Workgroup and Multi-Domain Clusters in Windows Server 2016

Hi, folks!

In Windows Server 2012/2012 R2 and previous versions, there is one global requirement for cluster : single-domain joined nodes . Active Directory Detached cluster, which was introduced in 2012 R2, has the same requirement and does not provide advanced flexibility either. Beginning from Windows Server 2016 (Technical Preview 3/future RTM)  you have additional options : create cluster with nodes in Workgroup and create cluster in multi-domain environment.

My demo:

WS 2016 TP3 on tp3-1 and tp3-2 nodes. Workgroup joined (default settings). No storage.


Single-Domain clusters:.

  • All servers must be running Windows Server 2016 (TP3 is the latest build of WS 2016 RTM is available. The process and requirements are the same)
  • All servers must have the Failover Clustering feature installed.
PS C:\Users\rlevchenko> Install-WindowsFeature Failover-Clustering -IncludeManagementTools

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Remote Server Administration Tools, Failo...

Multi-Domain and Workgroup clusters:

  • Failover Clustering mmc is not supported. Use Powershell.

Under local user, Workgroup (same for previous Windows Server ) :

failover cluster manager 2016 workgroup multi-domain

  • To create new cluster you must have local user with administrative privileges on each node. The username and password must be the same on all nodes.
PS C:\Users\rlevchenko> net user /add cluadm Password
The command completed successfully.
PS C:\Users\rlevchenko> net localgroup administrators cluadm /add
The command completed successfully.
  • If you receive error “Requested Registry access is not allowed” you need to changeLocalAccountTokenFilterPolicy value to 1 :
New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 1
The command completed successfully.
  • Each cluster node must have a primary DNS suffix.

dns suffix workgroup windows server 2016

  • To create new cluster in Workgroup or Multi-Domain you have to use DNS as an Administrative Access Point. Warning can be safely ignored (see below)
PS C:\Users\rlevchenko> New-Cluster -Name WGCL -Node tp3-1,tp3-2 -AdministrativeAccessPoint DNS  -StaticAddress
WARNING: There were issues while creating the clustered role that may prevent it from starting. For more information
view the report file below.
WARNING: Report file location: C:\Windows\cluster\Reports\Create Cluster Wizard WGCL on 2015.09.02 At 14.26.58.htm


PS C:\Users\rlevchenko> Get-ClusterNode

Name                 ID    State
----                 --    -----
tp3-1                1     Up
tp3-2                2     Up

PS C:\Users\rlevchenko> Get-ClusterResource

Name               State  OwnerGroup    ResourceType
----               -----  ----------    ------------
Cluster IP Address Online Cluster Group IP Address
Cluster Name       Online Cluster Group Network Name

There is 1 warning in the report. It’s expected :

No appropriate disk could be found for the witness disk


Workgroup and Multi-Domain clusters support only Disk Witness or Cloud Witness (Azure Storage). There is no support for File Share Witness (!)

Cloud witness example

Create storage in Azure:

azure cloud witness 1

Note storage account name and primary access key

windows server 2016 azure cloud witness 2

Change witness options in FCM:

windows server 2016 azure cloud witness

Paste access keys from above (azure storage name and account key are required + change service endpoint if it is required (very rare)):

windows server 2016 azure cloud witness 3

Or use Powershell (with default endpoint value, “-Endpoint”):

Set-ClusterQuorum -CloudWitness -AccountName <StorageAccountName> -AccessKey <StorageAccountAccessKey>

The following table summarizes whether this deployment method is supported for a specific cluster workload.

Cluster Workload

Supported/Not Supported

More Information

SQL Server


We recommend that you use SQL Server Authentication for an Active Directory-detached cluster deployment.

File server

Supported, but not recommended

Kerberos authentication is the preferred authentication protocol for Server Message Block (SMB) traffic.


Supported, but not recommended

Live migration is not supported because it has a dependency on Kerberos authentication.

Quick migration is supported.

Message Queuing (also known as MSMQ)

Not supported

Message Queuing stores properties in AD DS.

Some restrictions in TP3:

  • The following tests will incorrectly generate an Error and can safely be ignored:
    • Cluster Configuration – Validate Resource Status
    • System Configuration – Validate Active Directory Configuration
  • The Get-ClusterDiagnostics cmdlet is not supported on Workgroup and Multi-domain clusters in the Windows Server 2016 TP3 release.

I’ll keep this post up-to-date.

37 thoughts on “Workgroup and Multi-Domain Clusters in Windows Server 2016”

  1. Is it normal after following all steps for the cluster to report error:
    Cluster network name resource ‘Cluster Name’ failed registration of one or more associated DNS name(s) for the following reason:
    DNS bad key.

    If not, how is this fixable?
    The cluster is running and the cluster node(s) are up.

    1. Hi, Jeremy!

      1. RTM or TPs?
      2. Workgroup cluster or between domains?
      3. Have you checked DNS health? Does it work? Ensure that DNS record for CNO is existed
      4. Share your NIC settings on cluster nodes (DNS, IPs)
      5. Try to repair CNO (cluadmin.msc -> core resources -> and select more actions for Cluster Name)

  2. Hi. How should cluster creation command be run if initiated from a remote computer against two non-domain joined Win2016 servers? I’ve tried the below, but not working… I’ve tried using start-process to initiate. I’ve tried using credSSP, but not having any joy. The creds are local admins on both cluster nodes (same username, same password). WSFC Windows Feature is installed on both nodes. Any assistance is appreciated.

    Invoke-Command -ComputerName $servers[0] -Credential $myCreds -ScriptBlock {New-Cluster -Name $using:clusterName -Node $using:node1,$using:node2 -AdministrativeAccessPoint DNS -StaticAddress $using:clusterIP -NoStorage }

    Error received is:
    There was an error adding node ‘NODE2’ to the cluster
    You do not have administrative privileges on the server ‘NODE2’.
    Attempted to perform an unauthorized operation.
    + CategoryInfo : PermissionDenied: (:) [New-Cluster], ClusterCmdletException
    + FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.FailoverClusters.PowerShell.NewClusterCommand


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: