Article ID: 295091
Article Last Modified on 2/28/2007
APPLIES TO
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
This article was previously published under Q295091
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
SYMPTOMS
After you apply the Hisecdc template to a domain controller that is also a cluster node, you cannot restart the cluster service on either node.
The following events are logged in the System log in sequential order:
You may also receive the following error message:
NOTE: You may receive this error message if the account with which the cluster starts (at Services\Cluster Service Properties\Log On) is in the format clusteraccount@domain-name (such as clustersvc@microsoft.com). If the account is in this format, change it to DOMAIN\account (for example: MICROSOFT\clustersvc). After this change, the service should start automatically.
If you try to change the account through a terminal server connection, the option to change is not available. You have to change the account information while you are physically at the server.
CAUSE
This problem occurs because computers that you configure by using Hisecdc can only communicate with other Windows 2000 computers. Hisecdc sets the default Domain security profile to use NTLMv2. Hisecdc is a highly secure template that defines security settings for Windows 2000 network communications. The security areas are set to require maximum protection for network traffic and protocols used between computers running Windows 2000.
RESOLUTION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To resolve this problem, return the NTLM authentication level to its default level of "Send LM and NTLM responses". Follow these steps on each node in your Windows 2000-based cluster:
- In Control Panel, double-click Administrative Tools.
- Start the Local Security Policy tool, or if both nodes are the only domain controllers, use the Domain Security Policy tool.
- Expand Local Policies, and then click Security Options.
- Double-click LAN Manager Authentication Level, and then click Send LM and NTLM responses.
- Click OK, and then quit Local Security Policy Editor.
- Restart the server.
You can also resolve this issue by editing the registry:
- Start Registry Editor (Regedt32.exe).
- Locate and click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Double-click lmcompatibilitylevel.
- Change the Radix setting to Decimal, and then type the number "0" in the Data box. Click OK.
- Quit Registry Editor.
- Restart the server.
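A read-only check to run on each node after the restart, covering the lmcompatibilitylevel value from the registry steps and the Cluster service logon format from the NOTE under SYMPTOMS. This is an added example, not part of the original article: it assumes Windows PowerShell 3.0 or later is available on the node (it is not included in Windows 2000), that the Cluster service is registered under the name ClusSvc, and the function names are hypothetical.

```powershell
# Added example, not from the original article. Read-only: it changes nothing.
# Assumptions: Windows PowerShell 3.0+ on the node; the Cluster service is
# registered as 'ClusSvc'; function names are hypothetical.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Names of the LAN Manager Authentication Level settings, by registry value.
$LevelNames = @{
    0 = 'Send LM and NTLM responses'
    1 = 'Send LM and NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM and NTLM'
}

function Get-AccountFormat([string]$Account) {
    # Per the NOTE in SYMPTOMS: account@domain is the format to change,
    # DOMAIN\account is the format to use.
    if ($Account -match '^[^\\@]+@[^\\@]+$')  { return 'account@domain' }
    if ($Account -match '^[^\\@]+\\[^\\@]+$') { return 'DOMAIN\account' }
    return 'Other'
}

function Get-ClusterNtlmState {
    # The value may be absent; in that case the operating system default applies.
    $prop  = Get-ItemProperty -Path $LsaKey -Name lmcompatibilitylevel -ErrorAction SilentlyContinue
    $svc   = Get-CimInstance -ClassName Win32_Service -Filter "Name='ClusSvc'"
    $level = if ($prop) { [int]$prop.lmcompatibilitylevel } else { $null }

    [pscustomobject]@{
        Node          = $env:COMPUTERNAME
        Level         = $level
        LevelName     = if ($null -eq $level) { 'value not set (OS default applies)' }
                        else { $LevelNames[$level] }
        IsLevelZero   = ($level -eq 0)   # the value the registry steps write
        LogonAccount  = if ($svc) { $svc.StartName } else { $null }
        AccountFormat = if ($svc) { Get-AccountFormat $svc.StartName }
                        else { 'service not found' }
    }
}

Get-ClusterNtlmState | Format-List
```

Compare the output from both nodes: Level should be identical on each, and AccountFormat should read DOMAIN\account.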
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
MORE INFORMATION
For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:
171390 Cluster Service May Not Start if DC Is Unavailable
272129 Cluster Service Does Not Start on 'Joining' Node in Windows 2000