Problem:
I'm having an annoying issue with Managed Service Accounts where they do not start the services they're assigned to on boot up. This is because they cannot find the domain controllers. When I assign local accounts (local system, local service, network service) the services start without any problems. Same goes for AD accounts, they start just fine. I'm also able to start the services with the MSAs after boot up.
My Setup:
This is a lab on VMware running Win2008R2Ent. These servers have various SQL Server 2012 roles installed and each SQL service has its own MSA. I've configured the MSAs correctly and used a configuration file for the SQL Server installations where the accounts are specified. The accounts have their own OU in AD. Account setup/configurations are done via SQL Server Configuration Manager and not the Services mmc.
Workarounds:
So far, the simplest workaround is to set these accounts to Automatic (Delayed start).
I've also read various forums which suggest tweaking the registry to delay the start up of the network; however, given that non-MSA accounts start just fine, it leads me to believe the problem is specific to MSAs.
Errors:
Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 2/28/2013 7:06:37 PM
Event ID: 1058
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: xxxx
Description: The processing of Group Policy failed. Windows attempted to read the file \\xxxx\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

Log Name: System
Source: Service Control Manager
Date: 2/28/2013 7:06:30 PM
Event ID: 7001
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: xxxxxx
Description: The SQL Server Agent (MSSQLSERVER) service depends on the SQL Server (MSSQLSERVER) service which failed to start because of the following error: The specified domain either does not exist or could not be contacted.

Log Name: System
Source: NETLOGON
Date: 2/28/2013 2:09:47 PM
Event ID: 5719
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: xxxxx
Description: This computer was not able to set up a secure session with a domain controller in domain xxxxx due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.
ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

Even though there's a workaround, I'd like to get to the root of this issue so I can understand this clearly.
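
A read-only diagnostic for the symptoms described above, added here as an example and not part of the original post: it lines up the three quoted event IDs against the last boot time, then lists auto-start services running under MSA-style accounts along with their delayed-start flag. The 10-minute window and the "account name ends in `$`" test are assumptions made for illustration.

```powershell
# Added diagnostic sketch; read-only. Event IDs are the ones quoted in the post.
$os       = Get-WmiObject Win32_OperatingSystem
$bootTime = $os.ConvertToDateTime($os.LastBootUpTime)
$window   = 10   # assumption: minutes after boot treated as "startup"

# 1) Boot-window errors: NETLOGON 5719, Service Control Manager 7001,
#    GroupPolicy 1058. No match is not an error, so suppress that message.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 5719, 7001, 1058
    StartTime = $bootTime
    EndTime   = $bootTime.AddMinutes($window)
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

# Seconds-after-boot shows whether service start (7001) was attempted
# before a secure channel to a domain controller existed (5719).
$events | Select-Object TimeCreated, Id, ProviderName,
    @{ Name = 'SecondsAfterBoot'; Expression = {
        [int](($_.TimeCreated - $bootTime).TotalSeconds) } } |
    Format-Table -AutoSize

# 2) Auto-start services whose logon account ends in '$' (heuristic for an
#    MSA), plus the DelayedAutostart registry value, which WMI's StartMode
#    does not expose.
Get-WmiObject Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.StartName -like '*$' } |
    Select-Object Name, StartName, State,
        @{ Name = 'DelayedAutostart'; Expression = {
            $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)"
            $p = Get-ItemProperty -Path $key -Name DelayedAutostart `
                     -ErrorAction SilentlyContinue
            [bool]($p -and $p.DelayedAutostart -eq 1)
        } } |
    Format-Table -AutoSize
```

Run it from an elevated prompt shortly after a reboot that reproduced the failure, so the boot window still covers the relevant events.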