Rights needed for user account to create a Cluster Name Object (CNO) on Windows Server 2008 R2 Failover Cluster
As discussed in previous blogs and articles, there is no longer a Cluster Service account in Failover Clustering. However, there are still some rights needed in Active Directory. The rights of the logged-on user and the Cluster Name Object are part of these rights. This blog is only going to cover the rights of the logged-on user.
Cluster Validation is a set of tests that are run to verify that the Failover Cluster will be supported and to surface any configuration issues that need to be corrected. For the purposes of this blog, I want to discuss the single test “Validate Active Directory Configuration” under System Configuration. This test validates that the logged-on user can create accounts in Active Directory. When creating a Failover Cluster, the currently logged-on user is used to create the Cluster Name Object (CNO), so that user must have the rights to do it. If it does not, you will see the below in the Validation Report.
Validate Active Directory Configuration Validate that all the nodes have the same domain, domain role, and organizational unit. The user running validate, does not have permissions to create computer objects in the “x” domain. To successfully create a cluster either, the installer must have the privileges needed to create computer objects in the default container for computers, or a computer object must be pre-created by a domain administrator. The user creating the cluster requires the ‘Create Computer Object’ permission on the container where computer objects are created in the domain. If the default container has been modified, then this privilege will need to be granted to the user for the new container. If a pre-existing computer object is used, please ensure that the computer object is in a Disabled state and that the user creating the cluster has ‘Full Control’ permission to that computer object using the Active Directory Users and Computers tool prior to creating the cluster.
If you were to not run Validation and try to create a Failover Cluster, you would receive this error if the account does not have the proper permissions.
As we discussed, we are using the logged-on user to create the computer object. So, we must look at the rights that the logged-on user has. As per our documentation on the rights needed, we say this.
Steps for configuring the account for the person who installs the cluster
Membership in the Domain Admins group, or equivalent, is the minimum required to complete this procedure. In addition, your account must be in the local Administrators group on all the servers that will be nodes in the failover cluster.
Now, there are numerous organizations that do not have Domain Administrators create Failover Clusters. So, the question becomes: exactly what are the “equivalent” rights needed for this user? Below are the rights that are needed on the OU.
- Create Computer Objects
- Read All Properties
With the above rights, Cluster Validation will pass and the Cluster object can be created.
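As an added example (not part of the original post), the following PowerShell delegates exactly those two rights to a group of cluster installers on a dedicated OU and then reads the resulting ACEs back, so the installer never needs Domain Admins membership. The OU distinguished name and group name are assumed placeholders; it needs the RSAT ActiveDirectory module and an account allowed to modify the OU's security descriptor.

```powershell
# Added example: delegate "Create Computer Objects" and "Read All Properties"
# on an OU to a cluster-installer group, then verify the ACEs.
# OU and group below are assumed placeholders; replace them for your domain.
Import-Module ActiveDirectory

$OuDn  = "OU=Clusters,DC=contoso,DC=com"   # assumed OU where CNOs will be created
$Group = "CONTOSO\ClusterInstallers"       # assumed group of people who build clusters

# Resolve the group to a SID for the access rules
$Sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# schemaIDGUID of the 'computer' class: restricts CreateChild to computer objects only
$ComputerClassGuid = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"

$acl = Get-Acl -Path "AD:\$OuDn"

# "Create Computer Objects" = CreateChild limited to the computer class,
# applied to this OU and any child OUs
$createComputer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ComputerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# "Read All Properties" = ReadProperty with no property GUID (i.e. all properties)
$readAllProperties = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl.AddAccessRule($createComputer)
$acl.AddAccessRule($readAllProperties)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Verify: show only the ACEs that apply to the installer group on the OU.
# Expect one CreateChild entry scoped to the computer class GUID and one ReadProperty entry.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, AccessControlType
```

Scoping CreateChild to the computer class and to a dedicated OU, rather than granting it on the default Computers container, keeps the delegation to the minimum the Validation test and cluster creation actually require.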