1. Create a prestaged CAU computer object in your Active Directory cluster folder. As an example, use ClusterName-CAU (e.g. Cluster01-CAU). If you don’t do this, the CAU wizard will create a randomly named object.
2. Add this new CAU object to the local admins group on all related cluster nodes.
3. Grant the cluster object (e.g. Cluster01) "full access" to the new CAU object in AD: open the CAU object, go to Security, add the cluster object and check Full Access. Without this access the CAU wizard will fail to complete.
4. Modify the cluster group policy object or the local policy on your nodes to grant the cluster object the “Force shutdown from a remote system” right on both nodes. The setting is under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Force shutdown from a remote system. Without this right the cluster will update the node but can’t force a restart, so cluster updating will fail.
Note:
If configuration of CAU fails, you may see Kerberos errors in the Server Manager console on either node, or “failed” objects in the cluster resources list. Check the cluster resources using PowerShell to verify that the prestaged cluster object is properly listed. “Get-ClusterResource” will list all the cluster resources and their states.
If the CAU object is listed in a failed state, or the incorrect object is listed (perhaps you didn’t properly enter a prestaged computer account), rerun the CAU wizard and remove the role. Re-run the PowerShell command to verify that the objects were properly removed by the wizard. If they weren't removed, you can remove them manually with the “Remove-ClusterResource resourcename” command. If the cluster is in a good state, re-run the wizard and configure it again.
I noticed what might be a glitch in the way the wizard creates the resources. The first time you run the wizard you'll notice one of the resources has a somewhat randomized name slightly resembling the prestaged computer account you created. If you run the wizard, remove the settings, then re-run the wizard to add the settings back a second time they'll be named more closely to your prestaged computer account. Bizarre!
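Steps 1 to 3 above, plus checks for step 4 and for the note, scripted in PowerShell as an added example (not part of the original post). The OU path is a placeholder, and the script assumes the ActiveDirectory and FailoverClusters modules and PowerShell remoting to the nodes.

```powershell
# Added example. Placeholder values are marked; adjust them before use.
Import-Module ActiveDirectory, FailoverClusters

$ClusterName = 'Cluster01'                       # cluster name object, as in the post
$CauName     = "$ClusterName-CAU"                # prestaged CAU object, as in the post
$ClusterOU   = 'OU=Clusters,DC=example,DC=com'   # placeholder: OU holding the cluster objects
$Nodes       = (Get-ClusterNode -Cluster $ClusterName).Name
$Member      = '{0}\{1}$' -f (Get-ADDomain).NetBIOSName, $CauName

# Step 1: prestage the CAU computer object (disabled) unless it already exists.
$cau = Get-ADComputer -Filter "Name -eq '$CauName'"
if (-not $cau) {
    $cau = New-ADComputer -Name $CauName -Path $ClusterOU -Enabled $false -PassThru
}

# Step 2: add the CAU object to local Administrators on every node.
# net localgroup reports error 1378 if the account is already a member.
Invoke-Command -ComputerName $Nodes -ScriptBlock {
    net localgroup Administrators $using:Member /add
}

# Step 3: grant the cluster object full control over the CAU object only.
$cno  = Get-ADComputer -Identity $ClusterName
$path = "AD:\$($cau.DistinguishedName)"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $cno.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Step 4 check: is the cluster object's SID assigned SeRemoteShutdownPrivilege
# ("Force shutdown from a remote system") directly? Rights granted through a
# group show the group's SID instead and are reported as False here.
$cnoSid = $cno.SID.Value
Invoke-Command -ComputerName $Nodes -ScriptBlock {
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeRemoteShutdownPrivilege'
    [pscustomobject]@{
        Node     = $env:COMPUTERNAME
        HasRight = [bool]($line.Line -match [regex]::Escape($using:cnoSid))
    }
}

# After running the CAU wizard: list cluster resources that are not Online.
Get-ClusterResource -Cluster $ClusterName | Where-Object { $_.State -ne 'Online' }
```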
Thanks so much for this! Before I followed the above, I ended up with a randomly named CAU account. Now, I can have the CAU account follow our standard naming scheme, and have it all Just Work.