Workgroup and Multi-Domain Clusters in Windows Server 2016

Hi, folks!

In Windows Server 2012/2012 R2 and previous versions, there is one global requirement for a cluster: all nodes must be joined to a single domain. The Active Directory-detached cluster, which was introduced in 2012 R2, has the same requirement and does not provide any additional flexibility either. Beginning with Windows Server 2016 (Technical Preview 3/future RTM), you have additional options: creating a cluster with nodes in a Workgroup and creating a cluster in a multi-domain environment.

My demo:

WS 2016 TP3 on tp3-1 and tp3-2 nodes. Workgroup joined (default settings). No storage.

Prerequisites

Single-Domain clusters:

  • All servers must be running Windows Server 2016 (TP3 was the latest build at the time of writing; WS 2016 RTM is now available. The process and requirements are the same.)
  • All servers must have the Failover Clustering feature installed.
PS C:\Users\rlevchenko> Install-WindowsFeature Failover-Clustering -IncludeManagementTools

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Remote Server Administration Tools, Failo...

Multi-Domain and Workgroup clusters:

  • The Failover Clustering MMC is not supported. Use PowerShell.

Under a local user, Workgroup (same for previous Windows Server versions):

[Screenshot: failover cluster manager 2016 workgroup multi-domain]

  • To create a new cluster, you must have a local user with administrative privileges on each node. The username and password must be the same on all nodes.
PS C:\Users\rlevchenko> net user /add cluadm Password
The command completed successfully.
PS C:\Users\rlevchenko> net localgroup administrators cluadm /add
The command completed successfully.
  • If you receive the error “Requested Registry access is not allowed”, you need to change the LocalAccountTokenFilterPolicy value to 1:
New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 1
The command completed successfully.
  • Each cluster node must have a primary DNS suffix.

[Screenshot: dns suffix workgroup windows server 2016]

  • To create a new cluster in a Workgroup or Multi-Domain environment, you have to use DNS as the Administrative Access Point. The warning can be safely ignored (see below).
PS C:\Users\rlevchenko> New-Cluster -Name WGCL -Node tp3-1,tp3-2 -AdministrativeAccessPoint DNS  -StaticAddress 10.0.0.100
WARNING: There were issues while creating the clustered role that may prevent it from starting. For more information
view the report file below.
WARNING: Report file location: C:\Windows\cluster\Reports\Create Cluster Wizard WGCL on 2015.09.02 At 14.26.58.htm

Name
----
WGCL

PS C:\Users\rlevchenko> Get-ClusterNode

Name                 ID    State
----                 --    -----
tp3-1                1     Up
tp3-2                2     Up

PS C:\Users\rlevchenko> Get-ClusterResource

Name               State  OwnerGroup    ResourceType
----               -----  ----------    ------------
Cluster IP Address Online Cluster Group IP Address
Cluster Name       Online Cluster Group Network Name

There is 1 warning in the report. It’s expected:

No appropriate disk could be found for the witness disk

Workgroup and Multi-Domain clusters support only Disk Witness or Cloud Witness (Azure Storage). There is no support for File Share Witness (!)
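
The per-node prerequisites listed above (Failover Clustering feature, local administrator account, primary DNS suffix, LocalAccountTokenFilterPolicy) can be verified on each node before running New-Cluster. The following PowerShell is an added example, not code from the original post; the function name Test-WorkgroupClusterNode is hypothetical, and it assumes PowerShell 5.1 on Windows Server 2016 for Get-LocalUser and Get-LocalGroupMember.

```powershell
# Added example, not from the original post. Run locally, elevated, on each node
# (tp3-1, tp3-2) and compare the results. The function name is hypothetical.
# Assumes Windows Server 2016 with PowerShell 5.1 (Get-LocalUser, Get-LocalGroupMember).
function Test-WorkgroupClusterNode {
    param([string]$AdminUser = 'cluadm')   # account name used in the post

    # The Failover Clustering feature must be installed on every node.
    $feature = Get-WindowsFeature -Name Failover-Clustering

    # Primary DNS suffix as the OS reports it; empty when none is configured.
    $suffix = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName

    # LocalAccountTokenFilterPolicy = 1 turns off UAC remote token filtering: every
    # local Administrators account then gets a full admin token over the network.
    # Report it so the setting stays limited to nodes that actually need it.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = (Get-ItemProperty $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy

    # The local account must exist, be enabled and be in BUILTIN\Administrators.
    # The group is looked up by its well-known SID, so localized names do not matter.
    $user   = Get-LocalUser -Name $AdminUser -ErrorAction SilentlyContinue
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
    $member = $admins | Where-Object { $user -and $_.SID.Value -eq $user.SID.Value }

    [pscustomobject]@{
        Node                = $env:COMPUTERNAME
        ClusteringInstalled = [bool]$feature.Installed
        PrimaryDnsSuffix    = $suffix
        HasPrimaryDnsSuffix = -not [string]::IsNullOrEmpty($suffix)
        TokenFilterPolicy   = $policy     # $null or 0 = remote filtering still on
        AdminAccountEnabled = [bool]($user -and $user.Enabled)
        AdminAccountIsAdmin = [bool]$member
    }
}

# The password must also match on all nodes; that cannot be checked locally.
Test-WorkgroupClusterNode | Format-List
```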

Cloud witness example

Create storage in Azure:

[Screenshot: azure cloud witness 1]

Note the storage account name and primary access key:

[Screenshot: windows server 2016 azure cloud witness 2]

Change witness options in FCM:

[Screenshot: windows server 2016 azure cloud witness]

Paste the values noted above (the Azure storage account name and the account key are required; change the service endpoint only if it is required, which is very rare):

[Screenshot: windows server 2016 azure cloud witness 3]

Or use PowerShell (with the default endpoint value, “-Endpoint”):

Set-ClusterQuorum -CloudWitness -AccountName <StorageAccountName> -AccessKey <StorageAccountAccessKey>

The following table summarizes whether this deployment method is supported for a specific cluster workload.

| Cluster Workload | Supported/Not Supported | More Information |
|---|---|---|
| SQL Server | Supported | We recommend that you use SQL Server Authentication for an Active Directory-detached cluster deployment. |
| File server | Supported, but not recommended | Kerberos authentication is the preferred authentication protocol for Server Message Block (SMB) traffic. |
| Hyper-V | Supported, but not recommended | Live migration is not supported because it has a dependency on Kerberos authentication. Quick migration is supported. |
| Message Queuing (also known as MSMQ) | Not supported | Message Queuing stores properties in AD DS. |

Some restrictions in TP3:

  • The following tests will incorrectly generate an Error and can safely be ignored:
    • Cluster Configuration – Validate Resource Status
    • System Configuration – Validate Active Directory Configuration
  • The Get-ClusterDiagnostics cmdlet is not supported on Workgroup and Multi-domain clusters in the Windows Server 2016 TP3 release.

I’ll keep this post up-to-date.