Forum Discussion
Workgroup Failover Cluster backup service account
Why other local accounts fail
Even if you create another local user with the same name and password on all nodes, Windows treats it as a different security principal (unique SID).
The cluster’s internal authentication uses the SID of the account that created the cluster — not just the username.
Therefore, “same name/password” does not equal “same identity.”
Options for management and backup
Option A – Continue using the original cluster account
This is the only supported method in a pure workgroup cluster.
You can use this account for administration and service operations.
Option B – Move to domain membership
If you need multiple named administrators, delegated permissions, or backup agents running under service accounts, join the servers to an Active Directory domain.
Once domain-joined, you can grant specific domain accounts Cluster Administrator rights via:
Grant-ClusterAccess -User "DOMAIN\UserName" -Full
Option C – Scripted elevation
In a workgroup scenario, you could wrap backup jobs or administrative scripts to run as the cluster’s setup account using “Run as different user,” but this is not scalable or secure for production.
Backup implications
Most enterprise backup tools (like Veeam, DPM, or Altaro) expect Kerberos authentication or domain service accounts.
In a workgroup cluster, these tools usually cannot authenticate or discover the cluster unless using stored local credentials for each node individually — they can’t use a central service account.
Recommendation
For reliability, manageability, and backup integration:
Join the nodes to an AD domain.
Workgroup clusters are supported mainly for small or disconnected environments, but they don’t support multi-user administrative models.
Summary:
In a workgroup cluster, only the original local account that created the cluster can manage it — other accounts (even with same credentials) won’t work because of SID mismatch.
If you need named admin and backup service accounts, you must use Active Directory–joined servers.
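
An added example, not part of the original post: a PowerShell check that reads the SID of a same-named local account on every node and reports whether the SIDs differ, which is the "same name/password does not equal same identity" point above. The node names, the account name, and a working WinRM setup between the workgroup machines (TrustedHosts or HTTPS listeners) are assumptions.

```powershell
# Added example. $Nodes and $AccountName are hypothetical placeholders.
$Nodes       = 'NODE1', 'NODE2'      # workgroup cluster nodes (assumed names)
$AccountName = 'svc-backup'          # local account created with the same name on each node
$Cred        = Get-Credential -Message 'Local administrator credential valid on every node'

# Workgroup machines cannot use Kerberos, so WinRM must already be configured
# to accept these hosts (TrustedHosts or HTTPS). That setup is assumed here.
$results = foreach ($node in $Nodes) {
    Invoke-Command -ComputerName $node -Credential $Cred -ScriptBlock {
        try {
            $u = Get-LocalUser -Name $using:AccountName -ErrorAction Stop
            [pscustomobject]@{
                Node       = $env:COMPUTERNAME
                Account    = $u.Name
                Sid        = $u.SID.Value
                # The machine-specific part of the SID; the trailing RID is per account.
                MachineSid = $u.SID.AccountDomainSid.Value
            }
        }
        catch {
            # Account does not exist on this node: report it instead of failing the run.
            [pscustomobject]@{
                Node       = $env:COMPUTERNAME
                Account    = $using:AccountName
                Sid        = $null
                MachineSid = $null
            }
        }
    }
}

$results | Format-Table Node, Account, Sid, MachineSid -AutoSize

$missing = @($results | Where-Object { -not $_.Sid })
if ($missing.Count -gt 0) {
    Write-Warning "Account '$AccountName' not found on: $($missing.Node -join ', ')"
}

# Same name on every node, but each node issued its own SID for it.
$distinct = @($results | Where-Object { $_.Sid } | Select-Object -ExpandProperty Sid -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "'$AccountName' maps to $($distinct.Count) different SIDs: same name, different security principals."
}
```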