Microsoft Enterprise Platforms Support: Windows Server Core Team
EPS Team Blogs
Product Team Blogs
I recently encountered an issue involving the failure of a new Network Name resource to come online. Doing some investigation I found a number of instances where this has been encountered, with different resolutions provided. Since no root cause was defined, fellow Directory Services Engineer Robert Williams and I set out to determine the cause.
You’ll know you’ve encountered this issue if you create a new Network Name resource and it fails to online with the following errors:
In the System Event log you will see a Failover Cluster event 1194:
Log Name: System
Date: 3/27/2013 1:19:07 PM
Event ID: 1194
Task Category: Network Name Resource
Cluster network name resource 'ComputerName' failed to create its associated computer object in domain 'DomainName' for the following reason: Unable to obtain access to Computer Object in DS.
The text for the associated error code is: Access is denied.
Please work with your domain administrator to ensure that:
In the Cluster log you will see the following entries:
00000ea4.000012b0::2013/03/25-16:55:04.113 ERR [RES] Network Name < NetworkName>: Failed to obtain access to computer account < AccountName>, status 80070005
00000ea4.000012b0::2013/03/25-16:55:04.128 ERR [RHS] Online for resource <NetworkName> failed.
Note: To generate a Cluster log, run the following command from an administrators command prompt. The Cluster.log file will be generated in the c:\windows\cluster\reports directory. The entry will be in the Cluster log on the Node where the online attempt failed.
Cluster log /gen
We determined that the root cause of the issue is due to the removal of NT AUTHORITY\Authenticated Users from the local Users group. Note below that it is present by default:
The best solution is to add back NT AUTHORITY\Authenticated to the local Users Group. This will require a reboot for the change to take effect. If your security team is unwilling to do this, you can disable the following two Security policies and refresh the policy by running gpupdate /force:
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
You will have to determine which of these two options best fits the security requirements for your environment. It may be a good option to create a separate Organizational Unit (OU) for your Cluster servers. This will allow you to affect the preferred change to the limited subset of servers.
Senior Support Escalation Engineer
Microsoft Customer Support & Services
<a href=" adsonlineindia.com/">Online Business Directory</a>
Great thought is a big cause of a big change so keep showing your thoughts in your blogs.
Your blogs are admirable and full of knowledge. Thanks for giving us such kind of matter to study. Adopting new ideas is a good thing about your blog and I just want that please give more updates like this.
Adsonlineindia is a leading Online Business Directory site which covers almost all top cities of India. Anyone can post here without any cost. So start posting your business for better user experience. if you want to free add visit this website:- <a href=" adsonlineindia.com/.../a>
This is an excellent article, however it assumes a level of familiarity with windows that an admin may not have.
The command "cluster log /gen" is not possible on my Windows 2012 R2. Cluster.exe does not exist.
I had this exact same problem, but had to resort to creating a new CNO because I didn't know how to deal with the details in your explanation.