RE: Cluster not compatible with Windows Server 2003 Security Guide NTL



Update: In my environment, the issue was determined to be an issue only with
transitioning a cluster to the Windows Server 2003 Security Guide settings.
The real fix for the issue is to schedule time for the entire cluster to be
down, and apply the security group policy settings, without my fix below, to
all of the servers in the clusters and reboot. This is not as smooth as the
original fix, but doesn't require reduced security.

The reason: The "Require NTLMv2 session security" and "Require 128-bit
encryption" settings appear to be all-or-nothing settings for a cluster,
where servers can't be in the cluster if they don't have the same settings as
the other servers in the cluster, at least in my environment. Adding the
GPO to the servers one at a time will cause the servers with the new settings
to not be able to talk to the existing servers and the cluster service to
then fail on the servers with the new settings.

After much effort, I was able to get Microsoft's clustering to work in my
environment with the settings in Microsoft's 2003 security guide. To assist
other people who may run into this problem, I am posting it to make it easier
to Google.

In my environment, running two Windows Server 2003 R2 SP2 servers and
applying Microsoft's security guide group policy settings to one makes it so
the server can't join an existing cluster. The fix: create a new GPO to
override two settings in the security guide GPO for the cluster servers.
These are the two settings that needed to be changed:

Computer Configuration / Windows Settings / Local Policies / Security
Options / "Network Security: Minimum session security for NTLM SSP based
(including secure RPC) clients", and "Network Security: Minimum session
security for NTLM SSP based (including secure RPC) servers".

In both of these, the "Require NTLMv2 session security" and "Require 128-bit
encryption" need to be set to "Disabled".

Also, once the cluster servers have all these settings applied, removing
either the NTLMv2 or 128-bit encryption setting will cause that machine's
cluster service to not start.
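
A pre-change check for the mismatch described in the post, as an added example that is not part of the original post: it reads the two registry values behind the "Minimum session security for NTLM SSP" policies on each node and warns when nodes disagree. The node names are placeholders, and the script assumes the Remote Registry service is reachable on every node.

```powershell
# Added example, not from the original post.
# Assumption: node names below are placeholders; replace with your cluster nodes.
$Nodes   = 'CLUSNODE1', 'CLUSNODE2'
$KeyPath = 'SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Bits behind the two check boxes named in the post
$NTLMv2Session = 0x00080000   # "Require NTLMv2 session security"
$Encrypt128    = 0x20000000   # "Require 128-bit encryption"

function Get-NtlmMinSec([string]$Computer) {
    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $Computer)
    try {
        $key = $base.OpenSubKey($KeyPath)
        foreach ($name in 'NtlmMinClientSec', 'NtlmMinServerSec') {
            # Assumption: an absent value is reported as 0 (no bits set)
            $value = 0
            if ($key) { $value = [int]$key.GetValue($name, 0) }
            New-Object PSObject -Property @{
                Node          = $Computer
                Setting       = $name
                Value         = '0x{0:X8}' -f $value
                RequireNTLMv2 = [bool]($value -band $NTLMv2Session)
                Require128Bit = [bool]($value -band $Encrypt128)
            }
        }
    } finally {
        $base.Close()
    }
}

$results = foreach ($n in $Nodes) { Get-NtlmMinSec $n }
$results | Sort-Object Setting, Node |
    Format-Table Node, Setting, Value, RequireNTLMv2, Require128Bit -AutoSize

# Every node should report the same value for each setting before and after the GPO change
foreach ($group in ($results | Group-Object Setting)) {
    $distinct = @($group.Group | Select-Object -ExpandProperty Value | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning "$($group.Name) differs across nodes: $($distinct -join ', ')"
    }
}
```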
