New Network Name Resource Fails to come Online
I recently encountered an issue in which a new Network Name resource failed to come online. During my investigation I found a number of instances where this has been encountered, each with a different resolution offered. Since no root cause had been defined, fellow Directory Services Engineer Robert Williams and I set out to determine the cause.
You'll know you've encountered this issue if you create a new Network Name resource and it fails to come online with the following errors:
In the System Event log you will see a Failover Cluster event 1194:
Log Name: System
Source: Microsoft-Windows-FailoverClustering
Date: 3/27/2013 1:19:07 PM
Event ID: 1194
Task Category: Network Name Resource
Level: Error
Keywords:
User: SYSTEM
Computer: ComputerName
Description:
Cluster network name resource 'ComputerName' failed to create its associated computer object in domain 'DomainName' for the following reason: Unable to obtain access to Computer Object in DS.
The text for the associated error code is: Access is denied.
Please work with your domain administrator to ensure that:
- The cluster identity 'CNO' can create computer objects. By default all computer objects are created in the 'Computers' container; consult the domain administrator if this location has been changed.
- The quota for computer objects has not been reached.
- If there is an existing computer object, verify the Cluster Identity 'CNO' has 'Full Control' permission to that computer object using the Active Directory Users and Computers tool.
In the Cluster log you will see the following entries:
00000ea4.000012b0::2013/03/25-16:55:04.113 ERR [RES] Network Name < NetworkName>: Failed to obtain access to computer account < AccountName>, status 80070005
00000ea4.000012b0::2013/03/25-16:55:04.128 ERR [RHS] Online for resource <NetworkName> failed.
Note: To generate a Cluster log, run the following command from an administrator's command prompt. The Cluster.log file is written to the c:\windows\cluster\reports directory. The entries above will be in the Cluster log on the node where the online attempt failed.
Cluster log /gen
We determined that the root cause of the issue is the removal of NT AUTHORITY\Authenticated Users from the local Users group. By default, Authenticated Users is a member of that group.
The best solution is to add NT AUTHORITY\Authenticated Users back to the local Users group. This requires a reboot for the change to take effect. If your security team is unwilling to do this, you can instead disable the following two Security policies and refresh the policy by running gpupdate /force:
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
You will have to determine which of these two options best fits the security requirements for your environment. It may be a good option to create a separate Organizational Unit (OU) for your Cluster servers. This will allow you to apply the preferred change to only that limited subset of servers.
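As an added example (not part of the original post), the following PowerShell check verifies the three conditions discussed above on a cluster node: whether Authenticated Users is still in the local Users group, the state of the two "Network access" policies, and whether event 1194 has been logged recently. It assumes an elevated session and that the two policies are backed by the standard RestrictAnonymousSAM and RestrictAnonymous values under the Lsa registry key.

```powershell
# Added example, not code from the original post. Assumes an elevated session
# on a cluster node and the standard Lsa registry values backing the policies.

function Get-LocalUsersGroupMembers {
    # The WinNT provider also works on older nodes that lack Get-LocalGroupMember.
    $group = [ADSI]"WinNT://./Users,group"
    @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
}

function Test-AuthenticatedUsersInUsersGroup {
    (Get-LocalUsersGroupMembers) -contains 'Authenticated Users'
}

function Get-AnonymousEnumerationPolicy {
    # Backing values for the two policies named in the post (1 = policy enabled).
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    [pscustomobject]@{
        RestrictAnonymousSAM = [int]$lsa.RestrictAnonymousSAM  # "...enumeration of SAM accounts"
        RestrictAnonymous    = [int]$lsa.RestrictAnonymous     # "...of SAM accounts and shares"
    }
}

function Get-RecentNetworkNameFailures {
    param([int]$Hours = 24)
    # Event 1194 from the Failover Clustering provider, as shown in the post.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-FailoverClustering'
        Id           = 1194
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
}

$hasAuthUsers = Test-AuthenticatedUsersInUsersGroup
$policy       = Get-AnonymousEnumerationPolicy
$failures     = @(Get-RecentNetworkNameFailures)

"Authenticated Users in local Users group : $hasAuthUsers"
"Anonymous SAM enumeration blocked        : $($policy.RestrictAnonymousSAM -eq 1)"
"Anonymous SAM+share enumeration blocked  : $($policy.RestrictAnonymous -eq 1)"
"Event 1194 occurrences in the last 24h   : $($failures.Count)"

if (-not $hasAuthUsers -and ($policy.RestrictAnonymousSAM -eq 1 -or $policy.RestrictAnonymous -eq 1)) {
    Write-Warning 'Node matches the failing configuration: restore Authenticated Users to the Users group (reboot required) or disable both policies and run gpupdate /force.'
}
```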
Steven Andress
Senior Support Escalation Engineer
Microsoft Customer Support & Services
Comments
- Anonymous
November 11, 2013
This is an excellent article, however it assumes a level of familiarity with Windows that an admin may not have. The command "cluster log /gen" is not possible on my Windows 2012 R2. Cluster.exe does not exist. I had this exact same problem, but had to resort to creating a new CNO because I didn't know how to deal with the details in your explanation.
- Anonymous
December 27, 2014
I have this exact same problem. However, my local Users group contains the Authenticated Users. This is preventing me from putting Windows 2012 R2 into our production environment. I may have to open a ticket with Microsoft.
- Anonymous
September 09, 2015
If you're like me you hate both solutions offered in this blog; in that case, add LOCAL SERVICE and NETWORK SERVICE to the local Users group and it might just fix it for you like it did for me. We empty out the Users group, but inherently that is how LOCAL/NETWORK SERVICE get their access to many things in the OS, including files in %WINDIR%. Really those identities should have the access gained by being put into the Users group, so there is no harm/foul in adding them back in my opinion.
- Anonymous
February 11, 2016
Thank you very much for the information, I have spent days searching for answers to my problem. In my case, there is an added detail: the cluster nodes are DCs, so there are no local accounts. I tested the workaround of disabling the local policies, but it is failing. These local policies do not apply to domain controllers. Any suggestions? Thank you
JLMC