Designing and implementing a Hyper-V environment can be challenging. Placement of Active Directory Domain Controllers requires additional consideration, especially in Hyper-V Failover Cluster scenarios, where Active Directory membership for the cluster nodes is strictly required.
Windows Server 2012, in Active Directory terms, is a big step forward. We’ve been over the majority of the new features in Active Directory Domain Services on this blog before, so now it’s time to talk about the implications on support policies.
In this blog post, I’ll discuss the newly supported setups in terms of Hyper-V Failover Clustering, beyond the need to apply the hotfix from KnowledgeBase article 2784261, as discussed in Part 7 of this series.
Active Directory Domain Services and Failover Clustering
Failover Cluster nodes require Active Directory membership. In environments without Domain Controllers and/or extra physical iron to place Domain Controllers onto, this poses a challenge.
The old guidance
Microsoft has advised against re-using Failover Cluster nodes as Domain Controllers for years. Their official stance was:
- It is not recommended to combine the Active Directory Domain Services role and the Failover Cluster feature.
- It is not supported for a Failover Cluster running Microsoft Exchange Server or Microsoft SQL Server to be a Domain Controller.
- It is recommended to leave at least 1 domain controller on bare metal when deploying domain controllers inside of virtual machines.
Four years ago, I kicked off this series with a blog post recommending not to re-use Hyper-V Failover Cluster nodes as Domain Controllers, from both an architectural and a performance point of view. While that blog post offers a workaround for the third recommendation above, my recommendations have been identical to Microsoft's.
These recommendations still largely apply to the Windows Server Operating Systems of those days. However, with Windows Server 2012, Microsoft's recommendations have changed, and I feel it's time to review my recommendations.
The updated guidance
Now, in KnowledgeBase article 281662, Microsoft updates the above guidance with information on Windows Server 2012. The Windows Server 2012-specific changes are listed below:
- It is not supported to combine the Active Directory Domain Services role and the Failover Cluster feature on Windows Server 2012
- It is no longer recommended to leave at least 1 domain controller on bare metal when deploying domain controllers inside of virtual machines in Windows Server 2012.
AD DS Role and Failover Cluster Feature no longer supported
While combining the Active Directory Domain Services Server Role and the Failover Clustering Server Feature on one host has not been recommended in Windows Server 2003, Windows Server 2003 R2, Windows Server 2008 and Windows Server 2008 R2, it is now no longer supported.
Now, don't misinterpret the above. You can still install the Failover Clustering Server Feature on an existing Windows Server 2012-based Domain Controller. The change in guidance is not reflected in Server Manager. However, if you want to add an existing Domain Controller to a Failover Cluster as a cluster node, the configuration will not pass the Cluster Validation.
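Since Server Manager will not stop you, it pays to check for the AD DS role on every candidate node before you run the Validate a Configuration Wizard. The following PowerShell snippet is an added example, not code from the original post or from Microsoft; the node names are assumptions. It flags any candidate that is a Domain Controller and only runs the full Test-Cluster validation when none of them are.

```powershell
# Pre-flight check before creating a Windows Server 2012 cluster or adding nodes.
# Added example (not from the original post); host names below are assumptions.
Import-Module ServerManager
Import-Module FailoverClusters

$CandidateNodes = @('HV-NODE01', 'HV-NODE02', 'HV-NODE03')   # assumed Hyper-V host names

# A node that holds the AD DS role will not pass cluster validation on Windows Server 2012,
# so collect those first instead of discovering it halfway through the wizard.
$conflicts = foreach ($node in $CandidateNodes) {
    $adds = Get-WindowsFeature -Name AD-Domain-Services -ComputerName $node
    if ($adds.Installed) { $node }
}

if ($conflicts) {
    Write-Warning ("These nodes are Domain Controllers and will not pass validation: " + ($conflicts -join ', '))
    return
}

# All candidates are plain member servers: run the full validation report before creating the cluster.
# Test-Cluster returns the HTML report file it wrote, so keep it for the support case.
$report = Test-Cluster -Node $CandidateNodes
Write-Output "Validation report written to $($report.FullName)"
```

Run this from a domain account with administrative rights on all candidate nodes; the Get-WindowsFeature query needs remote access to each server's Server Manager data.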
Now, as you might be aware, if a configuration doesn’t pass the Configuration Validation, Microsoft will not offer support on it. In the help file for Failover Clustering, Microsoft states:
Microsoft support of Failover Cluster Solutions
Microsoft supports a failover cluster solution only if it meets the following requirements:
- All hardware components in the failover cluster solution are certified for Windows Server 2012. For more information, see Requirements and Steps for Creating a Failover Cluster or Adding a Node.
- The complete cluster configuration (servers, network, and storage) can pass all tests in the Validate a Configuration Wizard. For more information, see Failover Cluster Validation Tests.
- The hardware manufacturers' recommendations for firmware updates and software updates have been followed. Usually, this means that the latest firmware and software updates have been applied. Occasionally, a manufacturer might recommend specific updates other than the latest updates.
In Windows Server 2008 and Windows Server 2008 R2, the same configuration would pass the Cluster Validation.
Bare metal Domain Controller recommendation
In previous versions of Windows Server, the Cluster Service (clussvc) communicated with Active Directory to gather information on the Cluster object when starting. The implication is that the Failover Clustering Service, and all the highly available workloads on top of it, wouldn't start when no Active Directory Domain Controller was available: after a site-wide power failure, none of the VMs would start if the Domain Controllers ran on top of the Hyper-V platform as highly available VMs…
In Windows Server 2012, the Cluster Service (clussvc) still attempts to communicate with a Domain Controller when it starts, but when it doesn’t find one, it will start and try to communicate with Active Directory later. This way, the dependency on Active Directory Domain Controllers outside of the cluster is taken away. This feature is known as Active Directory-less Cluster Bootstrapping.
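With Active Directory-less Cluster Bootstrapping, the Cluster Service comes up without a Domain Controller, but the Cluster Name resource and anything else that needs Active Directory still has to wait for one. The cold-start sequence after a site-wide power failure is therefore: confirm the Cluster Service is running, start the Domain Controller VM roles first, wait until a Domain Controller can be located, and only then bring the Cluster Name resource and the remaining roles online. The script below is an added example, not code from the original post; the names of the Domain Controller VM roles and the use of $env:USERDNSDOMAIN for the domain name are assumptions.

```powershell
# Cold-start sequence for a Windows Server 2012 Hyper-V cluster whose DCs are HA VMs.
# Added example (not from the original post); VM role names are assumptions.
Import-Module FailoverClusters

$DomainControllerVMs = @('VM-DC01', 'VM-DC02')   # assumed names of the Domain Controller VM roles
$CoreGroups = @('Cluster Group', 'Available Storage')

# 1. AD-less bootstrapping means ClusSvc should already be running although no DC answers yet.
$clussvc = Get-Service -Name ClusSvc
if ($clussvc.Status -ne 'Running') {
    throw "Cluster service is not running on $env:COMPUTERNAME; the cluster did not bootstrap without AD."
}

# 2. Start the Domain Controller VM roles first so that a DC becomes available.
foreach ($vm in $DomainControllerVMs) {
    Start-ClusterGroup -Name $vm -ErrorAction Stop | Out-Null
}

# 3. Wait until the DC locator finds a Domain Controller (nltest exit code 0 = success).
#    $env:USERDNSDOMAIN is assumed to hold the DNS name of the domain of the logged-on account.
$deadline = (Get-Date).AddMinutes(15)
do {
    & nltest.exe /dsgetdc:$env:USERDNSDOMAIN /force | Out-Null
    $found = ($LASTEXITCODE -eq 0)
    if (-not $found) { Start-Sleep -Seconds 20 }
} until ($found -or (Get-Date) -gt $deadline)
if (-not $found) { throw "No Domain Controller reachable after 15 minutes; not starting the remaining roles." }

# 4. The Cluster Name resource depends on AD; bring it online now, then the rest of the roles.
Get-ClusterResource -Name 'Cluster Name' | Start-ClusterResource | Out-Null
Get-ClusterGroup |
    Where-Object { $_.State -ne 'Online' -and $CoreGroups -notcontains $_.Name } |
    ForEach-Object { Start-ClusterGroup -InputObject $_ | Out-Null }
```

If step 1 fails on every node, the cluster has not bootstrapped at all and the Domain Controller VMs can still be started outside the cluster from the Hyper-V console on the node that owns their storage; that is exactly the situation the Windows Server 2012 change is meant to avoid.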
Two of the guidance points for Active Directory in Hyper-V Failover Cluster environments have been changed with Windows Server 2012.
You can no longer re-use a Domain Controller as the parent partition of a Hyper-V Cluster node in a supported way. This configuration is no longer officially supported by Microsoft.
Active Directory-less Cluster Bootstrapping eliminates the need for communicating with a Domain Controller for a Failover Cluster node’s Cluster Service at startup, before it can bring its highly-available resources online.