Microsoft Hyper-V Failover Cluster Best Practice

Somnathndy 46 Reputation points
2025-11-15T17:46:35.28+00:00

Hi All,

I need your kind advice on the following –

One of my customers wants a Failover Cluster infrastructure based on Hyper-V on Windows Server 2022 Standard. There are 2 HPE DL380 servers and one MSA2060 SAN at the site, plus the required number of licenses for the hosts and VMs. The customer wants Active Directory to be created on both hosts in the following way to meet the AD requirement:

a.       Installation of Windows Server 2022 on both servers

b.       Installation of Hyper V feature on both servers

c.       Install and configure AD on one server and an ADC on the other server, then the VM on Hyper-V

d.       Joining the host servers to the above AD.

e.       Then install and configure MS Failover Cluster between the above two servers.

f.        Then create the required VMs on the cluster

My question is: is this a best-practice scenario as per Microsoft? My assumption is that after creation of the Hyper-V cluster, if I switch off the physical host containing AD, the VMs on the cluster will not fail over to the other node, as AD becomes absent when that physical host is switched off and there is no one to authenticate. The customer and their consultant are not ready to accept that.

Please help and provide your kind advice on the above. If a third host is a must to hold the AD, then please provide me the document link for that so that I can show it to them, as I am unable to find it.

Thanks in advance and waiting for your reply.

Regards

Somnath Nandy

Windows for business | Windows Server | Storage high availability | Clustering and high availability

Answer accepted by question author
  1. VPHAN 9,355 Reputation points Independent Advisor
    2025-11-15T18:25:25.09+00:00

    Hi Somnathndy,

    The approach described by your customer has a critical architectural flaw regarding Active Directory placement in a Hyper-V failover cluster. Installing an AD Domain Controller on one of the two Hyper-V hosts and a Read-Only Domain Controller (or ADC) on the other host introduces a dependency loop that can prevent cluster failover from functioning as expected. In Hyper-V clustering, cluster nodes must be able to authenticate with Active Directory at all times. If the physical host running the primary DC is powered off, the cluster nodes may fail to authenticate properly, which can prevent the failover of VMs to the remaining node. This behavior is not a failure of Hyper-V itself, but a result of AD dependency on a host that is also providing compute for the cluster.

    Microsoft’s recommended practice is to separate domain controllers from cluster nodes. Domain Controllers should ideally run on their own dedicated servers or be virtualized on a different host that is highly available, but not one of the nodes participating in the Hyper-V cluster that hosts production VMs. If virtualized, DCs must be configured to run on separate physical hosts that do not overlap completely with the Hyper-V cluster nodes, and you should enable features like VM-GenerationID support to avoid USN rollback issues.

    In a two-node Hyper-V cluster, there is no supported way to safely host the only AD DC on one of the cluster nodes and expect failover to work flawlessly. Adding a third server purely to host the AD DC or placing the DCs on separate, resilient infrastructure is the supported method. Microsoft’s official guidance on running domain controllers in a virtualized environment and their best practices for failover clustering can be found in their documentation here: Deploying Active Directory Domain Services in a Virtualized Environment.

    The key takeaway is that AD must be highly available independently of the Hyper-V cluster nodes. Without this separation, any cluster failover that depends on AD authentication is inherently unreliable.

    I hope the information is clear. Should you need to know more, don't hesitate to leave a message. If everything is good, it would be really appreciated if you accept the answer as a way to share your valuable experience with the community. Thank you

    Vivian

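The accepted answer's point, that the surviving node must still be able to reach a domain controller once the other node is off, can be checked before a planned shutdown rather than discovered during one. The following PowerShell pre-flight script is an added example written for this thread; it is not Microsoft's code or guidance. The cluster name HVCLUSTER, node names HV01/HV02 and DC VM names DC01/DC02 are hypothetical. It assumes the FailoverClusters, Hyper-V and ActiveDirectory RSAT modules are installed where it runs, that the account can read AD and query both hosts, and that each DC VM's Hyper-V name matches its computer name in the domain.

```powershell
<#
  Pre-flight check before shutting down one node of a two-node Hyper-V cluster.
  Added example for this thread, not Microsoft's code or guidance.
  Hypothetical names: cluster HVCLUSTER, nodes HV01/HV02, DC VMs DC01/DC02.
  Assumes: RSAT modules FailoverClusters, Hyper-V and ActiveDirectory are
  installed, the account can read AD and query both hosts, and each DC VM's
  name matches its computer name in the domain.
#>
param(
    [string]   $ClusterName = 'HVCLUSTER',
    [string]   $NodeToStop  = 'HV01',
    [string[]] $DcVmNames   = @('DC01', 'DC02')
)

Import-Module FailoverClusters, Hyper-V, ActiveDirectory -ErrorAction Stop

$nodes     = Get-ClusterNode -Cluster $ClusterName
$survivors = @($nodes | Where-Object { $_.Name -ne $NodeToStop -and $_.State -eq 'Up' })
if ($survivors.Count -eq 0) {
    throw "No other node of $ClusterName is Up, so nothing can take over the VMs from $NodeToStop."
}

# 1. Where is each DC VM running right now?  A DC that lives only on the node
#    being stopped goes away with it, leaving the survivor with nobody to
#    authenticate against while it tries to bring the failed-over VMs online.
$dcPlacement = foreach ($node in $nodes) {
    Get-VM -ComputerName $node.Name -ErrorAction SilentlyContinue |
        Where-Object { $DcVmNames -contains $_.Name } |
        Select-Object Name, State, @{ Name = 'Host'; Expression = { $node.Name } }
}
$dcPlacement | Format-Table -AutoSize | Out-String | Write-Host

# 2. Which DCs of the domain remain once every DC VM on $NodeToStop is gone?
$domain       = (Get-ADDomain).DNSRoot
$allDcs       = @((Get-ADDomainController -Filter * -Server $domain).Name)
$dcsOnStopped = @($dcPlacement | Where-Object { $_.Host -eq $NodeToStop } | ForEach-Object Name)
$remainingDcs = @($allDcs | Where-Object { $dcsOnStopped -notcontains $_ })
if ($remainingDcs.Count -eq 0) {
    throw "Every DC of $domain ($($allDcs -join ', ')) runs on $NodeToStop. Stopping it leaves no DC, so cluster failover cannot authenticate."
}

# 3. From the surviving node, force a fresh DC-locator query and verify the
#    machine secure channel, so the result reflects what that node will see.
Invoke-Command -ComputerName $survivors[0].Name -ScriptBlock {
    $d = $using:domain
    nltest "/dsgetdc:$d" /force | Out-String
    [pscustomobject]@{ Node = $env:COMPUTERNAME; SecureChannelOK = Test-ComputerSecureChannel }
}

# 4. Virtualization safeguard mentioned in the accepted answer: a DC that
#    receives a VM-GenerationID from the hypervisor stores it in the
#    msDS-GenerationId attribute of its own computer object. A missing value
#    means snapshot/restore of that DC is not protected against USN rollback.
foreach ($dc in $allDcs) {
    $genId = (Get-ADComputer -Identity $dc -Properties 'msDS-GenerationId').'msDS-GenerationId'
    '{0}: msDS-GenerationId {1}' -f $dc, $(if ($genId) { 'present' } else { 'MISSING' })
}

"Remaining DCs after stopping ${NodeToStop}: $($remainingDcs -join ', ')"
```

Run it from a management host or the node that will stay up, for example with `-NodeToStop HV02` when HV02 is the one being patched. Step 2 is the one that reproduces the question's scenario: with both DCs as VMs on the two cluster nodes and no DC elsewhere, stopping the node that happens to hold every running DC VM makes the script throw, which is the same condition the cluster would hit when it tries to authenticate the failover. Step 4 only tells you whether the hypervisor is exposing the generation counter to each DC; it does not change the placement problem.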

2 additional answers

  1. VPHAN 9,355 Reputation points Independent Advisor
    2025-11-17T03:46:15.0333333+00:00

    Good morning,

    Have you found the answer useful? If everything is okay, don't forget to share your experience with the issue by accepting the answer. Should you need more information, feel free to leave a message. Happy to help! :)

    Vivian


  2. Q&A Assist
    2025-11-15T17:46:49.3266667+00:00
    AI-generated content: this answer was created with AI from Q&A Assist.

    Your proposed scenario for setting up a Hyper-V Failover Cluster with Active Directory (AD) on the two HPE DL380 servers is not considered a best practice according to Microsoft guidelines. The concern you raised about the potential failure of the cluster if the host containing AD is powered off is valid. In a failover cluster, it is critical that the AD services remain available to authenticate and authorize actions within the cluster. If the primary AD server goes down, the cluster may lose its ability to manage resources effectively, including the failover of virtual machines.

    To ensure high availability and avoid a single point of failure, it is recommended to have at least three domain controllers (DCs) in your environment. This setup allows for redundancy and ensures that even if one DC is unavailable, the others can continue to provide authentication services. Therefore, the best practice would be to either:

    1. Deploy an additional server as a third host to serve as a domain controller, or
    2. Use existing DCs in your environment that are not part of the cluster.

    You can refer to Microsoft's documentation on configuring failover clusters and AD accounts for further guidance on this matter. This will help you explain the necessity of having a dedicated AD infrastructure to your customer and their consultant.


