Changing the Cluster service account password
To change the Cluster service account password with Cluster.exe,
type the following command from a command prompt to list all of the available
parameters:
CLUSTER /changepass /?
Samples
Note: In the following samples:
- EASTCLUSTER is a cluster name.
- WESTCLUSTER is a cluster name.
- NEWpassword is the new
password.
- OLDpassword is the old
password.
To change the Cluster service account password for a single
cluster, use the following syntax in which the password for EASTCLUSTER would
be changed to
NEWpassword from
OLDpassword:
cluster /cluster:EASTCLUSTER /changepassword:NEWpassword,OLDpassword
Note: If you do not specify
NEWpassword and
OLDpassword, you are prompted to enter them after
you press ENTER.
To change the Cluster service account password on
multiple clusters, you need to reference the additional cluster. For example,
to change the password for WESTCLUSTER in addition to EASTCLUSTER, you would
use the following syntax:
cluster /cluster:EASTCLUSTER,WESTCLUSTER /changepassword:NEWpassword,OLDpassword
When
you use some special characters for the password, you may receive an error that
is a bit misleading. For example, when you change the password by using the
cluster /cluster:testcluster /changepass:Password&1234567890,Password1 command , you receive the following error message:
The password does not meet the password policy requirements.
Check the minimum password length, password complexity and password history
requirements. '1234567890' is not recognized as an internal or external
command, operable program, or batch file.
The special character "&" is truncating the rest of the line. This
means that the first error is true because you are changing the password to only
"Password" which does not follow the password restrictions correctly. Because
the "&" is an old MSDOS command that combined commands together, it is
trying to run the command "1234567890" which is invalid. The correct command to
change the password for this must have the password enclosed in quotation
marks. The following command will change the password correctly:
cluster /cluster:testcluster /changepass:"Password&1234567890",Password1
Using additional switches
You can also use the following additional switches with the
/changepassword parameter:
Switch
| Description |
---|
/skipdc | Use this switch to change the password on the cluster
nodes but not on the domain controller. This is useful if the domain
administrator manually changed the account on the domain controller. When using
this switch, you do not need to supply the old password. |
/force | Typically, the /changepassword command detects if all nodes in the cluster are online. If one of
the nodes in a cluster is offline, the password change fails and an error is
displayed. To force a password change on all available nodes, use the /force switch. Any node that is not available during the password change
will require manual intervention. |
/test | You can use this parameter to test if the password can
make the password change to the domain and to all nodes in the cluster before
it actually makes any changes. Using this switch before making the change is
highly recommended because Cluster.exe is not transactional and cannot roll
back the old password if it is not properly written to all nodes of the domain
controller. |
Troubleshooting
The following table lists all the errors and possible solutions
that may occur when using Cluster.exe if there is a problem changing the
password for the Cluster service account on the nodes or domain.
Error Code | Error Message | Suggested
Action |
---|
Failure status from OpenCluster | Failed to query
cluster name. | Verify that the specified
cluster is available, that the specified name on the command line is correct,
and that the cluster resource that is backing that name (such as Network Name)
is online. |
Failure status from OpenSCManager, OpenService,
QueryServiceConfig, OpenClusterNode, GetClusterNodeId, or
GetClusterNodeState | Failed to query node node
name of cluster cluster
name. | Verify that all nodes in the specified cluster are
up, joined to the cluster, and are responding to network queries. |
ERROR_INVALID_SERVICE_ACCOUNT | All of the clusters are
not using the same domain account. | Change passwords for clusters that
are using separate domain accounts in separate invocations of the cluster
command. |
ERROR_ALL_NODES_NOT_AVAILABLE | Not all clusters are
available (at least one node is neither UP nor PAUSED). | For each
specified cluster, verify that all nodes in the cluster are up and joined to
the cluster. |
Failure status from DsGetDcName | No domain controllers
are available. | Verify connectivity between the client computer on which
the cluster command is being executed, and a domain controller for the domain
of the cluster account. |
Failure status from NetUserChangePassword | Failed to
change password on the domain controller. | Verify connectivity with the
domain controller and permissions to change the password (including correctness
of old password). |
ERROR_MORE_DATA | Aborting the password change on
cluster name after number
attempts because the number of nodes in the cluster is not
stable. | Verify that nodes are not joining the cluster as the password
change command is operating. |
ERROR_CLUSTER_INCOMPATIBLE_VERSIONS | The password
change was not issued on cluster name since it
contains at least one Windows NT 4.0 or Windows 2000 node. | Evict or
upgrade any cluster nodes that are running Windows NT 4.0 or Windows 2000. |
ERROR_FILE_CORRUPT | The password change was not issued
on cluster name because the cluster service detected
data corruption in a message received from the network.
-or-
The password change on node node name
of cluster cluster name failed because the cluster
service detected data corruption in a message received from the network.
| Verify cluster network integrity and/or security. In the case of the
node-specific error, it is necessary to manually change the Cluster service
account password on the failed node before that node can rejoin the
cluster. |
CRYPT_E_HASH_VALUE | The password change was not issued
on cluster %1!ws! because the cluster service was unable to establish a secure
network connection between nodes.
-or-
The password change
on node node name of cluster cluster
name failed because the cluster service was unable to establish a
secure network connection between nodes. | Verify cluster network
integrity and/or security. In the case of the node-specific error, it is
necessary to manually change the Cluster service account password on the failed
node before that node can rejoin the cluster. |
Other cluster-specific error status | The password
change on cluster cluster name failed. The error
code was number (hex
number): system error
message | Appropriate action depends on the error
code. |
Other node-specific error status | The password change
on node node name of cluster cluster
name failed. The error code was number
(hex number): system error
message | Appropriate action depends on the error code. It
is necessary to manually change the Cluster service account password on the
failed node before that node can rejoin the cluster. |