I've posted twice to the server clustering group, but my post hasn't shown
either time, and things are critical.
We had a SAN that went belly up over the weekend, and we're having problems
getting the cluster back on line. It has been running for some time. There
are 3 errors in the event viewer:
Event ID: 1205; The Cluster service failed to bring clustered service or
application 'printserver' completely online or offline. One or more resources
may be in a failed state. This may impact the availability of the clustered
service or application.
Event ID: 1207; Cluster network name resource 'printserver' cannot be
brought online. The computer object associated with the resource could not be
updated in domain 'domain.com' for the following reason:
Unable to obtain the Primary Cluster Name Identity token.
The text for the associated error code is: An attempt has been made to
operate on an impersonation token by a thread that is not currently
impersonating a client.
The cluster identity 'PRINTSERVERCLUS$' may lack permissions required to
update the object. Please work with your domain administrator to ensure that
the cluster identity can update computer objects in the domain.
Event ID: 1069: Cluster resource 'printserver' in clustered service or
application 'printserver' failed.
A possible related error is on the domain controller:
Event ID 4: The Kerberos client received a KRB_AP_ERR_MODIFIED error from
the server . The target name used was host/PRINTSERVERCLUSTER.DOMAIN.COM.
This indicates that the target server failed to decrypt the ticket provided
by the client. This can occur when the target server principal name (SPN) is
registered on an account other than the account the target service is using.
Please ensure that the target SPN is registered on, and only registered on,
the account used by the server. This error can also happen when the target
service is using a different password for the target service account than
what the Kerberos Key Distribution Center (KDC) has for the target service
account. Please ensure that the service on the server and the KDC are both
updated to use the current password. If the server name is not fully
qualified, and the target domain () is different from the client domain
(DOMAIN.COM), check if there are identically named server accounts in these
two domains, or use the fully-qualified name to identify the server.
Additionally, within the Failover Cluster Management GUI, if I select to
manage printservercluster or printservercluster.domain.com, I get "the action
'Manage a Cluster...' did not complete. Could not open a connection to the
cluster 'printservercluster.domain.com'. A security package specific error
occurred." However, I can connection to simply a '.', and within this the
Server Name shows to be in a failed status.
I can RDP to the FQDN.
I've gone through
http://technet.microsoft.com/en-us/l...8WS.10%29.aspx, but I
still have the error.
I would be very grateful if anyone can shed some light on this.