

Cluster Event ID: 1207 - Cluster network name resource 'Cluster Name' cannot be brought online

Question

Friday, May 13, 2011 7:42 PM

I am in the process of rebuilding a SQL 2008 Cluster on Windows 2008 Enterprise SP2 x64.  This has worked in the past for these exact systems, but now trying to redo it, I am always getting the same error when trying to bring the cluster online.  

 

Event ID 1207: 

Cluster network name resource 'Cluster Name' cannot be brought online. The computer object associated with the resource could not be updated in domain 'test.lab' for the following reason:
Unable to find computer account on DC where it was created.

The text for the associated error code is: There is no such object on the server.

 
The cluster identity 'TESTSQL$' may lack permissions required to update the object. Please work with your domain administrator to ensure that the cluster identity can update computer objects in the domain.

 

Now, this happened when we tried connecting the two servers back to the original lab domain, but I am getting the same errors when using a brand new domain as well. 

 

I have been researching for two days now, and I have seen many questions on this which link to articles

http://technet.microsoft.com/en-us/library/cc731002%28WS.10%29.aspx

http://technet.microsoft.com/en-us/library/cc773451%28WS.10%29.aspx

 

I have looked at those and I can't seem to figure out why it's not working for me.  I am logged into the cluster servers as a domain administrator, and I just built the domain on a clean system as well.  So the domain is empty save for the users I created in the domain admin group, and for the two servers that I joined to the domain. 

 

Reading through the articles, it states that letting the clustering process create the cluster objects for you in the domain is the easiest way to do it, rather than pre-staging.  And that's what I did. 

I have tried to "repair AD Object", which also fails.

 

The thing that is really annoying me is that when I built this the first time, 12-18 months ago, I didn't have this issue.  Perhaps one of the new patches changed something?  One of the SPs, or perhaps one of the other updates from Windows Update?

All replies (5)

Monday, May 16, 2011 8:40 PM ✅Answered

Hi Rick,

This text is standard output when tests are passed; otherwise you will see this -> http://blogs.technet.com/b/askcore/archive/2010/06/02/rights-needed-for-user-account-to-create-a-cluster-name-object-cno-on-windows-server-2008-r2-failover-cluster.aspx

Do you have a multi-DC environment in your lab? Does DC replication work between your DCs? Are your nodes also DCs -> http://social.technet.microsoft.com/Forums/en/winserverClustering/thread/743d6698-fc4a-4e55-95f0-648808e4ab32

Active Directory Permissions for Cluster Accounts
http://technet.microsoft.com/en-us/library/cc756188(WS.10).aspx

The active directory validation test does check here:

Validate Active Directory Configuration: This test validates that each tested server is in the same domain and organizational unit. It also validates that all tested servers are domain controllers or that all are member servers. To change the domain role of a server, use the Active Directory® Domain Services Installation Wizard.

If you can confirm that lack of permission isn't the case here, a possible next step would be to check event logs and cluster logs.

How to create the cluster.log in Windows Server 2008 Failover Clustering
http://blogs.msdn.com/b/clustering/archive/2008/09/24/8962934.aspx

In parallel you could also start with network troubleshooting analysis (netmon trace) to see what is happening when the cluster tries to locate a DC and can't get one ;-)

Hope that helps :-)

Regards

Ramazan

Ramazan Can [MVP Cluster] http://ramazancan.wordpress.com/
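
The replication and permission questions raised in this answer can be checked directly against the directory. The following is an added example, not part of the original thread: it assumes the ActiveDirectory PowerShell module (RSAT) is available and that it is run from a domain member in `test.lab`; the name `TESTSQL` and the domain are taken from the event text in the question.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$cnoName = 'TESTSQL'    # cluster identity 'TESTSQL$' from Event ID 1207
$domain  = 'test.lab'   # domain named in the event text

# 1. Ask each domain controller directly whether it holds the computer object.
#    A DC that cannot find it matches the "Unable to find computer account on
#    DC where it was created" text in the event.
$perDc = foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
    $obj = $null; $err = $null
    try {
        $obj = Get-ADComputer -Filter "Name -eq '$cnoName'" -Server $dc.HostName `
                   -Properties whenCreated, whenChanged -ErrorAction Stop
    } catch {
        $err = $_.Exception.Message   # DC unreachable, access denied, ...
    }
    New-Object PSObject -Property @{
        DC          = $dc.HostName
        Found       = [bool]$obj
        Enabled     = $(if ($obj) { $obj.Enabled })
        WhenCreated = $(if ($obj) { $obj.whenCreated })
        WhenChanged = $(if ($obj) { $obj.whenChanged })
        QueryError  = $err
    }
}
$perDc | Select-Object DC, Found, Enabled, WhenCreated, WhenChanged, QueryError |
    Format-Table -AutoSize

# 2. List the access control entries the cluster identity holds on its own
#    computer object (the event says it "may lack permissions required to
#    update the object").
$cno = Get-ADComputer -Filter "Name -eq '$cnoName'" -Server $domain
if ($cno) {
    (Get-Acl -Path "AD:\$($cno.DistinguishedName)").Access |
        Where-Object { $_.IdentityReference -like "*\$cnoName`$" } |
        Select-Object IdentityReference, AccessControlType,
                      ActiveDirectoryRights, IsInherited |
        Format-List
} else {
    Write-Warning "No computer object named $cnoName found in $domain."
}
```

A DC that reports `Found = False` while another reports `True` points toward replication rather than permissions; a disabled object or an empty ACE list for `TESTSQL$` points toward the account itself.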


Friday, May 13, 2011 8:02 PM

One more thing I noticed just now when looking at Cluster Events is that the User is listed as S-1-5-18.  When looking at Event Viewer, it shows SYSTEM.  Why the discrepancy?  Or is this a red herring type of thing to ignore?


Sunday, May 15, 2011 2:25 PM

I personally would re-run validation here which should tell me what exactly is going wrong with the CNO in your AD:

Use Validation Tests for Troubleshooting a Failover Cluster
http://technet.microsoft.com/en-us/library/cc770807.aspx

Failover Cluster Step-by-Step Guide: Configuring Accounts in Active Directory
http://technet.microsoft.com/en-us/library/cc731002(WS.10).aspx

The following checks will be done with validation:

In Cluster Configuration Tests:
- Validate Service Principal Name: This test validates that a Service Principal Name exists for all resources that have Kerberos enabled.

In System Tests:
- Validate Active Directory Configuration: This test validates that each tested server is in the same domain and organizational unit. It also validates that all tested servers are domain controllers or that all are member servers. To change the domain role of a server, use the Active Directory® Domain Services Installation Wizard.

Hope that helps.

Regards

Ramazan

Ramazan Can [MVP Cluster] http://ramazancan.wordpress.com/


Sunday, May 15, 2011 3:04 PM

It seems that the problem is with the Cluster Account in AD...  Make sure that the Computer can connect to DC & that you are not logged in using cached credentials...

If so you might be having Network Issues & not a clustering issue...

MCTS, MCP


Monday, May 16, 2011 3:44 PM

I have checked, and all accounts can login and are not cached. 

Also, the validation rules all pass.  Every single one.  Not a single error or warning. 

Specific to the two items called out above:

Validate Service Principal Name:  this doesn't exist in my tests...

Validate Active Directory Configuration: