2008 R2 Failover Cluster Repeated Event 1207, Kerberos Status: Access Denied


  • If I could, I would pay the person who comes up with a solution to this problem, as so far it has bested both levels of Premier support.  This email may be long, so bear with me.



    2003 R2 functional level Active Directory forest with supported disjoint namespace configuration (msDS-AllowedDNSSuffixes configured)

    2008 R2 two-node failover cluster running SQL 2008 R2

                    -cluster nodes, cluster name object, and all virtual computer objects registered correctly in disjoint namespace (

                    -cluster nodes, cluster name object, and all virtual computer objects belong to Active Directory (

                    -cluster name object and all virtual computer objects have the correct permissions set according to TechNet instructions.

                    -cluster configuration validation passed, with no errors or warnings.




    Repeated 1207 errors in the event log of the cluster.  The specific text of the error is:

    Cluster network name resource ' cannot be brought online. The computer object associated with the resource could not be updated in domain '' for the following reason:

    Unable to update password for computer account.

    The text for the associated error code is: Access is denied.

    The cluster identity ‘$' may lack permissions required to update the object. Please work with your domain administrator to ensure that the cluster identity can update computer objects in the domain.


    Here’s the first mystery:  All of the virtual computer objects are online according to the GUI.  The only visible issue is that the Kerberos status for every VCO is listed as “Access denied”.  Which means that Kerberos authentication is broken.  Part b) of this first mystery is in the event text itself:  The domain that the cluster or the cluster computer account is trying to update isn’t an Active Directory Domain.  It’s the DNS domain in which all the A records for the nodes, CNO and VCOs are registered. 


    And yes, there is a hotfix  for this issue, but it’s for 2008, not 2008 R2.  I even tried installing the hotfix anyway, and it errors out.


    Here’s the second mystery:  The first time this error showed up, about a month ago, I was able to resolve it by repeatedly running the “simulate failure of this resource” command on the cluster name until it failed and then running the “Repair Active Directory Object” command.  This time, doing so does NOT work.


    The only reasons I can think of involve the fact that the Active Directory DCs are 2003 R2, at 2003 functional level for both domain and forest, and the nodes of the cluster are running 2008 R2…and I can’t find anything to support this.  Otherwise, I’m completely stumped, and so is everyone else I’ve spoken with.

    Monday, April 25, 2011 2:24 PM



    <!-- /* Font Definitions */ @font-face {font-family:Calibri; panose-1:2 15 5 2 2 2 4 3 2 4; mso-font-alt:"Century Gothic"; mso-font-charset:0; mso-generic-font-family:swiss; mso-font-pitch:variable; mso-font-signature:-520092929 1073786111 9 0 415 0;} /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {mso-style-unhide:no; mso-style-qformat:yes; mso-style-parent:""; margin:0in; margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:12.0pt; font-family:"Times New Roman","serif"; mso-fareast-font-family:Calibri; mso-fareast-theme-font:minor-latin;} span.EmailStyle15 {mso-style-type:personal; mso-style-noshow:yes; mso-style-unhide:no; mso-ansi-font-size:11.0pt; mso-bidi-font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:Calibri; mso-fareast-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi; color:#1F497D; mso-themecolor:dark2;} .MsoChpDefault {mso-style-type:export-only; mso-default-props:yes; font-size:10.0pt; mso-ansi-font-size:10.0pt; mso-bidi-font-size:10.0pt;} @page WordSection1 {size:8.5in 11.0in; margin:1.0in 1.0in 1.0in 1.0in; mso-header-margin:.5in; mso-footer-margin:.5in; mso-paper-source:0;} div.WordSection1 {page:WordSection1;} -->


    We don’t have Authenticated Users in the Pre-Windows 2000 Compatibility Access group, as our Active Directory authenticates users that should not automatically have read access to the directory.  Ran a network trace yesterday and saw the node attempt an OpenDomain request for the SID S-1-5-32.  Seeing the S-1-5-32 in that  network trace…and reading that it was the SID for the BUILTIN_DOMAIN made me wonder if this was the cause; we have a number of accounts that are in the Pre-Windows 2000 Compatibility group because of application requirements.


    I added the primary node and the CNO to that group, ran klist purge on the primary node, for good measure refreshed group policy, and went for coffee.  20 minutes later when I got back, no errors.  The Kerberos Status for the VCO network name resource…in the properties of the network name…was still listed as “Access Denied” but taking the resource offline and bringing back online fixed it.

    • Marked as answer by chaselton Wednesday, April 27, 2011 3:43 PM
    Wednesday, April 27, 2011 3:43 PM