Event ID 1207 — Active Directory Permissions for Cluster Accounts
Applies To: Windows Server 2008
When you create a new clustered service or application, a computer object (computer account) for that clustered service or application must be created in the Active Directory domain. This computer object is created by the computer object of the cluster itself. If the computer object of the cluster itself does not have the appropriate permissions, it cannot create or update the computer object for the clustered service or application.
|Product:|Windows Operating System|
|Message:|Cluster network name resource '%1' cannot be brought online. The computer object associated with the resource could not be updated in domain '%2' for the following reason:|
||The text for the associated error code is: %4|
||The cluster identity '%5' may lack permissions required to update the object. Please work with your domain administrator to ensure that the cluster identity can update computer objects in the domain.|
Check permissions and quota related to updating computer objects
A problem occurred when the computer object (computer account) for the cluster in the Active Directory domain tried to update the computer object for a clustered service or application. The computer object for the cluster must have appropriate permissions to allow it to perform the update. Review the information in the event message and choose applicable items from "Items to review in Active Directory."
If you are not currently viewing the event message in Event Viewer, see "Opening Event Viewer and viewing events related to failover clustering." If the event contains an error code that you have not yet looked up, see "Finding more information about error codes that some event messages contain."
Items to review in Active Directory
You can view information for the first three items in the following list by using Active Directory Users and Computers on a domain controller. To open Active Directory Users and Computers on a domain controller, click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- Check whether there is a computer object for the new clustered service or application. If there is, check the permissions associated with that object, and make sure that the computer object for the cluster itself has Full control permission. Also, when viewing the properties for the computer object for the new clustered service or application, confirm that the Account is disabled box is cleared (the account must be enabled, not disabled).
- Check the permissions assigned to the computer object (computer account) for the cluster itself. This computer object has the same name as the cluster. It must have the Create Computer Objects permission in the domain.
- Check that the domain settings are not preventing a new computer object from being created. By default all computer objects are created in the Computers container. Consult with the domain administrator if this location has been changed.
- Check that the domain-wide quota for creating computer objects (by default, 10) has not been reached. If it has, it might be appropriate to consult with the domain administrator about increasing the quota, although this is a domain-wide setting and should be changed only after careful consideration, and only after trying the previous items in this list.
  To change the quota, run ADSIEdit.msc, click ADSI Edit, click Action, click Connect to, and then click OK. The Default naming context is added to the console tree. Double-click Default naming context, right-click the domain object underneath it, and then click Properties. Scroll to ms-DS-MachineAccountQuota, click Edit, change the value, and then click OK.
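The items in the list above can also be read from the directory without changing anything. The following PowerShell script is an added example, not part of the original article; `CLUSTER1` and `FILESRV1` are placeholder names, and the helper `Get-ClusterAce` is hypothetical.

```powershell
# Added example: read-only checks for the Active Directory items listed above.
# CLUSTER1 and FILESRV1 are placeholders, not names from the original article.
$ClusterName = 'CLUSTER1'   # computer object of the cluster itself
$ServiceName = 'FILESRV1'   # computer object of the clustered service or application

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.psbase.Properties['defaultNamingContext'].Value
$domain   = [ADSI]"LDAP://$domainDn"

# Access rules on a directory entry that name the cluster's computer account directly.
function Get-ClusterAce($Entry) {
    $Entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -like "*\$ClusterName`$" }
}

# Item 1: the service's computer object exists, is enabled, and grants the cluster Full control.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ServiceName`$))"
$hit = $searcher.FindOne()
if ($hit) {
    $svc = $hit.GetDirectoryEntry()
    $uac = [int]$svc.psbase.Properties['userAccountControl'].Value
    "Object found:             " + $svc.psbase.Properties['distinguishedName'].Value
    "Account is disabled:      " + [bool]($uac -band 0x2)   # ACCOUNTDISABLE flag
    $full = Get-ClusterAce $svc | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights -eq 'GenericAll' }
    "Cluster has Full control: " + [bool]$full
} else {
    "No computer object named $ServiceName exists yet."
}

# Items 2 and 3: resolve the default computers container through its well-known GUID,
# so a changed location is picked up, then look for Create Computer Objects on it.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schema GUID of class "computer"
$createChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$container = [ADSI]"LDAP://<WKGUID=aa312825768811d1aded00c04fd8d5cd,$domainDn>"
"Default container:        " + $container.psbase.Properties['distinguishedName'].Value
$create = Get-ClusterAce $container | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $createChild) -ne 0 -and
    ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq [guid]::Empty) }
"Cluster can create computer objects here: " + [bool]$create

# Item 4: the domain-wide quota for creating computer objects (default 10).
"ms-DS-MachineAccountQuota: " + $domain.psbase.Properties['ms-DS-MachineAccountQuota'].Value
```

`Get-ClusterAce` matches only access rules that name the cluster account directly, so rights granted through a group do not appear in its output.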
To perform the following procedures, you must be a member of the local Administrators group on each clustered server, and the account you use must be a domain account, or you must have been delegated the equivalent authority.
Opening Event Viewer and viewing events related to failover clustering
To open Event Viewer and view events related to failover clustering:
- If Server Manager is not already open, click Start, click Administrative Tools, and then click Server Manager. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- In the console tree, expand Diagnostics, expand Event Viewer, expand Windows Logs, and then click System.
- To filter the events so that only events with a Source of FailoverClustering are shown, in the Actions pane, click Filter Current Log. On the Filter tab, in the Event sources box, select FailoverClustering. Select other options as appropriate, and then click OK.
- To sort the displayed events by date and time, in the center pane, click the Date and Time column heading.
Finding more information about the error codes that some event messages contain
To find more information about the error codes that some event messages contain:
- View the event, and note the error code.
- Look up more information about the error code in one of two ways:
  - Search System Error Codes (http://go.microsoft.com/fwlink/?LinkId=83027).
  - Click Start, point to All Programs, click Accessories, click Command Prompt, and then type:
    NET HELPMSG errorcode
Retry the action that resulted in a problem with creating or updating a computer object (computer account), to confirm that any issues have been corrected.