Windows 2008R2 Failover Cluster - Unable to update password for computer account

  • We have a 2 node Active-Active Windows 2008R2 cluster where the following error started happening all of a sudden.

    Cluster network name resource 'SQL Network Name (XXXXXXXXXX)' cannot be brought online. The computer object associated with the resource could not be updated in domain 'XXXXXXXX.CORP' for the following reason:

    Unable to update password for computer account.

    The text for the associated error code is: Access is denied.

    The cluster identity 'XXXXXXXCLU02$' may lack permissions required to update the object. Please work with your domain administrator to ensure that the cluster identity can update computer objects in the domain.

    The Kerberos status shows Access Denied for the SQL Network Name resource.

    I have found many articles that give details and advice on this error, but what makes our situation unique is that this is only happening if the SQL Service/Application in the cluster is residing on one specific node.

    If we move the SQL Service/Application to the other node in the cluster, the error is resolved and Kerberos status shows OK.

    We decided to recreate the VCO in Active Directory for both SQL Network Name resources in our cluster by deleting the computer objects in Active Directory and then restarting the SQL Network Name resource to see if we could pinpoint what was going on. On one node where one active instance resides, the VCO was created just fine. On the second node where the other active instance resides, we received the following error.

    Cluster network name resource 'XXXXXXXXXX' failed to create its associated computer object in domain 'XXXXXXXXXX.CORP' for the following reason: Unable to create computer account.

    The text for the associated error code is: Access is denied.

    Please work with your domain administrator to ensure that:

    - The cluster identity 'XXXXXXXXCLU02$' can create computer objects. By default all computer objects are created in the 'Computers' container; consult the domain administrator if this location has been changed.

    - The quota for computer objects has not been reached.

    - If there is an existing computer object, verify the Cluster Identity 'XXXXXXXXXCLU02$' has 'Full Control' permission to that computer object using the Active Directory Users and Computers tool.

    We then brought that SQL Service/Application up on the other node in the cluster and sure enough, the VCO was created without issue.

    This tells me that the cluster identity for the CNO does indeed have the permissions needed to create computer objects AND update them in Active Directory, and for some reason there is only an issue from one of the nodes in the cluster.

    Has anyone seen this, what appears to be a unique situation, occur?

  • You ever figure this out? I'm having the same issue....

  • The cluster account requires permissions to create VCOs in the domain.

    Do you have a GPO that's wiping this out by any chance?

    Check with your admins for further info.

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉

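The three checks listed in the event text above (create permission, quota, Full Control on an existing object), as an added read-only PowerShell example that is not from the thread. `CNO-PLACEHOLDER` and `SQL-VCO-PLACEHOLDER` are placeholder names, and the ActiveDirectory module (RSAT) is assumed to be installed; running it from each node lets the two results be compared.

```powershell
# Added example: read-only checks for the three items listed in the event text.
# $CnoName and $VcoName are placeholders; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$CnoName = 'CNO-PLACEHOLDER'       # cluster identity, without the trailing $
$VcoName = 'SQL-VCO-PLACEHOLDER'   # computer object behind the SQL Network Name

$Rights       = [System.DirectoryServices.ActiveDirectoryRights]
$ComputerGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "computer"
$domain       = Get-ADDomain
$cnoSid       = (Get-ADComputer -Identity $CnoName).SID.Value

# Allow ACEs on an AD object that name the CNO directly (group-granted access is not resolved).
function Get-CnoAllowAce([string]$DistinguishedName) {
    (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $(
            try   { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $cnoSid }
            catch { $false })   # unresolvable identity: not the CNO
    }
}

# 1. Explicit "create computer objects" ACE on the default container.
#    Without one, creation depends on the domain quota (check 2).
$container = $domain.ComputersContainer
$canCreate = @(Get-CnoAllowAce $container | Where-Object {
    ($_.ActiveDirectoryRights -band $Rights::CreateChild) -and
    ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $ComputerGuid)
}).Count -gt 0

# 2. Domain quota versus computer objects the CNO has already created under it.
$quota   = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
$created = @(Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID' |   # full enumeration; slow in large domains
    Where-Object { "$($_.'mS-DS-CreatorSID')" -eq $cnoSid }).Count

# 3. If the VCO already exists, does the CNO hold Full Control (GenericAll) on it?
$vco = Get-ADComputer -Filter "Name -eq '$VcoName'"
$fullControl = if ($vco) {
    @(Get-CnoAllowAce $vco.DistinguishedName | Where-Object {
        ($_.ActiveDirectoryRights -band $Rights::GenericAll) -eq $Rights::GenericAll
    }).Count -gt 0
} else { $null }

New-Object PSObject -Property @{
    RunFrom = $env:COMPUTERNAME; ComputersContainer = $container
    CnoHasCreateComputerAce = $canCreate; MachineAccountQuota = $quota
    CreatedByCno = $created; VcoExists = [bool]$vco; CnoFullControlOnVco = $fullControl
}
```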