Mixed up in Hyper-V network configuration

francoisrose used Ask the Experts™
Hello, let's get straight to the point.  This is the infrastructure that I'm trying to obtain (ip adresses fictive):

I have 2 brand new (and powerful) servers running Windows server 2008 Enterprise.

Server 1 acts as main server.  Server 2 will act as a backup with failover clustering of Server 1.

On Server 1, a domain is created for the main office, with around 30 users.  That server has DNS, DHCP and file sharing roles.  Hyper-V role is also added, but no virtual machine is yet created on it.  The server itself has 6 network ports, spread over 3 double-port NICS.

(fictive IPs):

Port 1: (active, principal connection)
Port 2: (inactive at the moment, plan to use it in the cluster)
Port 3: (inactive at the moment)
Port 4: (inactive at the moment)
Port 5: (inactive at the moment)
Port 6: (inactive, but renamed as "Hyper-V physical connection", as I intend to use it as the physical link of Hyper-V).

Subnet on all nics.

For the main office, everything works well, users connect, access the shares and all.  My problems come from my Hyper-V configuration.  Being somewhat a newbie with the product and with virtualization, I'm just stuck with how to configure the networking part.  What I want for the VM:

- Will host Server Standard 2003
- Will be the DC of a NEW domain, with 6 users who will use it as their main server for file shares, authentication, printing.

The VM will use the host server's access to the Internet to connect to the Internet itself and share it to the machines connecting to it.  While this is possible, the users of the new domain will only interact with the VM, and not the host's domain, users and shares.  

Basically, 2 domains, 1 on a VM with computers connecting to it, but Internet shared between both through the host's connection.

What I can't figure out is how to configure the IP addressing both on the host and on the VM so the VM connects to the Internet of the host's machine, and how to configure the users' computer that will only use the VM's domain to only connect to that machine and not the host, basically using only the nic dedicated to the VM.  

Am I making any sense?  

Please help!

Thank you!

Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

When you say share the Internet, is there some form of proxy server running on the host machine that the VM needs to go through, or is there just a NAT firewall/router on the LAN with an IP in the range 10.13.224.x?  If a firewall/router with an IP address, what type is it?
It's probably a bit late now, but are you aware the host should not have anything running on it other then the HyperV role?  I know it's a bit of an overhead, but really in this instance you should have created two VMs, one for each AD domain.



No, there's no proxy.  The gateway is on the same ip range, and is a fiber optics to ethernet converter (constantly connected).

As for your second comment, I understand that, but since the vm is really running a minimal configuration, and that clustering will be used anyways, I figured that it would be ok to work the way I am.

I am not done with the configs, so nothing is for sure yet.  I can still reinstall with minimal configs and hyper-v role only.  It still doesn't tell me how to configure the network though lol.

Thank you.
It depends on the level of seperation you're trying to achieve between the two Active Directories.

The first problem is that the gateway has an IP of say  If you're not going to use any form of proxy then all servers and all PCs need to be able to use this as their default gateway if they're going to get Internet access, so all servers and all users need to be on the same subnet as that IP, so 10.13.224.x.  Depending on the gateway in question it may be able to have two LAN IPs in different subnets which changes this, but there's no point in my guessing at that.

The simplest way:
Give the host sever an IP like on its interface to the LAN (a Virtual Network Adapter once HyperV role is installed), give the VM an IP like on its interface to the LAN (the Virtual Network Adapter) and give all PCs IPs in the range 10.13.224.x.  On PCs that are to use the host's Active Directory set their Primary DNS server to, on PCs that are to use the VM's Active Directory set their Primary DNS server to  This will work straightaway but there are some obvious downsides -
- No physical seperation of the two Active Directory domains and their PCs.  In theory a user from one AD can browse to a PC/Server of the other, though provided they don't have a matching AD user account they won't gain access.
- DHCP is only useful for giving out IPs, you will have to set the DNS settings manually on each PC as the DHCP server won't be able to differenciate who to give what DNS settings to.
- Users will probably end up with multiple choices of the domain they want to log on to at logon.  Again no major deal if there is no cross over of user accounts.

If these downsides aren't acceptable in your scenario you're going to have to look further into the capabilities of your gateway.  Some firewalls would allow the LAN interface have two seperate IP addresses in different subnets, in which case you could leave all your PCs/Servers on the one LAN/switch, but give the VM server an IP like and give it's PCs IPs in the same subnet.  The downsides here are -
- DHCP is even less useful as it won't be able to determine what IPs to give each computer, nevermind what DNS settings.
- A computer savvy user could easily figure out to give his PC a second IP in the other range and gain access to the second server.  Again mitigated by decent passwords through.

The best solution is that the gateway has two physically seperate LAN interfaces that don't allow traffic between the ports and can be given different IPs.  In this case you connect the host server and its PCs up to a seperate switch that is connected to one LAN interface of the gateway, you connect the VM server's NIC to another switch along with its PCs and hook that up to the second LAN interface on the gateway.  In this case DHCP will work to its full advantage as there is no crosstalk between LANs.  You've got physical seperation so no chance of somebody accessing the other server without actually unplugging themselves from their switch.
This could be achieved with a router or even ISA Server installed on one of the boxes if you wanted to go down that road.

I hope that's of some use.  I haven't implemented your exact scenario before, but I've done a few similar so this is the way I'd do it, though there may be others...


If I set up manually the Ips of the computer connecting to the VM (around 5 machines), specifying the DNS to be the VM's ip, can I leave the DHCP on for the other machines that are connecting on my host, so that they get the adresses dynamically, with the DNS being the host's?


Thank you, everything works well now :)

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial