Cluster not compatible with Windows Server 2003 Security Guide NTL
- From: Chris <Chris@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 6 Mar 2008 07:11:01 -0800
After much effort, I was able to get Microsoft's clustering to work in my
environment with the settings in Microsoft's 2003 security guide. To assist
other people who may run into this problem, I am posting it to make it easier
to Google.
In my environment, running two Windows Server 2003 R2 SP2 servers and
applying Microsoft's security guide group policy settings to one makes it so
the server can't join an existing cluster. The fix: create a new GPO to
override two settings in the security guide GPO for the cluster servers.
These are the two settings that needed to be changed:
Computer Configuration / Windows Settings / Local Policies / Security
Options / "Network Security: Minimum session security for NTLM SSP based
(including secure RPC) clients", and "Network Security: Minimum session
security for NTLM SSP based (including secure RPC) servers".
In both of these, the "Require NTLMv2 session security" and "Require 128-bit
encryption" need to be set to "Disabled".
Also, once the cluster servers have all these settings applied, removing
either the NTLMv2 or 128-bit encryption setting will cause that machine's
cluster service to not start.
I don't know for sure if it is just my environment or not, but wanted to
make it easier for the other similar unanswered posts I have seen on the
Internet to resolve the issue if it is not just a quirk in my environment.
If anyone has run into the same issue and knows a better way to fix it or
knows the root cause or if Microsoft is planning to fix this in the future,
please let me know / post it. I was unable to get funding to afford to
report this bug to Microsoft through their tech support.
--
Here are the error log messages that occur if the above steps are not taken:
SECURITY - Source: Security, Category: Logon/Logoff, Event ID: 537, User: NT
Authority\System, Reason: An error occurred during logon, Logon Type: 3,
Logon Process: A few non-keyboard characters, Authentication Package: NTLM,
Status Code: 0x80090302
SYSTEM - Source: ClusSvc, Category: Node Mgr, Event ID: 1079, User: N/A,
Description: The node cannot join the server cluster because it cannot
communicate with node (NAME) over any network configured for internal server
cluster communication. Check the network configuration of the node and the
server cluster.
--
References:
- Microsoft's Windows Server 2003 Security Guide:
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx
Mentions a possible issue with cluster servers for the Debug Programs user
right, but nothing else cluster related.
- Microsoft KB 890761: http://support.microsoft.com/kb/890761
This said to disable the NTLMv2 requirement above, but didn't mention
128-bit encryption, so the fix didn't work for me.
- Microsoft KB 239869: http://support.microsoft.com/kb/239869
How to enable NTLM 2 authentication article, interesting read
- Usenet 2006 microsoft.public.windows.server.clustering:
http://forums.techarena.in/showthread.php?t=491431
Unfortunately not on Microsoft's web site, did not find this right away and
misread it as only disabling NTLMv2 session security.
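The two policy settings named above are stored by Windows as bitmasks in the
NtlmMinClientSec and NtlmMinServerSec values under
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0. The following PowerShell
script is an added example, not part of the original post, for auditing what
the cluster nodes actually ended up with after the override GPO is applied; it
decodes the bitmask on each node and reports whether the "Require NTLMv2
session security" and "Require 128-bit encryption" bits are clear, which is the
state the post found necessary. The node names are assumed placeholders, and
the script reads the registry remotely through the WMI StdRegProv class so it
works against Windows Server 2003 nodes that have no PowerShell remoting.

```powershell
# Added example (not from the original post): audit the effective NTLM SSP
# minimum session security on cluster nodes. A missing registry value means
# the policy is "Not Configured" and the OS default applies.
$RegKey = 'SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$HKLM   = [uint32]2147483650   # HKEY_LOCAL_MACHINE for StdRegProv

# NTLMSSP negotiate flag bits used by NtlmMinClientSec / NtlmMinServerSec
$Flags = [ordered]@{
    'Require message integrity'       = 0x00000010
    'Require message confidentiality' = 0x00000020
    'Require NTLMv2 session security' = 0x00080000
    'Require 128-bit encryption'      = 0x20000000
}

function Get-NtlmMinSec {
    param([Parameter(Mandatory)][string]$ComputerName)

    # StdRegProv is available on Windows 2000/2003 and later; no WinRM needed
    $reg = [WMIClass]"\\$ComputerName\root\default:StdRegProv"

    $result = New-Object PSObject -Property @{ Node = $ComputerName }
    foreach ($valueName in 'NtlmMinClientSec', 'NtlmMinServerSec') {
        $r = $reg.GetDWORDValue($HKLM, $RegKey, $valueName)
        # ReturnValue 0 = success; anything else means the value is absent
        if ($r.ReturnValue -eq 0) { $mask = [uint32]$r.uValue } else { $mask = $null }

        $set = @()
        if ($mask -ne $null) {
            foreach ($name in $Flags.Keys) {
                if (($mask -band $Flags[$name]) -ne 0) { $set += $name }
            }
        }
        $result | Add-Member NoteProperty "$valueName.Raw"     $mask
        $result | Add-Member NoteProperty "$valueName.Enabled" ($set -join '; ')
    }

    # The post's finding: the cluster service only starts and joins when
    # neither NTLMv2 session security nor 128-bit encryption is required,
    # on both the client and the server side.
    $blocking = $Flags['Require NTLMv2 session security'] -bor $Flags['Require 128-bit encryption']
    $client = $result.'NtlmMinClientSec.Raw'; $server = $result.'NtlmMinServerSec.Raw'
    $ok = (($client -eq $null) -or (($client -band $blocking) -eq 0)) -and
          (($server -eq $null) -or (($server -band $blocking) -eq 0))
    $result | Add-Member NoteProperty 'ClusterOverrideApplied' $ok
    return $result
}

# Placeholder node names; replace with the real cluster node names.
$nodes = 'CLUSTERNODE1', 'CLUSTERNODE2'
$report = foreach ($n in $nodes) { Get-NtlmMinSec -ComputerName $n }
$report | Format-List
```

Run it after a `gpupdate /force` on each node and compare the two nodes: a
mismatch in `NtlmMinClientSec.Enabled` / `NtlmMinServerSec.Enabled` between
nodes is the condition under which the post saw Event ID 537 with status
0x80090302 followed by ClusSvc Event ID 1079. Because clearing these bits
lowers the NTLM session security floor for every NTLM logon those hosts make,
keep the override GPO linked only to the OU containing the cluster nodes and
re-run the audit whenever the security guide GPO is changed.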