Azure stack HCI 23H2 cluster deployment validation failed at

Vinay P K 20 Reputation points
2024-03-05T18:44:13.6866667+00:00

Hello,

We are trying to set up Azure Stack HCI 23H2 and facing issues. Azure Stack HCI 23H2 cluster deployment validation failed at Azure Stack HCI External Active Directory. Here are some details from the log. Please suggest how to resolve the issue.


Name

Azure Stack HCI External Active Directory

Status

Error

Description

Check external active directory preparation

Type 'ValidateExternalAD' of Role 'EnvironmentValidator' raised an exception: ExternalAD requirements not met. Review output and remediate: Rule: HealthCheckSource : Deployment\ExternalActiveDirectory\2ad12394 Name : AzStackHci_ExternalActiveDirectory_Test_OrganizationalUnit_ExecutingAsDeploymentUser DisplayName : Test AD Organizational Unit - ExecutingAsDeploymentUser Tags : {} Title : Test AD Organizational Unit - ExecutingAsDeploymentUser Status : FAILURE Severity : CRITICAL Description : Tests that the specified organizational unit exists and contains the proper OUs Remediation :

TargetResourceID : Test_AD_OU_NODE03-HCI TargetResourceName : Test_AD_OU_NODE03-HCI TargetResourceType : ActiveDirectory Timestamp : 3/5/2024 6:17:45 PM AdditionalData: Key : Detail Value : The ActiveDirectory user account 'domain\hcia' is ineligible to be used as a deployment user: the user is missing the GenericAll permission to the organizational unit


3 answers

  1. Anveshreddy Nimmala 2,460 Reputation points Microsoft Vendor
    2024-03-06T04:53:23.36+00:00

    Hello Vinay P K

    Welcome to Microsoft Q&A, thank you for posting your query here.

    1. Based on the error message, it seems you have provided an error message related to external Active Directory preparation.

    2. The error message indicates that the Active Directory user account 'domain\hcia' is ineligible to be used as a deployment user because the user is missing the GenericAll permission to the organizational unit.

    3. Ensure that the Active Directory user account 'domain\hcia' has the GenericAll permission to the organizational unit.

        I. Log in to the Active Directory Domain Services (AD DS) domain controller as a domain administrator.
        II. Open the Active Directory Users and Computers snap-in.
        III. Navigate to the organizational unit that you want to grant the GenericAll permission to.
        IV. Right-click on the organizational unit and select "Delegate Control".
        V. In the Delegation of Control Wizard, click "Next" to proceed.
        VI. Click "Add" to add the user account 'domain\hcia'.
        VII. Select "Create a custom task to delegate" and click "Next".
        VIII. Select "Only the following objects in the folder" and check the box next to "Organizational Unit".
        IX. Check the boxes next to "Create selected objects in this folder" and "Delete selected objects in this folder".
        X. Check the boxes next to "Read all properties" and "Write all properties".
        XI. Check the boxes next to "Read permissions" and "Write permissions".
        XII. Check the boxes next to "Modify the membership of a group" and "Modify the membership of a built-in group".
        XIII. Click "Next" to proceed.
        XIV. Click "Finish" to complete the delegation of control.

    4. Verify that the specified organizational unit exists and contains the proper OUs.

        I. Log in to the Active Directory Domain Services (AD DS) domain controller as a domain administrator.
        II. Open the Active Directory Users and Computers snap-in.
        III. Navigate to the parent organizational unit that should contain the specified organizational unit.
        IV. Verify that the specified organizational unit exists and is listed under the parent organizational unit.
        V. Right-click on the specified organizational unit and select "Properties".
        VI. Click on the "Object" tab and verify that the object type is "Organizational Unit".
        VII. Click on the "Managed By" tab and verify that the managed-by field is set correctly.
        VIII. Click on the "Members" tab and verify that the proper OUs are listed as members of the organizational unit.
        IX. If the specified organizational unit does not exist or does not contain the proper OUs, create or modify it accordingly.

    5. Re-run the validation process to confirm that the issue has been resolved.

    Hope this helps you.

    If an answer has been helpful, please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!


  2. Vinay P K 20 Reputation points
    2024-03-06T11:35:12.4733333+00:00

    Hi Anveshreddy,

    Thanks for the help, steps provided and response. I did try to follow the steps. However, for the below steps I could not follow / find options exactly.

    Ensure that the ActiveDirectory user account 'domain\hcia' has the GenericAll permission to the organizational unit.
    VIII. I could find "Organizational Unit objects", not just "Organizational Unit".
    XI. Check the box next to "Read permissions" and "Write permissions". - Could not find these permissions.
    XII. Check the box next to "Modify the membership of a group" and "Modify the membership of a built-in group". - Could not find option to select.

    4. Verify that the specified organizational unit exists and contains the proper OUs.
    VI. Click on the "Object" tab and verify that the object type is "organizational Unit". - Could not find Object tab.

    5. Re-run the validation process to confirm that the issue has been resolved.
    Clicked on "Try Again" and failed at same stage. Validation was all green and issue is at next step task execution.


  3. Trent Helms - MSFT 2,381 Reputation points Microsoft Employee
    2024-03-12T13:33:39.4066667+00:00

    Hi,

    To resolve this issue, the following permissions need to be applied explicitly to the user on the OU. The EnvironmentChecker is not expecting a superset of permissions to be provided (this will be fixed in a future release).

    For the given OU:

    Create & Delete child computer objects.

    Read permissions to all the AD objects.

    msFVE-RecoveryInformation objects – General – Permissions: Full control.

    Alternatively, customers can use the AD tool AsHciADArtifactsPreCreationTool 10.2402 from the PowerShell Gallery, which will provide the above permissions to a given OU.

    Hope this helps!
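The three explicit rights listed in the answer above can be checked (and, if missing, written) directly against the OU's security descriptor rather than through the Delegation of Control wizard. The script below is an added example, not code from this thread, from Microsoft, or from AsHciADArtifactsPreCreationTool. It assumes the RSAT ActiveDirectory module and the `AD:` drive it provides; the OU distinguished name and the `CONTOSO\hcia` account are placeholders, and the mapping of the answer's wording to ACE fields (CreateChild/DeleteChild scoped to the `computer` class, GenericRead inherited to all descendants, GenericAll inherited to descendant `msFVE-RecoveryInformation` objects) is my reading of that answer, not a published specification.

```powershell
# Added example (not from the thread). Audits, and with -Apply writes, the explicit
# OU permissions for an Azure Stack HCI deployment user. Requires the RSAT
# ActiveDirectory module and a domain account allowed to read/modify the OU ACL.
# 'OU=HCI,DC=contoso,DC=com' and 'CONTOSO\hcia' are placeholders.
Import-Module ActiveDirectory

$Rights = [System.DirectoryServices.ActiveDirectoryRights]
$Inh    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

# ACEs scoped to an object class carry that class's schemaIDGUID in
# ObjectType (for create/delete child) or InheritedObjectType (for descendants).
function Get-SchemaClassGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $cls) { throw "Schema class '$LdapDisplayName' not found" }
    return [guid]$cls.schemaIDGUID
}

# Report which of the three required rights exist as explicit Allow ACEs for the
# account. Inherited ACEs and group memberships are deliberately ignored, because
# the validator in the thread looks for explicit permissions on the OU itself.
function Test-HciDeploymentUserOuRights {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$Account   # DOMAIN\user, as Get-Acl reports it
    )
    $computerGuid = Get-SchemaClassGuid 'computer'
    $fveGuid      = Get-SchemaClassGuid 'msFVE-RecoveryInformation'
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"

    $rules = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        -not $_.IsInherited })

    [pscustomobject]@{
        Account = $Account
        OU      = $OuDistinguishedName
        # "Create & Delete child computer objects"
        CreateDeleteComputerChild = [bool]($rules | Where-Object {
            $_.ObjectType -eq $computerGuid -and
            $_.ActiveDirectoryRights.HasFlag($Rights::CreateChild) -and
            $_.ActiveDirectoryRights.HasFlag($Rights::DeleteChild) })
        # "Read permissions to all the AD objects" (generic read, inherited downward)
        ReadAllObjects = [bool]($rules | Where-Object {
            $_.ActiveDirectoryRights.HasFlag($Rights::GenericRead) -and
            $_.InheritanceType -ne $Inh::None -and
            $_.InheritedObjectType -eq [guid]::Empty })
        # "msFVE-RecoveryInformation objects - Full control" on descendants only
        FullControlFveRecoveryInfo = [bool]($rules | Where-Object {
            $_.InheritedObjectType -eq $fveGuid -and
            $_.ActiveDirectoryRights.HasFlag($Rights::GenericAll) })
    }
}

# Add exactly those three ACEs and nothing broader. Without -Apply the function
# only prints the ACEs it would write, so it is safe to run as a dry run first.
function Grant-HciDeploymentUserOuRights {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$Account,
        [switch]$Apply
    )
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $computerGuid = Get-SchemaClassGuid 'computer'
    $fveGuid      = Get-SchemaClassGuid 'msFVE-RecoveryInformation'
    $allow = [System.Security.AccessControl.AccessControlType]::Allow

    $newRules = @(
        # Create & Delete child computer objects on this OU and its descendants
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, ($Rights::CreateChild -bor $Rights::DeleteChild), $allow, $computerGuid, $Inh::All),
        # Generic read on the OU and everything beneath it
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $Rights::GenericRead, $allow, $Inh::All),
        # Full control limited to descendant msFVE-RecoveryInformation objects
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $Rights::GenericAll, $allow, $Inh::Descendents, $fveGuid)
    )

    $path = "AD:\$OuDistinguishedName"
    $acl  = Get-Acl -Path $path
    foreach ($r in $newRules) { $acl.AddAccessRule($r) }
    if ($Apply) {
        Set-Acl -Path $path -AclObject $acl
    } else {
        Write-Host "Dry run; re-run with -Apply to write these ACEs to $path"
        $newRules | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
    }
}

# Usage (placeholders): audit first, grant only what is missing, then audit again.
Test-HciDeploymentUserOuRights -OuDistinguishedName 'OU=HCI,DC=contoso,DC=com' -Account 'CONTOSO\hcia'
Grant-HciDeploymentUserOuRights -OuDistinguishedName 'OU=HCI,DC=contoso,DC=com' -Account 'CONTOSO\hcia'   # dry run
```

Running the audit before and after the grant shows whether the validator's "missing GenericAll" finding corresponds to an ACE that is absent, inherited rather than explicit, or held only through a group, which is the distinction the answer's note about "a superset of permissions" points at. Keeping the GenericAll ACE scoped to descendant `msFVE-RecoveryInformation` objects, rather than granting it on the whole OU, limits what the deployment account can do if it is ever compromised.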