Solved

Best Practice for Hyper-V Hosts in domains

Posted on 2013-06-07
533 Views
Last Modified: 2014-11-12
I have 3 Hyper-V host servers that I recently upgraded to Windows Server 2012. These hosts run the majority of my domain servers as VMs. I have a primary DC in a separate physical box that also provides my DHCP. The 2nd DC is a VM.

Each Hyper-V host server has 2 NICs. Originally, I set up the Hyper-V host servers with the Management NIC on a private subnet that was isolated from the domain and on each virtual switch, I unchecked the "Allow management operating system to share this network adapter". My understanding was that it was best practice to keep the Hyper-V hosts isolated from the domain for security purposes.

Now, I am reading many posts where the Hyper-V host servers are actually joined to the same domain that the hosted VMs are in. As I understand it, this is done to facilitate easier Hyper-V host management.

Which is the current best practice approach?

I would like the Hyper-V hosts on the domain so that I could manage them from the same workstation that I use to manage the server VMs and other domain resources. I could also team the two network adapters in each Hyper-V server for better network performance/resilience.

Thanks,

Dave
Question by:dcadler
4 Comments
LVL 38

Accepted Solution

by:
Philip Elder earned 250 total points
ID: 39229130
Have more than 2 NICs available for one.
Team them for another and then attach the vSwitch leaving the host OS access so that they both share the teamed NICs.

Our preference is for a minimum of 4 NICs, preferably with two h/w setups, and Intel only.

For standalone situations where there is only one host we leave them workgroup and use HVRemote to configure both the host and a management system.
EDIT: Forgot the link: http://bit.ly/13pOYph

We've seen enough issues when the only DC is offline when trying to manage the host.

In your case, where there are two DCs on separate hosts you can indeed join the domain and then use RSAT on a Windows desktop OS machine to manage.

AzMan can be used to further fine-tune permissions for folks who can manage, say, one VM but not the whole host.
http://bit.ly/14FlSzO

Philip
LVL 20

Assisted Solution

by:
Svet Paperov earned 250 total points
ID: 39231608
From a security point of view I would say that your design is the better one. The main advantage is that you can control who can access the server, and from where, via ACL on the router; you could even block any Internet access from that server and leave it without an anti-virus.

For remote management you could set up HVRemote http://code.msdn.microsoft.com/windowsdesktop/Hyper-V-Remote-Management-26d127c6

If, on the other hand, you had a big Hyper-V shop with many servers, then yes, it would be wise to set up a dedicated domain for Hyper-V management.
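The answer above rests on controlling who can reach the host and from where. As an added example (not from this thread or any of its participants), the following PowerShell scopes the host's own remote-management firewall rules to the isolated management subnet, as a host-side complement to the router ACL the answer describes. The subnet 10.10.100.0/24 and the rule display name are assumptions; the "Hyper-V" and "Windows Remote Management" rule groups are the built-in groups on a Windows Server 2012 Hyper-V host.

```powershell
# Added example: limit host remote management (WinRM and Hyper-V WMI/RPC) to the
# management subnet, in addition to the router ACL. Subnet and rule name are assumptions.
$mgmtSubnet = "10.10.100.0/24"   # assumed isolated management VLAN subnet

# HVRemote, Hyper-V Manager and RSAT all ride on WinRM (TCP 5985); allow it only from
# the management subnet instead of from any address.
New-NetFirewallRule -DisplayName "WinRM from management subnet only" -Direction Inbound `
    -Protocol TCP -LocalPort 5985 -RemoteAddress $mgmtSubnet -Action Allow

# Disable the unscoped built-in WinRM rules so the scoped rule above is the only path in.
Get-NetFirewallRule -DisplayGroup "Windows Remote Management" -Direction Inbound |
    Disable-NetFirewallRule

# Hyper-V Manager also talks WMI/DCOM (RPC 135 plus dynamic ports); rather than opening
# those to everyone, scope the built-in Hyper-V inbound rule group to the same subnet.
Get-NetFirewallRule -DisplayGroup "Hyper-V" -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $mgmtSubnet

# Verify: every inbound management rule should now list only the management subnet.
Get-NetFirewallRule -DisplayName "WinRM from management subnet only" |
    Get-NetFirewallAddressFilter | Format-Table RemoteAddress
Get-NetFirewallRule -DisplayGroup "Hyper-V" -Direction Inbound |
    Get-NetFirewallAddressFilter | Format-Table RemoteAddress
```

Run this from the host console (or an existing session from the management subnet) before tightening the rules, so you are not locked out by the change itself.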
LVL 54

Expert Comment

by:McKnife
ID: 39233585
Hi.

"isolated from the domain for security purposes" - now what should that mean in detail? Please link that statement you read. What should get more secure because it's not on the domain and why?
Author Closing Comment

by:dcadler
ID: 39244475
I decided to add teaming to the server NICs and to keep the Hyper-V hosts on a separate VLAN as stand-alone rather than domain connected. I also teamed the adapters on that VLAN to allow me to more easily move VMs from one server to another as needed. Thanks for all of your help.
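The accepted answer (team the NICs, then attach the vSwitch with host OS access so both share the team) and the closing comment (teamed adapters, hosts kept on a separate management VLAN) describe one build. As an added example, not code from anyone in this thread, the following PowerShell performs that build on a Windows Server 2012 Hyper-V host. The adapter names "NIC1"/"NIC2", the team and switch names, the VM name "DC2" and the VLAN IDs 100 and 10 are assumptions; check Get-NetAdapter on your own host before running it.

```powershell
# Added example: NIC team + shared external vSwitch + host management on its own VLAN.
# Adapter, team, switch and VM names and the VLAN IDs below are assumptions.

# 1. Pick the physical adapters that will form the team (assumed names).
$members = Get-NetAdapter -Name "NIC1","NIC2" -Physical

# 2. Create a switch-independent LBFO team (no LACP configuration needed on the
#    physical switch). Hyper-V port load balancing spreads VM traffic across both NICs
#    per virtual port and gives the resilience the question asks for.
New-NetLbfoTeam -Name "HV-Team" -TeamMembers $members.Name `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm HyperVPort -Confirm:$false

# 3. Bind the external vSwitch to the team. -AllowManagementOS $true is the PowerShell
#    equivalent of ticking "Allow management operating system to share this network
#    adapter", which is what the accepted answer recommends once the NICs are teamed.
#    The host's own virtual NIC created this way takes the switch's name.
New-VMSwitch -Name "vSwitch-Team" -NetAdapterName "HV-Team" -AllowManagementOS $true

# 4. Put the host's virtual NIC on the isolated management VLAN (assumed ID 100), so
#    host management stays off the production VLANs as in the closing comment, while
#    VM virtual NICs are tagged with their own VLAN (assumed ID 10 for a VM named "DC2").
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName "vSwitch-Team" -Access -VlanId 100
Set-VMNetworkAdapterVlan -VMName "DC2" -Access -VlanId 10

# 5. Verify: team is Up on both members, switch shares with the host, VLAN tags applied.
Get-NetLbfoTeam | Format-Table Name, Status, TeamingMode, LoadBalancingAlgorithm
Get-VMSwitch -Name "vSwitch-Team" | Format-Table Name, SwitchType, AllowManagementOS
Get-VMNetworkAdapterVlan -ManagementOS | Format-Table ParentAdapter, OperationMode, AccessVlanId
```

Because the management VLAN is carried over the same team as VM traffic, the physical switch ports must trunk both VLANs; the host itself still needs no domain membership for this layout, which is the standalone arrangement the closing comment settled on.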
