Scenario
You have two or more 2012 R2 up-to-date nodes and want to create new failover cluster. Logged user is Domain Admin.
You install the required features:
Install-WindowsFeature FailoverClustering -IncludeManagementTools
Run validation tests and it’s green:
Test-Cluster -Node node1,node2
Run cluster creating:
New-Cluster -Name TestCluster -Node node1,node2 -StaticAddress 192.168.1.100 -NoStorage
and you receive:
Adding special permissions to the computer object failed. Trying to add ‘Full-Access’ permissions for security principal to computer object CN=,OU=,DC=,DC= failed. Verify that the user running create cluster has permissions to update the computer object in Active Directory Domain Services. The parameter is incorrect.
—
- Steps for prestaging required objects don’t work too.
- Changing user rights or adding new user for cluster creating –> no luck
- No time synchronization issues between nodes and DCs
- Networks are configured properly
- Validation tests are all “green”
- Firewall is disabled
Solution
1. Create new computer object for cluster name (Go to ADUC –> your OU –> new –> computer)
3. Turn on view with advanced features
4. Right click on CNO (computer object for new cluster) and go to Security tab –> select Advanced
5. Click on “Disable Inheritance” (for 2012/2012 R2) or clear “Allow inheritable permissions from parent to propagate to this object and all the child objects” (2008/2008R2) and “Remove all inherited permissions from this object”
6. Right click on the new cluster name and disable it (prestaged computer object from step 1)
7. Go back to the failover cluster wizard and try to create cluster again
UseIT | Roman Levchenko 