Windows Server 2012

Configuring Cluster-Aware Updating in Windows Server 2012

Windows Server 2012 (WS2012) introduced Cluster-Aware Updating (CAU) to allow each member of a cluster be paused, drained of highly available (HA) roles, patched, and rebooted in an orchestrated manner. Without CAU, you will probably be patching your clusters manually (which rarely happens), and in the case of Hyper-V clusters, CAU will leverage Live Migration to ensure that services have zero downtime.

We will be implementing a number of steps:

  1. Prerequisites: Getting the environment and servers ready
  2. Prestaging a computer account: This will be for a HA role that is used by the cluster to orchestrate the CAU patching process.
  3. Configuring CAU
  4. Testing and monitoring CAU patching

CAU Prerequisites

There are a number of prerequisites for installing and maintaining CAU on your clusters. Each cluster node should be configured with:

  • Enabled WMI: This is the default on WS2012. You can run Set-WSManQuickConfig to enable WMI if it is disabled.
  • Enable Windows PowerShell 3.0 and Windows Powershell remoting: This is also the default on WS2012. PowerShell is a Server Manager role, and you can use Enable-PSRemoting to enable remoting.
  • .Net 4.5: This is also installed by default (Server Manager) on WS2012.
  • Remote Shutdown firewall rule: You must enable the Remote Shutdown inbound rule in Windows Firewall. The PowerShell option is Set-NetFirewallRule -Group “@firewallapi.dll,-36751” -Profile Domain -Enabled true.

You will need a location for your nodes from which to download the updates. Unfortunately System Center Configuration Manager does not support CAU yet. The recommended managed solution will be to use WSUS. If you are downloading updates through a proxy (such as directly from Microsoft) then you will need to configure WinHTTP proxy settings on each cluster node. This would be done as follows, with a proxy called TheProxy.Demo.Internal that operates on TCP 80:

Sponsored Content

Passwords Haven’t Disappeared Yet

123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?

netsh winhttp set proxy TheProxy.Demo.Internal:80 “<local>”

Prestaging a Computer Account

CAU will require a computer account that will be used by the cluster to create a HA role that enables the cluster to self-manage the orchestrated patching, even if the nodes of the cluster are being rebooted. The setup wizard does allow you to let the cluster create a computer account in Active Directory, but this will get some anonymous name. Take the time to create a prestaged computer account with a name that will mean something to you and your colleagues in a year’s time.

  • Place all cluster nodes and the cluster client access point (CAP) computer account into an OU, preferably named after the cluster.  For example, the cluster CAP is called Demo-FSC2. An OU called Demo-FSC2 is created. The members of the cluster (Demo-FS1 and Demo-FS2) and the CAP (Demo-FSC2) are moved into the new OU.
  • Create a computer account in the new OU and give it a meaningful name. This will be the prestaged computer account. For example, it could be called Demo-FSC2-CAU, indicating that the account is used by CAU on the Demo-FSC2 cluster.
  • Disable (not delete) the new computer account.
  • Enabled the Advanced view in Active Directory Users And Computers. Edit the security (via the Advanced button) of the cluster’s OU. Grant the cluster CAP (in our case, Demo-FSC2) List All Properties and Create Computer Account permissions to This Object And All Descendent Objects.


The prestaged computer account and cluster accounts.

Configuring Cluster-Aware Updating permissions

Granting the cluster permissions to the cluster’s OU.

Configure CAU

Now you will open up Failover Cluster Manager (FCM) and configure CAU for your cluster:

  • Browse to the cluster in FCM and launch Cluster-Aware Updating from the Configure pane.
  • Click the Configure Cluster Self-Updating Options link in the Cluster-Aware Updating wizard.
  • In the Add-Clustered Role step of the wizard, check the box for Add The CAU Clustered Role box and also check the I Have A Prestaged Computer Object box.
  • Type in the name of the prestaged computer account, for example Demo-FSC2-CAU.
  • Configure when you want CAU to run in the Self-Updating Schedule step. You can choose a daily, weekly, or monthly day/time. In the case of Hyper-V, many will choose to run CAU during a midweek workday; this is because there is no perceivable downtime for virtual machine services and engineers/administrators will be on hand to monitor operations instead of being woken at 5 a.m. on a Sunday morning if a drained host had a problem.
  • The Advanced Options wizard step allows you to customize how CAU runs. This includes how many failed hosts will be tolerated, retry attempts (three by default), a patching timeout (very dangerous, because you don’t want half-patched servers), and various kinds of scripts that can be run.
  • Additional Options allows you to include recommended updates, which is… well, recommended.

Configuring Cluster-Aware Updating

Using the prestaged computer account.

If all goes well the wizard will complete with a Success status. Check the prerequisites, the name of the prestaged computer account, and the permissions on the cluster’s OU.

Testing and Monitoring CAU

With CAU configured, your cluster will automatically:

  1. Drain each node, using live migration in the case of Hyper-V
  2. Patch it
  3. Reboot it if required (it usually is)
  4. Repeat the process with each node in turn

You can initiate a patch run manually from FCM on a cluster node once you have completed the above configuration. Launch the Cluster-Aware Updating Wizard and then run Apply Updates To This Cluster. The status of the update job will be visible under Log Of Updates In Progress. You can also run Generate Report On Past Updating Runs from a specific time window, with the added option of exporting the report in HTML format.

Warning: WS2012 Hyper-V VMs with Low Priority

By default WS2012 Hyper-V uses Quick Migration on virtual machines with a low cluster priority. You can change this default behaviour so that low priority VMs are moved using live migration, just like medium- and high-priority VMs. WS2012 R2 Hyper-V uses live migration by default for VMs of all priorities.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (7)

7 responses to “Configuring Cluster-Aware Updating in Windows Server 2012”

  1. […] Configure Cluster-Aware Updating in Windows Server 2012 NewsWindows Firewall 2014 WINDOWS OPEN FIREWALL Recommended: The trouble with routers | The Silicon Underground Enable Windows Firewall on Windows 8 | Support by iYogi Brien Malone's Tech Blog: Percussion CM System (Rhythmyx) and … Configuring Port 9002 for Export to ESXi in Replay 4 – Continue reading → WINDOWS PORT FIREWALL 2014 I tried permitting the application utilizing Windows Firewall (Windows 7 Ultimate) however which didn’t function, at when I’m turning off the firewall completely. That’s not a advantageous long-term answer. Answer by DarrellTCP 2300-2400,6073,47624 UDP 2300-2400,6073 I am not running windows Continue reading → WINDOWS KERNEL FIREWALL 2014 Today I decided that I am officially tired with Windows and want to install Linux on my laptop. I read on a website all the pro and cons of each operating system ( Windows, OS, Linux) and discovered that Linux Continue reading → HOW DO YOU TURN OFF WINDOWS FIREWALL 2014 Recommended: Installing Ubuntu One In Windows 7 – Hangs At “Getting Information … Windows Vista: .exe file won't run – Straight Dope Message Board XP machine not loading networking pre logon – Spiceworks The Portable Freeware Collection • View topic Continue reading → 2014 ALLOW A PROGRAM THROUGH WINDOWS FIREWALL As I said, I have Windows 7. I have been able to host for years, (due to the fact that I know how to generally fix hosting, but not now) I quit about 4-5 months ago, and started playing again Continue reading → 2014 WINDOWS FIREWALL QUICKBOOKS Updates What my question is, is how do I clean it up? I have alot of programs on here that I don’t use anymore, example Quickbooks, that won’t remove itself totally from the add/remove programs. Also, it was set up on Continue reading → NO WINDOWS FIREWALL SERVICE WINDOWS 7 2014 The article explains the procedure for disabling Windows firewall. The instructions provided here are simple and correct to date. However, you must follow them carefully to avoid running in to common Windows firewall problems. Windows firewall helps keep your PC Continue reading → 2014 DOWNLOAD WINDOWS FIREWALL – 2014 I’m downloading with bittorrent and I have to disable windows firewall for a better internet speed but I don’t know how. I can’t finf it in the control panel. Answer by ngtuhanh188click start menu ->program->Accessories->System Tools->security have fun Answer by Continue reading → GROUP POLICY WINDOWS FIREWALL WITH ADVANCED SECURITY 2014 I want to change my firewall setting from group policy to recommended. Answer by Rickyhere is the link, tells you how to get to the settings…. that is assuming you have Active Directory setup, and you can utilize GP Continue reading → 2014 YOUTUBE WINDOWS FIREWALL News YOUTUBE WINDOWS FIREWALL Omaha, NE (PRWEB) September 05, 2014 If a National Marketing/PR Firm takes about high-profile customers, tackling controversial issues be about excellent alert for a politically-motivated cyber attack which anti-virus plus firewall programs reportedly cant currently block. Called Continue reading → 2014 WINDOWS FIREWALL MISSING WINDOWS XP I’m using Window XP, and I want to change the setting of my windows firewall. Unfortunately, it’s not visible in control panel. How can I make it visible? Answer by JimDandyWindows Firewall is only available, on Windows XP, after you Continue reading → 2014 ALLOW PING THROUGH WINDOWS FIREWALL News While playing Call of Duty on multi player, I keep lagging pretty bad. I took a look at my ping and it is only ever perfect (full green bars) or the lowest it can be. This is all results from Continue reading → ArchiveWINDOWS VISTA SERVICE PACK 1 2014 […]

  2. Interesting post, I have problem with my cluster CAU – both HyperV hosts have error in Server Manager – Management – Kerberos target resolution error – which is DNS thing – pointing to non existing server which shoul be CAU representation (it name is CAU-SF4s2)… I did try to create OU in ADUC just for cluster objects with same name as cluster representation, but it won’t let me have the same name, also can’t set rights to Create Computer objects on that OU with cluster representation as principal….

Leave a Reply

Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where he dealt with large and complex IT infrastructures and MicroWarehouse Ltd. where he worked with Microsoft partners in the small/medium business space.
Live Webinar - Thursday, December 2nd! Active Directory Masterclass: AD Configuration Strategies for Stronger SecurityREGISTER NOW - Thursday, December 2, 2021 @ 1 pm ET

Active Directory (AD) is leveraged by over 90% of enterprises worldwide as the authentication and authorization hub of their IT infrastructure—but its inherent complexity leaves it prone to misconfigurations that can allow attackers to slip into your network and wreak havoc. 

Join this session with Microsoft MVP and MCT Sander Berkouwer, who will explore:

  • Whether you should upgrade your domain controllers to Windows Server
    2019 and beyond
  • Achieving mission impossible: updating DCs within 48 hours
  • How to disable legacy protocols and outdated compatibility options in
    Active Directory

Sponsored by: