After installing the FIM Password Reset Extensions on a Windows 7 x86 client I started seeing massive amounts of the event 7000 on the client in the system application log:
The Diagnostic Service Host service failed to start due to the following error:
A privilege that the service requires to function properly does not exist in the service account configuration. You may use the Services Microsoft Management Console (MMC) snap-in (services.msc) and the Local Security Settings MMC snap-in (secpol.msc) to view the service configuration and the account configuration.
Opening services.msc I could see the service in question:
On a client without the Password Reset Extensions:
A quick bing didn’t got me much, a lot of unrelated stuff. Because we are in an environment with the Windows 2008 Security guidelines implemented (the Enterprise Client model, http://technet.microsoft.com/en-us/library/cc264463.aspx ) I started suspecting the EC model. After a lot of reboots and an unhealthy amount of coffee I got the GPO pinpointed which seemed to block the service from starting: Win7 EC Desktop Policy. Finally I got to the setting which caused all my grief, it looked like this:
But it should look like this:
There is a known issue with the GPMC client when you copy/restore GPO’s which have a reference to NT Service\WdiServiceHost: Event 1202 with status 0x534 logged on Windows Server 2008 R2 domain controllers after modifying security policy It should have thrown those evens on the clients as well, perhaps I missed them because of the massive event 7000 entries. In fact we do have the hotfix installed, but because we can’t work with some dedicated management stations to manage the server infrastructure it’s hard to get all endpoints patched with this specific hotfix. I Prefer some dedicated terminal servers with all management tools on them. The reason we copy GPO’s around is because we got several lab environments and we have to keep them in sync from time to time.
So all in all this was not an issue caused by FIM, but other people might suffer from the same problem.
2 Response to FIM 2010: SSPR: Diagnostic Service Host Service Failed To Start
So what is the fix. I have an exchange server that is having issues and I can't monitor it without that service.
I'd say just add "NT Service\WdiServiceHost" either manually (on the server) or by GPO for that privilege (Profile System Performance". You do this by clicking add user or group and then copy paste "NT Service\WdiServiceHost" and click check names.
Good luck!
Add Your Comment