Saturday, February 15, 2014

Prestage cluster name object (CNO) and virtual computer object (VCO) in Failover Clustering in Windows Server 2012 or R2

By default, when a domain administrator (or a domain user who is a member of the local Administrators group on the nodes and of the Account Operators group in the domain) creates a cluster, a cluster name object (CNO) is created in the same container or organizational unit (OU) that holds the cluster nodes. If administrators have not changed the default computer location, the cluster nodes and the cluster name object all end up in the "Computers" container.

Why do we need to prestage a cluster name object? 

There are several reasons:
  • Administrators want to place the cluster name object in a specific organizational unit (OU) before the cluster is created
  • Delegate to someone the right to create a cluster in the domain without making that person an Account Operator
  • Control the computer naming convention


Normally, a member of the Domain Admins or Account Operators group can create a computer object in the domain. To delegate cluster creation to an ordinary domain user, we can either add the user to Account Operators or prestage a cluster name object and grant that user Full Control on that one computer object. The second option is the least-privilege one: Account Operators can create and modify most user, group and computer accounts in the domain, whereas Full Control on a single prestaged object lets the user create exactly one cluster with exactly that name.

In this lab, I will prestage a cluster name object (CNO) and virtual computer object (VCO) in my cluster environment.

Goals
  • Prestage a cluster name object in an organizational unit (OU) named CNO
  • Prestage a virtual computer object in an organizational unit (OU) named VCO
  • Grant the permission for a domain user account named ClusterAdmin
Prerequisites
  • 1 domain member named CS01 running Windows Server 2012 R2 Datacenter with GUI, joined to the domain test.tls1.lab
  • The Failover Clustering feature installed on CS01
  • 1 domain controller named DC01 running Windows Server 2012 R2 Datacenter with GUI for the domain test.tls1.lab
  • 1 domain user account named ClusterAdmin, added to the local Administrators group on CS01
  • 1 shared disk for the cluster, used to create the MSDTC role
Lab
Prestage a cluster name object named "CU03" in an organizational unit (OU)

1. On DC01, log in as Domain Administrator.
2. Launch "Active Directory Users and Computers".
3. On the menu, click "View > Advanced Features".


4. Navigate to the "CNO" OU, right-click "CNO", select "New > Computer".


5. On the "New Object - Computer" window, under "Computer name", enter "CU03".


6. Click "OK".
7. Right-click "CU03", select "Properties".


8. On "CU03 Properties" window, select "Security" tab.
9. Click "Add".


10. Enter "ClusterAdmin".
11. Grant "Allow - Full control" for "ClusterAdmin".


12. Click "OK".
13. Right-click "CU03", select "Disable Account".


14. Click "Yes".
15. Click "OK".


According to Prestage Cluster Computer Objects in Active Directory Domain Services, the prestaged computer object must be disabled so that, during cluster creation, the Create Cluster wizard can confirm that the account is not currently in use by an existing computer or cluster in the domain. The wizard enables the account itself once the cluster name resource comes online.

Create a cluster named CU03 in CS01
1. On CS01, log in as ClusterAdmin.
2. Launch "Failover Cluster Manager".
3. In the "Actions" pane, click "Create Cluster".


4. On "Before You Begin" window, click "Next".
5. On "Select Servers" window, next to "Enter server name", enter "CS01".


CS01 has been added to "Select servers".

6. Click "Next".
7. On "Access Point for Administering the Cluster" window, next to "Cluster Name", enter "CU03".
8. Next to "Address", assign an IP address for CU03.


9. Click "Next".
10. On "Confirmation" window, click "Next".
11. On "Summary" window, click "Finish".


12. Go back to DC01 and return to "Active Directory Users and Computers".


CU03 is now enabled: the Create Cluster wizard enabled the prestaged account when it created the cluster.
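The same cluster creation from CS01 as a PowerShell script, with the check on the prestaged account before and after. This is an added example, not code from the original post. It assumes the FailoverClusters and ActiveDirectory modules (RSAT-AD-PowerShell) are available on CS01, that the session runs as ClusterAdmin, and that 192.168.10.53 is a free address on the node's subnet (the post does not state the address used):

```powershell
# Added example: create the cluster CU03 on node CS01 and verify the prestaged CNO.
# Assumptions: run as test\ClusterAdmin on CS01; RSAT-AD-PowerShell installed;
# 192.168.10.53 is a free static address on CS01's subnet (not given in the post).
Import-Module FailoverClusters
Import-Module ActiveDirectory

function Test-PrestagedCno {
    param([Parameter(Mandatory)][string]$Name)
    # The prestaged object must be disabled; otherwise the wizard treats the
    # name as already in use by another computer or cluster.
    $cno = Get-ADComputer -Identity $Name -Properties Enabled
    if ($cno.Enabled) {
        throw "$Name is enabled in AD; disable the prestaged CNO before creating the cluster."
    }
    return $cno
}

Test-PrestagedCno -Name 'CU03' | Out-Null

# Equivalent of the Create Cluster wizard: one node, the prestaged name, a static address.
$cluster = New-Cluster -Name 'CU03' -Node 'CS01' -StaticAddress '192.168.10.53'

# Post-check: the wizard enables the prestaged object and sets its DNS host name
# once the "Cluster Name" resource is online.
$cno     = Get-ADComputer -Identity 'CU03' -Properties Enabled, DNSHostName
$nameRes = Get-ClusterResource -Cluster $cluster.Name -Name 'Cluster Name'

[pscustomobject]@{
    Cluster          = $cluster.Name
    ClusterNameState = $nameRes.State        # expected: Online
    CnoEnabled       = $cno.Enabled          # expected: True after creation
    CnoDnsName       = $cno.DNSHostName      # expected: CU03.test.tls1.lab
    CnoLocation      = $cno.DistinguishedName
}
```

If `New-Cluster` fails with an "already in use" error, the pre-check is the first thing to look at: the object was either not disabled or a different object with the same name exists elsewhere in the domain.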

Create a virtual computer object named DTC01 from CS01
A virtual computer object (VCO) is the client access point for a role in a cluster. A VCO is created when an administrator creates a role in the cluster. However, the VCO is not created by the administrator's domain account; it is created by the cluster's own computer object, the CNO. A VCO behaves much like a cluster name object. By default, a VCO is created in the same container or organizational unit (OU) that contains the CNO. In this lab we changed the default location of the CNO, CU03, and we would like to place the VCO, DTC01, in yet another OU. To do that, administrators need to prestage the VCO in that OU and grant the permission on it to the CNO, CU03.

1. Still on DC01, right-click "VCO" OU, select "New > Computer".


2. On the "New Object - Computer" window, under "Computer name", enter "DTC01".


3. Click "OK".
4. Right-click "DTC01", select "Properties".
5. On the "DTC01 Properties" window, select the "Security" tab.
6. Click "Add". This time we will add the computer object "CU03" and grant it Full Control. On "Select Users, Computers, Service Accounts, or Groups", click "Object Types".


7. On "Object Types", check "Computers".


8. Click "OK".
9. Enter "CU03".
10. Grant "Allow - Full control" for "CU03".


11. Click "OK".
12. Disable "DTC01" by selecting "Disable Account".
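Both prestaging procedures above (the CNO "CU03" with Full Control for ClusterAdmin, and the VCO "DTC01" with Full Control for the CNO) use the same three operations: create a disabled computer object in the target OU, add a Full Control ACE for a principal, and leave the object disabled. The script below does both with the ActiveDirectory module. It is an added example, not code from the original post. It assumes the OUs "CNO" and "VCO" sit directly under the domain root of test.tls1.lab, that the user ClusterAdmin already exists, and that it runs as a domain administrator on DC01:

```powershell
# Added example: prestage the CNO "CU03" and the VCO "DTC01" with PowerShell
# instead of the ADUC GUI. Assumptions: OUs OU=CNO and OU=VCO directly under
# the domain root; user ClusterAdmin exists; run as a domain admin on DC01.
Import-Module ActiveDirectory   # also mounts the AD: PSDrive used by Get-Acl / Set-Acl

$domainDn = (Get-ADDomain).DistinguishedName   # DC=test,DC=tls1,DC=lab

function New-PrestagedClusterObject {
    param(
        [Parameter(Mandatory)][string]$Name,    # computer object name, e.g. CU03
        [Parameter(Mandatory)][string]$OuDn,    # DN of the OU to prestage it in
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$PrincipalSid
    )
    # Created disabled on purpose: cluster and role creation check that the
    # account is not already in use, then enable it themselves.
    $computer = New-ADComputer -Name $Name -Path $OuDn -Enabled $false -PassThru

    # Equivalent of "Security > Add > Allow Full control" in ADUC.
    $path = "AD:\$($computer.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $PrincipalSid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
    return $computer
}

# CNO: the user who will run "Create Cluster" gets Full Control on CU03.
$clusterAdminSid = (Get-ADUser -Identity 'ClusterAdmin').SID
New-PrestagedClusterObject -Name 'CU03' -OuDn "OU=CNO,$domainDn" -PrincipalSid $clusterAdminSid | Out-Null

# VCO: the CNO (computer account CU03$), not a user, creates the client access
# point, so CU03$ gets Full Control on DTC01.
$cnoSid = (Get-ADComputer -Identity 'CU03').SID
New-PrestagedClusterObject -Name 'DTC01' -OuDn "OU=VCO,$domainDn" -PrincipalSid $cnoSid | Out-Null

# Verify: both objects exist, are still disabled, and carry the expected ACE.
foreach ($pair in @(@{ Name = 'CU03'; Who = 'ClusterAdmin' }, @{ Name = 'DTC01'; Who = 'CU03$' })) {
    $c   = Get-ADComputer -Identity $pair.Name -Properties Enabled
    $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
    $hit = $acl.Access | Where-Object {
        $_.IdentityReference -like "*\$($pair.Who)" -and
        $_.ActiveDirectoryRights -eq 'GenericAll' -and
        $_.AccessControlType -eq 'Allow'
    }
    '{0}: Enabled={1}  FullControl({2})={3}' -f $c.Name, $c.Enabled, $pair.Who, [bool]$hit
}
```

The verification loop is the part worth keeping around: a VCO that fails to come online with "already in use" is almost always one of these three conditions (object missing, object enabled, or the ACE granted to the wrong principal, typically the administrator instead of the CNO).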


13. Go to CS01. In "Failover Cluster Manager", expand "CU03.test.tls1.lab > Storage > Disks".
14. In the "Actions" pane, click "Add Disk".


15. On "Add Disks to a Cluster" window, select a shared disk, click "OK".


For more information about creating a shared disk in a test environment, see Testing Shared VHDX in Windows Server 2012 R2 Hyper-V environment.

16. Right-click "Roles", select "Configure Role".


17. On "Before You Begin" window, click "Next".
18. On "Select Role" window, select "Distributed Transaction Coordinator (DTC)".


19. Click "Next".
20. On "Client Access Point" window, next to "Name", enter "DTC01".
21. Next to "Address", assign an IP address for "DTC01".


22. Click "Next".
23. On "Select Storage" window, check "Cluster Disk 1".


24. Click "Next".
25. On "Confirmation" window, click "Next".
26. On "Summary" window, click "Finish".


As mentioned, by default a VCO is created in the same container or organizational unit (OU) as the CNO. In the summary window, the High Availability Wizard therefore reports the VCO as created in that OU, even though the prestaged object in the "VCO" OU is the one actually used.


DTC01 starts normally. Had we not prestaged the VCO and granted the permission to the CNO, DTC01 would fail to start because CU03 has no right to create a computer object in the "VCO" OU.

27. Go back to DC01 and return to "Active Directory Users and Computers".


DTC01 has been enabled.

Remark: if the CNO is not in the default container that also contains the cluster nodes, the CNO itself also needs permission on its OU (see the next section); otherwise it cannot create VCOs there and every role would have to be prestaged by hand.

Create a VCO in the same OU
If we would rather have the VCO created in the same container or organizational unit (OU) as the CNO, without prestaging each one, we can grant the CNO the "Create Computer objects" permission on that OU.

1. Still in "Active Directory Users and Computers".
2. Right-click "CNO", select "Properties".
3. Select "Security" tab, click "Advanced".


4. On "Advanced Security Settings for CNO", click "Add".


5. On "Permission Entry for CNO", click "Select a principal".


6. On "Select Users, Computers, Service Accounts, or Groups", click "Object Types".


7. On "Object Types", check "Computers".


8. Click "OK".
9. Enter "CU03".
10. Next to "Permissions" section, check "Create Computer objects".


11. Click "OK" three times to close "CNO Properties".

Alternatively, delegate the permission to a group that contains all cluster name objects (CNOs): each new cluster's CNO is then added to the group instead of editing the OU's ACL per cluster. Keep in mind that every member of that group can then create computer objects in the OU, so the group's membership should be controlled as carefully as the OU permission itself.
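The OU delegation above, and the group variant, as a PowerShell script. This is an added example, not code from the original post. It assumes the "CNO" OU sits directly under the domain root of test.tls1.lab and that it runs as a domain administrator; the group name "ClusterNameObjects" is hypothetical:

```powershell
# Added example: grant "Create Computer objects" on the CNO OU to the cluster
# name object CU03$ (option 1) or to a group holding all CNOs (option 2).
# Assumptions: OU=CNO directly under the domain root; run as a domain admin;
# the group name "ClusterNameObjects" is hypothetical.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ouDn     = "OU=CNO,$domainDn"
$ouPath   = "AD:\$ouDn"

# schemaIDGUID of the "computer" class. Scoping CreateChild to this GUID is what
# the "Create Computer objects" checkbox in ADUC does; an unscoped CreateChild
# would let the principal create any object class in the OU.
$computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Grant-CreateComputerObjects {
    param(
        [Parameter(Mandatory)][string]$OuAdPath,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$PrincipalSid
    )
    $acl = Get-Acl -Path $OuAdPath
    # "This object and all descendant objects" = ActiveDirectorySecurityInheritance::All
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $PrincipalSid,
        [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $computerClassGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $OuAdPath -AclObject $acl
}

# Option 1: this cluster's CNO only (what the GUI steps above do).
Grant-CreateComputerObjects -OuAdPath $ouPath -PrincipalSid (Get-ADComputer -Identity 'CU03').SID

# Option 2: a group that will hold every CNO; new clusters only need group membership.
$grp = Get-ADGroup -Filter "Name -eq 'ClusterNameObjects'"
if (-not $grp) {
    $grp = New-ADGroup -Name 'ClusterNameObjects' -GroupScope Global -Path $ouDn -PassThru
}
Add-ADGroupMember -Identity $grp -Members (Get-ADComputer -Identity 'CU03')
Grant-CreateComputerObjects -OuAdPath $ouPath -PrincipalSid $grp.SID

# Verify: list CreateChild entries on the OU that are scoped to computer objects.
(Get-Acl -Path $ouPath).Access |
    Where-Object {
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -ne 0) -and
        ($_.ObjectType -eq $computerClassGuid)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

The verification output should show TEST\CU03$ and TEST\ClusterNameObjects with CreateChild and inheritance type All; an entry with an empty ObjectType would mean the right was granted for all object classes, which is broader than the page intends.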

This posting is provided “AS IS” with no warranties, and confers no rights!

2 comments:

  1. Hi Tery,

    Thanks for the post. I prestaged a VCO for DTC, but when I try to configure the name for DTC it throws the error "'dtc1' is already in use in Active Directory". Can you help me resolve this?

    1. Hi,
      Please try granting the Full Control permission on DTC to your cluster name.
