Solved

Best Practice for Hyper-V Hosts in domains

Posted on 2013-06-07
Last Modified: 2014-11-12
I have 3 Hyper-V host servers that I recently upgraded to Windows Server 2012. These hosts run the majority of my domain servers as VMs. I have a primary DC in a separate physical box that also provides my DHCP. The 2nd DC is a VM.

Each Hyper-V host server has 2 NICs. Originally, I set up the Hyper-V host servers with the Management NIC on a private subnet that was isolated from the domain and on each virtual switch, I unchecked the "Allow management operating system to share this network adapter". My understanding was that it was best practice to keep the Hyper-V hosts isolated from the domain for security purposes.

Now, I am reading many posts where the Hyper-V host servers are actually joined to the same domain that the hosted VMs are in. As I understand it, this is done to facilitate easier Hyper-V host management.

Which is the current best practice approach?

I would like the Hyper-V hosts on the domain so that I could manage them from the same workstation that I use to manage the server VMs and other domain resources. I could also team the two network adapters in each Hyper-V server for better network performance/resilience.

Thanks,

Dave
Question by:dcadler
4 Comments
 
LVL 38

Accepted Solution

by:
Philip Elder earned 250 total points
ID: 39229130
Have more than 2 NICs available for one.
Team them for another and then attach the vSwitch leaving the host OS access so that they both share the teamed NICs.

Our preference is for a minimum of 4 NICs, preferably with two h/w setups, and Intel only.

For standalone situations where there is only one host we leave them workgroup and use HVRemote to configure both the host and a management system.
EDIT: Forgot the link: http://bit.ly/13pOYph

We've seen enough issues when the only DC is offline when trying to manage the host.

In your case, where there are two DCs on separate hosts you can indeed join the domain and then use RSAT on a Windows desktop OS machine to manage.

AzMan can be used to further fine tune permissions for folks that can manage say one VM but not the whole host.
http://bit.ly/14FlSzO

Philip
0
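
The teamed-NIC layout with a vSwitch shared with the host OS, as described in the accepted answer, written out as an added PowerShell example for Windows Server 2012 (not part of the original thread and not the posters' own script). The adapter, team and switch names are assumptions; substitute the names shown by `Get-NetAdapter`.

```powershell
# Added example. Run from the local console or out-of-band management:
# teaming the NIC that carries your remote session will drop the session.
$teamName   = 'HostTeam'       # hypothetical team name
$members    = 'NIC1', 'NIC2'   # hypothetical physical adapter names
$switchName = 'vSwitch-Team'   # hypothetical virtual switch name

# Fail early if a named adapter is missing or has no link.
$adapters = Get-NetAdapter -Name $members -ErrorAction Stop
$down = $adapters | Where-Object Status -ne 'Up'
if ($down) { throw "Adapters not up: $($down.Name -join ', ')" }

# 1. Team the physical NICs with the built-in LBFO teaming.
New-NetLbfoTeam -Name $teamName -TeamMembers $members `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm HyperVPort `
    -Confirm:$false | Out-Null

# Wait (up to 30 s) for the team to come up before binding a switch to it.
$deadline = (Get-Date).AddSeconds(30)
while ((Get-NetLbfoTeam -Name $teamName).Status -ne 'Up') {
    if ((Get-Date) -gt $deadline) { throw "Team $teamName did not come up" }
    Start-Sleep -Seconds 2
}

# 2. Bind an external vSwitch to the team interface (it takes the team's name).
#    -AllowManagementOS $true is the "Allow management operating system to
#    share this network adapter" checkbox: host and VMs share the team.
New-VMSwitch -Name $switchName -NetAdapterName $teamName `
    -AllowManagementOS $true | Out-Null

# 3. Review the result: which switches expose the host OS, which host vNICs
#    exist, and whether this host is workgroup or domain joined.
Get-VMSwitch | Select-Object Name, SwitchType, AllowManagementOS
Get-VMNetworkAdapter -ManagementOS | Select-Object Name, SwitchName
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
'{0}: PartOfDomain={1}, Domain/Workgroup={2}' -f $cs.Name, $cs.PartOfDomain, $cs.Domain
```

Any switch listed with `AllowManagementOS` set to `True` puts a host vNIC on the same physical uplink as the VMs, which is the property to check when deciding how isolated the host's management interface really is.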
 
LVL 20

Assisted Solution

by:Svet Paperov
Svet Paperov earned 250 total points
ID: 39231608
From a security point of view, I would say that your design is the better one. The main advantage is that you can control who can access the server, and from where, via an ACL on the router; you could even block any Internet access from that server and leave it without an anti-virus.

For remote management you could set up HVRemote http://code.msdn.microsoft.com/windowsdesktop/Hyper-V-Remote-Management-26d127c6

If, on the other hand, you had a big Hyper-V shop with many servers, then yes, it would be wise to set up a dedicated domain for Hyper-V Management.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39233585
Hi.

"isolated from the domain for security purposes" - now what should that mean in detail? Please link that statement you read. What should get more secure because it's not on the domain and why?
0
 

Author Closing Comment

by:dcadler
ID: 39244475
I decided to add teaming to the server NICs and to keep the Hyper-V hosts on a separate VLAN as standalone rather than domain connected. I also teamed the adapters on that VLAN to allow me to more easily move VMs from one server to another as needed. Thanks for all of your help.
0
