Error during installation of an SQL server Failover Cluster Instance

A common issue I've run into while helping with SQL Server Failover Cluster (FCI) installations is the failure of the Network Name. In the following post I'll discuss a bit of background, the common root cause, and how to resolve it.

Background

The SQL Server Database Engine service is dependent on the Network Name resource. A failure of the Network Name will result in the SQL Server Resource not coming online.

When the Windows Failover Cluster (WFC) is initially configured a Cluster Name object (CNO) will be created. The CNO is visible as a computer object in your Activity Directory Users and Computer snap-in (dsa.msc). By default the CNO will be created in the Computers container and granted specific permissions:

image

After a successful SQL Server FCI installation you will now see a Virtual Computer Object (VCO) for the SQL Server Network Name:

clip_image002

*Note: After the CNO is created any additional Network Name resource in the cluster is considered a Virtual Computer Object. VCO’s are simply Computer objects in which the CNO has permissions to change the properties or reset the password.

Problem

But what if the CNO does not possess the required permissions to create computer objects in the “Computers” container?

It is in the above scenario where we commonly see the following errors during SQL Server FCI installation:

clip_image003

The following error has occurred:

The cluster resource 'SQL Server (SQL2012)' could not be brought online due to an error bringing the dependency resource 'SQL Network Name(VSQL2012)' online. Refer to the Cluster Events in the Failover Cluster Manager for more information.

A user encountering the same issue while installing a pre-SQL Server 2012 version may see:

The cluster resource 'SQL Server (MSSQLSERVER)' could not be brought online. Error: The resource failed to come online due to the failure of one or more provider resources. (Exception from HRESULT: 0x80071736)

System log:

Cluster network name resource 'SQL Network Name (VSQL2012)' failed to create its associated computer object in domain 'motox.com' during: Resource online.

The text for the associated error code is: A constraint violation occurred.

Please work with your domain administrator to ensure that:

- The cluster identity 'CLUS2012$' has Create Computer Objects permissions. By default all computer objects are created in the same container as the cluster identity 'CLUS2012$'.

- The quota for computer objects has not been reached.

- If there is an existing computer object, verify the Cluster Identity 'CLUS2012$' has 'Full Control' permission to that computer object using the Active Directory Users and Computers tool.

Cluster log:

[RES] Network Name: [NNLIB] Creating object VSQL2012 using ADSI in OU OU=SQL,DC=motox,DC=com on DC: \\MOTOXDC.motox.com , result: 8239

[RES] Network Name: [NNLIB] Failed to create Computer Object VSQL2012 in the Active Directory, error 8239

Cause

The common cause of the Network Name resource failure is insufficient permissions. More specifically, the permission "Create Computer Objects" has not been granted to the Cluster Name Object(CNO).

https://technet.microsoft.com/en-us/library/cc731002(v=ws.10).aspx

“…when you create a failover cluster and configure clustered services or applications, the failover cluster wizards create the necessary Active Directory computer accounts (also called computer objects) and give them specific permissions. The wizards create a computer account for the cluster itself (this account is also called the cluster name object or CNO) and a computer account for most types of clustered services and applications”

When the SQL Server Network Name is first brought online during the FCI installation process, the CNO identity is used to create the VCO(as long as the VCO doesn’t already exist). If the required permissions are not granted to the CNO, the creation of the VCO will fail and so will your SQL Server FCI installation.

*Note: The Create Computer objects right only applies to Domain Functional Levels above Windows Server 2003. For Windows Server 2003 the required privilege is “Add Workstations to the Domain”.

Resolution(s)

Option #1

We must grant the permissions "Read all properties" and "Create Computer objects" to the CNO via the container. Here's an example of granting the required permissions for demonstration purposes:

1. Open the Active Directory Users and Computers Snap-in (dsa.msc).

2. Locate “Computers” container:

clip_image004

3. Make sure "Advanced Features" is selected:

clip_image005

4. Open the properties of the container and click the "Security" tab. Click "Add" and add the CNO. Make sure to select “Computers” option in the “Object Types” window:

clip_image006

clip_image007

5. Click "Advanced", highlight the CNO, and click "Edit":

clip_image008

6. Make sure "Read all properties" and "Create Computer objects" are checked. Click OK until you're back to the AD Users and Computer window:

clip_image009

7. Retry your previously failed installation. Note that with SQL Server 2012 there will be a “retry” button.

Option # 2

We can also “Pre-Stage” the VCO, which is useful in situations where the Domain Administrator does not allow the CNO “Read All Properties” and “Create computer Objects” permissions:

1. Ensure that you are logged in as a user that has permissions to create computer objects in the domain.

2. Open the Active Directory Users and Computers Snap-in (dsa.msc).

3. Select View -> Advanced Features.

4. Right click the OU/Container you want the VCO to reside in and click “New” -> “Computer”

clip_image010

5. Provide a name for the object (This will be your SQL Server Network Name) and click “OK”:

clip_image011

6. Right click on the on the VCO you just created and select “Properties”. Click the security tab and then click “Add”:

clip_image012

7. Enter the CNO (Make sure to select “Computers” option in the “Object Types” window) and click “OK”.

clip_image013

clip_image014

8. Highlight the CNO, check the following permissions, and click “OK”.

Read

Allowed To Authenticate

Change Password

Receive As

Reset Password

Send As

Validate write To DNS Host Name

Validate Write To Service Principle Name

Read Account Restrictions

Write Account Restrictions

Read DNS Host Name Attributes

Read MS-TS-GatewayAccess

Read Personal Information

Read Public Information

*Note: You can replace step #8 by giving the CNO “Full Control” over the VCO

9. Install SQL Server and the Network Name resource should start without issue.

References:

Failover Cluster Step-by-Step Guide: Configuring Accounts in Active Directory

https://technet.microsoft.com/en-us/library/cc731002(WS.10).aspx

Before Installing Failover Clustering

https://msdn.microsoft.com/en-us/library/ms189910.aspx/html

Add workstations to domain

https://technet.microsoft.com/en-us/library/cc780195(v=WS.10).aspx

Troy Moen – Support Escalation Engineer