Saturday, January 4, 2020

Windows Internal Database Service: Will Not Start and Fails with Error Code 1297

Windows Internal Database Fails to Start or Fails to Install from Server Manager

Greetings, y'all. Recently, I started building a WSUS server on Windows Server 2012 R2. While trying to install Windows Internal Database from the Server Manager, the install fails, yet leaves the services.msc control panel with a non-starting service called "Windows Internal Database." It refuses to start, which is why the installer refuses to finish. I was using "Add Roles and Features" to add this service. Curiously enough, after a reboot, the service will be removed. But if you try to start the service before the reboot, you will see this message dialog.
Service Fails to Start

How to Fix It

In the group policy for your AD domain, make sure that "NT SERVICE\ALL SERVICES" and "everyone" are granted the rights listed below. Adding "Everyone" is a foolish and dangerous thing to do. Just to be safe, add a separate group policy object just for this server, so that these changes don't contaminate other servers.
  • Bypass Traverse Checking
  • Generate Security Audits
  • Logon As A Service
You can find these in:
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment

Group Policy Object
Group Policy Object in rsop

How Do We Know This

By looking at the definition of this service in the registry, you can see "SeChangeNotifyPrivilege", which means Bypass Traverse Checking.
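
One way to run the same check from PowerShell, as an added example that is not from the original post: it reads the privileges the service declares in the registry, then reports whether NT SERVICE\ALL SERVICES or Everyone currently holds each of the three rights listed above. Looking the service up by its display name, reading the `RequiredPrivileges` value, and the temp file name are assumptions of this example.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session
# on the affected server, before the reboot that removes the half-installed service.

# Assumption: the service is found by the display name shown in services.msc.
$svc = Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'Windows Internal Database%'"

# Privileges the service declares in its registry definition (REG_MULTI_SZ).
$required = @()
if ($svc) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    $required = @((Get-ItemProperty -LiteralPath $key).RequiredPrivileges | Where-Object { $_ })
} else {
    Write-Warning 'Service not found; it may already have been removed by a reboot.'
}

# Export the effective User Rights Assignment (local policy plus applied GPOs).
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # assumed scratch file
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Parse lines such as: SeAuditPrivilege = *S-1-5-19,*S-1-5-20
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() })
    }
}
Remove-Item $cfg

# The three rights from the list above, by their internal names.
# SeServiceLogonRight is a logon right, so it does not appear in RequiredPrivileges.
$wanted = [ordered]@{
    SeChangeNotifyPrivilege = 'Bypass traverse checking'
    SeAuditPrivilege        = 'Generate security audits'
    SeServiceLogonRight     = 'Log on as a service'
}

foreach ($name in $wanted.Keys) {
    $holders = @($rights[$name])
    [pscustomobject]@{
        Right             = $name
        Policy            = $wanted[$name]
        RequiredByService = $required -contains $name
        AllServices       = [bool]($holders -match '^\*S-1-5-80-0$|ALL SERVICES')  # NT SERVICE\ALL SERVICES
        Everyone          = [bool]($holders -match '^\*S-1-1-0$|^Everyone$')       # worth reviewing if True
    }
}
```

A row with `AllServices` set to False shows which right a GPO has stripped from service accounts, which helps scope the fix to the missing right without granting anything to Everyone.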
