Cannot start MSSQLSERVER with service account

    Question

  • I'm running SQL Server 2008 R2 on a Windows 2008 Enterprise Hyper-V virtual. The MSSQLSERVER service will start using the NetworkService account. I've configured and want to use a domain service account to run the SQL Server process. When I log in to the machine with the domain service account and set the "Log on as" to the service account, the SQL service starts up fine.

    When I log on to the machine as any other domain user and set the "Log on as" to the domain service account I want to use, the service does not start.

    I have the SPN correctly  MSSQLsvc/<machine name>:1433 and with FQDN.

    The service account has been granted "log on as service" and some other local policy privileges.

    The Force Protocol Encryption is set to NO.

    The VIA protocol is disabled.


    I've done this in a 2003 environment with SQL Server 2005 with no problems for years now. But this is throwing me for a loop.

    The following is from the System Event log when the service fails to start

    The LoadUserProfile call failed with the following error: Access is denied.

    The SQL Server (MSSQLSERVER) service terminated with service-specific error 2148081668 (0x80092004).

    This is from the Application Event Log:

    Initializing the FallBack certificate failed with error code: 1, state: 1, error number: -2146893802.

    TDSSNIClient initialization failed with error 0x80092004, status code 0x80. Reason: Unable to initialize SSL support. Cannot find object or property.

    TDSSNIClient initialization failed with error 0x80092004, status code 0x1. Reason: Initialization failed with an infrastructure error. Check for previous errors. Cannot find object or property.

    One weird thing I have noticed is when I've added the service account to either a security group or granted it privileges in the machine's local policy, after I save the changes, the account turns from domain\service account name to  *S-1-5-21- 

    I'm lost....  Any thoughts/help would be greatly appreciated.

     

    Monday, October 18, 2010 12:26 AM

Answers

All replies

  • Please post complete ErrorLog in next post. I would like to see series of events.
    Balmukund Lakhani | Please mark solved if I've answered your question
    --------------------------------------------------------------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
    --------------------------------------------------------------------------------
    My Blog: http://blogs.msdn.com/blakhani
    Team Blog: http://blogs.msdn.com/sqlserverfaq
    Monday, October 18, 2010 3:16 AM
    Moderator
  • Hi,

    After you configure a domain account for the SQL Server service, it needs to get confirmation from Active Directory (AD). However, if you log on to Windows using a local Windows account other than a domain account, you probably do not have such permission.

    You may try the following steps to see if it works:

    1.     Open SQL Server properties dialog, switch to Log On tab.

    2.     Check This account radio box and select Browse button behind Account Name text box.

    3.     In the Select User or Group dialog box, click location (which defaults to the local computer), which will open the Windows Security dialog box; input your domain account, select Entire Directory and click the OK button.

    4.     In the Select user or Group, Enter your domain account which you want to use as SQL Server service account in Enter the object name to select text box, click the Check Names to confirm and click OK button.

    5.     Input the password of domain account you used in the Password and Confirm Password text boxes and click Apply button to apply settings.

    6.     Start the SQL Server service in the Configuration Manager.

    >>One weird thing I have noticed is when I've added the service account to either a security group or granted it privileges in the machine's local policy, after I save the changes, the account turns from domain\service account name to  *S-1-5-21

    This is a security identifier (SID), a unique value of variable length that is used to identify a security principal or security group in the Windows operating system. For more information, you can see http://en.wikipedia.org/wiki/Security_Identifier.

    Hope this helps.

    Thanks,
    Chunsong


    Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, October 18, 2010 4:24 AM
    Moderator
  • I've already done this...... as I explained in my original post. Perhaps not so clear.  When I do what you say, providing the domain service account, the SQL service does not start. When I use Network Service, it works. If I use the Built-in "Administrators" for the domain it does work. 

    It has to be something with the domain service account.  I noticed when I gave the built-in Administrator permissions in the local policy, its SID didn't get changed. Its ID stayed as domain\administrator when I granted permissions as

    Log on as service
    Replace token level process
    Allow log on locally

    As a comparison...in various 2003 environments I've used in the past, the SID doesn't get changed when I grant permissions to service accounts. I just think it has to do with some domain/network configuration or the service. It's as though the SQL service process doesn't know or can't figure out who or what this domain service account I created is.

    When I provide the service account credentials in the "Log on as" tab and start the process, I get the following pop-up error message

    WMI Provider Error

    "Can't find object or property" [0x80092004]

     

     

     

     

    Monday, October 18, 2010 9:22 AM
  • >>Please post complete ErrorLog in next post. I would like to see series of events.

    The error messages from the Event logs are from bottom up if that makes sense. In other words, I copied the messages from the first entry up to the last message generated...

    From the system messages, it appears as if there is some permission problem someplace.

     


    From Application Event Log...

    Initializing the FallBack certificate failed with error code: 1, state: 1, error number: -2146893802.

    Unable to initialize SSL encryption because a valid certificate could not be found, and it is not possible to create a self-signed certificate.

    Server name is 'SQ01'. This is an informational message only. No user action is required.

    TDSSNIClient initialization failed with error 0x80092004, status code 0x80. Reason: Unable to initialize SSL support. Cannot find object or property.

    TDSSNIClient initialization failed with error 0x80092004, status code 0x1. Reason: Initialization failed with an infrastructure error. Check for previous errors. Cannot find object or property.

    Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.

    SQL Server could not spawn FRunCM thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.

    From System Event Log..

    The LoadUserProfile call failed with the following error: Access is denied.

    The SQL Server (MSSQLSERVER) service entered the stopped state.

    The SQL Server (MSSQLSERVER) service terminated with service-specific error 2148081668 (0x80092004).

     

     

     

    Monday, October 18, 2010 9:44 AM
  • Problem solved! By me..yeah!

     

    Turns out it was the way I sysprep'ed (or lack thereof) the SQL machine. Have to check the "Generalize" check box.  It's unchecked by default.  Geez...there was a waste of a day or two. 

    http://macraem.wordpress.com/2010/02/25/no-mapping-between-account-names-and-security-ids-sql-server-install-and-sysprep-generalize/

    SQL Server is installing right now all happy..... Thanks for your help.

    • Marked as answer by turfnsurf Wednesday, October 20, 2010 1:42 AM
    Wednesday, October 20, 2010 1:42 AM
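
A check for the symptom described in this thread (an account displayed as a raw *S-1-5-21-... SID, resolved by re-running sysprep with Generalize), as an added example that is not part of any poster's reply: it round-trips the service account between name and SID and compares the machine SID with the account's domain SID. The account name `CONTOSO\svc_sql` and the function name are placeholders, and treating a machine/domain SID match as the cause is an assumption about images cloned without Generalize, not something the thread confirms.

```powershell
# Added diagnostic sketch (not from the thread). 'CONTOSO\svc_sql' is a placeholder.
function Test-ServiceAccountSid {
    param([string]$Account = 'CONTOSO\svc_sql')

    $result = New-Object PSObject -Property @{
        Account = $Account; AccountSid = $null; RoundTripName = $null
        DomainSid = $null; MachineSid = $null; SidCollision = $null
    }

    # Name -> SID: throws IdentityNotMappedException if the name cannot be resolved.
    try {
        $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
            [System.Security.Principal.SecurityIdentifier])
        $result.AccountSid = $sid.Value
        if ($sid.AccountDomainSid) { $result.DomainSid = $sid.AccountDomainSid.Value }
    } catch {
        Write-Warning "Cannot map '$Account' to a SID: $($_.Exception.Message)"
        return $result
    }

    # SID -> name: when this fails, policy editors show the raw *S-1-5-21-... string.
    try {
        $result.RoundTripName = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        Write-Warning "SID $($sid.Value) does not map back to an account name."
    }

    # Machine SID = SID of any local account with its trailing RID removed.
    $local = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        Select-Object -First 1
    if ($local) {
        $localSid = New-Object System.Security.Principal.SecurityIdentifier($local.SID)
        $result.MachineSid = $localSid.AccountDomainSid.Value
        # True means the member server and the domain share one SID prefix.
        $result.SidCollision = ($result.MachineSid -eq $result.DomainSid)
    }
    return $result
}

Test-ServiceAccountSid -Account 'CONTOSO\svc_sql' | Format-List
```

A healthy member server reports a `RoundTripName` equal to the account and `SidCollision` as False.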
  • I am glad to hear the problem was resolved, and thanks for sharing, which will benefit other community members.

    Have a nice day.


    Wednesday, October 20, 2010 2:07 AM
    Moderator
  • Machine was sysprep'ed after installing SQL?

    Balmukund Lakhani | Please mark solved if I've answered your question
    Wednesday, October 20, 2010 2:07 AM
    Moderator
  • >>Machine was sysprep'ed after installing SQL?

    Well..that was the kicker. I had uninstalled SQL server, did another sysprep, re-installed SQL.  Kind of drastic but I wanted a clean slate so to speak.
    Wednesday, October 20, 2010 8:51 AM