Before setting up a SQL Cluster, you need to ensure the cluster’s Computer Name Object (CNO) has permissions over its parent OU, to allow it to create new Virtual Computer Objects (VCO). Or more simply, the cluster is going to create a new computer object in the same OU as it currently resides, so set the parent permissions to allow the cluster computer object to do so.
Often different teams are responsible for the setting of these permissions and the eventual SQL cluster install, so here’s a short script which can be used to confirm whether the CNO has enough permission over it’s current parent:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
# Add powershell modules for Active Directory import-module activedirectory; # Set CNO to check here $computer = "SQCDBAUP005"; # Get distinguished name of computer object $dn = (get-adcomputer $computer).distinguishedname; # Extract OU from the DN $index = $dn.indexof(",") + 1; $ou = $dn.substring($index); # Get ACLs on the OU that match the computer name $acl = get-acl "AD:\$ou" $results = $acl.access | where {$_.identityreference -like "*$computer*"}; # Display permissions or not found message if ($results) { $results | ft identityreference, activedirectoryrights -auto; } else { write-host ""; write-host "** No permissions found! **" write-host ""; } |
The result should then be either (showing Full permissions):
Or:
