CAU - Target name resolution error

If removal of the CAU for a Windows Server 2012 R2 Failover Cluster has failed or if anyone has tried manually clean up the CAU, the following error might appear in Server Manager.

 

 

A look in the logs shows...:

 

Log Name: System

Source: DistributedCom

Event ID: 10028

Level: Error

User:

OpCode: Info

More Information: Event Log Online Help

Logged:

Task Category: None

Keywords: Classic

Computer:

 

"DCOM was unable to communicate with the computer CAU-name.domain.local using any of the configured protocols; requested by PID b54 (C:\Windows\system32\ServerManager.exe)."

 

 



....and/or:

 

Log Name: System

Source: FailoverClustering

Event ID: 1228

Level: Error

User: System

OpCode: Info

More Information: Event Log Online Help

Logged:

Task Category: Network Name Resource

Keywords:

Computer:

 

"Cluster network name resource "CAU-name" encountered an error enabling the network name on this node. The reason for the failure was:

"Unable to obtain a logon token"

 

The error code was "1326".

 

You may take the network name resource offline and online again to retry."

 

 

If you do not see any trace of CAU but still see these error messages is probably the reason that CAU's Distributed Network Name is left lying around in the Failover Cluster. CAU's Distributed Network Name will be added up automatically during configuration of CAU but does not appear in the Failover Cluster Manager, but is hidden. Use PowerShell to list Cluster Resources and you will see the CAU's Distributed Network Name.

 

1. Open an elevated Powershell window
2. Specify Get-ClusterResource -Cluster "Cluster Name"
3. 
4. Remove-ClusterResource "Name"

 



How to disable Cluster Aware Updating (CAU)

Have you ever wanted to disable Cluster Aware Updating perhaps just for a while or even permanently? The problem is that you might get recurring an Kerberos Security error in Server Manager on one of your cluster nodes.

The error message below will appear in the system log:

"The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server "server name". The target name used was HTTP/server_name.domain.local. This indicates that the server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target server is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain "domain.local" is different from the client domain "domain.local" check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server."

The solution is quite simple but perhaps not obvious even though it's stated in the error message. What you need to do is to add two SPN's to your CAU account.

1. Open an elevated command prompt
2. setspn -S http/CAU-account-name CAU-account-name
3. setspn -S http/CAU-fqdn-account-name CAU-account-name