When building a Windows cluster, you must first enter its name in the respective tool, be it Failover Cluster Manager, PowerShell, or Windows Admin Center. The tool then creates a computer object with that name in AD, the Cluster Name Object (CNO), and a corresponding host record in DNS.
CNO prestaging
By default, the CNO is created in the Computers container. The Cluster Wizard in Windows Admin Center does not offer an alternative to this location. Therefore, if you want to use a different location, and the cluster will be set up by an admin who does not have the right to create AD objects, you can prestage the CNO.
To do this, right-click the desired OU in Active Directory Users and Computers and select New > Computer.
In the following dialog box, enter the desired name. After confirming, you should activate the option Protect object from accidental deletion in the Object tab of the CNO's properties.
It is also important to execute the command Deactivate account from the context menu of the computer account. Otherwise, you will get an error that the account is already in use when you create the cluster.
Assigning rights to a cluster admin
If the cluster is created by another admin, it should be ensured that they have sufficient permissions to the CNO. To do this, open its properties, go to the Security tab, add the necessary users or groups, and grant them full access.
Finally, the CNO should be given permissions to the OU it is located in, because cluster roles create their own computer objects there, and the admin will not be able to add them otherwise. For this task, open the properties of the OU, go to the Security tab, click Advanced, and then Add.
Click the Select Principal link to open the selection dialog for accounts to be authorized and add Computers to the Object Types. Then enter the CNO and confirm in the dialog box if the click on Check Names was successful.
In the list of permissions that will then appear, activate Create Computer Objects in addition to the preselected ones.
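The same prestaging steps can be scripted with the ActiveDirectory module instead of clicking through Active Directory Users and Computers. The following is an added example, not code from the original article; the OU, the cluster name, and the admin group name are placeholders, and the GUID is the schemaIDGUID of the AD "computer" class, which is what the "Create Computer Objects" entry in the GUI resolves to.

```powershell
# Added example (not from the original article): prestage a cluster name object (CNO)
# with PowerShell. The OU, CNO name and admin group below are assumptions.
Import-Module ActiveDirectory

$ouDN         = 'OU=Clusters,DC=contoso,DC=com'   # assumption: target OU for the CNO
$cnoName      = 'CLUSTER01'                        # assumption: planned cluster name
$clusterAdmin = 'ClusterAdmins'                    # assumption: group that runs the cluster wizard

# 1. Create the computer object disabled. Failover Clustering claims and enables it when
#    the cluster is formed; an enabled account produces the "already in use" error.
New-ADComputer -Name $cnoName -SamAccountName $cnoName -Path $ouDN -Enabled $false `
    -Description 'Prestaged cluster name object'

$cnoDN = "CN=$cnoName,$ouDN"

# 2. Same as the "Protect object from accidental deletion" checkbox on the Object tab
Set-ADObject -Identity $cnoDN -ProtectedFromAccidentalDeletion $true

# 3. Full control on the CNO for the admin group that will create the cluster
$adminSid = (Get-ADGroup -Identity $clusterAdmin).SID
$cnoAcl   = Get-Acl -Path "AD:\$cnoDN"
$cnoAcl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $adminSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow))
Set-Acl -Path "AD:\$cnoDN" -AclObject $cnoAcl

# 4. "Create Computer Objects" on the OU for the CNO, so cluster roles can be added later
$cnoSid            = (Get-ADComputer -Identity $cnoName).SID
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "computer"
$ouAcl = Get-Acl -Path "AD:\$ouDN"
$ouAcl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $cnoSid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))
Set-Acl -Path "AD:\$ouDN" -AclObject $ouAcl

# 5. Verify: the CNO is disabled and protected, and the OU carries a CreateChild ACE for it
Get-ADComputer -Identity $cnoName -Properties ProtectedFromAccidentalDeletion |
    Select-Object Name, Enabled, ProtectedFromAccidentalDeletion
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$cnoName`$" -and $_.ActiveDirectoryRights -match 'CreateChild' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

Run this as an account that may create objects in the OU and edit both ACLs; the verification at the end shows the two facts that the cluster wizard will later depend on (a disabled, protected CNO and its right to create child computer objects). Granting GenericAll to the admin group mirrors the "full access" the article grants in the GUI; if you prefer a narrower delegation, reduce the rights in step 3.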
Problems with missing DNS records
By now, you should be able to create a server cluster with this name. When you're done and try to connect to the cluster, the connection can fail for several reasons. The cause is relatively obvious if you have been using Windows Admin Center (WAC), as its Cluster Creation Tool fails to create the corresponding DNS entry.
The System event log will then contain Event ID 1196 with the following text:
Cluster network name resource "Cluster name" failed registration of one or more associated DNS name(s) for the following reason: DNS server failure.
Ensure that the network adapters associated with dependent IP address resources are configured with at least one accessible DNS server.
You can query the corresponding entries on a cluster node with PowerShell, like this:
Get-EventLog -LogName system -InstanceId 1196 -Newest 5
Creating DNS entries for the CNO
Consequently, the DNS entry will be missing after the cluster configuration is complete; therefore, you have to create it yourself. In the DNS manager, execute the command New Host (A or AAAA). Enter the name of the cluster in the dialog box, and enter the IP address of the owner node's management interface to be able to connect immediately.
The cluster owner is obtained by executing the following command on one of the nodes:
Get-ClusterResource | Format-List -Property *
It is now important to grant the cluster nodes and the CNO full access to the record. This is necessary because cluster ownership changes between the nodes, and therefore, they must all be able to update the DNS entry independently.
To do this, open the properties of the new record, switch to the Security tab, and click Add. Then you must activate Computers again under Object types, so that you can then search for the names of the nodes and the CNO. Finally, confirm your changes.
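Both steps of this section, creating the host record and granting the CNO and every node full control over it, can be done from a cluster node with PowerShell. The following is an added example and not code from the article; it assumes the zone is AD-integrated and stored in the DomainDnsZones partition, that each node's own A record points at its management interface, and the cluster name, zone, DNS server and domain DN are placeholders.

```powershell
# Added example (not from the original article): create the CNO's missing A record and
# give the CNO plus all cluster nodes full control over it. Run on a cluster node that has
# the RSAT ActiveDirectory and DnsServer modules. All values below are assumptions.
Import-Module ActiveDirectory
Import-Module FailoverClusters
Import-Module DnsServer

$cnoName   = 'CLUSTER01'          # assumption: cluster name
$zoneName  = 'contoso.com'        # assumption: DNS zone (AD-integrated, DomainDnsZones scope)
$dnsServer = 'dc01.contoso.com'   # assumption: DNS server hosting the zone
$domainDN  = 'DC=contoso,DC=com'  # assumption: domain DN

# 1. Which node currently owns the core cluster group? Use its management address so the
#    cluster is reachable immediately (assumes the node's A record is its management IP).
$ownerNode = (Get-ClusterGroup -Name 'Cluster Group').OwnerNode.Name
$ownerIp   = (Resolve-DnsName -Name $ownerNode -Type A -Server $dnsServer |
    Where-Object { $_.QueryType -eq 'A' } | Select-Object -First 1).IPAddress

# 2. Create the host record that the WAC wizard did not create
Add-DnsServerResourceRecordA -ComputerName $dnsServer -ZoneName $zoneName `
    -Name $cnoName -IPv4Address $ownerIp

# 3. The record is stored in AD as a dnsNode object; locate it in the zone's partition
$recordDN = (Get-ADObject -Filter "objectClass -eq 'dnsNode' -and name -eq '$cnoName'" `
    -SearchBase "DC=$zoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN").DistinguishedName

# 4. Full control for the CNO and each node: ownership moves, so every node must be able
#    to update the record on its own
$principals  = @((Get-ADComputer -Identity $cnoName).SID)
$principals += (Get-ClusterNode | ForEach-Object { (Get-ADComputer -Identity $_.Name).SID })

$acl = Get-Acl -Path "AD:\$recordDN"
foreach ($sid in $principals) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow))
}
Set-Acl -Path "AD:\$recordDN" -AclObject $acl

# 5. Verify the record resolves and the ACL lists the CNO and the nodes
Resolve-DnsName -Name "$cnoName.$zoneName" -Server $dnsServer
(Get-Acl -Path "AD:\$recordDN").Access | Select-Object IdentityReference, ActiveDirectoryRights
```

If step 3 returns nothing, the dnsNode object has not replicated yet to the domain controller the AD: drive is connected to, or the zone is stored in ForestDnsZones or the domain partition instead; adjust the search base accordingly. Once the ACL is in place, the next failover should log a successful registration instead of Event 1196.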
Removing unsuitable DNS servers
Connecting to a cluster might also fail because the network configuration of the cluster nodes lists a DNS server in which they have no permission to register records. These are typically resolvers from internet providers or public DNS services, such as Google.
In this case, if you use WAC for cluster configuration, you can connect directly to the individual nodes from there and add only the internal DNS servers via the network tool, for example, by using a static entry.
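Instead of checking each node in WAC, the same inspection and correction can be run across all nodes from PowerShell. The following is an added example, not code from the article; the internal DNS server addresses are placeholders, and it assumes PowerShell remoting is enabled on the nodes.

```powershell
# Added example (not from the original article): report adapters on every cluster node that
# point at a DNS server outside the internal list, then replace them with a static entry.
# The internal DNS addresses are assumptions; run on a cluster node with remoting enabled.
Import-Module FailoverClusters

$internalDns = @('10.0.0.10', '10.0.0.11')   # assumption: your domain controllers / internal DNS

$nodes = (Get-ClusterNode).Name

# Collect the IPv4 resolver list of every adapter that has one configured
$report = Invoke-Command -ComputerName $nodes -ScriptBlock {
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        Select-Object InterfaceAlias, ServerAddresses
}

# Flag adapters that reference any resolver not in the internal list (e.g. a public one)
$offending = $report | Where-Object {
    @($_.ServerAddresses | Where-Object { $_ -notin $internalDns }).Count -gt 0
}
$offending | Select-Object PSComputerName, InterfaceAlias, ServerAddresses

# Rewrite those adapters to the internal servers only
foreach ($entry in $offending) {
    Invoke-Command -ComputerName $entry.PSComputerName -ScriptBlock {
        param($alias, $servers)
        Set-DnsClientServerAddress -InterfaceAlias $alias -ServerAddresses $servers
    } -ArgumentList $entry.InterfaceAlias, (,$internalDns)
}
```

The report step is worth keeping even if you fix the settings manually: it shows which node and interface still carries the external resolver, which is otherwise easy to miss on multi-homed cluster nodes.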