How to change the Cluster service account password

Article ID: 305813
This article was previously published under Q305813

SUMMARY

In Windows Clustering for Windows Server 2003, you can change the Cluster service account password on the domain as well as on each local node without having to take the cluster offline. If multiple clusters use the same Cluster service account, you can change them simultaneously. In Microsoft Windows NT 4.0 and Microsoft Windows 2000, to change the Cluster service account password, you have to stop the Cluster service on all nodes before you can make the password change.

To change the password for a Cluster service account in a Windows Server 2003 cluster, the following requirements must be met:
  • Mixed clusters with Windows 2000 are not supported; all nodes must be running Windows Server 2003 or later.
  • All nodes must be using the same domain account for the Cluster service.
  • All nodes must be online or in a paused state.
  • The update mechanism is not transactional; if the password change is not completed on all nodes, there may be a partial downtime in getting the passwords updated.
  • You must be logged on to an account that has domain access to change the Cluster service account password on the domain controller. You must have local administrator rights to each node to change the Local Service account passwords. This account must also have the ability to traverse directories in the cluster domain. (Note: This privilege is given to every user in the domain by default.)
  • This article applies only to the changing of the Cluster service account. If other services are running under the same Cluster service account, you have to change them manually.

MORE INFORMATION

Changing the Cluster service account password

To change the Cluster service account password with Cluster.exe, type the following command from a command prompt to list all of the available parameters:
CLUSTER /changepass /?

Samples

Note: In the following samples:
  • EASTCLUSTER is a cluster name.
  • WESTCLUSTER is a cluster name.
  • NEWpassword is the new password.
  • OLDpassword is the old password.
To change the Cluster service account password for a single cluster, use the following syntax in which the password for EASTCLUSTER would be changed to NEWpassword from OLDpassword:
cluster /cluster:EASTCLUSTER /changepassword:NEWpassword,OLDpassword
Note: If you do not specify NEWpassword and OLDpassword, you are prompted to enter them after you press ENTER.

To change the Cluster service account password on multiple clusters, you need to reference the additional cluster. For example, to change the password for WESTCLUSTER in addition to EASTCLUSTER, you would use the following syntax:
cluster /cluster:EASTCLUSTER,WESTCLUSTER /changepassword:NEWpassword,OLDpassword

When you use some special characters for the password, you may receive an error that is a bit misleading. For example, when you change the password by using the cluster /cluster:testcluster /changepass:Password&1234567890,Password1 command, you receive the following error message:
The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements. '1234567890' is not recognized as an internal or external command, operable program, or batch file.
The special character "&" truncates the rest of the line. The first error is accurate, because the password is being changed to only "Password", which does not meet the password restrictions. Because "&" is the command separator that combines commands on one line, the command interpreter then tries to run "1234567890" as a second command, which is invalid. To change this password correctly, enclose the password in quotation marks. The following command will change the password correctly:
cluster /cluster:testcluster /changepass:"Password&1234567890",Password1
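
The truncation described above can be reproduced offline with a simplified model of how cmd.exe splits a line at an unquoted "&". This is an added example, not Microsoft's code: the function names are hypothetical, and the model handles only double quotes, the ^ escape and "&".

```python
import re

def split_unquoted_ampersand(line):
    """Split a command line where cmd.exe would: at '&' outside double quotes.

    Simplified model (an assumption, not the real parser): it handles only
    double quotes, the '^' escape and '&'; pipes and redirection are ignored.
    """
    commands, current, in_quotes, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            in_quotes = not in_quotes
            current.append(ch)
        elif ch == "^" and not in_quotes and i + 1 < len(line):
            i += 1
            current.append(line[i])  # caret is dropped, next character is literal
        elif ch == "&" and not in_quotes:
            commands.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    commands.append("".join(current).strip())
    return [c for c in commands if c]

def new_password_seen(line):
    """Return the new password that the first command on the line would carry."""
    first = split_unquoted_ampersand(line)[0]
    match = re.search(r'/changepass(?:word)?:("[^"]*"|[^,\s]*)', first, re.I)
    return match.group(1).strip('"') if match else None

def quote_for_cmd(password):
    """Quote a password for cmd.exe, or refuse when quotes cannot protect it."""
    # A '"' ends the quoted span and '%' can still trigger variable expansion.
    if '"' in password or "%" in password:
        raise ValueError("omit the passwords and let cluster.exe prompt instead")
    return '"' + password + '"'

# The two command lines from the article.
UNQUOTED = "cluster /cluster:testcluster /changepass:Password&1234567890,Password1"
QUOTED = 'cluster /cluster:testcluster /changepass:"Password&1234567890",Password1'

if __name__ == "__main__":
    for line in (UNQUOTED, QUOTED):
        print(split_unquoted_ampersand(line), "->", new_password_seen(line))
```
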

Using additional switches

You can also use the following additional switches with the /changepassword parameter:

| Switch | Description |
| --- | --- |
| /skipdc | Use this switch to change the password on the cluster nodes but not on the domain controller. This is useful if the domain administrator manually changed the account on the domain controller. When using this switch, you do not need to supply the old password. |
| /force | Typically, the /changepassword command detects if all nodes in the cluster are online. If one of the nodes in a cluster is offline, the password change fails and an error is displayed. To force a password change on all available nodes, use the /force switch. Any node that is not available during the password change will require manual intervention. |
| /test | You can use this parameter to test whether the password change can be made to the domain and to all nodes in the cluster before it actually makes any changes. Using this switch before making the change is highly recommended because Cluster.exe is not transactional and cannot roll back the old password if it is not properly written to all nodes of the domain controller. |

Troubleshooting

The following table lists all the errors that Cluster.exe may report if there is a problem changing the password for the Cluster service account on the nodes or domain, together with possible solutions.

| Error Code | Error Message | Suggested Action |
| --- | --- | --- |
| Failure status from OpenCluster | Failed to query cluster name. | Verify that the specified cluster is available, that the specified name on the command line is correct, and that the cluster resource that is backing that name (such as Network Name) is online. |
| Failure status from OpenSCManager, OpenService, QueryServiceConfig, OpenClusterNode, GetClusterNodeId, or GetClusterNodeState | Failed to query node <node name> of cluster <cluster name>. | Verify that all nodes in the specified cluster are up, joined to the cluster, and are responding to network queries. |
| ERROR_INVALID_SERVICE_ACCOUNT | All of the clusters are not using the same domain account. | Change passwords for clusters that are using separate domain accounts in separate invocations of the cluster command. |
| ERROR_ALL_NODES_NOT_AVAILABLE | Not all clusters are available (at least one node is neither UP nor PAUSED). | For each specified cluster, verify that all nodes in the cluster are up and joined to the cluster. |
| Failure status from DsGetDcName | No domain controllers are available. | Verify connectivity between the client computer on which the cluster command is being executed, and a domain controller for the domain of the cluster account. |
| Failure status from NetUserChangePassword | Failed to change password on the domain controller. | Verify connectivity with the domain controller and permissions to change the password (including correctness of old password). |
| ERROR_MORE_DATA | Aborting the password change on <cluster name> after <number> attempts because the number of nodes in the cluster is not stable. | Verify that nodes are not joining the cluster as the password change command is operating. |
| ERROR_CLUSTER_INCOMPATIBLE_VERSIONS | The password change was not issued on <cluster name> since it contains at least one Windows NT 4.0 or Windows 2000 node. | Evict or upgrade any cluster nodes that are running Windows NT 4.0 or Windows 2000. |
| ERROR_FILE_CORRUPT | The password change was not issued on <cluster name> because the cluster service detected data corruption in a message received from the network. -or- The password change on node <node name> of cluster <cluster name> failed because the cluster service detected data corruption in a message received from the network. | Verify cluster network integrity and/or security. In the case of the node-specific error, it is necessary to manually change the Cluster service account password on the failed node before that node can rejoin the cluster. |
| CRYPT_E_HASH_VALUE | The password change was not issued on cluster <cluster name> because the cluster service was unable to establish a secure network connection between nodes. -or- The password change on node <node name> of cluster <cluster name> failed because the cluster service was unable to establish a secure network connection between nodes. | Verify cluster network integrity and/or security. In the case of the node-specific error, it is necessary to manually change the Cluster service account password on the failed node before that node can rejoin the cluster. |
| Other cluster-specific error status | The password change on cluster <cluster name> failed. The error code was <number> (<hex number>): <system error message> | Appropriate action depends on the error code. |
| Other node-specific error status | The password change on node <node name> of cluster <cluster name> failed. The error code was <number> (<hex number>): <system error message> | Appropriate action depends on the error code. It is necessary to manually change the Cluster service account password on the failed node before that node can rejoin the cluster. |

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
827486 You receive an "Either the specified account is not valid or the account's domain could not be contacted" error message when you try to add a node to a server cluster in Windows 2000

Properties

Article ID: 305813 - Last Review: March 2, 2007 - Revision: 7.5
APPLIES TO
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
Keywords: 
kbclustering kbhowto KB305813
