Clustering problems - Network Name offline

Discussion in 'Clustering' started by Allyn, May 17, 2010.

  1. Allyn

    Allyn Guest

    We had a SAN that went belly up over the weekend, and we're having problems
    getting the cluster back on line. It has been running for some time. There
    are 3 errors in the event viewer:

    Event ID: 1205; The Cluster service failed to bring clustered service or
    application 'printserver' completely online or offline. One or more resources
    may be in a failed state. This may impact the availability of the clustered
    service or application.

    Event ID: 1207; Cluster network name resource 'printserver' cannot be
    brought online. The computer object associated with the resource could not be
    updated in domain '' for the following reason:
    Unable to obtain the Primary Cluster Name Identity token.

    The text for the associated error code is: An attempt has been made to
    operate on an impersonation token by a thread that is not currently
    impersonating a client.

    The cluster identity 'PRINTSERVERCLUS$' may lack permissions required to
    update the object. Please work with your domain administrator to ensure that
    the cluster identity can update computer objects in the domain.

    Event ID: 1069: Cluster resource 'printserver' in clustered service or
    application 'printserver' failed.


    A possible related error is on the domain controller:

    Event ID 4: The Kerberos client received a KRB_AP_ERR_MODIFIED error from
    the server . The target name used was host/PRINTSERVERCLUSTER.DOMAIN.COM.
    This indicates that the target server failed to decrypt the ticket provided
    by the client. This can occur when the target server principal name (SPN) is
    registered on an account other than the account the target service is using.
    Please ensure that the target SPN is registered on, and only registered on,
    the account used by the server. This error can also happen when the target
    service is using a different password for the target service account than
    what the Kerberos Key Distribution Center (KDC) has for the target service
    account. Please ensure that the service on the server and the KDC are both
    updated to use the current password. If the server name is not fully
    qualified, and the target domain () is different from the client domain
    (DOMAIN.COM), check if there are identically named server accounts in these
    two domains, or use the fully-qualified name to identify the server.


    I apologize if the previous post eventually shows up and there are duplicate
    posts, but we urgently need to get this running.

    The PRINTSERVERCLUSTER$ account was never deleted from the domain, and per a
    couple of similar hits, I added this account to "Access this computer from
    the network" under the User Rights Assignement in the Local Security Policy.

    I would be very grateful for any thoughts and directions.
    Allyn, May 17, 2010
    1. Advertisements

  2. Allyn

    frankm Guest

    frankm, May 18, 2010
    1. Advertisements

  3. Just based on the SAN failure, I am betting that you have some disk
    signature issues. So, the previous post about using the clusterrecovery.exe
    tool is a good first step. Does the quorum disk come online?

    Since the SAN failed, it is likely that the SAN configurations for the HBA
    WWNs have been lost and not properly reconfigured. Make sure that you reset
    the LUN masks.

    If the SAN has been reconfigured, you should be able to at least see the
    cluster disk from each node. Can you do that? You will also need to be able
    to see the disk used for the printer spool with any shared drivers that you
    might have installed there, too.
    So, the name itself isn't coming online? Well, that is completely different
    from a disk error. Does the name still map to the cluster's virtual IP in
    DNS? Is the name still valid in AD?
    This again points to the name resource being the problem here. Can you
    create a new name resource dependent on the IP and see if it comes online?
    If so, then you might want to delete the AD computer account and recreate
    it. If there is a problem with creating a new name resource, then you may
    have to take other steps. Of course, you can always create another IP
    resource and name resource to verify that they will come online. This will
    at least tell you if there is a problem with the cluster services.
    This sounds like a Cluster Name Object (CNO) issue.
    Have you run setspn with the name?

    Good luck.

    Russ Kaufmann
    MVP, MCT, MCITP x7, MCTS x9, MCSE x4, CTT+, a Microsoft Gold Certified Partner

    Russ Kaufmann, May 18, 2010
  4. Allyn

    RCan Guest

    Hi Russ, Hi Allyn,

    I would also bet at "CNO" issues :)

    Check this out to "repair" the CNO in your active directory :
    Failover Cluster Step-by-Step Guide: Configuring Accounts in Active
    especially section "Steps for troubleshooting problems related to accounts
    used by the cluster"

    Hope that helps

    RCan, May 18, 2010
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.