Cluster network name resource failed to create its associated computer object in domain

A lot of cluster errors start here, simply because the cluster account has no access in Active Directory.

Here is a sample: a clustered DHCP server that was just created is failing.


In the cluster manager you can see the newly created resources, and the DHCP resource is not online. Why? The error screen shows:

Cluster network name resource ‘MVPDHCP79’ failed to create its associated computer object in domain ‘mvp.local’ during: Resource online.

The text for the associated error code is: A constraint violation occurred.

Please work with your domain administrator to ensure that:

– The cluster identity ‘CLUSTER12$’ has Create Computer Objects permissions. By default all computer objects are created in the same container as the cluster identity ‘CLUSTER12$’.

– The quota for computer objects has not been reached.

– If there is an existing computer object, verify the Cluster Identity ‘CLUSTER12$’ has ‘Full Control’ permission to that computer object using the Active Directory Users and Computers tool.

Cluster resource ‘MVPDHCP79’ of type ‘Network Name’ in clustered role ‘MVPDHCP79’ failed.


OK, it seems clear to me: the cluster computer object has no access to create an object in the AD.

Easy to fix: just give the account god mode and you're done… Well, yes, but I do it differently.

In the AD I created an OU where I placed my cluster resources.

In my OU I do Delegation of Control.

I pick my cluster NetBIOS name and choose what to do with it: a custom rule, and create objects in this folder. This way I have control over who and what is creating objects in my AD; all I need is that the cluster computer account can create objects in the AD.

And in my cluster I bring the DHCP online and yes, it is online, and in the AD there is my DHCP object.

And it is creating the objects in the cluster OU.
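The same delegation scripted, as an added example that is not from the original post. The OU name `Clusters` is a hypothetical placeholder; the domain and cluster identity are the ones in the error message above. It grants only Create Computer objects on that one OU, then lists the ACEs the cluster identity holds there so the grant can be reviewed.

```powershell
# Added example, not from the original post. 'OU=Clusters' is a hypothetical
# OU name; mvp.local and CLUSTER12 come from the error message on this page.
Import-Module ActiveDirectory

$ouDn = 'OU=Clusters,DC=mvp,DC=local'
$cno  = Get-ADComputer -Identity 'CLUSTER12'

# schemaIDGUID of the 'computer' object class: limits the ACE to computer objects
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# Allow CreateChild for computer objects, on this OU only (not inherited by sub-OUs)
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $cno.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Review: every ACE the cluster identity holds on the OU.
# Anything broader than CreateChild on the computer class (for example
# GenericAll) deserves a second look.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like '*\CLUSTER12$' } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, AccessControlType

# The error text also mentions the computer-object quota; this reads the
# domain-wide value.
Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties 'ms-DS-MachineAccountQuota' |
    Select-Object 'ms-DS-MachineAccountQuota'
```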

Author: Robert Smit [MVP]

Robert Smit is Senior Technical Evangelist and is a current Microsoft MVP in Clustering as of 2009. Robert has over 20 years experience in IT with experience in the educational, health-care and finance industries. Robert’s past IT experience in the trenches of IT gives him the knowledge and insight that allows him to communicate effectively with IT professionals who are trying to address real concerns around business continuity, disaster recovery and regulatory compliance issues. Robert holds the following certifications: MCT - Microsoft Certified Trainer, MCTS - Windows Server Virtualization, MCSE, MCSA and MCPS. He is an active participant in the Microsoft newsgroup community and is currently focused on Hyper-V, Failover Clustering, SQL Server, Azure and all things related to Cloud Computing and Infrastructure Optimalization. Follow Robert on Twitter @ClusterMVP Or follow his blog https://robertsmit.wordpress.com Linkedin Profile Http://nl.linkedin.com/in/robertsmit Robert is also capable of transferring his knowledge to others which is a rare feature in the field of IT. He makes a point of not only solving issues but also of giving on the job training of his colleagues. A customer says " Robert has been a big influence on our technical staff and I have to come to know him as a brilliant specialist concerning Microsoft Products. He was Capable with his in-depth knowledge of Microsoft products to troubleshoot problems and develop our infrastructure to a higher level. I would certainly hire him again in the future. " Details of the Recommendation: "I have been coordinating with Robert implementing a very complex system. Although he was primarily a Microsoft infrastructure specialist; he was able to understand and debug .Net based complext Windows applications and websites. His input to improve performance of applications proved very helpful for the success of our project

17 thoughts on “Cluster network name resource failed to create its associated computer object in domain”

  1. I had the same problem, do you know why this is happening? It’s no standard procedure to grant permissions by hand here, right?

  2. Great post, helped me get MSDTC and my clustered File Server up after it kept failing to “start role”….Thanks!!

  3. Thank you for being the mentor on this matter. We enjoyed your
    article quite definitely and most of all appreciated how you really
    handled the aspect I widely known as controversial. You are always very kind to readers much
    like me and help me in my lifestyle. Thank you.

  4. This is the perfect website for everyone who wants to understand this topic.
    You understand a whole lot its almost hard to argue with you (not that I actually will need to…HaHa).
    You definitely put a brand new spin on a topic that has been written about
    for decades. Wonderful stuff, just wonderful!

  5. OR… just configure CAU before you start moving your cluster AD objects around 😉
    If you just leave your cluster AD objects in the default ‘Computers’ container in the root of the domain, it will work. You can then move the objects to another OU, it will not break anything, the wizard only needed permissions to create the CAU object in AD, which it has in the default computers container…

  6. This has nothing to do with creating the AD object. If you want to move the AD object to another location, just turn off the deletion checkbox on the AD object.

    Using CAU to move AD object is …. You missed the point here. SRY.

  7. whoah this blog is fantastic i really like studying your articles. Keep up the good paintings! You understand, many individuals are looking around for this info, you could aid them greatly. bgdaafekegga

  8. This is really helpful! Thanks so much. Solved my issue.
    Very difficult to see the pictures as they have been compacted too much, but apart from that, you are a genius!

  9. Thank you for the article. Just wanted to add to what ec price recommended. We have a script that automatically moves computer accounts out of the default OU container to an assigned OU based on the computer’s IP address. Moving the cluster computer account back to the default computers OU resolved the issue for me.

  10. Thanks Rob. We had an issue when having moved computers out of the default OU in AADDS and then attempting to install clustering features on them – the underlying problem was the permissions on the new OU – your blog helped us quickly sort that – thanks for making the effort to write it up – I know what a lot of work that is from personal experience.
