Fix: Adding special permissions to the cluster computer object failed

Scenario

You have two or more 2012 R2 up-to-date nodes and want to create new failover cluster. Logged user is Domain Admin.

You install the required features:

Install-WindowsFeature FailoverClustering -IncludeManagementTools

Run validation tests and it’s green:

Test-Cluster -Node node1,node2

Run cluster creating:

New-Cluster -Name TestCluster -Node node1,node2 -StaticAddress 192.168.1.100 -NoStorage

and you receive:

Adding special permissions to the computer object failed. Trying to add ‘Full-Access’ permissions for security principal to computer object CN=,OU=,DC=,DC= failed. Verify that the user running create cluster has permissions to update the computer object in Active Directory Domain Services. The parameter is incorrect.

  • Steps for prestaging required objects don’t work too.
  • Changing user rights or adding new user for cluster creating  –>  no luck
  • No time synchronization issues between nodes and DCs
  • Networks are configured properly
  • Validation tests are all “green”
  • Firewall is disabled

Solution

1. Create new computer object for cluster name (Go to ADUC –> your OU –> new –> computer)

cluster creating error 1

3. Turn on view with advanced features

cluster creating error 3

4. Right click on CNO (computer object for new cluster) and go to Security tab –> select Advanced

cluster creating error 4

5. Click on “Disable Inheritance” (for 2012/2012 R2) or clear “Allow inheritable permissions from parent to propagate to this object and all the child objects” (2008/2008R2) and “Remove all inherited permissions from this object”

cluster creating error 5

6. Right click on the new cluster name and disable it (prestaged computer object from step 1)

cluster creating error 2

7. Go back to the failover cluster wizard and try to create cluster again