Test-Cluster -Include "Validate Resource Status" errors "Access denied" to AD

GabeCz 26 Reputation points
2025-12-06T02:30:11.47+00:00

This is the full error message:

  • Validating network name resource Name: NODENAME1 for Active Directory issues.
  • An error occurred while executing the test. The operation has failed. An error occurred while checking the Active Directory organizational unit for the cluster name resource. Access is denied

I can google, and I can use AI. I am asking questions here after exhausting all the online resources; I am not interested in any way in generated, copy-pasted answers. Thanks for understanding.

A private from a Microsoft employee is welcome; I can grant access to my system if that is enough to check what's missing.

This is the root cause of me going into WAC on the portal, and clicking on "Updates".

What is missing? A role assignment, or something from the lcmuserdev's AD properties/security tab?

I THINK this worked for me in my previous tests but cannot say it for sure.

This happens on a newly set up AD OU, AD user, resource group, nodes, Arc gateway, cluster, so everything is pretty much fresh out of the box, done as instructed here:

https://learn.microsoft.com/en-us/azure/azure-local/deploy/deployment-introduction?view=azloc-2510

I added one extra role assignment (all role assignments I added at the subscription level, as this is only a dev/test/lab), that is "windows admin center administrator login", to be able to log in to WAC after installing it on the portal.

Here are all the role assignments I have on the RG (inherited):

owner, reader, azure connected machine onboarding, azure connected machine resource administrator, azure connected resource manager, azure stack hci administrator, key vault administrator, key vault contributor, key vault data access administrator, key vault secrets officer, storage account contributor, windows admin center administrator login

Just an addition: we are going to use Lenovo Professional Services to deploy, to make sure everything is on the spot. They say there can be no spaces in the OU. Can this cause all my problems? I'd be surprised...

Azure Local

2 answers

  1. Q&A Assist
    2025-12-06T02:30:24.7533333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The error message you are encountering, "Access is denied," when validating the network name resource against Active Directory typically indicates a permissions issue related to the cluster name object (CNO) or the Active Directory organizational unit (OU) where the cluster resides. Here are some steps you can take to troubleshoot and potentially resolve the issue:

    1. Check Permissions: Ensure that the account you are using has sufficient permissions on the Active Directory OU where the cluster name resource is located. The authenticated users should have at least Read permissions on the default Computers container, as this is often necessary for cluster operations.
    2. Cluster Name Account: Verify that the cluster name account is not disabled in Active Directory. If it is disabled, you can enable it through the Active Directory Users and Computers snap-in.
    3. Role Assignments: Review the role assignments you have set up. While you have added several role assignments at the subscription level, ensure that the account being used for the cluster has the necessary permissions to perform cluster operations in Active Directory.
    4. OU Naming: Regarding the naming of the OU, while spaces in OU names can sometimes cause issues, it is generally more critical to ensure that the proper permissions are set. However, if Lenovo Professional Services has indicated that spaces could be problematic, it may be worth considering renaming the OU without spaces to avoid any potential issues.
    5. Active Directory Replication: If this is a new setup, ensure that Active Directory replication is functioning correctly and that all domain controllers have the latest information.
    6. Cluster Validation: You can also run the Test-Cluster cmdlet with the -Include parameter to check for specific validation errors that might provide more insight into the access issue.

    If after checking these areas you still face issues, it may be beneficial to consult with your Active Directory administrator to ensure that all necessary permissions and configurations are in place for the cluster operations.



  2. GabeCz 26 Reputation points
    2025-12-06T07:22:55.2+00:00

    This was fixed by delegating read/write rights and create and delete computer objects to the nodes and the cluster.

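One way to verify the delegation described in the second answer, as an added example that is not part of the original thread or of Microsoft's tooling: it reports, per computer account, whether the OU's ACL carries direct Allow ACEs for read/write and for creating and deleting computer objects. `Test-OuDelegation` is a hypothetical helper, and `CONTOSO`, `NODE1$`, `NODE2$` and `CLUSTER1$` are placeholders in constructed sample ACEs.

```powershell
Add-Type -AssemblyName System.DirectoryServices
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the computer class
$Rights = [System.DirectoryServices.ActiveDirectoryRights]

function Test-OuDelegation {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Ace,       # (Get-Acl 'AD:\<OU DN>').Access, or sample ACEs
        [Parameter(Mandatory)] [string[]] $Principal  # DOMAIN\NAME$ of each node and of the cluster
    )
    $rw = [int]$Rights::ReadProperty -bor [int]$Rights::WriteProperty
    $cd = [int]$Rights::CreateChild  -bor [int]$Rights::DeleteChild
    foreach ($p in $Principal) {
        $props = 0; $children = 0
        foreach ($a in $Ace) {
            # Only direct Allow ACEs are counted; group membership and Deny ACEs are not evaluated.
            if ("$($a.IdentityReference)" -ne $p -or "$($a.AccessControlType)" -ne 'Allow') { continue }
            $bits = [int]($a.ActiveDirectoryRights -as $Rights)
            $type = [guid]$a.ObjectType
            # An empty ObjectType means the ACE is not narrowed to one property or object class.
            if ($type -eq [guid]::Empty) { $props = $props -bor $bits }
            if ($type -eq [guid]::Empty -or $type -eq $ComputerClass) { $children = $children -bor $bits }
        }
        [pscustomobject]@{
            Principal            = $p
            ReadWrite            = ($props -band $rw) -eq $rw
            CreateDeleteComputer = ($children -band $cd) -eq $cd
        }
    }
}

# Constructed sample ACEs using the property names of real AD access rules.
$sample = @(
    [pscustomobject]@{ IdentityReference = 'CONTOSO\CLUSTER1$'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ReadProperty, WriteProperty'; ObjectType = [guid]::Empty }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\CLUSTER1$'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'CreateChild, DeleteChild'; ObjectType = $ComputerClass }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\NODE1$'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'GenericAll'; ObjectType = [guid]::Empty }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\NODE2$'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ReadProperty'; ObjectType = [guid]::Empty }
)
Test-OuDelegation -Ace $sample -Principal 'CONTOSO\CLUSTER1$', 'CONTOSO\NODE1$', 'CONTOSO\NODE2$' |
    Format-Table -AutoSize
```

Against a live domain, pass `(Get-Acl 'AD:\<OU distinguished name>').Access` as `-Ace`; the `AD:` drive requires the ActiveDirectory module. A row showing `False` points at the account whose delegation on the OU is missing or granted only through a group.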
