Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Event 2011 Error: 0xc00e0040

454 views
Skip to first unread message

Gene002

unread,
Feb 4, 2008, 10:45:35 AM2/4/08
to
We have MSMQ installed on a 2 node cluster. It was functioning normally
until a few days ago. Fom the access i have I verified that kerberos is
enabled on the Name resource we are dependent on as well as the
Securitty/Advance permissions on the AD object. Full event below, com;uter
name removed for privacy reasons:

Event Type: Error
Event Source: MSMQ Cluster Resource DLL
Event Category: None
Event ID: 2011
Date: 2/1/2008
Time: 11:16:09 AM
User: N/A
Computer:
Description:
Message Queuing objects cannot be created in Active Directory (Error:
0xc00e0040). Please verify your permissions and network connectivity.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Any help would be appreciated. thx

John Breakwell (MSFT)

unread,
Feb 4, 2008, 12:58:56 PM2/4/08
to
Hi

I am interested in the context - did this happen during a failover or
restart of the cluster resource group? I assume so.

On startup MSMQ service will try and create an msmq object in AD for the
network name.
So either:
1 The msmq object has never been created and this event appears every
restart
or
2 The msmq object has been deleted.

Bring up "Active Directory: Users and Computers" and find the Network Name.
Check if there is an msmq object underneath it.
You will need to go to the view menu and select "Users, Groups and Computers
as containers" and "Advanced Features" to make the object appear.
Compare with how the cluster nodes look to see what's missing.

Q1 Does the network name exist as a computer object in AD:U&C?
Q2 Does an msmq object exist underneath it?
Q3 Have your AD people been "cleaning up" recently?

Cheers
John Breakwell (MSFT)


"Gene002" <Gen...@discussions.microsoft.com> wrote in message
news:7720B4F5-30E8-4352...@microsoft.com...

Gene002

unread,
Feb 4, 2008, 2:02:01 PM2/4/08
to
Thanks for the reply John. See answers to your Qs below.

Q1 Does the network name exist as a computer object in AD:U&C? YES
Q2 Does an msmq object exist underneath it? YES
Q3 Have your AD people been "cleaning up" recently? Not that they are
admitting to...

I can't see the MSMQ underneath, even with Advanced checked, but someone
with better credentials sent me a screenshot of ADUC. I'll try to meet with
them so I can run the compare from their desk. Anything that jumps out for
me to check? thx again.

-Gene

John Breakwell (MSFT)

unread,
Feb 5, 2008, 5:54:53 AM2/5/08
to
Hi

I've just checked the error code:
MQ_ERROR_MACHINE_EXISTS = -1072824256 (0xC00E0040)

So what is happening is MSMQ is trying to create an MSMQ object for itself
but there is already an MSMQ object there for a computer object with the
same network name.
Basically the existing computer object in AD is not the one that the
cluster
is expecting to use or it does not have permissions to change it.

You can try to grant full control permission to the computer object for the
cluster service's domain account.
To do this, run AD Users and Computers, locate the computer object for this
cluster server, right click it and select Properties, then go to the
Security tab, grant the domain account (which runs the cluster service)
Full
Control permission to this computer object.
Restarting MSMQ should make the necessary changes.

If you still have no luck then you could try:
1 deleting the network name computer object and let the cluster create a
fresh one. This would delete any MSMQ queues you've defined so you would
have to recreate those.
or
2 deleting the network name and MSMQ resources from the resource group
or
3 both steps 1 and 2

How to troubleshoot the Cluster service account when it modifies computer
objects
http://support.microsoft.com/kb/307532/

Cheers
John Breakwell (MSFT)


"Gene002" <Gen...@discussions.microsoft.com> wrote in message

> news:2408BE13-0399-4874...@microsoft.com...

Gene002

unread,
Feb 5, 2008, 9:36:00 AM2/5/08
to
I'm working with a Data Security team to attempt item #1. Right now the
service account has very specific permissions applied to the AD object based
on this KB- 307532. I'm waiting for the approval from mgmt to be given to
make the change. they are not crazy about anything that mentions "full
permissions"

John Breakwell (MSFT)

unread,
Feb 5, 2008, 10:54:16 AM2/5/08
to
Hi

The "Full Control" is just to demonstrate it is a permissions issue and to
get you back up and running again.
"Full Control" will also only available to anyone logged in with the cluster
service account during this time.

If it works then you know either:

1 KB307532 is wrong (too restrictive) :-)
or
2 KB307532 is correct but the Data Security team haven't implemented
KB307532 correctly.

If you don't make any progress then you may want to post on
microsoft.public.windows.server.clustering to see if they have any advice.

Cheers
John

"Gene002" <Gen...@discussions.microsoft.com> wrote in message

news:C645173C-7E0D-4A26...@microsoft.com...

Gene002

unread,
Feb 6, 2008, 8:55:00 AM2/6/08
to
Just got the ok from Data Sec Management to work with one of their resources.
Understood about the full control for anyone logged in with the service
account. I'm not to concerned as the Service account is already the Cluster
Admin and a local Admin on the acount and the permissions are only to our
unique objects in AD. the account credentials/PW are known only by a very
select group of people.

I'll post an update later with our results.

0 new messages