
June 1, 2015 at 11:06 am

I need to create a listener for a SQL cluster, and I'm getting the error which is common, and it's:
The WSFC cluster could not bring the Network Name resource with DNS name " online. The DNS name may have been taken or have a conflict wit....

There is a solution, which is adding some permissions to the cluster CNO. Can that change be done in PowerShell?
One other option is:

Option # 2 Pre-Stage the VCO

This option is useful in situations where the domain administrator does not allow the CNO the “Read All Properties” and “Create Computer objects” permissions:

1. Ensure that you are logged in as a user that has permissions to create computer objects in the domain.

2. Open the Active Directory Users and Computers Snap-in (dsa.msc).

3. Right-click View and select "Advanced Features."


4. Right click the OU/Container you want the VCO to reside in and click “New” -> “Computer.” In the example below, we are creating the listener object in the Computers container.

5. Provide a name for the object (this will be your listener name) and click “OK."

6. Right click the VCO you just created and select “Properties”. Click the Security tab.

7. Under the Security tab, click the Add button. Enter the cluster name object (CNO). In this example, it is agcluster$. Click the Object Types button. Select Computers and click OK.

8. Highlight the CNO, check the following permissions, and click “OK” (alternatively, choose Full Control)

Allowed To Authenticate
Change Password
Receive As
Reset Password
Send As
Validate write To DNS Host Name
Validate Write To Service Principal Name
Read Account Restrictions
Write Account Restrictions
Read DNS Host Name Attributes
Read MS-TS-GatewayAccess
Read Personal Information
Read Public Information

9. Attempt to create the availability group listener.

June 1, 2015 at 11:51 am

I'm not sure what your question is. Typically, you have to create a pre-staged computer account because the wizards that create the clusters are running as SYSTEM and don't have the correct permissions in AD to create the account. You either delegate permissions on the OU so that the computer account of the server has access to create the computer account, or you have to create a computer account to pre-stage the cluster name so that, when you re-run the wizard, SYSTEM will have access to manipulate that cluster computer account. This has nothing to do with PowerShell, so if you can't figure it out it's better to post on a Server 2012 forum or one related to cluster creation.

June 1, 2015 at 12:26 pm

The question I have is how to grant that permission for the CNO cluster name, because the whole cluster build is in PowerShell; the listener is sitting on top of the cluster. I can set those permissions for that CNO as described in the above blog, but I want to do that in PowerShell instead of the GUI.

If we have the CNO name called MyDomain\WINCLUSTER$, what are the commands to grant those permissions?


June 1, 2015 at 12:34 pm

It's Active Directory Delegation, so search for "Powershell Active Directory Delegation". You would have to decide which method would work for you and test, but this looked close to what you would do:

I don't know how often you would create clusters that you need to automate it, but doing this in the GUI would take a minute and writing a script to do it is probably going to take a couple of hours of dev and testing.

June 1, 2015 at 3:37 pm

I recently worked on a DSC resource that applies the necessary permissions to the ADComputer object. Here is a script from it that should work for you. You provide the cluster name computer account to give "ownership" of the target computer account.

#requires -Version 4
#requires -Module ActiveDirectory

param (
    # sAMAccountName of the cluster name object (CNO), e.g. WINCLUSTER or WINCLUSTER$
    [Parameter(Mandatory = $true)]
    [string] $ClusterName,

    # sAMAccountName of the pre-staged computer object (the listener VCO) the CNO should "own"
    [Parameter(Mandatory = $true)]
    [string] $ComputerName
)

function New-ADAccessRule {
    param (
        [Parameter(Mandatory = $true)]
        [System.Security.Principal.NTAccount] $IdentityReference,

        [Parameter(Mandatory = $true)]
        [System.DirectoryServices.ActiveDirectoryRights] $Rights,

        [System.Security.AccessControl.AccessControlType] $Type = [System.Security.AccessControl.AccessControlType]::Allow,

        # Empty GUID = the right applies to the whole object (all properties / all extended rights)
        [Guid] $ObjectType = [Guid]::Empty,

        [System.DirectoryServices.ActiveDirectorySecurityInheritance] $Inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None,

        [Guid] $InheritedObjectType = [Guid]::Empty
    )

    New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($IdentityReference, $Rights, $Type, $ObjectType, $Inheritance, $InheritedObjectType)
}

function Get-ADClusterComputerAccessRules {
    param (
        [Parameter(Mandatory = $true)]
        [System.Security.Principal.NTAccount] $IdentityReference
    )

    # The ObjectType GUIDs are the schema / property-set / validated-write GUIDs of the rights listed in step 8 above.
    New-ADAccessRule -IdentityReference $IdentityReference -Rights 'DeleteTree, ExtendedRight, Delete, GenericRead'                   # all extended rights (Allowed to Authenticate, Change/Reset Password, Send/Receive As) plus generic read
    New-ADAccessRule -IdentityReference $IdentityReference -Rights WriteProperty -ObjectType '4c164200-20c0-11d0-a768-00aa006e0529'   # User-Account-Restrictions (write account restrictions)
    New-ADAccessRule -IdentityReference $IdentityReference -Rights Self -ObjectType 'f3a64788-5306-11d1-a9c5-0000f80367c1'            # Validated write to Service-Principal-Name
    New-ADAccessRule -IdentityReference $IdentityReference -Rights Self -ObjectType '72e39547-7b18-11d1-adef-00c04fd8d5cd'            # Validated write to DNS-Host-Name
    New-ADAccessRule -IdentityReference $IdentityReference -Rights WriteProperty -ObjectType '3e0abfd0-126a-11d0-a060-00aa006c33ed'   # SAM-Account-Name
    New-ADAccessRule -IdentityReference $IdentityReference -Rights WriteProperty -ObjectType 'bf967953-0de6-11d0-a285-00aa003049e2'   # Display-Name
    New-ADAccessRule -IdentityReference $IdentityReference -Rights WriteProperty -ObjectType 'bf967950-0de6-11d0-a285-00aa003049e2'   # Description
    New-ADAccessRule -IdentityReference $IdentityReference -Rights WriteProperty -ObjectType '5f202010-79a5-11d0-9020-00c04fc2d4cf'   # User-Logon property set
}

$Cluster           = Get-ADComputer -Identity $ClusterName
$Computer          = Get-ADComputer -Identity $ComputerName
$AclPath           = "AD:\$($Computer.DistinguishedName)"
$Acl               = Get-Acl -Path $AclPath
$IdentityReference = New-Object System.Security.Principal.NTAccount ((Get-ADDomain).NetBIOSName, $Cluster.SamAccountName)

$ExpectedAccessRules = @(Get-ADClusterComputerAccessRules -IdentityReference $IdentityReference)
$CurrentAccessRules  = @($Acl.Access | Where-Object { $_.IdentityReference -eq $IdentityReference })

# Compare on the fields that define an ACE; -PassThru keeps the real rule objects so they can be added to the ACL.
$MissingAccessRules = @(Compare-Object -ReferenceObject $CurrentAccessRules -DifferenceObject $ExpectedAccessRules `
    -Property ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType -PassThru |
    Where-Object SideIndicator -eq '=>')

foreach ($Rule in $MissingAccessRules) {
    $Acl.AddAccessRule($Rule)
}

# Only write back when something was actually missing (keeps the script idempotent)
if ($MissingAccessRules.Count -gt 0) {
    Set-Acl -Path $AclPath -AclObject $Acl
}

June 2, 2015 at 11:27 am

Thank you so much, I didn't use the DSC in the past , I will test it and let you know.

Thanks again.

June 4, 2015 at 7:37 am

Adam, did you ever build a Windows cluster with DSC? I hope it won't be complicated.

June 4, 2015 at 9:48 am

Yes I did. I had to create several custom resources to handle our build, things like configuring iSCSI, as we use that for SAN storage, to adding the custom roles and resources to the cluster we regularly use. It was about 2 weeks' worth of piecing it together, but in the end I am able to deploy cluster solutions with DSC without much trouble now.

June 6, 2015 at 11:27 am


The problem I have is that the OU is different from the default. How can I make the OU a parameter as well?


June 9, 2015 at 5:42 am

So this script assumes the computer account has been created before it is run. You can use the New-ADComputer cmdlet to create the computer account where you want it.
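As an added PowerShell example (not code from this thread or from Adam's DSC resource), the two pieces the thread leaves to the reader: pre-staging the listener VCO in a chosen OU with New-ADComputer (steps 4 and 5 of the GUI procedure in the first post, with the OU as a parameter as asked above), and a read-only check that lists which rights the CNO actually holds on that VCO, resolving the object-type GUIDs to names from the forest's own schema and Extended-Rights container instead of hard-coding them. The listener name, CNO name and OU distinguished name are placeholders; the functions New-PreStagedVco, Get-ADRightsGuidMap and Get-VcoAccessReport are this example's own. Granting the rights themselves is the job of step 8 or the permission script posted earlier in the thread; this block only creates the object and verifies the result.

```powershell
#requires -Version 4
#requires -Module ActiveDirectory

# Placeholder values (assumptions); replace with your own.
$ListenerName = 'AGLISTENER'                              # VCO / listener name
$ClusterName  = 'WINCLUSTER'                              # CNO sAMAccountName, trailing $ optional
$TargetOu     = 'OU=SQL Clusters,DC=mydomain,DC=local'    # OU the VCO should live in

function New-PreStagedVco {
    # Create the listener's computer object in the requested OU, or return the one that already exists.
    param (
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)] [string] $Path      # distinguished name of the target OU
    )
    $sam      = "$Name`$"
    $existing = Get-ADComputer -Filter "SamAccountName -eq '$sam'"
    if ($existing) {
        if ($existing.DistinguishedName -notlike "*,$Path") {
            Write-Warning "$sam already exists at $($existing.DistinguishedName), not under $Path"
        }
        return $existing
    }
    # Enabled, as the ADUC New > Computer dialog creates it; the cluster takes the object over when the listener is created.
    New-ADComputer -Name $Name -Path $Path -Enabled $true -Description 'Pre-staged AG listener (VCO)' -PassThru
}

function Get-ADRightsGuidMap {
    # Map rightsGuid / schemaIDGUID values to names so ACEs can be reported in the wording of the GUI's permission list.
    $map  = @{}
    $root = Get-ADRootDSE
    Get-ADObject -SearchBase $root.configurationNamingContext -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid, displayName |
        ForEach-Object {
            $guid = [Guid] $_.rightsGuid
            $map[$guid] = $_.displayName          # extended rights, property sets and validated writes
        }
    Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties schemaIDGUID, lDAPDisplayName |
        ForEach-Object {
            $guid = New-Object Guid (,[byte[]] $_.schemaIDGUID)   # schemaIDGUID is stored as an octet string
            $map[$guid] = $_.lDAPDisplayName      # individual attributes and classes
        }
    $map
}

function Get-VcoAccessReport {
    # List every ACE the CNO has on the VCO. A property set and its validated write can share a GUID
    # (e.g. DNS host name); the Rights column (ReadProperty/WriteProperty vs Self) tells them apart.
    param (
        [Parameter(Mandatory = $true)] [string] $VcoName,
        [Parameter(Mandatory = $true)] [string] $CnoName
    )
    $vco        = Get-ADComputer -Identity $VcoName
    $cno        = Get-ADComputer -Identity $CnoName
    $cnoAccount = "$((Get-ADDomain).NetBIOSName)\$($cno.SamAccountName)"
    $names      = Get-ADRightsGuidMap
    $acl        = Get-Acl -Path "AD:\$($vco.DistinguishedName)"

    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $cnoAccount } |
        ForEach-Object {
            $appliesTo = if ($_.ObjectType -eq [Guid]::Empty) { '(all)' }
                         elseif ($names.ContainsKey($_.ObjectType)) { $names[$_.ObjectType] }
                         else { $_.ObjectType.ToString() }
            [pscustomobject] @{
                Principal = $_.IdentityReference.Value
                Type      = $_.AccessControlType
                Rights    = $_.ActiveDirectoryRights
                AppliesTo = $appliesTo
                Inherited = $_.IsInherited
            }
        }
}

$vco = New-PreStagedVco -Name $ListenerName -Path $TargetOu
"Pre-staged VCO: $($vco.DistinguishedName)"

# After granting the CNO its rights (GUI step 8 or the permission script), confirm what it ended up with.
Get-VcoAccessReport -VcoName $ListenerName -CnoName $ClusterName | Format-Table -AutoSize
```

An empty report means the CNO has no explicit ACEs on the VCO at all, which is exactly the state that produces the "could not bring the Network Name resource ... online" error from the first post; entries with Rights of GenericAll correspond to the "Full Control" shortcut in step 8.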