

Cluster Name Object Failed, Repairing it gives ‘The password does not meet the password policy requirements’

 

Hello, my name is Anirudh, and today we will be talking about a problem where the Cluster Name Object (CNO) fails to come online in the Failover Cluster Manager.

 

If you are looking for steps to follow for a general CNO failure, please follow the steps in the blog https://blogs.technet.microsoft.com/askcore/2012/03/27/why-is-the-cno-in-a-failed-state/ . The steps below are specific to this situation.

 

Bringing the CNO online fails, and attempting to repair the CNO logs the following event:

 

Log Name: System
Source: Microsoft-Windows-FailoverClustering
Date: 3/3/2016 9:21:22 PM
Event ID: 1207
Task Category: Network Name Resource
Level: Error
User: SYSTEM
Computer: 2012R2Node1.contoso.com
Description: Cluster network name resource 'Cluster Name' cannot be brought online. The computer object associated with the resource could not be updated in domain 'contoso.com' for the following reason:
Unable to update password for computer account.
The text for the associated error code is: The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.
The cluster identity 'Cluster2012$' may lack permissions required to update the object. Please work with your domain administrator to ensure that the cluster identity can update computer objects in the domain.

 

 

When you generate the cluster log for the last 2 minutes around this time using , it shows the following errors:

000011c4.00003922::2016/03/03-21:21:14.760 ERR [RES] Network Name <Cluster Name>: Unable to update password for computer account Cluster2012 on DC \\DC.contoso.com, status 2245.

000011c4.00003922::2016/03/03-21:21:14.766 WARN [RES] Network Name <Cluster Name>: Automatic Password rotation failed with status 2245.Will retry in 2245 seconds
000011c4.00003922::2016/03/03-21:21:14.776 INFO [RES] Network Name <Cluster Name>: TimerQueueTimer rescheduled to fire after 900 secs

 

Error 2245 translates to:

[image: error code lookup for 2245, showing the same "The password does not meet the password policy requirements" message]

 

This is essentially the same message we see in the event log. One cause is the userAccountControl attribute being set incorrectly on the CNO's computer object in Active Directory: when you open the properties of the computer object, you see a wrong userAccountControl value.

 

[image: properties of the CNO computer object in Active Directory, showing the userAccountControl value]

 

If the value there decodes to PASSWD_NOTREQD (the computer account is marked as not requiring a password, so the cluster's password rotation is rejected by the password policy), it needs to be changed to 4096 (hex 0x1000), which decodes to WORKSTATION_TRUST_ACCOUNT, before attempting the repair of the CNO.

The repair then should reset the password for the CNO and help bring it online.
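To check the CNO's computer object for this condition before running the repair, here is an added PowerShell example (not from the original post): it assumes the ActiveDirectory (RSAT) module is installed, uses the 'Cluster2012' account name from the event above as a placeholder for your own CNO, decodes the userAccountControl bits, and previews the corrective change with -WhatIf.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module and a domain-joined admin session; 'Cluster2012' is the CNO name taken
# from the event log above, replace it with your own CNO.
Import-Module ActiveDirectory

# Subset of userAccountControl bit values (from the AD schema) that matter here.
$uacFlags = @{
    0x0002  = 'ACCOUNTDISABLE'
    0x0020  = 'PASSWD_NOTREQD'              # the bad value described in the post
    0x0040  = 'PASSWD_CANT_CHANGE'
    0x0200  = 'NORMAL_ACCOUNT'
    0x1000  = 'WORKSTATION_TRUST_ACCOUNT'   # 4096, the expected value for a CNO
    0x2000  = 'SERVER_TRUST_ACCOUNT'
    0x10000 = 'DONT_EXPIRE_PASSWORD'
}

# Return the flag names set in a userAccountControl value.
function ConvertFrom-Uac {
    param([int]$Value)
    $uacFlags.Keys | Sort-Object | Where-Object { ($Value -band $_) -ne 0 } |
        ForEach-Object { $uacFlags[$_] }
}

$cnoName = 'Cluster2012'   # placeholder: CNO sAMAccountName without the trailing $
$cno = Get-ADComputer -Identity $cnoName -Properties userAccountControl
$uac = [int]$cno.userAccountControl
'userAccountControl = {0} (0x{0:X}): {1}' -f $uac, ((ConvertFrom-Uac $uac) -join ', ')

$passwdNotReqd    = 0x0020
$workstationTrust = 0x1000

if (($uac -band $passwdNotReqd) -ne 0) {
    'PASSWD_NOTREQD is set; the cluster''s password rotation will be rejected (status 2245).'
    # Corrective value from the post: exactly 4096 (WORKSTATION_TRUST_ACCOUNT).
    # -WhatIf only previews the write; drop it once you have confirmed the object is the CNO.
    Set-ADComputer -Identity $cnoName -Replace @{ userAccountControl = $workstationTrust } -WhatIf
    'After the change, repair the CNO in Failover Cluster Manager.'
}
elseif ($uac -eq $workstationTrust) {
    'userAccountControl is already 4096 (WORKSTATION_TRUST_ACCOUNT); this post''s cause does not apply.'
}
else {
    'userAccountControl differs from 4096; review the decoded flags above before changing it.'
}
```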

 

Hope this helps.

 

 

Anirudh Gandhi

Support Escalation Engineer | Microsoft Windows Core

Disclaimer : This information is provided ‘as-is’ with no warranties

Comments

  • Anonymous
    April 04, 2016
    Hi.

    I had the same problem, but the cause was different. It looked to be caused by a wrong machine password cache in the cluster.
    In the properties of the cluster and in the properties of the cluster application, the "Kerberos Status" was not OK. I do not remember the status. Sorry.
    Microsoft support suggested we reboot the inactive node and activate it.
    After that the "Kerberos Status" remained not OK. Then I put the cluster (not the application) offline and back online, and the "Kerberos Status" returned to OK and the errors stopped appearing in the Event Viewer.
    On the other node, which was the active one, this error message appeared:

    Event ID: 4
    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server nnnn$. The target name used was cifs/nnnn.nnnn.nnnn. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (nnnn.nnnn) is different from the client domain (nnnn.nnnn), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

    I also restarted the other node and activated it to confirm that "Kerberos Status" remained OK there.

    Cássio.
  • Anonymous
    April 27, 2016
    Hi Cassio. There can be several causes for the same error in the event logs. The cluster logs ought to help. In your case, they would have clearly thrown an SPN error.