Access denied when adding a second node

Discussion:

(too old to reply)

Pascal MIETLICKI

2010-04-29 15:15:34 UTC

Hi all,

We have an existing cluster with 1 node but when we try to add a second
node we have an error.
With the command : cluster /add /node:boxi2
It returns :
Configuration du noud boxi2
---------------------------------------
12% Validation de l'‚tat du cluster sur le noud boxi2.Cette phase a
‚chou‚ pour l'objet cluster ®ÿboxi2ÿ¯ avec le statut d'erreur
-2147024891 (0x80070005).
Cette phase a ‚chou‚ pour l'objet cluster ®ÿboxi2ÿ¯ avec le statut
d'erreur -2147024891 (0x80070005).
Nettoyage en cours de boxi2.
L'erreur systŠme 5 s'est produite (0x00000005).

Sorry it's in French, but the last part of the error is : Access denied
(just after cleanup of boxi2 node).

With the graphic tool (in cluster management), we have : "An error
occured when adding node "boxi2" to the cluster "clusterboxi".

We have several questions :
Is it required to have the cluster service started on the second node
(the one we are trying to add to the cluster)?
Would it be a problem with registry permission?

We tried to find solutions on technet but we didn't find any.

Thank you in advance for all the help you could provide.

Best regards,
P.MIETLICKI
P.EMILE

RCan

2010-04-29 19:10:29 UTC

Permalink

Hi Pascal,

sounds for me like an cleanup issue. Was the node which you cannot join to
the cluster before an member of an cluster before ?
If you are still runnig an windows 2003 cluster please try to run the
cluster.exe with the /force /cleanup parameters.
http://technet.microsoft.com/en-us/library/cc739895(WS.10).aspx
cluster node /force[cleanup] /evict

And check this :
Subsequent nodes cannot join a cluster, and events 1070 and 1009 are logged
with Windows Server 2003
http://support.microsoft.com/kb/886717/en-us

MS Cluster Server Troubleshooting and Maintenance
http://technet.microsoft.com/en-us/library/cc723248.aspx

Regards
Ramazan

Post by Pascal MIETLICKI
Hi all,
We have an existing cluster with 1 node but when we try to add a second
node we have an error.
With the command : cluster /add /node:boxi2
Configuration du noud boxi2
---------------------------------------
12% Validation de l'‚tat du cluster sur le noud boxi2.Cette phase a ‚chou‚
pour l'objet cluster ®ÿboxi2ÿ¯ avec le statut d'erreur -2147024891
(0x80070005).
Cette phase a ‚chou‚ pour l'objet cluster ®ÿboxi2ÿ¯ avec le statut
d'erreur -2147024891 (0x80070005).
Nettoyage en cours de boxi2.
L'erreur systŠme 5 s'est produite (0x00000005).
Sorry it's in French, but the last part of the error is : Access denied
(just after cleanup of boxi2 node).
With the graphic tool (in cluster management), we have : "An error occured
when adding node "boxi2" to the cluster "clusterboxi".
Is it required to have the cluster service started on the second node (the
one we are trying to add to the cluster)?
Would it be a problem with registry permission?
We tried to find solutions on technet but we didn't find any.
Thank you in advance for all the help you could provide.
Best regards,
P.MIETLICKI
P.EMILE

Pascal MIETLICKI

2010-04-30 09:35:16 UTC

Permalink

Hi,

Thank you for the answer.
We forgot to say that we are under Windows server 2008. We made some
more tests, we created a new cluster in order to test if we can add the
node that normally has an "Access denied" with the initial cluster and
it worked.

But we can't remove the initial cluster (the person in charge does not
allow us to do this), and when we try to add a second node to this "odd"
cluster, we have the "Access denied" message... So it's very strange and
we don't know how to "repair" this cluster.
We tried the solution you sent (cluster node boxi2 /forcecleanup /evict,
the evict option indicates that the node is not inside the cluster) and
it didn't change anything (still the "Access denied" message).

My suggestion would be to delete the initial cluster and re-create a new
one with the 2 nodes inside but I'm not allowed to do it, so the only
option is to figure out what's going on with the existing cluster and
repair it.

Thank you very much for your help.

RCan

2010-05-01 19:38:44 UTC

Permalink

Can you please share more details what happens on eventlog / cluster log
sides (cluster log /gen) ?

PS : Are you domain administrator when you do this and why are you "not
allowed" to reinstall the cluster ?

Regards
Ramazan

Post by Pascal MIETLICKI
Hi,
Thank you for the answer.
We forgot to say that we are under Windows server 2008. We made some more
tests, we created a new cluster in order to test if we can add the node
that normally has an "Access denied" with the initial cluster and it
worked.
But we can't remove the initial cluster (the person in charge does not
allow us to do this), and when we try to add a second node to this "odd"
cluster, we have the "Access denied" message... So it's very strange and
we don't know how to "repair" this cluster.
We tried the solution you sent (cluster node boxi2 /forcecleanup /evict,
the evict option indicates that the node is not inside the cluster) and it
didn't change anything (still the "Access denied" message).
My suggestion would be to delete the initial cluster and re-create a new
one with the 2 nodes inside but I'm not allowed to do it, so the only
option is to figure out what's going on with the existing cluster and
repair it.
Thank you very much for your help.

Pascal MIETLICKI

2010-05-03 10:28:52 UTC

Permalink

Hi,

We did have the right to re-create it (administrative agreement) but we
still have a problem when we try to add a second node (whatever node it is).

For example, if I create a cluster with 2 nodes inside directly, we have :
"error status -2147024891 (0x80070005).
System error 5 happened (0x00000005)."

If I create a cluster with only one node (boxi1 or boxi2), it works
fine. But I have the same error message when I try to add the second node.

In Event log, we have :
"Le nœud « BOXI2 » n’a pas pu établir de session de communication
lorsqu’il a joint le cluster. Cela est dû à un problème
d’authentification. Assurez-vous que les nœuds exécutent des versions
compatibles du logiciel de service de cluster."

Which means :
"Node boxi2 failed to establish a communication session while joining
the cluster. This was due to an authentication failure. Please verify
that the nodes are running compatible versions of the cluster service
software."

We have no idea of what we can do to solve it. We checked the rights in
AD, we deleted the cluster and its objects in AD, but it happens
everytime we try to create a new one (whatever name we give to it).

I'm looking forward for your help.

Regards,

Pascal MIETLICKI

2010-05-04 07:27:09 UTC

Permalink

Hi all,

I forgot to mention that all the validation tests (with the 2 nodes we
try to join) are done correctly (via the validation tool). It says that
it would normally function like a charm. But we have the "access
refused" and the "failed to establish a communication session while
joining the cluster".

We have almost the same problem than :
http://social.technet.microsoft.com/Forums/en-US/winserverClustering/thread/a7bd3fa5-4349-4115-ae25-67670c3aab85

We really need your help, we have no clue.

Thank you very much.

Regards,

Russ Kaufmann

2010-05-04 15:51:27 UTC

Permalink

Post by Pascal MIETLICKI
Hi all,
I forgot to mention that all the validation tests (with the 2 nodes we try
to join) are done correctly (via the validation tool). It says that it
would normally function like a charm. But we have the "access refused" and
the "failed to establish a communication session while joining the
cluster".
http://social.technet.microsoft.com/Forums/en-US/winserverClustering/thread/a7bd3fa5-4349-4115-ae25-67670c3aab85
We really need your help, we have no clue.

OK, so let's go to some basic troubleshooting steps.
1. Can you ping from one server to the other by using the public IP address?
2. Can you ping from one server to the other by using the private/heartbeat
IP address?
3. Did you uncheck the register this network connection in DNS for the
private network adapter?
4. Can you run, "Net view \\servername" from one node to the other?
5. Have you tried disabling the Windows firewall on all network connections?

Hopefully some of these steps will get you going the right direction.

--
Russ Kaufmann
MVP, MCT, MCITP x7, MCTS x9, MCSE x4, CTT+
ClusterHelp.com, a Microsoft Gold Certified Partner

Email:***@clusterhelp.com
http://www.clusterhelp.com
Blog: http://msmvps.com/clusterhelp

Pascal MIETLICKI

2010-05-05 07:17:11 UTC

Permalink

Post by Russ Kaufmann
OK, so let's go to some basic troubleshooting steps.
1. Can you ping from one server to the other by using the public IP address?

Yes

Post by Russ Kaufmann
2. Can you ping from one server to the other by using the
private/heartbeat IP address?

Yes

Post by Russ Kaufmann
3. Did you uncheck the register this network connection in DNS for the
private network adapter?

No, it was check, I unchecked it. Our private network is in
10.0.0.0/255.0.0.0

Post by Russ Kaufmann
4. Can you run, "Net view \\servername" from one node to the other?

Yes, the shares are different between the 2 nodes

Post by Russ Kaufmann
5. Have you tried disabling the Windows firewall on all network connections?

Yes, it is already disabled

I re-tried to create the cluster and still have the "access denied".
I saw that maybe we could re-build the Active Directory (it is one of
the solution on
http://social.technet.microsoft.com/Forums/en-US/winserverClustering/thread/a7bd3fa5-4349-4115-ae25-67670c3aab85
but the problem re-appeared for them 3 days later, so we are skeptical.

Still no clue...

If you have any suggestion, it would be great.

Thank you very much for your help, this is good to know that we can rely
on a community when we have problems like that.

Edwin vMierlo [MVP]

2010-05-05 07:33:35 UTC

Permalink

If you have disabled IPv6, and you have disabled the DHCP Client service,
you may see similar behaviour

Start the DHCP Client service and re-try

HTH,
Edwin.

Post by Pascal MIETLICKI

Post by Russ Kaufmann
OK, so let's go to some basic troubleshooting steps.
1. Can you ping from one server to the other by using the public IP address?

Yes

Post by Russ Kaufmann
2. Can you ping from one server to the other by using the
private/heartbeat IP address?

Yes

Post by Russ Kaufmann
3. Did you uncheck the register this network connection in DNS for the
private network adapter?

No, it was check, I unchecked it. Our private network is in
10.0.0.0/255.0.0.0

Post by Russ Kaufmann
4. Can you run, "Net view \\servername" from one node to the other?

Yes, the shares are different between the 2 nodes

Post by Russ Kaufmann
5. Have you tried disabling the Windows firewall on all network connections?

Yes, it is already disabled
I re-tried to create the cluster and still have the "access denied".
I saw that maybe we could re-build the Active Directory (it is one of the
solution on
http://social.technet.microsoft.com/Forums/en-US/winserverClustering/thread/a7bd3fa5-4349-4115-ae25-67670c3aab85
but the problem re-appeared for them 3 days later, so we are skeptical.
Still no clue...
If you have any suggestion, it would be great.
Thank you very much for your help, this is good to know that we can rely
on a community when we have problems like that.

Pascal MIETLICKI

2010-05-05 14:03:45 UTC

Permalink

Hi,

We have not disabled the DHCP client service but we don't use IPv6 nor
the DHCP (our ip addresses are statics).

Still no idea about what to do to solve this problem.

If anyone has a suggestion, we would be very glad to hear it.

Thank you.

Post by Edwin vMierlo [MVP]
If you have disabled IPv6, and you have disabled the DHCP Client service,
you may see similar behaviour
Start the DHCP Client service and re-try
HTH,
Edwin.

Post by Pascal MIETLICKI

Post by Russ Kaufmann
OK, so let's go to some basic troubleshooting steps.
1. Can you ping from one server to the other by using the public IP address?

Yes

Post by Russ Kaufmann
2. Can you ping from one server to the other by using the
private/heartbeat IP address?

Yes

Post by Russ Kaufmann
3. Did you uncheck the register this network connection in DNS for the
private network adapter?

No, it was check, I unchecked it. Our private network is in
10.0.0.0/255.0.0.0

Post by Russ Kaufmann
4. Can you run, "Net view \\servername" from one node to the other?

Yes, the shares are different between the 2 nodes

Post by Russ Kaufmann
5. Have you tried disabling the Windows firewall on all network connections?

Yes, it is already disabled
I re-tried to create the cluster and still have the "access denied".
I saw that maybe we could re-build the Active Directory (it is one of the
solution on
http://social.technet.microsoft.com/Forums/en-US/winserverClustering/thread/a7bd3fa5-4349-4115-ae25-67670c3aab85
but the problem re-appeared for them 3 days later, so we are skeptical.
Still no clue...
If you have any suggestion, it would be great.
Thank you very much for your help, this is good to know that we can rely
on a community when we have problems like that.

Edwin vMierlo [MVP]

2010-05-06 08:05:16 UTC

Permalink

It is not about using DHCP.

Is DHCP Client service started ?
If not please start and retry

thanks,
Edwin.

Hi,
We have not disabled the DHCP client service but we don't use IPv6 nor the
DHCP (our ip addresses are statics).
Still no idea about what to do to solve this problem.
If anyone has a suggestion, we would be very glad to hear it.
Thank you.

Post by Edwin vMierlo [MVP]
If you have disabled IPv6, and you have disabled the DHCP Client service,
you may see similar behaviour
Start the DHCP Client service and re-try
HTH,
Edwin.

Post by Pascal MIETLICKI

Post by Russ Kaufmann
OK, so let's go to some basic troubleshooting steps.
1. Can you ping from one server to the other by using the public IP address?

Yes

Post by Russ Kaufmann
2. Can you ping from one server to the other by using the
private/heartbeat IP address?

Yes

Post by Russ Kaufmann
3. Did you uncheck the register this network connection in DNS for the
private network adapter?

No, it was check, I unchecked it. Our private network is in
10.0.0.0/255.0.0.0

Post by Russ Kaufmann
4. Can you run, "Net view \\servername" from one node to the other?

Yes, the shares are different between the 2 nodes

Post by Russ Kaufmann
5. Have you tried disabling the Windows firewall on all network connections?

Yes, it is already disabled
I re-tried to create the cluster and still have the "access denied".
I saw that maybe we could re-build the Active Directory (it is one of the
solution on
http://social.technet.microsoft.com/Forums/en-US/winserverClustering/thread/a7bd3fa5-4349-4115-ae25-67670c3aab85
but the problem re-appeared for them 3 days later, so we are skeptical.
Still no clue...
If you have any suggestion, it would be great.
Thank you very much for your help, this is good to know that we can rely
on a community when we have problems like that.

Pascal MIETLICKI

2010-05-10 15:13:08 UTC

Permalink

Yes it is started on both nodes.

Still "Access denied".

Thanks,
pascal

Edwin vMierlo [MVP]

2010-05-12 06:50:34 UTC

Permalink

This could be WMI, can you check (to rule this in or out):

The target is operating within a "disjoint" namespace, meaning that the
domain that the computer is a member of does not participate within the
FQDN.

NetBIOS Name = AppServer1
Domain = HQ
Normal FQDN = AppServer1.hq.domian.com
Target FQDN = AppServer1.domain.com
Computer Object = this is registered based on domain name,
so the computer object knows only AppServer1.hq.domain.com

WMI does a validation check to make sure that the Computer Object is the
FQDN that you connect to. If it is not, then an Access Denied error occurs.

Post by Pascal MIETLICKI
Yes it is started on both nodes.
Still "Access denied".
Thanks,
pascal