How to move a Windows Cluster Server from one domain to another (269196)


The information in this article applies to:

  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows NT Server, Enterprise Edition 4.0
This article was previously published under Q269196

SUMMARY

Windows clustering is designed to provide high availability of server resources. This article describes how to move a cluster from one domain to another.

Note We do not recommend performing this type of move in a production environment.

MORE INFORMATION

To move a cluster server from one domain to another, the best solution is usually to rebuild the cluster in the new domain. However, you can move a cluster server from one domain to another.

You can use the following steps to allow the Cluster service to start and operate in a new domain. Note that these steps are not sufficient to ensure that all resources will be available in the new domain.

NOTE: Microsoft does not provide support to administrators attempting to move resources from one domain to another if the underlying operation is unsupported, such as moving a Microsoft Exchange server from one domain to another. Also, you cannot move Windows NT 4.0-based clusters from one domain to another if any of the nodes in the cluster are domain controllers.

Moving a cluster from one domain to another is more dependent on the resources that the cluster hosts than on the functionality of the Cluster service itself. You can move a Cluster server from one domain to another with a manageable amount of risk; it is the administrator's responsibility to evaluate and manage the risks associated with moving the resources that are hosted by the cluster.

Many resources that can be hosted on a Cluster server have dependencies on domain attributes. For example, any Windows NT-based services that are hosted by the cluster must run in the context of a service user account. If the service user account is a local user account, which is unlikely in a clustered environment, you should be able to move the services to the new domain without any issues. If these services log on with domain accounts, the administrator must determine whether he or she can re-create the user accounts for these services in the new domain, along with the necessary rights and privileges. Administrators usually determine that the risks associated with attempting to do this are unacceptably high, and that the best alternative is to rebuild the cluster in the new domain.

After you assess the ability of each cluster resource to be moved to the new domain, you can decide whether to move the cluster or build a new cluster.

WARNING: Microsoft recommends that you perform a full backup of all data on all shared hard disks on each node in the cluster before you attempt to move the cluster.

The steps in this article allow the Cluster service to start in the new domain. However, you may or may not be able to bring the resources online in the new domain, and the resources that can be brought online may or may not work properly.

To move the cluster:
  1. Create a user account for the Cluster service in the new domain. You must make sure that no Group Policy objects (GPOs) or security template requirements remove any of these rights. The user account must have the following rights:
    • Lock pages in memory.
    • Log on as a service.
    • Act as part of the operating system. (Windows 2000 and Windows Server 2003)
    • Back up files and directories.
    • Increase quotas.
    • Increase scheduling priority.
    • Load and unload device drivers.
    • Restore files and directories.
    • Adjust memory quotas for a process (WIndows Server 2003).

      For additional information about the Cluster service account, click the following article number to view the article in the Microsoft Knowledge Base:

      269229 How to manually re-create the Cluster service account


    In addition, the Cluster service account must have administrative privileges on all nodes in the cluster.
  2. Set the Startup value for the Cluster service to Manual on all nodes in the cluster:
    1. Click Start, point to Settings, click Control Panel, and then double-click Services.
    2. Click Cluster Server, and then click Startup.
    3. Change the Startup Type from Automatic to Manual.
    4. Click OK.
  3. Stop the Cluster service on all cluster nodes:
    1. Click Start, point to Settings, click Control Panel, and then double-click Services.
    2. Click Cluster Server, and then click Stop.
  4. Power down all nodes except one.
  5. Move the node into the new domain by using procedures that are appropriate to your operating system. Complete the process, and then restart the node.
  6. On the node, change the service account used by the Cluster service to log on to the domain to the user account you just created.
  7. Start the Cluster service on that node.
  8. Use Cluster Administrator to verify that there are no issues. Attempt to bring all resources online. Test the functionality of all resources from client computers, and then check the System event log for error messages.NOTE: At this point, you can still cancel the move by moving this node back into the old domain and starting the nodes that have not been moved.
  9. If moving the first node is successful, continue to migrate the other nodes in the cluster to the new domain starting with step 5 for each node.
Warning: If you move a computer with a Virtual Microsoft SQL Server 7.0 instance to another domain, and you do not first uncluster SQL Server 7.0, the SQL cluster resources may fail. Because of the failure of the SQL Server 7.0, you may have to work with Microsoft PSS to manually uncluster SQL Server 7.0. After you have unclustered SQL Server 7.0, you must use the SQL Cluster Failover Wizard to re-establish your clustered SQL Server computers. You may also have to completely remove SQL Server 7.0, and then reinstall it. For additional information about what to do if you must move a clustered SQL Server 2000 instance to a new domain, click the following article number to view the article in the Microsoft Knowledge Base:

319016 How to change domains for a SQL Server 2000 failover cluster

NOTE: If your DNS server is in a secure zone DNS registrations may be affected. In a secure DNS zone, the credentials of the account performing the registration are captured and stored with the records. This protects them from being maliciously replaced with incorrect values. In the case of a cluster virtual server, the original cluster service account would be used for this purpose. You may see DNS registration failures in the System Event logs, commonly error 9005 (refused). If this occurs, delete the records on the DNS server, and bring the Network Name offline, then online again, so the new credentials can be recorded with the registration.
Modification Type:MajorLast Reviewed:8/23/2004
Keywords:kbenv kbhowto KB269196
©2004 Microsoft Corporation. All rights reserved.