Fix: Adding special permissions to the cluster computer object failed


Scenario

You have two or more 2012 R2 up-to-date nodes and want to create new failover cluster. Logged user is Domain Admin.

You install the required features:

Install-WindowsFeature FailoverClustering -IncludeManagementTools

Run validation tests and it’s green:

Test-Cluster -Node node1,node2

Run cluster creating:

New-Cluster -Name TestCluster -Node node1,node2 -StaticAddress 192.168.1.100 -NoStorage

and you receive:

Adding special permissions to the computer object failed. Trying to add ‘Full-Access’ permissions for security principal to computer object CN=,OU=,DC=,DC= failed. Verify that the user running create cluster has permissions to update the computer object in Active Directory Domain Services. The parameter is incorrect.

  • Steps for prestaging required objects don’t work too.
  • Changing user rights or adding new user for cluster creating  –>  no luck
  • No time synchronization issues between nodes and DCs
  • Networks are configured properly
  • Validation tests are all “green”
  • Firewall is disabled

Solution

1. Create new computer object for cluster name (Go to ADUC –> your OU –> new –> computer)

cluster creating error 1

3. Turn on view with advanced features

cluster creating error 3

4. Right click on CNO (computer object for new cluster) and go to Security tab –> select Advanced

cluster creating error 4

5. Click on “Disable Inheritance” (for 2012/2012 R2) or clear “Allow inheritable permissions from parent to propagate to this object and all the child objects” (2008/2008R2) and “Remove all inherited permissions from this object”

cluster creating error 5

6. Right click on the new cluster name and disable it (prestaged computer object from step 1)

cluster creating error 2

7. Go back to the failover cluster wizard and try to create cluster again

5 thoughts on “Fix: Adding special permissions to the cluster computer object failed”

  1. I love you so very very much, right now. I spent an hour banging my head against this issue. I had even already tried prestaging the cluster account… I just didn’t clear the inherited permissions. Wow. THANKS MICROSOFT!

  2. HMM… Had the same issue. What is actually causing this? There is some deny permission from the domain inherited probably?

  3. Hello
    I am facing an issue, while adding node in the cluster, “You do not have priveldge to add this node in the cluster” windows server 2012 failover cluster.
    anyone have the solution, please let me know,

    1. Are you adding a node to existing cluster? Verify that your account is local administrator on each node, have “Create Computer Objects” and “Read All Properties” rights in the container where cluster objects will be placed. Try to run cluster validation and then review Active Directory section in the reports. Any warnings?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s