Error Message:
Sometimes after maintenance you will find that the Windows cluster services are up on the nodes; however, when you try to bring the Cluster core resources online, they will not come up, and the Kerberos status says: "When trying to update a password, return status indicates that the value provided as the current password is not correct." The resulting CNO is in a failed state.
In order to resolve this issue:
-> You have to make sure all required firewall ports (inbound and outbound) are open on the Active Directory server.
-> You have to make sure all required firewall ports (inbound and outbound) are open on all corresponding nodes of the cluster.
-> Important ports are:
Service | Protocol | Port |
ICMP | ICMP | |
RDP Endpoint Mapper | TCP | 135 |
RDP Dynamic Assignment | TCP | 6000-6199 |
LDAP | TCP/UDP | 389 |
LDAP over SSL | TCP | 636 |
Global catalog LDAP | TCP | 3268 |
Global catalog LDAP | TCP | 3269 |
SMB over IP(Microsoft-DS) | TCP/UDP | 445 |
Kerberos change/set password | TCP/UDP | 464 |
Kerberos | TCP/UDP | 88 |
DNS | TCP/UDP | 53 |
NTP | TCP/UDP | 123 |
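
One way to check the fixed TCP ports from the table above when run on a cluster node, as an added example that is not part of the original post. The server name `dc01.example.test` and the function `Test-TcpPort` are placeholders introduced here; ICMP, the UDP side of each service, NTP and the 6000-6199 dynamic range are not probed by this TCP connect test.

```powershell
param(
    [string]$DomainController = 'dc01.example.test',   # placeholder: your AD server
    [int]$TimeoutMs = 2000
)

# Fixed TCP ports taken from the table above (NTP is left out: it is served over UDP).
$Ports = @(
    @{ Service = 'Endpoint Mapper';              Port = 135  }
    @{ Service = 'LDAP';                         Port = 389  }
    @{ Service = 'LDAP over SSL';                Port = 636  }
    @{ Service = 'Global catalog LDAP';          Port = 3268 }
    @{ Service = 'Global catalog LDAP (SSL)';    Port = 3269 }
    @{ Service = 'SMB over IP (Microsoft-DS)';   Port = 445  }
    @{ Service = 'Kerberos change/set password'; Port = 464  }
    @{ Service = 'Kerberos';                     Port = 88   }
    @{ Service = 'DNS';                          Port = 53   }
)

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($Target, $Port)
        # Wait() returns $false when the timeout expires with no answer at all,
        # which is what a firewall that silently drops the packets looks like.
        if ($task.Wait($TimeoutMs)) { return 'Open' }
        return 'Timeout (likely filtered)'
    }
    catch {
        # A failed connect surfaces as a wrapped SocketException.
        $inner = $_.Exception.GetBaseException()
        if ($inner -is [System.Net.Sockets.SocketException] -and
            $inner.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
            # The host answered, so the path is open but nothing listens on the port.
            return 'Refused (reachable, no listener)'
        }
        return "Error: $($inner.Message)"
    }
    finally { $client.Dispose() }
}

$results = foreach ($p in $Ports) {
    [pscustomobject]@{
        Service = $p.Service
        Port    = $p.Port
        Result  = Test-TcpPort -Target $DomainController -Port $p.Port -TimeoutMs $TimeoutMs
    }
}
$results | Format-Table -AutoSize
```

Rows that report a timeout are the ones to hand to the firewall team; run it from every cluster node, since the rules may differ per source address.
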
After engaging the firewall team, they opened all firewall ports and then the issue was resolved.
Now the Kerberos status started showing OK.
And I was successfully able to move the Cluster core resource from one node to another node.
Thanks for reading.
These 2 blogs can also help in troubleshooting step by step:
https://blogs.technet.microsoft.com/askcore/2012/03/27/why-is-the-cno-in-a-failed-state/
https://blogs.technet.microsoft.com/coremusketeers/2016/03/03/cluster-name-object-failed-repairing-it-gives-the-password-does-not-meet-the-password-policy-requirements/