Article ID: 302389 - View products that this article applies to.
This article was previously published under Q302389
This article describes the properties that are available for the Network Name resource in Microsoft Windows Server 2003 that are not included in earlier versions of Windows.
One of the features of the Network Name resource in Windows Server 2003 is the ability to create a computer object in Active Directory that allows programs to use Kerberos as an authentication protocol when the program contacts a service by using a cluster virtual name. Programs on a virtual server that are Active Directory aware now have a correctly-maintained Active Directory computer object. Other features include better DNS integration and three status indicators for NetBIOS, DNS, and Kerberos. The rest of this article describes how to enable and use these features.
Enable Kerberos authenticationNote You receive the following error message if you try to set the Enable Kerberos Authentication option without taking the Network Name resource offline:
A VirtualServer is comprised of a Network Name and IP Address resource. The Network Name resource has been updated for Windows Server 2003 to enable the use of Kerberos authentication and the creation of a corresponding computer object. By default, Kerberos authentication and the creation of a computer object for the VirtualServer is disabled and NTLM is used for authentication. To enable the Kerberos authentication and the creation of a computer object:
An error occurred attempting to set properties: The group or resource is not in the correct state to perform the requested operation. Error ID: 5023 (0000139f)
By default, domain users are limited to creating ten computer objects in the Active Directory. To create more computer objects, you must increase the limit, or the domain administrator can pre-create the computer objects. If the domain administrator gives explicit "Create Computer Objects" rights to the Cluster service account, the quota is over-ridden. If the computer object is pre-created, the Cluster service account will need proper permissions to be able to "hijack" the object so that it can write the correct attributes to it.
The three attributes that are written to the VirtualServer's computer object are:
You can view these attributes by using the Adsiedit.msc utility that is included on the Windows Server 2003 CD-ROM in the SUPPORT folder.
You can view the primary DNS suffix by running the ipconfig /all command at a command prompt. Under Windows IP Configuration, the Primary DNS Suffix section contains the primary DNS suffix that is used for the computer object. Note that the individual network adapters may have different specific suffixes, however, the Network Name resource uses the primary DNS suffix.
Renaming the Network Name and its corresponding computer objectThe process of renaming a VirtualServer that has an associated computer object is similar to renaming a standard Network Name resource, except the resource has to be offline to make the change. Take the Network Name resource offline, and then change the Parameters property to the new name. The Network Name resource will automatically contact Active Directory and change the computer object's name. For the rename operation to be successful, both the Network Name on the cluster and the computer name in the Active Directory must be changed. If both cannot be changed, the original name is rolled back, and the change is not completed. The Cluster service account will require the "Write all Properties" access right to make the change to the computer object. computer objects cannot be manually renamed in the Active Directory Computers and Users MMC.
Disabling Kerberos authenticationThe Cluster service never deletes a computer object from Active Directory. Instead, the Cluster service disables it. To disable the computer object, click to clear the Enable Kerberos Authentication option. After the computer object is disabled, the Network Name resource does not come online until you either select the Enable Kerberos Authentication option again or manually delete the computer object from Active Directory.
DNS settingsThe DNS Registration Must Succeed option on a Network Name resource helps to make sure that DNS is updated before the resource comes online. If you select this option, the DNS HOST (A) record for the VirtualServer must be registered or the Network Name Resource fails to come online. If the DNS server accepts dynamic updates but the record could not be updated, that is considered a failure. If the DNS server does not accept dynamic updates (older versions of DNS) or there are no DNS servers associated with the resource's associated network, the Network Name will still come online. To enable the DNS Registration Must Succeed option, follow these steps:
Status indicatorsWhen you view the properties of a Network Name resource, three status indicators are available, NetBIOS Status, DNS Status, and Kerberos Status. To view these indicators:
Seven parameters for the Network Name resource in Windows Server 2003 that are not included in earlier versions of WindowsThe following parameters under the Network Name resource are used to support the features of the Network Name Resource in Windows Server 2003 that are not included in earlier versions of Windows. To view these Network Name resource parameters, type cluster res "network_name_resource" /priv at a command prompt, and then press ENTER. The parameters are as follows:
Command-line optionsLike most of administration tasks of a server cluster, you can enable the "DNS Registration Must Succeed" and "Enable Kerberos Authentication" features from a command prompt by using the Cluster.exe tool. Cluster.exe is installed by default, so to use it, issue the following commands at a command prompt (assuming you are running these commands from one of the cluster nodes).
To enable the DNS Registration Must Succeed option from the command prompt, type the following command:
cluster res "NETWORK_NAME_RESOURCE" /priv RequireDNS=1Set RequireDNS=0 to disable RequireDNS.
To enable the Enable Kerberos Authentication option from the command prompt, type the following command:
cluster res "NETWORK_NAME_RESOURCE" /priv RequireKerberos=1Set RequireKerberos=0 to disable RequireKerberos.
To view the Status indicators from Cluster.exe, type the following command:
cluster.exe res "NETWORK_NAME_RESOURCE" /privFor more information about Cluster.exe and other uses, see "Help and Support," and then search for Cluster.exe.
The File Replication service and server clustersThe File Replication service (FRS) does not replicate with a file share that is on a server cluster under a virtual server's computer object. The FRS service looks for subscription information only under the node's computer object. The FRS service does not scan the virtual server's computer object. Distributed File System (DFS) uses the FRS to replicate data among multiple servers when a replication policy is enabled. If the DFS link with the replication policy is a virtual server, data is not replicated with any other partner. You may have to use another method to replicate the data. For example, you may have to use a file copy script.
TroubleshootingFor information about troubleshooting the creation and manipulation of computer objects by the Cluster service account, see the following article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/307532/ )Troubleshooting the manipulation of computer objects by the Cluster service account
Contact us for more help
Connect with Answer Desk for expert help.