Milestone Management Server Failover
Active-Passive HA for Management Server Service + SQL
Executive Summary
Milestone XProtect provides Management Server High Availability [1] through a built-in active-passive mechanism available in its higher-tier editions. The standby node continuously monitors the Management Server service on the primary and automatically takes over if the service or its SQL dependency becomes unavailable. While this ensures continuity of system configuration and management functions, failover introduces a short service interruption and requires one-to-one standby pairing. Other services that may run on the Management Server, such as Event, Log, or Mobile, only fail over if co-hosted, but their individual failure does not trigger the mechanism. This approach protects against management service, hardware, and SQL outages. Still, it inherits the limitations of passive architectures, including non-zero failover time, potential gaps in consistency, and cybersecurity risks associated with shared trust.

*As of Sept 2025.
Failover

When the primary management server fails, the standby node automatically takes over after a detection period (~30 seconds) plus service startup time, keeping VMS operations available.
Consistency
When SQL is co-hosted with the Management Service, the solution utilizes replication to keep SQL databases and VMS configurations in sync between nodes, ensuring the standby can provide access to system data after failover. However, short gaps may still occur during the switchover.
Cybersecurity
A compromise of one node or mirrored database can propagate corruption or encryption to the other, expanding the blast radius.

Ransomware-Locked Data Pages

Rogue Admin Account Creation

Stealth Procedure Injection

Privilege Escalation

Configuration Wipeout

Standby Disk Overfill
Efficiency
Efficiency is one-to-one: each primary Management Server requires its own dedicated standby node.
References
[1] Milestone Systems. XProtect Management Server Failover 2025 R2.
