Clusters That Are Upgraded from Windows NT 4.0 Do Not Contain the System SID in the Security Descriptor (812876)



The information in this article applies to:

  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition

SYMPTOMS

When you upgrade a Microsoft Windows NT 4.0-based cluster server to Windows Server 2003, or when you upgrade a Windows NT 4.0-based cluster server to a Windows 2000-based cluster server and then to Windows Server 2003, the SYSTEM security identifier (SID) is not added to the security descriptor of the cluster.

WORKAROUND

To work around this issue, assign the SYSTEM account Full Control permissions to the cluster. To do so, follow these steps:
  1. Start the Cluster Administrator utility, and then connect to the cluster that you want to add the SYSTEM account to.
  2. In the left pane, click the cluster that you want to add the SYSTEM account to.
  3. On the File menu, click Properties.
  4. Click the Security tab, and then click Add.
  5. Type system in the "Enter the object names to select (examples)" box, click Check Names, and then click OK.
  6. Click SYSTEM in the "Group or user names" box, click to select the Full Control check box under Allow, and then click OK.

STATUS

Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

The security descriptor of a cluster is a data structure that contains security information associated with that cluster. Security descriptors include information about who owns the object, who can access the object and in what way, and what types of access are audited. To work correctly, some cluster-aware programs or services may require that the Cluster security descriptor contain the SYSTEM SID. Additionally, when you try to use the Cluster Administrator utility to set security permissions on a cluster, you cannot do so unless the SYSTEM account is added to the cluster with Full Control permissions.
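
As an added example (not part of the original article and not Microsoft code), the following Python code parses a self-relative Windows security descriptor and reports whether its DACL contains an allow entry for the SYSTEM SID (S-1-5-18), which is the condition this article describes as missing. The two sample descriptors, the helper names, and the access mask value are constructed for illustration; obtaining the cluster's actual descriptor bytes is outside the scope of the example.

```python
import struct

SYSTEM_SID = "S-1-5-18"            # well-known SID of the SYSTEM account
ACCESS_ALLOWED, ACCESS_DENIED = 0x00, 0x01   # ACE types carrying mask + SID
SE_DACL_PRESENT = 0x0004           # control flag: descriptor has a DACL

def parse_sid(buf, off):
    """Decode a binary SID at buf[off:] into its S-R-A-S... string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def dacl_aces(sd):
    """Yield (ace_type, access_mask, sid) for allow/deny ACEs in the DACL."""
    fields = struct.unpack_from("<BBHIIII", sd, 0)   # 20-byte SD header
    control, dacl_off = fields[2], fields[6]
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return                                       # no DACL to inspect
    ace_count = struct.unpack_from("<H", sd, dacl_off + 4)[0]
    pos = dacl_off + 8                               # skip 8-byte ACL header
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_size < 4:
            raise ValueError("malformed ACE at offset %d" % pos)
        if ace_type in (ACCESS_ALLOWED, ACCESS_DENIED):
            mask = struct.unpack_from("<I", sd, pos + 4)[0]
            yield ace_type, mask, parse_sid(sd, pos + 8)
        pos += ace_size

def system_allow_masks(sd):
    """Return the access masks of every allow ACE granted to SYSTEM."""
    return [m for t, m, sid in dacl_aces(sd) if t == ACCESS_ALLOWED and sid == SYSTEM_SID]

# --- Constructed sample data below (not taken from a real cluster) ---
def _sid(*subs, authority=5):
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def _sd(aces):
    body = b"".join(struct.pack("<BBHI", ACCESS_ALLOWED, 0, 8 + len(s), m) + s for m, s in aces)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl

MASK = 0x00000003                                    # constructed sample mask
ADMINS_ONLY_SD = _sd([(MASK, _sid(32, 544))])        # Administrators only
WITH_SYSTEM_SD = _sd([(MASK, _sid(32, 544)), (MASK, _sid(18))])

if __name__ == "__main__":
    print("admins only :", system_allow_masks(ADMINS_ONLY_SD))
    print("with SYSTEM :", system_allow_masks(WITH_SYSTEM_SD))
```

An empty result corresponds to the symptom in this article: the descriptor has no allow entry for SYSTEM.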

Modification Type: Major
Last Reviewed: 2/24/2004
Keywords: kbpending kbbug KB812876