In Windows 2003, when the cluster attempted to create or modify Kerberos-enabled machine accounts, it did so by leveraging the rights assigned to the cluster service account. The Windows 2003 cluster service used this domain account for the logon right at service startup.
In Windows 2008, when the cluster attempts to create or modify Kerberos-enabled machine accounts, it does so by leveraging the machine account associated with the name of the cluster (this is the Cluster Name Object (CNO)). The Windows 2008 cluster service now starts under “Local System”.
When the CNO does not have rights to join machine accounts to the domain, or to modify existing machine accounts, Exchange setup will fail after programmatically creating the network name resources and attempting to bring them online.
This situation most commonly occurs when running:
1) Setup.com /newCMS /cmsName:<NAME> /cmsIPv4Address:<IP>
2) Setup.com /recoverCMS /cmsName:<NAME> /cmsIPv4Address:<IP>
The following errors may be noted during setup where the network name failed to come online due to this issue:
"Cluster Common Failure Exception: Failed to bring cluster resource Network name (<NAME>) in cluster group <NAME> online. The group or resource is not in the correct state to perform the requested operation. (Exception from HRESULT: 0x8007139f)"
Error 0x8007139f translates to:
ERROR_INVALID_STATE: The group or resource is not in the correct state to perform the requested operation.
In the application and system logs, the following events may be noted:
Log Name: Application
Source: MSExchangeRepl
Date: 10/24/2008 2:17:15 PM
Event ID: 107
Task Category: Action
Level: Error
Keywords: Classic
User: N/A
Computer: <NAME>.domain.com
Description:
The New-ClusteredMailboxServer operation failed for server <NAME>

Log Name: Application
Source: MSExchangeSetup
Date: 10/24/2008 2:17:15 PM
Event ID: 1002
Task Category: Microsoft Exchange Setup
Level: Error
Keywords: Classic
User: N/A
Computer: <NAME>.domain.com
Description:
Exchange Server component Clustered Mailbox Server failed.
Error: Error: Cluster Common Failure Exception: Failed to bring cluster resource Network Name (<NAME>) in cluster group <NAME> online. The event log may contain more details.
Cluster Common Failure Exception: The group or resource is not in the correct state to perform the requested operation. (Exception from HRESULT: 0x8007139F)

Log Name: System
Source: Microsoft-Windows-FailoverClustering
Date: 10/24/2008 2:17:13 PM
Event ID: 1194
Task Category: Network Name Resource
Level: Error
Keywords:
User: SYSTEM
Computer: <NAME>.domain.com
Description:
Cluster network name resource 'Network Name (<NAME>)' failed to create its associated computer object in domain 'domain.com' for the following reason: Unable to create computer account.
The text for the associated error code is: Access is denied.
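The setup error only reports the generic HRESULT; the 1194 event is what actually names the network name resource and the "Access is denied" reason. The following PowerShell is an added example (not part of the original post) that decodes the HRESULT into its Win32 error text and pulls recent 1194 events from the System log of a cluster node so the failing resource can be matched to the CNO permission problem. It assumes PowerShell 2.0 or later on the node (for Get-WinEvent); the function names are my own.

```powershell
# Added example, not from the original post.
# Decode the 0x8007xxxx HRESULT reported by setup and list recent
# FailoverClustering 1194 events (computer object creation failures).

function ConvertFrom-ClusterHResult {
    param([Parameter(Mandatory=$true)][int]$HResult)
    # FACILITY_WIN32 HRESULTs carry the Win32 error code in the low 16 bits.
    # 0x8007139f -> 0x139f (5023) = ERROR_INVALID_STATE
    $win32 = $HResult -band 0xFFFF
    $text  = (New-Object ComponentModel.Win32Exception ([int]$win32)).Message
    New-Object PSObject -Property @{
        HResult = ('0x{0:X8}' -f $HResult)
        Win32   = $win32
        Message = $text
    }
}

function Get-CnoComputerObjectFailures {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # cluster node to query
        [int]$Days = 7
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-FailoverClustering'
        Id           = 1194
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = $_.Message
            # The message names the resource in quotes and ends the reason
            # with "The text for the associated error code is: <reason>".
            $resource = if ($m -match "resource '([^']+)'") { $matches[1] } else { '' }
            $reason   = if ($m -match 'associated error code is:\s*([^\r\n]+)') { $matches[1].Trim() } else { $m }
            New-Object PSObject -Property @{
                Time         = $_.TimeCreated
                Resource     = $resource
                Reason       = $reason
                AccessDenied = ($m -match 'Access is denied')   # the CNO-rights signature
            }
        }
}

ConvertFrom-ClusterHResult 0x8007139f | Format-List
Get-CnoComputerObjectFailures | Format-Table -AutoSize Time, Resource, AccessDenied, Reason
```

If the report shows 1194 events with AccessDenied set for the network name that setup.com /newCMS or /recoverCMS just created, the CNO lacks rights on that computer object (or on the OU where it would be created), and pre-staging the account as described below is the fix rather than retrying setup.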
To correct this situation this is what I recommend when creating Windows 2008 clusters. (These steps assume the cluster service on the nodes has not already been configured):
If the cluster services have already been configured you can skip the step of creating an account for the CNO and disabling the CNO account since this account should already exist in the active directory.
When these steps are completed you should be able to establish the cluster services and begin the Exchange installation.
If you are using Standby Continuous Replication (SCR) and the target is a single node cluster you will follow the same instructions with the exception of:
Updating permissions for the additional CNO ensures that the standby cluster CNO has the appropriate rights when running setup.com /recoverCMS.
If you are using continuous replication host names with cluster continuous replication clusters, you will follow the same process outlined above to pre-stage the machine accounts associated with the replication names and add the CNO account with Full Control. The only CNO account that requires permissions is that of the cluster hosting the replication host names; SCR target cluster CNOs do not require permissions to these names.
By pre-staging machine accounts and establishing the appropriate security contexts you can help prevent errors during Exchange setup and cmdlet operations.
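The pre-staging procedure above (create the machine account for the CMS or replication name, leave it disabled, and give the CNO Full Control over it) is the same whether it is done for a CCR cluster, an SCR target, or replication host names; only the name and which CNO gets the rights change. The following PowerShell is an added example of that procedure (it is not a script from the original post or from Microsoft) using the ActiveDirectory module, which assumes Windows Server 2008 R2 / RSAT tooling and a domain controller that supports it; on a plain Windows 2008 toolset the same two operations are dsadd computer and dsacls. The names CMS1, CLUSTER1 and the OU path are placeholders, and the function names are my own.

```powershell
# Added example, not from the original post.
# Pre-stage a disabled computer object for an Exchange network name and
# grant the cluster's CNO Full Control on it, then verify the ACE exists.
Import-Module ActiveDirectory

function New-PreStagedClusterName {
    param(
        [Parameter(Mandatory=$true)][string]$Name,        # CMS or replication host name
        [Parameter(Mandatory=$true)][string]$ClusterCno,  # CNO name (the cluster name)
        [Parameter(Mandatory=$true)][string]$OUPath       # DN of the OU for the new object
    )
    # Create the account disabled; the cluster enables it when the network
    # name resource comes online, so it must not be usable before then.
    $obj = Get-ADComputer -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue
    if (-not $obj) {
        $obj = New-ADComputer -Name $Name -SAMAccountName $Name -Path $OUPath `
                              -Enabled $false -PassThru
    }

    # Full Control for the CNO = GenericAll on the computer object.
    $cnoSid = (Get-ADComputer $ClusterCno).SID
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $allow  = [System.Security.AccessControl.AccessControlType]::Allow
    $rule   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
                         -ArgumentList $cnoSid, $rights, $allow

    $path = "AD:\" + $obj.DistinguishedName
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    $obj
}

function Test-CnoHasFullControl {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$ClusterCno
    )
    # Read the ACL back with SID identities so the comparison does not
    # depend on how the account name happens to be rendered.
    $obj    = Get-ADComputer $Name
    $cnoSid = (Get-ADComputer $ClusterCno).SID.Value
    $acl    = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
    $all    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    foreach ($r in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($r.IdentityReference.Value -eq $cnoSid -and
            $r.AccessControlType -eq 'Allow' -and
            (($r.ActiveDirectoryRights -band $all) -eq $all)) {
            return $true
        }
    }
    return $false
}

# Placeholder values: the CMS name, the CNO of the cluster that will host it,
# and the OU where the object should live.
New-PreStagedClusterName -Name 'CMS1' -ClusterCno 'CLUSTER1' `
                         -OUPath 'OU=Exchange Clusters,DC=domain,DC=com'
if (-not (Test-CnoHasFullControl -Name 'CMS1' -ClusterCno 'CLUSTER1')) {
    Write-Warning 'CNO does not have Full Control on CMS1; setup will fail with event 1194.'
}
```

For an SCR single node cluster, run the grant a second time with the standby cluster's CNO so that setup.com /recoverCMS has rights to the same object; for replication host names, pass only the CNO of the cluster that hosts them, as the post notes that SCR target CNOs do not need rights to those names. The verification function is the check to run before starting Exchange setup, since the 1194 "Access is denied" event only appears after setup has already created the resources.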
Why disable the accounts?
Is there a script to do this?
I am not aware of a public script to do this. It usually only needs to be done once.