Rights needed for user account when precreating a Cluster Name Object (CNO) on Windows Server 2008 R2 Failover Cluster

  • Article

Greetings Cluster fans, John Marlin here again.  In my previous blog, I explained what rights were needed for an account in Active Directory when allowing the Failover Cluster to create the Cluster Name Account (CNO).  In this blog, I will explain the minimum rights needed when objects are being pre-created.

Just to set proper expectations, this is a use at your own risk as it works, but if you call into support and their are issues, they will be strongly recommending you use the proper rights which is Full Control.  This was also only tested on Windows Server 2008 R2 Failover Clusters.  This was not tested in any version prior or after.  To answer your next possible question, do not ask me to do this for another version as this was an all day 2-day affair.  You can do the same on your own as it is a matter of having all rights, trying it out, remove a right, try it again.  If it works, leave it off and move to the next rule.  If it doesn't work, put it back and move to the next rule.  This is actually pretty simplistic and easy to test, but it takes a lot of your time.

In many companies, Active Directory is being locked down to prevent unwanted actions from occurring.  One of these is to lock down the Default Computers Organizational Unit (OU) so that users cannot create objects.  The Domain Administrators would rather precreate objects to:

  1. Keep naming conventions to better identify where an object resides and what its role is, i.e. TXSQLDALBE (Backend SQL Server running in Dallas, Texas)
  2. Create Organizational Units based of roles, services, or locations where the objects will reside.
  3. Prevent non-Domain administrators from having full control permissions

These Domain Admins are also starting to offload the creation of Clusters to a specific group of users that do not have full rights in Active Directory.

I created a simple Domain User (John Marlin) and a Creating Clusters group which he is a part of (as well as default Domain Users Group).  I created an OU called Clusters and removed Everyone from the rights.

I then manually created a new computer object that will be my Cluster Name Object (CNO) called TXSQLDAL in this Clusters OU, disabled it, and created my dnsHostName entry.  On the Security permissions of this object, I added the Creating Clusters Group with the following rights.

On the initial rights window, I selected:

      Read 
     Allowed To Authenticate
     Change Password
     Receive As
     Reset Password
     Send As
     Validate write To DNS Host Name
     Validate Write To Service Principle Name
     Read Account Restrictions
     Write Account Restrictions
     Read DNS Host Name Attributes
     Read MS-TS-GatewayAccess
     Read Personal Information
     Read Public Information

You then would need to select the Advanced button to create a couple additional Special Permissions.   If you sort by accounts and edit the entry for this account that says "Special", you will need to select these permissions:

      Modify Permissions
     Modify Owner

 

Once this was done, I can successfully create the Cluster and the Cluster Name came online.  If all these rights are not in place, you can receive one of the below.  The first is an Access Denied error attempting to create the Cluster

 

If you have enough of the rights, but not all listed or remove Authenticated Users from the OU permissions, it may create the Cluster, but the Cluster Name will fail to come online.  In the System Event Log, you will receive the following:

Event ID: 1207
Source: FailoverClustering
Description: Cluster network name resource ‘Cluster Name’ cannot be brought online. The computer object associated with the resource could not be updated in domain ‘X’ for the following reason:
 
Unable to get computer object using GUID

If you generate a Cluster Log and review it, you will see the following:

 Trying to find computer account TXSQLDAL object GUID <GUID>
Search for existing computer account failed. Status 8007200A
Trying to find object <GUID> on a PDC
Unable to find object <GUID> on a PDC

So ensure you have all of the rights above are in place on both the object and the OU (at least READ).

Since you are precreating the CNO, you are also going to be precreating Virtual Computer Objects (VCO).  One note about this is to ensure that the CNO and all of its VCOs are in the same OU.  Since the Cluster Name Object (CNO) is the account that will need permissions, on the VCO Security tab, you need to add just on the initial window:

      Read 
     Allowed To Authenticate
     Change Password
     Receive As
     Reset Password
     Send As
     Validate write To DNS Host Name
     Validate Write To Service Principle Name
     Read Account Restrictions
     Write Account Restrictions
     Read DNS Host Name Attributes
     Read MS-TS-GatewayAccess
     Read Personal Information
     Read Public Information

The Modify Permissions or Modify Owner on this object is not needed as the CNO is already given the rights to do what it needs.  You are able to successfully bring the VCO online.

All of the documentation we have recommends Full rights on the Active Directory objects; however, if you lock things down, these are the minimum rights you will need.

Happy Clustering !!