Create Failover Cluster/New-Cluster fails to complete on Windows Server 2016

  • Question

  • Good afternoon,

    Need help with what seems to be a simple task, but continues to fail.  We’re trying to build a Windows 2016 Failover Cluster, which continues to fail.  Windows 2012 R2 Failover Cluster is successful, same domain, accounts.  Here are the details on each configuration.  Will be glad to provide additional information that could help.

    Thanks,  -jim

    Windows 2016 Failover Cluster

    AD – Windows 2016 domain

    FFL – Windows 2012 R2 Forest Functional Level

    DFL – Windows 2016 Domain Functional Level

    2 servers, Windows 2016 Datacenter

    Event Viewer – FailoverClustering DiagnosticVerbose log enabled

    Results: Cluster Validation passes, select build cluster from test details.  Build immediately fails, very little detail in the cluster.log (see details below)

    Same results via GUI or with PS New-cluster cmdlet

    Windows 2012 R2 Failover Cluster

    AD – Windows 2016 domain

    FFL – Windows 2012 R2 Forest Functional Level

    DFL – Windows 2016 Domain Functional Level

    2 servers, Windows 2012 R2 Standard

    Results: Build completes successfully, ton of details in the cluster.log

    Some additional points/details…

    - Create Cluster Wizard report shows the 'bind to domain controller . more data is available.' Error (see details below).

    - Prestaged the CNO, no difference with or without.

    - We've also tried the build with and without the 'Deny Access to this computer from the Network' policy set.  Still fails.

    - Cluster DiagnosticsVerbose logs are not showing much detail/errors.

    - Tried alternate pair of Win2016 servers in two domains of forest, same error.

    - Seems to be a permissions error in AD since the failure happens right after the cluster build dialog that states 'Find a suitable domain controller for node <nodename>'

    Cluster.log from failed Windows 2016 build…

    00002a78.00002b2c::2018/03/20-14:54:06.249 DBG   Cluster node cleanup thread started.

    00002a78.00002b2c::2018/03/20-14:54:06.249 DBG   Starting cluster node cleanup...

    00002a78.00002b2c::2018/03/20-14:54:06.249 DBG   Disabling the cluster service...

    00002a78.00002b2c::2018/03/20-14:54:06.251 DBG   Releasing clustered storages...

    00002a78.00002b2c::2018/03/20-14:54:06.252 DBG   Getting clustered disks...

    00002a78.00002b2c::2018/03/20-14:54:06.252 DBG   Waiting for clusdsk to finish its cleanup...

    00002a78.00002b2c::2018/03/20-14:54:06.253 DBG   Clearing the clusdisk database...

    00002a78.00002b2c::2018/03/20-14:54:06.254 DBG   Waiting for clusdsk to finish its cleanup...

    00002a78.00002b2c::2018/03/20-14:54:06.255 DBG   Relinquishing clustered disks...

    00002a78.00002b2c::2018/03/20-14:54:06.255 DBG   Opening disk handle by index...

    00002a78.00002b2c::2018/03/20-14:54:06.258 DBG   Getting disk ID from layout...

    00002a78.00002b2c::2018/03/20-14:54:06.258 DBG   Reset CSV state ...

    00002a78.00002b2c::2018/03/20-14:54:06.259 DBG   Relinquish disk if clustered...

    00002a78.00002b2c::2018/03/20-14:54:06.261 DBG   Opening disk handle by index...

    00002a78.00002b2c::2018/03/20-14:54:06.263 DBG   Getting disk ID from layout...

    00002a78.00002b2c::2018/03/20-14:54:06.264 DBG   Reset CSV state ...

    00002a78.00002b2c::2018/03/20-14:54:06.264 DBG   Relinquish disk if clustered...

    00002a78.00002b2c::2018/03/20-14:54:06.266 DBG   Opening disk handle by index...

    00002a78.00002b2c::2018/03/20-14:54:06.271 DBG   Resetting cluster registry entries...

    00002a78.00002b2c::2018/03/20-14:54:06.273 DBG   Resetting NLBSFlags value ...

    00002a78.00002b2c::2018/03/20-14:54:06.278 DBG   Unloading the cluster Windows registry hive...

    00002a78.00002b2c::2018/03/20-14:54:06.279 DBG   Getting the cluster Windows registry hive file path...

    00002a78.00002b2c::2018/03/20-14:54:06.280 DBG   Getting the cluster Windows registry hive file path...

    00002a78.00002b2c::2018/03/20-14:54:06.281 DBG   Getting the cluster Windows registry hive file path...

    Tuesday, March 20, 2018 7:58 PM

Answers

  • Hi,

    > With only one DC running (the one with the certificate), we’re able to successfully create the failover cluster

    Thanks for your feedback.

    Based on my experience, there’s no direct relationship between the certificate and cluster creation. However, in order to create a cluster successfully, we need a well-functioning domain controller. According to your description, it seems the other two DCs have some issues; as mentioned above, we may run dcdiag on the two DCs to check if they are in a healthy state.

    If you need further help with Active Directory related issues, you may turn to the DS forum for more professional help; here is the link:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverds

    You are welcome to give feedback if you have any other concerns.

    Best Regards,

    Frank


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, March 26, 2018 7:44 AM
    Moderator
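
    The thread's two leads, DC health and which DCs hold a certificate, can be compared side by side for every DC in the domain. The following is an added example, not code from any poster in this thread. It assumes a domain-joined host with RSAT installed (the ActiveDirectory module and dcdiag.exe), and it treats a successful TLS handshake on LDAPS port 636 as the indicator that a DC has a usable certificate. The function name Get-DcLdapsCertificate is hypothetical.

```powershell
# Added example: compare every DC in the domain on dcdiag results and LDAPS certificate.
Import-Module ActiveDirectory

function Get-DcLdapsCertificate {
    # Hypothetical helper: returns the certificate a DC presents on LDAPS, or $null.
    param([string]$HostName, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # The callback accepts any certificate because the goal is to read it, not to trust it.
        $callback = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } catch {
        return $null   # no listener on 636 or the TLS handshake failed
    } finally {
        $tcp.Close()
    }
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $cert = Get-DcLdapsCertificate -HostName $dc.HostName
    # dcdiag /q prints only error messages; no non-blank lines means every test passed.
    $errors = @(& dcdiag.exe "/s:$($dc.HostName)" /q 2>&1 | Where-Object { "$_".Trim() })
    [pscustomobject]@{
        DC           = $dc.HostName
        Site         = $dc.Site
        DcdiagErrors = $errors.Count
        HasLdapsCert = [bool]$cert
        CertIssuer   = if ($cert) { $cert.Issuer }
        CertExpires  = if ($cert) { $cert.NotAfter }
    }
}
$report | Format-Table -AutoSize
```

    A DC that differs from the others in this table (dcdiag errors, no certificate, or a different issuer) is the one to investigate before retrying New-Cluster.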

All replies

  • Hi, 

    As I understand, the issue you are experiencing is: failed to create Server 2016 cluster.
    If I misunderstood your concern, please don’t hesitate to let me know.
    According to the information you provided, please check the CNO permissions on the DC.
    On the DC, open ADUC. In the OU the cluster object is registered in, please check if the CNO is registered, and add the CNO to the OU with full control (by default, the CNO is located in the “Computer” OU):
    Right-click the OU > Properties > Security, add the CNO, and give it full control permission; then create the cluster again and check if it works.

    Best Regards,
    Frank



    Wednesday, March 21, 2018 9:57 AM
    Moderator
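
    The CNO permission check described in the reply above can also be read straight from the OU's ACL. The following is an added example, not part of the original post. The cluster name and OU are placeholders, and the script assumes the ActiveDirectory module (RSAT), which provides the AD: drive. It reports whether the CNO holds Full Control on the OU or only the right to create computer objects there, and it sees only ACEs granted directly to the CNO, not rights inherited through group membership.

```powershell
# Added example: audit what a prestaged CNO is allowed to do on its OU.
Import-Module ActiveDirectory

# Placeholders (assumptions): replace with your own values.
$CnoName = 'CLUSTER01'                      # hypothetical cluster name
$OuDn    = 'OU=Servers,DC=example,DC=net'   # hypothetical OU

# schemaIDGUID of the "computer" class, used by ACEs scoped to creating computer objects.
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$domain = Get-ADDomain
$cno = Get-ADComputer -Filter "Name -eq '$CnoName'" -SearchBase $OuDn
if (-not $cno) {
    Write-Warning "No computer object named $CnoName under $OuDn (CNO is not prestaged here)."
    return
}
$identity = '{0}\{1}' -f $domain.NetBIOSName, $cno.SamAccountName

# Allow ACEs on the OU that name the CNO directly.
$aces = @((Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
    $_.IdentityReference.Value -eq $identity -and $_.AccessControlType -eq 'Allow'
})

$rights = [System.DirectoryServices.ActiveDirectoryRights]
$fullControl = $aces | Where-Object { $_.ActiveDirectoryRights -eq $rights::GenericAll }
$createComputer = $aces | Where-Object {
    ($_.ActiveDirectoryRights -band $rights::CreateChild) -and
    ($_.ObjectType -eq $ComputerClass -or $_.ObjectType -eq [guid]::Empty)
}

[pscustomobject]@{
    CNO                = $identity
    Enabled            = $cno.Enabled
    OU                 = $OuDn
    ExplicitAceCount   = $aces.Count
    HasFullControl     = [bool]$fullControl
    CanCreateComputers = [bool]$createComputer
}
```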
  • Thanks for the reply, Frank.  We’ve tried the following…

    • Manually created the CNO in a specific OU as well as in the default Computers OU – no luck. 
    • Added the <cluster-name>$ computer account to have Full Control on the OUs – no difference. 
    • Tried it without any CNO preloaded –  same errors. 
    • Changed from specific service accounts for the cluster, but with the failures we’ve moved to using the Domain Admin account – still no success. 
    • Used the distinguished name format CN=<clustername>,OU=Servers,DC=<domain>,DC=net notation in New-cluster cmdlet – still no success.
    • Also to note, we still have no new information in the Cluster.log to go on.  Seems to me that when the DiagnosticVerbose log is enabled, we should be seeing more details in the Cluster.log.

    On the topic of DFL, we have been successful creating a Windows 2016 cluster in a child domain that is running with Windows 2016 DCs, but in Windows 2012 R2 Domain Functional Level.  Seems once we go to Windows 2016 for DFL, that’s when the failures happen with the Windows 2016 clusters.

    Thanks again,  -jim

    Wednesday, March 21, 2018 5:42 PM
  • Hi,

    Could you provide the detailed information of the cluster validation report? Is there any error or warning? What do you mean by “Cluster Validation passes, select build cluster from test details.  Build immediately fails, very little details in the cluster.log”?

    When you create the cluster, please ensure the previous failed objects are removed completely in AD.

    Besides, on the DC, please run dcdiag to check if the DC is in a healthy state.

    Best Regards,
    Frank





    Thursday, March 22, 2018 9:05 AM
    Moderator
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    I appreciate your feedback.

    Best Regards,

    Frank


    Friday, March 23, 2018 7:21 AM
    Moderator
  • Thanks for checking in, Frank.  As typical, working multiple issues going on at the same time.  Interesting development…

    Does the cluster build process rely on certificates issued from the CA?  We’ve discovered that of three DCs in this domain, only one DC has a certificate assigned from the Forest CA.  As a test, we stopped the AD services on the two DCs without certificates.  With only one DC running (the one with the certificate), we’re able to successfully create the failover cluster.

    Based on these results, I’m curious if the successful cluster build is a result of the single DC with a valid certificate or is it related to some other benefit of the single DC with a valid certificate, like KCC, replication, etc.

    We’re looking into why the two DCs do not have a certificate when autoenrollment is enabled for DCs.  Any thoughts on the relationship of DCs, certificates and creating failover cluster?

    Thanks again,  -jim

    Saturday, March 24, 2018 2:47 AM
  • Hi,
    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Frank


    Wednesday, March 28, 2018 8:48 AM
    Moderator
  • > Thanks for checking in, Frank.  As typical, working multiple issues going on at the same time.  Interesting development…
    >
    > Does the cluster build process rely on certificates issued from the CA?  We’ve discovered that of three DCs in this domain, only one DC has a certificate assigned from the Forest CA.  As a test, we stopped the AD services on the two DCs without certificates.  With only one DC running (the one with the certificate), we’re able to successfully create the failover cluster.
    >
    > Based on these results, I’m curious if the successful cluster build is a result of the single DC with a valid certificate or is it related to some other benefit of the single DC with a valid certificate, like KCC, replication, etc.
    >
    > We’re looking into why the two DCs do not have a certificate when autoenrollment is enabled for DCs.  Any thoughts on the relationship of DCs, certificates and creating failover cluster?
    >
    > Thanks again,  -jim

    We have exactly the same problem and error.

    But all our DCs have the root certificate. We tried to stop AD services on 2 of 3 DCs, but we always have the same error "More Data is available"...

    So, we did it differently. We created a 2012 R2 cluster, and upgraded the nodes and cluster to 2016.

    It's OK, but after the creation, when I want to validate the cluster, it fails with the same error "More data is available".

    Tuesday, April 17, 2018 1:18 PM
  • Getting the EXACT same error.  
    Thursday, March 28, 2019 12:04 PM
  • I have the same problem, with the same setup in a test environment. All test systems are running on the same physical Windows 2016 standard with KB4493470 and KB4509091. 

    Comparing logs between the test environment and a second test reveals that Event 4100 is not on the faulty system; it should have read 

    [NETFTAPI] received NsiInitialNotification

    ---- Further study into the error shows that the initial logs for starting the process to create a cluster are not logged in "FailoverClustering/Diagnostic and Operational".

    ----

    It misses event 1133 - it cannot create Cluster Network 1.

    -----

    I ran a SFC /SCANNOW - everything is perfect.

    So what is closest to the error, and I see the following.

    1. Investigate local issue with folder permissions on the files where clusteradmin is; no luck, as both PowerShell and the GUI fail. Though still worth investigating even more.

    2. Understand the lack of reply from the AD server, or of transmitting the request from the server to the AD; this needs to be looked at.

    2.1 A hypothesis is that a built-in security principal is deleted/obscured/malfunctioning, because when you delete an AD object, it might prompt you for other objects to be deleted as well, and I chose yes to do this.

    I cannot let my test system go to waste, I have to fix this.

    Wednesday, August 28, 2019 1:58 PM
  • I found a work-around 

    The problem is not Active Directory, and asking in the AD forum will not produce any good result.

    In this particular setup, I added a new domain controller on Windows 2016 standard and installed all updates, and demoted the 2012 R2 controller and removed the DNS and AD DC roles.

    I then upgraded Domain Forest and Schema to 2016, and during this upgrade I believe this problem was fixed; now my PowerShell scripts add the cluster perfectly and everything looks fine.

    The real error must be on the "System" user, which is somehow corrupted on the Windows 2012 R2 Domain, and therefore it fails.

    • Proposed as answer by SysadminEU Thursday, August 29, 2019 7:18 AM
    Thursday, August 29, 2019 7:18 AM