObject()
       at System.DirectoryServices.PropertyValueCollection.PopulateList()
       at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
       at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
       at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
       at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
       at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
       at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
       at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
       at System.DirectoryServices.AccountManagement.ComputerPrincipal.FindByIdentity(PrincipalContext context, String identityValue)
       at Microsoft.UpdateServices.Administration.ConfigureDB.GetMachineAccountInfo(Byte[]& binarySid, String& accountName)
       at Microsoft.UpdateServices.Administration.ConfigureDB.Configure()
       at Microsoft.UpdateServices.Administration.PostInstall.Run()
       at Microsoft.UpdateServices.Administration.PostInstall.Execute(String[] arguments)

    So I don't know what's going on here.
    Unfortunately I've run out of time to do this job properly now, so it has to be a GUI server.

    Thanks for your help Don

    Thursday, August 20, 2015 1:46 AM
  • I know this is way old, but I had the same issue and resolved it by using the good old-fashioned command line (not PowerShell). As soon as I exited PowerShell and ran the command, it worked, and my SQL logs showed the connection was made under my currently logged in Windows account and not the anonymous logon.
    Thursday, July 27, 2017 6:21 PM
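
A check that can be run in the same console session as wsusutil.exe before postinstall, to see which login SQL Server maps an integrated-authentication connection to, instead of granting rights to the anonymous logon. This is an added example, not code from the thread or from Microsoft; the server name is the one used in the thread (with its [FQDN] placeholder), and the function name Test-SqlIntegratedIdentity is hypothetical.

```powershell
# Added example: report the identity SQL Server sees for a connection made
# with Windows integrated authentication from the current session.
# 'MGMTSQL01.[FQDN]' is the thread's placeholder; substitute the real name.
param(
    [string]$SqlServer = 'MGMTSQL01.[FQDN]'
)

Add-Type -AssemblyName System.Data

function Test-SqlIntegratedIdentity {
    param([string]$Server)

    $result = [ordered]@{
        LocalIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        SqlLogin      = $null
        AuthScheme    = $null
        Error         = $null
    }
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$Server;Database=master;Integrated Security=SSPI;Connect Timeout=10"
    try {
        # Fails here with "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'"
        # when the session's Windows credentials do not reach the SQL host.
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT SUSER_SNAME();'
        $result.SqlLogin = [string]$cmd.ExecuteScalar()
        try {
            # KERBEROS or NTLM; this DMV requires VIEW SERVER STATE.
            $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;'
            $result.AuthScheme = [string]$cmd.ExecuteScalar()
        } catch {
            $result.AuthScheme = 'unavailable (needs VIEW SERVER STATE)'
        }
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $conn.Dispose()
    }
    [pscustomobject]$result
}

Test-SqlIntegratedIdentity -Server $SqlServer | Format-List
```

If SqlLogin matches LocalIdentity, postinstall started from that same session will present that account to SQL Server; an Error naming the anonymous logon means the session is not passing Windows credentials to the remote host.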