Access denied when validating configuration for a failover cluster
Hi,
I've spent days trying to install a cluster on 2 virtual Server 2012 R2 nodes running on ESX 6. No matter what I try, it comes up with the following error in the validation report:
an error occurred while executing test.
an error occurred while getting information software updates installed on nodes.
one or more errors occurred.
creating instance of com component clsid {4142dd5d-3472-4370-8641-de7856431fb0} iclassfactory failed due following error: 80070005 access denied. (exception hresult: 0x80070005 (e_accessdenied)).
I've checked the things mentioned in https://social.technet.microsoft.com/forums/windowsserver/en-us/39e6e957-95fd-4de5-89c2-0ea60e63b9d6/access-is-denied-messages-in-win2012-r2-failover-cluster-validation-report-and-csv-entering-a-paused?forum=winserverclustering , and several other things. No change.
My last finding related to the problem is that every time the access denied error happens, 2 entries are logged in the security event log of 1 of our domain controllers:
Note: the blacked-out service name shows the username.
According to RFC 4120, error 0x1b (27) means
KDC_ERR_MUST_USE_USER2USER 27 Server principal valid for user2user only
I'm logged on as a domain admin with local admin rights on the cluster nodes, and have no idea what might be the reason for the problem. Can anyone shed light on this, please?
Thanks,
Klaus
Hi,
I'm sorry for not having looked at this for several weeks. I was busy doing other things of higher priority. Those things led me to the origin of the problem.
I got it working. You won't guess what the problem was:
With Windows Server 2012 R2 a new security feature has been introduced: the "Protected Users" security group. Details can be found here: https://technet.microsoft.com/en-us/library/dn466518.aspx
The information security policies in our enterprise recommend that "Domain Admins" be added to this group. And here the problem starts: for whatever reason, the Kerberos error mentioned above happens during cluster validation. And because Kerberos fails, NTLM is used as a fallback. NTLM is not allowed for members of the "Protected Users" group. => Permission denied.
If I run cluster validation as a user that is not a member of "Protected Users", it works fine.
Have fun.
Klaus
BTW: this leaves open questions like: why does Kerberos fail during cluster validation? Has anyone ever run cluster validation as a "protected user"? If not, is there a bug? Maybe I'll look into these once I have a little time...
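A pre-flight check for the situation described in the post above, as an added example that is not part of the original thread: it tests whether the current logon token carries the domain's Protected Users group (well-known RID 525) before starting validation. The function names and the node names in the usage comment are hypothetical.

```powershell
# Added example, not code from the thread.
# Protected Users is a domain group with the well-known SID <domain SID>-525.
$ProtectedUsersRid = 525

function Test-ProtectedUsersToken {
    # Returns $true when the current logon token contains the Protected Users SID.
    # The token reflects membership at logon time, so a membership change
    # only shows up here after the account logs on again.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $domainSid = $identity.User.AccountDomainSid
    if ($null -eq $domainSid) {
        return $false   # built-in identities such as SYSTEM have no account domain SID
    }
    $target = "$domainSid-$ProtectedUsersRid"
    foreach ($group in $identity.Groups) {
        if ($group.Value -eq $target) { return $true }
    }
    return $false
}

function Invoke-ClusterValidationPreflight {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Node
    )
    if (Test-ProtectedUsersToken) {
        # NTLM is not available to members of Protected Users, so any validation
        # step that falls back from Kerberos to NTLM ends in access denied.
        Write-Warning ("Current account is a member of Protected Users. " +
            "Cluster validation steps that fall back to NTLM will fail with " +
            "0x80070005; run validation with an account outside that group.")
        return
    }
    # Test-Cluster comes from the FailoverClusters module.
    Test-Cluster -Node $Node
}

# Usage (hypothetical node names):
# Invoke-ClusterValidationPreflight -Node 'NODE1', 'NODE2'
```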