Microsoft KB Archive/247720

= Changing Server Status on a Server Cluster Node Affects Security Permissions =

PSS ID Number: 247720

Article Last Modified on 10/29/2003


The information in this article applies to:


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server




This article was previously published under Q247720





SYMPTOMS
If you change a member server to a Domain Controller or vice versa after you install the Cluster service, the service may not start and you receive the following error messages in the system event log:

Event ID:7013

Source:Service Control Manager

Description: Logon attempt with current password failed with the following error: Logon failure: the user has not been granted the requested logon type at this computer.

Event ID:7000

Source:Service Control Manager

Description: The Cluster service failed to start due to the following error: The service did not start due to a logon failure.



CAUSE
This problem can occur if the account used to install the Cluster service does not have explicit rights that are needed to run the Cluster service.



RESOLUTION
To resolve this problem, follow these steps:

 1. Add the cluster service account to the local administrators group.
    * If the node was demoted to a member server, this can be set in Local Users and Groups with the Computer Management tool.
    * If the node was promoted to a domain controller, this can be set by using the Active Directory Users and Computers tool.
 2. Grant that user account the rights to lock pages in memory, log on as a service, and act as part of the operating system.
    * If the node was demoted to a member server, this can be set in Local Policies with the Local Security Policy tool.
    * If the node was promoted to a domain controller, this can be set in Domain Controllers with the Active Directory Users and Computers tool:
      1. Right-click the computer, click Properties, and then click the Group Policy tab.
      2. Click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click User Rights Assignments.
      3. Add the Cluster service account to each of the User Rights you want.
 3. Restart the cluster service and check the system event log for any other error messages.

NOTE: If these User Rights Assignments and the Administrators group membership have been set for one domain controller in a domain, they are set for all domain controllers in the domain. You do not need to rerun these steps on additional domain controllers.


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.


MORE INFORMATION
The Cluster Service account requires the following privileges on all nodes in the cluster to function properly:


 * Lock pages in memory
 * Log on as a service
 * Act as part of the operating system
 * Back up files and directories
 * Increase quotas
 * Increase scheduling priority
 * Load and unload device drivers
 * Restore files and directories

By default all of the above rights are granted to the local Administrators group except the rights to Lock pages in memory, Log on as a service, and Act as part of the operating system. These are exclusively granted to the user account specified as the service account for Cluster service.

Check to make sure all other rights needed for the cluster service are granted to the administrators group or at least the service account.

When a domain controller is demoted to a member server, the Domain local Administrators group that is shared between all DCs in the domain is removed from the system and a default Administrators group is created. This group does not contain the user account that cluster service uses for authentication. Also the user account's exclusively granted rights to log on as a service, act as part of the operating system, and lock pages in memory are removed from the computer's configuration.

When a member server is promoted to a Domain Controller, the local Administrators group is replaced by the Domain Local Administrators group that is shared between all DCs in the domain. This Domain group does not contain this Domain Local Administrators group. The user account's local rights that were granted during Cluster service configuration, to log on as a service and lock pages in memory, are removed.
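The following added example (not part of the original article) audits a security-policy export, such as the text written by `secedit /export`, for the eight rights listed above and reports which ones the Cluster service account no longer holds after a role change. The `Se*` constant names and the `[Privilege Rights]` layout are not from this article; the SIDs and the sample export are constructed, and real export files are normally UTF-16 encoded and may list account names instead of SIDs.

```python
# Added example: audit a `secedit /export` dump for the rights listed above.
REQUIRED = {  # user-right constant -> name used in this article
    "SeLockMemoryPrivilege": "Lock pages in memory",
    "SeServiceLogonRight": "Log on as a service",
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeBackupPrivilege": "Back up files and directories",
    "SeIncreaseQuotaPrivilege": "Increase quotas",
    "SeIncreaseBasePriorityPrivilege": "Increase scheduling priority",
    "SeLoadDriverPrivilege": "Load and unload device drivers",
    "SeRestorePrivilege": "Restore files and directories",
}
ADMINS = "S-1-5-32-544"  # well-known SID of the built-in Administrators group
SVC = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed SID

# Constructed export of a node just after demotion (not real output).
SAMPLE_AFTER_DEMOTION = """\
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeIncreaseQuotaPrivilege = *S-1-5-32-544
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-544
SeServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1001
SeTcbPrivilege =
[Version]
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Map each right in [Privilege Rights] to its set of holders."""
    rights, in_section = {}, False
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, holders = line.partition("=")
            rights[name.strip()] = {h.strip().lstrip("*").lower()
                                    for h in holders.split(",") if h.strip()}
    return rights

def missing_rights(inf_text, account, in_admins):
    """Names of required rights held neither directly nor via Administrators."""
    principals = {account.lower()} | ({ADMINS.lower()} if in_admins else set())
    rights = parse_privilege_rights(inf_text)
    return [label for const, label in REQUIRED.items()
            if not rights.get(const, set()) & principals]

if __name__ == "__main__":
    for label in missing_rights(SAMPLE_AFTER_DEMOTION, SVC, in_admins=True):
        print("MISSING:", label)
```

Pass `in_admins=False` when the account has not yet been re-added to the Administrators group; every required right is then reported until the group membership or the direct grants are restored.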


© 2004 Microsoft Corporation. All rights reserved.