Adding special permissions to the computer object failed. Trying to add ‘Full-Access’ permissions for security principal to computer object CN=,OU=,DC=,DC= failed. Verify that the user running create cluster has permissions to update the computer object in Active Directory Domain Services. The parameter is incorrect.
—
Steps for prestaging required objects don’t work either.
Changing user rights or adding a new user for cluster creation –> no luck
No time synchronization issues between nodes and DCs
Networks are configured properly
Validation tests are all “green”
Firewall is disabled
Solution
1. Create a new computer object for the cluster name (go to ADUC –> your OU –> New –> Computer)
3. Turn on the Advanced Features view
4. Right click on CNO (computer object for new cluster) and go to Security tab –> select Advanced
5. Click on “Disable Inheritance” (for 2012/2012 R2) or clear “Allow inheritable permissions from parent to propagate to this object and all the child objects” (2008/2008R2) and “Remove all inherited permissions from this object”
6. Right click on the new cluster name and disable it (the prestaged computer object from step 1)
7. Go back to the failover cluster wizard and try to create the cluster again
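The same prestaging done from PowerShell with the ActiveDirectory module, as an added example (not part of the original post): it creates the CNO, strips inherited ACEs, disables the object and then reports the resulting ACL state. The cluster name and OU path are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Placeholders (assumptions, not from the post): replace with your own values.
$ClusterName = 'CLUSTER01'
$OuPath      = 'OU=Clusters,DC=example,DC=com'

# Step 1: create the computer object (CNO) for the cluster name.
$cno = New-ADComputer -Name $ClusterName -Path $OuPath -PassThru

# Step 5: disable inheritance and remove all inherited permissions.
# SetAccessRuleProtection(isProtected, preserveInheritance):
#   $true  = stop inheriting from the parent OU
#   $false = do not copy the inherited ACEs as explicit ones
$adPath = "AD:\$($cno.DistinguishedName)"
$acl = Get-Acl -Path $adPath
$acl.SetAccessRuleProtection($true, $false)
Set-Acl -Path $adPath -AclObject $acl

# Step 6: disable the prestaged computer object.
Set-ADComputer -Identity $cno -Enabled $false

# Check the result before going back to the cluster wizard.
$check = Get-Acl -Path $adPath
[pscustomobject]@{
    DistinguishedName   = $cno.DistinguishedName
    Enabled             = (Get-ADComputer -Identity $cno).Enabled
    InheritanceDisabled = $check.AreAccessRulesProtected
    InheritedAcesLeft   = @($check.Access | Where-Object IsInherited).Count
    ExplicitAces        = @($check.Access | Where-Object { -not $_.IsInherited }).Count
}

# The explicit ACEs are all that remain on the object; list who holds them.
$check.Access | Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```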
A virtual machine's configuration is stored in an XML file, and Hyper-V (the Virtual Machine Management Service) reads and writes this file whenever something changes. No doubt, the XML file is the most important file for every VM. That's true, but Hyper-V works with the registry as often as with the XML. I prefer to say that Hyper-V keeps a “mirror of some VM configuration” in the registry (especially in previous versions of Windows Server). The main goal of this post is to show how Hyper-V works with the XML file and the registry together. I use PowerShell cmdlets from the Hyper-V module and some test VMs. At the end of the article, I describe the differences between the Hyper-V-related registry hives in 2008 R2 and 2012.
Let’s start with the simplest operation for every Hyper-V administrator.
Creating a basic VM (no vhd, no connected adapters):
PS C:\Windows\system32> New-VM -Name WikiTest1 -NoVHD -Generation 2
Name      State CPUUsage(%) MemoryAssigned(M) Uptime   Status
----      ----- ----------- ----------------- ------   ------
WikiTest1 Off   0           0                 00:00:00 Operating normally
The Virtual Machine Management Service (VMMS) issues a CreateFile request that creates the VM_GUID.XML file in the Virtual Machines folder (by default); in my case, the file EF259B05-2CDE-4317-8ACF-E80CB364D66C.xml was created for my VM WikiTest1. If we add an additional network adapter without a VM switch connection, VMMS issues a WriteFile request and updates the XML file with the new synthetic adapter (note that PortName and SwitchName are empty):
But that is not enough: VMMS (with vmswitch.sys) also creates new registry hives (RegCreateKey, RegSetValue queries) for every PortName in the SwitchName hive:
Compare the PortName and SwitchName from the XML with the GUIDs in the registry hive: they are identical. SwitchName is a constant UID (one for every Hyper-V switch) and is the same for all VMs. PortName identifies each dedicated port (a port is an interpretation of the term “Virtual Adapter”) on the Hyper-V virtual switch.
Note: HKLM\System\CurrentControlSet\Services is also the registry hive where Hyper-V keeps general settings for Integration Services and VMMS.
Note: if you disconnect a VM from a Hyper-V switch, only the “IsConnected” flag in the XML configuration file changes from True to False (PortName and SwitchName keep their last values). If you reconnect the VM, VMMS rewrites the XML with a completely new PortName UID.
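The PortName/SwitchName correlation described above, as an added example (not code from the original post): it reads the connection values from a VM configuration XML and checks whether the matching key exists under the SwitchList registry path quoted on this page. The sample XML is constructed; its wrapper element names and the helper name Get-VmPortRegistryMap are assumptions.

```powershell
# Constructed sample, not a real VM file: element names other than PortName,
# SwitchName and IsConnected are assumptions. The GUIDs are the ones quoted on this page.
$sampleXml = [xml]@'
<configuration>
  <connection>
    <IsConnected type="bool">True</IsConnected>
    <PortName type="string">6FAC595A-2507-4690-A840-5746B09D81A1</PortName>
    <SwitchName type="string">FDDD2A3C-85E3-4807-9E28-7A40C8D494A7</SwitchName>
  </connection>
  <connection>
    <IsConnected type="bool">False</IsConnected>
    <PortName type="string"></PortName>
    <SwitchName type="string"></SwitchName>
  </connection>
</configuration>
'@

function Get-VmPortRegistryMap {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][xml]$Config,
        [string]$SwitchList = 'HKLM:\System\CurrentControlSet\Services\VMSMP\Parameters\SwitchList'
    )
    # Select by element name only, so the layout around the connection block does not matter.
    foreach ($port in $Config.SelectNodes('//PortName')) {
        $parent     = $port.ParentNode
        $portName   = ([string]$port.InnerText).Trim()
        $switchName = ([string]$parent.SelectSingleNode('SwitchName').InnerText).Trim()
        $connected  = ([string]$parent.SelectSingleNode('IsConnected').InnerText).Trim()

        # An adapter that was never connected has empty values, so there is no key to look for.
        $key = if ($portName -and $switchName) { "$SwitchList\$switchName\$portName" }

        [pscustomobject]@{
            PortName    = $portName
            SwitchName  = $switchName
            IsConnected = $connected
            RegistryKey = $key
            KeyExists   = if ($key) { Test-Path -LiteralPath $key } else { $false }
        }
    }
}

# For a real VM, pass ([xml](Get-Content -Raw <path to VM_GUID.xml>)) instead of the sample.
Get-VmPortRegistryMap -Config $sampleXml | Format-List
```

Run on the Hyper-V host itself; a row with a PortName but KeyExists = False marks a port recorded in the XML that has no key under SwitchList.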
VMMS creates a new subhive under the virtual switch hive,
HKLM\System\CurrentControlSet\Services\VMSMP\Parameters\SwitchList\FDDD2A3C-85E3-4807-9E28-7A40C8D494A7\6FAC595A-2507-4690-A840-5746B09D81A1\Properties\{952c5004-4465-451c-8cb8-fa9ab382b773}, to keep the VLAN settings for PortName 6FA.. on the switch with UID FDDD…
VMMS also updates the XML file with feature references and a data block for VLANs (feature ID = UID of the created RegValues):
“Mirror of configuration” in the Registry (VLAN Settings in the REG_BINARY):
How was it in 2008 R2?
In 2008 R2 the VM “mirror of configuration” in the registry was different (I would even say “completely different”). When you create a VM and connect it to the virtual switch, VMMS updates the PortName and SwitchName values in the XML and creates new RegValues in the registry; the only difference is that the VLAN settings are (mostly) stored in the registry in plain form (REG_DWORD). Within the XML we see only references to the GUIDs of these parameters: no VLAN settings and no features with data blocks.
REG_DWORD values for VLAN settings (AccessVlanId = VLAN ID in the VM network adapter properties):
Ok, so what? As you know, the main difference between VM import/export in 2008 R2 and 2012 is that 2008 R2 requires the EXP file for a successful import (in 2012/R2 we do not need it). The EXP file is created while exporting the VM and provides additional configuration information (guess what!?).
Hint (excerpt from exp-file for VM with VlanID 25):