Monday, November 15, 2010

Failover Clustering and Domain Requirements

If you plan for Failover Clustering in Windows Server 2008 R2, you also have to dive into Active Directory and install a Domain Controller. Why? And what if you plan to run your DC as an HA VM?

Why do you need a Domain?

Systems running Windows Server 2008 R2 Failover Cluster services must be members of a domain. This ensures a common authorization framework for services as they fail over from one node to another. It also means that the clients accessing the services of the Failover Cluster can participate in this same authorization framework.
It is recommended that the cluster nodes be member servers and NOT domain controllers.
(Active Directory is already 'Highly Available' by design and does not need something like Failover Cluster to be HA.)
When creating a cluster, the process also creates a Cluster Name Object for the cluster in Active Directory, so the account that creates the cluster needs to be a Local Administrator on the nodes and have permission to create computer objects in Active Directory.

Run your DC as an HA VM?

No. Period.
I have to stress that if your entire cluster shuts down, you're in serious trouble.
You might not be able to start the cluster service or the VMs, and you are finished.
Since your VMs are placed on shared storage, access to that storage is granted through your cluster, and your cluster won't come online to play, you might call it a day.

But do not panic, you only need to place your VM outside your cluster. You can even run it as a VM in Hyper-V Manager on one of your nodes, but do not make it HA or place it on shared storage. Also make sure to configure the Auto-Start Action, so your DC boots up with the host.
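One way to check the placement rules above on a Windows Server 2008 R2 Hyper-V host (an added example, not part of the original post). The VM name `DC01` is hypothetical, and the cluster check assumes the VM resource kept its default name.

```powershell
# Added example: checks that a DC VM is not HA, not stored on a CSV, and auto-starts with the host.
# $VmName is a hypothetical name; run elevated on the Hyper-V host that owns the VM.
param([string]$VmName = 'DC01')

# Hyper-V v1 WMI namespace, as used by Windows Server 2008 / 2008 R2.
$vm = Get-WmiObject -Namespace 'root\virtualization' -Class Msvm_ComputerSystem `
        -Filter "ElementName='$VmName'"
if (-not $vm) { throw "VM '$VmName' not found on this host." }

$settings = Get-WmiObject -Namespace 'root\virtualization' `
        -Class Msvm_VirtualSystemGlobalSettingData -Filter "SystemName='$($vm.Name)'"

# AutomaticStartupAction: 0 = none, 1 = restart only if it was running, 2 = always start.
$autoStart = ($settings.AutomaticStartupAction -eq 2)

# A configuration path under the CSV mount point means the VM depends on the cluster being up.
$onCsv = $settings.ExternalDataRoot -like "$env:SystemDrive\ClusterStorage\*"

# An HA VM is backed by a cluster resource of type 'Virtual Machine'.
# Assumption: the resource kept its default name, "Virtual Machine <VM name>".
$isClustered = $false
if (Get-Module -ListAvailable -Name FailoverClusters) {
    Import-Module FailoverClusters
    $isClustered = [bool](Get-ClusterResource |
        Where-Object { $_.ResourceType.Name -eq 'Virtual Machine' -and
                       $_.Name -eq "Virtual Machine $VmName" })
}

# Summary object; Compliant is true only when all three rules hold.
New-Object PSObject -Property @{
    VM            = $VmName
    AlwaysStarts  = $autoStart
    ConfigOnCsv   = $onCsv
    IsClusteredVM = $isClustered
    Compliant     = ($autoStart -and -not $onCsv -and -not $isClustered)
}
```

The script inspects only the VM configuration path; the location of the VM's virtual hard disks still has to be confirmed separately.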

It's always best practice to have at least a second domain controller as well, so you are able to support the rest of your infrastructure that requires Active Directory to function. It's a good idea to place this on a dedicated machine, outside your virtual environment.

2 comments:

Anonymous said...

We set up a DC outside our cluster. Instead of using a physical server to be just a DC, we put it on a Hyper-V host that is not part of the cluster but still as a VM. Question: which FSMO roles, if any, should this DC outside the cluster have?

Kristian Nese said...

You can run your DC as a virtual machine, and put on every role that you want. However, make sure that you configure this particular VM to be the first one that boots together with the host.

In Windows Server 2012, this has been enhanced, and a DC can now run on your cluster's CSV without any issues. It's also supported to use snapshots together with domain controllers, as well as cloning.