Article ID: 871236
Article Last Modified on 10/30/2006
APPLIES TO
- Microsoft Windows Server 2003 Service Pack 1, when used with:
- Microsoft Windows Server 2003, 64-Bit Datacenter Edition
- Microsoft Windows Server 2003, Enterprise x64 Edition
- Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows 2000 Service Pack 4, when used with:
- Microsoft Windows 2000 Advanced Server
INTRODUCTION
This article describes some of the changes that have been made to Cluster service-related event log messages in Microsoft Windows Server 2003 Service Pack 1 (SP1) and Update Rollup 1 for Microsoft Windows 2000 Service Pack 4 (SP4).
MORE INFORMATION
The Cluster service is a service that requires a domain user account. The server cluster Setup program changes the local security policy for this account by granting a set of user rights to the account. Additionally, this account is made a member of the local Administrators group. If one or more of these user rights are missing, the Cluster service may stop immediately during startup or later, depending on when the Cluster service requires the particular user right. In Windows Server 2003 and Windows 2000 Server, you receive notification that a user right that was not granted to the Cluster service account was required for cluster operation. However, this notification does not indicate which required user right is missing.
Windows Server 2003 SP1 and Update Rollup 1 for Windows 2000 SP4 include changes that help resolve this issue. These changes are in the Service Control Manager (SCM) program and in the Cluster service.
Changes to Service Control Manager
The Cluster service now detects when the Cluster service account is not a member of the local Administrators group. In this scenario, the following error is logged:
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Type: Error
User: N/A
Computer: Computer_Name
Description: The Service_Name service terminated with the following error. The specified user account is not a member of the specified group account.
In this scenario, if you try to start the Cluster service at a command prompt, you receive the following error:
Additionally, the SCM has been modified to detect when the Cluster service account does not have the “Log on as a Service” user right assigned. In this scenario, a new event, Event ID 7041, appears in the system event log. Event ID 7041 appears as follows:
Event Source: Service Control Manager
Event Category: None
Event ID: 7041
Type: Error
User: N/A
Computer: Computer_Name
Description: The Service_Name service was unable to log on as domain\account with the currently configured password due to the following error:
Logon failure: the user has not been granted the requested logon type at this computer.
This account is missing the “Log on as a Service” user right. This right must be granted to the service account in order to run this service. The Local Security Policy editor (secpol.msc) can be used to grant this privilege to the account on this machine. If this node is a member of a cluster, check that this user right is granted to the service account on all nodes in this cluster.
If this user right continues to be revoked from the service account, it might be the result of a Group Policy object removing the privilege. Check with your domain administrator to determine if this is the cause of the revocation.
Changes to the Cluster service
When the Cluster service starts, it now checks the user rights that are granted to the Cluster service account together with the Cluster service account's group membership. If an incorrect configuration is detected, the Cluster service stops, and an appropriate message is either displayed on the computer or logged in the system event log. In this scenario, the Cluster service starts and continues to run only after the appropriate corrections are made to the Cluster service account. Therefore, the server cluster administrator is quickly alerted that a problem exists with the Cluster service account configuration.
In this scenario, the Cluster service logs Event ID 1234 in the system event log. Event ID 1234 appears as follows:
The Cluster Service Account (CSA) is missing the following required user rights (privileges) in order to correctly operate:
list of missing privilege display names
These privileges, which were granted to the CSA during Cluster setup, must be present before running the Cluster Service. You can grant these privileges via the Local Security Policy editor (secpol.msc) or through a Group Policy object that is associated with the CSA's user object in the DS.
If the privileges continue to be removed from the CSA, check with your domain administrator that a Group Policy Object is in place that is stripping the privileges from the CSA. If so, this GPO must not be applied to the CSA.
In this scenario, when you try to start the Cluster service at a command prompt, you receive the following system error:
For more information about the rights that are required for a Windows 2000 and Windows Server 2003 server cluster, click the following article number to view the article in the Microsoft Knowledge Base:
269229 How to manually re-create the Cluster service account
For more information about how to configure and secure a server cluster, visit the following Microsoft Web site:
Additional query words: MSCS
Keywords: kbclustering kbinfo KB871236
