Links to all of the articles that are referenced within this article are located in the "References" section.
There are instances when you can deploy cluster nodes in an environment where there are no pre-existing Active Directory. This scenario requires that you configure at least one of the cluster nodes as a domain controller. It is recommended that 2+ nodes be configured as domain controllers, so that there be at least one backup domain controller. Keeping the configuration of the nodes consistent across the cluster is a general best practice, and you may wish to enable all nodes as domain controllers. Because Active Directory depends on the Domain Name System (DNS), each domain controller must be a DNS server if there is not another DNS server available that supports dynamic updates or SRV records. (Microsoft recommends that you use Active Directory-integrated zones). For additional information, refer to article 255913.
- Microsoft Exchange Server - Is not supported in a clustered configuration where the cluster nodes are domain controllers. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 898634 Active Directory domain controllers are not supported as Exchange Server cluster nodes
- Microsoft SQL Server - Is not supported in a clustered configuration where the cluster nodes are domain controllers. For more information, click the following to view more information: Installing SQL Server on a Domain Controller
- Windows Server Hyper-V - It is not recommended to run other workloads (including the domain controller role) in the hypervisor parent partition.
Consider the following important points when you are deploying Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 Failover Clustering nodes as domain controllers:
- It is not recommend to combine the Active Directory Domain Services role and the Failover Cluster feature on Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2
- It is not supported for a Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 node in a Failover Cluster to be a Read-Only Domain Controller (RODC)
- It is not supported for a Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 Failover Cluster running Microsoft Exchange Server or Microsoft SQL Server to be a domain controller
- It is not supported to combine the Active Directory Domain Services role and the Failover Cluster feature on Windows Server 2012
- It is recommended that at least two nodes be configured as domain controllers and potentially all nodes for consistency if cluster nodes are configured as domain controllers.
- There is overhead that is associated with the running of a domain controller. A domain controller that is idle can use anywhere between 130 to 140 megabytes (MB) of RAM, which includes the running of Failover Clustering. There is also replication traffic if these domain controllers have to replicate with other domain controllers within the domain and across domains. Most corporate deployments of clusters include nodes with gigabytes (GB) of memory so this is not generally an issue.
- If the Windows Server 2003 cluster nodes are the only domain controllers, they each have to be DNS servers as well, and they should point to themselves for primary DNS resolution, and to each other for secondary DNS resolution. You must address the problem of the ability to not register the private interface in DNS, especially if it is connected by way of a crossover cable (two-node only). For additional information about how to configure the heartbeat interface, click the following article number to view the article in the Microsoft Knowledge Base: 258750 Recommended private "heartbeat" configuration on a cluster serverHowever, before you can accomplish step 12 in article 258750, you must first modify other configuration settings, which are outlined in the following article in the Microsoft Knowledge Base:275554 The host's "A" record is registered in DNS after you choose not to register the connection's address
- If the cluster nodes are the only domain controllers, they must each be global catalog servers, or you must implement domainlets.
- The first domain controller in the forest takes on all flexible single master operation (FISMO) roles, refer to article 197132. You can redistribute these roles to each node. However, if a node fails, the flexible single master operation roles that the node has taken on are no longer available. You can use Ntdsutil to forcibly take away the roles and assign them to the node that is still running (refer to article 223787). Review article 223346 for information about placement of flexible single master operation roles throughout the domain.
- Clustering other programs, such as SQL or Exchange, in a scenario where the nodes are also domain controllers, may not result in optimal performance due to resource constraints
- You cannot cluster domain controllers for fault tolerance. You can promote computers to be domain controllers, and then you can install the Cluster service on those computers, but there is no method to store Active Directory on any one of the cluster's managed drives. There is no "failover" of Active Directory. Having multiple domain controllers are by the very nature deliver high availability of directory services.
- Nodes in a Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 Failover Cluster must have access to a Read-Write Domain Controller
- It is supported to deploy a Windows Server 2012 Failover Cluster in an environment which only has access to a Read-Only Domain Controller (RODC)
- It is recommended to leave at least 1 domain controller on bare metal when deploying domain controllers inside of virtual machines with Windows Server 2008 and Windows Server 2008 R2