Pages

1 Feb 2011

Exchange 2010 SP1: Problem while adding DAG members

Today, I encountered a problem with adding DAG members. I created DAG without any problems but later when I was trying to add a new member to DAG I received the following error:

Error:
A server-side database availability group administrative operation failed. Error: The operation failed. CreateCluster errors may result from incorrectly configured static addresses. Error: An error occurred while attempting a cluster operation. Error: Cluster API '"CreateCluster() failed with 0x5. Error: Access is denied"' failed. [Server: MBX01.domain.local]
An Active Manager operation failed. Error: An error occurred while attempting a cluster operation. Error: Cluster API '"CreateCluster() failed with 0x5. Error: Access is denied"' failed..
Access is denied
Click here for help... http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.1.267.0&t=exchgf1&e=ms.exch.err.ExC9C315
Warning:
The operation wasn't successful because an error was encountered. You may find more details in log file "C:\ExchangeSetupLogs\DagTasks\dagtask_2011-02-01_10-56-20.943_add-databaseavailabiltygroupserver.log".
Exchange Management Shell command attempted:
Add-DatabaseAvailabilityGroupServer -MailboxServer 'MBX01' -Identity 'DAG1'


I checked the log file and found that there was a problem with adding DAG computer object which is called CNO (Cluster Name Object):
[2011-02-01T10:06:50] ClusterSetupProgressCallback( eSetupPhase = ClusterSetupPhaseConfigureClusterAccount, ePhaseType = ClusterSetupPhaseEnd, ePhaseSeverity = ClusterSetupPhaseFatal, dwPercentComplete = 94, szObjectName = DAG1, dwStatus = 0x5 )
[2011-02-01T10:06:50] ClusterSetupProgressCallback( eSetupPhase = ClusterSetupPhaseConfigureClusterAccount, ePhaseType = ClusterSetupPhaseEnd, ePhaseSeverity = ClusterSetupPhaseFatal, dwPercentComplete = 94, szObjectName = DAG1, dwStatus = 0x5 )


The correct dwStaus is 0x0 which means "success", dwStatus = 0x5 means "access denied".  I realised that my client's Active Directory domain was hardened and there were non-standard permissions on AD objects. In particular the Active Directory attribute mS-DS-MachineAccountQuota was set to 0. This is why Exchange couldn't create CNO.


The solution:

  1. Create CNO account manually and grant Full Control over this object for all your DAG members (computer accounts).
  2. Disable CNO account - It took me a while to figure it out. If you keep this account enabled you will receive another error during adding DAG members.
  3. Now you can add members to DAG.


Notice: The following advice might be useful when you troubleshoot DAG.
1. After installation of a Failover Cluster feature, the Cluster service startup mode is set to disabled. It is also true after creating a DAG - this is a normal situation.
2. FSW (File Share Witness) is not created during creation of DAG, the folder and share are created when you add the second DAG member - FSW is only needed when you have even number of members.

No comments: