Monday, 10 March 2014

CAU - Target name resolution error

If removal of CAU from a Windows Server 2012 R2 Failover Cluster has failed, or if anyone has tried to clean up CAU manually, the following error might appear in Server Manager.

A look in the logs shows:
Log Name: System
Source: DistributedCom
Event ID: 10028
Level: Error
OpCode: Info
More Information: Event Log Online Help
Task Category: None
Keywords: Classic
"DCOM was unable to communicate with the computer CAU-name.domain.local using any of the configured protocols; requested by PID b54 (C:\Windows\system32\ServerManager.exe)."

Log Name: System
Source: FailoverClustering
Event ID: 1228
Level: Error
User: System
OpCode: Info
More Information: Event Log Online Help
Task Category: Network Name Resource
"Cluster network name resource "CAU-name" encountered an error enabling the network name on this node. The reason for the failure was:
"Unable to obtain a logon token"
The error code was "1326".
You may take the network name resource offline and online again to retry."

If you do not see any trace of CAU but still get these error messages, the probable reason is that CAU's Distributed Network Name has been left behind in the Failover Cluster. The Distributed Network Name is added automatically when CAU is configured, but it is hidden and does not appear in Failover Cluster Manager. Use PowerShell to list the cluster resources and you will see CAU's Distributed Network Name.
  1. Open an elevated PowerShell window
  2. Run Get-ClusterResource -Cluster "Cluster Name"
  3. Remove-ClusterResource "Name"
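
The three steps above as one script, with a dry run before anything is removed. This is an added example, not part of the original post; $ClusterName, $CauName and $Apply are placeholders introduced here, and the script assumes the FailoverClusters module is installed on the machine you run it from.

```powershell
# Added example. Placeholders (assumptions): set these to your cluster name
# and to the network name resource quoted in event 1228.
$ClusterName = 'Cluster Name'
$CauName     = 'CAU-name'
$Apply       = $false   # leave $false for a dry run; set $true to remove

Import-Module FailoverClusters

# List every resource, including the ones Failover Cluster Manager hides.
$all = Get-ClusterResource -Cluster $ClusterName
$all | Sort-Object OwnerGroup, Name |
    Format-Table Name, State, OwnerGroup, ResourceType -AutoSize

# Match on the exact name as well as on the resource type. Other roles
# (Scale-Out File Server, for one) also own Distributed Network Name
# resources, and those must not be touched.
$leftover = @($all | Where-Object {
    $_.ResourceType.Name -eq 'Distributed Network Name' -and
    $_.Name -eq $CauName
})

if ($leftover.Count -eq 0) {
    Write-Warning "No Distributed Network Name resource named '$CauName' on '$ClusterName'."
}
else {
    foreach ($r in $leftover) {
        # Show the full record before removal so it ends up in the transcript.
        $r | Format-List Name, State, OwnerGroup, OwnerNode, ResourceType

        # With $Apply = $false this only prints what would be removed.
        # With $Apply = $true the cmdlet still asks for confirmation.
        $r | Remove-ClusterResource -WhatIf:(-not $Apply)
    }
}
```

Run it once with $Apply left at $false and check that the only resource reported is the CAU name from the event log before setting it to $true.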

Monday, 3 March 2014

How to disable Cluster Aware Updating (CAU)

Have you ever wanted to disable Cluster Aware Updating, perhaps just for a while or even permanently? The problem is that you might get a recurring Kerberos security error in Server Manager on one of your cluster nodes.

The error message below will appear in the system log:

"The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server "server name". The target name used was HTTP/server_name.domain.local. This indicates that the server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target server is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain "domain.local" is different from the client domain "domain.local" check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server."

The solution is quite simple but perhaps not obvious, even though it's stated in the error message. What you need to do is add two SPNs to your CAU account.

  1. Open an elevated command prompt
  2. setspn -S http/CAU-account-name CAU-account-name
  3. setspn -S http/CAU-fqdn-account-name CAU-account-name