SQL SERVER – Unable to Create Always On Listener – Attempt to Locate a Writeable Domain Controller (in Domain Unspecified Domain) Failed

SQL
No Comments

SQL SERVER – Unable to Create Always On Listener - Attempt to Locate a Writeable Domain Controller (in Domain Unspecified Domain) Failed xerror This is one of the common causes in Always On for which my clients contact me – “Unable to create listener”. In this blog we would learn about how to fix event Id 1212 – Attempt to locate a writeable domain controller.

When my client contacted me, they were having the same error with three different clusters which makes them believe that this an issue outside the cluster configuration. They were unable to Create Listener and getting Msg 41009 – The Windows Server Failover Clustering (WSFC) Resource Control API Returned Error.

First thing I did was to check the event log and I found below message.

Log Name: System
Source: Microsoft-Windows-FailoverClustering
Event ID: 1212
Task Category: Network Name Resource
Level: Error
Keywords:
User: SYSTEM
Description:
Cluster network name resource ‘AGListener’ cannot be brought online. Attempt to locate a writeable domain controller (in domain unspecified domain) in order to create or update a computer object associated with the resource failed for the following reason:
More data is available.
The error code was ‘234’. Ensure that a writeable domain controller is accessible to this node within the configured domain. Also, ensure that the DNS server is running in order to resolve the name of the domain controller.

I explained that whenever there are any issues related to cluster resource, we should always look at cluster log. If you are not sure how to generate cluster logs, read my earlier blog on the same topic. SQL SERVER – Steps to Generate Windows Cluster Log?

Here were the messages in the cluster log

ERR[RES] Network Name: [NNLIB] Searching for object SQLLISTENER on first choice DC failed. Error 234.
WARN [RES] Network Name : AccountAD: PopulateNetnameADState – FindSuitableDCNew failed with error 234 with known good password. Retrying with proposed password
INFO [RES] Network Name: [NNLIB] FindSuitableDCNew – objectName SQLLISTENER, username – MZNAPWCLEQU004$, firstChoiceDCName – \\DCAZ.domain.com
INFO [RES] Network Name: [NNLIB] LDAP bind to first choice DC \\DCAZ.domain.com failed. Error 5. Trying to LDAP bind with empty DC
INFO [RES] Network Name: [NNLIB] LDAP bind to first choice DC failed. Error 5. Trying second choice DC
INFO [RES] Network Name: [NNLIB] LDAP bind to second choice DC failed. Error 5.
ERR [RES] Network Name : AccountAD: PopulateNetnameADState – FindSuitableDCNew failed with error 5 with known proposed password
ERR [RES] Network Name : AccountAD: Populate netname AD state (bind to DC & search for object if exists) for object SQLLISTENER failed with error 234

We are seeing two errors here:

  1. Error 234
  2. Error 5

I don’t know what error 234 is but I do know that error 5 = Access is denied.

One of the most common cause would be where the Domain Administrator does not allow the CNO “Read All Properties” and “Create Computer Objects” permissions. You might see “Access is denied” in the event log.

Here are the steps, which are also known as pre-staging of virtual computer object (VCO) in domain controller.

  • If possible, connect to the domain controller. Ensure that we are logged in as a user that has permissions to create computer objects in the domain.
  • Open the Active Directory Users and Computers Snap-in (dsa.msc).
  • In Menu > View -> Advanced Features. (Otherwise, we would not see option explained in next steps)
  • Right-click the OU/Container where we want the VCO to be created and click “New” -> “Computer”
  • Provide a name for the object (This will be your SQL Server Network Name in FCI or Listener Name in AG) and click “OK”:
  • Right-click on the on the VCO which we just created and select “Properties”. Click the security tab and then click “Add”:
  • Enter the CNO (Make sure to select “Computers” option in the “Object Types” window) and click “OK”. The CNO is a Cluster Name Object. This is the name of the Windows Cluster name NOT listener or FCI name.
  • Give CNO “Full Control” over the VCO.

If all above steps are followed, we should not get access denied and if we try creating Listener, it should be successful.

Reference: Pinal Dave (https://blog.SQLAuthority.com)

, , , ,
Previous Post
SQL SERVER – Always On Secondary Replica Huge Redo Queue – Version Store is Full. New Version(s) Could Not be Added
Next Post
SQL SERVER – Always On Availability Groups and Full-Text Index

Related Posts

Leave a Reply

Menu