question

sanjayyadav-0917 avatar image
1 Vote"
sanjayyadav-0917 asked LorenHBurlingame-1242 commented

The computer object associated with the cluster network name resource 'Cluster Name' could not be updated in domain ‘domain.com during the Password change operation.

Hello all,

I have already scout through all other related topics but couldn't find the solution yet. 

 The computer object associated with the cluster network name resource 'Cluster Name' could not be updated in domain ‘domain.com during the 
 Password change operation.
    
 The text for the associated error code is: There are currently no logon servers available to service the logon request.
     
 The cluster identity 'SVV-MC-IPCLU$' may lack permissions required to update the object. Please work with your domain administrator to ensure that the cluster identity can update computer objects in the domain.

any help / tip will be appreciated.

windows-server-2016windows-server-clustering
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

2 Answers

Shashank-Singh avatar image
0 Votes"
Shashank-Singh answered Shashank-Singh commented

The problem I believe is this error

The cluster identity 'SVV-MC-IPCLU$' may lack permissions required to update the object. Please work with your domain administrator to ensure that the cluster identity can update computer objects in the domain.

The issue points to permission issue in OU where this object resides. This support article says about password update permission and it seems that is missing

Start the Active Directory Users and Computers snap-in from Administrative Tools.
On the View menu, click Advanced Features.
Locate the computer object that you want the Cluster service account to use.
Right-click the computer object, and then click Properties.
Click the Security tab, and then click Add.
Add the Cluster service account or a group that the Cluster Service account is a member of.
Grant the user or the group the following permissions:

Reset Password
Validated Write to DNS Host Name
Validated Write to Service Principal Name
Click OK.

Did you got chance to go through this blog the-computer-object-associated-with.html


· 6
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

sanjayyadav-0917 avatar image sanjayyadav-0917 ·

I have tried everything's as mentioned but the error always comes back,

its not being clear for me with the part of OU. I have already given the object in my case this are the nodes which cluster is managing the permission as described but the error comes up again.



0 Votes 0 ·
Shashank-Singh avatar image Shashank-Singh sanjayyadav-0917 ·

@sanjayyadav-0917 Let us say you have Windows cluster name WinClus and service account in picture whose password you are changing is ServAcc. Now you have to go to domain search for computer object which is WinClus and provide the service account ServAcc privilege mentioned in answer above.

0 Votes 0 ·
sanjayyadav-0917 avatar image sanjayyadav-0917 Shashank-Singh ·

I am really not getting through, I have given the svv-mcx-admin user permission over the cluster but still the same issue

Cluster name. : SVV-MC-IPCLU$

Service Account. : SVV-NCX-ADMIN

Node : IPE001 and IPE002

31214-screenshot-2020-10-09-at-120457.png


0 Votes 0 ·
screenshot-2020-10-09-at-120457.png (72 B)
Show more comments
XiaoweiHe-MSFT avatar image
0 Votes"
XiaoweiHe-MSFT answered LorenHBurlingame-1242 commented

Hi,

According to the error message, please check if the port 464 is open on DC. The port 464 on DC side needs to be opened to update CNO.

Besides, we may also use the command below to test the connection between cluster nodes and DC:

nltest /SERVER: <SERVER NAME> /sc_query: <DomainName>

Thanks for your time!
Best Regards,
Anne

If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

· 3
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

sanjayyadav-0917 avatar image sanjayyadav-0917 ·

Hi ,

I have checked with nltest and it all looks fine there is no issue between the server and DC, but I still see this error In cluster

0 Votes 0 ·
XiaoweiHe-MSFT avatar image XiaoweiHe-MSFT sanjayyadav-0917 ·

Hi,

Just to confirm if you checked port 464 is open on DC?

Please check the following command on DC to check if 464 is listening:

34826-image.png


1 Vote 1 ·
image.png (40.2 KiB)
LorenHBurlingame-1242 avatar image LorenHBurlingame-1242 sanjayyadav-0917 ·

Just wanted to let you know that this was the issue for me. Port 464 on both DC's was blocked from the cluster servers.

I started getting these errors in my logs a few weeks after creating cluster and, while it didn't affect the functionality of the cluster, it was driving me crazy that I couldn't get rid of these error messages.

I had assigned the permissions correctly and re-checked them a hundred times but couldn't figure it out until I opened the port on the DCs.

Thank you!

0 Votes 0 ·