Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
A Network Name resource that has the Kerberos protocol enabled does not come online on the first attempt in a Windows Server 2008 failover cluster
Article ID: 950806 - View products that this article applies to.
You are using the Migrate Services and Applications Wizard in Windows Server 2008 Failover Clustering, and your Windows Server 2003 source cluster has Kerberos authentication enabled. In this case, the resources in the newly migrated resource group do not appear online as expected. If Kerberos authentication is not enabled on the source cluster, this problem does not occur.
This problem occurs because of changes in Windows Server 2008 Failover Clustering and how computer objects are created in Active Directory. If Kerberos authentication is enabled, the Migrate Services and Applications Wizard does not capture the Cluster Service Account (CSA) information. The wizard cannot bring the resource in the newly migrated resource group online without this information. The Cluster Name Object (CNO) cannot capture the computer object that is created in the Windows Server 2003 server cluster.
To resolve this problem, follow these steps for each resource in the newly migrated resource group:
To avoid this problem, modify the Discretionary Access Control List (DACL) for all computer objects that are created by the Windows Server 2003 server cluster by granting the Cluster Name Object (CNO) Full Control permissions. However, you have to do this before you migrate Network Name resources from a Windows Server 2003 server cluster to a Windows Server 2008 failover cluster.
Article ID: 950806 - Last Review: September 11, 2010 - Revision: 2.1