The cluster network name does not have Create Computer objects permissions on the Organizational

First published on MSDN on Mar 30, 2012

In Windows Server 2012 there have been several enhancements to how Windows Server Failover Clusters integrate with Active Directory. In this blog I am going to discuss some of the changes that help enable creating Failover Clusters in restrictive Active Directory environments, where permission to create computer objects is delegated only on specific organizational units (OUs).

Can anyone advise please?

I am in the process of creating a SQL 2016 SP2 SQL FCI. The WSFC was created by the server team and handed over to me. I ran the cluster configuration validation tests and got the following warning:

"The cluster network name xxx does not have Create Computer Objects permissions on the Organizational Unit OU=xxx .... This can result in issues during the creation of additional network names in this OU"

As it was only a warning, I decided to attempt the SQL installation regardless. On first attempt, it wouldn't let me create the SQL Cluster virtual network name until the Domain admin gave me the create computer objects rights in AD. After that I passed that stage and ran the installation to the end. However, at the tail end I got an error:

"Error installing SQL Server Database Engine Service Features. The cluster resource 'SQL Server' could not be brought online due to an error bringing the dependency resource 'SQL Network Name (abc)' online. Refer to Cluster Events in the Failover Cluster Manager for more information. Error code:0x86D80058"

Cluster Events: Cluster network name resource failed registration of one or more associated DNS name(s) because the access to update the secure DNS Zone was denied. Cluster Network name: 'Cluster Name' DNS Zone: 'xyz'

Ensure that cluster name object (CNO) is granted permission to the Secure DNS Zone.

So, from my research, it would seem that the warning given by the cluster configuration validation tests is the cause of the problem. My question therefore is how to fix the problem. Does the server admin's account used in creating the Windows cluster need to be a domain admin? Or is just giving them Create Computer Objects enough? I think they already have Create Computer Objects, so I'm not sure if they need to be domain admins. Will giving them Read All Properties in addition to Create Computer Objects fix the issue? Kindly advise please.

Lastly, when the correct permission has been given, how do I fix the errors in the SQL installation? Do I need to uninstall it, or is there a quicker way? What impact could an uninstall have when I come to re-install? Is there anything I need to watch out for when uninstalling?

Thank you.

A lot of cluster errors start here, simply because the cluster account has no rights in Active Directory.

As an example, a freshly created clustered DHCP server fails to come online.


In Failover Cluster Manager you can see the newly created resources, and the DHCP resource is not online. Why? The error screen tells you:

Cluster network name resource ‘MVPDHCP79’ failed to create its associated computer object in domain ‘mvp.local’ during: Resource online.

The text for the associated error code is: A constraint violation occurred.

Please work with your domain administrator to ensure that:

– The cluster identity ‘CLUSTER12$’ has Create Computer Objects permissions. By default all computer objects are created in the same container as the cluster identity ‘CLUSTER12$’.

– The quota for computer objects has not been reached.

– If there is an existing computer object, verify the Cluster Identity ‘CLUSTER12$’ has ‘Full Control’ permission to that computer object using the Active Directory Users and Computers tool.

Cluster resource ‘MVPDHCP79’ of type ‘Network Name’ in clustered role ‘MVPDHCP79’ failed.


OK, it seems clear to me: the cluster computer object has no permission to create an object in AD.

Easy to fix: just give the account god mode and you're done... Well, yes, but I do it differently.

In AD I created an OU where I place my cluster resources.


On that OU I run Delegation of Control.


I pick the cluster's NetBIOS name (the CNO) as the principal and choose a custom task to delegate.


Then I delegate the right to create objects in this folder only. This way I keep control over who is creating what in my AD; all the cluster computer account needs is the right to create objects in that OU.


Back in the cluster I bring the DHCP role online, and yes, it comes online, and in AD there is my DHCP computer object.


And it is creating the objects in the cluster OU.

When building a Windows cluster, you must first enter its name in the respective tool, be it Failover Cluster Manager, PowerShell, or Windows Admin Center. The tool then creates a cluster name object (CNO) of the same name in AD and a corresponding host record in DNS.

CNO prestaging

By default, the CNO is created in the Computers container. The Cluster Wizard in Windows Admin Center does not offer an alternative to this location. Therefore, if you want to use a different location, or the cluster will be set up by an admin who does not have the right to create AD objects, you can prestage the CNO.

To do this, right-click the desired OU in Active Directory Users and Computers and select New > Computer.


Creating a new computer object for the cluster name in Active Directory

In the following dialog box, enter the desired name. After confirming, you should activate the option Protect object from accidental deletion in the Object tab of the CNO's properties.


Assigning a name to the cluster object

It is also important to execute the command Deactivate account from the context menu of the computer account. Otherwise, you will get an error that the account is already in use when you create the cluster.

Assigning rights to a cluster admin

If the cluster is created by another admin, it should be ensured that they have sufficient permissions to the CNO. To do this, open its properties, go to the Security tab, add the necessary users or groups, and grant them full access.

Finally, the CNO should be given permissions to the OU it is located in so that the admin is able to add cluster roles. For this task, open the properties of the OU, go to the Security tab, click Advanced, and then Add.

Click the Select Principal link to open the selection dialog for the account to be authorized and add Computers to the Object Types. Then enter the CNO, click Check Names, and confirm the dialog box once the name resolves.


Selecting a CNO as the principal for permissions in the OU

In the list of permissions that will then appear, activate Create Computer Objects in addition to the preselected ones.


The CNO requires the permission to create new computer objects in its OU
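The OU delegation described in the DHCP post above and the prestaging steps just walked through, as one PowerShell script. This is an added example, not code from the article; the domain, OU, group and cluster names are assumptions, and the final function re-checks the condition the cluster validation warning tests.

```powershell
# Added example (not from the article): prestage the CNO in a dedicated OU,
# give the cluster admin group full control of it, and delegate "Create
# Computer objects" on that OU to the CNO. All names are lab assumptions.
Import-Module ActiveDirectory

$ClusterName = 'CLUSTER12'                     # CNO name (assumed)
$ClusterOU   = 'OU=Clusters,DC=mvp,DC=local'   # OU holding cluster objects (assumed)
$AdminGroup  = 'ClusterAdmins'                 # group that builds the cluster (assumed)
# Schema GUID of the "computer" object class; restricts the delegation to that class only.
$ComputerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# 1. Prestage the CNO disabled (the cluster wizard claims it) and protect it from deletion.
New-ADComputer -Name $ClusterName -Path $ClusterOU -Enabled $false
$cno = Get-ADComputer $ClusterName
Set-ADObject -Identity $cno.DistinguishedName -ProtectedFromAccidentalDeletion $true

# 2. Full control on the CNO itself for the admin group that will run the cluster wizard.
$cnoAcl = Get-Acl "AD:\$($cno.DistinguishedName)"
$cnoAcl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    (Get-ADGroup $AdminGroup).SID, 'GenericAll', 'Allow'))
Set-Acl -Path "AD:\$($cno.DistinguishedName)" -AclObject $cnoAcl

# 3. Let the CNO create computer objects in its OU: no other object class, no inheritance.
$ouAcl = Get-Acl "AD:\$ClusterOU"
$ouAcl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $cno.SID, 'CreateChild', 'Allow', $ComputerClass, 'None'))
Set-Acl -Path "AD:\$ClusterOU" -AclObject $ouAcl

# 4. Re-check what the validation warning tests: does the CNO hold an Allow ACE on the OU
#    granting CreateChild for the computer class (or for all classes)?
function Test-CnoCanCreateComputers {
    param([string]$CnoName, [string]$OuDn)
    $account = '{0}\{1}$' -f (Get-ADDomain).NetBIOSName, $CnoName   # e.g. MVP\CLUSTER12$
    $ace = (Get-Acl "AD:\$OuDn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $account -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
        ($_.ObjectType -eq $ComputerClass -or $_.ObjectType -eq [Guid]::Empty)
    }
    return [bool]$ace
}
Test-CnoCanCreateComputers -CnoName $ClusterName -OuDn $ClusterOU   # True once step 3 applied
```

The check in step 4 is also the quickest way to triage the validation warning on an existing cluster: run it against the OU the CNO lives in before touching any permissions.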

Problems with missing DNS records

By now, you should be able to create a server cluster with this name. When you're done and you try to connect to the cluster, it could fail for several reasons. The cause is relatively obvious if you have been using Windows Admin Center (WAC), as its cluster creation tool fails to create the corresponding DNS entry.

The log will then contain Event 1196 with the following entry:

Cluster network name resource "Cluster name" failed registration of one or more associated DNS name(s) for the following reason: DNS server failure.

Ensure that the network adapters associated with dependent IP address resources are configured with at least one accessible DNS server.


Event 1196 shown here in PowerShell refers to the failed creation of the DNS record

You can query the corresponding entries on a cluster node with PowerShell, like this:

Get-EventLog -LogName system -InstanceId 1196 -Newest 5

Creating DNS entries for the CNO

Consequently, the DNS entry will be missing after the cluster configuration is complete; therefore, you have to create it yourself. In the DNS manager, execute the command New Host (A or AAAA). Enter the name of the cluster in the dialog box, and enter the IP address of the owner node's management interface to be able to connect immediately.

The cluster owner is obtained by executing the following command on one of the nodes:

Get-ClusterResource | fl -Property *


Determining the owner node of the cluster with PowerShell

It is now important to grant the cluster nodes and the CNO full access to the record. This is necessary because cluster ownership changes between the nodes, and therefore, they must all be able to update the DNS entry independently.

To do this, open the properties of the new record, switch to the Security tab, and click Add. Then you must activate Computers again under Object types, so that you can then search for the names of the nodes and the CNO. Finally, confirm your changes.


The cluster nodes and the CNO must be given full access to the CNO's DNS record
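The DNS record creation and permission steps above as a PowerShell script. This is an added example, not code from the article; the zone, server, node and cluster names are assumptions, as is the zone being stored in the DomainDnsZones partition (check with Get-DnsServerZone; ForestDnsZones or the domain partition change the distinguished name).

```powershell
# Added example (not from the article): create the A record WAC left out and grant the
# cluster nodes and the CNO full control of it. Names and the zone's storage partition
# (DomainDnsZones) are assumptions for a lab domain.
Import-Module ActiveDirectory
Import-Module DnsServer

$ClusterName = 'CLUSTER12'              # CNO / cluster name (assumed)
$ZoneName    = 'mvp.local'              # AD-integrated forward zone (assumed)
$DnsServer   = 'dc01.mvp.local'         # DC hosting the zone (assumed)
$OwnerNodeIp = '10.0.0.21'              # management IP of the current owner node (assumed)
$Nodes       = 'NODE1', 'NODE2'         # cluster node computer accounts (assumed)
$DomainDn    = 'DC=mvp,DC=local'

# 1. The host record the cluster should have registered itself.
Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $ZoneName `
    -Name $ClusterName -IPv4Address $OwnerNodeIp

# 2. In an AD-integrated zone each record is a dnsNode object under the zone container.
#    Query the same DC the record was written to, so replication lag does not hide it.
$recordDn = "DC=$ClusterName,DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn"

function Grant-DnsRecordFullControl {
    param([string]$RecordDn, [string[]]$ComputerAccounts)
    $acl = Get-Acl "AD:\$RecordDn"
    foreach ($name in $ComputerAccounts) {
        $sid = (Get-ADComputer $name).SID     # node or CNO computer account
        $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid, 'GenericAll', 'Allow'))
    }
    Set-Acl -Path "AD:\$RecordDn" -AclObject $acl
}

# Every node must be able to rewrite the record after a failover, so grant all of them plus the CNO.
Grant-DnsRecordFullControl -RecordDn $recordDn -ComputerAccounts ($Nodes + $ClusterName)

# 3. Review who now holds full control of the record (expect the nodes, the CNO and the defaults).
function Get-DnsRecordFullControlHolders {
    param([string]$RecordDn)
    (Get-Acl "AD:\$RecordDn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.ActiveDirectoryRights -eq 'GenericAll' } |
        Select-Object -ExpandProperty IdentityReference
}
Get-DnsRecordFullControlHolders -RecordDn $recordDn
```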

Removing unsuitable DNS servers

Connecting to a cluster might also fail because the network configuration of the cluster nodes lists a DNS server that they are not permitted to update. These are typically servers from internet providers or public DNS services, such as Google.

In this case, if you use WAC for cluster configuration, you can connect directly to the individual nodes from there and add only the internal DNS servers via the network tool, for example, by using a static entry.
