Windows 2012 Active Directory Support and Integration

With Failover Clustering in Windows Server 2008, the creation of a Client Access Point (CAP) in a cluster resulted in computer objects being created in Active Directory. These cluster-related objects became the new security context for the cluster. This meant that the cluster service did not run in the context of a domain user account. With Windows Server 2012, that changes. The cluster service runs using a local system account on each cluster node.
There are a number of areas where Windows Server 2012 Failover Clustering works better with Active Directory, too. Some of these include:

  • Support for Read Only Domain Controllers (RODCs) – In Windows Server 2012, you can use RODCs to support your Failover Clusters. This makes it possible for you to put clusters in DMZs and Branch Offices in a more secure fashion.

  • The ability to easily recover from the accidental deletion of a Virtual Computer Object (VCO) - If the computer VCO corresponding to a Client Access Point is deleted, you can initiate a repair action to automatically recreate the computer object in Active Directory.

  • Smart placement of computer objects - The CNO is created in the same OU as the nodes in the cluster and the VCOs are created in the same OU as the CNO. That means no mixing and matching.

  • Starting the Cluster without Active Directory accessible – Prior to Windows Server 2012, the Failover Clustering service had to connect to a domain controller before it could start. As you can imagine, this could be challenging if you were running your DCs in VMs. The situation was even worse when the virtualized domain controllers were located on a Cluster Shared Volume (CSV) that used NTLM to authenticate with a domain controller. In Windows Server 2012, this problem is fixed. The cluster nodes don’t need to communicate with domain controllers in order to start up and enable the CSVs.

  • Protection against accidental deletion of the Cluster Name Object (CNO) – When you create clusters in Windows Server 2012, the Computer Object matching the Cluster Name Object is marked so that accidental deletion is prevented and it requires the Domain Admin to take additional action to delete it.
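A read-only check for the placement and deletion-protection properties described above, added here as an example (it is not code from the original article or from Microsoft). It assumes it runs on a cluster node with the FailoverClusters and ActiveDirectory modules installed and with read access to the domain; the function names Get-ParentDn, Get-AdRow and Get-ClusterAdObjectReport are my own.

```powershell
# Added example (not from the original article or from Microsoft). Assumes it runs
# on a cluster node with the FailoverClusters and ActiveDirectory modules, as a
# user that can read the cluster and the domain. Read-only: it changes nothing.
Import-Module FailoverClusters
Import-Module ActiveDirectory

function Get-ParentDn([string]$dn) {
    # Strip the leading RDN to get the OU/container; tolerates escaped commas in the CN.
    ($dn -split '(?<!\\),', 2)[1]
}

function Get-AdRow([string]$name, [string]$role, [string]$cnoOu) {
    # -Filter (not -Identity) so a deleted object yields $null instead of an exception.
    $obj = Get-ADComputer -Filter "Name -eq '$name'" -Properties ProtectedFromAccidentalDeletion
    $ou = $null; $protected = $false
    if ($obj) {
        $ou = Get-ParentDn $obj.DistinguishedName
        $protected = [bool]$obj.ProtectedFromAccidentalDeletion
    }
    [pscustomobject]@{
        Name = $name; Role = $role; InAD = [bool]$obj; Protected = $protected
        OU = $ou; SameOuAsCno = ($null -ne $ou -and $ou -eq $cnoOu)
    }
}

function Get-ClusterAdObjectReport {
    $cnoName = (Get-Cluster).Name
    $cno = Get-ADComputer -Filter "Name -eq '$cnoName'"
    if (-not $cno) { throw "CNO '$cnoName' is missing from Active Directory" }
    $cnoOu = Get-ParentDn $cno.DistinguishedName

    # CNO first: the article says it is protected from accidental deletion and
    # sits in the same OU as the cluster nodes, so the nodes are listed beside it.
    Get-AdRow $cnoName 'CNO' $cnoOu
    foreach ($node in Get-ClusterNode) { Get-AdRow $node.Name 'Node' $cnoOu }

    # Each Network Name resource outside "Cluster Group" is a Client Access Point
    # backed by a VCO that should sit in the CNO's OU; its computer name is the
    # resource's Name parameter. A deleted VCO shows up as InAD = False.
    Get-ClusterResource |
        Where-Object { $_.ResourceType.Name -eq 'Network Name' -and $_.OwnerGroup.Name -ne 'Cluster Group' } |
        ForEach-Object { Get-AdRow ($_ | Get-ClusterParameter -Name Name).Value 'VCO' $cnoOu }
}

Get-ClusterAdObjectReport | Format-Table -AutoSize
```

A row with Protected = False for the CNO, SameOuAsCno = False for a VCO, or InAD = False for any object is the condition to investigate; a missing VCO is the case the Repair action in Failover Cluster Manager is meant to fix.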

