Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.
Solved
exchange 2010 failover clustering error 1207 and 1135 troubleshooting
Posted on 2014-02-05
Greetings,
I have a two-server DAG. one of the servers is logging two event id 1207 entries every 15 minutes. They state:
Cluster with name "ClusterName" could not be brought online. The computer object associated with the resource could not be updated in domain "domain.local" for the following reason: unable to update password for computer account.
The text for the associated error code is: RPC server unavailable
The cluster identity may lack permissions required to update the object.
and
"Cluster network name resource '%1' cannot be brought online. The computer object associated with the resource could not be updated in domain '%2' for the following reason: %3.
The text for the associated error code is: %4
The cluster identity '%5' may lack permissions required to update the object. Please work with your domain administrator to ensure that the cluster identity can update computer objects in the domain."
the other server in the DAG had one entry for error ID 1135 stating:
"Cluster node "EXCH10-2" was removed from the active failover cluster membership. Cluster service may have stopped...."
When I go to the DAG computer object in AD, I only see the exchange server with event ID 1135 listed in the permissions.
Also, if I do a nslookup for 192.168.35.20 (DAG IP), it fails. If I do a nslookup for DAG, it returns the previous IP. Not sure if that means anything to troubleshooting the 1207 error.
I am not sure if I should add the 1207 exchange server to the AD DAG computer object permissions or what. Not really sure where to start. I've looked at several resources online but am confused as to which AD objects I should look at and potentially edit, if any. This started 2 days ago.
Thanks a lot!
I have a two-server DAG. one of the servers is logging two event id 1207 entries every 15 minutes. They state:
Cluster with name "ClusterName" could not be brought online. The computer object associated with the resource could not be updated in domain "domain.local" for the following reason: unable to update password for computer account.
The text for the associated error code is: RPC server unavailable
The cluster identity may lack permissions required to update the object.
and
"Cluster network name resource '%1' cannot be brought online. The computer object associated with the resource could not be updated in domain '%2' for the following reason: %3.
The text for the associated error code is: %4
The cluster identity '%5' may lack permissions required to update the object. Please work with your domain administrator to ensure that the cluster identity can update computer objects in the domain."
the other server in the DAG had one entry for error ID 1135 stating:
"Cluster node "EXCH10-2" was removed from the active failover cluster membership. Cluster service may have stopped...."
When I go to the DAG computer object in AD, I only see the exchange server with event ID 1135 listed in the permissions.
Also, if I do a nslookup for 192.168.35.20 (DAG IP), it fails. If I do a nslookup for DAG, it returns the previous IP. Not sure if that means anything to troubleshooting the 1207 error.
I am not sure if I should add the 1207 exchange server to the AD DAG computer object permissions or what. Not really sure where to start. I've looked at several resources online but am confused as to which AD objects I should look at and potentially edit, if any. This started 2 days ago.
Thanks a lot!
-
13
2
2- +1
18 Comments
Active 2 days ago
I restarted the cluster service on the exch10-2 node. It only has one public database. It was dismounted for a few minutes, then went through recovery steps to re-mount it, which it did successfully. I am now seeing event 1207 on the other DAG node. Initially, I only saw this error on the exch10-2 node.
Further, I am now seeing these event IDs
1564 (FSW failed to arbitrate for the file share \\FSW.domain.local\DAG.dom
1069 (cluster resource FSW \\FSW.domain.local\DAG.dom
1573 (node exch10-2 failed to form a cluster. this is because the witness was not accessible. please ensure the witness is online and available) The DAG share appears when I access the FSW server through a UNC path. Although, I am unable to open it (likely because I am logged on as administrator).
To note, I have not received event ID 1207 in the last 30 minutes. It has skipped the last two entries. Errors 1564 and 1069 appeared 3 minutes before the expected 1207.
I think DAG is broken and not even trying.
Thanks for any help
Further, I am now seeing these event IDs
1564 (FSW failed to arbitrate for the file share \\FSW.domain.local\DAG.dom
1069 (cluster resource FSW \\FSW.domain.local\DAG.dom
1573 (node exch10-2 failed to form a cluster. this is because the witness was not accessible. please ensure the witness is online and available) The DAG share appears when I access the FSW server through a UNC path. Although, I am unable to open it (likely because I am logged on as administrator).
To note, I have not received event ID 1207 in the last 30 minutes. It has skipped the last two entries. Errors 1564 and 1069 appeared 3 minutes before the expected 1207.
I think DAG is broken and not even trying.
Thanks for any help
Run this command to verify your FSW.
Get-DatabaseAvailabilityGr
Verify "Witness Directory" is the correct location of your FSW.
Get-DatabaseAvailabilityGr
Verify "Witness Directory" is the correct location of your FSW.
Active 2 days ago
event ID 1207 is showing up every 15 minutes on the first node now. It had not done this until I restarted the cluster service on the second node.
Or just open EMC go to Organization Configuration - Mailbox - Database Availability Groups.
You should see DAG Name, member server and Witness directory
You should see DAG Name, member server and Witness directory
Active 2 days ago
Thanks for replying Spartan_1337.
Everything is correct in the output of that command. The witness directory is correct.
Everything is correct in the output of that command. The witness directory is correct.
Active 2 days ago
EMC shows both nodes and the correct FSW and DAG share as well. Still no 1207 on the second node. They are showing up on the first node every 15 minutes still.
Thanks
Thanks
Active 2 days ago
found this earlier
http://technet.microsoft.com/en-us/library/dd353973(v=ws.10).aspx
everything checked out. Both nodes show up.
I wonder if moving the FSW share will do anything to correct this. I am looking for a list of the correct permissions in AD, and which objects to apply them to.
http://technet.microsoft.com/en-us/library/dd353973(v=ws.10).aspx
everything checked out. Both nodes show up.
I wonder if moving the FSW share will do anything to correct this. I am looking for a list of the correct permissions in AD, and which objects to apply them to.
Active 2 days ago
so I rebooted the FSW server and I am now receiving error 1207 on the second node again but no longer on the first node.
DAG in EMC shows network up. All databases show mounted / healthy.
Not sure where to go from here.
DAG in EMC shows network up. All databases show mounted / healthy.
Not sure where to go from here.
Active today
Have you seen this TechNet blog post: http://bit.ly/1lBiMeo
Exchange 2007 SP1 CCR- Windows 2008 Clusters - File Share Witness (FSW) failures.
There are a number of points addressed in this blog post that also incorporates the errors you originally list.
Philip
Exchange 2007 SP1 CCR- Windows 2008 Clusters - File Share Witness (FSW) failures.
There are a number of points addressed in this blog post that also incorporates the errors you originally list.
Philip
Active 2 days ago
I checked the DAG DNS entry and the check box for 'delete this record when it becomes stale' was selected and the record time stamp is dated 2/3/2014 9:00 PM. Scavenging is not enabled on the forward lookup zone though, so I am not sure if it matters. Also, there was no reverse lookup zone entry for the DAG. I couldn't ping by IP earlier.
I also noticed that the DAG object properties in AD>Computers>DAG 'right-click'>Properties>O
I also noticed that the DAG object properties in AD>Computers>DAG 'right-click'>Properties>O
Hi,
The cluster node computer objects should have full control permission over cluster resource computer object in order to update the object. Please verify full control permission is set for these.
If you have a DAG with the name DAG01, then there will be a computer object in AD with the name DAG01 and computer accounts for exchange servers Exch10-2 should have full permission over this object to update it. Also there is a limit on the number of computer objects which can be created in a Domain. If this limit is reached for an object, then it could have trouble in updating other objects.
Please refer 'Items to review in Active Directory' section in the following article.
http://technet.microsoft.com/en-us/library/cc773451(v=ws.10).aspx
The cluster node computer objects should have full control permission over cluster resource computer object in order to update the object. Please verify full control permission is set for these.
If you have a DAG with the name DAG01, then there will be a computer object in AD with the name DAG01 and computer accounts for exchange servers Exch10-2 should have full permission over this object to update it. Also there is a limit on the number of computer objects which can be created in a Domain. If this limit is reached for an object, then it could have trouble in updating other objects.
Please refer 'Items to review in Active Directory' section in the following article.
http://technet.microsoft.com/en-us/library/cc773451(v=ws.10).aspx
Active 2 days ago
Thanks Sre Raj. I noticed that Exch10-2 was not listed at all on the DAG computer object in AD, while the other node. I'm going to add Exch10-2 and duplicate the permissions.
I had seen that link but it only mentioned checking the quota and that the DAG computer object should have full permissions. There was another article that mentioned, as you did, that the nodes should have certain permissions as well. That said, how do I check the quota? I only see an option to change the quota in ADSIedit, not view the current usage.
Thanks a lot!
I had seen that link but it only mentioned checking the quota and that the DAG computer object should have full permissions. There was another article that mentioned, as you did, that the nodes should have certain permissions as well. That said, how do I check the quota? I only see an option to change the quota in ADSIedit, not view the current usage.
Thanks a lot!
Active 2 days ago
SreRaj, I added exch10-2 and matched the permissions of the first node. I am still getting the same 1207 errors as before. Thx
While editing the value, ms-DS-MachineAccountQuota you could see the current value set for this attribute and by default it will be 10.
Please try modifying this value and also try restarting the node exch10-2.
Please try modifying this value and also try restarting the node exch10-2.
Active 2 days ago
I will check that SreRaj. I will reboot the node when possible. If the reboot does not clear the error, I am going to call Microsoft and have support check it out. Will update.
thx
thx
Active 2 days ago
I have not been able to reboot the server yet. However, all of a sudden, on the 20th the errors stopped on the second node and have not reappeared on either node. DAG info in EMC looks good. Again, I did nothing (no reboot, no disabling / re-enabling NIC, etc.).
Featured Post
Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Join & Write a Comment Already a member? Login.
The article is for all the Exchange users seeking smooth and effective EDB to PST conversion. Exchange Server is the most widely used platform for messaging with collaborative sharing, Exchange online, secure working environment, etc.
Importing Outlook PST contacts to Exchange Server can become a complicated task. Situations arise where an Exchange user is not able to import contacts from PST to Exchange Mailboxes in an efficient manner. Try SysTools Exchange Import to move conta…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video tutorial shows you the steps to go through to set up what I believe to be the best email app on the android platform to read Exchange mail.
Get the app on your phone: The first step is to make sure you have the Samsung Email app on your …
Suggested Courses
Course of the Month7 days, 14 hours left to enroll
584 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.