I installed SSAS in a SQL Server 2016 SP2 CU15 Developer Edition server. At the last step, it prompted out this message
error message after installation
And the SSAS stopped running, when I tried to start it in SSCM manually, failed, the error message is like this:
I patched it with the latest CU17 and tried to start the service again, still failed, the same error.
I changed the service account to "build-in, local service" in SSCM, it worked, the SSAS can be brought online.
Then I changed the service account back to domain\account, it failed again, the error message is like this.error message of applying service account
I added the service account to the Windows Administrators group, tried to apply it in the SSCM, it worked.
I guess it must be some Windows-level permission issues.
Then I found this:
https://learn.microsoft.com/en-us/previous-versions/sql/sql-server-2012/ms143504(v=sql.110)?redirectedfrom=MSDN#Windows%20Configure%20Windows%20Service%20Accounts%20and%20Permissions
SSAS should be granted the following permission on local security policies
Log on as a service (SeServiceLogonRight)
For tabular only--(mine is tabular, not sure for cube):
Increase a process working set (SeIncreaseWorkingSetPrivilege)
Adjust memory quotas for a process (SeIncreaseQuotaSizePrivilege)
Lock pages in memory (SeLockMemoryPrivilege) – this is needed only when paging is turned off entirely.
For failover cluster installations only:
Increase scheduling priority (SeIncreaseBasePriorityPrivilege)
It works.
Related
I'm new to using DPA - while monitoring some alerts, I found that we had repeated attempts for a "login failed for user 'domain\User': attempting to use an NT account name with SQL Server Authentication [CLIENT: local machine]"
After doing a bit of research, we have identified that the attempted logins were coming from a Task Manager Detail with a PID associated to SWJobEngineWorker2.exe that runs every 5 minutes, and everything I've found seems to be that this is related to NPM.
There are also 3 other Detail/Services that are constant: SWJobEngineSvc2.exe, and 2 instances of SWJobEngineWorker2x64.exe
We do not have any stored credentials in Solarwinds for this particular domain\User, and it doesn't appear that we're using AppInsights to monitor, and nothing seems to be failing, as DPA is monitoring the SQL server just fine.
How can I remove/change this process or adjust the credentials/connection settings it is using?
NOTE: There are NO services on this particular server that use this domain\User account and the only SW service running is 'SolarWinds Agent' using LogOnAs Local System, and there is nothing to uninstall from Control Panel.
SOLVED!
In Solarwinds, under the "Product Specific Settings > SAM Settings", the account 'domain\User' was attempting to use an incorrect Authentication Type and likely an incorrect password (not sure how long ago this was set up in our environment).
After changing the account and authentication type, we were able to quiet the false alerts.
whilst 'hardening' the accounts - namely removing or toning down accounts with editor permissions on the projects I removed editor from what appears to be the kubernetes account that container engine uses on the back end of gcloud commands.
Once you remove the last role from an account it vanishes - hard lesson to learn!
Removed editor
serviceAccount:386242358897#cloudservices.gserviceaccount.com
It meant I initially couldn't deploy because it couldn't access container registry.
So I deleted the cluster and recreated expecting the account to get recreated. That failed due to insufficient permissions.
so I manually removed the compute instances (it wouldn't have permissions to recreate them), then templates and then the cluster.
As the UI now thinks you have no clusters it looks like you are back to the beginning. So I ran my scripts and they failed.
ERROR: (gcloud.container.clusters.create) Opetion [https://container.googleapis.com/v1/projects/xxxx/zones/europe-west2-b/operations/operation-xxxx'
startTime: u'2017-10-17T17:59:41.515667863Z'
status: StatusValueValuesEnum(DONE, 3)
statusMessage: u'Deploy error: "Not all instances running in IGM. Expect 1. Current actions &{Abandoning:0 Creating:0 CreatingWithoutRetries:0 Deleting:0 None:0 Recreating:1 Refreshing:0 Restarting:0 Verifying:0 ForceSendFields:[] NullFields:[]}. Errors [https://www.googleapis.com/compute/beta/projects/xxxx/zones/europe-west2-b/instances/gke-xxxx-default-pool-xxxx:PERMISSIONS_ERROR]".'
targetLink: u'https://container.googleapis.com/v1/projects/xxxx/zones/europe-west2-b/clusters/xxxx'
zone: u'europe-west2-b'>] finished with error: Deploy error: "Not all instances running in IGM. Expect 1. Current actions &{Abandoning:0 Creating:0 CreatingWithoutRetries:0 Deleting:0 None:0 Recreating:1 Refreshing:0 Restarting:0 Verifying:0 ForceSendFields:[] NullFields:[]}. Errors [https://www.googleapis.com/compute/beta/projects/xxxx/zones/europe-west2-b/instances/xxxx:PERMISSIONS_ERROR]".
Updated property [container/cluster].
when I try to create through UI I get this
Permission denied (HTTP 403): Google Compute Engine: Required 'compute.zones.get' permission for 'projects/xxxx/zones/us-central1-a'
Have done a number on it!
My problem is that I don't see a way of giving permissions back to whatever account it is trying to use (as I cannot see that account if it exists) nor can I see how to attach a new service account with permissions that are needed to whatever is doing the work under the hood.
UPDATE:
So ...
I recreated the account at the organisation level. Gave it service account role there because you cannot modify the domain of the accounts at project level.
I have then modified that at the project level to have editor permissions.
This means i can deploy a cluster but ... still cannot create load balancer - insufficient permissions
Error creating load balancer (will retry): Error getting LB for service default/bot: googleapi: Error 403: Required
'compute.forwardingRules.get' permission for 'projects/xxxx/regions/europe-west2/forwardingRules/xxxx', forbidden
the user having the problem this time is:
service-xxx#container-engine-robot.iam.gserviceaccount.com
So ...
I played with recreating accounts etc. Eventually got Kubernetes working again.
A week later tried to use datastore and discovered that AppEngine was dead beyond dead.
The only recourse was to start a new project from scratch.
The answer to this question is (some may laugh at its self evidence, but we are all in a rush at some point).
DO NOT CREATE USER ACCOUNTS OR GIVE THEM PERMISSIONS BEYOND WHAT THEY NEED BECAUSE DELETING THEM LATER IS REALLY NOT WORTH THE RISK.
Thankyou for listening :D
In a SQL server in my environment, couple of days after patch(Not immediately after), syspolicy purge job started failing at step 3 executing powershell. When I created a test job with a simple print statement that is not working as well. If i create a Proxy with my account and run the job it suceeds. The agent account is a domain account with both local admin and sysadmin permissions on SQL server. I'm not sure why it crashes with the below error message everytime it calls powershell.
Application popup error - SQLPS.exe The application was unable to start correctly (0xc0000142). Click OK to close the application.
Reboot it is!! Whew! There aint anything wrong with the Agent account. Something with the agent account was broke! Glad the issue is resolved.
Note:: The server was rebooted after the patch and there was no pending reboot. Also, after patching the job ran successfully 2 days. So just a weird failure! I'm unable to find what broke the account.
In my organization we are deploying our components using Microsoft TFS. The NServiceBus components are deployed as Windows Service by the BuildPortal.It typically creates the automated MSI packages and deploys it on the target servers. To deploy the MSI packages, the build portal uses the Service account (the Administrator/SuperUser). The NServiceBusHost will not run with the same service account, either it will use the System account or different Service account, which has restricted permission on the server and the account will not be part of the Administrator group.
In short, the Host /install command runs with different account than the actual NServiceBusHost execution. During the install, all the required queues are created by the installer (by using NServiceBus.Integration profile). Now, the problem is, since the queue created by different account than the original service account, it throws the following error.
Message:Could not create queue error#xxxxxxx01 or check its existence. Processing will still continue.
NServiceBus.Utils.MsmqUtilities.CreateQueueIfNecessary(:0)
System.Messaging.MessageQueueException (0x80004005): Access to Message Queuing system is denied.
at System.Messaging.MessageQueue.SetPermissions(AccessControlList dacl)
at NServiceBus.Utils.MsmqUtilities.SetPermissionsForQueue(String queue, String account)
at NServiceBus.Utils.MsmqUtilities.CreateQueueIfNecessary(Address address, String account)
To resolve the above error, we tried to use the INeedToInstallSomething. But, there are no proper documentation/sample on how to use or what to use inside the Install() method. When we call the Configure.Instance.ForInstallationOn().Install() the installer is not creating the queues as expected. All we wanted is, to get the list of dependent queues of current installer & set the permission something like this >> messageQueue.SetPermissions(serviceAccount, MessageQueueAccessRights.FullControl)
Is this possible to get all the dependent queues for the current Host and assign the permission during the Host install only.
NOTE:
We dont want to move this logic outside of the host for now. Yes,
having a simple PSS may help to reslove this issue.
We have to use the restricted account to run the Host which can't be a Administrator.
I would try either INeedToInstallInfrastructure<T> and set the permissions there, or this may be like the perf counters which uses IWantToRunBeforeConfigurationIsFinalized. You may need the latter and I'm not sure what order if any is used for INeedToInstallInfrastructure<T>.
I'm getting this message (on the log) when trying to start a SSAS Tabular Instance on SQL Server 2012. I already have a Multidimensional instance running so this would be a second one. I also tried with the default instance stopped but got the same error.
Message: The service cannot be started: The following system error
occurred: Insufficient system resources exist to complete the
requested service.
I know the message seems obvious but its a DEV server with a lot of free resources (file size, CPU, RAM..)
Did anyone have this error before?
I know this might seem obvious, but just to verify, did you install at least one instance in the tabular mode? The interface (icons) do not always accurately reflect the mode - in particular the SQL Server Configuration Manager shows the icon for the UDM (OLAP) for any type of SSAS instance.
If you are certain that you did install a SSAS instance of type tabular, then are you able to verify (see) that instance in the SSCM? If so, what is the service state, i.e. is it started?
If not, can you manually start the service there? Does the service account have adequate permissions to run the service?
Give me a bit more information if none of these solutions work.