

Mixed up in Hyper-V network configuration

Posted on 2008-11-11
Medium Priority
Last Modified: 2013-11-11
Hello, let's get straight to the point.  This is the infrastructure that I'm trying to obtain (IP addresses fictive):

I have 2 brand new (and powerful) servers running Windows server 2008 Enterprise.

Server 1 acts as main server.  Server 2 will act as a backup with failover clustering of Server 1.

On Server 1, a domain is created for the main office, with around 30 users.  That server has DNS, DHCP and file sharing roles.  Hyper-V role is also added, but no virtual machine is yet created on it.  The server itself has 6 network ports, spread over 3 double-port NICS.

(fictive IPs):

Port 1: (active, principal connection)
Port 2: (inactive at the moment, plan to use it in the cluster)
Port 3: (inactive at the moment)
Port 4: (inactive at the moment)
Port 5: (inactive at the moment)
Port 6: (inactive, but renamed as "Hyper-V physical connection", as I intend to use it as the physical link of Hyper-V).

Subnet on all nics.

For the main office, everything works well, users connect, access the shares and all.  My problems come from my Hyper-V configuration.  Being somewhat a newbie with the product and with virtualization, I'm just stuck with how to configure the networking part.  What I want for the VM:

- Will host Server Standard 2003
- Will be the DC of a NEW domain, with 6 users who will use it as their main server for file shares, authentication, printing.

The VM will use the host server's access to the Internet to connect to the Internet itself and share it to the machines connecting to it.  While this is possible, the users of the new domain will only interact with the VM, and not the host's domain, users and shares.  

Basically, 2 domains, 1 on a VM with computers connecting to it, but Internet shared between both through the host's connection.

What I can't figure out is how to configure the IP addressing both on the host and on the VM so the VM connects to the Internet of the host's machine, and how to configure the users' computer that will only use the VM's domain to only connect to that machine and not the host, basically using only the nic dedicated to the VM.  

Am I making any sense?  

Please help!

Thank you!

Question by:francoisrose
LVL 11

Expert Comment

ID: 22933078
When you say share the Internet, is there some form of proxy server running on the host machine that the VM needs to go through, or is there just a NAT firewall/router on the LAN with an IP in the range 10.13.224.x?  If a firewall/router with an IP address, what type is it?
It's probably a bit late now, but are you aware the host should not have anything running on it other than the HyperV role?  I know it's a bit of an overhead, but really in this instance you should have created two VMs, one for each AD domain.

Author Comment

ID: 22933192

No, there's no proxy.  The gateway is on the same ip range, and is a fiber optics to ethernet converter (constantly connected).

As for your second comment, I understand that, but since the vm is really running a minimal configuration, and that clustering will be used anyways, I figured that it would be ok to work the way I am.

I am not done with the configs, so nothing is for sure yet.  I can still reinstall with minimal configs and hyper-v role only.  It still doesn't tell me how to configure the network though lol.

Thank you.
LVL 11

Accepted Solution

Zenith63 earned 2000 total points
ID: 22933664
It depends on the level of separation you're trying to achieve between the two Active Directories.

The first problem is that the gateway has an IP of say  If you're not going to use any form of proxy then all servers and all PCs need to be able to use this as their default gateway if they're going to get Internet access, so all servers and all users need to be on the same subnet as that IP, so 10.13.224.x.  Depending on the gateway in question it may be able to have two LAN IPs in different subnets which changes this, but there's no point in my guessing at that.

The simplest way:
Give the host server an IP like on its interface to the LAN (a Virtual Network Adapter once HyperV role is installed), give the VM an IP like on its interface to the LAN (the Virtual Network Adapter) and give all PCs IPs in the range 10.13.224.x.  On PCs that are to use the host's Active Directory set their Primary DNS server to, on PCs that are to use the VM's Active Directory set their Primary DNS server to  This will work straightaway but there are some obvious downsides -
- No physical separation of the two Active Directory domains and their PCs.  In theory a user from one AD can browse to a PC/Server of the other, though provided they don't have a matching AD user account they won't gain access.
- DHCP is only useful for giving out IPs, you will have to set the DNS settings manually on each PC as the DHCP server won't be able to differentiate who to give what DNS settings to.
- Users will probably end up with multiple choices of the domain they want to log on to at logon.  Again no major deal if there is no cross over of user accounts.

If these downsides aren't acceptable in your scenario you're going to have to look further into the capabilities of your gateway.  Some firewalls would allow the LAN interface to have two separate IP addresses in different subnets, in which case you could leave all your PCs/Servers on the one LAN/switch, but give the VM server an IP like and give its PCs IPs in the same subnet.  The downsides here are -
- DHCP is even less useful as it won't be able to determine what IPs to give each computer, never mind what DNS settings.
- A computer savvy user could easily figure out to give his PC a second IP in the other range and gain access to the second server.  Again mitigated by decent passwords though.

The best solution is that the gateway has two physically separate LAN interfaces that don't allow traffic between the ports and can be given different IPs.  In this case you connect the host server and its PCs up to a separate switch that is connected to one LAN interface of the gateway, you connect the VM server's NIC to another switch along with its PCs and hook that up to the second LAN interface on the gateway.  In this case DHCP will work to its full advantage as there is no crosstalk between LANs.  You've got physical separation so no chance of somebody accessing the other server without actually unplugging themselves from their switch.
This could be achieved with a router or even ISA Server installed on one of the boxes if you wanted to go down that road.

I hope that's of some use.  I haven't implemented your exact scenario before, but I've done a few similar so this is the way I'd do it, though there may be others...
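
The three layouts in the answer above differ in whether the two domains share a subnet, share only a switch, or share neither. As an added example (not part of the original answer), this Python check audits an addressing plan for those conditions and for the two client settings the answer depends on: a default gateway on the client's own subnet and a primary DNS server that is the client's own DC. The `Host` fields, finding names, switch names and every address other than the 10.13.224.x range are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations

@dataclass
class Host:
    name: str
    domain: str    # Active Directory domain the machine belongs to
    iface: str     # LAN address as "ip/prefix"
    gateway: str   # default gateway
    dns: str       # primary DNS server
    segment: str   # physical switch / gateway LAN port it is plugged into

def subnet(h):
    return ipaddress.ip_interface(h.iface).network

def audit(hosts, dc_ip):
    """Return (subject, finding) pairs; dc_ip maps domain -> its DC/DNS IP."""
    findings = []
    for h in hosts:
        # A default gateway must be on the host's own subnet to be usable.
        if ipaddress.ip_address(h.gateway) not in subnet(h):
            findings.append((h.name, "gateway-off-subnet"))
        # Domain members find their DC through DNS, so it must be their own.
        if h.dns != dc_ip[h.domain]:
            findings.append((h.name, "dns-not-own-dc"))
    for a, b in combinations(hosts, 2):
        if a.domain == b.domain:
            continue
        if subnet(a) == subnet(b):
            # Simplest layout: only account permissions separate the domains.
            findings.append((f"{a.name}/{b.name}", "shared-subnet"))
        elif a.segment == b.segment:
            # Two subnets, one switch: a user can add a second IP and cross over.
            findings.append((f"{a.name}/{b.name}", "shared-switch"))
    return findings

# Constructed sample plan; every address below is illustrative.
DCS = {"main": "10.13.224.10", "new": "10.13.225.10"}

def sample_plan(vm_segment):
    return [
        Host("host-dc", "main", "10.13.224.10/24", "10.13.224.1", "10.13.224.10", "sw1"),
        Host("vm-dc", "new", "10.13.225.10/24", "10.13.225.1", "10.13.225.10", vm_segment),
        Host("new-pc1", "new", "10.13.225.21/24", "10.13.224.1", "10.13.224.10", vm_segment),
    ]

if __name__ == "__main__":
    print({seg: audit(sample_plan(seg), DCS) for seg in ("sw1", "sw2")})
```

In the sample, `new-pc1` is deliberately misconfigured with the other domain's gateway and DNS, so it is flagged in both runs; moving the VM's machines to `sw2` clears only the `shared-switch` findings.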

Author Comment

ID: 22934019
If I set up manually the IPs of the computer connecting to the VM (around 5 machines), specifying the DNS to be the VM's ip, can I leave the DHCP on for the other machines that are connecting on my host, so that they get the addresses dynamically, with the DNS being the host's?

Author Closing Comment

ID: 31515583
Thank you, everything works well now :)
