Allyn
2010-05-17 20:51:01 UTC
We had a SAN that went belly up over the weekend, and we're having problems
getting the cluster back on line. It has been running for some time. There
are 3 errors in the event viewer:
Event ID: 1205; The Cluster service failed to bring clustered service or
application 'printserver' completely online or offline. One or more resources
may be in a failed state. This may impact the availability of the clustered
service or application.
==========
Event ID: 1207; Cluster network name resource 'printserver' cannot be
brought online. The computer object associated with the resource could not be
updated in domain 'domain.com' for the following reason:
Unable to obtain the Primary Cluster Name Identity token.
The text for the associated error code is: An attempt has been made to
operate on an impersonation token by a thread that is not currently
impersonating a client.
The cluster identity 'PRINTSERVERCLUS$' may lack permissions required to
update the object. Please work with your domain administrator to ensure that
the cluster identity can update computer objects in the domain.
=========
Event ID: 1069: Cluster resource 'printserver' in clustered service or
application 'printserver' failed.
==========
A possible related error is on the domain controller:
Event ID 4: The Kerberos client received a KRB_AP_ERR_MODIFIED error from
the server . The target name used was host/PRINTSERVERCLUSTER.DOMAIN.COM.
This indicates that the target server failed to decrypt the ticket provided
by the client. This can occur when the target server principal name (SPN) is
registered on an account other than the account the target service is using.
Please ensure that the target SPN is registered on, and only registered on,
the account used by the server. This error can also happen when the target
service is using a different password for the target service account than
what the Kerberos Key Distribution Center (KDC) has for the target service
account. Please ensure that the service on the server and the KDC are both
updated to use the current password. If the server name is not fully
qualified, and the target domain () is different from the client domain
(DOMAIN.COM), check if there are identically named server accounts in these
two domains, or use the fully-qualified name to identify the server.
========
I apologize if the previous post eventually shows up and there are duplicate
posts, but we urgently need to get this running.
The PRINTSERVERCLUSTER$ account was never deleted from the domain, and per a
couple of similar hits, I added this account to "Access this computer from
the network" under the User Rights Assignment in the Local Security Policy.
I would be very grateful for any thoughts and directions.
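
Added example, not part of the original post: the Event ID 4 text above names an SPN registered on more than one account as one cause of KRB_AP_ERR_MODIFIED, and this PowerShell function reports any SPN held by more than one account. The function name Find-SpnConflict and the sample accounts are hypothetical and constructed for illustration; the commented Get-ADObject line assumes the ActiveDirectory module is available.

```powershell
# Added example: report SPNs that are registered on more than one account.
# Find-SpnConflict is a hypothetical helper, not a built-in cmdlet.
function Find-SpnConflict {
    param(
        # Objects exposing sAMAccountName and servicePrincipalName
        [Parameter(Mandatory)] [object[]] $Account,
        # Wildcard to narrow the check to one service name
        [string] $SpnPattern = '*'
    )
    # Hashtable literals compare keys case-insensitively, which matches
    # how SPNs are compared.
    $owners = @{}
    foreach ($a in $Account) {
        foreach ($spn in @($a.servicePrincipalName)) {
            if (-not $spn -or $spn -notlike $SpnPattern) { continue }
            if (-not $owners.ContainsKey($spn)) { $owners[$spn] = @() }
            $owners[$spn] += $a.sAMAccountName
        }
    }
    # Emit one object per SPN that has more than one owner.
    foreach ($spn in $owners.Keys) {
        if ($owners[$spn].Count -gt 1) {
            [pscustomobject]@{
                Spn      = $spn
                Accounts = $owners[$spn] -join ', '
            }
        }
    }
}

# Constructed sample data: OLDPRINT01$ and FILESRV01$ are made-up accounts.
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'PRINTSERVERCLUS$'
        servicePrincipalName = @('host/PRINTSERVERCLUSTER.DOMAIN.COM', 'host/PRINTSERVERCLUSTER') }
    [pscustomobject]@{ sAMAccountName = 'OLDPRINT01$'
        servicePrincipalName = @('HOST/printservercluster.domain.com') }
    [pscustomobject]@{ sAMAccountName = 'FILESRV01$'
        servicePrincipalName = @('host/FILESRV01.DOMAIN.COM') }
)

Find-SpnConflict -Account $sample -SpnPattern 'host/PRINTSERVERCLUSTER*'

# Live data instead of the sample (requires the ActiveDirectory module):
# $live = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
#             -Properties sAMAccountName, servicePrincipalName
# Find-SpnConflict -Account $live -SpnPattern 'host/PRINTSERVERCLUSTER*'
```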