Dirteam.com/ActiveDir.org Blogs

The things that are better left unspoken

a blog by Sander Berkouwer


Active Directory in Hyper-V environments, Part 8

Designing and implementing a Hyper-V environment can be challenging. Placement of Active Directory Domain Controllers requires additional consideration, especially in Hyper-V Failover Cluster scenarios, where Active Directory membership of the cluster nodes is strictly required.

Windows Server 2012, in Active Directory terms, is a big step forward. We’ve been over the majority of the new features in Active Directory Domain Services on this blog before, so now it’s time to talk about the implications for support policies.

In this blog post, I’ll discuss the newly supported setups in terms of Hyper-V Failover Clustering, beyond the need to apply the hotfix from KnowledgeBase article 2784261, as discussed in Part 7 of this series.

Active Directory Domain Services and Failover Clustering

Failover Cluster nodes require Active Directory domain membership. In environments without Domain Controllers, or without spare physical iron to place Domain Controllers on, this poses a challenge.


The old guidance

Microsoft has advised against re-using Failover Cluster nodes as Domain Controllers for years. Its official stance was:

  1. It is not recommended to combine the Active Directory Domain Services role and the Failover Cluster feature.
  2. It is not supported for a Failover Cluster running Microsoft Exchange Server or Microsoft SQL Server to be a Domain Controller.
  3. It is recommended to leave at least one Domain Controller on bare metal when deploying Domain Controllers inside virtual machines.

Four years ago, I kicked off this series with a blog post recommending not to re-use Hyper-V Failover Cluster nodes as Domain Controllers, from both an architectural and a performance point of view. While that blog post offers a workaround for the third recommendation above, my recommendations have otherwise been identical to Microsoft’s.

These recommendations still largely apply to the Windows Server Operating Systems of those days. With Windows Server 2012, however, Microsoft’s recommendations have changed, and I feel it’s time to review my own.


The updated guidance

Now, in KnowledgeBase article 281662, Microsoft has updated the above guidance with information on Windows Server 2012. The Windows Server 2012-specific changes are listed below:

  1. It is not supported to combine the Active Directory Domain Services role and the Failover Cluster feature on Windows Server 2012.
  2. It is no longer recommended to leave at least one Domain Controller on bare metal when deploying Domain Controllers inside virtual machines on Windows Server 2012.

AD DS Role and Failover Cluster Feature no longer supported

While combining the Active Directory Domain Services Server Role and the Failover Clustering Server Feature on one host has not been recommended on Windows Server 2003, Windows Server 2003 R2, Windows Server 2008 and Windows Server 2008 R2, it is now no longer supported at all.

Now, don’t misinterpret the above. You can still install the Failover Clustering Server Feature on an existing Windows Server 2012-based Domain Controller. The change in guidance is not reflected in Server Manager. However, if you want to add an existing Domain Controller to a Failover Cluster as a cluster node, the configuration will not pass the Cluster Validation:

Screenshot: Validation Error on Validate Active Directory Configuration in the Validate a Configuration Wizard

Now, as you might be aware, if a configuration doesn’t pass the Configuration Validation, Microsoft will not offer support on it. In the help file for Failover Clustering, Microsoft states:

Microsoft support of Failover Cluster Solutions

Microsoft supports a failover cluster solution only if it meets the following requirements:

  • All hardware components in the failover cluster solution are certified for Windows Server 2012. For more information, see Requirements and Steps for Creating a Failover Cluster or Adding a Node.
  • The complete cluster configuration (servers, network, and storage) can pass all tests in the Validate a Configuration Wizard. For more information, see Failover Cluster Validation Tests.
  • The hardware manufacturers’ recommendations for firmware updates and software updates have been followed. Usually, this means that the latest firmware and software updates have been applied.
    Occasionally, a manufacturer might recommend specific updates other than the latest updates.

Note:
On Windows Server 2008 and Windows Server 2008 R2, this same configuration passed Cluster Validation.
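Since the Validate a Configuration Wizard is the gate for support, it pays to find out before the wizard does. The following PowerShell script is an added example, not code from the original post: it checks whether any candidate node already holds the Domain Controller role (reported through Win32_ComputerSystem.DomainRole, where 4 and 5 mean backup and primary Domain Controller) and then runs only the Active Directory validation test against the candidate nodes. The node names are placeholders, and the script assumes the FailoverClusters module (RSAT) and WinRM/CIM access to the nodes are available.

```powershell
# Added example (not from the original post): pre-flight check before adding
# nodes to a Windows Server 2012 Hyper-V Failover Cluster.
# Assumptions: FailoverClusters module installed where this runs, CIM access
# to each node, and the node names below are placeholders for your own.

Import-Module FailoverClusters

$Nodes = 'HV01', 'HV02', 'HV03'   # hypothetical node names

# Win32_ComputerSystem.DomainRole: 0/1 workstation, 2/3 standalone/member
# server, 4 = Backup Domain Controller, 5 = Primary Domain Controller.
# A node reporting 4 or 5 holds the AD DS role and will fail the
# "Validate Active Directory Configuration" test on Windows Server 2012.
$DomainControllers = foreach ($Node in $Nodes) {
    $Cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $Node
    if ($Cs.DomainRole -in 4, 5) { $Node }
}

if ($DomainControllers) {
    Write-Warning ("Domain Controllers among the candidate nodes (not supported " +
                   "as Windows Server 2012 cluster nodes): " +
                   ($DomainControllers -join ', '))
}

# Run only the AD test instead of the full, slow validation suite.
# Test-Cluster writes an HTML report and returns its file object.
$Report = Test-Cluster -Node $Nodes -Include 'Validate Active Directory Configuration'
Write-Host "Validation report: $($Report.FullName)"

# Coarse check: the report marks failed tests with the word "Failed".
# Open the report for the actual reason (here: a node is a Domain Controller).
if (Select-String -Path $Report.FullName -Pattern 'Failed' -Quiet) {
    Write-Warning 'Validation reported at least one failure; this configuration is unsupported.'
} else {
    Write-Host 'Active Directory configuration validated.'
}
```

The DomainRole check is the deterministic part: it tells you which node is the problem before any report is generated. The report scan is only a convenience; the HTML report remains the authoritative record for a support case.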

Bare metal Domain Controller recommendation

In previous versions of Windows Server, the Cluster Service (clussvc) communicated with Active Directory at startup to gather information on the Cluster object. The implication is that the Failover Clustering service, and all highly available workloads on top of it, would not start when no Active Directory Domain Controller was available. After a site-wide power failure, none of the VMs would start if the Domain Controllers themselves ran on top of the Hyper-V platform as highly available VMs…

In Windows Server 2012, the Cluster Service (clussvc) still attempts to communicate with a Domain Controller when it starts, but when it cannot find one, it starts anyway and retries the communication with Active Directory later. This way, the dependency on Active Directory Domain Controllers outside of the cluster is taken away. This feature is known as Active Directory-less Cluster Bootstrapping.
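The failure mode above is a circular dependency: every Domain Controller is a clustered VM, and the cluster needs a Domain Controller before it can start those VMs. The following PowerShell script is an added example, not code from the original post, that audits an existing cluster for exactly that situation and reports whether the node OS version is recent enough for Active Directory-less Cluster Bootstrapping to save you. It assumes the ActiveDirectory and FailoverClusters modules are present, that the cluster name is a placeholder, and that clustered VM role names match the Domain Controllers’ host names; adjust the mapping if your naming differs.

```powershell
# Added example (not from the original post): detect the "all DCs are VMs on
# this cluster" dependency and check whether AD-less bootstrapping applies.
# Assumptions: ActiveDirectory + FailoverClusters modules, CIM access to the
# nodes, a placeholder cluster name, and VM role names equal to DC host names.

Import-Module ActiveDirectory
Import-Module FailoverClusters

$ClusterName = 'HVCLUSTER01'   # hypothetical

# Every Domain Controller the domain knows about (writable and read-only).
$Dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name

# Clustered VM roles on this cluster. Windows Server 2012 exposes GroupType on
# Get-ClusterGroup output, which separates VM roles from other roles.
$ClusteredVms = Get-ClusterGroup -Cluster $ClusterName |
    Where-Object { $_.GroupType -eq 'VirtualMachine' } |
    Select-Object -ExpandProperty Name

$DcsOnCluster = $Dcs | Where-Object { $ClusteredVms -contains $_ }
$DcsElsewhere = $Dcs | Where-Object { $ClusteredVms -notcontains $_ }

# Nodes running an OS older than 6.2 (Windows Server 2012) have no AD-less
# bootstrapping: their Cluster Service will not start without a reachable DC.
$OldNodes = Get-ClusterNode -Cluster $ClusterName | Where-Object {
    $Os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $_.Name
    [version]$Os.Version -lt [version]'6.2'
}

if (-not $DcsElsewhere -and $OldNodes) {
    Write-Warning ("All DCs ($($DcsOnCluster -join ', ')) are clustered VMs and " +
                   "node(s) $($OldNodes.Name -join ', ') predate Windows Server 2012: " +
                   "after a full power loss the Cluster Service cannot reach a DC, " +
                   "so no VM, DC included, comes back without manual intervention.")
} elseif (-not $DcsElsewhere) {
    Write-Host ("All DCs are clustered VMs, but every node runs Windows Server 2012 " +
                "or later: AD-less bootstrapping lets the cluster start and bring " +
                "the DC VMs online first.")
} else {
    Write-Host "DCs outside this cluster: $($DcsElsewhere -join ', ')"
}
```

Even where the second branch applies, it is worth keeping the DC VMs’ auto-start priority high and their start delay low, so that the rest of the workload finds a Domain Controller as soon as possible after the cluster has bootstrapped without one.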


Concluding

Two of the guidance points for Active Directory in Hyper-V Failover Cluster environments have changed with Windows Server 2012.

You can no longer run a Domain Controller in the parent partition of a Hyper-V Failover Cluster node in a supported way; Microsoft no longer officially supports this configuration, and the Validate a Configuration Wizard rejects it.

Active Directory-less Cluster Bootstrapping eliminates the need for a Failover Cluster node’s Cluster Service to communicate with a Domain Controller at startup before it can bring its highly available resources online.


Further reading

Windows Server 2012 Failover Cluster – Enhanced Integration with Active Directory (AD)
Running Domain Controllers in Hyper-V 
Hyper-V role and Active Directory Service in same server? 
Active Directory and DNS on Hyper-V host 
Installing Domain Controller on Hyper-V Host    

Related KnowledgeBase articles

281662 How to use Windows Server cluster nodes as domain controllers 
888794 Things to consider when you host Active Directory domain controllers in virtual hosting environments 

Related posts

Active Directory in Hyper-V environments, Part 1 
Active Directory in Hyper-V environments, Part 2 
Active Directory in Hyper-V environments, Part 3 
Active Directory in Hyper-V environments, Part 4 
Active Directory in Hyper-V environments, Part 5 
Active Directory in Hyper-V environments, Part 6 
Active Directory in Hyper-V environments, Part 7

Posted: Wednesday, November 28, 2012 5:31 PM by Sander Berkouwer

Comments

DevAdmin » Blog Archive » Cluster e Active Directory said:

A cluster in a Microsoft environment has integration with Active Directory as a prerequisite, as described in KB281662: How to use Windows Server cluster nodes as domain controllers:

“There are instances when you can deploy cluster nodes in an environment where there are no pre-existing Active Directory. This scenario requires that you configure at least one of the cluster nodes as a domain controller. It is recommended that 2+ nodes be configured as domain controllers, so that there be at least one backup domain controller. Keeping the configuration of the nodes consistent across the cluster is a general best practice, and you may wish to enable all nodes as domain controllers. Because Active Directory depends on the Domain Name System (DNS), each domain controller must be a DNS server if there is not another DNS server available that supports dynamic updates or SRV records. (Microsoft recommends that you use Active Directory-integrated zones). For additional information, refer to article 255913.”

In reality, although the preamble suggests that, if the infrastructure has no existing Active Directory to integrate with, the solution can be to make the nodes Domain Controllers, this solution is not supported in several scenarios, so the best solution is to have a physical Domain Controller:

  • Microsoft Exchange Server – Is not supported in a clustered configuration where the cluster nodes are domain controllers. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 898634 Active Directory domain controllers are not supported as Exchange Server cluster nodes
  • Microsoft SQL Server – Is not supported in a clustered configuration where the cluster nodes are domain controllers. For more information, click the following to view more information: Installing SQL Server on a Domain Controller.
  • It is not recommended to combine the Active Directory Domain Services role and the Failover Cluster feature on Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2
  • It is not supported to combine the Active Directory Domain Services role and the Failover Cluster feature on Windows Server 2012

As indicated in the last point, in WS2012 the scenario in which the nodes are also Domain Controllers is no longer supported. On this, see also Active Directory in Hyper-V environments, Part 8:

You can still install the Failover Clustering Server Feature on an existing Windows Server 2012-based Domain Controller. The change in guidance is not reflected in Server Manager. However, if you want to add an existing Domain Controller to a Failover Cluster as a cluster node, the configuration will not pass the Cluster Validation

In Windows Server 2012, however, improvements were made to the integration between Failover Cluster and Active Directory: the Cluster Service (clussvc) still has to communicate with Active Directory, but if it cannot contact a Domain Controller at startup, it will retry the communication later.

This implies that, if desired, one can avoid having a physical Domain Controller and have only virtual Domain Controllers.

From Windows Server 2012: What’s New in Failover Clustering:

“Active Directory Domain Services integration

Integration of failover clusters with Active Directory Domain Services (AD DS) is made more robust in Windows Server 2012 by the following features:

  • Ability to create cluster computer objects in targeted organizational units (OUs) or in the same OUs as the cluster nodes. Aligns failover cluster dependencies on AD DS with the delegated domain administration model that is used in many IT organizations.
  • Automated repair of cluster virtual computer objects (VCOs) if they are deleted accidentally.
  • Cluster access only to Read-only domain controllers. Supports cluster deployments in branch office or perimeter network scenarios.
  • Ability of the cluster to start with no AD DS dependencies. Enables certain virtualized data center scenarios.

Note: Failover clusters do not support group Managed Service Accounts.”

From Active Directory in Hyper-V environments, Part 8:

Bare metal Domain Controller recommendation

“In previous versions of Windows Server, the Cluster Service (clussvc) communicated with Active Directory to gather information on the Cluster object when starting. The implication is, the Failover Clustering Service and all the highly available workloads on top of it wouldn’t start when an Active Directory Domain Controller is not available: All VMs would not be started after a site-wide power failure when the Domain Controllers would run on top of the Hyper-V platform as highly-available VMs…

In Windows Server 2012, the Cluster Service (clussvc) still attempts to communicate with a Domain Controller when it starts, but when it doesn’t find one, it will start and try to communicate with Active Directory later. This way, the dependency on Active Directory Domain Controllers outside of the cluster is taken away. This feature is known as Active Directory-less Cluster Bootstrapping.”

“Two of the guidance points for Active Directory in Hyper-V Failover Cluster environments have been changed with Windows Server 2012.

You can no longer re-use a Domain Controller as the parent partition of a Hyper-V Cluster node in a supported way. This configuration is no longer officially supported by Microsoft.

Active Directory-less Cluster Bootstrapping eliminates the need for communicating with a Domain Controller for a Failover Cluster node’s Cluster Service at startup, before it can bring its highly-available resources online.”

In Windows Server 2012 R2, work on Failover Clustering continued, introducing a series of new features, including the ability to decouple the Failover Cluster from Active Directory. On this, see What’s New in Failover Clustering in Windows Server 2012 R2:

“In Windows Server 2012 R2 Preview, you can deploy a failover cluster without network name dependencies on Active Directory Domain Services (AD DS). When you deploy a cluster by using this method, the cluster network name (also known as the administrative access point) and network names for any clustered roles with client access points are registered in Domain Name System (DNS). However, no computer objects are created for the cluster in AD DS. This includes both the computer object for the cluster itself (also known as the cluster name object or CNO), and computer objects for any clustered roles that would typically have client access points in AD DS (also known as virtual computer objects or VCOs).

Note: The cluster nodes must still be joined to an Active Directory domain.”

“With this deployment method, you can create a failover cluster without the previously required permissions to create computer objects in AD DS or the need to request that an Active Directory administrator pre-stages the computer objects in AD DS. Also, you do not have to manage and maintain the cluster computer objects for the cluster. For example, you can avoid the possible issue where an Active Directory administrator accidentally deletes the cluster computer object, which impacts the availability of cluster workloads.”

“A cluster without network names in AD DS uses Kerberos authentication for intra-cluster communication. However, when authentication against the cluster network name is required, the cluster uses NTLM authentication.

We do not recommend this deployment method for any scenario that requires Kerberos authentication.”

For the implementation details of a Cluster Without Network Names in Active Directory Domain Services, see Deploy a Cluster Without Network Names in Active Directory Domain Services, which gives further information about support and recommended scenarios:

Cluster Workload | Supported / Not Supported | More Information
SQL Server | Supported | We recommend that you use SQL Server Authentication for this type of cluster deployment.
File server | Supported, but not recommended | Kerberos authentication is the preferred authentication protocol for Server Message Block (SMB) traffic.
Hyper-V | Supported, but not recommended | Live migration is not supported because it has a dependency on Kerberos authentication. Quick migration is supported.
Message Queuing (also known as MSMQ) | Not supported | Message Queuing stores properties in AD DS.


BitLocker Drive Encryption is not supported.

Cluster-Aware Updating (CAU) in self-updating mode is not supported.
Note: You can use CAU in remote-updating mode.

You cannot copy a clustered role between failover clusters that use different types of administrative access points.

You cannot change the type of administrative access point after the cluster is deployed.

You can only set the administrative access point type during cluster creation.

If you deploy a highly available file server on a cluster without network names in AD DS, you cannot use Server Manager to manage the file server. Instead, you must use Windows PowerShell or Failover Cluster Manager.

To use Failover Cluster Manager, after you deploy the highly available file server, you must add the fully qualified domain name (FQDN) of the File Server clustered role to the trusted hosts list on each node of the cluster.

In summary, the ability to create the cluster without Active Directory integration still has a number of constraints that must be taken into account:

  1. The cluster nodes must be members of the domain
  2. Intra-cluster communications will use NTLM authentication
  3. Hyper-V clusters cannot use Live Migration, only Quick Migration
  4. The cluster cannot be configured through Server Manager, only through PowerShell or Failover Cluster Manager
  5. Some settings cannot be changed once the cluster has been configured (administrative access point type)

Keep in mind that this information relates to the Windows Server 2012 R2 Preview and may therefore be subject to change, as indicated in the TechNet Library:

Content in this topic that applies specifically to Windows Server 2012 R2 Preview is preliminary and subject to change in future releases

For more information on the cluster and its interactions with Active Directory, see also:

# January 16, 2014 11:42 PM
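The trackback above quotes the Windows Server 2012 R2 option of a cluster whose administrative access point lives in DNS only, together with its constraints. The following PowerShell script is an added example, not code from this post or from the quoted Microsoft articles: it creates such a cluster, verifies the access point type right away (it cannot be changed afterwards), and warns about the Live Migration limitation on nodes that run Hyper-V. Node names, cluster name and IP address are placeholders, and the script assumes the FailoverClusters module and the ServerManager cmdlets are available where it runs.

```powershell
# Added example (not from the post or the quoted articles): Windows Server
# 2012 R2 cluster with a DNS-only administrative access point.
# Assumptions: placeholder names/address, FailoverClusters module available,
# nodes are domain members (still required), no shared storage at creation.

Import-Module FailoverClusters

$Nodes   = 'HV01', 'HV02'
$Name    = 'HVCL01'
$Address = '10.0.0.50'

# -AdministrativeAccessPoint Dns: the cluster name and any client access points
# are registered in DNS only; no CNO or VCOs are created in AD DS. This is not
# a workgroup cluster: the nodes themselves remain domain-joined.
# -NoStorage keeps shared disks out of the cluster at creation time.
$Cluster = New-Cluster -Name $Name -Node $Nodes -StaticAddress $Address `
                       -AdministrativeAccessPoint Dns -NoStorage

# The access point type can only be set at creation, so verify it immediately
# rather than discovering a default of ActiveDirectoryAndDns later.
$Aap = (Get-Cluster -Name $Name).AdministrativeAccessPoint
if ($Aap -ne 'Dns') {
    throw "Unexpected administrative access point type on ${Name}: $Aap"
}

# The core Network Name resource still exists; it is backed by DNS alone.
Get-ClusterResource -Cluster $Name |
    Where-Object { $_.ResourceType -eq 'Network Name' } |
    Format-Table Name, State, OwnerGroup -AutoSize

# Authentication against the cluster name falls back to NTLM, so Live
# Migration (Kerberos-dependent) is unsupported here; flag Hyper-V nodes.
foreach ($Node in $Nodes) {
    $HyperV = Get-WindowsFeature -Name Hyper-V -ComputerName $Node
    if ($HyperV.Installed) {
        Write-Warning ("$Node runs Hyper-V: Live Migration is not supported on a " +
                       "DNS-only cluster; plan for Quick Migration instead.")
    }
}
```

Because there is no CNO, the script never needs rights to create computer objects in AD DS, which is the delegation problem this deployment mode is meant to remove; the price is the NTLM fallback for the cluster name, which is why it is a poor fit for SMB file servers and for Hyper-V clusters that rely on Live Migration.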