I recently created a proof of concept for a client that was built into their production environment. The POC required me to create a couple of failover clusters, so I got the names from the customer, and created them… like I’d done a thousand times before.
Several weeks went by and the customer called me and asked why they weren’t able to move the cluster name object (CNO) into an Active Directory (AD) Organizational Unit (OU). Before I went chasing unicorns I opened an AD console and tried to move it myself. Sure enough, I got an Access Denied response.
Hmmm… I was using my Domain Admin account… Wasn’t that supposed to give me the keys to the kingdom?
Like every object in Active Directory, the CNO has security properties, and by default these protect it from being moved. The Create Cluster wizard creates the computer object with "Protect object from accidental deletion" set, which places a Deny ACE for Everyone on delete; since a move is a delete from the source container, even a Domain Admin gets Access Denied. Of course, you can change these permissions if you like, but I am not a huge fan of doing that if I don’t have to. Instead, what I would rather do is place the CNO into the proper OU when it is created, and then leave it there.
The problem with that is the New Failover Cluster Wizard… there is no option to place the cluster into a non-default OU. Well, that’s not entirely true… the option is there, and it is hiding in plain sight. In the Cluster Name dialog box, instead of the short name, enter the full distinguished name (DN) of the object you want created… CN=ClusterName,OU=Clusters,DC=SWMI,DC=ca
Simple, huh? It’s so simple that I’ll bet you will want to know how to script this, so you can do it over and over again, right? So watch this:
PS C:\> New-Cluster -Name "CN=ClusterName,OU=Clusters,DC=SWMI,DC=ca" -Node Server1, Server2, Server3
Simple as pie, right? It is… but keep the distinguished name in quotes (an unquoted value with commas is parsed by PowerShell as an array, not one string), and make sure you get the DN right. If the OU path is mistyped, or the account running New-Cluster does not have the Create Computer Objects right on that OU, this will fail, and the error won’t tell you why.
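Here is a scripted version of the same idea, added here as an example rather than taken from the original post. It checks the two things that make this fail for no obvious reason (the OU DN must actually exist, and the object must end up where you asked) before and after calling New-Cluster. The domain SWMI.ca, the OU name Clusters, the cluster name CLUSTER01, the node names and the static address are all assumed values; change them for your environment.

```powershell
# Added example, not code from the original post. Creates a cluster whose CNO
# lands in a chosen OU and verifies the result. Assumes the ActiveDirectory and
# FailoverClusters modules are installed, and uses the hypothetical names below.
Import-Module ActiveDirectory
Import-Module FailoverClusters

$ClusterName   = 'CLUSTER01'                       # assumed cluster name
$TargetOu      = 'OU=Clusters,DC=SWMI,DC=ca'        # assumed target OU (DN form)
$Nodes         = 'NODE1', 'NODE2'                   # assumed node names
$StaticAddress = '192.0.2.50'                       # assumed cluster IP (documentation range)

# 1. A cluster name is a NetBIOS name: 15 characters max, and it must not contain
#    characters that would need escaping inside a distinguished name.
if ($ClusterName.Length -gt 15 -or $ClusterName -match '[,=+<>#;"\\]') {
    throw "Cluster name '$ClusterName' is too long or contains characters that need DN escaping"
}

# 2. Fail early if the OU is mistyped; the error New-Cluster gives later is far less clear.
try {
    $ou = Get-ADOrganizationalUnit -Identity $TargetOu -ErrorAction Stop
} catch {
    throw "Target OU '$TargetOu' was not found in Active Directory: $($_.Exception.Message)"
}

# 3. Build the DN and pass it as ONE string. An unquoted, comma-separated token
#    would be split into an array by PowerShell's argument parser.
$CnoDn = "CN=$ClusterName,$($ou.DistinguishedName)"

New-Cluster -Name $CnoDn -Node $Nodes -StaticAddress $StaticAddress -ErrorAction Stop | Out-Null

# 4. Confirm the CNO was created in the requested OU, and report whether it carries
#    the default "protect from accidental deletion" flag that blocks later moves.
$cno = Get-ADComputer -Identity $CnoDn -Properties ProtectedFromAccidentalDeletion -ErrorAction Stop
if ($cno.DistinguishedName -ne $CnoDn) {
    throw "CNO was created at '$($cno.DistinguishedName)', expected '$CnoDn'"
}

[PSCustomObject]@{
    Cluster   = $ClusterName
    CnoDn     = $cno.DistinguishedName
    Protected = $cno.ProtectedFromAccidentalDeletion
}
```

Run it from an elevated PowerShell session on one of the nodes with an account that has the Create Computer Objects right on the target OU (or pre-stage the CNO there first). Drop the -StaticAddress parameter if the cluster network uses DHCP.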
Now get back to work!