Unable to add file shares in a Windows 2012 R2 Failover Cluster
My name is Chinmoy Joshi and I am a Support Escalation Engineer with the Windows Core team. I’m writing today to share information regarding an issue which I came across with multiple customers recently.
Consider a two-node 2012 R2 Failover Cluster using shared disks to host a File Server role. To add shares to the File Server role, select the role and right-click it to get the Add File Share option. The Add File Share option is also available in the far-right column. Upon doing this, you may receive the error “There were errors retrieving file shares”, or the Add Share wizard may get stuck with “Unable to retrieve all data needed to run the wizard”.
When the Add Share wizard starts, it tries to enumerate all current shares on the node and across the Cluster. There can be multiple reasons why Failover Cluster Manager would throw these errors. We will cover two of the known scenarios that can cause this.
Scenario 1:
Domain Users/Admins can be part of nested groups; meaning, they are in a group that is part of another group. As part of security, a token header is passed, and that header can become bloated. Bloated headers can occur when the user/admin is part of nested groups or was migrated from one domain to a new domain carrying older SIDs. In our case, the domain user was a member of a large number of Active Directory groups. There are three ways to resolve this:
A) Reduce the number of Active Directory groups the user is a member of,
B) Clean up the SID History, or
C) Modify the HTTP service registry key with the following registry values:
Caution: Please back up the registry before modifying it in case you need to revert the changes.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
"MaxFieldLength"=dword:0000fffe
"MaxRequestBytes"=dword:00010000
Note that these values may not be there, so they will need to be created.
Here, the HTTPS protocol uses Kerberos for authentication, and the token header generated was too large, which throws an error. When this is the case, you will see the following event:
Log Name: Microsoft-Windows-FileServices-ServerManager-EventProvider/Operational
Source: Microsoft-Windows-FileServices-ServerManager-EventProvider
Event ID: 0
Level: Error
Description: Exception: Caught exception Microsoft.Management.Infrastructure.CimException: The WinRM client received an HTTP bad request status (400), but the remote service did not include any other information about the cause of the failure.
at Microsoft.Management.Infrastructure.Internal.Operations.CimSyncEnumeratorBase`1.MoveNext()
at Microsoft.FileServer.Management.Plugin.Services.FSCimSession.PerformQuery(String cimNamespace, String queryString)
at Microsoft.FileServer.Management.Plugin.Services.ClusterEnumerator.RetrieveClusterConnections(ComputerName serverName, ClusterMemberTypes memberTypeToQuery)
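One way to check a node for Scenario 1 and apply option C, as an added example that is not part of the original article: it looks for the HTTP 400 event shown above, exports the key as a backup, and raises the two values only where they are missing or lower. The -Apply switch and the backup file name are assumptions of this example.

```powershell
# Added example: run locally in an elevated PowerShell session on each cluster node.
param([switch]$Apply)   # hypothetical switch: without it the script only reports

$log    = 'Microsoft-Windows-FileServices-ServerManager-EventProvider/Operational'
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$wanted = [ordered]@{ MaxFieldLength = 0xfffe; MaxRequestBytes = 0x10000 }

# 1. Look for Event ID 0 errors carrying the HTTP 400 text quoted in the article.
$hits = @(Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 0; Level = 2 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'HTTP bad request status \(400\)' })
Write-Host ("{0} matching event(s) in {1}" -f $hits.Count, $log)
if ($hits.Count) { Write-Host ("Most recent: {0}" -f $hits[0].TimeCreated) }

# 2. Back up the key before any change, as the article advises.
if ($Apply) {
    $backup = Join-Path $env:TEMP ("HTTP-Parameters-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters' $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry export failed; no values were changed.' }
    Write-Host "Backup written to $backup"
}

# 3. Report each value; raise it only when it is missing or below the article's value.
foreach ($name in $wanted.Keys) {
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $state = if ($null -eq $current) { 'missing' } elseif ($current -lt $wanted[$name]) { 'below target' } else { 'ok' }
    if ($Apply -and $state -ne 'ok') {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $wanted[$name] -Force | Out-Null
        $state = "$state -> set"
    }
    [pscustomobject]@{
        Name    = $name
        Current = $current
        Target  = '0x{0:x8}' -f $wanted[$name]
        State   = $state
    }
}
```

HTTP.sys reads these values when it starts, so a change takes effect only after the HTTP service is restarted or the node is rebooted.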
References:
Problems with Kerberos authentication when a user belongs to many groups
Scenario 2:
The second most common reason for not being able to create file shares is the WinRM policy being enabled with only an IPv4 filter. When this is set, you will see this in the wizard:
To see if it is set on the Cluster nodes, go into the Local Security Policy from the Administrative Tools or Server Manager. Once there, follow down the path to:
If you go into the Group Policy Editor, it would be located at:
Local Computer Policy
Computer Configuration
Administrative Templates
Windows Components
Windows Remote Management (WinRM)
WinRM Service
Allow remote server management through WinRM
If it is enabled, open that policy and check whether the box for IPv6 has an asterisk in it.
You will run into this error if only IPv4 is selected. To resolve this, either disable the policy or also add an asterisk for IPv6. For the change to take effect, you will need to reboot the system. After the reboot, go back into Group Policy Editor to see whether the setting has been reverted. If it has, you will need to check your domain policies and make the change there.
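The same check can be scripted on each node. This is an added example, not part of the original article; it assumes the policy is stored under the standard Administrative Template key shown in the code, and the function name is hypothetical.

```powershell
# Added example: report the state of the policy
# "Allow remote server management through WinRM" on this node.
# Assumption: the policy writes AllowAutoConfig, IPv4Filter and IPv6Filter under this key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'

function Get-WinRMFilterVerdict {   # hypothetical helper name
    param($AllowAutoConfig, [string]$IPv4Filter, [string]$IPv6Filter)
    if ($AllowAutoConfig -ne 1) {
        return 'Policy not enabled: filters are not enforced by policy'
    }
    if ([string]::IsNullOrWhiteSpace($IPv6Filter)) {
        return 'Policy enabled with an empty IPv6 filter: matches Scenario 2'
    }
    if ([string]::IsNullOrWhiteSpace($IPv4Filter)) {
        return 'Policy enabled with an empty IPv4 filter'
    }
    return 'Policy enabled with both filters set'
}

# Read the policy values; $p stays $null when the policy key does not exist.
$p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    AllowAutoConfig = $p.AllowAutoConfig
    IPv4Filter      = $p.IPv4Filter
    IPv6Filter      = $p.IPv6Filter
    Verdict         = Get-WinRMFilterVerdict $p.AllowAutoConfig $p.IPv4Filter $p.IPv6Filter
}

# When the policy is enabled, list the computer GPOs applied to this node so a
# domain policy that keeps restoring the setting can be identified.
if ($p.AllowAutoConfig -eq 1) {
    & gpresult.exe /scope computer /r
}
```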
Hope this helps you save time in resolving the issue. Good luck!!
Chinmoy Joshi
Support Escalation Engineer
Comments
- Anonymous
September 15, 2015
Good one Chin !
- Anonymous
September 25, 2015
I am facing this problem before I was able to create a share. My error message is below:
Log Name: Microsoft-Windows-FileServices-ServerManager-EventProvider/Operational
Source: Microsoft-Windows-FileServices-ServerManager-EventProvider
Date: 9/25/2015 8:50:51 PM
Event ID: 0
Task Category: Trace
Level: Error
Keywords: General
User: FORTRESSAdministrator
Computer: CLS01.Fortress.org
Description:
Exception: Caught exception Microsoft.Management.Infrastructure.CimException: The WinRM client cannot process the request because the server name cannot be resolved.
at Microsoft.Management.Infrastructure.Internal.Operations.CimSyncEnumeratorBase`1.MoveNext()
at Microsoft.FileServer.Management.Plugin.Services.FSCimSession.PerformQuery(String cimNamespace, String queryString)
at Microsoft.FileServer.Management.Plugin.Services.ClusterEnumerator.RetrieveClusterConnections(ComputerName serverName, ClusterMemberTypes memberTypeToQuery)
- Anonymous
September 29, 2015
Thank you, James, for the question. It looks like a WinRM issue to me. Hence, I will suggest referring to this blog for suggestions and guidance: http://blogs.technet.com/b/jonjor/archive/2009/01/09/winrm-windows-remote-management-troubleshooting.aspx Hope it helps you.
- Anonymous
January 02, 2016
In my case I have a 4 node WFC with WinRM enabled and it is on ESXi 5.5 U2.
In PowerShell, get-smbshare shows online, but the WFC mgmt console is showing the loading screen only.
Any hint where to check?
- Anonymous
January 06, 2016
Hi Kamlesh, a good place to start will be the event logs under Applications and Services Logs > Microsoft > Windows > FileServices-ServerManager-EventProvider/Operational. Look for "event id: 0" and its description, as that could give you more leads. Also, please go through my other blog post covering the WinRM issue:
http://blogs.technet.com/b/askcore/archive/2015/11/23/errors-retrieving-file-shares-on-windows-failover-cluster.aspx