09-13-2010 08:56 AM
Service Group appears online on primary node with no problems. Switch to secondary and the following error appears in lanman log:
"Failed to update Computer account in Active directory (error_type:2, error_code:0x00000522" and the LanMan Resource fails to online
Hardware/build identical on both cluster nodes. SFW HA v5.1 installed on both nodes. All resources probed successfully.
Any ideas anyone?
......not solved yet!
09-13-2010 10:31 AM
Hi ash22,
Error 522 is privilege not held. Check the privilege of the user account for the HAD Helper service. You can do this by running the following command:
hadhelper.exe /showconfig
If it shows you missing privileges then run this command on all nodes to reconfigure the Had Helper service account:
hadhelper.exe /configure /user:<user_name>
Replace <user_name> with the domain/user name of the account that Had Helper service should start with.
Thanks,
Wally
09-13-2010 11:25 AM
Agree 100% with Wally.
If AD/DNS has been manually updated, you can set 'ADUpdateRequired' to 0. The default is supposed to be 0, but some of the wizards (SQL for one) set this attribute to 1.
09-13-2010 11:42 AM
The problem with disabling the AD and DNS updates is that certain security methods (such as Kerberos) stop working during failover. Some normal operations of applications like Exchange and SQL depend on Kerberos security. If you disable AD and DNS updates then test your application thoroughly to ensure that it is working as you expect it to.
-Wally
09-14-2010 07:29 AM
Re-configuring the had helper account on the secondary node was successful (hadhelper /config), but the same errors were generated in Lanman log.
Switching Service Group to primary was successful.
Re-setting all attributes to "False" on Lanman works fine, and the Service Group comes online on both nodes.
Extract from Lanman log:
09-21-2010 10:02 PM
Try this:
http://www.symantec.com/business/support/index?page=content&id=TECH54363
http://www.symantec.com/business/support/index?page=content&id=TECH74594
09-22-2010 01:25 PM
Hi ash22,
I'm not sure if you have resolved this by now or not. If not, here is a troubleshooting process to help determine where the problem is at.
1. Offline the Lanman resource.
2. Disable the ADUpdateRequired, ADCriticalForOnline, DNSUpdateRequired and DNSCriticalForOnline attributes.
3. Test online of the Lanman resource - you already tested to this point so this should be Ok for you.
4. Offline the Lanman resource.
5. Enable the ADUpdateRequired and ADCriticalForOnline attributes.
6. Test online of the Lanman resource.
If the Lanman onlines then AD updates are not causing your problem.
If the Lanman does not online then we need to investigate why Lanman can not update AD.
7. Offline the Lanman resource.
8. Disable ADUpdateRequired and ADCriticalForOnline attributes.
9. Enable DNSUpdateRequired and DNSCriticalForOnline attributes.
10. Test online of the Lanman resource.
If the Lanman onlines then DNS updates are not causing your problem.
If the Lanman does not online then we need to investigate why Lanman can not update DNS.
Typically, I see DNS updates failing when the HADHelper service account has not been given permission to update DNS. With a default domain and Windows DNS security settings the HADHelper service account should have rights to update DNS with the privileges that HADHelper sets. However, if additional security is set to tighten down DNS updates then additional privileges/permissions may need to be granted to the HADHelper service account.
I see AD update issues when the HADHelper service account does not have rights to create or modify the virtual server's Computer Object in AD.
Please let me know if you are having problems updating DNS, AD or both.
Thanks,
Wally
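
The isolation procedure from the post above, scripted as an added example (not part of the original thread and not Symantec's own tooling). It assumes the standard VCS `hares` and `haconf` commands are on PATH; the resource and node names are placeholders, and the helper function names are made up for this example.

```powershell
# Added example: find out whether AD or DNS updates keep the Lanman resource offline.
# Assumptions: hares/haconf on PATH; $Resource and $Node are placeholders to replace.
param(
    [string]$Resource  = 'LANMAN_RESOURCE_PLACEHOLDER',
    [string]$Node      = 'SECONDARY_NODE_PLACEHOLDER',
    [int]$TimeoutSec   = 180
)

$AllAttrs = 'ADUpdateRequired','ADCriticalForOnline','DNSUpdateRequired','DNSCriticalForOnline'

# Poll the resource state on $Node until it matches $Wanted, faults, or times out.
function Wait-State([string]$Wanted) {
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $state = (& hares -state $Resource -sys $Node | Out-String).Trim()
        if ($state -eq $Wanted) { return $true }
        if ($Wanted -eq 'ONLINE' -and $state -match 'FAULTED') { return $false }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    return $false
}

# Offline the resource, enable only the attributes in $Enabled, then test online.
function Test-Online([string[]]$Enabled) {
    & hares -clear   $Resource -sys $Node | Out-Host   # clear a fault left by a failed pass
    & hares -offline $Resource -sys $Node | Out-Host
    [void](Wait-State 'OFFLINE')
    & haconf -makerw | Out-Host                        # open the configuration for writing
    foreach ($attr in $AllAttrs) {
        $value = [int]($Enabled -contains $attr)       # 1 = enabled, 0 = disabled
        & hares -modify $Resource $attr $value | Out-Host
    }
    & haconf -dump -makero | Out-Host                  # save and close the configuration
    & hares -online $Resource -sys $Node | Out-Host
    return (Wait-State 'ONLINE')
}

# Steps 1-3, 4-6 and 7-10 of the procedure, one pass each.
$results = [ordered]@{
    'All updates disabled' = Test-Online @()
    'AD updates only'      = Test-Online @('ADUpdateRequired','ADCriticalForOnline')
    'DNS updates only'     = Test-Online @('DNSUpdateRequired','DNSCriticalForOnline')
}
$results.GetEnumerator() | ForEach-Object { '{0,-22} online={1}' -f $_.Key, $_.Value }
```

A pass that reports `online=False` points at the update type the HADHelper account cannot perform. The script leaves the attributes as set by the last pass, so restore the intended values afterwards.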