Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Friday, January 27, 2017 7:44 PM
All replies (32)
Sunday, January 29, 2017 2:37 PM
Hi Ecapadmin,
It seems there is no related infromation about the error.
Do you mean the failover cluster is working normally but getting the error in cluster validation?
If yes, I suppose we could ignore the error temporarily. And wait for official documents and solutions about the error.
Best Regards,
Leo
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Monday, January 30, 2017 1:27 PM
Leo,
Thank you for the response. Yes the cluster is working as expected with some test VM's but because it fails the validation test MS will not offer support. Not a problem now but if production VM's were put in the cluster and problem came up, we could not get support.
Tuesday, January 31, 2017 7:18 AM
Hi Evapadmin,
Did you get the same result if you run the validation again?
Is the network connection between the nodes and DC stable?
Best Regards,
Leo
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Friday, July 7, 2017 2:29 PM
Hello,
i have a 3 node cluster with MS 2016 Datacenter.
And we have the same problem in cluster validation.
An error occurred while executing the test.
The operation has failed. An error occurred while checking the Active Directory organizational unit for the cluster name resource.
The parameter is incorrect.
Any solutions from Microsoft?
The Network between the nodes and DC's are stable. No other problems, the cluster works fine.
Thank you
Wednesday, September 6, 2017 12:05 PM
hello,
does anyone have already a solution for this i get alsow this error on a Hyper-V cluster and a file cluster (2016 Datacenter & 2016 Standard )
Wednesday, November 15, 2017 6:38 PM | 1 vote
In order to resolve this, ensure that the Cluster computer object has Read on the root of your domain (does not need to go farther down the tree) and that it has Create Computer Objects and Read All Properties on the domain (must be inherited by the OU where the cluster computer object resides.
If you try to grant this on the OU where the cluster computer object exists, it will fail. It must start at the root of the domain.
The name of the cluster computer object is the cluster name with a $ at end (e.g. if cluster name is HV-CLUS1, the computer object will be HV-CLUS1$). Be sure to select the Computers type when trying to grant permissions otherwise you will not be able to check names successfully.
Grant Thompson
Wednesday, January 24, 2018 3:08 PM
Hello, we just stood up a 3 node Windows Fail Over Cluster, all brand new Dell R740 windows Server 2016 fully patched. Nothing is running on these servers, brand new set up this week. When i validate each node I get all green checks. After I create the cluster and validate it I get the same error posted here:
An error occurred while executing the test.
The operation has failed. An error occurred while checking the Active Directory organizational unit for the cluster name resource.
The parameter is incorrect.
We have done what Grant suggested but it did not help. Is it ok to proceed or will this put us in an unsupported configuration.
Many thanks
Fed
Wednesday, January 24, 2018 4:02 PM | 1 vote
You will be in an unsupported configuration. In my experience this is definitely an AD permissions issue. Double check that you granted the Cluster computer object Read permissions at the root of your domain and Create Computer Objects and Read All Properties on the domain (must be inherited by the OU where the cluster computer object resides.
I realize you said you did this but check again.
If it still fails, did you move the cluster computer object somewhere? If so, try putting it back into the default Computers node.
Has anything been done to default AD permissions?
Grant Thompson
Wednesday, January 24, 2018 6:00 PM
We have a SQL 2012 Cluster that is not exhibiting this behavior.
We have tried both, let the cluster wizard create the cluster object, (it defaults to the computer OU). We then run the validation wizard and it fails. When we pre-create the object in our SQL OU it creates the cluster, but fails the validation. even after granting the correct permissions. No nothing has been done to default AD permissions.
It seems to be a bug with SQL 2016 WFC.
We even try running this command (edited for security) and yet the validation fails.
dsacls "dc=foo,dc=bar,dc=foo,dc=com" /I:S /G "foo\foo-bar$:GRCC;;computer"
Tuesday, May 1, 2018 11:15 AM
Hello,
I'm having this same issue, was wondering if anyone found a solution?
Strange thing is, we have a test & dev environment (which is actually a restore of the production AD), where I built a 2-node 2016 cluster (on VMs with RDMs) and did not have this problem. In our production environment I'm building on HP Gen9 BL460c blades, and having this exact issue.
Thanks
Tuesday, May 1, 2018 5:39 PM
Did you try my earlier suggestion?
In order to resolve this, ensure that the Cluster computer object has Read on the root of your domain (does not need to go farther down the tree) and that it has Create Computer Objects and Read All Properties on the domain (must be inherited by the OU where the cluster computer object resides.
If you try to grant this on the OU where the cluster computer object exists, it will fail. It must start at the root of the domain.
The name of the cluster computer object is the cluster name with a $ at end (e.g. if cluster name is HV-CLUS1, the computer object will be HV-CLUS1$). Be sure to select the Computers type when trying to grant permissions otherwise you will not be able to check names successfully.
Be sure to mark as the answer if this works for you.
Grant Thompson
Wednesday, May 2, 2018 5:05 PM
In my case, I can see by the "effective permissions" that this account has the "read all properties" permission. It does NOT have the "Create computer objects" permission but this is on purpose since it's quite a large organization and we have to pre-stage our computer objects.
I have several 2008R2 and 2012R2 clusters and I built them the exact same way on this same AD domain. The only difference is that this happens to be Windows 2016 Standard instead of an earlier version of Win server.
I don't meant to hijack the OP's thread, just trying to see if there was ever a proper solution since I don't see this marked as an answer and this thread hasn't been modified since January 2018.
I've got a support case open with MS Premier support since I can't wait any longer to find a solution for this, but I will gladly reply with the solution that works for me.
Wednesday, May 2, 2018 5:27 PM
Did you pre-stage the cluster object correctly (including permissions)?
Grant Thompson
Wednesday, May 9, 2018 11:46 AM
Sorry for the delay replying, still working on this issue with MS and multiple other tasks and projects.
But yes, I can absolutely guarantee the cluster object was prestaged correctly. I've been building 2008R2 and 2012R2 clusters using this same method, and never had a problem. I have also double-checked absolutely everything.
Please note that this is a large organization and for reasons I can't reveal, our DC's are at a minimum level of 2008R2, but the DFL is 2003. I believe this is still supported as long as there are not any remaining 2003 domain controllers, which I confirmed is the case.
Any thoughts?
Wednesday, May 9, 2018 11:58 PM
I do not have any more thoughts. The only time I have seen this issue it was the permissions issue. I have never seen it with pre-staging. Do post the resolution here for the next person to run into this.
Grant Thompson
Thursday, May 10, 2018 12:12 PM
That's exactly it, I've never had this problem before either. Thanks for your time, I will certainly post the resolution once we find it.
Tuesday, May 15, 2018 1:21 PM
Hello Technut79,
we face the same problem here. Did Microsoft solve the problem? If so what was the problem ?
Friday, May 25, 2018 1:42 PM
Hi,
Did you get any solution from MS.
Wednesday, August 15, 2018 12:47 PM
Hi All,
I have this issue since 3 weeks now and I have even an opened case with Microsoeft still ongoing.
Whenver this is reported, anyone suggests the standard steps to follow for cluster creation which I guess everyone reporting this issue has already done it.
I even use the same VM redeploying it in the exact same conditions with 2012 and it works perfect, with Image 2016 it cannot work. The typical behaviour in 2016 is that the cluster CON takes vary long to even be creted, and yes if someone asks again, it is prestaged and in disabled mode. I even tried to do everything with highest account priviledges (domain admin) and full permissions fratened to CON in OU level and also the prestaged CAP name.
I wonder if it is related with DFL as it worked fine in another domain which is DFL 2012 R2 but yet, in a lab enviorement combination WIndows Cluster 2016 in DFL 2008 R2 worked. At this point the only thing that comes into my mind is that probably some security hardening or updates in windows 2016 conflict with DFL 2008 R2.
Monday, August 20, 2018 7:35 PM
hi all
has anyone got a solution for this, i cannot even create a file server role, it just fails after long waiting and never create any ad objects, tried all permissions. if I pre-stage the AD object, it errors saying object already exists even if disalbe it and give CNO full permissions on it.
in the same cluster, i have SOFS object running after pre-staging the vco and disabling it.
many thanks
TA
TA
Monday, September 3, 2018 8:44 AM | 1 vote
HI Everyone,
I am glad to tell that this issue is now known to Microsoft.
I managed with a support engineer to resolve this with a fix but which is still private and not launched yet.
It is expected to be released on 18-Sep-2018 as accumulutative but the date may change.
The issue seems to be that cluster service uses LDAP to query DC instead of ADSI which was used in
2012 R2. Using LDAP, when an object is not found on a DC, DC issues a referral
to another DC to query. As suspected this is happening only in a multi domain forest.
This fix will query instead the Global Catalogue to indentify that the prestaged object is not in use.
Patching level should aslos include KB4343887 before installing the expected fix.
So everyone needs to be patient till endo of September :)
Monday, September 3, 2018 10:57 AM
hi
i had a premium case opened with MS and can confirm that the private hotfix from MS(as Erion stated) worked for me too
was told the hotfix will be released to public in second half of September.
thanks
TA
Monday, September 24, 2018 8:29 PM
hi All
MS has release update with fix for this issue.
https://support.microsoft.com/en-us/help/4457127/windows-10-update-kb4457127
Thanks
TA
Tuesday, September 25, 2018 8:59 AM
Sadly,
KB4457127 does not resolve the issue for us.
The article also does not mention the issue described in this topic, as far as i'm aware.
Friday, February 8, 2019 2:42 PM | 4 votes
Hi all.
We had the same problem and reported it to MS. After several months of working on it, they gave us the solution.
I hope it serves you: Add the "Authenticated Users" user with Read permission to the Computers OU
Best Regards,
CarlosP
Wednesday, May 15, 2019 6:19 PM
Hi all.
We had the same problem and reported it to MS. After several months of working on it, they gave us the solution.
I hope it serves you: Add the "Authenticated Users" user with Read permission to the Computers OU
Best Regards,
CarlosP
Thank you this worked for us !
Friday, May 24, 2019 3:25 PM
Same issue here on 2019 Standard. Which permissions we need to grant and where?
We have domain.local\Computers which is not used and domain.local\Computers\Servers\Region\Subregion\Subtype\subtype\OUForCluster
I have the same issue - SOFS Cluster role is added OK ( before this I create a computer object CLUSTER-SOFS and give a CLUSTER-NAME$ permissions of Full Control to it ) .
But during cluster validation I have the same error as Topic Starter has.
BTW, for CAU role I have no such problems.
UPD:
We granted Authenticated Users [READ] permission on CN=Computers,DC=domain,DC=tld container for “This object and all descendants” and now this test passed. We do not use CN=Computers container, but this seems to be hardcoded somewhere.
Monday, May 27, 2019 7:35 AM
Although we don't either use the domain.local\Computers, we had to assign the "Authenticated Users" group Read permissions on that container.
A big thank you to CarlosP for sharing this information!
Thursday, August 29, 2019 11:18 PM
Hi Carlos,
Thanks very much for posting the solution. It worked for me and saved my time trying to chase Microsoft. Appreciate it.
Friday, September 13, 2019 5:00 PM
Having the exact same issue, we already have authenticated users on the OU , maybe we have to create a whole new OU just for clusters.
Friday, September 13, 2019 5:55 PM
erion, do you still have the hotfix you use ? i really would like to test it
Sunday, February 9, 2020 3:52 PM
I had this issue.
I resolved it just changing the order of the network adapters in cluster configuration.