How to Create a Cluster in a Restrictive Active Directory Environment

How to Create a Cluster in a Restrictive Active Directory Environment

Rate This
  • Comments 9

In Windows Server 2012 there have been several enhancements to how Windows Server Failover Clusters integrate with the Active Directory.  In this blog I am going to discuss some of the changes to help enable creating Failover Clusters in restrictive Active Directory environments where permissions to create computer objects is delegated to specific organizational units (OU).

In Windows Server 2008 R2, Failover Clustering created computer objects in the Active Directory under the default Computers container for cluster Network name resources.  In Windows Server 2012 this has changed to enable greater flexibility when setting up a Failover Cluster.

Cluster Name Object (CNO)

The CNO is the computer object associated with the cluster network name resource called “Cluster Name” that is created during initial setup of the cluster.  Before running Create Cluster one of the requirements is that all nodes be members of a domain.  Since all nodes are domain joined and have corresponding computer objects, the OU in which the nodes computer objects reside in is used as the location to create the CNO.  If you had permissions to setup the node computer objects, then this will enable creating a cluster to ‘just work’ with no additional considerations needed.  The default setup experience now has better heuristics.

For increased flexibility, if you wish to create the CNO in a different OU location, now with Windows Server 2012 you can do so by specifying the full distinguished name during either the Create Cluster wizard in Failover Cluster Manager or through the New-Cluster PowerShell cmdlet.  The distinguished name includes the path to the OU under which you would like the computer object created.

Specifying a Custom OU with Failover Cluster Manager:

To create a cluster with the Failover Cluster manager Create Cluster wizard and for example have the CNO placed in the OU named "Cluster":

Specifying a Custom OU with PowerShell:

To create a cluster via PowerShell and for example have the CNO placed in the OU named “Cluster” it would be in the following syntax:

New-Cluster -Name CN=MyCluster,OU=Cluster,DC=Contoso,DC=com -Node node1,node2

Virtual Computer Object (VCO)

The VCO is the computer object associated with all other cluster network name resources that are created for highly available roles on the cluster.  This would include roles such as for a highly available File Server or SQL Server for example.

The VCO’s will all be created in the same OU in which the CNO currently resides at creation time.

Additional Information:

The user credentials of the currently logged on user who is creating the Failover Cluster will be used to create the computer objects in Active Directory.  The user must have Create Computer Objects permissions to the OU to create the computer objects.  Additionally, the CNO must have Create Computer Objects privileges in the OU it currently resides in to be able to create VCO’s.

If you do not have Create Computer Objects permissions, your domain admin can manually pre-stage the CNO and VCO computer objects.  See this step-by-step guide for information on how to configure cluster accounts in the Active Directory:

If you wish to move the CNO or VCO’s to a different location than the one they are originally created in, it is safe to do so without impacting the functionality of the Failover Cluster.

Elden Christensen
Principal Program Manager Lead
Clustering & High-Availability

Leave a Comment
  • Please add 8 and 8 and type the answer here:
  • Post
  • Hi, just as with Windows Server 2008 R2 my experience is that it doesn't matter what permissions I have in the same OU where the cluster nodes reside; I am still unable to create a cluster. I get the error that I do not have permissions to create computer objects.

    So, like before I added the same "Create Computer" permission for me on the "Computers" OU (the default) and voila! Now I can create a cluster.

    And since I have the Domain Admin possibility in my test lab, I destroyed the cluster, logged on to one cluster node as Domain Admin and just created the cluster again w/o issues.

    So, what is the permission in the "Computers" OU for the accounts you are using in your tests?

    Is there anything else that should be checked regarding permissions for an account that administer a cluster?

  • Hi Jimmy,

    There was a bug with pre-release versions which has since been fixed.  Please try again with RTM.



  • There are several always on clusters in my Windows 2012 environment. The were created in the default OUs, but I would like to move them to a custom OU. Is there still an issue with moving the VCOs to custom OUs that were created after the cluster or can theyu be moved to any OU regardless of when the OU was created?

  • Yes, you can move the CNO and VCO's to a different OU post-creation

  • Hello Elden,

    I'm seeing that you're PPM for Clustering and HA. I have a question about an issue experienced last days ago. We have two DC's (in Cloud), with different subnets but in the same domain. For testing purpose, we have turned the FSMO Holder off and after that, we noticed some ID 1570 describing authentication failures, Nodes should be contacted done by the second DC, right?

    Replication, DNS and other things related to it are OK!

  • I am curious, can I run a 2012 Hyper V Cluster on 2000 Domain level / Forest Level?

  • It is not supported to deploy a Windows Server 2012 Failover Cluster in domain running at a Windows 2000 domain functional level.

    Additionally, Windows 2000 Server is no longer supported.  See the Microsoft Support Lifecycle at this link:



  • Hi

    There is a procedure to create a cluster without having that kind of permissions, specially when working in restricted environment

    You may ask the Ad team to create the cluster computer account  in both Active Directory and in  DNS ,

    and change the Security properties of this cluster account, and add the  account used to login and create the cluster.

    The Ad cluster account must have also  security access to the DNS cluster entry.

    In a restricted active directory, it will be easier to get these rights than get the create computer objects permission in the OU computers


  • If default domain policy has not been modified, each user has a 10 machines creation bonus granted, so any user could create a cluster till the VCO objest reach that limit, am I wrong?

    Does the CNO object really needs the "Create object machines" permissions to create extra objects?, which is the explanation for that?


Page 1 of 1 (9 items)