Cluster service failure after AD lockdown...

re: Cluster service failure after AD lockdown...

Jason Hartzell — Sat, 16 Dec 2006 12:17:12 GMT

Mr Turner. Great article tons of good info could you though increase some of the text size?

I appreciate the link Sir I will be visiting regularly.

re: Cluster service failure after AD lockdown...

justintu — Sat, 16 Dec 2006 12:20:49 GMT

Thank you for visiting. Text size will be increased with the next post. Thanks for the suggestion.

Justin Turner

Cluster service failure update...

Active Directory, Cluster and other fun stuff... — Thu, 21 Dec 2006 09:52:36 GMT

Just a quick note to say that they did update KB 269229 with my comment about requiring the SERVICE account

re: Cluster service failure after AD lockdown...

JAlifrangis — Thu, 18 Jan 2007 00:41:39 GMT

Yup, that fixed it,

We have successfully recovered both our domain controllers using this fix.

Appearantly someone on the development staff had changed the Impersonate Priviledge to work only for our service account, and not for the rest.

Development for the lose!

re: Cluster service failure after AD lockdown...

justintu — Thu, 18 Jan 2007 02:11:36 GMT

Nice to hear that it helped.

re: Cluster service failure after AD lockdown...

Robert Dunn — Thu, 05 Apr 2007 13:13:47 GMT

Thanks a million, your article has allowed us to get back up and running after a few hours of downtime. Basically all we did was change the logon for the RPC, back to Local System. So we now have network connectivity, Exchange and most importantly, Remote Desktop Connection, so we don't have to be lying on the floor at the local system in the server room :) Now we can look at sorting the policy settings you mentioned, from the comfort of our own desks.

Thanks again.

re: Cluster service failure after AD lockdown...

justintu — Thu, 05 Apr 2007 14:38:17 GMT

Robert: You're welcome. I'm glad it helped.

re: Cluster service failure after AD lockdown...

Tony Rogers — Fri, 04 May 2007 13:22:25 GMT

Thankyou for an informative article. Your article saved me from having to do a server rebuild, as I had no idea what had gone wrong, until I came across this article on Google.

This happened on SBS2003 in my case - and as I'm the only Administrator, I'm at a loss to understand how the users Administrator and SERVICE were ever removed from "Impersonate a client after authentication" as I don't remember doing it!!!

Thanks again. :-)

re: Cluster service failure after AD lockdown...

justintu — Fri, 04 May 2007 14:10:32 GMT

Thanks for the feedback Tony.

As far as how it happened: Since you are the only Administrator, and don't remember doing, I would check for any rogue services or processes running.

You may want to go to http://safety.live.com and do a virus scan. Or maybe the settings got changed by importing one of the "High Security" templates that often get recommended by some of the security sites?

re: Cluster service failure after AD lockdown...

Teeka Leone — Tue, 26 Jun 2007 23:36:23 GMT

Thank you for spelling out step by step how to fix my 'sick' Domain Controller. I experienced EXACTLY what you outlined in this article and was able to fix it. Thank you!!!!

re: Cluster service failure after AD lockdown...

Dan Capor — Fri, 03 Aug 2007 17:13:40 GMT

Thank you Justin,

This problem had plagued our network for a few months. I had only stumbled upon the temportary fix of setting each machine's RPC service to Local System Account, but it was just a bandaid on a gushing wound.

Thank you, Thank you, Thank you.

~Dan

re: Cluster service failure after AD lockdown...

JL — Tue, 07 Aug 2007 08:56:34 GMT

Just wanted to let you know you saved our bacon with this article. THANKS!

re: Cluster service failure after AD lockdown...

Meir — Thu, 30 Aug 2007 19:19:10 GMT

Justin you're the man, you saved my weekend (after foolishly applying a malformed security policy).

Your article is really helpful and important.

I think the title "Cluster service failure after AD lockdown" is a bit illusive, it doesn't reflect the real context of the problem. it can happen actually on any domain member (SQL server services also failed)

Thanks again!

re: Cluster service failure after AD lockdown...

Michele Maran — Sun, 16 Sep 2007 15:42:38 GMT

Thanks for the greats tips. Problem solved for me during Active Directory upgrade from win2k to win2k3.

I remeber that installation of Norton Antivirus Client Server Suite ask me to change impersonate key of domain group policy years old.

Thanks a lot

Michele Maran from Italy

re: Cluster service failure after AD lockdown...

Mr Steve — Fri, 21 Sep 2007 14:42:19 GMT

We had some issues with 2003 SP1 and the Time Service - after a reinstall of SP1 to fix the issue, we had the COM+ and RPC issue also. In our case, the "Impersonate..." policy was never defined in the DCP. Just performing the final restart now, and i'd just like to take the chance to backup Meir's comment that indeed - Justin - YOU ARE THE MAN!!! :0)

RPC permissions on boot

Rich Gautier — Tue, 16 Oct 2007 16:09:48 GMT

You just saved me hours of work. Thank you for your breakout of this problem. It affected us during a security patch and reboot session this morning, even though it only affected some of our machines, the advice and underlying reasons were dead on.

Thank you very much for sharing this info.

re: Cluster service failure after AD lockdown...

Phil Petersen — Tue, 18 Dec 2007 23:25:35 GMT

Thanks. Thanks. Thanks. I've been fighting this problem for days and days at one of customers sites (away from home). Thanks for getting me home for the HOLIDAYS.

re: Cluster service failure after AD lockdown...

Steve Ferrarini — Wed, 12 Mar 2008 06:32:09 GMT

Justin,

Great information! I almost passed by because of the title, but this was exactly what we needed.

Thanks again for the investigative work, and making it available for us to find!

re: Cluster service failure after AD lockdown...

Mon, 07 Apr 2008 18:23:17 GMT

BRILLIANT! Thanks for the leg work and making me look good to my director!

re: Cluster service failure after AD lockdown...

derekmoore333 — Sat, 01 Nov 2008 22:59:49 GMT

For one of the two machines the two machines, on which I had already tried to install a MS Cluster. I had to find this fix, in addition to the above to get RPC and Network connections back online. The second node RPC came online without these additional mods.

http://www.eggheadcafe.com/software/aspnet/32648815/2003-server-r2--network.aspx

1. ON DOMAIN CONTROLLER Group Policy for this SQL CLUSTER, Go to Computer Configuration - Windows Settings - Local Policies – User right Assignment- look for "Bypass traverse checking" Policy and add NETWORK SERVICE.

2. ON LOCAL SQL SERVER, Open Windows Explorer and Go to \Windows\Registration folder - go to properties - Security tab -

add the following accounts with permissions.

a.Administrator - Full rights

b.System - Full rights

c.everyone - Read / Modify(WRITE) and List

Then click "APPLY" and go to "General" tab and click on the "Advance"

button. Here click the "Inheritance option" and finally click "OK"

3. Open regedit

a.go to "My Computer\HKEY_CLASSES_ROOT_\CLSID". Right click on it and

select "Permissions" and add "Authenticated Users" with "Full Permissions"

b.Go to "My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services".

Right click and select "Permissions" and add "Network Service" and "Local

Service" with "Full Permissions"

4.Finally go to "My

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs and set

the "ObjectName" to "NT Authority\NetworkService"

5.Reboot the promblematic server and check if the issue still exists.