Why You Need a Domain Controller Outside of Your Azure Stack HCI Cluster


Failover clustering in Windows Server and Azure Stack HCI can help to reduce disruptions in service within an organization. In this article, I’m going to explain why you need to have a Windows Server Active Directory domain controller outside of your Azure Stack HCI cluster. I will also detail how to deploy this domain controller in an edge scenario.

Why do you need a domain controller outside of your Azure Stack HCI cluster?

Even though Azure Stack HCI nodes are domain-joined and the cluster has its own computer accounts in Active Directory, the failover cluster service still depends on DNS, and in most configurations on Active Directory, being reachable when it starts. The computer accounts the cluster creates in Active Directory (the cluster name object and the virtual computer objects for clustered roles) are then used for Kerberos authentication between the nodes and for managing cluster ownership and permissions.

If those Active Directory computer accounts cannot be reached, the cluster will not come up. On Azure Stack HCI that is a hard stop, because Storage Spaces Direct is itself a clustered resource: the storage pool, the virtual disks and the Cluster Shared Volumes only come online once the failover cluster service is running.

Until Storage Spaces Direct is online, Hyper-V cannot start any virtual machine whose disks live on the clustered storage. So if your only domain controllers are virtual machines on the Azure Stack HCI cluster's storage, you have a chicken-and-egg problem: the cluster cannot bring its storage online without a domain controller, and the domain controllers cannot start because they sit on that storage.

There are several reasons why you might have to start or restart a complete cluster after deployment, such as planned maintenance of the power supply or a power outage that forces you to shut down all workloads. Whatever the cause, you should prepare for this scenario before it happens.

Setting up a domain controller and DNS server outside of your Azure Stack HCI cluster

The only reliable way to solve this problem is to set up a domain controller and DNS server outside of your Azure Stack HCI cluster, so that both are available before the cluster service starts.

Setting up a domain controller outside of your Azure Stack HCI cluster (Image credit: Petri/Flo Fox)

There are several ways to place a domain controller outside of your Azure Stack HCI cluster. The most common practice is to run one on a separate server at the same site; that server can be a physical host or a virtual machine on a hypervisor that is not part of the cluster.

For edge or limited-budget scenarios, adding more hardware to a site is often not an option. In that case you can rely on a domain controller at a remote location instead; the only requirement is a Virtual Private Network connection (typically site-to-site) from the edge site to a nearby location that already hosts a domain controller. That could be another office, a data center, or a cloud service such as Microsoft Azure. Make sure the cluster nodes use a DNS server that is reachable over that link, not a DNS server running as a virtual machine on the cluster itself, or you recreate the same chicken-and-egg problem for name resolution.

You can have your domain controller set up in a remote location and connected via VPN (Image credit: Petri/Flo Fox)

Once the cluster has been kickstarted this way, you can additionally run virtual domain controllers inside the Azure Stack HCI cluster to serve your users locally; the external domain controller only has to carry the load until the cluster is up.

You can set virtual domain controllers within your Azure Stack HCI cluster (Image credit: Petri/Flo Fox)

With an external domain controller and DNS server in place, you should be able to bring your Azure Stack HCI clusters back up after any disaster or planned shutdown.
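The following PowerShell script is an added example for this article, not the author's or Microsoft's own code. It is meant to be run on one Azure Stack HCI node after a complete shutdown, before the cluster is started: it checks that DNS can locate a domain controller and that the domain controller's ports and the node's secure channel work while the cluster (and therefore every virtual machine on it) is still down. If every check passes, the domain controller you are talking to is by definition outside the cluster, and only then does the script start the cluster and report the state of the clustered storage. The domain name and cluster name are placeholders, and the script assumes the node is domain-joined and has the FailoverClusters module installed.

```powershell
<#
  Added example (not from the original article): pre-flight check before
  starting an Azure Stack HCI cluster after a full shutdown.
  Assumptions: replace $Domain and $ClusterName with your own values; the node
  is already domain-joined; the FailoverClusters module is present on the node.
#>
$Domain      = 'corp.example.com'   # assumption: your AD DNS domain
$ClusterName = 'HCI-CL01'           # assumption: your cluster name
$SrvRecord   = "_ldap._tcp.dc._msdcs.$Domain"   # DC Locator SRV record

function Test-ExternalDc {
    param([string]$Domain, [string]$SrvRecord)

    $results = @()

    # 1. DNS: every resolver configured on this node must answer the DC Locator
    #    SRV query while the cluster is down. A resolver that lives in a VM on
    #    the cluster would fail here.
    $dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                   Where-Object { $_.ServerAddresses }).ServerAddresses |
                   Select-Object -Unique
    foreach ($dns in $dnsServers) {
        $answer = Resolve-DnsName -Name $SrvRecord -Type SRV -Server $dns `
                                  -ErrorAction SilentlyContinue
        $targets = @($answer | Where-Object Type -eq 'SRV').NameTarget -join ', '
        if (-not $targets) { $targets = 'no answer' }
        $results += [pscustomobject]@{
            Check  = "DNS SRV lookup via $dns"
            Passed = [bool]$answer
            Detail = $targets
        }
    }

    # 2. For each DC that DNS returned, check the ports the nodes need to
    #    authenticate and reach the domain: DNS, Kerberos, LDAP and SMB (SYSVOL).
    $dcs = @(Resolve-DnsName -Name $SrvRecord -Type SRV -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'SRV').NameTarget | Select-Object -Unique
    $ports = [ordered]@{ DNS = 53; Kerberos = 88; LDAP = 389; SMB = 445 }
    foreach ($dc in $dcs) {
        foreach ($p in $ports.GetEnumerator()) {
            $tcp = Test-NetConnection -ComputerName $dc -Port $p.Value `
                                      -WarningAction SilentlyContinue
            $results += [pscustomobject]@{
                Check  = "$dc TCP/$($p.Value) ($($p.Key))"
                Passed = $tcp.TcpTestSucceeded
                Detail = "$($tcp.RemoteAddress)"
            }
        }
    }

    # 3. The node's own secure channel to the domain must be valid, otherwise
    #    the cluster service cannot authenticate to the other nodes via Kerberos.
    $located = @(nltest /dsgetdc:$Domain 2>&1 | Select-String 'DC:') -join '; '
    $results += [pscustomobject]@{
        Check  = 'Secure channel to domain'
        Passed = Test-ComputerSecureChannel
        Detail = $located
    }

    return $results
}

$checks = Test-ExternalDc -Domain $Domain -SrvRecord $SrvRecord
$checks | Format-Table -AutoSize

if ($checks | Where-Object { -not $_.Passed }) {
    Write-Warning 'A domain controller or DNS server is not reachable while the cluster is down. Fix that before starting the cluster.'
    return
}

# 4. Only now start the cluster and watch the clustered storage come online.
Start-Cluster -Name $ClusterName | Out-Null
Get-ClusterNode -Cluster $ClusterName         | Select-Object Name, State
Get-ClusterSharedVolume -Cluster $ClusterName | Select-Object Name, State
```

Run it interactively as a domain administrator on one node. The script does not tell you where a given domain controller is hosted; it tells you whether one is reachable at the only moment that matters, before the cluster service starts, which is exactly the property an external domain controller gives you. Any failed line in the table points at the dependency you still have on the cluster itself (a DNS server or domain controller running as a VM on it, or a VPN tunnel that is down).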

Closing Note

As explained in this article, a Windows Server failover cluster or an Azure Stack HCI cluster cannot start unless Windows Server Active Directory and DNS are reachable first. In an enterprise scenario, you also have to stay within a supported configuration. Depending on your environment, a remote domain controller reached over a VPN can be a good choice to kickstart your Azure Stack HCI cluster, and in a branch or edge scenario it also saves hardware cost and reduces the footprint at the site.