Discussion:
Clustering problems - Network Name offline
Allyn
2010-05-17 20:51:01 UTC
We had a SAN that went belly up over the weekend, and we're having problems
getting the cluster back on line. It has been running for some time. There
are 3 errors in the event viewer:

Event ID: 1205; The Cluster service failed to bring clustered service or
application 'printserver' completely online or offline. One or more resources
may be in a failed state. This may impact the availability of the clustered
service or application.

==========
Event ID: 1207; Cluster network name resource 'printserver' cannot be
brought online. The computer object associated with the resource could not be
updated in domain 'domain.com' for the following reason:
Unable to obtain the Primary Cluster Name Identity token.

The text for the associated error code is: An attempt has been made to
operate on an impersonation token by a thread that is not currently
impersonating a client.


The cluster identity 'PRINTSERVERCLUS$' may lack permissions required to
update the object. Please work with your domain administrator to ensure that
the cluster identity can update computer objects in the domain.
=========



Event ID: 1069: Cluster resource 'printserver' in clustered service or
application 'printserver' failed.

==========

A possible related error is on the domain controller:

Event ID 4: The Kerberos client received a KRB_AP_ERR_MODIFIED error from
the server . The target name used was host/PRINTSERVERCLUSTER.DOMAIN.COM.
This indicates that the target server failed to decrypt the ticket provided
by the client. This can occur when the target server principal name (SPN) is
registered on an account other than the account the target service is using.
Please ensure that the target SPN is registered on, and only registered on,
the account used by the server. This error can also happen when the target
service is using a different password for the target service account than
what the Kerberos Key Distribution Center (KDC) has for the target service
account. Please ensure that the service on the server and the KDC are both
updated to use the current password. If the server name is not fully
qualified, and the target domain () is different from the client domain
(DOMAIN.COM), check if there are identically named server accounts in these
two domains, or use the fully-qualified name to identify the server.

========

I apologize if the previous post eventually shows up and there are duplicate
posts, but we urgently need to get this running.

The PRINTSERVERCLUSTER$ account was never deleted from the domain, and per a
couple of similar hits, I added this account to "Access this computer from
the network" under the User Rights Assignment in the Local Security Policy.

I would be very grateful for any thoughts and directions.
frankm
2010-05-18 16:47:14 UTC
If you lost the quorum drive, you may be stuck, but...
Try this... clusterrecovery, the name is a little deceiving.
http://www.microsoft.com/downloads/details.aspx?familyid=2be7ebf0-a408-4232-9353-64aafd65306d&displaylang=en

Explanation
http://blogs.technet.com/askcore/archive/2007/11/12/so-what-does-cluster-recovery-actually-recover-anyway.aspx


frankm
Russ Kaufmann
2010-05-18 18:46:27 UTC
Post by Allyn
> We had a SAN that went belly up over the weekend, and we're having problems
> getting the cluster back on line. It has been running for some time. There

Just based on the SAN failure, I am betting that you have some disk
signature issues. So, the previous post about using the clusterrecovery.exe
tool is a good first step. Does the quorum disk come online?

Since the SAN failed, it is likely that the SAN configurations for the HBA
WWNs have been lost and not properly reconfigured. Make sure that you reset
the LUN masks.

If the SAN has been reconfigured, you should be able to at least see the
cluster disk from each node. Can you do that? You will also need to be able
to see the disk used for the printer spool with any shared drivers that you
might have installed there, too.

Post by Allyn
> Event ID: 1205; The Cluster service failed to bring clustered service or
> application 'printserver' completely online or offline. One or more resources
> may be in a failed state. This may impact the availability of the clustered
> service or application.

So, the name itself isn't coming online? Well, that is completely different
from a disk error. Does the name still map to the cluster's virtual IP in
DNS? Is the name still valid in AD?

Post by Allyn
> ==========
> Event ID: 1207; Cluster network name resource 'printserver' cannot be
> brought online. The computer object associated with the resource could not be
> Unable to obtain the Primary Cluster Name Identity token.

This again points to the name resource being the problem here. Can you
create a new name resource dependent on the IP and see if it comes online?
If so, then you might want to delete the AD computer account and recreate
it. If there is a problem with creating a new name resource, then you may
have to take other steps. Of course, you can always create another IP
resource and name resource to verify that they will come online. This will
at least tell you if there is a problem with the cluster services.

Post by Allyn
> The text for the associated error code is: An attempt has been made to
> operate on an impersonation token by a thread that is not currently
> impersonating a client.
> The cluster identity 'PRINTSERVERCLUS$' may lack permissions required to
> update the object. Please work with your domain administrator to ensure that
> the cluster identity can update computer objects in the domain.
> =========

This sounds like a Cluster Name Object (CNO) issue.

Post by Allyn
> Event ID: 1069: Cluster resource 'printserver' in clustered service or
> application 'printserver' failed.

With everything else failing, this is fully expected to also fail. <G>

Post by Allyn
> ==========
> Event ID 4: The Kerberos client received a KRB_AP_ERR_MODIFIED error from
> the server . The target name used was host/PRINTSERVERCLUSTER.DOMAIN.COM.
> This indicates that the target server failed to decrypt the ticket provided
> by the client. This can occur when the target server principal name (SPN) is
> registered on an account other than the account the target service is using.
> Please ensure that the target SPN is registered on, and only registered on,
> the account used by the server. This error can also happen when the target
> service is using a different password for the target service account than
> what the Kerberos Key Distribution Center (KDC) has for the target service
> account. Please ensure that the service on the server and the KDC are both
> updated to use the current password. If the server name is not fully
> qualified, and the target domain () is different from the client domain
> (DOMAIN.COM), check if there are identically named server accounts in these
> two domains, or use the fully-qualified name to identify the server.

Have you run setspn with the name?

Good luck.
--
Russ Kaufmann
MVP, MCT, MCITP x7, MCTS x9, MCSE x4, CTT+
ClusterHelp.com, a Microsoft Gold Certified Partner

Email:***@clusterhelp.com
http://www.clusterhelp.com
Blog: http://msmvps.com/clusterhelp
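
Added example, not part of the thread or of any poster's reply: the Event ID 4 text names two causes for KRB_AP_ERR_MODIFIED, an SPN registered on the wrong or on more than one account, and a password mismatch between the service and the KDC. The PowerShell below lists every account in the current domain that holds the SPN from that event, with the time the KDC's copy of each password was last set; the function name `Get-SpnHolder` is hypothetical.

```powershell
# Added example (not from the thread): list every AD account holding one SPN.
# Run on a domain-joined machine. Searches the current domain only.
function Get-SpnHolder {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Spn
    )

    # Escape LDAP filter metacharacters (RFC 4515) so the SPN is matched literally.
    # The backslash must be escaped first.
    $escaped = $Spn.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')

    $searcher = [adsisearcher]"(servicePrincipalName=$escaped)"
    $searcher.PageSize = 500
    foreach ($p in 'sAMAccountName', 'distinguishedName', 'pwdLastSet') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    foreach ($hit in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Account     = [string]$hit.Properties['samaccountname'][0]
            DN          = [string]$hit.Properties['distinguishedname'][0]
            # pwdLastSet is a FILETIME: when the directory's copy of the password last changed.
            PasswordSet = [datetime]::FromFileTimeUtc([int64]$hit.Properties['pwdlastset'][0])
        }
    }
}

# SPN taken from the Event ID 4 text quoted in the thread.
$spn     = 'host/PRINTSERVERCLUSTER.DOMAIN.COM'
$holders = @(Get-SpnHolder -Spn $spn)

switch ($holders.Count) {
    0       { Write-Warning "$spn is not registered on any account." }
    1       { Write-Output  "$spn is registered only on $($holders[0].Account)." }
    default { Write-Warning "$spn is registered on $($holders.Count) accounts; it must be on exactly one." }
}
$holders | Format-Table Account, PasswordSet, DN -AutoSize
```

`setspn -Q host/PRINTSERVERCLUSTER.DOMAIN.COM` performs the same lookup with the built-in tool, and `setspn -X` reports duplicate SPNs across the domain.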
RCan
2010-05-18 19:23:41 UTC
Hi Russ, Hi Allyn,

I would also bet on "CNO" issues :-)

Check this out to "repair" the CNO in your Active Directory:
Failover Cluster Step-by-Step Guide: Configuring Accounts in Active Directory
http://technet.microsoft.com/en-us/library/cc731002(WS.10).aspx
especially the section "Steps for troubleshooting problems related to accounts
used by the cluster"

Hope that helps

Regards
Ramazan