Failover-Clustering Windows Server
Failover-Clustering Windows Server
Failover Clustering
What's New in Failover Clustering
Health Service
Fault domain awareness
VM Load Balancing
VM Load Balancing Deep-Dive
Deploy a Cloud Witness for a Failover Cluster
Cluster Operating System Rolling Upgrade
Simplified SMB Multichannel and Multi-NIC Cluster Networks
Cluster-Aware Updating
Requirements and best practices
Advanced options
FAQ
Plug-ins
Change history for Failover Clustering topics
Failover Clustering in Windows Server 2016
4/24/2017 • 2 min to read • Edit Online
Failover clustering - a Windows Server feature that enables you to group multiple servers
together into a fault-tolerant cluster - provides new and improved features for software-
defined datacenter customers and many other workloads running clusters on physical
hardware or in virtual machines.
A failover cluster is a group of independent computers that work together to increase the
availability and scalability of clustered roles (formerly called clustered applications and services). The clustered
servers (called nodes) are connected by physical cables and by software. If one or more of the cluster nodes fail,
other nodes begin to provide service (a process known as failover). In addition, the clustered roles are proactively
monitored to verify that they are working properly. If they are not working, they are restarted or moved to another
node.
Failover clusters also provide Cluster Shared Volume (CSV) functionality that provides a consistent, distributed
namespace that clustered roles can use to access shared storage from all nodes. With the Failover Clustering
feature, users experience a minimum of disruptions in service.
Failover Clustering has many practical applications, including:
Highly available or continuously available file share storage for applications such as Microsoft SQL Server and
Hyper-V virtual machines
Highly available clustered roles that run on physical servers or on virtual machines that are installed on servers
running Hyper-V
What's new
Here are some of the new features in Windows Server 2016 - for more details, see What's new in Failover
Clustering:
Cluster operating system rolling upgrades
Enables an administrator to upgrade the operating system of the cluster nodes from without stopping the Hyper-V
or the Scale-Out File Server workloads.
Cloud Witness for a Failover Cluster
A new type of quorum witness that leverages Microsoft Azure to help determine which cluster node should be
considered authoritative if a node goes offline.
Health Service
Improves the day-to-day monitoring, operations, and maintenance experience of Storage Spaces Direct clusters.
Fault Domains
Enables you to define what fault domain to use with a Storage Spaces Direct cluster. A fault domain is a set of
hardware that share a single point of failure, such as a server node, server chassis, or rack.
VM load balancing
Helps load be evenly distributed across nodes in a Failover Cluster by identifying busy nodes and live-migrating
VMs on these nodes to less busy nodes.
Simplified SMB Multichannel and multi-NIC cluster networks
Enables easier configuration of multiple network adapters in a cluster.
Planning
Failover Clustering Hardware Requirements and Storage Options
Validate Hardware for Failover Clustering
Network Recommendations for a Hyper-V Cluster
Deployment
Installing the Failover Clustering Feature and Tools
Validate Hardware for a Failover Cluster
Prestage Cluster Computer Objects in Active Directory Domain Services
Creating a Failover Cluster
Deploy Hyper-V over SMB
Deploy a Scale-Out File Server
iSCSI Target Block Storage, How To
Deploy an Active Directory Detached Cluster
Using Guest Clustering for High Availability
Deploy a Guest Cluster using a Shared Virtual Hard Disk
Building Your Cloud Infrastructure: Scenario Overview
Operations
Configure and Manage the Quorum in a Failover Cluster
Use Cluster Shared Volumes in a Failover Cluster
Cluster-Aware Updating Overview
Community resources
High Availability (Clustering) Forum
Failover Clustering and Network Load Balancing Team Blog
What's new in Failover Clustering in Windows Server
2016
4/24/2017 • 8 min to read • Edit Online
This topic explains the new and changed functionality in Failover Clustering in Windows Server 2016.
WARNING
After you update the cluster functional level, you cannot go back to a Windows Server 2012 R2 cluster functional level.
Until the Update-ClusterFunctionalLevel cmdlet is run, the process is reversible, and Windows Server 2012 R2 nodes
can be added and Windows Server 2016 nodes can be removed.
Storage Replica
Storage Replica is a new feature that enables storage-agnostic, block-level, synchronous replication between
servers or clusters for disaster recovery, as well as stretching of a failover cluster between sites. Synchronous
replication enables mirroring of data in physical sites with crash-consistent volumes to ensure zero data loss at the
file-system level. Asynchronous replication allows site extension beyond metropolitan ranges with the possibility of
data loss.
What value does this change add?
Storage Replica enables you to do the following:
Provide a single vendor disaster recovery solution for planned and unplanned outages of mission critical
workloads.
Use SMB3 transport with proven reliability, scalability, and performance.
Stretch Windows failover clusters to metropolitan distances.
Use Microsoft software end to end for storage and clustering, such as Hyper-V, Storage Replica, Storage
Spaces, Cluster, Scale-Out File Server, SMB3, Data Deduplication, and ReFS/NTFS.
Help reduce cost and complexity as follows:
Is hardware agnostic, with no requirement for a specific storage configuration like DAS or SAN.
Allows commodity storage and networking technologies.
Features ease of graphical management for individual nodes and clusters through Failover Cluster
Manager.
Includes comprehensive, large-scale scripting options through Windows PowerShell.
Help reduce downtime, and increase reliability and productivity intrinsic to Windows.
Provide supportability, performance metrics, and diagnostic capabilities.
For more information, see the Storage Replica in Windows Server 2016.
Cloud Witness
Cloud Witness is a new type of Failover Cluster quorum witness in Windows Server 2016 that leverages Microsoft
Azure as the arbitration point. The Cloud Witness, like any other quorum witness, gets a vote and can participate in
the quorum calculations. You can configure cloud witness as a quorum witness using the Configure a Cluster
Quorum Wizard.
What value does this change add?
Using Cloud Witness as a Failover Cluster quorum witness provides the following advantages:
Leverages Microsoft Azure and eliminates the need for a third separate datacenter.
Uses the standard publicly available Microsoft Azure Blob Storage which eliminates the extra maintenance
overhead of VMs hosted in a public cloud.
Same Microsoft Azure Storage Account can be used for multiple clusters (one blob file per cluster; cluster
unique id used as blob file name).
Provides a very low on-going cost to the Storage Account (very small data written per blob file, blob file
updated only once when cluster nodes' state changes).
For more information, see Deploy a Cloud Witness For a Failover Cluster.
What works differently?
This capability is new in Windows Server 2016.
See Also
Storage
What's New in Storage in Windows Server 2016
Health Service in Windows Server 2016
4/24/2017 • 10 min to read • Edit Online
The Health Service is a new feature in Windows Server 2016 that improves the day-to-day monitoring and
operational experience for clusters running Storage Spaces Direct.
Prerequisites
The Health Service is enabled by default with Storage Spaces Direct. No additional action is required to set it up or
start it. To learn more about Storage Spaces Direct, see Storage Spaces Direct in Windows Server 2016.
Metrics
The Health Service reduces the work required to get live performance and capacity information from your Storage
Spaces Direct cluster. One new cmdlet provides a curated list of essential metrics, which are collected efficiently and
aggregated dynamically across nodes, with built-in logic to detect cluster membership. All values are real-time and
point-in-time only.
Coverage
In Windows Server 2016, the Health Service provides the following metrics:
IOPS (Read, Write, Total)
IO Throughput (Read, Write, Total)
IO Latency (Read, Write)
Physical Capacity (Total, Remaining)
Pool Capacity (Total, Remaining)
Volume Capacity (Total, Remaining)
CPU Utilization %, All Machines Average
Memory, All Machines (Total, Available)
Usage
Use the following PowerShell cmdlet to get metrics for the entire Storage Spaces Direct cluster:
The optional Count parameter indicates how many sets of values to return, at one second intervals.
You can also get metrics for one specific volume or node using the following cmdlets:
Faults
The Health Service constantly monitors your Storage Spaces Direct cluster to detect problems and generate
"Faults". One new cmdlet displays any current Faults, allowing you to easily verify the health of your deployment
without looking at every entity or feature in turn. Faults are designed to be precise, easy to understand, and
actionable.
Each Fault contains five important fields:
Severity
Description of the problem
Recommended next step(s) to address the problem
Identifying information for the faulting entity
Its physical location (if applicable)
For example, here is a typical fault:
Severity: MINOR
Reason: Connectivity has been lost to the physical disk.
Recommendation: Check that the physical disk is working and properly connected.
Part: Manufacturer Contoso, Model XYZ9000, Serial 123456789
Location: Seattle DC, Rack B07, Node 4, Slot 11
NOTE
The physical location is derived from your fault domain configuration. For more information about fault domains, see Fault
Domains in Windows Server 2016. If you do not provide this information, the location field will be less helpful - for example, it
may only show the slot number.
Coverage
In Windows Server 2016, the Health Service provides the following Fault coverage:
Essential cluster hardware:
Node down, quarantined, or isolated
Node network adapter failure, disabled, or disconnected
Node missing one or more cluster networks
Node temperature sensor
Essential storage hardware:
Physical disk media failure, lost connectivity, or unresponsive
Storage enclosure lost connectivity
Storage enclosure fan failure or power supply failure
Storage enclosure current, voltage, or temperature sensors triggered
The Storage Spaces software stack:
Storage pool unrecognized metadata
Data not fully resilient, or detached
Volume low capacity1
Storage Quality of Service (Storage QoS)
Storage QoS malformed policy
Storage QoS policy breach2
Storage Replica
Replication failed to sync, write, start, or stop
Target or source replication group failure or lost communication
Unable to meet configured recovery point objective
Log or metadata corruption
Health Service
Any issues with automation, described in later sections
Quarantined physical disk device
1 Indicates the volume has reached 80% full (minor severity) or 90% full (major severity).
2 Indicates some .vhd(s) on the volume have not met their Minimum IOPS for over 10% (minor), 30% (major), or
50% (critical) of rolling 24-hour window.
NOTE
The health of storage enclosure components such as fans, power supplies, and sensors is derived from SCSI Enclosure
Services (SES). If your vendor does not provide this information, the Health Service cannot display it.
Usage
To see any current Faults, run the following cmdlet in PowerShell:
Get-StorageSubSystem Cluster* | Debug-StorageSubSystem
This returns any Faults which affect the overall Storage Spaces Direct cluster. Most often, these Faults relate to
hardware or configuration. If there are no Faults, this cmdlet will return nothing.
NOTE
In a non-production environment, and at your own risk, you can experiment with this feature by triggering Faults yourself -
for example, by removing one physical disk or shutting down one node. Once the Fault has appeared, re-insert the physical
disk or restart the node and the Fault will disappear again.
You can also view Faults that are affecting only specific volumes or file shares with the following cmdlets:
This returns any faults that affect only the specific volume or file share. Most often, these Faults relate to data
resiliency or features like Storage QoS or Storage Replica.
NOTE
In Windows Server 2016, it may take up to 30 minutes for certain Faults to appear. Improvements are forthcoming in
subsequent releases.
Actions
The next section describes workflows which are automated by the Health Service. To verify that an action is indeed
being taken autonomously, or to track its progress or outcome, the Health Service generates "Actions". Unlike logs,
Actions disappear shortly after they have completed, and are intended primarily to provide insight into ongoing
activity which may impact performance or capacity (e.g. restoring resiliency or rebalancing data).
Usage
One new PowerShell cmdlet displays all Actions:
Get-StorageHealthAction
Coverage
In Windows Server 2016, the Get-StorageHealthAction cmdlet can return any of the following information:
Retiring failed, lost connectivity, or unresponsive physical disk
Switching storage pool to use replacement physical disk
Restoring full resiliency to data
Rebalancing storage pool
Automation
This section describes workflows which are automated by the Health Service in the disk lifecycle.
Disk Lifecycle
The Health Service automates most stages of the physical disk lifecycle. Let's say that the initial state of your
deployment is in perfect health - which is to say, all physical disks are working properly.
Retirement
Physical disks are automatically retired when they can no longer be used, and a corresponding Fault is raised. There
are several cases:
Media Failure: the physical disk is definitively failed or broken, and must be replaced.
Lost Communication: the physical disk has lost connectivity for over 15 consecutive minutes.
Unresponsive: the physical disk has exhibited latency of over 5.0 seconds three or more times within an
hour.
NOTE
If connectivity is lost to many physical disks at once, or to an entire node or storage enclosure, the Health Service will not
retire these disks since they are unlikely to be the root problem.
If the retired disk was serving as the cache for many other physical disks, these will automatically be reassigned to
another cache disk if one is available. No special user action is required.
Restoring resiliency
Once a physical disk has been retired, the Health Service immediately begins copying its data onto the remaining
physical disks, to restore full resiliency. Once this has completed, the data is completely safe and fault tolerant
anew.
NOTE
This immediate restoration requires sufficient available capacity among the remaining physical disks.
NOTE
In some cases, the disk may have failed in a way that precludes even its indicator light from functioning - for example, a total
loss of power.
Physical replacement
You should replace the retired physical disk when possible. Most often, this consists of a hot-swap - i.e. powering
off the node or storage enclosure is not required. See the Fault for helpful location and part information.
Verification
When the replacement disk is inserted, it will be verified against the Supported Components Document (see the
next section).
Pooling
If allowed, the replacement disk is automatically substituted into its predecessor's pool to enter use. At this point,
the system is returned to its initial state of perfect health, and then the Fault disappears.
IMPORTANT
The Supported Components Document does not apply retroactively to drives already pooled and in use.
Example
<Components>
<Disks>
<Disk>
<Manufacturer>Contoso</Manufacturer>
<Model>XYZ9000</Model>
<AllowedFirmware>
<Version>2.0</Version>
<Version>2.1</Version>
<Version>2.2</Version>
</AllowedFirmware>
<TargetFirmware>
<Version>2.1</Version>
<BinaryPath>\\path\to\image.bin</BinaryPath>
</TargetFirmware>
</Disk>
</Disks>
<Cache>
<Disk>
<Manufacturer>Fabrikam</Manufacturer>
<Model>QRSTUV</Model>
</Disk>
</Cache>
</Components>
To list multiple drives, simply add additional <Disk> tags within either section.
To inject this XML when deploying Storage Spaces Direct, use the -XML flag:
To set or modify the Supported Components Document once Storage Spaces Direct has been deployed (i.e. once
the Health Service is already running), use the following PowerShell cmdlet:
NOTE
The model, manufacturer, and the firmware version properties should exactly match the values that you get using the Get-
PhysicalDisk cmdlet. This may differ from your "common sense" expectation, depending on your vendor's implementation.
For example, rather than "Contoso", the manufacturer may be "CONTOSO-LTD", or it may be blank while the model is
"Contoso-XZY9000".
Settings
Many of the parameters which govern the behavior of the Health Service are exposed as settings. You can modify
these to tune the aggressiveness of faults or actions, turn certain behaviors on/off, and more.
Use the following PowerShell cmdlet to set or modify settings.
Usage
Example
Common settings
Some commonly modified settings are listed below, along with their default values.
Volume Capacity Threshold
"System.Storage.Volume.CapacityThreshold.Enabled" = True
"System.Storage.Volume.CapacityThreshold.Warning" = 80
"System.Storage.Volume.CapacityThreshold.Critical" = 90
"System.Storage.StoragePool.CheckPoolReserveCapacity.Enabled" = True
"System.Storage.PhysicalDisk.AutoPool.Enabled" = True
"System.Storage.PhysicalDisk.AutoRetire.OnLostCommunication.Enabled" = True
"System.Storage.PhysicalDisk.AutoRetire.OnUnresponsive.Enabled" = True
"System.Storage.PhysicalDisk.AutoRetire.DelayMs" = 900000 (i.e. 15 minutes)
"System.Storage.PhysicalDisk.Unresponsive.Reset.CountResetIntervalSeconds" = 360 (i.e. 60 minutes)
"System.Storage.PhysicalDisk.Unresponsive.Reset.CountAllowed" = 3
"System.Storage.PhysicalDisk.AutoFirmwareUpdate.SingleDrive.Enabled" = True
"System.Storage.PhysicalDisk.AutoFirmwareUpdate.RollOut.Enabled" = True
"System.Storage.PhysicalDisk.AutoFirmwareUpdate.RollOut.LongDelaySeconds" = 604800 (i.e. 7 days)
"System.Storage.PhysicalDisk.AutoFirmwareUpdate.RollOut.ShortDelaySeconds" = 86400 (i.e. 1 day)
"System.Storage.PhysicalDisk.AutoFirmwareUpdate.RollOut.LongDelayCount" = 1
"System.Storage.PhysicalDisk.AutoFirmwareUpdate.RollOut.FailureTolerance" = 3
Platform / Quiescence
Metrics
"System.Reports.ReportingPeriodSeconds" = 1
Debugging
"System.LogLevel" = 4
See also
Storage Spaces Direct in Windows Server 2016
Developer documentation, sample code, and API reference on MSDN
Fault domain awareness in Windows Server 2016
4/24/2017 • 7 min to read • Edit Online
Failover Clustering enables multiple servers to work together to provide high availability – or put another way, to
provide node fault tolerance. But today's businesses demand ever-greater availability from their infrastructure. To
achieve cloud-like uptime, even highly unlikely occurrences such as chassis failures, rack outages, or natural
disasters must be protected against. That's why Failover Clustering in Windows Server 2016 introduces chassis,
rack, and site fault tolerance as well.
Fault domains and fault tolerance are closely related concepts. A fault domain is a set of hardware components that
share a single point of failure. To be fault tolerant to a certain level, you need multiple fault domains at that level.
For example, to be rack fault tolerant, your servers and your data must be distributed across multiple racks.
This short video presents an overview of fault domains in Windows Server 2016:
Benefits
Storage Spaces, including Storage Spaces Direct, uses fault domains to maximize data safety.
Resiliency in Storage Spaces is conceptually like distributed, software-defined RAID. Multiple copies of all
data are kept in sync, and if hardware fails and one copy is lost, others are recopied to restore resiliency. To
achieve the best possible resiliency, copies should be kept in separate fault domains.
The Health Service uses fault domains to provide more helpful alerts.
Each fault domain can be associated with location metadata, which will automatically be included in any
subsequent alerts. These descriptors can assist operations or maintenance personnel and reduce errors by
disambiguating hardware.
Stretch clustering uses fault domains for storage affinity. Stretch clustering allows faraway servers to
join a common cluster. For the best performance, applications or virtual machines should be run on servers
that are nearby to those providing their storage. Fault domain awareness enables this storage affinity.
Levels of fault domains
There are four canonical levels of fault domains - site, rack, chassis, and node. Nodes are discovered automatically;
each additional level is optional. For example, if your deployment does not use blade servers, the chassis level may
not make sense for you.
Usage
You can use PowerShell or XML markup to specify fault domains. Both approaches are equivalent and provide full
functionality.
IMPORTANT
Specify fault domains before enabling Storage Spaces Direct, if possible. This enables the automatic configuration to prepare
the pool, tiers, and settings like resiliency and column count, for chassis or rack fault tolerance. Once the pool and volumes
have been created, data will not retroactively move in response to changes to the fault domain topology. To move nodes
between chassis or racks after enabling Storage Spaces Direct, you should first evict the node and its drives from the pool
using Remove-ClusterNode -CleanUpDisks .
Use Get-ClusterFaultDomain to see the current fault domain topology. This will list all nodes in the cluster, plus any
chassis, racks, or sites you have created. You can filter using parameters like -Type or -Name, but these are not
required.
Get-ClusterFaultDomain
Get-ClusterFaultDomain -Type Rack
Get-ClusterFaultDomain -Name "server01.contoso.com"
Use New-ClusterFaultDomain to create new chassis, racks, or sites. The -Type and -Name parameters are required.
The possible values for -Type are Chassis , Rack , and Site . The -Name can be any string. (For Node type fault
domains, the name must be the actual node name, as set automatically).
IMPORTANT
Windows Server cannot and does not verify that any fault domains you create correspond to anything in the real, physical
world. (This may sound obvious, but it's important to understand.) If, in the physical world, your nodes are all in one rack,
then creating two -Type Rack fault domains in software does not magically provide rack fault tolerance. You are
responsible for ensuring the topology you create using these cmdlets matches the actual arrangement of your hardware.
Use Set-ClusterFaultDomain to move one fault domain into another. The terms "parent" and "child" are commonly
used to describe this nesting relationship. The -Name and -Parent parameters are required. In -Name , provide the
name of the fault domain that is moving; in -Parent , provide the name of the destination. To move multiple fault
domains at once, list their names.
Set-ClusterFaultDomain -Name "server01.contoso.com" -Parent "Rack A"
Set-ClusterFaultDomain -Name "Rack A", "Rack B", "Rack C", "Rack D" -Parent "Shanghai"
IMPORTANT
When fault domains move, their children move with them. In the above example, if Rack A is the parent of
server01.contoso.com, the latter does not separately need to be moved to the Shanghai site – it is already there by virtue of
its parent being there, just like in the physical world.
You can see parent-child relationships in the output of Get-ClusterFaultDomain , in the ParentName and
ChildrenNames columns.
You can also use Set-ClusterFaultDomain to modify certain other properties of fault domains. For example, you can
provide optional -Location or -Description metadata for any fault domain. If provided, this information will be
included in hardware alerting from the Health Service. You can also rename fault domains using the -NewName
parameter. Do not rename Node type fault domains.
Use Remove-ClusterFaultDomain to remove chassis, racks, or sites you have created. The -Name parameter is
required. You cannot remove a fault domain that contains children – first, either remove the children, or move
them outside using Set-ClusterFaultDomain . To move a fault domain outside of all other fault domains, set its
-Parent to the empty string (""). You cannot remove Node type fault domains. To remove multiple fault domains
at once, list their names.
Open the file, and add <Site> , <Rack> , and <Chassis> tags to specify how these nodes are distributed across
sites, racks, and chassis. Every tag must be identified by a unique Name. For nodes, you must keep the node's
name as populated by default.
IMPORTANT
While all additional tags are optional, they must adhere to the transitive Site > Rack > Chassis > Node hierarchy, and must
be properly closed.
In addition to name, freeform Location="..." and Description="..." descriptors can be added to any tag.
<Topology>
<Site Name="SEA" Location="Contoso HQ, 123 Example St, Room 4010, Seattle">
<Rack Name="A01" Location="Aisle A, Rack 01">
<Node Name="Server01" Location="Rack Unit 33" />
<Node Name="Server02" Location="Rack Unit 35" />
<Node Name="Server03" Location="Rack Unit 37" />
</Rack>
</Site>
<Site Name="NYC" Location="Regional Datacenter, 456 Example Ave, New York City">
<Rack Name="B07" Location="Aisle B, Rack 07">
<Node Name="Server04" Location="Rack Unit 20" />
<Node Name="Server05" Location="Rack Unit 22" />
<Node Name="Server06" Location="Rack Unit 24" />
</Rack>
</Site>
</Topology>
Example: two chassis, blade servers
<Topology>
<Rack Name="A01" Location="Contoso HQ, Room 4010, Aisle A, Rack 01">
<Chassis Name="Chassis01" Location="Rack Unit 2 (Upper)" >
<Node Name="Server01" Location="Left" />
<Node Name="Server02" Location="Right" />
</Chassis>
<Chassis Name="Chassis02" Location="Rack Unit 6 (Lower)" >
<Node Name="Server03" Location="Left" />
<Node Name="Server04" Location="Right" />
</Chassis>
</Rack>
</Topology>
To set the new fault domain specification, save your XML and run the following in PowerShell.
This guide presents just two examples, but the <Site> , <Rack> , <Chassis> , and <Node> tags can be mixed and
matched in many additional ways to reflect the physical topology of your deployment, whatever that may be. We
hope these examples illustrate the flexibility of these tags and the value of freeform location descriptors to
disambiguate them.
Optional: Location and description metadata
You can provide optional Location or Description metadata for any fault domain. If provided, this information
will be included in hardware alerting from the Health Service. This short video demonstrates the value of adding
such descriptors.
See Also
Windows Server 2016
Storage Spaces Direct in Windows Server 2016
Virtual Machine Load Balancing overview
4/24/2017 • 1 min to read • Edit Online
A key consideration for private cloud deployments is the capital expenditure (CapEx) required to go into
production. It is very common to add redundancy to private cloud deployments to avoid under-capacity during
peak traffic in production, but this increases CapEx. The need for redundancy is driven by unbalanced private
clouds where some nodes are hosting more Virtual Machines (VMs) and others are underutilized (such as a freshly
rebooted server).
When you add new capacity to your Failover Cluster, the VM Load Balancing feature automatically balances
capacity from the existing nodes, to the newly added node in the following order:
1. The pressure is evaluated on the existing nodes in the Failover Cluster.
2. All nodes exceeding threshold are identified.
3. The nodes with the highest pressure are identified to determine priority of balancing.
4. VMs are Live Migrated (with no down time) from a node exceeding threshold to a newly added node in the
Failover Cluster.
Recurring load balancing
When configured for periodic balancing, the pressure on the cluster nodes is evaluated for balancing every 30
minutes. Alternately, the pressure can be evaluated on-demand. Here is the flow of the steps:
1. The pressure is evaluated on all nodes in the private cloud.
2. All nodes exceeding threshold and those below threshold are identified.
3. The nodes with the highest pressure are identified to determine priority of balancing.
4. VMs are Live Migrated (with no down time) from a node exceeding the threshold to node under minimum
threshold.
See Also
Virtual Machine Load Balancing Deep-Dive
Failover Clustering
Hyper-V Overview
Virtual Machine Load Balancing deep-dive
4/24/2017 • 1 min to read • Edit Online
Windows Server 2016 introduces the Virtual Machine Load Balancing feature to optimize the utilization of nodes in
a Failover Cluster. This document describes how to configure and control VM Load Balancing.
(Get-Cluster).AutoBalancerLevel = <value>
Using PowerShell:
Run the following:
(Get-Cluster).AutoBalancerMode = <value>
AUTOBALANCERMODE BEHAVIOR
0 Disabled
AUTOBALANCERMODE BEHAVIOR
See Also
Virtual Machine Load Balancing Overview
Failover Clustering
Hyper-V Overview
Deploy a Cloud Witness for a Failover Cluster
4/24/2017 • 8 min to read • Edit Online
Cloud Witness is a new type of Failover Cluster quorum witness being introduced in Windows Server 2016. This
topic provides an overview of the Cloud Witness feature, the scenarios that it supports, and instructions about how
to configure a cloud witness for a Failover Cluster that is running Windows Server 2016.
Cloud Witness always uses Blob as the storage type. Azure uses .core.windows.net as the Endpoint. When
configuring Cloud Witness, it is possible that you configure it with a different endpoint as per your scenario (for
example the Microsoft Azure datacenter in China has a different endpoint).
NOTE
The endpoint URL is generated automatically by Cloud Witness resource and there is no extra step of configuration
necessary for the URL.
See Also
What's New in Failover Clustering in Windows Server
Cluster operating system rolling upgrade
4/24/2017 • 15 min to read • Edit Online
Cluster OS Rolling Upgrade is a new feature in Windows Server 2016 that enables an administrator to upgrade the
operating system of the cluster nodes from Windows Server 2012 R2 to Windows Server 2016 without stopping
the Hyper-V or the Scale-Out File Server workloads. Using this feature, the downtime penalties against Service
Level Agreements (SLA) can be avoided.
Cluster OS Rolling Upgrade provides the following benefits:
Failover clusters running Hyper-V virtual machine and Scale-out File Server (SOFS) workloads can be upgraded
from Windows Server 2012 R2 (running on all nodes in the cluster) to Windows Server 2016 (running on all
cluster nodes of the cluster) without downtime. Other cluster workloads, such as SQL Server, will be unavailable
during the time (typically less than five minutes) it takes to failover to Windows Server 2016.
It does not require any additional hardware. Although, you can add additional cluster nodes temporarily to
small clusters to improve availability of the cluster during the Cluster OS Rolling Upgrade process.
The cluster does not need to be stopped or restarted.
A new cluster is not required. The existing cluster is upgraded. In addition, existing cluster objects stored in
Active Directory are used.
The upgrade process is reversible until the customer choses the "point-of-no-return", when all cluster nodes are
running Windows Server 2016, and when the Update-ClusterFunctionalLevel PowerShell cmdlet is run.
The cluster can support patching and maintenance operations while running in the mixed-OS mode.
It supports automation via PowerShell and WMI.
The cluster public property ClusterFunctionalLevel property indicates the state of the cluster on Windows
Server 2016 cluster nodes. This property can be queried using the PowerShell cmdlet from a Windows
Server 2016 cluster node that belongs to a failover cluster:
A value of 8 indicates that the cluster is running at the Windows Server 2012 R2 functional level. A value of
9 indicates that the cluster is running at the Windows Server 2016 functional level.
This guide describes the various stages of the Cluster OS Rolling Upgrade process, installation steps, feature
limitations, and frequently asked questions (FAQs), and is applicable to the following Cluster OS Rolling Upgrade
scenarios in Windows Server 2016:
Hyper-V clusters
Scale-Out File Server clusters
The following scenario is not supported in Windows Server 2016:
Cluster OS Rolling Upgrade of guest clusters using virtual hard disk (.vhdx file) as shared storage
Cluster OS Rolling Upgrade is fully supported by System Center Virtual Machine Manager (SCVMM) 2016. If you
are using SCVMM 2016, see Upgrading Windows Server 2012 R2 clusters to Windows Server 2016 in VMM for
guidance on upgrading the clusters and automating the steps that are described in this document.
Requirements
Complete the following requirements before you begin the Cluster OS Rolling Upgrade process:
Start with a Windows Server 2012 R2 Failover Cluster
If the cluster workload is Hyper-V VMs, or Scale-Out File Server, you can expect zero-downtime upgrade.
Verify that the Hyper-V nodes have CPUs that support Second-Level Addressing Table (SLAT) using one
of the following methods;
Review the Are you SLAT Compatible? WP8 SDK Tip 01 article that describes two methods to
check if a CPU supports SLATs
Download the Coreinfo v3.31 tool to determine if a CPU supports SLAT.
Figure 3: Intermediate State: Mixed-OS mode: Windows Server 2012 R2 and Windows Server 2016
Failover cluster (Stage 2)
At "Stage 3", all of the nodes in the cluster have been upgraded to Windows Server 2016, and the cluster is ready
to be upgraded with Update-ClusterFunctionalLevel PowerShell cmdlet.
NOTE
At this stage, the process can be fully reversed, and Windows Server 2012 R2 nodes can be added to this cluster.
Figure 4: Intermediate State: All nodes upgraded to Windows Server 2016, ready for Update-
ClusterFunctionalLevel (Stage 3)
After the Update-ClusterFunctionalLevelcmdlet is run, the cluster enters "Stage 4", where new Windows Server
2016 cluster features can be used.
Figure 8: Using the Get-CauRun cmdlet to determine if Cluster Aware Updates is running on
the cluster
Figure 9: Disabling the Cluster Aware Updates role using the Disable-CauClusterRole cmdlet
2. For each node in the cluster, complete the following:
a. Using Cluster Manager UI, select a node and use the Pause | Drain menu option to drain the node
(see Figure 10) or use the Suspend-ClusterNode cmdlet (see Figure 11).
Figure 10: Draining roles from a node using Failover Cluster Manager
Figure 11: Draining roles from a node using the Suspend-ClusterNode cmdlet
b. Using Cluster Manager UI, Evict the paused node from cluster, or use the Remove-ClusterNode
cmdlet.
Figure 12: Remove a node from the cluster using Remove-ClusterNode cmdlet
c. Reformat the system drive and perform a "clean operating system install" of Windows Server 2016
on the node using the Custom: Install Windows only (advanced) installation (See Figure 13)
option in setup.exe. Avoid selecting the Upgrade: Install Windows and keep files, settings, and
applications option since Cluster OS Rolling Upgrade does not encourage in-place upgrade.
g. Using the Server Manager UI or Install-WindowsFeature PowerShell cmdlet, install the Failover
Clustering feature.
Install-WindowsFeature -Name Failover-Clustering
NOTE
When the first Windows Server 2016 node joins the cluster, the cluster enters "Mixed-OS" mode, and the
cluster core resources are moved to the Windows Server 2016 node. A "Mixed-OS" mode cluster is a fully
functional cluster where the new nodes run in a compatibility mode with the old nodes. "Mixed-OS" mode is a
transitory mode for the cluster. It is not intended to be permanent and customers are expected to update all
nodes of their cluster within four weeks.
n. After the Windows Server 2016 node is successfully added to the cluster, you can (optionally) move
some of the cluster workload to the newly added node in order to rebalance the workload across the
cluster as follows:
b. Use Move from the Failover Cluster Manager or the Move-ClusterGroup cmdlet for other
cluster workloads.
3. When every node has been upgraded to Windows Server 2016 and added back to the cluster, or when any
remaining Windows Server 2012 R2 nodes have been evicted, do the following:
IMPORTANT
After you update the cluster functional level, you cannot go back to Windows Server 2012 R2 functional level and
Windows Server 2012 R2 nodes cannot be added to the cluster.
Until the Update-ClusterFunctionalLevel cmdlet is run, the process is fully reversible and Windows Server
2012 R2 nodes can be added to this cluster and Windows Server 2016 nodes can be removed.
After the Update-ClusterFunctionalLevel cmdlet is run, new features will be available.
a. Using the Failover Cluster Manager UI or the Get-ClusterGroup cmdlet, check that all cluster roles are
running on the cluster as expected. In the following example, Available Storage is not being used,
instead CSV is used, hence, Available Storage displays an Offline status (see Figure 18).
Figure 18: Verifying that all cluster groups (cluster roles) are running using the
Get-ClusterGroup cmdlet
b. Check that all cluster nodes are online and running using the Get-ClusterNode cmdlet.
c. Run the Update-ClusterFunctionalLevel cmdlet - no errors should be returned (see Figure 19).
Figure 20: Enable Cluster Aware Updates role using the Enable-CauClusterRole cmdlet
b. Resume backup operations.
5. Enable and use the Windows Server 2016 features on Hyper-V Virtual Machines.
a. After the cluster has been upgraded to Windows Server 2016 functional level, many workloads like
Hyper-V VMs will have new capabilities. For a list of new Hyper-V capabilities. see Migrate and
upgrade virtual machines
b. On each Hyper-V host node in the cluster, use the Get-VMHostSupportedVersion cmdlet to view the
Hyper-V VM configuration versions that are supported by the host.
Figure 21: Viewing the Hyper-V VM configuration versions supported by the host
a. On each Hyper-V host node in the cluster, Hyper-V VM configuration versions can be upgraded by
scheduling a brief maintenance window with users, backing up, turning off virtual machines, and
running the Update-VMVersion cmdlet (see Figure 22). This will update the virtual machine version,
and enable new Hyper-V features, eliminating the need for future Hyper-V Integration Component
(IC) updates. This cmdlet can be run from the Hyper-V node that is hosting the VM, or the
-ComputerName parameter can be used to update the VM Version remotely. In this example, here we
upgrade the configuration version of VM1 from 5.0 to 7.0 to take advantage of many new Hyper-V
features associated with this VM configuration version such as Production Checkpoints (Application
Consistent backups), and binary VM configuration file.
Figure 22: Upgrading a VM version using the Update-VMVersion PowerShell cmdlet
6. Storage pools can be upgraded using the Update-StoragePool PowerShell cmdlet - this is an online
operation.
Although we are targeting Private Cloud scenarios, specifically Hyper-V and Scale-out File Server clusters, which
can be upgraded without downtime, the Cluster OS Rolling Upgrade process can be used for any cluster role.
Restrictions / Limitations
This feature works only for Windows Server 2012 R2 to Windows Server 2016 versions only. This feature
cannot upgrade earlier versions of Windows Server such as Windows Server 2008, Windows Server 2008 R2,
or Windows Server 2012 to Windows Server 2016.
Each Windows Server 2016 node should be reformatted/new installation only. "In-place" or "upgrade"
installation type is discouraged.
A Windows Server 2016 node must be used to add Windows Server 2016 nodes to the cluster.
When managing a mixed-OS mode cluster, always perform the management tasks from an uplevel node that is
running Windows Server 2016. Downlevel Windows Server 2012 R2 nodes cannot use UI or management tools
against Windows Server 2016.
We encourage customers to move through the cluster upgrade process quickly because some cluster features
are not optimized for mixed-OS mode.
Avoid creating or resizing storage on Windows Server 2016 nodes while the cluster is running in mixed-OS
mode because of possible incompatibilities on failover from a Windows Server 2016 node to down-level
Windows Server 2012 R2 nodes.
See also
Release Notes: Important Issues in Windows Server 2016
What's New in Windows Server 2016
What's New in Failover Clustering in Windows Server
Simplified SMB Multichannel and Multi-NIC Cluster
Networks
4/24/2017 • 3 min to read • Edit Online
Simplified SMB Multichannel and Multi-NIC Cluster Networks is a new feature in Windows Server 2016 that
enables the use of multiple NICs on the same cluster network subnet, and automatically enables SMB Mutichannel.
Simplified SMB Multichannel and Multi-NIC Cluster Networks provides the following benefits:
Failover Clustering automatically recognizes all NICs on nodes that are using the same switch / same subnet -
no additional configuration needed.
SMB Multichannel is enabled automatically.
Networks that only have IPv6 Link Local (fe80) IP Addresses resources are recognized on cluster-only (private)
networks.
A single IP Address resource is configured on each Cluster Access Point (CAP) Network Name (NN) by default.
Cluster validation no longer issues warning messages when multiple NICs are found on the same subnet.
Requirements
Multiple NICs per server, using the same switch / subnet.
Figure 2: To achieve maximum network throughput, use multiple NICs on both the Scale-out File Server
cluster and the Hyper-V or SQL Server Failover Cluster Instance cluster - which share the North-South
subnet
Figure 3: Two clusters (Scale-out File Server for storage, SQL Server FCI for workload) both use multiple
NICs in the same subnet to leverage SMB Multichannel and achieve better network throughput.
See also
What's New in Failover Clustering in Windows Server
Cluster-Aware Updating overview
5/1/2017 • 7 min to read • Edit Online
Applies to: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This topic provides an overview of Cluster-Aware Updating (CAU), a feature that automates the software updating
process on clustered servers while maintaining availability.
NOTE
When updating Storage Spaces Direct clusters, we recommend using Cluster-Aware Updating.
Feature description
Cluster-Aware Updating is an automated feature that enables you to update servers in a failover cluster with little
or no loss in availability during the update process. During an Updating Run, Cluster-Aware Updating
transparently performs the following tasks:
1. Puts each node of the cluster into node maintenance mode.
2. Moves the clustered roles off the node.
3. Installs the updates and any dependent updates.
4. Performs a restart if necessary.
5. Brings the node out of maintenance mode.
6. Restores the clustered roles on the node.
7. Moves to update the next node.
For many clustered roles in the cluster, the automatic update process triggers a planned failover. This can cause a
transient service interruption for connected clients. However, in the case of continuously available workloads, such
as Hyper-V with live migration or file server with SMB Transparent Failover, Cluster-Aware Updating can
coordinate cluster updates with no impact to the service availability.
Practical applications
CAU reduces service outages in clustered services, reduces the need for manual updating workarounds,
and makes the end-to-end cluster updating process more reliable for the administrator. When the CAU
feature is used in conjunction with continuously available cluster workloads, such as continuously available
file servers (file server workload with SMB Transparent Failover) or Hyper-V, the cluster updates can be
performed with zero impact to service availability for clients.
CAU facilitates the adoption of consistent IT processes across the enterprise. Updating Run Profiles can be
created for different classes of failover clusters and then managed centrally on a file share to ensure that
CAU deployments throughout the IT organization apply updates consistently, even if the clusters are
managed by different lines-of-business or administrators.
CAU can schedule Updating Runs on regular daily, weekly, or monthly intervals to help coordinate cluster
updates with other IT management processes.
CAU provides an extensible architecture to update the cluster software inventory in a cluster-aware fashion.
This can be used by publishers to coordinate the installation of software updates that are not published to
Windows Update or Microsoft Update or that are not available from Microsoft, for example, updates for
non-Microsoft device drivers.
CAU self-updating mode enables a "cluster in a box" appliance (a set of clustered physical machines,
typically packaged in one chassis) to update itself. Typically, such appliances are deployed in branch offices
with minimal local IT support to manage the clusters. Self-updating mode offers great value in these
deployment scenarios.
Important functionality
The following is a description of important Cluster-Aware Updating functionality:
A user interface (UI) - the Cluster Aware Updating window - and a set of cmdlets that you can use to
preview, apply, monitor, and report on the updates
An end-to-end automation of the cluster-updating operation (an Updating Run), orchestrated by one or
more Update Coordinator computers
A default plug-in that integrates with the existing Windows Update Agent (WUA) and Windows Server
Update Services (WSUS) infrastructure in Windows Server to apply important Microsoft updates
A second plug-in that can be used to apply Microsoft hotfixes, and that can be customized to apply non-
Microsoft updates
Updating Run Profiles that you configure with settings for Updating Run options, such as the maximum
number of times that the update will be retried per node. Updating Run Profiles enable you to rapidly reuse
the same settings across Updating Runs and easily share the update settings with other failover clusters.
An extensible architecture that supports new plug-in development to coordinate other node-updating tools
across the cluster, such as custom software installers, BIOS updating tools, and network adapter or host bus
adapter (HBA) updating tools.
Cluster-Aware Updating can coordinate the complete cluster updating operation in two modes:
Self-updating mode For this mode, the CAU clustered role is configured as a workload on the failover
cluster that is to be updated, and an associated update schedule is defined. The cluster updates itself at
scheduled times by using a default or custom Updating Run profile. During the Updating Run, the CAU
Update Coordinator process starts on the node that currently owns the CAU clustered role, and the process
sequentially performs updates on each cluster node. To update the current cluster node, the CAU clustered
role fails over to another cluster node, and a new Update Coordinator process on that node assumes
control of the Updating Run. In self-updating mode, CAU can update the failover cluster by using a fully
automated, end-to-end updating process. An administrator can also trigger updates on-demand in this
mode, or simply use the remote-updating approach if desired. In self-updating mode, an administrator can
get summary information about an Updating Run in progress by connecting to the cluster and running the
Get-CauRun Windows PowerShell cmdlet.
Remote-updating mode For this mode, a remote computer, which is called an Update Coordinator, is
configured with the CAU tools. The Update Coordinator is not a member of the cluster that is updated
during the Updating Run. From the remote computer, the administrator triggers an on-demand Updating
Run by using a default or custom Updating Run profile. Remote-updating mode is useful for monitoring
real-time progress during the Updating Run, and for clusters that are running on Server Core installations.
NOTE
You can't use the Failover Clustering Tools on Windows Server 2012 to manage Cluster-Aware Updating on a newer
version of Windows Server.
To use CAU only in remote-updating mode, installation of the Failover Clustering Tools on the cluster nodes is not
required. However, certain CAU features will not be available. For more information, see Requirements and Best Practices
for Cluster-Aware Updating.
Unless you are using CAU only in self-updating mode, the computer on which the CAU tools are installed and that
coordinates the updates cannot be a member of the failover cluster.
See also
The following links provide more information about using Cluster-Aware Updating.
Requirements and Best Practices for Cluster-Aware Updating
Cluster-Aware Updating: Frequently Asked Questions
Advanced Options and Updating Run Profiles for CAU
How CAU Plug-ins Work
Cluster-Aware Updating Cmdlets in Windows PowerShell
Cluster-Aware Updating Plug-in Reference
Cluster-Aware Updating requirements and best
practices
4/28/2017 • 20 min to read • Edit Online
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This section describes the requirements and dependencies that are needed to use Cluster-Aware Updating (CAU)
to apply updates to a failover cluster running Windows Server.
NOTE
You may need to independently validate that your cluster environment is ready to apply updates if you use a plug-in other
than Microsoft.WindowsUpdatePlugin. If you are using a non-Microsoft plug-in, contact the publisher for more
information. For more information about plug-ins, see How Plug-ins Work.
Install the Failover Clustering feature and the Failover Clustering Tools
CAU requires an installation of the Failover Clustering feature and the Failover Clustering Tools. The Failover
Clustering Tools include the CAU tools (clusterawareupdating.dll), the Failover Clustering cmdlets, and other
components needed for CAU operations. For steps to install the Failover Clustering feature, see Installing the
Failover Clustering Feature and Tools.
The exact installation requirements for the Failover Clustering Tools depend on whether CAU coordinates updates
as a clustered role on the failover cluster (by using self-updating mode) or from a remote computer. The self-
updating mode of CAU additionally requires the installation of the CAU clustered role on the failover cluster by
using the CAU tools.
The following table summarizes the CAU feature installation requirements for the two CAU updating modes.
Failover Clustering feature Required on all cluster nodes Required on all cluster nodes
Enable a firewall rule to Disabled Required on all cluster Required on all cluster
allow automatic restarts nodes if a firewall is in use nodes if a firewall is in use
Enable Windows PowerShell Enabled Required on all cluster Required on all cluster
3.0 or 4.0 and Windows nodes nodes to run the following:
PowerShell remoting
- The Save-CauDebugTrace
cmdlet
- PowerShell pre-update
and post-update scripts
during an Updating Run
- Tests of cluster updating
readiness using the Cluster-
Aware Updating window or
the Test-CauSetup Windows
PowerShell cmdlet
Install .NET Framework 4.6 Enabled Required on all cluster Required on all cluster
or 4.5 nodes nodes to run the following:
- The Save-CauDebugTrace
cmdlet
- PowerShell pre-update
and post-update scripts
during an Updating Run
- Tests of cluster updating
readiness using the Cluster-
Aware Updating window or
the Test-CauSetup Windows
PowerShell cmdlet
NOTE
The Remote Shutdown Windows Firewall rule group cannot be enabled when it will conflict with Group Policy settings that
are configured for Windows Firewall.
The Remote Shutdown firewall rule group is also enabled by specifying the –EnableFirewallRules parameter
when running the following CAU cmdlets: Add-CauClusterRole, Invoke-CauRun, and SetCauClusterRole.
The following PowerShell example shows an additional method to enable automatic restarts on a cluster node.
Set-NetFirewallRule -Group "@firewallapi.dll,-36751" -Profile Domain -Enabled true
winrm quickconfig -q
To support WMI remoting, if Windows Firewall is in use on the cluster nodes, the inbound firewall rule for
Windows Remote Management (HTTP-In) must be enabled on each node. By default, this rule is enabled.
Enable Windows PowerShell and Windows PowerShell remoting
To enable self-updating mode and certain CAU features in remote-updating mode, PowerShell must be installed
and enabled to run remote commands on all cluster nodes. By default, PowerShell is installed and enabled for
remoting.
To enable PowerShell remoting, use one of the following methods:
Run the Enable-PSRemoting cmdlet.
Configure a domain-level Group Policy setting for Windows Remote Management (WinRM).
For more information about enabling PowerShell remoting, see about_Remote_Requirements.
Install .NET Framework 4.6 or 4.5
To enable self-updating mode and certain CAU features in remote-updating mode,.NET Framework 4.6, or .NET
Framework 4.5 (on Windows Server 2012 R2) must be installed on all cluster nodes. By default, NET Framework is
installed.
To install .NET Framework 4.6 (or 4.5) using PowerShell if it's not already installed, use the following command:
Combining CAU with methods that update individual nodes automatically (on a fixed time schedule) can cause
unpredictable results, including interruptions in service and unplanned downtime.
We recommend that you follow these guidelines:
For optimal results, we recommend that you disable settings on the cluster nodes for automatic updating,
for example, through the Automatic Updates settings in Control Panel, or in settings that are configured
using Group Policy.
Cau t i on
Automatic installation of updates on the cluster nodes can interfere with installation of updates by CAU and
can cause CAU failures.
If they are needed, the following Automatic Updates settings are compatible with CAU, because the
administrator can control the timing of update installation:
Settings to notify before downloading updates and to notify before installation
Settings to automatically download updates and to notify before installation
However, if Automatic Updates is downloading updates at the same time as a CAU Updating Run, the
Updating Run might take longer to complete.
Do not configure an update system such as Windows Server Update Services (WSUS) to apply updates
automatically (on a fixed time schedule) to cluster nodes.
All cluster nodes should be uniformly configured to use the same update source, for example, a WSUS
server, Windows Update, or Microsoft Update.
If you use a configuration management system to apply software updates to computers on the network,
exclude cluster nodes from all required or automatic updates. Examples of configuration management
systems include Microsoft System Center Configuration Manager 2007 and Microsoft System Center
Virtual Machine Manager 2008.
If internal software distribution servers (for example, WSUS servers) are used to contain and deploy the
updates, ensure that those servers correctly identify the approved updates for the cluster nodes.
Apply Microsoft updates in branch office scenarios
To download Microsoft updates from Microsoft Update or Windows Update to cluster nodes in certain branch
office scenarios, you may need to configure proxy settings for the Local System account on each node. For
example, you might need to do this if your branch office clusters access Microsoft Update or Windows Update to
download updates by using a local proxy server.
If necessary, configure WinHTTP proxy settings on each node to specify a local proxy server and configure local
address exceptions (that is, a bypass list for local addresses). To do this, you can run the following command on
each cluster node from an elevated command prompt:
where <ProxyServerFQDN> is the fully qualified domain name for the proxy server and <port> is the port over
which to communicate (usually port 443).
For example, to configure WinHTTP proxy settings for the Local System account specifying the proxy server
MyProxy.CONTOSO.com, with port 443 and local address exceptions, type the following command:
NOTE
You might need to independently validate that your cluster environment is ready to apply software updates by using a
plug-in other than Microsoft.WindowsUpdatePlugin. If you are using a non-Microsoft plug-in, such as one provided by
your hardware manufacturer, contact the publisher for more information.
IMPORTANT
We highly recommend that you test the cluster for updating readiness in the following situations:
Before you use CAU for the first time to apply software updates.
After you add a node to the cluster or perform other hardware changes in the cluster that require running the Validate a
Cluster Wizard.
After you change an update source, or change update settings or configurations (other than CAU) that can affect the
application of updates on the nodes.
The failover cluster must be available Cannot resolve the failover cluster - Check the spelling of the name of the
name, or one or more cluster nodes cluster specified during the BPA run.
cannot be accessed. The BPA cannot - Ensure that all nodes of the cluster
run the cluster readiness tests. are online and running.
- Check that the Validate a
Configuration Wizard can successfully
run on the failover cluster.
The failover cluster nodes must be One or more failover cluster nodes are Ensure that all failover cluster nodes are
enabled for remote management via not enabled for remote management enabled for remote management
WMI by using Windows Management through WMI. For more information,
Instrumentation (WMI). CAU cannot see Configure the nodes for remote
update the cluster nodes if the nodes management in this topic.
are not configured for remote
management.
PowerShell remoting should be enabled PowerShell isn't installed or isn't Ensure that PowerShell is installed on
on each failover cluster node enabled for remoting on one or more all cluster nodes and is enabled for
failover cluster nodes. CAU cannot be remoting.
configured for self-updating mode or
use certain features in remote-updating For more information, see Configure
mode. the nodes for remote management in
this topic.
Failover cluster version One or more nodes in the failover Verify that the failover cluster that is
cluster don't run Windows Server 2016, specified during the BPA run is running
Windows Server 2012 R2, or Windows Windows Server 2016, Windows Server
Server 2012. CAU cannot update the 2012 R2, or Windows Server 2012.
failover cluster.
For more information, see Verify the
cluster configuration in this topic.
TEST POSSIBLE ISSUES AND IMPACTS RESOLUTION STEPS
The required versions of .NET .NET Framework 4.6, 4.5 or Windows Ensure that .NET Framework 4.6 or 4.5
Framework and Windows PowerShell PowerShell isn't installed on one or and Windows PowerShell are installed
must be installed on all failover cluster more cluster nodes. Some CAU features on all cluster nodes, if they are
nodes might not work. required.
The Cluster service should be running The Cluster service is not running on - Ensure that the Cluster service
on all cluster nodes one or more nodes. CAU cannot (clussvc) is started on all nodes in the
update the failover cluster. cluster, and it is configured to start
automatically.
- Check that the Validate a
Configuration Wizard can successfully
run on the failover cluster.
Automatic Updates must not be On at least one failover cluster node, If Windows Update functionality is
configured to automatically install Automatic Updates is configured to configured for Automatic Updates on
updates on any failover cluster node automatically install Microsoft updates one or more cluster nodes, ensure that
on that node. Combining CAU with Automatic Updates is not configured to
other update methods can result in automatically install updates.
unplanned downtime or unpredictable
results. For more information, see
Recommendations for applying
Microsoft updates.
The failover cluster nodes should use One or more failover cluster nodes are Ensure that every cluster node is
the same update source configured to use an update source for configured to use the same update
Microsoft updates that is different from source, for example, a WSUS server,
the rest of the nodes. Updates might Windows Update, or Microsoft Update.
not be applied uniformly on the cluster
nodes by CAU. For more information, see
Recommendations for applying
Microsoft updates.
A firewall rule that allows remote One or more failover cluster nodes do If Windows Firewall or a non-Microsoft
shutdown should be enabled on each not have a firewall rule enabled that firewall is in use on the cluster nodes,
node in the failover cluster allows remote shutdown, or a Group configure a firewall rule that allows
Policy setting prevents this rule from remote shutdown.
being enabled. An Updating Run that
applies updates that require restarting For more information, see Enable a
the nodes automatically might not firewall rule to allow automatic restarts
complete properly. in this topic.
The proxy server setting on each One or more failover cluster nodes Ensure that the WinHTTP proxy
failover cluster node should be set to a have an incorrect proxy server settings on each cluster node are set to
local proxy server configuration. a local proxy server if it is needed. If a
proxy server is not in use in your
If a local proxy server is in use, the environment, this warning can be
proxy server setting on each node must ignored.
be configured properly for the cluster
to access Microsoft Update or Windows For more information, see Apply
Update. updates in branch office scenarios in
this topic.
TEST POSSIBLE ISSUES AND IMPACTS RESOLUTION STEPS
The CAU clustered role should be The CAU clustered role is not installed To use CAU in self-updating mode, add
installed on the failover cluster to on this failover cluster. This role is the CAU clustered role on the failover
enable self-updating mode required for cluster self-updating. cluster in one of the following ways:
The CAU clustered role should be The CAU clustered role is disabled. For To use CAU in self-updating mode,
enabled on the failover cluster to example, the CAU clustered role is not enable the CAU clustered role on this
enable self-updating mode installed, or it has been disabled by failover cluster in one of the following
using the Disable-CauClusterRole ways:
PowerShell cmdlet. This role is required
for cluster self-updating. - Run the Enable-CauClusterRole
PowerShell cmdlet.
- Select the Configure cluster self-
updating options action in the
Cluster-Aware Updating window.
The configured CAU plug-in for self- The CAU clustered role on one or more - Ensure that the configured CAU plug-
updating mode must be registered on nodes of this failover cluster cannot in is installed on all cluster nodes by
all failover cluster nodes access the CAU plug-in module that is following the installation procedure for
configured in the self-updating options. the product that supplies the CAU
A self-updating run might fail. plug-in.
- Run the Register-CauPlugin
PowerShell cmdlet to register the plug-
in on the required cluster nodes.
All failover cluster nodes should have A self-updating run might fail if the - Ensure that the configured CAU plug-
the same set of registered CAU plug- plug-in that is configured to be used in in is installed on all cluster nodes by
ins an Updating Run is changed to one following the installation procedure for
that is not available on all cluster the product that supplies the CAU
nodes. plug-in.
- Run the Register-CauPlugin
PowerShell cmdlet to register the plug-
in on the required cluster nodes.
The configured Updating Run options The self-updating schedule and Configure a valid self-updating
must be valid Updating Run options that are schedule and set of Updating Run
configured for this failover cluster are options. For example, you can use the
incomplete or are not valid. A self- Set-CauClusterRole PowerShell cmdlet
updating run might fail. to configure the CAU clustered role.
At least two failover cluster nodes must An Updating Run launched in self- Use the Failover Clustering Tools to
be owners of the CAU clustered role updating mode will fail because the ensure that all cluster nodes are
CAU clustered role does not have a configured as possible owners of the
possible owner node to move to. CAU clustered role. This is the default
configuration.
All failover cluster nodes must be able Not all possible owner nodes of the Ensure that all possible owner nodes of
to access Windows PowerShell scripts CAU clustered role can access the the CAU clustered role have
configured Windows PowerShell pre- permissions to access the configured
update and post-update scripts. A self- PowerShell pre-update and post-
updating run will fail. update scripts.
TEST POSSIBLE ISSUES AND IMPACTS RESOLUTION STEPS
All failover cluster nodes should use Not all possible owner nodes of the Ensure that all possible owner nodes of
identical Windows PowerShell scripts CAU clustered role use the same copy the CAU clustered role use the same
of the specified Windows PowerShell PowerShell pre-update and post-
pre-update and post-update scripts. A update scripts.
self-updating run might fail or show
unexpected behavior.
The WarnAfter setting specified for the The specified CAU Updating Run In the Updating Run options, configure
Updating Run should be less than the timeout values make the warning a WarnAfter option value that is less
StopAfter setting timeout ineffective. An Updating Run than the StopAfter option value.
might be canceled before a warning
event log can be generated.
See also
Cluster-Aware Updating overview
Cluster-Aware Updating advanced options and
updating run profiles
6/8/2017 • 8 min to read • Edit Online
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This topic describes Updating Run options that can be configured for a Cluster-Aware Updating (CAU) Updating
Run. These advanced options can be configured when you use either the CAU UI or the CAU Windows PowerShell
cmdlets to apply updates or to configure self-updating options.
Most configuration settings can be saved as an XML file called an Updating Run Profile and reused for later
Updating Runs. The default values for the Updating Run options that are provided by CAU can also be used in
many cluster environments.
For information about additional options that you can specify for each Updating Run and about Updating Run
Profiles, see the following sections later in this topic:
Options that you specify when you request an Updating Run Use Updating Run Profiles Options that can be set in
an Updating Run Profile
The following table lists options that you can set in a CAU Updating Run Profile.
NOTE
To set the PreUpdateScript or PostUpdateScript option, ensure that Windows PowerShell and .NET Framework 4.6 or 4.5 are
installed and that PowerShell remoting is enabled on each node in the cluster. For more information, see Configure the
nodes for remote management in Requirements and Best Practices for Cluster-Aware Updating.
MaxFailedNodes For most clusters, an integer that is Maximum number of nodes on which
approximately one-third of the number updating can fail, either because the
of cluster nodes nodes fail or the Cluster service stops
running. If one more node fails, the
Updating Run is stopped.
ConfigurationName This setting only has an effect if you run Specifies the PowerShell session
scripts. configuration that defines the session in
which scripts (specified by
If you specify a pre-update script or a PreUpdateScript and
post-update script, but you do not PostUpdateScript) are run, and can
specify a ConfigurationName, the limit the commands that can be run.
default session configuration for
PowerShell (Microsoft.PowerShell) is
used.
Domain=Domain.local
NodeOrder By default, CAU starts with the node Names of the cluster nodes in the order
that owns the smallest number of that they should be updated (if
clustered roles, then progresses to the possible).
node that has the second smallest
number, and so on.
See also
Cluster-Aware Updating
Cluster-Aware Updating Cmdlets in Windows PowerShell
Cluster-Aware Updating: Frequently Asked Questions
5/1/2017 • 10 min to read • Edit Online
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Cluster-Aware Updating (CAU) is a feature that coordinates software updates on all servers in a failover cluster in a
way that doesn't impact the service availability any more than a planned failover of a cluster node. For some
applications with continuous availability features (such as Hyper-V with live migration, or an SMB 3.x file server
with SMB Transparent Failover), CAU can coordinate automated cluster updating with no impact on service
availability.
NOTE
Currently, the following clustered workloads are tested and certified for CAU: SMB, Hyper-V, DFS Replication, DFS
Namespaces, iSCSI, and NFS.
Can CAU report updates that are initiated from outside CAU?
No. CAU can only report Updating Runs that are initiated from within CAU. However, when a subsequent CAU
Updating Run is launched, updates that were installed through non-CAU methods are appropriately considered to
determine the additional updates that might be applicable to each cluster node.
Advanced Updating Run options The administrator can additionally specify from a large set of advanced
Updating Run options such as the maximum number of times that the update process is retried on each node.
These options can be specified using either the CAU UI or the CAU PowerShell cmdlets. These custom settings can
be saved in an Updating Run Profile and reused for later Updating Runs.
Public plug-in architecture CAU includes features to Register, Unregister, and Select plug-ins. CAU ships with
two default plug-ins: one coordinates the Windows Update Agent (WUA) APIs on each cluster node; the second
applies hotfixes that are manually copied to a file share that is accessible to the cluster nodes. If an enterprise has
unique needs that cannot be met with these two plug-ins, the enterprise can build a new CAU plug-in according to
the public API specification. For more information, see Cluster-Aware Updating Plug-in Reference.
For information about configuring and customizing CAU plug-ins to support different updating scenarios, see How
Plug-ins Work.
Does CAU need components running on the cluster nodes that are
being updated?
CAU doesn't need a service running on the cluster nodes. However, CAU needs a software component (the WMI
provider) installed on the cluster nodes. This component is installed with the Failover Clustering feature.
To enable self-updating mode, the CAU clustered role must also be added to the cluster.
What is the difference between using CAU and VMM?
System Center Virtual Machine Manager (VMM) is focused on updating only Hyper-V clusters, whereas CAU
can update any type of supported failover cluster, including Hyper-V clusters.
VMM requires additional licensing, whereas CAU is licensed for all Windows Server. The CAU features, tools,
and UI are installed with Failover Clustering components.
If you already own a System Center license, you can continue to use VMM to update Hyper-V clusters
because it offers an integrated management and software updating experience.
CAU is supported only on clusters that are running Windows Server 2016, Windows Server 2012 R2, and
Windows Server 2012. VMM also supports Hyper-V clusters on computers running Windows Server 2008
R2 and Windows Server 2008.
See also
Cluster-Aware Updating Overview
How Cluster-Aware Updating plug-ins work
5/1/2017 • 21 min to read • Edit Online
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Cluster-Aware Updating (CAU) uses plug-ins to coordinate the installation of updates across nodes in a failover
cluster. This topic provides information about using the built-in CAU plug-ins or other plug-ins that you install for
CAU.
Install a plug-in
A plug-in other than the default plug-ins that are installed with CAU (Microsoft.WindowsUpdatePlugin and
Microsoft.HotfixPlugin) must be installed separately. If CAU is used in self-updating mode, the plug-in must be
installed on all cluster nodes. If CAU is used in remote-updating mode, the plug-in must be installed on the remote
Update Coordinator computer. A plug-in that you install may have additional installation requirements on each
node.
To install a plug-in, follow the instructions from the plug-in publisher. To manually register a plug-in with CAU,
run the Register-CauPlugin cmdlet on each computer where the plug-in is installed.
TIP
In the CAU UI, you can only specify a single plug-in for CAU to use to preview or to apply updates during an Updating Run.
By using the CAU PowerShell cmdlets, you can specify one or more plug-ins. If you need to install multiple types of updates
on the cluster, it is usually more efficient to specify multiple plug-ins in one Updating Run, rather than using a separate
Updating Run for each plug-in. For example, fewer node restarts will typically occur.
By using the CAU PowerShell cmdlets that are listed in the following table, you can specify one or more plug-ins
for an Updating Run or scan by passing the –CauPluginName parameter. You can specify multiple plug-in
names by separating them with commas. If you specify multiple plug-ins, you can also control how the plug-ins
influence each other during an Updating Run by specifying the -RunPluginsSerially, -StopOnPluginFailure,
and –SeparateReboots parameters. For more information about using multiple plug-ins, use the links provided
to the cmdlet documentation in the following table.
CMDLET DESCRIPTION
Add-CauClusterRole Adds the CAU clustered role that provides the self-updating
functionality to the specified cluster.
If you do not specify a CAU plug-in parameter by using these cmdlets, the default is the plug-in
Microsoft.WindowsUpdatePlugin.
Specify CAU plug-in arguments
When you configure the Updating Run options, you can specify one or more name=value pairs (arguments) for
the selected plug-in to use. For example, in the CAU UI, you can specify multiple arguments as follows:
Name1=Value1;Name2=Value2;Name3=Value3
These name=value pairs must be meaningful to the plug-in that you specify. For some plug-ins the arguments are
optional.
The syntax of the CAU plug-in arguments follows these general rules:
Multiple name=value pairs are separated by semicolons.
A value that contains spaces is surrounded by quotation marks, for example: Name1="Value with
Spaces".
The exact syntax of value depends on the plug-in.
To specify plug-in arguments by using the CAU PowerShell cmdlets that support the –CauPluginParameters
parameter, pass a parameter of the form:
-CauPluginArguments @{Name1=Value1;Name2=Value2;Name3=Value3}
You can also use a predefined PowerShell hash table. To specify plug-in arguments for more than one plug-in,
pass multiple hash tables of arguments, separated with commas. Pass the plug-in arguments in the plug-in order
that is specified in CauPluginName.
Specify optional plug-in arguments
The plug-ins that CAU installs (Microsoft.WindowsUpdatePlugin and Microsoft.HotfixPlugin) provide
additional options that you can select. In the CAU UI, these appear on an Additional Options page after you
configure Updating Run options for the plug-in. If you are using the CAU PowerShell cmdlets, these options are
configured as optional plug-in arguments. For more information, see Use the Microsoft.WindowsUpdatePlugin
and Use the Microsoft.HotfixPlugin later in this topic.
NOTE
To apply updates other than the important software updates that are selected by default (for example, driver updates), you
can configure an optional plug-in parameter. For more information, see Configure the Windows Update Agent query string.
Requirements
The failover cluster and remote Update Coordinator computer (if used) must meet the requirements for CAU
and the configuration that is required for remote management listed in Requirements and Best Practices for
CAU.
Review Recommendations for applying Microsoft updates, and then make any necessary changes to your
Microsoft Update configuration for the failover cluster nodes.
For best results, we recommend that you run the CAU Best Practices Analyzer (BPA) to ensure that the cluster
and update environment are configured properly to apply updates by using CAU. For more information, see
Test CAU updating readiness.
NOTE
Updates that require the acceptance of Microsoft license terms or require user interaction are excluded, and they must be
installed manually.
Additional options
Optionally, you can specify the following plug-in arguments to augment or restrict the set of updates that are
applied by the plug-in:
To configure the plug-in to apply recommended updates in addition to important updates on each node, in the
CAU UI, on the Additional Options page, select the Give me recommended updates the same way that I
receive important updates check box.
Alternatively, configure the 'IncludeRecommendedUpdates'='True' plug-in argument.
To configure the plug-in to filter the types of GDR updates that are applied to each cluster node, specify a
Windows Update Agent query string using a QueryString plug-in argument. For more information, see
Configure the Windows Update Agent query string.
Configure the Windows Update Agent query string
You can configure a plug-in argument for the default plug-in, Microsoft.WindowsUpdatePlugin, that consists
of a Windows Update Agent (WUA) query string. This instruction uses the WUA API to identify one or more
groups of Microsoft updates to apply to each node, based on specific selection criteria. You can combine multiple
criteria by using a logical AND or a logical OR. The WUA query string is specified in a plug-in argument as follows:
QueryString="Criterion1=Value1 and\/or Criterion2=Value2 and\/or…"
For example, Microsoft.WindowsUpdatePlugin automatically selects important updates by using a default
QueryString argument that is constructed using the IsInstalled, Type, IsHidden, and IsAssigned criteria:
QueryString="IsInstalled=0 and Type='Software' and IsHidden=0 and IsAssigned=1"
If you specify a QueryString argument, it is used in place of the default QueryString that is configured for the
plug-in.
Example 1
To configure a QueryString argument that installs a specific update as identified by ID f6ce46c1-971c-43f9-
a2aa-783df125f003:
QueryString="UpdateID='f6ce46c1-971c-43f9-a2aa-783df125f003' and IsInstalled=0"
NOTE
The preceding example is valid for applying updates by using the Cluster-Aware Updating Wizard. If you want to install a
specific update by configuring self-updating options with the CAU UI or by using the Add-CauClusterRole or Set-
CauClusterRolePowerShell cmdlet, you must format the UpdateID value with two single-quote characters:
QueryString="UpdateID=''f6ce46c1-971c-43f9-a2aa-783df125f003'' and IsInstalled=0"
Example 2
To configure a QueryString argument that installs only drivers:
QueryString="IsInstalled=0 and Type='Driver' and IsHidden=0"
For more information about query strings for the default plug-in, Microsoft.WindowsUpdatePlugin, the search
criteria (such as IsInstalled), and the syntax that you can include in the query strings, see the section about search
criteria in the Windows Update Agent (WUA) API Reference.
NOTE
Hotfixes are sometimes available for download from Microsoft in Knowledge Base articles, but they are also provided to
customers on an as-needed basis.
Requirements
The failover cluster and remote Update Coordinator computer (if used) must meet the requirements for CAU
and the configuration that is required for remote management listed in Requirements and Best Practices for
CAU.
Review Recommendations for using the Microsoft.HotfixPlugin.
For best results, we recommend that you run the CAU Best Practices Analyzer (BPA) model to ensure that the
cluster and update environment are configured properly to apply updates by using CAU. For more information,
see Test CAU updating readiness.
Obtain the updates from the publisher, and copy them or extract them to a Server Message Block (SMB) file
share (hotfix root folder) that supports at least SMB 2.0 and that is accessible by all of the cluster nodes and
the remote Update Coordinator computer (if CAU is used in remote-updating mode). For more information,
see Configure a hotfix root folder structure later in this topic.
NOTE
By default, this plug-in only installs hotfixes with the following file name extensions: .msu, .msi, and .msp.
NOTE
To install most hotfixes provided by Microsoft and other updates, the default hotfix configuration file can be used
without modification. If your scenario requires it, you can customize the configuration file as an advanced task. The
configuration file can include custom rules, for example, to handle hotfix files that have specific extensions, or to
define behaviors for specific exit conditions. For more information, see Customize the hotfix configuration file later in
this topic.
Configuration
Configure the following settings. For more information, see the links to sections later in this topic.
The path to the shared hotfix root folder that contains the updates to apply and that contains the hotfix
configuration file. You can type this path in the CAU UI or configure the HotfixRootFolderPath=<Path>
PowerShell plug-in argument.
NOTE
You can specify the hotfix root folder as a local folder path or as a UNC path of the form
\\ServerName\Share\RootFolderName. A domain-based or standalone DFS Namespace path can be used. However,
the plug-in features that check access permissions in the hotfix configuration file are incompatible with a DFS
Namespace path, so if you configure one, you must disable the check for access permissions by using the CAU UI or
by configuring the DisableAclChecks='True' plug-in argument.
Settings on the server that hosts the hotfix root folder to check for appropriate permissions to access the folder
and ensure the integrity of the data accessed from the SMB shared folder (SMB signing or SMB Encryption).
For more information, see Restrict access to the hotfix root folder.
Additional options
Optionally, configure the plug-in so that SMB Encryption is enforced when accessing data from the hotfix file
share. In the CAU UI, on the Additional Options page, select the Require SMB Encryption in accessing the
hotfix root folder option, or configure the RequireSMBEncryption='True' PowerShell plug-in argument. >
[!IMPORTANT] > You must perform additional configuration steps on the SMB server to enable SMB data
integrity with SMB signing or SMB Encryption. For more information, see Step 4 in Restrict access to the hotfix
root folder. If you select the option to enforce the use of SMB Encryption, and the hotfix root folder is not
configured for access by using SMB Encryption, the Updating Run will fail.
Optionally, disable the default checks for sufficient permissions for the hotfix root folder and the hotfix
configuration file. In the CAU UI, select Disable check for administrator access to the hotfix root folder
and configuration file, or configure the DisableAclChecks='True' plug-in argument.
Optionally, configure the HotfixInstallerTimeoutMinutes= argument to specify how long the hotfix plug-in
waits for the hotfix installer process to return. (The default is 30 minutes.) For example, to specify a timeout
period of two hours, set HotfixInstallerTimeoutMinutes=120.
Optionally, configure the HotfixConfigFileName = plug-in argument to specify a name for the hotfix
configuration file that is located in the hotfix root folder. If not specified, the default name
DefaultHotfixConfig.xml is used.
Configure a hotfix root folder structure
For the hotfix plug-in to work, hotfixes must be stored in a well-defined structure in an SMB file share (hotfix root
folder), and you must configure the hotfix plug-in with the path to the hotfix root folder by using the CAU UI or the
CAU PowerShell cmdlets. This path is passed to the plug-in as the HotfixRootFolderPath argument. You can
choose one of several structures for the hotfix root folder, according to your updating needs, as shown in the
following examples. Files or folders that do not adhere to the structure are ignored.
Example 1 - Folder structure used to apply hotfixes to all cluster nodes
To specify that hotfixes apply to all cluster nodes, copy them to a folder named CAUHotfix_All under the hotfix
root folder. In this example, the HotfixRootFolderPath plug-in argument is set to \\MyFileServer\Hotfixes\Root\.
The CAUHotfix_All folder contains three updates with the extensions .msu, .msi, and .msp that will be applied to
all cluster nodes. The update file names are only for illustration purposes.
NOTE
In this and the following examples, the hotfix configuration file with its default name DefaultHotfixConfig.xml is shown in its
required location in the hotfix root folder.
\\MyFileServer\Hotfixes\Root\
DefaultHotfixConfig.xml
CAUHotfix_All\
Update1.msu
Update2.msi
Update3.msp
...
Example 2 - Folder structure used to apply certain updates only to a specific node
To specify hotfixes that apply only to a specific node, use a subfolder under the hotfix root folder with the name of
the node. Use the NetBIOS name of the cluster node, for example, ContosoNode1. Then, move the updates that
apply only to this node to this subfolder. In the following example, the HotfixRootFolderPath plug-in argument
is set to \\MyFileServer\Hotfixes\Root\. Updates in the CAUHotfix_All folder will be applied to all cluster nodes,
and Node1_Specific_Update.msu will be applied only to ContosoNode1.
\\MyFileServer\Hotfixes\Root\
DefaultHotfixConfig.xml
CAUHotfix_All\
Update1.msu
Update2.msi
Update3.msp
...
ContosoNode1\
Node1_Specific_Update.msu
...
Example 3 - Folder structure used to apply updates other than .msu, .msi, and .msp files
By default, Microsoft.HotfixPlugin only applies updates with the .msu, .msi, or .msp extension. However, certain
updates might have different extensions and require different installation commands. For example, you might
need to apply a firmware update with the extension .exe to a node in a cluster. You can configure the hotfix root
folder with a subfolder that indicates a specific, non-default update type should be installed. You must also
configure a corresponding folder installation rule that specifies the installation command in the <FolderRules>
element in the hotfix configuration XML file.
In the following example, the HotfixRootFolderPath plug-in argument is set to \\MyFileServer\Hotfixes\Root\.
Several updates will be applied to all cluster nodes, and a firmware update SpecialHotfix1.exe will be applied to
ContosoNode1 by using FolderRule1. For information about configuring FolderRule1 in the hotfix configuration
file, see Customize the hotfix configuration file later in this topic.
\\MyFileServer\Hotfixes\Root\
DefaultHotfixConfig.xml
CAUHotfix_All\
Update1.msu
Update2.msi
Update3.msp
...
ContosoNode1\
FolderRule1\
SpecialHotfix1.exe
...
IMPORTANT
To apply most hotfixes provided by Microsoft and other updates, the default hotfix configuration file can be used without
modification. Customization of the hotfix configuration file is a task only in advanced usage scenarios.
By default, the hotfix configuration XML file defines installation rules and exit conditions for the following two
categories of hotfixes:
Hotfix files with extensions that the plug-in can install by default (.msu, .msi, and .msp files).
These are defined as <ExtensionRules> elements in the <DefaultRules> element. There is one <Extension>
element for each of the default supported file types. The general XML structure is as follows:
<DefaultRules>
<ExtensionRules>
<Extension name="MSI">
<!-- Template and ExitConditions elements for installation of .msi files follow -->
...
</Extension>
<Extension name="MSU">
<!-- Template and ExitConditions elements for installation of .msu files follow -->
...
</Extension>
<Extension name="MSP">
<!-- Template and ExitConditions elements for installation of .msp files follow -->
...
</Extension>
...
</ExtensionRules>
</DefaultRules>
If you need to apply certain update types to all cluster nodes in your environment, you can define additional
<Extension> elements.
Hotfix or other update files that are not .msi, .msu, or .msp files, for example, non-Microsoft drivers,
firmware, and BIOS updates.
Each non-default file type is configured as a <Folder> element in the <FolderRules> element. The name
attribute of the <Folder> element must be identical to the name of a folder in the hotfix root folder that will
contain updates of the corresponding type. The folder can be in the CAUHotfix_All folder or in a node-
specific folder. For example, if FolderRule1 is configured in the hotfix root folder, configure the following
element in the XML file to define an installation template and exit conditions for the updates in that folder:
<FolderRules>
<Folder name="FolderRule1">
<!-- Template and ExitConditions elements for installation of updates in FolderRule1 follow -->
...
</Folder>
...
</FolderRules>
The following tables describe the <Template> attributes and the possible <ExitConditions> subelements.
path The full path to the installation program for the file type that
is defined in the <Extension name> attribute.
<Success> Defines one or more exit codes that indicate the specified
update succeeded. This is a required subelement.
<Success_RebootRequired> Optionally defines one or more exit codes that indicate the
specified update succeeded and the node must restart.
Note: Optionally, the <Folder> element can contain the
alwaysReboot attribute. If this attribute is set, it indicates
that if a hotfix installed by this rule returns one of the exit
codes that is defined in <Success> , it is interpreted as a
<Success_RebootRequired> exit condition.
<Fail_RebootRequired> Optionally defines one or more exit codes that indicate the
specified update failed and the node must restart.
<AlreadyInstalled> Optionally defines one or more exit codes that indicate the
specified update was not applied because it is already
installed.
<NotApplicable> Optionally defines one or more exit codes that indicate the
specified update was not applied because it does not apply to
the cluster node.
IMPORTANT
Any exit code that is not explicitly defined in <ExitConditions> is interpreted as the update failed, and the node does not
restart.
IMPORTANT
You must add the account that is used for Updating Runs as a local administrator account on the SMB server. If this is not
permitted because of the security policies in your organization, configure this account with the necessary permissions on the
SMB server by using the following procedure.
To c o n fi g u r e a u se r a c c o u n t o n t h e SM B se r v e r
1. Add the account that is used for Updating Runs to the Distributed COM Users group and to one of the
following groups: Power User, Server Operation, or Print Operator.
2. To enable the necessary WMI permissions for the account, start the WMI Management Console on the SMB
server. Start PowerShell and then type the following command:
wmimgmt.msc
3. In the console tree, right-click WMI Control (Local), and then click Properties.
4. Click Security, and then expand Root.
5. Click CIMV2, and then click Security.
6. Add the account that is used for Updating Runs to the Group or user names list.
7. Grant the Execute Methods and Remote Enable permissions to the account that is used for Updating
Runs.
Step 3. Configure permissions to access the hotfix root folder
By default, when you attempt to apply updates, the hotfix plug-in checks the configuration of the NTFS file system
permissions for access to the hotfix root folder. If the folder access permissions are not configured properly, an
Updating Run using the hotfix plug-in might fail.
If you use the default configuration of the hotfix plug-in, ensure that the folder access permissions meet the
following requirements.
The Users group has Read permission.
If the plug-in will apply updates with the .exe extension, the Users group has Execute permission.
Only certain security principals are permitted (but are not required) to have Write or Modify permission.
The allowed principals are the local Administrators group, SYSTEM, CREATOR OWNER, and TrustedInstaller.
Other accounts or groups are not permitted to have Write or Modify permission on the hotfix root folder.
Optionally, you can disable the preceding checks that the plug-in performs by default. You can do this in one of
two ways:
If you are using the CAU PowerShell cmdlets, configure the DisableAclChecks='True' argument in the
CauPluginArguments parameter for the hotfix plug-in.
If you are using the CAU UI, select the Disable check for administrator access to the hotfix root folder
and configuration file option on the Additional Update Options page of the wizard that is used to
configure Updating Run options.
However, as a best practice in many environments, we recommend that you use the default configuration to
enforce these checks.
Step 4. Configure settings for SMB data integrity
To check for data integrity in the connections between the cluster nodes and the SMB file share, the hotfix plug-in
requires that you enable settings on the SMB file share for SMB signing or SMB Encryption. SMB Encryption,
which provides enhanced security and better performance in many environments, is supported starting in
Windows Server 2012. You can enable either or both of these settings, as follows:
To enable SMB signing, see the procedure in the article 887429 in the Microsoft Knowledge Base.
To enable SMB Encryption for the SMB shared folder, run the following PowerShell cmdlet on the SMB
server:
IMPORTANT
If you select the option to enforce the use of SMB Encryption, and the hotfix root folder is not configured for connections
that use SMB Encryption, the Updating Run will fail.
See also
Cluster-Aware Updating Overview
Cluster-Aware Updating Windows PowerShell Cmdlets
Cluster-Aware Updating Plug-in Reference
Change history for Failover Clustering topics in
Windows Server 2016
6/8/2017 • 1 min to read • Edit Online
This topic lists new and updated topics in the Failover Clustering documentation for Windows Server 2016.
If you're looking for update history for Windows Server 2016, see Windows 10 and Windows Server 2016
update history.
June 2017
NEW OR CHANGED TOPIC DESCRIPTION
Cluster-Aware Updating advanced options Added info about using run profile paths that include spaces.
April 2017
NEW OR CHANGED TOPIC DESCRIPTION
Deploy a cloud witness for a Failover Cluster Clarified the type of storage account that's required (you can't
use Azure Premium Storage or Blob storage accounts).
March 2017
NEW OR CHANGED TOPIC DESCRIPTION
Deploy a cloud witness for a Failover Cluster Updated screenshots to match changes to Microsoft Azure.
February 2017
NEW OR CHANGED TOPIC DESCRIPTION
Cluster operating system rolling upgrade Removed an unnecessary Caution note and added a link.