We have just set up a new Hyper-V cluster based on 2012 R2 in a completely new AD Domain. We have two physical hosts (nodes) running 2012 R2 (domain members). A 2008 R2 (Swedish version) DC running on a physical machine. A virtual DC running on the cluster (2008 R2 English version). We have also set up two virtual member servers running 2012 R2 Swedish version. One of them a WSUS server. Everything was at this point working flawlessly.
Later we did two things: enabling CAU and adding a custom security group to the “Allow logon through Terminal Services” setting in Default Domain Policy.
Symptom 1 – Unable to RDP to DC:s:
Next, no one (not even Domain Admins) was able to log on remotely. We removed the group from the GPO setting (hence back to its original setting – unset). We verified using rsop on all servers that the change back had taken effect. However, we (Domain Admins) could still not RDP to the DC:s, only to member servers.
Symptom 2 – Differences in firewall policies.
Next, we added two virtual member servers and added them to the domain. First thing we noticed was that we were not able to ping those new servers because the Windows firewall did not allow ping. Further investigation showed that the new servers had in general a lot fewer active firewall exceptions compared to other member servers, although they are in the same OU, have the same GPO:s and we have not done any manual configuration of firewall rules. Why is there a difference in active firewall exceptions?
Symptom 3 – Weird CAU log entries in cluster log.
See log entries further down. The CAU role “CAUcorp-qhc” is not visible under “Roles” in Cluster Manager but a computer object is created in Active Directory.
-----logs---
Cluster network name resource 'corp-wsus' failed to create its associated computer object in domain 'domain.se' for the following reason: Resource online.
Cluster resource 'corp-wsus' of type 'Distributed Network Name' in clustered role 'CAUcorp-qhc' failed.
Cluster network name resource 'corp-wsus' failed to create its associated computer object in domain 'domain.se' for the following reason: Resource online.
Cluster resource 'corp-wsus' of type 'Distributed Network Name' in clustered role 'CAUcorp-qhc' failed.
Clustered role 'CAUcorp-qhc' has exceeded its failover threshold. It has exhausted the configured number of failover attempts within the failover period of time allotted to it and will be left in a failed state.