Building a new Exchange 2010 environment for a customer recently, I came accross this error message when trying to add servers to the DAG membership:
A server-side database availability group administrative operation failed. Error: The operation failed. CreateCluster errors may result from incorrectly configured static addresses. Error: An error occurred while attempting a cluster operation. Error: Cluster API ‘”CreateCluster() failed with 0x5. Error: Access is denied”‘ failed. [Server: MBX01.domain.com]
An Active Manager operation failed. Error: An error occurred while attempting a cluster operation. Error: Cluster API ‘”CreateCluster() failed with 0x5. Error: Access is denied”‘ failed..
Access is denied
Click here for help… http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.1.267.0&t=exchgf1&e=ms.exch.err.ExC9C315
The operation wasn’t successful because an error was encountered. You may find more details in log file “C:\ExchangeSetupLogs\DagTasks\dagtask_2012-10-22_10-56-30.178_add-databaseavailabiltygroupserver.log”.
Exchange Management Shell command attempted:
Add-DatabaseAvailabilityGroupServer -MailboxServer ‘MBX01’ -Identity ‘DAG01’
I could always add one server to the DAG, and it didn’t matter which of the three, but trying to add a second member produced the error above.
This proved to be a combination of issues:
Active Directory Permissions
The Domain into which Exchange was being deployed was hardened, including a ‘Redirect OU’ for newly created computer objects, instead of the default Computers OU. This Redirect OU had restrictions on permissions.
So, following this http://technet.microsoft.com/en-us/library/ff367878.aspx I pre-staged the CNO in the Computers OU and manually configured permissions for the Exchange Trusted Subsytem group.
This allowed me to now add two of the DAG member servers, but adding the third still produced an error, but this time showing a ‘timed out’ message in place of the ‘access denied’
This led me to the second issue:
Duplicated MAC Address
The third server had been cloned in VMware from one of the first two servers, crucially this cloning had been done after the Failover Cluster feature had been added. This meant that the Virtual Cluster Adapter on both servers had the same MAC address. This MAC address seems to be based upon the MAC of one of the ‘physical adapters’, with the first two digits ammended.
So, after removing the Failover cluster feature and the NIC and re-adding both, the virtual adapter now had a new, non-conflicting MAC address and I could successfully add the final server to the DAG.