Windows 2003 Options for Quorum Disks and Fail-over
Starting with Windows 2003, a more durable approach of managing the quorum disks with clustering was created called majority note set. It all but eliminates the single-point-of-failure weakness in the traditional quorum disk configuration that exists with Windows 2000 servers. However, even this new approach won't always be the best option for many clustered scenarios.
The notion of “quorum” as a single shared disk resource means that the storage subsystem has to interact with the cluster infrastructure to provide the illusion of a single storage device with very strict semantics. Although the quorum disk itself can be made highly available via RAID or mirroring, the controller port may be a single point of failure. In addition, if an application inadvertently corrupts the quorum disk or an operator takes down the quorum disk, the cluster becomes unavailable.
This can be solved by using a “majority node set” option as a single quorum resource from an MSCS perspective. In this set, the cluster log and configuration information will be stored on multiple disks across the cluster. A new majority node set resource takes care to ensure that the cluster configuration data stored on the majority node set is kept consistent across the different disks.
The disks that make up the majority node set could, in principle, be local disks physically attached to the nodes themselves or disks on a shared storage fabric (collection of centralized shared SAN devices that are connected over a switched-fabric or fibre-channel arbitrated loop storage area network [SAN]). In the majority node set implementation that is provided as part of MSCS in Windows Server 2003, every node in the cluster uses a directory on its own local system disk to store the quorum data. If the configuration of the cluster changes, that change is reflected across the different disks. The change is only considered to have been committed (made persistent) if that change is made to a majority of the nodes (that is [Number of nodes configured in the cluster]/2) + 1). In this way, a majority of the nodes have an up-to-date copy of the data. The cluster service itself will only start up if a majority of the nodes currently configured as part of the cluster are up and running as part of the cluster service.
If there are fewer nodes, the cluster is said not to have quorum and therefore the cluster service waits (trying to restart) until more nodes try to join. Only when a majority (or quorum) of nodes is available will the cluster service start up and bring the resources online. This way, since the up-to-date configuration is written to a majority of the nodes, regardless of node failures, the cluster will always guarantee that it starts up with the latest and most up-to-date configuration.
In the case of a failure or split-brain, all resources hosted on the partition of a cluster that has lost quorum are terminated to preserve the clusters' guarantee of only bringing a resource online on one node.
If a cluster becomes partitioned, (for example, if there is a communications failure between two sets of nodes in the cluster), then any partitions that do not have a majority of the configured nodes (less than [n/2]+1 nodes) are said to have lost quorum. The cluster service and all resources hosted on the nodes of partitions that do not have a majority are terminated. This ensures that if there is a partition running that contains a majority of the nodes, it can safely start up any resources that are not running on that partition.
In a typical MSCS cluster, a cluster can continue as long as one of the nodes owns the Quorum disk. Any nodes that can communicate (via heartbeats) with the quorum owner are part of the cluster and can host resources. Any other nodes that are configured to be in the cluster, but that cannot communicate with the quorum owner, are said to have lost quorum, and thus any resources that they are hosting are terminated.
The majority node set resource is an optional quorum resource that Microsoft ships with the MSCS. By default, the physical disk resource is set up as a quorum resource.
CAUTION Because the semantics of a cluster using majority node set are different than a cluster using the standard quorum resource(s), a cluster cannot be converted from one type to another dynamically. The decision on whether to use a traditional quorum resource or the majority node set resource must be made upfront. It cannot be changed later by simply switching cluster quorum resources.
A majority node set is created by first creating a single node cluster. This can be done using the standard cluster setup mechanisms. In the event that the cluster has no shared disks, the cluster configuration wizard will create a single node with a local quorum disk cluster by default. When using shared disks, the cluster configuration wizard will create a single node cluster with a physical disk selected as the quorum resource.
Once a single node cluster is set up, the quorum resource can be switched to the majority node set resource using cluster administrator. You simply open Cluster Administrator and connect to the appropriate cluster. You then create a new resource of type Majority node set. Change the cluster quorum resource to the newly created majority node set resource. The Quorum tab on the cluster properties shows the current quorum resource, and it can be modified by selecting the appropriate resource.
Once a single node cluster is set up using the majority node set resource, other nodes can be added to the cluster. As each node is joined, the quorum calculation is updated. In other words, if two nodes are added to build a 3-node cluster, quorum is adjusted so that two out of the three nodes must be running for the cluster to be considered to have quorum.
The majority node set quorum resource ensures that the quorum data is kept consistent across all nodes of the cluster and it is responsible for making changes to the quorum data stored on all nodes in the cluster.
CAUTION Each node in the cluster stores its quorum data in the following directory on the system disk:
%SystemRoot%ClusterQoN.%ResourceGUID%$\%ResourceGUID%$MSCS
The contents of this directory should not be modified; this directory contains cluster configuration information. Modifying the data in this directory may mean that the cluster service cannot start on the node.
The quorum resource accesses the data on the other nodes in the cluster using a network share. When a node is added to a cluster using the majority node set resource, a file share is created to expose the cluster quorum data to the majority node set resource. The share name is defined as follows:
\%NodeName%\%ResourceGUID%$
The share is created with local system access. Since the cluster service is running under a domain account that is also a member of the local system group, the majority node set resource has access to the share.
The majority node set resource uses the private cluster connection between nodes to transfer data to the shares.
Figure 4.27 shows how the Quorum disk is spread out over multiple nodes as part of the majority set quorum configuration.
