How to manually re-create the Cluster service account

Article ID:269229
Last Review:October 26, 2007
Revision:8.4
This article was previously published under Q269229
SUMMARY

During the installation process for the Microsoft Cluster service, the specified domain account is granted rights that are necessary for the Cluster service to function correctly. If you ever have to change or re-create the account, you must manually grant these rights back to the domain account that is used to start the Cluster service, on each node of the cluster. Additionally, make sure that security policies do not remove rights or permissions from the Cluster service account. If rights or permissions are removed from the Cluster service account, the Cluster service may no longer function.

MORE INFORMATION

The account that is used to start the Cluster service must be a minimum of a domain-level USER account, and it must be added to the local administrative group on each node in the cluster. Add the account to the Local Administrators group on each node in the cluster by using either the User Manager tool in Microsoft Windows NT 4.0, or Computer Management in Microsoft Windows 2000 Server or in Microsoft Windows Server 2003.

Note Many of the rights that are mentioned in this section are assigned "by proxy." The Cluster service account must be a member of the local administrator group on the node. Therefore, if the local administrators group has a specific right, typically you do not have to add the Cluster service account. However, if you are having difficulties with the rights for the Cluster service account, you can explicitly grant all the rights directly to the account that starts the Cluster service. In Windows Server 2003, you must explicitly assign the Cluster service account to the local Administrators group of each node. For more information about a related topic, click the following article number to view the article in the Microsoft Knowledge Base:
812877 (http://support.microsoft.com/kb/812877/) Cluster service does not start after you upgrade to Windows Server 2003, Enterprise Edition
Make sure that the following user rights are granted to either the local Administrator group or the domain level Cluster service account.

Windows Server 2003

Note If you change the account that is used to start the Cluster service, you must use Computer Management for Windows Server 2003 to change the account information on each node in the cluster. To do this, follow these steps:
1. Start Computer Management for Windows Server 2003, expand the Services and Applications branch, and then click the Services branch.
2. In the right pane, double-click Cluster Service. Select the Log On tab, and then update the account information.
To function correctly in Microsoft Windows Server 2003, the Cluster service account explicitly requires the following rights for all nodes in the cluster:
Act as part of the operating system
Adjust memory quotas for a process
Back up files and directories
Increase scheduling priorities
Log on as a service
Restore files and directories
Also, make sure that the Local Administrator Group has access to the following user rights:
Debug programs
Impersonate a client after authentication
Manage auditing and security log
You can grant these rights in the following locations:
Local Security Policy\Security Settings\Local Policies\User Rights Assignment
Note If you create a Group Policy setting to update the Impersonate a client after authentication rights policy setting, make sure that the Cluster service account is listed in the policy setting in addition to the Local Administrators group and the account that is called SERVICE. If the Cluster service account is not listed, the computer may no longer have access to Windows Management Instrumentation (WMI). By default, these accounts are listed in the Impersonate a client after authentication rights policy. However, if you create a Group Policy setting without adding the Cluster service account, the local policy setting is overwritten, and WMI access fails.
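The following PowerShell script is an added example, not part of this article: it exports the effective local security policy on a node with secedit.exe and reports whether each right listed above is held by the Cluster service account (directly or through the local Administrators group). It assumes PowerShell is installed on the node, that it is run from an elevated prompt, and that the placeholder account name in $ClusterAccount is replaced with the account that starts the Cluster service; the hashtables can be swapped for the Windows 2000 Server list below.

```powershell
# Added example (not from the KB article): audit effective user rights on a cluster node.
# Assumes: elevated PowerShell, secedit.exe present, $ClusterAccount is the DOMAIN\user
# that starts the Cluster service (placeholder value below).
param([string]$ClusterAccount = 'CONTOSO\clustersvc')

# Display name shown in User Rights Assignment -> privilege constant written by secedit.
# Rights the Cluster service account itself must hold on Windows Server 2003:
$AccountRights = @{
    'Act as part of the operating system' = 'SeTcbPrivilege'
    'Adjust memory quotas for a process'  = 'SeIncreaseQuotaPrivilege'
    'Back up files and directories'       = 'SeBackupPrivilege'
    'Increase scheduling priority'        = 'SeIncreaseBasePriorityPrivilege'
    'Log on as a service'                 = 'SeServiceLogonRight'
    'Restore files and directories'       = 'SeRestorePrivilege'
}
# Rights the local Administrators group must hold (the account gets them "by proxy"):
$AdminRights = @{
    'Debug programs'                            = 'SeDebugPrivilege'
    'Impersonate a client after authentication' = 'SeImpersonatePrivilege'
    'Manage auditing and security log'          = 'SeSecurityPrivilege'
}

# secedit writes principals as *SID entries, so compare against SIDs, not names.
$adminSid   = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$accountSid = (New-Object System.Security.Principal.NTAccount($ClusterAccount)).Translate(
                 [System.Security.Principal.SecurityIdentifier]).Value

# Export the effective policy (Group Policy overrides included) and parse [Privilege Rights]
# into a privilege -> list of principal SIDs map.
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$assigned = @{}
foreach ($m in (Get-Content $inf -Encoding Unicode | Select-String -Pattern '^Se\w+\s*=')) {
    $name, $value = $m.Line -split '=', 2
    $assigned[$name.Trim()] = @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
}
Remove-Item $inf -Force

function Test-Right($display, $priv, $expectedSids) {
    $holders = @($assigned[$priv])
    $ok = $false
    foreach ($sid in $expectedSids) { if ($holders -contains $sid) { $ok = $true } }
    '{0,-8} {1} ({2})' -f $(if ($ok) { 'OK' } else { 'MISSING' }), $display, $priv
}

# A right on the account is satisfied directly or via Administrators membership.
foreach ($k in $AccountRights.Keys) { Test-Right $k $AccountRights[$k] @($accountSid, $adminSid) }
foreach ($k in $AdminRights.Keys)   { Test-Right $k $AdminRights[$k]   @($adminSid) }
```

Run it on every node after changing the account or applying a Group Policy object; any MISSING line points at the right to restore in Local Security Policy or in the overriding policy.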

Windows 2000 Server

Note If you change the account that is used to start the Cluster service, follow these steps:
1. From the desktop, click Start, and then click All Programs.
2. Click Administrative Tools, and then click Services. In the right pane, double-click Cluster Service.
3. Select the Log On tab, and then update the account information.
The Cluster service account requires the following rights on all nodes in the cluster to function correctly:
Act as part of the operating system
Back up files and directories
Increase quotas
Increase scheduling priority
Load and unload device drivers
Lock pages in memory
Log on as a service
Restore files and directories
Also, make sure that the Local Administrator Group has access to the following user rights:
Debug programs
Impersonate a client after authentication
Manage auditing and security log
You can grant these rights in the following location:
Local Security Policy\Security Settings\Local Policies\User Rights Assignment

Windows NT 4.0

To configure the user rights on a Windows NT 4.0 cluster node, open User Manager, click Policies, and then click User Rights. Make sure that you click Show Advanced User Rights.

The Cluster service account requires the following rights on all nodes in the cluster to function correctly:
Back up files and directories
Increase quotas
Increase scheduling priority
Load and unload device drivers
Lock pages in memory
Log on as a service
Restore files and directories

Additional things to consider

When you remove a required right from the Cluster service account, you may cause unexpected behavior. The Cluster service may not start, or the service may not create certain clustered resources or bring these resources online. For example, if neither the Cluster service account nor the local Administrators group has the Manage auditing and security log user right, the Cluster service cannot create a Microsoft Distributed Transaction Coordinator (MSDTC) resource, because the Cluster service cannot create the required crypto checkpoint settings.

Another example of this problem may occur when you modify the Access this computer from the network user right. You can modify this user right in the following location:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
By default, the Everyone and Administrators groups are both assigned this right. However, if you remove this right from these groups, and you do not specifically add the Cluster service account, you may not be able to join nodes to an existing cluster. Additionally, you may receive an "Access Denied" error when you try to access the cluster by using Cluster Administrator (Cluadmin.exe).

If an organization implements Group Policy objects that override the local security policies and that remove a user right from the Cluster service by changing the effective user rights, the Cluster service will fail at some point. To resolve this problem, follow these steps:
1. Create an organizational unit (OU) in the domain or in the forest, and then block policy inheritance on that OU.
2. Move the cluster nodes into the OU.
3. To inherit the new user rights, stop and restart the Cluster service on each node.
If you have Kerberos authentication enabled for any one of a cluster's virtual servers, and you change the Cluster service account, you may affect access to the computer object in Active Directory directory service. Before you enable the Kerberos protocol for any virtual servers, see the following Microsoft Knowledge Base article:
307532 (http://support.microsoft.com/kb/307532/) How to troubleshoot the Cluster service account when it modifies computer objects
Additionally, make sure that the Cluster service has the following user rights for computer objects in the appropriate OU:
Reset password
Change password
Validated write to DNS Host Name
Validated write to ServicePrincipalName

APPLIES TO
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows NT Server 4.0 Enterprise Edition

Keywords: 
kbproductlink kbclustering kbhowto KB269229
