Cluster Name/Permissions Issue

    Question

  • I'm having a permissions issue with the CNO, and I can't pin down the exact problem. I am pretty sure the issue started when we moved the computer objects into a new OU, but even moving them back hasn't helped, and I've been staring at the issue so long I need a fresh perspective.

    Backstory: we have a 4 node Server 2012 cluster that has been in production for a little over a year.  Recently I've seen some event 1206's showing up in the failover manager:

    The computer object associated with the cluster network name resource 'Cluster Name' could not be updated in domain '<domain name>. The error code was 'Resource post online'. The cluster identity 'cluster101$' may lack permissions required to update the object. Please work with your domain administrator to ensure that the cluster identity can update computer objects in the domain.

    The node that is throwing those errors is the current host server for the cluster.  The cluster name object is showing as Online. I can mark it as offline, but when I try and repair the name, I get the error "0x800713b8 The cluster request is not valid for this object."  However, I can still successfully bring the CNO back online.   Re-running cluster validation tests still pass the cluster.

    When trying to change the cluster permissions from within the FCM, I'm getting an access denied error.

    The account I'm using is in the Domain Admins group, and I've confirmed that the account has full control to the CNO and the nodes via ADUC. Each node also has full control to the CNO, and the CNO has full control over each node.

    I've done a bunch of reading on things, and I think I've got everything correct, but clearly something is still missing. If anyone has more suggestions that would be great.



    Wednesday, April 2, 2014 2:49 PM

Answers

  • Hi,

    I didn’t find a similar issue, but the 1206 error is often a CNO permission issue. Please check that the following options are correctly configured: you must be a member of the local Administrators group on each clustered server, and the account you use must be a domain account, or you must have been delegated the equivalent authority. If the options are correct, in my experience the 1206 error is sometimes caused by the firewall or AV software; please disable them and then monitor the status.

    •Check whether there is a computer object for the new clustered service or application. If there is, check the permissions associated with that object, and make sure that the computer object for the cluster itself has Full control permission. Also, when viewing the properties for the computer object for the new clustered service or application, confirm that the Account is disabled box is cleared (the account must be enabled, not disabled).

    •Check the permissions assigned to the computer object (computer account) for the cluster itself. This computer object has the same name as the cluster. It must have the Create Computer Objects permission in the domain.

    •Check that the domain settings are not preventing a new computer object from being created. By default all computer objects are created in the Computers container. Consult with the domain administrator if this location has been changed.

    •Check that the domain-wide quota for creating computer objects (by default, 10) has not been reached. If it has, it might be appropriate to consult with the domain administrator about increasing the quota, although this is a domain-wide setting and should be changed only after careful consideration, and only after trying the previous items in this list.

    To change the quota, run ADSIEdit.msc, click ADSI Edit, click Action, click Connect to, and then click OK. The Default naming context is added to the console tree. Double-click Default naming context, right-click the domain object underneath it, and then click Properties. Scroll to ms-DS-MachineAccountQuota, click Edit, change the value, and then click OK.

    More information:

    CNO Blog Series: Increasing Awareness around the Cluster Name Object (CNO)

    http://blogs.technet.com/b/askcore/archive/2012/09/25/cno-blog-series-increasing-awareness-around-the-cluster-name-object-cno.aspx

    Event ID 1206 — Active Directory Permissions for Cluster Accounts

    http://technet.microsoft.com/en-us/library/cc773457(v=ws.10).aspx

    Hope this helps.



    Friday, April 4, 2014 6:00 AM
    Moderator
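
The Active Directory checks listed in the answer above can be read out in one pass. This is an added example, not part of the original thread or Microsoft's own tooling: it assumes the RSAT ActiveDirectory module, takes the CNO name `cluster101` from the event text, and uses a hypothetical `$VcoNames` list for the clustered service or application objects. It only reads directory data and only matches ACEs granted directly to the CNO, so rights that arrive through group membership will not appear.

```powershell
# Added example: read-only audit of the AD items the answer lists for event 1206.
# Assumes the RSAT ActiveDirectory module. 'cluster101' comes from the event text;
# $VcoNames is a hypothetical list of clustered-role computer objects to check.
Import-Module ActiveDirectory

$CnoName  = 'cluster101'
$VcoNames = @()   # fill in the clustered service/application object names (assumption)
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "computer"
$Rights = [System.DirectoryServices.ActiveDirectoryRights]

$domain     = Get-ADDomain
$cno        = Get-ADComputer -Identity $CnoName -Properties Enabled
$cnoAccount = '{0}\{1}$' -f $domain.NetBIOSName, $CnoName
$parentDn   = $cno.DistinguishedName -replace '^CN=[^,]+,', ''   # container/OU holding the CNO

# Allow ACEs granted directly to the CNO on a given object (group-derived rights are not resolved)
function Get-CnoAce([string]$Dn) {
    (Get-Acl -Path "AD:\$Dn").Access | Where-Object {
        $_.IdentityReference.Value -eq $cnoAccount -and $_.AccessControlType -eq 'Allow'
    }
}

# Create Computer Objects = CreateChild scoped to the computer class (or to all classes)
$canCreate = Get-CnoAce $parentDn | Where-Object {
    (($_.ActiveDirectoryRights -band $Rights::CreateChild) -ne 0) -and
    ($_.ObjectType -eq $ComputerClass -or $_.ObjectType -eq [guid]::Empty)
}

# Domain-wide quota, and how many computer objects record the CNO as their creator
$quota   = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
$created = @(Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID' |
            Where-Object { $_.'mS-DS-CreatorSID' -eq $cno.SID }).Count

# Clustered-role objects: must be enabled, and the CNO needs Full control on each
$vco = foreach ($name in $VcoNames) {
    $obj = Get-ADComputer -Identity $name -Properties Enabled
    [pscustomobject]@{
        Name           = $name
        Enabled        = $obj.Enabled
        CnoFullControl = [bool](Get-CnoAce $obj.DistinguishedName |
                         Where-Object { $_.ActiveDirectoryRights -eq $Rights::GenericAll })
    }
}

[pscustomobject]@{
    CnoEnabled = $cno.Enabled; CnoContainer = $parentDn
    CnoCanCreateComputers = [bool]$canCreate
    MachineAccountQuota = $quota; CreatedByCno = $created
}
$vco | Format-Table -AutoSize
```

Because the objects in the question were moved to a new OU, `CnoContainer` shows which container's ACL was actually evaluated for the Create Computer Objects permission.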

All replies