Article ID: 272129
Article Last Modified on 11/1/2006
APPLIES TO
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Service Pack 2
This article was previously published under Q272129
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
SYMPTOMS
The Cluster service starts on the first node on a Windows 2000-based cluster, but may not start on a joining node, or a node may not join an existing cluster on the initial installation. The following events may be logged in the system log in sequential order:
CAUSE
This problem may occur after you apply a security template through a domain policy or by manually setting the LAN Manager Authentication Level Local Security Policy option to anything other than Send LM and NTLM responses on the nodes in a Windows 2000-based cluster.
The Cluster service does not function properly using NTLM 2. All cluster authentication is handled internally to the Cluster service after using RPC datagrams to form a cluster. The only time the Cluster service contacts a domain controller for authentication is when the cluster is first formed to validate the Cluster service account. Every node that requests to join a cluster is validated by using RPC communication over the private network by the node that owns the quorum resource. Only LM or NTLM authentication is used.
LmCompatibility settings range from 0 to 5. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
239869 How to Enable NTLM 2 Authentication
Any entry other than "LmCompatibilityLevel=0" allows for the negotiation of NTLM 2 among Windows 2000-based clients and servers. Specifically, the "LmCompatibilityLevel=0" setting equates to "Send LM and NTLM response; never use NTLM 2 session security. Clients use LM and NTLM authentication, and never use NTLM 2 session security; domain controllers accept LM, NTLM, and NTLM 2 authentication."
If you permit or force NTLM 2 by using either a local security policy or by using a domain security policy, a cluster can be formed, but a cluster node cannot be joined. When you install the Cluster service on nodes other than the first and the LmCompatibilityLevel setting is set to something other than 0 (zero), the installation stops working when you are prompted to enter the name of the cluster to join. The error message is:
If you start a command prompt and ping the cluster name, the cluster IP address is returned. You can then use Registry Editor to change the LmCompatibilityLevel setting to 0 (zero), which allows the Cluster service installation on the node to be completed. However, the LmCompatibilityLevel setting will be different among the nodes; the Cluster service will not start and the following events will be registered in the System log:
RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
The English version of this fix should have the following file attributes or later:
Date Time Version Size File name ----------------------------------------------------------------- 5/31/2001 11:13p 5.0.2195.3663 501,520 Lsasrv.dll (56-bit) 5/31/2001 03:31p 5.0.2195.3649 130,320 Adsldpc.dll 5/31/2001 03:30p 5.0.2195.3649 354,576 Advapi32.dll 5/31/2001 03:37p 5.0.2195.3649 519,440 Instlsa5.dll 5/31/2001 03:31p 5.0.2195.3649 142,608 Kdcsvc.dll 5/30/2001 02:55p 5.0.2195.3649 209,008 Kerberos.dll 5/29/2001 09:26a 5.0.2195.3649 69,456 Ksecdd.sys 5/29/2001 09:26a 5.0.2195.3649 501,520 Lsasrv.dll 5/29/2001 09:26a 5.0.2195.3649 33,552 Lsass.exe 5/30/2001 02:54p 5.0.2195.3649 111,616 Msv1_0.dll 5/31/2001 03:31p 5.0.2195.3652 908,560 Ntdsa.dll 5/31/2001 03:31p 5.0.2195.3649 382,736 Samsrv.dll 5/31/2001 03:31p 5.0.2195.3649 123,664 Wldap32.dll
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To resolve this problem, return the NTLM authentication level to its default level of Send LM and NTLM responses. Follow these steps on each node in your Windows 2000-based cluster:
- In Control Panel, double-click Administrative Tools.
- Start the Local Security Policy tool.
- Expand Local Policies, and then click Security Options.
- Double-click Lan Manager Authentication Level, and then click Send LM and NTLM responses.
- Click OK, and then quit Local Security Policy Editor.
- Restart the server.
You can also resolve this issue by editing the registry:
- Start Registry Editor.
- Locate, and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Double-click lmcompatibilitylevel.
- Change the Radix setting to Decimal, and then type 0 (the number zero) in the Data box, and then click OK.
- Quit Registry Editor.
- Restart the server.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.
MORE INFORMATION
If your Windows 2000-based cluster is part of a Windows NT 4.0 Service Pack 6a-based domain, click on the article number below to view the article in the Microsoft Knowledge Base for additional information:
305379 Authentication Problems in Windows 2000 with NTLM2 Level Above 2
For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:
265173 The Datacenter Program and Windows 2000 Datacenter Server Product
For additional information about how to install multiple hotfixes with only one reboot, click the article number below to view the article in the Microsoft Knowledge Base:
296861 Use QChain.exe to Install Multiple Hotfixes with One Reboot
For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:
249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes
Additional query words: mscs
Keywords: kberrmsg kbbug kbfix kbwin2000presp3fix kbqfe kbwin2000sp3fix kbsecurity kbclustering kbhotfixserver KB272129