In Sql Server 2012, I am trying to install Failover Clustering to configure AlwaysOn Availability Groups. When I run Cluster Validation test wizard, it comes back with a lot of errors. One of them points to not having privileges to create 'Computer Object' in our Active Directory. So, I tried to gather any documentation that would help me understand what this means and I found this article on MSDN
Now, I have a question:
In the MSDN article, the paragraph right above this diagram talks about some 'Computer Account' and 'Computer Account for Clustered Service'. I re-read the paragraphs several times, but I am not sure if I can distinguish between these two. Could someone with experience on AoAG, shed some light on what this means.
Best Answer
What it means is that the computer object of the cluster (within Active Directory) will have the same set of the permissions as the user that created the cluster (and in turn, the cluster computer object).
This cluster computer object will then be the security context when a cluster service or application needs to have a computer object created.
Think of it like this:
Joecreates a cluster and the cluster computer object isCluster1. When a computer object of the cluster needs to be created, it will be under the context ofCluster1. AndCluster1will have the permission set ofJoe.Take a look at a blog post I wrote on this very topic (SQL Salt). Maybe that will shed a little more light on this. When you create a listener, for instance, auditing AD will show that it is the cluster computer object that is actually creating the listener computer object.
In many environments this elevated security for computer objects may be undesirable. Therefore you can pre-stage these objects within AD. The end result should be the same.