Managing Active Directory does not always have to be complicated. If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why
Course Of The Month
Become a Premium Member and unlock a new, free course in leading technologies each month.
Solved
exchange 2010 failover clustering error 1207 and 1135 troubleshooting
Posted on 2014-02-05
Greetings,
I have a two-server DAG. one of the servers is logging two event id 1207 entries every 15 minutes. They state:
Cluster with name "ClusterName" could not be brought online. The computer object associated with the resource could not be updated in domain "domain.local" for the following reason: unable to update password for computer account.
The text for the associated error code is: RPC server unavailable
The cluster identity may lack permissions required to update the object.
and
"Cluster network name resource '%1' cannot be brought online. The computer object associated with the resource could not be updated in domain '%2' for the following reason: %3.
The text for the associated error code is: %4
The cluster identity '%5' may lack permissions required to update the object. Please work with your domain administrator to ensure that the cluster identity can update computer objects in the domain."
the other server in the DAG had one entry for error ID 1135 stating:
"Cluster node "EXCH10-2" was removed from the active failover cluster membership. Cluster service may have stopped...."
When I go to the DAG computer object in AD, I only see the exchange server with event ID 1135 listed in the permissions.
Also, if I do a nslookup for 192.168.35.20 (DAG IP), it fails. If I do a nslookup for DAG, it returns the previous IP. Not sure if that means anything to troubleshooting the 1207 error.
I am not sure if I should add the 1207 exchange server to the AD DAG computer object permissions or what. Not really sure where to start. I've looked at several resources online but am confused as to which AD objects I should look at and potentially edit, if any. This started 2 days ago.
Thanks a lot!
I have a two-server DAG. one of the servers is logging two event id 1207 entries every 15 minutes. They state:
Cluster with name "ClusterName" could not be brought online. The computer object associated with the resource could not be updated in domain "domain.local" for the following reason: unable to update password for computer account.
The text for the associated error code is: RPC server unavailable
The cluster identity may lack permissions required to update the object.
and
"Cluster network name resource '%1' cannot be brought online. The computer object associated with the resource could not be updated in domain '%2' for the following reason: %3.
The text for the associated error code is: %4
The cluster identity '%5' may lack permissions required to update the object. Please work with your domain administrator to ensure that the cluster identity can update computer objects in the domain."
the other server in the DAG had one entry for error ID 1135 stating:
"Cluster node "EXCH10-2" was removed from the active failover cluster membership. Cluster service may have stopped...."
When I go to the DAG computer object in AD, I only see the exchange server with event ID 1135 listed in the permissions.
Also, if I do a nslookup for 192.168.35.20 (DAG IP), it fails. If I do a nslookup for DAG, it returns the previous IP. Not sure if that means anything to troubleshooting the 1207 error.
I am not sure if I should add the 1207 exchange server to the AD DAG computer object permissions or what. Not really sure where to start. I've looked at several resources online but am confused as to which AD objects I should look at and potentially edit, if any. This started 2 days ago.
Thanks a lot!
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
13
2
2- +1
18 Comments
I restarted the cluster service on the exch10-2 node. It only has one public database. It was dismounted for a few minutes, then went through recovery steps to re-mount it, which it did successfully. I am now seeing event 1207 on the other DAG node. Initially, I only saw this error on the exch10-2 node.
Further, I am now seeing these event IDs
1564 (FSW failed to arbitrate for the file share \\FSW.domain.local\DAG.dom
1069 (cluster resource FSW \\FSW.domain.local\DAG.dom
1573 (node exch10-2 failed to form a cluster. this is because the witness was not accessible. please ensure the witness is online and available) The DAG share appears when I access the FSW server through a UNC path. Although, I am unable to open it (likely because I am logged on as administrator).
To note, I have not received event ID 1207 in the last 30 minutes. It has skipped the last two entries. Errors 1564 and 1069 appeared 3 minutes before the expected 1207.
I think DAG is broken and not even trying.
Thanks for any help
Further, I am now seeing these event IDs
1564 (FSW failed to arbitrate for the file share \\FSW.domain.local\DAG.dom
1069 (cluster resource FSW \\FSW.domain.local\DAG.dom
1573 (node exch10-2 failed to form a cluster. this is because the witness was not accessible. please ensure the witness is online and available) The DAG share appears when I access the FSW server through a UNC path. Although, I am unable to open it (likely because I am logged on as administrator).
To note, I have not received event ID 1207 in the last 30 minutes. It has skipped the last two entries. Errors 1564 and 1069 appeared 3 minutes before the expected 1207.
I think DAG is broken and not even trying.
Thanks for any help
Run this command to verify your FSW.
Get-DatabaseAvailabilityGr
Verify "Witness Directory" is the correct location of your FSW.
Get-DatabaseAvailabilityGr
Verify "Witness Directory" is the correct location of your FSW.
event ID 1207 is showing up every 15 minutes on the first node now. It had not done this until I restarted the cluster service on the second node.
Or just open EMC go to Organization Configuration - Mailbox - Database Availability Groups.
You should see DAG Name, member server and Witness directory
You should see DAG Name, member server and Witness directory
Thanks for replying Spartan_1337.
Everything is correct in the output of that command. The witness directory is correct.
Everything is correct in the output of that command. The witness directory is correct.
EMC shows both nodes and the correct FSW and DAG share as well. Still no 1207 on the second node. They are showing up on the first node every 15 minutes still.
Thanks
Thanks
found this earlier
http://technet.microsoft.com/en-us/library/dd353973(v=ws.10).aspx
everything checked out. Both nodes show up.
I wonder if moving the FSW share will do anything to correct this. I am looking for a list of the correct permissions in AD, and which objects to apply them to.
http://technet.microsoft.com/en-us/library/dd353973(v=ws.10).aspx
everything checked out. Both nodes show up.
I wonder if moving the FSW share will do anything to correct this. I am looking for a list of the correct permissions in AD, and which objects to apply them to.
so I rebooted the FSW server and I am now receiving error 1207 on the second node again but no longer on the first node.
DAG in EMC shows network up. All databases show mounted / healthy.
Not sure where to go from here.
DAG in EMC shows network up. All databases show mounted / healthy.
Not sure where to go from here.
Active today
Have you seen this TechNet blog post: http://bit.ly/1lBiMeo
Exchange 2007 SP1 CCR- Windows 2008 Clusters - File Share Witness (FSW) failures.
There are a number of points addressed in this blog post that also incorporates the errors you originally list.
Philip
Exchange 2007 SP1 CCR- Windows 2008 Clusters - File Share Witness (FSW) failures.
There are a number of points addressed in this blog post that also incorporates the errors you originally list.
Philip
I checked the DAG DNS entry and the check box for 'delete this record when it becomes stale' was selected and the record time stamp is dated 2/3/2014 9:00 PM. Scavenging is not enabled on the forward lookup zone though, so I am not sure if it matters. Also, there was no reverse lookup zone entry for the DAG. I couldn't ping by IP earlier.
I also noticed that the DAG object properties in AD>Computers>DAG 'right-click'>Properties>O
I also noticed that the DAG object properties in AD>Computers>DAG 'right-click'>Properties>O
Hi,
The cluster node computer objects should have full control permission over cluster resource computer object in order to update the object. Please verify full control permission is set for these.
If you have a DAG with the name DAG01, then there will be a computer object in AD with the name DAG01 and computer accounts for exchange servers Exch10-2 should have full permission over this object to update it. Also there is a limit on the number of computer objects which can be created in a Domain. If this limit is reached for an object, then it could have trouble in updating other objects.
Please refer 'Items to review in Active Directory' section in the following article.
http://technet.microsoft.com/en-us/library/cc773451(v=ws.10).aspx
The cluster node computer objects should have full control permission over cluster resource computer object in order to update the object. Please verify full control permission is set for these.
If you have a DAG with the name DAG01, then there will be a computer object in AD with the name DAG01 and computer accounts for exchange servers Exch10-2 should have full permission over this object to update it. Also there is a limit on the number of computer objects which can be created in a Domain. If this limit is reached for an object, then it could have trouble in updating other objects.
Please refer 'Items to review in Active Directory' section in the following article.
http://technet.microsoft.com/en-us/library/cc773451(v=ws.10).aspx
Thanks Sre Raj. I noticed that Exch10-2 was not listed at all on the DAG computer object in AD, while the other node. I'm going to add Exch10-2 and duplicate the permissions.
I had seen that link but it only mentioned checking the quota and that the DAG computer object should have full permissions. There was another article that mentioned, as you did, that the nodes should have certain permissions as well. That said, how do I check the quota? I only see an option to change the quota in ADSIedit, not view the current usage.
Thanks a lot!
I had seen that link but it only mentioned checking the quota and that the DAG computer object should have full permissions. There was another article that mentioned, as you did, that the nodes should have certain permissions as well. That said, how do I check the quota? I only see an option to change the quota in ADSIedit, not view the current usage.
Thanks a lot!
SreRaj, I added exch10-2 and matched the permissions of the first node. I am still getting the same 1207 errors as before. Thx
While editing the value, ms-DS-MachineAccountQuota you could see the current value set for this attribute and by default it will be 10.
Please try modifying this value and also try restarting the node exch10-2.
Please try modifying this value and also try restarting the node exch10-2.
I will check that SreRaj. I will reboot the node when possible. If the reboot does not clear the error, I am going to call Microsoft and have support check it out. Will update.
thx
thx
I have not been able to reboot the server yet. However, all of a sudden, on the 20th the errors stopped on the second node and have not reappeared on either node. DAG info in EMC looks good. Again, I did nothing (no reboot, no disabling / re-enabling NIC, etc.).
Featured Post
With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
A hard and fast method for reducing Active Directory Administrators members.
This article will help to fix the below errors for MS Exchange Server 2013
I. Certificate error "name on the security certificate is invalid or does not match the name of the site"
II. Out of Office not working
III. Make Internal URLs and Externa…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA).
For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651
If you want to manage em…
Attackers love to prey on accounts that have privileges.
Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month5 days, 21 hours left to enroll
626 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.