Wednesday, September 07, 2005

Clusters, security templates, OUs, and GPOs

If you have been keeping up with some of my past posts, you have seen that I have been wrestling with clustering issues and also with security templates and GPOs. I came up with a list of things that have been helpful to us in deploying our clusters.
  • Do not apply "high security" templates to the base operating system.
  • Organize your clustered nodes into OUs (a single OU for the physical nodes of the cluster if possible).
  • Put the clustered server OU as close to the root as possible.
  • Create a GPO specifically for the clustered nodes; use that GPO to restrict settings that need to be locked down. This simplifies troubleshooting if you only have ONE GPO that affects your clustered nodes.
  • Block inheritance of GPOs on the cluster OU.
  • Watch out for wayward GPOs on parent OUs and especially GPOs that have the Enforced (or No Override) setting on them.
  • Remember, GPOs apply to the physical nodes of the cluster, not the virtual servers.
A good reference for applying more restrictive settings to clustered nodes is: How to apply more restrictive security settings on a Windows Server 2003-based cluster server.
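
The checklist above can be checked mechanically. The following is an added example, not part of the original post: it assumes a management host with the GroupPolicy RSAT PowerShell module and inspects the object that `Get-GPInheritance` returns for the cluster OU. The function name, the GPO names and the OU path are hypothetical, and the sample object is constructed so the block runs without a domain.

```powershell
# Added example: audit one OU's Group Policy inheritance against the checklist.
# $Inheritance is the output of Get-GPInheritance, or an object of the same shape.
function Test-ClusterOuPolicy {
    param(
        [Parameter(Mandatory)] $Inheritance,
        [Parameter(Mandatory)] [string] $ExpectedGpo  # hypothetical: the ONE cluster GPO
    )
    $findings = @()

    # Checklist: block inheritance of GPOs on the cluster OU.
    if (-not $Inheritance.GpoInheritanceBlocked) {
        $findings += "Inheritance is not blocked on $($Inheritance.Path)"
    }

    # Checklist: only one GPO should be linked to the clustered nodes' OU.
    $direct = @($Inheritance.GpoLinks | Where-Object Enabled)
    foreach ($link in $direct) {
        if ($link.DisplayName -ne $ExpectedGpo) {
            $findings += "Unexpected GPO linked to the OU: $($link.DisplayName)"
        }
    }
    if ($direct.DisplayName -notcontains $ExpectedGpo) {
        $findings += "Cluster GPO '$ExpectedGpo' is not linked to the OU"
    }

    # Checklist: wayward GPOs on parent OUs. InheritedGpoLinks is the effective
    # list; an Enforced parent link stays in it even when inheritance is blocked.
    foreach ($link in @($Inheritance.InheritedGpoLinks | Where-Object Enabled)) {
        if ($link.Target -ne $Inheritance.Path) {
            $kind = if ($link.Enforced) { 'Enforced' } else { 'Inherited' }
            $findings += "$kind GPO '$($link.DisplayName)' from $($link.Target) applies"
        }
    }
    $findings
}

# Constructed sample (not real data): blocked inheritance, one Enforced parent GPO.
$ou  = 'ou=clusternodes,dc=example,dc=test'
$own = [pscustomobject]@{ DisplayName = 'Cluster Nodes Policy'; Enabled = $true
                          Enforced = $false; Target = $ou }
$bad = [pscustomobject]@{ DisplayName = 'Corp High Security'; Enabled = $true
                          Enforced = $true; Target = 'dc=example,dc=test' }
$sample = [pscustomobject]@{ Path = $ou; GpoInheritanceBlocked = $true
                             GpoLinks = @($own); InheritedGpoLinks = @($own, $bad) }

Test-ClusterOuPolicy -Inheritance $sample -ExpectedGpo 'Cluster Nodes Policy'
# Live use: pass (Get-GPInheritance -Target '<cluster OU DN>') as -Inheritance.
```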


