Hi, folks!
In Windows Server 2012/2012 R2 and previous versions, there is one global requirement for a cluster: the nodes must be joined to a single domain. The Active Directory-detached cluster, which was introduced in 2012 R2, has the same requirement and does not provide any additional flexibility. Beginning with Windows Server 2016 (Technical Preview 3/future RTM), you have additional options: you can create a cluster with nodes in a workgroup, or create a cluster in a multi-domain environment.
My demo:
WS 2016 TP3 on tp3-1 and tp3-2 nodes. Workgroup joined (default settings). No storage.
Prerequisites
Single-Domain clusters:
- All servers must be running Windows Server 2016 (TP3 was the latest build of WS 2016; RTM is now available. The process and requirements are the same)
- All servers must have the Failover Clustering feature installed.

```
PS C:\Users\rlevchenko> Install-WindowsFeature Failover-Clustering -IncludeManagementTools

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Remote Server Administration Tools, Failo...
```

- All servers must have certified hardware and must have passed the validation tests (use the Windows Server Catalog)
Multi-Domain and Workgroup clusters:
- The Failover Clustering MMC snap-in is not supported. Use PowerShell.

Under a local user, Workgroup (same for previous Windows Server versions):
- To create a new cluster, you must have a local user with administrative privileges on each node. The username and password must be the same on all nodes.

```
PS C:\Users\rlevchenko> net user /add cluadm Password
The command completed successfully.

PS C:\Users\rlevchenko> net localgroup administrators cluadm /add
The command completed successfully.
```

- If you receive the error “Requested Registry access is not allowed”, you need to change the LocalAccountTokenFilterPolicy value to 1:

```
New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 1
The command completed successfully.
```
- Each cluster node must have a primary DNS suffix.
- To create a new cluster in a Workgroup or Multi-Domain environment, you have to use DNS as the Administrative Access Point. The warning can be safely ignored (see below).

```
PS C:\Users\rlevchenko> New-Cluster -Name WGCL -Node tp3-1,tp3-2 -AdministrativeAccessPoint DNS -StaticAddress 10.0.0.100
WARNING: There were issues while creating the clustered role that may prevent it from starting. For more information view the report file below.
WARNING: Report file location: C:\Windows\cluster\Reports\Create Cluster Wizard WGCL on 2015.09.02 At 14.26.58.htm

Name
----
WGCL

PS C:\Users\rlevchenko> Get-ClusterNode

Name  ID State
----  -- -----
tp3-1 1  Up
tp3-2 2  Up

PS C:\Users\rlevchenko> Get-ClusterResource

Name               State  OwnerGroup    ResourceType
----               -----  ----------    ------------
Cluster IP Address Online Cluster Group IP Address
Cluster Name       Online Cluster Group Network Name
```

There is 1 warning in the report. It’s expected:
No appropriate disk could be found for the witness disk
Workgroup and Multi-Domain clusters support only Disk Witness or Cloud Witness (Azure Storage). There is no support for File Share Witness (!)
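
A pre-flight check for the workgroup prerequisites above, as an added example (not code from the original post): run locally on each prospective node, it reports the feature state, the primary DNS suffix, local-administrator membership and the LocalAccountTokenFilterPolicy value. It flags nodes where that value is 1, because the setting turns off UAC remote token filtering for every local administrator account on the node, not only the cluster account. Assumptions: the function name and the `$AdminUser` parameter are hypothetical, `cluadm` is the account from the post, and the LocalAccounts cmdlets require Windows Server 2016 RTM or later.

```powershell
# Added example: local pre-flight check for one prospective workgroup cluster node.
# Test-WorkgroupClusterNode and $AdminUser are hypothetical names; 'cluadm' is the
# account created earlier in the post.
function Test-WorkgroupClusterNode {
    param([string]$AdminUser = 'cluadm')

    # The Failover Clustering feature must be installed on every node.
    $feature = Get-WindowsFeature -Name Failover-Clustering

    # The primary DNS suffix is stored as 'Domain' under the Tcpip parameters key.
    $tcpip  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $suffix = $tcpip.Domain

    # The cluster account must be in the local Administrators group.
    # S-1-5-32-544 is the well-known SID of that group, so this works on localized systems.
    $admins  = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
    $isAdmin = [bool]($admins | Where-Object { $_.Name -eq "$env:COMPUTERNAME\$AdminUser" })

    # LocalAccountTokenFilterPolicy: absent or 0 keeps remote UAC token filtering on, 1 turns it off.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = (Get-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy `
                   -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy

    [pscustomobject]@{
        Node                  = $env:COMPUTERNAME
        ClusteringInstalled   = $feature.Installed
        PrimaryDnsSuffix      = $suffix
        HasPrimaryDnsSuffix   = -not [string]::IsNullOrWhiteSpace($suffix)
        AdminUserIsLocalAdmin = $isAdmin
        RemoteUacFilteringOff = ($policy -eq 1)
    }
}

# Run on each node before New-Cluster and compare the results across nodes.
Test-WorkgroupClusterNode | Format-List
```
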
Cloud witness example
Create storage in Azure:
Note storage account name and primary access key
Change witness options in FCM:
Paste access keys from above (azure storage name and account key are required + change service endpoint if it is required (very rare)):
Or use PowerShell (the default endpoint is used unless you specify “-Endpoint”):
Set-ClusterQuorum -CloudWitness -AccountName <StorageAccountName> -AccessKey <StorageAccountAccessKey>
The following table summarizes whether this deployment method is supported for a specific cluster workload.
Cluster Workload | Supported/Not Supported | More Information |
---|---|---|
SQL Server | Supported | We recommend that you use SQL Server Authentication for an Active Directory-detached cluster deployment. |
File server | Supported, but not recommended | Kerberos authentication is the preferred authentication protocol for Server Message Block (SMB) traffic. |
Hyper-V | Supported, but not recommended | Live migration is not supported because it has a dependency on Kerberos authentication. Quick migration is supported. |
Message Queuing (also known as MSMQ) | Not supported | Message Queuing stores properties in AD DS. |
Some restrictions in TP3:
- The following tests will incorrectly generate an Error and can safely be ignored:
  - Cluster Configuration – Validate Resource Status
  - System Configuration – Validate Active Directory Configuration
- The Get-ClusterDiagnostics cmdlet is not supported on Workgroup and Multi-domain clusters in the Windows Server 2016 TP3 release.
I’ll keep this post up-to-date.
Are you using DNS at all here? I cannot get this setup in a lab with just two VMs and no physical DNS server.
Hi, John. Yes, I’m using DNS here. A workgroup cluster is an “advanced type” of detached cluster: https://technet.microsoft.com/en-us/library/dn265970.aspx. DNS is being used for the Cluster Network Name, and no domain relationships are required, as they were for a detached cluster.
Is it normal after following all steps for the cluster to report error:
Cluster network name resource ‘Cluster Name’ failed registration of one or more associated DNS name(s) for the following reason:
DNS bad key.
If not, how is this fixable?
The cluster is running and the cluster node(s) are up.
Hi, Jeremy!
1. RTM or TPs?
2. Workgroup cluster or between domains?
3. Have you checked DNS health? Does it work? Ensure that the DNS record for the CNO exists
4. Share your NIC settings on cluster nodes (DNS, IPs)
5. Try to repair CNO (cluadmin.msc -> core resources -> and select more actions for Cluster Name)
Hi. How should cluster creation command be run if initiated from a remote computer against two non-domain joined Win2016 servers? I’ve tried the below, but not working… I’ve tried using start-process to initiate. I’ve tried using credSSP, but not having any joy. The creds are local admins on both cluster nodes (same username, same password). WSFC Windows Feature is installed on both nodes. Any assistance is appreciated.
Invoke-Command -ComputerName $servers[0] -Credential $myCreds -ScriptBlock {New-Cluster -Name $using:clusterName -Node $using:node1,$using:node2 -AdministrativeAccessPoint DNS -StaticAddress $using:clusterIP -NoStorage }
Error received is:
There was an error adding node ‘NODE2’ to the cluster
You do not have administrative privileges on the server ‘NODE2’.
Attempted to perform an unauthorized operation.
+ CategoryInfo : PermissionDenied: (:) [New-Cluster], ClusterCmdletException
+ FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.FailoverClusters.PowerShell.NewClusterCommand
Thanks
Darren
Darren, it sounds like I may be running into the same problem as you did. Were you able to resolve?
Hi Dan, yes I did solve the issue.
Refer to my comment on this page here: https://4sysops.com/archives/solve-the-powershell-multi-hop-problem-without-using-credssp/
Hope it helps
Also this article was very helpful too:
https://www.ryanjadams.com/2018/07/domain-independent-cluster/
Regards
Darren