How to Setup a Failover Cluster in a RODC Environment


In Windows Server 2012, a Failover Cluster can be created in an environment that has access only to a Read Only Domain Controller (RODC) but not a Read Write Domain Controller (RWDC). This deployment model can be useful in a branch office with unreliable network connectivity or in a perimeter network (DMZ) where the cluster resides outside a firewall.

In a previous blog we discussed how a cluster can be created in a restrictive Active Directory environment, and explained the roles of the Cluster Name Object (CNO) and the Virtual Computer Objects (VCOs) in a Failover Cluster. With only a Read Only Domain Controller reachable, the Cluster Service cannot create a CNO or a VCO, because the RODC does not accept writes. These computer objects therefore have to be pre-created on a RWDC and replicated to the cluster's RODC before cluster creation is started. This blog provides the steps for doing that, 1) using the graphical interface and 2) using Windows PowerShell. Follow the steps first to pre-create the CNO (a computer object with the same name as your cluster), and then once more for each VCO (a computer object with the same name as the clustered service or application, created in the same container as the CNO).

Steps to configure the CNO and VCO for a RODC Environment:

1.      On a RWDC, launch the Active Directory Users and Computers snap-in (dsa.msc) or, to configure using a script, open a Windows PowerShell prompt as Administrator with the ActiveDirectory module available (Import-Module ActiveDirectory).

2.      Right-click Computers, or the organizational unit (OU) in which computer accounts are created in your domain, and create a new Computer object for your cluster CNO (the cluster name) or VCO (the clustered application or service name):


Using PowerShell:

To create the Computer object in the default Computers container (dNSHostName is left unset; the cluster fills it in when it takes over the object):

New-ADComputer -Name "myclusterCNO" -Enabled $true

To create the Computer object in an alternate OU, set $OUDistinguishedName to the distinguished name of that OU first:

New-ADComputer -Name "myclusterCNO" -Path $OUDistinguishedName -Enabled $true

3.      For the CNO, give the user account that will be used to create the cluster Full Control of the computer object you created. For each VCO, give the cluster account (the CNO itself) Full Control of the object. For instance, for a cluster myclusterCNO in domain testcluster, the computer account testcluster\myclusterCNO$ should have Full Control of the VCO. Grant Full Control only to these principals; anyone who controls the object can reset its password and impersonate the cluster or the clustered service.

  • On the View menu ensure that Advanced Features is selected.
  • Right-click on the computer object created in step 2 and select Properties.
  • Select the Security tab and add the user account used for cluster creation (for a VCO, add the CNO computer account instead).
  • Select the newly added account and give it Full Control for the computer object.


Using PowerShell (for a VCO, use the CNO account "domain\myclusterCNO$" as the grantee instead of the user):

# The principal being granted Full Control (GenericAll) on the object
$objUser = New-Object System.Security.Principal.NTAccount("domain\user")

$objADAR = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($objUser, "GenericAll", "Allow")

$adName = Get-ADComputer -Identity "myclusterCNO"

# Read the object's current security descriptor, add the new ACE to it (without this call the
# rule built above is never applied), and write the descriptor back
$targetObj = Get-ADObject -Identity $adName.DistinguishedName -Properties nTSecurityDescriptor

$ntSecurityObj = $targetObj.nTSecurityDescriptor

$ntSecurityObj.AddAccessRule($objADAR)

Set-ADObject -Identity $adName -Replace @{nTSecurityDescriptor = $ntSecurityObj}


You can verify through the graphical interface that the permissions have now propagated for the user account:


4.      Next modify the following attributes for the computer object. Do this for the CNO and for every VCO; only the MSServerCluster entries are specific to the CNO.

Attribute Name                   Value

sAMAccountName                   <Cluster name>$  (the name part must be 15 characters or fewer, the NetBIOS limit)

msDS-SupportedEncryptionTypes    28 (0x1C: RC4-HMAC + AES128 + AES256)

servicePrincipalName             List which includes the following entries:
                                 Host/<computer object name>
                                 Host/<FQDN>
                                 MSClusterVirtualServer/<computer object name>
                                 MSClusterVirtualServer/<FQDN>
                                 MSServerClusterMgmtAPI/<computer object name>
                                 MSServerClusterMgmtAPI/<FQDN>
                                 For CNO also add:
                                 MSServerCluster/<computer object name>
                                 MSServerCluster/<FQDN>

Here <FQDN> is the computer object name followed by the domain's DNS name, e.g. myclusterCNO.testcluster.com for the example domain used in step 6.

  • You can modify the attributes by selecting the Attribute Editor tab on the computer object properties page.


Using PowerShell:

$adName = Get-ADComputer -Identity "myclusterCNO"

$dn = $adName.DistinguishedName

# The object's FQDN is its name plus the domain's DNS name
$fqdn = "$($adName.Name).$((Get-ADDomain).DNSRoot)"

# 28 = 0x1C = RC4-HMAC (4) + AES128 (8) + AES256 (16); -Replace overwrites any existing value
Set-ADComputer -Identity $dn -Replace @{'msDS-SupportedEncryptionTypes' = 28}

Set-ADComputer -Identity $dn -ServicePrincipalNames @{Add="Host/$($adName.Name)", "Host/$fqdn", "MSClusterVirtualServer/$($adName.Name)", "MSClusterVirtualServer/$fqdn", "MSServerClusterMgmtAPI/$($adName.Name)", "MSServerClusterMgmtAPI/$fqdn"}

For CNO also add:

Set-ADComputer -Identity $dn -ServicePrincipalNames @{Add="MSServerCluster/$($adName.Name)", "MSServerCluster/$fqdn"}


5.       Add the CNO and VCO SAM account names to the Allow list of the RODC's Password Replication Policy. This is what permits the RODC to cache those accounts' secrets; add only the cluster objects, since any secret cached on a DMZ RODC is exposed if that RODC is compromised.

  • Select the Domain Controllers container in dsa.msc.
  • Right-click on the Computer object corresponding to the RODC and select Properties.
  • Select the Password Replication Policy tab in the property pane for the RODC computer object.
  • Add the CNO and VCO SAM account names (with $ at the end) with the setting Allow.

Using PowerShell:

Add-ADDomainControllerPasswordReplicationPolicy -Identity "RODC" -AllowedList 'testCluster$', 'vcoName$'

  • Supply the CNO and VCO SAM account names (with $ at the end) as arguments to the AllowedList parameter. Single quotes keep PowerShell from treating the trailing $ as the start of a variable name.

6.      Finally, push the secret of the CNO or VCO created on the RWDC to the RODC. This only succeeds for accounts the RODC's policy allows (step 5); run it once per object:

repadmin /rodcpwdrepl <RODC server name> <RWDC server name> <distinguished name of the CNO or VCO without quotes, e.g. CN=myClusterCNO,CN=Computers,DC=testcluster,DC=com>

Now that you have the computer objects pre-staged and replicated to your RODC, you are ready to create a cluster in a RODC environment. In a previous blog we provided the steps to create a Failover Cluster.
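The six steps above, as one script. This is an added example and not code from the original post: it pre-stages a CNO and one VCO on the RWDC, grants the permissions from step 3, sets the attributes from step 4, adds the accounts to the RODC's Password Replication Policy, pushes their secrets with repadmin, and then checks both that the accounts are allowed by the policy and that their secrets are actually cached on the RODC. The function names, the RWDC and RODC host names, the creator account and the VCO name are assumptions; the container DN and domain are the ones from the example in step 6.

```powershell
# Added example (not from the original post). Run on the RWDC, or anywhere with the RSAT AD module,
# as an account that can create computer objects and edit the RODC's Password Replication Policy.
# Function names, host names, the creator account and the VCO name below are assumptions.
Import-Module ActiveDirectory

function New-PrestagedClusterObject {
    param(
        [Parameter(Mandatory)] [string] $Name,     # CNO or VCO name (also its NetBIOS name)
        [Parameter(Mandatory)] [string] $Path,     # DN of the container that will hold the object
        [Parameter(Mandatory)] [string] $Grantee,  # 'domain\user' for a CNO, 'domain\<cno>$' for a VCO
        [switch] $IsCNO                            # only a CNO gets the MSServerCluster SPNs
    )
    # sAMAccountName becomes <Name>$; the name part is capped at 15 characters (NetBIOS limit).
    if ($Name.Length -gt 15) { throw "'$Name' is longer than 15 characters" }
    $fqdn = "$Name.$((Get-ADDomain).DNSRoot)"

    # The SPNs the cluster would normally register itself: one per prefix for the short name and the FQDN.
    $prefixes = @('Host', 'MSClusterVirtualServer', 'MSServerClusterMgmtAPI')
    if ($IsCNO) { $prefixes += 'MSServerCluster' }
    $spns = foreach ($p in $prefixes) { "$p/$Name"; "$p/$fqdn" }

    $computer = New-ADComputer -Name $Name -SamAccountName "$Name`$" -Path $Path -Enabled $true `
        -ServicePrincipalNames $spns -PassThru
    # 28 = 0x1C = RC4-HMAC (4) + AES128 (8) + AES256 (16)
    Set-ADComputer -Identity $computer -Replace @{ 'msDS-SupportedEncryptionTypes' = 28 }

    # Step 3: Full Control (GenericAll) for the grantee, added to the existing ACL rather than replacing it.
    $identity = New-Object System.Security.Principal.NTAccount($Grantee)
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity, 'GenericAll', 'Allow')
    $obj = Get-ADObject -Identity $computer.DistinguishedName -Properties nTSecurityDescriptor
    $acl = $obj.nTSecurityDescriptor
    $acl.AddAccessRule($rule)
    Set-ADObject -Identity $obj -Replace @{ nTSecurityDescriptor = $acl }

    return $computer
}

function Publish-ClusterObjectToRodc {
    param(
        [Parameter(Mandatory)] [string] $Rodc,
        [Parameter(Mandatory)] [string] $Rwdc,
        [Parameter(Mandatory)] [Microsoft.ActiveDirectory.Management.ADComputer[]] $Objects
    )
    # Step 5 must precede step 6: repadmin will not push a secret the RODC's policy does not allow.
    $sams = $Objects | ForEach-Object { $_.SamAccountName }
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $sams
    foreach ($o in $Objects) {
        $dn = $o.DistinguishedName
        & repadmin /rodcpwdrepl $Rodc $Rwdc $dn
        if ($LASTEXITCODE -ne 0) { throw "repadmin /rodcpwdrepl failed for $dn" }
    }
}

function Test-ClusterObjectOnRodc {
    param([Parameter(Mandatory)] [string] $Rodc, [Parameter(Mandatory)] [string[]] $SamAccountName)
    # Two separate facts: the account is allowed by the policy, and its secret is actually cached.
    $allowed  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
                ForEach-Object { $_.SamAccountName }
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
                ForEach-Object { $_.SamAccountName }
    foreach ($s in $SamAccountName) {
        [pscustomobject]@{ Account = $s; AllowedByPolicy = ($allowed -contains $s); CachedOnRodc = ($revealed -contains $s) }
    }
}

# Usage (all names assumed except the container DN and domain, which come from step 6)
$rwdc    = 'RWDC01.testcluster.com'
$rodc    = 'RODC01.testcluster.com'
$path    = 'CN=Computers,DC=testcluster,DC=com'
$creator = 'testcluster\clusteradmin'   # the account that will run the Create Cluster wizard or New-Cluster

$cno = New-PrestagedClusterObject -Name 'myclusterCNO' -Path $path -Grantee $creator -IsCNO
$vco = New-PrestagedClusterObject -Name 'mySqlVCO' -Path $path -Grantee "testcluster\$($cno.SamAccountName)"
Publish-ClusterObjectToRodc -Rodc $rodc -Rwdc $rwdc -Objects @($cno, $vco)
Test-ClusterObjectOnRodc -Rodc $rodc -SamAccountName $cno.SamAccountName, $vco.SamAccountName | Format-Table -AutoSize
```

The last line is the check worth keeping around: an account can be in the Allow list without its secret ever having been pushed, and only the CachedOnRodc column (from Get-ADDomainControllerPasswordReplicationPolicyUsage -RevealedAccounts) confirms the RODC holds what the cluster will need when the RWDC is unreachable.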




Subhasish Bhattacharya

Program Manager

Clustering and High Availability

Microsoft Corporation

Comments
  • Great article but I'm looking for some clarification on something......

    In step 4, (modifying the computer attributes) in your list under "Service Principal Name" you have

    Host/<computer object name>  --> To me this would be "host/myClusterCNO"  --> which you correctly screenshot.

    Host/<FQDN> --> To me this would be host/ --> You just list the domain without the host name.  Which should it be?

    Also, for the entire step 4 in general you mention to " Next modify the following attributes for the computer object:" Do we do this just for the CNO or the VCO as well??  I am assuming the VCO as well because later in the Service Principal Table you mention "For CNO also add:...."

    I just want to make sure.

    Thanks in advance for your help!!


  • Hi John,

    That's correct - <FQDN> could be more accurately described as a <Domain Name>.

    Yes. These steps should be repeated for each VCO as well, except for any instructions specifically anointed for a CNO.

    Please do let me know if you have any further questions.

    - Subhasish

  • Subhasish - Thanks so much for the fast reply!!  At first when reading your article I thought this was aimed towards ..... How to pre-stage CNO and VCO because Server 2008 doesn't allow clusters in RODC environment.  I figured this because Server 2012 has the ability to be built in a RODC so why make an article for 2012?  If I am correct, and this is geared towards Server 2008 then I have a follow up question.....

    - My entire environment is Server 2008 R2, and I absolutely need a MS Cluster in the perimeter.  I have one RODC in my perimeter and no access for member servers back to the RWDCs in the core.

    - I pre-staged the CNO and VCO as per this article however the issue is when I try to create the cluster the wizard stops me in my tracks because it insists on contacting AD (it wants RWDC) to get a topology of the member nodes :(

    Is there any way to get around this?  I even tried creating the cluster via PowerShell as sometimes it's more "allowing" than wizards, but alas.... no luck.  I am desperately looking for a solution as Server 2012 is not even close to being supported in my environment and there is a strong need for an IIS cluster in the perimeter.  

    My only thought is maybe to open the ports in the firewall for cluster creation and then once its up and running close the ports back up.  However I'm not sure if during clusters "normal operation" there is another need for it to communicate with a RWDC??

    Thanks!! - John

  • Unfortunately, this configuration is not supported pre-WS 2012. Your cluster will need access to a RWDC even beyond the cluster creation process...

    - Subhasish

  • Hi,

    Thank you, great article!

    But I have a few difficulties creating the failover cluster.

    I'm trying to create a failover cluster for a DMZ, and I followed the steps you describe.

    - I first create the CNO (myClusterName) in the correct OU in RWDC

    - I apply all parameters described in this post to the CNO.

    - I start a replication to RODC (and I check).

    - When I create the cluster from the failover cluster wizard with the same name as the CNO (myClusterName), I've got an error on the wizard : "An enabled computer account (object) for 'myClusterName' was found. This usually means that the name is in use by another computer or cluster network name. If this is not the case then please disable or delete the existing computer account in Active Directory"

    I've tried to disable the computer object in AD; it let me finish the wizard but threw an error when "Verifying computer object 'myClusterName' in the domain" : Unknown error (0xc000005e). I can't find events linked to this error in the event viewer.

    I also tried to put the DN of the CNO in the wizard, instead of the name:

    - It lets me finish the wizard without having to disable the Computer object in AD

    - But it throws an error: "An attempt to use the specified cluster name failed because an enabled computer object with the given name already exists in the domain"

    Do you have ideas about this behavior ?



  • Hi Nico,

    Thanks for your comment. There are a couple of steps I can think of to troubleshoot this issue.

    - First delete the CNO you've created and try to create a cluster. This would ensure that there is no other CNO lingering on somewhere.

    - Next, instead of creating the CNO in the RODC and replicating, pre-stage the CNO in the RWDC and see if this works. If it does, you would be able to follow the steps on the RODC and replicate without issue. As a sanity check, here are some independent steps to pre-stage the CNO on a RWDC -

    Hope this helps.



  • Hi Subhasish,

    Thank you for sharing this stuff.

    We have 2008R2 RODC in DMZ and we tried creating the cluster as specified in this article. But at the end of the cluster creation, we have got the following error.

    Unable to successfully cleanup.

    An error occurred while creating the cluster.

    An error occurred while creating the cluster 'ClusterName'

    The specified Domain either does not exist or could not be contacted

    If we open ports from DMZ member servers to RWDC, does it work? If yes, can you please tell me the ports required to open from member server to RWDC?

    Is there any alternate for creating Cluster in 2008 RODC environment?

    Does this work properly if we create cluster in Production network and then move them to DMZ?

    Please help me in this.

    Thanks in Advance...


  • Hi Vijay,

    Unfortunately, clustering with a RODC is supported only for Windows Server 2012 and beyond. For releases before this your cluster will need to have access to a RWDC.



  • Hi everyone, I hope anyone can give a solution. I am new to failover clustering. I have to configure a SQL failover cluster in a restricted AD; the AD administrator created the CNO and the objects required for SQL. Now I have to configure it. Please, can anyone explain to me how to configure/install a SQL failover cluster with the pre-created object names?
