Create an object in AD for Clustering

I need to create a listener for a SQL cluster, and I'm getting the error which is common and it's:
The WSFC cluster could not bring the Network Name resource with DNS name ‘’ online. The DNS name may have been taken or have a conflict wit…

There is a solution which is adding some permissions to the cluster CNO. Can that change be done in PowerShell?
One other option is:

Option # 2 Pre-Stage the VCO

This option is useful in situations where the domain administrator does not allow the CNO “Read All Properties” and “Create computer Objects” permissions:

  1. Ensure that you are logged in as a user that has permissions to create computer objects in the domain.

  2. Open the Active Directory Users and Computers Snap-in (dsa.msc).

  3. Right-click View and select “Advanced Features.”

  4. Right-click the OU/Container you want the VCO to reside in and click “New” -> “Computer.” In the example below, we are creating the listener object in the Computers container.

  5. Provide a name for the object (this will be your listener name) and click “OK.”

  6. Right-click the VCO you just created and select “Properties”. Click the Security tab.

  7. Under the Security tab, click the Add button. Enter the cluster name object (CNO). In this example, it is agcluster$. Click the Object Types button. Select Computers and click OK.

  8. Highlight the CNO, check the following permissions, and click “OK” (alternatively, choose Full Control):

     Allowed To Authenticate
     Change Password
     Receive As
     Reset Password
     Send As
     Validated write To DNS Host Name
     Validated Write To Service Principal Name
     Read Account Restrictions
     Write Account Restrictions
     Read DNS Host Name Attributes
     Read MS-TS-GatewayAccess
     Read Personal Information
     Read Public Information

  9. Attempt to create the availability group listener.

I’m not sure what your question is. Typically, you have to create a pre-staged computer account because the wizards that create the clusters are running as SYSTEM and don’t have the correct permissions in AD to create the account. You either delegate permissions on the OU to the computer account of the server so it has access to create the computer account, or you have to create a computer account to pre-stage the cluster name so that when you re-run the wizard, SYSTEM will have access to manipulate that cluster computer account. This isn’t anything to do with PowerShell, so if you can’t figure it out it’s better to post on a Server 2012 forum or a forum related to cluster creation.

The question I have is how to grant that permission to the CNO cluster name, because the whole cluster build is in PowerShell and the listener sits on top of the cluster. I can set those permissions for the CNO as described in the blog above, but I want to do that in PowerShell instead of the GUI.

If we have the CNO called MyDomain\WINCLUSTER$, what are the commands to grant those permissions?


It’s Active Directory Delegation, so search for “Powershell Active Directory Delegation”. You would have to decide which method would work for you and test, but this looked close to what you would do:

I don’t know how often you would create clusters that you need to automate it, but doing this in the GUI would take a minute and writing a script to do it is probably going to take a couple of hours of dev and testing.

I recently worked on a DSC resource that applies the necessary permissions to the ADComputer object. Here is a script from it that should work for you. You provide the cluster name computer account to give “ownership” of the target computer account.

#requires -Version 4
#requires -Module ActiveDirectory

param (
    [string] $ClusterName,

    [string] $ComputerName
)

function Get-ADClusterComputerAccessRules {
    param (
        [System.Security.Principal.NTAccount] $IdentityReference
    )

    New-ADAccessRule -IdentityReference $IdentityReference -Rights 'DeleteTree, ExtendedRight, Delete, GenericRead'                   # Object-level rights, no specific attribute
    New-ADAccessRule -IdentityReference $IdentityReference -Rights WriteProperty -ObjectType '4c164200-20c0-11d0-a768-00aa006e0529'   # User-Account-Restrictions
    New-ADAccessRule -IdentityReference $IdentityReference -Rights Self -ObjectType 'f3a64788-5306-11d1-a9c5-0000f80367c1'            # Service-Principal-Name
    New-ADAccessRule -IdentityReference $IdentityReference -Rights Self -ObjectType '72e39547-7b18-11d1-adef-00c04fd8d5cd'            # DNS-Host-Name
    New-ADAccessRule -IdentityReference $IdentityReference -Rights WriteProperty -ObjectType '3e0abfd0-126a-11d0-a060-00aa006c33ed'   # SAM-Account-Name
    New-ADAccessRule -IdentityReference $IdentityReference -Rights WriteProperty -ObjectType 'bf967953-0de6-11d0-a285-00aa003049e2'   # Display-Name
    New-ADAccessRule -IdentityReference $IdentityReference -Rights WriteProperty -ObjectType 'bf967950-0de6-11d0-a285-00aa003049e2'   # Description
    New-ADAccessRule -IdentityReference $IdentityReference -Rights WriteProperty -ObjectType '5f202010-79a5-11d0-9020-00c04fc2d4cf'   # User-Logon
}

function New-ADAccessRule {
    param (
        [System.Security.Principal.NTAccount] $IdentityReference,

        [System.DirectoryServices.ActiveDirectoryRights] $Rights,

        [System.Security.AccessControl.AccessControlType] $Type = $([System.Security.AccessControl.AccessControlType]::Allow),

        [Guid] $ObjectType = $([Guid]::Empty),

        [System.DirectoryServices.ActiveDirectorySecurityInheritance] $Inheritance = $([System.DirectoryServices.ActiveDirectorySecurityInheritance]::None),

        [Guid] $InheritedObjectType = $([Guid]::Empty)
    )

    New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($IdentityReference,$Rights,$Type,$ObjectType,$Inheritance,$InheritedObjectType)
}

$Cluster             = Get-ADComputer -Identity $ClusterName
$Computer            = Get-ADComputer -Identity $ComputerName
$Acl                 = Get-Acl -Path "AD:\$($Computer.DistinguishedName)"
$IdentityReference   = New-Object System.Security.Principal.NTAccount (Get-ADDomain).NetBIOSName,$Cluster.SamAccountName
$ExpectedAccessRules = @(Get-ADClusterComputerAccessRules -IdentityReference $IdentityReference)
$CurrentAccessRules  = @($Acl.Access | Where-Object IdentityReference -eq $IdentityReference)
# Compare on the rule properties (access rule objects have no value equality) and keep the original rule objects with -PassThru
$MissingAccessRules  = @(Compare-Object -ReferenceObject $CurrentAccessRules -DifferenceObject $ExpectedAccessRules -Property ActiveDirectoryRights, ObjectType, AccessControlType -PassThru | Where-Object SideIndicator -eq '=>')

# Add only the rules the cluster account does not already hold, then write the ACL back to the computer object
foreach ($AccessRule in $MissingAccessRules) {
    $Acl.AddAccessRule($AccessRule)
}
Set-Acl -Path "AD:\$($Computer.DistinguishedName)" -AclObject $Acl

Thank you so much. I didn’t use DSC in the past, I will test it and let you know.

Thanks again.

Adam, did you ever build a Windows cluster with DSC? I hope it won’t be complicated.

Yes I did. I had to create several custom resources to handle our build, things like configuring iSCSI, as we use that for SAN storage, to adding the custom roles and resources to the cluster we regularly use. It was about 2 weeks’ worth of piecing it together, but in the end I am able to deploy cluster solutions with DSC without much trouble now.


The problem I have is that the OU is different from the default. How can I make the OU a parameter as well?


So this script assumes the computer account has been created before it is run. You can use New-ADComputer cmdlet to create the computer account where you want it.
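A PowerShell version of the Option 2 steps with the OU taken as a parameter, added here as an example and not code from the thread's DSC resource: it pre-stages the listener object with New-ADComputer in the given OU and grants the CNO the narrower right set rather than Full Control. The listener name, OU distinguished name and CNO name are assumed placeholders; the attribute GUIDs are the ones used in the script above.

```powershell
#requires -Module ActiveDirectory
# Pre-stage a listener VCO in a chosen OU and give the cluster CNO the rights it needs on it.
# Assumed parameters: listener name, OU distinguished name, CNO name (all placeholders here).
function New-PreStagedListenerVco {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ListenerName,   # e.g. 'AGLISTENER' (constructed)
        [Parameter(Mandatory)] [string] $OUPath,         # e.g. 'OU=SQL Clusters,DC=MyDomain,DC=local'
        [Parameter(Mandatory)] [string] $ClusterName     # CNO sAMAccountName without '$', e.g. 'WINCLUSTER'
    )

    # Create the computer object disabled, and only if it is not already there (safe to re-run).
    $vco = Get-ADComputer -Filter "Name -eq '$ListenerName'" -SearchBase $OUPath
    if (-not $vco) {
        if (-not $PSCmdlet.ShouldProcess("$ListenerName in $OUPath", 'Create disabled computer object')) { return }
        $vco = New-ADComputer -Name $ListenerName -Path $OUPath -Enabled $false `
            -Description "Pre-staged AG listener for cluster $ClusterName" -PassThru
    }

    # The CNO as DOMAIN\WINCLUSTER$, the identity every ACE below is granted to.
    $cno = Get-ADComputer -Identity "$ClusterName`$"
    $id  = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList @((Get-ADDomain).NetBIOSName, $cno.SamAccountName)

    # Rights from the Option 2 list instead of Full Control; the GUIDs are the schema IDs used in the thread's script.
    $rules = @(
        @{ Rights = 'GenericRead, ExtendedRight, Delete'; Guid = [Guid]::Empty }       # object-level rights
        @{ Rights = 'Self';          Guid = 'f3a64788-5306-11d1-a9c5-0000f80367c1' }   # Validated write: SPN
        @{ Rights = 'Self';          Guid = '72e39547-7b18-11d1-adef-00c04fd8d5cd' }   # Validated write: DNS host name
        @{ Rights = 'WriteProperty'; Guid = '4c164200-20c0-11d0-a768-00aa006e0529' }   # Account restrictions property set
    )

    $path = "AD:\$($vco.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    foreach ($r in $rules) {
        $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
            $id, [System.DirectoryServices.ActiveDirectoryRights]$r.Rights,
            [System.Security.AccessControl.AccessControlType]::Allow, [Guid]$r.Guid)
        $acl.AddAccessRule($ace)   # merges with an existing matching ACE, so re-runs do not duplicate entries
    }
    if ($PSCmdlet.ShouldProcess($path, 'Grant the CNO its rights on the VCO')) {
        Set-Acl -Path $path -AclObject $acl
    }

    # Show what the CNO now holds on the object so the result can be checked before the listener is created.
    (Get-Acl -Path $path).Access | Where-Object IdentityReference -eq $id |
        Select-Object ActiveDirectoryRights, ObjectType, AccessControlType
}

# Example call with placeholder values; -WhatIf previews both the object creation and the ACL write.
# New-PreStagedListenerVco -ListenerName AGLISTENER -OUPath 'OU=SQL Clusters,DC=MyDomain,DC=local' -ClusterName WINCLUSTER -WhatIf
```

Run it as an account allowed to create computer objects in that OU, and compare the final output against the Option 2 list to confirm the CNO holds nothing broader than intended.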