Managing Active Directory can get complicated. Often, the native tools for managing AD are just not up to the task. The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.
Solved
exchange 2010 failover clustering error 1207 and 1135 troubleshooting
Posted on 2014-02-05
Greetings,
I have a two-server DAG. one of the servers is logging two event id 1207 entries every 15 minutes. They state:
Cluster with name "ClusterName" could not be brought online. The computer object associated with the resource could not be updated in domain "domain.local" for the following reason: unable to update password for computer account.
The text for the associated error code is: RPC server unavailable
The cluster identity may lack permissions required to update the object.
and
"Cluster network name resource '%1' cannot be brought online. The computer object associated with the resource could not be updated in domain '%2' for the following reason: %3.
The text for the associated error code is: %4
The cluster identity '%5' may lack permissions required to update the object. Please work with your domain administrator to ensure that the cluster identity can update computer objects in the domain."
the other server in the DAG had one entry for error ID 1135 stating:
"Cluster node "EXCH10-2" was removed from the active failover cluster membership. Cluster service may have stopped...."
When I go to the DAG computer object in AD, I only see the exchange server with event ID 1135 listed in the permissions.
Also, if I do a nslookup for 192.168.35.20 (DAG IP), it fails. If I do a nslookup for DAG, it returns the previous IP. Not sure if that means anything to troubleshooting the 1207 error.
I am not sure if I should add the 1207 exchange server to the AD DAG computer object permissions or what. Not really sure where to start. I've looked at several resources online but am confused as to which AD objects I should look at and potentially edit, if any. This started 2 days ago.
Thanks a lot!
I have a two-server DAG. one of the servers is logging two event id 1207 entries every 15 minutes. They state:
Cluster with name "ClusterName" could not be brought online. The computer object associated with the resource could not be updated in domain "domain.local" for the following reason: unable to update password for computer account.
The text for the associated error code is: RPC server unavailable
The cluster identity may lack permissions required to update the object.
and
"Cluster network name resource '%1' cannot be brought online. The computer object associated with the resource could not be updated in domain '%2' for the following reason: %3.
The text for the associated error code is: %4
The cluster identity '%5' may lack permissions required to update the object. Please work with your domain administrator to ensure that the cluster identity can update computer objects in the domain."
the other server in the DAG had one entry for error ID 1135 stating:
"Cluster node "EXCH10-2" was removed from the active failover cluster membership. Cluster service may have stopped...."
When I go to the DAG computer object in AD, I only see the exchange server with event ID 1135 listed in the permissions.
Also, if I do a nslookup for 192.168.35.20 (DAG IP), it fails. If I do a nslookup for DAG, it returns the previous IP. Not sure if that means anything to troubleshooting the 1207 error.
I am not sure if I should add the 1207 exchange server to the AD DAG computer object permissions or what. Not really sure where to start. I've looked at several resources online but am confused as to which AD objects I should look at and potentially edit, if any. This started 2 days ago.
Thanks a lot!
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
13
2
2- +1
18 Comments
Active 4 days ago
I restarted the cluster service on the exch10-2 node. It only has one public database. It was dismounted for a few minutes, then went through recovery steps to re-mount it, which it did successfully. I am now seeing event 1207 on the other DAG node. Initially, I only saw this error on the exch10-2 node.
Further, I am now seeing these event IDs
1564 (FSW failed to arbitrate for the file share \\FSW.domain.local\DAG.dom
1069 (cluster resource FSW \\FSW.domain.local\DAG.dom
1573 (node exch10-2 failed to form a cluster. this is because the witness was not accessible. please ensure the witness is online and available) The DAG share appears when I access the FSW server through a UNC path. Although, I am unable to open it (likely because I am logged on as administrator).
To note, I have not received event ID 1207 in the last 30 minutes. It has skipped the last two entries. Errors 1564 and 1069 appeared 3 minutes before the expected 1207.
I think DAG is broken and not even trying.
Thanks for any help
Further, I am now seeing these event IDs
1564 (FSW failed to arbitrate for the file share \\FSW.domain.local\DAG.dom
1069 (cluster resource FSW \\FSW.domain.local\DAG.dom
1573 (node exch10-2 failed to form a cluster. this is because the witness was not accessible. please ensure the witness is online and available) The DAG share appears when I access the FSW server through a UNC path. Although, I am unable to open it (likely because I am logged on as administrator).
To note, I have not received event ID 1207 in the last 30 minutes. It has skipped the last two entries. Errors 1564 and 1069 appeared 3 minutes before the expected 1207.
I think DAG is broken and not even trying.
Thanks for any help
Active today
Run this command to verify your FSW.
Get-DatabaseAvailabilityGr
Verify "Witness Directory" is the correct location of your FSW.
Get-DatabaseAvailabilityGr
Verify "Witness Directory" is the correct location of your FSW.
Active 4 days ago
event ID 1207 is showing up every 15 minutes on the first node now. It had not done this until I restarted the cluster service on the second node.
Active today
Or just open EMC go to Organization Configuration - Mailbox - Database Availability Groups.
You should see DAG Name, member server and Witness directory
You should see DAG Name, member server and Witness directory
Active 4 days ago
Thanks for replying Spartan_1337.
Everything is correct in the output of that command. The witness directory is correct.
Everything is correct in the output of that command. The witness directory is correct.
Active 4 days ago
EMC shows both nodes and the correct FSW and DAG share as well. Still no 1207 on the second node. They are showing up on the first node every 15 minutes still.
Thanks
Thanks
Active 4 days ago
found this earlier
http://technet.microsoft.com/en-us/library/dd353973(v=ws.10).aspx
everything checked out. Both nodes show up.
I wonder if moving the FSW share will do anything to correct this. I am looking for a list of the correct permissions in AD, and which objects to apply them to.
http://technet.microsoft.com/en-us/library/dd353973(v=ws.10).aspx
everything checked out. Both nodes show up.
I wonder if moving the FSW share will do anything to correct this. I am looking for a list of the correct permissions in AD, and which objects to apply them to.
Active 4 days ago
so I rebooted the FSW server and I am now receiving error 1207 on the second node again but no longer on the first node.
DAG in EMC shows network up. All databases show mounted / healthy.
Not sure where to go from here.
DAG in EMC shows network up. All databases show mounted / healthy.
Not sure where to go from here.
Active 3 days ago
Have you seen this TechNet blog post: http://bit.ly/1lBiMeo
Exchange 2007 SP1 CCR- Windows 2008 Clusters - File Share Witness (FSW) failures.
There are a number of points addressed in this blog post that also incorporates the errors you originally list.
Philip
Exchange 2007 SP1 CCR- Windows 2008 Clusters - File Share Witness (FSW) failures.
There are a number of points addressed in this blog post that also incorporates the errors you originally list.
Philip
Active 4 days ago
I checked the DAG DNS entry and the check box for 'delete this record when it becomes stale' was selected and the record time stamp is dated 2/3/2014 9:00 PM. Scavenging is not enabled on the forward lookup zone though, so I am not sure if it matters. Also, there was no reverse lookup zone entry for the DAG. I couldn't ping by IP earlier.
I also noticed that the DAG object properties in AD>Computers>DAG 'right-click'>Properties>O
I also noticed that the DAG object properties in AD>Computers>DAG 'right-click'>Properties>O
Hi,
The cluster node computer objects should have full control permission over cluster resource computer object in order to update the object. Please verify full control permission is set for these.
If you have a DAG with the name DAG01, then there will be a computer object in AD with the name DAG01 and computer accounts for exchange servers Exch10-2 should have full permission over this object to update it. Also there is a limit on the number of computer objects which can be created in a Domain. If this limit is reached for an object, then it could have trouble in updating other objects.
Please refer 'Items to review in Active Directory' section in the following article.
http://technet.microsoft.com/en-us/library/cc773451(v=ws.10).aspx
The cluster node computer objects should have full control permission over cluster resource computer object in order to update the object. Please verify full control permission is set for these.
If you have a DAG with the name DAG01, then there will be a computer object in AD with the name DAG01 and computer accounts for exchange servers Exch10-2 should have full permission over this object to update it. Also there is a limit on the number of computer objects which can be created in a Domain. If this limit is reached for an object, then it could have trouble in updating other objects.
Please refer 'Items to review in Active Directory' section in the following article.
http://technet.microsoft.com/en-us/library/cc773451(v=ws.10).aspx
Active 4 days ago
Thanks Sre Raj. I noticed that Exch10-2 was not listed at all on the DAG computer object in AD, while the other node. I'm going to add Exch10-2 and duplicate the permissions.
I had seen that link but it only mentioned checking the quota and that the DAG computer object should have full permissions. There was another article that mentioned, as you did, that the nodes should have certain permissions as well. That said, how do I check the quota? I only see an option to change the quota in ADSIedit, not view the current usage.
Thanks a lot!
I had seen that link but it only mentioned checking the quota and that the DAG computer object should have full permissions. There was another article that mentioned, as you did, that the nodes should have certain permissions as well. That said, how do I check the quota? I only see an option to change the quota in ADSIedit, not view the current usage.
Thanks a lot!
Active 4 days ago
SreRaj, I added exch10-2 and matched the permissions of the first node. I am still getting the same 1207 errors as before. Thx
While editing the value, ms-DS-MachineAccountQuota you could see the current value set for this attribute and by default it will be 10.
Please try modifying this value and also try restarting the node exch10-2.
Please try modifying this value and also try restarting the node exch10-2.
Active 4 days ago
I will check that SreRaj. I will reboot the node when possible. If the reboot does not clear the error, I am going to call Microsoft and have support check it out. Will update.
thx
thx
Active 4 days ago
I have not been able to reboot the server yet. However, all of a sudden, on the 20th the errors stopped on the second node and have not reappeared on either node. DAG info in EMC looks good. Again, I did nothing (no reboot, no disabling / re-enabling NIC, etc.).
Featured Post
This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
Are you an Exchange administrator employed with an organization? And, have you encountered a corrupt Exchange database due to which you are not able to open its EDB file. This article will explain all the steps to repair corrupt Exchange database.
Are you ready to implement Active Directory best practices without reading 300+ pages?
You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses
Course of the Month9 days, left to enroll
721 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.