PAM Question in AD
Our Exchange 2010 DAG PAM DNS name is also registered in AD as a computer object. Is this AD object needed, or just the DNS entry?
May 29th, 2015 11:19am

Yes, an AD computer object with the DAG name is needed, i.e. the CNO.

In Exchange 2010 when using the Database Availability Group (DAG) we leverage the cluster services in Windows 2008 and Windows 2008 R2. 

When utilizing the cluster services in Windows 2008 and Windows 2008 R2, the cluster core resource's cluster name is a Kerberos-enabled name. This requires that a machine account be created within the directory for association with this cluster name resource. This is known as the CNO, or cluster name object.

In environments where computer account creation is restricted, it may become necessary to pre-stage the CNO for the clustered services and assign the appropriate rights.  There are two methods which work to establish this security context:

1)  Assign the machine account of the first node added to the DAG with full control of the pre-staged object.

2)  Assign the Exchange Trusted Subsystem universal security group with full control of the pre-staged object.

And then disable the computer object before you add any DAG member.
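The pre-staging steps above, worked through as an added PowerShell example (not code from the thread or from Microsoft's documentation). It uses method 2 (the Exchange Trusted Subsystem group); the DAG name, OU, domain and the alternative machine-account name are placeholders.

```powershell
# Added example: pre-stage the DAG's CNO, grant it Full Control, then disable it
# before the first DAG member is added. Requires the RSAT ActiveDirectory module
# and an account allowed to create computer objects in the target OU.
# Placeholders: DAG name 'DAG01', OU and domain 'corp.example', group/account names.
Import-Module ActiveDirectory

$DagName  = 'DAG01'
$TargetOU = 'OU=Exchange,DC=corp,DC=example'
# Method 2 from the answer: the Exchange Trusted Subsystem group.
# For method 1, use the first DAG member's machine account instead, e.g. 'CORP\MBX01$'.
$Grantee  = 'CORP\Exchange Trusted Subsystem'

# 1. Create the computer object (the CNO) in the chosen OU.
New-ADComputer -Name $DagName -SamAccountName $DagName -Path $TargetOU

$cno     = Get-ADComputer -Identity $DagName
$cnoPath = 'AD:\' + $cno.DistinguishedName

# 2. Grant Full Control (GenericAll) on the object to the chosen security principal.
$sid  = (New-Object System.Security.Principal.NTAccount($Grantee)).Translate(
            [System.Security.Principal.SecurityIdentifier])
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
            [System.Security.AccessControl.AccessControlType]::Allow)
$acl = Get-Acl -Path $cnoPath
$acl.AddAccessRule($rule)
Set-Acl -Path $cnoPath -AclObject $acl

# 3. Disable the object, as the answer says, before any DAG member is added.
Disable-ADAccount -Identity $DagName

# 4. Verify: object exists, is disabled, and the grantee holds GenericAll.
Get-ADComputer -Identity $DagName | Select-Object Name, Enabled, DistinguishedName
(Get-Acl -Path $cnoPath).Access |
    Where-Object { $_.IdentityReference -eq $Grantee -and
                   $_.ActiveDirectoryRights -eq 'GenericAll' }
```

The OU in `$TargetOU` is the one the object lands in, which answers the follow-up about placement; moving it later only requires that the granted ACE survives the move.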


  • Marked as answer by JT_CP 15 hours 7 minutes ago
May 29th, 2015 12:12pm

Thanks!

Looking at various articles, should this object be disabled? And can I move it to any OU I want?

May 29th, 2015 1:07pm

