Rights needed for user account to create a Cluster Name Object (CNO) on Windows Server 2008 R2 Failover Cluster
A CNO is automatically created during cluster setup. When the administrator creates a failover cluster and configures clustered services or applications, the Create Cluster Wizard creates all the Active Directory computer accounts the failover cluster requires and gives each account specific permissions. The wizard also creates a computer account for the failover cluster itself; this account is called the cluster name object.
Question: What permissions do accounts used by failover clusters in Windows Server 2008 need?
Answer: The account used to create the cluster must have administrator rights on the computers that are becoming part of the new cluster and the Create Computer Objects permission on the container where computer accounts are created in the domain. This is because the wizard that creates failover clusters creates the computer account for the new cluster and gives that account the necessary permissions, such as creating computer objects in the domain’s computer account container (which lets the cluster create additional computer accounts for any clustered services or applications).
We must grant the permissions “Read all properties” and “Create Computer objects” to the CNO via the container. Here’s an example of granting the required permissions for demonstration purposes:
1. Open the Active Directory Users and Computers Snap-in (dsa.msc).
2. Locate the “Computers” container.
3. Make sure “Advanced Features” is selected in the View menu.
4. Open the properties of the container and click the “Security” tab. Click “Add” and add the CNO. Make sure the “Computers” option is selected in the “Object Types” window, otherwise the CNO will not be found.
5. Click “Advanced”, highlight the CNO, and click “Edit”.
6. Make sure “Read all properties” and “Create Computer objects” are checked. Click OK until you are back at the AD Users and Computers window.
7. Retry your previously failed installation. Note that with SQL Server 2012 there will be a “retry” button.
As discussed in previous blogs and articles, there is no longer a Cluster Service account in Failover Clustering. However, some rights are still needed in Active Directory: those of the logged-on user and those of the Cluster Name Object. This blog is only going to cover the rights of the logged-on user.
Cluster Validation is a set of tests that are run to verify that the Failover Cluster will be supported and to find configuration issues that need to be corrected. For the purposes of this blog, I want to discuss the single test “Validate Active Directory Configuration” under System Configuration. This test validates that the logged-on user can create accounts in Active Directory. When creating a Failover Cluster, the currently logged-on user is used to create the Cluster Name Object (CNO), so that user must have the rights to do it. If it does not, you will see the below in the Validation Report.
Validate Active Directory Configuration
Validate that all the nodes have the same domain, domain role, and organizational unit.
The user running validate, does not have permissions to create computer objects in the “x” domain.
To successfully create a cluster either, the installer must have the privileges needed to create computer objects in the default container for computers, or a computer object must be pre-created by a domain administrator.
The user creating the cluster requires the ‘Create Computer Object’ permission on the container where computer objects are created in the domain. If the default container has been modified, then this privilege will need to be granted to the user for the new container.
If a pre-existing computer object is used, please ensure that the computer object is in a Disabled state and that the user creating the cluster has ‘Full Control’ permission to that computer object using the Active Directory Users and Computers tool prior to creating the cluster.
If you skipped Validation and tried to create a Failover Cluster anyway, you would receive an error at creation time if the account does not have the proper permissions.
As discussed, the logged-on user is used to create the computer object, so we must look at the rights that the logged-on user has. Our documentation on the rights needed says this:
Steps for configuring the account for the person who installs the cluster
Membership in the Domain Admins group, or equivalent, is the minimum required to complete this procedure. In addition, your account must be in the local Administrators group on all of the servers that will be nodes in the failover cluster.
Now, there are numerous organizations that do not have Domain Administrators create Failover Clusters. So the question becomes: exactly what are the “equivalent” rights that are needed for this user? Below are the rights that are needed on the OU (or container) where computer objects are created.
o Create Computer Objects
o Read All Properties
With the above rights, Cluster Validation will pass and the Cluster object can be created.
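The same two rights come up twice in this post: on the CNO (steps 1 to 7 above) and on the user who installs the cluster. The PowerShell below is an added example, not the article's own code, that grants “Read all properties” and “Create Computer objects” on a container to any principal with the RSAT ActiveDirectory module; the account name 'clusteradmin', the CNO name 'CLUSTER01' and the use of the default Computers container are placeholder assumptions.

```powershell
# Added example: grant the two rights this post describes to a principal
# on the container where computer objects are created (GUI steps 1-7 as code).
Import-Module ActiveDirectory

function Grant-ClusterContainerRights {
    param(
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [Parameter(Mandatory)][string]$ContainerDN
    )
    # schemaIDGUID of the "computer" class, so CreateChild is limited to
    # computer objects rather than "create any child object".
    $schemaNC      = (Get-ADRootDSE).schemaNamingContext
    $computerClass = Get-ADObject -SearchBase $schemaNC `
                        -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
    $computerGuid  = [Guid]$computerClass.schemaIDGUID

    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $rights  = [System.DirectoryServices.ActiveDirectoryRights]
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
    $acl     = Get-Acl -Path "AD:\$ContainerDN"

    # "Read all properties" on the container itself (scope is an assumption;
    # widen to $inherit::All if the GUI's "applies to" setting was wider).
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $rights::ReadProperty, $allow, $inherit::None)))
    # "Create Computer objects" on the container itself
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $rights::CreateChild, $allow, $computerGuid, $inherit::None)))
    Set-Acl -Path "AD:\$ContainerDN" -AclObject $acl
}

# Placeholder: default Computers container; change if computers are redirected to an OU.
$container = "CN=Computers,$((Get-ADDomain).DistinguishedName)"

# 1) The installing user needs both rights before Validation / Create Cluster runs.
$installer = Get-ADUser -Identity 'clusteradmin'            # placeholder account
Grant-ClusterContainerRights -Sid $installer.SID -ContainerDN $container

# 2) Once the CNO exists, it needs the same rights to create objects for clustered roles.
$cno = Get-ADComputer -Identity 'CLUSTER01'                  # placeholder CNO name
Grant-ClusterContainerRights -Sid $cno.SID -ContainerDN $container

# Verify the resulting ACEs for both principals.
(Get-Acl -Path "AD:\$container").Access |
    Where-Object { $_.IdentityReference -match 'clusteradmin|CLUSTER01' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```

Run it as an account that can modify the container's ACL (typically a domain administrator); the final listing should show a ReadProperty ACE and a CreateChild ACE whose ObjectType is the computer class GUID for each principal.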
Article from: https://blogs.technet.microsoft.com/askcore/2010/06/02/rights-needed-for-user-account-to-create-a-cluster-name-object-cno-on-windows-server-2008-r2-failover-cluster/