CreateCluster() failed with 0x5 adding members to DAG in Exchange 2013
UPDATE: While TechNet article “Create a Database Availability Group” only mentions Windows 2008 R2 domain controllers, I must thank Scott Schnoll for the following clarification: “Creating an Exchange 2013 DAG with Mailbox servers on Windows Server 2012? You must pre-stage CNO before adding first server!”. TechNet documentation will be updated to reflect the same I assume.
If you are in IT long enough, you know the fact that nothing will every work without throwing an issue or two you have to solve. Especially if you are dealing with recently released software such as Exchange 2013.
In my lab, I had installed all Exchange servers I needed in different sites. All my domain controllers and Exchange servers are running Windows Server 2012. Since I am not testing co-existence, it is a green field deployment.
Since everything so far was working as expected, I proceeded with creation of DAG. From EAC, creating DAG itself worked with no issues. I then went ahead and added first mailbox server to DAG. this step, however, refused to complete with error:
A server-side database availability group administrative operation failed. Error The operation failed. CreateCluster errors may result from incorrectly configured static addresses. Error: An error occurred while attempting a cluster operation. Error: Cluster API ‘”CreateCluster() failed with 0x5. Error: Access is denied”‘ failed.. [Server: MBX1.fabrikam.int]
Looking at CNO, I noticed Exchange Trusted Subsystem had special permissions assigned and not “Full Control” on CNO that the process created automatically.
Assigning “Full Control” to Exchange Trusted Subsystem on CNO, I assumed should fix the issue, however, it actually produced a completely different error when I tried to add the mailbox server to DAG again:
An Active Manager operation failed with a transient error. Please retry the operation. Error: The fully qualified domain name for node ‘DAG1’ could not be found.
I also noticed mailbox server account with similar permissions and not “Full Control” on the object.
From reading TechNet forums I knew a solution existed where you can just delete DAG CNO and pre-stage it as described in TechNet article: Pre-Stage the Cluster Network Object for a Database Availability Group.
I was able to fix the issue using one of the following two methods:
- Disable CNO, assign “Full Control” to ETS on the DAG object and remove mailbox server from permissions list on CNO. Add mailbox server to DAG.
- Delete CNO from AD and pre-stage CNO using process described in the article mentioned above. Add mailbox server to DAG.
I am not sure if it is a bug or known issue with Server 2012 domain controllers. It remains to be seen as more guidance become available from Microsoft.
If you are wondering why the last lines above are striked out, please read the update at the top of the page for explanation.