Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. A Network Name resource that has the Kerberos protocol enabled does not come online on the first attempt in a Windows Server 2008 failover cluster

A Network Name resource that has the Kerberos protocol enabled does not come online on the first attempt in a Windows Server 2008 failover cluster

View products that this article applies to.

Symptoms

You are using the Migrate Services and Applications Wizard in Windows Server 2008 Failover Clustering, and your Windows Server 2003 source cluster has Kerberos authentication enabled. In this case, the resources in the newly migrated resource group do not appear online as expected. If Kerberos authentication is not enabled on the source cluster, this problem does not occur.

↑ Back to the top

Cause

This problem occurs because of changes in Windows Server 2008 Failover Clustering and how computer objects are created in Active Directory. If Kerberos authentication is enabled, the Migrate Services and Applications Wizard does not capture the Cluster Service Account (CSA) information. The wizard cannot bring the resource in the newly migrated resource group online without this information. The Cluster Name Object (CNO) cannot capture the computer object that is created in the Windows Server 2003 server cluster.

↑ Back to the top

Resolution

To resolve this problem, follow these steps for each resource in the newly migrated resource group:
  1. Right-click the resource.
  2. Select Bring this Resource Online. The resource will now be in a failed state.
  3. Right-click the resource.
  4. Select Bring this Resource Online.
  5. You are prompted for a user name and a password for the Windows Server 2003 Cluster Service Account. After you enter this information, the resource appears online.
Note If the resource depends on another resource, the other resource must be online before you follow these steps. If the resource still does not come online, you must delete the Virtual Computer Object (VCO) in Active Directory.

↑ Back to the top

More information

To avoid this problem, modify the Discretionary Access Control List (DACL) for all computer objects that are created by the Windows Server 2003 server cluster by granting the Cluster Name Object (CNO) Full Control permissions. However, you have to do this before you migrate Network Name resources from a Windows Server 2003 server cluster to a Windows Server 2008 failover cluster.

↑ Back to the top

Keywords: KB950806, kbprb, kbtshoot, kbexpertiseinter, kbclustering

↑ Back to the top

Article Info
Article ID : 950806
Revision : 3
Created on : 9/11/2010
Published on : 9/11/2010
Exists online : False
Views : 271