After installing service pack 2 for Windows 2003, push install of Backup Exec Remote agent to the Physical node of a Cluster may fail with the error "Either a required impersonation level was not provided, or the provided impersonation level is invalid."
| Article:TECH55866 | | | Created: 2007-01-01 | | | Updated: 2012-01-23 | | | Article URL http://www.symantec.com/docs/TECH55866 |
Problem
After installing service pack 2 for Windows 2003, push install of Backup Exec Remote agent to the Physical node of a Cluster may fail with the error "Either a required impersonation level was not provided, or the provided impersonation level is invalid."
Error
Attempting to connect to server \\Server Name failed with the following error: Either a required impersonation level was not provided, or the provided impersonation level is invalid.
Solution
Attempt to push install Backup Exec Remote Agent to the Physical node of a Windows Cluster setup may fail with the error message shown in Figure 1 below after Windows 2003 is patched up with Service Pack 2.
Figure 1.
Details:
Service Pack 2 for Windows 2003 modifies various permissions and rights.
It all seems to work fine unless this is on a cluster server.
The reason is because domain controllers do not have local NT Authority accounts.
The permissions get changed to NT Authority\Local in various areas.
Here are the issues experienced because of that:
Figure 1.
Details:
Service Pack 2 for Windows 2003 modifies various permissions and rights.
It all seems to work fine unless this is on a cluster server.
The reason is because domain controllers do not have local NT Authority accounts.
The permissions get changed to NT Authority\Local in various areas.
Here are the issues experienced because of that:
- The RPC service gets changed to NT Authority\Local. It starts and everything appears fine but when the Network Connections service tries to start it fails as if there are no network cards.
- Once you change the RPC service to Local System Account for logon the Network Connections work again.
- Mainly in Backup Exec selections, we would not be able to see the disks/drives on the cluster but only the shares which cannot be selected as they are grayed out.
To resolve the error:
1. Give the backup exec account rights to "Impersonate a client after authentication" policy.
2. If the issue still persists, install remote agent manually on the physical nodes of the cluster.
3. Reboot the servers.
Details : (Windows Server 2003/Windows Server 2000 SP4)
Note: If we change the account that is used to start the Cluster service, we must use Computer Management for Windows Server 2003 to change the account information on each node in the cluster.
To do this, follow these steps:
- Start Computer Management for Windows Server 2003, expand the Services and Applications branch, and then click the Services branch.
- In the right pane, double-click Cluster Service. Select the Log On tab, and then update the account information.
To function correctly in Microsoft Windows Server 2003, the Cluster service account explicitly requires the following rights for all nodes in the cluster:
- Act as part of the operating system ( Only For Windows Server 2000 )
- Adjust memory quotas for a process
- Back up files and directories
- Increase scheduling priorities
- Log on as a service
- Restore files and directories
Also, make sure that the Local Administrator Group has access to the following user rights:
- Debug programs
- Impersonate a client after authentication
- Manage auditing and security log
We can grant these rights in the following locations:
Local Security Policy\Security Settings\Local Policies\User Rights Assignment
Note: If we create a Group Policy setting to update the Impersonate a client after authentication rights policy setting, we need to make sure that the Cluster service account is listed in the policy setting in addition to the Local Administrators group and the account that is called SERVICE. If the Cluster service account is not listed, the computer may no longer have access to Windows Management Instrumentation (WMI). By default, these accounts are listed in the Impersonate a client after authentication rights policy. However, if we create a Group Policy setting without adding the Cluster service account, the local policy setting is overwritten, and WMI access fails.
|
|
Related Articles
Legacy ID
294580
Article URL http://www.symantec.com/docs/TECH55866
Terms of use for this information are found in Legal Notices
Thank you.