Search This Blog

Tuesday, September 9, 2014

Windows Server Update Services (WSUS) installation fails

When you try to install Windows Server Update Services (WSUS) on Windows server 2012 R2 you might get the error

The request to add or remove features on the specified server failed. The operation cannot be completed, because the server that you specified requires a restart.

image

Restarting the server does not change anything.

Looking at the event log will give us a good idea about the cause of the problem:

The MSSQL$MICROSOFT##WID service was unable to log on as NT SERVICE\MSSQL$MICROSOFT##WID with the currently configured password due to the following error:

Logon failure: the user has not been granted the requested logon type at this computer.

Service: MSSQL$MICROSOFT##WID

Domain and account: NT SERVICE\MSSQL$MICROSOFT##WID

This service account does not have the required user right "Log on as a service."

User Action

Assign "Log on as a service" to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node in a cluster, check that this user right is assigned to the Cluster service account on all nodes in the cluster.

If you have already assigned this user right to the service account, and the user right appears to be removed, check with your domain administrator to find out if a Group Policy object associated with this node might be removing the right.

image

One typical reason could be a Group policy in Active Directory restricting the Log on as a Service right to something other than expected by Windows, as shown below:

Removing this policy or configuring it with the rights expected by Windows would be a good place to start.

image

image

Default Local security Setting on Windows Server 2012 R2 would normally be:

image

When you successfully install WSUS on a Windows 2012 R2 server with no GPO’s, the local Security Setting would change to:

image

No comments:

Post a Comment