2025-01-18 Update. From: SLTechnology News&Howtos, Shulou (Shulou.com), 06/02 Report.
When installing a cluster role on WSFC 2012, administrators often find that the network name fails to come online. The cluster application is then not configured successfully and ultimately cannot provide service normally, for example SQL Server or DTC, and sometimes even reinstalling does not solve it. So why does this problem occur? Let's analyze it from scratch today.
The cluster resource 'SQL Server' could not be brought online due to an error bringing the dependency resource 'SQL Network Name' online.
To understand this typical error thoroughly, you have to start with the CNO and VCO. In this article, Lao Wang strings these concepts together again so that administrators can understand them thoroughly.
One of the key features of a highly available cluster is continuous service. That requires a logical external name coordinated by the cluster logic: if a node currently providing service goes down, user requests to the logical external name are automatically transferred to the surviving nodes, so that users always see the cluster application as alive.
In Microsoft WSFC this logical external name is implemented as the client access point, which usually has three parts: DNS, CNO, and VCO. DNS records let clients resolve the cluster and cluster applications, the CNO supports cluster connections and cluster Kerberos authentication, and the VCO helps specific cluster applications achieve node orientation.
For a cluster, a complete client access point consists of the cluster DNS record plus the cluster CNO name. If only DNS records are used, as in workgroup clusters and multi-domain clusters, Kerberos authentication is not supported.
For a cluster application, a complete application access point consists of the application DNS record plus the application VCO name. Which level of access point is used depends on the application. Some cluster applications can share the cluster DNS record and cluster CNO, so no application access point needs to be created; others need only a DNS record; others create a complete application access point. If a cluster application uses a complete application access point, it is because the application needs its own authentication or failover orientation, which has to be implemented with a separate computer object.
The CNO (Cluster Name Object) was introduced in WSFC 2008:
1. It is part of the cluster's access identity: administrators or applications connect to the CNO to access the cluster.
2. It is responsible for managing VCO (virtual computer object) creation, password synchronization, and the creation and maintenance of VCO DNS records.
3. After the CNO has created a VCO, it writes the CNO's permissions into the VCO's ACL.
4. Specific SPNs are written to the CNO, and applications perform Kerberos authentication with the cluster through the CNO.
5. The association between the CNO and the VCO is created and can be viewed in the cluster node registry.
6. Mistakenly deleting CNO or VCO objects prevents the cluster from coming online properly, and applications cannot perform Kerberos authentication with the cluster.
After this brief look at the concepts, let's use a practical case to understand why a network name failing to come online was rare in the WSFC 2008 era but is often seen in WSFC 2012.
The key to the answer is the rule for where CNO objects are created.
In the WSFC 2008 era, regardless of which OU the cluster node computer objects were in, the cluster CNO and VCO objects were created only in the default Computers container, unless the CNO and VCO objects had been pre-staged in another OU.
As shown in the figure, I have placed the cluster computer nodes under a separate OU as planned.
However, when installing a cluster, WSFC 2008 still places the CNO and VCO in the default Computers container.
Because every object in the default Computers container has the right to create computer objects, the CNO and VCO objects can be created normally as long as the account that creates the cluster has permission on Computers to create computer objects and read all properties. Even if the CNO has been moved to a different OU, the VCO will still be created in the default Computers container.
Therefore, in the WSFC 2008 era the network name failing to come online was basically not a problem. When it does occur, it usually means that the CNO or VCO object could not be created in AD because of insufficient permissions.
Why is this error encountered so often from WSFC 2012 onward? The answer is that the rule for where CNO objects are created has changed.
The two most critical points:
1. Starting with WSFC 2012, the CNO object is created under the same OU as the cluster node computer objects.
2. VCO objects follow the CNO and are created under the same OU.
What is the impact of the rule change? The upside is that it helps standardize AD computer objects; the downside is that it brings additional permission-granting work.
Imagine that in WSFC 2012 we moved the cluster node computer objects to a new OU. The cluster CNO would also be created in that OU.
The CNO is created by the cluster installation account, so make sure that account has permission to create computer objects and read all properties on the OU where the nodes are located, or simply add it to the Domain Admins group.
After the CNO is created, we run the cluster application, which needs a VCO. The CNO is responsible for creating and maintaining the VCO, but because this is not the default Computers container, the CNO has no permission on the OU where the nodes reside. VCO creation therefore fails, and the cluster shows that the network name cannot come online.
The error appears as follows
The solution is to grant the CNO computer object permission to create computer objects and read all properties on the separately planned cluster OU. This applies whether it is a planned new installation or the cluster was installed first and the CNO object and cluster computer objects were then moved to another OU. Apply the permission on the OU where the CNO object currently resides.
After the permission is granted, start the cluster role again. The problem is solved and the cluster application comes online normally.
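The permission check and grant described above can be scripted. The following is an added example, not code from the original article: it assumes a CNO named `CLUSTER01`, a cluster OU `OU=Clusters,DC=contoso,DC=com`, and the RSAT ActiveDirectory module, and it delegates only the two rights on that OU instead of using a privileged group.

```powershell
# Added example: check, then delegate, the CNO's rights on the cluster OU.
# Assumed names (not from the article): CNO "CLUSTER01" and the OU DN below.
Import-Module ActiveDirectory   # provides Get-ADComputer and the AD: drive

$CnoName       = 'CLUSTER01'
$ClusterOu     = 'OU=Clusters,DC=contoso,DC=com'
$ComputerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "computer"

$sidType = [System.Security.Principal.SecurityIdentifier]
$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

$cnoSid = (Get-ADComputer -Identity $CnoName).SID
$path   = "AD:\$ClusterOu"
$acl    = Get-Acl -Path $path

# Explicit and inherited allow ACEs that name the CNO itself (identities as SIDs).
# Rights the CNO holds only through group membership are not evaluated here.
$cnoAces = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
    $_.IdentityReference.Value -eq $cnoSid.Value -and $_.AccessControlType -eq $allow
}
# An empty ObjectType GUID means the ACE covers all child classes / all properties.
$canCreate = [bool]($cnoAces | Where-Object {
    ($_.ActiveDirectoryRights -band $rights::CreateChild) -and
    ($_.ObjectType -eq $ComputerClass -or $_.ObjectType -eq [Guid]::Empty)
})
$canRead = [bool]($cnoAces | Where-Object {
    ($_.ActiveDirectoryRights -band $rights::ReadProperty) -and
    $_.ObjectType -eq [Guid]::Empty
})
"CreateChild(computer): $canCreate  ReadProperty(all): $canRead"

# Add only the missing ACEs, then write the ACL back once.
if (-not $canCreate) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $cnoSid, $rights::CreateChild, $allow, $ComputerClass, $inherit))
}
if (-not $canRead) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $cnoSid, $rights::ReadProperty, $allow, $inherit))
}
if (-not ($canCreate -and $canRead)) { Set-Acl -Path $path -AclObject $acl }
```

Run it with an account that can modify the OU's ACL, then start the cluster role again as described above.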
To avoid this problem, there are two solutions:
1. Skip OU planning and leave the cluster node computers in the default Computers container, so that the CNO and VCO can come online without granting the CNO any extra permissions.
2. In general an enterprise has many computer objects, and keeping them all in the default Computers container is untidy and hard to manage, so Lao Wang suggests creating a separate OU for the cluster nodes. It is also a good thing that the CNO and VCO objects are created in the associated node OU; the only extra step is that the CNO object must be granted permission on the OU separately when installing a cluster role. If there are many clusters under the OU, Lao Wang suggests creating a group for CNO computer objects, automatically adding every newly installed cluster's CNO object to the group, and granting the permissions to that group per OU, so that the permissions are already in place whenever you create an application.
Another problem is the cluster name resource failing to register in DNS: The cluster network name resource 'SQL Network Name (VirutalClusterName)' failed to register one or more associated DNS names for the following reasons
This problem occurs because the CNO object has no permission on the DNS server. The CNO object is responsible for maintaining VCO computer objects and DNS records, so the VCO's DNS record is also registered and created in DNS by the CNO object. When this error occurs, it means the CNO object has no permission on the DNS zone.
You can manually grant the CNO permission on the DNS zone so that it can create records. After adding the permission, take the cluster role offline and bring it online again, and the problem is solved.
Tip: in WSFC, deleting a cluster role leaves its VCO object disabled, and destroying the cluster leaves the CNO object disabled. If you have planned a cluster OU and see disabled CNO and VCO objects in it, you know they belong to cluster roles or clusters that have been deleted, and they can be deleted directly. By default, destroying the cluster through the GUI leaves the CNO object disabled. If you destroy it with the command `Remove-Cluster -CleanupAD`, the CNO is deleted as part of the destruction process.