This article describes some of the changes that have been made to Cluster service-related event log messages in Microsoft Windows Server 2003 Service Pack 1 (SP1) and Update Rollup 1 for Microsoft Windows 2000 Service Pack 4 (SP4).
The Cluster service is a service that requires a domain user account.
The server cluster Setup program changes the local security policy for this account by granting a set of user rights to the account. Additionally, this account is made a member of the local Administrators group.
If one or more of these user rights are missing, the Cluster service may stop immediately during startup or later, depending on when the Cluster service requires the particular user right.
In Windows Server 2003 and Windows 2000 Server, you receive notification that a user right that was not granted to the Cluster service account was required for cluster operation. However, this notification does not indicate which required user right is missing.
Windows Server 2003 SP1 and Update Rollup 1 for Windows 2000 SP4 include changes that help resolve this issue. These changes are in the Service Control Manager (SCM) program and in the Cluster service.
Changes to Service Control Manager
The Cluster service now detects when the Cluster service account is not a member of the local Administrators group. In this scenario, the following error is logged:
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Type: Error
User: N/A
Computer: Computer_Name
Description: The Service_Name service terminated with the following error.
The specified user account is not a member of the specified group account.
In this scenario, if you try to start the Cluster service at a command prompt, you receive the following error:
C:\WINDOWS\Cluster>net start clussvc
The Cluster Service service is starting.
The Cluster Service service could not be started.
A system error has occurred.
System error 1321 has occurred.
The specified user account is not a member of the specified group account.
Additionally, the SCM has been modified to detect when the Cluster service account does not have the “Log on as a Service” user right assigned. In this scenario, a new event, Event ID 7041, appears in the system event log. Event ID 7041 appears as follows:
Event Source: Service Control Manager
Event Category: None
Event ID: 7041
Type: Error
User: N/A
Computer: Computer_Name
Description: The Service_Name service was unable to log on as domain\account with the currently configured password due to the following error:
Logon failure: the user has not been granted the requested logon type at this computer.
This account is missing the “Log on as a Service” user right. This right must be granted to the service account in order to run this service. The Local Security Policy editor (secpol.msc) can be used to grant this privilege to the account on this machine. If this node is a member of a cluster, check that this user right is granted to the service account on all nodes in this cluster.
If this user right continues to be revoked from the service account, it might be the result of a Group Policy object removing the privilege. Check with your domain administrator to determine if this is the cause of the revocation.
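The event text above asks you to confirm that "Log on as a Service" is granted on every node. The following PowerShell is an added example, not code from this article or from Microsoft: it parses the [Privilege Rights] section of a security policy export and reports, per node, whether the account holds SeServiceLogonRight. It assumes each node's policy was exported with secedit; the node names, SIDs and INF text are constructed sample data.

```powershell
# Added example: check "Log on as a service" (SeServiceLogonRight) per cluster node.
# Real input per node:  secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
# Node names, SIDs and INF text below are constructed sample data.
$accountSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'  # hypothetical service account SID

$exports = @{
    'NODE1' = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
'@
    'NODE2' = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
'@
}

function Get-PrivilegeRights {
    param([string]$InfText)
    $rights = @{}
    $inSection = $false
    foreach ($line in ($InfText -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Only entries under [Privilege Rights] are user-right assignments.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            # Holders are comma-separated; SIDs carry a leading '*'.
            $rights[$name] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return $rights
}

foreach ($node in ($exports.Keys | Sort-Object)) {
    $rights = Get-PrivilegeRights -InfText $exports[$node]
    $granted = $rights['SeServiceLogonRight'] -contains $accountSid
    '{0}: SeServiceLogonRight granted directly to account = {1}' -f $node, $granted
}
```

The check matches direct grants only; a right granted through a group appears in the export under that group's SID, so compare against the account's group SIDs as well before concluding that the right is missing.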
Changes to the Cluster service
When the Cluster service starts, it now checks the user rights that are granted to the Cluster service account together with the Cluster service account's group membership.
If an incorrect configuration is detected, the Cluster service stops, and an appropriate message is either displayed on the computer or logged in the system event log. In this scenario, the Cluster service starts and continues to run only after the appropriate corrections are made to the Cluster service account. Therefore, the server cluster administrator is quickly alerted that a problem exists with the Cluster service account configuration.
In this scenario, the Cluster service logs Event ID 1234 in the system event log. Event ID 1234 appears as follows:
The Cluster Service Account (CSA) is missing the following required user rights (privileges) in order to correctly operate:
list of missing privilege display names
These privileges, which were granted to the CSA during Cluster setup, must be present before running the Cluster Service. You can grant these privileges via the Local Security Policy editor (secpol.msc) or through a Group Policy object that is associated with the CSA's user object in the DS.
If the privileges continue to be removed from the CSA, check with your domain administrator that a Group Policy Object is in place that is stripping the privileges from the CSA. If so, this GPO must not be applied to the CSA.
In this scenario, when you try to start the Cluster service at a command prompt, you receive the following system error:
C:\WINDOWS\cluster>net start clussvc
The Cluster Service service is starting.
The Cluster Service service could not be started.
A system error has occurred.
System error 1314 has occurred.
A required privilege is not held by the client.
In Windows Server 2008, the failover cluster does not use a domain user account to run the Cluster service. Instead, the Windows Server 2008 failover cluster logs on by using the Local System account. Therefore, the information in this article does not apply.
However, if this setting is changed, the Cluster service fails to start. Additionally, you may receive the following error message in the Services management console:
Service: Windows could not start the Cluster Service service on Local Computer. Error 1297: A privilege that the service requires to function properly does not exist in the service account configuration.
Additionally, an event that resembles the following event is logged in the System log:
Log Name: System
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Task Category: None
Type: Error
Keywords: Classic
User: N/A
Computer: Computer_Name
Description: The Cluster Service service failed to start due to the following error:
A privilege that the service requires to function properly does not exist in the service account configuration. You may use the Services Microsoft Management Console (MMC) snap-in (services.msc) and the Local Security Settings MMC snap-in (secpol.msc) to view the service configuration and the account configuration.
For more information about the rights that are required for a server cluster in Windows 2000 and in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:
269229 How to manually re-create the Cluster service account
For more information about how to configure and secure a server cluster, visit the following Microsoft Web site: