Tim McMichael

Navigating the world of high availability...and occasionally sticking my head in the cloud...

Permissions recommended for the CNO (Cluster Name Object) in Windows 2008 for Exchange 2007 SP1 setup operations.

Permissions recommended for the CNO (Cluster Name Object) in Windows 2008 for Exchange 2007 SP1 setup operations.

  • Comments 4
  • Likes

In Windows 2003 when cluster would attempt to create or modify Kerberos enabled machine accounts it would do so by leveraging the rights assigned to the cluster service account.  The Windows 2003 cluster service would use this domain account for the logon right at service startup.

In Windows 2008 when the cluster attempts to create or modify Kerberos enable machine accounts it does so by leveraging the machine account associated with the name of the cluster (this is the Cluster Name Object (CNO) ).  The Windows 2008 cluster service now starts under “Local System”.

When the CNO does not have rights to join machine accounts to the domain, or modify existing machine accounts, the Exchange setup will fail after programmatically creating the network name resources and attempting to bring it online.

This situation most commonly occurs when running:

1)  Setup.com /newCMS /cmsName:<NAME> /cmsIPv4Address:<IP>

2)  Setup.com /recoverCMS /cmsName:<NAME> /cmsIPv4Address:<IP>

3)  Enable-ContinuousReplicationHostName

The following errors may be noted during setup where the network name failed to come online due to this issue:

"Cluster Common Failure Exception: Failed to bring cluster resource Network name (<NAME>) in cluster group <NAME> online.The group or resource is not in the correct state to perform the requested operation. (Exception from HRESULT:0x8007139f)"

Error 0x8007139f translates to:

ERROR_INVALID_STATE
# The group or resource is not in the correct state to
# perform the requested operation.

In the application and system logs, the following events may be noted:

Log Name: Application
Source: MSExchangeRepl
Date: 10/24/2008 2:17:15 PM
Event ID: 107
Task Category: Action
Level: Error
Keywords: Classic
User: N/A
Computer: <NAME>.domain.com
Description:
The New-ClusteredMailboxServer operation failed for server <NAME>

Log Name: Application
Source: MSExchangeSetup
Date: 10/24/2008 2:17:15 PM
Event ID: 1002
Task Category: Microsoft Exchange Setup
Level: Error
Keywords: Classic
User: N/A
Computer: <NAME>.domain.com
Description:
Exchange Server component Clustered Mailbox Server failed.
Error: Error:
Cluster Common Failure Exception: Failed to bring cluster resource Network Name (<NAME>) in cluster group <NAME> online. The event log may contain more details. Cluster Common Failure Exception: The group or resource is not in the correct state to perform the requested operation. (Exception from HRESULT: 0x8007139F)

Log Name: System
Source: Microsoft-Windows-FailoverClustering
Date: 10/24/2008 2:17:13 PM
Event ID: 1194
Task Category: Network Name Resource
Level: Error
Keywords:
User: SYSTEM
Computer: <NAME>.domain.com
Description:
Cluster network name resource 'Network Name (<NAME>)' failed to create its
associated computer object in domain 'domain.com' for the following reason: Unable to create computer account. The text for the associated error code is: Access is denied.

To correct this situation this is what I recommend when creating Windows 2008 clusters.  (These steps assume the cluster service on the nodes has not already been configured):

  • Using Active Directory Users and Computers showing advanced features:
    • In the appropriate container create a new machine account to correspond to the name of the cluster – this will be the cluster name object or CNO.
    • In the appropriate container create a new machine account for the Exchange name – this will be the CMS or clustered mailbox server name.
  • Once the machine accounts are created, the necessary permissions should be updated:
    • Get the properties of the CMS computer account.
    • Select the security tab.
    • Select add.
      • Select the object types button – change the scope to just computer accounts.
      • In the search field, type the name of the CNO machine account and press check names.
      • Press OK once the machine account is found.
    • In the group or user names box, find the machine account just added.
      • Assign the FULL CONTROL right to this machine account.
  • Complete the process by disabling both the CNO account and the CMS account.
  • Allow time for AD replication.

If the cluster services have already been configured you can skip the step of creating an account for the CNO and disabling the CNO account since this account should already exist in the active directory.

When these steps are completed you should be able to establish the cluster services and begin the Exchange installation.

If you are using Standby Continuous Replication (SCR) and the target is a single node cluster you will follow the same instructions with the exception of:

  • Create two CNO accounts, one for each cluster.
  • Add both CNO accounts with full control to the same CMS account.
  • Disable all accounts created.

By updating permissions for the additional CNO this will ensure that the standby cluster CNO has the appropriate rights when running setup.com /recoverCMS.

If you are using continuous replication hostnames with cluster continuous replication clusters you will follow the same process outlined above to pre-stage your machine accounts associated with the replication names and add the CNO account with full control.  The only CNO account that requires permissions is that of the cluster hosting the replication host names – SCR target cluster CNOs do not require permissions to these names.

By pre-staging machine accounts and establishing the appropriate security contexts you can help prevent errors during Exchange setup and commandlet operations.

Comments
  • Why disable the accounts?

  • Thanks TIMMCMIC!

    Is there a script to do this?

  • @Dave...

    I am not aware of a public script to do this.  It usually only needs to be done once.

    TIMMCMIC

  • @Dave...

    I am not aware of a public script to do this.  It usually only needs to be done once.

    TIMMCMIC

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment