Article ID: 305813
Article Last Modified on 3/2/2007
APPLIES TO
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
This article was previously published under Q305813
SUMMARY
In Windows Clustering for Windows Server 2003, you can change the Cluster service account password on the domain as well as on each local node without having to take the cluster offline. If multiple clusters use the same Cluster service account, you can change them simultaneously. In Microsoft Windows NT 4.0 and Microsoft Windows 2000, to change the Cluster service account password, you have to stop the Cluster service on all nodes before you can make the password change.
To change the password for a Cluster service account in a Windows Server 2003 cluster, the following requirements must be met:
- Mixed clusters with Windows 2000 are not supported; All nodes must be running Windows Server 2003 or later.
- All nodes must be using the same domain account for the Cluster service.
- All nodes must be online or in a paused state.
- The update mechanism is not transactional; If the password change is not completed on all nodes, there may be a partial downtime in getting the passwords updated.
- You must be logged on to an account that has domain access to change the Cluster service account password on the domain controller. You must have local administrator rights to each node to change the Local Service account passwords. This account must also have the ability to traverse directories in the cluster domain. (Note: This privilege is given to every user in the domain by default.)
- This article applies only to the changing of the Cluster service account. If other services are running under the same Cluster service account, you have to change them manually.
MORE INFORMATION
Changing the Cluster service account password
To change the Cluster service account password with Cluster.exe, type the following command from a command prompt to list all of the available parameters:
CLUSTER /changepass /?
Samples
Note: In the following samples:
- EASTCLUSTER is a cluster name.
- WESTCLUSTER is a cluster name.
NEWpasswordis the new password.OLDpasswordis the old password.
To change the Cluster service account password for a single cluster, use the following syntax in which the password for EASTCLUSTER would be changed to NEWpassword from OLDpassword:
cluster /cluster:EASTCLUSTER /changepassword:NEWpassword,OLDpassword
Note: If you do not specify NEWpassword and OLDpassword, you are prompted to enter them after you press ENTER.
To change the Cluster service account password on multiple clusters, you need to reference the additional cluster. For example, to change the password for WESTCLUSTER in addition to EASTCLUSTER, you would use the following syntax:
cluster /cluster:EASTCLUSTER,WESTCLUSTER /changepassword:NEWpassword,OLDpassword
When you use some special characters for the password, you may receive an error that is a bit misleading. For example, when you change the password by using the cluster /cluster:testcluster /changepass:Password&1234567890,Password1 command , you receive the following error message:
The special character "&" is truncating the rest of the line. This means that the first error is true because you are changing the password to only "Password" which does not follow the password restrictions correctly. Because the "&" is an old MSDOS command that combined commands together, it is trying to run the command "1234567890" which is invalid. The correct command to change the password for this must have the password enclosed in quotation marks. The following command will change the password correctly:
cluster /cluster:testcluster /changepass:"Password&1234567890",Password1
Using additional switches
You can also use the following additional switches with the /changepassword parameter:
| Switch | Description |
|---|---|
| /skipdc | Use this switch to change the password on the cluster nodes but not on the domain controller. This is useful if the domain administrator manually changed the account on the domain controller. When using this switch, you do not need to supply the old password. |
| /force | Typically, the /changepassword command detects if all nodes in the cluster are online. If one of the nodes in a cluster is offline, the password change fails and an error is displayed. To force a password change on all available nodes, use the /force switch. Any node that is not available during the password change will require manual intervention. |
| /test | You can use this parameter to test if the password can make the password change to the domain and to all nodes in the cluster before it actually makes any changes. Using this switch before making the change is highly recommended because Cluster.exe is not transactional and cannot roll back the old password if it is not properly written to all nodes of the domain controller. |
Troubleshooting
The following table lists all the errors and possible solutions that may occur when using Cluster.exe if there is a problem changing the password for the Cluster service account on the nodes or domain.
| Error Code | Error Message | Suggested Action |
|---|---|---|
| Failure status from OpenCluster | Failed to query cluster name.
|
Verify that the specified cluster is available, that the specified name on the command line is correct, and that the cluster resource that is backing that name (such as Network Name) is online. |
| Failure status from OpenSCManager, OpenService, QueryServiceConfig, OpenClusterNode, GetClusterNodeId, or GetClusterNodeState | Failed to query node node name of cluster cluster name.
|
Verify that all nodes in the specified cluster are up, joined to the cluster, and are responding to network queries. |
| ERROR_INVALID_SERVICE_ACCOUNT | All of the clusters are not using the same domain account. | Change passwords for clusters that are using separate domain accounts in separate invocations of the cluster command. |
| ERROR_ALL_NODES_NOT_AVAILABLE | Not all clusters are available (at least one node is neither UP nor PAUSED). | For each specified cluster, verify that all nodes in the cluster are up and joined to the cluster. |
| Failure status from DsGetDcName | No domain controllers are available. | Verify connectivity between the client computer on which the cluster command is being executed, and a domain controller for the domain of the cluster account. |
| Failure status from NetUserChangePassword | Failed to change password on the domain controller. | Verify connectivity with the domain controller and permissions to change the password (including correctness of old password). |
| ERROR_MORE_DATA | Aborting the password change on cluster name after number attempts because the number of nodes in the cluster is not stable.
|
Verify that nodes are not joining the cluster as the password change command is operating. |
| ERROR_CLUSTER_INCOMPATIBLE_VERSIONS | The password change was not issued on cluster name since it contains at least one Windows NT 4.0 or Windows 2000 node.
|
Evict or upgrade any cluster nodes that are running Windows NT 4.0 or Windows 2000. |
| ERROR_FILE_CORRUPT | The password change was not issued on cluster name because the cluster service detected data corruption in a message received from the network.
|
Verify cluster network integrity and/or security. In the case of the node-specific error, it is necessary to manually change the Cluster service account password on the failed node before that node can rejoin the cluster. |
| CRYPT_E_HASH_VALUE | The password change was not issued on cluster %1!ws! because the cluster service was unable to establish a secure network connection between nodes.
|
Verify cluster network integrity and/or security. In the case of the node-specific error, it is necessary to manually change the Cluster service account password on the failed node before that node can rejoin the cluster. |
| Other cluster-specific error status | The password change on cluster cluster name failed. The error code was number (hex number): system error message
|
Appropriate action depends on the error code. |
| Other node-specific error status | The password change on node node name of cluster cluster name failed. The error code was number (hex number): system error message
|
Appropriate action depends on the error code. It is necessary to manually change the Cluster service account password on the failed node before that node can rejoin the cluster. |
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
827486 You receive an "Either the specified account is not valid or the account's domain could not be contacted" error message when you try to add a node to a server cluster in Windows 2000
Additional query words: mscs
Keywords: kbclustering kbhowto KB305813
