次の方法で共有


Error during installation of an SQL server Failover Cluster Instance

A common issue I've run into while helping with SQL Server Failover Cluster (FCI) installations is the failure of the Network Name. In the following post I'll discuss a bit of background, the common root cause, and how to resolve it.

Background

The SQL Server Database Engine service is dependent on the Network Name resource. A failure of the Network Name will result in the SQL Server Resource not coming online.

When the Windows Failover Cluster (WFC) is initially configured a Cluster Name object (CNO) will be created. The CNO is visible as a computer object in your Activity Directory Users and Computer snap-in (dsa.msc). By default the CNO will be created in the Computers container and granted specific permissions:

image

After a successful SQL Server FCI installation you will now see a Virtual Computer Object (VCO) for the SQL Server Network Name:

clip_image002

*Note: After the CNO is created any additional Network Name resource in the cluster is considered a Virtual Computer Object. VCO’s are simply Computer objects in which the CNO has permissions to change the properties or reset the password.

Problem

But what if the CNO does not possess the required permissions to create computer objects in the “Computers” container?

It is in the above scenario where we commonly see the following errors during SQL Server FCI installation:

clip_image003

The following error has occurred:

The cluster resource 'SQL Server (SQL2012)' could not be brought online due to an error bringing the dependency resource 'SQL Network Name(VSQL2012)' online. Refer to the Cluster Events in the Failover Cluster Manager for more information.

A user encountering the same issue while installing a pre-SQL Server 2012 version may see:

The cluster resource 'SQL Server (MSSQLSERVER)' could not be brought online. Error: The resource failed to come online due to the failure of one or more provider resources. (Exception from HRESULT: 0x80071736)

System log:

Cluster network name resource 'SQL Network Name (VSQL2012)' failed to create its associated computer object in domain 'motox.com' during: Resource online.

The text for the associated error code is: A constraint violation occurred.

Please work with your domain administrator to ensure that:

- The cluster identity 'CLUS2012$' has Create Computer Objects permissions. By default all computer objects are created in the same container as the cluster identity 'CLUS2012$'.

- The quota for computer objects has not been reached.

- If there is an existing computer object, verify the Cluster Identity 'CLUS2012$' has 'Full Control' permission to that computer object using the Active Directory Users and Computers tool.

Cluster log:

[RES] Network Name: [NNLIB] Creating object VSQL2012 using ADSI in OU OU=SQL,DC=motox,DC=com on DC: \\MOTOXDC.motox.com , result: 8239

[RES] Network Name: [NNLIB] Failed to create Computer Object VSQL2012 in the Active Directory, error 8239

Cause

The common cause of the Network Name resource failure is insufficient permissions. More specifically, the permission "Create Computer Objects" has not been granted to the Cluster Name Object(CNO).

https://technet.microsoft.com/en-us/library/cc731002(v=ws.10).aspx

“…when you create a failover cluster and configure clustered services or applications, the failover cluster wizards create the necessary Active Directory computer accounts (also called computer objects) and give them specific permissions. The wizards create a computer account for the cluster itself (this account is also called the cluster name object or CNO) and a computer account for most types of clustered services and applications”

When the SQL Server Network Name is first brought online during the FCI installation process, the CNO identity is used to create the VCO(as long as the VCO doesn’t already exist). If the required permissions are not granted to the CNO, the creation of the VCO will fail and so will your SQL Server FCI installation.

*Note: The Create Computer objects right only applies to Domain Functional Levels above Windows Server 2003. For Windows Server 2003 the required privilege is “Add Workstations to the Domain”.

Resolution(s)

Option #1

We must grant the permissions "Read all properties" and "Create Computer objects" to the CNO via the container. Here's an example of granting the required permissions for demonstration purposes:

1. Open the Active Directory Users and Computers Snap-in (dsa.msc).

2. Locate “Computers” container:

clip_image004

3. Make sure "Advanced Features" is selected:

clip_image005

4. Open the properties of the container and click the "Security" tab. Click "Add" and add the CNO. Make sure to select “Computers” option in the “Object Types” window:

clip_image006

clip_image007

5. Click "Advanced", highlight the CNO, and click "Edit":

clip_image008

6. Make sure "Read all properties" and "Create Computer objects" are checked. Click OK until you're back to the AD Users and Computer window:

clip_image009

7. Retry your previously failed installation. Note that with SQL Server 2012 there will be a “retry” button.

Option # 2

We can also “Pre-Stage” the VCO, which is useful in situations where the Domain Administrator does not allow the CNO “Read All Properties” and “Create computer Objects” permissions:

1. Ensure that you are logged in as a user that has permissions to create computer objects in the domain.

2. Open the Active Directory Users and Computers Snap-in (dsa.msc).

3. Select View -> Advanced Features.

4. Right click the OU/Container you want the VCO to reside in and click “New” -> “Computer”

clip_image010

5. Provide a name for the object (This will be your SQL Server Network Name) and click “OK”:

clip_image011

6. Right click on the on the VCO you just created and select “Properties”. Click the security tab and then click “Add”:

clip_image012

7. Enter the CNO (Make sure to select “Computers” option in the “Object Types” window) and click “OK”.

clip_image013

clip_image014

8. Highlight the CNO, check the following permissions, and click “OK”.

Read

Allowed To Authenticate

Change Password

Receive As

Reset Password

Send As

Validate write To DNS Host Name

Validate Write To Service Principle Name

Read Account Restrictions

Write Account Restrictions

Read DNS Host Name Attributes

Read MS-TS-GatewayAccess

Read Personal Information

Read Public Information

*Note: You can replace step #8 by giving the CNO “Full Control” over the VCO

9. Install SQL Server and the Network Name resource should start without issue.

References:

Failover Cluster Step-by-Step Guide: Configuring Accounts in Active Directory

https://technet.microsoft.com/en-us/library/cc731002(WS.10).aspx

Before Installing Failover Clustering

https://msdn.microsoft.com/en-us/library/ms189910.aspx/html

Add workstations to domain

https://technet.microsoft.com/en-us/library/cc780195(v=WS.10).aspx

Troy Moen – Support Escalation Engineer

Comments

  • Anonymous
    October 26, 2013
    Finally!  This will save MANY hours in the future!   Thanks!

  • Anonymous
    January 11, 2014
    Awesome!  Thank you so much for posting this!  

  • Anonymous
    January 16, 2014
    Thanks for this info, it helped a lot! However, why is it like this? Is there not some way how cluster instance can be installed automatically without these help steps?

  • Anonymous
    April 22, 2014
    OMG. I LOVE YOU!!! 2 DAYS TO FIND WHAT WAS WRONG! THAT SOLUTION SAVE ME! THANK YOU!

  • Anonymous
    May 05, 2014
    Many thanks! This info was a great help.

  • Anonymous
    May 13, 2014
    Even after you followed the above steps , if still not resolved, do not cance your installation then try ipconfig /flushdns and run ipconfig /registerdns then it will work.

  • Anonymous
    May 20, 2014
    Thank you very much for this article, it saved me from deep frustration

  • Anonymous
    December 10, 2014
    I had been struggling with this until I found your article, many thanks!!

  • Anonymous
    January 06, 2015
    Thank you a lot for your support! But I need understand something...The Object CLUS2012, we have to create it?This object appears on your machine automatically or you have used as name as example?

  • Anonymous
    February 03, 2015
    Thank you so much. I tried Option #1 (no go) I then did Option #2 (It worked Perfect) Thank you again

  • Anonymous
    February 17, 2015
    Thanks for your excellent article.

  • Anonymous
    May 21, 2015
    Wow.  Black magic.  But well described, saved me a rebuild and reinstall.  Thanks!

  • Anonymous
    November 08, 2015
    You are Awesome!!!!! Thanks very very very much

  • Anonymous
    April 27, 2016
    this is such a life saver ! thanks man for sharing this awesome guidefeeling lucky to find this after few hours struggling this problem

  • Anonymous
    June 13, 2016
    Great post. Thank you

  • Anonymous
    June 28, 2016
    Hi, I have a problem about change server name. I received an error (Error Code: 0x8007005) "Cluster network name resource 'SQL Network Name (OLD_NAME)' failed to perform a name change operation. The domain controller '\DC...' where computer object 'OLD_NAME' was being renamed, could not be contacted. The error code was '5'. Ensure a writeable domain controller is accessible and check for any connectivity issue." So not change name. What can I do? Thanks.

  • Anonymous
    July 22, 2016
    Great! The second option solved my problem in installation time.

  • Anonymous
    May 04, 2017
    Restarting the cluster service let the permissions take effect so I could continue my install by pressing 'retry'

  • Anonymous
    August 02, 2017
    This blog helped us after 2 days of toiling clueless over the error while we were attempting Always on installation.SQL Server listener was failing to get created with ambigous errors.Further research in cluster logs lead to this error which was fixed by AD admins.Thanks a lot for the information

  • Anonymous
    May 08, 2019
    Thanks for this writeup. Our issue was the name already existed in the domain and the re-installation was using the same name.The name was disabled for some reason. It started working after i enabled the accounts.