Microsoft KB Archive/247720

Knowledge Base


PSS ID Number: 247720

Article Last Modified on 10/29/2003



The information in this article applies to:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server



This article was previously published under Q247720


SYMPTOMS

If you change a member server to a Domain Controller or vice versa after you install the Cluster service, the service may not start and you receive the following error messages in the system event log:

Event ID: 7013
Source: Service Control Manager
Description: Logon attempt with current password failed with the following error: Logon failure: the user has not been granted the requested logon type at this computer.

Event ID: 7000
Source: Service Control Manager
Description: The Cluster service failed to start due to the following error: The service did not start due to a logon failure.

CAUSE

This problem can occur if the account used to install the Cluster service does not have explicit rights that are needed to run the Cluster service.

RESOLUTION

To resolve this problem, follow these steps:

  1. Add the cluster service account to the local administrators group. If the node was demoted to a member server, this can be set in Local Users and Groups with the Computer Management tool.
    If the node was promoted to a domain controller, this can be set by using the Active Directory Users and Computers tool.
  2. Grant that user account the rights to lock pages in memory, log on as a service, and act as part of the operating system. If the node was demoted to a member server, this can be set in Local Policies with the Local Security Policy tool.
    If the node was promoted to a domain controller, this can be set in Domain Controllers with the Active Directory Users and Computers tool.

    1. Right-click the computer, click Properties, and then click the Group Policy tab.
    2. Click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click User Rights Assignments.
    3. Add the Cluster service account to each of the User Rights you want.
  3. Restart the cluster service and check the system event log for any other error messages.

    NOTE: If these User Rights Assignments and the Administrators group membership have been set for one domain controller in a domain, they are set for all domain controllers in the domain. You do not need to repeat these steps on additional domain controllers.


STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

The Cluster Service account requires the following privileges on all nodes in the cluster to function properly:

  • Lock pages in memory
  • Log on as a service
  • Act as part of the operating system
  • Back up files and directories
  • Increase quotas
  • Increase scheduling priority
  • Load and unload device drivers
  • Restore files and directories

By default all of the above rights are granted to the local Administrators group except the rights to Lock pages in memory, Log on as a service, and Act as part of the operating system. These are exclusively granted to the user account specified as the service account for Cluster service.
Check to make sure all other rights needed for the Cluster service are granted to the Administrators group or at least to the service account.
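
The check described above can be automated against an exported security template. The following is an added example, not part of the original article: it assumes the node's user rights were exported to an INF template (for example with secedit /export /cfg) and read in as text, and the account name EXAMPLE\clussvc and the sample template are constructed for illustration.

```python
REQUIRED = {  # right as named in this article -> constant in [Privilege Rights]
    "Lock pages in memory": "SeLockMemoryPrivilege",
    "Log on as a service": "SeServiceLogonRight",
    "Act as part of the operating system": "SeTcbPrivilege",
    "Back up files and directories": "SeBackupPrivilege",
    "Increase quotas": "SeIncreaseQuotaPrivilege",
    "Increase scheduling priority": "SeIncreaseBasePriorityPrivilege",
    "Load and unload device drivers": "SeLoadDriverPrivilege",
    "Restore files and directories": "SeRestorePrivilege",
}
ADMINS = {"*s-1-5-32-544", "administrators"}  # BUILTIN\Administrators, SID or name

def parse_privilege_rights(inf_text):
    """Return {right (lowercase): set of principals} from [Privilege Rights]."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            rights[name.strip().lower()] = {
                p.strip().lower() for p in value.split(",") if p.strip()}
    return rights

def audit(inf_text, account, in_administrators):
    """Map each required right to 'direct', 'via Administrators' or 'MISSING'."""
    rights = parse_privilege_rights(inf_text)
    result = {}
    for label, const in REQUIRED.items():
        holders = rights.get(const.lower(), set())  # absent line = nobody holds it
        if account.lower() in holders:
            result[label] = "direct"
        elif in_administrators and holders & ADMINS:
            result[label] = "via Administrators"
        else:
            result[label] = "MISSING"
    return result

# Constructed sample: a node after a role change, account-specific rights gone.
SAMPLE = """[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeIncreaseQuotaPrivilege = *S-1-5-32-544
SeServiceLogonRight =
[Version]
signature="$CHICAGO$"
"""
if __name__ == "__main__":
    for right, state in audit(SAMPLE, r"EXAMPLE\clussvc", False).items():
        print(f"{state:20} {right}")
```

Pass in_administrators=False when the account is not currently a member of the Administrators group; every right that was only held through the group is then reported as MISSING.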

When a domain controller is demoted to a member server, the Domain local Administrators group that is shared between all DCs in the domain is removed from the system and a default Administrators group is created. This group does not contain the user account that cluster service uses for authentication. Also the user account's exclusively granted rights to log on as a service, act as part of the operating system, and lock pages in memory are removed from the computer's configuration.

When a member server is promoted to a Domain Controller, the local Administrators group is replaced by the Domain Local Administrators group that is shared between all DCs in the domain. This Domain Local Administrators group does not contain the user account that the Cluster service uses for authentication. The user account's local rights to log on as a service and lock pages in memory, which were granted during Cluster service configuration, are removed.


Additional query words: mscs cluster service account domain member dcpromo

Keywords: kbenv kberrmsg kbprb KB247720
Technology: kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000DataServ kbwin2000DataServSearch kbwin2000Search kbWinAdvServSearch kbWinDataServSearch