Microsoft Enterprise Platforms Support: Windows Server Core Team
EPS Team Blogs
Product Team Blogs
I recently encountered an issue involving the failure of a new Network Name resource to come online. Doing some investigation I found a number of instances where this has been encountered, with different resolutions provided. Since no root cause was defined, fellow Directory Services Engineer Robert Williams and I set out to determine the cause.
You’ll know you’ve encountered this issue if you create a new Network Name resource and it fails to online with the following errors:
In the System Event log you will see a Failover Cluster event 1194:
Log Name: System
Date: 3/27/2013 1:19:07 PM
Event ID: 1194
Task Category: Network Name Resource
Cluster network name resource 'ComputerName' failed to create its associated computer object in domain 'DomainName' for the following reason: Unable to obtain access to Computer Object in DS.
The text for the associated error code is: Access is denied.
Please work with your domain administrator to ensure that:
In the Cluster log you will see the following entries:
00000ea4.000012b0::2013/03/25-16:55:04.113 ERR [RES] Network Name < NetworkName>: Failed to obtain access to computer account < AccountName>, status 80070005
00000ea4.000012b0::2013/03/25-16:55:04.128 ERR [RHS] Online for resource <NetworkName> failed.
Note: To generate a Cluster log, run the following command from an administrators command prompt. The Cluster.log file will be generated in the c:\windows\cluster\reports directory. The entry will be in the Cluster log on the Node where the online attempt failed.
Cluster log /gen
We determined that the root cause of the issue is due to the removal of NT AUTHORITY\Authenticated Users from the local Users group. Note below that it is present by default:
The best solution is to add back NT AUTHORITY\Authenticated to the local Users Group. This will require a reboot for the change to take effect. If your security team is unwilling to do this, you can disable the following two Security policies and refresh the policy by running gpupdate /force:
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
You will have to determine which of these two options best fits the security requirements for your environment. It may be a good option to create a separate Organizational Unit (OU) for your Cluster servers. This will allow you to affect the preferred change to the limited subset of servers.
Senior Support Escalation Engineer
Microsoft Customer Support & Services
adsonlineindia.com/">Online Business Directory</a>
Great thought is a big cause of a big change so keep showing your thoughts in your blogs.
Your blogs are admirable and full of knowledge. Thanks for giving us such kind of matter to study. Adopting new ideas is a good thing about your blog and I just want that please give more updates like this.
Adsonlineindia is a leading Online Business Directory site which covers almost all top cities of India. Anyone can post here without any cost. So start posting your business for better user experience. if you want to free add visit this website:- <a href="
This is an excellent article, however it assumes a level of familiarity with windows that an admin may not have.
The command "cluster log /gen" is not possible on my Windows 2012 R2. Cluster.exe does not exist.
I had this exact same problem, but had to resort to creating a new CNO because I didn't know how to deal with the details in your explanation.
This is an excellent and useful article, however it assumes a level of familiarity with windows that an admin may not have. http://marotravel.com/pulau-tidung-murah
This is an excellent and useful article, however it assumes a level of familiarity with windows that an admin may not have. www.marotravel.com/pulau-tidung-murah
I have this exact same problem. However, my local Users group contains the Authenticated Users. This is preventing me from putting Windows 2012R2 into our production environment. I may have to open a ticket with Microsoft.
Mr. Steven Andress,
YOU FOUND THE ANSWER TO HE PROBLEM!!!!!!
It is the "Do not allow anonymous enumeration of SAM accounts". It's not the group association. At least, this is the fix for Windows 2012R2. And you're right, don't forget to reboot to make it take effect.
Thank you so much!!!! I've spent the last 16 hours looking for this answer. I'm going over to the Microsoft TechNet forum where someone else asked this exact question and Vincent Hu gave his usual crappy answer and marked himself as the correct answer.
Steven Andress, you sir, are awesome.
After setting both Network access to disabled
"Do not allow anonymous enumeration of SAM accounts "
"Network access: Do not allow anonymous enumeration of SAM accounts and shares"
And running gpupdate /force on all my servers in the Windows 2012 R2 cluster I took the cluster name off line and repaired it. After that the password for the cluster name show to be updated. Thank you for your help.