SQL Availability Group Listener creation fails - dns

I'm having trouble creating an availability group listener for my newly created SQL 2012 Enterprise AG.
My AG resides on two virtual machines on top of Server 2012 Datacentre with the Hyper-V role. The VMs are part of my domain, and in a WSFC. Each VM has 4 subnets:
(a) 172.33.0.x for management
(b) 172.33.1.x for iSCSI communication
(c) 172.33.2.x for iSCSI communication
(d) 172.33.5.x for inter-VM communication
Only (a) and (d) are set in my cluster to allow cluster communication, and allow client connections.
Whenever I try to create a listener with this query
USE [master]
GO
ALTER AVAILABILITY GROUP [Sharepoint-System-DB-AvailabilityGroup]
ADD LISTENER N'SQL-SHP-AG01-L1' (
WITH IP
((N'172.33.5.203', N'255.255.255.0'),(N'172.33.0.203', N'255.255.255.0'))
, PORT=1433);
GO
I get this error :
Msg 19471, Level 16, State 0, Line 1
The WSFC cluster could not bring the Network Name resource with DNS name 'SQL-SHP-AG01-L1' online. The DNS name may have been taken or have a conflict with existing name services, or the WSFC cluster service may not be running or may be inaccessible. Use a different DNS name to resolve name conflicts, or check the WSFC cluster log for more information.
Msg 19476, Level 16, State 4, Line 1
The attempt to create the network name and IP address for the listener failed. The WSFC service may not be running or may be inaccessible in its current state, or the values provided for the network name and IP address may be incorrect. Check the state of the WSFC cluster and validate the network name and IP address with the network administrator.
I've tried :
Some online posts suggest I try and pre-stage the creation of the computer object in AD, which I did, same error
Set security settings on the Computer OU to allow the computers running the AG to create computer objects, same error
I have another cluster setup (for another AG), that also generates the same error
Something that might be related is, I regularly get one of the following errors on the owner node of the cluster :
Cluster network name resource 'Cluster Name' failed registration of one or more associated DNS name(s) for the following reason:
DNS server failure.
For this, I've tried :
Creating the A record manually, setting the "Allow all authenticated users to change this record"
Allowing "Everyone" full access to the DNS A record
Allowing non-secure updates to my domain's DNS records
Also to no avail, which makes me think there's something deeper wrong. Any suggestions?

We had the same problem. Resolution was to grant the computer object associated with the cluster group 'create computer' rights in Active Directory as per this link - http://technet.microsoft.com/en-us/library/cc731002%28WS.10%29.aspx#BKMK_steps_precreating
It's the cluster group computer object that needs these permissions.

Open Active Directory Users and Computers, grant permission to the Cluster Name Object (CNO) in which the Availability Group will be created. Two permissions that need to be granted are:
"Read all properties" and "Create computer objects" to the CNO via the container. More details can be found in the following blog
http://blogs.msdn.com/b/psssql/archive/2013/09/30/error-during-installation-of-an-sql-server-failover-cluster-instance.aspx
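
The permission check described in the two answers above, as an added example that is not part of the original posts: a PowerShell audit of whether the CNO holds "Create computer objects" and "Read all properties" on the OU. The OU distinguished name and the CNO account name are placeholders, and the script assumes the ActiveDirectory module (RSAT) is installed.

```powershell
# Added example (not from the original posts). Placeholders: $OuDn, $CnoAccount.
Import-Module ActiveDirectory                      # provides the AD: drive
Add-Type -AssemblyName System.DirectoryServices    # ActiveDirectoryRights enum

$OuDn       = 'OU=Clusters,DC=example,DC=local'    # placeholder: OU that will hold the listener object
$CnoAccount = 'EXAMPLE\SQLCLUSTER01$'              # placeholder: cluster name object, trailing $ required

$Rights        = [System.DirectoryServices.ActiveDirectoryRights]
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the computer class
$AnyObject     = [guid]::Empty                                   # ACE not scoped to one class or property

# Allow ACEs (explicit and inherited) that name the CNO directly.
# Rights the CNO receives through group membership are not resolved here.
$aces = @((Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $CnoAccount
})

# True when the ACE carries the requested right and applies to one of the given scopes.
function Test-Right($Ace, $Right, [guid[]]$Scopes) {
    (($Ace.ActiveDirectoryRights -band $Right) -eq $Right) -and ($Scopes -contains $Ace.ObjectType)
}

$canCreate = @($aces | Where-Object { Test-Right $_ ($Rights::CreateChild)  @($ComputerClass, $AnyObject) })
$canRead   = @($aces | Where-Object { Test-Right $_ ($Rights::ReadProperty) @($AnyObject) })
$fullCtrl  = @($aces | Where-Object { Test-Right $_ ($Rights::GenericAll)   @($AnyObject) })

[pscustomobject]@{
    OU                    = $OuDn
    Account               = $CnoAccount
    CreateComputerObjects = $canCreate.Count -gt 0
    ReadAllProperties     = $canRead.Count -gt 0
    FullControl           = $fullCtrl.Count -gt 0   # broader than the listener needs
}
```

A result with both rights set to False matches the cause given in the answers above; FullControl set to True means the CNO holds more on that OU than the two rights they name.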

An additional issue we had was having - versus _ in the name of the AOAG and listener. Once we recreated the AOAG using the underscore we were able to create the listener using an underscore also.

In our case, all the AD permissions were already in place - and yet it was failing to create the Listener with the same error message. In the end, we found that stopping and starting the Cluster Service on both of the Nodes (using cluadmin.msc) somehow rectified the problem and the Listener got created successfully.

Related

Azure WVD Hostpool - Virtual Network displaying "None available"

I keep encountering an irritating blocker when attempting to create a Host Pool for my project's Windows Virtual Desktop (WVD) in Azure and I'm at my wits' end figuring out what could be causing this issue.
My existing resource group contains the following resources (all fully setup and configured):
A VNet
Security Group
Key Vault
All of the above resources can be confirmed via the Portal, Azure PowerShell and Az CLI.
However, when attempting to create the Host Pool for the WVD which is the next resource we're seeking to provision manually through the Portal, I get prompted to Add virtual machines and upon selecting the option to add a virtual machine, I'm prompted to complete the Network and security configuration. However, the Virtual network dropdown isn't populated with any list, rather showing as "None available".
The Virtual Network definitely exists and I can't understand why the dropdown list continues to be empty. I've deleted and recreated the entire resource group on a number of occasions but all to no avail. Any advice or suggestions on how to get past this issue would be much appreciated.
Thank you for updating your solution. I faced the exact same problem, followed your guidance, and found that my VNET is in a different region vs. the host pool.
Originally I could not find the drop-down item in the virtual network either; my workaround was to create a VNET in the same region as the host pool, and now I can select it.
Managed to establish what the issue was. It was the selected "Virtual machine location" value that was not allowing me to see the target VNet in the "Virtual network" dropdown list.
By default, Azure was populating the Virtual machine location field with the name of a region where my VNets didn't exist. Once I'd spotted this and switched it to the correct Region, the Virtual network dropdown list further below was populated as expected.

Dcpromo failed - Ownership of FSMO role is set to a server which is deleted or does not exist

I am attempting to use dcpromo on a Windows 2008 R2 server. The command produces a warning and an error in the event log. Below are the print outs of those entries:
-Warning-
Ownership of the following FSMO role is set to a server which is deleted or does not exist.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: CN=Infrastructure,DC=DomainDnsZones,DC=XXX,DC=XXXX
FSMO Server DN: CN=NTDS Settings\0ADEL:xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,CN=XXX-PDC01\0ADEL:xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=XXXX
User Action:
Determine which server should hold the role in question.
Configuration view may be out of date. If the server in question has been promoted recently, verify that the Configuration partition has replicated from the new server recently. If the server in question has been demoted recently and the role transferred, verify that this server has replicated the partition (containing the latest role ownership) lately.
Determine whether the role is set properly on the FSMO role holder server. If the role is not set, utilize NTDSUTIL.EXE to transfer or seize the role. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
Verify that replication of the FSMO partition between the FSMO role holder server and this server is occurring successfully.
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.
-Error-
The operations master roles held by this directory server could not transfer to the following remote directory server.
Remote directory server:
\XXX-AWSDC2.CSI.local
This is preventing removal of this directory server.
User Action
Investigate why the remote directory server might be unable to accept the operations master roles, or manually transfer all the roles that are held by this directory server to the remote directory server. Then, try to remove this directory server again.
Additional Data
Error value:
5005 The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.
Extended error value:
0
Internal ID:
52498782
The following roles have been successfully transferred to the XXX-awsdc2 server
Schema master
Domain naming master
PDC
RID pool manager
Infrastructure master
How do I remove the CN=CSI-PDC01 object using ADSI? It looks like the XXX-PDC01 held the FSMO Server role at one point and then was removed from the domain without being demoted properly. I've been unable to find any reference to the XXX-PDC01 server anywhere in the DNS, AD or ADSI.
I've also attempted to delete all the AD metadata. As a last resort, I could always use the dcpromo /forceremoval command but I'd prefer to work through the error and demote this domain controller using the dcpromo command without the forceremoval flag.
Thanks!

Azure site Recovery on premise to on premise (offline initial replication)

I have 2 sites. Each site has one SCVMM configured to do Azure Site Recovery.
ASR is configured to replicate the VM from one site to another.
Here is the issue: my VM size is big and I want to do the initial replication offline instead of over the network, and it is just not allowing me, citing permission issues.
Can anyone help me find what could be going wrong here?
ERROR MESSAGE
Permissions couldn't be set for one or more hosts on the initial replication folder path.
Provider error code: 31218
Provider error message:
The VMM service couldn't provide permissions for cs\nimblecs1$ on \\nimblecs1\f$. Error: Object reference not set to an instance of an object.. During cloud configuration, the VMM service provides permissions for Hyper-V service accounts on the import and export paths used for initial replication.
Provider error possible causes:
The VMM service doesn't have the required privileges to modify the permissions on the import and export paths.
Provider error recommended action:
Ensure that the VMM service account has the required privileges to perform this operation.
POSSIBLE CAUSES
Verify that the initial replication path exists and is accessible.

Azure, creating a new virtual machine, it needs to allow choosing the NetworkInterface

When creating a new Virtual Machine in Azure, in Resource Manager mode of course, it allows you to configure plenty of new/existing parameters:
Storage account
Virtual Network
Public IP Address
Network security group
Diagnostic Storage Account
and so on ...
But not the Network Interface; it then creates a random one with a name like MyVMname666 or any other 3-digit random number.
Just: WHY?
Why not allow the user to configure it manually, or choose between existing ones?
I can raise a new environment with all perfectly defined resource names, except the Network interface ;-(
You can use PowerShell and/or CLI to achieve that, but this is not the place to raise this question. There's the feedback portal for ideas like that.
As for the PowerShell, here's the way to do that.

AWS Elastic BeanStalk Security Group

I am trying to create a Worker Environment on EBS with the Sample Application of Node.js, which should use an existing Security group on the VPC.
I create this environment inside VPC (Virtual Private Cloud).
When I create this environment, I keep following configuration for VPC.
The Security Group which is selected here already exists.
In the next screen, I also select an instance profile and service role which also exist.
When I create the Environment with this setting, it does create the Environment fine, but it always creates a new Security group instead of using the existing security group.
Why does it always create a new Security group and not use the existing one?
I want to reuse the Security group and not create a separate one for each worker environment.
I'd appreciate it if someone can guide me in the right direction.
Thanks in advance.
Beanstalk uses the security group you asked for, but on creation it also creates a unique one for that configuration. If you launch your instance it will be in the security group as expected.
Instead of stopping it from being created, I was able to modify its rules so that it allows port 22 access only from my private security group.
Namespace: aws:autoscaling:launchconfiguration
OptionName: SSHSourceRestriction
Value: tcp, 22, 22, my-private-security-group
Visit : https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html#SSHSourceRestriction
