This is one of the most common errors which is seen my most DBA when they are using a domain account as the service account. In this blog, we would learn about the cause and solution of error The service did not start due to a logon failure while using gMSA.
Log Name: System
Source: Service Control Manager
Event ID: 7000
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: node1.sqlauthority.com
Description:
The SQL Server (MSSQLSERVER) service failed to start due to the following error:
The service did not start due to a logon failure.
Some of you might run into the same error where the password is really expired. I have blogged about that earlier.
SQL SERVER – Event ID 7000 – The service did not start due to a logon failure
SQL SERVER – FIX – ERROR – Service Logon Failure (ObjectExplorer)
Interestingly, this time the situation was little different. My client was using group managed service account (gMSA) for SQL Server service account. In such account, the password is auto-managed by the domain controller. Here are some documentation which talks about how to configure it
SQL Server 2014; Click here and check “Group Managed Service Accounts”.
SQL Server 2016; Click here and see the section under “Managed Service Accounts, Group Managed Service Accounts, and Virtual Accounts.”
While using gMSA, you don’t provide a password in configuration manager so earlier blogs won’t help.
WORKAROUND/SOLUTION
When we setup gMSA, you need to allow machines to retrieve the latest password from the domain controller. This setting is called “PrincipalsAllowedToRetrieveManagedPassword”. My client had two nodes AlwaysOn availability group. Here are the commands we have to execute in PowerShell on the domain controller.
Import-Module ActiveDirectory Set-ADServiceAccount -Identity sqlsvcacct -PrincipalsAllowedToRetrieveManagedPassword Node1$ Set-ADServiceAccount -Identity sqlsvcacct -PrincipalsAllowedToRetrieveManagedPassword Node2$
After running above command, we were able to start SQL Service on both the nodes.
Reference: Pinal Dave (https://blog.sqlauthority.com)
5 Comments. Leave new
The commands in the workaround are incorrect. The second Set-ADServiceAccount command will overwrite the first and only one machine will have access. (I speak from experience.) Instead, put both (all) machines in one command separated by commas: Set-ADServiceAccount -Identity sqlsvcacct -PrincipalsAllowedToRetrieveManagedPassword Node1$, Nodes$
I came here to say that.
Guideness is wrong. Either set a security group, make SQL nodes member of it, and set this group as principalsAllowedToRetrieveManagedPaswords
Or specify each computer object comma separated as seem above.
Note that using security groups, would require nodes to be restarted to obtain membership status in the group.
I believe this solution is not correct. You will setPrincipalsAllowedToRetrieveManagedPassword with node2$ only!! Its better todo: -PrincipalsAllowedToRetrieveManagedPassword node1$, node2$
confirm :)
Being SQL DBA and reading multiple vlogs I got solution.
Simple solution explained in few words.
WOW.