Configure Windows Failover Clustering for SQL Server (Availability Group or FCI) with Limited Security

Configure Windows Failover Clustering for SQL Server (Availability Group or FCI) with Limited Security

Rate This
  • Comments 1

Author: Cephas Lin
Reviewer: Jimmy May

Windows Server Failover Clustering (WSFC) is the new name for Microsoft Cluster Server (MSCS), beginning in Windows Server 2008. In this blog post, I will use WSFC to refer to both.

Some of the SQL Server high availability and disaster recovery (HADR) solutions depend on WSFC for their functionality. These are:

  • SQL Server Failover Clustering prior to SQL Server 2012
  • AlwaysOn Failover Cluster Instances (FCIs) in SQL Server 2012
  • AlwaysOn Availability Groups in SQL Server 2012

When you want to configure one of these solutions on a given set of servers, you must first create a WSFC cluster that encompasses these servers. With the default domain policy settings, this process involves nothing more than running the Create Cluster Wizard in the Failover Cluster Manager on one of the servers. However, when you try to create a WSFC cluster in your domain, you might encounter the following error: You do not have permissions to create a computer object in Active Directory.

This error is due to the fact that the account used to create the WSFC cluster does not have all the necessary rights. Given that many companies vigorously lock down on their domain security, this error can be common. Most likely, there is a particular domain policy that is enabled: Add workstations to domain.

In fact, in addition to create the WSFC cluster, you need similar permissions to create the FCIs as well as availability groups. When this policy is not defined (the default setting), any authenticated user has the necessary permissions. However, this policy is often explicitly defined and your domain administrator may not be willing to explicitly enable this policy on your behalf. Alternatively, the accounts and permissions required to create and maintain your HADR solution can be prestaged. For guidance configuring the required account permissions for WSFC clusters and clustered services, see Failover Cluster Step-by-Step Guide: Configuring Accounts in Active Directory (http://technet.microsoft.com/en-us/library/cc731002(WS.10).aspx).

Example Scenario

Let's walk through a common HADR scenario. Suppose you want to configure a solution that involves two FCIs with database mirroring between them. I will use this scenario so that it applies to versions prior to SQL Server 2012 as well. Also, suppose you want to configure it using the following user account:

User Account

CORP\Install

For each FCI you want to create, you need to prestage a computer account for the WSFC cluster and another computer account for the FCI clustered service that runs within the WSFC cluster. Let's use the following computer names for these accounts:

Cluster Accounts

Cluster1

Cluster2

Clustered Service Accounts

FCI1

FCI2

Once you provide these names for your installation accounts, clusters, and clustered services to your domain administrators, they must do the following to prestage the accounts:

  1. Create the following computer objects in Active Directory (AD): Cluster1, Cluster2, FCI1, and FCI2.
  2. Disable the AD objects for Cluster1 and Cluster2.
  3. Prepare the AD objects with the permissions shown in the following table.

AD Object

Permissions for Accounts

Computers container

Read All Properties and Create Computer Objects for the following accounts:

  • CORP\Install
  • CORP \Cluster1$
  • CORP \Cluster2$

Cluster1

Full control for CORP\Install

Cluster2

Full control for CORP\Install

FCI1

Full control for CORP\Cluster1$

FCI2

Full control for CORP\Cluster2$

Once your domain administrator has prestaged these accounts, you can proceed with the WSFC cluster creation and the FCI installation.

Note: When you create the WSFC clusters, the cluster creation process automatically enables the computer accounts for the clusters (Cluster1 and Cluster2). If at any point you choose to destroy and recreate one of the clusters, your domain administrator must disable the computer name for that cluster before it can be recreated.

Leave a Comment
  • Please add 8 and 5 and type the answer here:
  • Post
  • Nice job on a topic that doesn't get nearly the coverage it needs!

Page 1 of 1 (1 items)