Scenario
You have two or more up-to-date Windows Server 2012 R2 nodes and want to create a new failover cluster. The logged-on user is a Domain Admin.
You install the required features:
Install-WindowsFeature FailoverClustering -IncludeManagementTools
Run the validation tests, which all come back green:
Test-Cluster -Node node1,node2
Create the cluster:
New-Cluster -Name TestCluster -Node node1,node2 -StaticAddress 192.168.1.100 -NoStorage
and you receive:
Adding special permissions to the computer object failed. Trying to add ‘Full-Access’ permissions for security principal to computer object CN=,OU=,DC=,DC= failed. Verify that the user running create cluster has permissions to update the computer object in Active Directory Domain Services. The parameter is incorrect.
—
- Prestaging the required objects does not help either.
- Changing user rights or using a new user to create the cluster –> no luck
- No time synchronization issues between nodes and DCs
- Networks are configured properly
- Validation tests are all “green”
- Firewall is disabled
Solution
1. Create a new computer object for the cluster name (go to ADUC –> your OU –> New –> Computer)
3. Turn on the Advanced Features view
4. Right-click the CNO (the computer object for the new cluster), go to the Security tab –> select Advanced
5. Click “Disable Inheritance” (for 2012/2012 R2) or clear “Allow inheritable permissions from parent to propagate to this object and all the child objects” (2008/2008R2), and choose “Remove all inherited permissions from this object”
6. Right-click the new cluster name object (the prestaged computer object from step 1) and disable it
7. Go back to the failover cluster wizard and try to create the cluster again
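The same steps can be scripted. The PowerShell below is an added example, not part of the original post: it assumes the ActiveDirectory module (RSAT) is installed, and the OU path and report file name are placeholders. It records the inherited ACEs before removing them, so you can see which inherited entry (for example a Deny) was in the way.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$ClusterName = 'TestCluster'                      # cluster name used in the scenario
$OuPath      = 'OU=Clusters,DC=example,DC=com'    # placeholder: OU that will hold the CNO
$Report      = ".\$ClusterName-inherited-aces.csv" # placeholder: where to save the old ACEs

# Steps 1 and 6: prestage the cluster name object (CNO) and leave it disabled.
New-ADComputer -Name $ClusterName -Path $OuPath -Enabled $false

$cno    = Get-ADComputer -Identity $ClusterName
$adPath = "AD:\$($cno.DistinguishedName)"         # AD: drive is provided by the module
$acl    = Get-Acl -Path $adPath

# Keep a record of what is about to be removed, and show inherited Deny entries.
$inherited = $acl.Access | Where-Object { $_.IsInherited }
$inherited |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType |
    Export-Csv -Path $Report -NoTypeInformation
$inherited | Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, ActiveDirectoryRights -AutoSize

# Step 5: disable inheritance and remove all inherited permissions.
# SetAccessRuleProtection(isProtected = $true, preserveInheritance = $false)
$acl.SetAccessRuleProtection($true, $false)
Set-Acl -Path $adPath -AclObject $acl

# Verify: inheritance is blocked and no inherited ACEs remain on the CNO.
$after = Get-Acl -Path $adPath
'Inheritance disabled : {0}' -f $after.AreAccessRulesProtected
'Inherited ACEs left  : {0}' -f @($after.Access | Where-Object { $_.IsInherited }).Count

# Step 7: rerun cluster creation (the New-Cluster command from the scenario).
```

Review the exported CSV afterwards: an inherited Deny entry there points to the ACL on the parent OU or domain that blocks cluster creation.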
I love you so very very much, right now. I spent an hour banging my head against this issue. I had even already tried prestaging the cluster account… I just didn’t clear the inherited permissions. Wow. THANKS MICROSOFT!
HMM… Had the same issue. What is actually causing this? There is some deny permission from the domain inherited probably?
Yes, you are right. The best practice is to place all cluster resources in a specific OU to minimize GPO or ACL impact
Hello
I am facing an issue while adding a node to the cluster: “You do not have privilege to add this node in the cluster” (Windows Server 2012 failover cluster).
If anyone has the solution, please let me know.
Are you adding a node to an existing cluster? Verify that your account is a local administrator on each node and has “Create Computer Objects” and “Read All Properties” rights in the container where cluster objects will be placed. Try to run cluster validation and then review the Active Directory section in the reports. Any warnings?
Hello there,
I do not have any issues with the cluster at this time; however, while running Cluster Validation I see a warning: “The Servers are not all in the same organizational Unit”. It's a 2-node Windows 2012 cluster. Are any changes required?
Hi! Yes, it’s recommended to place them in a single OU to simplify GPO management, etc.
Thanks for your help, this is the fix for the issue that I had
Is there a way to add special permissions via PowerShell?