Author
: Cephas Lin
Reviewer
: Jimmy May
Windows Server Failover Clustering (WSFC) is the new name for Microsoft Cluster Server (MSCS), beginning in Windows Server 2008. In this blog post, I will use WSFC to refer to both.
Some of the SQL Server high availability and disaster recovery (HADR) solutions depend on WSFC for their functionality. These are:
- SQL Server Failover Clustering prior to SQL Server 2012
- AlwaysOn Failover Cluster Instances (FCIs) in SQL Server 2012
- AlwaysOn Availability Groups in SQL Server 2012
When you want to configure one of these solutions on a given set of servers, you must first create a WSFC cluster that encompasses these servers. With the default domain policy settings, this process involves nothing more than running the Create Cluster Wizard in the Failover Cluster Manager on one of the servers. However, when you try to create a WSFC cluster in your domain, you might encounter the following error: You do not have permissions to create a computer object in Active Directory .
This error is due to the fact that the account used to create the WSFC cluster does not have all the necessary rights. Given that many companies vigorously lock down on their domain security, this error can be common. Most likely, there is a particular domain policy that is enabled: Add workstations to domain .
In fact, in addition to create the WSFC cluster, you need similar permissions to create the FCIs as well as availability groups. When this policy is not defined (the default setting), any authenticated user has the necessary permissions. However, this policy is often explicitly defined and your domain administrator may not be willing to explicitly enable this policy on your behalf. Alternatively, the accounts and permissions required to create and maintain your HADR solution can be prestaged . For guidance configuring the required account permissions for WSFC clusters and clustered services, see Failover Cluster Step-by-Step Guide: Configuring Accounts in Active Directory (http://technet.microsoft.com/en-us/library/cc731002(WS.10).aspx).
Example Scenario
Let's walk through a common HADR scenario. Suppose you want to configure a solution that involves two FCIs with database mirroring between them. I will use this scenario so that it applies to versions prior to SQL Server 2012 as well. Also, suppose you want to configure it using the following user account:
|
User Account |
CORP\Install |
For each FCI you want to create, you need to prestage a computer account for the WSFC cluster and another computer account for the FCI clustered service that runs within the WSFC cluster. Let's use the following computer names for these accounts:
|
Cluster Accounts |
Cluster1 Cluster2 |
|
Clustered Service Accounts |
FCI1 FCI2 |
Once you provide these names for your installation accounts, clusters, and clustered services to your domain administrators, they must do the following to prestage the accounts:
- Create the following computer objects in Active Directory (AD): Cluster1 , Cluster2 , FCI1 , and FCI2 .
- Disable the AD objects for Cluster1 and Cluster2 .
- Prepare the AD objects with the permissions shown in the following table.
|
AD Object |
Permissions for Accounts |
|
Computers container |
Read All Properties and Create Computer Objects for the following accounts:
|
|
Cluster1 |
Full control for CORP\Install |
|
Cluster2 |
Full control for CORP\Install |
|
FCI1 |
Full control for CORP\Cluster1$ |
|
FCI2 |
Full control for CORP\Cluster2$ |
Once your domain administrator has prestaged these accounts, you can proceed with the WSFC cluster creation and the FCI installation.
Note : When you create the WSFC clusters, the cluster creation process automatically enables the computer accounts for the clusters ( Cluster1 and Cluster2 ). If at any point you choose to destroy and recreate one of the clusters, your domain administrator must disable the computer name for that cluster before it can be recreated.