New event log messages for the Cluster service account are included in Windows Server 2003 Service Pack 1 and Update Rollup 1 for Windows 2000 Service Pack 4

This article describes some of the changes that have been made to Cluster service-related event log messages in Microsoft Windows Server 2003 Service Pack 1 (SP1) and Update Rollup 1 for Microsoft Windows 2000 Service Pack 4 (SP4).

The Cluster service is a service that requires a domain user account.

The server cluster Setup program changes the local security policy for this account by granting a set of user rights to the account. Additionally, this account is made a member of the local Administrators group.

If one or more of these user rights are missing, the Cluster service may stop immediately during startup or later, depending on when the Cluster service requires the particular user right.

In Windows Server 2003 and Windows 2000 Server, you receive notification that a user right that was not granted to the Cluster service account was required for cluster operation. However, this notification does not indicate which required user right is missing.

Windows Server 2003 SP1 and Update Rollup 1 for Windows 2000 SP4 include changes that help resolve this issue. These changes are in the Service Control Manager (SCM) program and in the Cluster service.

Changes to Service Control Manager

The Cluster service now detects when the Cluster service account is not a member of the local Administrators group. In this scenario, the following error is logged:

Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Type: Error
User: N/A
Computer: Computer_Name
Description: The Service_Name service terminated with the following error. The specified user account is not a member of the specified group account.

In this scenario, if you try to start the Cluster service at a command prompt, you receive the following error:

Additionally, the SCM has been modified to detect when the Cluster service account does not have the �Log on as a Service� user right assigned. In this scenario, a new event, Event ID 7041, appears in the system event log. Event ID 7041 appears as follows:

Event Source: Service Control Manager
Event Category: None
Event ID: 7041
Type: Error
User: N/A
Computer: Computer_Name
Description: The Service_Name service was unable to log on as domain\account with the currently configured password due to the following error:

Logon failure: the user has not been granted the requested logon type at this computer.

This account is missing the �Log on as a Service� user right. This right must be granted to the service account in order to run this service. The Local Security Policy editor (secpol.msc) can be used to grant this privilege to the account on this machine. If this node is a member of a cluster, check that this user right is granted to the service account on all nodes in this cluster.

If this user right continues to be revoked from the service account, it might be the result of a Group Policy object removing the privilege. Check with your domain administrator to determine if this is the cause of the revocation.

Changes to the Cluster service

When the Cluster service starts, it now checks the user rights that are granted to the Cluster service account together with the Cluster service account's group membership.

If an incorrect configuration is detected, the Cluster service stops, and an appropriate message is either displayed on the computer or logged in the system event log. In this scenario, the Cluster service starts and continues to run only after the appropriate corrections are made to the Cluster service account. Therefore, the server cluster administrator is quickly alerted that a problem exists with the Cluster service account configuration.

In this scenario, the Cluster service logs Event ID 1234 in the system event log. Event ID 1234 appears as follows:

The Cluster Service Account (CSA) is missing the following required user rights (privileges) in order to correctly operate:

list of missing privilege display names

These privileges, which were granted to the CSA during Cluster setup, must be present before running the Cluster Service. You can grant these privileges via the Local Security Policy editor (secpol.msc) or through a Group Policy object that is associated with the CSA's user object in the DS.

If the privileges continue to be removed from the CSA, check with your domain administrator that a Group Policy Object is in place that is stripping the privileges from the CSA. If so, this GPO must not be applied to the CSA.

In this scenario, when you try to start the Cluster service at a command prompt, you receive the following system error: In Windows Server 2008, the failover cluster does not use a domain user account to run the Cluster service. Instead, the Windows Server 2008 failover cluster logs on by using the Local System account. Therefore, the information in this article does not apply.

However, if this setting is changed, the Cluster service fails to start. Additionally, you may receive the following error message in the Services management console: Additionally, an event that resembles the following event is logged in the System log:

Log Name: System
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Task Category: None
Type: Error
Keywords: Classic
User: N/A
Computer: Computer_Name
Description: The Cluster Service service failed to start due to the following error: A privilege that the service requires to function properly does not exist in the service account configuration. You may use the Services Microsoft Management Console (MMC) snap-in (services.msc) and the Local Security Settings MMC snap-in (secpol.msc) to view the service configuration and the account configuration.

For more information about the rights that are required for a server cluster in Windows 2000 and in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base: For more information about how to configure and secure a server cluster, visit the following Microsoft Web site: