Cluster service does not start on a joining node in Windows 2000 cluster

Article ID: 272129 - View products that this article applies to.
This article was previously published under Q272129
Expand all | Collapse all

SYMPTOMS

The Cluster service starts on the first node on a Windows 2000-based cluster, but may not start on a joining node, or a node may not join an existing cluster on the initial installation. The following events may be logged in the system log in sequential order:
Event ID 9
The device, \Device\Scsi\Scsi/Fibre Controller, did not respond within the timeout period.

Event ID 1009
The Clustering Service could not join an existing cluster and could not form a new cluster. The Clustering Service has terminated.

Event ID 7031
The Cluster Service service terminated unexpectedly. It has done this X time(s). The following corrective action will be taken in XXXXXX milliseconds. Restart the service.
Back to the top | Give Feedback

CAUSE

This problem may occur after you apply a security template through a domain policy or by manually setting the LAN Manager Authentication Level Local Security Policy option to anything other than Send LM and NTLM responses on the nodes in a Windows 2000-based cluster.

The Cluster service does not function properly using NTLM 2. All cluster authentication is handled internally to the Cluster service after using RPC datagrams to form a cluster. The only time the Cluster service contacts a domain controller for authentication is when the cluster is first formed to validate the Cluster service account. Every node that requests to join a cluster is validated by using RPC communication over the private network by the node that owns the quorum resource. Only LM or NTLM authentication is used.

LmCompatibility settings range from 0 to 5. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
239869
(http://support.microsoft.com/kb/239869/ )
How to enable NTLM 2 Authentication
Any entry other than "LmCompatibilityLevel=0" allows for the negotiation of NTLM 2 among Windows 2000-based clients and servers. Specifically, the "LmCompatibilityLevel=0" setting equates to "Send LM and NTLM response; never use NTLM 2 session security. Clients use LM and NTLM authentication, and never use NTLM 2 session security; domain controllers accept LM, NTLM, and NTLM 2 authentication."

If you permit or force NTLM 2 by using either a local security policy or by using a domain security policy, a cluster can be formed, but a cluster node cannot be joined. When you install the Cluster service on nodes other than the first and the LmCompatibilityLevel setting is set to something other than 0 (zero), the installation stops working when you are prompted to enter the name of the cluster to join. The error message is:
The specified cluster name could not be found on the network. Make sure the cluster is running and that the cluster node is reachable from this node.
If you start a command prompt and ping the cluster name, the cluster IP address is returned. You can then use Registry Editor to change the LmCompatibilityLevel setting to 0 (zero), which allows the Cluster service installation on the node to be completed. However, the LmCompatibilityLevel setting will be different among the nodes; the Cluster service will not start and the following events will be registered in the System log:
Event ID 1079:
The node cannot join the cluster because it cannot communicate with node NODE1 over any network configured for internal cluster communication. Check the network configuration of the node and the cluster.

Event ID 7023:
The Cluster Service service terminated with the following error: A security package specific error occurred.
Back to the top | Give Feedback

RESOLUTION

The English version of this fix should have the following file attributes or later:
   Date          Time     Version       Size     File name
   -----------------------------------------------------------------
   5/31/2001    11:13p   5.0.2195.3663	501,520  Lsasrv.dll (56-bit)
   5/31/2001    03:31p   5.0.2195.3649	130,320  Adsldpc.dll
   5/31/2001    03:30p   5.0.2195.3649	354,576  Advapi32.dll
   5/31/2001    03:37p   5.0.2195.3649	519,440  Instlsa5.dll
   5/31/2001    03:31p   5.0.2195.3649	142,608  Kdcsvc.dll
   5/30/2001    02:55p   5.0.2195.3649	209,008  Kerberos.dll
   5/29/2001    09:26a   5.0.2195.3649	 69,456  Ksecdd.sys
   5/29/2001    09:26a   5.0.2195.3649	501,520  Lsasrv.dll
   5/29/2001    09:26a   5.0.2195.3649	 33,552  Lsass.exe
   5/30/2001    02:54p   5.0.2195.3649	111,616  Msv1_0.dll
   5/31/2001    03:31p   5.0.2195.3652	908,560  Ntdsa.dll
   5/31/2001    03:31p   5.0.2195.3649	382,736  Samsrv.dll
   5/31/2001    03:31p   5.0.2195.3649	123,664  Wldap32.dll
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756
(http://support.microsoft.com/kb/322756/ )
How to back up and restore the registry in Windows

To resolve this problem, return the NTLM authentication level to its default level of Send LM and NTLM responses. Follow these steps on each node in your Windows 2000-based cluster:
  1. In Control Panel, double-click Administrative Tools.
  2. Start the Local Security Policy tool.
  3. Expand Local Policies, and then click Security Options.
  4. Double-click Lan Manager Authentication Level, and then click Send LM and NTLM responses.
  5. Click OK, and then quit Local Security Policy Editor.
  6. Restart the server.
You can also resolve this issue by editing the registry:
  1. Start Registry Editor.
  2. Locate, and then click the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. Double-click lmcompatibilitylevel.
  4. Change the Radix setting to Decimal, and then type 0 (the number zero) in the Data box, and then click OK.
  5. Quit Registry Editor.
  6. Restart the server.
Back to the top | Give Feedback

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows 2000 Service Pack 3.
Back to the top | Give Feedback

MORE INFORMATION

If your Windows 2000-based cluster is part of a Windows NT 4.0 Service Pack 6a-based domain, click on the article number below to view the article in the Microsoft Knowledge Base for more information:
305379
(http://support.microsoft.com/kb/305379/ )
Authentication problems in Windows 2000 with NTLM2 level above 2
For more information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the following article number to view the article in the Microsoft Knowledge Base:
265173
(http://support.microsoft.com/kb/265173/ )
The Datacenter program and Windows 2000 Datacenter Server product
For more information about how to install multiple hotfixes with only one reboot, click the following article number to view the article in the Microsoft Knowledge Base:
296861
(http://support.microsoft.com/kb/296861/ )
Use QChain.exe to install multiple hotfixes with one reboot
For more information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the following article number to view the article in the Microsoft Knowledge Base:
249149
(http://support.microsoft.com/kb/249149/ )
Installing Microsoft Windows 2000 and Windows 2000 hotfixes


For more information about incompatabilities that may occur when you modify security settings and user rights, click the following article number to view the article in the Microsoft Knowledge Base:
823659
(http://support.microsoft.com/kb/823659/ )
Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments
Back to the top | Give Feedback

Properties

Article ID: 272129 - Last Review: April 21, 2008 - Revision: 3.0
APPLIES TO
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Service Pack 2
Keywords: 
kbhotfixserver kbqfe kbbug kbclustering kberrmsg kbfix kbsecurity kbwin2000presp3fix kbwin2000sp3fix KB272129
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top