Deploy an Active Directory Detached Cluster OR DNS Cluster OR non domain joined Windows Server 2012R2 Cluster one way ticket #winserv

In Windows Server 2012 R2, you can deploy a failover cluster without dependencies in Active Directory Domain Services (AD DS) for network names. This is referred to as an Active Directory-detached cluster. Using this deployment method enables you to create a failover cluster without the previously required permissions for creating computer objects in AD DS or the need to request that computer objects are prestaged in AD DS.

When you create an Active Directory-detached cluster, the cluster network name (also known as the administrative access point) and network names for any clustered roles with client access points are registered in Domain Name System (DNS). However, no computer objects are created for the cluster in AD DS. This includes the computer object for the cluster (also known as the cluster name object or CNO) and computer objects for any clustered roles that would typically have client access points in AD DS (also known as virtual computer objects or VCOs).

To deploy an Active Directory-detached cluster, you must use Windows PowerShell. You cannot use Failover Cluster Manager. To create the failover cluster, start Windows PowerShell as an administrator, and then use the New-Cluster cmdlet with the –AdministrativeAccessPoint parameter set to a value of Dns.

But how do you create such a cluster?

New-Cluster SQLCL02 –Node mvpsql021,mvpsql022 –StaticAddress -NoStorage –AdministrativeAccessPoint Dns

The key is the –AdministrativeAccessPoint parameter.

This option gives you the type of cluster you want.

    -AdministrativeAccessPoint <AdminAccessPoint>
        Specifies the type of administrative access point that the cmdlet creates for the cluster. The acceptable
        values for this parameter are:

        — ActiveDirectoryAndDns. The cmdlet creates an administrative access point for the cluster. The
        administrative access point is registered in DNS and enabled in Active Directory Domain Services.
        — Dns. The cmdlet creates an administrative access point for the cluster. The administrative access point is
        registered in DNS but is not enabled in Active Directory Domain Services.
        — None. The cmdlet does not create an administrative access point for the cluster. Some clustered roles and
        functionality might not be available for a cluster that does not have an administrative access point. Also,
        you cannot use Failover Cluster Manager to manage a cluster that does not have an administrative access point.


There is only one way to show the state of the cluster

But is a non-domain-joined CNO of any use?

Well, I see no good reason why you would do this.

You can set the type of administrative access point only when you create the cluster. You cannot change it after the cluster is deployed.

So if you build a SQL cluster and later decide that you need Kerberos, there is no PowerShell option such as:

set-cluster –AdministrativeAccessPoint ActiveDirectoryAndDns

You will have to rebuild your cluster!
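Because the access point type cannot be changed afterwards, it is worth checking the prerequisites and reading the setting back at creation time. The script below is an added example, not part of the original post: the cluster and node names are the ones used above, the static address is a constructed placeholder, and the YES confirmation prompt is an assumption of this sketch.

```powershell
# Added example, not from the original post. Cluster and node names are the
# post's; the static address is a constructed placeholder.
Import-Module FailoverClusters

$clusterName = 'SQLCL02'
$nodes       = 'mvpsql021', 'mvpsql022'
$staticIp    = '192.0.2.10'   # placeholder, replace with the cluster IP

# 1. -AdministrativeAccessPoint exists only from Windows Server 2012 R2 on.
#    On older builds New-Cluster fails with "NamedParameterNotFound".
if (-not (Get-Command New-Cluster).Parameters.ContainsKey('AdministrativeAccessPoint')) {
    throw 'This FailoverClusters module has no -AdministrativeAccessPoint parameter.'
}
foreach ($node in $nodes) {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $node
    if ([version]$os.Version -lt [version]'6.3') {
        throw "$node runs $($os.Caption) $($os.Version); 2012 R2 (6.3) or later is required."
    }
}

# 2. The access point type is fixed at creation, so make the choice explicit.
$answer = Read-Host "Create $clusterName as DNS-only (no CNO/VCOs in AD DS, cannot be changed later)? Type YES"
if ($answer -cne 'YES') { throw 'Cancelled; no cluster was created.' }

New-Cluster -Name $clusterName -Node $nodes -StaticAddress $staticIp `
    -NoStorage -AdministrativeAccessPoint Dns | Out-Null

# 3. Read the setting back from the new cluster instead of trusting the call.
$actual = (Get-Cluster -Name $clusterName).AdministrativeAccessPoint
if ("$actual" -ne 'Dns') {
    throw "Expected a Dns access point, cluster reports '$actual'."
}
"Cluster $clusterName created with AdministrativeAccessPoint = $actual"
```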


| Cluster workload | Supported/Not supported | More information |
|---|---|---|
| SQL Server | | We recommend that you use SQL Server Authentication for an Active Directory-detached cluster deployment. |
| File server | Supported, but not recommended | Kerberos authentication is the preferred authentication protocol for Server Message Block (SMB) traffic. |
| | Supported, but not recommended | Live migration is not supported because it has a dependency on Kerberos authentication. Quick migration is supported. |
| Message Queuing (also known as MSMQ) | Not supported | Message Queuing stores properties in AD DS. |

In addition, be aware of the following issues for this type of cluster deployment:

  • BitLocker Drive Encryption is not supported.
  • Cluster-Aware Updating (CAU) in self-updating mode is not supported.
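To find roles that are already running on a DNS-only cluster and fall under the restrictions in the table above, the following added example (not from the original post) lists matching cluster resources with the corresponding note. The function name is hypothetical, and mapping the live-migration row to the `Virtual Machine` resource type is an assumption.

```powershell
# Added example, not from the original post. Run on a cluster node, or pass a
# cluster name. Reports roles the table marks as restricted on a Dns cluster.
Import-Module FailoverClusters

# Cluster resource type -> note taken from the table. Treating the
# live-migration row as the 'Virtual Machine' resource type is an assumption.
$workloadNotes = @{
    'SQL Server'      = 'Use SQL Server Authentication'
    'File Server'     = 'Supported, but not recommended: Kerberos is preferred for SMB'
    'Virtual Machine' = 'Supported, but not recommended: live migration needs Kerberos'
    'MSMQ'            = 'Not supported: Message Queuing stores properties in AD DS'
}

function Get-DetachedClusterFinding {   # hypothetical helper name
    param([string]$Cluster = '.')       # '.' means the local cluster

    $c = Get-Cluster -Name $Cluster
    # Only Active Directory-detached clusters are of interest here.
    if ("$($c.AdministrativeAccessPoint)" -ne 'Dns') { return }

    Get-ClusterResource -Cluster $c.Name | ForEach-Object {
        $type = "$($_.ResourceType)"
        if ($workloadNotes.ContainsKey($type)) {
            [pscustomobject]@{
                Cluster  = $c.Name
                Role     = "$($_.OwnerGroup)"
                Resource = $_.Name
                Type     = $type
                Note     = $workloadNotes[$type]
            }
        }
    }
}

Get-DetachedClusterFinding | Format-Table -AutoSize -Wrap
```

An empty result means either the cluster has an ActiveDirectoryAndDns access point or none of the listed resource types are present.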

Author: Robert Smit [MVP]

Robert Smit is Senior Technical Evangelist and is a current Microsoft MVP in Clustering as of 2009. Robert has over 20 years of experience in IT, with experience in the educational, health-care and finance industries. Robert’s past experience in the trenches of IT gives him the knowledge and insight that allows him to communicate effectively with IT professionals who are trying to address real concerns around business continuity, disaster recovery and regulatory compliance issues. Robert holds the following certifications: MCT - Microsoft Certified Trainer, MCTS - Windows Server Virtualization, MCSE, MCSA and MCPS. He is an active participant in the Microsoft newsgroup community and is currently focused on Hyper-V, Failover Clustering, SQL Server, Azure and all things related to Cloud Computing and Infrastructure Optimization. Follow Robert on Twitter @ClusterMVP. Robert is also capable of transferring his knowledge to others, which is a rare feature in the field of IT. He makes a point of not only solving issues but also of giving on-the-job training to his colleagues. A customer says: "Robert has been a big influence on our technical staff and I have come to know him as a brilliant specialist concerning Microsoft products. He was capable with his in-depth knowledge of Microsoft products to troubleshoot problems and develop our infrastructure to a higher level. I would certainly hire him again in the future." Details of the Recommendation: "I have been coordinating with Robert implementing a very complex system. Although he was primarily a Microsoft infrastructure specialist; he was able to understand and debug .Net based complex Windows applications and websites. His input to improve performance of applications proved very helpful for the success of our project

10 thoughts on “Deploy an Active Directory Detached Cluster OR DNS Cluster OR non domain joined Windows Server 2012R2 Cluster one way ticket #winserv”

  1. Hi,
    I am trying to set up AD detached cluster using powershell. I am getting an error :

    New-Cluster : A parameter cannot be found that matches parameter name ‘AdministrativeAccessPoint’.
    At line:1 char:101
    + … 117 -NoStorage -AdministrativeAccessPoint Dns
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [New-Cluster], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.FailoverClusters.PowerShell.NewClusterCommand
    Here are OS details:
    OS Name Microsoft Windows Server 2012 Standard
    Version 6.2.9200 Build 9200

    Can you tell what i am doing wrong?

  2. I think it is due to some other issue. I tried to run same command without AdministrativeAccessPoint option and i am getting different error:
    And When I run :

    New-Cluster SQLCL02 –Node node1,node2 -StaticAddress -NoStorage

    I get this error:

    new-cluster : An error occurred while performing the operation.
    An error occurred while creating the cluster ‘SQLCluster01’.
    An error occurred creating cluster ‘SQLCluster01’.
    A constraint violation occurred
    At line:1 char:1
    + new-cluster SQLCluster01 -Node node1, node2 -StaticAddress 172.2 …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [New-Cluster], ClusterCmdletException
    + FullyQualifiedErrorId : New-Cluster,Microsoft.FailoverClusters.PowerShell.NewClusterCommand

  3. nevermind, u can delete my comments. how dumb of me.. i am on windows server 2012 standard, not R2.

  4. Hi,
    I am trying to set up windows 2016 cluster without AD. Cluster gets created fine but I get below error every 15 mins in cluster event logs. Is there any fix for this error. Below error goes away if I create cluster with CNO in AD.

    Error Message:

    Cluster network name resource failed registration of one or more associated DNS names(s) because the access to update the secure DNS Zone was denied.

    Cluster Network name: ‘Cluster Name’
    DNS Zone: ‘’

    Ensure that cluster name object (CNO) is granted permissions to the Secure DNS Zone.

  5. Hi, make sure there are no external dns servers in the nic and that the cno is in the DNS. And if the nodes can’t update the record give the nodes access to the DNS zone.
