Article ID: 2829783

Summary

When you cannot create a Microsoft SQL Server 2012 AlwaysOn availability group listener, it is frequently a symptom of other problems in which you cannot create an object in Active Directory or register IP addresses in DNS. These problems usually occur because of the domain policy, or because of a lack of permissions for the Windows cluster to interact with Active Directory or DNS.

When you create a listener in SQL Server, Windows cluster creates a client access point resource. If SQL Server cannot create a listener, it may be unable to report the cause because Windows cluster is creating the resource. In this situation, you can collect the Windows cluster log and Windows System event log in order to diagnose the cause.

If you cannot create a listener, it is usually because of at least one of the following reasons:
  • You do not have sufficient Windows cluster permissions to create and change an Active Directory cluster name account.
  • You cannot register the IP address in DNS because of certain problems that involve a duplicate or invalid IP address.
  • You violate the Windows policies.
This article discusses the steps that you can perform in order to diagnose a failed attempt to create a listener if SQL Server cannot report the cause. Additionally, this article lists some error messages that you may see when the availability group listener creation fails.

More information

SQL Server may not report the cause when you cannot create an availability group listener

When you create an availability group listener by using SQL Server Management Studio's Add Listener dialog box, you may receive an error message that includes information about the cause of the error, which can help you to resolve the issue. For example, you receive an error message about an incorrect IP address for the subnet that resembles the following:

The specified IP Address '<IP Address>' is not valid in the cluster-allowed IP range. Check with the network administrator to select values that are appropriate for the cluster-allowed IP range. (Microsoft SQL Server, Error: 19457)

However, you may also receive an error message that does not explain why you cannot create the group listener. For example, when you try to create an availability group listener, you receive an error message that resembles the following, which does not specify the actual cause of the error:

Msg 19471, Level 16, State 0, Line 2
The WSFC cluster could not bring the Network Name resource with DNS name '<DNS name>' online. The DNS name may have been taken or have a conflict with existing name services, or the WSFC cluster service may not be running or may be inaccessible. Use a different DNS name to resolve name conflicts, or check the WSFC cluster log for more information.

Msg 19476, Level 16, State 4, Line 2
The attempt to create the network name and IP address for the listener failed. The WSFC service may not be running or may be inaccessible in its current state, or the values provided for the network name and IP address may be incorrect. Check the state of the WSFC cluster and validate the network name and IP address with the network administrator.

How to determine why you cannot create an availability group listener

This issue occurs because the Windows cluster cannot create and bring online the client access point that is a clustered resource. When you encounter this issue, you can collect the relevant information from the Windows cluster log and the Windows System event log in order to find the cause. To do this, follow these steps.

Step 1: Note the exact time that the problem occurred

Perform whatever steps are required to reproduce the problem, and note the time that this problem occurs.

Step 2: Review the data in the Windows cluster log (Cluster.log)

Search the Cluster.log file for the network name that you designated for the group listener.

Notes
  • The Cluster.log file entries are logged in Coordinated Universal Time (UTC).
  • To generate the Windows cluster log by using an administrative command prompt in Windows Server 2008 R2 or a later version of Windows Server, run the following command:
    Cluster log /g

  • To generate the Windows cluster log by using Windows PowerShell, run the following cmdlet in an elevated PowerShell window:
    Get-ClusterLog

  • By default, the log file is created in %WINDIR%\cluster\reports.

Step 3: Review the data from the Windows System event log

Review the Windows System event log for entries that are related to the listener creation attempt by using the time that you noted in step 1.

Example 1: You cannot create a group listener because of domain policy

Sometimes, SQL Server cannot report specific information about why you cannot create a group listener because of domain policy. For example, domain policy enables a domain user to create ten computer accounts by default. When you try to create a group listener that would be your eleventh computer account, SQL Server can only report the generic error messages "Msg 19471" and "Msg 19476" that are discussed in the "More information" section.

To find the cause for why you cannot create a group listener, review the Windows System event log and the Cluster.log file.
  • To review the Windows System event log, follow these steps:
    1. Click Start, point to Programs, point to Administrative Tools, and then click Event Viewer.
    2. In the console tree, expand Windows Logs, and then click System.
    3. In the details pane, scroll through the most recent events and locate event 1194. Under the General tab, several possible causes of the failure are proposed.
    4. Click the Details tab. In the Friendly View under the EventData section, you can find a more specific error message that resembles the following:
      You have exceeded the maximum number of computer accounts that you are allowed to create in this domain.
  • To review the entries in the Cluster.log file, follow these steps:
    1. Click Start, point to All Programs, point to Windows PowerShell V2, right-click Windows PowerShell ISE, and then click Run as administrator.
    2. At the command prompt, run the following cmdlet in order to generate a cluster log:
      Get-ClusterLog

    3. Open the Cluster.log file in Notepad.
    4. Click Edit, and then click Find in Notepad, and search for the string "Failed to create Computer Object <DNS Name>." Review the results, and you can find messages that resemble the following:

      00000d24.00000dc8::<Time stamp> INFO [RES] Network Name: [<Network name>] NetUserAdd object <DNS name> on Sub domain name: \\Domain name, result: 8557


      00000d24.00000dc8::<Time stamp> ERR [RES] Network Name: [<Network name>] Failed to create Computer Object <DNS name> in the Active Directory, error 8557
    5. To determine what the error indicates, type Net helpmsg 8557 at the command prompt, and then press Enter.

Conclusion

You can now conclude that the cause of the problem is an Active Directory policy that is in effect in your environment. In this specific case, authenticated users in a domain are assigned the "Add workstations to a domain" user permission and can create up to ten computer accounts in the domain. You receive the error message because you have exceeded this limit.

Example 2: You cannot create a listener because of cluster name account permissions

Sometimes, SQL Server cannot report specific information about why you cannot create a group listener because of insufficient permissions in Active Directory. For example, the cluster name account requires the "Create Computer objects" permission when you create a clustered service or an application. When the cluster name account does not have this permission, SQL Server cannot create the availability group listener. When you try to create a group listener with insufficient permissions, SQL Server can only report the generic error messages "Msg 19471" and "Msg 19476" that are discussed in the "More information" section.

To find the cause of this problem, review the Windows System event log and the Cluster.log file.
  • Review the Windows System event log. To do this, follow these steps:
    1. Click Start, point to Programs, point to Administrative Tools, and then click Event Viewer.
    2. In the console tree, expand Windows Logs, and then click the System log that contains the event that you want to view.
    3. Under the Details tab, scroll through the most recent events and locate event 1194. Under the General tab, several possible reasons for the failure are proposed, such as "The cluster identity '<Domain user>' has Create Computer Objects permissions."
    4. Click the Details tab. In the Friendly View under the EventData section, you can find a more specific error message that resembles the following:
      The specified directory service attribute or value does not exist.
  • Review the entries in Cluster.log file. To do this, follow these steps:
    1. Click Start, point to All Programs, point to Windows PowerShell V2, right-click Windows PowerShell ISE, and then click Run as administrator.
    2. At the command prompt, run the following cmdlet in order to generate a cluster log:
      Get-ClusterLog
    3. Open the Cluster.log file in Notepad.
    4. Click Edit, and then click Find in Notepad, and search for the string "Failed to create Computer Object <DNS name>." Review the results, and you can find a message that resembles the following:

      00000d24.000005f8::<Time stamp> ERR [RES] Network Name: [<Network name>] Failed to create Computer Object <DNS name> in the Active Directory, error 8202

    5. To determine what the error indicates, type Net helpmsg 8202 at the command prompt, and then press Enter.

Conclusion

You can now conclude that the cluster name account does not have the "Create Computer object" permission in the computer container in Active Directory Users and Computers.
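
The checks from steps 1 to 3 and from both examples can be combined into one script. The following is an added example, not part of the original article and not Microsoft's code: it finds the "Failed to create Computer Object" entries for one listener, converts the UTC time stamp to local time, resolves the error code, and then looks for event 1194 around that time. The listener name, domain name, resource names and sample log lines are constructed.

```powershell
# Added example. Sample lines are constructed in the shape of the article's
# Cluster.log excerpts; names and time stamps are placeholders.
# On a cluster node, load the real log instead:
#   Get-ClusterLog | Out-Null
#   $lines = Get-Content "$env:WINDIR\Cluster\Reports\Cluster.log"
$ListenerName = 'AGLISTENER1'   # hypothetical listener network name
$lines = @(
  '00000d24.00000dc8::2013/04/11-17:02:41.310 INFO  [RES] Network Name: [AG1_AGLISTENER1] NetUserAdd object AGLISTENER1 on Sub domain name: \\dc01.example.test, result: 8557',
  '00000d24.00000dc8::2013/04/11-17:02:41.312 ERR   [RES] Network Name: [AG1_AGLISTENER1] Failed to create Computer Object AGLISTENER1 in the Active Directory, error 8557',
  '00000d24.000005f8::2013/04/11-17:40:07.905 ERR   [RES] Network Name: [AG2_OTHERNAME] Failed to create Computer Object OTHERNAME in the Active Directory, error 8202'
)

$pattern = '::(?<utc>\d{4}/\d\d/\d\d-\d\d:\d\d:\d\d\.\d{3})\s+ERR\s.*' +
           'Failed to create Computer Object (?<name>\S+) in the Active Directory, error (?<code>\d+)'

function Get-ListenerCreateFailure {
    param([string[]]$LogLines, [string]$Name)
    foreach ($line in $LogLines) {
        if ($line -match $pattern -and $Matches['name'] -eq $Name) {
            # Cluster.log time stamps are UTC; Event Viewer shows local time.
            $utc = [datetime]::SpecifyKind([datetime]::ParseExact($Matches['utc'],
                   'yyyy/MM/dd-HH:mm:ss.fff',
                   [System.Globalization.CultureInfo]::InvariantCulture), 'Utc')
            $code = [int]$Matches['code']
            New-Object PSObject -Property @{
                TimeUtc   = $utc
                TimeLocal = $utc.ToLocalTime()
                ErrorCode = $code
                # System message for the Win32 error code (what "net helpmsg" looks up)
                Meaning   = (New-Object System.ComponentModel.Win32Exception -ArgumentList $code).Message
            }
        }
    }
}

$failures = @(Get-ListenerCreateFailure -LogLines $lines -Name $ListenerName)
$failures | Format-List TimeUtc, TimeLocal, ErrorCode, Meaning

# Step 3: look for event 1194 in the System log within a minute of each failure.
foreach ($f in $failures) {
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1194
        StartTime = $f.TimeLocal.AddMinutes(-1); EndTime = $f.TimeLocal.AddMinutes(1)
    } -ErrorAction SilentlyContinue | Format-List TimeCreated, Message
}
```

With the constructed lines, only the 8557 entry is returned, because the 8202 entry belongs to a different network name.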

Guidance about the user rights when you create availability group listeners

For more information about how to obtain sufficient permissions in Active Directory when you create availability group listeners in SQL Server, go to the following Microsoft TechNet website:
How to configure Active Directory computer accounts in a failover cluster
Before you create a Windows failover cluster, you have to check whether the domain user account that is running the Create Cluster Wizard has the "Create Computer Objects" permission. For more information, you can view the "Steps for configuring the account for the person who installs the cluster" section of the previously mentioned guide.

If your organization's security policy does not let you grant this permission to a specific user account, you can ask your domain administrators to grant the "Create Computer Objects" permission to the cluster name account after you have created the Windows failover cluster. For more information, you can view the "Steps for prestaging the cluster name account" section of the previously mentioned guide.

When you run the High Availability Wizard, it is usually simpler to let the account be created and configured automatically if you have not prestaged the computer account for a clustered service, an application, or a listener virtual network name. However, if you have to prestage accounts because of requirements in your organization, then follow the steps in the "Steps for configuring the account for a clustered service or application" section of the previously mentioned guide.

Notes
  • To use the procedure that is described in this section, you must have the domain administrator or account operator permission.
  • If you set up an availability group listener across multiple subnets, you must obtain static IP addresses from each subnet that your replica belongs to. Usually, you have to talk to the network administrators to do this.

Properties

Article ID: 2829783 - Last Review: April 11, 2013 - Revision: 4.0
Applies to
  • Microsoft SQL Server 2012 Developer
  • Microsoft SQL Server 2012 Enterprise
  • Microsoft SQL Server 2012 Standard
  • Microsoft SQL Server 2012 Web
  • SQL Server 2012 Enterprise Core