

Access denied when adding final Cluster Node

Question

Thursday, September 29, 2011 12:17 AM

I migrated a fully functioning physical Windows Server 2003-R2, 3-node cluster into Hyper-V, set up the iSCSI Target/Initiator software, used 'cluster node cleanup', re-established the cluster and added two nodes.

When adding Node-3 from Node-1, however, I get 'Access Denied' 0x80070005 error on Node-3.

When adding Node-3 from Node-3, I get 'Access Denied' 0x80070005 error on Node-2. ?

The domain cluster-service account is a member of Local Admins on Node-3. 

Any suggestions?  Thanks for any ideas.

All replies (12)

Wednesday, October 19, 2011 10:28 PM ✅Answered

Finally!  After disabling the Windows Firewall again (it had been previously disabled but then re-enabled at some point in the process), the other Nodes could join the Cluster.

Here is a summary of the steps taken:

-User Rights clean up (from migrating into Hyper-V) using KB269229.

-Cluster node <hostname> /forcecleanup  on all nodes.

-Getting DCOM functional by using 'MSDTC -uninstall', -install, -resetlog, and renaming the 'windows\system32\msdtc\msdtc.log' file (DTC service stopped) and rebooting.

-Getting WMIMGMT.msc functional by updating OS kernel using KB979128-x86-ENU.exe.

-Allowing Port 135 through the firewall.

-There are some additional ports for the cluster service, however, so those will need to be added before re-enabling the firewall. 

Coming to a close on this one!
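
The summary above ends with the firewall disabled and a note that the cluster ports must be added before it is re-enabled. As an added example (not part of the original post or of Microsoft Support's instructions), this batch file adds subnet-scoped exceptions and turns the firewall back on. UDP 3343, the clussvc.exe path and the new rule names are assumptions based on the default Windows Server 2003 Cluster service install; the thread does not list the additional ports.

```bat
@echo off
rem Added example, not from the thread. Run on each cluster node.
rem Assumptions: all nodes share one local subnet (scope=SUBNET),
rem the Cluster service uses its default UDP 3343 heartbeat port, and
rem the service binary is in the default %windir%\cluster folder.

rem 1. Tighten the exceptions the thread already created so they
rem    accept traffic from the local subnet only.
netsh firewall set service type=REMOTEADMIN mode=ENABLE scope=SUBNET
netsh firewall set portopening protocol=TCP port=135 name=DCOM_TCP135 mode=ENABLE scope=SUBNET

rem 2. Cluster heartbeat between nodes (assumed default port).
netsh firewall add portopening protocol=UDP port=3343 name=Cluster_UDP3343 mode=ENABLE scope=SUBNET

rem 3. Program exception for the Cluster service, which covers the
rem    dynamic RPC ports it listens on without opening a port range.
netsh firewall add allowedprogram program=%windir%\cluster\clussvc.exe name=ClusSvc mode=ENABLE scope=SUBNET

rem 4. Re-enable the firewall only after the exceptions are in place.
netsh firewall set opmode mode=ENABLE

rem 5. Print the resulting configuration for review before retrying
rem    the Add Node wizard.
netsh firewall show opmode
netsh firewall show portopening
netsh firewall show allowedprogram
```

If the join fails again with the firewall on, the firewall's dropped-packet log shows which port is still missing, so it can be added as another scoped exception instead of disabling the firewall.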


Thursday, September 29, 2011 9:22 AM

Hi,

Can you try the validation tool before this operation with Node-3? I think it will give some info for this.

Regards

Hakan YÜKSEL


Thursday, September 29, 2011 10:38 AM | 1 vote

Couple things to check:  (Reading that this is still Windows 2003??)

Log on to another machine and validate the cluster service account and password.  Then go to Service Control Manager and reset the cluster service password to ensure it's correct on all nodes.

Create a new service account and ensure it has all the user rights as defined in

How to manually re-create the Cluster service account

http://support.microsoft.com/kb/269229

Check to ensure that lmcompatibility is the same on the cluster nodes and the DC they have a session with:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
lmcompatibilitylevel.

 

Dave Guenthner [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights. http://blogs.technet.com/b/davguents_blog


Thursday, September 29, 2011 2:44 PM

When I run the validation tool, it errors out with 'unexpected error occurred preparing the servers for testing' which only presents a 'Cancel' option. 


Thursday, September 29, 2011 3:52 PM

Thanks.

Windows Server 2003 - yes.

The cluster service does not appear on Node-3.

I created a new Cluster service account, applied to Node-1 and got this message: "The account has been granted the Log On As A Service Right".

I then added the new Cluster service account to Local Admin Group on Node-1, attempted to restart the Cluster Service and got this dialog:  "Error 1314: A required privilege is not held by the client."

It looks like the User Rights area needs some clean up - there are several User SIDs in the Local Security Settings access control lists - must be a remnant from migrating into Hyper-V.

I'll go through KB269229 and report back.


Thursday, September 29, 2011 6:12 PM

After updating the User Rights using KB269229 and rebooting the servers, I am getting an error on all three Nodes saying "The cluster service on node 'EVSPPCLS1' cannot be started.  The network path was not found.  Error ID -2147024843 (80070035)."  

EVSPPCLS1 is the name I gave the cluster itself originally on Node-1. 

Do I need to remove the reference to EVSPPCLS1 and create a brand new cluster?

Thanks for the help.


Thursday, September 29, 2011 9:43 PM

Confirmed LMCompatibilityLevel is the same on all 3 nodes and the DC.

Used 'cluster node <hostname> /forcecleanup' on all 3 nodes, rebooted servers, and could re-establish the EVSPPCLS1 cluster on Node-1.

Added Node-2 to the cluster from Node-2 (access denied when attempted to add it from Node-1).

Node-3 fails with 'access denied' - but the 'access denied' is coming from Node-2 - ???

Why would Node-2 deny access to Node-3?

Thanks for any ideas.


Friday, September 30, 2011 12:39 AM

Just want to verify.. the user right requirements have been added to all nodes.  The same domain service account and password is being used on all three nodes and the service account is in the local Administrator group on all three servers?

Is the firewall turned on?

Do you have any 3rd party software which could interfere with networking etc?

I forget the name of the log in C:\windows\cluster which logs the add node transaction, perhaps sort by modified date and see if anything interesting is in there.

Move the cluster resources to Node 1 and try the add node wizard again and share results.

 

 

Dave Guenthner [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights. http://blogs.technet.com/b/davguents_blog


Friday, September 30, 2011 10:46 PM

Yes to the User Rights, domain service account, password, and local admin group membership.

Firewall is disabled; McAfee has been temporarily disabled.

Working on the call w/ MS Support, and one problem was resolved:  DCOM was not functioning (Component Services showed the Computer w/ a RED down arrow.) 

This was addressed by using 'MSDTC -uninstall', -install, -resetlog, and then RENAMING the 'windows\system32\msdtc\msdtc.log' file (DTC service stopped) and rebooting. 

Component Services then was up and functional.

Unfortunately, still have an 'access denied' when trying to add Node or when trying to connect from node-to-node using WMImgmt.msc.   


Saturday, October 1, 2011 1:20 AM

Also,

Make sure distributed COM is enabled, if not check box on both nodes and reboot.  Also, consider creating OU and block inheritance, move nodes in the OU and reboot for troubleshooting.

http://technet.microsoft.com/en-us/library/cc771387.aspx

Dave Guenthner [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights. http://blogs.technet.com/b/davguents_blog


Saturday, October 1, 2011 2:30 AM

DCOM is enabled; investigating WMI connection issues w/ MS using WMIDiag and resulting logs. 

Calling a time out for now; will resume mid-Oct.


Wednesday, October 19, 2011 8:58 PM

WMIMGMT.msc was not allowing connections to the other nodes of the cluster, failing with error "RPC Server unavailable".

To correct this problem, these steps were taken:
-NTOSKRNL update using "WindowsServer2003-KB979128-x86-ENU.exe".

(This updated the OS kernel of the virtual servers.)

-netsh firewall set service RemoteAdmin enable
-netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135
-netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=UNSECAPP

(This allowed DCOM to operate on Port 135 through Windows Firewall.)

> These steps allowed WMIMGMT.msc to establish connections among all 3 nodes.

However, joining the Node from Cluster Administrator still failing with an 'Access Denied' error.

To be continued.