Hisecdc Causes Problems with Cluster Domain Controllers (295091)
The information in this article applies to:
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
This article was previously published under Q295091
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
SYMPTOMS
After you run the Hisecdc template on one of your domain controllers that are also your clustered nodes, you cannot restart the cluster service on either node.
The following events are logged in the System log in sequential order:
Event ID 9
The device, Device Scsi Scsi Fibre Controller, did not respond
within the timeout period.
Event ID 1009
The Clustering Service could not join an existing cluster and
could not form a new cluster. The Clustering Service has terminated.
Event ID 7031
The Cluster Service service terminated unexpectedly. It has done
this X time(s). The following corrective action will be taken in
XXXXXX milliseconds. Restart the service.
You may also receive the following error message:
Either the specified account is not valid or the domain cannot be contacted
NOTE: You may receive this error message if the account with which the cluster starts (at Services\Cluster Service Properties\Log On) is in the format clusteraccount@domain-name (such as clustersvc@microsoft.com). If the account is in this format, change it to DOMAIN\account (for example: MICROSOFT\clustersvc). After this change, the service should start automatically.
If you try to change the account through a terminal server connection, the option to change is not available. You have to change the account information while you are physically at the server.
CAUSE
This problem occurs because computers that you configure by using Hisecdc can only communicate with other Windows 2000 computers. Hisecdc sets the default Domain security profile to use Ntlm2. Hisecdc is a highly secure template that defines security settings for Windows 2000 network communications. The security areas are set to require maximum protection for network traffic and protocols used between computers running Windows 2000.
RESOLUTION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To resolve this problem, return the NTLM authentication level to its default level of "Send LM and NTLM responses". Follow these steps on each node in your Windows 2000-based cluster:
- In Control Panel, double-click Administrative Tools.
- Start the Local Security Policy tool, or if both nodes are the only domain controllers, use the Domain Security Policy tool.
- Expand Local Policies, and then click Security Options.
- Double-click Lan Manager Authentication Level, and then click Send LM and NTLM responses.
- Click OK, and then quit Local Security Policy Editor.
- Restart the server.
You can also resolve this issue by editing the registry:
- Start Registry Editor (Regedt32.exe).
- Locate and click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Double-click lmcompatibilitylevel.
- Change the Radix setting to Decimal, and then type the number "0" in the Data box. Click OK.
- Quit Registry Editor.
- Restart the server.
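Added example (not part of the original Microsoft article): a Python check that reads saved `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa` output from each cluster node and lists the nodes whose lmcompatibilitylevel still differs from the value 0 that the steps above set. The node names and the sample output are constructed, the output layout is assumed to be that of reg.exe on current Windows, and treating a missing value as level 0 is an assumption based on the default this article names.

```python
import re

KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# lmcompatibilitylevel values and the matching Security Options names.
LEVELS = {
    0: "Send LM and NTLM responses",
    1: "Send LM and NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only, refuse LM",
    5: "Send NTLMv2 response only, refuse LM and NTLM",
}
DEFAULT_LEVEL = 0  # assumption: value absent means the default named in the article

# Registry value names are case-insensitive; reg.exe prints DWORDs as 0x<hex>.
VALUE_RE = re.compile(
    r"^\s*lmcompatibilitylevel\s+REG_DWORD\s+(0x[0-9a-f]+|\d+)\s*$",
    re.IGNORECASE | re.MULTILINE)

def parse_level(reg_output):
    """Return the level found in `reg query` text, or the default if absent."""
    m = VALUE_RE.search(reg_output)
    if m is None:
        return DEFAULT_LEVEL
    raw = m.group(1)
    level = int(raw, 16) if raw.lower().startswith("0x") else int(raw)
    if level not in LEVELS:
        raise ValueError(f"unexpected lmcompatibilitylevel: {raw}")
    return level

def audit(outputs, target=0):
    """Return ({node: (level, name)}, sorted list of nodes not at target)."""
    report = {n: (parse_level(t), LEVELS[parse_level(t)]) for n, t in outputs.items()}
    return report, sorted(n for n, (lvl, _) in report.items() if lvl != target)

# Constructed sample output; NODE1..NODE3 are hypothetical node names.
SAMPLE = {
    "NODE1": f"\n{KEY}\n    lmcompatibilitylevel    REG_DWORD    0x5\n",
    "NODE2": f"\n{KEY}\n    LmCompatibilityLevel    REG_DWORD    0x0\n",
    "NODE3": f"\n{KEY}\n    Authentication Packages    REG_MULTI_SZ    msv1_0\n",
}

if __name__ == "__main__":
    report, to_fix = audit(SAMPLE)
    for node, (level, name) in sorted(report.items()):
        print(f"{node}: {level} ({name})")
    print("Nodes still to change:", ", ".join(to_fix) or "none")
```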
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
Modification Type: Minor
Last Reviewed: 1/27/2006
Keywords: kbClustering kbprb w2000mscs KB295091