I normally hang out in the DBA Exchange but I'm coming to ServerFault this time with a Clustering issue.

I am trying to create an MSDTC role for my Windows 2012 R2 Cluster.

The IP address and disk start up fine, but when the name A06SQLX-DTC tries to come online, I get two errors:

Cluster resource 'A06SQLX-DTC' of type 'Network Name' in clustered role 'A06SQLX-DTC' failed.

Based on the failure policies for the resource and role, the cluster service may try to bring the resource online on this node or move the group to another node of the cluster and then restart it. Check the resource and group state using Failover Cluster Manager or the Get-ClusterResource Windows PowerShell cmdlet.

I believe this is a permissions issue, because in the AD, I am not seeing an object for A06SQLX-DTC. This object is, however, present in another AD where I did successfully create an MSDTC role.

One thing I've noticed is that in the properties of the role, there is an "access denied" shown by the Kerberos Status.

Which leads me to this article on MSDN. But that has not helped.

I read this question as well, but it didn't help either.

Further searching in the Cluster Event Logs pulled up this:

Cluster network name resource 'A06SQLX-DTC' failed to create its associated computer object in domain 'mydomain.com' during: Resource online.

The text for the associated error code is: Access is denied.

Please work with your domain administrator to ensure that:

  - The cluster identity 'A06SQLX-CLU-1$' has Create Computer Objects permissions. By default all computer objects are created in the same container as the cluster identity 'A06SQLX-CLU-1$'.
  - The quota for computer objects has not been reached.
  - If there is an existing computer object, verify the Cluster Identity 'A06SQLX-CLU-1$' has 'Full Control' permission to that computer object using the Active Directory Users and Computers tool.

Here are my questions:

  1. What permissions need to be assigned to my login?
  2. What permissions need to be assigned to the nodes?
  3. What permissions need to be assigned to the A06SQLX-CLU-1 object?

Craig Efrein

1 Answer

To resolve the problem:

The object in Active Directory that represents the Windows Failover Cluster, A06SQLX-CLU-1, needs to be able to create and list objects in its own Active Directory Container.

So the A06SQLX-CLU-1 object is contained in a folder:

mydomain.com
|
-----> COMPUTERS
     |
      ------> DEV
            |
             ------> A06SQLX-CLU-1

A06SQLX-CLU-1 will need to create objects/roles (such as MSDTC, SQL Server) in the DEV folder.

Craig Efrein
  • +1 for striking a blow against the hated and dreaded MSDTC! – Reaces Sep 10 '15 at 09:08
  • Thanks @Reaces, that was a very annoying problem. I was way too focused on my own AD permissions. – Craig Efrein Sep 10 '15 at 09:15
  • I can [sympathize](http://serverfault.com/questions/717505/local-dtc-is-missing-on-server-2008r2). – Reaces Sep 10 '15 at 09:16
  • Hi Craig, we're facing the same issue, and even if we set up the right permissions, nothing changed. The Kerberos status error is still showing up and we can't add a listener to our availability group. Any idea how to deal with that? (It's been a week since we're trying to figure it out :| ) – KhalilG Aug 03 '18 at 12:24
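
One way to check for, and if missing grant, the permission the answer describes, as an added PowerShell example that is not part of the original posts. It assumes the RSAT ActiveDirectory module and an account allowed to edit the container's ACL; the parent container is read from the cluster object's own distinguished name, and the variable names are illustrative.

```powershell
# Added example: needs the RSAT ActiveDirectory module and rights to edit the container ACL.
Import-Module ActiveDirectory

$cnoName = 'A06SQLX-CLU-1'   # cluster name object (CNO) named in the event text

# New role objects are created beside the CNO, so derive its parent container.
$cno       = Get-ADComputer -Identity $cnoName
$container = $cno.DistinguishedName -replace '^CN=[^,]+,', ''   # assumes no escaped comma
$path      = "AD:\$container"

# schemaIDGUID of the "computer" class: limits the grant to computer objects.
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$adRights      = [System.DirectoryServices.ActiveDirectoryRights]
$allow         = [System.Security.AccessControl.AccessControlType]::Allow

# Look for an Allow ACE that names the CNO and lets it create computer objects here.
$acl   = Get-Acl -Path $path
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$hasCreate = $rules | Where-Object {
    $_.IdentityReference.Value -eq $cno.SID.Value -and
    $_.AccessControlType -eq $allow -and
    ($_.ActiveDirectoryRights -band $adRights::CreateChild) -and
    ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq [Guid]::Empty)
}

if ($hasCreate) {
    Write-Output "OK: $cnoName can already create computer objects in $container"
} else {
    # Create Computer objects, scoped to this container only (no inheritance).
    $create = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $cno.SID, $adRights::CreateChild, $allow, $computerClass,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    # List contents and read properties of the container itself.
    $list = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $cno.SID, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, ListChildren',
        $allow)
    $acl.AddAccessRule($create)
    $acl.AddAccessRule($list)
    Set-Acl -Path $path -AclObject $acl
    Write-Output "Granted create/list on $container to $cnoName"
}
```

The check only matches ACEs that name the cluster object directly, so a grant made through a group it belongs to is not detected. After a grant, the 'A06SQLX-DTC' network name resource has to be brought online again for the computer object to be created.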