Hi, folks!
In Windows Server 2012/2012 R2 and previous versions, there is one global requirement for a cluster: all nodes must be joined to a single domain. The Active Directory-detached cluster, which was introduced in 2012 R2, has the same requirement and does not provide more flexibility either. Beginning with Windows Server 2016 (Technical Preview 3/future RTM), you have additional options: create a cluster with nodes in a workgroup, or create a cluster in a multi-domain environment.
My demo:
WS 2016 TP3 on tp3-1 and tp3-2 nodes. Workgroup joined (default settings). No storage.
Prerequisites
Single-Domain clusters:
- All servers must be running Windows Server 2016 (TP3 is the latest build of WS 2016. RTM is available. The process and requirements are the same)
- All servers must have the Failover Clustering feature installed.

```
PS C:\Users\rlevchenko> Install-WindowsFeature Failover-Clustering -IncludeManagementTools

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Remote Server Administration Tools, Failo...
```

- All servers must have certified hardware and must have passed the validation tests (use the Windows Server Catalog)
Multi-Domain and Workgroup clusters:
- The Failover Clustering MMC is not supported. Use PowerShell.
Under a local user in a workgroup (same as for previous Windows Server versions):
- To create a new cluster, you must have a local user with administrative privileges on each node. The username and password must be the same on all nodes.

```
PS C:\Users\rlevchenko> net user /add cluadm Password
The command completed successfully.

PS C:\Users\rlevchenko> net localgroup administrators cluadm /add
The command completed successfully.
```

- If you receive the error “Requested Registry access is not allowed”, you need to change the LocalAccountTokenFilterPolicy value to 1. This value turns off UAC remote token filtering, so local administrator accounts receive a full administrative token over the network:

```
New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 1
The command completed successfully.
```
- Each cluster node must have a primary DNS suffix.
- To create a new cluster in a workgroup or multi-domain environment, you have to use DNS as the Administrative Access Point. The warning can be safely ignored (see below)

```
PS C:\Users\rlevchenko> New-Cluster -Name WGCL -Node tp3-1,tp3-2 -AdministrativeAccessPoint DNS -StaticAddress 10.0.0.100
WARNING: There were issues while creating the clustered role that may prevent it from starting. For more information view the report file below.
WARNING: Report file location: C:\Windows\cluster\Reports\Create Cluster Wizard WGCL on 2015.09.02 At 14.26.58.htm

Name
----
WGCL

PS C:\Users\rlevchenko> Get-ClusterNode

Name  ID State
----  -- -----
tp3-1 1  Up
tp3-2 2  Up

PS C:\Users\rlevchenko> Get-ClusterResource

Name               State  OwnerGroup    ResourceType
----               -----  ----------    ------------
Cluster IP Address Online Cluster Group IP Address
Cluster Name       Online Cluster Group Network Name
```

There is 1 warning in the report. It’s expected:
No appropriate disk could be found for the witness disk
Workgroup and Multi-Domain clusters support only Disk Witness or Cloud Witness (Azure Storage). There is no support for File Share Witness (!)
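A pre-flight check for the workgroup prerequisites listed above, to run locally on each node before New-Cluster. This is an added example, not code from the original post; the function name Test-WorkgroupClusterNode is hypothetical, the default account name cluadm is taken from the demo, and it assumes the LocalAccounts cmdlets that ship with Windows Server 2016.

```powershell
# Added example: local pre-flight check for a workgroup cluster node.
# Test-WorkgroupClusterNode is a hypothetical name; 'cluadm' is the demo account.
function Test-WorkgroupClusterNode {
    param([string]$ClusterAdmin = 'cluadm')

    # The Failover Clustering feature must be installed on every node.
    $feature = Get-WindowsFeature -Name Failover-Clustering

    # The primary DNS suffix in effect is the "Domain" value of the Tcpip parameters.
    $tcpip  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $suffix = $tcpip.Domain

    # The shared local account must exist, be enabled and be a local administrator.
    # S-1-5-32-544 is the built-in Administrators group (its name is localized).
    $user    = Get-LocalUser -Name $ClusterAdmin -ErrorAction SilentlyContinue
    $admins  = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
    $isAdmin = [bool]($admins | Where-Object { $_.Name -eq "$env:COMPUTERNAME\$ClusterAdmin" })

    # LocalAccountTokenFilterPolicy = 1 disables UAC remote token filtering for
    # all local administrators, so report the value instead of setting it blindly.
    $policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = (Get-ItemProperty -Path $policyPath -Name LocalAccountTokenFilterPolicy `
                   -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy

    $ready = $feature.Installed -and
             -not [string]::IsNullOrWhiteSpace($suffix) -and
             [bool]$user -and [bool]$user.Enabled -and $isAdmin

    [pscustomobject]@{
        Node                     = $env:COMPUTERNAME
        FailoverClusteringFeature = [bool]$feature.Installed
        PrimaryDnsSuffix         = $suffix
        AccountExists            = [bool]$user
        AccountEnabled           = [bool]$user.Enabled
        AccountIsLocalAdmin      = $isAdmin
        RemoteTokenFilterOff     = ($policy -eq 1)
        PrerequisitesMet         = $ready
    }
}

Test-WorkgroupClusterNode | Format-List
```

Compare the output across nodes: PrimaryDnsSuffix and the account checks should pass on every node, and RemoteTokenFilterOff shows where the registry change has been applied.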
Cloud witness example
Create storage in Azure:
Note the storage account name and the primary access key
Change witness options in FCM:
Paste the values noted above (the Azure storage account name and the account key are required; change the service endpoint only if it is required, which is very rare):
Or use PowerShell (this uses the default endpoint value; use “-Endpoint” to change it):

```
Set-ClusterQuorum -CloudWitness -AccountName <StorageAccountName> -AccessKey <StorageAccountAccessKey>
```
The following table summarizes whether this deployment method is supported for a specific cluster workload.

Cluster Workload | Supported/Not Supported | More Information |
---|---|---|
SQL Server | Supported | We recommend that you use SQL Server Authentication for an Active Directory-detached cluster deployment. |
File server | Supported, but not recommended | Kerberos authentication is the preferred authentication protocol for Server Message Block (SMB) traffic. |
Hyper-V | Supported, but not recommended | Live migration is not supported because it has a dependency on Kerberos authentication. Quick migration is supported. |
Message Queuing (also known as MSMQ) | Not supported | Message Queuing stores properties in AD DS. |

Some restrictions in TP3:
- The following tests will incorrectly generate an Error and can safely be ignored:
  - Cluster Configuration – Validate Resource Status
  - System Configuration – Validate Active Directory Configuration
- The Get-ClusterDiagnostics cmdlet is not supported on Workgroup and Multi-domain clusters in the Windows Server 2016 TP3 release.
I’ll keep this post up-to-date.