Description of the failover cluster security model in Windows Server 2008


This article describes changes in Windows Server 2008 to the new security model for the Microsoft failover cluster service.

More Information

Earlier versions of Microsoft clustering technology

In the earlier versions of Microsoft clustering technology, the cluster service runs in the context of a domain user account whose rights are modified during the cluster configuration process. Therefore, the cluster service has all the rights it requires on the local cluster node to function appropriately.

By default, all communications with the cluster use NT LAN Manager (NTLM) authentication, and the security context is the cluster service account. In Windows 2000 Service Pack 3 and later versions, Kerberos version 5 protocol authentication is available. Kerberos authentication requires manual configuration by using the Cluster.exe Command Line Interface (CLI).

In Windows Server 2003-based clusters, Kerberos authentication can be enabled in the Cluster Administrator interface for a cluster Network Name resource. Because the cluster service account is a domain user account, the cluster service account is constrained by all group policies that affect users and groups. For example, these group policies include, but are not limited to, password expiration policies, user rights assignments, and local and domain group membership.

Microsoft clustering technology in Windows Server 2008

In Windows Server 2008 Failover Clusters, the cluster service no longer runs in the context of a domain user account. Instead, the cluster service runs in the context of a local system account that has restricted rights to the cluster node. By default, Kerberos authentication is used. If the application does not support Kerberos authentication, NTLM authentication is used.

During the installation of the Failover Cluster feature, a domain user account is required only for the following tasks:
  • When you run the Failover Cluster Validation process.
  • When you create the cluster.
To complete each of these tasks, you must have the following access and rights:
  • Local administrator access to each node in the cluster
  • Rights to create computer objects in the domain
After a cluster is created, the domain user account is no longer required for the cluster to function appropriately. However, the domain user account is required to administer the cluster. To administer the cluster, this domain user account must be a member of the Local Administrators group on each cluster node. During the Create Cluster process, a computer object is created in Active Directory Domain Services (AD DS). The default location of this computer object is the Computers container.
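The two prerequisites listed above (local administrator access on each node, and the right to create computer objects in the domain) can be checked before Validate or Create Cluster is run. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the ActiveDirectory module (RSAT) is installed on the machine running the check, and the node names and container DN are placeholders. It checks the current user, which is assumed to be the domain user account that will create the cluster.

```powershell
# Added example (not from the KB article): preflight the two prerequisites the article
# lists for Validate Cluster / Create Cluster. Node names and the container DN are
# placeholders; the ActiveDirectory module is assumed to be available.
Import-Module ActiveDirectory

$nodes       = @('NODE1', 'NODE2')                 # placeholder node names
$containerDn = 'CN=Computers,DC=contoso,DC=com'    # placeholder: where the CNO will be created

# SIDs of the current user and every group in its token (covers nested domain groups).
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User) + @($me.Groups)

# 1. Local Administrators membership on each node, read through the WinNT provider
#    so that it also works against nodes without PowerShell remoting.
foreach ($node in $nodes) {
    $group = [ADSI]"WinNT://$node/Administrators,group"
    $memberSids = $group.psbase.Invoke('Members') | ForEach-Object {
        $raw = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
        New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
    }
    $isAdmin = [bool]($memberSids | Where-Object { $mySids -contains $_ })
    '{0}: current user is in local Administrators = {1}' -f $node, $isAdmin
}

# 2. Right to create computer objects in the target container.
#    bf967a86-... is the schema GUID of the "computer" class; an empty ObjectType means
#    the ACE applies to all child object classes. Simplified check: Deny ACEs are ignored.
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$sidType = [System.Security.Principal.SecurityIdentifier]
$acl = Get-Acl -Path "AD:\$containerDn"
$createRules = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ([int]($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -ne 0) -and
    ($_.ObjectType -eq [Guid]::Empty -or $_.ObjectType -eq $computerClassGuid) -and
    ($mySids -contains $_.IdentityReference)
})
'Create computer objects in {0} = {1}' -f $containerDn, [bool]$createRules
```

Run it as the account that will create the cluster. A "False" on either line means the corresponding prerequisite in the list above is not met for that account, and the validation or creation step will not succeed.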

The computer object that represents the name of the cluster becomes the new security context for this cluster. This computer object is known as the Cluster Name Object (CNO). The CNO is used for all communications with the cluster. By default, all communications use Kerberos authentication. However, the communications can also use NTLM authentication if it is necessary.

Note: Computer accounts that correspond to the cluster Network Name resources can be pre-staged in AD DS. The computer accounts can be pre-staged in containers other than the Computers container. If you want to set a pre-staged computer account to be the CNO, you must disable this computer account before you create the cluster. If you do not disable this computer account, the Create Cluster process will fail.
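The pre-staging step described in the note above, as an added PowerShell example that is not part of the article and not Microsoft's own code: it creates the CNO computer account disabled in a chosen OU, or disables an already existing one, and refuses to proceed if the account is still enabled. The cluster name and OU path are placeholders, and the ActiveDirectory module is assumed to be available.

```powershell
# Added example (not from the KB article): pre-stage the CNO computer account in a
# non-default container and make sure it is disabled before Create Cluster runs.
Import-Module ActiveDirectory

$cnoName  = 'CLUSTER01'                         # placeholder cluster name
$targetOu = 'OU=Clusters,DC=contoso,DC=com'     # placeholder container for the CNO

$existing = Get-ADComputer -Filter "Name -eq '$cnoName'"
if (-not $existing) {
    # Create the account disabled: the article states that an enabled pre-staged
    # account makes the Create Cluster process fail.
    New-ADComputer -Name $cnoName -SamAccountName $cnoName -Path $targetOu -Enabled $false
}
elseif ($existing.Enabled) {
    # The account already exists but is enabled: disable it before creating the cluster.
    Disable-ADAccount -Identity $existing
}

# Re-read the object and report its state so the operator can confirm before continuing.
$cno = Get-ADComputer -Identity $cnoName
$cno | Select-Object Name, Enabled, DistinguishedName
if ($cno.Enabled) {
    throw "$cnoName is still enabled; the Create Cluster process would fail."
}
```

After the script reports Enabled = False, the Create Cluster wizard can be pointed at the name CLUSTER01 and will adopt the pre-staged object in OU=Clusters as the CNO instead of creating a new object in the Computers container.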

All other Network Name resources that are created in a Failover Cluster as part of a Client Access Point (CAP) are created by the CNO. These Network Name resources are known as Virtual Computer Objects (VCOs). An Access Control List (ACL) entry for the CNO is added to each VCO that is created in AD DS. Additionally, the CNO is responsible for synchronizing the domain password of each VCO that it created. The CNO synchronizes the domain password every 7 days.
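The relationship described above (a CNO ACL entry on every VCO, and a 7-day password synchronization cycle) is something an administrator can audit from AD DS. The following PowerShell is an added example, not code from the article or from Microsoft: it lists computer objects whose security descriptor carries an explicit entry for the CNO, which is what marks them as that cluster's VCOs, and reports how long ago each VCO's password was last set. The cluster name and search base are placeholders, and the ActiveDirectory module is assumed to be available.

```powershell
# Added example (not from the KB article): enumerate the VCOs of a cluster by looking for
# the CNO's ACL entry on computer objects, and compare each VCO's password age with the
# 7-day synchronization cycle the article describes. Names are placeholders.
Import-Module ActiveDirectory

$cnoName    = 'CLUSTER01'            # placeholder cluster name (CNO)
$searchBase = 'DC=contoso,DC=com'    # placeholder domain root

$cno     = Get-ADComputer -Identity $cnoName   # default property set includes SID
$sidType = [System.Security.Principal.SecurityIdentifier]

$candidates = Get-ADComputer -Filter * -SearchBase $searchBase -Properties PasswordLastSet |
    Where-Object { $_.DistinguishedName -ne $cno.DistinguishedName }

foreach ($c in $candidates) {
    # Read the object's security descriptor through the AD: drive the module provides.
    $acl = Get-Acl -Path ('AD:\' + $c.DistinguishedName)

    # Ask for SID identities so the comparison does not depend on name resolution;
    # only explicit (non-inherited) entries are considered, as the CNO entry is added directly.
    $cnoRules = @($acl.GetAccessRules($true, $false, $sidType) |
        Where-Object { $_.IdentityReference -eq $cno.SID })
    if ($cnoRules.Count -eq 0) { continue }    # no CNO entry: not a VCO of this cluster

    $age = if ($c.PasswordLastSet) { [int]((Get-Date) - $c.PasswordLastSet).TotalDays } else { $null }

    [pscustomobject]@{
        Vco                  = $c.Name
        CnoRights            = ($cnoRules | ForEach-Object { $_.ActiveDirectoryRights }) -join '; '
        PasswordLastSet      = $c.PasswordLastSet
        DaysSincePasswordSet = $age
        # An age beyond the 7-day cycle may indicate that the CNO cannot synchronize this VCO.
        OverdueForSync       = ($age -ne $null -and $age -gt 7)
    }
}
```

A VCO whose DaysSincePasswordSet keeps growing past 7 while the cluster is online is worth investigating, since the CNO is the only account expected to maintain that password; a missing CnoRights entry on a Network Name resource's computer object likewise indicates the VCO was not created, or was later modified, outside the process the article describes.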