As you know, a Windows Server 2008 failover cluster no longer needs a domain cluster service account; the Cluster service runs as the local SYSTEM account and uses the cluster's own computer account for anything it has to do in Active Directory. This is nice, but it was also the reason why I could not install MS DTC (Distributed Transaction Coordinator) on a Windows 2008 cluster. Below you can find the solution.
First things first: read the Description of the failover cluster security model in Windows Server 2008. It is a short, generic description that helps to understand the idea.
The MS DTC resource depends on a disk (volume) resource and a network name resource; the network name in turn depends on an IP address resource. You enter all of this during the MS DTC installation. It installs without any bad sign in the installation log, but afterwards the network name resource fails to come online. The reason is in the System event log:
Cluster network name resource ‘CLUSTER01’ failed to create its associated computer object in domain ‘mydomain.net’ for the following reason: Unable to create computer account.
The text for the associated error code is: Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased.
You can create the computer account for the DTC network name before the installation, but that alone does not help: the cluster still has to be able to take the account over, and by default it cannot. When a Windows 2008 cluster creates or modifies a Kerberos-enabled computer account it does so using the computer account associated with the cluster itself (the cluster name object, CNO), not your administrator credentials. The CNO is an ordinary domain computer account, so the limit in the error message is the domain-wide quota on computer objects a non-administrative account may create (ms-DS-MachineAccountQuota, 10 by default). You can either grant the CNO the right to create computer objects in the OU where the cluster lives, or, as I did, pre-stage the account and hand it to the CNO. So, the resolution is:
- Delete MS DTC from the cluster
- Create a domain computer account for MS DTC
- Create a DNS record for this account
- Grant the cluster computer account (the CNO) Full Control on this MS DTC computer account
- Install MS DTC from scratch
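The three pre-staging steps (computer account, DNS record, Full Control for the CNO) as a script. This is an added example, not part of the original post. The DTC name CLUSTER01 comes from the event log above; the cluster name object MYCLUSTER, the OU, the IP address and the DNS server are assumptions to replace with your own values. It needs the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later, or a management workstation); dsacls.exe and dnscmd.exe ship with the operating system.

```powershell
# Added example: pre-stage the MS DTC virtual computer object so the cluster's own
# computer account (CNO) can bring the DTC network name online instead of trying to
# create the object itself and hitting the machine account quota.
# Run as a domain account that may create computer objects in $TargetOu and edit the DNS zone.
Import-Module ActiveDirectory

$Domain    = 'mydomain.net'                      # domain from the event log
$DtcName   = 'CLUSTER01'                         # DTC network name from the event log
$Cno       = 'MYCLUSTER'                         # ASSUMED: cluster name object (cluster computer account)
$TargetOu  = 'OU=Clusters,DC=mydomain,DC=net'    # ASSUMED: OU the cluster lives in
$DtcIp     = '10.0.0.50'                         # ASSUMED: IP address resource of the DTC group
$DnsServer = 'DC01.mydomain.net'                 # ASSUMED: DNS server hosting the zone

# 1. Create the computer object the cluster will claim. Leave it disabled: the cluster
#    enables it and sets its own password when the network name resource comes online.
New-ADComputer -Name $DtcName -SamAccountName $DtcName -Path $TargetOu -Enabled $false `
    -Description "Pre-staged computer object for clustered MS DTC on $Cno"
$DtcDn = (Get-ADComputer -Identity $DtcName).DistinguishedName

# 2. Grant the CNO Full Control (dsacls GA = generic all) on this one object only.
#    dsacls wants the trustee as DOMAIN\name$; the trailing $ marks a computer account.
$NetBios = (Get-ADDomain -Identity $Domain).NetBIOSName
dsacls.exe $DtcDn /G "$NetBios\$Cno`$:GA"
if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }

# 3. Register the host (A) record for the DTC name in the domain zone.
dnscmd.exe $DnsServer /RecordAdd $Domain $DtcName A $DtcIp
if ($LASTEXITCODE -ne 0) { throw "dnscmd failed with exit code $LASTEXITCODE" }

# 4. Verify before reinstalling MS DTC: the CNO must show GenericAll on the new object.
$acl = Get-Acl -Path "AD:\$DtcDn"
$acl.Access |
    Where-Object { $_.IdentityReference -like "*\$Cno`$" } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType -AutoSize
```

Once the verification step lists the CNO with GenericAll and the name resolves, install MS DTC in the cluster again using exactly that network name; the cluster will find the existing object and update it rather than create a new one.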
Also, as this article says, there can be a problem with a security feature called the loopback check, present since Windows Server 2003 SP1. It rejects NTLM authentication when a process on the server connects back to the same machine using a host name that is neither the machine's own NetBIOS name nor an IP address. This is exactly the case for a clustered MS DTC, which is reached under its own network name rather than the node's. Setting DisableLoopbackCheck turns the protection off for every name on the server; the narrower alternative is to list only the cluster and DTC names in the BackConnectionHostNames multi-string value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0. To turn the feature off completely:
- Open RegEdit
- Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Create a DWORD value, named DisableLoopbackCheck
- Assign 1 to this value
- Restart the server
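The registry change from the list above as a script, with the allow-list alternative next to it so you can pick one. This is an added example, not code from the original post; the DTC names CLUSTER01 and CLUSTER01.mydomain.net are taken from the event log, and the choice of option is a variable you set. Run it from an elevated PowerShell prompt on each cluster node.

```powershell
# Added example: either disable the NTLM loopback check globally (what the post does)
# or, preferably, allow-list just the names the clustered DTC is reached by.
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Key  = Join-Path $LsaKey 'MSV1_0'
$DtcNames = @('CLUSTER01', 'CLUSTER01.mydomain.net')   # names from the event log; add others you use locally

$UseAllowList = $true   # $true: keep the check, allow-list $DtcNames; $false: switch the check off entirely

if ($UseAllowList) {
    # BackConnectionHostNames is a REG_MULTI_SZ. Merge with whatever is already there so
    # names added earlier for other products (SharePoint, IIS aliases) are not lost.
    if (-not (Test-Path $Msv1Key)) { New-Item -Path $Msv1Key -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $Msv1Key -Name BackConnectionHostNames `
                    -ErrorAction SilentlyContinue).BackConnectionHostNames
    $merged = @($existing + $DtcNames | Where-Object { $_ } | Sort-Object -Unique)
    New-ItemProperty -Path $Msv1Key -Name BackConnectionHostNames -PropertyType MultiString `
        -Value $merged -Force | Out-Null
    # Make sure the blunt switch is not also set, otherwise the allow-list is meaningless.
    Remove-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
} else {
    # DWORD DisableLoopbackCheck = 1: NTLM reflection to any local name is accepted.
    New-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck -PropertyType DWord -Value 1 -Force | Out-Null
}

# Show the resulting values so the change can be audited before the node is restarted.
Get-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue |
    Select-Object DisableLoopbackCheck
Get-ItemProperty -Path $Msv1Key -Name BackConnectionHostNames -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty BackConnectionHostNames

Write-Host 'Restart the server for the change to take effect.'
```

Whichever option you choose, apply it on every node, since the DTC group can fail over to any of them, and restart the node afterwards as the post says.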