Solved

Hyper-V 2012 R2 - MPIO config error “Access Denied”

Posted on 2015-01-23
Last Modified: 2015-03-24
I am in the midst of migrating to a Hyper-V 2012 R2 cluster and am currently configuring the first host to connect to the iSCSI CSV via MPIO.

I "think" I have everything working properly, but when I try to create a log file to verify via the MPIO properties (GUI) or invoke the "mpclaim -v" command from PowerShell (or Command Prompt) while elevated as Admin, I get the following errors:

GUI - Failed to probe MPIO storage configuration. Access is denied.

Elevated PowerShell/CMD - File creation failed. C:\Windows\System32\MPIO_Configuration.log. Error 5 Failed to write MPIO configuration to file. Access is denied.

I have only been able to locate one article relating to the same problem but the solution was not applicable to me. Someone made a reference to "Local Security Policy/Public Key Policies/Encrypting File System/Properties/Certificates" and to allow something there, but when I go there on the local machine, there are no keys or anything... just a message that says "No Encrypting File System Policies Defined".

Here's the article;

https://social.technet.microsoft.com/Forums/windowsserver/en-US/6526b8c8-0fa9-4b47-9c31-3463896ffd51/access-denied-trying-to-capture-mpio-config?forum=winserverfiles

Anyone have any insight into this?

Thank you in advance!
Question by:bsgitoffice
 
LVL 24

Expert Comment

by:VB ITS
ID: 40567761
Did you actually enable the Allow EFS to generate self-signed certificates when a certification authority is not available setting in the Local Security Policy though?

- Right click Start button then click Run
- In the Run dialog box that appears type in secpol.msc then click OK
- Expand Public Key Policies on the left then right click on Encrypting File System
- Click on Properties
- Select Allow in the General tab
- Click on the Certificates tab and confirm that Allow EFS to generate self-signed certificates when a certification authority is not available is ticked
- Configure the rest of the settings as desired, however the default settings should suffice.
- Reboot your server when done
- Try running the mpclaim command again
0
 

Author Comment

by:bsgitoffice
ID: 40567889
Per my original posting, I already looked in Local Security Policy and within the Encryption File System key, but there is nothing there. See attached screenshot.
0
 

Author Comment

by:bsgitoffice
ID: 40567891
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40567948
If you look at my above post you'll note that I said you need to RIGHT CLICK on Encrypting File System, then click on Properties to see the settings.
Please re-read my instructions in my previous post, I tried to be as detailed as possible.
0
 

Author Comment

by:bsgitoffice
ID: 40568376
You are absolutely correct. My sincere apologies.

If you look at the timestamp, it was nearly midnight and so my attention to detail wasn't at 100% ;o)

I followed your instructions to the letter but I am still getting the same errors.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40568716
That's OK, it's happened to all of us! :)

Did you reboot your server after making the changes?
0
 

Author Comment

by:bsgitoffice
ID: 40568835
Yep, I rebooted (per your instructions) but the problem persists.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40582184
I saw your article.
I don't understand how EFS is relevant here in this scenario.

You should enable MPIO support for the iSCSI device from MPIO Properties, and
after that your iSCSI device vendor ID should get added automatically to the MPIO Devices tab. If it's not getting added, you should add it manually to MPIO Devices in MPIO Properties and reboot the server once to make it effective.

Check below post for step by step
http://terrytlslau.tls1.cc/2013/09/configure-iscsi-connections-with-mpio_11.html
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 40583163
I hit this all the time in our cluster setups though we are using SAS based DAS and not iSCSI.

IIRC, cd \Temp on the C: drive.
mpclaim -v >Report.txt
Notepad Report.txt

It's vague and I'm not back into our system until the morning and can verify. There may be another -L switch for mpclaim for it to drop the log file in C:\Temp.
0
 

Author Comment

by:bsgitoffice
ID: 40584282
@Mahesh, iSCSI devices were already added and MPIO configured (see attached screenshot).

@ Philip Elder, Sorry, I've already tried that. No matter where I output the txt file, the file will only contain the same "access denied" error.
Capture.PNG
0
 

Author Comment

by:bsgitoffice
ID: 40584290
@Philip Elder - If I use the "-l" switch, the txt file is blank.
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 40584380
This is what I get:
MPClaim Text Output
That is on a Hyper-V 2008 R2 cluster node.
0
 

Author Comment

by:bsgitoffice
ID: 40584418
@Philip Elder - This is what I get when I do the same thing:

Capture.PNG
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 40584437
Elevated CMD not PoSh.
0
 

Author Comment

by:bsgitoffice
ID: 40584756
Capture.PNG
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 40584776
What DSM is in operation here?

CMD --> MPIOCPL [Enter] --> Devices --> ?

Or, in Disk Management right click on any MPIO enabled drive and Properties then under the MPIO tab the DSM will display. Here you can click DETAILS. What MPIO version?
0
 

Author Comment

by:bsgitoffice
ID: 40584791
Capture.PNG
Capture1.PNG
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 40584802
That's what we have.

Are the nodes in their own OU structure or nested in with a bunch of other servers?

If possible, have an OU structure from the domain root for your cluster setup and configure the necessary firewall exceptions for cluster services and permissions.

I take it you are logged in as Local Admin or Domain Admin? Try logging in as the other and running in C:\Temp. Does that work?
0
 

Author Comment

by:bsgitoffice
ID: 40584834
At the moment, I have just one Server 2012 R2 node attached to the iSCSI CSV. I do have a separate OU for the hyper-v nodes/csv nodes. All the 2008 R2 nodes and one 2012 R2 node are in there, plus the cluster object.

I have been logging in as a domain admin plus I tried another account with domain admin rights but to no success. I haven't tried a local admin account yet.

When you say necessary firewall rules, do you mean the ones that automatically get set when you install the Hyper-V role?
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 40585107
Is the Cluster Role installed?
0
 

Author Comment

by:bsgitoffice
ID: 40585118
Yes, the Failover Cluster role is installed.
0

 
LVL 24

Expert Comment

by:VB ITS
ID: 40585144
From what I know, the output file generated by the mpclaim command gets encrypted by EFS. I think in this case your Data Recovery Agent certificate has expired.

Can you please open the Group Policy Management Console on one of your Domain Controllers, go into the Default Domain Policy then go to this path?: Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File System

Has the certificate in there issued to Administrator expired? If so, you'll need to renew it. Follow the steps in this article which should still be applicable for Server 2008 and onwards: http://blogs.technet.com/b/askds/archive/2008/01/07/replacing-an-expired-dra-certificate.aspx
0
 

Author Comment

by:bsgitoffice
ID: 40586745
It is expired (as of 2006).

It also looks like the default domain policy is disabled.
0
 

Author Comment

by:bsgitoffice
ID: 40586776
The first option is greyed out and so I cannot export the private key per the instructions.

Capture.PNG
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 40586845
The DEFAULT DOMAIN POLICY is disabled?!?! Huh?

Sounds like GP may be a rat's nest. :(

That policy should _never_ be disabled or edited. It contains a whole host of settings to keep a domain functional. I suggest comparing against a live DDP that has not been touched to verify that it will not further toast the domain.

It can be rebuilt if need be: KB556025: Manually Recreate Default GPOs.
0
 

Author Comment

by:bsgitoffice
ID: 40586862
Yeah, I inherited this domain as is. The guy who built it and ran for 10 years is long gone.

I have a CA authority running on one of the DC's. Shouldn't EFS try to use that instead of self-signed?
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 40586877
I suggest addressing the Group Policy deficiencies before going anywhere with EFS.
0
 

Author Comment

by:bsgitoffice
ID: 40586888
Yeah, the computer and User settings were set to disabled for whatever reason.

I switched them back on.


Is it safe to delete the expired DRA and create a new one? Unfortunately, I have never had to do this before.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40587759
"It also looks like the default domain policy is disabled."
Never a good idea to disable this policy!

"The first option is greyed out and so I cannot export the private key per the instructions."
This is because the private key for the DRA certificate can't be found.
The original private key is stored in the Administrator profile of the first domain controller in the domain. If you don't have access to this Administrator profile then you may have issues decrypting files down the track.

"Is it safe to delete the expired DRA and create a new one? Unfortunately, I have never had to do this before."
Yes it is, as long as you keep the exported certificate on file somewhere and have backup copies of it.
0
 

Author Comment

by:bsgitoffice
ID: 40588862
I agree about the disabled Default Domain Policy, but as I said I inherited this "situation". I turned both user and computer settings back on yesterday. I've also exported the expired cert and created a new DRA. I've followed the instructions per the link above to the letter but the error remains.

I've created a separate OU for hyper-v nodes and CSV nodes. I've blocked inheritance on this OU and linked only specific GPO's that I want applied to these servers (which includes the default domain policy). Honestly, if MS didn't decide to start charging $500 per incident then I would've just opened a case with them ;) But I am not certain this issue is worth a $500 hit since it isn't technically stopping me from setting up my new cluster, it is simply preventing me from verifying my MPIO config.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40589967
"I agree about the disabled Default Domain Policy, but as I said I inherited this 'situation'."
Understood, I wasn't blaming you, just pointing it out for any others who may stumble across this thread.

When you re-enabled the Default Domain Policy did you run gpupdate /force on the Hyper-V host or reboot it?
0
 

Author Comment

by:bsgitoffice
ID: 40591191
I sure did. Same error.
0
 
LVL 65

Expert Comment

by:Jim Horn
ID: 40595053
Since the latest 'request attention' notice went to all experts, you've reached the bottom of the barrel.   No clue.

Recommend working with the experts in this question to get to your solution, as at first glance I see a whole lot of effort provided you.

Good luck.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40596733
Did you remove the changes you made to the local security policies which I outlined in my first comment after renewing the domain's Data Recovery Agent certificate?
0
 

Author Comment

by:bsgitoffice
ID: 40598553
I switched the "File Encryption using EFS" option to NOT DEFINED.

After doing this, everything in the certificates tab is greyed out.

I ran gpupdate /force and tried mpclaim -v and got the same error.
0
 

Author Comment

by:bsgitoffice
ID: 40598576
Doesn't look like this is going to be solved here.

I may need to just bite the bullet and open a case with MS. Maybe I'll get lucky and it'll turn out to be something that warrants a "freebie".
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40598577
Did you run Command Prompt as an Administrator, then change directory to some other folder you created on the Hyper-V host's C: drive?

- Create a new folder in the root of the C: drive and call it Test
- Open Command Prompt as an Administrator
- Type in cd c:\temp
- Try the mpclaim -v command

If that doesn't work then I'm out of ideas unfortunately. I tested with an environment that had a similar issue recently which had 2008 R2 cluster nodes and got around it by renewing the DRA certificate.
0
 

Author Comment

by:bsgitoffice
ID: 40598649
Yes sir.

I created a folder called temp at C: root and ran those commands via cmd and powershell with elevated permissions.

No dice.

I appreciate all the effort. I am going to talk to my teammate and see if I can convince him to open a case with MS on this. The issue doesn't "appear" to be blocking or interfering with my migration to a 2012 R2 cluster "so far".

Again, I appreciate everyone's help!
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40603177
Alright let us know how you go with MS if you do open a case as I'm out of ideas unfortunately.

As you said this doesn't actually stop your cluster from working, you just can't verify your MPIO configuration.
0
 

Accepted Solution

by:
bsgitoffice earned 0 total points
ID: 40676336
Sorry for the long delay,

The problem ended up being a defect with the iSCSI storage device. As soon as I connected a FC storage device, I stopped getting the error. I am going to move forward with the FC storage.

Thanks again everyone.
0
 

Author Closing Comment

by:bsgitoffice
ID: 40684212
It turned out the error I was getting was not the fault of the OS at all. It was due to the iSCSI storage being faulty.
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 40684595
Our storage connection of choice is Direct Attached SAS. Each cable connection is 24Gb of essentially zero latency bandwidth. Each node has a minimum of two for 48Gb of aggregate bandwidth.

Our two node Scale-Out File Server clusters are 96Gb of aggregate bandwidth while our four nodes are 192Gb of aggregate bandwidth.

No FC or iSCSI complications. It's straightforward simple to set up and deploy.
0
