If you are using LDAP auth for your hypervisor (vsphere as an example) how do you auth after a kaboom event and your AD server VMs have not auto started.
I remember reading somewhere (prob /r/Sysadmin) that having one bare metal AD server just incase everything goes offline.
You use console to turn on embedded shell then Ctrl+Alt+Fn over to it (I forget whether it's on f1 or f2), then you can use esxcli and all the rest of that to fix it up.
Once you get enough networking/storage pieces sorted out you can get back into the management HTML UI and SSH
Then when you're done fixing, turn shell and SSH back off.
You connect directly to the ESXi host with root. Because you're going to have to boot up vCenter in addition to the DC anyway when you're using SSO. I would use DRS rules to prefer host1 for vCenter and the PDCe for that reason.
Only in the very early days of virtualization (2008-2012) did I recommend keeping a physical server around. I know a lot more now than I did then.
But anymore, I don't recommend using SSO for hypervisors or backup infrastructure. It's better to add another wall in front of an attacker trying to laterally move onto these critical platforms for ransom, data exfiltration, etc.
And in reality, these "kaboom events" aren't terribly common unless you've neglected some other part of your infrastructure.