Another quick post with a non-very-obvious solution, this time on a new Windows Server 2008 R2 cluster.
The case went like this:
- The OSes of the nodes were built according to the security requirements of the customer
- We added the Failover Clustering feature and attempted to create a new cluster while running the wizard as a member of Domain Admins who has Administrator permissions on all the nodes
- The computer account in the domain was created for the Cluster Name Object (CNO), the account ‘SELF’ had full control
- The wizard completed fine and the summary report showed no problems
- The Cluster Name resource couldn’t come online
- On the nodes the event ID 1206 was logged, which said:
- Cluster network name resource 'Cluster Name' cannot be brought online. The computer object associated with the resource could not be updated in domain 'domain.name'. The error code was 'Unable to find computer account on DC where it was created'. The cluster identity 'CLUSTER01$' may lack permissions required to update the object. Please work with your domain administrator to ensure that the cluster identity can update computer objects in the domain
- More confusing still, in the security log of the DC, there were “Kerberos pre-authentication failed” errors for the CNOs computer account, indicating that the wrong password was being used
The problem turned out to be that the built-in group “Authenticated Users” had been removed from the built-in group “Users” on the OS of each of the nodes. The customer didn’t want to add “Authenticated Users” back into this group as that would have granted too many accounts too many rights. The work-around we put in was to create a domain group and nest the newly created CNO into this group. This group was placed into the “Users” built in group on all the cluster nodes. In this way, the CNO now has membership in the built-in group “Users” on each of the nodes.
We needed to reboot all of the nodes before this change would take effect.
I hope this helps someone out there.