Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Monday, December 2, 2019 4:42 PM
I have seen this question posted on the forum many times before, but no solution worked for me.
I have three servers that I would like to configure in a failover cluster, but I cannot perform validation testing. Every time that I try to perform a validation, it gives me an error when adding a server: "You do not have administrative privileges on the server <servername>."
The account that I am using is a domain account, and it is apart of the local Admin, Remote Desktop Users, and Remote Management Users group on each server.
To make sure that the account I was using wasn't corrupt, I deleted the user profile from the Registry and had it recreated, with no change.
None of the servers are a DC.
I shouldn't need to have domain permissions to create computer objects. I've done this in the past without having this ability and it worked fine. I also shouldn't need to be a domain admin. I've done this in the past without being a domain admin, and it worked fine.
I also notice that if I try to remotely manage another server through Server Manager (i.e. trying to launch "Computer Management" under a remote server), i get a popup window with the title "Event Viewer" and the message "Access Denied(5)"
It's as if the servers are not recognizing this domain account as being apart of local admins, even though it's apart of the group on each server.
All replies (8)
Tuesday, December 3, 2019 9:51 AM
Hi,
Thanks for your question.
Yes, I agree with you, The Account of the person who installs the cluster does not have to be a domain administrator account. It can be a domain user account if it meets the other requirements as below.
- The account must have administrative permissions on the servers that will become cluster nodes.
- The account (or the group that the account is a member of) must be given the Create Computer objects and Read All Properties permissions in the container that is used for computer accounts in the domain.
- If your organization chooses to prestage the cluster name account (a computer account with the same name as the cluster), the prestaged cluster name account must give “Full Control” permission to the account of the person who installs the cluster.
Detailed reference for you,
/en-us/windows-server/failover-clustering/configure-ad-accounts
In addition, please refer to the above reference and the following cluster prestage for the requirement of the cluster deploying.
/en-us/windows-server/failover-clustering/prestage-cluster-adds
Besides, the credentials to add servers to servermanager, we can check this docs,
/en-us/windows-server/administration/server-manager/add-servers-to-server-manager
Highly appreciate your effort and time. If you have any question or concern, please feel free to let me know.
Best regards,
Michael
Please remember to mark the replies as an answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]
Tuesday, December 31, 2019 3:45 PM
I hate to come back after nearly a month, but this is still not working for me.
To confirm:
- I am using a domain user account.
- My domain user account is apart of the local administrators group on each server
- My domain user account has permission to create Computer Objects in AD as well as Read All Properties
I still receive the same error when trying to add a server to configuration validation. Same error when creating a cluster without running validation.
You do not have administrative privileges on the server 'XXXXX'.
I have tried prestaging a cluster, and that seems to make no difference. I still get the same error.
I've tried uninstalling the Failover Cluster feature on all servers and reinstalling on all servers. Same error.
I have tried deleting the all registry keys related to failover clusters, uninstalling the role, and reinstalling. Same error.
I have tried `cluster node <server_name> /forcecleanup` on each of the servers. Same error.
The servers are available and reachable in server manager from each node. There are no communication issues between the servers.
I am truly at a loss for what else to try. I've done this in the past with the exact same account, permissions, and machines. It baffles me that it could just not work now, and without any clear indication as to why.
Thursday, January 2, 2020 12:22 PM
Hi,
Can you remove cluster feature, reboot the servers. Install the feature and then try creating cluster? I had faced similar issue and after performing re-installing the cluster feature, it worked for me.
Thanks,
Umesh.S.K
Thursday, January 2, 2020 9:44 PM
I have uninstalled, rebooted, and reinstalled the feature countless times on all servers. It has no effect.
Today I performed a system recovery on all servers. I was able to add the servers to validation configuration (WITHOUT the error!!!) after the system recovery, but I didn't have Hyper-V installed on two of the servers. After installing Hyper-V role onto those two servers, I can no longer add them to validation configuration and the admin privileges error makes it's appearance yet again.
I'm stumped. Why did installing the Hyper-V role suddenly revoke my access?!
Friday, January 3, 2020 2:31 PM
Did you add your domain account to the Hyper-V Administrators group on each node?
tim
Friday, January 3, 2020 5:31 PM
I had not before, but I have now added my domain account to the Hyper-V Administrators group on each server, rebooted each, and still no change.
Currently, I managed to set up a 1 node cluster from the original server that had Hyper-V already installed. If I try to add a node to the cluster from that machine, I keep getting Access Denied errors. This is through the Failover Cluster Manager AND through Powershell.
I granted full access to myself on the cluster via Powershell. Access denied.
I tried going to the server I was getting denied from and join it locally from the machine through FCM, but then it told me that I don't have administrative privileges on the cluster.... WHAT?! Same result when trying to add the node via Powershell.
I tried another `cluster node <problem_server_name> /forcecleanup` and tried again, still access is denied.
I tried granting myself full cluster access yet again (which DOES execute successfully), and still, it tells me that I don't have the needed administrative privileges.
I swear I am using the same user. I swear that I am making minimal changes to my servers. They're literally all identical to one another: brand new machines fully clean with nothing but Windows roles/features and git installed on them. Same OS, same updates, same everything. `Get-ClusterAccess` shows that my domain account does indeed have full cluster rights. Yet again I must enunciate that my domain account is also apart of local administrators, Hyper-V administrators, remote desktop users, and remote management user groups on each server.
This has turned into such a headache. The only other thing I can think to do is to do another system recovery on the problem server, but I'm afraid that I'll lose access again as soon as Hyper-V role is installed.
Please, please, please. Any other ideas or suggestions are greatly appreciated.
Saturday, January 4, 2020 1:42 PM
Sounds like it is time to open a support case with Microsoft. They can work with you through the issue.
tim
Sunday, January 5, 2020 12:21 PM
Hi,
Can you check if there is any issue with time sync with its domain controller?
Thanks,
Umesh.S.K