
PROCESS

DOCUMENT

How to pre-stage Cluster objects in Active Directory


This document describes the steps to pre-stage the required cluster objects in Active Directory where the
Active Directory environment is highly restrictive. Please familiarize yourself with this document and refer
to the Microsoft and Avid documentation for more details.

Table of Contents

Glossary
Pre-requisites
Prestage Cluster Name Object, CNO
Prestage Virtual Computer Object, VCO
Add DNS A-record and associated PTR Record
Server Execution User security policies
Appendix A: Granting CNO permission to create VCO
Appendix B: Reference documentation used for this guide

How to pre-stage Cluster objects in Active Directory v.1.0 Page 1 of 14



Glossary

The following terms are used in this document. Please ensure you are familiar with the terms and their
abbreviations:

AD = Active Directory
ADUC = Active Directory Users and Computers
CNO = Cluster Name Object, the Windows Server Failover Cluster computer object in Active Directory
VCO = Virtual Computer Object, a network name resource running on Windows Server Failover Cluster;
in this document, the Interplay Engine virtual name
OU = Organizational Unit, a management group in Active Directory which can contain users and
computers
SEU = Server Execution User
DNS = Domain Name Server

Pre-requisites:

To pre-stage the CNO and VCO, an AD user who has Domain Admin rights or equivalent must be used. Also
note down the names you wish to use for the CNO and VCO, e.g. CNO: Cluster01, VCO: VIEC.

CNO name:_________________________
CNO IP Address:_____________________
VCO name:_________________________

VCO IP Address:_____________________


Prestage Cluster Name Object, CNO


On a Domain Controller or on another workstation with the Active Directory management tools
installed, open the Active Directory Users and Computers (ADUC) tool. Navigate to the OU where you
want to create the Cluster Name Object (CNO).

1. Right-click the OU, select New, then select Computer.
2. In the Computer Name text box, type the name of the CNO, e.g. Cluster01.
3. The CNO must be in a disabled state before the cluster is created, so right-click the created
computer object and select Disable Account. A downward-pointing arrow on the computer icon
indicates that the object is disabled.

You have now created the Cluster Name Object. The next step is to grant the required rights to the user
who will create the cluster. For this we will use the ADUC tool; ensure that Advanced Features is
enabled in the View menu.

1. In the ADUC tool, right-click the created CNO and select Properties.
2. On the Security tab, click Add and select the user or group that should be granted control of this
object.
3. Once the user or group is added, grant Full Access to that user/group. Click OK.


Prestage Virtual Computer Object, VCO


There are two ways to allow the creation of VCOs: either grant the CNO enough rights to create the VCO,
or prestage the VCO and grant the CNO access rights to it. This section describes the latter, prestaging
the VCO. As with the CNO, we use the ADUC tool for this process.

On a Domain Controller or on another workstation with the Active Directory management tools
installed, open the Active Directory Users and Computers (ADUC) tool. Navigate to the OU where you
want to create the Virtual Computer Object (VCO).

1. Right-click the OU, select New, then select Computer.
2. In the Computer Name text box, type the name of the VCO, e.g. VIEC, and click OK.
3. Please note that the VCO should not be disabled, unlike the CNO.

You have now created the Virtual Computer Object. The next step is to grant the CNO the rights it
requires to manage the VCO. For this we will again use the ADUC tool; ensure that Advanced Features is
enabled in the View menu (as in the CNO process).

1. In the ADUC tool, right-click the created VCO and select Properties.
2. On the Security tab, click Add.
3. In the Select Users, Computers, Service Accounts or Groups dialog, click Object Types and select the
Computers check box.


4. Type the name of the CNO you created in the “Prestage Cluster Name Object, CNO” stage,
e.g. Cluster01, and click OK. Please note: there may be a pop-up dialog about adding a disabled
object; click OK to continue.



5. Once CNO is added, grant Full Access to that object and click OK.
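
The state that the two prestaging procedures above should leave behind can be checked from PowerShell. This is an added example, not part of the original document or of Avid's or Microsoft's tooling; it assumes the RSAT ActiveDirectory module and uses this document's example names Cluster01 and VIEC, and the function names are hypothetical.

```powershell
# Added example: audits the pre-staged CNO and VCO (read-only, changes nothing).
Import-Module ActiveDirectory

function Get-FullControlHolder {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Explicit (non-inherited) Allow entries that grant full control (GenericAll)
    $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag($genericAll)
        } |
        ForEach-Object {
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        }
}

function Test-PrestagedClusterObject {
    param(
        [string]$CnoName = 'Cluster01',   # example name from this document
        [string]$VcoName = 'VIEC'         # example name from this document
    )
    $cno = Get-ADComputer -Identity $CnoName
    $vco = Get-ADComputer -Identity $VcoName

    $cnoHolders = @(Get-FullControlHolder -DistinguishedName $cno.DistinguishedName)
    $vcoHolders = @(Get-FullControlHolder -DistinguishedName $vco.DistinguishedName)

    [pscustomobject]@{
        CnoDisabled            = -not $cno.Enabled   # CNO must be disabled before cluster creation
        VcoEnabled             = [bool]$vco.Enabled  # VCO must not be disabled
        CnoHasFullControlOfVco = $vcoHolders -contains $cno.SID.Value
        FullControlOnCno       = $cnoHolders         # SIDs to compare with the intended user/group
    }
}

Test-PrestagedClusterObject | Format-List
```

FullControlOnCno also lists principals that hold full control through the object's default security descriptor, so compare the list against the user or group you added rather than expecting a single entry.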


Add DNS A-record and associated PTR Record


Once the CNO and VCO have been created in Active Directory, you need to ensure that the DNS records
for both objects are correctly entered in DNS. The following procedure outlines the steps to create the
DNS A-record and PTR record in Windows Server DNS. If you have a non-Windows DNS server, please
consult the vendor of the DNS server for the exact steps.

On a DNS server/Domain Controller or on another workstation with the DNS management tools
installed, open the DNS management console.

1. Navigate to the forward lookup zone of your domain and right-click the name of the domain.
2. Select New Host (A or AAAA).
3. Enter the name of the CNO, e.g. Cluster01, and enter the respective IP address. Ensure the FQDN
is correct. Also ensure the Create Associated Pointer (PTR) record option is enabled.
4. Click Add Host.
5. Repeat the procedure for the VCO, e.g. VIEC.

6. Again, ensure the FQDN is correct and the Create Associated Pointer (PTR) record option is enabled.

To verify the successful creation of the A-record and PTR record, open a command prompt on another
host and type nslookup CNOname, replacing CNOname with the name you gave during the process,
e.g. nslookup Cluster01, and verify that the command returns the correct IP address. Run the same
command with the VCO name.

Please note: it may take up to 15 minutes for changes to replicate across the DNS servers in
the Active Directory environment.
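
The nslookup check above only confirms the forward lookup. The following added example (not part of the original document) also checks the PTR record and can be pointed at individual DNS servers to see whether replication has completed; the function name, the example.test domain, the 192.0.2.x addresses and the server names are constructed placeholders.

```powershell
# Added example: forward (A) and reverse (PTR) check using the built-in DnsClient module.
function Test-ClusterDnsRecord {
    param(
        [Parameter(Mandatory)][string]$Fqdn,        # e.g. Cluster01.<your domain>
        [Parameter(Mandatory)][string]$ExpectedIp,  # address noted in the pre-requisites
        [string[]]$DnsServer = @('')                # empty = the client's configured resolver
    )
    foreach ($server in $DnsServer) {
        # DnsOnly prevents fallback to LLMNR/NetBIOS, so only real DNS records count
        $query = @{ ErrorAction = 'SilentlyContinue'; DnsOnly = $true }
        if ($server) { $query.Server = $server }

        # Forward lookup: every A record returned for the name
        $a = @(Resolve-DnsName -Name $Fqdn -Type A @query |
               Where-Object { $_.Type -eq 'A' } |
               ForEach-Object { $_.IPAddress })
        # Reverse lookup: PTR targets registered for the expected address
        $ptr = @(Resolve-DnsName -Name $ExpectedIp -Type PTR @query |
                 Where-Object { $_.Type -eq 'PTR' } |
                 ForEach-Object { $_.NameHost })

        [pscustomobject]@{
            Server     = if ($server) { $server } else { '(default)' }
            Name       = $Fqdn
            ForwardOk  = ($a.Count -eq 1) -and ($a[0] -eq $ExpectedIp)
            ReverseOk  = $ptr -contains $Fqdn
            ARecords   = $a -join ','
            PtrRecords = $ptr -join ','
        }
    }
}

# Constructed placeholder values; replace with the names and addresses you noted down.
$servers = 'dc01.example.test', 'dc02.example.test'
Test-ClusterDnsRecord -Fqdn 'Cluster01.example.test' -ExpectedIp '192.0.2.10' -DnsServer $servers
Test-ClusterDnsRecord -Fqdn 'VIEC.example.test'      -ExpectedIp '192.0.2.11' -DnsServer $servers
```

A stale or duplicate A record shows up as ForwardOk = False together with the unexpected addresses in ARecords.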


Server Execution User security policies


When Interplay Engine has been created successfully on the Windows Server Failover Cluster, there are
two services that require specific security rights. The user that runs these services is called the
Server Execution User, and in a clustered configuration this needs to be a domain user with the following
security rights enabled:

- Act as part of the operating system
- Back up files and directories
- Restore files and directories
- Adjust memory quotas for a process
- Log on as a service
- Increase scheduling priorities
- Manage auditing and security log
- Impersonate a client after authentication
- Debug programs

Usually, the Interplay Engine installer ensures the user selected as SEU will have correct rights, but it is
best to verify these, especially if you encounter problems starting up services. To verify the settings,
open Local Security Policy and verify the SEU has correct rights:
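
The same verification can be scripted. This added example is not part of the original document or of the Interplay Engine installer; it exports the local user-rights assignment with secedit and checks the nine rights listed above for one account. The function name and the account name are hypothetical, and the script must run from an elevated prompt on each cluster node.

```powershell
# Added example: checks the SEU's user rights on the local machine (read-only).
function Test-SeuUserRight {
    param([Parameter(Mandatory)][string]$Account)   # SEU, e.g. 'EXAMPLE\svc-seu' (placeholder)

    # Rights listed in this document, mapped to their Windows user-right constants
    $required = [ordered]@{
        'Act as part of the operating system'       = 'SeTcbPrivilege'
        'Back up files and directories'             = 'SeBackupPrivilege'
        'Restore files and directories'             = 'SeRestorePrivilege'
        'Adjust memory quotas for a process'        = 'SeIncreaseQuotaPrivilege'
        'Log on as a service'                       = 'SeServiceLogonRight'
        'Increase scheduling priorities'            = 'SeIncreaseBasePriorityPrivilege'
        'Manage auditing and security log'          = 'SeSecurityPrivilege'
        'Impersonate a client after authentication' = 'SeImpersonatePrivilege'
        'Debug programs'                            = 'SeDebugPrivilege'
    }
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Export the local user-rights assignment to a temporary file and read it back
    $cfg = Join-Path $env:TEMP ("seu-rights-{0}.inf" -f [guid]::NewGuid())
    secedit.exe /export /areas USER_RIGHTS /cfg $cfg | Out-Null
    $lines = Get-Content -Path $cfg
    Remove-Item -Path $cfg -Force

    foreach ($entry in $required.GetEnumerator()) {
        $holders = @()
        $line = $lines | Where-Object { $_ -match "^$($entry.Value)\s*=" } | Select-Object -First 1
        if ($line) {
            # Value is a comma-separated list; SIDs are prefixed with '*'
            $holders = ($line -split '=', 2)[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') }
        }
        [pscustomobject]@{
            Policy   = $entry.Key
            Constant = $entry.Value
            Granted  = ($holders -contains $sid) -or ($holders -contains $Account)
        }
    }
}

Test-SeuUserRight -Account 'EXAMPLE\svc-seu' | Format-Table -AutoSize
```

Only direct assignments are matched: a right the SEU holds through membership of a group (for example the local Administrators group) is reported as not granted, so resolve group memberships before treating a False as a gap.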


Appendix A: Granting CNO permission to create VCO


If you do not want to pre-create the VCO, e.g. because you do not yet know the Interplay Engine virtual
name, you can allow the CNO to create all necessary computer accounts in Active Directory. If you are in a
restricted Active Directory environment, you may need to change the rights of the CNO. The following
steps describe how to do this. For this process we will use the ADUC tool; please ensure that Advanced
Features is enabled (see previous sections).

Please note: By default, a Windows Server 2008R2 Failover Cluster creates all computer objects
(VCOs) in the default Computers container in Active Directory. If your domain administration has
decided to redirect default computer creation to another container, you need to make the
changes to that container. In a Windows Server 2012R2 Failover Cluster, the VCOs are created
in the same OU where the CNO resides.

1. Navigate to the Computers container (in case of Windows Server 2008R2) or to the OU where
your CNO resides (in case of Windows Server 2012R2). For this example we are going to use the
default Computers container.

2. Right-click the Computers container (or OU) and select Properties.

3. Open the Security tab and click Advanced.

4. In the Advanced Security Settings dialog box, click Add.

5. Click Object Types and enable Computers, then enter the name of the CNO and click OK. There
might be a warning message saying that you are about to add a disabled object; click OK.

6. In Permission Entry, ensure you have selected This object and all descendant objects in the Apply to:
field. To allow the CNO to create objects in the selected container or OU, enable Create Computer
Objects in the Allow section. Click OK.

7. Click OK in Advanced Security Settings for Computers to set the rights.


To verify that all necessary rights have been assigned, you can use the Effective Permissions tab. Use
Select to select the CNO (ensure you enable the Computers object type) and verify that the right Create
Computer objects is enabled. Click OK to continue.
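
The permission entry created in this appendix can also be read back from the container's ACL. This is an added example, not part of the original document; it assumes the RSAT ActiveDirectory module, the function name is hypothetical, and the container DN in the usage line is a constructed placeholder.

```powershell
# Added example: confirms the CNO may create computer objects in a container or OU (read-only).
Import-Module ActiveDirectory

function Test-CnoCreateComputerRight {
    param(
        [string]$CnoName = 'Cluster01',              # example name from this document
        [Parameter(Mandatory)][string]$ContainerDn   # Computers container or the CNO's OU
    )
    # schemaIDGUID of the computer class; an empty GUID on an ACE means "all child object types"
    $computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
    $createChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $cnoSid        = (Get-ADComputer -Identity $CnoName).SID.Value

    # Allow entries for the CNO itself that include Create Child for computer objects
    $aces = @((Get-Acl -Path "AD:\$ContainerDn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag($createChild) -and
        ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq [guid]::Empty) -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $cnoSid
    })

    [pscustomobject]@{
        Container            = $ContainerDn
        CnoCanCreateComputer = $aces.Count -gt 0
        # 'All' corresponds to "This object and all descendant objects" in the Apply to: field
        AppliesToDescendants = [bool]($aces | Where-Object { $_.InheritanceType -eq 'All' })
        MatchingAces         = $aces |
            Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, IsInherited
    }
}

# Constructed placeholder DN; use your Computers container or the OU that holds the CNO.
Test-CnoCreateComputerRight -ContainerDn 'CN=Computers,DC=example,DC=test' | Format-List
```

Unlike the Effective Permissions tab, this looks only at entries granted directly to the CNO, which also makes it a quick way to confirm that the grant is scoped to Create Computer objects rather than a broader right.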

Please note: These instructions were created on a Domain Controller running Windows 2008R2.
A Windows 2012R2 based Domain Controller may have a different style of windows and slightly
different options, but the main concepts still apply.


Appendix B: Reference documentation used for this guide:


- Failover Cluster Step-by-Step Guide: Configuring Accounts in Active Directory
https://technet.microsoft.com/en-us/library/cc731002(v=ws.10).aspx
- Prestage Cluster Computer Objects in Active Directory Domain Services
https://technet.microsoft.com/en-us/library/dn466519(v=ws.11).aspx
- Avid Interplay Engine Failover Guide for AS3000 Servers
http://avid.force.com/pkb/articles/en_US/user_guide/en418451
- Interplay | Production Software Installation and Configuration Guide
http://resources.avid.com/SupportFiles/attach/Interplay_Install_SW_Guide_V3_5.pdf
