In the past, I have written a few blogs explaining issues that cause listener creation in the cluster to fail. In this blog, we will look at another cause of listener creation failure.
I explained there that whenever there are any issues related to cluster resources, we should always look at the cluster log. If you are not sure how to generate cluster logs, read my earlier blog on the same topic: SQL SERVER – Steps to Generate Windows Cluster Log?
- Listener Name – ProdListener
- Windows Cluster Name – WinCluster
Here were the messages in the cluster log:
[RES] Network Name : AccountAD: PopulateNetnameADState – DCFlags 1073745937 LdapReferralAllowed 0
[RES] Network Name: [NNLIB] FindSuitableDCNew – objectName ProdListener, username – WinCluster$, firstChoiceDCName – \\DC01.domain.com
[RES] Network Name: [NNLIB] Found first choice DC that has the object ProdListener DCName – \\DC01.domain.com.
[RES] Network Name: [NNLIB] GetOUForVCOCreation – OU name of CNO is OU=IN,DC=Domain,DC=Com
[RES] Network Name: [NNLIB] GetOUForVCOCreation – CNO SID is S-1-5-21-2987268983-2468375096-37832846-293957
[RES] Network Name : AccountAD: Object ProdListener already exists, using DC: \\DC01.domain.com
[RES] Network Name: [NNLIB] Changing Password for object ProdListener on DC: \\DC01.domain.com result: 5
[RES] Network Name: [NN] IdentityLocal End Impersonating
[RES] Network Name : AccountAD: Provisioning computer object failed with error 5
[RES] Network Name : AccountAD: OnInitializeEnd: 5
[RES] Network Name : Configuration: InitializeReplyCreation of NetName (type Singleton), result: 5, IsCanceled: false
I have trimmed the cluster logs and kept only the interesting messages. In my client’s case, the listener (ProdListener) had already been provisioned in the domain controller. The most relevant error is “Changing Password for object ProdListener on DC: \\DC01.domain.com result: 5”. Result code 5 is the Windows error ERROR_ACCESS_DENIED, so this means the cluster is trying to change the password of the object and failing with access denied. The key part here is that this operation is performed as “username – WinCluster$”. This is not a domain user but the cluster computer object, also known as the CNO.
An “Access is denied” error can also have many other causes that make the network name or client access point resource fail to come online in the cluster. In my experience, one of the most common is that the domain administrator has not granted the CNO the “Read All Properties” and “Create Computer Objects” permissions. You might also see “Access is denied” in the event log.
WORKAROUND/SOLUTION – Listener Failure
Based on the cluster log snippet, it was clear that a domain admin needs to grant the CNO access to the VCO. The VCO is the virtual computer object, which is the listener in an Always On scenario. The CNO is the cluster name object, the computer object for the Windows Cluster network name in Active Directory.
- Open the Active Directory Users and Computers snap-in (dsa.msc) on a domain controller.
- In the View menu, check Advanced Features. (Otherwise, we would not see the option explained in the next steps.)
- Right-click the OU/container where we want the VCO (ProdListener in the above example) to be created and click “New” -> “Computer”.
- Provide a name for the object (this will be the listener name for the AG) and click “OK”.
- Right-click the VCO we just created and select “Properties”. Click the Security tab and then click “Add”.
- Enter the CNO (make sure to select the “Computers” option in the “Object Types” window) and click “OK”. The CNO is the Cluster Name Object, i.e. the name of the Windows Cluster, NOT the listener or FCI name.
- Give the CNO “Full Control” over the VCO.
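The same pre-staging and permission grant done from PowerShell, as an added example that is not part of the original post. It assumes the names from this blog (ProdListener, WinCluster, OU=IN,DC=Domain,DC=Com), the RSAT ActiveDirectory module, and a domain admin session; “Full Control” in the GUI corresponds to the GenericAll right below.

```powershell
# Added example (not from the original post): pre-stage the listener's VCO and grant the
# CNO Full Control over it, the same outcome as the dsa.msc steps above.
# Assumed values are taken from the blog: listener 'ProdListener', cluster 'WinCluster',
# OU 'OU=IN,DC=Domain,DC=Com'. Run as a domain admin with the ActiveDirectory module.
Import-Module ActiveDirectory

$ListenerName = 'ProdListener'            # VCO name = AG listener name
$ClusterName  = 'WinCluster'              # CNO name = Windows Cluster name (NOT the listener)
$TargetOU     = 'OU=IN,DC=Domain,DC=Com'  # OU shown for the CNO in the cluster log

# 1. Pre-stage the VCO as a disabled computer object (the cluster enables it when the
#    listener comes online). If it already exists, as in the blog's case, reuse it.
$vco = Get-ADComputer -Filter "Name -eq '$ListenerName'"
if (-not $vco) {
    $vco = New-ADComputer -Name $ListenerName -Path $TargetOU -Enabled $false -PassThru
}

# 2. Resolve the CNO, the identity the cluster log showed as 'WinCluster$'.
$cno    = Get-ADComputer -Identity "$ClusterName`$"
$cnoSid = [System.Security.Principal.SecurityIdentifier]$cno.SID

# 3. Grant the CNO Full Control (GenericAll) on the VCO and write the ACL back.
$vcoPath = "AD:\$($vco.DistinguishedName)"
$acl  = Get-Acl -Path $vcoPath
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $cnoSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $vcoPath -AclObject $acl

# 4. Verify: list the ACEs on the VCO that apply to the CNO. Expect GenericAll / Allow.
(Get-Acl -Path $vcoPath).Access |
    Where-Object { $_.IdentityReference.Value -like "*\$ClusterName`$" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

The verification step at the end is also a useful check on an existing, failing listener: if no Allow ACE for the CNO shows up on the VCO, the “result: 5” in the cluster log is explained.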
After this, we should be able to bring listeners online in the cluster manager.
Reference: Pinal Dave (https://blog.sqlauthority.com)