Creating the network

Your cluster requires a custom network. Use VPC to create a custom network andone subnetwork by runninggcloud commands in Cloud Shell.

1. Create the network:

   gcloud compute networks create wsfcnet --subnet-mode custom

   The name of the network you created iswsfcnet.

2. Create a subnetwork. Replace[YOUR_REGION] with a nearby GCP region:

   gcloudcomputenetworkssubnetscreatewsfcnetsub1--network wsfcnet --region [YOUR_REGION] --range 10.0.0.0/16

   The name of the subnetwork you created iswsfcnetsub1.

Notice that theCIDR range for IP addresses in this subnetwork is10.0.0.0/16. This is an examplerange used for this tutorial. In production systems, work with your networkadministrators to allocate appropriate ranges for IP addresses for yoursystems.

Create firewall rules

By default, your network is closed to external traffic. You must open ports inthe firewall to enable remote connections to the servers. Usegcloud commandsin Cloud Shell to create the rules.

1. For this tutorial, open port 3389 on the main network toenable RDP connections. In the following command, replace[YOUR_IPv4_ADDRESS] with the IP address of the computer you use toconnect to your VM instances. In a production system,you can provide an IP address range or a series of addresses.

   gcloudcomputefirewall-rulescreateallow-rdp--network wsfcnet --allow tcp:3389 --source-ranges [YOUR_IPv4_ADDRESS]

2. On the subnetwork, allow all protocols on all ports to enable theservers to communicate with each other. In production systems, consideropening only specific ports, as needed.

   gcloud compute firewall-rules create allow-all-subnet --network wsfcnet --allow all --source-ranges 10.0.0.0/16

   Notice that thesource-ranges value matches the CIDR range you used to createthe subnetwork.

3. View your firewall rules:

   gcloud compute firewall-rules list

   You should see output similar to the following:

   NAME              NETWORK  DIRECTION  PRIORITY  ALLOW            DENY  DISABLEDallow-all-subnet  wsfcnet  INGRESS    1000      all                    Falseallow-rdp         wsfcnet  INGRESS    1000      tcp:3389               False

Enabling failover clustering in Compute Engine

To enable failover clustering in the Compute Engine agent,you need to add the flagenable-wsfc=true to your VM definitions either byspecifying it as custom metadata for the VM or by creating aconfiguration file on each VM, as described in theCompute Enginedocumentation.

This tutorial defines the flag as custom metadata when the VMs are created, asdescribed in the next section. The tutorial also relies on the defaultbehavior forwsfc-addrs andwsfc-agent-port, so you don't need to setthese values.

Creating the servers

Next, create the 3 servers. Use thegcloud command in Cloud Shell.

Create the first cluster-node server

Create a new Compute Engine instance. Configure the instance as follows:

• Name the instancewsfc-1.
• Set the--zone flag to a convenient zone near you. For example,us-central1-a.
• Set the--machine-type flag ton1-standard-2.
• Set the--image-project flag towindows-cloud.
• Set the--image-family flag towindows-2016.
• Set the--scopes flag tohttps://www.googleapis.com/auth/compute.
• Set the--can-ip-forward flag to enable IP forwarding.
• Set the--private-network-ip flag to10.0.0.4.
• Set the network towsfcnet and the subnetwork towsfcnetsub1.
• Use the--metadata parameter to setenable-wsfc=true.

Run the following command, replacing[YOUR_ZONE_1] with the nameof your first zone:

gcloudcomputeinstancescreatewsfc-1--zone [YOUR_ZONE_1] --machine-type n1-standard-2 --image-project windows-cloud --image-family windows-2016 --scopes https://www.googleapis.com/auth/compute --can-ip-forward --private-network-ip 10.0.0.4 --network wsfcnet --subnet wsfcnetsub1 --metadata enable-wsfc=true

Create the second cluster-node server

For the second server, follow the same steps, except:

• Set the instance name to:wsfc-2.
• Set the--zone flag to a different zone than the zone that you usedfor the first server. For example,us-central1-b.
• Set the--private-network-ip flag to10.0.0.5.

Replace[YOUR_ZONE_2] with the name of your second zone:

gcloudcomputeinstancescreatewsfc-2--zone [YOUR_ZONE_2] --machine-type n1-standard-2 --image-project windows-cloud --image-family windows-2016 --scopes https://www.googleapis.com/auth/compute --can-ip-forward --private-network-ip 10.0.0.5 --network wsfcnet --subnet wsfcnetsub1  --metadata enable-wsfc=true

Create the third server for Active Directory

For the domain controller, follow the same steps, except:

• Set the instance name to:wsfc-dc.
• Set the--zone flag to a different zone than the zones that you usedfor the other servers. For example,us-central1-c.
• Set the--private-network-ip flag to10.0.0.6.
• Omit--metadata enable-wsfc=true.

Replace[YOUR_ZONE_3] with the name of your zone:

gcloudcomputeinstancescreatewsfc-dc--zone [YOUR_ZONE_3] --machine-type n1-standard-2 --image-project windows-cloud --image-family windows-2016 --scopes https://www.googleapis.com/auth/compute --can-ip-forward --private-network-ip 10.0.0.6 --network wsfcnet --subnet wsfcnetsub1

View your instances

You can see the details about the instances you created.

gcloud compute instances list

You will see output similar to the following:

NAME     ZONE           MACHINE_TYPE  PREEMPTIBLE INTERNAL_IP  EXTERNAL_IP     STATUSwsfc-1   us-central1-a  n1-standard-2             10.0.0.4     35.203.131.133  RUNNINGwsfc-2   us-central1-b  n1-standard-2             10.0.0.5     35.203.130.194  RUNNINGwsfc-dc  us-central1-c  n1-standard-2             10.0.0.6     35.197.27.2     RUNNING

Connecting to your VMs

To connect to a Windows-based VM, you must first generate a password for the VM.You can then connect to the VM using RDP.

Generating passwords

1. In the Google Cloud console, go to theVM instances page.

   Go to VM instances

2. Click the name of the VM instance for which you need a new password.

3. On the instance details page, click theSet Windows Passwordbutton. A password is generated for you. Copy the password and store it in asecure place.

Connecting through RDP

The Compute Engine documentation provides details about how to connect to yourWindows VM instances by using RDP. You can either:

• Use an existing client.
• Add a Chrome RDP plugin to your browser and thenconnect through theGoogle Cloud console.

Whenever this tutorial tells you to connect to a Windows instance, use yourpreferred RDP connection.

Configuring Windows networking

The internal IP addresses that you assigned when you created the VMs arestatic. To ensure that Windows treats the IP addresses as static, you need toadd them, along with the IP addresses of the default gateway and the DNSserver, to the Windows Server networking configuration.

Use RDP to connect towsfc-1,wsfc-2, andwsfc-dc,and repeat the following steps for each instance:

1. In Server Manager, in the left pane, selectLocal Server.
2. In theEthernet entry of theProperties pane, clickIPv4 address assigned by DHCP, IPv6 enabled.
3. Right-clickEthernet and selectProperties.
4. Double-clickInternet Protocol Version 4 (TCP/IPv4).
5. SelectUse the following IP address.

6. Enter the internal IP address that you assigned to the VM when youcreated it.

   • Forwsfc-1, enter "10.0.0.4".
   • Forwsfc-2 enter "10.0.0.5".
   • Forwsfc-dc enter "10.0.0.6".

7. ForSubnet mask, enter "255.255.0.0".

8. ForDefault gateway, enter10.0.0.1, the IP address that wasautomatically reserved for the default gateway when you created the subnetwsfcnetsub1.

   The IP address for the default gateway is always the secondaddress in the primary IP range for a subnet. SeeUnusable addresses in IPv4 subnet ranges.

9. Forwsfc-1 andwsfc-2 only:

   1. ClickUse the following DNS server addresses.

   2. ForPreferred DNS server, enter "10.0.0.6".

10. Close all the dialog boxes.

    You lose RDP connectivity because these changes reset the virtual networkadapter for the VM instance.

11. Close the RDP session and then reconnect to the instance.If a dialog box from the previous step is still open, close it.

12. In the properties section for the local server, verify that theEthernet setting reflects the local server IP address (10.0.0.4,10.0.0.5,or10.0.0.6). If it doesn't, re-open theInternetProtocol Version 4 (TCP/IPv4) dialog box and update the setting.

This is a good time to take snapshots ofwsfc-1 andwsfc-2.

Setting up Active Directory

Now, set up the domain controller.

1. Use RDP to connect to the server namedwsfc-dc.
2. Using the Windows Computer Management desktop app, set a password for thelocal Administrator account.
3. Enable the local Administrator account.

4. Follow the steps in the Microsoft instructions below to set up the domaincontroller, with these additional notes. You can use default values for mostsettings.

   • Select the DNS Server role check box. This step is not specified in theinstructions.
   • Select theRestart the destination server automatically ifrequired check box.
   • Promote the file server to a domain controller.
   • During theAdd a new forest step, name your domain "WSFC.TEST".
   • Set the NetBIOS domain name to "WSFC" (the default).

   Microsoft instructions

This is a good time to take a snapshot ofwsfc-dc.

Create the domain user account

It can take some time forwsfc-dc to restart. Before joining servers to thedomain, use RDP to sign in towsfc-dc to validate that the domain controlleris running.

You need a domain user that has administrator privileges for the clusterservers. Follow these steps:

1. On the domain controller (wsfc-dc) clickStart, and then typedsa to find and open the Active Directory Users and Computers app.
2. Right-clickWSFC.TEST, point toNew, and then clickUser.
3. For theFull name and theUser logon name, entercluster-admin.
4. ClickNext.
5. Enter and confirm a password for the user. Select password options in thedialog box. For example, you can set the password to never expire.
6. Confirm the settings and then clickFinish.

7. Makecluster-admin an administrator onwsfc-dc:

   • Right-clickcluster-admin and selectAdd to a group.
   • TypeAdministrators, and clickOK.

This tutorial uses theWSFC.TEST\cluster-admin account as an administratoraccount wherever such an account is required. In a production system, followyour usual security practices for allocating accounts and permissions. For moreinformation, seeOverview of Active Directory accounts needed by a failover cluster.

Join the servers to the domain

Add the two cluster-node servers to theWSFC.TEST domain. Perform thefollowing steps on each cluster-node server (wsfc-1 andwsfc-2):

1. InServer Manager >Local Server, in theProperties pane, clickWORKGROUP.
2. ClickChange.
3. SelectDomain and then enter "WSFC.TEST".
4. ClickOK.
5. Provide the credentials forWSFC.TEST\cluster-admin to join the domain.
6. ClickOK.
7. Close the dialog boxes and follow the prompts to restart the server.

8. InServer Manager, makecluster-admin an administrator onwsfc-1 andwsfc-2. Alternatively, you can manage administrative privileges byusing a group policy.

   • On theTools menu, selectComputer Management >Local Usersand Groups >Groups >Administrators, and then clickAdd.
   • Enter "cluster-admin" and the clickCheck names.
   • ClickOK.

This is a good point to take snapshots of all three VMs.

Setting up failover clustering

Reserve an IP address for the cluster in Compute Engine

When you create the failover cluster, you assign an IP address to create an administrative access point. In a production environment, you mightuse an IP address from a separate subnet.However, in this tutorial you reserve an IP address from the subnet youalready created. Reserving the IP address prevents conflicts with other IPassignments.

1. Open a terminal on a host VM or open Cloud Shell.

   Go to Cloud Shell

2. Reserve an IP address. For this tutorial, use10.0.0.8:

   gcloud compute addresses create cluster-access-point --region [YOUR_REGION] --subnet wsfcnetsub1 --addresses 10.0.0.8

3. To confirm the reservation of the IP address:

   gcloud compute addresses list

Create the cluster

To create and configure the failover cluster:

1. Use RDP to connectwsfc-1 andwsfc-2.

2. Follow the steps in the Microsoft instructions below, with these additional notes:

   • Install the Failover Clustering feature onwsfc-1 andwsfc-2. Don't install the Failover Clustering feature onwsfc-dc.
   • Run the Failover Cluster Manager app as the domain userWSFC.TEST\cluster-admin. Otherwise, you might encounter permissionsissues.It's a good idea to always run Failover Cluster Manager this way or toconnect to a server ascluster-admin to ensure you have the requiredpermissions.
   • Addwsfc-1 andwsfc-2 to the cluster as nodes.

   • When validating the configuration:

     • On theTesting Options​ page, selectRun only tests Iselect​, ​and then clickNext​.

     • On theTest Selection​ page, clearStorage because theStorage​ option will fail when running on Compute Engine (as itwould for separate standalone physical servers).

       Common issues you might encounter during cluster validation include:

       • Only one network interface between replicas. You canignore this one, because it doesn't apply in a cloud-based setup.
       • Windows Updates not the same on both replicas. If youconfigured your Windows instances to apply updatesautomatically, one of the nodes mighthave applied updates that the other hasn't downloaded yet. You shouldkeep the servers in identical configurations.
       • Pending reboot. You've made changes to one of the servers,and it needs a reboot to apply. Don't ignore this one.
       • The servers do not all have the same domain role. You canignore this one.
       • The servers are not all in the same Organizational Unit (OU).This tutorial doesn't use an OU at all, but in a production systemconsider putting your cluster in its own OU. The Microsoftinstructions describe this best practice.
       • Unsigned drivers were found. You can ignore this one.

   • On theSummary page, you can selectCreate the cluster now usingthe validated nodes to continue on to create the cluster, rather thanclosing the wizard and reopening it.

   • In the Create Cluster Wizard, on theAccess point page:

     • Name your cluster "testcluster".
     • In theAddress field, enter the IP address that you reserved earlier,10.0.0.8.

   Microsoft instructions

Add the cluster administrator

Adding a domain account as an administrator for the cluster enables you toperform actions on the cluster from tools such as Windows PowerShell. Add thecluster-admin domain account as a cluster admin.

1. On the cluster node that hosts the cluster resources, in Failover ClusterManager, select your cluster in the left pane and then clickPropertiesin the right pane.
2. Select theCluster Permissions tab.
3. ClickAdd and then addcluster-admin.
4. Withcluster-admin selected in theGroup or user names list, selectFull Control in thePermissions pane.
5. ClickApply andOK.

This is a good point to take snapshots.

Creating the file share witness

You have a two-node failover cluster, but the cluster uses a voting mechanism todecide which node should be active. To achieve a quorum, you can add afile share witness.

This tutorial simply adds a shared folder to the domain controller server.If this server were to go offline at the same time one of the cluster nodes isrestarting, the entire cluster could stop working because the remaining servercan't vote by itself. For this tutorial, the assumption is that the GCPinfrastructure features, such asLive Migration andautomatic restart,provide enough reliability to keep the shared folder alive.

If you want to create a more-highly-available file share witness, you have theseoptions:

• Use a cluster of Windows Servers to provide the share by usingStorage Spaces Direct.This Windows Server 2016 feature can provide a highly available share forthe quorum witness. For example, you could create a cluster for your ActiveDirectory domain controller to provide both highly available domainservices and provide the file share witness at the same time.
• Use data replication software, such as SIOS Datakeeper, with WindowsFailover Server Clustering for synchronous or asynchronous replication.

Follow these steps to create the file share for the witness:

1. Connect towsfc-dc. This server hosts the file share.
2. In Explorer, browse to theC drive.
3. In the title bar, click theNew Folder button.
4. Name the new foldershares.
5. Double-click theshares folder to open it.
6. Add a new folder and name itclusterwitness-testcluster.

Configure sharing for the file share witness

You must set permissions on the file share witness folder to enable the clusterto use it.

1. From Explorer, right-click theclusterwitness-testcluster folder andselectProperties.
2. On theSharing tab, clickAdvanced Sharing.
3. SelectShare this folder.
4. ClickPermissions and then clickAdd.
5. ClickObject Types, selectComputers, and then clickOK.
6. Add the machine accounttestcluster$.
7. GiveFull Control permissions totestcluster$.
8. ClickApply and then close all the dialog boxes.

Add the file share witness to the failover cluster

Now, configure the failover cluster to use the file share witness as a quorumvote.

1. On the computer that hosts the cluster resources (wsfc-1), openthe Failover Cluster Manager.
2. In the left pane, right-click the name of the cluster(testcluster.WSFC.TEST) then point toMore Actions, and then clickConfigure Cluster Quorum Settings.
3. On theSelect Quorum Configuration Option panel, chooseSelect the quorum witness.
4. On theSelect Quorum Witness panel, chooseConfigure a file share witness.
5. For theFile Share Path, enter the path to the shared folder, such as\\wsfc-dc\clusterwitness-testcluster.
6. Confirm the settings and then clickFinish.

Testing the failover cluster

Your Windows Server failover cluster should now be working. You can testmanually moving cluster resources between your instances. You're not done yet,but this is a good checkpoint to validate that everything you've done so far isworking.

1. Onwsfc-1, note the name of theCurrent Host Server in FailoverCluster Manager.
2. Run Windows PowerShell ascluster-admin.

3. In PowerShell, run the following command to change the current host server:

   Move-ClusterGroup -Name "Cluster Group"

You should see the name of the current host server change to the other VM.

If this didn't work, review the previous steps and see if you missed anything.The most common issue is a missing firewall rule that isblocking access on the network. Refer to theTroubleshooting section for more issues to check.

Otherwise, you can now move on to setting up the internal load balancer, whichis required in order to route network traffic to the current host server in thecluster.

This is a good time to take snapshots.

Adding a role to the failover cluster

In Windows failover clustering,roles host clustered workloads. You can use arole to specify in the cluster the IP address that your application uses. Forthis tutorial, you add a role for the test workload, which is the InternetInformation Services (IIS) web server, and assign an IP address to the role.

Reserve an IP address for the role in Compute Engine

To prevent IP addressing conflicts within your subnet in Compute Engine, reserve the IP address for the role.

1. Open a terminal on a host VM or open Cloud Shell.

   Go to Cloud Shell

2. Reserve an IP address. For this tutorial, use10.0.0.9:

   gcloud compute addresses create load-balancer-ip --region [YOUR_REGION] --subnet wsfcnetsub1 --addresses 10.0.0.9

3. To confirm the reservation of the IP address:

   gcloud compute addresses list

Add the role

Follow these steps:

1. In Failover Cluster Manager, in theActions pane, selectConfigure Role.
2. In theSelect Role page, selectOther Server.
3. In theClient Access Point page, enter the nameIIS.
4. Set the address to10.0.0.9.
5. SkipSelect Storage andSelect Resource Types.
6. Confirm the settings and then clickFinish.

Creating the internal load balancer

Create and configure the internal load balancer, which is required in orderto route network traffic to the active cluster host node. You will use theGoogle Cloud console, because the user interface gives you a good view intohow internal load balancing is organized.

You will also create a Compute Engine instance group for each zonein the cluster, which the load balancer uses to manage the cluster nodes.

Create the instance groups

Create an instance group in each zone that containsa cluster node and then add each node to the instance group in its zone.Don't add the domain controllerwsfc-dc to an instance group.

1. Create an instance group for each zone in the cluster, replacing[ZONE_1]with the name of your first zone and[ZONE_2] with the name of your second:

   gcloud compute instance-groups unmanaged create wsfc-group-1 --zone=[ZONE_1]

   gcloud compute instance-groups unmanaged create wsfc-group-2 --zone=[ZONE_2]

2. Add the server in each zone to the instance group for that zone:

   gcloud compute instance-groups unmanaged add-instances wsfc-group-1 --instances wsfc-1 --zone [ZONE_1]

   gcloud compute instance-groups unmanaged add-instances wsfc-group-2 --instances wsfc-2 --zone [ZONE_2]

3. Confirm that your instance groups were created and that each groupcontains one instance:

   gcloud compute instance-groups unmanaged list

     NAME          ZONE           NETWORK  NETWORK_PROJECT   MANAGED  INSTANCES  wsfc-group-1  us-central1-a  wsfcnet  exampleproject    No       1  wsfc-group-2  us-central1-b  wsfcnet  exampleproject    No       1

Create the load balancer

Start your configuration

1. In the Google Cloud console, go to theLoad balancing page.

   Go to Load balancing

2. ClickCreate load balancer.
3. ForType of load balancer, selectNetwork Load Balancer (TCP/UDP/SSL) and clickNext.
4. ForProxy or passthrough, selectPassthrough load balancer and clickNext.
5. ForPublic facing or internal, selectInternal and clickNext.
6. ClickConfigure.

Basic configuration

1. ForName, enter "wsfc-lb".
2. Select your current region.
3. Selectwsfcnet forNetwork.

Configure the backend

Recall that the GCP internal load balancer uses a periodic health check todetermine the active node. The health check pings the Compute Engine clusterhost agent that is running on the active cluster node. The health check payloadis the IP address of the application, which is represented by the clusteredrole. The agent responds with a value of 1 if the node is active or 0 if it isnot.

1. ClickBackend configuration.
2. UnderBackends, add each instance group that you created by selectingits name and clickingDone.

3. Create a health check.

   • ForName, enter "wsfc-hc".
   • Accept the defaultProtocol setting ofTCP and change thePort to "59998" for cluster host agent responses.
   • ForRequest, enter "10.0.0.9".
   • ForResponse, enter "1".
   • ForCheck interval, enter "2".
   • ForTimeout enter "1".
   • ClickSave and continue.

Configure the frontend

The frontend configuration creates a forwarding rule that defines how the loadbalancer handles incoming requests. For this tutorial, to keep it simple, youwill test the system by making requests between the VMs in the subnetwork.

In your production system, you probably want to open the system up to externaltraffic, such as Internet traffic. To do this, you cancreate a bastion host that accepts external traffic and forwards it to your internal network. Using abastion host is not covered in this tutorial.

1. In the center pane, clickFrontend configuration.
2. ForName, enter "wsfc-lb-fe".
3. Select your subnetwork (wsfcnetsub1).
4. ForInternal IP, selectload-balancer-ip (10.0.0.9). This is the sameIP address that you set for the role.
5. ForPorts, enter "80".
6. ClickDone.

Review and finalize

1. To see a summary of the internal load balancer settings, in the centerpane, clickReview and finalize. The summary appears in the right pane.

2. ClickCreate. It takes a moment to create the load balancer.

   

Create firewall rules for the health check

You might have noticed that the Google Cloud console notified you that thehealth-check system would require a firewall rule to enable the health checks toreach their targets. In this section, you set up the firewall rule.

1. In the Google Cloud console, go to theCloud Shell.

   Go to Cloud Shell

2. Run the following command to create the firewall rule:

   gcloud compute firewall-rules create allow-health-check --network wsfcnet --source-ranges 130.211.0.0/22,35.191.0.0/16 --allow tcp:59998

Open the Windows Firewall

On each cluster node,wsfc-1 andwsfc-2, create a firewall rule in theWindows firewall to allow the load balancer to access each Windows system.

1. Open the Windows Firewall with Advanced Security app.

2. In the left navigation pane, selectInbound Rules.

3. In the right navigation pane, selectNew Rule.

4. On theRule Type panel, selectCustom as the rule type and clickNext.

5. On theProgram panel, accept the default and clickNext.

6. On theProtocol and Ports panel:

   1. In theProtocol type: field, selectTCP.
   2. In theLocal port: field, selectSpecific Ports and enter59998.

7. On theScope panel, underWhich remote IP addresses does this ruleapply to:

   1. SelectThese IP addresses:.

   2. Add each of the following IP address to theThis IP address or subnetfield by clickingAdd:

      • 130.211.0.0/22
      • 35.191.0.0/16

   3. ClickNext.

8. On theAction panel, acceptAllow the connection and clickNext.

9. On theProfile panel, accept the defaults and clickNext.

10. Specify a name for the firewall rule and clickFinish.

Validating the load balancer

After your internal load balancer is running, you can inspect its status tovalidate that it can find a healthy instance, and then test failover again.

1. In the Google Cloud console, go to theLoad balancing page.

   Go to Load balancing

2. Click the name of the load balancer (wsfc-lb).

   In theBackend section of the summary, you should see the instancegroups listed.

   In the following image from the details page of thewsfc-lb load balancer,instance groupwsfc-group-1 contains the activenode, as indicated by1 / 1 in theHealthy column. Instance groupwsfc-group-2 contains the inactive node, as indicated by0 / 1.

   

   If both instance groups show0 / 1, the load balancer might still besyncing with the nodes. Sometimes, you need to do at least one failoveraction to get the load balancer to find the IP address.

3. In Failover Cluster Manager, expand the cluster name and click onRoles.In theOwner Node column, note the server name for theIIS role.

4. Start a failover by right-clicking theIIS role and selectingMove >Best Possible Node. This action moves therole to the other node, as shown in theOwner Node column.

   

5. Wait until theStatus showsRunning.

6. Return to theLoad balancer details page, clickRefresh, and verifythat the1 / 1 and0 / 1 values in theHealthy columnhave switched instance groups.

   

gcloud compute backend-services get-health wsfc-lb --region=[REGION]

backend: https://compute.googleapis.com/compute/v1/projects/exampleproject/zones/us-central1-a/instanceGroups/wsfc-group-1status:  healthStatus:  - healthState: HEALTHY    instance: https://compute.googleapis.com/compute/v1/projects/exampleproject/zones/us-central1-a/instances/wsfc-1    ipAddress: 10.0.0.4    port: 80  kind: compute#backendServiceGroupHealth---backend: https://compute.googleapis.com/compute/v1/projects/exampleproject/zones/us-central1-b/instanceGroups/wsfc-group-2status:  healthStatus:  - healthState: UNHEALTHY    instance: https://compute.googleapis.com/compute/v1/projects/exampleproject/zones/us-central1-b/instances/wsfc-2    ipAddress: 10.0.0.5    port: 80  kind: compute#backendServiceGroupHealth

1. On each cluster node,install IIS.

   • On theSelect role services page, be sure thatDefault Documentis selected underCommon HTTP Features.
   • On theConfirmation page, select the checkbox that enablesautomatic restarting of the destination server.

2. Validate that each web server is working.

   1. Use RDP to connect to the VM namedwsfc-dc.
   2. In Server Manager, clickLocal Server in the navigation pane on theleft side of the window.
   3. in theProperties section at the top, turn offIE Enhanced Security Configuration.
   4. Open Internet Explorer.

   5. Browse to the IP address of each server:

      http://10.0.0.4/

      http://10.0.0.5/

In each case, you see theWelcome page, which is the default IIS webpage.

Edit the default web pages

Change each default web page so you can easily see which server is currentlyserving the page.

1. Use RDP to connect to the VM namedwsfc-1.
2. Run Notepad as administrator.
3. OpenC:\inetpub\wwwroot\iisstart.htm in Notepad. Remember to browse forAll Files, not just text files.

4. In the<title> element, change the text to the name of the currentserver. For example:

       <title>wsfc-1</title>

5. Save the HTML file.

6. Repeat these steps forwsfc-2, setting the<title> element towsfc-2.

Now, when you view a web page served from one of these servers, the name of theserver appears as the title in the Internet Explorer tab.

Test the failover

1. Use RDP to connect to the VM namedwsfc-dc.
2. Open Internet Explorer.

3. Browse to the IP address of the load balancer role:

   http://10.0.0.9/

   You see theWelcome page with the name of the current serverdisplayed in the tab title.

4. Stop the current server to simulate a failure. In Cloud Shell, run thefollowing command, replacing[INSTANCE_NAME] with the name of the current server you saw in the previousstep, such aswsfc-1:

   gcloudcomputeinstancesstop[INSTANCE_NAME]--zone=[ACTIVE_ZONE]

5. Switch to your RDP connection towsfc-dc.

   It can take a few moments for the load balancer to detect the move andreroute the traffic.

6. After 30 seconds or so, refresh the page in Internet Explorer.

   You should now see the name of the new active node displayed in the tab title.For example, if you started withwsfc-1 active, you now seewsfc-2 inthe title. If you don't see the change right away or see a page-not-found error,refresh the browser again.

Congratulations! You now have a working Windows Server 2016 failover clusterrunning on GCP.

Troubleshooting

Here are some common issues you can check if things aren't working.

GCP firewall rules blocks health check

If the health check isn't working, double-check that you have a firewall rule toenable incoming traffic from the IP addresses that the health check system uses:130.211.0.0/22and35.191.0.0/16.

Windows Firewall blocks health check

Make sure port 59998 is open in Windows Firewall on each cluster node. SeeOpen the Windows Firewall.

Cluster nodes using DHCP

It's important that each VM in the cluster has a static IP address. If a VM isconfigured to use DHCP in Windows, change the networking settings in Windows tomake the IPv4 address match the IP address of the VM as shown in the Google Cloud console. Also set the gateway IP address to match the address of thesubnetwork gateway in the GCP VPC.

GCP network tags in firewall rules

If you use network tags in your firewall rules, be sure the correct tags are seton every VM instance. This tutorial doesn't use tags, but if you've set them forsome other reason, they must be used consistently.