Microsoft Cluster Service logon as local account

Moebius

Jun 30, 2004
Archived from groups: microsoft.public.win2000.advanced_server

We are implementing a two-node Microsoft Cluster for SAP purposes.

This cluster has to be Domain Controller independent, that is:

- Suppose that all the Domain Controllers in our Domain go down (or
Active Directory gets corrupted). This way nobody could log on to the
Domain, but all of them -of course- could log on locally on their
machines.

- Imagine that under some strange circumstances we also need to
reboot all the nodes in the SAP Cluster.

- Obviously if the MSCService account is Domain based (i.e.
Domain/Administrator) the service won't start at all and therefore the
cluster won't work. This way if one cluster node goes down, SAP goes
down.

The premise is: the SAP cluster must work regardless of any other network
system (including the Domain Controller).

So my question is: Is it possible to assign a local machine account
for Microsoft Cluster Service? If so, to which local security
policies do we have to add the local machine account?

Thanks in advance and best regards.

Javier Roldán
Computer Engineer
 
Guest

No, you cannot use local accounts. You must use a domain user account for
the cluster service account.

It is possible to set up the cluster nodes as DCs in their own domainlet so
that as long as the cluster nodes are online, your domainlet would be
active. It's not recommended, but it is possible. Read the following KB
article for more details:

Windows 2000 and Windows Server 2003 cluster nodes as domain controllers
http://support.microsoft.com/default.aspx?scid=kb;en-us;281662

Regards,
John

"Moebius" <moebius4u@yahoo.com> wrote in message
news:94a67abc.0406300857.4f13379f@posting.google.com...
> We are implementing a two-node Microsoft Cluster for SAP purposes.
>
> This cluster has to be Domain Controller independent, that is:
>
> - Suppose that all the Domain Controllers in our Domain go down (or
> Active Directory gets corrupted). This way nobody could log on to the
> Domain, but all of them -of course- could log on locally on their
> machines.
>
> - Imagine that under some strange circumstances we also need to
> reboot all the nodes in the SAP Cluster.
>
> - Obviously if the MSCService account is Domain based (i.e.
> Domain/Administrator) the service won't start at all and therefore the
> cluster won't work. This way if one cluster node goes down, SAP goes
> down.
>
> The premise is: the SAP cluster must work regardless of any other network
> system (including the Domain Controller).
>
> So my question is: Is it possible to assign a local machine account
> for Microsoft Cluster Service? If so, to which local security
> policies do we have to add the local machine account?
>
> Thanks in advance and best regards.
>
> Javier Roldán
> Computer Engineer
 

Moebius

Jun 30, 2004

Thanks a lot John,

I totally agree with you. The best solution for our purposes is to
set up the cluster nodes as Domain Controllers in their own domain.

After reading the KB article you posted, we basically have to take the
following into account (summing up):

- Both cluster nodes must be Domain Controllers (never only one)
- Since W2000 and W2003 depend on DNS, each Domain Controller must be
a DNS server

I have done it and now I'm happy. ;-)

Thanks again and best regards.

Javier Roldan

"John Toner [MVP]" <jtoner@mvps.DIE.SPAM.DIE.org> wrote in message news:<eIVOI36XEHA.1652@TK2MSFTNGP09.phx.gbl>...
> No, you cannot use local accounts. You must use a domain user account for
> the cluster service account.
>
> It is possible to set up the cluster nodes as DCs in their own domainlet so
> that as long as the cluster nodes are online, your domainlet would be
> active. It's not recommended, but it is possible. Read the following KB
> article for more details:
>
> Windows 2000 and Windows Server 2003 cluster nodes as domain controllers
> http://support.microsoft.com/default.aspx?scid=kb;en-us;281662
>
> Regards,
> John
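
A check for the three conditions this thread arrives at (Cluster Service running under a domain account, every node a Domain Controller, every node running DNS), as an added example that is not part of the original posts or the KB article. It assumes Windows PowerShell with WMI access to the nodes; the node names `NODE1` and `NODE2` and the function name `Test-ClusterNode` are hypothetical.

```powershell
# Added example. Node names are placeholders; replace with your own.
$Nodes = 'NODE1', 'NODE2'

function Test-ClusterNode {
    param([string]$ComputerName)

    $cs   = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName
    $clus = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter "Name='ClusSvc'"
    $dns  = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter "Name='DNS'"

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $isDC = $cs.DomainRole -ge 4

    # A domain logon account appears as 'DOMAIN\user' or 'user@domain'.
    # '.\user', 'COMPUTERNAME\user', 'LocalSystem' and 'NT AUTHORITY\...' are local.
    $account = if ($clus) { $clus.StartName } else { $null }
    $isDomainAccount = $false
    if ($account -match '^(?<prefix>[^\\]+)\\') {
        $prefix = $Matches['prefix']
        $isDomainAccount = ($prefix -ne '.') -and
                           ($prefix -ne $cs.Name) -and
                           ($prefix -ne 'NT AUTHORITY')
    } elseif ($account -match '@') {
        $isDomainAccount = $true
    }

    [pscustomobject]@{
        Node               = $ComputerName
        Domain             = $cs.Domain
        IsDomainController = $isDC
        DnsServerRunning   = [bool]($dns -and $dns.State -eq 'Running')
        ClusSvcAccount     = $account
        IsDomainAccount    = $isDomainAccount
    }
}

$results = $Nodes | ForEach-Object { Test-ClusterNode -ComputerName $_ }
$results | Format-Table -AutoSize

# "Both cluster nodes must be Domain Controllers (never only one)".
$dcCount = @($results | Where-Object { $_.IsDomainController }).Count
if ($dcCount -ne 0 -and $dcCount -ne $Nodes.Count) {
    Write-Warning "Only $dcCount of $($Nodes.Count) nodes are Domain Controllers."
}
# Nodes that are DCs but would have no local DNS after a full restart.
$results | Where-Object { $_.IsDomainController -and -not $_.DnsServerRunning } |
    ForEach-Object { Write-Warning "$($_.Node) is a DC but its DNS Server service is not running." }
```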