Clusters, security templates, OUs, and GPOs

If you have been keeping up with some of my past posts, you have seen that I have been wrestling with clustering issues and also with security templates and GPOs. I came up with a list of things that has been helpful to us in deploying our clusters.

• Do not apply "high security" templates to the base operating system.
  
• Organize your clustered nodes in to OUs (a single OU for the physical nodes of the cluster if possible.)
• Put the clustered server OU as close to the root as possible.
• Create a GPO specifically for the clustered nodes; use that GPO to restrict settings that need to be locked down. This simplifies troubleshooting if you only have ONE GPO that affects your clustered nodes.
  
• Block inheritance of GPOs on the cluster OU.
• Watch out for wayward GPOs on parent OUs and especially GPOs that have the Enforced (or No Override) setting on them.
  
• Remember, GPOs apply the the physical nodes of the cluster, not the virtual servers.
  

A good reference for applying more restrictive settings to clustered nodes is: How to apply more restrictive security settings on a Windows Server 2003-based cluster server.