Unable to Change Share Permissions on a File Share Cluster Resource

I ran into a weird issue the other day when configuring permissions on a Share that was clustered.  I couldn’t find much online about this, and the one similar issue from Russ was not the issue here.

Here is a little background info to help set the stage.  An admin changes the permission on the Shared Folder (not the File Share Cluster Resource) that is clustered from Read to Full Control.  This works when connecting to the node explicitly but not with the cluster name.  So he fails over the resource to the other node and notices that the permissions had reset to Read.  This is where I get called in.  I’m thinking this is going to be a very easy 30 second fix (which it ended up being…but more on that later).  I had the admin explain to me what process was followed to change the permission.  Right away I knew that changing the permission on the Shared Folder and not the File Share resource was an issue. 

I went into Cluster Administrator (cluadmin.msc) and went to alter the permissions from Read to Full Control for the group in question and I was presented with the following error:

An error occurred validating the cluster security descriptor
The RPC server is unavailable
Error ID -2147023174 (800706ba)

As most of you know, this is a very generic error.  In fact, if there is one error I can’t stand from Microsoft it is “The RPC server is unavailable” error.  After doing some research and testing we found that we couldn’t even add a new Security Principal to the permissions of this cluster.  It mentioned that the Computer was not part of the domain.  In hindsight I wish I had gotten the entire error for you, but I forgot to grab the screen cap for that one.  The name it was referencing was the clustered name.  Well, the cluster name is not going to have an Active Directory account, so I went to check in DNS and sure enough there was no record for this cluster name in DNS.  After adding the record into DNS we were able to immediately change the permission.

There I go again assuming things were set up correctly initially.  I really need to break that wall down and start from the very beginning when I’m troubleshooting.  Ah the things we take for granted when looking at a problem.
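The DNS check that resolved this issue can be run across every clustered name at once; the following is an added example, not part of the original post. It assumes the FailoverClusters and DnsClient PowerShell modules (Windows Server 2012 or later, newer than the Cluster Administrator tool used above), and `Test-ClusterNameDns` is a hypothetical helper name.

```powershell
# Added example: assumes the FailoverClusters and DnsClient modules
# (Windows Server 2012 or later). Test-ClusterNameDns is a hypothetical name.
Import-Module FailoverClusters

function Test-ClusterNameDns {
    param(
        # Cluster to inspect; '.' means the local cluster.
        [string]$Cluster = '.'
    )

    # Every clustered name (the cluster itself and each virtual server)
    # is a resource of type "Network Name".
    $nameResources = Get-ClusterResource -Cluster $Cluster |
        Where-Object { $_.ResourceType.Name -eq 'Network Name' }

    foreach ($res in $nameResources) {
        # DnsName is the host name the resource is expected to have in DNS.
        $dnsName   = ($res | Get-ClusterParameter -Name DnsName).Value
        $addresses = @()
        $status    = 'OK'
        try {
            # -DnsOnly skips LLMNR and NetBIOS, so a missing DNS record
            # is not masked by another name-resolution method.
            $addresses = @(Resolve-DnsName -Name $dnsName -Type A -DnsOnly -ErrorAction Stop |
                Where-Object { $_.IPAddress } |
                ForEach-Object { $_.IPAddress })
            if ($addresses.Count -eq 0) { $status = 'NO A RECORD' }
        }
        catch {
            # The lookup failed outright: the condition described in the post.
            $status = 'NOT IN DNS'
        }

        [pscustomobject]@{
            Resource  = $res.Name
            Group     = $res.OwnerGroup
            State     = $res.State
            DnsName   = $dnsName
            Addresses = $addresses -join ', '
            Status    = $status
        }
    }
}

Test-ClusterNameDns | Format-Table -AutoSize
```

Any row whose Status is not `OK` is a clustered name that clients and management tools cannot locate through DNS.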

2 Comments

  1. Jeffery Land says:

    That’s something I’m still trying to train myself from as well. Walking into a new environment and just assuming that everything had been set up properly to begin with. Second thing I’m trying to train myself on is to be more swift to check DNS. I find the majority of directory related problems stemming from DNS. Yet I’m always finding myself wandering down too many dead ends before getting to that part. Guess it is all just part of the learning curve!

  2. BrianM says:

    You are so right about checking DNS first. I had two separate incidents this week that were issues because of something in DNS. I do have to say that both times I knew right where to go which isn’t always the case. 🙂
