
Microsoft Windows Server 2008 - Cluster Network Name Fails to Come Online, Event ID 1207

Issue

Background:

With Microsoft Windows 2008 Failover Clusters, virtual computer objects, such as the Cluster Name object (CNO), are added to Active Directory when the cluster is created. The CNO is also accessed whenever the cluster network name resource is brought online. Having insufficient permissions or rights can affect the cluster’s ability to access the AD CNO and prevent the cluster network name resource from coming online. This may also prevent additional nodes from being added to the cluster.

Windows 2008 Failover Clusters are tightly integrated with the Active Directory. Kerberos is used for authentication and the Cluster Service now runs under the LocalSystem account. These changes have caused many Windows 2008 Failover Cluster installations to fail, despite successfully passing the Validate Cluster tool.

Issues can arise from several places, including the account that is used to create the cluster, the machine accounts of the cluster nodes, and the newly created AD computer objects for the virtual cluster names. Each entity must have sufficient permissions and rights to create and/or access the AD objects.

Insufficient permissions or rights can have several causes. The accounts may not reside in the appropriate security group or be properly established in Active Directory. The Microsoft TechNet article, Failover Cluster Step-by-Step Guide: Configuring Accounts in Active Directory, does an excellent job of describing the AD accounts used by Windows 2008 Failover Clusters.

Microsoft TechNet article "Failover Cluster Step-by-Step Guide: Configuring Accounts in Active Directory": http://technet.microsoft.com/en-us/library/cc731002.aspx

There is also a known issue with Microsoft Windows 2008 (pre-SP2) that can cause the cluster network name to fail to come online. A hotfix is available to address this particular issue in Microsoft Knowledge Base Article 952247, The Cluster network name resource and the File Share Witness resource may not come online on a Windows Server 2008 failover cluster node if a disjointed namespace is configured.

Microsoft Knowledge Base Article 952247: http://support.microsoft.com/kb/952247

Finally, there is a Repair function built into the new Failover Cluster Management MMC that allows you to repair the AD object for the network name resource. This functionality is documented in Microsoft Knowledge Base Article 950805, How to recover a deleted computer object that supports a Network Name resource in a Windows Server 2008 failover cluster.

Microsoft Knowledge Base Article 950805: http://support.microsoft.com/kb/950805

However, the most elusive permission and user rights issues are caused by the propagation of Group Policy Objects (GPOs). These restrictions can be established in any GPO at the domain or Organizational Unit (OU) level, including the Default Domain Policy GPO. The important thing to note is the way user rights are assigned to users or groups. By default, the user rights lists, as viewed in the Group Policy editor, are usually blank. This means the right applies to all users that apply the GPO. However, adding any users or groups explicitly to that right will deny the right to all users and groups not in the list.

The AD CNO object must have the "Access this computer from the network" right. In an environment where a Microsoft Windows 2008 Failover Cluster is installed, modifying this right by adding users or groups to it explicitly can deny access to the object, causing the Cluster Network Name resource to fail to come online. In addition, due to the complex nature of GPO propagation (for example, No override, blocked inheritance, conflicting or combining rights), GPO and Failover Cluster AD issues can be difficult to diagnose.

A good example of a GPO-related cluster installation failure occurred when the User Rights in the Default Domain Policy limited the "Access this computer from the network" right to administrators and certain security groups. Defining this policy prevented all other users and machine accounts from accessing the computer from the network. In our case, it prevented access to the AD CNO and kept the Cluster Network Name from coming online.

An event is logged by the FailoverClustering source, Event ID 1207:


Log Name: System
Source: Microsoft-Windows-FailoverClustering
Date: 1/28/2009 8:32:27 AM
Event ID: 1207
Task Category: Network Name Resource
Level: Error
Keywords:
User: SYSTEM
Computer: cluster1.xyz.com
Description: Cluster network name resource 'Cluster Name' cannot be brought online. The computer object associated with the resource could not be updated in domain 'xyz.com' for the following reason:

Unable to obtain the Primary Cluster Name Identity token.

The text for the associated error code is: An attempt has been made to operate on an impersonation token by a thread that is not currently impersonating a client.

The cluster identity 'CLUSTER1$' may lack permissions required to update the object. Please work with your domain administrator to ensure that the cluster identity can update computer objects in the domain.

The tell-tale sign in the cluster log is status 0x00000569. Keep in mind that with Microsoft Windows 2008, the cluster log needs to be generated on the fly (example: Cluster.exe Log /generate):


0000033c.00001568::2009/02/06-21:45:42.774 WARN [RES] Network Name <Cluster Name>: Password for computer account CLUSTER1$ is incorrect (status 0x00000569). LOGONUSER Failed for CNO Incorrect CNO password.

Status 0x00000569 translates to:


ERROR_LOGON_TYPE_NOT_GRANTED winerror.h
# Logon failure: the user has not been granted the requested
# logon type at this computer.

Solution

Adding the security group Authenticated Users to the user right "Access this computer from the network" and issuing gpupdate /force on the cluster nodes allowed the Cluster Network Name resource to come online. Command View for EVA was the product that recommended editing the GPO, but the change should have been limited to the local security policies, not the Default Domain Policy that affected all users and computers.
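One way to check a node for the restricted user right described above, as an added example that is not part of the original HPE document: the script parses the [Privilege Rights] section of a user-rights export (for instance, one produced on a node with secedit /export /areas USER_RIGHTS /cfg rights.inf, which writes UTF-16) and reports whether SeNetworkLogonRight still covers a computer account such as the CNO. The function names and the sample SIDs are assumptions made for this example.

```python
# Added example: checks a user-rights export for the failure described above.
# All SIDs in the sample data are constructed; S-1-5-21-...-1105 stands in
# for a hypothetical domain security group.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}

def parse_privilege_rights(inf_text):
    """Return {right: set of SIDs/names} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {
                v.strip().lstrip("*") for v in value.split(",") if v.strip()
            }
    return rights

def network_logon_verdict(rights, account_sids=()):
    """account_sids: SIDs of the CNO and its groups, supplied by the caller."""
    candidates = set(BROAD_SIDS) | set(account_sids)
    denied = rights.get("SeDenyNetworkLogonRight", set()) & candidates
    if denied:  # an explicit deny wins over any grant
        return "DENIED", sorted(denied)
    allow = rights.get("SeNetworkLogonRight")
    if allow is None:  # the right is not defined in this file
        return "NOT_DEFINED", []
    granted = allow & candidates
    if granted:
        return "GRANTED", sorted(granted)
    return "RESTRICTED", sorted(allow)  # explicit list that leaves the CNO out

# Constructed sample: right limited to Administrators and one security group.
RESTRICTED_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyNetworkLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""
# Same policy after the fix from the Solution: Authenticated Users added.
FIXED_INF = RESTRICTED_INF.replace("= *S-1-5-32-544", "= *S-1-5-11,*S-1-5-32-544")

if __name__ == "__main__":
    for label, text in (("before", RESTRICTED_INF), ("after", FIXED_INF)):
        print(label, network_logon_verdict(parse_privilege_rights(text)))
```

A RESTRICTED verdict lists the accounts that hold the right, so it is easy to see which explicit entries displaced the broad groups; pass the CNO's own SID or group SIDs in account_sids when access is granted through a narrower group.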

As a final note, Microsoft maintains a list of recommended hotfixes for clusters. See Microsoft Knowledge Base Article 957311 Recommended hotfixes for Windows 2008-based server clusters.

Microsoft Knowledge Base Article 957311: http://support.microsoft.com/kb/957311

Document ID: emr_na-c01672890-3