SQL Server will not start on VMWare (5.1) hosted 2012 (sp1) server.

Question

I built a brand new Standard Server 2012 SP1 virtual machine in a VMWare 5.1 clustered environment.  No problems with the server itself.  No errors, no issues.  I patched to SP1 with all the latest KB's.  I start the installation of SQL 2012 Standard.  Install goes fine.  I set up domain service accounts to run the server and agent on, set them up as administrators on the box.  At the end of the installation it can't start the services.  SQL Server Agent wont start.  SQL Server wont start...  I am logged in as a domain admin.

There is NOTHING else installed on this server, not even antivirus.

"Windows could not start the SQL Server (MSSQLSERVER) service on local computer.  Error 5: Access is denied."

I found a posting about someone having a similar issue Here.   There was something about permissions of the guest in VMWare.  The fix for them was "changing all of the sql server services to log on as local system" which is NOT an option for me.  I did change permissions on the SQL install folder, and that didn't help.

So I wrapped up the installation....

Tried to start the service and got the above error.  Here is the event: (Sanitized for your protection)

Log Name:      System
Source:        Service Control Manager
Date:          3/4/2013 4:16:34 PM
Event ID:      7000
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      ComputerName.Domain
Description:
The SQL Server (MSSQLSERVER) service failed to start due to the following error: 
Access is denied.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="49152">7000</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2013-03-04T22:16:34.412450700Z" />
    <EventRecordID>1921</EventRecordID>
    <Correlation />
    <Execution ProcessID="508" ThreadID="2348" />
    <Channel>System</Channel>
    <Computer>ComputerName.Domain</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">SQL Server (MSSQLSERVER)</Data>
    <Data Name="param2">%%5</Data>
    <Binary>4D005300530051004C005300450052005600450052000000</Binary>
  </EventData>
</Event>

Just before this in the security logs (When I tried to start the service:)

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          3/4/2013 4:15:19 PM
Event ID:      4656
Task Category: File System
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      ComputerName.Domain
Description:
A handle to an object was requested.

Subject:
Security ID: DOMAIN\MyUserID
Account Name: MyUserID
Account Domain: FNTS
Logon ID: 0xC86050

Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\System32\services.msc
Handle ID: 0x0
Resource Attributes: -

Process Information:
Process ID: 0xfdc
Process Name: C:\Windows\System32\mmc.exe

Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: READ_CONTROL
SYNCHRONIZE
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
ReadAttributes
WriteAttributes

Access Reasons: READ_CONTROL: Granted by D:(A;;0x1200a9;;;BA)
SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BA)
WriteData (or AddFile): Not granted
AppendData (or AddSubdirectory or CreatePipeInstance): Not granted
WriteEA: Not granted
ReadAttributes: Granted by ACE on parent folder D:(A;;0x1301bf;;;BA)
WriteAttributes: Not granted

Access Mask: 0x120196
Privileges Used for Access Check: -
Restricted SID Count: 0
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4656</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2013-03-04T22:15:19.640384100Z" />
    <EventRecordID>1730094</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>ComputerName.Domain</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1724424548-855808307-1441089987-1194</Data>
    <Data Name="SubjectUserName">MyUserID</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0xc86050</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Windows\System32\services.msc</Data>
    <Data Name="HandleId">0x0</Data>
    <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="AccessList">%%1538
%%1541
%%4417
%%4418
%%4420
%%4423
%%4424
</Data>
    <Data Name="AccessReason">%%1538: %%1801 D:(A;;0x1200a9;;;BA)
%%1541: %%1801 D:(A;;0x1200a9;;;BA)
%%4417: %%1805
%%4418: %%1805
%%4420: %%1805
%%4423: %%1811 D:(A;;0x1301bf;;;BA)
%%4424: %%1805
</Data>
    <Data Name="AccessMask">0x120196</Data>
    <Data Name="PrivilegeList">-</Data>
    <Data Name="RestrictedSidCount">0</Data>
    <Data Name="ProcessId">0xfdc</Data>
    <Data Name="ProcessName">C:\Windows\System32\mmc.exe</Data>
    <Data Name="ResourceAttributes">-</Data>
  </EventData>
</Event>

---

"If at first you don't succeed, get a bigger hammer."

Answer 1

Hello,

It’s an error related to accessing the C:\Windows\System32\services.msc MMC.

Please read the following resources for a workaround:

http://social.technet.microsoft.com/Forums/en/winserverGP/thread/fa15d891-a3bc-4977-a610-e8dfebd08147

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4656

http://support.microsoft.com/kb/947226

This seems an issue at the operating system level.

Hope this helps.

Regards,

Alberto Morillo
SQLCoffee.com

Answer 2

Hi,

I had some issues also installing SQL Server 2012 in a VMWare 5.x environment with domain accounts detailed  here.

I also had a look at the link you provided here. In this case of that issue, I had a similar error around "Attempted to perform an unauthorized application", but related to SqlRSConfigAction_Install_Startup_Cpu64 (not SqlEngineDBstartConfigAction_install_configrc_Cpu64). 

What I found is that a number of permissions were not granted to the per service SID as detailed in my post. NT SERVICE\MSSQLSERVER was OK, but NT SERVICE\ReportServer for example was not granted the 'Log an as a service' right, and therefore gave an error during installation and was unable to start. I went and manually granted NT SERVICE\ReportServer the 'Log and as a service' right, and then retried the operation, and the installation continued successfully.

Post-installation can you check the rights granted to your per service SIDs against http://msdn.microsoft.com/en-us/library/ms143504(v=sql.110) with gpedit.msc? (in particular check NT SERVICE\MSSQLSERVER has the 'Log an as a service' right).

It does seem from other similar issues that VMWare is a common factor, but I'm not sure why that would be. I didn't check to see if all the correct permissions were granted to the folders/files.

Regards,

Anthony Duff

Answer 3

It’s an error related to accessing the C:\Windows\System32\services.msc MMC.

I reviewed the entries for that and your response only dealt with the MMC.  I applied the fixes associated with the articles, and it didn't help.  Checking the next response.  

Thanks though!

~Z

---

"If at first you don't succeed, get a bigger hammer."

Answer 4

I went through and checked permissions.  I looked through the articles that you sent.  I tried to re-associate the accounts to NT Services... that didn't help.. I am going to try a repair on the install.  If that doesn't work, I am going to completely uninstall and start over...

After re-associating the NT Service\MSSQLSERVER, this is the error now when I try to start the service:

Log Name:      System
Source:        Service Control Manager
Date:          3/5/2013 2:06:31 PM
Event ID:      7024
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      ComputerName.Domain
Description:
The SQL Server (MSSQLSERVER) service terminated with the following service-specific error: 
%%945
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="49152">7024</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2013-03-05T20:06:31.720436600Z" />
    <EventRecordID>1941</EventRecordID>
    <Correlation />
    <Execution ProcessID="508" ThreadID="1384" />
    <Channel>System</Channel>
    <Computer>ComputerName.Domain</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">SQL Server (MSSQLSERVER)</Data>
    <Data Name="param2">%%945</Data>
    <Binary>4D005300530051004C005300450052005600450052000000</Binary>
  </EventData>
</Event>

---

"If at first you don't succeed, get a bigger hammer."

Answer 5

I ended up reinstalling.  I installed as local administrator, running as administrator.  I used no domain accounts, and used all default local accounts, thinking that it might be something with my user account.  Exact same error.  

Log Name:      System
Source:        Service Control Manager
Date:          3/7/2013 8:55:20 AM
Event ID:      7000
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      ServerName.Domain
Description:
The SQL Server (MSSQLSERVER) service failed to start due to the following error: 
Access is denied.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="49152">7000</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2013-03-07T14:55:20.315674300Z" />
    <EventRecordID>2473</EventRecordID>
    <Correlation />
    <Execution ProcessID="544" ThreadID="3060" />
    <Channel>System</Channel>
    <Computer>ServerName.Domain</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">SQL Server (MSSQLSERVER)</Data>
    <Data Name="param2">%%5</Data>
    <Binary>4D005300530051004C005300450052005600450052000000</Binary>
  </EventData>
</Event>

So then, thinking that it may be something with the OS, so I built a new 2012 Standard server.  Tried it there...

Log Name:      System
Source:        Service Control Manager
Date:          3/7/2013 9:09:03 AM
Event ID:      7000
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      ComputerName2.Domain
Description:
The SQL Server (MSSQLSERVER) service failed to start due to the following error: 
Access is denied.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="49152">7000</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2013-03-07T15:09:03.859451200Z" />
    <EventRecordID>1650</EventRecordID>
    <Correlation />
    <Execution ProcessID="512" ThreadID="2104" />
    <Channel>System</Channel>
    <Computer>ComputerName2.Domain</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">SQL Server (MSSQLSERVER)</Data>
    <Data Name="param2">%%5</Data>
    <Binary>4D005300530051004C005300450052005600450052000000</Binary>
  </EventData>
</Event>

---

"If at first you don't succeed, get a bigger hammer."

Answer 6

I also went into group policy management to check there.  There is nothing in our policy that would affect this...

Default domain Policy:

Group Policy Management

body { font-size:68%;font-family:MS Shell Dlg; margin:0px,0px,0px,0px; border: 1px solid #666666; background:#F6F6F6; width:100%; word-break:normal; word-wrap:break-word; } .head { font-weight:bold; font-size:160%; font-family:MS Shell Dlg; width:100%; color:#6587DC; background:#E3EAF9; border:1px solid #5582D2; padding- height:24px; } .path { margin- margin- margin-bottom:5px;width:100%; } .info { padding-width:100%; } table { font-size:100%; width:100%; border:1px solid #999999; } th { border-bottom:1px solid #999999; text-align:left; padding- height:24px; } td { background:#FFFFFF; padding- padding-bottom:10px; padding- } .btn { width:100%; text-align:right; margin- } .hdr { font-weight:bold; border:1px solid #999999; text-align:left; padding- padding- height:24px; margin-bottom:-1px; width:100%; } .bdy { width:100%; height:182px; display:block; background:#FFFFFF; padding- padding-bottom:10px; padding- border:1px solid #999999; } button { width:6.9em; height:2.1em; font-size:100%; font-family:MS Shell Dlg; margin-right:15px; } @media print { .bdy { display:block; } button { display:none; } .head { color:#000000; background:#FFFFFF; border:1px solid #000000; } }

Setting Path:

Explanation

<button accesskey="P" name="Print">Print</button>

<button accesskey="C" name="Close">Close</button>

No explanation is available for this setting.

Supported On:

Not available

Data collected on: 3/7/2013 9:21:31 AM	hide all

General

Details

Domain	Domain
Owner	Domain\Domain Admins
Created	2/4/2011 3:57:30 PM
Modified	7/10/2012 8:38:46 AM
User Revisions	0 (AD), 0 (sysvol)
Computer Revisions	117 (AD), 117 (sysvol)
Unique ID	{31B2F340-016D-11D2-945F-00C04FB984F9}
GPO Status	Enabled

Links---

Location	Enforced	Link Status	Path
DOMAIN	No	Enabled	DOMAIN PATH

This list only includes links in the domain of the GPO.

Security Filtering---

The settings in this GPO can only apply to the following groups, users, and computers:

Name
NT AUTHORITY\Authenticated Users

Delegation---

These groups and users have the specified permission for this GPO

Name	Allowed Permissions	Inherited
NT AUTHORITY\Authenticated Users	Read (from Security Filtering)	No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS	Read	No
NT AUTHORITY\SYSTEM	Edit settings, delete, modify security	No

Computer Configuration (Enabled)---

Policies---

Windows Settings---

Security Settings---

Account Policies/Password Policy---

Policy	Setting
Enforce password history	4 passwords remembered
Maximum password age	35 days
Minimum password age	0 days
Minimum password length	8 characters
Password must meet complexity requirements	Enabled
Store passwords using reversible encryption	Disabled

Account Policies/Account Lockout Policy---

Policy	Setting
Account lockout duration	30 minutes
Account lockout threshold	6 invalid logon attempts
Reset account lockout counter after	30 minutes

Account Policies/Kerberos Policy---

Policy	Setting
Enforce user logon restrictions	Enabled
Maximum lifetime for service ticket	600 minutes
Maximum lifetime for user ticket	10 hours
Maximum lifetime for user ticket renewal	7 days
Maximum tolerance for computer clock synchronization	5 minutes

Local Policies/Audit Policy---

Policy	Setting
Audit account logon events	Success, Failure
Audit account management	Success, Failure
Audit directory service access	Success, Failure
Audit logon events	Success, Failure
Audit object access	Success, Failure
Audit policy change	Success, Failure
Audit privilege use	Success, Failure
Audit process tracking	Success, Failure
Audit system events	Success, Failure

Local Policies/Security Options---

Accounts---

Policy	Setting
Accounts: Administrator account status	Enabled
Accounts: Guest account status	Disabled
Accounts: Rename guest account	"DOMAINDISABLED"

Audit---

Policy	Setting
Audit: Audit the access of global system objects	Disabled
Audit: Audit the use of Backup and Restore privilege	Enabled
Audit: Shut down system immediately if unable to log security audits	Disabled

Devices---

Policy	Setting
Devices: Allowed to format and eject removable media	Administrators and Interactive Users
Devices: Prevent users from installing printer drivers	Disabled
Devices: Restrict CD-ROM access to locally logged-on user only	Disabled
Devices: Restrict floppy access to locally logged-on user only	Disabled

Interactive Logon---

Policy	Setting
Interactive logon: Do not display last user name	Enabled
Interactive logon: Do not require CTRL+ALT+DEL	Disabled
Interactive logon: Message text for users attempting to log on	Unauthorized use of this information, access by unauthorized persons, or exceeding authorized access is computer fraud and a violation of Federal Law (18 USC 1030). Anyone using this system expressly consents to the computer activity monitoring, and is advised that if such monitoring reveals possible criminal activity, system personnel may provide evidence of such monitoring to Law Enforcement Officials.
Interactive logon: Message title for users attempting to log on	"Access to This Computer's Information is Restricted to Authorized Persons Only"
Interactive logon: Number of previous logons to cache (in case domain controller is not available)	3 logons
Interactive logon: Prompt user to change password before expiration	7 days

Network Accesshide

Policy	Setting
Network access: Allow anonymous SID/Name translation	Disabled

Network Security---

Policy	Setting
Network security: Do not store LAN Manager hash value on next password change	Enabled
Network security: Force logoff when logon hours expire	Disabled

Event Log---

Policy	Setting
Maximum application log size	51200 kilobytes
Maximum security log size	102400 kilobytes
Maximum system log size	51200 kilobytes
Prevent local guests group from accessing application log	Enabled
Prevent local guests group from accessing security log	Enabled
Prevent local guests group from accessing system log	Enabled
Retention method for application log	As needed
Retention method for security log	As needed
Retention method for system log	As needed

Public Key Policies/Encrypting File System---

Certificates---

Issued To	Issued By	Expiration Date	Intended Purposes
Administrator	Administrator	1/11/2111 4:49:37 PM	File Recovery

For additional information about individual settings, launch Group Policy Object Editor.

Public Key Policies/Trusted Root Certification Authorities---

Properties---

Policy	Setting
Allow users to select new root certification authorities (CAs) to trust	Enabled
Client computers can trust the following certificate stores	Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria	Registered in Active Directory only

Administrative Templates---

Policy definitions (ADMX files) retrieved from the local machine.

Windows Components/Windows Updatehide

Policy	Setting	Comment
If the status is set to Enabled, Windows will check for available updates at the specified interval. If the status is set to Disabled or Not Configured, Windows will check for available updates at the default interval of 22 hours. Note: The "Specify intranet Microsoft update service location" setting must be enabled for this policy to have effect. Note: If the "Configure Automatic Updates" policy is disabled, this policy has no effect." gpmc_settingname="Automatic Updates detection frequency" gpmc_settingpath="Computer Configuration/Administrative Templates/Windows Components/Windows Update" gpmc_supported="At least Windows 2000 Service Pack 3 or Windows XP Professional Service Pack 1" href="">Automatic Updates detection frequency	Disabled
User Configuration (Enabled)hide No settings defined. Group Policy Management body { font-size:68%;font-family:MS Shell Dlg; margin:0px,0px,0px,0px; border: 1px solid #666666; background:#F6F6F6; width:100%; word-break:normal; word-wrap:break-word; } .head { font-weight:bold; font-size:160%; font-family:MS Shell Dlg; width:100%; color:#6587DC; background:#E3EAF9; border:1px solid #5582D2; padding- height:24px; } .path { margin- margin- margin-bottom:5px;width:100%; } .info { padding-width:100%; } table { font-size:100%; width:100%; border:1px solid #999999; } th { border-bottom:1px solid #999999; text-align:left; padding- height:24px; } td { background:#FFFFFF; padding- padding-bottom:10px; padding- } .btn { width:100%; text-align:right; margin- } .hdr { font-weight:bold; border:1px solid #999999; text-align:left; padding- padding- height:24px; margin-bottom:-1px; width:100%; } .bdy { width:100%; height:182px; display:block; background:#FFFFFF; padding- padding-bottom:10px; padding- border:1px solid #999999; } button { width:6.9em; height:2.1em; font-size:100%; font-family:MS Shell Dlg; margin-right:15px; } @media print { .bdy { display:block; } button { display:none; } .head { color:#000000; background:#FFFFFF; border:1px solid #000000; } } Setting Path: Explanation <button accesskey="P" name="Print">Print</button> <button accesskey="C" name="Close">Close</button> No explanation is available for this setting. Supported On: Not available (C) Servers Data collected on: 3/7/2013 9:18:02 AM General Details Domain DOMAIN Owner DOMAIN\Domain Admins Created 5/3/2012 5:15:48 PM Modified 7/1/2012 7:32:08 AM User Revisions 1 (AD), 1 (sysvol) Computer Revisions 8 (AD), 8 (sysvol) Unique ID {F3855C46-B6C5-4690-9DB6-B606BC1CA61E} GPO Status User settings disabled Links Location Enforced Link Status Path Servers No Enabled DOMAIN PATH This list only includes links in the domain of the GPO. Security Filtering The settings in this GPO can only apply to the following groups, users, and computers: Name NT AUTHORITY\Authenticated Users Delegation These groups and users have the specified permission for this GPO Name Allowed Permissions Inherited DOMAIN\Domain Admins Edit settings, delete, modify security No NT AUTHORITY\Authenticated Users Read (from Security Filtering) No NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No NT AUTHORITY\SYSTEM Edit settings, delete, modify security No ROOT\Enterprise Admins Edit settings, delete, modify security No Computer Configuration (Enabled) Policies Windows Settings Security Settings Local Policies/User Rights Assignment Policy Setting Access this computer from the network NT AUTHORITY\Authenticated Users, BUILTIN\Administrators Allow log on locally BUILTIN\Administrators Back up files and directories BUILTIN\Administrators Bypass traverse checking NT AUTHORITY\Authenticated Users Change the system time BUILTIN\Administrators Create a pagefile BUILTIN\Administrators Debug programs BUILTIN\Administrators Force shutdown from a remote system BUILTIN\Administrators Increase scheduling priority BUILTIN\Administrators Load and unload device drivers BUILTIN\Administrators Log on as a batch job NT AUTHORITY\SYSTEM, BUILTIN\Administrators Log on as a service DOMAIN\SQL_SERVER_SVC_ACCT, DOMAIN\SQL_AGENT_SVC_ACCT, (Other accounts removed) Manage auditing and security log BUILTIN\Administrators Modify firmware environment values BUILTIN\Administrators Profile single process BUILTIN\Administrators Profile system performance BUILTIN\Administrators Restore files and directories BUILTIN\Administrators Shut down the system BUILTIN\Administrators Take ownership of files or other objects BUILTIN\Administrators Local Policies/Security Options Domain Member Policy Setting Domain member: Digitally encrypt or sign secure channel data (always) Disabled Domain member: Digitally encrypt secure channel data (when possible) Enabled Domain member: Digitally sign secure channel data (when possible) Enabled Domain member: Disable machine account password changes Disabled Domain member: Require strong (Windows 2000 or later) session key Disabled Microsoft Network Client Policy Setting Microsoft network client: Digitally sign communications (always) Disabled Microsoft network client: Digitally sign communications (if server agrees) Enabled Microsoft network client: Send unencrypted password to third-party SMB servers Disabled Microsoft Network Server Policy Setting Microsoft network server: Amount of idle time required before suspending session 15 minutes Microsoft network server: Digitally sign communications (always) Disabled Microsoft network server: Digitally sign communications (if client agrees) Disabled Microsoft network server: Disconnect clients when logon hours expire Enabled Network Access Policy Setting Network access: Do not allow anonymous enumeration of SAM accounts and shares Enabled Network Security Policy Setting Network security: LAN Manager authentication level Send LM & NTLM responses Recovery Console Policy Setting Recovery console: Allow automatic administrative logon Disabled Shutdown Policy Setting Shutdown: Allow system to be shut down without having to log on Disabled Shutdown: Clear virtual memory pagefile Disabled System Objects Policy Setting System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) Enabled Registry Values Policy Setting MACHINE\Software\Microsoft\Driver Signing\Policy 0 Administrative Templates Policy definitions (ADMX files) retrieved from the local machine. System/Group Policy Policy Setting Comment Mode: Merge Windows Components/Windows Update Policy Setting Comment User Configuration (Disabled) No settings defined.

---

"If at first you don't succeed, get a bigger hammer."

Answer 7

I just found that if you switch it to run under the "Local Administrator" it fires right up.

Please explain this to me.

When I try to run the service as the domain service account, it will not start.  That account has administrator priv's on the the machine.  My domain admin account will not let the service start.  The default NT SERVICE\MSSQLSERVER account will not start the service.

I can't run it this way... It's against policy.

Please help!

~Zack Wagner

---

"If at first you don't succeed, get a bigger hammer."

Answer 8

Hello,

Please confirm the domain account has the  following rights and permissions:

http://msdn.microsoft.com/en-us/library/ms143504.aspx#Windows

Hope this helps.

Regards,

Alberto Morillo
SQLCoffee.com

Answer 9

I followed that article, created managed service accounts, made sure they were admin on the box, made sure that they were assigned to the box through the PowerShell AD plugin... made sure they had permissions in the Group Policy to run as a service.  Nadda... I'm 0 for 10 here.  Only runs on local admin credentials.

---

"If at first you don't succeed, get a bigger hammer."

Answer 10

Just to see if this helps, I tracked it down to the GPO settings for Sucess and Failure in Audit. Without this GPO it worked.

Paul

omputer Configuration (Enabled)

Policies

Windows Settings

Security Settings

Local Policies/Audit Policy

Policy	Setting
Audit account logon events	Success, Failure
Audit account management	Success, Failure
Audit directory service access	Success, Failure
Audit logon events	Success, Failure
Audit object access	Success, Failure
Audit policy change	Success, Failure
Audit privilege use	Success, Failure
Audit process tracking	Success, Failure
Audit system events	Success, Failure