From c95f894a2f744715c5a75fe6637954bea7fa601f Mon Sep 17 00:00:00 2001 From: John Erskine Date: Thu, 9 Apr 2026 20:01:30 +0100 Subject: [PATCH] Add TSG for Test-Cluster administrative privileges failure during deployment Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- ...uster-Administrative-Privileges-Failure.md | 69 +++++++++++++++++++ TSG/EnvironmentValidator/README.md | 2 + 2 files changed, 71 insertions(+) create mode 100644 TSG/EnvironmentValidator/Known-Issue-Test-Cluster-Administrative-Privileges-Failure.md diff --git a/TSG/EnvironmentValidator/Known-Issue-Test-Cluster-Administrative-Privileges-Failure.md b/TSG/EnvironmentValidator/Known-Issue-Test-Cluster-Administrative-Privileges-Failure.md new file mode 100644 index 0000000..0c99957 --- /dev/null +++ b/TSG/EnvironmentValidator/Known-Issue-Test-Cluster-Administrative-Privileges-Failure.md @@ -0,0 +1,69 @@ +# Test-Cluster Administrative Privileges Failure During Deployment + + + + + +
ComponentEnvironmentValidator - ValidateCluster
SeverityCritical - blocks deployment
Applicable ScenariosDeployment
+ +## Overview + +During deployment, cluster validation may fail with an "administrative privileges" error when running `Test-Cluster` against one or more nodes. Despite the error message, this is not a permissions problem. The affected nodes were not properly rebooted after joining the domain, leaving their authentication in an incomplete state. + +## Symptoms + +The deployment fails during cluster validation with one of these error messages: + +``` +Failed to execute Test-Cluster: You do not have administrative privileges on the server +``` + +``` +Access is denied +``` + +``` +An error occurred opening cluster +``` + +## Root Cause + +During the domain join phase of deployment, nodes must be rebooted for their Kerberos credentials to be fully registered in Active Directory. In some deployments, one or more nodes are not rebooted after domain join. When cluster validation later runs `Test-Cluster`, it cannot authenticate to those nodes using Kerberos, producing the "administrative privileges" error. + +## Resolution + +### Step 1: Reboot the affected node(s) + +Reboot each node mentioned in the error message: + +```powershell +Restart-Computer -ComputerName -Force +``` + +Wait 2-3 minutes for the reboot to complete. + +### Step 2: Confirm the reboot resolved the issue + +From another node, verify you can connect to the rebooted node: + +```powershell +Invoke-Command -ComputerName -ScriptBlock { whoami } +``` + +If this returns a username successfully, the issue is resolved. + +### Step 3: Resume deployment + +Resume the deployment from the Azure portal by navigating to the deployment and selecting **Resume** or **Retry**. + +You can also verify cluster validation manually before resuming: + +```powershell +Test-Cluster -Node , +``` + +This should now succeed without "administrative privileges" errors. + +## Prevention + +This issue is being addressed in an upcoming release. diff --git a/TSG/EnvironmentValidator/README.md b/TSG/EnvironmentValidator/README.md index e023546..ad46c43 100644 --- a/TSG/EnvironmentValidator/README.md +++ b/TSG/EnvironmentValidator/README.md @@ -13,6 +13,8 @@ This folder contains the TSG's related to Environment Validators. * [Known Issue: WinRM cannot process the configuration request](Known-Issue-WinRM-cannot-process-the-configuration-request.md) * [Known Issue: This module requires Az.Accounts version 5.3.0](Known-Issue-This-module-requires-Az-Accounts-version-5-3-0.md) * [Known Issue: Pre-Update Health Check fails with AllResults property error](Known-Issue-AllResults-property-error-during-Pre-Update-Health-Check.md) +* [Known Issue: Test-Cluster Administrative Privileges Failure During Deployment](Known-Issue-Test-Cluster-Administrative-Privileges-Failure.md) + ## Networking For Network Environment Validator TSGs, see [Networking/README.md](Networking/README.md).