Windows 2008R2 Failover Cluster - Unable to update password for computer account
Posted Tuesday, October 15, 2013 9:12 PM
We have a 2 node Active-Active Windows 2008R2 cluster where the following error started happening all of a sudden.

Cluster network name resource 'SQL Network Name (XXXXXXXXXX)' cannot be brought online. The computer object associated with the resource could not be updated in domain 'XXXXXXXX.CORP' for the following reason:
Unable to update password for computer account.

The text for the associated error code is: Access is denied.


The cluster identity 'XXXXXXXCLU02$' may lack permissions required to update the object. Please work with your domain administrator to ensure that the cluster identity can update computer objects in the domain.


The Kerberos status shows Access Denied for the SQL Network Name resource.

I have found many articles that give details and advice on this error, but what makes our situation unique is that this is only happening if the SQL Service/Application in the cluster is residing on one specific node.

If we move the SQL Service/Application to the other node in the cluster, the error is resolved and Kerberos status shows OK.

We decided to recreate the VCO in Active Directory for both SQL Network Name resources in our cluster by deleting the computer objects in Active Directory and then restarting the SQL Network Name resource to see if we could pinpoint what was going on. On one node where one active instance resides, the VCO was created just fine. On the second node where the other active instance resides, we received the following error.

Cluster network name resource 'XXXXXXXXXX' failed to create its associated computer object in domain 'XXXXXXXXXX.CORP' for the following reason: Unable to create computer account.

The text for the associated error code is: Access is denied.


Please work with your domain administrator to ensure that:
- The cluster identity 'XXXXXXXXCLU02$' can create computer objects. By default all computer objects are created in the 'Computers' container; consult the domain administrator if this location has been changed.
- The quota for computer objects has not been reached.
- If there is an existing computer object, verify the Cluster Identity 'XXXXXXXXXCLU02$' has 'Full Control' permission to that computer object using the Active Directory Users and Computers tool.


We then brought that SQL Service/Application up on the other node in the cluster and sure enough, the VCO was created without issue.

This tells me that the cluster identity for the CNO does indeed have the permissions needed to create computer objects AND update them in Active Directory, and for some reason there is only an issue from one of the nodes in the cluster.

Has anyone seen this, what appears to be a unique situation, occur?
Post #1505055
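
The three items the second error message asks the domain administrator to verify can be read straight from Active Directory. The script below is an added example, not part of the original post: `$CnoName` and `$VcoName` are placeholders, it assumes the RSAT ActiveDirectory module, and it reports only ACEs granted explicitly to the cluster identity (access inherited through group membership is not listed).

```powershell
# Added example: names below are placeholders, not values from the post.
Add-Type -AssemblyName System.DirectoryServices   # ActiveDirectoryRights enum
Import-Module ActiveDirectory                     # RSAT module; provides the AD: drive

$CnoName = 'CLUSTER-CNO'        # placeholder: cluster identity, without the trailing $
$VcoName = 'SQL-NETWORK-NAME'   # placeholder: computer object of the SQL Network Name

$domain  = Get-ADDomain
$cno     = Get-ADComputer -Identity $CnoName
$cnoAcct = "$($domain.NetBIOSName)\$($cno.SamAccountName)"
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the computer class

# Explicit ACEs for the cluster identity on an AD object (group-based access is not listed).
function Get-CnoAce([string]$DistinguishedName) {
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.IdentityReference.Value -eq $cnoAcct }
}

# 1. Can the cluster identity create computer objects in the default container?
$container = $domain.ComputersContainer
$create = Get-CnoAce $container | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
    ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq [guid]::Empty)
}
"Default container      : $container"
"Explicit create ACE    : $([bool]$create)"

# 2. Has the computer-object quota been reached?
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
          -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
$owned = @(Get-ADComputer -Filter * -Properties 'ms-DS-CreatorSID' |
    Where-Object { "$($_.'ms-DS-CreatorSID')" -eq $cno.SID.Value })
"Quota / created by CNO : $quota / $($owned.Count)"

# 3. Does an existing computer object grant the cluster identity Full Control?
$vco = Get-ADComputer -Filter "Name -eq '$VcoName'"
if ($vco) {
    $full = Get-CnoAce $vco.DistinguishedName | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -eq [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    }
    "Full Control on VCO    : $([bool]$full)"
} else {
    "VCO '$VcoName' does not exist yet"
}
```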