Pre-stage the Cluster Network Object for a Database Availability Group

In environments where computer account creation is restricted or where computer accounts are created in a container other than the default computers container, you prestage the cluster network object (CNO) and then provision the CNO by assigning permissions to it. You create and disable a computer account for the CNO and then either:

  • Assign full control of the computer account to the computer account of the first mailbox you're adding to the DAG
  • Assign full control of the computer account to the Exchange Trusted Subsystem universal security group (USG).

After completing the following steps, allow time for Active Directory replication to occur. After the object is replicated, you can add the first member to the DAG.

Pre-stage the CNO

  1. Open Active Directory Users and Computers.
  2. Expand the forest node.
  3. Right-click the organizational unit (OU) in which you want to create the new account, select New and then select Computer.
  4. In New Object - Computer, type the computer account name for the CNO in the Computer name box. This is the name that you'll use for the DAG itself. Click OK to create the account.
  5. Right-click the new computer account, and then click Disable Account. Click Yes to confirm the disable action, and then click OK.

Assign permissions to the CNO

  1. Open Active Directory Users and Computers.
  2. If Advanced Features aren't enabled, turn them on by clicking View, and then clicking Advanced Features.
  3. Right-click the new computer account, and then click Properties.
  4. In <Computer Name> Properties, on the Security tab, click Add to add either the computer account for the first node to be added to the DAG or to add the Exchange Trusted Subsystem USG:
    • To add the Exchange Trusted Subsystem, type Exchange Trusted Subsystem in the Enter the object names to select field. Click OK to add the USG. Then select the Exchange Trusted Subsystem USG and in Permissions for Exchange Trusted Subsystem field, select Full Control in the Allow column. Click OK to save the permission settings.
    • To add the computer account for the first node to be added to the DAG, click Object Types. In the Object Types dialog box, clear the Built-in security principals, Groups, and Users check boxes. Select the Computers check box. Click OK. In the Enter the object names to select field, type the name of the first Mailbox server to be added to the DAG, and then click OK. Then, select the first node's computer account, and in the Permissions for <NodeName> field, select Full Control in the Allow column. Click OK to save the permission settings.