Posted byrafaelitPosted inExchange Server, microsoft, UncategorizedTags:cliusr, rxchange
What is the CLIUSR Account?
With Exchange 2016-19 / Server 2016-19 set up in DAG. you get an alert in ECP that says “The certificate ‘CLIUSR’ on server ‘servername’ is about to expire on ‘date'”
TheCLIUSR account is a local user account created by the Failover Cluster feature. Windows Server Failover Cluster service uses this local account for adding nodes, joining nodes to the cluster, etc.
This local “user” account is not an administrative account or domain account. This account is automatically created for you on each of the nodes when you create a cluster or on a new node being added to the existing Cluster. This account is completely self-managed by the Cluster Service and handles automatically rotating the password for the account and synchronizing all the nodes for you. The CLIUSR password is rotated at the same frequency as the CNO, as defined by your domain policy (which is every 30 days by default).
there is not much documentation that we could find that references a certificate issued to CLIUSR, but according to this thread (https://social.technet.microsoft.com/Forums/en-US/eda7a791-032b-45a5-9df8-0fd5a488d0f5/the-certificate-cliusr-on-server-servername-is-about-to-expire-on-date?forum=Exch2019), we could know: “Windows clustering appears to self-manage these, making the Exchange ECP warnings unnecessary (and a bit scary). So nothing to do in exchange, despite the warnings. “
SHMUEL H.
