��к�

Select the product you need help with

�Ըա��ѭ�պ�ԡ�ä��ҧ�ա��駴��µ��ͧ

��Ţ�� (Article ID): 269229 - ��Ե�ѳ��Ǣ�ͧ㹺��

��ԡ��ʹ٢�ͨӡѴ��Ѻ�Դ�ͺ�ͧ KB ��¤��

��ԡ��ʴ��¤��е鹩�Ѻ��ѧ��§��ҧ�ѹ

��·�� | �غ��

��ҧ��кǹ��õԴ��Ѻ��ú�ԡ�ä��ͧ Microsoft �ѭ��к��Ѻ�Է��Ѻ��ú�ԡ�ä��ӧҹ��ҧ�١��ͧ ��Ҥس��ա��¹�ŧ ��ͺѭ�ռ��ҧ��ա�� س��ͧ��Է��㹡�á�Ѻ仺ѭ��㹡��÷ӧҹ�ͧ��ԡ�ä�� ˹�ͧ�� µ��ͧ �͡�ҡ�� Ǩ�ͺ�� º�¤��ʹ��ź�Է��Է�Ԩҡ�ѭ�պ�ԡ�ä�� Է��Է��ж١��͡�ҡ�ѭ�պ�ԡ�ä�� ԡ�ä��Ҩ��ӧҹ

��Ѻ仴�ҹ�� | ��ʹ��

��

�ѭ�շ��÷ӧҹ�ͧ��ԡ�ä��ͧ�դ�ҹ��ش�ͧ�ѭ�� USER ��дѺ ��е�ͧ�١��㹡��к��㹺��˹�㹤�� ѭ��Ѻ��ŷ�ͧ��˹�㹤�� ¡��ͧ��͡�èѴ��ü�� Microsoft Windows NT 4.0 ��ͨѴ��ä�� ͧ Microsoft Windows 2000 �� Microsoft Windows Server 2003

��˵�:�ӹǹ�ͧ�Է��к��ǹ��Ѻ��á�˹� "�¾��͡�� ѭ�պ�ԡ�ä��ͧ��Ҫԡ�ͧ��к��㹺��˹� �ѧ�� Ң�ҷ��੾�С��ŷ�ͧ�� »��Ԥس��繵�ͧ��ѭ�պ�ԡ�ä�� ҧ�á�� Ҥس��ѧ�ջѭ�ҡѺ�Է��Ѻ�ѭ�պ�ԡ�ä�� س��ö�Դ��Է��µç仺ѭ�շ��ԡ�ä�� Windows Server 2003 �س��ҧ�ҡ��ͧ��˹��ѭ�պ�ԡ�ä��Ѻ��к��㹢ͧ��˹��Ѻ��ǡѺ��Ǣ�ͷ��Ǣ�ͧ �ô��ԡ��Ţ��仹��ʹٺ�� Microsoft Knowledge Base::

812877

(http://support.microsoft.com/kb/812877/ )

��ԡ�ä��÷ӧҹ��ѧ�ҡ��س��Ѻ�� Windows Server 2003, Edition 䫵�ͧ��

��Ǩ�ͺ�� Ѻ�Է��ͧ��仹��㹡��к��дѺ��ԡ�úѭ��

Windows Server 2003

��˵�:��Ҥس��¹�ѭ�ռ��١��÷ӧҹ�ͧ��ԡ�ä�� س��ͧ����èѴ��ä����Ѻ Windows Server 2003 ��¹�ŧ��źѭ�ռ��麹��˹�㹤�� ӵ��鹵͹��仹��::

��÷ӧҹ�ͧ��èѴ��Ѻ Windows Server 2003 ����ԡ��ء��branch ��Шҡ�� ԡ����ԡ���Ң�
㹺ҹ˹�ҵ�ҧ��ҹ�� ԡ�ͧ����ԡ�ä��. ��͡����͡�Թ�� Шҡ�� Ѻ��ا��źѭ�ռ��

��͵�ͧ��÷ӧҹ��ҧ�١��ͧ� Microsoft Windows Server 2003 �ѭ�պ�ԡ�ä��ҧ�ҡ��ͧ�Է��仹��Ѻ�˹��㹤��:

��˹�ҷ��ǹ˹�觢ͧ�к��Ժѵԡ��
��û�Ѻ��ا�ǵ�Ңͧ˹��¤��Ѻ��кǹ��
��ͧ��á��
��дѺ��Ӥѭ��Ѵ��˹��
��к��繡�ú�ԡ��
�׹��á��

Also, make sure that the Local Administrator Group has access to the following user rights:

Debug programs
Impersonate a client after authentication
Manage auditing and security log

You can grant these rights in the following locations:

Local Security Policy\Security Settings\Local Policies\User Rights Assignment

��˵�:If you create a Group Policy setting to update theImpersonate a client after authentication rightspolicy setting, make sure that the Cluster service account is listed in the policy setting in addition to the Local Administrators group and the account that is called SERVICE. If the Cluster service account is not listed, the computer may no longer have access to Windows Management Instrumentation (WMI). By default, these accounts are listed in theImpersonate a client after authentication rights��º��: However, if you create a Group Policy setting without adding the Cluster service account, the local policy setting is overwritten, and WMI access fails.

windows 2000 Server

��˵�:If you change the account that is used to start the Cluster service, follow these steps:

From the desktop, click��÷ӧҹ�� ԡ��.
��ԡ��ͧ��͡�ô��к��� ԡ��ԡ��. 㹺ҹ˹�ҵ�ҧ��ҹ�� ԡ�ͧ��Cluster Service.
��͡����͡�Թtab, and update the account information.

The Cluster service account requires the following rights on all nodes in the cluster to function correctly:

Act as part of the operating system.
Back up files and directories.
Increase quotas.
Increase scheduling priority.
Load and unload device drivers.
Lock pages in memory.
Log on as a service.
Restore files and directories.

Also, make sure that the Local Administrator Group has access to the following user rights:

Debug programs
Impersonate a client after authentication
Manage auditing and security log

You can grant these rights in the following location:

Local Security Policy\Security Settings\Local Policies\User Rights Assignment

Windows NT 4.0

To configure the user rights on a Windows NT 4.0 cluster node, click��ǨѴ��ü��ԡ��º����ԡ�Է��ͧ��. ��Ǩ�ͺ�� س��ԡ�ʴ��Է��ͧ��٧.

The Cluster service account requires the following rights on all nodes in the cluster to function correctly:

��ͧ��á��
Increase quotas
Increase scheduling priority
Load and unload device drivers
Lock pages in memory
Log on as a service
�׹��á��

Additional things to consider

When you remove a required right from the Cluster service account, you may cause unexpected behavior. The Cluster service may not start, or the service may not create certain clustered resources or bring these resources online. For example, if the Cluster service or the local administrator group does not have a particular user right, theManage auditing and security loguser rights assignment cannot create a Microsoft Distributed Transaction Coordinator (MSDTC) resource because the Cluster service cannot create the required crypto checkpoint settings.

Another example of this problem may occur when you modify theAccess this computer from the networkuser right. You can modify this user right in the following location:

�� Configuration\Windows Settings\Security Settings\Local Policies\User �Է��㹡�á�˹�

By default, the Everyone and Administrator groups are both assigned this right. However, if you remove this right from these groups, and you do not specifically add the Cluster service account, you may not be able to join nodes to an existing cluster. Additionally, you may receive an "Access Denied" error when you try to access the cluster by using Cluster Administrator (Cluadmin.exe).

If an organization implements Group Policy objects that override the local security policies and that remove a user right from the Cluster service by changing the effective user rights, the Cluster service will fail at some point. ��͵�ͧ��ѭ�ҹ�� ӵ��鹵͹��仹��:

Create an organizational unit (OU) in the domain or in the forest, and then block policy inheritance on that OU.
Move the cluster nodes into the OU.
To inherit the new user rights, stop and restart the Cluster service on each node.

If you have Kerberos authentication enabled for any one of a cluster's virtual servers, and you change the Cluster service account, you may affect access to the computer object in Active Directory directory service. Before you enable the Kerberos protocol for any virtual servers, see the following Microsoft Knowledge Base article:

307532

(http://support.microsoft.com/kb/307532/ )

How to troubleshoot the Cluster service account when it modifies computer objects

Additionally, make sure that the Cluster service has the following user rights for computer objects in the appropriate OU:

Reset password
Change password
Validated write to DNS Host Name
Validated write to ServicePrincipalName

��Ѻ仴�ҹ�� | ��ʹ��

�س��ѵ�

��Ţ�� (Article ID): 269229 - ��Ǥ��ش��: 8 ��Ҥ� 2554 - Revision: 4.0

��Ѻ

Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows 2000 Advanced Server
Microsoft Windows NT Server 4.0 Enterprise Edition

kbproductlink kbclustering kbhowto w2000mscs kbmt KB269229 KbMtth

��¤��

��Ӥѭ: ��«Ϳ��Ŵ��¤��ͧ Microsoft ᷹��繹ѡ�ŷ��繺ؤ�� Microsoft �պ��¹ѡ��к��Ŵ��¤�� س��ö��Ҷ֧��㹰ҹ��ͧ�� Ңͧ�س�ͧ ��ҧ�á�� Ŵ��¤��Ҩ�բ�ͺ��ͧ ��Ҩ�բ�ͼԴ��Ҵ㹤��Ѿ�� ٻẺ��ҡó� ��ǡѺ�óշ��ǵ�ҧ�ҵԾٴ�Դ��;ٴ��Ңͧ�س Microsoft ��ǹ�Ѻ�Դ�ͺ��ͤ��Ҵ��͹ ��Դ��Ҵ��ͤ��·��Դ�ҡ��ҼԴ��Ҵ ��͡��麷�Ţͧ�١�� Microsoft �ա�û�Ѻ��ا�Ϳ��Ŵ��¤��繻�Ш�

��仹��繩�Ѻ��ѧ��ɢͧ��:269229

(http://support.microsoft.com/kb/269229/en-us/ )

��Ѻ仴�ҹ�� | ��ʹ��