Configuring cluster accounts in Active Directory

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Azure Stack HCI, versions 21H2 and 20H2

In Windows Server, when you create a failover cluster and configure clustered services or applications, the failover cluster wizards create the necessary Active Directory computer accounts (also called computer objects) and give them specific permissions. The wizards create a computer account for the cluster itself (this account is also called the cluster name object or CNO) and a computer account for most types of clustered services and applications, the exception being a Hyper-V virtual machine. The permissions for these accounts are set automatically by the failover cluster wizards. If the permissions are changed, they will need to be changed back to match cluster requirements. This guide describes these Active Directory accounts and permissions, provides background about why they are important, and describes steps for configuring and managing the accounts.

Overview of Active Directory accounts needed by a failover cluster

This section describes the Active Directory computer accounts (also called Active Directory computer objects) that are important for a failover cluster. These accounts are as follows:

  • The user account used to create the cluster. This is the user account used to start the Create Cluster wizard. The account is important because it provides the basis from which a computer account is created for the cluster itself.

  • The cluster name account (the computer account of the cluster itself, also called the cluster name object or CNO). This account is created automatically by the Create Cluster wizard and has the same name as the cluster. The cluster name account is very important, because through this account, other accounts are automatically created as you configure new services and applications on the cluster. If the cluster name account is deleted or permissions are taken away from it, other accounts cannot be created as required by the cluster, until the cluster name account is restored or the correct permissions are reinstated.

    For example, if you create a cluster called Cluster1 and then try to configure a clustered print server called PrintServer1 on your cluster, the Cluster1 account in Active Directory will need to retain the correct permissions so that it can be used to create a computer account called PrintServer1.

    The cluster name account is created in the default container for computer accounts in Active Directory. By default this is the "Computers" container, but the domain administrator can choose to redirect it to another container or organizational unit (OU).

  • The computer account (computer object) of a clustered service or application. These accounts are created automatically by the High Availability wizard as part of the process of creating most types of clustered services or applications, the exception being a Hyper-V virtual machine. The cluster name account is granted the necessary permissions to control these accounts.

    For example, if you have a cluster called Cluster1 and then you create a clustered file server called FileServer1, the High Availability wizard creates an Active Directory computer account called FileServer1. The High Availability wizard also gives the Cluster1 account the necessary permissions to control the FileServer1 account.

The following table describes the permissions required for these accounts.

Account: Account used to create the cluster
Details about permissions: Requires administrative permissions on the servers that will become cluster nodes. Also requires Create Computer objects and Read All Properties permissions in the container that is used for computer accounts in the domain.

Account: Cluster name account (computer account of the cluster itself)
Details about permissions: When the Create Cluster wizard is run, it creates the cluster name account in the default container that is used for computer accounts in the domain. By default, the cluster name account (like other computer accounts) can create up to ten computer accounts in the domain.

  If you create the cluster name account (cluster name object) before creating the cluster, that is, if you prestage the account, you must give it the Create Computer objects and Read All Properties permissions in the container that is used for computer accounts in the domain. You must also disable the account, and give Full Control of it to the account that will be used by the administrator who installs the cluster. For more information, see Steps for prestaging the cluster name account, later in this guide.

Account: Computer account of a clustered service or application
Details about permissions: When the High Availability wizard is run (to create a new clustered service or application), in most cases a computer account for the clustered service or application is created in Active Directory. The cluster name account is granted the necessary permissions to control this account. The exception is a clustered Hyper-V virtual machine: no computer account is created for this.

  If you prestage the computer account for a clustered service or application, you must configure it with the necessary permissions. For more information, see Steps for prestaging an account for a clustered service or application, later in this guide.

Note

In earlier versions of Windows Server, there was an account for the Cluster service. Since Windows Server 2008, however, the Cluster service automatically runs in a special context that provides the specific permissions and privileges necessary for the service (similar to the local system context, but with reduced privileges). Other accounts are needed, however, as described in this guide.

How accounts are created through wizards in failover clustering

The following diagram illustrates the use and creation of computer accounts (Active Directory objects) that are described in the previous subsection. These accounts come into play when an administrator runs the Create Cluster wizard and then runs the High Availability wizard (to configure a clustered service or application).

[Diagram: Use and creation of computer accounts]

Note that the above diagram shows a single administrator running both the Create Cluster wizard and the High Availability wizard. However, this could be two different administrators using two different user accounts, if both accounts had sufficient permissions. The permissions are described in more detail in Requirements related to failover clusters, Active Directory domains, and accounts, later in this guide.

How problems can result if accounts needed by the cluster are changed

The following diagram illustrates how problems can result if the cluster name account (one of the accounts required by the cluster) is changed after it is automatically created by the Create Cluster wizard.

[Diagram: Problems if the cluster name account is changed]

If the type of problem shown in the diagram occurs, one of the events 1193, 1194, 1206, or 1207 is logged in Event Viewer. For more information about these events, see https://go.microsoft.com/fwlink/?LinkId=118271.

Note that a similar problem with creating an account for a clustered service or application can occur if the domain-wide quota for creating computer objects (by default, 10) has been reached. If it has, it might be appropriate to consult with the domain administrator about increasing the quota, although this is a domain-wide setting and should be changed only after careful consideration, and only after confirming that the preceding diagram does not describe your situation. For more information, see Troubleshoot issues caused by changes in cluster-related Active Directory accounts.
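As an added example that is not part of the original guide, the following PowerShell script performs a read-only check of the conditions this section describes for an existing cluster: whether the cluster name account still holds Create Computer objects and Read All Properties on its container, the domain-wide machine-account quota and how many computer objects already count against the CNO, and whether any of the events 1193, 1194, 1206, or 1207 were logged. It assumes the ActiveDirectory module, the placeholder cluster name Cluster1, and that the events are written to the System log by the Microsoft-Windows-FailoverClustering provider on the node where the script runs.

```powershell
# Added example, not part of the original guide. Read-only check of the cluster name
# account (CNO), the machine-account quota and the cluster account events.
# Assumptions: ActiveDirectory module available; 'Cluster1' is a placeholder name.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# Schema GUID of the "computer" object class; "Create Computer objects" in ADUC is the
# CreateChild right scoped to this class (an unscoped CreateChild also covers it).
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Test-ClusterNameAccount {
    param([string]$ClusterName = 'Cluster1')   # placeholder cluster name
    $domain    = Get-ADDomain
    $cno       = Get-ADComputer -Identity $ClusterName
    $cnoLabel  = '{0}\{1}' -f $domain.NetBIOSName, $cno.SamAccountName   # e.g. CONTOSO\Cluster1$
    $container = ($cno.DistinguishedName -split ',', 2)[1]               # container holding the CNO

    # Allow ACEs on the container that are granted directly to the CNO.
    $aces = (Get-Acl -Path "AD:\$container").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $cnoLabel }
    $create = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $read   = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $canCreateComputers = [bool]($aces | Where-Object {
        (($_.ActiveDirectoryRights -band $create) -ne 0) -and
        ($_.ObjectType -eq $ComputerClassGuid -or $_.ObjectType -eq [Guid]::Empty) })
    $canReadAllProps = [bool]($aces | Where-Object {
        (($_.ActiveDirectoryRights -band $read) -ne 0) -and $_.ObjectType -eq [Guid]::Empty })

    # Domain-wide quota (default 10) and the computer objects already created under it by the CNO.
    # mS-DS-CreatorSID is stamped only on objects created against the quota, so this is the count that matters.
    $quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    $createdByCno = @(Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID' | Where-Object {
        $_.'mS-DS-CreatorSID' -and
        (New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)) -eq $cno.SID }).Count

    # The cluster events this section names; assumed to be in the System log on a cluster node.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'
        ProviderName = 'Microsoft-Windows-FailoverClustering'; Id = 1193, 1194, 1206, 1207 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ClusterNameAccount  = $cnoLabel
        AccountEnabled      = $cno.Enabled
        Container           = $container
        CanCreateComputers  = $canCreateComputers   # $false matches the "permissions removed" diagram
        CanReadAllProps     = $canReadAllProps
        MachineAccountQuota = $quota
        CreatedByCno        = $createdByCno         # compare against MachineAccountQuota
        RecentAccountEvents = @($events).Count
    }
}

Test-ClusterNameAccount -ClusterName 'Cluster1' | Format-List
```

If CanCreateComputers or CanReadAllProps is false, the ACL was changed after the wizard ran; if CreatedByCno has reached MachineAccountQuota, the quota case described above applies instead.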

Requirements related to failover clusters, Active Directory domains, and accounts

As described in the preceding three sections, certain requirements must be met before clustered services and applications can be successfully configured on a failover cluster. The most basic requirements concern the location of cluster nodes (within a single domain) and the level of permissions of the account of the person who installs the cluster. If these requirements are met, the other accounts required by the cluster can be created automatically by the failover cluster wizards. The following list provides details about these basic requirements.

  • Nodes: All nodes must be in the same Active Directory domain. (The domain cannot be based on Windows NT 4.0, which does not include Active Directory.)

  • Account of the person who installs the cluster: The person who installs the cluster must use an account with the following characteristics:

    • The account must be a domain account. It does not have to be a domain administrator account. It can be a domain user account if it meets the other requirements in this list.

    • The account must have administrative permissions on the servers that will become cluster nodes. The simplest way to provide this is to create a domain user account, and then add that account to the local Administrators group on each of the servers that will become cluster nodes. For more information, see Steps for configuring the account for the person who installs the cluster, later in this guide.

    • The account (or the group that the account is a member of) must be given the Create Computer objects and Read All Properties permissions in the container that is used for computer accounts in the domain. For more information, see Steps for configuring the account for the person who installs the cluster, later in this guide.

    • If your organization chooses to prestage the cluster name account (a computer account with the same name as the cluster), the prestaged cluster name account must give "Full Control" permission to the account of the person who installs the cluster. For other important details about how to prestage the cluster name account, see Steps for prestaging the cluster name account, later in this guide.

Planning ahead for password resets and other account maintenance

The administrators of failover clusters might sometimes need to reset the password of the cluster name account. This action requires a specific permission, the Reset password permission. Therefore, it is a best practice to edit the permissions of the cluster name account (by using the Active Directory Users and Computers snap-in) to give the administrators of the cluster the Reset password permission for the cluster name account. For more information, see Troubleshoot password issues with the cluster name account.

Steps for configuring the account for the person who installs the cluster

The account of the person who installs the cluster is important because it provides the basis from which a computer account is created for the cluster itself.

The minimum group membership required to complete the following procedure depends on whether you are creating the domain account and assigning it the required permissions in the domain, or whether you are only placing the account (created by someone else) into the local Administrators group on the servers that will be nodes in the failover cluster. In the former case, membership in Account Operators, or equivalent, is the minimum required to complete this procedure. In the latter case, membership in the local Administrators group on the servers that will be nodes in the failover cluster, or equivalent, is all that is required. Review details about using the appropriate accounts and group memberships at https://go.microsoft.com/fwlink/?LinkId=83477.

To configure the account for the person who installs the cluster

  1. Create or obtain a domain account for the person who installs the cluster. This account can be a domain user account or an Account Operators account. If you use a standard user account, you'll have to give it some extra permissions later in this procedure.

  2. If the account that was created or obtained in step 1 isn't automatically included in the local Administrators group on computers in the domain, add the account to the local Administrators group on the servers that will be nodes in the failover cluster:

    1. Click Start, click Administrative Tools, and then click Server Manager.

    2. In the console tree, expand Configuration, expand Local Users and Groups, and then expand Groups.

    3. In the center pane, right-click Administrators, click Add to Group, and then click Add.

    4. Under Enter the object names to select, type the name of the user account that was created or obtained in step 1. If prompted, enter an account name and password with sufficient permissions for this action. Then click OK.

    5. Repeat these steps on each server that will be a node in the failover cluster.

    Important

    These steps must be repeated on all servers that will be nodes in the cluster.

  3. If the account that was created or obtained in step 1 is a domain administrator account, skip the rest of this procedure. Otherwise, give the account the Create Computer objects and Read All Properties permissions in the container that is used for computer accounts in the domain:

    1. On a domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

    2. On the View menu, make sure that Advanced Features is selected.

      When Advanced Features is selected, you can see the Security tab in the properties of accounts (objects) in Active Directory Users and Computers.

    3. Right-click the default Computers container or the default container in which computer accounts are created in your domain, and then click Properties. Computers is located in Active Directory Users and Computers/domain-node/Computers.

    4. On the Security tab, click Advanced.

    5. Click Add, type the name of the account that was created or obtained in step 1, and then click OK.

    6. In the Permission Entry for container dialog box, locate the Create Computer objects and Read All Properties permissions, and make sure that the Allow check box is selected for each one.

      [Screenshot: Permission Entry dialog box with Create Computer objects set to Allow]

Steps for prestaging the cluster name account

It is usually simpler if you do not prestage the cluster name account, but instead allow the account to be created and configured automatically when you run the Create Cluster wizard. However, if it is necessary to prestage the cluster name account because of requirements in your organization, use the following procedure.

Membership in the Domain Admins group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at https://go.microsoft.com/fwlink/?LinkId=83477. Note that you can use the same account for this procedure as you will use when creating the cluster.

To prestage a cluster name account

  1. Make sure that you know the name that the cluster will have, and the name of the user account that will be used by the person who creates the cluster. (Note that you can use that account to perform this procedure.)

  2. On a domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. In the console tree, right-click Computers or the default container in which computer accounts are created in your domain. Computers is located in Active Directory Users and Computers/domain-node/Computers.

  4. Click New and then click Computer.

  5. Type the name that will be used for the failover cluster, in other words, the cluster name that will be specified in the Create Cluster wizard, and then click OK.

  6. Right-click the account that you just created, and then click Disable Account. If prompted to confirm your choice, click Yes.

    The account must be disabled so that when the Create Cluster wizard is run, it can confirm that the account it will use for the cluster is not currently in use by an existing computer or cluster in the domain.

  7. On the View menu, make sure that Advanced Features is selected.

    When Advanced Features is selected, you can see the Security tab in the properties of accounts (objects) in Active Directory Users and Computers.

  8. Right-click the folder that you right-clicked in step 3, and then click Properties.

  9. On the Security tab, click Advanced.

  10. Click Add, click Object Types and make sure that Computers is selected, and then click OK. Then, under Enter the object name to select, type the name of the computer account you just created, and then click OK. If a message appears, saying that you are about to add a disabled object, click OK.

  11. In the Permission Entry dialog box, locate the Create Computer objects and Read All Properties permissions, and make sure that the Allow check box is selected for each one.

    [Screenshot: Permission Entry dialog box]

  12. Click OK until you have returned to the Active Directory Users and Computers snap-in.

  13. If you are using the same account to perform this procedure as will be used to create the cluster, skip the remaining steps. Otherwise, you must configure permissions so that the user account that will be used to create the cluster has full control of the computer account you just created:

    1. On the View menu, make sure that Advanced Features is selected.

    2. Right-click the computer account you just created, and then click Properties.

    3. On the Security tab, click Add. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

    4. Use the Select Users, Computers, or Groups dialog box to specify the user account that will be used when creating the cluster. Then click OK.

    5. Make sure that the user account that you just added is selected, and then, next to Full Control, select the Allow check box.

      [Screenshot: Security tab in the Cluster1 Properties dialog box]

Steps for prestaging an account for a clustered service or application

It is usually simpler if you do not prestage the computer account for a clustered service or application, but instead allow the account to be created and configured automatically when you run the High Availability wizard. However, if it is necessary to prestage accounts because of requirements in your organization, use the following procedure.

Membership in the Account Operators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at https://go.microsoft.com/fwlink/?LinkId=83477.

To prestage an account for a clustered service or application

  1. Make sure that you know the name of the cluster and the name that the clustered service or application will have.

  2. On a domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. In the console tree, right-click Computers or the default container in which computer accounts are created in your domain. Computers is located in Active Directory Users and Computers/domain-node/Computers.

  4. Click New and then click Computer.

  5. Type the name that you will use for the clustered service or application, and then click OK.

  6. On the View menu, make sure that Advanced Features is selected.

    When Advanced Features is selected, you can see the Security tab in the properties of accounts (objects) in Active Directory Users and Computers.

  7. Right-click the computer account you just created, and then click Properties.

  8. On the Security tab, click Add.

  9. Click Object Types and make sure that Computers is selected, and then click OK. Then, under Enter the object name to select, type the cluster name account, and then click OK. If a message appears, saying that you are about to add a disabled object, click OK.

  10. Make sure that the cluster name account is selected, and then, next to Full Control, select the Allow check box.

    [Screenshot: Security tab]
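The three procedures in this guide (configuring the account of the person who installs the cluster, prestaging the cluster name account, and prestaging an account for a clustered service or application) can be scripted instead of clicked through in Active Directory Users and Computers. The following PowerShell script is an added example, not the guide's own code, and assumes the ActiveDirectory module, a session with Domain Admins rights, and the placeholder account, cluster, service and container names set at the top.

```powershell
# Added example, not part of the original guide. Applies the permissions described in the
# three procedures using the ActiveDirectory module and the AD: drive provider.
# Assumptions: Domain Admins session; all names below are placeholders for your environment.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$Installer   = 'CONTOSO\clusteradmin'              # account of the person who installs the cluster
$ClusterName = 'Cluster1'                          # name typed into the Create Cluster wizard
$ServiceName = 'FileServer1'                       # clustered service or application name
$Container   = 'CN=Computers,DC=contoso,DC=com'    # default container for computer accounts

# Schema GUID of the "computer" class: CreateChild scoped to it is "Create Computer objects".
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Grant-AdAce {
    param(
        [string]$DistinguishedName,                                  # object whose ACL is edited
        [System.Security.Principal.IdentityReference]$Identity,      # who receives the right
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType = [Guid]::Empty                            # Empty = all object types/properties
    )
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Identity, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

$installerSid = (New-Object System.Security.Principal.NTAccount($Installer)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# 1. Account of the person who installs the cluster: Create Computer objects and
#    Read All Properties on the container (local Administrators membership on the nodes
#    is granted separately on each node and is not covered here).
Grant-AdAce -DistinguishedName $Container -Identity $installerSid -Rights CreateChild -ObjectType $ComputerClassGuid
Grant-AdAce -DistinguishedName $Container -Identity $installerSid -Rights ReadProperty

# 2. Prestage the cluster name account: created disabled so the Create Cluster wizard can
#    confirm the name is not in use, then given the same two container permissions.
New-ADComputer -Name $ClusterName -Path $Container -Enabled $false
$cno    = Get-ADComputer -Identity $ClusterName
$cnoSid = [System.Security.Principal.SecurityIdentifier]$cno.SID
Grant-AdAce -DistinguishedName $Container -Identity $cnoSid -Rights CreateChild -ObjectType $ComputerClassGuid
Grant-AdAce -DistinguishedName $Container -Identity $cnoSid -Rights ReadProperty
#    Full Control on the CNO for the installing account (step 13 of that procedure; only
#    needed when a different account will create the cluster).
Grant-AdAce -DistinguishedName $cno.DistinguishedName -Identity $installerSid -Rights GenericAll

# 3. Prestage the clustered service account and give the CNO Full Control of it.
New-ADComputer -Name $ServiceName -Path $Container
$vco = Get-ADComputer -Identity $ServiceName
Grant-AdAce -DistinguishedName $vco.DistinguishedName -Identity $cnoSid -Rights GenericAll
```

Each Grant-AdAce call adds one explicit Allow entry scoped to the object itself, which is what the Permission Entry dialog in the procedures above creates.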

For more information, see Troubleshoot issues with accounts used by failover clusters.