Apr 13, 2014

Error 1207 ID - The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements

Here is a way to track down and fix the pain-in-the-ass ID 1207 when you don't get the default access denied message. This is meant to help anyone who has the error below. Hope it helps.

<Scenario>
ID 1207 is being logged on the DAG member server (host owner) every 15 minutes. Even if you move the "Cluster Group" to another server, the ID is still generated on whichever server is now hosting the "Cluster Group".

Log Name:      System
Source:        Microsoft-Windows-FailoverClustering
Date:          4/12/2014 2:33:32 PM
Event ID:      1207
Task Category: Network Name Resource
Level:         Error
User:          SYSTEM
Computer:      EX01.chang.com
Description: Cluster network name resource 'Cluster Name' cannot be brought online. The computer object associated with the resource could not be updated in domain 'chang.com' for the following reason:
Unable to update password for computer account.
The text for the associated error code is: The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.
The cluster identity 'DAG01$' may lack permissions required to update the object. Please work with your domain administrator to ensure that the cluster identity can update computer objects in the domain.


<Troubleshooting Actions>
The first thought was to review all the permissions and compare the DAG's account with the EUR one, since the EUR servers were not generating any ID 1207 on the DAG member servers.
The second step was to review the cluster.log and check the communication between the impacted server and the domain controller (PDC).

000021a8.00003948::2014/04/12-14:26:09.160 INFO  [RES] Network Name <Cluster Name>: Trying to find computer account DAG02 object GUID(913b4ecd1bd89047a6186b15a9f69e21) on any available domain controller.
000021a8.00003948::2014/04/12-14:26:09.300 INFO  [RES] Network Name <Cluster Name>: Found computer account DAG01 on domain controller \\DC0008.chang.com.
000021a8.00003948::2014/04/12-14:26:09.300 INFO  [RES] Network Name <Cluster Name>: Trying to obtain the VSToken for Core Cluster Name resource
000021a8.00003948::2014/04/12-14:26:09.316 INFO  [RES] Network Name <Cluster Name>: GetCoreNetnameObject_VSToken returning status 0
000021a8.00003948::2014/04/12-14:26:09.316 INFO  [RES] Network Name <Cluster Name>: Obtained the security token for cluster name account.
00001a5c.00004e2c::2014/04/12-14:26:12.373 INFO  [GUM] Node 5: Processing RequestLock 7:211485
00001a5c.00004e2c::2014/04/12-14:26:12.373 INFO  [GUM] Node 5: Processing GrantLock to 7 (sent by 5 gumid: 11988005)
00001a5c.00001d1c::2014/04/12-14:26:12.623 INFO  [GUM] Node 5: Processing RequestLock 3:223687
00001a5c.00004e2c::2014/04/12-14:26:12.623 INFO  [GUM] Node 5: Processing GrantLock to 3 (sent by 7 gumid: 11988006)
000021a8.00003948::2014/04/12-14:26:14.760 ERR   [RES] Network Name <Cluster Name>: Unable to update password for computer account DAG02 on DC \\PDC0101.chang.com, status 2245.
00001a5c.00002eb4::2014/04/12-14:26:14.776 INFO  [GUM] Node 5: Processing RequestLock 5:221212
00001a5c.00001d1c::2014/04/12-14:26:14.776 INFO  [GUM] Node 5: Processing GrantLock to 5 (sent by 3 gumid: 11988007)
000021a8.00003948::2014/04/12-14:26:14.776 WARN  [RES] Network Name <Cluster Name>: Automatic Password rotation failed with status 2245.Will retry in  2245 seconds
000021a8.00003948::2014/04/12-14:26:14.776 INFO  [RES] Network Name <Cluster Name>: TimerQueueTimer rescheduled to fire after 900 secs


After reviewing the PDC server and capturing network traces between the PDC and EX01, we could see that the communication was working fine.
We then looked up error code 2245, which means the object could not reset the account password.

We found that the 'userAccountControl' attribute of the computer account was set to an incorrect value (0x220 - for User Account).

Using another DAG01 as an example, the first picture shows the wrong configuration.


The second picture shows the correct value. We checked, and ID 1207 was being generated only for the DAG02 servers.




One part of the symptom was that when we tried to find the DAG0X account using the ADUC snap-in, the search came back empty. After resetting the value, we can find the computer account in the ADUC snap-in.

<Solution>
The userAccountControl value must be changed from 0x220 to 0x1000.
Now you can see the account as a Workstation/Server computer account in the ADUC snap-in.
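
To check for other computer objects in the same state, the following is an added example, not part of the original post. It decodes userAccountControl and flags computer objects that carry the user account type instead of a machine trust type. The function names and sample objects are constructed for illustration; the bit values are the documented userAccountControl flags.

```powershell
# Added example: decode userAccountControl and flag mis-typed computer objects.
# Bit values are the documented userAccountControl flags (ADS_USER_FLAG_ENUM).
$UacFlags = [ordered]@{
    ACCOUNTDISABLE            = 0x0002
    PASSWD_NOTREQD            = 0x0020
    NORMAL_ACCOUNT            = 0x0200   # user account type
    WORKSTATION_TRUST_ACCOUNT = 0x1000   # member workstation/server
    SERVER_TRUST_ACCOUNT      = 0x2000   # domain controller
    DONT_EXPIRE_PASSWORD      = 0x10000
    TRUSTED_FOR_DELEGATION    = 0x80000
}

# Hypothetical helper: names of every known flag set in $Value.
function ConvertFrom-Uac {
    param([int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { $Value -band $_.Value } |
        ForEach-Object { $_.Key }
}

# Hypothetical helper: a computer object should carry a machine trust bit
# and must not carry NORMAL_ACCOUNT.
function Test-ComputerAccountType {
    param([int]$Value)
    $machine = $Value -band (0x1000 -bor 0x2000)
    $user    = $Value -band 0x0200
    return ($machine -ne 0) -and ($user -eq 0)
}

# Constructed sample objects mirroring the values in the post.
# Against a live domain (ActiveDirectory module), use instead:
#   $objects = Get-ADObject -LDAPFilter '(objectClass=computer)' -Properties userAccountControl
$objects = @(
    [pscustomobject]@{ Name = 'DAG01'; userAccountControl = 0x1000 }
    [pscustomobject]@{ Name = 'DAG02'; userAccountControl = 0x220 }
)

foreach ($o in $objects) {
    [pscustomobject]@{
        Name              = $o.Name
        UAC               = '0x{0:X}' -f [int]$o.userAccountControl
        Flags             = (ConvertFrom-Uac $o.userAccountControl) -join ', '
        ValidComputerType = Test-ComputerAccountType $o.userAccountControl
    }
}
```

The query goes through objectClass because that attribute does not depend on userAccountControl, so it still returns an object that the ADUC computer search no longer shows.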
