Solved

Best Practice for Hyper-V Hosts in domains

Posted on 2013-06-07
Last Modified: 2014-11-12
I have 3 Hyper-V hosts servers that I recently upgraded to Windows Server 2012. These hosts run the majority of my domain servers as VMs. I have a primary DC in a separate physical box that also provides my DHCP. The 2nd DC is a VM.

Each Hyper-V host server has 2 NICs. Originally, I set up the Hyper-V host servers with the Management NIC on a private subnet that was isolated from the domain and on each virtual switch, I unchecked the "Allow management operating system to share this network adapter". My understanding was that it was best practice to keep the Hyper-V hosts isolated from the domain for security purposes.

Now, I am reading many posts where the Hyper-V host servers are actually joined to the same domain that the hosted VMs are in. As I understand it, this is done to facilitate easier Hyper-V host management.

Which is the current best practice approach?

I would like the Hyper-V hosts on the domain so that I could manage them from the same workstation that I use to manage the server VMs and other domain resources. I could also team the two network adapters in each Hyper-V server for better network performance/resilience.

Thanks,

Dave
Question by:dcadler
4 Comments
 
LVL 39

Accepted Solution

by:
Philip Elder earned 1000 total points
ID: 39229130
Have more than 2 NICs available for one.
Team them for another and then attach the vSwitch leaving the host OS access so that they both share the teamed NICs.

Our preference is for a minimum of 4 NICs, preferably with two h/w setups, and Intel only.

For standalone situations where there is only one host we leave them workgroup and use HVRemote to configure both the host and a management system.
EDIT: Forgot the link: http://bit.ly/13pOYph

We've seen enough issues when the only DC is offline when trying to manage the host.

In your case, where there are two DCs on separate hosts you can indeed join the domain and then use RSAT on a Windows desktop OS machine to manage.

AzMan can be used to further fine-tune permissions for folks that can manage, say, one VM but not the whole host.
http://bit.ly/14FlSzO

Philip
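The configuration Philip describes (team the NICs, then bind the vSwitch to the team while leaving the host OS access enabled) expressed in Windows Server 2012 PowerShell, as an added example that is not part of the thread or any poster's own code. It also puts the host's management vNIC on its own tagged VLAN, the separation the asker settles on in his closing comment, so host management traffic stays apart from tenant VM traffic even though the physical team is shared. The adapter names `NIC1`/`NIC2`, the team and switch names, and VLAN ID 10 are assumptions for the example; substitute your own values.

```powershell
# Added example (not from the thread): team two NICs on a Hyper-V host, bind an
# external vSwitch to the team, and give the management OS its own tagged vNIC.
# Adapter names, team/switch names and the VLAN ID are assumed values for this
# example; take the real adapter names from Get-NetAdapter on the host.

$members    = @('NIC1', 'NIC2')   # assumed physical adapter names
$teamName   = 'HV-Team'           # assumed
$switchName = 'vSwitch-Team'      # assumed
$mgmtVlan   = 10                  # assumed management VLAN ID

# 1. Sanity check: every team member must exist and be 'Up' before teaming,
#    otherwise the team comes up degraded and the host may lose connectivity.
$adapters = Get-NetAdapter -Name $members -ErrorAction Stop
$down = $adapters | Where-Object { $_.Status -ne 'Up' }
if ($down) {
    throw "Team members not 'Up': $($down.Name -join ', ')"
}

# 2. Create the team. Switch-independent mode needs no switch-side LACP config;
#    HyperVPort load balancing is the 2012 choice when a vSwitch sits on the team
#    ('Dynamic' only exists from 2012 R2 onward).
$team = Get-NetLbfoTeam -Name $teamName -ErrorAction SilentlyContinue
if (-not $team) {
    $team = New-NetLbfoTeam -Name $teamName -TeamMembers $members `
        -TeamingMode SwitchIndependent -LoadBalancingAlgorithm HyperVPort -Confirm:$false
}

# 3. Bind an external vSwitch to the team's virtual adapter.
#    -AllowManagementOS $true is the PowerShell equivalent of the
#    "Allow management operating system to share this network adapter" check box.
#    Do this from an out-of-band session (console/iLO/DRAC): binding the host's
#    only NICs to a new switch drops its network connectivity for a moment.
if (-not (Get-VMSwitch -Name $switchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $switchName -NetAdapterName $team.Name -AllowManagementOS $true | Out-Null
}

# 4. Isolate host management traffic on its own VLAN. New-VMSwitch creates one
#    host vNIC named after the switch; rename it and tag it with the management
#    VLAN so the host is reachable only through that VLAN's ACLs.
$mgmtNic = Get-VMNetworkAdapter -ManagementOS -SwitchName $switchName
Rename-VMNetworkAdapter -ManagementOS -Name $mgmtNic.Name -NewName 'Management'
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName 'Management' -Access -VlanId $mgmtVlan

# 5. Verify what the host ended up with: team state, host vNICs, and VLAN tags.
Get-NetLbfoTeam -Name $teamName | Select-Object Name, Status, TeamingMode, LoadBalancingAlgorithm
Get-VMNetworkAdapter -ManagementOS | Select-Object Name, SwitchName, Status
Get-VMNetworkAdapterVlan -ManagementOS | Select-Object ParentAdapter, OperationMode, AccessVlanId
```

If the host should instead stay off the shared team entirely (the asker's original design), replace step 4 with `Set-VMSwitch -Name $switchName -AllowManagementOS $false` and keep a dedicated physical NIC for management; the check in step 1 and the out-of-band session in step 3 apply either way.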
LVL 20

Assisted Solution

by:Svet Paperov
Svet Paperov earned 1000 total points
ID: 39231608
From a security point of view I would say that your design is the better one. The main advantage is that you can control who can access the server, and from where, via an ACL on the router; you could even block any Internet access from that server and leave it without an anti-virus.

For remote management you could set up HVRemote http://code.msdn.microsoft.com/windowsdesktop/Hyper-V-Remote-Management-26d127c6 

If, on the other hand, you had a big Hyper-V shop with many servers, then yes, it would be wise to set up a dedicated domain for Hyper-V management.
LVL 56

Expert Comment

by:McKnife
ID: 39233585
Hi.

"isolated from the domain for security purposes" - now what should that mean in detail? Please link that statement you read. What should get more secure because it's not on the domain and why?

Author Closing Comment

by:dcadler
ID: 39244475
I decided to add teaming to the server NICs and to keep the Hyper-V hosts on a separate VLAN as standalone rather than domain-connected. I also teamed the adapters on that VLAN to allow me to more easily move VMs from one server to another as needed. Thanks for all of your help.
