by lunarg on July 17th 2015, at 14:01

When you create a Windows Server 2012 failover cluster, the following event may be logged in the System log:

Event ID 1222 (Microsoft-Windows-FailoverClustering)
The computer object associated with cluster network name resource could not be updated.
Unable to protect the Virtual Computer Object (VCO) from accidental deletion.

When a failover cluster or a cluster role is created, a computer account (a so-called Cluster Name Object (CNO)) is created in Active Directory. Since Server 2012, these objects are flagged to prevent accidental deletion. If the main cluster resource (also a computer account) does not have the required permissions on the OU containing the CNOs (by default, this is the default Computers OU), setting the flag on newly created CNOs will fail, resulting in the event being logged.

To resolve this, you can either assign the proper permissions on the OU where the CNOs are kept, or manually flag each CNO to prevent accidental deletion.

  1. Open Active Directory Users and Computers on a domain controller (or using RSAT). If you really want to, you could also use ADAM but the instructions below are only for ADUC.
  2. For ADUC, in the menu at the top, click View, then make sure Advanced Features is checked.
  3. Assign the correct permissions

    Note that correcting the permissions is only useful for new cluster roles. Existing cluster roles (CNOs) won't be automatically affected, and still require a manual change on each of the CNOs to prevent accidental deletion.

    1. Right-click the OU containing the CNO (by default, this is the Computers OU), select Properties, then click the Security tab.
    2. Add the computer account (which is technically also a CNO) for the cluster, and give it write permissions on the OU.
    3. Follow the steps below to manually flag the cluster computer account to prevent accidental deletion, as this won't be done yet. Also, you need to manually set the flag for each of the CNOs that already exist.

  4. Manually flag the CNO (computer account)

    1. Locate the computer account (CNO) for each of the cluster roles, including the cluster itself.
    2. Right-click the object, then click Properties, then go to the Object tab.
    3. Check Protect object from accidental deletion, then click OK.
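
The manual flagging steps above can also be scripted. The following is an added example, not part of the original post: it audits the flag on each cluster computer account and sets it where it is missing. It assumes the ActiveDirectory module (RSAT) is installed and that you run it with rights to modify the objects; the function name `Protect-ClusterComputerObject` and the account names `CLUSTER01` and `CLUSTER01-FS` are hypothetical placeholders.

```powershell
#requires -Modules ActiveDirectory
# Added example: audit and set "Protect object from accidental deletion"
# on the computer accounts of a cluster and its roles.

function Protect-ClusterComputerObject {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Computer account names of the cluster and its roles
        [Parameter(Mandatory = $true)]
        [string[]]$Name
    )

    foreach ($n in $Name) {
        try {
            # ProtectedFromAccidentalDeletion is not returned by default
            $computer = Get-ADComputer -Identity $n `
                -Properties ProtectedFromAccidentalDeletion -ErrorAction Stop
        }
        catch {
            Write-Warning "No computer account found for '$n': $($_.Exception.Message)"
            continue
        }

        $changed = $false
        if (-not $computer.ProtectedFromAccidentalDeletion) {
            # Honors -WhatIf / -Confirm so the run can be previewed first
            if ($PSCmdlet.ShouldProcess($computer.DistinguishedName,
                    'Protect object from accidental deletion')) {
                Set-ADObject -Identity $computer.DistinguishedName `
                    -ProtectedFromAccidentalDeletion $true -ErrorAction Stop
                $changed = $true
            }
        }

        # One result row per account, usable as an audit record
        [pscustomobject]@{
            Name              = $computer.Name
            DistinguishedName = $computer.DistinguishedName
            WasProtected      = [bool]$computer.ProtectedFromAccidentalDeletion
            Changed           = $changed
        }
    }
}

# Constructed sample names; replace with your cluster and role names.
# -WhatIf previews the changes without writing to Active Directory.
Protect-ClusterComputerObject -Name 'CLUSTER01', 'CLUSTER01-FS' -WhatIf
```

Run it once with `-WhatIf` to see which accounts lack the flag, then again without it to apply the change.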