0 Votes
JosephLarrew-0337 asked ChrisStanlake-5629 answered

Can't add Exchange Server 2019 server to a DAG. Error: CreateCluster() failed with 0x42a

Environment:

- Exchange Server 2019
- Exchange 2013 exists
- Forest functional level – 2016
- Exchange Server OS – Server 2019
- Exchange servers are VMs (vSphere 6.7)

Hey team, got an odd error here when my customer runs “Add-DatabaseAvailabilityGroupServer” for the first server being added to a 2019 DAG:

[2020-10-06T21:22:34] The operation wasn't successful because an error was encountered. You may find more details in log file "C:\ExchangeSetupLogs\DagTasks\dagtask_2020-10-06_21-19-28.923_add-databaseavailabiltygroupserver.log" on "XXXX-EX19A1-X". (the log is attached)

[2020-10-06T21:22:34] WriteError! Exception = Microsoft.Exchange.Cluster.Replay.DagTaskOperationFailedException: A server-side database availability group administrative operation failed. Error The operation failed. CreateCluster errors may result from incorrectly configured static addresses. Error: An error occurred while attempting a cluster operation. Error: Cluster API failed: "CreateCluster() failed with 0x42a. Error: The service has returned a service-specific error code". --->

[30752-error-dag.txt][1]

When I look up further in the log that the error mentions, I see the error code mentioned:

[2020-10-06T21:22:34] ClusterSetupProgressCallback( eSetupPhase = ClusterSetupPhaseFormingCluster, ePhaseType = ClusterSetupPhaseEnd, ePhaseSeverity = ClusterSetupPhaseFatal, dwPercentComplete = 56, szObjectName = xxxx-daga-x, dwStatus = 0x42a )

We tried adding a different server first, but same error occurs. I’ve seen a couple of links mentioning permissions/configurations on the CNO and duplicate MACs, but all those things are set correctly as well. We’ve also tried removing and re-creating the DAG (with the same name and with a different name) without an IP without success. At first, we were getting an error about Failover Clustering not being installed. We checked that and it said a restart was pending, so we restarted and now we get this error above.

Also in the log, it mentions the DAG CNO doesn’t exist, but it does. Screenshots show the command we ran and where it sticks, then the second shows the error message that comes up afterward. Anyone got any ideas?

![30773-screenshot.png][2]![30783-failedscreenshot.png][3]

[1]: /answers/storage/attachments/30752-error-dag.txt
[2]: /answers/storage/attachments/30773-screenshot.png
[3]: /answers/storage/attachments/30783-failedscreenshot.png


We've also found that the cluster service won't start, so that's kind of a big deal...

0 Votes 0 ·

The event log shows events 1090, 7024, and 7031, with 1090 being a critical error about an attempt to read configuration data from the Windows registry failed with error 2. It's not a part of a cluster and I can't use Add Node Wizard to add it (not that I would want to anyway).

0 Votes 0 ·

Well, if there is no cluster, would the service start? I found that the error is referring to a file not being found. Of course it isn't found because there is no cluster, thus the service shouldn't start, right?

0 Votes 0 ·

Now we also can't add any servers to the 2013 DAGs in the lab. We've been making some changes around AD, but we still haven't figured it out.

0 Votes 0 ·
0 Votes
AshokM-8240 answered AshokM-8240 commented

Hi,

Can you please check the below,

  1. Have you pre-staged the CNO object?

https://docs.microsoft.com/en-us/exchange/high-availability/manage-ha/pre-stage-dag-cnos?view=exchserver-2019

  2. Can you try creating an IP-less DAG and check if the issue still persists?

  3. Make sure the firewall communication between the Exchange servers is allowed

  4. Try disabling Windows Firewall/AV on the Exchange temporarily and check again

  5. If you have multiple NICs, make sure it uses the primary NIC for the communication

  6. Uninstall the failover cluster manager, disable IPv6 using registry, reboot the server and then try adding it

Disabling IPv6 using registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters
Set DisabledComponents to ffffffff

Please note: Take a backup of the registry before making changes and be careful with the changes, as improper configuration would lead to other issues.

Also, it's not recommended to disable IPv6; this is only for addressing this issue and checking if this resolves it. I fixed a similar issue in an environment by disabling IPv6, and once the node was added successfully, I re-enabled it again.

  7. Check the GPO for any deny policy on the local logins because a local user account CLIUSR will be created

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Deny Log on Locally



"Now we also can't add any servers to the 2013 DAGs in the lab. We've been making some changes around AD, but we still haven't figured it out."

Could you please explain what changes were done in AD, and are you trying to add both Exchange 2013 & 2019 in the same DAG?

The cluster service will be installed while installing the Failover Cluster Manager and it will start once the node is added to the DAG. The "cluster service won't start" event is triggered because the node is trying to join the DAG and it will attempt to start it. So, this can be ignored for now unless it is still populating even after the node is joined.


I'm marking this as the answer because it led me down the path of checking GPOs. Well, what we ended up doing is moving the computer object to an OU where no GPOs were being applied and then gave it a go. Turns out it worked, so some group policy setting was the issue. As the lazy admin I am, I didn't disable settings one-by-one and re-attempt the operation to really find out which setting it was, but the only thing that makes sense to me is either "Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment" or "Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options"

1 Vote 1 ·

Glad to know the issue has been resolved. Please find the GPO settings for Deny in "User Rights Assignment" & "Security Options" policies. As an additional note, GPOs need to be applied as part of Windows Server MSB.

0 Votes 0 ·

Pre-staged CNO - Yes, done according to link you provided.

Yes, we created one, but we still cannot add anything to even an IP-less DAG

There are no external firewalls

We can try disabling Windows firewall, though in my experience, this usually does nothing because Exchange is FAIRLY pretty good at configuring Windows Firewall requirements

To confirm if the primary NIC is being used, how do you suggest doing that? I normally do it with a "Get-TransportConfig" and ensuring it is all 0's. Also, we only have one NIC on these servers. They are VMs, so we can create NICs that are "big enough" for Exchange requirements (10GB throughput)

Have tried this, no effect

Interesting and good point. I do need to check this.

Unfortunately, I won't be much able to describe changes done to AD, as this is a lab environment where more people are involved than the Exchange team. Since it is a lab environment, changes aren't really being logged how they should.

0 Votes 0 ·

So I log on to this server and I can see the failover clustering feature was successfully installed, but the CLIUSR isn't listed in Local User Management snap-in. Quite interesting. Any idea when it is supposed to get created? Like, is it supposed to get created once the cluster is actually and successfully created? Or is it supposed to get created when the clustering feature gets installed?

0 Votes 0 ·
0 Votes
KaelYao-MSFT answered JosephLarrew-0337 commented

Hi,
"if there is no cluster, would the service start?"
I tested it in my lab (Exchange 2019 CU2):
If the server hasn't been added to the DAG (a cluster) yet, the cluster service is disabled and can't be started (the button is grayed out).
Are you able to click start? And after that, does the Event Viewer generate the 1090, 7024, 7031 errors?

"Now we also can't add any servers to the 2013 DAGs in the lab."
Did you receive the same error as Exchange 2019?
Please check if there are some network problems between the new servers and the members of the DAG.




I am able to change the startup type to automatic (or anything else) and then try to start it, then it generates those errors, which I now think is expected and correct behavior, so no big deal on that. These servers and the DAG IPs are on the same subnet with no traffic being restricted between IPs on that same subnet (normal configuration in most places).

0 Votes 0 ·
1 Vote
JosephLarrew-0337 answered KaelYao-MSFT commented

For the TL;DR folks, the answer ended up being that there was a "Deny access to this computer from the network" setting configured to not allow "Local Accounts" (read as: CLIUSR). And that makes sense because that user is heavily involved in managing and establishing the cluster.


Glad to hear that you have found the answer.
Thanks for your sharing!

0 Votes 0 ·
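
A direct way to look for the setting identified in the answer above, as an added example that is not part of the original thread: it exports the effective user rights with `secedit` and lists the members of the two deny rights named in the discussion, flagging entries that cover local accounts such as CLIUSR. The function name and output columns are this example's own; `S-1-5-113` and `S-1-5-114` are the well-known "Local account" SIDs.

```powershell
# Added example: list "deny" logon rights on this server that cover local
# accounts such as CLIUSR. Run elevated on the Exchange server.
function Get-DenyRightsCoveringLocalAccounts {
    param([string]$InfPath)   # optional: an existing secedit export to parse

    # The two User Rights Assignment settings named in the thread.
    $rights = @{
        SeDenyNetworkLogonRight     = 'Deny access to this computer from the network'
        SeDenyInteractiveLogonRight = 'Deny log on locally'
    }
    # Well-known SIDs that match every local account on the machine.
    $localSids = @{
        'S-1-5-113' = 'Local account'
        'S-1-5-114' = 'Local account and member of Administrators group'
    }

    $temp = $null
    if (-not $InfPath) {
        $temp = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
        secedit.exe /export /cfg $temp /areas USER_RIGHTS /quiet
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed: $LASTEXITCODE" }
        $InfPath = $temp
    }
    try {
        foreach ($line in Get-Content -LiteralPath $InfPath) {
            # Export lines look like: SeDenyNetworkLogonRight = *S-1-5-113,Guest
            if ($line -notmatch '^\s*(\w+)\s*=\s*(.+)$') { continue }
            $right, $members = $Matches[1], $Matches[2]
            if (-not $rights.ContainsKey($right)) { continue }
            foreach ($m in $members.Split(',')) {
                $id = $m.Trim().TrimStart('*')   # SIDs are exported with a leading '*'
                $isLocalSid = $localSids.ContainsKey($id)
                $label = if ($isLocalSid) { "$id ($($localSids[$id]))" } else { $id }
                [pscustomobject]@{
                    Setting      = $rights[$right]
                    Principal    = $label
                    CoversCLIUSR = $isLocalSid -or ($id -match '(^|\\)CLIUSR$')
                }
            }
        }
    } finally {
        if ($temp) { Remove-Item -LiteralPath $temp -ErrorAction SilentlyContinue }
    }
}

Get-DenyRightsCoveringLocalAccounts | Where-Object CoversCLIUSR | Format-Table -AutoSize
```

Any row returned means a deny right on this server applies to local accounts; `gpresult /h report.html` then shows which GPO is supplying that setting.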
0 Votes
ChrisStanlake-5629 answered

So glad I found this post, the same GPO setting was stopping me adding a second server into a DAG in Exchange 2019.
