Fix: Adding special permissions to the cluster computer object failed


You have two or more up-to-date 2012 R2 nodes and want to create a new failover cluster. The logged-on user is a Domain Admin.

You install the required features:

Install-WindowsFeature FailoverClustering -IncludeManagementTools

Run the validation tests; everything is green:

Test-Cluster -Node node1,node2

Create the cluster:

New-Cluster -Name TestCluster -Node node1,node2 -StaticAddress -NoStorage

and you receive:

Adding special permissions to the computer object failed. Trying to add ‘Full-Access’ permissions for security principal to computer object CN=,OU=,DC=,DC= failed. Verify that the user running create cluster has permissions to update the computer object in Active Directory Domain Services. The parameter is incorrect.

  • Steps for prestaging the required objects don’t work either.
  • Changing user rights or adding a new user for cluster creation  –>  no luck
  • No time synchronization issues between nodes and DCs
  • Networks are configured properly
  • Validation tests are all “green”
  • Firewall is disabled


1. Create a new computer object for the cluster name (go to ADUC –> your OU –> New –> Computer)

3. Turn on the Advanced Features view

4. Right-click the CNO (the computer object for the new cluster), go to the Security tab –> select Advanced

5. Click “Disable Inheritance” (for 2012/2012 R2) or clear “Allow inheritable permissions from parent to propagate to this object and all the child objects” (2008/2008 R2), then choose “Remove all inherited permissions from this object”

6. Right-click the new cluster name (the prestaged computer object from step 1) and disable it

7. Go back to the failover cluster wizard and try to create the cluster again
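
Steps 1 to 6 scripted with the ActiveDirectory module, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module is installed; the OU path is a placeholder, and the cluster name is the one from the New-Cluster command above.

```powershell
# Added example (not from the original post): steps 1-6 scripted.
# Assumptions: RSAT ActiveDirectory module is installed; $OuPath is a placeholder.
Import-Module ActiveDirectory

$CnoName = 'TestCluster'                         # name used in New-Cluster above
$OuPath  = 'OU=<your OU>,DC=<domain>,DC=<tld>'   # placeholder, replace before running

# Step 1: prestage the computer object for the cluster name.
$cno    = New-ADComputer -Name $CnoName -Path $OuPath -PassThru
$adPath = "AD:\$($cno.DistinguishedName)"

# Record the ACEs that currently arrive through inheritance, so the change
# can be reviewed later.
$acl = Get-Acl -Path $adPath
$acl.Access | Where-Object { $_.IsInherited } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights |
    Export-Csv -Path ".\$CnoName-inherited-aces.csv" -NoTypeInformation

# Step 5: disable inheritance and remove the inherited permissions.
# SetAccessRuleProtection(isProtected, preserveInheritance)
$acl.SetAccessRuleProtection($true, $false)
Set-Acl -Path $adPath -AclObject $acl

# Step 6: disable the prestaged object.
Disable-ADAccount -Identity $cno

# Verify the end state before going back to the wizard (step 7).
$check = Get-Acl -Path $adPath
[pscustomobject]@{
    Enabled             = (Get-ADComputer -Identity $cno).Enabled
    InheritanceDisabled = $check.AreAccessRulesProtected
    InheritedAcesLeft   = @($check.Access | Where-Object { $_.IsInherited }).Count
    ExplicitAces        = @($check.Access | Where-Object { -not $_.IsInherited }).Count
}
```

The exported CSV records which inherited ACEs were dropped from the object.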

Hyper-V 3.0 interaction with registry and how it was in 2008 R2

A virtual machine's configuration is stored in an XML file, and Hyper-V (the Virtual Machine Management Service) reads and writes this file whenever a change occurs. The XML file is without doubt the most important file for every VM, but Hyper-V works with the registry as often as with the XML. I prefer to say that Hyper-V keeps a “mirror of some VM configuration” in the registry (especially in previous versions of Windows Server). The main goal of this post is to show how Hyper-V works with the XML and the registry together. I use PowerShell cmdlets from the Hyper-V module and some test VMs. At the end of the article, I describe the differences between the Hyper-V-related registry keys in 2008 R2 and 2012.

Let’s start with the simplest operation for every Hyper-V administrator.

Creating a basic VM (no vhd, no connected adapters):

PS C:\Windows\system32> New-VM -Name WikiTest1 -NoVHD -Generation 2

Name      State CPUUsage(%) MemoryAssigned(M) Uptime   Status
----      ----- ----------- ----------------- ------   ------
WikiTest1 Off   0           0                 00:00:00 Operating normally

The Virtual Machine Management Service (VMMS) issues a CreateFile operation that creates the VM_GUID.XML file in the Virtual Machines folder (by default); for my VM WikiTest1 the file EF259B05-2CDE-4317-8ACF-E80CB364D66C.xml was created. If we add an additional network adapter without a VM switch connection, VMMS issues a WriteFile operation and updates the XML file with the new synthetic adapter (note that PortName and SwitchName are empty):

<type_id type="string">Virtual Machines</type_id>
    <version type="integer">1280</version>
      <logical_id type="string">EF259B05-2CDE-4317-8ACF-E80CB364D66C</logical_id>
    <PortName type="string"></PortName>
    <SwitchName type="string"></SwitchName>
      <device type="string">2fc216b0-d2e2-4967-9b6d-b8a5c9ca2778</device>
      <flags type="integer">1</flags>
      <instance type="string">1314FBB0-9385-44B7-8DDE-18D4118EFDDD</instance>
      <name type="string">Synthetic Ethernet Port</name>

Connecting VM to Hyper-V switch

PS C:\Windows\system32> Connect-VMNetworkAdapter -VMName WikiTest1 -SwitchName VM

VMMS issues a WriteFile operation and updates the XML file (IsConnected=True, PortName and SwitchName populated with GUIDs):

<IsConnected type="bool">True</IsConnected>
 <MacAddress type="string">00-00-00-00-00-00</MacAddress>
 <MacAddressIsStatic type="bool">False</MacAddressIsStatic>
 <PortName type="string">6FAC595A-2507-4690-A840-5746B09D81A1</PortName>
 <SwitchName type="string">FDDD2A3C-85E3-4807-9E28-7A40C8D494A7</SwitchName>

But that is not enough: VMMS (with vmswitch.sys) also creates new registry keys (RegCreateKey, RegSetValue operations) for every PortName under the SwitchName key:



Compare the PortName and SwitchName values from the XML with the GUIDs in the registry: they are identical. SwitchName is a constant UID (one for every Hyper-V switch) and is the same for all VMs. PortName identifies each dedicated port (a port is an interpretation of the “Virtual Adapter” term) on the Hyper-V virtual switch.

Note: HKLM\System\CurrentControlSet\Services is also a registry key where Hyper-V keeps general settings for Integration Services and VMMS.

Note: if you disconnect the VM from the Hyper-V switch, only the “IsConnected” flag in the XML configuration file changes from True to False (PortName and SwitchName keep their last values). If you reconnect the VM, VMMS rewrites the XML with a completely new PortName UID.
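
A consistency check for the mapping described above, as an added example (not the author's code): it reads PortName/SwitchName pairs from a VM configuration XML and tests for the matching key under the SwitchList path that this post shows in the VLAN section below. The sample XML is constructed from the GUIDs quoted on this page; its wrapper element names and the function name are hypothetical.

```powershell
# Added example, not from the original post.
$SwitchList = 'HKLM:\SYSTEM\CurrentControlSet\Services\VMSMP\Parameters\SwitchList'

function Get-VMPortRegistryState {               # hypothetical helper name
    param([Parameter(Mandatory)][xml]$Config)

    # Assumption: PortName, SwitchName and IsConnected are siblings under
    # the same adapter element, as the excerpts in this post suggest.
    foreach ($sw in $Config.SelectNodes('//SwitchName')) {
        $adapter  = $sw.ParentNode
        $portNode = $adapter.SelectSingleNode('PortName')
        $connNode = $adapter.SelectSingleNode('IsConnected')
        $switchId = $sw.InnerText.Trim()
        $portId   = if ($portNode) { $portNode.InnerText.Trim() } else { '' }

        if (-not $switchId -or -not $portId) {
            $key = $null; $state = 'NeverConnected'   # empty values: no key to look for
        } else {
            $key   = "$SwitchList\$switchId\$portId"
            $state = if (Test-Path -LiteralPath $key) { 'KeyPresent' } else { 'KeyMissing' }
        }
        [pscustomobject]@{
            SwitchName  = $switchId
            PortName    = $portId
            IsConnected = ($connNode -and $connNode.InnerText -eq 'True')
            RegistryKey = $key
            State       = $state
        }
    }
}

# Constructed sample; on a Hyper-V host load the real file instead:
#   [xml](Get-Content -Raw '<path>\<VM GUID>.xml')
$sample = @'
<configuration>
  <adapter>
    <IsConnected type="bool">True</IsConnected>
    <PortName type="string">6FAC595A-2507-4690-A840-5746B09D81A1</PortName>
    <SwitchName type="string">FDDD2A3C-85E3-4807-9E28-7A40C8D494A7</SwitchName>
  </adapter>
  <adapter>
    <PortName type="string"></PortName>
    <SwitchName type="string"></SwitchName>
  </adapter>
</configuration>
'@
Get-VMPortRegistryState -Config $sample | Format-Table -AutoSize
```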

Configuring VLANs on port

PS C:\Windows\system32> Set-VMNetworkAdapterVlan -VMName WikiTest1 -Trunk -AllowedVlanIdList 10-20 -NativeVlanId 15

VMMS creates a new subkey under the virtual switch key:

HKLM\System\CurrentControlSet\Services\VMSMP\Parameters\SwitchList\FDDD2A3C-85E3-4807-9E28-7A40C8D494A7\6FAC595A-2507-4690-A840-5746B09D81A1\Properties\{952c5004-4465-451c-8cb8-fa9ab382b773}, which keeps the VLAN settings for PortName 6FA.. on the switch with UID FDDD…

VMMS also updates the XML file with feature references and a data block for the VLANs (feature ID = UID of the created RegValues):

        <DisplayName type="string">Ethernet Switch Port VLAN Settings</DisplayName>
        <Flags type="integer">0</Flags>
         <Id type="string">958A1AF7-327C-42F4-8864-517617BDE876</Id>

“Mirror of configuration” in the registry (VLAN settings in a REG_BINARY value):


How it was in 2008 R2?

In 2008 R2 the VM “mirror of configuration” in the registry was different (I even want to say “completely different”). When you create a VM and connect it to the virtual switch, VMMS updates the PortName and SwitchName values in the XML and creates new RegValues in the registry, the only difference being that the VLAN settings are (mostly) stored in the registry in plain form (REG_DWORD). In the XML we can see only references to the GUIDs of these parameters; there are no VLAN settings and no features with data blocks.

REG_DWORD values for VLAN settings (AccessVlanId = VLAN ID in the VM network adapter properties):


OK, so what? As you know, the main difference between VM import/export in 2008 R2 and 2012 is that 2008 R2 requires an EXP file for a successful import (in 2012/R2 we do not need it). The EXP file is created while the VM is exported and provides additional configuration information (guess what!?).

Hint (excerpt from exp-file for VM with VlanID 25):