Samba is amazing, Windows server is a lot less so. The problem with Windows server is that it takes tons of steps to do basic things. On Samba I had Samba tool and it was very nice and friendly. On Windows server you have a ton of different management panels.
If there was a way I could hold off I would but due to changing requirements I didn’t have much of a choice. (We needed Windows Server bare metal and I was not about to go and buy another machine.)
You connect directly to the ESXi host with root. Because you’re going to have to boot up vCenter in addition to the DC anyway when you’re using SSO. I would use DRS rules to prefer host1 for vCenter and the PDCe for that reason.
Only in the very early days of virtualization (2008-2012) did I recommend keeping a physical server around. I know a lot more now than I did then.
But anymore, I don’t recommend using SSO for hypervisors or backup infrastructure. It’s better to add another wall in front of an attacker trying to laterally move onto these critical platforms for ransom, data exfiltration, etc.
And in reality, these “kaboom events” aren’t terribly common unless you’ve neglected some other part of your infrastructure.