2025-02-24 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
Today, Lao Wang is here to talk with you about the workgroup deployment model in WSFC 2016. As Lao Wang said at the beginning of the WSFC 2016 series, for WSFC 2016 we would start with maintenance and management, then move on to debugging and optimization, and finally deployment and migration. We have now covered almost all of the new maintenance and management features of WSFC 2016, and there are still several articles on optimization and deployment to come.
Before we talk about the workgroup deployment model, let's first look at the historical question: why should there be a workgroup deployment model at all?
Back in the Windows Server 2003 era, if we wanted to build a cluster, each cluster needed a CSA (Cluster Service Account), that is, a domain account, to support starting the cluster service and running the cluster resources.
After this model had been running for a while, some administrators began to complain that once the password of that account was accidentally changed, or some account management policy was applied to it, the cluster could not start, and so on.
So in 2008, Microsoft changed the cluster account model and introduced the CNO and VCO model.
CNO (Cluster Name Object)
1. It is part of the cluster access identity: administrators or applications connect to the cluster through the CNO.
2. It is responsible for creating VCO virtual computer objects, synchronizing their passwords, and creating and maintaining the VCO DNS records.
3. Specific SPNs are written to the CNO, and applications perform Kerberos authentication with the cluster through the CNO.
4. The association between the CNO and its VCOs is created when the VCO is created and can be viewed in the cluster node registry.
Basically, when we create a cluster and enter the cluster name, the cluster uses our current account to contact AD and generate the CNO computer object under the specified OU, so we need permission to create computer objects in that OU. After the CNO is created, our account is also used to create the CNO's DNS record in DNS. The computer object and the DNS record together form a CAP (cluster access point), and management tools or applications rely on this CAP to access the cluster.
Once the CNO exists, the so-called VCO (virtual computer object) comes into play: the cluster applications we run on top of the cluster usually require their own access name and IP. After the wizard completes, the cluster takes the access name we entered and goes to AD to create the VCO and its DNS record. Here the VCO's computer object and DNS record are maintained by the CNO; after the CNO has created the VCO, it writes its own permission into the VCO's ACL.
Basically, you can see that since the 2008 era the relationship between clusters and AD domains has become closer and closer. If you want to deploy a Windows cluster, you must have AD, which may cause problems for many enterprises:
Our enterprise has only a few SQL DBAs. We need SQL clusters, but we don't understand AD. Deploying clusters requires dealing with AD, and the SQL DBAs can't solve problems at the AD level.
It incurs additional management costs.
Once the AD domain server goes into maintenance, the cluster fails to start.
We mentioned above that the cluster creates CNO and VCO computer objects in AD. Like other computer objects, these need password synchronization, and AD must be contacted for verification at startup. Before 2012, suppose the AD server is being maintained and restarted while the cluster is undergoing a failover, a manual switchover, or a cold start, so the cluster needs to come online. You will find that the cluster network name resource cannot come online because the CNO and VCO cannot be verified against AD, so the cluster stays down and cannot start until AD is back, which leads to additional downtime.
The key point is that the cluster is too tightly coupled to AD: every time it comes online it needs to be verified with AD, and Kerberos authentication also has to go through AD.
Therefore, enterprises that have no requirement for an AD domain environment may be thinking about whether they can avoid using an AD domain at all, or at least reduce the cluster's dependence on it.
Microsoft updated its technology in this area in the WSFC 2012 era, mainly with two improvements:
1. Cluster startup without Active Directory
In some virtualization scenarios, the domain controller may itself be virtualized, and it may run inside the cluster. Then you are likely to fall into a circular problem: the cluster needs to start, but the domain controller virtual machine is in the cluster, and it never starts because the cluster has not started. In WSFC 2012, Microsoft supports starting the cluster nodes without the domain controller being up in this virtualized domain controller scenario.
Tip: although Microsoft claims to have this technology, it is recommended that you deploy an additional domain controller outside the cluster, or always keep a physical domain controller.
2. Cluster without Active Directory dependency
Starting with 2012, clusters without AD dependency are supported, that is, clusters that do not need to create CNO and VCO objects. Cluster administrators no longer need to care much about AD, nor worry about a CNO or VCO object being deleted and making the cluster unusable. In the 2012 era this technology still requires the cluster nodes to be domain-joined, but when creating the cluster there is no need to ask the AD administrator for AD write permissions; the cluster administrator can create the cluster on their own.
This so-called AD-independent cluster looks good. Combined with the AD-free cluster startup technology, the dependence on AD can be reduced to a minimum, but it also has disadvantages. No computer object, no Kerberos: you cannot use Kerberos authentication against an AD-independent cluster. Although Kerberos can still be used for communication within the cluster, access to the cluster name from outside can only be authenticated through NTLM.
The following shows which cluster workloads are supported in an environment without AD dependency:
Cluster workload | Supported? | More information
SQL Server | Supported | Microsoft recommends using SQL Server authentication for AD-independent cluster deployments.
File server | Supported, but not recommended | Kerberos authentication is the preferred authentication protocol for server message block (SMB) traffic.
Hyper-V | Supported, but not recommended | Quick migration is possible, but live migration is not supported because it depends on Kerberos authentication.
Message Queuing (MSMQ) | Not supported | Message Queuing stores properties in AD DS.
In addition to the above resources, BitLocker cluster disk encryption and Cluster-Aware Updating (CAU) are not supported.
Basically, the most suitable workload is SQL Server: a SQL DBA can now deploy a SQL cluster or SQL Always On and use SQL authentication, so a short AD server restart for maintenance will not affect the normal operation of the SQL cluster.
The steps to create an AD-free cluster in the 2012 era are as follows:
# Create a cluster without AD dependency (DNS-only management point)
New-Cluster -Name SQLCluster -Node sql01,sql02 -StaticAddress 10.0.0.80 -NoStorage -AdministrativeAccessPoint Dns
# View the cluster management point mode
(Get-Cluster).AdministrativeAccessPoint
The AdministrativeAccessPoint in the command is the cluster's management point mode. By default (ActiveDirectoryAndDns) it consists of a CNO computer object plus a DNS record. If you do not want the cluster to depend on AD or a CNO, you can specify Dns alone as the management point.
Note that WSFC 2012 cannot create a cluster without AD dependency through the GUI; it can only be done through PowerShell.
Once created, the cluster's deployment architecture is fixed and cannot be changed unless the cluster is destroyed and rebuilt.
After creating the AD-free cluster, you need to configure shared storage and the witness model. In a workgroup cluster or multi-domain cluster, the cluster witness supports only node majority, disk witness and cloud witness.
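The following script is an added example and is not code from the original post. It picks up where the New-Cluster command above leaves off: it confirms that the management point really is DNS-only and then configures one of the three witness models the text says are available (node majority, disk witness, or cloud witness; the cloud witness is a 2016 feature, so it applies to the workgroup cluster described later in the post). It assumes the cluster and node names used above (SQLCluster, sql01/sql02) and the FailoverClusters module on the node where it runs; the Azure storage account name and key for the cloud witness are placeholders.

```powershell
# Added example, not code from the original post. Assumes the FailoverClusters
# module is available and that the cluster was created with
# -AdministrativeAccessPoint Dns. Cloud witness account values are placeholders.
Import-Module FailoverClusters

function Set-DetachedClusterWitness {
    param(
        [string] $ClusterName = 'SQLCluster',
        [ValidateSet('NodeMajority', 'Disk', 'Cloud')]
        [string] $Witness = 'Disk',
        [string] $CloudAccountName,   # Azure storage account (placeholder)
        [string] $CloudAccessKey      # its access key (placeholder)
    )

    $cluster = Get-Cluster -Name $ClusterName

    # Sanity check: 'Dns' means the management point is a DNS record only, with
    # no CNO in AD. 'ActiveDirectoryAndDns' would be the traditional model.
    if ($cluster.AdministrativeAccessPoint -ne 'Dns') {
        throw "Cluster '$ClusterName' is not DNS-only: AdministrativeAccessPoint = $($cluster.AdministrativeAccessPoint)"
    }

    # A file share witness needs Kerberos, which is unavailable without a
    # computer object, so only these three witness models are offered here.
    switch ($Witness) {
        'NodeMajority' {
            Set-ClusterQuorum -Cluster $ClusterName -NoWitness
        }
        'Disk' {
            # Pick a disk that is already in the cluster but not yet assigned to
            # any role; unassigned disks sit in the 'Available Storage' group.
            $disk = Get-ClusterResource -Cluster $ClusterName |
                Where-Object { $_.ResourceType -eq 'Physical Disk' -and
                               $_.OwnerGroup.Name -eq 'Available Storage' } |
                Select-Object -First 1
            if (-not $disk) { throw 'No unassigned cluster disk found for a disk witness' }
            Set-ClusterQuorum -Cluster $ClusterName -DiskWitness $disk.Name
        }
        'Cloud' {
            if (-not $CloudAccountName -or -not $CloudAccessKey) {
                throw 'Cloud witness needs -CloudAccountName and -CloudAccessKey'
            }
            Set-ClusterQuorum -Cluster $ClusterName -CloudWitness `
                -AccountName $CloudAccountName -AccessKey $CloudAccessKey
        }
    }

    # Return the resulting quorum configuration so the caller can inspect it
    Get-ClusterQuorum -Cluster $ClusterName
}

# Usage on one of the nodes, e.g. a disk witness:
# Set-DetachedClusterWitness -ClusterName 'SQLCluster' -Witness 'Disk'
```

The access point check is there because the management point cannot be changed after creation, as the text above notes: if it reports ActiveDirectoryAndDns, the cluster was not built as an AD-independent cluster and has to be destroyed and recreated rather than reconfigured.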
This is the model of the 2012 era. It seems that not many friends in China pay attention to this feature. In fact, Lao Wang thinks some SQL DBAs should know about it, since it can at least reduce part of your SQL cluster's dependence on the AD domain.
There are still some problems with this model, though: it is not really an AD-free environment, since AD is still needed, and AD is usually on the same server as DNS. If that server is undergoing maintenance, the cluster may run into problems after a while.
In the WSFC 2016 era, Microsoft can now deploy WSFC clusters in a pure workgroup environment, with no need for domain membership at all: you get rid of AD and deploy the cluster directly on workgroup nodes. This is very convenient for administrators who have no AD domain environment but want to deploy a cluster, or administrators who want to deploy a cluster but do not want to manage an AD domain at all.
But just like the 2012-era cluster without AD dependency: no computer object, no Kerberos. The supported workloads are the same, and the most suitable workload is still a SQL cluster or AG using SQL authentication.
Experimental verification of a WSFC 2016 workgroup mode cluster
Environment introduction
DNS & iSCSI server
LAN: 10.0.0.2 255.0.0.0
iSCSI: 30.0.0.2 255.0.0.0
HV01
MGMT: 10.0.0.9 255.0.0.0, DNS 10.0.0.2
ISCSI: 30.0.0.9 255.0.0.0
CLUS: 18.0.0.9 255.0.0.0
HV02
MGMT: 10.0.0.10 255.0.0.0, DNS 10.0.0.2
ISCSI: 30.0.0.10 255.0.0.0
CLUS: 18.0.0.10 255.0.0.0
Workgroup mode cluster prerequisites
All node operating systems must be Windows Server 2016
All nodes must use certified hardware
All nodes must have the Failover Clustering feature installed
A workgroup mode cluster needs the same local user with the same password on every node; the user must be a member of the local Administrators group, and if it is not the built-in Administrator account a registry value must be modified
Every node of a workgroup mode cluster must have a primary DNS suffix
Operation flow
Create a local user with the same password on each node
Add the user to the local Administrators group on each node
Set the user's password and tick "Password never expires"
Modify the registry value
Since we do not use the built-in Administrator account, we need to modify the registry value on each node
Open the registry at the following location: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Add a DWORD value named LocalAccountTokenFilterPolicy and set it to 1
Add the primary DNS suffix on each node and restart after the change.
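The operation flow above, carried out in PowerShell as an added example (not code from the original post): it installs the feature, creates the shared local administrator, sets the LocalAccountTokenFilterPolicy value and the primary DNS suffix on a node, and then, after every node has been restarted, creates the cluster with a DNS-only management point. The account name clusadmin, the DNS suffix wglab.example, and the cluster name and address are assumptions; the password is typed interactively so the identical secret is entered on each node.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell
# session on every node (HV01 and HV02 in this lab). User name, DNS suffix,
# cluster name and cluster address are assumptions.
function Initialize-WorkgroupClusterNode {
    param(
        [string] $UserName  = 'clusadmin',
        [string] $DnsSuffix = 'wglab.example'
    )

    # 1. Failover Clustering feature on every node
    Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools | Out-Null

    # 2. Same local user, same password, on every node; password never expires
    $password = Read-Host -Prompt "Password for $UserName (use the same on all nodes)" -AsSecureString
    if (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue) {
        Set-LocalUser -Name $UserName -Password $password -PasswordNeverExpires $true
    } else {
        New-LocalUser -Name $UserName -Password $password -PasswordNeverExpires -AccountNeverExpires | Out-Null
    }

    # 3. Member of the local Administrators group
    $members = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
    if ($members -notcontains "$env:COMPUTERNAME\$UserName") {
        Add-LocalGroupMember -Group 'Administrators' -Member $UserName
    }

    # 4. LocalAccountTokenFilterPolicy = 1, needed because this is not the
    #    built-in Administrator. It turns off UAC remote restrictions for local
    #    accounts, so every node now accepts full-token remote administration
    #    with this account: keep the password strong and limit which networks
    #    can reach the management interface (the 10.0.0.0 network here).
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    New-ItemProperty -Path $policy -Name 'LocalAccountTokenFilterPolicy' `
        -PropertyType DWord -Value 1 -Force | Out-Null

    # 5. Primary DNS suffix ('NV Domain' is read at boot, 'Domain' is the live value)
    $tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    Set-ItemProperty -Path $tcpip -Name 'NV Domain' -Value $DnsSuffix
    Set-ItemProperty -Path $tcpip -Name 'Domain'    -Value $DnsSuffix

    Write-Host 'Node prepared; restart it so the DNS suffix takes effect.'
}

# After every node has been prepared and restarted, create the cluster from one
# node while logged on as that local user. The same command applies to the
# 2012 AD-free cluster; only -AdministrativeAccessPoint Dns matters here.
function New-WorkgroupCluster {
    param(
        [string]   $Name          = 'WGCLUSTER',
        [string[]] $Node          = @('HV01.wglab.example', 'HV02.wglab.example'),
        [string]   $StaticAddress = '10.0.0.80'
    )
    New-Cluster -Name $Name -Node $Node -StaticAddress $StaticAddress `
        -AdministrativeAccessPoint Dns | Out-Null

    # Return the management point so the caller can confirm it is DNS-only
    (Get-Cluster -Name $Name).AdministrativeAccessPoint
}

# Usage: Initialize-WorkgroupClusterNode on each node, reboot, then on one node
# New-WorkgroupCluster
```

Reading the existing Administrators membership before calling Add-LocalGroupMember avoids the error the cmdlet raises when the account is already a member, so the function can be re-run on a node that was only partially prepared.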
After all the prerequisites are ready, we can create the workgroup cluster through the GUI or PowerShell. The PowerShell command is the same as for the 2012 AD-free cluster.
Here we choose to create it through the GUI: open Failover Cluster Manager, create the cluster and add the node names. Normally you can see the node with its DNS suffix after entering it.
Cluster validation: here we choose No for the time being.
Enter the cluster name. If we were deploying the traditional AD domain model, this name would be used to create the CNO and the DNS management point, but since we are in the workgroup model, only the DNS management point is created.
Click Next to confirm. You can see that the Create Cluster Wizard recognizes that we are currently building a workgroup cluster and automatically confirms that we are registered as DNS only.
After creation, you can see that the cluster is running normally, and it automatically selected the smallest disk larger than 512MB as the witness. WSFC 2016 does not support a file share witness for workgroup clusters or multi-domain clusters.
At this point, if you run the Validate Cluster wizard, you can see a warning about the AD configuration, which notes that we are currently deploying in workgroup mode, that the same updates need to be applied to all nodes, and that the DNS name must be replicated to the authoritative DNS server of the cluster nodes.
Tip: don't forget that running cluster validation in a production environment with storage validation ticked will take the application offline.
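As an added example (not code from the original post), here is the validation run the tip above calls for on a cluster that is already serving an application: it runs Test-Cluster with the Storage category left out, so shared disks stay online, and then reports the management point, node states and witness resource so the workgroup cluster can be checked without the GUI. It assumes the lab node names HV01 and HV02 and the FailoverClusters module on the node where it runs.

```powershell
# Added example, not code from the original post. Assumes the FailoverClusters
# module and the HV01/HV02 node names from the lab above.
Import-Module FailoverClusters

function Test-WorkgroupClusterHealth {
    param(
        [string[]] $Node       = @('HV01', 'HV02'),
        [string]   $ReportPath = (Join-Path $env:TEMP 'wg-validation')
    )

    # Validation without the Storage category: shared disks are not taken
    # offline, so this is safe on a cluster that is already running a workload.
    $report = Test-Cluster -Node $Node `
        -Include 'Inventory', 'Network', 'System Configuration' `
        -ReportName $ReportPath

    # Get-Cluster accepts a node name and returns the cluster it belongs to
    $cluster = Get-Cluster -Name $Node[0]

    [pscustomobject]@{
        # Dns for a workgroup cluster; ActiveDirectoryAndDns would mean a CNO exists
        AccessPoint = $cluster.AdministrativeAccessPoint
        # Each node and whether it is Up, Down or Paused
        Nodes       = Get-ClusterNode -Cluster $cluster.Name |
                          ForEach-Object { "$($_.Name)=$($_.State)" }
        # The witness resource chosen at creation (the smallest disk over 512MB here)
        Quorum      = (Get-ClusterQuorum -Cluster $cluster.Name).QuorumResource
        # Path of the HTML validation report, where the AD-configuration warning appears
        Report      = $report.FullName
    }
}

# Usage from one of the nodes:
# Test-WorkgroupClusterHealth
```

The report file is where the AD-configuration warning described above shows up; keeping the path in the returned object makes it easy to archive the report alongside each change to the cluster.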
After the workgroup cluster is created, we can start deploying cluster-based applications. According to Microsoft's suggestion, a SQL cluster or AG using SQL authentication is still the best scenario, but Lao Wang believes that applications that do not need Kerberos authentication and do not need to write AD domain objects can also try the workgroup deployment model.
Most of the new features in WSFC 2016 can also be used in workgroup mode clusters, such as:
Fault domain site awareness
Site health detection
Cloud Witness
Cluster log optimization
Simplified SMB Multichannel
Cluster VM load balancing (no live migration, only quick migration)
VM resiliency and storage fault tolerance (no live migration, only quick migration)