Windows

Windows Server 2025 and Hyper-V Cluster Setup: End to End

Eric Black

Eric Black

18 min read
Windows Server 2025 Hyper-V Failover Cluster Storage Spaces Direct S2D Live Migration Networking

Standalone Infrastructure | Component: Windows Server 2025 Datacenter | Audience: Enterprise Architects, Senior Sysadmins

Building a Windows Server 2025 Hyper-V cluster end to end touches six or seven distinct technical domains, and mistakes in any one of them don't always surface immediately. You get a cluster that validates and runs fine until the first node failure, the first live migration under load, or the first time you try to add a node. This article covers all of it: prerequisites and hardware decisions, cluster networking with SET teaming and RDMA, quorum design, storage architecture with a clear decision guide between S2D and SAN-based approaches, Hyper-V configuration, live migration setup, VM placement, and stretch cluster design for multi-site deployments.

There are also several Windows Server 2025 specific behaviors worth knowing before you start. Credential Guard is now enabled by default on all domain-joined servers, which breaks CredSSP live migration. LBFO teams can no longer be attached to a Hyper-V virtual switch. Live migration network selection has been redesigned to handle both switchless and multi-site topologies. And S2D gets thin provisioning, resync priority controls, and a new Campus Cluster topology for stretched S2D. These aren't minor updates. They affect how you design and configure things from day one.

1. Prerequisites and Hardware Requirements

All cluster nodes must run Windows Server 2025 Datacenter Edition. For S2D specifically, Datacenter Edition is required on every node. Standard Edition doesn't include S2D. If you're using a SAN with shared storage, Standard Edition works for the Hyper-V cluster role itself, but Datacenter is still the right choice for production deployments due to its unlimited VM rights and better fit for dense virtualization.

Hardware requirements from the official Microsoft failover clustering hardware requirements guide:

  • Processors: Hardware assisted virtualization (Intel VT or AMD-V) and hardware enforced DEP (Intel XD bit or AMD NX bit) are required for the Hyper-V role. All nodes should match processor generation to avoid live migration compatibility issues. Mixed CPU generations require configuring CPU compatibility mode on VMs, which limits the available instruction sets.
  • Networking: Minimum two network adapters per node for redundancy. Production Hyper-V clusters should use at least two 10 GbE adapters, with 25 GbE strongly preferred for any environment running S2D or dense VM workloads. RDMA capable adapters (iWARP or RoCE) are required for SMB Direct and recommended for S2D storage networks.
  • All hardware must pass Test-Cluster validation. This isn't optional and isn't a formality. Microsoft doesn't support clusters that haven't passed the full validation suite. Run it before you create the cluster, fix everything it flags, and run it again.
  • Identical hardware across nodes is strongly recommended. Mismatched NIC models, drivers, and firmware cause intermittent issues that are difficult to diagnose. The Microsoft S2D hardware requirements page is explicit that NIC adapters, drivers, and firmware must be an exact match for SET teaming to function correctly.

Software Prerequisites

PowerShell: Install required roles and features on all cluster nodes
# Run on each node, or use Invoke-Command to target all nodes at once
$nodes = "HV-Node1", "HV-Node2", "HV-Node3", "HV-Node4"

Invoke-Command -ComputerName $nodes -ScriptBlock {
    Install-WindowsFeature `
        -Name Hyper-V, Failover-Clustering, Data-Center-Bridging, `
               RSAT-Clustering-PowerShell, Hyper-V-PowerShell, `
               FS-FileServer `
        -IncludeManagementTools `
        -Restart
}

# After nodes restart, join all to the domain if not already done
# Then verify features installed correctly
Invoke-Command -ComputerName $nodes -ScriptBlock {
    Get-WindowsFeature Hyper-V, Failover-Clustering | Select-Object Name, InstallState
}
Windows Server 2025 enables Credential Guard by default on all domain-joined servers that aren't domain controllers. This breaks CredSSP live migration, which was the default authentication method in Windows Server 2022 and earlier. If you're upgrading existing nodes rather than deploying fresh, your live migration will stop working after upgrading to 2025 unless you switch to Kerberos constrained delegation before or immediately after the upgrade. This is documented in the official Microsoft "Live migration with Hyper-V breaks when upgrading to Windows Server 2025" article. Configure Kerberos constrained delegation before you upgrade any production nodes.

2. Cluster Networking: SET, VLANs, and Traffic Isolation

Getting networking right before you create the cluster saves enormous pain later. A cluster with poorly separated traffic is hard to troubleshoot and tends to fail in non-obvious ways under load. The right approach for Windows Server 2025 is a converged network using Switch Embedded Teaming with RDMA capable adapters and separate vNICs per traffic type on VLANs.

SET vs LBFO: No Longer a Choice

Windows Server 2025 removes the ability to attach an LBFO team to a Hyper-V virtual switch. Attempts to do so fail with an explicit error. SET (Switch Embedded Teaming) is the only supported teaming method for Hyper-V hosts on Windows Server 2025. If you have existing LBFO teams from a previous Windows version and you're upgrading, you need to rebuild your virtual switches using SET before the upgrade, or rebuild them after. There's no in-place migration path from LBFO to SET.

SET supports RDMA on teamed adapters, which LBFO doesn't. SET integrates into the Hyper-V virtual switch, allowing the same physical NICs to carry VM traffic, management traffic, SMB Direct storage traffic, and live migration traffic simultaneously, with QoS policies controlling bandwidth allocation per traffic type. That's the converged networking model for Hyper-V clusters.

Traffic Types and VLAN Design

Traffic TypeVLANBandwidth AllocationRDMANotes
Management10010% minimumNoHost OS management, RDP, WinRM, domain traffic
Cluster heartbeat2005% minimumNoDedicated cluster network, no routing to other VLANs
Live Migration30020% minimumOptionalIsolated from VM traffic. Compression default, SMB if RDMA available
VM (tenant)400+35% minimumSR-IOV optionalMultiple VLANs for tenant isolation as needed
Storage (SMB)500, 50130% minimumRequired for S2DTwo separate storage VLANs for redundancy. Jumbo frames (MTU 9014) required for RDMA
PowerShell: Create SET-based converged switch and configure vNICs per traffic type
# Run on each node
# NET01 and NET02 are your RDMA-capable physical NIC names - adjust to match your hardware

# Step 1: Create the SET-based Hyper-V virtual switch
New-VMSwitch -Name "ConvergedSwitch" `
             -NetAdapterName "NET01","NET02" `
             -EnableEmbeddedTeaming $true `
             -AllowManagementOS $false  # We'll add an explicit management vNIC

# Step 2: Add management OS vNICs per traffic type
Add-VMNetworkAdapter -ManagementOS -Name "Management"    -SwitchName "ConvergedSwitch"
Add-VMNetworkAdapter -ManagementOS -Name "Cluster"       -SwitchName "ConvergedSwitch"
Add-VMNetworkAdapter -ManagementOS -Name "LiveMigration" -SwitchName "ConvergedSwitch"
Add-VMNetworkAdapter -ManagementOS -Name "SMB-1"         -SwitchName "ConvergedSwitch"
Add-VMNetworkAdapter -ManagementOS -Name "SMB-2"         -SwitchName "ConvergedSwitch"

# Step 3: Assign VLANs to each vNIC
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName "Management"    -Access -VlanId 100
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName "Cluster"       -Access -VlanId 200
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName "LiveMigration" -Access -VlanId 300
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName "SMB-1"         -Access -VlanId 500
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName "SMB-2"         -Access -VlanId 501

# Step 4: Assign QoS minimum bandwidth weights (must add to 100 across all vNICs)
Set-VMNetworkAdapter -ManagementOS -Name "Management"    -MinimumBandwidthWeight 10
Set-VMNetworkAdapter -ManagementOS -Name "Cluster"       -MinimumBandwidthWeight 5
Set-VMNetworkAdapter -ManagementOS -Name "LiveMigration" -MinimumBandwidthWeight 20
Set-VMNetworkAdapter -ManagementOS -Name "SMB-1"         -MinimumBandwidthWeight 15
Set-VMNetworkAdapter -ManagementOS -Name "SMB-2"         -MinimumBandwidthWeight 15

# Step 5: Enable RDMA on the SMB vNICs (requires RDMA capable physical NICs)
Enable-NetAdapterRdma -Name "vEthernet (SMB-1)"
Enable-NetAdapterRdma -Name "vEthernet (SMB-2)"

# Step 6: Map each SMB vNIC to a specific physical NIC for RSS affinity
Set-VMNetworkAdapterTeamMapping -ManagementOS -VMNetworkAdapterName "SMB-1" -PhysicalNetAdapterName "NET01"
Set-VMNetworkAdapterTeamMapping -ManagementOS -VMNetworkAdapterName "SMB-2" -PhysicalNetAdapterName "NET02"

# Step 7: Set static IPs on each vNIC (adjust subnets to match your environment)
New-NetIPAddress -InterfaceAlias "vEthernet (Management)"    -IPAddress 10.0.100.11 -PrefixLength 24
New-NetIPAddress -InterfaceAlias "vEthernet (Cluster)"       -IPAddress 10.0.200.11 -PrefixLength 24
New-NetIPAddress -InterfaceAlias "vEthernet (LiveMigration)" -IPAddress 10.0.300.11 -PrefixLength 24
New-NetIPAddress -InterfaceAlias "vEthernet (SMB-1)"         -IPAddress 10.0.500.11 -PrefixLength 24
New-NetIPAddress -InterfaceAlias "vEthernet (SMB-2)"         -IPAddress 10.0.501.11 -PrefixLength 24

Write-Host "Network configuration complete on $(hostname). Repeat on each node with appropriate IP addresses."
For RoCE (RDMA over Converged Ethernet) environments, Data Center Bridging (DCB) is required to make the fabric lossless. Configure Priority Flow Control on the switch for the storage VLAN, and enable DCB on the host NICs with Set-NetQosDcbxSetting. iWARP RDMA doesn't require DCB, making it simpler to deploy. For RoCE environments, coordinate jumbo frame configuration (MTU 9014) across both the NICs and the physical switch on the storage VLANs before running cluster validation. Validation will flag mismatches.

3. Creating the Failover Cluster and Configuring Quorum

Validation Before Creation

Run cluster validation before creating the cluster. This generates an HTML report that identifies every configuration issue across networking, storage, and system configuration. Warnings are acceptable. Failures are not. Don't create a cluster against a node set that has validation failures. The validation report is also your support evidence: Microsoft requires a clean or warning only validation report before opening support cases on cluster issues.

PowerShell: Validate and create the cluster
# Run from a management station with RSAT or from one of the nodes

# Validation - fix failures before proceeding
Test-Cluster -Node "HV-Node1","HV-Node2","HV-Node3","HV-Node4" `
             -Include "Hyper-V Configuration","Inventory","Network","Storage","System Configuration"

# Create the cluster - use -NoStorage for S2D deployments
# For SAN-based deployments, omit -NoStorage to let clustering claim shared disks
New-Cluster -Name "HV-Cluster01" `
            -Node "HV-Node1","HV-Node2","HV-Node3","HV-Node4" `
            -StaticAddress 10.0.100.20 `
            -NoStorage  # Required for S2D; omit for SAN-based deployments

# Verify cluster formed correctly
Get-ClusterNode
Get-ClusterNetwork | Select-Object Name, Role, State, IPv4Addresses

Configuring Cluster Networks for Specific Roles

PowerShell: Set cluster network roles and live migration preference
# Restrict which networks carry which cluster traffic
# Cluster heartbeat should only use the dedicated Cluster network
Get-ClusterNetwork | ForEach-Object {
    switch ($_.Name) {
        "Cluster Network 1" { $_.Role = [Microsoft.FailoverClusters.PowerShell.ClusterNetworkRole]::Cluster }   # heartbeat only
        "Cluster Network 2" { $_.Role = [Microsoft.FailoverClusters.PowerShell.ClusterNetworkRole]::ClusterAndClient } # management
        "Cluster Network 3" { $_.Role = [Microsoft.FailoverClusters.PowerShell.ClusterNetworkRole]::None }      # live migration - set via Hyper-V
        "Cluster Network 4" { $_.Role = [Microsoft.FailoverClusters.PowerShell.ClusterNetworkRole]::None }      # storage - no cluster traffic
        "Cluster Network 5" { $_.Role = [Microsoft.FailoverClusters.PowerShell.ClusterNetworkRole]::None }      # storage - no cluster traffic
    }
}

# Set live migration to use the dedicated LM network
# Windows Server 2025 has improved network selection logic - it now automatically
# prefers the correct network for source/destination pairs in both switched and switchless topologies
Get-ClusterResourceType -Name "Virtual Machine" | `
    Set-ClusterParameter -Name MigrationExcludeNetworks -Value (
        (Get-ClusterNetwork | Where-Object { $_.Name -notmatch "LiveMig" }).Id -join ";"
    )

Quorum Design

Quorum determines how many node failures the cluster survives while staying online. The formula is: for the cluster to remain operational, more than half of the total votes (nodes plus witness) must be available. Getting the vote count wrong is how you end up with a cluster that goes offline when it shouldn't, or stays online when it shouldn't.

Node CountRecommended ConfigurationFailure ToleranceNotes
2 nodesNode + Cloud Witness (or Disk Witness)1 nodeWithout a witness, losing one node = 1 of 2 votes = 50%, cluster stops. Witness gives you 2 of 3 votes on failure.
3 nodesNode Majority (no witness needed)1 nodeOdd number of nodes. 2 of 3 votes survive a single failure. Adding a witness gives 3 of 4, no extra failure tolerance.
4 nodesNode + Cloud Witness2 nodesEven number. Witness gives 3 of 5 votes after a double failure scenario.
5+ nodesNode MajorityFloor(N/2)Odd counts are self-balancing. Add a witness on even counts.
Stretched cluster (2 sites)Cloud Witness in a third region/site1 siteThe witness must be in a third location, not at either site. If the witness is at Site A, it fails with Site A and you lose quorum.
PowerShell: Configure Cloud Witness (recommended for most environments)
# Cloud Witness uses Azure Blob Storage - requires an Azure Storage account
# One blob per cluster; same storage account can serve multiple clusters
# Uses SAS tokens internally - access key is used to generate the token, not stored directly

Set-ClusterQuorum -CloudWitness `
                  -AccountName "yourstorageaccountname" `
                  -AccessKey   "your-storage-account-access-key"

# Verify quorum configuration
Get-ClusterQuorum

# Check dynamic quorum and dynamic witness status
(Get-Cluster).DynamicQuorum   # Should be 1 (enabled)
(Get-Cluster).DynamicWitness  # Should be 1 (enabled)

# Verify each node's vote weight
Get-ClusterNode | Select-Object Name, State, NodeWeight, DynamicWeight

Dynamic Quorum is enabled by default on Windows Server 2025. It adjusts node vote weights automatically as nodes join and leave the cluster, reducing the risk of the cluster going offline during rolling maintenance. Keep it enabled unless you have a documented reason to override it. Dynamic Witness works in parallel: if the witness is the deciding factor for quorum, Dynamic Witness keeps it active. If it's not needed for a given cluster state, the witness vote weight is suppressed until needed.

4. Storage Architecture Decision Guide

Storage Spaces Direct and SAN-based storage are not competing choices where one is always right. They solve different problems and have different operational profiles. Here's the honest comparison.

FactorStorage Spaces Direct (S2D)SAN (iSCSI or FC)
Capital costLower for new deployments: no external storage array. Higher for the servers themselves (NVMe drives, fast NICs)Higher upfront SAN hardware cost. Often lower server cost since servers don't carry storage.
Operational modelStorage and compute in the same servers. Simpler to manage when done well, complex when storage health requires attention during VM operations.Separate storage team manages the SAN. Well-understood operational model in traditional IT shops.
Scale2 to 16 nodes. Scale by adding nodes. Can't add storage independently of compute.Scale compute and storage independently. Add SAN capacity without adding servers.
ResilienceTwo-way mirror: survives 1 failure. Three way mirror (3+ nodes): survives 2 failures. Nested mirror accelerated parity available for larger deployments.Depends entirely on SAN configuration. Enterprise SANs typically offer better single device resilience but can have shared failure domains.
PerformanceNVMe based S2D on fast inter-node fabric can exceed most SANs. Performance degrades during resync after failures.All-flash SAN offers very consistent performance. No resync impact on compute nodes during storage failure recovery.
Edition requirementDatacenter Edition required on every nodeStandard Edition is sufficient for the cluster role. Datacenter for VM density benefits.
Windows Server 2025 new featuresThin provisioning, smart resync controls (5 priority levels), ReFS deduplication for VMs, Campus Clusters for stretched S2D, NVMe-oF initiator supportNVMe-oF initiator support in 2025 brings SAN-like performance over TCP fabric. S2D and SAN CSVs can now coexist in the same cluster (new in 2022/2025).

S2D Setup

S2D is enabled after the cluster is created. The -NoStorage flag on New-Cluster is critical: it prevents the cluster from claiming drives for general cluster storage before S2D takes over. If you omit it, S2D may not be able to claim the drives it needs.

PowerShell: Enable S2D and create volumes
# Enable Storage Spaces Direct
# Confirm prompt - this is irreversible; drives are consumed by the S2D pool
Enable-ClusterS2D -Confirm:$false

# Verify pool created and drives claimed
Get-StoragePool | Where-Object IsPrimordial -eq $false
Get-PhysicalDisk | Select-Object FriendlyName, MediaType, OperationalStatus, Usage

# Create a three-way mirror volume (requires 3+ nodes, tolerates 2 failures)
# Use thin provisioning (new in Windows Server 2025) to overcommit the pool
New-Volume -FriendlyName "VMs-Production" `
           -StoragePoolFriendlyName "S2D on HV-Cluster01" `
           -FileSystem CSVFS_ReFS `
           -Size 10TB `
           -ResiliencySettingName Mirror `
           -PhysicalDiskRedundancy 2 `
           -ProvisioningType Thin

# Create a two-way mirror volume (2 nodes, tolerates 1 failure)
New-Volume -FriendlyName "VMs-Dev" `
           -StoragePoolFriendlyName "S2D on HV-Cluster01" `
           -FileSystem CSVFS_ReFS `
           -Size 2TB `
           -ResiliencySettingName Mirror `
           -PhysicalDiskRedundancy 1 `
           -ProvisioningType Thin

# Verify volumes are CSVs and mounted on all nodes
Get-ClusterSharedVolume | Select-Object Name, State, SharedVolumeInfo

SAN-Based Setup (iSCSI or FC)

PowerShell: Add SAN LUNs to cluster and configure as CSVs
# For iSCSI: Connect initiators on each node first
# Ensure the iSCSI initiator is running and connected to the target on all nodes
Start-Service msiscsi
Set-Service msiscsi -StartupType Automatic

# Connect to iSCSI target (run on each node)
New-IscsiTargetPortal -TargetPortalAddress "192.168.100.10"
Connect-IscsiTarget -NodeAddress "iqn.2025-01.com.example:storage01" -IsPersistent $true

# Initialize and prepare disks - run once from one node after all nodes are connected
# Disks should appear as Available Storage in Failover Cluster Manager
Get-ClusterAvailableDisk | Add-ClusterDisk

# Convert clustered disks to CSVs
# Format as NTFS first (SAN volumes), then add to CSV
Get-ClusterDisk | Where-Object {
    $_.State -eq "Online" -and $_.IsClustered -eq $true
} | Add-ClusterSharedVolume

# Verify CSVs accessible on all nodes at C:\ClusterStorage\
Get-ClusterSharedVolume | Select-Object Name, State, SharedVolumeInfo
Windows Server 2022 and 2025 support S2D and SAN CSVs coexisting in the same cluster. You can have S2D volumes formatted as ReFS and SAN volumes formatted as NTFS both active as CSVs simultaneously. S2D volumes must use ReFS before adding to CSV. SAN volumes must use NTFS. If you're migrating an existing SAN-based cluster to add S2D without replacing everything at once, this coexistence support is what makes a phased transition possible. Live migration of VM storage between S2D and SAN CSVs works without VM downtime.

5. Hyper-V Configuration and Live Migration

Virtual Switch and VM Default Paths

PowerShell: Configure Hyper-V host defaults on each node
# Run on each node (or via Invoke-Command)
# Point default VM and VHD paths to your CSV volume
Set-VMHost -VirtualMachinePath "C:\ClusterStorage\VMs-Production"
Set-VMHost -VirtualHardDiskPath "C:\ClusterStorage\VMs-Production"

# Set live migration authentication to Kerberos
# Required on Windows Server 2025 - CredSSP is broken by Credential Guard
Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos

# Set live migration performance option
# Compression: default, good balance for 10 GbE without RDMA
# SMB: use when RDMA is available on the live migration network (highest throughput)
Set-VMHost -VirtualMachineMigrationPerformanceOption Compression

# Set maximum simultaneous live migrations
# Default is 2. Increase for large environments with fast LM networks.
# Don't exceed the number of physical NICs in the live migration path
Set-VMHost -MaximumVirtualMachineMigrations 4
Set-VMHost -MaximumStorageMigrations 2

Kerberos Constrained Delegation for Live Migration

Switching to Kerberos authentication for live migration requires configuring constrained delegation in Active Directory for each node's computer account. This is the step most guides bury in a footnote but that will block every live migration if you skip it.

PowerShell: Configure Kerberos constrained delegation for live migration (run on a domain controller or with AD RSAT)
# Run from a machine with Active Directory module and Domain Admin rights
# Repeat for each pair of nodes: each node must delegate to every other node

$nodes = "HV-Node1", "HV-Node2", "HV-Node3", "HV-Node4"

foreach ($sourceNode in $nodes) {
    $sourceAccount = Get-ADComputer -Identity $sourceNode
    $delegationTargets = @()

    foreach ($destNode in $nodes) {
        if ($destNode -ne $sourceNode) {
            # Allow source to delegate Microsoft Virtual System Migration Service to dest
            $delegationTargets += "Microsoft Virtual System Migration Service/$destNode"
            $delegationTargets += "Microsoft Virtual System Migration Service/$destNode.domain.local"
            # Also allow CIFS delegation if you need storage live migration
            $delegationTargets += "cifs/$destNode"
            $delegationTargets += "cifs/$destNode.domain.local"
        }
    }

    Set-ADComputer -Identity $sourceAccount `
                   -Add @{ "msDS-AllowedToDelegateTo" = $delegationTargets }

    Write-Host "Delegation configured for $sourceNode -> $($nodes -ne $sourceNode -join ', ')"
}

# Force AD replication and verify
Sync-ADObject -Object (Get-ADComputer "HV-Node1").DistinguishedName -Destination (Get-ADDomainController)
(Get-ADComputer "HV-Node1" -Properties "msDS-AllowedToDelegateTo")."msDS-AllowedToDelegateTo"

VM Placement: Preferred Owners and Anti-Affinity

Hyper-V clustering doesn't have a built-in equivalent of vSphere DRS for fully automated load balancing. What it does have is preferred owners, possible owners, and anti-affinity rules for controlling where VMs run and how the cluster places them after a failover.

PowerShell: Set preferred owners, possible owners, and anti-affinity groups
# Run from any cluster node or a management station with RSAT-Clustering-PowerShell installed

# Preferred owner: which node the VM prefers to run on after cluster restart
# The VM will still fail over to other nodes if the preferred node is unavailable
Set-ClusterOwnerNode -Group "VM: SQL-Primary" -Owners "HV-Node1","HV-Node2"

# Possible owners: which nodes are allowed to run this VM at all
# Use this to prevent a VM from failing over to nodes that lack a required license
# or resource (e.g. GPU, specific storage path)
Set-ClusterOwnerNode -Resource "VM: SQL-Primary" -Owners "HV-Node1","HV-Node2","HV-Node3"

# Anti-affinity: prevent VMs from running on the same node simultaneously
# Windows Server 2025 uses AntiAffinityClassNames for this
# VMs with the same anti-affinity class name won't run on the same node after failover
(Get-ClusterGroup "VM: SQL-Primary").AntiAffinityClassNames   = "SQL-HA-Pair"
(Get-ClusterGroup "VM: SQL-Secondary").AntiAffinityClassNames = "SQL-HA-Pair"

# Verify placement
Get-ClusterGroup | Where-Object { $_.GroupType -eq "VirtualMachine" } |
    Select-Object Name, OwnerNode, State | Sort-Object OwnerNode

6. Stretch Clusters and Multi-Site Considerations

A stretched cluster spans two physical sites. VMs can run at either site, and if a site fails, VMs restart at the surviving site automatically. Windows Server 2025 has improved the live migration network selection logic specifically to handle multi-site scenarios where there's no common subnet between nodes in different sites. Previously this caused routed paths to go undiscovered and live migrations between sites to fail intermittently.

Quorum for Stretched Clusters

The witness placement in a stretched cluster matters more than anything else. The witness must be in a third location, not at either production site. A Cloud Witness in a separate Azure region is the right choice for most stretched cluster deployments. If the witness is at Site A and Site A fails, you lose both the witness and half your nodes simultaneously, which means quorum may not survive depending on how votes are distributed.

The recommended stretched cluster vote distribution: equal nodes at each site, plus a Cloud Witness in a third region. With 2 nodes per site and a Cloud Witness, that's 5 total votes. Losing Site A means losing 2 votes, leaving 3 of 5 votes active at Site B plus the witness. Cluster survives.

S2D Campus Clusters

Windows Server 2025 introduces Campus Clusters for S2D, which extends S2D across two racks or two buildings connected by a low latency, high bandwidth link. It uses a four way mirror resiliency configuration that can survive the loss of an entire rack of nodes while maintaining data availability. The nodes are grouped into sites and racks within S2D's topology, and the pool allocates storage to ensure each copy of data lands in a different rack.

PowerShell: Configure S2D Campus Cluster site and rack topology
# After creating the cluster with -NoStorage and before enabling S2D,
# configure the site and rack topology so S2D knows how to distribute copies

# Define sites
New-ClusterFaultDomain -Name "Site-Primary"   -Type Site -Description "Primary datacenter"
New-ClusterFaultDomain -Name "Site-Secondary" -Type Site -Description "Secondary building"

# Define racks within each site
New-ClusterFaultDomain -Name "Rack-1" -Type Rack -Parent "Site-Primary"
New-ClusterFaultDomain -Name "Rack-2" -Type Rack -Parent "Site-Secondary"

# Assign nodes to racks
Set-ClusterFaultDomain -Name "HV-Node1" -Parent "Rack-1"
Set-ClusterFaultDomain -Name "HV-Node2" -Parent "Rack-1"
Set-ClusterFaultDomain -Name "HV-Node3" -Parent "Rack-2"
Set-ClusterFaultDomain -Name "HV-Node4" -Parent "Rack-2"

# Verify topology
Get-ClusterFaultDomain | Select-Object Name, Type, Parent

# Now enable S2D - it will detect the multi-rack topology and
# prompt to set rack fault tolerance on the storage pool
# Answer Y to enable four way mirror resiliency across racks
Enable-ClusterS2D -Confirm:$false

# Update the storage pool to latest version after S2D is enabled
Get-StoragePool S2D* | Update-StoragePool

# Create a volume using nested mirror for campus cluster resilience
# NestedMirror provides two-way mirror within each site, plus mirroring between sites
New-Volume -FriendlyName "VMs-CampusHA" `
           -StoragePoolFriendlyName "S2D on HV-Cluster01" `
           -FileSystem CSVFS_ReFS `
           -Size 5TB `
           -ResiliencySettingName Mirror `
           -PhysicalDiskRedundancy 3 `
           -ProvisioningType Thin

Cluster Rolling OS Upgrade

Windows Server 2025 supports cluster rolling OS upgrades from Windows Server 2022 without downtime. You drain each node, upgrade it to 2025, add it back, and move to the next node. The cluster functional level stays at the 2022 level until all nodes are upgraded, at which point you upgrade the functional level explicitly. This is a new feature that finally brings Windows Server clusters in line with what VMware vSphere has offered for years in terms of rolling upgrade support.

PowerShell: Complete the cluster functional level upgrade after all nodes are on 2025
# After all nodes are upgraded to Windows Server 2025:

# Verify all nodes are running 2025 before upgrading functional level
Get-ClusterNode | ForEach-Object {
    $os = Invoke-Command -ComputerName $_.Name -ScriptBlock {
        (Get-CimInstance Win32_OperatingSystem).Caption
    }
    [PSCustomObject]@{ Node = $_.Name; OS = $os }
}

# Check current cluster functional level
Get-Cluster | Select-Object Name, ClusterFunctionalLevel

# Upgrade to Windows Server 2025 functional level
# This is irreversible - ensure all nodes are on 2025 before running
Update-ClusterFunctionalLevel -Confirm:$false

# Verify upgrade
Get-Cluster | Select-Object Name, ClusterFunctionalLevel

Key Takeaways

  • Windows Server 2025 enables Credential Guard by default on domain-joined servers, breaking CredSSP live migration. Configure Kerberos constrained delegation before upgrading any production node from an earlier OS version.
  • LBFO teams can no longer be attached to a Hyper-V virtual switch on Windows Server 2025. SET (Switch Embedded Teaming) is the only supported option. LBFO to SET migration requires rebuilding virtual switches. There's no in-place conversion path.
  • Use a converged SET switch with separate vNICs per traffic type (management, cluster, live migration, VM, storage) assigned to VLANs and QoS minimum bandwidth weights. Map the SMB storage vNICs to specific physical NICs using Set-VMNetworkAdapterTeamMapping for correct RDMA affinity.
  • Always run Test-Cluster before New-Cluster and fix every failure. Warnings are acceptable. Failures are not. The validation report is your support evidence with Microsoft.
  • Use -NoStorage when creating a cluster that will use S2D. Omit it for SAN-based clusters where the cluster should claim shared disks automatically.
  • Quorum witness placement is critical in stretched clusters. The witness must be in a third location, not at either site. Cloud Witness in a separate Azure region is the right choice for most multi-site deployments.
  • S2D on Windows Server 2025 adds thin provisioning, five level resync priority controls, ReFS deduplication for VM workloads, and Campus Clusters for stretched two-rack S2D deployments with four way mirror resilience.
  • S2D and SAN CSVs can now coexist in the same Windows Server 2025 cluster. S2D volumes must be ReFS. SAN volumes must be NTFS. VM storage live migration between S2D and SAN CSVs works without VM downtime, enabling phased transitions.
  • Anti-affinity in Windows Server 2025 clusters uses AntiAffinityClassNames on cluster groups. VMs sharing the same class name won't be placed on the same node after failover. This is the Hyper-V equivalent of VM-to-VM anti-affinity rules in vSphere.

Read more