• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 545

Best Practice for Hyper-V Hosts in domains

I have 3 Hyper-V hosts servers that I recently upgraded to Windows Server 2012. These hosts run the majority of my domain servers as VMs. I have a primary DC in a separate physical box that also provides my DHCP. The 2nd DC is a VM.

Each Hyper-V host server has 2 NICs. Originally, I set up the Hyper-V host servers with the Management NIC on a private subnet that was isolated from the domain and on each virtual switch, I unchecked the "Allow management operating system to share this network adapter". My understanding was that it was best practice to keep the Hyper-V hosts isolated from the domain for security purposes.

Now, I am reading many posts where the Hyper-V host servers are actually joined to the same domain that the hosted VMs are in. As I understand it, this is done to facilitate easier Hyper-V host management.

Which is the current best practice approach?

I would like the Hyper-V hosts on the domain so that I could manage them from the same workstation that I use to manage the server VMs and other domain resources. I could also team the two network adapters in each Hyper-V server for better network performance/resilience.

Thanks,

Dave
Asked by: dcadler

2 Solutions
 
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
Have more than 2 NICs available for one.
Team them for another and then attach the vSwitch leaving the host OS access so that they both share the teamed NICs.

Our preference is for a minimum of 4 NICs, preferably with two h/w setups, and Intel only.

For standalone situations where there is only one host we leave them workgroup and use HVRemote to configure both the host and a management system.
EDIT: Forgot the link: http://bit.ly/13pOYph

We've seen enough issues when the only DC is offline when trying to manage the host.

In your case, where there are two DCs on separate hosts you can indeed join the domain and then use RSAT on a Windows desktop OS machine to manage.

AzMan can be used to further fine tune permissions for folks that can manage say one VM but not the whole host.
http://bit.ly/14FlSzO

Philip
0
 
Svet Paperov (IT Manager) commented:
From a security point of view I would say that your design is the better one. The main advantage is that you can control who can access the server, and from where, via ACLs on the router; you could even block any Internet access from that server and leave it without an anti-virus.

For remote management you could set up HVRemote http://code.msdn.microsoft.com/windowsdesktop/Hyper-V-Remote-Management-26d127c6 

If, on the other hand, you had a big Hyper-V shop with many servers, then yes, it would be wise to set up a dedicated domain for Hyper-V management.
0
 
McKnife commented:
Hi.

"isolated from the domain for security purposes" - now what should that mean in detail? Please link that statement you read. What should get more secure because it's not on the domain and why?
0
 
dcadler (Author) commented:
I decided to add teaming to the server NICs and to keep the Hyper-V hosts on a separate VLAN as standalone rather than domain connected. I also teamed the adapters on that VLAN to allow me to more easily move VMs from one server to another as needed. Thanks for all of your help.
0
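The setup that Philip describes (team the NICs, then attach the vSwitch while leaving the host OS access) and the configuration the author settled on (teamed adapters with the hosts on their own management VLAN, standalone) can both be built and verified from PowerShell on Windows Server 2012. The script below is an added example written for this thread, not code posted by any participant; the adapter names, team name, switch name and VLAN ID are assumptions for illustration, and the last line gives a quick check that the host is in fact not domain-joined.

```powershell
# Added example (not from the thread): team two physical NICs, build an external
# vSwitch that the host OS shares, and tag the host's management vNIC with its own
# VLAN. Adapter names, team/switch names and the VLAN ID are assumed values.

$members    = @("NIC1", "NIC2")   # assumed physical adapter names; list real ones with Get-NetAdapter
$teamName   = "HV-Team"           # assumed team name
$switchName = "vSwitch-External"  # assumed vSwitch name
$mgmtVlan   = 10                  # assumed management VLAN ID

# 1. Team the physical adapters (LBFO teaming, built into Server 2012).
#    SwitchIndependent needs no switch-side configuration; HyperVPort spreads
#    VM traffic across team members per virtual port.
New-NetLbfoTeam -Name $teamName -TeamMembers $members `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm HyperVPort -Confirm:$false

# 2. Bind the external vSwitch to the team interface. -AllowManagementOS $true is
#    the "Allow management operating system to share this network adapter" box
#    from the question; $false reproduces the author's original isolated design.
New-VMSwitch -Name $switchName -NetAdapterName $teamName -AllowManagementOS $true

# 3. The host vNIC created by the switch carries the switch's name. Put it on the
#    management VLAN so host traffic is separated from VM traffic at layer 2,
#    which is the VLAN split the author chose.
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $switchName -Access -VlanId $mgmtVlan

# 4. Verify the result: team health, switch binding, host vNIC VLAN, domain state.
Get-NetLbfoTeam -Name $teamName | Select-Object Name, Status, TeamingMode, LoadBalancingAlgorithm
Get-VMSwitch -Name $switchName  | Select-Object Name, SwitchType, AllowManagementOS
Get-VMNetworkAdapterVlan -ManagementOS
(Get-CimInstance Win32_ComputerSystem).PartOfDomain   # $false on a standalone (workgroup) host
```

Run this on the host console or through a remote session that does not depend on the NICs being reconfigured, since step 1 briefly drops connectivity on the member adapters. If the hosts stay in a workgroup as the author decided, remote management of the host still has to be enabled separately (the HVRemote tool linked above is one way to do that); the script only covers the network side.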
