I can tell you how many times I have heard about this error. It can appear in any situation where SQL Server needs to create a cluster network name resource in the WSFC cluster. Here are the two situations I can think of:
- Installing SQL Server Failover Cluster instance.
- Creating listener in the AlwaysOn availability group.
Below is the error which was sent by one of my clients. This appeared while creating listener from management studio.
Here is the text of the message.
The WSFC cluster could not bring the Network Name resource with DNS name ‘<DNS name>’ online. The DNS name may have been taken or have a conflict with existing name services, or the WSFC cluster service may not be running or may be inaccessible. Use a different DNS name to resolve name conflicts, or check the WSFC cluster log for more information.
The attempt to create the network name and IP address for the listener failed. The WSFC service may not be running or may be inaccessible in its current state, or the values provided for the network name and IP address may be incorrect. Check the state of the WSFC cluster and validate the network name and IP address with the network administrator.
The above error can have many causes, any of which makes creation of the network name (client access point) resource in the cluster fail. One of the most common causes is that the domain administrator has not allowed the CNO the “Read All Properties” and “Create computer Objects” permissions. You might see “Access is denied” in the event log.
Here are the steps, also known as prestaging the virtual computer object (VCO) in the domain controller.
- If possible, connect to the domain controller. Ensure that we are logged in as a user that has permissions to create computer objects in the domain.
- Open the Active Directory Users and Computers snap-in (dsa.msc).
- In the menu, select View -> Advanced Features. (Otherwise, we would not see the options explained in the next steps.)
- Right click the OU/Container where we want the VCO to be created and click “New” -> “Computer”.
- Provide a name for the object (this will be your SQL Server Network Name in FCI or Listener Name in AG) and click “OK”.
- Right click on the VCO which we just created and select “Properties”. Click the Security tab and then click “Add”.
- Enter the CNO (make sure to select the “Computers” option in the “Object Types” window) and click “OK”. The CNO is the Cluster Name Object. This is the name of the Windows cluster, NOT the listener or FCI name.
- Give the CNO “Full Control” over the VCO.
If all the above steps are followed, we should not get access denied, and creating the listener should succeed.
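The same prestaging steps can be scripted and then verified. The PowerShell below is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module is available and uses placeholder names (`CLUSTER01`, `SQLLISTENER01` and the OU path are hypothetical). It grants the CNO Full Control on the single VCO only and then confirms that the ACE is present.

```powershell
# Added example. All names below are placeholders, not values from the article.
Import-Module ActiveDirectory            # RSAT module; also provides the AD: drive

$CnoName = 'CLUSTER01'                   # hypothetical CNO (the Windows cluster name)
$VcoName = 'SQLLISTENER01'               # hypothetical listener / FCI network name
$OuPath  = 'OU=Clusters,DC=example,DC=com'   # hypothetical OU for the VCO

# Computer names are unique per domain, so look domain-wide before creating.
$vco = Get-ADComputer -Filter "Name -eq '$VcoName'"
if (-not $vco) {
    $vco = New-ADComputer -Name $VcoName -Path $OuPath `
        -Description "Pre-staged VCO for cluster $CnoName" -PassThru
}

# Resolve the CNO computer account to its SID (the identity the ACE is written for).
$cnoSid = (Get-ADComputer -Identity $CnoName).SID

# "Full Control" in Active Directory Users and Computers corresponds to GenericAll.
$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $cnoSid, $fullControl, $allow

# Add the ACE to the VCO's own ACL; nothing is changed on the OU itself.
$adPath = "AD:\$($vco.DistinguishedName)"
$acl = Get-Acl -Path $adPath
$acl.AddAccessRule($rule)
Set-Acl -Path $adPath -AclObject $acl

# Verify: re-read the ACL and look for an explicit Allow/GenericAll ACE for the CNO.
$sidType = [System.Security.Principal.SecurityIdentifier]
$match = (Get-Acl -Path $adPath).GetAccessRules($true, $false, $sidType) |
    Where-Object {
        $_.IdentityReference -eq $cnoSid -and
        $_.AccessControlType -eq $allow -and
        ($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl
    }

if ($match) {
    "OK: $CnoName has Full Control on $($vco.DistinguishedName)"
} else {
    Write-Warning "$CnoName has no explicit Full Control ACE on $VcoName; expect 'Access is denied'."
}
```

The verification half can be run on its own against an existing VCO when the listener still fails with “Access is denied”.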
What are the other errors you have seen while creating listener?
Reference: Pinal Dave (https://blog.sqlauthority.com)
20 Comments.
I’ve been working with NUMA and SQL Server. It seems to work well as a standalone solution. However, I have a client that wishes to use NUMA in a 2016 availability group. For the AG network listener(s), how do you assign the node mask? It is fairly straightforward using SS configuration manager, but clusters and AG do not seem to write their IP address to a registry location that I can find.
I didn’t get the question. Can you please elaborate?
Hi,
I’m also having the same issue with AG creation. I have implemented the above solution and granted CNO permission to MSSQL server service account user and also checked the solution from “http://www.sqlservercentral.com/articles/always+on/145147/”.
But still getting the same error message on AG creation.
Here are the (dummy) details I’m using for MSSQL cluster setup.
windows login: “example.com\lokesh” (granted CNO permission)
MSSQL service account: “example.com\mssql_svc_acc” (granted CNO permission)
Can you please suggest what other permissions I need to assign, and to which user account?
Also having the same problem on my labs; if I find the solution I would gladly post it here.
D.C: Server 2012 R2 + 2 2012 R2 With SQL 2016 Developer for testing purposes
What’s the error you see in the event log? Which resource is failing to come online: Network Name or IP Address?
This worked for me thanks.
Great. Thanks for taking time and updating me, Ryan.
I have the same issue. I applied the pre-staging of virtual computer but still getting the message below:
The WSFC cluster could not bring the Network Name resource with DNS name ‘’ online. The DNS name may have been taken or have a conflict with existing name services, or the WSFC cluster service may not be running or may be inaccessible.
Any other suggestion would be appreciated. Thanks
Thanks Pinal,
This post helped to resolve the listener issue promptly.
Regards
Riyaz
Thank you so much, I’m a big fan of this page, it always helps me when I have problems.
Thank you…I followed your steps and was able to get by this error.
I have the same issue, but after giving full control the issue still exists. Can you give me some advice? Thank you!
I have attempted to use the way below:
Launch Failover Cluster Manager.
In the Roles pane, right-click the availability group resource and choose Add Resource and then Client Access Point.
Enter a DNS Name and click in the affirmative through the rest of the wizard to create the CAP. The CAP is created, the IP Address resource comes online, but the network name resource fails to come online.
Right-click the Network Name resource, click the General tab and check the DNS Status; it will read “DNS handle is invalid.” But my issue displays OK and I cannot bring the resource online, so I can’t continue with this way.
I have created a listener but am unable to connect SSMS with the listener name on secondary nodes. Please suggest.
Thank you Pinal. Your article served its purpose for me to narrow down to the exact issue. Much Appreciated.
Worked for me. Thanks
Worked for me, thank you :)
Thanks. This worked for me
Thank you very much Pinal Dave.
Above solution worked for me.
Thank you for your post but having spent the last 5 hours trying to get this to work I am throwing the towel in. We have an SQL 2022 installation on Server 2019 in Azure. I have followed all the requirements for permissions and still cannot bring the DNN resource online. Error is invalid handle access denied. Tried elevating all permissions but still the same. The SQL logs say give the cluster name the create computer objects etc, that has been done, it has even been added to domain admins and still the same. I cannot log on to the SQL box with a DA account due to restrictions so I have to use my server admin account which is a member of the local admins and the appropriate SQL permissions.
Failed to connect to the health service[=== System ===]
[System] 000021ec.00002728::2025/08/23-13:08:48.636 ERR Cluster network name resource ‘61150’ failed to create its associated computer object in domain ‘XXdomain.domainXX’ during: Resource online.
Please work with your domain administrator to ensure that:
– The cluster identity ‘CNO’ has Create Computer Objects permissions. By default all computer objects are created in the same container as the cluster identity ‘CNO’.
– The quota for computer objects has not been reached.
– If there is an existing computer object, verify the Cluster Identity ‘CNO’ has ‘Full Control’ permission to that computer object using the Active Directory Users and Computers tool.
[System] 00001420.00002868::2025/08/23-13:08:48.646 ERR Cluster resource ‘61150’ of type ‘Distributed Network Name’ in clustered role ‘Name of DNN’ failed. The error code was ‘0x5’ (‘Access is denied.’).:48.636 ERR Cluster network name resource ‘61150’ failed to create its associated computer object in domain ‘XXdomain.domainXX’ during: Resource online.
We do work in a very tightly controlled environment and I do not know what else to try. We had an absolute nightmare getting it setup in the first instance about 4 months ago, and ended up giving all permissions on the OU which resolved it. I removed all but necessary permissions and tested, everything was working.
Any help would be greatly appreciated.
Thanks
RedEye
Forgot to add this error the handle is invalid 0x80070006 which I believe is permissions. Also at one point, it did mention Kerberos but I cannot find any failures for that in the security logs of the server or the domain controller.