Forum Search:
Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Home » Microsoft » Windows Server » Server Clustering » Windows Cluster Takes 2 Minutes to Fail Over
Windows Cluster Takes 2 Minutes to Fail Over [message #158089] Fri, 21 August 2009 09:10 Go to next message
EH  is currently offline EH  United Kingdom
Messages: 181
Registered: September 2009
Senior Member
There seems to be a lot written about this on the net, and yet I can't find
the answer that fixes it for me.

I have a 2-node cluster on Windows Server 2003. Whenever it fails over it
takes 2 minutes to do it, and gets stuck waiting on Cluster Name and MSDTC
Resource in the Cluster Group.

When it fails over I get the following event in the System event log:

"The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/server2.mydomain.local. The target name used was . This indicates that
the password used to encrypt the kerberos service ticket is different than
that on the target server. Commonly, this is due to identically named
machine accounts in the target realm (MYDOMAIN.LOCAL), and the client realm.
Please contact your system administrator."

I have no idea how to resolve this, or even if it is the cause of the
problem.

I also note that in dnsmgmt, the private IP addresses of the two cluster
nodes keep appearing in the A records. I delete them on both servers and
they come back. I have been through the advanced TCP/IP properties and
checked that "Register the connection's addresses in DNS" is not checked,
but still they come back. Again, I don't know if this is a red herring.

Can anyone shed any light on this?

TIA

Charles
Re: Windows Cluster Takes 2 Minutes to Fail Over [message #158110 is a reply to message #158089] Thu, 27 August 2009 06:25 Go to previous messageGo to next message
EH  is currently offline EH  United Kingdom
Messages: 181
Registered: September 2009
Senior Member
Does anyone have any ideas about this? Any suggestions of things I can try
or places I can look are welcome.

Thanks

Charles


"Charles" <blank@nowhere.com> wrote in message
news:ukEcIDmIKHA.4376@TK2MSFTNGP03.phx.gbl...
> There seems to be a lot written about this on the net, and yet I can't
> find the answer that fixes it for me.
>
> I have a 2-node cluster on Windows Server 2003. Whenever it fails over it
> takes 2 minutes to do it, and gets stuck waiting on Cluster Name and MSDTC
> Resource in the Cluster Group.
>
> When it fails over I get the following event in the System event log:
>
> "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
> host/server2.mydomain.local. The target name used was . This indicates
> that the password used to encrypt the kerberos service ticket is different
> than that on the target server. Commonly, this is due to identically named
> machine accounts in the target realm (MYDOMAIN.LOCAL), and the client
> realm. Please contact your system administrator."
>
> I have no idea how to resolve this, or even if it is the cause of the
> problem.
>
> I also note that in dnsmgmt, the private IP addresses of the two cluster
> nodes keep appearing in the A records. I delete them on both servers and
> they come back. I have been through the advanced TCP/IP properties and
> checked that "Register the connection's addresses in DNS" is not checked,
> but still they come back. Again, I don't know if this is a red herring.
>
> Can anyone shed any light on this?
>
> TIA
>
> Charles
>
>
Re: Windows Cluster Takes 2 Minutes to Fail Over [message #158119 is a reply to message #158110] Wed, 02 September 2009 09:23 Go to previous messageGo to next message
RuNCo  is currently offline RuNCo  Slovakia
Messages: 2
Registered: September 2009
Junior Member
What about to check cluster log?

"Charles" <blank@nowhere.com> wrote in message
news:u8mcrCwJKHA.5956@TK2MSFTNGP03.phx.gbl...
> Does anyone have any ideas about this? Any suggestions of things I can try
> or places I can look are welcome.
>
> Thanks
>
> Charles
>
>
> "Charles" <blank@nowhere.com> wrote in message
> news:ukEcIDmIKHA.4376@TK2MSFTNGP03.phx.gbl...
>> There seems to be a lot written about this on the net, and yet I can't
>> find the answer that fixes it for me.
>>
>> I have a 2-node cluster on Windows Server 2003. Whenever it fails over it
>> takes 2 minutes to do it, and gets stuck waiting on Cluster Name and
>> MSDTC Resource in the Cluster Group.
>>
>> When it fails over I get the following event in the System event log:
>>
>> "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
>> host/server2.mydomain.local. The target name used was . This indicates
>> that the password used to encrypt the kerberos service ticket is
>> different than that on the target server. Commonly, this is due to
>> identically named machine accounts in the target realm (MYDOMAIN.LOCAL),
>> and the client realm. Please contact your system administrator."
>>
>> I have no idea how to resolve this, or even if it is the cause of the
>> problem.
>>
>> I also note that in dnsmgmt, the private IP addresses of the two cluster
>> nodes keep appearing in the A records. I delete them on both servers and
>> they come back. I have been through the advanced TCP/IP properties and
>> checked that "Register the connection's addresses in DNS" is not checked,
>> but still they come back. Again, I don't know if this is a red herring.
>>
>> Can anyone shed any light on this?
>>
>> TIA
>>
>> Charles
>>
>>
Re: Windows Cluster Takes 2 Minutes to Fail Over [message #158124 is a reply to message #158119] Thu, 03 September 2009 19:03 Go to previous messageGo to next message
Dawho  is currently offline Dawho  United States
Messages: 4
Registered: September 2009
Junior Member
To fix your DNS problem, in your DNS server you must set it to listen
only on addresses that you want to have A records for.

RuNCo wrote:
> What about to check cluster log?
>
> "Charles" <blank@nowhere.com> wrote in message
> news:u8mcrCwJKHA.5956@TK2MSFTNGP03.phx.gbl...
>> Does anyone have any ideas about this? Any suggestions of things I can
>> try or places I can look are welcome.
>>
>> Thanks
>>
>> Charles
>>
>>
>> "Charles" <blank@nowhere.com> wrote in message
>> news:ukEcIDmIKHA.4376@TK2MSFTNGP03.phx.gbl...
>>> There seems to be a lot written about this on the net, and yet I
>>> can't find the answer that fixes it for me.
>>>
>>> I have a 2-node cluster on Windows Server 2003. Whenever it fails
>>> over it takes 2 minutes to do it, and gets stuck waiting on Cluster
>>> Name and MSDTC Resource in the Cluster Group.
>>>
>>> When it fails over I get the following event in the System event log:
>>>
>>> "The kerberos client received a KRB_AP_ERR_MODIFIED error from the
>>> server host/server2.mydomain.local. The target name used was . This
>>> indicates that the password used to encrypt the kerberos service
>>> ticket is different than that on the target server. Commonly, this is
>>> due to identically named machine accounts in the target realm
>>> (MYDOMAIN.LOCAL), and the client realm. Please contact your system
>>> administrator."
>>>
>>> I have no idea how to resolve this, or even if it is the cause of the
>>> problem.
>>>
>>> I also note that in dnsmgmt, the private IP addresses of the two
>>> cluster nodes keep appearing in the A records. I delete them on both
>>> servers and they come back. I have been through the advanced TCP/IP
>>> properties and checked that "Register the connection's addresses in
>>> DNS" is not checked, but still they come back. Again, I don't know if
>>> this is a red herring.
>>>
>>> Can anyone shed any light on this?
>>>
>>> TIA
>>>
>>> Charles
>>>
>>>
Re: Windows Cluster Takes 2 Minutes to Fail Over [message #158125 is a reply to message #158110] Thu, 03 September 2009 21:30 Go to previous message
aceman  is currently offline aceman  United States
Messages: 5816
Registered: July 2009
Senior Member
"Charles" <blank@nowhere.com> wrote in message
news:u8mcrCwJKHA.5956@TK2MSFTNGP03.phx.gbl...
> Does anyone have any ideas about this? Any suggestions of things I can try
> or places I can look are welcome.
>
> Thanks
>
> Charles
>
>
> "Charles" <blank@nowhere.com> wrote in message
> news:ukEcIDmIKHA.4376@TK2MSFTNGP03.phx.gbl...
>> There seems to be a lot written about this on the net, and yet I can't
>> find the answer that fixes it for me.
>>
>> I have a 2-node cluster on Windows Server 2003. Whenever it fails over it
>> takes 2 minutes to do it, and gets stuck waiting on Cluster Name and
>> MSDTC Resource in the Cluster Group.
>>
>> When it fails over I get the following event in the System event log:
>>
>> "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
>> host/server2.mydomain.local. The target name used was . This indicates
>> that the password used to encrypt the kerberos service ticket is
>> different than that on the target server. Commonly, this is due to
>> identically named machine accounts in the target realm (MYDOMAIN.LOCAL),
>> and the client realm. Please contact your system administrator."
>>
>> I have no idea how to resolve this, or even if it is the cause of the
>> problem.
>>
>> I also note that in dnsmgmt, the private IP addresses of the two cluster
>> nodes keep appearing in the A records. I delete them on both servers and
>> they come back. I have been through the advanced TCP/IP properties and
>> checked that "Register the connection's addresses in DNS" is not checked,
>> but still they come back. Again, I don't know if this is a red herring.
>>
>> Can anyone shed any light on this?
>>
>> TIA
>>
>> Charles
>>
>>


Charles,

I am not a Cluster expert, so I can't help with that portion. But as far as
DNS and what's being registered, you are seeing default functionality.
pparently whatever record you are creating and deleting the default hostname
record, the system is seeing that as an SPN mismatch to the machine's
default FQDN, which is causing the kerb issues.

If the server is a DC, the netlogon service will always refresh it's
LdapIpAddress, A record, and GcIpAddress every 24 hours. If a DNS server, it
will register its nameserver record, hence what you are seeing. You can try,
as one poster mentioned, to tell it to only listen to a specific IP so that
registers.

You can also disable registration completely. Once that's done, if a DC, you
can then configure the netlogon registry entry to 'publish' (create) the
necessary records and IP you want, or if a DNS server, simply create static
entries.

Keep in mind, whatever you want to force register, the SPN of the machine,
which is based on it's configured FQDN must be registered properly, or you
will see kerb issues.

To get an idea of what's involved, I have a blog on multihomed DCs which
shows how to disable registration and create your own records. You can read
through the steps involved and apply what is applicable to your scenario.

Multihomed DCs with DNS, RRAS, and/or PPPoE adapters
http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihom ed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

I hope that helps.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
Goto Forum:
  


Current Time: Sun Sep 24 15:31:18 EDT 2017

Total time taken to generate the page: 0.04755 seconds
.:: Contact :: Home ::Sitemap::.

Powered by: FUDforum 3.0.0RC2.
Copyright ©2001-2009 FUDforum Bulletin Board Software