
I have a Windows cluster provisioning script. I am not able to execute the New-Cluster command as Administrator. It says that the user should be a domain user to be able to execute the command.

I'm trying to use PSExec to log in as a domain user and see if the command is working, but still with no success.

```
C:\Users\Administrator\Desktop\PSTools\PsExec.exe -s -u name -p "pass" -accepteula cmd /c "powershell -noprofile & { Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File"C:\scripts\cluster-config.ps1" " -Verb RunAs; exit }"
```

(I have passed the params correctly while executing)

The cluster-config.ps1:

```powershell
param(
    [Parameter(Mandatory=$true)][string]$clusterName,
    [Parameter(Mandatory=$true)][string]$srv1,
    [Parameter(Mandatory=$true)][string]$srv2,
    [Parameter(Mandatory=$true)][string]$clusterIP
)

# Create and configure the WinCluster
New-Cluster -Name $clusterName -Node $srv1,$srv2 -StaticAddress $clusterIP -AdministrativeAccessPoint ActiveDirectoryAndDns
```

How can I create a Windows Cluster as ad Administrator? Unfortunately direct login with domain user credentials is not possible.

Vini

1 Answer

In order to create the new Cluster, you need to have the rights to be able to create a new Cluster computer account in Active Directory. A normal Domain User does not have rights to create a new computer account in Active Directory unless they have the rights delegated to them.

Your statement "direct login with domain user credentials is not possible" is not possible at all. A cluster in an Active Directory creates a physical Computer Account in Active Directory. If you do not have access/don't log in to Active Directory you cannot create a cluster.

Usually for a cluster, a Domain Administrator has to first create the cluster (thereby creating the appropriate Computer account). Then, using that newly created account, delegate access. Once the cluster has the appropriate rights delegated to it, it can create the Computer Accounts needed to create the roles needed for the cluster.

  1. Create the cluster with a Domain Administrator login. This will create the initial Active Directory Computer account.
  2. In Active Directory we need to then delegate control for the computer account and Configured Cluster name CLUSTERNAME with rights to add computers to the domain (so that it has rights to add the resources to AD):
  3. Active Directory Users and Computers -> right-click domain -> Delegate Control
  4. Enter Computer Name – CLUSTERNAME
  5. Delegate the following common tasks -> Join a Computer to the domain
HAL9256
  • Thank you for the answer. The creation of the cluster is part of an automation, so the domain user can't log in to the machine as part of the automation process. The domain user has all admin rights. I am trying to use PSExec to log in to the machine with the domain user account. – Vini Nov 27 '19 at 11:58
  • Yes, you need to be an administrator on the computer. The problem is that in order to fully *create* the cluster you also need to be able to **create** a computer account in Active Directory. By default Domain Administrators can do this. If you need a regular Domain User to be able to create the Cluster Computer account, you can follow the same steps above, but instead of delegating the Join Computer to domain rights to the computer account, you can delegate those rights to the Domain User account. Also, you can delegate at a specific OU level (i.e. you don't have to do it on the root of the domain). – HAL9256 Nov 27 '19 at 16:22
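An added example, not code from the question or the answer: the OU-scoped delegation described in the answer and its follow-up comment, expressed in PowerShell, plus a pre-flight check that stops the automation when it is running as SYSTEM or a local account. The OU `OU=Clusters,DC=example,DC=com` and the account `EXAMPLE\svc-cluster` are placeholders, and the script assumes the RSAT ActiveDirectory module and that the cluster nodes' computer accounts live in that OU.

```powershell
# Added example with placeholder names; not taken from the original post.
Import-Module ActiveDirectory   # RSAT module; provides the AD: drive used below

# schemaIDGUID of the "computer" object class in Active Directory
$ComputerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Grant-CreateComputer {
    # Run once by a directory admin: allow $Account to create computer
    # objects directly in $OU only, instead of granting Domain Admin.
    param([string]$OU, [string]$Account)
    $sid  = ([System.Security.Principal.NTAccount]$Account).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
                [System.Security.AccessControl.AccessControlType]::Allow,
                $ComputerClass,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl = Get-Acl -Path "AD:\$OU"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OU" -AclObject $acl
}

function Test-CreateComputer {
    # $true if an Allow/CreateChild ACE for computer objects names $Account
    # on $OU. Rights held only through group membership are not detected.
    param([string]$OU, [string]$Account)
    $create = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $aces = (Get-Acl -Path "AD:\$OU").Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $create) -and
        $_.ObjectType -eq $ComputerClass
    }
    [bool]$aces
}

function Assert-DomainIdentity {
    # New-Cluster needs a domain account: reject SYSTEM and local accounts.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    if ($id.IsSystem -or $id.Name -like "${env:COMPUTERNAME}\*") {
        throw "Running as '$($id.Name)', which is not a domain account."
    }
    $id.Name
}

# Usage (placeholders):
# Grant-CreateComputer -OU 'OU=Clusters,DC=example,DC=com' -Account 'EXAMPLE\svc-cluster'
# Test-CreateComputer  -OU 'OU=Clusters,DC=example,DC=com' -Account 'EXAMPLE\svc-cluster'
# Assert-DomainIdentity   # call at the top of cluster-config.ps1, before New-Cluster
```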