Microsoft KB Archive/295091

= Hisecdc Causes Problems with Cluster Domain Controllers =

Article ID: 295091

Article Last Modified on 2/28/2007


APPLIES TO


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server




This article was previously published under Q295091



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SYMPTOMS
After you run the Hisecdc template on one of your domain controllers that are also your clustered nodes, you cannot restart the cluster service on either node.

The following events are logged in the System log in sequential order:

Event ID 9

The device, Device Scsi Scsi Fibre Controller, did not respond within the timeout period.

Event ID 1009

The Clustering Service could not join an existing cluster and could not form a new cluster. The Clustering Service has terminated.

Event ID 7031

The Cluster Service service terminated unexpectedly. It has done this X time(s). The following corrective action will be taken in XXXXXX milliseconds. Restart the service.

You may also receive the following error message:

Either the specified account is not valid or the domain cannot be contacted

NOTE: You may receive this error message if the account with which the cluster starts (at Services\Cluster Service Properties\Log On) is in the format clusteraccount@domain-name (such as clustersvc@microsoft.com). If the account is in this format, change it to DOMAIN\account (for example: MICROSOFT\clustersvc). After this change, the service should start automatically.

If you try to change the account through a terminal server connection, the option to change is not available. You have to change the account information while you are physically at the server.



CAUSE
This problem occurs because computers that you configure by using Hisecdc can only communicate with other Windows 2000 computers. Hisecdc sets the default Domain security profile to use NTLMv2. Hisecdc is a highly secure template that defines security settings for Windows 2000 network communications. The security areas are set to require maximum protection for network traffic and protocols used between computers running Windows 2000.



RESOLUTION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To resolve this problem, return the NTLM authentication level to its default level of "Send LM and NTLM responses". Follow these steps on each node in your Windows 2000-based cluster:
 * 1) In Control Panel, double-click Administrative Tools.
 * 2) Start the Local Security Policy tool, or if both nodes are the only domain controllers, use the Domain Security Policy tool.
 * 3) Expand Local Policies, and then click Security Options.
 * 4) Double-click Lan Manager Authentication Level, and then click Send LM and NTLM responses.
 * 5) Click OK, and then quit Local Security Policy Editor.
 * 6) Restart the server.

You can also resolve this issue by editing the registry:
 * 1) Start Registry Editor (Regedt32.exe).
 * 2) Locate and click the following registry key: '''HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'''
 * 3) Double-click lmcompatibilitylevel.
 * 4) Change the Radix setting to Decimal, and then type the number "0" in the Data box.
 * 5) Click OK.
 * 6) Quit Registry Editor.
 * 7) Restart the server.
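
To see which LAN Manager authentication level a security template would set before it is applied to a cluster node, the following added example (not part of the original article or of any Microsoft tool) parses the [Registry Values] section of a template and compares the lmcompatibilitylevel entry with the level 0 that the steps above restore. The template text is a constructed sample, not the contents of Hisecdc.inf, and the function names are hypothetical.

```python
LSA_VALUE = r"machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel"

# Descriptive names for each lmcompatibilitylevel value (0 is the article's default).
LEVELS = {
    0: "Send LM and NTLM responses",
    1: "Send LM and NTLM, use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only, refuse LM",
    5: "Send NTLMv2 response only, refuse LM and NTLM",
}

# Constructed sample template text (not the contents of the real Hisecdc.inf).
SAMPLE_TEMPLATE = r"""
[Version]
signature="$CHICAGO$"
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
"""

def lm_level_from_template(text):
    """Return the level set under [Registry Values], or None if it is not set."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # skip blanks and comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, data = line.partition("=")
        if section != "registry values" or not sep or name.strip().lower() != LSA_VALUE:
            continue
        reg_type, _, value = data.partition(",")  # "<type>,<value>"; type 4 = REG_DWORD
        if reg_type.strip() != "4":
            raise ValueError("unexpected registry type: " + reg_type.strip())
        return int(value.strip())
    return None

def review(text):
    """Return (level, name, matches_article_default) for a template."""
    level = lm_level_from_template(text)
    if level is None:
        return (None, "not set by this template", False)
    return (level, LEVELS.get(level, "unknown level"), level == 0)

if __name__ == "__main__":
    print(review(SAMPLE_TEMPLATE))
```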


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.


MORE INFORMATION
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

171390 Cluster Service May Not Start if DC Is Unavailable

272129 Cluster Service Does Not Start on 'Joining' Node in Windows 2000

Additional query words: Mscs ntlm ntlmv2 authentication

Keywords: kbclustering kbprb KB295091


© Microsoft Corporation. All rights reserved.