locked
Monitoring a Windows Cluster using a Run as account with elevated permissions RRS feed

  • Question

  • I am getting the following event logged on a Win 2008 cluster I am monitoring. 

    -------------------------------

    Log Name:      Application
    Source:        Microsoft-Windows-WMI
    Date:          4/8/2013 11:34:21 PM
    Event ID:      5605
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:     computername

    Description:
    The ROOT\MSClUSTER namespace is marked with the RequiresEncryption flag. Access to this namespace might be denied if the script or application does not have the appropriate authentication level. Change the authentication level to Pkt_Privacy and run the script or application again.

    -----------------------------------------

    It appears that this started to happen after the SQL instances were encrypted. 

    Can someone confirm the following:

    1) This is related to the Windows cluster mp running with the default local system account on an instance that requires elevated privelages?

    2) If I add an account that has administrative privelages to the "Windows Cluster Action Account" Run As profile this would address this issue?                  


    Added bonus:

    We have 50 clusters and we have only encrypted three of them.  What if I wanted to apply this elevated set of permissions for only these three clusters. 

    Would I accomplish this by doing the following? 

    1) Create a Run as account for cluster admin
    2) Edit the "Windows Cluster Action Account" Run As profile and add the previously created "Cluster admin" run as account and target to a custom group of the
    Cluster objects for the 3 clusters?

    Thanks,
    Keith

    Monday, April 15, 2013 3:21 AM

All replies

  • Hi,

    You can try workaround described here:

    http://support.microsoft.com/kb/2590230


    NewSCOMer Natalya

    Tuesday, April 16, 2013 2:41 AM
  • I don't think that is going to work for me.  It is going to stop the events from being logged, however the real effectual problem is that I am getting a ton of state changes and subsequent alerts from related resource groups going offline and online on these instances. 
    Wednesday, April 17, 2013 1:02 PM
  • I am thinking that I need to setup a run as account, but I am also thinking that I am not sure that setting one up with higher level permissions to execute the SCOM SQL/Cluster workloads on these encrypted instances would address this issue.

    The reason is that the the 5605 eventid suggests that the resolution has to do with changing the authentication level to Pkt_Privacy and I don't think a higher privelaged account will necessarily do that.  Would apreciate any thoughts.

    Keith

    Friday, April 19, 2013 10:08 PM