PSS ID Number: 247720
Article Last Modified on 10/29/2003
The information in this article applies to:
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
This article was previously published under Q247720
SYMPTOMS
If you change a member server to a Domain Controller or vice versa after you install the Cluster service, the service may not start and you receive the following error messages in the system event log:
CAUSE
This problem can occur if the account used to install the Cluster service does not have explicit rights that are needed to run the Cluster service.
RESOLUTION
To resolve this problem, follow these steps:
- Add the cluster service account to the local administrators group. If the node was demoted to a member server, this can be set in Local Users and Groups with the Computer Management tool. If the node was promoted to a domain controller, this can be set by using the Active Directory Users and Computers tool.
- Grant that user account the rights to lock pages in memory, log on as a service, and act as part of the operating system. If the node was demoted to a member server, this can be set in Local Policies with the Local Security Policy tool. If the node was promoted to a domain controller, this can be set in Domain Controllers with the Active Directory Users and Computers tool.
  - Right-click the computer, click Properties, and then click the Group Policy tab.
  - Click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click User Rights Assignments.
  - Add the Cluster service account to each of the User Rights you want.
- Restart the cluster service and check the system event log for any other error messages.
NOTE: If these User Rights Assignments and the Administrators group membership have been set for one domain controller in a domain, they are set for all domain controllers in the domain. You do not need to rerun these steps on additional domain controllers.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
MORE INFORMATION
The Cluster Service account requires the following privileges on all nodes in the cluster to function properly:
- Lock pages in memory
- Log on as a service
- Act as part of the operating system
- Back up files and directories
- Increase quotas
- Increase scheduling priority
- Load and unload device drivers
- Restore files and directories
By default all of the above rights are granted to the local Administrators group except the rights to Lock pages in memory, Log on as a service, and Act as part of the operating system. These are exclusively granted to the user account specified as the service account for Cluster service.
Make sure that all other rights needed for the Cluster service are granted to the Administrators group or at least to the service account.
When a domain controller is demoted to a member server, the Domain local Administrators group that is shared between all DCs in the domain is removed from the system and a default Administrators group is created. This group does not contain the user account that cluster service uses for authentication. Also the user account's exclusively granted rights to log on as a service, act as part of the operating system, and lock pages in memory are removed from the computer's configuration.
When a member server is promoted to a Domain Controller, the local Administrators group is replaced by the Domain Local Administrators group that is shared between all DCs in the domain. This Domain group does not contain this Domain Local Administrators group. The user account's local rights that were granted during Cluster service configuration, to log on as a service and lock pages in memory, are removed.