How to resolve Cluster account permission issues

Can anyone advise please?

I am in the process of creating a SQL 2016 SP2 SQL FCI. The WSFC was created by the server team and handed over to me. I ran the cluster configuration validation tests and got the following warning:

"The cluster network name xxx does not have Create Computer Objects permissions on the Organizational Unit OU=xxx …. This can result in issues during the creation of additional network names in this OU"

As it was only a warning, I decided to attempt the SQL installation regardless. On first attempt, it wouldn’t let me create the SQL Cluster virtual network name until the Domain admin gave me the create computer objects rights in AD. After that I passed that stage and ran the installation to the end. However, at the tail end I got an error:

"Error installing SQL Server Database Engine Service Features.
The cluster resource ‘SQL Server’ could not be brought online due to an error bringing the dependency resource ‘SQL Network Name (abc)’ online. Refer to Cluster Events in the Failover Cluster Manager for more information. Error code:0x86D80058"

Cluster Events:
Cluster network name resource failed registration of one or more associated DNS name(s) because the access to update the secure DNS Zone was denied.
Cluster Network name: ‘Cluster Name’
DNS Zone: ‘xyz

Ensure that cluster name object (CNO) is granted permission to the Secure DNS Zone.

So, from my research, it would seem that the warning given by the cluster configuration validation tests is the cause of the problem. My question therefore is how to fix the problem. Does the server admin’s account used in creating the windows cluster need to be a domain admin? Or just giving them create computer objects is enough? I think they already have create computer objects, so I’m not sure if they need to be domain admins? Will giving them Read All Properties in addition to Create Computer objects fix the issue? Kindly advise please.

Lastly, when the correct permission has been given, how do I fix the errors in the SQL installation? Do I need to uninstall it or is there a quicker way? What impact could uninstall have when I come to re-install? Is there anything I need to watch out for in uninstalling?

Thank you.

How to solve:

Method 1

Please try granting the Create Computer objects permission to the cluster name machine object at the OU level (the OU where you placed the cluster machine object).

Make sure the cluster machine Object has been granted the Read all Properties permission.

Ref:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731002(v=ws.10)?redirectedfrom=MSDN

If you face the DNS registration error again, it can come from different sources.
One common case is that there is a static DNS reservation on the domain controller.

  • Identify the source of the static reservation and try to ensure that
    this does not happen again. Cluster DNS records should be dynamic.
  • Identify the static DNS record in your Active Directory Integrated
    DNS forward lookup zone. Ask for help from your DNS or AD team if
    necessary.
  • Delete the static record.
  • Take the Cluster Name Object representing the DNS record offline in
    Failover Cluster Manager. Be aware that any dependent resources will
    also go offline.
  • Bring everything back online. This should trigger a new DNS registration
    attempt. You could also wait for the cluster to attempt this
    automatically, but client connections may fail while you are waiting.
  • Verify that the DNS record is created as a dynamic record. It should
    have a current Timestamp.
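
The two things the answer asks you to verify (the cluster name object's permissions on the OU, and whether the cluster's DNS records are static or dynamic) can be checked read-only from PowerShell. This is an added example, not part of the original answer; it assumes the RSAT ActiveDirectory and DnsServer modules are installed, and every OU, host, zone and server name in it is a placeholder.

```powershell
# Added example, read-only. Every name below is a placeholder (assumption).
Import-Module ActiveDirectory, DnsServer

$OuDn      = 'OU=Clusters,DC=example,DC=com'  # OU holding the cluster computer objects
$CnoName   = 'CLUSTER01'                      # cluster name object (CNO)
$SqlVnn    = 'SQLVNN01'                       # SQL Server network name
$Zone      = 'example.com'                    # AD-integrated forward lookup zone
$DnsServer = 'dc01.example.com'               # DNS server hosting that zone

# schemaIDGUID of the "computer" class: a CreateChild ACE scoped to it is what
# the ACL editor shows as "Create Computer objects".
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$Rights        = [System.DirectoryServices.ActiveDirectoryRights]
$SidType       = [System.Security.Principal.SecurityIdentifier]

# Allow ACEs that apply to the OU itself and name the CNO as trustee. Rights
# the CNO holds only through group membership are not visible to this check.
$cnoSid = (Get-ADComputer -Identity $CnoName).SID.Value
$acl    = Get-Acl -Path "AD:\$OuDn"
$aces   = $acl.GetAccessRules($true, $true, $SidType) | Where-Object {
    $_.IdentityReference.Value -eq $cnoSid -and
    $_.AccessControlType -eq 'Allow' -and
    $_.PropagationFlags -notmatch 'InheritOnly'
}

[pscustomobject]@{
    Check                 = "ACEs for $CnoName on $OuDn"
    CreateComputerObjects = [bool]($aces | Where-Object {
        $_.ActiveDirectoryRights.HasFlag($Rights::CreateChild) -and
        $_.ObjectType -in $ComputerClass, [guid]::Empty })
    ReadAllProperties     = [bool]($aces | Where-Object {
        $_.ActiveDirectoryRights.HasFlag($Rights::ReadProperty) -and
        $_.ObjectType -eq [guid]::Empty })
}

# A dynamically registered record carries a Timestamp; a static one has none.
foreach ($name in $CnoName, $SqlVnn) {
    $recs = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone `
                -Name $name -RRType A -ErrorAction SilentlyContinue
    if (-not $recs) { [pscustomobject]@{ Name = $name; Record = 'missing' }; continue }
    foreach ($r in $recs) {
        [pscustomobject]@{
            Name      = $name
            Address   = $r.RecordData.IPv4Address
            Record    = if ($r.Timestamp) { 'dynamic' } else { 'static' }
            Timestamp = $r.Timestamp
        }
    }
}
```

A record reported as `static` for either name matches the case described in the list above; both permission columns should read `True` before the SQL network name is brought online again.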


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
