Windows Server 2008 Failover Cluster and AD authorizations
We repeatedly ran into problems when creating a new cluster.
The problem appeared on a Windows 2008 Failover Cluster in a domain where the default rights delegation in Active Directory had been modified.
Problem with Windows 2008 Failover Cluster
The Create Cluster Wizard creates a computer object for the cluster itself in Active Directory: the Cluster Name Object (CNO), which carries the network name of the cluster. Computer objects that the cluster creates later for client access points are called Virtual Computer Objects (VCOs).
The account that runs the Create Cluster Wizard needs the 'Create Computer objects' permission on the target OU (or the CNO has to be pre-staged there).
Every time we created a group under 'Services and Applications' and tried to bring a resource of type 'Network Name' online, we got an error.
For every resource of this type the cluster creates another computer object (a VCO) in Active Directory, and it is the CNO's computer account that creates and manages it.
Because of the modified permissions delegation, computer objects no longer have the permission to enable/disable other computer objects or to reset their passwords. Exactly this was the problem:
The CNO's computer object MSCLUSTER-A did not have any permission on the VCO MSCLUSTERGRP-1.
We granted MSCLUSTER-A Full Control on all other computer objects created by the cluster (the VCOs), on each VCO object itself rather than on the OU.
Afterwards all resources came online without any problems.
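The fix described above, written as a PowerShell script, is an added example and not part of the original article. It assumes the ActiveDirectory module (RSAT) is installed, that the names MSCLUSTER-A and MSCLUSTERGRP-1 are placeholders for your own CNO and VCOs, and that you run it with an account allowed to modify the VCO ACLs. It first checks whether the CNO already holds an Allow/GenericAll (Full Control) ACE on the VCO, so it can be re-run safely, and only then adds the ACE on that single object.

```powershell
# Added example (not the article's own script). Placeholders: adjust to your domain.
Import-Module ActiveDirectory

$cno  = 'MSCLUSTER-A'            # cluster name object (CNO)
$vcos = @('MSCLUSTERGRP-1')      # virtual computer objects (VCOs) created by the cluster

function Test-CnoHasFullControl {
    param(
        [Parameter(Mandatory)] [string] $CnoName,
        [Parameter(Mandatory)] [string] $VcoName
    )
    # Computer accounts are matched by SID, not by display name.
    $cnoSid = [System.Security.Principal.SecurityIdentifier](Get-ADComputer -Identity $CnoName).SID
    $vcoDn  = (Get-ADComputer -Identity $VcoName).DistinguishedName
    $acl    = Get-Acl -Path "AD:\$vcoDn"
    $all    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    foreach ($ace in $acl.Access) {
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }   # orphaned/unresolvable ACE cannot be the CNO
        if ($sid -eq $cnoSid -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.ActiveDirectoryRights -band $all) -eq $all)) {
            return $true
        }
    }
    return $false
}

function Grant-CnoFullControl {
    param(
        [Parameter(Mandatory)] [string] $CnoName,
        [Parameter(Mandatory)] [string] $VcoName
    )
    if (Test-CnoHasFullControl -CnoName $CnoName -VcoName $VcoName) {
        Write-Host "$CnoName already has Full Control on $VcoName, nothing to do."
        return
    }
    $cnoSid = [System.Security.Principal.SecurityIdentifier](Get-ADComputer -Identity $CnoName).SID
    $vcoDn  = (Get-ADComputer -Identity $VcoName).DistinguishedName
    $acl    = Get-Acl -Path "AD:\$vcoDn"

    # Full Control (GenericAll), Allow, on this object only: no inheritance to
    # child objects and nothing granted on the OU.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $cnoSid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$vcoDn" -AclObject $acl
    Write-Host "Granted $CnoName Full Control on $vcoDn"
}

foreach ($vco in $vcos) {
    Grant-CnoFullControl -CnoName $cno -VcoName $vco
}
```

On a Windows Server 2008 host without the ActiveDirectory module, the same single-object grant can be done with dsacls, for example `dsacls "CN=MSCLUSTERGRP-1,OU=Clusters,DC=example,DC=com" /G "EXAMPLE\MSCLUSTER-A$:GA"` (DN and domain are placeholders; `GA` is generic all). In both cases the right is granted on the VCO object only, which is what the article's fix did; granting the CNO Full Control on the whole OU would let it modify every computer object there.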