How to Switch a Failover Cluster to a New Domain

This blog discusses a new feature in the upcoming release of Windows Server 2019.  Currently, Windows Insiders receive current builds of Server 2019.  We urge you to become an Insider and play a part in making Windows Server 2019 the best that it can be.  To do so, go to this link and sign up.

In this blog I will describe one of the new capabilities in Windows Server 2019 that enables changing a deployed Failover Cluster from one domain to another.

For the last two decades, changing the domain membership of a Failover Cluster has always required that the cluster be destroyed and re-created. This is a time-consuming process, and we have worked to improve this.

This enables scenarios such as building a Failover Cluster in one location and then shipping it to its final location, or moving clusters into a new domain structure after companies have merged.

Moving a Cluster from one domain to another is a straightforward process. To accomplish this, we introduced two new PowerShell cmdlets.

  • New-ClusterNameAccount – creates a Cluster Name Account in Active Directory
  • Remove-ClusterNameAccount – removes the Cluster Name Accounts from Active Directory

In the following example, this is my setup and goal:

  • 2-node Windows Server, version 1709 Failover Cluster
  • In the Cluster, the Cluster Name is CLUSCLUS and I have a File Server called FS-CLUSCLUS
  • Both nodes are members of the same domain
  • Both nodes and Cluster need to move to a new domain

The process to accomplish this is to change the cluster from one domain to a workgroup and back to the new domain. For example:

Steps to Change Domain Membership

Create a local Administrator account with the same name and password on all nodes.

Log on to the first node with a domain user or administrator account that has Active Directory permissions to the Cluster Name Object (CNO) and Virtual Computer Objects (VCO) and has access to the Cluster, then open PowerShell.

Ensure all cluster Network Name resources are in an Offline state and run the below command to change the type of the Cluster to a workgroup.

Remove-ClusterNameAccount -Cluster CLUSCLUS -DeleteComputerObjects

Use Active Directory Users and Computers to ensure the CNO and VCO computer objects associated with all cluster names have been removed.

If so, it is a good idea to go ahead and stop the Cluster Service on both nodes and set the service to MANUAL so that it does not start during this process.

Stop-Service -Name ClusSvc

Set-Service -Name ClusSvc -StartupType Manual

Change the nodes' domain membership to a workgroup, reboot, then join the new domain, and reboot again.

Once the nodes are in the new domain, log on to a node with a domain user or administrator account that has Active Directory permissions to create objects and has access to the Cluster, and open PowerShell. Start the Cluster Service and set it back to Automatic.

Start-Service -Name ClusSvc

Set-Service -Name ClusSvc -StartupType Automatic

Bring the Cluster Name and all other cluster Network Name resources to an Online state.

Start-ClusterResource -Name "Cluster Name"

Start-ClusterResource -Name FS-CLUSCLUS

We now need to change the Cluster to be a part of the new domain with associated Active Directory objects. To do this, use the command below. The network name resources must be in an Online state.

New-ClusterNameAccount -Name CLUSTERNAME -Domain <new domain name> -UpgradeVCOs

Please note that if you do not have any additional groups with names (for example, a Hyper-V Cluster with only virtual machines), the -UpgradeVCOs parameter switch is not needed.

Use Active Directory Users and Computers to check the new domain and ensure the associated computer objects were created. If they have, then bring the remaining resources in the groups online.

Start-ClusterGroup -Name "Cluster Group"

Start-ClusterGroup -Name FS-CLUSCLUS
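
A pre-flight check for the preconditions of the first steps (matching local Administrator account on every node, all Network Name resources Offline), to run before Remove-ClusterNameAccount. This is an added example, not part of the original post; the account name ClusterLocalAdmin is a hypothetical placeholder, and PowerShell remoting to the nodes is assumed to be enabled.

```powershell
# Added example (not from the original post). Run on one node, while still
# joined to the old domain, before Remove-ClusterNameAccount.
param(
    [string]$Cluster    = 'CLUSCLUS',            # cluster name used in the post
    [string]$LocalAdmin = 'ClusterLocalAdmin'    # hypothetical local account name
)
Import-Module FailoverClusters
$problems = @()

# 1. Every Network Name resource must be Offline before the conversion.
$netNames = Get-ClusterResource -Cluster $Cluster |
    Where-Object { $_.ResourceType.Name -eq 'Network Name' }
foreach ($r in $netNames) {
    if ($r.State -ne 'Offline') {
        $problems += "Network Name '$($r.Name)' (group '$($r.OwnerGroup)') is $($r.State)"
    }
}

# 2. The local account must exist, be enabled, and be in Administrators on every
#    node; without it nobody can log on once the nodes leave the domain.
#    Passwords cannot be compared from here and must be verified separately.
$nodes = (Get-ClusterNode -Cluster $Cluster).Name
foreach ($node in $nodes) {
    $r = Invoke-Command -ComputerName $node -ArgumentList $LocalAdmin -ScriptBlock {
        param($name)
        $user = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        # S-1-5-32-544 is the well-known SID of the built-in Administrators group
        $member = Get-LocalGroupMember -SID 'S-1-5-32-544' -Member $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Exists  = [bool]$user
            Enabled = [bool]$user.Enabled
            IsAdmin = [bool]$member
        }
    }
    if (-not $r.Exists)      { $problems += "${node}: local account '$LocalAdmin' is missing" }
    elseif (-not $r.Enabled) { $problems += "${node}: local account '$LocalAdmin' is disabled" }
    elseif (-not $r.IsAdmin) { $problems += "${node}: '$LocalAdmin' is not in local Administrators" }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Pre-flight failed: do not run Remove-ClusterNameAccount yet.'
}
Write-Output "Pre-flight passed for $Cluster on nodes: $($nodes -join ', ')"
```
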

John Marlin
Senior Program Manager
High Availability and Storage
Microsoft Corporation