Cluster Services does not work correctly in a Windows Server 2003 SP1-based cluster that has the Internet Connection Firewall enabled (883398)


The information in this article applies to:

  • Microsoft Windows Server 2003, Enterprise Edition Service Pack 1 (SP1)
  • Microsoft Windows Server 2003, Datacenter Edition Service Pack 1 (SP1)

SYMPTOMS

Cluster Services in a Microsoft Windows Server 2003 Service Pack 1-based cluster do not start and log the following error in the event log:
Event ID: 1107
Source: ClusSvc
Description: Cluster node xxxxxxx failed to make a connection to the node over network 'Public'.

CAUSE

This behavior occurs if the following conditions are true:
  • The Internet Connection Firewall (ICF) is enabled on the cluster-based server computer.
  • The Cluster Server check box in the Select the server roles that the selected server performs list is not selected in the Security Configuration Wizard.
Additionally, for a cluster node join to work, you must select the Join a cluster check box in the Select Administration and other Options page in the Security Configuration Wizard.

RESOLUTION

To resolve this behavior, follow these steps:
  1. Click Start, point to Administrative Tools, and then click Security Configuration Wizard.
  2. After you create, edit or apply a security policy and reach the Role-Based Service Configuration page, click Next.
  3. In the Select Server Roles page, click All roles in the View list.
  4. Under Select the server roles that the selected server performs, click to select the Cluster server check box, and then click Next.
  5. In the Select Client Features page, select the client features that you want the selected server to perform, and then click Next.
  6. In the Select Administration and Other Options page, click to select the Join a cluster check box, and then click Next.

    Note If the Join a cluster option is not available, click All options in the View list.
  7. Complete the Security Configuration Wizard.

MORE INFORMATION

The Security Configuration Wizard that is included with Windows Server 2003 Service Pack 1 (SP1) helps you select the functional role that is performed by your computer. Additionally, it minimizes attack vulnerability by authoring security policies at the same time.

Note The Security Configuration Wizard is a Windows optional component that you can install by using the Add/Remove Windows Components feature in the Add or Remove Programs tool. For each cluster resource to work correctly, you must select the appropriate server or client role for the cluster resource. For a cluster resource to work correctly, in the Security Configuration Wizard, you must select all the appropriate server roles that the selected server performs. This is in addition to the Cluster server role.

For more information about the Security Configuration Wizard that is included in Windows Server 2003 SP1, visit the following Microsoft Web site:

http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx

STATUS

This behavior is by design.

REFERENCES

For more information about Clustering Services in Windows Server 2003, visit the following Microsoft Web site:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/clustering/default.mspx

For more information about "Server Clusters: Security Best Practices for Windows 2000 and Windows Server 2003," visit the following Microsoft Web site:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/clustering/srclscbp.mspx

Modification Type:MajorLast Reviewed:3/14/2006
Keywords:kbhowto kbinfo KB883398 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.