Windows Server 2016 features workgroup cluster support. In Part 3, I’ll give an overview of the required security adjustments you’ll need to make on your hosts and admin PC to get everyone to play nice.
Hyper-V Core 2016: Workgroup Cluster Series
- Obtain your OS image, either of the two options:
- Install, either to bare metal or new VMs
- On first boot, set your admin password. Make this the same on both nodes; this is required for ease of remote management later.
- Enable Remote Desktop, set date/time, download updates.
- For ease of setup, consider turning off the Windows Firewall temporarily. From the Command Prompt window, type ‘powershell’ then:
netsh advfirewall set allprofiles state off
- If you’re leaving the firewall enabled, punch a few holes:
netsh firewall set service RemoteAdmin enable
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
- Rename each host (HYPERV1, HYPERV2), join to your existing WORKGROUP (or create a new one?), and reboot.
- Verify you can now use Remote Desktop Connections to access each host.
- Open the Powershell prompt and enable Powershell remote access:
Configure DNS Suffix:
Workgroup clusters require that nodes utilize a DNS suffix, I assume to fake some of the requirements satisfied by normally having an AD domain.
- Determine a DNS Suffix you’ll use (e.g., fugelnet.local)
- Set these items in the registry and in DNS, from the Powershell prompt:
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\" -Name Domain -Value fugelnet.local
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\" -Name "NV Domain" -Value fugelnet.local
Set-DnsClientGlobalSetting -SuffixSearchList fugelnet.local
- Verify your new values:
get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"
get-DnsClientGlobalSetting
- Now we need to configure WSMan, which is responsible for Windows Remote Management operations sessions. I tried this by explicitly naming all nodes in the TRUSTEDHOSTS item, but didn’t see proper authentication until I replaced the node names with a * (not great security). This could have been a formatting issue. Run these from Powershell prompt on BOTH nodes AND your management PC:
set-item wsman:\localhost\client\trustedhosts -value "HYPERV1.fugelnet.local,HYPERV2.fugelnet.local"
- You may receive an error “ACCESS DENIED” here. If this happens, try:
stop-service WinRM
start-service WinRM
- Reboot, if it still errors. This cleared the error for me.
- Enable PSRemoting if you haven’t already (step 9 under “BUILD”)
- Verify your new value:
Configure HOSTS files:
- At this point, we need to know what you’re calling your cluster. Pick a name and stick to it.
- Identify the IP addresses of your hosts (I’m doing DHCP reservations at my router so I don’t have to set static IPs, but there’s Powershell out there to do this). Identify the IP you’ll use for your Cluster IP too.
- From a command prompt (‘exit’ if you’re still at the PS prompt on your hosts), run these to add HOSTS entries for the servername+DNS-Suffix naming scheme required for workgroup clustering. Update to use your own hostnames, DNS suffix, and IP addresses.
Set file="%windir%\System32\drivers\etc\hosts"
echo 192.168.1.9 HYPERV1 >> %file%
echo 192.168.1.9 HYPERV1.fugelnet.local >> %file%
echo 192.168.1.10 HYPERV2 >> %file%
echo 192.168.1.10 HYPERV2.fugelnet.local >> %file%
echo 192.168.1.11 HYPERVCLUSTER >> %file%
echo 192.168.1.11 HYPERVCLUSTER.fugelnet.local >> %file%
- Repeat STEP 4 on BOTH NODES as well as your MANAGEMENT PC. I had an issue later connecting to my cluster until I had every possible permutation, including the cluster name, added to HOSTS.
Install Hyper-V and RSAT Tools:
- Hyper-V Manager: Consult these instructions from Microsoft
- Remote Server Administration Tools – Windows 10: download here
Configure Component Services:
Per this helpful blog post, we should also adjust some access permissions within Component Services to allow our management tools to get connected.
- Run ‘dcomcnfg.exe’
- Browse to Computers, right-click My Computer
- Select COM security, Access Permissions > Edit Limits
- Select Remote Access ALLOW for ANONYMOUS LOGON and ALL APPLICATION PACKAGES
This step isn’t required to create a workgroup cluster, but rather is required to manage it. CredSSP provides an encrypted path for sending remote credentials. This allows the local Hyper-V Management Tools to connect to a remote Hyper-V host without domain authentication. Credit due in full to this blog post for providing another piece to this puzzle.
- From each Hyper-V host, run from the PS prompt:
Enable-WSManCredSSP -Role Server -Force
- Connect to your management PC (this can be either Windows Server or Windows 10) and launch gpedit.msc
- “Computer Configuration > Administrative Templates > System > Credentials Delegation“
- Modify “Allow delegating fresh credentials with NTLM-only server authentication“
- Select Enable, then click SHOW button
- In VALUES, enter all possible permutations of host names, click OK and OK
WSMAN/HYPERV1
WSMAN/HYPERV2
WSMAN/HYPERV1.fugelnet.local
WSMAN/HYPERV2.fugelnet.local
WSMAN/HYPERVCLUSTER
WSMAN/HYPERVCLUSTER.fugelnet.local
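The TrustedHosts value, the HOSTS entries and the delegation list above all repeat the same names, and one mistyped suffix in any of them breaks authentication. As an added example (not part of the original post), this PowerShell builds all three from a single table; the names, IPs and suffix are the article's sample values and the variable names are hypothetical.

```powershell
# Added example, not from the original post. Names, IPs and suffix are the
# article's sample values; replace them with your own.
$Suffix    = 'fugelnet.local'
$Names     = [ordered]@{                 # short name -> IP address
    HYPERV1       = '192.168.1.9'
    HYPERV2       = '192.168.1.10'
    HYPERVCLUSTER = '192.168.1.11'
}
$NodeNames = 'HYPERV1', 'HYPERV2'        # hosts this machine will remote into

# Build every permutation from the one table so the lists cannot drift apart.
$hostsLines = foreach ($n in $Names.Keys) {
    '{0} {1}'     -f $Names[$n], $n
    '{0} {1}.{2}' -f $Names[$n], $n, $Suffix
}
$trustedHosts = ($NodeNames | ForEach-Object { "$_.$Suffix" }) -join ','
$delegation   = foreach ($n in $Names.Keys) { "WSMAN/$n"; "WSMAN/$n.$Suffix" }

# TrustedHosts: explicit FQDNs instead of "*". Run elevated.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $trustedHosts -Force
(Get-Item WSMan:\localhost\Client\TrustedHosts).Value

# HOSTS: append only lines that are not already there, so a re-run adds nothing.
$hostsFile = Join-Path $env:windir 'System32\drivers\etc\hosts'
$existing  = @(Get-Content -Path $hostsFile)
$missing   = @($hostsLines | Where-Object { $existing -notcontains $_ })
if ($missing.Count) { Add-Content -Path $hostsFile -Value $missing }

# Values for the "Allow delegating fresh credentials with NTLM-only server
# authentication" policy list on the management PC.
$delegation
```

Unlike the `echo ... >>` lines, the HOSTS step can be repeated on each node and the management PC without creating duplicate entries.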
When connecting to your individual hosts via the Hyper-V Manager tool, you’ll choose “connect as another user”. Enter the local administrator credentials for that host, then you’ll get a prompt to “enable delegation of user credentials”, which will leverage CredSSP. Choose YES and you should be connected.
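Several settings in this part were loosened to get things talking (firewall off, a possible `*` in TrustedHosts, CredSSP enabled). The following read-only check is an added example, not part of the original post; it assumes the article's sample names, IPs and suffix, and reports anything still left open on the machine where it runs.

```powershell
# Added example, not from the original post: read-only check, changes nothing.
# Suffix, names and IPs are the article's sample values.
$Suffix   = 'fugelnet.local'
$Expected = [ordered]@{
    HYPERV1       = '192.168.1.9'
    HYPERV2       = '192.168.1.10'
    HYPERVCLUSTER = '192.168.1.11'
}
$findings = @()

# 1. Firewall: every profile should be back on once setup is finished.
foreach ($p in Get-NetFirewallProfile) {
    if ("$($p.Enabled)" -ne 'True') {
        $findings += "Firewall profile '$($p.Name)' is disabled"
    }
}

# 2. TrustedHosts: "*" lets this client send credentials to any host name.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if (-not $trusted) {
    $findings += 'TrustedHosts is empty'
} else {
    foreach ($entry in ($trusted -split ',')) {
        $e = $entry.Trim()
        if ($e -eq '*') {
            $findings += 'TrustedHosts is a wildcard (*)'
        } elseif (-not $e.EndsWith(".$Suffix", [StringComparison]::OrdinalIgnoreCase)) {
            $findings += "TrustedHosts entry '$e' does not end in .$Suffix"
        }
    }
}

# 3. Name resolution: short name and FQDN must both map to the expected IP.
foreach ($n in $Expected.Keys) {
    foreach ($name in $n, "$n.$Suffix") {
        try   { $ips = @([System.Net.Dns]::GetHostAddresses($name).IPAddressToString) }
        catch { $ips = @() }
        if ($ips -notcontains $Expected[$n]) {
            $findings += "$name does not resolve to $($Expected[$n])"
        }
    }
}

# 4. CredSSP: print the current client/server delegation state for review.
Get-WSManCredSSP

if ($findings) { $findings } else { 'No findings' }
```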
Now that we have our nodes up and ready to rock, in Part 4, I’ll outline the process for creating the cluster.