Active Directory access rights for creating a computer object

By default, members of the Authenticated Users group are granted the Add workstations to domain user right on the domain controllers. Computer objects created under this right are counted against the domain's ms-DS-MachineAccountQuota attribute, which by default allows each account to create a maximum of ten computer objects. If you exceed this quota, the following event ID message is logged:
If several clusters use the same domain account as their Cluster service account, all of their virtual server computer objects are charged against that one account's quota, so you may receive this error message before ten computer objects have been created in any given cluster. One way to resolve this issue is to grant the Cluster service account the Create Computer Objects permission on the Computers container (or on whichever container the cluster creates its objects in). An account that holds this permission is not subject to the ten-object quota of the Add workstations to domain user right. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
- Log on to the domain controller on which the Cluster service account is stored.
- Start the Domain Controller Security Policy program from Administrative Tools.
- Click to expand Local Policies, and then click to expand User Rights Assignments.
- Double-click Add Workstations to a Domain and note the accounts that are listed.
- The Authenticated Users group (the default group) should be listed. If it is not listed, you must grant this user right to either the Cluster service account or a group that contains the Cluster service account on the domain controllers.
Note You must grant this user right to the domain controllers because computer objects are created on the domain controllers.
- If you explicitly add the Cluster service account to this user right, run gpupdate on the domain controller (or run secedit /refreshpolicy machine_policy on Windows 2000) so that the change is applied locally; the modified policy then reaches the other domain controllers through normal Active Directory and SYSVOL replication and is applied at their next policy refresh.
- Verify that the policy will not be overwritten by another policy. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:250842 Troubleshooting Group Policy application problems
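The following PowerShell script is an added example and is not part of the Knowledge Base article. It shows how to check the quota described above, how many computer objects a cluster service account has already created against it, and how to apply the article's fix of granting Create Computer Objects on the Computers container. It assumes the ActiveDirectory module (Windows Server 2008 R2 and later); the account name CONTOSO\clussvc is hypothetical.

```powershell
# Added example (not from KB 307532). Assumes the ActiveDirectory module and an
# account with rights to read the domain object and modify the container ACL.
# CONTOSO\clussvc is a hypothetical Cluster service account.
Import-Module ActiveDirectory

$serviceAcct = 'CONTOSO\clussvc'   # hypothetical Cluster service account
$domain      = Get-ADDomain
$domainDn    = $domain.DistinguishedName
$sid         = (New-Object System.Security.Principal.NTAccount($serviceAcct)).Translate(
                   [System.Security.Principal.SecurityIdentifier])

# 1. The ten-object limit is the domain's ms-DS-MachineAccountQuota attribute,
#    not a property of the "Add workstations to domain" user right itself.
$quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

# 2. A computer object created under the quota records its creator in mS-DS-CreatorSID.
#    Every cluster that shares this service account draws on the same quota, so
#    count all objects in the domain that the account created.
$owned = Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID' | Where-Object {
    $creator = $_.'mS-DS-CreatorSID'
    if ($creator -is [byte[]]) {   # the attribute may come back as raw SID bytes
        $creator = New-Object System.Security.Principal.SecurityIdentifier($creator, 0)
    }
    $creator -and ($creator -eq $sid)
}
"{0}: {1} of {2} quota slots used" -f $serviceAcct, @($owned).Count, $quota

# 3. Grant Create Computer Objects: a CreateChild ACE limited to the computer
#    class on the container the cluster creates objects in. Accounts holding this
#    permission are not subject to the quota. The class GUID is read from the
#    schema instead of being hard-coded.
$container = $domain.ComputersContainer   # CN=Computers,<domain> unless redirected
$schemaNc  = (Get-ADRootDSE).SchemaNamingContext
$computerClassGuid = [Guid](Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID

$acl  = Get-Acl -Path "AD:\$container"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $computerClassGuid)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$container" -AclObject $acl

# 4. Show the resulting ACEs for the account so the grant can be confirmed.
(Get-Acl -Path "AD:\$container").Access |
    Where-Object { $_.IdentityReference -eq $serviceAcct } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType
```

If the domain's default computers container has been redirected with redircmp, ComputersContainer already reflects the new location; grant the permission on the container the virtual server objects actually land in, because Create Computer Objects on one container does nothing for objects created elsewhere.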
Cluster Service account does not have proper user rights on local node

Verify that the Cluster Service account has the appropriate user rights on each node of the cluster. The Cluster Service account must be a member of the local Administrators group and must hold the rights listed below. These rights are granted to the Cluster Service account when the cluster node is configured. It is possible that a higher-level policy is overwriting the local policy, or that an upgrade from a previous operating system did not add all of the required rights. To verify that these rights are granted on the local node, follow these steps:
- Start the Local Security Settings console from the Administrative Tools group.
- Navigate to User Rights Assignments under Local Policies.
- Verify that the Cluster Service account has explicitly been given the following rights:
- Log on as a service
- Act as part of the operating system
- Back up files and directories
- Adjust memory quotas for a process
- Increase scheduling priority
- Restore files and directories
Note If the Cluster Service account has been removed from the local Administrators Group, manually re-create the Cluster service account and give the Cluster Service the required rights. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:269229 How to manually re-create the Cluster service account
If you are in a Windows Server 2003 domain, search in Help and Support on "RSOP" for instructions on using Resultant Set of Policy.
If the Cluster Service account does not have the "Act as part of the operating system" right, the Network Name resource will fail and the Cluster.log will register the following:
Use the steps above to verify that the Cluster Service account has all the required rights. If the local security policy is being overwritten by a domain or organizational unit (OU) Group Policy, there are several options. One is to place the cluster nodes in their own OU and block policy inheritance on that OU, so that the higher-level policy no longer replaces the local user rights assignments; note that a GPO set to No Override (Enforced) still applies to the blocked OU. Another is to add the Cluster Service account to the user rights assignments in the overriding GPO itself.
Required access rights when using a pre-created computer object

If the Authenticated Users group and the Cluster service account are blocked from creating computer objects, a domain administrator must pre-create the virtual server computer object and grant the Cluster service account certain access rights on it. The Cluster service locates and updates the computer object whose name matches the NetBIOS name of the virtual server. If the permissions on that object are wrong, one of the following event ID messages may be logged in the system log:
Event message 1
Event message 2
Event message 3

To verify that the Cluster service account has the proper permissions on the computer object:
- Start the Active Directory Users and Computers snap-in from Administrative Tools.
- On the View menu, click Advanced Features.
- Locate the computer object that you want the Cluster service account to use.
- Right-click the computer object, and then click Properties.
- Click the Security tab, and then click Add.
- Add the Cluster service account or a group that the Cluster Service account is a member of.
- Grant the user or the group the following permissions:
- Reset Password
- Validated Write to DNS Host Name
- Validated Write to Service Principal Name
- Click OK.
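The same three permissions can be granted from the command line. The script below is an added example, not code from the Knowledge Base article; it assumes the ActiveDirectory module, a pre-created computer object named CLUSTERSQL and a service account CONTOSO\clussvc, all of which are hypothetical names. The rights are looked up by display name in the Extended-Rights container rather than hard-coded, because Reset Password is an extended right while the two validated writes are "Self" (validated write) permissions, and the two kinds need different ACE types.

```powershell
# Added example (not from KB 307532). Grants a Cluster service account the three
# permissions the article requires on a pre-created virtual server computer object.
# CLUSTERSQL and CONTOSO\clussvc are hypothetical names; needs the ActiveDirectory
# module and rights to modify the computer object's security descriptor.
Import-Module ActiveDirectory

$computerName = 'CLUSTERSQL'        # NetBIOS name of the virtual server (hypothetical)
$serviceAcct  = 'CONTOSO\clussvc'   # Cluster service account (hypothetical)

$computer = Get-ADComputer -Identity $computerName
$adPath   = "AD:\" + $computer.DistinguishedName
$sid      = (New-Object System.Security.Principal.NTAccount($serviceAcct)).Translate(
                [System.Security.Principal.SecurityIdentifier])

# Resolve the rightsGuid of each control access right from the schema's
# Extended-Rights container, keyed by the display name shown in the GUI.
$configNc = (Get-ADRootDSE).ConfigurationNamingContext
$rights = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
             -LDAPFilter '(objectClass=controlAccessRight)' `
             -Properties displayName, rightsGuid |
    ForEach-Object { $rights[$_.displayName] = [Guid]$_.rightsGuid }

$allow = [System.Security.AccessControl.AccessControlType]::Allow
$rules = @(
    # Reset Password: an extended right (ExtendedRight ACE).
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
        $rights['Reset Password']),
    # Validated writes: "Self" ACEs scoped to the validated-write GUID.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::Self, $allow,
        $rights['Validated write to DNS host name']),
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::Self, $allow,
        $rights['Validated write to service principal name'])
)

$acl = Get-Acl -Path $adPath
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $adPath -AclObject $acl

# Confirm what the account now holds on the object: expect one ExtendedRight ACE
# and two Self ACEs, each with the matching ObjectType GUID.
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.IdentityReference -eq $serviceAcct } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType
```

Granting Reset Password to the service account lets it rotate the computer object's password, which is why the article limits the grant to this one object rather than the whole container: an account that can reset the password of arbitrary computer objects can impersonate those computers.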
Network Name resource does not come online when Kerberos is disabled

A Network Name resource does not come online if a matching computer object already exists in Active Directory but the Enable Kerberos Authentication option is not selected on the resource. To resolve the issue, use either of the following procedures:
- Delete the corresponding computer object in Active Directory.
- Click Enable Kerberos Authentication on the Network Name resource.
Article ID: 307532 - Last Review: Jan 7, 2008 - Revision: 1