Windows Server 2008 Failover Cluster - Event 1207 (CNO computer account password update failed, access is denied)

SYMPTOM
===============
Event 1207 (CNO computer account password update failed, access is denied)


 

PROBABLE CAUSE
===============
Some of the default ACL entries on the CNO computer object are missing.

 

RESOLUTION
===============
We compared the default ACL entries of a CNO against the problematic CNO in the production environment and made the following changes to the production object:
a. Removed the "Account Operators" group from the CNO's "Member of" list
b. Added an ACL entry granting "Full control" to "Account Operators", with "Apply to: This object only"
c. Added an ACL entry granting "Full control" to "Administrator", with "Apply to: This object only"
d. Changed the ACL entry for "SELF" to grant "Full control", with "Apply to: This object only"
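The following PowerShell script is an added example and is not part of the original article. It audits a CNO against the entries listed above, so a practitioner can confirm the fix (or spot the same drift on another cluster) without walking the ADUC dialogs. The SELF entry is the one Event 1207 depends on, since the CNO resets its own computer-account password under its own identity. It assumes the ActiveDirectory module (RSAT) is installed, the session has read access to the object, and the cluster name `CLUSTER01` is a placeholder.

```powershell
function Test-CnoAcl {
    # Reports whether the CNO carries the three explicit Full-control / "this object only"
    # entries restored in the RESOLUTION above, and whether it is still a member of
    # Account Operators (step a).
    param(
        [Parameter(Mandatory)][string]$ClusterName   # sAMAccountName of the CNO, without the trailing $
    )
    Import-Module ActiveDirectory
    $cno  = Get-ADComputer -Identity $ClusterName
    $acl  = Get-Acl -Path "AD:\$($cno.DistinguishedName)"
    $full = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    # Trustees the article expects, written as they appear in IdentityReference
    $expected = @(
        'BUILTIN\Account Operators',
        "$((Get-ADDomain).NetBIOSName)\Administrator",
        'NT AUTHORITY\SELF'      # the CNO itself; this entry lets it reset its own password
    )
    foreach ($trustee in $expected) {
        $match = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $trustee -and
            $_.AccessControlType -eq 'Allow' -and
            -not $_.IsInherited -and
            $_.InheritanceType -eq 'None' -and                     # "Apply to: This object only"
            (($_.ActiveDirectoryRights -band $full) -eq $full)      # Full control (all generic bits set)
        }
        [pscustomobject]@{
            Check  = "Full control / this object only for $trustee"
            Result = if ($match) { 'present' } else { 'MISSING' }
        }
    }

    # Step a: the CNO should not itself be a member of Account Operators
    $groups = Get-ADPrincipalGroupMembership -Identity $cno | Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Check  = 'CNO not a member of Account Operators'
        Result = if ($groups -contains 'Account Operators') { 'MEMBER (remove it)' } else { 'ok' }
    }
}

# Usage with a placeholder cluster name:
# Test-CnoAcl -ClusterName 'CLUSTER01' | Format-Table -AutoSize
```

The check deliberately ignores inherited entries: the article's entries are explicit ACEs on the CNO, so an inherited Full-control entry from the container would mask a missing explicit one.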

 

References:

Description of the failover cluster security model in Windows Server 2008
https://support.microsoft.com/kb/947049

Q. How can the CNO be given permission to create the corresponding computer accounts for VCOs in AD?
A. There are two solutions: delegation and pre-staging the VCO.

 

The delegation method is as follows:

Use the following steps to set up the permission delegation ("User Right Delegation").

Delegate User with the Right to Create/Delete Computer Account

1. Open the ADUC console, right-click the "Computers" OU, click "Delegate Control", then click "Next"

2. "Add" the "TPFHS01$" computer object, i.e. the principal you would like to delegate the task(s) to (Authenticated Users is another example), then click "Next"

3. Select "Create a custom task to delegate", then click "Next" (the "Delegate the following common tasks" option lists predefined tasks for convenience; we will not be using it)

4. Select "Only the following objects in the folder", check "Computer Objects", check "Create selected objects in this folder", check "Delete selected objects in this folder", click "Next"

5. Check "Full control" in Permissions, click "Next"

6. Click "Finish"

7. Verify the setting by right-clicking the OU and clicking "Properties". Under the "Security" tab you will find the principal selected in step 2.

 

The pre-stage VCO method is as follows:

The procedure for pre-staging a VCO account is given below; see the linked article for reference.

https://technet.microsoft.com/en-us/library/cc731002(WS.10).aspx#BKMK_steps_precreating2

Steps for prestaging an account for a clustered service or application

It is usually simpler if you do not prestage the computer account for a clustered service or application, but instead allow the account to be created and configured automatically when you run the High Availability wizard. However, if it is necessary to prestage accounts because of requirements in your organization, use the following procedure.

Membership in the Account Operators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at https://go.microsoft.com/fwlink/?LinkId=83477.

To prestage an account for a clustered service or application

1. Make sure that you know the name of the cluster and the name that the clustered service or application will have.

2. On a domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

3. In the console tree, right-click Computers or the default container in which computer accounts are created in your domain. Computers is located in Active Directory Users and Computers/domain node/Computers.

4. Click New and then click Computer.

5. Type the name that you will use for the clustered service or application, and then click OK.

6. On the View menu, make sure that Advanced Features is selected.

    When Advanced Features is selected, you can see the Security tab in the properties of accounts (objects) in Active Directory Users and Computers.

7. Right-click the computer account you just created, and then click Properties.

8. On the Security tab, click Add.

9. Click Object Types and make sure that Computers is selected, and then click OK. Then, under Enter the object name to select, type the cluster name account, and then click OK. If a message appears, saying that you are about to add a disabled object, click OK.

10. Make sure that the cluster name account is selected, and then, next to Full Control, select the Allow check box.
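As an added example (not from the original article or from Microsoft's documentation), the script below gives PowerShell equivalents of both procedures on this page: the "Delegate Control" steps on the container, and the VCO pre-staging steps ending with Full control for the cluster name account. It assumes the ActiveDirectory module (RSAT), a session running as a member of Account Operators or equivalent, and that `CLUSTER01`, `FILESVR01` and `CN=Computers,DC=example,DC=com` are placeholders. One deliberate difference: the delegation is scoped to creating and deleting computer objects only, which is narrower than the "Full control" chosen in step 5 of the wizard procedure.

```powershell
Import-Module ActiveDirectory

function Add-AdAccessRule {
    # Appends one Allow ACE to an AD object's DACL. $ObjectType is a schema GUID that limits the
    # right to one object class (e.g. computer); leave it empty for an unscoped right.
    param(
        [Parameter(Mandatory)][string]$TargetDn,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'None',  # 'None' = "This object only"
        [guid]$ObjectType = [guid]::Empty
    )
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    if ($ObjectType -eq [guid]::Empty) {
        $ctorArgs = @($Sid, $Rights, $allow, $Inheritance)
    } else {
        $ctorArgs = @($Sid, $Rights, $allow, $ObjectType, $Inheritance)
    }
    $ace  = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ctorArgs
    $path = "AD:\$TargetDn"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Grant-ComputerObjectDelegation {
    # Counterpart of the "Delegate Control" wizard: lets the cluster name account create and
    # delete computer objects in the container (steps 4 and 5), scoped to the computer class.
    param(
        [Parameter(Mandatory)][string]$ContainerDn,
        [Parameter(Mandatory)][string]$ClusterName   # CNO sAMAccountName without the trailing $
    )
    $cno = Get-ADComputer -Identity $ClusterName
    # schemaIDGUID of the 'computer' class, read from the schema rather than hard-coded
    $schemaNc      = (Get-ADRootDSE).schemaNamingContext
    $computerClass = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
    $computerGuid  = [guid]$computerClass.schemaIDGUID
    $rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
    Add-AdAccessRule -TargetDn $ContainerDn -Sid $cno.SID -Rights $rights -Inheritance None -ObjectType $computerGuid
}

function New-PrestagedVco {
    # Counterpart of the prestaging steps: create the VCO computer account (steps 3-5) and
    # grant the cluster name account Full control of that object only (steps 7-10).
    param(
        [Parameter(Mandatory)][string]$VcoName,      # name the clustered service or application will have
        [Parameter(Mandatory)][string]$ClusterName,
        [Parameter(Mandatory)][string]$ContainerDn
    )
    $cno = Get-ADComputer -Identity $ClusterName
    $vco = New-ADComputer -Name $VcoName -Path $ContainerDn -PassThru
    Add-AdAccessRule -TargetDn $vco.DistinguishedName -Sid $cno.SID -Rights GenericAll -Inheritance None
    return $vco
}

function Get-AceForCluster {
    # Step 7 of the delegation procedure: list the explicit entries for the cluster name account
    param([Parameter(Mandatory)][string]$TargetDn, [Parameter(Mandatory)][string]$ClusterName)
    (Get-Acl -Path "AD:\$TargetDn").Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -like "*\$ClusterName`$" } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType
}

# Usage with placeholder names:
# Grant-ComputerObjectDelegation -ContainerDn 'CN=Computers,DC=example,DC=com' -ClusterName 'CLUSTER01'
# New-PrestagedVco -VcoName 'FILESVR01' -ClusterName 'CLUSTER01' -ContainerDn 'CN=Computers,DC=example,DC=com'
# Get-AceForCluster -TargetDn 'CN=Computers,DC=example,DC=com' -ClusterName 'CLUSTER01'
```

`Get-AceForCluster` is the scripted form of the verification in step 7 of the delegation procedure; after `Grant-ComputerObjectDelegation` it should show a single `CreateChild, DeleteChild` entry whose `ObjectType` is the computer class GUID, and after `New-PrestagedVco` (run against the new VCO's DN) a single `GenericAll` entry with `InheritanceType` of `None`.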