What happened to the Cluster Service Account?

Before Windows Server 2008, the cluster required the use of a Cluster Service Account (CSA).  This was a domain user under whose credentials the cluster service, as well as cluster resources, ran.  The CSA presented some problems, the most obvious of which was requiring administrators to rotate this password every so often.

In Windows Server 2008, we removed this requirement.  To replace the CSA, we created the Cluster Name Object (CNO).  This is a Network Name resource that acts as the identity of the cluster.  The CNO in turn owns all of the Virtual Computer Objects (VCOs) in the cluster.  The VCOs are the computer names to which clients connect.  The cluster service and cluster resources now impersonate the CNO or the appropriate VCO.

To give an example, suppose you created a cluster named “SQLCLUSTER01” and this cluster hosts two applications, named “CORPSQL01” and “CORPDOCS.”  Active Directory will contain three computer objects – SQLCLUSTER01, CORPSQL01, and CORPDOCS.  SQLCLUSTER01 will be the owner of CORPSQL01 and CORPDOCS.

Taking this example one step further, suppose that this cluster is configured to have a File Share Witness.  To which identity would you need to grant permissions on the file share used as this witness?
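As an added example (not part of the original post), the PowerShell below checks the ownership model described above against the post's names and then grants the CNO's computer account access to a witness share. The domain name, share name, share path and the rights granted are assumptions; take the exact rights the witness requires from the TechNet guide linked below.

```powershell
# Added example, not from the original post. Assumes: the ActiveDirectory and
# SmbShare PowerShell modules are available, a domain named CONTOSO (placeholder),
# and the names from the post: CNO SQLCLUSTER01, VCOs CORPSQL01 and CORPDOCS.
# Step 1 runs on any domain member that can read AD; step 2 runs on the file
# server hosting the witness share, as an administrator of that server.
Import-Module ActiveDirectory

$Domain = 'CONTOSO'                       # placeholder NetBIOS domain name
$Cno    = 'SQLCLUSTER01'
$Vcos   = 'CORPSQL01', 'CORPDOCS'
$CnoSid = (Get-ADComputer -Identity $Cno).SID

# 1. Verify the ownership model: the post says the CNO owns the VCOs, so the
#    owner in each VCO's AD security descriptor should be the CNO account.
foreach ($vco in $Vcos) {
    $sd    = (Get-ADComputer -Identity $vco -Properties nTSecurityDescriptor).nTSecurityDescriptor
    $owner = $sd.GetOwner([System.Security.Principal.SecurityIdentifier])
    if ($owner -eq $CnoSid) {
        "OK   $vco is owned by $Cno"
    } else {
        $name = $sd.GetOwner([System.Security.Principal.NTAccount])
        "WARN $vco is owned by $name, not $Cno"
    }
}

# 2. Grant the CNO's computer account (computer accounts end in '$') access to
#    the witness share and its folder. Full Control is used here as an
#    assumption; use the rights the TechNet guide specifies.
$ShareName = 'Witness'                    # placeholder share name
$SharePath = 'C:\Shares\Witness'          # placeholder local path of the share
$Account   = "$Domain\$Cno`$"

Grant-SmbShareAccess -Name $ShareName -AccountName $Account -AccessRight Full -Force

$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
            $Account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl
```

A VCO reported as owned by something other than the CNO usually means it was pre-staged by an administrator rather than created by the cluster, which is worth checking before troubleshooting name-resource failures.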

For more information about Active Directory with Failover Clustering, check out our TechNet guide on Configuring Accounts for Active Directory: http://technet.microsoft.com/en-us/library/cc731002.aspx.

Matt Kurjanowicz
Software Development Engineer
Clustering & High Availability