Add TSG for Test-Cluster administrative privileges failure during dep… #271
base: main
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| # Test-Cluster Administrative Privileges Failure During Deployment | ||
|
|
||
| <table border="1" cellpadding="6" cellspacing="0" style="border-collapse:collapse; margin-bottom:1em;"> | ||
| <tr><th style="text-align:left; width: 180px;">Component</th><td><strong>EnvironmentValidator - ValidateCluster</strong></td></tr> | ||
| <tr><th style="text-align:left; width: 180px;">Severity</th><td><strong>Critical - blocks deployment</strong></td></tr> | ||
| <tr><th style="text-align:left;">Applicable Scenarios</th><td><strong>Deployment</strong></td></tr> | ||
| </table> | ||
|
|
||
| ## Overview | ||
|
|
||
| During deployment, cluster validation may fail with an "administrative privileges" error when running `Test-Cluster` against one or more nodes. Despite the error message, this is not a permissions problem. The affected nodes were not properly rebooted after joining the domain, leaving their authentication in an incomplete state. | ||
|
|
||
| ## Symptoms | ||
|
|
||
| The deployment fails during cluster validation with one of these error messages: | ||
|
|
||
| ``` | ||
| Failed to execute Test-Cluster: You do not have administrative privileges on the server <NodeName> | ||
| ``` | ||
|
|
||
| ``` | ||
| Access is denied | ||
| ``` | ||
|
|
||
| ``` | ||
| An error occurred opening cluster <NodeName> | ||
| ``` | ||
|
|
||
| ## Root Cause | ||
|
|
||
| During the domain join phase of deployment, nodes must be rebooted for their Kerberos credentials to be fully registered in Active Directory. In some deployments, one or more nodes are not rebooted after domain join. When cluster validation later runs `Test-Cluster`, it cannot authenticate to those nodes using Kerberos, producing the "administrative privileges" error. | ||
|
|
||
| ## Resolution | ||
|
|
||
| ### Step 1: Reboot the affected node(s) | ||
|
|
||
| Reboot each node mentioned in the error message: | ||
|
|
||
| ```powershell | ||
| Restart-Computer -ComputerName <FailingNodeName> -Force | ||
|
||
| ``` | ||
|
|
||
| Wait 2-3 minutes for the reboot to complete. | ||
|
|
||
| ### Step 2: Confirm the reboot resolved the issue | ||
|
|
||
| From another node, verify you can connect to the rebooted node: | ||
|
|
||
| ```powershell | ||
| Invoke-Command -ComputerName <FailingNodeName> -ScriptBlock { whoami } | ||
| ``` | ||
|
|
||
|
|
||
| If this returns a username successfully, the issue is resolved. | ||
|
|
||
| ### Step 3: Resume deployment | ||
|
|
||
| Resume the deployment from the Azure portal by navigating to the deployment and selecting **Resume** or **Retry**. | ||
|
|
||
| You can also verify cluster validation manually before resuming: | ||
|
|
||
| ```powershell | ||
| Test-Cluster -Node <Node1>, <Node2> | ||
| ``` | ||
|
|
||
| This should now succeed without "administrative privileges" errors. | ||
|
|
||
| ## Prevention | ||
|
|
||
| This issue is being addressed in an upcoming release. | ||
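Review bot: Step 1's `Restart-Computer -ComputerName <FailingNodeName> -Force` is a remote call that has to authenticate to the very node the Root Cause section says cannot be authenticated to, so it can be refused with the same "Access is denied" the TSG is trying to fix. Add a fallback that tells the reader to sign in on the node itself (console or out-of-band management) and run `Restart-Computer -Force` locally when the remote call is refused. The fixed "Wait 2-3 minutes" could also be replaced by `-Wait -For PowerShell` on the remote call, so that Step 2 only starts once the node is reachable again. Separately, the Overview states this is "not a permissions problem", but the listed symptoms are generic access-denied messages and the document gives no way to confirm the cause before rebooting. A short check that the node has not restarted since it joined the domain, and a pointer to follow if it has, would keep readers from rebooting a node whose failure is a genuine privilege issue.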
What: The metadata table lists component/severity/scenario but omits affected versions (and any known fixed version), while the Prevention section only says “upcoming release”.
Why: Without version scope, readers can’t quickly determine if they’re impacted or whether upgrading would address the issue.
How: Add an “Affected Versions” row (and fixed version if known). If the exact version isn’t known, state the best available scope (e.g., “All versions prior to ” or “Unknown at time of writing”).