Home
%3CLINGO-SUB%20id%3D%22lingo-sub-372059%22%20slang%3D%22en-US%22%3EWorkgroup%20and%20Multi-domain%20clusters%20in%20Windows%20Server%202016%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-372059%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EFirst%20published%20on%20MSDN%20on%20Aug%2017%2C%202015%20%3C%2FSTRONG%3E%20%3CBR%20%2F%3EIn%20Windows%20Server%202012%20R2%20and%20previous%20versions%2C%20a%20cluster%20could%20only%20be%20created%20between%20member%20nodes%20joined%20to%20the%20same%20domain.%20Windows%20Server%202016%20breaks%20down%20these%20barriers%20and%20introduces%20the%20ability%20to%20create%20a%20Failover%20Cluster%20without%20Active%20Directory%20dependencies.%20Failover%20Clusters%20can%20now%20therefore%20be%20created%20in%20the%20following%20configurations%3A%20%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3ESingle-domain%20Clusters%3A%20%3C%2FSTRONG%3E%20Clusters%20with%20all%20nodes%20joined%20to%20the%20same%20domain%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EMulti-domain%20Clusters%3A%20%3C%2FSTRONG%3E%20Clusters%20with%20nodes%20which%20are%20members%20of%20different%20domains%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EWorkgroup%20Clusters%3A%20%3C%2FSTRONG%3E%20Clusters%20with%20nodes%20which%20are%20member%20servers%20%2F%20workgroup%20(not%20domain%20joined)%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1703037014%22%20id%3D%22toc-hId-1703037014%22%20id%3D%22toc-hId-1703037014%22%20id%3D%22toc-hId-1703037014%22%3EPre-requisites%3C%2FH2%3E%0A%3CP%3E%3CBR%20%2F%3EThe%20prerequisites%20for%20Single-domain%20clusters%20are%20unchanged%20from%20previous%20versions%20of%20Windows%20Server.%20%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CUL%3E%0A%3CLI%3EAll%20servers%20must%20be%20running%20Windows%20Server%202016.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CUL%3E%0A%3CLI%3EAll%20servers%20must%20have%20the%20Failover%20Clustering%20feature%20installed.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CUL%3E%0A%3CLI%3EAll%20servers%20must%20use%20logo%E2%80%99d%20hardware%20that%20has%20been%20certified%20and%20the%20collection%20of%20servers%20must%20pass%20all%20cluster%20validation%20tests.%20For%20more%20information%2C%20see%20%3CA%20href%3D%22https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fjj612869.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%20Failover%20Clustering%20Hardware%20Requirements%20and%20Storage%20Options%20%3C%2FA%3E%20and%20%3CA%20href%3D%22https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fjj134244.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%20Validate%20Hardware%20for%20a%20Failover%20Cluster%20%3C%2FA%3E%20.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CBR%20%2F%3E%3CBR%20%2F%3EIn%20addition%20to%20the%20pre-requisites%20of%20Single-domain%20clusters%2C%20the%20following%20are%20the%20pre-requisites%20for%20Multi-domain%20or%20Workgroup%20clusters%20in%20the%20Windows%20Server%202016%3A%20%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CUL%3E%0A%3CLI%3ETo%20create%20a%20new%20cluster%20or%20to%20add%20nodes%20to%20the%20cluster%2C%20a%20local%20account%20needs%20to%20be%20provisioned%20on%20all%20nodes%20of%20the%20cluster%20(as%20well%20as%20the%20node%20from%20which%20the%20operation%20is%20invoked)%20with%20the%20following%20requirements%3A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3COL%3E%0A%3COL%3E%0A%3COL%3E%0A%3CLI%3ECreate%20a%20local%20%E2%80%98User%E2%80%99%20account%20on%20each%20node%20in%20the%20cluster%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3C%2FOL%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3COL%3E%0A%3COL%3E%0A%3CLI%3EThe%20username%20and%20password%20of%20the%20account%20must%20be%20the%20same%20on%20all%20nodes%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3C%2FOL%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3COL%3E%0A%3COL%3E%0A%3CLI%3EThe%20account%20is%20a%20member%20of%20the%20local%20%E2%80%98Administrators%E2%80%99%20group%20on%20each%20node%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3C%2FOL%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3COL%3E%0A%3COL%3E%0A%3CLI%3EWhen%20using%26nbsp%3Ba%20non-builtin%20local%20administrator%20account%20to%20create%20the%20cluster%2C%20set%20the%20LocalAccountTokenFilterPolicy%20registry%20policy%20to%20%3CSTRONG%3E%201%20%3C%2FSTRONG%3E%20%2C%20on%20all%20the%20nodes%20of%20the%20cluster.%20Builtin%20administrator%20accounts%20include%20the%20'Administrator'%20account.%20You%20can%20set%20the%26nbsp%3BLocalAccountTokenFilterPolicy%26nbsp%3Bregistry%20policy%26nbsp%3Bas%20follows%3A%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3C%2FOL%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CUL%3E%0A%3CLI%3EOn%20each%20node%20of%20the%20cluster%20launch%20a%26nbsp%3BMicrosoft%20PowerShell%26nbsp%3Bshell%20as%20an%20administrator%20and%20type%3A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3Enew-itemproperty%20-path%20HKLM%3A%5CSOFTWARE%5CMicrosoft%5CWindows%5CCurrentVersion%5CPolicies%5CSystem%20-Name%20LocalAccountTokenFilterPolicy%20-Value%201%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20998px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F90591iC687BE4FFEFA5F51%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWithout%20setting%20this%20policy%20you%20will%20see%20the%20following%20error%20while%20trying%20to%20create%20a%20cluster%20using%20non-builtin%20administrator%20accounts.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20823px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F90592i39CE0B827BEBE541%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CUL%3E%0A%3CLI%3EThe%20Failover%20Cluster%20needs%20to%20be%20created%20as%20an%20%3CA%20href%3D%22https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fdn265970.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%20Active%20Directory-Detached%20Cluster%20%3C%2FA%3E%20without%20any%20associated%20computer%20objects.%20Therefore%2C%20the%20cluster%20needs%20to%20have%20a%20Cluster%20Network%20Name%20(also%20known%20as%20administrative%20access%20point)%20of%20type%20DNS.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CUL%3E%0A%3CLI%3EPrimary%20DNS%20Suffix%20Requirements%20%3CBR%20%2F%3E%3CBR%20%2F%3E%3CUL%3E%0A%3CUL%3E%0A%3CLI%3EEach%20cluster%20node%20needs%20to%20have%20a%20primary%20DNS%20suffix.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FUL%3E%3CBR%20%2F%3E%3CUL%3E%0A%3CUL%3E%0A%3CLI%3EFor%20Multi-domain%20Clusters%3A%20The%20DNS%20suffix%20for%20all%20the%20domains%20in%20the%20cluster%2C%20should%20be%20present%20on%20all%20cluster%20nodes%E2%80%A6%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FUL%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20550px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F90593i537896931FF9918B%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--849119947%22%20id%3D%22toc-hId--849119947%22%20id%3D%22toc-hId--849119947%22%20id%3D%22toc-hId--849119947%22%3EDeployment%3C%2FH2%3E%0A%3CP%3E%3CBR%20%2F%3EWorkgroup%20and%20Multi-domain%20clusters%20maybe%20deployed%20using%20the%20following%20steps%3A%20%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3COL%3E%0A%3COL%3E%0A%3CLI%3ECreate%20consistent%20local%20user%20accounts%20on%20all%20nodes%20of%20the%20cluster.%20Ensure%20that%20the%20username%20and%20password%20of%20these%20accounts%20are%20same%20on%20all%20the%20nodes%20and%20add%20the%20account%20to%20the%20local%20Administrators%20group.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20752px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F90594iCCEA7946494238DE%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E2.%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BEnsure%20that%20each%20node%20to%20be%20joined%20to%20the%20cluster%20has%20a%20primary%20DNS%20suffix.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20418px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F90595i64DC79ABE8B7AF2B%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EFor%20Multi-domain%20Clusters%20ensure%20that%20the%26nbsp%3BDNS%20suffix%20for%20all%20the%20domains%20in%20the%20cluster%20is%20present%20on%20all%20cluster%20nodes.%20%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20927px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F90596i0AA285F159DE5EA0%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E3.%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Create%20a%20Cluster%20with%20the%20Workgroup%20nodes%20or%20nodes%20joined%20to%20different%20domains.%20You%20may%20use%20the%20Failover%20Cluster%20Manager%20or%20Microsoft%20PowerShell.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3E%20Using%20Failover%20Cluster%20Manager%20%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20following%20video%20shows%20the%20steps%20to%20create%20a%20Workgroup%20or%20Multi-Domain%20cluster%20using%20the%20Failover%20Cluster%20Manager%20UI.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E%5Bvideo%20width%3D%221920%22%20height%3D%221080%22%20mp4%3D%22%3CA%20href%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2F2016%2F08%2FWorkgroupCluster.mp4%26quot%3B%5D%5B%2Fvideo%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2F2016%2F08%2FWorkgroupCluster.mp4%22%5D%5B%2Fvideo%3C%2FA%3E%5D%3C%2FP%3E%0A%3CP%3E%3CEM%3E%20Using%20PowerShell%20%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhen%20creating%20the%20cluster%2C%20use%20the%20AdministrativeAccessPoint%20switch%20to%20specify%20a%20type%20of%20DNS%20so%20that%20the%20cluster%20does%20not%20attempt%20to%20create%20computer%20objects.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20534px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F90597iF7ED1E877965F182%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20%2F%3E%3C%2FSPAN%3E%20%3CBR%20%2F%3ENew-Cluster%20%E2%80%93Name%20%3CCLUSTER%20name%3D%22%22%3E%20-Node%20%3CNODES%20to%3D%22%22%20cluster%3D%22%22%3E%20-AdministrativeAccessPoint%20DNS%3C%2FNODES%3E%3C%2FCLUSTER%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20845px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F90598i25B85196E10510A7%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20561px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F90599i569A3447359A8C64%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-893690388%22%20id%3D%22toc-hId-893690388%22%20id%3D%22toc-hId-893690388%22%20id%3D%22toc-hId-893690388%22%3EWorkload%3C%2FH2%3E%0A%3CP%3E%3CBR%20%2F%3EThe%20following%20table%20summarizes%20the%20workload%20support%20for%20Workgroup%20and%20Multi-site%20clusters.%3C%2FP%3E%0A%3CTABLE%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%3E%3CBR%20%2F%3E%3CP%3E%3CSTRONG%3E%20Cluster%20Workload%20%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%3E%3CBR%20%2F%3E%3CP%3E%3CSTRONG%3E%20Supported%2FNot%20Supported%20%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%3E%3CBR%20%2F%3E%3CP%3E%3CSTRONG%3E%20More%20Information%20%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%3E%3CBR%20%2F%3E%3CP%3ESQL%20Server%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%3E%3CBR%20%2F%3E%3CP%3ESupported%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%3E%3CBR%20%2F%3E%3CP%3EWe%20recommend%20that%20you%20use%20SQL%20Server%20Authentication.%26nbsp%3B%20This%20will%20apply%20to%20only%20SQL%20Server%20Always%20On%20Availability%20Groups%20(AGs).%26nbsp%3B%20SQL%20Server%20Failover%20Cluster%20Instances%20(FCI)%20will%20require%20Kerberos%20for%20Active%20Directory%20authentication.%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%3E%3CBR%20%2F%3E%3CP%3EFile%20Server%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%3E%3CBR%20%2F%3E%3CP%3ESupported%2C%20but%20not%20recommended%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%3E%3CBR%20%2F%3E%3CP%3EKerberos%20(which%20is%20not%20available)%20authentication%20is%20the%20preferred%20authentication%20protocol%20for%20Server%20Message%20Block%20(SMB)%20traffic.%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%3E%3CBR%20%2F%3E%3CP%3EHyper-V%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%3E%3CBR%20%2F%3E%3CP%3ESupported%2C%20but%20not%20recommended%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%3E%3CBR%20%2F%3E%3CP%3ELive%20migration%20is%20not%20supported.%20Quick%20migration%20is%20supported.%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%3E%3CBR%20%2F%3E%3CP%3EMessage%20Queuing%20(MSMQ)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%3E%3CBR%20%2F%3E%3CP%3ENot%20supported%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%3E%3CBR%20%2F%3E%3CP%3EMessage%20Queuing%20stores%20properties%20in%20AD%20DS.%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1658466573%22%20id%3D%22toc-hId--1658466573%22%20id%3D%22toc-hId--1658466573%22%20id%3D%22toc-hId--1658466573%22%3EQuorum%20Configuration%3C%2FH2%3E%0A%3CP%3E%3CBR%20%2F%3EThe%20witness%20type%20recommended%20for%20Workgroup%20clusters%20and%20Multi-domain%20clusters%20is%20a%20%3CA%20href%3D%22http%3A%2F%2Fblogs.msdn.com%2Fb%2Fclustering%2Farchive%2F2014%2F11%2F14%2F10572766.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%20Cloud%20Witness%20%3C%2FA%3E%20or%20Disk%20Witness.%20%26nbsp%3BFile%20Share%20Witness%20(FSW)%20is%20not%20supported%20with%20a%20Workgroup%20or%20Multi-domain%20cluster.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-84343762%22%20id%3D%22toc-hId-84343762%22%20id%3D%22toc-hId-84343762%22%20id%3D%22toc-hId-84343762%22%3EServicing%3C%2FH2%3E%0A%3CP%3E%3CBR%20%2F%3EIt%20is%20recommended%20that%20nodes%20in%20a%20cluster%20have%20a%20consistent%20configuration.%20%26nbsp%3BMulti-domain%20and%20Workgroup%20clusters%20introduce%20higher%20risk%20of%20configuration%20drift%2C%20when%20deploying%20ensure%20that%3A%20%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CUL%3E%0A%3CLI%3EThe%20same%20set%20of%20Windows%20patches%20are%20applied%20to%20all%20nodes%20in%20the%20clusters%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CUL%3E%0A%3CLI%3EIf%20group%20policies%20are%20rolled%20out%20to%20the%20cluster%20nodes%2C%20they%20are%20not%20conflicting.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1827154097%22%20id%3D%22toc-hId-1827154097%22%20id%3D%22toc-hId-1827154097%22%20id%3D%22toc-hId-1827154097%22%3EDNS%20Replication%3C%2FH2%3E%0A%3CP%3E%3CBR%20%2F%3EIt%20should%20be%20ensured%20that%20the%20cluster%20node%20and%20network%20names%20for%20Workgroup%20and%20Multi-domain%20clusters%20are%20replicated%20to%20the%20DNS%20servers%20authoritative%20for%20the%20cluster%20nodes.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-372059%22%20slang%3D%22en-US%22%3E%3CP%3EFirst%20published%20on%20MSDN%20on%20Aug%2017%2C%202015%20In%20Windows%20Server%202012%20R2%20and%20previous%20versions%2C%20a%20cluster%20could%20only%20be%20created%20between%20member%20nodes%20joined%20to%20the%20same%20domain.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-372059%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Ecluster%20deployment%20planning%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Esubhasish%20bhattacharya%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWindows%20server%202016%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-718199%22%20slang%3D%22en-US%22%3ERe%3A%20Workgroup%20and%20Multi-domain%20clusters%20in%20Windows%20Server%202016%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-718199%22%20slang%3D%22en-US%22%3E%3CP%3EJohn%2CThanks%20for%20the%20article%20of%20the%20domain%20Independent%20Cluster%2C%20I%20have%20a%20question%2C%20if%20we%20already%20have%20the%20cluster%20with%20CNO%2C%20and%20wanted%20to%20add%20a%20node%20of%20the%20workgroup%20or%20a%20node%20from%20another%20domain%20%2C%26nbsp%3B%20Is%20it%20possible%20to%20add%20that%20to%20the%20current%20cluster%20which%20originally%20is%20not%20built%20with%20DNS%20administrative%20option%3F%20or%20we%20have%20to%20destroy%20the%20current%20cluster%20and%20do%20the%20rebuild%20of%20all%20of%20the%20nodes%20together%20with%20DNS%20option.%20thanks.%26nbsp%3B%20Kokoy%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-793784%22%20slang%3D%22en-US%22%3ERe%3A%20Workgroup%20and%20Multi-domain%20clusters%20in%20Windows%20Server%202016%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-793784%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F365799%22%20target%3D%22_blank%22%3E%40mkokoy%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EUnfortunately%20no.%26nbsp%3B%20The%20initial%20creation%20of%20the%20Cluster%20would%20define%20the%20type%20of%20nodes%20that%20can%20be%20added.%26nbsp%3B%20The%20type%20is%20defined%20by%20the%20AdministrativeAccessPoint%20value.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDNS%20%3D%20does%20not%20add%20to%20active%20directory%20but%20does%20register%20with%20DNS.%26nbsp%3B%20So%20multi-domain%2C%20workgroup%2C%20or%20any%20combination%20of%20nodes%3C%2FP%3E%0A%3CP%3EActiveDirectory%20%3D%20registers%20all%20nodes%20in%20the%20same%20active%20directory%20domain%20but%20does%20not%20register%20with%20DNS%3C%2FP%3E%0A%3CP%3EActiveDirectoryandDNS%20%3D%20registers%20all%20nodes%20in%20the%20same%20active%20directory%20domain%20and%20registers%20with%20DNS%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

First published on MSDN on Aug 17, 2015
In Windows Server 2012 R2 and previous versions, a cluster could only be created between member nodes joined to the same domain. Windows Server 2016 breaks down these barriers and introduces the ability to create a Failover Cluster without Active Directory dependencies. Failover Clusters can now therefore be created in the following configurations:

    • Single-domain Clusters: Clusters with all nodes joined to the same domain

 

    • Multi-domain Clusters: Clusters with nodes which are members of different domains

 

    • Workgroup Clusters: Clusters with nodes which are member servers / workgroup (not domain joined)



Pre-requisites


The prerequisites for Single-domain clusters are unchanged from previous versions of Windows Server.

    • All servers must be running Windows Server 2016.

 

    • All servers must have the Failover Clustering feature installed.

 



In addition to the pre-requisites of Single-domain clusters, the following are the pre-requisites for Multi-domain or Workgroup clusters in the Windows Server 2016:

    • To create a new cluster or to add nodes to the cluster, a local account needs to be provisioned on all nodes of the cluster (as well as the node from which the operation is invoked) with the following requirements:





      1. Create a local ‘User’ account on each node in the cluster

 

      1. The username and password of the account must be the same on all nodes

 

      1. The account is a member of the local ‘Administrators’ group on each node

 

      1. When using a non-builtin local administrator account to create the cluster, set the LocalAccountTokenFilterPolicy registry policy to 1 , on all the nodes of the cluster. Builtin administrator accounts include the 'Administrator' account. You can set the LocalAccountTokenFilterPolicy registry policy as follows:




    • On each node of the cluster launch a Microsoft PowerShell shell as an administrator and type:




new-itemproperty -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 1

 

Without setting this policy you will see the following error while trying to create a cluster using non-builtin administrator accounts.

 




    • The Failover Cluster needs to be created as an Active Directory-Detached Cluster without any associated computer objects. Therefore, the cluster needs to have a Cluster Network Name (also known as administrative access point) of type DNS.

 

    • Primary DNS Suffix Requirements

        • Each cluster node needs to have a primary DNS suffix.

        • For Multi-domain Clusters: The DNS suffix for all the domains in the cluster, should be present on all cluster nodes…






Deployment


Workgroup and Multi-domain clusters maybe deployed using the following steps:

    1. Create consistent local user accounts on all nodes of the cluster. Ensure that the username and password of these accounts are same on all the nodes and add the account to the local Administrators group.




2.    Ensure that each node to be joined to the cluster has a primary DNS suffix.


For Multi-domain Clusters ensure that the DNS suffix for all the domains in the cluster is present on all cluster nodes.

3.    Create a Cluster with the Workgroup nodes or nodes joined to different domains. You may use the Failover Cluster Manager or Microsoft PowerShell.

 

Using Failover Cluster Manager

 

The following video shows the steps to create a Workgroup or Multi-Domain cluster using the Failover Cluster Manager UI.


[video width="1920" height="1080" mp4="https://msdnshared.blob.core.windows.net/media/2016/08/WorkgroupCluster.mp4"][/video]

Using PowerShell

 

When creating the cluster, use the AdministrativeAccessPoint switch to specify a type of DNS so that the cluster does not attempt to create computer objects.




New-Cluster –Name <Cluster Name> -Node <Nodes to Cluster> -AdministrativeAccessPoint DNS

 



Workload


The following table summarizes the workload support for Workgroup and Multi-site clusters.


Cluster Workload


Supported/Not Supported


More Information


SQL Server


Supported


We recommend that you use SQL Server Authentication.  This will apply to only SQL Server Always On Availability Groups (AGs).  SQL Server Failover Cluster Instances (FCI) will require Kerberos for Active Directory authentication.


File Server


Supported, but not recommended


Kerberos (which is not available) authentication is the preferred authentication protocol for Server Message Block (SMB) traffic.


Hyper-V


Supported, but not recommended


Live migration is not supported. Quick migration is supported.


Message Queuing (MSMQ)


Not supported


Message Queuing stores properties in AD DS.

 

Quorum Configuration


The witness type recommended for Workgroup clusters and Multi-domain clusters is a Cloud Witness or Disk Witness.  File Share Witness (FSW) is not supported with a Workgroup or Multi-domain cluster.

Servicing


It is recommended that nodes in a cluster have a consistent configuration.  Multi-domain and Workgroup clusters introduce higher risk of configuration drift, when deploying ensure that:

    • The same set of Windows patches are applied to all nodes in the clusters

 

    • If group policies are rolled out to the cluster nodes, they are not conflicting.



DNS Replication


It should be ensured that the cluster node and network names for Workgroup and Multi-domain clusters are replicated to the DNS servers authoritative for the cluster nodes.

2 Comments
Occasional Visitor

John,Thanks for the article of the domain Independent Cluster, I have a question, if we already have the cluster with CNO, and wanted to add a node of the workgroup or a node from another domain ,  Is it possible to add that to the current cluster which originally is not built with DNS administrative option? or we have to destroy the current cluster and do the rebuild of all of the nodes together with DNS option. thanks.  Kokoy

Microsoft

@mkokoy

 

Unfortunately no.  The initial creation of the Cluster would define the type of nodes that can be added.  The type is defined by the AdministrativeAccessPoint value.

 

DNS = does not add to active directory but does register with DNS.  So multi-domain, workgroup, or any combination of nodes

ActiveDirectory = registers all nodes in the same active directory domain but does not register with DNS

ActiveDirectoryandDNS = registers all nodes in the same active directory domain and registers with DNS