Q. When I create a cluster in Windows Server 2016, is it true that certificates are used for intra-cluster authentication?
A. Yes. Windows Server 2016 removes the requirement that nodes in a cluster are part of the same domain. It's now possible to have:
- Nodes in the same domain
- Nodes in different domains
- A mix of member and workgroup-joined nodes
This is very useful for certain applications, especially SQL Server. However, because machines may not be part of the same domain, or even of trusted domains, using Kerberos for intra-cluster node communication is not possible. Therefore, for 2016 clusters, a certificate is automatically created and stored in the cluster database; all nodes use it to authenticate to each other within the cluster. The certificate is stored in the personal certificate folder of the Cluster service account on each node in the cluster.