September 9, 2014 at 8:58 am
Good afternoon!
I've been carrying out some clean installs of SQL Server 2012 SP2 today, but having some issues with the permissions for the SQL Server Agent Service Account. Windows is Windows Server 2012 R2 Standard.
I'm using a domain account specifically set up for each install as the service account for the SQL Server agent; however when trying to start the account I receive the following messages:-
The SQL Server Agent ([instance name]) service failed to start due to the following error:
Access is denied.
A timeout was reached (30000 milliseconds) while waiting for the SQL Server Agent ([instance name]) service to connect.
The SQL Server Agent ([instance name]) service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.
I've read the security requirements at http://technet.microsoft.com/en-us/library/ms143504(v=sql.110).aspx and gone through applying each one; however still can't get the agent to start. The security policy settings are set, the NTFS settings, and the account has been created as a member of sysadmin role on the SQL instance.
Placing the domain account in the local administrators group resolves the issue, so it's definitely permissions.
Does anyone know of any other permissions that are required for the account in order to get this working without having it as an administrator?
Cheers
Matthew
Follow me on twitter @EvoDBACheck out my blog Natural Selection DBA[/url]
September 9, 2014 at 9:19 am
what other errors do you see in the windows app event log?
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉
September 9, 2014 at 9:27 am
The only other messages in there are the successful start/stops when I add the account back to the administrator group and restart, along with the change in Agent XPs option.
Follow me on twitter @EvoDBACheck out my blog Natural Selection DBA[/url]
September 9, 2014 at 1:44 pm
did you install sql server with this account or did you change it after the fact? if it was after, did you use SQL Server Configuration manager or the services window?
If you didnt use SQL Server Configuration Manager, go back and do so. It will grant all the required permissions.
September 10, 2014 at 4:54 am
Hi Bob,
Yes I installed with that account.
As a test I've also tried changing to the local system account and back to the account using SQL Configuration Manager; at the end of this I received the following error:-
WMI Provider Error
The service did not respond to the start or control request in a timely fashion. [0x8007041d]
My account is a local administrator on the server, and I'm also running the Configuration Manager as administrator account, just in case it's the horrible UAC getting in the way.
I thought this would add the permissions, but it doesn't seem to be doing so; I even went through and cleared the permissions I manually added, and then tried this method again but to no avail - the permissions weren't added to any of the required objects.
The same behaviour has now happened on all three servers I'm trying to install.
Windows build is 9600; SQL Server build is 11.0.5058.
Thanks for suggestions so far!
Matthew
Follow me on twitter @EvoDBACheck out my blog Natural Selection DBA[/url]
September 10, 2014 at 5:21 am
The only other thing to check is that the SQL Server agent is granted login in the sql instance as sysadmin. Its usually done through the system account like so
NT SERVICE\SQLSERVERAGENT
NT SERVICE\SQLAgent$instancename
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉
September 10, 2014 at 5:29 am
Yes, I've manually added the account as sysadmin role.
It seems like the permissions that should be applied when adding the account to run the agent in the Configuration Manager aren't being set.
I'm really not sure why this is, or what to try next to resolve it.
Follow me on twitter @EvoDBACheck out my blog Natural Selection DBA[/url]
August 6, 2015 at 9:24 am
Hmm, got this again on another server in a totally different environment and workplace.
Would be interested if anyone else has the same issue at all?
I can see after install that the domain account specified for the Agent is granted the log on as a service user rights assignment. However, still won't start the service.
Stick the account in local admin, and bob's your uncle the agent starts, with way more permissions than I want that account to have.
Follow me on twitter @EvoDBACheck out my blog Natural Selection DBA[/url]
August 6, 2015 at 10:14 am
Sounds like an issue I ran into with some new installs on Windows 2012 (not R2) last year. Config Manager and many other things could write to the registry but not read from it. We never could figure out the root cause (and neither could Microsoft) and ended up just wiping the machines and reinstalling the OS. It happened on 3 servers at the same time and never happened again.
August 6, 2015 at 10:28 am
Hm, that's a bit weird. Wonder if it might be to do with some policy somewhere getting in the way? Was there literally no other changes other than reinstalling?
Follow me on twitter @EvoDBACheck out my blog Natural Selection DBA[/url]
August 6, 2015 at 10:30 am
Yes, no other change, and it only ever affected those 3 installs. Have heard of others that have experienced it once and fixed by reinstalling.
August 6, 2015 at 10:34 am
OK cheers. Will see if I can get that done (installs by another department) and see if it fixes it.
Follow me on twitter @EvoDBACheck out my blog Natural Selection DBA[/url]
August 6, 2015 at 10:51 am
Have you granted SeServiceLogonRight?
https://msdn.microsoft.com/en-us/library/ms191543.aspx
Updated: I just noticed that you already answered my question in the affirmative. Please disregard.
Derik Hammer
@SQLHammer
www.sqlhammer.com
August 7, 2015 at 3:19 am
From further digging, it looks like it may actually be a VMWare issue. Currently testing the following, but have high hopes for this:-
https://support.microsoft.com/en-us/kb/2811670#/en-us/kb/2811670
There's a patch on there that I'm about to test, reinstalling the instance currently with a non sysadmin service account also, to see if it fully matches all the errors listed on the links below.
References on these links:-
https://support.microsoft.com/en-us/kb/2799534#/en-us/kb/2799534
http://jonmorisissqlblog.blogspot.co.uk/2013/04/event-id-7000-sql-serverservice-failed.html
Follow me on twitter @EvoDBACheck out my blog Natural Selection DBA[/url]
August 7, 2015 at 5:49 am
Still waiting for the hot swapping functionality to be disabled, but in the meantime noticed that if you try and change the account in the SQL Server Configuration Manager to a non sysadmin get a WMI error.
In the application log at the same time get the following two messages under the User Profile Service:-
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. No user action is required.
DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-XXXX-XXXX-XXXX-22509:
Process 840 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-XXXX-XXXX-XXXX-22509
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. No user action is required.
DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-XXXX-XXXX-XXXX-22509_Classes:
Process 840 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-XXXX-XXXX-XXXX-22509_CLASSES
There's also some failed audits in the security log where the ip address is the server itself.
The Windows Filtering Platform has blocked a packet.
Application Information:
Process ID:940
Application Name:\device\harddiskvolume2\windows\system32\svchost.exe
Network Information:
Direction:Inbound
Source Address:xx.xx.xx.xx
Source Port:57620
Destination Address:xx.xx.xx.xx
Destination Port:5355
Protocol:17
Filter Information:
Filter Run-Time ID:69739
Layer Name:Receive/Accept
Layer Run-Time ID:44
So, is it something like windows firewall is blocking access to the registry?
Follow me on twitter @EvoDBACheck out my blog Natural Selection DBA[/url]
Viewing 15 posts - 1 through 14 (of 14 total)
You must be logged in to reply to this topic. Login to reply