For the last two decades, changing the domain membership of a Failover Cluster has always required that the cluster be destroyed and re-created. This is a time-consuming process, and we have worked to improve it.
This enables scenarios such as building a Failover Cluster in one location and then shipping it to its final location, or moving a cluster into a new domain structure after companies have merged.
Moving a Cluster from one domain to another is a straightforward process. To accomplish this, we introduced two new PowerShell cmdlets:
New-ClusterNameAccount – creates a Cluster Name Account in Active Directory
Remove-ClusterNameAccount – removes the Cluster Name Accounts from Active Directory
In the following example, this is my setup and goal:
2-node Windows Server, version 1709 Failover Cluster
In the Cluster, the Cluster Name is CLUSCLUS and I have a File Server called FS-CLUSCLUS
Both nodes are members of the same domain
Both nodes and the Cluster need to move to a new domain
NOTE: Although I am using Windows Server, version 1709 Failover Cluster in this example, this applies to all later versions of Windows Server Failover Cluster, Windows Server Storage Spaces Direct, and Azure Stack HCI.
The process to accomplish this is to change the cluster from one domain to a workgroup and then to the new domain. For example:
Steps to Change Domain Membership
1. Create a local Administrator account with the same name and password on all nodes.
2. Log on to the first node with a domain user or administrator account that has Active Directory permissions to the Cluster Name Object (CNO) and Virtual Computer Objects (VCOs) and has access to the Cluster, and open PowerShell.
3. Ensure all cluster Network Name resources are in an Offline state and run the below command to change the type of the Cluster to a workgroup.
6. Change the nodes' domain membership to a workgroup, reboot, then join them to the new domain, and reboot again.
7. Once the nodes are in the new domain, log on to a node with a domain user or administrator account that has Active Directory permissions to create objects and has access to the Cluster, and open PowerShell. Start the Cluster Service and set it back to Automatic.
10. If you do not have any additional groups with network names (i.e. a Hyper-V Cluster with only virtual machines), the -UpgradeVCOs parameter switch is not needed.
NOTE: If you are using the new USB Witness feature, you will be unable to add the cluster to the new domain. The reason is that the file share witness type must use Kerberos for authentication. Simply change the witness to none before adding the cluster to the domain. Once the domain join is completed, recreate the USB witness. The error you will see is:
New-ClusternameAccount : Cluster name account cannot be created. This cluster contains a file share witness with invalid permissions for a cluster of type AdministrativeAccesssPoint ActiveDirectoryAndDns. To proceed, delete the file share witness. After this you can create the cluster name account and recreate the file share witness. The new file share witness will be automatically created with valid permissions.
11. Use Active Directory Users and Computers to check the new domain and ensure the associated computer objects were created. If they have, then bring the remaining resources in the groups online.
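The procedure above as one script, an added example that is not the post's own code: the first function covers the pre-move check and the switch to a workgroup (steps 3 through 5), the second the re-join and verification (steps 7 through 11). CLUSCLUS is the post's cluster name; the target domain is a placeholder, and the -DeleteComputerObjects and -NoWitness parameters are assumed from the FailoverClusters module rather than taken from the post, so verify them with Get-Help on your build.

```powershell
# Added example, not from the original post. Run on a cluster node as an account
# that meets the permission requirements in steps 2 and 7.
Import-Module FailoverClusters

function Invoke-ClusterToWorkgroup {
    # Step 3 gate: every Network Name resource must be Offline, otherwise stop here.
    $online = Get-ClusterResource |
        Where-Object { $_.ResourceType.Name -eq 'Network Name' -and $_.State -ne 'Offline' }
    if ($online) {
        $online | Format-Table Name, OwnerGroup, State | Out-String | Write-Warning
        throw 'Take all Network Name resources Offline before changing the cluster type.'
    }

    # USB witness caveat from the post: a File Share Witness (the resource type the USB
    # witness uses) blocks New-ClusterNameAccount later, so drop it now and recreate it
    # after the move. -NoWitness is assumed from the module's Set-ClusterQuorum.
    $quorum = Get-ClusterQuorum
    if ($quorum.QuorumResource -and $quorum.QuorumResource.ResourceType.Name -eq 'File Share Witness') {
        Write-Warning "Removing witness '$($quorum.QuorumResource.Name)'; recreate it after the domain join."
        Set-ClusterQuorum -NoWitness | Out-Null
    }

    # Switch the cluster to workgroup mode (AdministrativeAccessPoint goes to Dns).
    # -DeleteComputerObjects (assumed) also removes the CNO/VCOs from the old domain.
    Remove-ClusterNameAccount -Cluster 'CLUSCLUS' -DeleteComputerObjects

    # Hold the cluster service until the nodes are in the new domain (step 7 restarts it).
    Set-Service -Name ClusSvc -StartupType Manual
    Stop-Service -Name ClusSvc
}

function Invoke-ClusterToDomain {
    param([Parameter(Mandatory)] [string] $NewDomain)   # e.g. 'newdomain.example' (placeholder)

    Set-Service -Name ClusSvc -StartupType Automatic
    Start-Service -Name ClusSvc

    # Recreate the CNO in the new domain; -UpgradeVCOs also recreates the VCO for the
    # FS-CLUSCLUS role. Omit it on a cluster with no other Network Name resources.
    New-ClusterNameAccount -Name 'CLUSCLUS' -Domain $NewDomain -UpgradeVCOs

    # Step 11 check before bringing groups online: the cluster must be back on AD.
    $aap = (Get-Cluster).AdministrativeAccessPoint
    if ($aap -ne 'ActiveDirectoryAndDns') {
        throw "Cluster is still '$aap'; do not bring the groups online until the CNO exists."
    }
}
```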
One last thing I wanted to add. Accomplishing only part of this is well within support, i.e. going only from a workgroup to a domain, or from a domain to a workgroup, is perfectly fine. When going from a domain to a workgroup, the AdministrativeAccessPoint will change from ActiveDirectoryAndDNS to DNS. When going from a workgroup to a domain, this parameter will change from DNS to ActiveDirectoryAndDNS.
Thanks, John Marlin, Senior Program Manager, High Availability and Storage