Clustering problems - Network Name offline
Allyn
getting the cluster back on line. It has been running for some time. There
are 3 errors in the event viewer:
Event ID: 1205; The Cluster service failed to bring clustered service or
application 'printserver' completely online or offline. One or more resources
may be in a failed state. This may impact the availability of the clustered
service or application.
==========
Event ID: 1207; Cluster network name resource 'printserver' cannot be
brought online. The computer object associated with the resource could not be
updated in domain 'domain.com' for the following reason:
Unable to obtain the Primary Cluster Name Identity token.
The text for the associated error code is: An attempt has been made to
operate on an impersonation token by a thread that is not currently
impersonating a client.
The cluster identity 'PRINTSERVERCLUS$' may lack permissions required to
update the object. Please work with your domain administrator to ensure that
the cluster identity can update computer objects in the domain.
=========
Event ID: 1069: Cluster resource 'printserver' in clustered service or
application 'printserver' failed.
==========
A possible related error is on the domain controller:
Event ID 4: The Kerberos client received a KRB_AP_ERR_MODIFIED error from
the server . The target name used was host/PRINTSERVERCLUSTER.DOMAIN.COM.
This indicates that the target server failed to decrypt the ticket provided
by the client. This can occur when the target server principal name (SPN) is
registered on an account other than the account the target service is using.
Please ensure that the target SPN is registered on, and only registered on,
the account used by the server. This error can also happen when the target
service is using a different password for the target service account than
what the Kerberos Key Distribution Center (KDC) has for the target service
account. Please ensure that the service on the server and the KDC are both
updated to use the current password. If the server name is not fully
qualified, and the target domain () is different from the client domain
(DOMAIN.COM), check if there are identically named server accounts in these
two domains, or use the fully-qualified name to identify the server.
========
I apologize if the previous post eventually shows up and there are duplicate
posts, but we urgently need to get this running.
The PRINTSERVERCLUSTER$ account was never deleted from the domain, and per a
couple of similar hits, I added this account to "Access this computer from
the network" under the User Rights Assignement in the Local Security Policy.
I would be very grateful for any thoughts and directions.
frankm
Try this............clusterrecovery, the name is a little deceiving.
http://www.microsoft.com/downloads/details.aspx?familyid=2be7ebf0-a408-4232-9353-64aafd65306d&displaylang=en
frankm
Russ Kaufmann
news:DAD28B59-24F0-469A...@microsoft.com...
> We had a SAN that went belly up over the weekend, and we're having
> problems
> getting the cluster back on line. It has been running for some time. There
> are 3 errors in the event viewer:
Just based on the SAN failure, I am betting that you have some disk
signature issues. So, the previous post about using the clusterrecovery.exe
tool is a good first step. Does the quorum disk come online?
Since the SAN failed, it is likely that the SAN configurations for the HBA
WWNs have been lost and not properly reconfigured. Make sure that you reset
the LUN masks.
If the SAN has been reconfigured, you should be able to at least see the
cluster disk from each node. Can you do that? You will also need to be able
to see the disk used for the printer spool with any shared drivers that you
might have installed there, too.
> Event ID: 1205; The Cluster service failed to bring clustered service or
> application 'printserver' completely online or offline. One or more
> resources
> may be in a failed state. This may impact the availability of the
> clustered
> service or application.
So, the name itself isn't coming online? Well, that is completely different
from a disk error. Does the name still map to the cluster's virtual IP in
DNS? Is the name still valid in AD?
> ==========
> Event ID: 1207; Cluster network name resource 'printserver' cannot be
> brought online. The computer object associated with the resource could not
> be
> updated in domain 'domain.com' for the following reason:
> Unable to obtain the Primary Cluster Name Identity token.
This again points to the name resource being the problem here. Can you
create a new name resource dependent on the IP and see if it comes online?
If so, then you might want to delete the AD computer account and recreate
it. If there is a problem with creating a new name resource, then you may
have to take other steps. Of course, you can always create another IP
resource and name resource to verify that they will come online. This will
at least tell you if there is a problem with the cluster services.
> The text for the associated error code is: An attempt has been made to
> operate on an impersonation token by a thread that is not currently
> impersonating a client.
>
> The cluster identity 'PRINTSERVERCLUS$' may lack permissions required to
> update the object. Please work with your domain administrator to ensure
> that
> the cluster identity can update computer objects in the domain.
> =========
This sounds like a Cluster Name Object (CNO) issue.
> Event ID: 1069: Cluster resource 'printserver' in clustered service or
> application 'printserver' failed.
With everything else failing, this is fully expected to also fail. <G>
> ==========
>
> A possible related error is on the domain controller:
>
> Event ID 4: The Kerberos client received a KRB_AP_ERR_MODIFIED error from
> the server . The target name used was host/PRINTSERVERCLUSTER.DOMAIN.COM.
> This indicates that the target server failed to decrypt the ticket
> provided
> by the client. This can occur when the target server principal name (SPN)
> is
> registered on an account other than the account the target service is
> using.
> Please ensure that the target SPN is registered on, and only registered
> on,
> the account used by the server. This error can also happen when the target
> service is using a different password for the target service account than
> what the Kerberos Key Distribution Center (KDC) has for the target service
> account. Please ensure that the service on the server and the KDC are both
> updated to use the current password. If the server name is not fully
> qualified, and the target domain () is different from the client domain
> (DOMAIN.COM), check if there are identically named server accounts in
> these
> two domains, or use the fully-qualified name to identify the server.
Have you run setspn with the name?
Good luck.
--
Russ Kaufmann
MVP, MCT, MCITP x7, MCTS x9, MCSE x4, CTT+
ClusterHelp.com, a Microsoft Gold Certified Partner
Email:ru...@clusterhelp.com
http://www.clusterhelp.com
Blog: http://msmvps.com/clusterhelp
RCan
I would also bet at "CNO" issues :-)
Check this out to "repair" the CNO in your active directory :
Failover Cluster Step-by-Step Guide: Configuring Accounts in Active
Directory
http://technet.microsoft.com/en-us/library/cc731002(WS.10).aspx
especially section "Steps for troubleshooting problems related to accounts
used by the cluster"
Hope that helps
Regards
Ramazan
"Russ Kaufmann" <ru...@clusterhelp.com> wrote in message
news:BAA88A25-8BA1-4DA2...@microsoft.com...