Fix: Adding special permissions to the cluster computer object failed

Scenario

You have two or more up-to-date 2012 R2 nodes and want to create a new failover cluster. The logged-on user is a Domain Admin.

You install the required features:

Install-WindowsFeature FailoverClustering -IncludeManagementTools

Run the validation tests, and they are all green:

Test-Cluster -Node node1,node2

Create the cluster:

New-Cluster -Name TestCluster -Node node1,node2 -StaticAddress 192.168.1.100 -NoStorage

and you receive:

Adding special permissions to the computer object failed. Trying to add ‘Full-Access’ permissions for security principal to computer object CN=,OU=,DC=,DC= failed. Verify that the user running create cluster has permissions to update the computer object in Active Directory Domain Services. The parameter is incorrect.

  • Steps for prestaging the required objects don’t work either.
  • Changing user rights or adding a new user for cluster creation –> no luck
  • No time synchronization issues between nodes and DCs
  • Networks are configured properly
  • Validation tests are all “green”
  • Firewall is disabled

Solution

1. Create a new computer object for the cluster name (go to ADUC –> your OU –> New –> Computer)

3. Turn on the Advanced Features view

4. Right-click the CNO (the computer object for the new cluster), go to the Security tab –> select Advanced

5. Click on “Disable Inheritance” (for 2012/2012 R2) or clear “Allow inheritable permissions from parent to propagate to this object and all the child objects” (2008/2008R2) and “Remove all inherited permissions from this object”

6. Right-click the new cluster name (the prestaged computer object from step 1) and disable it

7. Go back to the failover cluster wizard and try to create the cluster again
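
The same prestaging steps can be scripted. This is an added example, not part of the original post: it assumes the RSAT ActiveDirectory module is installed, reuses the cluster name TestCluster from the scenario, and uses a placeholder OU path that you must replace.

```powershell
# Added example: scripted equivalent of the ADUC steps above.
# Assumption: RSAT ActiveDirectory module is available; run as a user allowed
# to create computer objects in the target OU and to change their ACLs.
Import-Module ActiveDirectory          # also provides the AD: drive for Get-Acl/Set-Acl

$ClusterName = 'TestCluster'                       # cluster name from the scenario
$OuPath      = 'OU=Clusters,DC=example,DC=com'     # placeholder: replace with your OU

# Steps 1 and 6: create the computer object (CNO) for the cluster name, disabled.
$cno = New-ADComputer -Name $ClusterName -SamAccountName $ClusterName `
                      -Path $OuPath -Enabled $false -PassThru

# Steps 4 and 5: disable inheritance and remove the inherited permissions.
$adPath = "AD:\$($cno.DistinguishedName)"
$acl    = Get-Acl -Path $adPath

# Record what is about to be dropped so the change can be reviewed later.
$inheritedBefore = @($acl.Access | Where-Object IsInherited)

# First argument  $true  : protect the object from inheritance.
# Second argument $false : do not keep inherited ACEs as explicit copies.
$acl.SetAccessRuleProtection($true, $false)
Set-Acl -Path $adPath -AclObject $acl

# Verify the resulting state before returning to New-Cluster.
$check = Get-Acl -Path $adPath
[pscustomobject]@{
    CNO                 = $cno.DistinguishedName
    Enabled             = (Get-ADComputer -Identity $cno).Enabled
    InheritanceDisabled = $check.AreAccessRulesProtected
    InheritedAcesBefore = $inheritedBefore.Count
    InheritedAcesAfter  = @($check.Access | Where-Object IsInherited).Count
}
```

Removing the inherited entries also removes any access that was delegated at the OU level, so keep the recorded `$inheritedBefore` list if other administrators rely on that delegation.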

RDS: Unable to connect to the server by using Windows PowerShell Remoting

Scenario

You are trying to install RDS 2012 R2 (in either quick or standard mode) and get an error during the compatibility check:

Unable to connect to the server by using Windows PowerShell remoting.

  • Server is joined to domain
  • Server is running on 2012 R2 up-to-date
  • Current user is a member of the “Administrators” group (lusrmgr.msc -> Groups)
  • PowerShell is configured to receive remote queries (Enable-PSRemoting)
  • Remote Desktop Services are not forbidden in GPOs (default policies)
  • Remote management is enabled in Server Manager (servermanager -> local server -> remote management)
  • Firewall rules for remote management are enabled (Get-NetFirewallRule *winmgmt*|select name,enabled)
  • There are no network and time synchronization issues between this server and my environment

Solution

If you ping the server, you may notice the IPv6 name format (in my case). Windows Server management consoles don’t like it in my case (any thoughts/comments?). So turn off IPv6 (if you are not using it) on your network adapter. I think unchecking “register this connection in the DNS” and ipconfig /flushdns work too, but I did not try.

I have had a lot of VDI deployments but faced this problem for the first time.

Note: the same issue occurred with the Active Directory MMC. There was the wrong status of the Domain Controller in “change domain controller..” (it was Offline). Turning IPv6 ON resolved this behavior. Arguments against disabling IPv6
