Virtual servers

To access a network application or resource in a nonclustered environment, network clients must connect to a physical server (that is, a specific computer on the network identified by a unique network name and Internet protocol (IP) address). If that server fails, access to the application or resource is impossible.

Through server clusters, XOX and XOX enable the creation of virtual servers. Unlike a physical server, a virtual server is not associated with a specific computer and can be failed over like a group. If the node hosting the virtual server fails, clients can still access its resources using the same server name.

A virtual server is a group that contains:

A Network Name resource.
An IP Address resource.
All other resources, including applications, to be accessed by the clients of the virtual server.
Other virtual servers.

For more information on groups, see Groups.

A virtual server acts like a physical server in the following ways:

Allows access to network resources.
Is published to network clients under a unique server name.
Is associated with a network name and an IP address.

Kerberos authentication for virtual servers

Server clusters can maintain an Active Directory computer object for virtual servers in a cluster. This allows clients accessing these virtual servers to use the security features provided by Kerberos as well as NTLM. Applications that can use Active Directory, such as Message Queuing on a virtual server, can now publish information to these computer objects.

Limitations include:

You cannot apply Group Policy to a virtual server or the applications running on the virtual server. That is, when a virtual computer object is part of an Organizational Unit that has an associated Group Policy object, that Group Policy is not applied to the virtual server object.
The Cluster service account is limited to creating a maximum of 10 virtual server computer objects in Active Directory by default. For information on overriding this default, see Granting additional permissions to the Cluster service account below.

By default, Kerberos authentication for virtual servers is not enabled. You can use Cluster Administrator or cluster.exe commands to enable this feature and to configure the Kerberos properties for the network name resource of the virtual server. For more information on configuring these Kerberos properties, see To enable Kerberos authentication for virtual servers and Cluster resource.

The Cluster service account and Active Directory access rights

By default, the Cluster service account is a member of the Authenticated Users group, and as such, will have the user right Add workstations to domain. For this user right, the default quota limitation on the number of computer accounts that can be created is 10. The value of the quota can be changed by the domain administrator.

Note

This quota applies to the Cluster service account and not to the individual server cluster. If the same Cluster service account is used for multiple servers clusters, then the quota applies to the total number of computer accounts in all the clusters.

The default permissions granted to the Cluster service account when the computer object is created as a result of using this Add workstations to domain user right do not allow the Cluster service account to rename or disable the virtual computer object. These operations are attempted when the name of the Network Name resource is changed or if Kerberos authentication is in the process of being disabled.

Granting additional permissions to the Cluster service account

There are a number of techniques that can be used to overcome the limitation on the number of virtual server computer objects that the Cluster service account can create. All of these techniques include granting the Cluster service account one or more permissions on objects in Active Directory. At a minimum, the Cluster service account needs to be able to:

Reset the password on the virtual computer object.
Write the DnsHostName attribute on the object.
Write the ServicePrincipalName attribute on the object.
Create Message Queuing Configuration objects if the network name resource is the dependent resource of an Message Queuing resource.

The ability to write all properties is needed if it is necessary to allow the virtual computer object to be renamed or disabled. The following table identifies the permissions needed by the Cluster service account for a virtual computer object.

Permission	Description	Reference
Add workstations to domain	This is given by default to the Cluster service account (and all domain accounts). With this access right, the Cluster service is allowed to create computer objects in Active Directory.	Add workstations to domain
Write all Properties	Allows changes to the properties of the computer objects. For example, if you need to rename the computer object, you must give the Cluster service this access right.
Create Computer Objects	Overrides the default limit of 10 virtual server computer objects in Active Directory.	Add workstations to domain

You cannot rename the computer object for a virtual server using Active Directory tools. Instead, you must use Cluster Administrator or cluster.exe to rename the Network Name for the virtual server. The Cluster service will then automatically change the name of the computer object.

For more information on the concepts in this topic, see: