Issues with NT SERVICE\MSSQL$MICROSOFT##WID

  • Question

  • Hello

    I've been at war with WSUS, getting it to install on a 2012 R2 member server in a 2008 domain.

    The first stage of the role installation was fine, but the post installation tasks failed. First of all the security on the ..\webservices folders was not set correctly but I found a solution to that where iCACLS was used to grant permissions. Next, the NT SERVICE\MSSQL$MICROSOFT##WID account could not be used to start the WID service because it did not have the Log on as a service right.

    It's this last bit that I'm having continuing problems with. I ended up using services.msc to change the WID logon to use the local system account which worked fine and the post installation tasks completed successfully. 

    >>Note that WSUS is now up and running - updates are being downloaded and clients are reporting to the server.<<

    However, when using Group Policy to grant the NT SERVICE\MSSQL$MICROSOFT##WID account the log on as a service right in User Rights Assignment I am unable to get the account recognised. I have tried using the full form NT SERVICE\MSSQL$MICROSOFT##WID and just the account itself and then using Check names to validate it, but it fails to validate.

    I left the account name in the Log on as a service settings and rebooted the WSUS server in the hope that the service would be properly installed and registered on the system. Since then, as mentioned above, I abandoned the use of the account to start WID and chose the option to use the Local system account because NT SERVICE\MSSQL$MICROSOFT##WID has never been recognised. I also saw many SceCli 1202 events in the Application event logs stating an account cannot be resolved to a SID. Running the Find command against winlogon.log, MSSQL$MICROSOFT##WID is the culprit. I have now removed the account from the Group Policy setting.

    My question is: can I leave the system account 'in charge' of WID? It seems clear that NT SERVICE\MSSQL$MICROSOFT##WID does not exist and is not affecting the performance of the WSUS installation.

    Many thanks

    Mark

    Friday, November 3, 2017 11:38 AM

All replies

  • Check gpedit.msc on the WID server for anything in 'deny log on as a service' as that would take precedence over everything - it probably is and should be blank.

    Check 'log on as a service' and it should contain the following among other items:

    NT SERVICE\ALL SERVICES


    I'm not sure about granting the right through GPO - it depends on how your network is set up but this may give you hints with the user account to try.


    Also, since you have WSUS up and running, don't forget to set up my script. Don't forget, a new WSUS Server does not mean that it's a clean or optimized server...

    Have a peek at my Adamj Clean-WSUS script. It is the last WSUS Script you will ever need!

    http://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus

    What it does:

    1. Add WSUS Index Optimization to the database to make many database operations in WSUS approximately 1000-1500 times faster.
    2. Remove all Drivers from the WSUS Database (Default; Optional).
    3. Shrink your WSUSContent folder's size by declining multiple types of updates including by default any superseded updates, preview updates, expired updates, Itanium updates, and beta updates. Optional extras: Language Packs, IE7, IE8, IE9, IE10, Embedded, NonEnglishUpdates, ComputerUpdates32bit, WinXP.
    4. Remove declined updates from the WSUS Database.
    5. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    6. Compress Update Revisions.
    7. Remove Obsolete Updates.
    8. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    9. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount including 0 for unlimited. This is a manual execution only.
    10. Checks to see if you have a dirty database, and if you do, fixes it. This is primarily for Server 2012 WSUS, and is a manual execution only.
    11. Run the Recommended SQL database Maintenance script on the actual SQL database.
    12. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to set up and use so don't over think it. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment (email settings only if you are accepting all the defaults), simply run:

    .\Clean-WSUS.ps1 -FirstRun

    If you wish to view or increase the Application Pool Memory Configuration, or run the Dirty Database Check, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Saturday, November 4, 2017 4:43 AM
  • Hi Mark,

    >>My question is: can I leave the system account 'in charge' of WID? It seems clear that NT SERVICE\MSSQL$MICROSOFT##WID does not exist and is not affecting the performance of the WSUS installation.

    Yes, you can use "local system", such a powerful account, to run a service (even though the security standard requires a low-privilege account for running services).

    I'd suggest you check the following article, which pointed out the possible cause and a solution:

    (Please check the domain group policy applied to that WSUS server, or "block inheritance" GPO, to see if the issue is GPO related.)

    "To work around the issue, use one of the following methods:
    • Assign the Log on as a service user right to NT SERVICE\ALL SERVICES in the GPO that defines the user right.
    • Exclude the computer from the GPO that defines the user right."

    https://support.microsoft.com/en-sg/help/2832204/-mssql-microsoft-wid-service-was-unable-to-log-on-as-nt-service-mssql

    Best Regards,

    Elton


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, November 6, 2017 4:59 AM
    Moderator
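    The two checks raised above (Adam's "look at what 'Log on as a service' contains locally" and the NT SERVICE\ALL SERVICES workaround Elton quotes from the KB article) as an added PowerShell example; this is not code from the thread. It assumes an elevated prompt on the WID/WSUS host itself, and uses the service name from the thread.

```powershell
# Added example (not from this thread). Run elevated on the WSUS/WID host.
# It derives the per-service SID for the WID service, exports the effective
# 'Log on as a service' (SeServiceLogonRight) assignment, and reports whether
# each SID is granted locally and whether it resolves to a name on this machine.

$serviceName = 'MSSQL$MICROSOFT##WID'          # service name from the thread

# NT SERVICE\ALL SERVICES is the well-known SID S-1-5-80-0 (the KB 2832204 workaround).
$expected = @('S-1-5-80-0')

# 1. Ask the service controller for the per-service SID. It is derived from the
#    service name, so it only resolves to a name where that service is installed,
#    which is why a GPO editor on another machine cannot "Check names" it.
$showSid = & sc.exe showsid $serviceName
$m = [regex]::Match(($showSid -join "`n"), 'SERVICE SID:\s*(S-1-5-80-[\d-]+)')
if ($m.Success) { $expected += $m.Groups[1].Value }
else { Write-Warning "No service SID returned for $serviceName" }

# 2. Export the effective local security policy and pull SeServiceLogonRight.
#    secedit writes resolved SIDs prefixed with '*' and unresolved entries as names.
$cfg = Join-Path $env:TEMP 'secpol-userrights.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
$granted = @()
if ($line) {
    $granted = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 3. Report per expected SID: granted locally? resolvable to a name here?
foreach ($sid in $expected) {
    try {
        $name = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $name = '<does not resolve on this host>' }
    [pscustomobject]@{ Sid = $sid; ResolvesTo = $name; GrantedLocally = ($granted -contains $sid) }
}

# 4. SceCli 1202 ("cannot be resolved to a SID") is the symptom Mark saw when the
#    GPO carried a name this host could not map; list the most recent ones.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SceCli'; Id = 1202 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
```

    If S-1-5-80-0 shows GrantedLocally as True while the per-service SID does not, the KB workaround is in effect and the WID service can log on as its own virtual account without the GPO ever naming it.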
  • Hi, Adam

    Many thanks for your reply.

    The Deny log on as a service setting is not defined. I will have a look at your batch file. The reason WSUS was installed on this server was because it ate all the available disk space on the server it used to be installed on - the database exceeded 400GB even after running the Server Cleanup Wizard (which seems to be a misnomer...).


    Hi, Elton

    Thanks to you, too, for replying.

    @both: I am unable to add the NT SERVICE\ALL SERVICES entry to the Log on as a service policy setting. I see exactly the same as I saw before - Active Directory is unable to validate it. Selecting Entire Directory and the local server when browsing also results in the account not being recognised.

    Our network is simple - single domain, single subnet, one Default Domain Policy and one Domain Controllers Policy. I'm using the Default Domain Policy to make the changes. 
    Tuesday, November 7, 2017 4:00 PM
  • Although the Server cleanup wizard (SCW) has its place (I use it in my script to actually clean out the physical files), it FAILS in comparison to my script for 'cleaning' up WSUS.

    A recent user sent me their log as they've cleaned up

    2017.10.18 - DiskSpaceFreed: 796.61 GB or 815727.73 MB

    by using my script.... Yes, almost 800GB... and they used to run the Server Cleanup Wizard regularly :) They now hold the top spot of most garbage data removed by my script.


    Adam Marshall, MCSE: Security
    http://www.adamj.org


    • Edited by AJTek.caMVP Tuesday, November 7, 2017 4:19 PM
    Tuesday, November 7, 2017 4:18 PM
  • Thanks again, Adam.
    Friday, November 10, 2017 9:43 AM
  • Does anyone have any idea why I am unable to add the accounts, please?

    Thanks.

    Monday, November 13, 2017 3:57 PM