Cluster and Active Directory
Clusters in a Microsoft environment have Active Directory integration as a prerequisite, as described in KB281662: How to use Windows Server cluster nodes as domain controllers:
“There are instances when you can deploy cluster nodes in an environment where there are no pre-existing Active Directory. This scenario requires that you configure at least one of the cluster nodes as a domain controller. It is recommended that 2+ nodes be configured as domain controllers, so that there be at least one backup domain controller. Keeping the configuration of the nodes consistent across the cluster is a general best practice, and you may wish to enable all nodes as domain controllers. Because Active Directory depends on the Domain Name System (DNS), each domain controller must be a DNS server if there is not another DNS server available that supports dynamic updates or SRV records. (Microsoft recommends that you use Active Directory-integrated zones). For additional information, refer to article 255913.”
Although that premise suggests that, when the infrastructure has no existing Active Directory to integrate with, the solution can be to make the nodes Domain Controllers, that configuration is not supported in several scenarios, so the best solution is to have a physical Domain Controller:
- Microsoft Exchange Server – Is not supported in a clustered configuration where the cluster nodes are domain controllers. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 898634 Active Directory domain controllers are not supported as Exchange Server cluster nodes
- Microsoft SQL Server – Is not supported in a clustered configuration where the cluster nodes are domain controllers. For more information, click the following to view more information: Installing SQL Server on a Domain Controller.
- It is not recommended to combine the Active Directory Domain Services role and the Failover Cluster feature on Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2
- It is not supported to combine the Active Directory Domain Services role and the Failover Cluster feature on Windows Server 2012
As the last point indicates, Windows Server 2012 no longer supports the scenario in which the nodes are also Domain Controllers. On this, see also Active Directory in Hyper-V environments, Part 8:
“You can still install the Failover Clustering Server Feature on an existing Windows Server 2012-based Domain Controller. The change in guidance is not reflected in Server Manager. However, if you want to add an existing Domain Controller to a Failover Cluster as a cluster node, the configuration will not pass the Cluster Validation”
Windows Server 2012 did, however, improve the integration between Failover Clustering and Active Directory: the Cluster Service (clussvc) still has to communicate with Active Directory, but if it cannot reach a Domain Controller at startup it will start anyway and retry the communication later.
This means that a physical Domain Controller is no longer strictly necessary: you can, if you wish, run only virtual Domain Controllers, even as highly available VMs on the cluster itself.
From Windows Server 2012: What's New in Failover Clustering:
“Active Directory Domain Services integration
Integration of failover clusters with Active Directory Domain Services (AD DS) is made more robust in Windows Server 2012 by the following features:
- Ability to create cluster computer objects in targeted organizational units (OUs) or in the same OUs as the cluster nodes. Aligns failover cluster dependencies on AD DS with the delegated domain administration model that is used in many IT organizations.
- Automated repair of cluster virtual computer objects (VCOs) if they are deleted accidentally.
- Cluster access only to Read-only domain controllers. Supports cluster deployments in branch office or perimeter network scenarios.
- Ability of the cluster to start with no AD DS dependencies. Enables certain virtualized data center scenarios.
Note: Failover clusters do not support group Managed Service Accounts.”
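As an added illustration (not code from the original post or from Microsoft's documentation) of two points above, namely that a Domain Controller will not pass cluster validation as a node on Windows Server 2012 and that the cluster name object can be created in a chosen OU, the following PowerShell pre-flight script checks each candidate node's domain role, runs validation, and then creates the cluster with a distinguished name. The node names, domain, OU and IP address are placeholders.

```powershell
# Added example, not from the original post or Microsoft docs.
# Placeholders (assumptions): node names, domain, OU distinguished name, static IP.
Import-Module FailoverClusters

$nodes     = 'NODE1', 'NODE2'
$clusterDn = 'CN=HVCLUSTER01,OU=Clusters,DC=contoso,DC=com'  # CNO will be created in this OU
$clusterIp = '10.0.0.50'

# Win32_ComputerSystem.DomainRole: 3 = member server, 4 = backup DC, 5 = primary DC.
# A node that is a domain controller fails cluster validation on Windows Server 2012,
# so stop before wasting time on Test-Cluster.
foreach ($node in $nodes) {
    $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $node
    switch ($cs.DomainRole) {
        3              { Write-Host "$node is a domain member server (OK)" }
        { $_ -in 4,5 } { throw "$node is a domain controller; not supported as a cluster node" }
        default        { throw "$node is not joined to a domain (DomainRole=$($cs.DomainRole))" }
    }
}

# Full validation report; any remaining blocking issue shows up here.
$report = Test-Cluster -Node $nodes
Write-Host "Validation report written to $($report.FullName)"

# Passing a distinguished name as -Name places the cluster name object (CNO) in that OU
# instead of the default Computers container (Windows Server 2012 and later).
$cluster = New-Cluster -Name $clusterDn -Node $nodes -StaticAddress $clusterIp -NoStorage
$cluster | Format-List -Property Name, Domain
```

Delegating only the target OU to the cluster administrators keeps the CNO and the VCOs it later creates within that OU, which is the delegated-administration model the "What's New" list refers to.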
From Active Directory in Hyper-V environments, Part 8:
Bare metal Domain Controller recommendation
“In previous versions of Windows Server, the Cluster Service (clussvc) communicated with Active Directory to gather information on the Cluster object when starting. The implication is, the Failover Clustering Service and all the highly available workloads on top of it wouldn’t start when an Active Directory Domain Controller is not available: All VMs would not be started after a site-wide power failure when the Domain Controllers would run on top of the Hyper-V platform as highly-available VMs…
In Windows Server 2012, the Cluster Service (clussvc) still attempts to communicate with a Domain Controller when it starts, but when it doesn’t find one, it will start and try to communicate with Active Directory later. This way, the dependency on Active Directory Domain Controllers outside of the cluster is taken away. This feature is known as Active Directory-less Cluster Bootstrapping.”
“Two of the guidance points for Active Directory in Hyper-V Failover Cluster environments have been changed with Windows Server 2012.
You can no longer re-use a Domain Controller as the parent partition of a Hyper-V Cluster node in a supported way. This configuration is no longer officially supported by Microsoft.
Active Directory-less Cluster Bootstrapping eliminates the need for communicating with a Domain Controller for a Failover Cluster node’s Cluster Service at startup, before it can bring its highly-available resources online.”
Windows Server 2012 R2 continued to develop Failover Clustering, introducing a long list of new features, including the ability to decouple the Failover Cluster from Active Directory. See What's New in Failover Clustering in Windows Server 2012 R2:
“In Windows Server 2012 R2 Preview, you can deploy a failover cluster without network name dependencies on Active Directory Domain Services (AD DS). When you deploy a cluster by using this method, the cluster network name (also known as the administrative access point) and network names for any clustered roles with client access points are registered in Domain Name System (DNS). However, no computer objects are created for the cluster in AD DS. This includes both the computer object for the cluster itself (also known as the cluster name object or CNO), and computer objects for any clustered roles that would typically have client access points in AD DS (also known as virtual computer objects or VCOs).
Note: The cluster nodes must still be joined to an Active Directory domain.”
“With this deployment method, you can create a failover cluster without the previously required permissions to create computer objects in AD DS or the need to request that an Active Directory administrator pre-stages the computer objects in AD DS. Also, you do not have to manage and maintain the cluster computer objects for the cluster. For example, you can avoid the possible issue where an Active Directory administrator accidentally deletes the cluster computer object, which impacts the availability of cluster workloads.”
“A cluster without network names in AD DS uses Kerberos authentication for intra-cluster communication. However, when authentication against the cluster network name is required, the cluster uses NTLM authentication.
We do not recommend this deployment method for any scenario that requires Kerberos authentication.”
For the implementation details of a Cluster Without Network Names in Active Directory Domain Services, see Deploy a Cluster Without Network Names in Active Directory Domain Services, which provides further information on support and recommended scenarios:
| Cluster Workload | Supported / Not Supported | More Information |
|---|---|---|
| SQL Server | Supported | We recommend that you use SQL Server Authentication for this type of cluster deployment |
| File server | Supported, but not recommended | Kerberos authentication is the preferred authentication protocol for Server Message Block (SMB) traffic. |
| Hyper-V | Supported, but not recommended | Live migration is not supported because it has a dependency on Kerberos authentication. |
| Message Queuing (also known as MSMQ) | Not supported | Message Queuing stores properties in AD DS. |
“BitLocker Drive Encryption is not supported.
Cluster-Aware Updating (CAU) in self-updating mode is not supported.
Note You can use CAU in remote-updating mode.
You cannot copy a clustered role between failover clusters that use different types of administrative access points.
You cannot change the type of administrative access point after the cluster is deployed.
You can only set the administrative access point type during cluster creation.
If you deploy a highly available file server on a cluster without network names in AD DS, you cannot use Server Manager to manage the file server. Instead, you must use Windows PowerShell or Failover Cluster Manager.
To use Failover Cluster Manager, after you deploy the highly available file server, you must add the fully qualified domain name (FQDN) of the File Server clustered role to the trusted hosts list on each node of the cluster.”
In summary, the option of creating the cluster without Active Directory integration still carries a set of constraints to keep in mind:
- The cluster nodes must still be members of the domain
- Intra-cluster communication still uses Kerberos, but any authentication against the cluster network name falls back to NTLM, so this deployment is not recommended for scenarios that require Kerberos
- Hyper-V clusters cannot use Live Migration, only Quick Migration
- A highly available file server on such a cluster cannot be managed from Server Manager, only from PowerShell or Failover Cluster Manager (and the latter requires the File Server role's FQDN in each node's trusted hosts list)
- BitLocker Drive Encryption and Cluster-Aware Updating in self-updating mode are not supported (remote-updating mode still works)
- Some settings cannot be changed once the cluster has been created (the administrative access point type), and clustered roles cannot be copied between clusters that use different access point types
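The following PowerShell, added here as an example rather than taken from the original post or from Microsoft's documentation, walks through the constraints just listed: it creates a Windows Server 2012 R2 cluster with a DNS-only administrative access point, confirms the access point type (which cannot be changed afterwards), adds a File Server role, and pushes the role's FQDN into the WinRM trusted hosts list on every node so that Failover Cluster Manager can manage it. Node names, addresses, the role name and the domain are assumed placeholders.

```powershell
# Added example, not from the original post or Microsoft docs.
# Placeholders (assumptions): node names, IP addresses, role name, domain suffix.
Import-Module FailoverClusters

$nodes     = 'NODE1', 'NODE2'
$clusterIp = '10.0.0.60'
$roleName  = 'FS01'
$roleIp    = '10.0.0.61'
$roleFqdn  = "$roleName.contoso.com"   # registered in DNS only; no VCO is created in AD DS

# -AdministrativeAccessPoint Dns: the cluster name goes into DNS but no CNO is created.
# The access point type is fixed at creation time and cannot be changed later, so this is
# the only place to get it right. -NoStorage so disks are added explicitly below.
$cluster = New-Cluster -Name 'FSCLUSTER01' -Node $nodes -StaticAddress $clusterIp `
                       -NoStorage -AdministrativeAccessPoint Dns

# Confirm what was created before adding roles (the cluster object exposes the type).
$cluster | Select-Object -Property Name, Domain, AdministrativeAccessPoint

# Bring the shared disk(s) into the cluster and build the file server role on the first one.
$disk = Get-ClusterAvailableDisk | Add-ClusterDisk | Select-Object -First 1
Add-ClusterFileServerRole -Name $roleName -Storage $disk.Name -StaticAddress $roleIp

# Server Manager cannot manage this file server at all; Failover Cluster Manager can only do so
# once the role's FQDN is in the WinRM trusted hosts list on each node (NTLM, not Kerberos,
# is what will be used against that name).
foreach ($node in $nodes) {
    Invoke-Command -ComputerName $node -ArgumentList $roleFqdn -ScriptBlock {
        param($fqdn)
        Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $fqdn -Concatenate -Force
    }
}

# Reminder for Hyper-V roles on the same kind of cluster: live migration is unavailable
# (Kerberos dependency); quick migration still works.
```

Because no computer objects exist in AD DS, nobody needs Create Computer Objects rights on an OU and an accidental deletion of the CNO can no longer take the cluster down; the price is the NTLM fallback for anything that authenticates against the cluster or role name.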
Bear in mind that this information refers to the Windows Server 2012 R2 Preview and may therefore change, as stated in the TechNet Library:
Content in this topic that applies specifically to Windows Server 2012 R2 Preview is preliminary and subject to change in future releases
For further information on clusters and their interaction with Active Directory, see also: