AD account permissions required for SQL Server failover cluster installation

Installing a SQL Server cluster without Domain Admin rights requires some extra computer accounts and permissions to be configured in Active Directory beforehand. When reading the MSDN/TechNet article below, the terminology is easy to confuse.

Failover Cluster Step-by-Step Guide: Configuring Accounts in Active Directory
https://technet.microsoft.com/en-us/library/cc731002(WS.10).aspx

In that article, the "cluster name account" is the CNO, i.e. the cluster computer account: a computer account in AD whose name is the network name given when the cluster is created. In the article's example it is cluster1. To find this computer account when assigning permissions, you must search for cluster1$.

So: cluster name account (cluster name object) = CNO = cluster computer account = computer account of the cluster itself = cluster1$


The three possible scenarios are listed below.

Scenario 1. If you do not have domain administrative permissions (the installer is not a Domain Admin, so the installer and the CNO must be granted the permissions they need beforehand)
(1) The user account used to create the cluster (e.g. ClusterAdmin) must have administrative permissions on the servers that will become cluster nodes, i.e. it must be a local administrator on every node.
(2) The user account used to create the cluster (e.g. ClusterAdmin) requires Create Computer objects and Read All Properties permissions in the Computers container.
(3) The cluster computer account (CNO, cluster1$) requires Create Computer objects and Read All Properties permissions in the Computers container.


Scenario 2. If you do not have domain administrative permissions and you want to prestage the cluster name account (CNO)

(The installer is not a Domain Admin, so the CNO must be created in advance, the installer must be given Full Control over the CNO, and the CNO must be given the permissions it needs.)

(1) The user account used to create the cluster (e.g. ClusterAdmin) must have administrative permissions on the servers that will become cluster nodes, i.e. it must be a local administrator on every node.
(2) A domain administrator creates and disables the cluster computer account (CNO, cluster1) for the Windows cluster.
(3) The user account used to create the cluster (e.g. ClusterAdmin) requires Full Control on the cluster computer account (CNO, cluster1$).
(4) The cluster computer account (CNO, cluster1$) requires Create Computer objects and Read All Properties permissions in the Computers container.


Scenario 3. If you do not have domain administrative permissions and you want to prestage the cluster name account (CNO) and the other clustered services or applications

(The installer is not a Domain Admin, so the CNO and the computer accounts of the other clustered applications must be created in advance, and the installer must be given Full Control over the CNO and those computer accounts.)

(1) The user account used to create the cluster (e.g. ClusterAdmin) must have administrative permissions on the servers that will become cluster nodes, i.e. it must be a local administrator on every node.
(2) A domain administrator creates and disables the cluster computer account (CNO, cluster1) for the Windows cluster.
(3) The user account used to create the cluster (e.g. ClusterAdmin) requires Full Control on the cluster computer account (CNO, cluster1$).
(4) A domain administrator creates and disables the computer accounts for the clustered services (e.g. SQLClust1, cluster1DTC).
(5) The cluster computer account (CNO, cluster1$) requires Full Control on the clustered service computer accounts created in step (4) (SQLClust1, cluster1DTC).
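The following PowerShell script is an added example, not part of the TechNet article, that carries out the prestaging and permission steps of Scenarios 2 and 3 with the ActiveDirectory module. It uses the article's example names (ClusterAdmin, cluster1, SQLClust1, cluster1DTC); the helper functions Grant-AdRight and Show-AdAccessFor are this example's own. It must be run by a domain administrator before ClusterAdmin runs Create Cluster.

```powershell
# Added example (not from the referenced article): prestage the CNO and service
# computer accounts and grant the rights from Scenarios 2 and 3.
# Run as a domain administrator; ClusterAdmin then creates the cluster.
Import-Module ActiveDirectory

# Schema class GUID of the 'computer' object class; an ACE of CreateChild limited
# to this GUID is what the GUI shows as "Create Computer objects".
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Grant-AdRight {
    # Helper (this example's own): add one Allow ACE to an AD object's DACL.
    param(
        [Parameter(Mandatory)][string]$TargetDN,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType = [Guid]::Empty   # Empty GUID = all object types / all properties
    )
    $acl = Get-Acl -Path "AD:\$TargetDN"
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$TargetDN" -AclObject $acl
}

function Show-AdAccessFor {
    # Helper (this example's own): list the ACEs on an object that name a given SID,
    # so each grant below can be checked before the cluster is created.
    param(
        [Parameter(Mandatory)][string]$TargetDN,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid
    )
    (Get-Acl -Path "AD:\$TargetDN").Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Sid } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType
}

# Read the default computers container from the domain instead of hard-coding
# CN=Computers, so a container redirected to another OU is used automatically.
$ComputersDN = (Get-ADDomain).ComputersContainer
$installer   = Get-ADUser -Identity ClusterAdmin

# Scenario 2 step (2): create the CNO disabled; cluster creation takes it over later.
New-ADComputer -Name cluster1 -Path $ComputersDN -Enabled $false
$cno = Get-ADComputer -Identity cluster1

# Scenario 2 step (3): installer gets Full Control on the CNO.
Grant-AdRight -TargetDN $cno.DistinguishedName -Sid $installer.SID -Rights GenericAll

# Scenario 2 step (4): CNO gets "Create Computer objects" and "Read All Properties"
# on the computers container.
Grant-AdRight -TargetDN $ComputersDN -Sid $cno.SID -Rights CreateChild -ObjectType $ComputerClassGuid
Grant-AdRight -TargetDN $ComputersDN -Sid $cno.SID -Rights ReadProperty

# Scenario 3 steps (4) and (5): prestage the clustered service accounts disabled and
# give the CNO Full Control on each of them.
foreach ($svcName in 'SQLClust1', 'cluster1DTC') {
    New-ADComputer -Name $svcName -Path $ComputersDN -Enabled $false
    $svc = Get-ADComputer -Identity $svcName
    Grant-AdRight -TargetDN $svc.DistinguishedName -Sid $cno.SID -Rights GenericAll
}

# Verify the result: expect GenericAll for ClusterAdmin on the CNO, and
# CreateChild (computer class GUID) plus ReadProperty for cluster1$ on the container.
Show-AdAccessFor -TargetDN $cno.DistinguishedName -Sid $installer.SID
Show-AdAccessFor -TargetDN $ComputersDN -Sid $cno.SID
```

The verification step is worth keeping: an ACE of CreateChild with an empty ObjectType would let cluster1$ create any object class in the container, not only computers, so check that the ObjectType on that ACE is the computer class GUID and that no broader rights were granted than the scenario lists.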


PS. By default, computer accounts are created in the Computers container, but your domain administrator may have redirected the default location to another OU. In that case, every reference to the Computers container in the steps above must be replaced with that OU.

Redirecting the users and computers containers in Active Directory domains
https://support.microsoft.com/kb/324949

[Reference]

Failover Cluster Step-by-Step Guide: Configuring Accounts in Active Directory
https://technet.microsoft.com/en-us/library/cc731002(WS.10).aspx