Microsoft KB Archive/307532

= How to troubleshoot the Cluster service account when it modifies computer objects =

Article ID: 307532

Article Last Modified on 3/2/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)

-



This article was previously published under Q307532





SUMMARY
This article describes how to troubleshoot the Cluster service when it creates or modifies a computer object in Active Directory for a server cluster (virtual server). For additional information about computer objects with regard to the Cluster service, click the following article number to view the article in the Microsoft Knowledge Base:

302389 Description of the properties of the Cluster network name resource in Windows Server 2003



Active Directory access rights for creating a computer object
By default, members of the Domain Users group are granted the user right to add workstations to a domain. By default, this user right is set to a maximum quota of ten computer objects in Active Directory. If you exceed this quota, the following event ID message is logged:

Event Source: ClusSvc

Event Category: Network Name Resource

Event ID: 1194

Description:

The computer account for Cluster resource 'Network Name Resource' in domain microsoft.com could not be created for the following reason: Unable to create computer account.

The text for error code is: Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased.

This failure may be due to the cluster service account not having proper access to Active Directory. The domain administrator should be contacted to assist with resolving this issue.

If several clusters are using the same domain account as their Cluster service account, you may receive this error message before you create ten computer objects in a given cluster. One way to resolve this issue is to grant the Cluster service account the Create Computer Objects permission on the Computers container. This permission overrides the Add Workstations to a Domain user right, which has a default quota of ten. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

251335 Domain users cannot join workstation or server to a domain
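The quota described above is a per-account count of computer objects created through the Add Workstations to a Domain user right, so one Cluster service account shared by several clusters consumes it faster than a single cluster would. The following PowerShell script is an added example, not code from the Knowledge Base article: it reads the domain's quota and counts the computer objects a given account has already created under it. It assumes the ActiveDirectory RSAT module on a domain-joined host, and the account name `CONTOSO\clussvc` is a placeholder.

```powershell
# Added example (not from the KB article): report the domain's machine-account
# quota and how many computer objects a given Cluster service account has
# already created under it. Assumes the ActiveDirectory RSAT module; the
# account name used at the bottom is a placeholder.
Import-Module ActiveDirectory

function Get-MachineAccountQuotaUsage {
    param(
        [Parameter(Mandatory)] [string] $AccountName   # e.g. 'CONTOSO\clussvc' (placeholder)
    )

    $domain = Get-ADDomain
    # ms-DS-MachineAccountQuota is stored on the domain naming context; 10 is the default.
    $quota = (Get-ADObject -Identity $domain.DistinguishedName `
                  -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

    $sid = ([System.Security.Principal.NTAccount] $AccountName).Translate(
               [System.Security.Principal.SecurityIdentifier])

    # Computer objects created under the "Add workstations to domain" right carry
    # the creator's SID in mS-DS-CreatorSID. Objects created with an explicit
    # Create Computer Objects permission (the article's suggested fix) do not
    # carry it and are never counted against the quota.
    $created = Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID' |
        Where-Object {
            $raw = $_.'mS-DS-CreatorSID'
            if (-not $raw) { return $false }
            # The module may surface the attribute as raw bytes or as a SID object.
            $creator = if ($raw -is [byte[]]) {
                [System.Security.Principal.SecurityIdentifier]::new($raw, 0)
            } else { $raw }
            $creator -eq $sid
        }

    $count = @($created).Count
    [pscustomobject]@{
        Account       = $AccountName
        Quota         = $quota
        UsedByAccount = $count
        Remaining     = $quota - $count
        Objects       = @($created | Select-Object -ExpandProperty Name)
    }
}

# Usage with a placeholder account name:
Get-MachineAccountQuotaUsage -AccountName 'CONTOSO\clussvc' | Format-List
```

Because the count covers the whole domain rather than one cluster, a result of ten or more for a shared account explains the event ID 1194 message even when the cluster you are troubleshooting has created far fewer objects.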

To verify that the Cluster service account has the Add Workstations to a Domain user right:
 * 1) Log on to the domain controller on which the Cluster service account is stored.
 * 2) Start the Domain Controller Security Policy program from Administrative Tools.
 * 3) Click to expand Local Policies, and then click to expand User Rights Assignments.
 * 4) Double-click Add Workstations to a Domain and note the accounts that are listed. The Authenticated Users group (the default group) should be listed. If it is not listed, you must grant this user right to either the Cluster service account or a group that contains the Cluster service account on the domain controllers.

Note You must grant this user right to the domain controllers because computer objects are created on the domain controllers. If you explicitly add the Cluster service account to this user right, run gpupdate on the domain controller (or run secedit for Windows 2000) so that the new user right is replicated to all domain controllers.

 * 5) Verify that the policy will not be overwritten by another policy. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

250842 Troubleshooting Group Policy application problems

Cluster Service account does not have proper user rights on local node
Verify that the Cluster Service account has the appropriate user rights on each node of the cluster. The Cluster Service account must be in the local Administrators group and should have the rights listed below. These rights are given to the Cluster Service account during the configuration of the cluster node. It is possible that a higher-level policy is overwriting the local policy or that an upgrade from a previous operating system did not add all of the required rights. To verify that these rights are given on the local node, follow these procedures:
 * 1) Start the Local Security Settings console from the Administrative Tools group.
 * 2) Navigate to User Rights Assignments under Local Policies.
 * 3) Verify that the Cluster Service account has explicitly been given the following rights:
   * Log on as a service
   * Act as part of the operating system
   * Back up files and directories
   * Adjust memory quotas for a process
   * Increase scheduling priority
   * Restore files and directories

Note If the Cluster Service account has been removed from the local Administrators group, manually re-create the Cluster service account and give the Cluster Service the required rights. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

269229 How to manually re-create the Cluster service account

If any of the rights are missing, grant the Cluster Service account the missing rights explicitly, and then stop and restart the Cluster Service. The added rights do not take effect until you restart the Cluster Service. If the Cluster Service account still cannot create a computer object, verify that a Group Policy is not overwriting the local policy. To do this, type gpresult at a command prompt if you are in a Windows 2000 domain, or use Resultant Set of Policy (RSoP) from an MMC snap-in if you are in a Windows Server 2003 domain. For additional information about Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:

250842 Troubleshooting Group Policy application problems

If you are in a Windows Server 2003 domain, search in Help and Support on "RSOP" for instructions on using Resultant Set of Policy.

If the Cluster Service account does not have the "Act as part of the operating system" right, the Network Name resource fails and the Cluster.log registers the following:

Failed to enable TCB privilege, status C0000061

ERR Network Name Cluster Name: Failed to add credentials to LSA for computer account Cluster status 1314

Use the above steps to verify that the Cluster Service account has all the required rights. If the local security policies are being overwritten by a domain or organizational unit (OU) Group Policy, there are several options. One is to place the cluster nodes into their own OU that has the "Allow inheritable permissions from parent to propagate to this object" option cleared.
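Both checks in this article, the Add Workstations to a Domain right on the domain controllers and the six rights on each cluster node, come down to reading the effective user-rights assignments and confirming that the Cluster service account (or a group containing it) is listed. The PowerShell script below is an added example, not code from the Knowledge Base article: it exports the effective local security policy with `secedit` and parses the `[Privilege Rights]` section, so that the result can be compared after a gpupdate to confirm a Group Policy is not overriding the local setting. It assumes an elevated prompt, `secedit.exe` in the path, and optionally the ActiveDirectory module for group expansion; the account name `CONTOSO\clussvc` is a placeholder.

```powershell
# Added example (not from the KB article): verify that an account holds the user
# rights the article lists by exporting the effective local security policy with
# secedit and parsing its [Privilege Rights] section. Run with -Scope
# DomainController on a domain controller (Add workstations to domain) and with
# -Scope Node on each cluster node (the six node rights). Run elevated; the
# account name at the bottom is a placeholder. The ActiveDirectory module is
# used only to expand group membership and is optional.

# Privilege constants as secedit writes them, mapped to the article's display names.
$RightsByScope = @{
    DomainController = @{ SeMachineAccountPrivilege = 'Add workstations to domain' }
    Node = @{
        SeServiceLogonRight             = 'Log on as a service'
        SeTcbPrivilege                  = 'Act as part of the operating system'
        SeBackupPrivilege               = 'Back up files and directories'
        SeIncreaseQuotaPrivilege        = 'Adjust memory quotas for a process'
        SeIncreaseBasePriorityPrivilege = 'Increase scheduling priority'
        SeRestorePrivilege              = 'Restore files and directories'
    }
}

function Get-PrivilegeAssignments {
    # secedit exports identities as *SID, or as DOMAIN\name when the SID resolves.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $table = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
            $table[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    return $table
}

function ConvertTo-SidString {
    param([string] $Identity)
    if ($Identity -match '^S-1-') { return $Identity }
    try {
        return ([System.Security.Principal.NTAccount] $Identity).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $Identity }   # leave unresolvable names untouched
}

function Test-ClusterAccountRights {
    param(
        [Parameter(Mandatory)] [string] $AccountName,
        [Parameter(Mandatory)] [ValidateSet('DomainController', 'Node')] [string] $Scope
    )
    $assigned = Get-PrivilegeAssignments

    # A right is satisfied by the account itself or by a domain group it belongs to.
    # On a DC the article expects Authenticated Users (S-1-5-11) to hold the right by default.
    $accepted = @(ConvertTo-SidString $AccountName)
    try {
        $sam = $AccountName.Split('\')[-1]
        $accepted += @(Get-ADPrincipalGroupMembership -Identity $sam | ForEach-Object { $_.SID.Value })
    } catch {
        Write-Warning 'Group membership not expanded (ActiveDirectory module unavailable); checking direct assignment only.'
    }
    if ($Scope -eq 'DomainController') { $accepted += 'S-1-5-11' }

    foreach ($entry in $RightsByScope[$Scope].GetEnumerator()) {
        $holders    = @($assigned[$entry.Key])
        $holderSids = @($holders | ForEach-Object { ConvertTo-SidString $_ })
        [pscustomobject]@{
            Constant = $entry.Key
            Right    = $entry.Value
            Granted  = [bool] ($holderSids | Where-Object { $accepted -contains $_ })
            Holders  = ($holders -join ', ')
        }
    }
}

# Usage with a placeholder account: on a domain controller, then on each node.
Test-ClusterAccountRights -AccountName 'CONTOSO\clussvc' -Scope DomainController | Format-Table -AutoSize
Test-ClusterAccountRights -AccountName 'CONTOSO\clussvc' -Scope Node | Format-Table -AutoSize
```

Running the node check before and after a gpupdate is a quick way to see whether a domain or OU policy is removing a right you granted locally: a right that reads Granted = True before the refresh and False afterwards is being overwritten, which is the case the article addresses by moving the nodes to their own OU.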

Required access rights when using a pre-created computer object
If members of the Authenticated Users group or the Cluster service account are blocked from creating a computer object, you (as the domain administrator) must pre-create the virtual server computer object. You must grant certain access rights to the Cluster service account on the pre-created computer object. The Cluster service tries to update the computer object that matches the NetBIOS name of the virtual server. One of the following event ID messages may be logged in the system log if there is a problem with the permissions:

Event message 1
Event Source: ClusSvc

Event Category: Network Name Resource

Event ID: 1194

Description:

The computer account for Cluster resource 'Network Name Resource' in domain microsoft.com could not be created for the following reason: Unable to update password.

The text for error code is: Access is denied.

Event message 2
Event Source: ClusSvc

Event Category: Network Name Resource

Event ID: 1194

Description:

The computer account for Cluster resource 'Network Name Resource' in domain microsoft.com could not be created for the following reason: Unable to set ServicePrincipalName attribute.

The text for error code is: Insufficient access rights to perform the operation.

Event message 3
Event Source: ClusSvc

Event Category: Network Name Resource

Event ID: 1194

Description:

The computer account for Cluster resource 'Network Name Resource' in domain microsoft.com could not be created for the following reason: Unable to set DnsHostName attribute.

The text for error code is: Access is denied.

To verify that the Cluster service account has the proper permissions on the computer object:
 * 1) Start the Active Directory Users and Computers snap-in from Administrative Tools.
 * 2) On the View menu, click Advanced Features.
 * 3) Locate the computer object that you want the Cluster service account to use.
 * 4) Right-click the computer object, and then click Properties.
 * 5) Click the Security tab, and then click Add.
 * 6) Add the Cluster service account or a group that the Cluster Service account is a member of.
 * 7) Grant the user or the group the following permissions:
   * Reset Password
   * Validated Write to DNS Host Name
   * Validated Write to Service Principal Name
 * 8) Click OK.

If there are multiple domain controllers, you may need to wait for the permission change to be replicated to the other domain controllers (by default, a replication cycle occurs every 15 minutes).
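The three permissions above map directly onto the three event ID 1194 variants: Reset Password covers "Unable to update password", Validated Write to DNS Host Name covers "Unable to set DnsHostName attribute", and Validated Write to Service Principal Name covers "Unable to set ServicePrincipalName attribute". The PowerShell script below is an added example, not code from the Knowledge Base article: it reads the computer object's ACL and reports which of the three rights the Cluster service account holds, and it goes slightly beyond the article's procedure by also offering a function that grants the missing ones. It assumes the ActiveDirectory RSAT module (for the `AD:` drive); the names `CLUSTERVS` and `CONTOSO\clussvc` are placeholders, and it checks ACEs granted to the account directly, not to a group containing it.

```powershell
# Added example (not from the KB article): check, and optionally grant, the three
# permissions the article requires for the Cluster service account on a
# pre-created computer object. Assumes the ActiveDirectory RSAT module; the
# computer and account names used at the bottom are placeholders.
Import-Module ActiveDirectory

# The three rights, looked up by the display names shown on the Security tab so
# that no right GUIDs need to be hard-coded.
$RequiredRights = @(
    'Reset Password',
    'Validated Write to DNS Host Name',
    'Validated Write to Service Principal Name'
)

function Get-ExtendedRightGuid {
    param([Parameter(Mandatory)] [string] $DisplayName)
    $cfg = (Get-ADRootDSE).ConfigurationNamingContext
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$cfg" `
               -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" `
               -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found in the configuration partition" }
    return [guid] $obj.rightsGuid
}

function Test-ClusterComputerObjectAcl {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # NetBIOS name of the virtual server
        [Parameter(Mandatory)] [string] $AccountName     # e.g. 'CONTOSO\clussvc' (placeholder)
    )
    $dn  = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $sid = ([System.Security.Principal.NTAccount] $AccountName).Translate(
               [System.Security.Principal.SecurityIdentifier])

    foreach ($name in $RequiredRights) {
        $guid = Get-ExtendedRightGuid $name
        # Reset Password is an ExtendedRight ACE; the two validated writes are
        # Self ACEs carrying the validated-write GUID. GenericAll also satisfies all three.
        $hit = $acl.Access | Where-Object {
            try { $aceSid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
            catch { $aceSid = $null }
            $_.AccessControlType -eq 'Allow' -and $aceSid -eq $sid -and (
                $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                ($_.ObjectType -eq $guid -and
                 ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights] 'ExtendedRight, Self') -ne 0)
            )
        }
        [pscustomobject]@{ Right = $name; Granted = [bool] $hit }
    }
}

function Grant-ClusterComputerObjectRights {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $AccountName
    )
    $dn  = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $id  = [System.Security.Principal.NTAccount] $AccountName
    foreach ($name in $RequiredRights) {
        $guid = Get-ExtendedRightGuid $name
        # Reset Password is granted as an extended right; validated writes use the Self right.
        $kind = if ($name -eq 'Reset Password') { 'ExtendedRight' } else { 'Self' }
        $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $id,
            [System.DirectoryServices.ActiveDirectoryRights] $kind,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $guid))
    }
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

# Usage with placeholder names: report the current state, grant, then re-check.
Test-ClusterComputerObjectAcl -ComputerName 'CLUSTERVS' -AccountName 'CONTOSO\clussvc' | Format-Table -AutoSize
Grant-ClusterComputerObjectRights -ComputerName 'CLUSTERVS' -AccountName 'CONTOSO\clussvc'
Test-ClusterComputerObjectAcl -ComputerName 'CLUSTERVS' -AccountName 'CONTOSO\clussvc' | Format-Table -AutoSize
```

Run the check against the domain controller the cluster node is actually talking to; as the article notes, a grant made on one domain controller is not visible on the others until the replication cycle completes, so a Granted = False result immediately after the change may only mean replication has not caught up yet.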

Network name resource does not come online when Kerberos is disabled
A Network Name resource does not come online if a computer object exists but you do not select the Enable Kerberos Authentication option. To resolve the issue, use either of the following procedures:
 * Delete the corresponding computer object in Active Directory.
 * Click Enable Kerberos Authentication on the Network Name resource.

If you do not select the Enable Kerberos Authentication option on the Network Name resource and a computer object does not exist in Active Directory, refer to the following Microsoft Knowledge Base article for information about how to troubleshoot the Network Name resource:

257903 Cluster network name may not come online with event ID 1052

Additional query words: mscs eventid 1191 1192 1193 1194 1206 1207 1210 1211 1212

Keywords: kbenv kberrmsg kbinfo KB307532

-


© Microsoft Corporation. All rights reserved.