Mixed up in Hyper-V network configuration

Hello, let's get straight to the point.  This is the infrastructure that I'm trying to obtain (IP addresses fictitious):

I have 2 brand new (and powerful) servers running Windows server 2008 Enterprise.

Server 1 acts as main server.  Server 2 will act as a backup with failover clustering of Server 1.

On Server 1, a domain is created for the main office, with around 30 users.  That server has DNS, DHCP and file sharing roles.  Hyper-V role is also added, but no virtual machine is yet created on it.  The server itself has 6 network ports, spread over 3 double-port NICs.

(fictitious IPs):

Port 1: 10.13.224.9 (active, principal connection)
Port 2: 10.13.224.4 (inactive at the moment, plan to use it in the cluster)
Port 3: 10.13.224.5 (inactive at the moment)
Port 4: 10.13.224.6 (inactive at the moment)
Port 5: 10.13.224.7 (inactive at the moment)
Port 6: 10.13.224.8 (inactive, but renamed as "Hyper-V physical connection", as I intend to use it as the physical link of Hyper-V).

Subnet 255.255.255.0 on all NICs.

For the main office, everything works well, users connect, access the shares and all.  My problems come from my Hyper-V configuration.  Being somewhat of a newbie with the product and with virtualization, I'm just stuck with how to configure the networking part.  What I want for the VM:

- Will host Server Standard 2003
- Will be the DC of a NEW domain, with 6 users who will use it as their main server for file shares, authentication, printing.

The VM will use the host server's access to the Internet to connect to the Internet itself and share it to the machines connecting to it.  While this is possible, the users of the new domain will only interact with the VM, and not the host's domain, users and shares.  

Basically, 2 domains, 1 on a VM with computers connecting to it, but Internet shared between both through the host's connection.

What I can't figure out is how to configure the IP addressing both on the host and on the VM so the VM connects to the Internet through the host machine, and how to configure the users' computers that will only use the VM's domain to only connect to that machine and not the host, basically using only the NIC dedicated to the VM.  

Am I making any sense?  

Please help!

Thank you!



francoisroseAsked:
Zenith63Commented:
When you say share the Internet, is there some form of proxy server running on the host machine that the VM needs to go through, or is there just a NAT firewall/router on the LAN with an IP in the range 10.13.224.x?  If a firewall/router with an IP address, what type is it?
It's probably a bit late now, but are you aware the host should not have anything running on it other than the Hyper-V role?  I know it's a bit of an overhead, but really in this instance you should have created two VMs, one for each AD domain.
 
0
francoisroseAuthor Commented:
Hello,

No, there's no proxy.  The gateway is on the same IP range, and is a fibre-optic to Ethernet converter (constantly connected).

As for your second comment, I understand that, but since the VM is really running a minimal configuration, and since clustering will be used anyway, I figured that it would be OK to work the way I am.

I am not done with the configs, so nothing is for sure yet.  I can still reinstall with minimal configs and hyper-v role only.  It still doesn't tell me how to configure the network though lol.

Thank you.
0
Zenith63Commented:
It depends on the level of separation you're trying to achieve between the two Active Directories.

The first problem is that the gateway has an IP of say 10.13.224.254.  If you're not going to use any form of proxy then all servers and all PCs need to be able to use this as their default gateway if they're going to get Internet access, so all servers and all users need to be on the same subnet as that IP, so 10.13.224.x.  Depending on the gateway in question it may be able to have two LAN IPs in different subnets which changes this, but there's no point in my guessing at that.

The simplest way:
Give the host server an IP like 10.13.224.8 on its interface to the LAN (a Virtual Network Adapter once the Hyper-V role is installed), give the VM an IP like 10.13.224.9 on its interface to the LAN (the Virtual Network Adapter) and give all PCs IPs in the range 10.13.224.x.  On PCs that are to use the host's Active Directory set their Primary DNS server to 10.13.224.8, on PCs that are to use the VM's Active Directory set their Primary DNS server to 10.13.224.9.  This will work straightaway but there are some obvious downsides -
- No physical separation of the two Active Directory domains and their PCs.  In theory a user from one AD can browse to a PC/Server of the other, though provided they don't have a matching AD user account they won't gain access.
- DHCP is only useful for giving out IPs, you will have to set the DNS settings manually on each PC as the DHCP server won't be able to differentiate who to give what DNS settings to.
- Users will probably end up with multiple choices of the domain they want to log on to at logon.  Again no major deal if there is no cross-over of user accounts.

If these downsides aren't acceptable in your scenario you're going to have to look further into the capabilities of your gateway.  Some firewalls would allow the LAN interface to have two separate IP addresses in different subnets, in which case you could leave all your PCs/Servers on the one LAN/switch, but give the VM server an IP like 10.13.225.9 and give its PCs IPs in the same subnet.  The downsides here are -
- DHCP is even less useful as it won't be able to determine what IPs to give each computer, never mind what DNS settings.
- A computer-savvy user could easily figure out to give his PC a second IP in the other range and gain access to the second server.  Again mitigated by decent passwords though.

The best solution is that the gateway has two physically separate LAN interfaces that don't allow traffic between the ports and can be given different IPs.  In this case you connect the host server and its PCs up to a separate switch that is connected to one LAN interface of the gateway, you connect the VM server's NIC to another switch along with its PCs and hook that up to the second LAN interface on the gateway.  In this case DHCP will work to its full advantage as there is no crosstalk between LANs.  You've got physical separation so no chance of somebody accessing the other server without actually unplugging themselves from their switch.
This could be achieved with a router or even ISA Server installed on one of the boxes if you wanted to go down that road.

I hope that's of some use.  I haven't implemented your exact scenario before, but I've done a few similar so this is the way I'd do it, though there may be others...
0
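The "simplest way" above leaves both domains on one 10.13.224.0/24 segment, so the only thing steering a PC to one DC or the other is its DNS server setting, and the DHCP scope on the host cannot tell the two groups apart.  The following script, an added example that is not part of the thread and not the poster's or the expert's own configuration, shows how that is usually handled in practice on Windows Server 2008 and its clients: the host's DHCP scope keeps handing out addresses and the host's DNS to the main-office PCs, a small address block is excluded from the scope, and each VM-domain PC gets a static address from that block with the VM as its only DNS server.  The addresses follow the answer above (host 10.13.224.8, VM 10.13.224.9); the gateway 10.13.224.254, the excluded block .20-.29, the adapter name, the per-PC address and the domain name `newdomain.local` are assumptions for illustration.

```powershell
# Added example (not from the thread).  Assumed addresses, per the answer above:
#   host DC/DNS/DHCP = 10.13.224.8   VM DC/DNS = 10.13.224.9   gateway = 10.13.224.254
# All netsh calls need an elevated prompt.

$HostDns     = '10.13.224.8'
$VmDns       = '10.13.224.9'
$Gateway     = '10.13.224.254'   # assumption: LAN address of the fibre converter
$Mask        = '255.255.255.0'
$ScopeId     = '10.13.224.0'     # assumption: the existing scope on the host
$StaticStart = '10.13.224.20'    # assumption: .20-.29 reserved for the VM-domain PCs
$StaticEnd   = '10.13.224.29'

# ---- Part 1: run on the host (the DHCP server) ----
# Exclude the static block so no main-office DHCP client is ever leased one of
# those addresses and collides with a VM-domain PC.
netsh dhcp server $HostDns scope $ScopeId add excluderange $StaticStart $StaticEnd
# Scope options for the main-office PCs: DNS = host (006), default router = gateway (003).
netsh dhcp server $HostDns scope $ScopeId set optionvalue 006 IPADDRESS $HostDns
netsh dhcp server $HostDns scope $ScopeId set optionvalue 003 IPADDRESS $Gateway
# Review the result: the exclusion range must appear and no lease may fall inside it.
netsh dhcp server $HostDns scope $ScopeId show excluderange
netsh dhcp server $HostDns scope $ScopeId show clients

# ---- Part 2: run on each VM-domain PC (Vista/7/2008; XP uses "interface ip") ----
$Nic  = 'Local Area Connection'  # assumption: default adapter name
$PcIp = '10.13.224.21'           # assumption: one distinct address per PC from the excluded block
# Static address, same subnet as the gateway so Internet access still works ...
netsh interface ipv4 set address "$Nic" static $PcIp $Mask $Gateway
# ... but DNS points only at the VM, so this PC finds only the new domain's DC.
netsh interface ipv4 set dnsservers "$Nic" static $VmDns primary
# Checks: the PC must resolve the new domain's DC locator records through the VM,
# and must NOT be carrying any DHCP-supplied DNS entry for the host.
nslookup -type=SRV _ldap._tcp.dc._msdcs.newdomain.local $VmDns
netsh interface ipv4 show dnsservers "$Nic"
```

The exclusion range is the part that is easy to forget: without it, a static PC and a DHCP lease can end up on the same address, and the symptom (intermittent logon failures on whichever PC loses the ARP race) looks like a domain problem rather than an addressing one.  As the answer notes, this layout gives no network separation at all; a VM-domain user who changes their DNS server to 10.13.224.8 sees the host's domain, and only account credentials and share permissions stand in the way, so the physically separate switches and gateway interfaces described above remain the option to aim for.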

francoisroseAuthor Commented:
If I set up the IPs of the computers connecting to the VM manually (around 5 machines), specifying the DNS to be the VM's IP, can I leave DHCP on for the other machines that are connecting to my host, so that they get the addresses dynamically, with the DNS being the host's?
0
francoisroseAuthor Commented:
Thank you, everything works well now :)
0