Clusters, security templates, OUs, and GPOs
If you have been keeping up with some of my past posts, you have seen that I have been wrestling with clustering issues and also with security templates and GPOs. I came up with a list of things that have been helpful to us in deploying our clusters.
- Do not apply "high security" templates to the base operating system.
- Organize your clustered nodes into OUs (a single OU for the physical nodes of the cluster if possible).
- Put the clustered server OU as close to the root as possible.
- Create a GPO specifically for the clustered nodes; use that GPO to restrict settings that need to be locked down. This simplifies troubleshooting if you only have ONE GPO that affects your clustered nodes.
- Block inheritance of GPOs on the cluster OU.
- Watch out for wayward GPOs on parent OUs and especially GPOs that have the Enforced (or No Override) setting on them.
- Remember, GPOs apply to the physical nodes of the cluster, not the virtual servers.
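
One way to check the inheritance, single-GPO, and Enforced items from the list above, as an added example that is not part of the original post. The function name `Test-ClusterOuGpo`, the OU path, and the GPO names are hypothetical; the sample object is constructed to mimic what `Get-GPInheritance` (GroupPolicy module) returns.

```powershell
# Added example: audit the GPO picture on a cluster-node OU.
# $Som is the object returned by Get-GPInheritance for that OU.
function Test-ClusterOuGpo {
    param([Parameter(Mandatory)] $Som)
    $findings = @()

    # List item: block inheritance of GPOs on the cluster OU.
    if (-not $Som.GpoInheritanceBlocked) {
        $findings += "Inheritance is not blocked on $($Som.Path)"
    }

    # List item: ONE GPO created specifically for the clustered nodes.
    $direct = @($Som.GpoLinks | Where-Object { $_.Enabled })
    if ($direct.Count -ne 1) {
        $findings += "Expected 1 enabled GPO linked to the OU, found $($direct.Count)"
    }

    # List item: Enforced (No Override) links on parent containers
    # still apply even when inheritance is blocked.
    $wayward = @($Som.InheritedGpoLinks |
        Where-Object { $_.Enforced -and $_.Target -ne $Som.Path })
    foreach ($link in $wayward) {
        $findings += "Enforced GPO '$($link.DisplayName)' from $($link.Target) still applies"
    }
    $findings
}

# Constructed sample (hypothetical OU and GPO names), so this runs without a domain.
$ou = 'ou=ClusterNodes,dc=example,dc=test'
$own = [pscustomobject]@{ DisplayName = 'Cluster Nodes Lockdown'
    Enabled = $true; Enforced = $false; Target = $ou }
$parent = [pscustomobject]@{ DisplayName = 'Domain High Security'
    Enabled = $true; Enforced = $true; Target = 'dc=example,dc=test' }
$sample = [pscustomobject]@{
    Path                  = $ou
    GpoInheritanceBlocked = $true
    GpoLinks              = @($own)
    InheritedGpoLinks     = @($parent, $own)
}
Test-ClusterOuGpo -Som $sample

# Against a live domain (read-only):
# Test-ClusterOuGpo -Som (Get-GPInheritance -Target $ou)
```

Run it on a schedule or after any change to parent OUs, since a newly enforced link higher in the tree changes what the cluster nodes receive without touching the cluster OU itself.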