Friday, October 26, 2012

Exchange 2013 DAG CreateCluster() Failed Error

So far I have encountered the following problem in two completely separate Exchange 2013 Preview environments when creating a Database Availability Group [DAG].

Started by creating a simple DAG without any problems, only specifying its IP address and letting Exchange decide which server to use as the Witness Server. However, whenever I tried to add any of the mailbox servers to this DAG, I would get the following error:
 
Note the "CreateCluster() failed with 0x5. Error: Access is denied" part of the error message.


If we look at the dagtask log mentioned in the error above, we will see all the tasks Exchange performs when adding a server to the DAG and where it failed:
[2012-10-26T18:23:18] ClusterSetupProgressCallback( eSetupPhase = ClusterSetupPhaseConfigureClusterAccount, ePhaseType = ClusterSetupPhaseStart, ePhaseSeverity = ClusterSetupPhaseInformational, dwPercentComplete = 94, szObjectName = DAG1 in organizational unit CN=Computers,DC=letsexchange,DC=com, dwStatus = 0x0 )

[2012-10-26T18:23:18] ClusterSetupProgressCallback( eSetupPhase = ClusterSetupPhaseConfigureClusterAccount, ePhaseType = ClusterSetupPhaseEnd, ePhaseSeverity = ClusterSetupPhaseFatal, dwPercentComplete = 94, szObjectName = DAG1 in organizational unit CN=Computers,DC=letsexchange,DC=com, dwStatus = 0x5 )

When dwStatus is 0x0, it means “success” but 0x5 means “access denied” just like the error we received in the Shell.
After some troubleshooting, I found out that the DAG’s Cluster Name Object [CNO] wasn’t created properly! There were two problems with the CNO:
1. The Exchange Trusted Subsystem universal security group didn’t have Full Access permissions to it;
2. The CNO was enabled in Active Directory:


After assigning full control to DAG1 AD object to the Exchange Trusted Subsystem and then disabling it, everything worked just fine:

5 comments:

  1. This is documented at http://technet.microsoft.com/en-us/library/dd351172(v=exchg.150).aspx. When creating a DAG using Mailbox servers that are running Windows Server 2012, you must pre-stage the CNO for the DAG before adding the first server.

    ReplyDelete
  2. Hi Scott,

    Thanks a lot for your comment! I saw that article when troubleshooting but because it says “(...) in an Active Directory environment with Windows Server 2008 R2 directory servers (...)” and both my environments are pure 2012, I thought it didn’t apply... But I guess it does :)
    Thanks once again!

    Regards, Nuno

    ReplyDelete
  3. Very helpful post. Thank you Nuno.

    This guidance still applies for Exchange 2013 RTM. I also came across it using Windows Server 2012 Directory Services (2012 Functional Level) and Windows Server 2012 Exchange nodes. I also felt the Microsoft guidance was incomplete/misleading.

    ReplyDelete
    Replies
    1. Thank you!
      The documentation has been updated :)

      Regards, Nuno

      Delete
  4. This comment has been removed by a blog administrator.

    ReplyDelete