Patching a passive cluster node using a Configuration Manager 2007 Software Update fails with exit code -2068578304

Article ID: 2855474
Symptoms

When patching a passive cluster node using a System Center Configuration Manager 2007 Software Update task sequence, the following error message is reported in the summary log file:

Final result: The patch installer has failed to update the shared features. To determine the reason for failure, review the log files.
Exit code (Decimal): -2068578304 
Exit facility code: 1204 
Exit error code: 0 
Exit message: The SQL Server failover cluster instance <name> was not correctly detected. The instance was discovered on the local node but it was not found to be active. To continue, confirm the state of the instance installed on all applicable nodes of the cluster and the state of the failover cluster resources. 

Cause

This can occur if you are using a Software Update to patch a passive cluster node. When deploying a Software Update, Configuration Manager runs the Windows Update Agent (WUA) under the local system account. By default, that account does not have the permissions needed to access the remote registry on the partner node, so the active node cannot be detected. Because the active node cannot be detected, the patch cannot be applied.

Workaround

There are three optional workarounds for this issue:

Option 1: Use Configuration Manager to install the patch on the ACTIVE cluster node first.

Option 2: Use Configuration Manager and choose the Software Distribution method rather than the Software Update method. See http://technet.microsoft.com/en-us/library/bb680550.aspx for more information.

NOTE: Please make sure that the “Program can run:” setting is configured for “Only when a user is logged on” and the “Run mode” setting is configured as “Run with user’s rights”.

Option 3: Grant the appropriate computer account (e.g. NTADMIN\computername$) read permissions to the following registry key on every node of the cluster:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
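
One way to apply Option 3 from an elevated PowerShell prompt, shown as an added example that is not part of the original article: it grants read access on the winreg key to the named computer accounts only where no matching allow rule already exists, then prints the resulting ACL for review. The `-ComputerAccount` parameter name is hypothetical, and its values must be the real DOMAIN\computername$ accounts of the cluster nodes.

```powershell
# Added example (not from the original article): grant read access on the
# winreg key to partner-node computer accounts. Run elevated on every node.
param(
    # Hypothetical parameter: real DOMAIN\computername$ account(s) of the cluster nodes.
    [Parameter(Mandatory = $true)]
    [string[]]$ComputerAccount
)

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$acl     = Get-Acl -Path $keyPath
$changed = $false

foreach ($account in $ComputerAccount) {
    # Resolve the name to a SID first so a typo fails here, before any change is made.
    $nt  = New-Object System.Security.Principal.NTAccount($account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])

    # Skip accounts that already hold an Allow rule covering ReadKey.
    $readKey  = [System.Security.AccessControl.RegistryRights]::ReadKey
    $existing = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.RegistryRights -band $readKey) -eq $readKey)
        }
    if ($existing) {
        Write-Output "$account already has read access; nothing to do."
        continue
    }

    # Read only, on this key only: the rule is not propagated to subkeys.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $sid, 'ReadKey', 'None', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    $changed = $true
    Write-Output "Adding ReadKey for $account"
}

if ($changed) { Set-Acl -Path $keyPath -AclObject $acl }

# Print the resulting ACL so the change can be reviewed and recorded.
(Get-Acl -Path $keyPath).Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
```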

More information

This issue is by design, as we cannot specify another account when performing a Software Update. Configuration Manager 2007 (ConfigMgr 2007) cannot guarantee that all machines will have a particular user-defined account that can launch the update, so it is hard-coded to use the built-in account “NT AUTHORITY\SYSTEM”. All machines have this account by default, and it has local admin permissions.

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2855474 - Last Review: June 10, 2013 - Revision: 1.0
Keywords: 
KB2855474
