Create an object in AD for Clustering

This topic contains 9 replies, has 3 voices, and was last updated by Adam Weigert 2 years, 6 months ago.

  • #25853

    M. Kokoy
    Participant

    I need to create a listener for a SQL cluster, and I'm getting this error, which is common:
    The WSFC cluster could not bring the Network Name resource with DNS name " online. The DNS name may have been taken or have a conflict wit....

    http://blogs.msdn.com/b/alwaysonpro/archive/2014/03/25/create-listener-fails-with-message-the-wsfc-cluster-could-not-bring-the-network-name-resource-online.aspx

    There is a solution, which is adding some permissions to the cluster CNO. Can that change be done in PowerShell?
    One other option is:

    Option # 2 Pre-Stage the VCO

    This option is useful in situations where the domain administrator does not allow the CNO “Read All Properties” and “Create computer Objects” permissions:

    1. Ensure that you are logged in as a user that has permissions to create computer objects in the domain.

    2. Open the Active Directory Users and Computers Snap-in (dsa.msc).

    3. Right-click View and select "Advanced Features."


    4. Right click the OU/Container you want the VCO to reside in and click “New” -> “Computer.” In the example below, we are creating the listener object in the Computers container.

    5. Provide a name for the object (this will be your listener name) and click “OK."

    6. Right click the VCO you just created and select “Properties”. Click the Security tab.

    7. Under Security tab, click the Add button. Enter the cluster named object (CNO). In this example, it is agcluster$. Click the Object Types button. Select Computers and click Ok.

    8. Highlight the CNO, check the following permissions, and click “OK” (alternatively, choose Full Control)

    Read
    Allowed To Authenticate
    Change Password
    Receive As
    Reset Password
    Send As
    Validate write To DNS Host Name
    Validate Write To Service Principal Name
    Read Account Restrictions
    Write Account Restrictions
    Read DNS Host Name Attributes
    Read MS-TS-GatewayAccess
    Read Personal Information
    Read Public Information

    9. Attempt to create the availability group listener.

  • #25854

    Rob Simmers
    Participant

    I'm not sure what your question is. Typically, you have to create a pre-staged computer account because the wizards that create the clusters are running as SYSTEM and don't have the correct permissions in AD to create the account. You either delegate permissions on the OU to the computer account of the server so it has access to create the computer account, or you have to create a computer account to pre-stage the cluster name so that when you re-run the wizard, SYSTEM will have access to manipulate that cluster computer account. This isn't anything to do with PowerShell, so if you can't figure it out it's better to post on a Server 2012 forum or a forum related to cluster creation.

  • #25855

    M. Kokoy
    Participant

    The question is: I have to grant that permission for the CNO cluster name, because the whole cluster build is in PowerShell, and the listener is sitting on top of the cluster. I can set those permissions for that CNO as described in the above blog, but I want to do that in PowerShell instead of the GUI.

    If we have the CNO name called MyDomain\WINCLUSTER$ object, what are the commands to grant those permissions?

    Thanks

  • #25856

    Rob Simmers
    Participant

    It's Active Directory Delegation, so search for "Powershell Active Directory Delegation". You would have to decide which method would work for you and test, but this looked close to what you would do:

    http://blogs.technet.com/b/joec/archive/2013/04/25/active-directory-delegation-via-powershell.aspx

    I don't know how often you would create clusters that you need to automate it, but doing this in the GUI would take a minute and writing a script do it is probably going to take a couple of hours of dev and testing.

  • #25859

    Adam Weigert
    Participant

    I recently worked on a DSC resource that applies the necessary permissions to the ADComputer object. Here is a script from it that should work for you. You provide the cluster name computer account to give "ownership" of the target computer account.

    #requires -Version 4
    #requires -Module ActiveDirectory
    
    # Grants the cluster name object (CNO, $ClusterName) the rights it needs on the
    # pre-staged computer account $ComputerName (the VCO). Both accounts must exist.
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string] $ClusterName,
    
        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string] $ComputerName
    )
    
    function Get-ADClusterComputerAccessRules {
        [CmdletBinding()]
        param
        (
            [Parameter(Mandatory)]
            [ValidateNotNull()]
            [System.Security.Principal.NTAccount] $IdentityReference
        )
    
        # Object-level rights plus the "ownership"-style rights on the account itself
        New-ADAccessRule -IdentityReference $IdentityReference -Rights 'DeleteTree, ExtendedRight, Delete, GenericRead'
        # Property sets / attributes, identified by schema or rights GUID
        New-ADAccessRule -IdentityReference $IdentityReference -Rights WriteProperty -ObjectType '4c164200-20c0-11d0-a768-00aa006e0529'   # User-Account-Restrictions
        New-ADAccessRule -IdentityReference $IdentityReference -Rights Self -ObjectType 'f3a64788-5306-11d1-a9c5-0000f80367c1'            # Service-Principal-Name (validated write)
        New-ADAccessRule -IdentityReference $IdentityReference -Rights Self -ObjectType '72e39547-7b18-11d1-adef-00c04fd8d5cd'            # DNS-Host-Name (validated write)
        New-ADAccessRule -IdentityReference $IdentityReference -Rights WriteProperty -ObjectType '3e0abfd0-126a-11d0-a060-00aa006c33ed'   # SAM-Account-Name
        New-ADAccessRule -IdentityReference $IdentityReference -Rights WriteProperty -ObjectType 'bf967953-0de6-11d0-a285-00aa003049e2'   # Display-Name
        New-ADAccessRule -IdentityReference $IdentityReference -Rights WriteProperty -ObjectType 'bf967950-0de6-11d0-a285-00aa003049e2'   # Description
        New-ADAccessRule -IdentityReference $IdentityReference -Rights WriteProperty -ObjectType '5f202010-79a5-11d0-9020-00c04fc2d4cf'   # User-Logon
    }
    
    function New-ADAccessRule {
        [CmdletBinding()]
        param
        (
            [Parameter(Mandatory)]
            [ValidateNotNull()]
            [System.Security.Principal.NTAccount] $IdentityReference,
    
            [Parameter(Mandatory)]
            [System.DirectoryServices.ActiveDirectoryRights] $Rights,
    
            [System.Security.AccessControl.AccessControlType] $Type = $([System.Security.AccessControl.AccessControlType]::Allow),
    
            [Guid] $ObjectType = $([Guid]::Empty),
    
            [System.DirectoryServices.ActiveDirectorySecurityInheritance] $Inheritance = $([System.DirectoryServices.ActiveDirectorySecurityInheritance]::None),
    
            [Guid] $InheritedObjectType = $([Guid]::Empty)
        )
    
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($IdentityReference,$Rights,$Type,$ObjectType,$Inheritance,$InheritedObjectType)
    }
    
    $Cluster             = Get-ADComputer -Identity $ClusterName
    $Computer            = Get-ADComputer -Identity $ComputerName
    $Acl                 = Get-Acl -Path "AD:\$($Computer.DistinguishedName)"
    # DOMAIN\NAME$ form of the CNO, as it appears in IdentityReference on the ACEs
    $IdentityReference   = New-Object System.Security.Principal.NTAccount (Get-ADDomain).NetBIOSName,$Cluster.SamAccountName
    $ExpectedAccessRules = @(Get-ADClusterComputerAccessRules -IdentityReference $IdentityReference)
    $CurrentAccessRules  = @($Acl.Access | Where-Object IdentityReference -eq $IdentityReference)
    # Compare by the ACE fields that matter; without -Property, Compare-Object falls back to
    # ToString(), which is the same for every ActiveDirectoryAccessRule and reports no difference.
    # -PassThru keeps the original rule objects so they can be added to the ACL.
    $MissingAccessRules  = @(Compare-Object -ReferenceObject $CurrentAccessRules -DifferenceObject $ExpectedAccessRules `
                                -Property ActiveDirectoryRights, ObjectType, AccessControlType, InheritanceType, InheritedObjectType -PassThru |
                             Where-Object SideIndicator -eq '=>')
    
    $MissingAccessRules.ForEach{$Acl.AddAccessRule($_)}
    
    # Only write the DACL back when something was actually missing
    if ($MissingAccessRules.Count -gt 0) {
        Set-Acl -Path "AD:\$($Computer.DistinguishedName)" -AclObject $Acl
    }
    
  • #25889

    M. Kokoy
    Participant

    Thank you so much, I didn't use the DSC in the past , I will test it and let you know.

    Thanks again.

  • #25939

    M. Kokoy
    Participant

    Adam, did you ever build a Windows Cluster with DSC? I hope it won't be complicated.

  • #25943

    Adam Weigert
    Participant

    Yes I did. I had to create several custom resources to handle our build, things like configuring iSCSI, as we use that for SAN storage, and adding the custom roles and resources to the cluster we regularly use. It was about 2 weeks' worth of piecing it together, but in the end I am able to deploy cluster solutions with DSC without much trouble now.

  • #25985

    M. Kokoy
    Participant

    Adam,

    The problem I have is that the OU is different from the default. How can I make the OU a parameter as well?

    Thanks.

  • #26201

    Adam Weigert
    Participant

    So this script assumes the computer account has been created before it is run. You can use New-ADComputer cmdlet to create the computer account where you want it.
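
As an added example (not code from the thread, and not from Adam's DSC resource), the script below puts the last two answers together with the pre-stage procedure from the first post: it creates the listener VCO with New-ADComputer in whichever OU is passed as a parameter, then grants the CNO the step-8 rights. Instead of hard-coding GUIDs, it looks each right up by display name in the forest's CN=Extended-Rights container, which holds extended rights, validated writes and property sets alike, and it stops if a name does not resolve. The listener name, the OU path and the display-name strings are assumptions (the strings are the labels the ACL editor shows); WINCLUSTER$ is the CNO name from the thread. -FullControl reproduces the "alternatively, choose Full Control" shortcut.

```powershell
#requires -Version 4
#requires -Module ActiveDirectory
# Added example: pre-stage a listener VCO in a given OU and grant the CNO the rights
# from step 8 of the pre-stage procedure. Not from the thread or the DSC resource.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string] $ClusterName,   # CNO sAMAccountName, e.g. WINCLUSTER$
    [Parameter(Mandatory)][string] $ListenerName,  # VCO to pre-stage, e.g. SQLLISTENER (assumed)
    [Parameter(Mandatory)][string] $OUPath,        # e.g. OU=Clusters,DC=example,DC=com (assumed placeholder)
    [switch] $FullControl                          # the "alternatively, choose Full Control" option
)

$configNC = (Get-ADRootDSE).configurationNamingContext

# Resolve a right by the display name the ACL editor shows to its rightsGuid.
function Get-RightGuid([string] $DisplayName) {
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
                          -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $right) { throw "Right '$DisplayName' not found in CN=Extended-Rights" }
    [Guid] $right.rightsGuid
}

$AdRights = [System.DirectoryServices.ActiveDirectoryRights]
$Empty    = [Guid]::Empty

# The step-8 checkboxes as (ActiveDirectoryRights, object GUID) pairs:
# extended rights -> ExtendedRight, validated writes -> Self, property sets -> Read/WriteProperty.
$wanted = @(
    @{ Rights = $AdRights::GenericRead;   Guid = $Empty }                                                   # Read
    @{ Rights = $AdRights::ExtendedRight; Guid = Get-RightGuid 'Allowed to Authenticate' }
    @{ Rights = $AdRights::ExtendedRight; Guid = Get-RightGuid 'Change Password' }
    @{ Rights = $AdRights::ExtendedRight; Guid = Get-RightGuid 'Receive As' }
    @{ Rights = $AdRights::ExtendedRight; Guid = Get-RightGuid 'Reset Password' }
    @{ Rights = $AdRights::ExtendedRight; Guid = Get-RightGuid 'Send As' }
    @{ Rights = $AdRights::Self;          Guid = Get-RightGuid 'Validated write to DNS host name' }
    @{ Rights = $AdRights::Self;          Guid = Get-RightGuid 'Validated write to service principal name' }
    @{ Rights = $AdRights::ReadProperty;  Guid = Get-RightGuid 'Account Restrictions' }
    @{ Rights = $AdRights::WriteProperty; Guid = Get-RightGuid 'Account Restrictions' }
    @{ Rights = $AdRights::ReadProperty;  Guid = Get-RightGuid 'DNS Host Name Attributes' }
    @{ Rights = $AdRights::ReadProperty;  Guid = Get-RightGuid 'MS-TS-GatewayAccess' }
    @{ Rights = $AdRights::ReadProperty;  Guid = Get-RightGuid 'Personal Information' }
    @{ Rights = $AdRights::ReadProperty;  Guid = Get-RightGuid 'Public Information' }
)
if ($FullControl) { $wanted = @(@{ Rights = $AdRights::GenericAll; Guid = $Empty }) }

# DOMAIN\NAME$ identity of the CNO, matching IdentityReference on the ACEs
$cno      = Get-ADComputer -Identity $ClusterName
$identity = New-Object System.Security.Principal.NTAccount (Get-ADDomain).NetBIOSName, $cno.SamAccountName

# Pre-stage the VCO in the requested OU (steps 4-5), or reuse it if it already exists there
$vco = Get-ADComputer -LDAPFilter "(name=$ListenerName)" -SearchBase $OUPath
if (-not $vco) {
    Write-Verbose "Pre-staging $ListenerName in $OUPath"
    $vco = New-ADComputer -Name $ListenerName -Path $OUPath -PassThru
}

$path  = "AD:\$($vco.DistinguishedName)"
$acl   = Get-Acl -Path $path
$added = 0
foreach ($w in $wanted) {
    # Idempotent: skip ACEs the CNO already holds with the same rights and object GUID
    $exists = $acl.Access | Where-Object {
        $_.IdentityReference -eq $identity -and $_.ActiveDirectoryRights -eq $w.Rights -and
        $_.ObjectType -eq $w.Guid -and $_.AccessControlType -eq 'Allow'
    }
    if ($exists) { continue }
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule (
        $identity, $w.Rights, [System.Security.AccessControl.AccessControlType]::Allow, $w.Guid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
    $added++
}
if ($added -gt 0) { Set-Acl -Path $path -AclObject $acl }

# Verify by re-reading the DACL: what the CNO now holds on the VCO
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -eq $identity } |
    Select-Object ActiveDirectoryRights, ObjectType, AccessControlType |
    Format-Table -AutoSize
```

Run it as an account that can create computer objects in the target OU and write the VCO's DACL, for example `.\Grant-ListenerVco.ps1 -ClusterName 'WINCLUSTER$' -ListenerName SQLLISTENER -OUPath 'OU=Clusters,DC=example,DC=com' -Verbose` (the file name and values are placeholders). Resolving GUIDs from Extended-Rights means the same script works in any forest, and the final Get-Acl read-back is the check to keep: if the listener creation still fails afterwards, the ACE list shows whether the rights landed on the object the cluster is actually trying to bring online.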
