SQL Server with Mr. Denny

Jan 7 2014   8:46AM GMT

SQL 2012 Cluster, Windows 2012 R2 OS, Windows 2008 R2 Domains



Posted by: Denny Cherry
Tags:
Allan Hirt
AlwaysOn
Clustering
Database
Database Administration
DataCenter
Error 1069
Error 1194
High Availability
Microsoft Cluster Service
Microsoft Windows
MSCS
SQL Server
SQL Server 2012
SQL Server 2014
Windows 2008 R2
Windows 2012 R2

Recently I was installing SQL Server 2012 on a new Windows 2012 R2 cluster for a client and ran across a bit of a problem. When the SQL Installer was attempting to start SQL Server for the first time SQL Server was throwing Windows errors 1069 and 1194 which basically say…

Cluster network name resource ‘%1′ failed to create its associated computer object in domain ‘%2′ for the following reason: %3.

The text for the associated error code is: %4

Please work with your domain administrator to ensure that:
- The cluster identity ‘%5′ can create computer objects. By default all computer objects are created in the ‘Computers’ container; consult the domain administrator if this location has been changed.
- The quota for computer objects has not been reached.
- If there is an existing computer object, verify the Cluster Identity ‘%5′ has ‘Full Control’ permission to that computer object using the Active Directory Users and Computers tool.

What this basically means is that the account which is trying to create the computer account within the domain doesn’t have the correct permissions needed to create the account. Now in this case the domain has a domain group called “Add Computers To The Domain” which has the “Create Computer” right in all OUs within Active Directory. Adding the CLUSTER$ account for this cluster to this group did nothing. The reason for this is because this group has only a single right “Create Computer”. For Windows 2012 R2 clusters to be able to successfully create computer objects in Active Directory the CLUSTER$ account needs to have what is considered to be “Read” permissions. Specifically this is three different permissions on the OU which are:

  • List Contents
  • Read all properties
  • Read Permissions

In addition this account needs to “Create Computer” right as well.

My solution in this case was to create a new group in Active Directory and grant that group these four rights to the group. This way if the problem comes up again for new clusters (which I’m sure that it will) the fix will simply be to drop the computer account for the cluster into the group, wait for domain replication to finish, then try starting the client access point again.

My solution in this case was to grant the domain group rights to the OU which the SQL Server objects where going to be created in within Active Directory. For some reason when attempting to grant this permission through a group the permission wasn’t granted correctly.

Much thanks to Allan Hirt (@SQLHA) for validating that I’m not crazy and that these were the correct permissions at midnight my time which was 3am his time.

Denny

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: