Delegation of Control - SQL-FineBuild/Common GitHub Wiki
If you are installing a cluster where the Domain Controller is at Windows 2012 R2 or above then you need to consider Delegation of Control. This section contains the following:
Delegation of Control Overview
When a Computer Object is created in Active Directory, it inherits the right to create other Computer Objects from the standard Computers container. This right is needed to bring Cluster Groups online during a SQL Server cluster install.
It is normal practice in most organisations to move the Computer Object to another container more appropriate to the use of the Computer Object. In Windows 2012 and below the right to create other Computer Objects is retained, but in Windows 2012 R2 and above this right is lost after the Computer Object is moved. The result is that Cluster Groups can no longer be brought online during a SQL Server cluster install.
In order to overcome this problem, an explicit Delegation of Control must be performed. This process is not currently included in SQL FineBuild and must be performed manually. This issue is discussed further in https://blogs.technet.microsoft.com/kaushika/2014/11/17/when-creating-a-new-resource-or-role-in-windows-server-2012-r2-failover-cluster-the-network-name-fails-to-come-online-or-failed-to-create-associated-computer-object-in-domain/
Configure Delegation of Control
As described above, Delegation of Control is only required if you are installing a SQL Server cluster where the Domain Controller is at Windows 2012 R2 or above.
The Delegation of Control process can only be performed on a Windows Group, therefore the relevant Computer Object must be a member of a Windows Group. If you are using the recommended Managed Service Accounts then both the Service Accounts and the Computer Object must be contained within the same Windows Group, and it is recommended that this group is used as the target for Delegation of Control.
This process must be performed by a user who has Domain Administrator rights.
- Open the Active Directory Users and Computers console
- Right-click on any container and select Delegate Control...
- The Welcome window is displayed. Click Next to continue
- The Select Groups window is displayed. Click Add to select the required Group
- Select the required Group. Click OK to continue
- The selected groups are shown. Click Next to continue
- The Tasks to Delegate window is displayed. Select Create custom task to delegate and then click Next to continue
- The Active Directory Object Type window is displayed. Select This folder... and then click Next to continue
- The Permissions window is displayed. Select Creation/Deletion of specific child objects. Scroll down and select Create Computer objects and Delete Computer objects, then click Next to continue
- Delegation of Control is now complete. Click Finish to end the Wizard
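
One way to confirm what the wizard wrote and to review which other principals hold the same right on the container, as an added example that is not part of SQL FineBuild or this wiki. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the function name, the container DN and the group name are hypothetical placeholders.

```powershell
# Added example: list Allow ACEs on a container that permit creating or
# deleting Computer objects, and mark the one belonging to the delegated group.
Import-Module ActiveDirectory

function Get-ComputerObjectDelegation {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $ContainerDN,  # container the wizard was run on
        [Parameter(Mandatory)] [string] $GroupName     # DOMAIN\Group chosen in the wizard
    )
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $create = [int]$rights::CreateChild
    $delete = [int]$rights::DeleteChild
    # schemaIDGUID of the "computer" object class
    $computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

    (Get-Acl -Path "AD:\$ContainerDN").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band ($create -bor $delete)) -ne 0) -and
        # An empty ObjectType means the ACE covers every child object class,
        # which is broader than the Computer-only right the wizard grants.
        ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq [guid]::Empty)
    } | ForEach-Object {
        $scope = if ($_.ObjectType -eq $computerClass) { 'Computer objects only' }
                 else { 'All child object types' }
        [pscustomobject]@{
            Identity      = $_.IdentityReference.Value
            CanCreate     = ([int]$_.ActiveDirectoryRights -band $create) -ne 0
            CanDelete     = ([int]$_.ActiveDirectoryRights -band $delete) -ne 0
            Scope         = $scope
            Inherited     = $_.IsInherited
            IsTargetGroup = $_.IdentityReference.Value -eq $GroupName
        }
    }
}

# Placeholder values: replace with your own container and group.
$report = Get-ComputerObjectDelegation `
    -ContainerDN 'OU=SQL Clusters,DC=example,DC=com' `
    -GroupName   'EXAMPLE\SQL-Cluster-Group'
$report | Sort-Object IsTargetGroup -Descending | Format-Table -AutoSize

# The delegation is in place when the target group can both create and delete.
if (-not ($report | Where-Object { $_.IsTargetGroup -and $_.CanCreate -and $_.CanDelete })) {
    Write-Warning 'Target group lacks Create/Delete Computer objects on this container.'
}
```

Rows where IsTargetGroup is False show other principals that can also create or delete Computer objects in the container, which is worth reviewing against least privilege.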
Copyright FineBuild Team © 2016 - 2018. License and Acknowledgements