Categories
blog howto windows

Windows 2012 Server Manager refresh failed, requires a restart

The request to add or remove features on the specified server failed. the operation cannot be completed because the server that you specified requires a restart.

Role and feature refresh failed with the following error: The Request to list features available on the specific server failed. The operation cannot be completed, because the server that you specified requires a restart.

Restarting the server does not help.

Check the eventlog for an error from Service Control Manager ID 7041 that reads:

The MSSQL$MICROSOFT##WID service was unable to log on as NT SERVICE\MSSQL$MICROSOFT##WID with the currently configured password due to the following error:
Logon failure: the user has not been granted the requested logon type at this computer.

Service: MSSQL$MICROSOFT##WID
Domain and account: NT SERVICE\MSSQL$MICROSOFT##WID

This service account does not have the required user right “Log on as a service.”

Check the “Windows Internal Database” service is running, it probably is not and can’t start.

If this is a domain controller you can assign the logon as service right for the account using the “Default Domain Controllers Policy” GPO.

  1. Open gpmc.msc
  2. Select the “Default Domain Controllers Policy” under the “Domain Controllers” OU in the left tree.
  3. Right click on it and select edit.
  4. In the editor navigate to “Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, User Rights Assignments”.
  5. Open the properties of the “Log on as a service” item.
  6. Add the user “NT SERVICE\MSSQL$MICROSOFT##WID” (without quotes) using the Add User or Group button.
  7. Close the window with OK. Close the GPO editor.
  8. Run gpupdate and restart the computer.

If this is a normal member or standalone server you can assign the logon as service right for the account using the “Local Security Policy”.

  1. Open secpol.msc
  2. Navigate to” Local Policies, User Rights Assignments”.
  3. Open the properties of the “Log on as a service” item.
  4. Add the user “NT SERVICE\MSSQL$MICROSOFT##WID” (without quotes) using the Add User or Group button. If this is greyed out, than the item is set using Domain Group Policies (see above).
  5. Close the window with OK. Close the local security policy editor.
  6. Run gpupdate and restart the computer.
Categories
blog server windows

Windows 7 profile SID wrong mstsc can’t login

This is a very strange problem I came across on a windows 7 Embedded thin client. I don’t quite understand what went wrong but I’ll give you a detailed description.

CASE:
The user has a thin client with Windows 7 Embedded that’s been entered in to the Active Directory domain. On the public desktop of the thin client there is a RDP file to connect to a Remote Desktop Server (a.k.a. Terminal Server). The user logs on to the thin client using their AD credentials. The user was able to log on to the server using the RDP file without problems until today.

SYMPTOMS:
– User can’t log on to the Remote Desktop Server, the error received is:

The connection was denied because the user account is not authorized for remote login

TROUBLESHOOTING:
Normally this just means that the user is not a member of the “Remote Desktop Users” local group on the server.
– I verified the user was a member of the correct groups to log on to the server.
– I then tried to log on the server with the same credentials from a different workstation. This worked without a problem. Which led me to conclude at the server-side everything was OK.
– On the troublesome workstation (thin client with WIN 7 E in my case) I launched remote desktop with the “Run As Administrator” option and supplied credentials for an admin account. I tried to connect to the Remote Desktop server using the credentials of the troublesome user account. This worked without a problem.
– I tried again without the run as, and it failed again with the same error.

This led me to my conclusion that something was very wrong with the user profile on the workstation for this domain user.

SOLUTION:
I decided to delete the user profile on the local workstation since nothing is stored in it (they don’t work locally). However when I opened Explorer and went to see in “C:\Users” I saw 2 identical folders with the same name (the username of the troublesome user). It seems there were 2 identical profile folders. I didn’t think it was possible for 2 folders to have the same name.
I deleted both folders!
I then opened REGEDIT and went to HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PROFILELIST
I saw multiple user SID’s and checked them all. To my surprise there were 2 different user SID’s that both had a value c:\users\problem.username underneath it. So 2 different user SID’s for the same username. I thought that was impossible. I deleted both registry keys.
After deleting the profiles and the keys I logged back in with the user and profile was recreated and the remote desktop worked perfectly.

So it seems that the remote desktop client was sending the wrong SID to the server and that was the reason for the unauthorized error message.