Hello!
Organization use Exchange 2007 SP3 mailbox servers in SCC.
There are 4 active and 1 passive node in cluster.
All OS are Windows server 2008 Ent SP2.
All domain controllers OS Windows server 2008 Std SP2.
Cluster and domain controllers placed in the same AD site.
On all active nodes every day occures an error, registered in "System" journal:
____________________________________
Log Name: System
Source: Microsoft-Windows-FailoverClustering
Date: 2/5/2013 8:33:34 PM
Event ID: 1207
Task Category: Network Name Resource
Level: Error
Keywords:
User: SYSTEM
Computer: node1.domainname.com
Description:
Cluster network name resource 'Network Name (App1)' cannot be brought online. The computer object associated with the resource could not be updated in domain 'domainname.com' for the following reason:
Unable to update password for computer account.
The text for the associated error code is: Access is denied.
The cluster identity 'Cluster$' may lack permissions required to update the object. Please work with your domain administrator to ensure that the cluster identity can update computer objects in the domain.
____________________________________
And on 3 active nodes periodical occurs event, registered in "FailoverClustering/Operational" journal:
____________________________________
Log Name: Microsoft-Windows-FailoverClustering/Operational
Source: Microsoft-Windows-FailoverClustering
Date: 2/5/2013 2:27:54 PM
Event ID: 1201
Task Category: Resource Control Manager
Level: Information
Keywords:
User: SYSTEM
Computer: node1.domainname.com
Description:
The Cluster service successfully brought the clustered service or application 'App1' online.
____________________________________
I don't understand - why contradictory events occurs on cluster nodes.
I looked for some articles to resolve problem and find these:
http://technet.microsoft.com/en-us/library/cc773451(v=ws.10).aspx
http://support.microsoft.com/kb/947049?wa=wsignin1.0
..and a lot of forums, same topics....
All cluster accounts, include CNO, computers (nodes), applications (services), placed in default location - "Computers" container.
I check permissions for container and for accounts:
____
For container "Computers"
- CNO "Cluster$" have permissions "Full Control" - this object only.
____
For all accounts (CNO, computers, applications)
- CNO "Cluster$" have special permissions: list contents + read all attributes + change password
____
Now cluster and application run correct. I moved applications between nodes, and all also working correct. But..
I can't find information how to "Check that the domain-wide quota for creating computer objects (by default, 10) has not been reached"
I think, that the error may be related with incorrect permissions for cluster accounts.
The problem I have is that I can't to make change in permissions (and other any changes), before argues the correct solution.
Also, I can't experiment in prodaction environment, and I haven't got a test environment to emulate same errors and trying resolve them.
And I must guarantee, that after I make changes - cluster will continue working properly, and I must argue the solution.
Someone have any expirience with successfull resolve this error?
Maybe there are reasons that I missed?
Please help me to fix this issue.
Thanks!